1. Investigating and Preventing Cyber Attacks with Security Analytics and Visualization
Orion Suydam, Director of Product Management, 21CT
June 12, 2013
Unleash Your Data. Secure Your World.
2. About 21CT
Milestones, in order, on a timeline running 1999, 2001, 2003, 2005, 2007, 2009, 2011, 2013:
•  21CT established: innovation incubator for the Department of Defense and Intel community
•  21CT applies Graph Pattern Matching technology to Department of Defense projects for detecting terrorist activity
•  Commercialization of Graph Pattern Matching in cyber security
•  Launch of LYNXeon for the intelligence community
•  Launch of LYNXeon for cyber security within DoD
•  LYNXeon launches for enterprise cyber security
•  LYNXeon releases enhanced graph search for pattern detection
8 Patents Awarded and 5 Applied
21CT surpasses 100 employees
3. Human Versus Human Battle
You know they are inside your network and you want to go on the offensive.
Protecting the business is YOUR business, and perimeter defenses only stop what they recognize.
Unleash Your Data

4. LYNXeon from 21CT: Security Data Visualization & Analytics
•  Provide unprecedented network visibility
•  Identify previously hidden malicious behavior
•  Determine incident impact with full activity history pre- and post-breach
•  Create active defense and go head-to-head against the adversaries
5. LYNXeon Demo: Threat Feed Insights

6. Threat Feed Demo (Step 1)
•  We’ve imported our favorite threat feed of known bad IP addresses
•  Question: Which internal hosts have connected to a known bad IP?
•  Answer: 10.0.10.139 initiated 2 port 80 connections to a known bad IP

7. Threat Feed Demo (Step 2)
•  We’ve “expanded” on the known bad host to learn more about it
•  The good news: no other internal hosts have connected to it
•  More good news: we have some detail on one of the port 80 connections
•  The bad news: the external website is called “virus-doctor.com”
•  Hovering over the HTTP node reveals that a binary was downloaded in the process

8. Threat Feed Demo (Step 3)
•  Let’s find other cases of this binary being downloaded from other sites
•  We ask the question by clicking on the nodes that represent our pattern of interest: an external host, an internal host, and an HTTP file download
•  Note that we retain the MD5 hash of the downloaded file
•  With this pattern defined, LYNXeon finds all other instances

9. Threat Feed Demo (Step 4)
•  The bad news is that we have identified yet another internal host that downloaded the same file (but from a different external site)
•  This new external site was NOT in our threat feed
•  So we now have two internal hosts to investigate & remediate and a new external IP to add to our list of known bad IP addresses
•  The good news is that no other internal hosts connected to this 2nd host
10. LYNXeon Use Cases

11. “Using LYNXeon is like setting fire to the haystack to find the needle.”
Josh Sokol, National Instruments

12. “Ultimate Malware Intelligence” | “Threat Feed Intelligence” | “Behavioral Analysis Intelligence”
Malware Insight
–  Confirmed gaps in malware detection
–  Identified other undetected infected hosts
–  Extended the value of their perimeter defense
Threat Feed Insight
–  Cross-check threat feeds against historical NetFlow and DPI logs
–  Identify suspicious host activity
–  Find similarly undetected patterns in the network
Hunting Insight
–  Reveal hosts not conforming to corporate policy
–  Highlight and flag assets acting abnormally
–  Find compromised hosts that no detection system will find
13. Malware Insight
LYNXeon in use by National Instruments to extend malware threat defense.
Challenge:
•  Perimeter defense systems (IPS/IDS, malware detection, etc.) miss attacks
Need:
•  Comprehensive malware coverage
“By combining our malware analysis using FireEye and our NetFlow analysis using LYNXeon, we have created a hybrid system capable of far more than either of these tools by themselves. This is the magic of symbiotic security in action.”
--Josh Sokol, NI

14. Malware Insight: Step 1
•  Fuse data from existing systems: FireEye & NetFlow
•  FireEye alert detected between malicious host and internal host
(Graph: FireEye alert linking the malicious host to the internal host)
15. Malware Insight: Step 2
(Graph: 1. original host pair; 2. other hosts; 3. LYNXeon analytic reveals potential command and control hosts)
LYNXeon:
–  Reveals other compromised hosts and potentially malicious external hosts
–  Extends the value of perimeter defenses
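The four Threat Feed Demo steps (slides 6 to 9) and the Malware Insight expansion on slide 15 follow the same pattern: match a feed entry, expand on the external host, pivot on the downloaded file's hash, then look for external hosts the suspect internals share. The Python below is an added example, not LYNXeon's or 21CT's code: it runs that pivot over constructed flow/DPI records (RFC 5737 test-net addresses, fabricated MD5s), and the Flow fields, the 10.x internal-network convention and the `min_shared` rule for command-and-control candidates are assumptions.

```python
"""Graph-style pivoting over flow/DPI records: feed hit -> expand -> MD5 pivot -> C2 candidates."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """One NetFlow/DPI record: who talked to whom, on which port, and what (if anything) was fetched."""
    src: str
    dst: str
    dport: int
    url: Optional[str] = None   # set when DPI saw an HTTP request
    md5: Optional[str] = None   # set when DPI saw a file body in the response


# Constructed sample data (RFC 5737 addresses, fabricated hashes); none of it comes from the deck.
MD5_A = "0123456789abcdef0123456789abcdef"  # constructed hash of the dropped binary
MD5_B = "fedcba9876543210fedcba9876543210"  # constructed hash of a benign file
FLOWS = [
    Flow("10.0.10.139", "203.0.113.7", 80),                                                  # virus-doctor.com, 1st hit
    Flow("10.0.10.139", "203.0.113.7", 80, "http://virus-doctor.com/update.exe", MD5_A),     # 2nd hit, binary seen
    Flow("10.0.10.57", "198.51.100.23", 80, "http://files.example/setup.exe", MD5_A),        # same binary, new site
    Flow("10.0.10.12", "192.0.2.10", 80, "http://cdn.example/readme.pdf", MD5_B),            # unrelated download
    Flow("10.0.10.139", "198.51.100.99", 443),   # both infected hosts talk to one more external host
    Flow("10.0.10.57", "198.51.100.99", 443),
    Flow("10.0.10.12", "192.0.2.10", 443),
]
THREAT_FEED = {"203.0.113.7"}  # constructed feed entry standing in for the "known bad IP"


def is_internal(ip: str) -> bool:
    """Assumed convention: the internal network is 10.0.0.0/8."""
    return ip.startswith("10.")


def hosts_contacting(flows, bad_ips):
    """Step 1: internal hosts with connections to a feed entry, with their connection counts."""
    hits = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and f.dst in bad_ips:
            hits[f.src] += 1
    return dict(hits)


def expand_external(flows, external):
    """Step 2 / Malware Insight step 2: every internal host that talked to this external host."""
    return {f.src for f in flows if f.dst == external and is_internal(f.src)}


def downloaded_md5s(flows, external):
    """Hashes of files fetched from this external host (the 'binary was downloaded' detail)."""
    return {f.md5 for f in flows if f.dst == external and f.md5}


def pivot_on_md5(flows, md5):
    """Step 3: the pattern internal host -> HTTP download -> external host, keyed by file hash."""
    return {(f.src, f.dst) for f in flows if f.md5 == md5 and is_internal(f.src)}


def candidate_c2(flows, internals, known_bad, min_shared=2):
    """External hosts contacted by at least `min_shared` suspect internals and not already known bad."""
    contacts = defaultdict(set)
    for f in flows:
        if f.src in internals and not is_internal(f.dst):
            contacts[f.dst].add(f.src)
    return {ext for ext, srcs in contacts.items() if len(srcs) >= min_shared and ext not in known_bad}


def investigate(flows, feed):
    """Run the demo steps end to end and return what an analyst would act on."""
    hits = hosts_contacting(flows, feed)           # step 1
    suspects, new_externals = set(hits), set()
    for external in feed:
        for md5 in downloaded_md5s(flows, external):   # step 2
            for internal, site in pivot_on_md5(flows, md5):   # step 3
                suspects.add(internal)
                if site not in feed:                   # step 4: a site the feed did not know
                    new_externals.add(site)
    c2 = candidate_c2(flows, suspects, feed | new_externals)
    return {"hits": hits, "remediate": suspects, "add_to_feed": new_externals, "c2_candidates": c2}


if __name__ == "__main__":
    for key, value in investigate(FLOWS, THREAT_FEED).items():
        print(f"{key}: {value}")
```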
16. Threat Feed Insights
Challenge:
•  US Air Force receives a constant stream of intelligence feeds from various sources
•  Analysts typically have limited experience to utilize and respond to threat feeds
Need:
•  Analysts must quickly answer:
–  Have we seen these threats on our network?
–  How did a threat propagate?
–  Who was affected?
“First term airmen with limited experience can easily operate LYNXeon, developing their own query patterns to uncover suspicious and potentially threatening network activity.”
--Air Force, Cyber Threat Analysis Lead

17. Threat Feed Insights
•  In seconds determine which hosts are talking to known bad sites
•  Further investigation quickly reveals the depth of the problem
(Graph annotations: These hosts have talked to a known bad host; Were files downloaded?; From which other sites were these files downloaded?)
18. Hunting Insight
Challenge:
•  Investigating anomalous network behavior to proactively remediate issues
Need:
•  Implement active defenses and stay ahead of the threat
Rackspace also uses LYNXeon for “proactive hunting” to uncover abnormalities and is revealing surprising results.

19. Hunting for Anomalies
•  Rapidly visualize the network and observe the behavior of high value assets
•  Find managed assets using external DNS
•  LYNXeon uncovers a managed asset using more than 216 different external DNS servers in one day
(Graph annotations: Domain controllers; Internal system connecting to myriad external DNS)

20. Hunting for Anomalies
Policy violation: web traffic leaving domain controllers
LYNXeon:
–  Reveals hosts not conforming to corporate policy, helping IT resolve policy issues
–  In the best case: a policy violation
–  In the worst case: a compromised asset
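The two hunts on slides 19 and 20, written as detection logic over constructed NetFlow-style records (added example, not LYNXeon's or 21CT's code): the first counts distinct external DNS servers per internal host per day, the second flags web traffic that a domain controller originates toward the internet. The domain-controller inventory, the 10.x internal convention and the fan-out threshold are assumptions, and the records are fabricated with RFC 5737 addresses.

```python
"""Two hunts from the deck: external-DNS fan-out per host per day, and web egress from domain controllers."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Flow:
    ts: datetime   # flow start time
    src: str
    dst: str
    dport: int


# Assumed environment facts (not from the deck): which hosts are domain controllers.
DOMAIN_CONTROLLERS = {"10.0.0.5", "10.0.0.6"}
WEB_PORTS = {80, 443}


def is_internal(ip: str) -> bool:
    """Assumed convention: the internal network is 10.0.0.0/8."""
    return ip.startswith("10.")


def build_sample_flows():
    """Constructed records for one day; externals use RFC 5737 test-net ranges."""
    day = datetime(2013, 6, 11, 0, 0)
    flows = []
    # A managed host that resolves names through 217 distinct external servers in one day.
    for i in range(1, 218):
        flows.append(Flow(day + timedelta(minutes=i), "10.0.10.77", f"203.0.113.{i}", 53))
    # An ordinary workstation: the corporate resolver plus one stray external resolver.
    flows.append(Flow(day + timedelta(hours=9), "10.0.10.12", "10.0.0.1", 53))
    flows.append(Flow(day + timedelta(hours=10), "10.0.10.12", "198.51.100.53", 53))
    # Domain controllers: one behaves, one opens an outbound HTTPS session to the internet.
    flows.append(Flow(day + timedelta(hours=1), "10.0.0.5", "10.0.0.1", 53))
    flows.append(Flow(day + timedelta(hours=2), "10.0.0.5", "192.0.2.44", 443))
    flows.append(Flow(day + timedelta(hours=1), "10.0.0.6", "10.0.0.2", 53))
    return flows


FLOWS = build_sample_flows()


def external_dns_fanout(flows, threshold):
    """Hunt 1: distinct external DNS servers per (internal host, day); report hosts above `threshold`.
    Keys are (host, ISO date) so the result is plain data."""
    seen = defaultdict(set)
    for f in flows:
        if f.dport == 53 and is_internal(f.src) and not is_internal(f.dst):
            seen[(f.src, f.ts.date().isoformat())].add(f.dst)
    return {key: len(servers) for key, servers in seen.items() if len(servers) > threshold}


def dc_web_egress(flows, controllers):
    """Hunt 2: web traffic (80/443) leaving a domain controller for an external host.
    Best case a policy violation, worst case a compromised asset; either way it gets a ticket."""
    return sorted({(f.src, f.dst, f.dport) for f in flows
                   if f.src in controllers and f.dport in WEB_PORTS and not is_internal(f.dst)})


def hunt(flows, fanout_threshold=10):
    """Run both hunts; the threshold is an assumed tuning value, not one from the deck."""
    return {"dns_fanout": external_dns_fanout(flows, fanout_threshold),
            "dc_web_egress": dc_web_egress(flows, DOMAIN_CONTROLLERS)}


if __name__ == "__main__":
    for key, value in hunt(FLOWS).items():
        print(f"{key}: {value}")
```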
21. 21CT
6011 W Courtyard Dr, Building 5, Suite 300, Austin, TX 78730
Phone: 512.682.4700
Fax: 512.682.4701
www.21CT.com
