These slides - based on the webinar featuring David Monahan, research director at leading IT analyst firm Enterprise Management Associates (EMA), and Wade Williamson, director of product marketing at Vectra Networks - explain how threat detection algorithms can replace your Big Data with better data. Learn how algorithms can improve incident response, reduce risk and improve ROI.

1. David Monahan
Research Director
Enterprise Management Associates (EMA)
Ahead of RSA – Threat Detection Algorithms
Make Big Data into Better Data
April 29, 2016
Wade Williamson
Director of Product Marketing
Vectra Networks

2. Today’s Presenters
Slide 2 © 2016 Enterprise Management Associates, Inc.
David Monahan – Research Director, Risk and Security
David is a senior information security executive with several years of experience.
He has organized and managed both physical and information security
programs, including security and network operations (SOCs and NOCs) for
organizations ranging from Fortune 100 companies to local government and
small public and private companies.
Wade Williamson, Director of Product Marketing, Vectra Networks
Wade has extensive industry experience in intrusion prevention, malware
analysis, and secure mobility, and has spoken at a variety of industry
conferences, including the keynote address at the EICAR malware conference
and led the Malware Researcher Peer Discussion at RSA. Prior to joining Vectra,
he was Sr. Security Analyst at Palo Alto Networks where he led the monthly
Threat Review Series and authored the Modern Malware Review.

3. Logistics for Today’s Webinar
Slide 3 © 2016 Enterprise Management Associates, Inc.
Questions
• An archived version of the event recording
will be available at
www.enterprisemanagement.com
• Log questions in the Q&A panel located on the
lower right corner of your screen
• Questions will be addressed during the Q&A
session of the event
Event recording
Event presentation
• A PDF of the PowerPoint presentation will be
emailed to you as part of the follow-up email.

4. Security Challenges
Slide 4 © 2016 Enterprise Management Associates, Inc.
Lack of Visibility
Attack Complexity
Patient Attackers Persistent Attack
Protecting Information

5. © Vectra Networks | www.vectranetworks.com
About Vectra Networks
5
Leadership
Customers
Alain Mayer
VP Product Mgmt
Jason Kehl
VP Engineering
Mike Banic
VP Marketing
Rick Geehan
VP Sales, N. Amer.
Oliver
Tavakoli
CTO
Hitesh Sheth
President & CEO
Investors
Mission
Automatically detect ongoing cyber attacks in real time
Industry Recognition
8% 4%6% 18% 6% 12% 6% 6% 19% 17%
Education Energy Entertainment Finance Legal
Health S&L Govt Media Technology Other
Gerard Bauer
VP EMEA

6. © Vectra Networks | www.vectranetworks.com
Detecting Threats Across the Kill Chain
Slide 6

7. © Vectra Networks | www.vectranetworks.com
The Cybersecurity Gap
Slide 7
Prevention Phase Active Phase Clean-up Phase
Key assets
found in the wild
Initial
Infection
Cybersecurity Gap
days
Attackers had free rein
in breached networks1
205
• Firewalls
• IPS
• Proxies
• Sandboxes
• SIEM analysis
• Forensic
consultants
$$$$
$
$$$
$$
Internal
Recon
Lateral
Movement
External
Remote
Access
Exfiltrate
Data
Command &
Control
Botnet
Fraud

8. © Vectra Networks | www.vectranetworks.com
Addressing the Cybersecurity Gap
Slide 8
Prevention Phase Active Phase Clean-up Phase
• Analyze all traffic and detects all phases of attack
• Apply data science to original traffic finds hidden threats
• Automate time-consuming, expensive analysis in real time
• Learn and share fundamental attack behaviors across systems
• Firewalls
• IPS
• Proxies
• Sandboxes
• SIEM analysis
• Forensic
consultants
$$$$
$
$$$
$$
Vectra Networks:
Real-time, automated
detection of all phases
of active cyber attacks

