SlideShare una empresa de Scribd logo
1 de 48
Descargar para leer sin conexión
APTs and the Failure of Prevention Wayne Goeckeritz Director of Channels, NetWitness Corporation [email_address] ,[object Object]
Agenda ,[object Object],[object Object],[object Object],[object Object]
Malware/APT continues to grow “ State of the Internet”  Report, Akamai Technologies
Security SUCKS!
Risk Management 101? ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Who Really 0wns Your Network?
Tracking the Opposing I/T Organization Drop Sites Phishing Keyloggers Botnet Owners Spammers Botnet Services Malware Distribution Service Data Acquisition Service Data Mining & Enrichment Data Sales Cashing $$$ Malware Writers Identity Collectors Credit Card Users Master Criminals Validation Service (Card Checkers) Card Forums ICQ eCommerce Site Retailers Banks eCurrency Drop Service Wire Transfer Gambling Payment Gateways
Are Security Teams Failing?  Definitely… ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
[object Object],[object Object],[object Object],[object Object],Something missing here…
The Malware Problem ,[object Object],[object Object],[object Object],"With security researchers now uncovering close to 100,000 new malware samples a day, the time and resources needed to conduct deep, human analysis on every piece of malware has become overwhelming."  (GTISC Emerging Cyber Threats Report 2011)
Current Technologies Are Failing - Firewalls ,[object Object],[object Object],[object Object],Firewalls
The Gaps in Status Quo Security – IDS/ IPS ,[object Object],[object Object],[object Object],Intrusion Detection/ Prevention Systems
The Gaps in Status Quo Security – Anti-Malware ,[object Object],[object Object],Anti-Malware Technologies From a top AV Vendor Forum
2010 Ponemon Institute Advanced Threats Survey ,[object Object]
2010 Ponemon Institute Advanced Threats Survey ,[object Object]
New Security Concept: “OFFENSE IN DEPTH” ATTACKER FREE TIME Attack Begins System Intrusion Attacker Surveillance Cover-up Complete Access  Probe Leap Frog Attacks Complete  Target Analysis Time Attack Set-up Discovery / Persistence Maintain foothold Cover-up  Starts Attack  Forecast Physical Security Containment & eradication System Reaction Damage Identification Recovery Defender discovery Monitoring & Controls Impact Analysis Response Threat Analysis Attack  Identified Incident  Reporting Need to collapse attacker free time Source:  NERC HILF Report, June 2010 (http://www.nerc.com/files/HILF.pdf)
Copyright 2007 NetWitness Corporation John Smith CISO
Thinking Differently about Network Monitoring ,[object Object]
There ARE specific targets…
What Questions Are Vexing Today? ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Typical Scenario These Days… ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
What’s really happening (in many cases)… ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Sample Approach to Resilience
Today’s adversaries leverage every weakness ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Who is Netwitness ,[object Object]
[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Security Leaders Leverage NetWitness “ Traditional security measures like firewalls, intrusion detection, patch management, anti-virus, single tier DMZs are not enough to stop the new threats.” CISO Major U.S. Federal Agency “ NetWitness is the last security appliance you will ever need to buy.” Josh Corman 451 Group “ NetWitness is a cutting edge vendor for Network Analysis and Visibility.” John Kindervag Forrester Research ,[object Object],[object Object]
Changes on the horizon…
Enabling A Revolution in Network Monitoring ,[object Object]
Understanding the NetWitness Network Monitoring Platform Automated Malware Analysis and Prioritization  Automated Threat Reporting, Alerting and Integration Freeform Analytics for Investigations and Real-time Answers Revolutionary Visualization of Content for Rapid Review
Signature-Free, Automated Malware Analysis, Prioritization, and Workflow Spectrum ,[object Object],[object Object],[object Object],[object Object]
Automated Analysis, Reporting and Alerting Informer ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Getting Answers to the Toughest Questions ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Investigator
A New Way to Look at Information ,[object Object],[object Object],[object Object],[object Object],Visualize
Case Study ,[object Object]
Finding bad things on the network: Are all ZeuS variants created equal?
Realities: Continued Targeted Attacks Against USG Assets ,[object Object],[object Object],[object Object],Subject: DEFINING AND DETERRING CYBER WAR From: ctd@nsa.gov U.S. Army War College, Carlisle Barracks, PA 17013‐5050 December 2009 DEFINING AND DETERRING CYBER WAR Since the advent of the Internet in the 1990s, not all users have acted in cyberspace for peaceful purposes. In fact, the threat and impact of attack in and through cyberspace has continuously grown to the extent that cyberspace has emerged as a setting for war on par with land, sea, air, and space, with increasing potential to damage the national security of states, as illustrated by attacks on Estonia and Georgia. Roughly a decade after the advent of the Internet, the international community still has no codified, sanctioned body of norms to govern state action in cyberspace. Such a body of norms, or regime, must be established to deter aggression in cyberspace. This project explores the potential for cyber attack to cause exceptionally grave damage to a state’s national security, and examines cyber attack as an act of war. The paper examines efforts to apply existing international norms to cyberspace and also assesses how traditional concepts of deterrence apply in cyberspace. The project concludes that cyber attack, under certain conditions, must be treated as an act of war, that deterrence works to dissuade cyber aggression, and provides recommendations to protect American national interests. Source:  iSightpartners
 
