Real-time Security Analytics: Visibility,
Alerting or Forensic Digging - Which is it?
Neal Hartsell
Vice President Marketing
What this prezo will address…
1. What is a security analytic anyway?
2. Who on my staff would actually use this product?
3. What problems does it actually solve?
4. Does it replace products like Log Management systems and SIEMs?
2
Click Security Confidential
Typical Enterprise Network Today
Diagram labels: Cloud Services, Contractor, Mobility, WAN F/W & IPS, EP, Web Proxy Server, DMZ F/W & IPS, EP, Malicious Insider, BYOD, Consumerization of IT
3
Are We Secure?
• IP theft to US Co’s is $250B / year
• Global cybercrime is $114 billion…
• $388 billion when you factor in downtime…
Symantec*
We spent $25B on IT Security in 2012**
• $1 trillion was spent globally on remediation
McAfee*
* http://threatpost.com/en_us/blogs/nsa-chief-says-todays-cyber-attacks-amount-greatest-transfer-wealth-history-070912
** http://www.slideshare.net/Pack22/it-security-market-overview-sept-12
4
What Happened?
Massive Network Attack Surface
• Social Media
• Consumerization of IT
• IP Device Explosion
• Mobility
• Cloud Computing
Your Defense
Signature-based Defenses: IPS, Anti-X, Firewall
• Complex
• Constant Flux
• Between 50% and 5% effective
The Enemy
Intelligent, Stealthy, Relentless, Motivated, Numerous
“Based on some research by the U.S. intelligence, the total number of registered hackers in China is approaching 400,000.” Infosecisland.com
Staff
$1B Revenue x 5% on IT x 10% on Security x 30% on Staff / $200K/Yr loaded = 7.5 Heads
5
Attack
Diagram labels: Reserved IP Address, Internal Web Server, Entry, Attribution, Internal Web Server, ExFil, $
6
Attack Autopsy Report
• Did you see these alarms?
– Remember a F/W @ 15K EPS = 1 Billion EPD
• Did you recognize their relative importance?
– High, Medium, Low severity?
• Did you know they were connected?
– e.g., how many IP addresses are involved here?
• Did you see them in time to be proactive?
– Or do you study them forensically?
• Do you even have staff to spend time on this?
– Or are you chief, cook and bottle washer?
7
Current Answer…
Forensics
2012 Verizon Data Breach Investigations Report
Minutes – hours to execute a breach.
Days – months to discover.
8
Better Answer…
Real-time Security Analytics
Catch This…
9
Before This…
Incident Detection Challenges
10
Security Analytics Defined
11
What is a Security Analytic?
…and a Real-time Security Analytic
Visibility…
Detect … Did this entity take this action on this entity?
Action … If this entity took this action on this entity… then take this action AUTOMATICALLY and in REAL TIME…
Examples:
Alert Human
Block IP
Quarantine Endpoint
Gather more data
Create trouble ticket
Execute script
12
Example Analytics
Example Interactive Reports
1. Authentication history for this entity (user, dept, zone, etc.)
2. What accts in this entity logged in during x timeframe
3. Show all service accounts
– Show all that are machine local / distributed
4. Authentication history by (user, dept, zone, geo…)
5. Root cause a user account lock out
Example Alerts
1. Anomalous log in by some attribute (to service, time, loc, etc.)
2. “Relative to user” failed log in attempts
3. Failed log ins to a specific app
4. Distributed failed log ins
5. Service acct failed log in
6. Acct log in from non-whitelisted geo area
7. Outlier detection
13
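As an added example (not code from the deck or from Click Security), the Python sketch below implements the slide-12 pattern "if this entity took this action on this entity, then take this action automatically" over a stream of authentication events, and encodes four of the slide-13 example alerts: distributed failed log ins, "relative to user" failed log ins, service account failed log in, and log in from a non-whitelisted geo area. Each rule maps to an automatic action (alert a human, create a trouble ticket, block an IP) that is only a stub here. The event layout, the 300-second window, the thresholds, the geo whitelist, the `svc_` service-account prefix and the sample stream are all this example's assumptions.

```python
# Added example (not Click Security's code): a small real-time security analytic
# over a stream of authentication events. Event layout, window, thresholds, the
# geo whitelist and the service-account prefix are this example's assumptions.
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class AuthEvent:
    ts: float        # event time, seconds since epoch
    user: str        # client entity: the account
    src_ip: str      # host the attempt came from
    server: str      # server entity
    result: str      # "success" or "failure"
    geo: str         # country of src_ip, supplied by an upstream geo augmentation step


@dataclass
class ActorState:
    failures: deque = field(default_factory=deque)   # (ts, src_ip) of failures in the window
    fired: set = field(default_factory=set)          # rules already alerted in this window
    baseline_failures: float = 1.0                   # assumed per-user normal failures per window


class RealtimeAuthAnalytic:
    WINDOW = 300.0           # seconds of state kept per actor (assumption)
    DISTRIBUTED_HOSTS = 3    # distinct source hosts failing on one account (assumption)
    RELATIVE_FACTOR = 3.0    # failures above N x the user's own baseline (assumption)
    GEO_WHITELIST = {"US", "DE"}
    SERVICE_PREFIX = "svc_"

    def __init__(self, actions):
        self.actions = actions                 # action name -> callable(event, reason)
        self.actors = defaultdict(ActorState)  # keyed by the account (the actor)
        self.alerts = []                       # (action, user, reason) in firing order

    def _fire(self, action, rule, ev, reason):
        st = self.actors[ev.user]
        if rule in st.fired:                   # one alert per actor, rule and window
            return
        st.fired.add(rule)
        self.alerts.append((action, ev.user, reason))
        self.actions[action](ev, reason)       # the automatic, real-time action

    def process(self, ev):
        st = self.actors[ev.user]
        # Expire state that fell out of the sliding window.
        while st.failures and ev.ts - st.failures[0][0] > self.WINDOW:
            st.failures.popleft()
        if not st.failures:
            st.fired.clear()
        if ev.result == "failure":
            st.failures.append((ev.ts, ev.src_ip))
            if ev.user.startswith(self.SERVICE_PREFIX):
                self._fire("create_ticket", "service_failed", ev, "service acct failed log in")
            hosts = {ip for _, ip in st.failures}
            if len(hosts) >= self.DISTRIBUTED_HOSTS:
                self._fire("alert_human", "distributed", ev,
                           f"distributed failed log ins from {len(hosts)} hosts")
            elif len(st.failures) > self.RELATIVE_FACTOR * st.baseline_failures:
                self._fire("alert_human", "relative", ev, "failed log ins above this user's baseline")
        elif ev.geo not in self.GEO_WHITELIST:  # a successful log in from an unexpected country
            self._fire("block_ip", "geo", ev, f"log in from non-whitelisted geo {ev.geo}")


def run_sample():
    """Feed a constructed sample stream (not real data) through the analytic."""
    actions = {name: (lambda ev, reason, n=name: print(f"[{n}] {ev.user}@{ev.src_ip}: {reason}"))
               for name in ("alert_human", "block_ip", "create_ticket")}
    engine = RealtimeAuthAnalytic(actions)
    t = 1_700_000_000.0
    stream = [
        AuthEvent(t + 0,  "alice", "10.0.0.5", "vpn-gw", "failure", "US"),
        AuthEvent(t + 10, "alice", "10.0.0.6", "vpn-gw", "failure", "US"),
        AuthEvent(t + 20, "alice", "10.0.0.7", "vpn-gw", "failure", "US"),  # third host: distributed
        AuthEvent(t + 25, "alice", "10.0.0.8", "vpn-gw", "failure", "US"),  # same rule, same window: no repeat
        AuthEvent(t + 30, "bob", "10.0.1.2", "mail", "failure", "US"),
        AuthEvent(t + 40, "bob", "10.0.1.2", "mail", "failure", "US"),
        AuthEvent(t + 50, "bob", "10.0.1.2", "mail", "failure", "US"),
        AuthEvent(t + 60, "bob", "10.0.1.2", "mail", "failure", "US"),      # 4 > 3 x baseline: relative
        AuthEvent(t + 70, "svc_backup", "10.0.2.9", "fileshare", "failure", "US"),  # service acct
        AuthEvent(t + 80, "carol", "203.0.113.4", "webmail", "success", "BR"),      # non-whitelisted geo
        AuthEvent(t + 90, "dave", "10.0.3.3", "webmail", "success", "US"),          # benign
    ]
    for ev in stream:
        engine.process(ev)
    return engine.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The per-actor state is what turns a stream of isolated log lines into an analytic: the same failure is judged against what the account itself has done in the last window, and the `fired` set keeps one burst from re-alerting on every subsequent event. Real deployments would replace the print stubs with ticketing and enforcement integrations and would learn `baseline_failures` from history rather than hard-coding it.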
Real-Time Security Analytics
Click Modules | Click Platform | Click Labs
• Programmable Real-time Analytics
• Captured Intelligence
• “Lego” building blocks
• Stream Processing Engine
• Dynamic Visualizations
• Interactive Workbooks
• Highly Scalable
• Security Threat Expertise
• Protocol / Application Savvy
• Module Development
• Customer Environment Assessment
14
Solution Requirements…
• Lots of data sources …in their full glory
• 100’s to 1000’s of complex statistical, heuristic, and behavioral correlation analytics running persistently
• Accuracy
• Parallel processing real-time data crunching and visualization engine
• Automated, Real-time Contextualization
15
Flow Events: Client Entity, Server Entity, Time First / Last Active, Flow Type, Transport Protocol, Application Protocol, Prior / Current State, Byte / Packet Count, Session ID, Other Entities
Authentication Events: Client Entity, Server Entity, Authentication Time, Protocol Type, Result, Message, Other Entities
Access Events: Client Entity, Server Entity, Access Time, Resource Type, Result, Message, Other Entities
Security Events: Client Entity, Server Entity, Detection Time, Rule, Result, Message, Other Entities
Actor / Entity: Username, Hostname, Entity Type, Time First / Last Active, IP Address, MAC Address, Recent Network Flows, Recent Authentications, Recent Accesses, Recent Security Events, DHCP Lease, NAT Lease, VPN Lease, Other Entities
Augmentation Modules / Utility Modules:
- Directory Lookup
- HRIS Information
- DHCP Information
- WHOIS Information
- O/S Fingerprint Data
- NMAP Assessments
- Anti-Virus Information
- Asset Information Data
- Vulnerability Scan Data
- Geo-Location Information
- Entity Severity Information
- Password Cracking Information
- Network Monitoring Information
- Firewall Configuration and Logs
- IDS/IPS Configuration and Logs
- Forward & Reverse DNS Resolution
- Blacklist/Whitelist Reputational Data
Analysis Modules:
- Routing Anomalies
- Malicious Callbacks
- SPAM Relay Detector
- Proxy Bypass Detector
- Information Ex-filtration
- Suspicious Web Traffic
- Covert Channel Detector
- Suspicious Data Access
- Anomalous User Behavior
- Anomalous Email Detector
- Suspicious Account Lockouts
- Firewall Rule Analysis Module
- Anomalous Endpoint Behavior
- Data Storage/Access Anomalies
- Compromised Account Detection
- Inappropriate Resource Utilization
- Anomalous Network Transmission
Other diagram boxes: Action Modules, External System
16
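As an added example, not code from the deck or from Click Security, the Python sketch below shows the contextualization step this slide describes: normalized flow, authentication, access and security events are attached to per-actor records carrying the entity fields listed above (username, hostname, entity type, first/last active, IP and MAC, recent events of each kind, DHCP lease), with augmentation drawn from DHCP, directory/asset, geo-location and blacklist lookups, and a severity score that supports actor prioritization. Every table, event, field name and severity weight here is a constructed assumption; the addresses are documentation ranges.

```python
# Added example (not Click Security's code): contextualizing normalized events into
# augmented per-actor records. All lookup tables, events and weights are constructed.
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

RECENT = 5  # recent events of each kind kept per actor (assumption)

# Constructed stand-ins for the DHCP, directory/asset, geo-location and
# blacklist augmentation modules. Addresses are RFC 5737 documentation ranges.
DHCP_LEASES = {"10.0.0.5": {"mac": "00:11:22:33:44:55", "hostname": "wks-0042",
                            "expires": 1_700_003_600.0}}
DIRECTORY = {"wks-0042": {"username": "alice", "entity_type": "workstation"}}
ASSETS = {"10.0.1.10": {"hostname": "web-1", "entity_type": "server"}}
GEO = {"203.0.113.9": "CN", "10.0.0.5": "internal", "10.0.1.10": "internal"}
BLACKLIST = {"203.0.113.9"}
RULE_SEVERITY = {"HTTP buffer overflow": 3, "SQL injection": 3, "Proxy bypass": 1}


@dataclass
class Actor:
    ip: str
    username: Optional[str] = None
    hostname: Optional[str] = None
    entity_type: str = "unknown"
    mac: Optional[str] = None
    dhcp_lease: Optional[dict] = None
    geo: Optional[str] = None
    blacklisted: bool = False
    first_active: Optional[float] = None
    last_active: Optional[float] = None
    severity: int = 0
    recent_flows: deque = field(default_factory=lambda: deque(maxlen=RECENT))
    recent_auths: deque = field(default_factory=lambda: deque(maxlen=RECENT))
    recent_accesses: deque = field(default_factory=lambda: deque(maxlen=RECENT))
    recent_security: deque = field(default_factory=lambda: deque(maxlen=RECENT))


BUCKET = {"flow": "recent_flows", "auth": "recent_auths",
          "access": "recent_accesses", "security": "recent_security"}


class Contextualizer:
    def __init__(self):
        self.actors = {}  # ip -> Actor

    def actor(self, ip):
        """Get or create the actor record for an IP, applying augmentation once."""
        if ip in self.actors:
            return self.actors[ip]
        a = Actor(ip=ip)
        if ip in DHCP_LEASES:                       # dynamic client: lease gives MAC and hostname
            lease = DHCP_LEASES[ip]
            a.mac, a.hostname, a.dhcp_lease = lease["mac"], lease["hostname"], lease
        elif ip in ASSETS:                          # static asset inventory entry
            a.hostname, a.entity_type = ASSETS[ip]["hostname"], ASSETS[ip]["entity_type"]
        if a.hostname in DIRECTORY:                 # directory lookup by hostname
            a.username = DIRECTORY[a.hostname].get("username")
            a.entity_type = DIRECTORY[a.hostname]["entity_type"]
        a.geo = GEO.get(ip, "external")
        a.blacklisted = ip in BLACKLIST
        self.actors[ip] = a
        return a

    def ingest(self, ev):
        """Attach one normalized event to both its client and server entity."""
        bucket = BUCKET[ev["kind"]]
        for role in ("client", "server"):
            a = self.actor(ev[role])
            a.first_active = ev["time"] if a.first_active is None else min(a.first_active, ev["time"])
            a.last_active = ev["time"] if a.last_active is None else max(a.last_active, ev["time"])
            getattr(a, bucket).append(ev)
        if ev["kind"] == "security":                # the client is the entity that acted
            self.actor(ev["client"]).severity += RULE_SEVERITY.get(ev["rule"], 1)

    def prioritized(self):
        """Actors ordered for a 'top actors by critical events' style view."""
        return sorted(self.actors.values(), key=lambda a: (a.severity, a.blacklisted), reverse=True)


def build_sample():
    """Ingest a constructed event stream (not real data) and return the contextualizer."""
    t = 1_700_000_000.0
    events = [
        {"kind": "flow", "client": "203.0.113.9", "server": "10.0.1.10", "time": t,
         "transport": "tcp", "app": "http", "bytes": 48_212},
        {"kind": "security", "client": "203.0.113.9", "server": "10.0.1.10", "time": t + 5,
         "rule": "HTTP buffer overflow", "result": "detected"},
        {"kind": "security", "client": "203.0.113.9", "server": "10.0.1.10", "time": t + 7,
         "rule": "SQL injection", "result": "detected"},
        {"kind": "auth", "client": "10.0.0.5", "server": "10.0.1.10", "time": t + 9,
         "protocol": "https-form", "result": "success"},
        {"kind": "access", "client": "10.0.0.5", "server": "10.0.1.10", "time": t + 12,
         "resource": "/admin/export.csv", "result": "allowed"},
    ]
    ctx = Contextualizer()
    for ev in events:
        ctx.ingest(ev)
    return ctx


if __name__ == "__main__":
    for a in build_sample().prioritized():
        print(a.ip, a.hostname, a.username, a.geo, a.blacklisted, a.severity)
```

The point of keying everything by actor is that an analyst opening the record for `203.0.113.9` sees its geo, its blacklist status, the flow and the two security detections against `web-1` together, instead of three separate log sources; the server record carries the same events from the other side, so the victim's recent activity is equally one lookup away.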
Different Strokes…
SIEM (RDBMS): Processor + Data Storage; SERIAL Query Analytic; Crunch Time: Hours to Days; Good for: Compliance Mgmt (Limited data volume processing, simple alerting)
Batch Query Analytics (Distributed Map Reduce): multiple Processor + Memory + Data Storage nodes; SERIAL Query Analytic; Crunch Time: Minutes; Good for: Forensic Analysis (Large data volume processing, but not large # analytics)
RtSA (Stream Processing Engine): Processor + Data in Memory; PARALLEL Query Analytic; Crunch Time: Seconds; Good for: Real-time Analytics (Large data volume processing, AND large # concurrent analytics)
17
Example Analytics Application: RtSA Tracker
Actor Prioritization
Actor Fanout
Automated Histogram of High Anomaly Actors
Automated Fan-out of Actor Connectivity
RtSA
18
RtSA Tracker Workbook
Blacklisted Actors by Country
Actor Location: 43 blacklisted actors by country of origin
Actor Relationships: Selected actors (Germany, Bahamas, and US) relationships by status and communications
Actor Activity: Blacklisted actors: email servers receiving transmissions from a handful of systems on a protected network
• Miners ingest 100,000+ events into “human usable” tables
• Interpreters apply Click Lab’s application and protocol knowledge to the data
• Analyzers automatically contextualize event, flow, authentication, access and augmentation data to 12,000+ actors
• RtSA Tracker’s Blacklist Workbook brings visual acuity to 43 blacklisted Actors
19
RtSA Tracker Workbook
Total Critical: Top 25 Actors by Critical Event Count
20
• Actor is an internal system with a reserved IP address (blue)
• Actor is attacking an internal (blue) web server with a variety of HTTP-based attacks, including buffer overflows and SQL injection
• Actor is sending malicious java to an internal web server
• Victim of the HTTP attacks has initiated HTTPS connections with four external systems (the rightmost fanout pattern); three in the US (gray), one in Europe (pink)
• Attacker is logged in, anonymously, to an FTP server – and is actively transferring data. The blue (internal) node top left also anonymously logged into same FTP server.
• The gold-colored node is from Asia – actor’s IP address is dynamically assigned from China’s hinet.net, a broadband ISP – and a well-known haven for hackers and phishing activity
RtSA Workflow
Workflow diagram labels: External Triggers; Lockdown Action; Interactive Reporting; Confident; Needs Investigation; Dynamic Workbooks; Click Modules; Real-time Stream Processing; Understood & Actionable; New Module Authoring; Real-time Investigation; Batch Process Investigation
21
Market Evolution
Real-time Security Analytics
Big Data Analytics
Batch Query Analytics
Big Data Search
SIEM
Compliance Reporting
Log Management
Forensic Archive
22
RtSA Solution Benefits
Find and Stop Attack Activity – Early in the Kill Chain
• Actor-tracking contextualizes big data into prioritized, in-depth
security visibility - automatically
Speed & Simplify Analysis / Incident Response Process
• Dynamic Workbooks provide real-time visualization, interactive
data analysis, and immediate results encoding
Modular Analytics Evolve with Changing Threat Landscape
• Click Labs continually adds new Workbooks and Click Modules
• Analysts can quickly and easily create their own
Leverage Existing Information and Enforcement Infrastructure
• No rip and replace. Utilize existing data sources and enforcement
points.
23
REAL-TIME SECURITY ANALYTICS
AUTOMATED INVESTIGATION | AUTOMATED LOCKDOWN
24