9. Approaches to Security
• Focuses
• Network
• Endpoint
• Users
• Data
• Methodologies
• Signature/Pattern
• Policy/Rule
• Data Science
 Behavioral
 Anomaly
 Prediction
Slide 9 © 2016 Enterprise Management Associates, Inc.
Sandboxing DPI/Netflows
Antivirus, HIDS, DLP

10. Program Maturity...
Slide 10 © 2016 Enterprise Management Associates, Inc.
66%
Strong to
Very Strong
Network
Prevention
Maturity
65%
Strong to
Very Strong
Network IR
Maturity
71%
Strong to
Very Strong
Network
Detection
Maturity
Very Strong
At least 99% of the network segments have active prevention and are actively monitored and managed.
AND
The system generates very few, if any, false positives. The system prevents/detects (as applicable) 99% or greater
of the network-based attacks.
Strong
At least 85% of the network segments have active prevention/detection (as applicable) and are actively monitored
and managed.
AND
The system generates only a few false positives. The system prevents/detects (as applicable) 95% or greater of the
network-based attacks.

11. Underdeveloped
Less than 75% of network segments have active prevention/detection (as
applicable) and are not necessarily actively monitored and managed.
OR
The system generates an excessive number of false positives. The system
prevents/detects (as applicable) no more than 90% of the network-based attacks.
Is Overrated and Underdeveloped
Slide 11 © 2016 Enterprise Management Associates, Inc.
59%
Lack
Analysis
Capabilities
40%
Have
Network
Analysis
tools
58%
Maintain
Historical
Data for
Analysis

12. Decline of Baselines and Asset Prioritization
Slide 12 © 2016 Enterprise Management Associates, Inc.

13. Decline in Monitoring High Value Assets
Slide 13 © 2016 Enterprise Management Associates, Inc.

14. Decline in Security Confidence
Slide 14 © 2016 Enterprise Management Associates, Inc.

15. © Vectra Networks | www.vectranetworks.com
Focus on what threats do, not what they are called
Trying to name all bad things only ensures
that you are always behind
• Near infinite supply of repackaged malware, IP
addresses, and URLs
Vectra uses behavioral traffic analysis to
expose the true purpose and effect of traffic
Malicious behaviors are similar across
platforms
• Does it really matter if that port scanner is on
laptop or iPhone?

16. © Vectra Networks | www.vectranetworks.com
Traditional DPI vs Behavioral DPI
How the threat looks
Find threats that you’ve seen before
Snapshot in time
No local context
Signatures Data Science
What the threat does
Find what all threats have in common
Learning over time
Local learning and context
Short-lived
reactive
intelligence
Long-lived
predictive
intelligence

17. © Vectra Networks | www.vectranetworks.com
Extending behavioral analysis where it matters most
Slide 17
Signatures
Sandboxes
Finds unique identifiers of known threats
Detects infecting behavior based on short-term analysis
in a virtual environment
Vectra
üDetects behavior of all phases of attack
üShort-term and long-term analysis
üReal network environment, real traffic
üSee threats in context of key assets
üDevice and OS agnostic
Windows 8 Windows 10
Vista Lollipop
KitKat
Jellybean
Ubuntu Debian
CentOS
iOS 9
Mavericks
YosemiteiOS 8

18. © Vectra Networks | www.vectranetworks.com
External remote access case study: GlassRAT
Undetected for over 3 years
• Discovered by RSA Security
• Used a cert of a valid software
company in China
• No AV coverage initially
• Rare overlaps with C&C
servers used in nation-state
attacks
Source: https://blogs.rsa.com/wp-content/uploads/2015/11/GlassRAT-final.pdf

19. © Vectra Networks | www.vectranetworks.com
External remote access case study: GlassRAT
Highly successful at
avoiding signatures
Behavior still looked exactly
like a RAT
• Similar to Netcat connected to
a command shell over TCP

20. Data Science: Bigger Data is Not necessarily Better Data
• Storage is cheap so data is rampant!
• Analysis is key
Slide 20 © 2016 Enterprise Management Associates, Inc.