Which AV Product Sucks the LEAST!!! ?
“ DPRK has carried out nuclear missile attack on Japan” ,[object Object],[object Object],[object Object]
Infection Progression – Nothing Unusual ,[object Object],[object Object],[object Object]
Further Network Forensics Evidence… ,[object Object],[object Object]
[object Object],[object Object],[object Object],[object Object]
Files harvested from victim machines in drop server (located in Minsk, Belarus) ,[object Object]
[object Object]
Conclusions
Combating Advanced Threats Requires More and Better Information… Highest Value     Lowest  Value Data Source Description Firewalls, Gateways, etc. IDS Software NetFlow Monitoring SEIM Software Real-time Network Forensics (NetWitness) Overwhelming amounts of data with little context, but can be valuable when used within a SEIM and in conjunction with network forensics. For many organizations, the only indicator of a problem, only for known exploits. Can produce false positives and limited by signature libraries.  Network performance management and network behavioral anomaly detection (NBAD) tools. Indicators of changes in traffic flows within a given period, for example, DDOS.  Limited by lack of context and content. Correlates IDS and other network and security event data and improves signal to noise ratio.  Is valuable to the extent that data sources have useful information and are properly integrated, but lacks event context that can be provides by network forensics. Collects the richest network data. Provides a deeper level of advanced threat identification and situational awareness.  Provides context and content to all other data sources and acts as a force multiplier.
Take-Away ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Copyright 2007 NetWitness Corporation
Q&A ,[object Object],[object Object],[object Object],[object Object],[object Object],Know Everything…Answer Anything.

Más contenido relacionado

La actualidad más candente

Info Security - Vulnerability Assessment
Info Security - Vulnerability AssessmentInfo Security - Vulnerability Assessment
Info Security - Vulnerability AssessmentMarcelo Silva
 
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516Yasser Mohammed
 
How to Detect a Cryptolocker Infection with AlienVault USM
How to Detect a Cryptolocker Infection with AlienVault USMHow to Detect a Cryptolocker Infection with AlienVault USM
How to Detect a Cryptolocker Infection with AlienVault USMAlienVault
 
Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)Dan Morrill
 
Common Techniques To Identify Advanced Persistent Threat (APT)
Common Techniques To Identify Advanced Persistent Threat (APT)Common Techniques To Identify Advanced Persistent Threat (APT)
Common Techniques To Identify Advanced Persistent Threat (APT)Yuval Sinay, CISSP, C|CISO
 
Crack the Code
Crack the CodeCrack the Code
Crack the CodeInnoTech
 
Security Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent ThreatsSecurity Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent ThreatsPeter Wood
 
Corporate threat vector and landscape
Corporate threat vector and landscapeCorporate threat vector and landscape
Corporate threat vector and landscapeyohansurya2
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing Netpluz Asia Pte Ltd
 
Data Sheet_What Darktrace Finds
Data Sheet_What Darktrace FindsData Sheet_What Darktrace Finds
Data Sheet_What Darktrace FindsMelissa Lim
 
