Presentation material from Cyber Security Briefing held in Ottawa on June 12, 2013.
- Investigating, Mitigating, and Preventing Cyber Attacks with Security Analytics and Visualization - Presented by: Orion Suydam, Director of Product Management, 21CT
1. Investigating and Preventing Cyber Attacks with Security Analytics and Visualization
Orion Suydam
Director of Product Management, 21CT
June 12, 2013
Unleash Your Data. Secure Your World.
2. About 21CT
Company timeline (1999 to 2013), milestones in order:
• 21CT established as an innovation incubator for the Department of Defense and Intel community
• 21CT applies Graph Pattern Matching technology to Department of Defense projects for detecting terrorist activity
• Commercialization of Graph Pattern Matching in cyber security
• Launch of LYNXeon for the intelligence community
• Launch of LYNXeon for cyber security within DoD
• LYNXeon launches for enterprise cyber security
• LYNXeon releases enhanced graph search for pattern detection
• 21CT surpasses 100 employees
Timeline markers: 1999 2001 2003 2005 2007 2009 2011 2013
8 Patents Awarded and 5 Applied
3. Human Versus Human Battle
You know they are inside your network and you want to go on the offensive.
Protecting the business is YOUR business, and perimeter defenses only stop what they recognize.
Unleash Your Data
4. LYNXeon from 21CT: Security Data Visualization & Analytics
• Provide unprecedented network visibility
• Identify previously hidden malicious behavior
• Determine incident impact with full activity history pre- and post-breach
• Create active defense and go head-to-head against the adversaries
6. Threat Feed Demo (Step 1)
• We’ve imported our favorite threat feed of known bad IP addresses
• Question: Which internal hosts have connected to a known bad IP?
• Answer: 10.0.10.139 initiated 2 port 80 connections to a known bad IP
7. Threat Feed Demo (Step 2)
• We’ve “expanded” on the known bad host to learn more about it
• The good news: no other internal hosts have connected to it
• More good news: we have some detail on one of the port 80 connections
• The bad news: the external website is called “virus-doctor.com”
• Hovering over the HTTP node reveals that a binary was downloaded in the process
8. Threat Feed Demo (Step 3)
• Let’s find other cases of this binary being downloaded from other sites
• We ask the question by clicking on the nodes that represent our pattern of interest: an external host, an internal host, and an HTTP file download
• Note that we retain the MD5 hash of the downloaded file
• With this pattern defined, LYNXeon finds all other instances
9. Threat Feed Demo (Step 4)
• The bad news is that we have identified yet another internal host that downloaded the same file (but from a different external site)
• This new external site was NOT in our threat feed
• So we now have two internal hosts to investigate & remediate and a new external IP to add to our list of known bad IP addresses
• The good news is that no other internal hosts connected to this 2nd host
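The four demo steps above, reproduced as an added Python example (not code from the deck or from LYNXeon): cross-check flow records against a threat feed, then pivot on the MD5 of the downloaded file to find other internal hosts and previously unlisted external IPs. All records, IPs, hostnames and the hash are constructed sample data.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample data (not from the deck): NetFlow-style connections as
# (src, dst, dst_port) and DPI-style HTTP downloads as
# (internal host, external host, Host header, MD5 of downloaded file).
FLOWS = [
    ("10.0.10.139", "203.0.113.5", 80),
    ("10.0.10.139", "203.0.113.5", 80),
    ("10.0.10.22", "198.51.100.8", 80),
    ("10.0.10.51", "93.184.216.34", 443),
]
SAMPLE_MD5 = "deadbeef" * 4  # constructed placeholder hash
DOWNLOADS = [
    ("10.0.10.139", "203.0.113.5", "virus-doctor.com", SAMPLE_MD5),
    ("10.0.10.22", "198.51.100.8", "mirror.example", SAMPLE_MD5),
    ("10.0.10.51", "93.184.216.34", "example.com", "cafebabe" * 4),
]
THREAT_FEED = {"203.0.113.5"}  # constructed "known bad IP" feed

# Treat RFC 1918 space as the internal network (an assumption for this example).
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)

def hosts_talking_to_feed(flows, feed):
    """Step 1: internal hosts that initiated connections to a known bad IP,
    with a connection count per (src, dst, port)."""
    hits = defaultdict(int)
    for src, dst, port in flows:
        if is_internal(src) and dst in feed:
            hits[(src, dst, port)] += 1
    return dict(hits)

def internal_hosts_to(flows, external_ip):
    """Step 2 / Step 4 check: which internal hosts touched a given external IP."""
    return {src for src, dst, _ in flows if dst == external_ip and is_internal(src)}

def pivot_on_file_hash(downloads, feed, flagged_internal):
    """Steps 3-4: take the MD5s fetched by the flagged hosts, find every other
    (internal, external) pair that fetched the same file, and report the
    internal hosts and external IPs that are new (external IPs not in the feed)."""
    bad_hashes = {md5 for src, _, _, md5 in downloads if src in flagged_internal}
    related = [(src, dst, md5) for src, dst, _, md5 in downloads if md5 in bad_hashes]
    new_internal = {src for src, _, _ in related} - set(flagged_internal)
    new_external = {dst for _, dst, _ in related} - set(feed)
    return related, new_internal, new_external
```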
11. “Using LYNXeon is like setting fire to the haystack to find the needle.”
Josh Sokol, National Instruments
12. “Ultimate Malware Intelligence” | “Threat Feed Intelligence” | “Behavioral Analysis Intelligence”
Malware Insight
– Confirmed gaps in malware detection
– Identified other undetected infected hosts
– Extended the value of their perimeter defense
Threat Feed Insight
– Cross-check threat feeds against historical NetFlow and DPI logs
– Identify suspicious host activity
– Find similarly undetected patterns in the network
Hunting Insight
– Reveal hosts not conforming to corporate policy
– Highlight and flag assets acting abnormally
– Find compromised hosts that no detection system will find
13. Malware Insight
LYNXeon in use by National Instruments to extend malware threat defense
Challenge:
• Perimeter defense systems (IPS/IDS, malware detection, etc.) miss attacks
Need:
• Comprehensive malware coverage
“By combining our malware analysis using FireEye and our NetFlow analysis using LYNXeon, we have created a hybrid system capable of far more than either of these tools by themselves. This is the magic of symbiotic security in action.”
--Josh Sokol, NI
14. Malware Insight: Step 1
• Fuse data from existing systems: FireEye & NetFlow
• FireEye alert detected between malicious host and internal host
Figure callouts: FireEye Alert; Malicious host
15. Malware Insight: Step 2
Figure callouts: 1. Original host pair; 2. Other hosts; 3. LYNXeon analytic reveals potential command and control hosts
LYNXeon:
– Reveals other compromised hosts and potentially malicious external hosts
– Extends the value of perimeter defenses
16. Threat Feed Insights
Challenge:
• US Air Force receives a constant stream of intelligence feeds from various sources
• Analysts typically have limited experience to utilize and respond to threat feeds
Need:
• Analysts must quickly answer:
– Have we seen these threats on our network?
– How did a threat propagate?
– Who was affected?
“First term airmen with limited experience can easily operate LYNXeon, developing their own query patterns to uncover suspicious and potentially threatening network activity.”
--Air Force, Cyber Threat Analysis Lead
17. Threat Feed Insights
• In seconds determine which hosts are talking to known bad sites
• Further investigation quickly reveals the depth of the problem
Figure callouts: These hosts have talked to known bad host; Were files downloaded?; From which other sites were these files downloaded?
18. Hunting Insight
Challenge:
• Investigating anomalous network behavior to proactively remediate issues
Need:
• Implement active defenses and stay ahead of the threat
Rackspace also uses LYNXeon for “proactive hunting” to uncover abnormalities and is revealing surprising results.
19. Hunting for Anomalies
• Rapidly visualize the network and observe the behavior of high value assets
• Find managed assets using external DNS
• LYNXeon uncovers a managed asset using more than 216 different external DNS servers in one day
Figure callouts: Domain Controllers; Internal system connecting to myriad external DNS
20. Hunting for Anomalies
Policy violation: web traffic leaving domain controllers
LYNXeon:
– Reveals hosts not conforming to corporate policy, helping IT resolve policy issues
– In the best case: a policy violation
– In the worst case: a compromised asset
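The two hunts on slides 19 and 20, written as an added Python example (not code from the deck or from LYNXeon) over constructed one-day flow records: count the distinct external DNS servers each internal host queried, and flag web traffic that domain controllers originate toward external hosts. The asset inventory, sanctioned resolvers, flow records and the threshold argument are all assumptions made for this example; the deck's own finding was a host using more than 216 external DNS servers in one day.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed asset inventory (assumption): the domain controllers also act as
# the sanctioned internal DNS resolvers.
DOMAIN_CONTROLLERS = {"10.0.1.10", "10.0.1.11"}
CORPORATE_RESOLVERS = {"10.0.1.10", "10.0.1.11"}

# Constructed one-day NetFlow-style records: (src, dst, dst_port, proto).
FLOWS = [
    ("10.0.5.77", "10.0.1.10", 53, "udp"),                                  # sanctioned lookup
    *[("10.0.5.77", f"198.51.100.{i}", 53, "udp") for i in range(1, 6)],    # 5 external resolvers
    ("10.0.5.78", "10.0.1.11", 53, "udp"),
    ("10.0.1.10", "10.0.5.78", 445, "tcp"),                                 # normal DC traffic
    ("10.0.1.10", "203.0.113.9", 80, "tcp"),                                # policy violation
    ("10.0.1.11", "203.0.113.9", 443, "tcp"),                               # policy violation
    ("10.0.5.79", "203.0.113.9", 443, "tcp"),                               # workstation, allowed
]

# Treat RFC 1918 space as the internal network (an assumption for this example).
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)

def external_dns_usage(flows, resolvers):
    """Distinct external DNS servers per internal host, ignoring the
    sanctioned corporate resolvers. Returns {host: count}."""
    servers = defaultdict(set)
    for src, dst, port, _ in flows:
        if port == 53 and is_internal(src) and dst not in resolvers and not is_internal(dst):
            servers[src].add(dst)
    return {host: len(s) for host, s in servers.items()}

def hosts_over_dns_threshold(flows, resolvers, threshold):
    """Managed assets whose external-resolver count reaches the threshold;
    the threshold is a tuning parameter for the environment."""
    return {h for h, n in external_dns_usage(flows, resolvers).items() if n >= threshold}

def web_traffic_from_dcs(flows, dcs, web_ports=(80, 443)):
    """Policy check: domain controllers should not originate web traffic to
    external hosts. Returns the offending (dc, dst, port) triples, sorted."""
    return sorted((src, dst, port) for src, dst, port, _ in flows
                  if src in dcs and port in web_ports and not is_internal(dst))
```

Each flagged item is a lead for an analyst, not a verdict: a workstation with a local resolver override is a policy problem, a domain controller browsing the web warrants a compromise investigation.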
21. 6011 W Courtyard Dr, Building 5, Suite 300, Austin, TX 78730
Phone: 512.682.4700
Fax: 512.682.4701
www.21CT.com