21. Machine Learning Not Magic
• Supervised
• Uses large datasets specific to an environment or community
• Outliers are ignored
• Algorithms attempt to determine expected behaviors
• Faster but needs direction
• Unsupervised
• Uses large datasets specific to an environment or community
• Identifies what is normal/acceptable and what is anomalous/abnormal
with respect the group
• Outliers are considered bad (or at least anomalous and worth
investigating).
• Slower but does not requires direction
Slide 21 © 2016 Enterprise Management Associates, Inc.

22. © Vectra Networks | www.vectranetworks.com
Data science requires the right data
First-hand data is required
• Summaries will often lack
details to catch a threat
• Dependent on systems that
missed the attack
Must have context
• Attacks take place over multiple
hosts and over time
Must be in real-time
• Prevention of loss, not post-
mortem forensics
Network Coverage
DataQualityandSpeed
Network
traffic
Endpoint
agents
SIEM &
logs
NetFlow
Data source options

23. © Vectra Networks | www.vectranetworks.com
An example of supervised machine learning
Recently observed
malware using Gmail as
an automated C&C
Synced encoded Python
scripts using the Drafts
folder
Signatures, reputation,
and approved use
policies all fail

24. © Vectra Networks | www.vectranetworks.com
It’s what it does, not what it is
Command and control via Gmail
• Trusted application, trusted URL, trusted IP,
allowed behavior
• No email ever sent
Communication behavior still looks like
traditional botnet pulling behavior
• Unique pattern of call and response
• Bot completes a task and asks for next
instructions

25. © Vectra Networks | www.vectranetworks.com
Example of unsupervised machine learning in action
Vectra observes Kerberos traffic to learn the user accounts
and services normally used on each device
Vectra detected admin account being used on several
devices and accessing new hosts and services

26. Perspectives on Technology
Slide 26 © 2016 Enterprise Management Associates, Inc.

27. Staffing Impacts
Slide 27 © 2016 Enterprise Management Associates, Inc.

28. Automation of tasks, actions and/or analysis in detection
Slide 28 © 2016 Enterprise Management Associates, Inc.
51%
35%
13%
0%
1%
Very Important
Important
Somewhat Important
Somewhat Unimportant
Not Important at All
Network

29. Automation of tasks, actions and/or analysis in IR
Slide 29 © 2016 Enterprise Management Associates, Inc.
48%
35%
15%
1%
1%
Very Important
Important
Somewhat Important
Somewhat Unimportant
Not Important at All
Network

30. Rank of Automation for security functions/actions in terms
of importance
Slide 30 © 2016 Enterprise Management Associates, Inc.
2.37
2.72
3.00
3.37
3.39
Threat Intelligence
Integration
Scalability
Price
Ease of Use
Security Tasks

31. © Vectra Networks | www.vectranetworks.com
Automation to address the skills shortage
Slide 31
Delivering security analysts in software
• Automatically does the investigative work of a
dedicated team of security analysts
• Hours and days of manual work performed
in real-time
Empowers the security organization
• Enables IT and security generalists to address
advanced threats
• Reveals hidden problems that can lead to future
attacks
20

32. © Vectra Networks | www.vectranetworks.com
Turning complexity against the attackers
Slide 32
Internal
Recon
Lateral
Movement
Acquire
Data
Botnet
Monetization
Standard C&C
Exfiltrate
Data
Custom C&C
& RAT
Opportunistic
Targeted
Custom C&C
Initial
Infection

33. © Vectra Networks | www.vectranetworks.com 33

34. Slide 34 © 2016 Enterprise Management Associates, Inc.
Log Your Questions in the Q&A Panel
• Learn more! Request a demo: http://bit.ly/1Qnbc0I
• Learn more about EMA IT Analyst Research:
http://www.enterprisemanagement.com/freeResearch