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...RootedCON
 
Software Security (Vulnerabilities) And Physical Security
Software Security (Vulnerabilities) And Physical SecuritySoftware Security (Vulnerabilities) And Physical Security
Software Security (Vulnerabilities) And Physical SecurityNicholas Davis
 
Introduction to the advanced persistent threat and hactivism
Introduction to the advanced persistent threat and hactivismIntroduction to the advanced persistent threat and hactivism
Introduction to the advanced persistent threat and hactivismGlobal Micro Solutions
 
The Role of Application Control in a Zero-Day Reality
The Role of Application Control in a Zero-Day RealityThe Role of Application Control in a Zero-Day Reality
The Role of Application Control in a Zero-Day RealityLumension
 
VAPT- A Service on Eucalyptus Cloud
VAPT- A Service on Eucalyptus CloudVAPT- A Service on Eucalyptus Cloud
VAPT- A Service on Eucalyptus CloudSwapna Shetye
 

La actualidad más candente (20)

Info Security - Vulnerability Assessment
Info Security - Vulnerability AssessmentInfo Security - Vulnerability Assessment
Info Security - Vulnerability Assessment
 
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
 
How to Detect a Cryptolocker Infection with AlienVault USM
How to Detect a Cryptolocker Infection with AlienVault USMHow to Detect a Cryptolocker Infection with AlienVault USM
How to Detect a Cryptolocker Infection with AlienVault USM
 
Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)
 
Common Techniques To Identify Advanced Persistent Threat (APT)
Common Techniques To Identify Advanced Persistent Threat (APT)Common Techniques To Identify Advanced Persistent Threat (APT)
Common Techniques To Identify Advanced Persistent Threat (APT)
 
RSA Anatomy of an Attack
RSA Anatomy of an AttackRSA Anatomy of an Attack
RSA Anatomy of an Attack
 
Crack the Code
Crack the CodeCrack the Code
Crack the Code
 
Security Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent ThreatsSecurity Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent Threats
 
Corporate threat vector and landscape
Corporate threat vector and landscapeCorporate threat vector and landscape
Corporate threat vector and landscape
 
Vapt life cycle
Vapt life cycleVapt life cycle
Vapt life cycle
 
Is Antivirus (AV) Dead or Just Missing in Action
Is Antivirus (AV) Dead or Just Missing in Action Is Antivirus (AV) Dead or Just Missing in Action
Is Antivirus (AV) Dead or Just Missing in Action
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing
 
Cisa ransomware guide
Cisa ransomware guideCisa ransomware guide
Cisa ransomware guide
 
Data Sheet_What Darktrace Finds
Data Sheet_What Darktrace FindsData Sheet_What Darktrace Finds
Data Sheet_What Darktrace Finds
 
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
 
Software Security (Vulnerabilities) And Physical Security
Software Security (Vulnerabilities) And Physical SecuritySoftware Security (Vulnerabilities) And Physical Security
Software Security (Vulnerabilities) And Physical Security
 
VAPT Infomagnum
VAPT InfomagnumVAPT Infomagnum
VAPT Infomagnum
 
Introduction to the advanced persistent threat and hactivism
Introduction to the advanced persistent threat and hactivismIntroduction to the advanced persistent threat and hactivism
Introduction to the advanced persistent threat and hactivism
 
The Role of Application Control in a Zero-Day Reality
The Role of Application Control in a Zero-Day RealityThe Role of Application Control in a Zero-Day Reality
The Role of Application Control in a Zero-Day Reality
 
VAPT- A Service on Eucalyptus Cloud
VAPT- A Service on Eucalyptus CloudVAPT- A Service on Eucalyptus Cloud
VAPT- A Service on Eucalyptus Cloud
 

Similar a NetWitness

It's Your Move: The Changing Game of Endpoint Security
It's Your Move: The Changing Game of Endpoint SecurityIt's Your Move: The Changing Game of Endpoint Security
It's Your Move: The Changing Game of Endpoint SecurityLumension
 
Cyber warfare introduction
Cyber warfare introductionCyber warfare introduction
Cyber warfare introductionjagadeesh katla
 
