Transcript of: Closing the Window — Full Fidelity Forensics for Accelerated Incident and Endpoint Response
Copyright © 2016 Blue Coat Systems Inc. All Rights Reserved. 1
Closing the Window — Full Fidelity Forensics for Accelerated Incident and Endpoint Response
Blue Coat and Carbon Black, April 20th, 2016
Erik Engberg
Advanced Threat Defense Specialist, Nordics & Benelux
Who am I?
• 20th year in Security, started pen-testing in ’96
• Worked within Government, Large Enterprise, ISP/Telco
• Everything from carrier architecture to compliance projects
• Certified Information Assurance Officer, NDU Washington
• Speak geek and boardroom, but not enough Spanish
https://www.linkedin.com/in/erikengberg74
The Burning Question?
How To Prevent My Organization From Suffering Security Breaches?
Is it at all Possible to Remain Zen in this Context?
How To Prevent My Organization From Suffering Security Breaches?
The Burning Question TODAY
Am I Ready To Respond?
The Expanding Window of Exposure
TODAY’S REALITY: INCIDENT → INCIDENT IDENTIFIED → RESOLUTION
TIME TO DETECTION: 206 DAYS to Detection*
TIME TO RESOLVE: 21-35 DAYS Average Breach Resolution
* Verizon 2014 Data Breach Investigations Report
Quickly Closing the Window of Exposure
OUR MISSION: INCIDENT → INCIDENT IDENTIFIED → RESOLUTION
TIME TO DETECTION
TIME TO RESPONSE
NET RESULT = LOWER COST: manpower, time, exposure to business and mitigated risk
BLIND SPOTS ARE EVERYWHERE
We need comprehensive visibility on the wire and on the host
SSL = The Elephant in the living room - You may try to ignore it, but it's not going away.
SSL/TLS Traffic is PERVASIVE and Introduces Risk!
• SSL is estimated at 35 - 50% of network traffic and growing 20% annually*
• >75% in some industries (e.g. healthcare, finance)
• Chart (2013 / 2015 / 2017): 35% / 50% / 73%
• [headline figure] of all malware will use SSL by 2017*
*Source: Gartner
Advanced Persistent Threats (APTs) increasingly use SSL as a transport
• Dyre, Zeus & Gameover trojans and VMZeus & Upatre Command & Control (C&C)
The serious actors take advantage!
Encrypted Traffic Management
Delicate Balance between Privacy and compliance issues LEAD TO REQUIREMENTS:
• Support for wide range of encryption ciphers
• Policy driven encrypted traffic management
• Provides complete traffic stream visibility to security controls
SECURITY Industry Confirmation
“The average performance loss across 7 NGFWs when SSL inspection is enabled is 81%...”
https://salesportal.bluecoat.com/#workspaces/UG9ydGFs/directories/05850000000CqKDAA0/files/06850000001US4bAAG
SSL Inspection is a Security Best Practice
“Implement a Secure Sockets Layer (SSL) inspection capability to inspect both ingress and egress encrypted network traffic for potential malicious activity”.
—Alert TA14-353A: Targeted Destructive Malware (Dec 2014)
https://www.us-cert.gov/ncas/alerts/TA14-353A
2015 Cyberthreat Defense report
• Sinking expectations - 52% expect to be compromised in 2015
• Malware a major headache - Malware and phishing cause the greatest concern
• Security analytics on the rise - Security Analytics #1 security tech cited for acquisition in 2015, followed by threat intelligence
• Flying blind - Only 1/4 are confident that they have tools to inspect SSL-encrypted traffic for cyberthreats
Solving the other “Blind Spots” (and a lot of the Malware headache)
For any File, Website/URL, Email or Cloud Service:
• Is it known good, unknown or malicious? Perhaps Suspicious?
• Does the origin already have a reputation, history or risk rating?
• What do I do if “unknown”? Just allow it?
• Is it safe to use? What would actually happen if MY CLIENTS used it?
• If potentially harmful, how can I allow, block or scrub it with the least amount of impact?
What is happening in that endpoint? CDs, USB sticks?
What are my users doing in the cloud?
When A Breach Happens, You Need Answers!
#1 What is going on?
#2 What systems, users and data are affected?
#3 Can we be sure it is over?
#4 How did they do it?
#5 Can it happen again?
#6 Who did this to us?
Potential Legal Liabilities?
For each step – How certain are we? ASSURANCE!
Manual Forensics & Random Packet Analysis
CLEANUP TAKES MONTHS WITH RANDOM PACKET ANALYSIS WITHOUT COMPLETE RESOLUTION
• DIFFICULT
• INEFFICIENT
• INCOMPLETE
Diagram steps:
• BREACH! NOTIFICATION
• COPY HARD DRIVES
• COLLECT SYSTEM LOGS
• TURN ON PCAP / LOGS WHERE NEEDED
• START COLLECTING PCAPS
• ANALYZE LOGS
• ANALYZE PCAPS
• ANALYZE ENDPOINT ACTIVITY
• ANALYZE SERVER ACTIVITY
• ANALYZE IP ADDRESS COMM / URLS / WEB SITES
• CORRELATE NETWORK TRAFFIC TIME ZONES / ENDPOINTS
• COLLECT SAMPLES / QUARANTINE
• MANUAL STITCHING OF DATA
• TRY TO CREATE SCOPE OF EVENT
• ISOLATE RESPONSE
• RISK ANALYSIS
• ROOT CAUSE ANALYSIS
• REMEDIATE
• REPORT TO EXECUTIVE TEAM
• REPORT TO 3RD PARTIES
Understanding the Value of Metadata
RECORDING TRANSCRIPTS = Full Capture
CALL LOGS = Netflow
CALL NOTES = Metadata
Call Note #17662
To: John Doe
From: Bill Smith
Topics Covered:
1. Greetings
2. Request for payment by John
3. Transfer of funds
   1. Wire Transfer
   2. Account Number 133488 8998387 8988
   3. CLICK HERE FOR REPLAY of audio
   4. Click here to check account number
Etc……..
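The three tiers above, worked as an added Python example (not from the deck or from either vendor's products): one constructed HTTP download is reduced to a call-log-style Netflow record, a call-notes-style metadata record, and the full-capture payload, so you can see which of the "post-breach" questions each tier can answer. The function names, the sample hosts and the payload are all my own inventions.

```python
import hashlib

# Constructed sample exchange (hosts and payload invented for this example):
# one HTTP download, as it would sit in a full-packet capture.
CLIENT, SERVER = ("10.0.0.5", 51234), ("203.0.113.10", 80)
REQUEST = (b"GET /update/agent.bin HTTP/1.1\r\nHost: cdn.example.test\r\n"
           b"User-Agent: Mozilla/5.0\r\n\r\n")
BODY = b"MZ\x90\x00 not-a-real-binary, constructed payload"
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            b"Content-Length: %d\r\n\r\n" % len(BODY)) + BODY

def call_log(client, server, messages):
    """Netflow tier ("call log"): who talked to whom and how much, no content."""
    return {"src": client, "dst": server, "proto": "tcp",
            "bytes": sum(len(m) for m in messages), "messages": len(messages)}

def _parse_http(msg):
    """Split one HTTP message into (start line, header dict, body bytes)."""
    head, _, body = msg.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, v in
               (line.split(":", 1) for line in lines[1:] if ":" in line)}
    return lines[0], headers, body

def call_notes(request, response):
    """Metadata tier ("call notes"): indexed facts about the exchange, including
    the hash of the delivered file, but not the file itself."""
    req_line, req_hdr, _ = _parse_http(request)
    status_line, resp_hdr, body = _parse_http(response)
    method, uri, _ = req_line.split(" ", 2)
    return {"host": req_hdr.get("host"), "method": method, "uri": uri,
            "user_agent": req_hdr.get("user-agent"),
            "status": status_line.split(" ", 2)[1],
            "content_type": resp_hdr.get("content-type"),
            "sha256": hashlib.sha256(body).hexdigest()}

def replay(response):
    """Full-capture tier ("recording"): the delivered payload can be carved out
    and handed to sandbox or reverse-engineering tools."""
    return _parse_http(response)[2]

if __name__ == "__main__":
    print("netflow :", call_log(CLIENT, SERVER, [REQUEST, RESPONSE]))
    print("metadata:", call_notes(REQUEST, RESPONSE))
    print("payload :", replay(RESPONSE)[:16])
```

Netflow alone says only that 10.0.0.5 pulled some bytes from port 80; metadata adds the host, URI and file hash to pivot on; only the full capture lets you extract the file itself.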
RECORD AND INDEX ALL TRAFFIC (Don’t forget SSL!)
THE ONLY WAY TO BE SURE (“BIG DATA” APPROACH)
The Big Data Approach – The only way to get complete visibility
Details for every alert
Forensic Details Before, During and After an Alert
• Know what happened before, during and after an alert, with complete, clear supporting evidence
• Integrate workflows with network and endpoint security tools to add context and improve effectiveness
• Trace back and discover Tactics, Techniques & Procedures and identify Indicators of Compromise
• Enrich your Detection and Investigation capabilities with multiple sources for real-time integrity & reputation of URL, IP address, file hash or email address
Reduce Time-to-Resolution
Reduce Breach Impact
Improve Time-to-Action
Reduce time-to-resolution
• Unlike log traces, the network can’t lie or omit data. If it happened on the network – you got it!
• Quickly identify the source, scope and impact of an attack, greatly reducing time-to-resolution
• Easily extract any payload or selection of traffic for further analysis in any other tools
• Answer the critical “post-breach” questions that plague CISOs – how? what? who? when? ...
• Assurance! Increased confidence in having correct and complete answers
• Improve and automate your other defenses
Proactive Forensics with Security Analytics
HISTORICAL CAPTURE AND REPLAY ACCELERATES RESPONSE AND MINIMIZES COSTS DRAMATICALLY
• EASY
• EFFICIENT
• COMPLETE
Diagram steps:
• BREACH! NOTIFICATION
• REVIEW CAPTURED TRAFFIC
• REPLAY NETWORK ACTIVITY
• ANALYSIS, CONTAINMENT
• TARGETED RESPONSE & REMEDIATION
• RISK ANALYSIS
• ROOT CAUSE ANALYSIS
• REPORT TO EXECUTIVE TEAM
• REPORT TO 3RD PARTIES
Security Analytics – Market Leadership
“Unlike competitors that often use only packet headers and metadata for visibility into potential security incidents, Blue Coat Security Analytics seeks to empower security professionals with full packet capture, indexing and analyzing packets to offer maximum resolution in a forensics investigation”
– Frost & Sullivan
Frost & Sullivan Recognizes Blue Coat Systems for Dominance in the Global Network Security Forensics Market
Network + Endpoint + SIEM
Network Visibility, Detection & Threat Intelligence
Endpoint Visibility, Detection and Remediation
Incident Response
Blue Coat
• Full Network Visibility
• 0 Day Malware Analysis
• Network Traffic Enforcement
Endpoint Detection Response
• Continuous Host Monitoring
• Host Based Remediation
• Also protects against non-network vectors (USB/CD, User, VPN)
SIEM
• Collects and indexes logs from any source
• Powerful search, analysis and visualization
• Apps provide solutions for security, IT ops, business analysis
Integration: Logging and Correlation
• Getting data into SIEM as events
• Blue Coat products have extensive logging capabilities for getting data:
  • Syslog
  • Custom configurations
  • API calls
  • Splunk Apps
• Many of the EDR partners have Technical Add-Ons and Dashboard apps to ingest and display the data.
• Single pane of glass provides for comprehensive high level correlation
Integration: Data Enrichment
• Files that evade network inspection are still inspected by Blue Coat
• Confirmation that files inspected on the network made it to the endpoint
• Full system snapshot when malicious activity seen on network intended for host
Components: ProxySG, Content Analysis, Malware Analysis, SIEM
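An added Python example of the second bullet, confirming a file inspected on the wire against its execution on the endpoint (this is not code from the deck or from either product): SIEM-normalised network and endpoint events are joined on client address and SHA-256 within a time window, and a hit on a file the network verdict already called malicious is raised to high priority. The event field names, timestamps, hosts and hash values are constructed placeholders.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real product output): what a network file
# inspection result and an endpoint process-start look like once normalised.
NETWORK_EVENTS = [
    {"ts": "2016-04-20T10:00:05", "client": "10.0.0.5", "sha256": "a" * 64,
     "url": "http://cdn.example.test/update/agent.bin", "verdict": "malicious"},
    {"ts": "2016-04-20T10:02:00", "client": "10.0.0.7", "sha256": "b" * 64,
     "url": "http://files.example.test/readme.pdf", "verdict": "clean"},
]
ENDPOINT_EVENTS = [
    {"ts": "2016-04-20T10:01:10", "host_ip": "10.0.0.5", "sha256": "a" * 64,
     "process": "agent.bin", "parent": "explorer.exe"},
    {"ts": "2016-04-20T13:30:00", "host_ip": "10.0.0.9", "sha256": "c" * 64,
     "process": "setup.exe", "parent": "explorer.exe"},
]

def _t(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")

def confirm_delivery(network_events, endpoint_events, window=timedelta(hours=1)):
    """Join files seen on the network to executions on the client they were
    delivered to. Returns one record per (host, hash) pair where the endpoint
    ran the file within `window` after the network saw it."""
    by_host_hash = {}
    for e in endpoint_events:
        by_host_hash.setdefault((e["host_ip"], e["sha256"]), []).append(e)
    confirmed = []
    for n in network_events:
        for e in by_host_hash.get((n["client"], n["sha256"]), []):
            delta = _t(e["ts"]) - _t(n["ts"])
            if timedelta(0) <= delta <= window:
                confirmed.append({
                    "host": n["client"], "sha256": n["sha256"], "url": n["url"],
                    "process": e["process"], "parent": e["parent"],
                    "seconds_to_execution": int(delta.total_seconds()),
                    # A malicious network verdict that reached execution is the
                    # case that needs the host snapshot and containment first.
                    "priority": "high" if n["verdict"] == "malicious" else "info"})
    return confirmed

if __name__ == "__main__":
    for match in confirm_delivery(NETWORK_EVENTS, ENDPOINT_EVENTS):
        print(match)
```

The clean PDF to 10.0.0.7 produces no record because no endpoint ever ran it; the download to 10.0.0.5 is confirmed as executed 65 seconds after the network saw it.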
Integration: Workflow
React quickly and accurately
• Event work flow action in SIEM (or directly in Firewall, IPS etc) to take any data source and pivot into Security Analytics
• Right click menu driven from Security Analytics into Carbon Black
• Carbon Black right click pivot to investigate host actions that may have also touched network traffic
Improved Incident Response
Blue Coat
• Full Network Visibility
• 0 Day Malware Analysis
• Network Traffic Enforcement
Endpoint Detection Response
• Continuous Host Monitoring
• Host Based Remediation
SIEM
• Collects and indexes logs from any source
• Powerful search, analysis and visualization
• Apps provide solutions for security, IT ops, business analysis
Integration links between the three (arrows in the diagram):
• Workflow Pivots
• Alert Automation
• Data Sharing
• Threat Validation
• Threat Updates
• File Submission
• Cross Product Analytics