
Copyright © 2016 Blue Coat Systems Inc. All Rights Reserved. 1

Closing the Window — Full Fidelity Forensics for Accelerated Incident and Endpoint Response

Blue Coat and Carbon Black, April 20th, 2016

Erik Engberg

Advanced Threat Defense Specialist, Nordics & Benelux


• 20th year in Security, started pen-testing in ’96

• Worked within Government, Large Enterprise, ISP/Telco

• Everything from carrier architecture to compliance projects

• Certified Information Assurance Officer, NDU Washington

• Speak geek and boardroom, but not enough Spanish

[email protected]

https://www.linkedin.com/in/erikengberg74

Who am I?

Challenge and Goal


How To Prevent My Organization From Suffering Security Breaches?

The Burning Question?


However…


Is it at all Possible to Remain Zen in this Context?


How To Prevent My Organization From Suffering Security Breaches?

The Burning Question TODAY

Am I Ready To Respond?


The Expanding Window of Exposure

Today's reality: Incident → Time to Detection → Incident Identified → Time to Resolve → Resolution

206 DAYS to Detection*

21-35 DAYS Average Breach Resolution

* Verizon 2014 Data Breach Investigations Report


Quickly Closing the Window of Exposure

Our mission: Incident → Time to Detection → Incident Identified → Time to Response → Resolution

NET RESULT = LOWER COST: manpower, time, exposure to business and mitigated risk

Make sure you can see it… Eliminate your blind spots


BLIND SPOTS ARE EVERYWHERE We need comprehensive visibility on the wire and on the host


SSL = The Elephant in the living room - You may try to ignore it, but it's not going away.


SSL/TLS Traffic is PERVASIVE and Introduces Risk!

[Chart: years 2013, 2015, 2017; values 35%, 50%, 73%]

… of all malware will use SSL by 2017*

SSL is estimated at 35 - 50% of network traffic and growing 20% annually*

• >75% in some industries (e.g. healthcare, finance)

Advanced Persistent Threats (APTs) increasingly use SSL as a transport

• Dyre, Zeus & Gameover trojans and VMZeus & Upatre Command & Control (C&C)

The serious actors take advantage!

*Source: Gartner


Encrypted Traffic Management: Delicate Balance between Privacy and compliance issues

LEAD TO REQUIREMENTS

• Support for a wide range of encryption ciphers

• Policy driven encrypted traffic management

• Provides complete traffic stream visibility to security controls


SECURITY Industry Confirmation

“The average performance loss across 7 NGFWs when SSL inspection is enabled is 81%...”

https://salesportal.bluecoat.com/#workspaces/UG9ydGFs/directories/05850000000CqKDAA0/files/06850000001US4bAAG

SSL Inspection is a Security Best Practice

“Implement a Secure Sockets Layer (SSL) inspection capability to inspect both ingress and egress encrypted network traffic for potential malicious activity”.

—Alert TA14-353A: Targeted Destructive Malware (Dec 2014)

https://www.us-cert.gov/ncas/alerts/TA14-353A


2015 Cyberthreat Defense Report

• Sinking expectations - 52% expect to be compromised in 2015

• Malware a major headache - Malware and phishing cause the greatest concern

• Security analytics on the rise - Security Analytics was the #1 security technology cited for acquisition in 2015, followed by threat intelligence

• Flying blind - Only 1/4 are confident that they have tools to inspect SSL-encrypted traffic for cyberthreats


Solving the other “Blind Spots” (and a lot of the Malware headache)

For any File, Website/URL, Email or Cloud Service:

• Is it known good, unknown or malicious? Perhaps suspicious?

• Does the origin already have a reputation, history or risk rating?

• What do I do if “unknown”? Just allow it?

• Is it safe to use? What would actually happen if MY CLIENTS used it?

• If potentially harmful, how can I allow, block or scrub it with the least amount of impact?

What is happening in that endpoint? CDs, USB sticks?

What are my users doing in the cloud?

Make sense of things… Incident Response and Security Analytics


When A Breach Happens, You Need Answers! Potential Legal Liabilities?

#1 What is going on?

#2 What systems, users and data are affected?

#3 Can we be sure it is over?

#4 How did they do it?

#5 Can it happen again?

#6 Who did this to us?

For each step – How certain are we? ASSURANCE!


Manual Forensics & Random Packet Analysis

CLEANUP TAKES MONTHS WITH RANDOM PACKET ANALYSIS WITHOUT COMPLETE RESOLUTION

• DIFFICULT

• INEFFICIENT

• INCOMPLETE

Steps in the manual response flowchart:

• BREACH! NOTIFICATION

• COPY HARD DRIVES

• COLLECT SYSTEM LOGS

• START COLLECTING PCAPS

• ANALYZE LOGS

• ANALYZE PCAPS

• ANALYZE ENDPOINT ACTIVITY

• MANUAL STITCHING OF DATA

• TRY TO CREATE SCOPE OF EVENT

• ISOLATE RESPONSE

• REPORT TO 3RD PARTIES

• RISK ANALYSIS

• ANALYZE SERVER ACTIVITY

• TURN ON PCAP / LOGS WHERE NEEDED

• REPORT TO EXECUTIVE TEAM

• REMEDIATE

• ROOT CAUSE ANALYSIS

• CORRELATE NETWORK TRAFFIC TIME ZONES / ENDPOINTS

• ANALYZE IP ADDRESS COMM / URLS / WEB SITES

• COLLECT SAMPLES / QUARANTINE


Understanding the Value of Metadata

Recording Transcripts = Full Capture

Call Logs = Netflow

Call Notes = Metadata

Call Note #17662

To: John Doe

From: Bill Smith

Topics Covered:

1. Greetings

2. Request for payment by John

3. Transfer of funds

   1. Wire Transfer

   2. Account Number 133488 8998387 8988

   3. CLICK HERE FOR REPLAY of audio

   4. Click here to check account number

Etc……..


The Big Data Approach – The only way to get complete visibility

RECORD AND INDEX ALL TRAFFIC (Don’t forget SSL!)

THE ONLY WAY TO BE SURE (“BIG DATA” APPROACH)


Details for every alert

Forensic Details Before, During and After an Alert

• Know what happened before, during and after an alert, with complete, clear supporting evidence

• Integrate workflows with network and endpoint security tools to add context and improve effectiveness

• Trace back and discover Tactics, Techniques & Procedures and identify Indicators of Compromise

• Enrich your Detection and Investigation capabilities with multiple sources for real-time integrity & reputation of URL, IP address, file hash or email address
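The two slides above (the call-transcript analogy and the before/during/after forensic detail) are easiest to see with data. The following is an added example, not Blue Coat Security Analytics code: it indexes a small constructed packet capture, derives the three fidelity levels the deck compares (metadata as "call notes", flow records as the "call log", retained payload as the "recording transcript"), carves and hashes the downloaded file so it could be handed to a sandbox or reputation lookup, and pivots from an alert timestamp to the flows before, during and after it. All addresses, payloads and the alert time are constructed; `ALERT_TS`, `CAPTURE` and every function name are this example's own.

```python
"""Added example, not vendor code: index a constructed capture, derive
metadata / flow / full-payload views, and pivot around an alert."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

T0 = datetime(2016, 4, 20, 10, 0, 0, tzinfo=timezone.utc)  # constructed capture start

@dataclass
class Packet:
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    payload: bytes

# Constructed "full capture": an HTTP download, a DNS query, and a later
# request from a second host.  Addresses are RFC 5737 documentation ranges.
CAPTURE = [
    Packet(T0 + timedelta(seconds=1), "192.0.2.10", 51000, "198.51.100.7", 80, "tcp",
           b"GET /update.exe HTTP/1.1\r\nHost: files.example.net\r\n\r\n"),
    Packet(T0 + timedelta(seconds=2), "198.51.100.7", 80, "192.0.2.10", 51000, "tcp",
           b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nMZ\x90\x00"),
    Packet(T0 + timedelta(seconds=2.5), "198.51.100.7", 80, "192.0.2.10", 51000, "tcp",
           b"\x03\x00\x00\x00\x04\x00\x00\x00"),
    Packet(T0 + timedelta(seconds=40), "192.0.2.10", 53001, "192.0.2.53", 53, "udp",
           b"\x12\x34\x01\x00\x00\x01\x00\x00"),
    Packet(T0 + timedelta(seconds=400), "192.0.2.11", 51002, "198.51.100.7", 80, "tcp",
           b"GET /beacon HTTP/1.1\r\nHost: files.example.net\r\n\r\n"),
]
ALERT_TS = T0 + timedelta(seconds=2)  # constructed: network AV flagged the download

@dataclass
class Flow:
    client: str
    server: str
    server_port: int
    proto: str
    first_seen: datetime
    last_seen: datetime
    packets: int = 0
    octets: int = 0
    payload: bytearray = field(default_factory=bytearray)  # the "recording"

def flow_key(p):
    """Bidirectional key: both directions of a conversation sort to the same tuple."""
    return (p.proto,) + tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

def build_flows(capture):
    """NetFlow-style 'call log': one record per conversation, payload retained."""
    flows = {}
    for p in sorted(capture, key=lambda p: p.ts):
        f = flows.get(flow_key(p))
        if f is None:  # the first packet seen defines who the client is
            f = flows[flow_key(p)] = Flow(p.src, p.dst, p.dport, p.proto, p.ts, p.ts)
        f.last_seen = max(f.last_seen, p.ts)
        f.packets += 1
        f.octets += len(p.payload)
        f.payload += p.payload
    return list(flows.values())

def http_metadata(flow):
    """'Call notes': method, URI and Host header of an HTTP request, or None."""
    head = bytes(flow.payload).split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "uri": parts[1], "host": headers.get("host")}

def extract_response_body(flow):
    """Carve the server's response body (the downloaded file) and hash it.
    Assumes the request precedes the response, as build_flows orders by time."""
    start = flow.payload.find(b"\r\n\r\nHTTP/1.")
    if start < 0:
        return None
    head_and_body = bytes(flow.payload[start + 4:]).split(b"\r\n\r\n", 1)
    body = head_and_body[1] if len(head_and_body) == 2 else b""
    return body, hashlib.sha256(body).hexdigest()

def pivot(flows, alert_ts, window=timedelta(minutes=10)):
    """Flows before, during and after an alert, limited to +/- window."""
    out = {"before": [], "during": [], "after": []}
    lo, hi = alert_ts - window, alert_ts + window
    for f in sorted(flows, key=lambda f: f.first_seen):
        if f.last_seen < lo or f.first_seen > hi:
            continue
        if f.first_seen <= alert_ts <= f.last_seen:
            out["during"].append(f)
        elif f.last_seen < alert_ts:
            out["before"].append(f)
        else:
            out["after"].append(f)
    return out

def investigate(capture=CAPTURE, alert_ts=ALERT_TS):
    """Whole pivot as a plain summary: flow record plus metadata per window."""
    windows = pivot(build_flows(capture), alert_ts)
    return {name: [{"client": f.client, "server": f.server, "port": f.server_port,
                    "packets": f.packets, "octets": f.octets, "http": http_metadata(f)}
                   for f in fl] for name, fl in windows.items()}

if __name__ == "__main__":
    for name, entries in investigate().items():
        print(name, entries)
```

The flow layer alone already answers "which hosts talked to files.example.net after the alert"; the metadata layer names the URI; only the retained payload lets the analyst carve and hash the file itself, which is the fidelity gap the slides are describing.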


Reduce Time-to-Resolution

Reduce Breach Impact

Improve Time-to-Action

Reduce time-to-resolution

• Unlike log traces, the network can’t lie or omit data - if it happened on the network, you got it!

• Quickly identify the source, scope and impact of an attack, greatly reducing time-to-resolution

• Easily extract any payload or selection of traffic for further analysis in any other tools

• Answer the critical “post-breach” questions that plague CISOs – how? what? who? when? ...

• Assurance! Increased confidence in having correct and complete answers

• Improve and automate your other defenses


Proactive Forensics with Security Analytics

HISTORICAL CAPTURE AND REPLAY ACCELERATES RESPONSE AND MINIMIZES COSTS DRAMATICALLY

• EASY

• EFFICIENT

• COMPLETE

Steps in the proactive response flowchart:

• BREACH! NOTIFICATION

• REVIEW CAPTURED TRAFFIC

• REPLAY NETWORK ACTIVITY

• ANALYSIS, CONTAINMENT

• TARGETED RESPONSE & REMEDIATION

• RISK ANALYSIS

• REPORT TO EXECUTIVE TEAM

• REPORT TO 3RD PARTIES

• ROOT CAUSE ANALYSIS


Security Analytics – Market Leadership

“Unlike competitors that often use only packet headers and metadata for visibility into potential security incidents, Blue Coat Security Analytics seeks to empower security professionals with full packet capture, indexing and analyzing packets to offer maximum resolution in a forensics investigation”

– Frost & Sullivan

Frost & Sullivan Recognizes Blue Coat Systems for Dominance in the Global Network Security Forensics Market

Technology Solution

How can 1+1=3 and 1+1+1=9?


Network + Endpoint + SIEM

Network Visibility, Detection

& Threat Intelligence

Endpoint Visibility, Detection

and Remediation


Incident Response

Blue Coat

• Full Network Visibility

• 0 Day Malware Analysis

• Network Traffic Enforcement

Endpoint Detection Response

• Continuous Host Monitoring

• Host Based Remediation

• Also protects against non-network vectors (USB/CD, User, VPN)

SIEM

• Collects and indexes logs from any source

• Powerful search, analysis and visualization

• Apps provide solutions for security, IT ops, business analysis

SIEM


Integration: Logging and Correlation

• Getting data into SIEM as events

• Blue Coat products have extensive logging capabilities for getting data:

  • Syslog

  • Custom configurations

  • API calls

  • Splunk Apps

• Many of the EDR partners have Technical Add-Ons and Dashboard apps to ingest and display the data.

• Single pane of glass provides for comprehensive high level correlation


• Files that evade network inspection are still inspected by Blue Coat

• Confirmation that files inspected on the network made it to the endpoint

• Full system snapshot when malicious activity seen on the network is intended for a host

Integration: Data Enrichment

ProxySG

Content Analysis

Malware Analysis

SIEM
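The previous two slides describe syslog as the transport into the SIEM and "confirmation that files inspected on the network made it to the endpoint" as the enrichment it enables. The following is an added example, not Blue Coat, Carbon Black or Splunk code: it parses constructed RFC 3164-style syslog lines from a network file-inspection source and an endpoint sensor, joins them on SHA-256 inside a time window, and reports per network verdict whether the file landed on a host and whether it executed. It also lists hashes the endpoint saw that never passed network inspection (the USB/CD case from the earlier slide). Hostnames, tags (`content_analysis`, `edr_sensor`), field names and the hashes (digests of labelled strings) are all constructed for this example.

```python
"""Added example, not vendor code: correlate network file-inspection syslog
with endpoint sensor syslog by file hash."""
import hashlib
import re
from datetime import datetime, timedelta

YEAR = 2016  # RFC 3164 timestamps carry no year; assumed for the constructed log
SYSLOG_RE = re.compile(r"^(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([\w.-]+): (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed hashes: digests of labelled strings, not real sample hashes.
H_DROPPER = hashlib.sha256(b"constructed sample: dropper").hexdigest()
H_BLOCKED = hashlib.sha256(b"constructed sample: blocked").hexdigest()
H_LOCAL = hashlib.sha256(b"constructed sample: local-only").hexdigest()

# Constructed network source: a proxy/content-analysis tier logging verdicts.
NETWORK_LOG = [
    f"Apr 20 10:00:02 proxy01 content_analysis: verdict=malicious sha256={H_DROPPER} "
    f'client=192.0.2.10 url="http://files.example.net/update.exe"',
    f"Apr 20 10:03:10 proxy01 content_analysis: verdict=malicious sha256={H_BLOCKED} "
    f'client=192.0.2.11 url="http://files.example.net/setup.exe" action=blocked',
]
# Constructed endpoint source: an EDR sensor logging file writes and process starts.
ENDPOINT_LOG = [
    f"Apr 20 10:00:05 ws-1042 edr_sensor: event=filemod ip=192.0.2.10 "
    f'path="C:\\Users\\jdoe\\Downloads\\update.exe" sha256={H_DROPPER}',
    f"Apr 20 10:00:09 ws-1042 edr_sensor: event=procstart ip=192.0.2.10 "
    f'path="C:\\Users\\jdoe\\Downloads\\update.exe" sha256={H_DROPPER} pid=4120',
    f"Apr 20 10:09:00 ws-1077 edr_sensor: event=filemod ip=192.0.2.12 "
    f'path="C:\\tools\\local.exe" sha256={H_LOCAL}',
]

def parse_syslog(line):
    """Split an RFC 3164-style line into timestamp, host, tag and key=value fields."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable syslog line: {line!r}")
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=YEAR)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(4))}
    return {"ts": ts, "host": m.group(2), "source": m.group(3), **fields}

def correlate(network_lines, endpoint_lines, window=timedelta(minutes=15)):
    """One enrichment record per network verdict: did the file land, did it run."""
    net = [parse_syslog(l) for l in network_lines]
    by_hash = {}
    for e in map(parse_syslog, endpoint_lines):
        by_hash.setdefault(e.get("sha256"), []).append(e)
    results = []
    for n in net:
        # Only endpoint events at or after the network sighting, within the window.
        hits = [e for e in by_hash.get(n["sha256"], [])
                if n["ts"] <= e["ts"] <= n["ts"] + window]
        results.append({
            "sha256": n["sha256"],
            "url": n.get("url"),
            "client": n.get("client"),
            "landed_on_host": sorted({e["host"] for e in hits}),
            "executed": any(e.get("event") == "procstart" for e in hits),
            "endpoint_events": len(hits),
        })
    return results

def unseen_on_network(network_lines, endpoint_lines):
    """(host, sha256) pairs the endpoint saw that never passed network inspection."""
    seen = {parse_syslog(l)["sha256"] for l in network_lines}
    found = {(e["host"], e["sha256"]) for e in map(parse_syslog, endpoint_lines)
             if "sha256" in e and e["sha256"] not in seen}
    return sorted(found)

if __name__ == "__main__":
    for r in correlate(NETWORK_LOG, ENDPOINT_LOG):
        print(r)
    print("endpoint-only:", unseen_on_network(NETWORK_LOG, ENDPOINT_LOG))
```

The join key is the file hash rather than the client IP on purpose: the proxy sees the download, the sensor sees the write, and a hash match is what turns "malicious file observed on the wire" into "malicious file present (and run) on ws-1042", which is the confirmation the slide is after. The blocked second verdict correctly yields no endpoint hits.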


React quickly and accurately

• Event work flow action in SIEM (or directly in Firewall, IPS etc) to take any data source and pivot into Security Analytics

• Right click menu driven from Security Analytics into Carbon Black

• Carbon Black right click pivot to investigate host actions that may have also touched network traffic

Integration: Workflow


Improved Incident Response

Blue Coat

• Full Network Visibility

• 0 Day Malware Analysis

• Network Traffic Enforcement

Endpoint Detection Response

• Continuous Host Monitoring

• Host Based Remediation

• Third bullet point

SIEM

• Collects and indexes logs from any source

• Powerful search, analysis and visualization

• Apps provide solutions for security, IT ops, business analysis

• Workflow Pivots

• Alert Automation

• Data Sharing

• Threat Validation

• Workflow Pivots

• Threat Updates

• File Submission

• Workflow Pivot

• Cross Product Analytics

• Alert Automation

SIEM