How to protect your corporate from advanced attacks
How to protect your corporate from advanced attacksHow to protect your corporate from advanced attacks
How to protect your corporate from advanced attacksMicrosoft
 
LIS3353 SP12 Week 9
LIS3353 SP12 Week 9LIS3353 SP12 Week 9
LIS3353 SP12 Week 9Amanda Case
 
Digital Immunity -The Myths and Reality
Digital Immunity -The Myths and RealityDigital Immunity -The Myths and Reality
Digital Immunity -The Myths and Realityamiable_indian
 
Trends in network security feinstein - informatica64
Trends in network security   feinstein - informatica64Trends in network security   feinstein - informatica64
Trends in network security feinstein - informatica64Chema Alonso
 
The next generation of IT security
The next generation of IT securityThe next generation of IT security
The next generation of IT securitySophos Benelux
 
(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious CodeSatria Ady Pradana
 
Clinic Denial Of Services Case Study
Clinic Denial Of Services Case StudyClinic Denial Of Services Case Study
Clinic Denial Of Services Case StudyMaritza Peterson
 
CSF18 - Incident Response in the Cloud - Yuri Diogenes
CSF18 - Incident Response in the Cloud - Yuri DiogenesCSF18 - Incident Response in the Cloud - Yuri Diogenes
CSF18 - Incident Response in the Cloud - Yuri DiogenesNCCOMMS
 
NetSecurity_ThreatResponder(r)_Capability_Brief_021116_Rev0
NetSecurity_ThreatResponder(r)_Capability_Brief_021116_Rev0NetSecurity_ThreatResponder(r)_Capability_Brief_021116_Rev0
NetSecurity_ThreatResponder(r)_Capability_Brief_021116_Rev0James Perry, Jr.
 
Growing Threat Of Computer Crimes
Growing Threat Of Computer CrimesGrowing Threat Of Computer Crimes
Growing Threat Of Computer CrimesTheresa Singh
 
Operational Security Intelligence
Operational Security IntelligenceOperational Security Intelligence
Operational Security IntelligenceSplunk
 
Anatomy of a cyber attack
Anatomy of a cyber attackAnatomy of a cyber attack
Anatomy of a cyber attackMark Silver
 
Anton Chuvakin on Threat and Vulnerability Intelligence
Anton Chuvakin on Threat and Vulnerability IntelligenceAnton Chuvakin on Threat and Vulnerability Intelligence
Anton Chuvakin on Threat and Vulnerability IntelligenceAnton Chuvakin
 
Infa 610 Final Exam Solutions
Infa 610 Final Exam SolutionsInfa 610 Final Exam Solutions
Infa 610 Final Exam SolutionsChelsea Porter
 
Advantages And Disadvantages Of Ids.pdfAdvantages And Disadvantages Of Ids
Advantages And Disadvantages Of Ids.pdfAdvantages And Disadvantages Of IdsAdvantages And Disadvantages Of Ids.pdfAdvantages And Disadvantages Of Ids
Advantages And Disadvantages Of Ids.pdfAdvantages And Disadvantages Of IdsVeronica Morse
 

Similar a NetWitness (20)

It's Your Move: The Changing Game of Endpoint Security
It's Your Move: The Changing Game of Endpoint SecurityIt's Your Move: The Changing Game of Endpoint Security
It's Your Move: The Changing Game of Endpoint Security
 
185
185185
185
 
Cyber warfare introduction
Cyber warfare introductionCyber warfare introduction
Cyber warfare introduction
 
How to protect your corporate from advanced attacks
How to protect your corporate from advanced attacksHow to protect your corporate from advanced attacks
How to protect your corporate from advanced attacks
 
LIS3353 SP12 Week 9
LIS3353 SP12 Week 9LIS3353 SP12 Week 9
LIS3353 SP12 Week 9
 
Digital Immunity -The Myths and Reality
Digital Immunity -The Myths and RealityDigital Immunity -The Myths and Reality
Digital Immunity -The Myths and Reality
 
Trends in network security feinstein - informatica64
Trends in network security   feinstein - informatica64Trends in network security   feinstein - informatica64
Trends in network security feinstein - informatica64
 
Information security
Information securityInformation security
Information security
 
The next generation of IT security
The next generation of IT securityThe next generation of IT security
The next generation of IT security
 
(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code
 
Clinic Denial Of Services Case Study
Clinic Denial Of Services Case StudyClinic Denial Of Services Case Study
Clinic Denial Of Services Case Study
 
CSF18 - Incident Response in the Cloud - Yuri Diogenes
CSF18 - Incident Response in the Cloud - Yuri DiogenesCSF18 - Incident Response in the Cloud - Yuri Diogenes
CSF18 - Incident Response in the Cloud - Yuri Diogenes
 
NetSecurity_ThreatResponder(r)_Capability_Brief_021116_Rev0
NetSecurity_ThreatResponder(r)_Capability_Brief_021116_Rev0NetSecurity_ThreatResponder(r)_Capability_Brief_021116_Rev0
NetSecurity_ThreatResponder(r)_Capability_Brief_021116_Rev0
 
Growing Threat Of Computer Crimes
Growing Threat Of Computer CrimesGrowing Threat Of Computer Crimes
Growing Threat Of Computer Crimes
 
Operational Security Intelligence
Operational Security IntelligenceOperational Security Intelligence
Operational Security Intelligence
 
C3
C3C3
C3
 
Anatomy of a cyber attack
Anatomy of a cyber attackAnatomy of a cyber attack
Anatomy of a cyber attack
 
Anton Chuvakin on Threat and Vulnerability Intelligence
Anton Chuvakin on Threat and Vulnerability IntelligenceAnton Chuvakin on Threat and Vulnerability Intelligence
Anton Chuvakin on Threat and Vulnerability Intelligence
 
Infa 610 Final Exam Solutions
Infa 610 Final Exam SolutionsInfa 610 Final Exam Solutions
Infa 610 Final Exam Solutions
 
Advantages And Disadvantages Of Ids.pdfAdvantages And Disadvantages Of Ids
Advantages And Disadvantages Of Ids.pdfAdvantages And Disadvantages Of IdsAdvantages And Disadvantages Of Ids.pdfAdvantages And Disadvantages Of Ids
Advantages And Disadvantages Of Ids.pdfAdvantages And Disadvantages Of Ids
 

Más de TechBiz Forense Digital

10 atributos que o seu firewall precisa ter
10 atributos que o seu firewall precisa ter10 atributos que o seu firewall precisa ter
10 atributos que o seu firewall precisa terTechBiz Forense Digital
 
En case cybersecurity automating incident response-bhagtani-5-22-2012 [compat...
En case cybersecurity automating incident response-bhagtani-5-22-2012 [compat...En case cybersecurity automating incident response-bhagtani-5-22-2012 [compat...
En case cybersecurity automating incident response-bhagtani-5-22-2012 [compat...TechBiz Forense Digital
 
Ata srp 015 2010 v1 - marinha - netwitness
Ata srp 015 2010 v1 - marinha - netwitnessAta srp 015 2010 v1 - marinha - netwitness
Ata srp 015 2010 v1 - marinha - netwitnessTechBiz Forense Digital
 
VeriSign iDefense Security Intelligence Services
VeriSign iDefense Security Intelligence ServicesVeriSign iDefense Security Intelligence Services
VeriSign iDefense Security Intelligence ServicesTechBiz Forense Digital
 
Verisign iDefense Security Intelligence Services
Verisign iDefense Security Intelligence ServicesVerisign iDefense Security Intelligence Services
Verisign iDefense Security Intelligence ServicesTechBiz Forense Digital
 
VeriSign iDefense Security Intelligence Services
VeriSign iDefense Security Intelligence ServicesVeriSign iDefense Security Intelligence Services
VeriSign iDefense Security Intelligence ServicesTechBiz Forense Digital
 
Artigo velasquez (combate a crimes digitais)
Artigo velasquez (combate a crimes digitais)Artigo velasquez (combate a crimes digitais)
Artigo velasquez (combate a crimes digitais)TechBiz Forense Digital
 
C:\Fakepath-6 09 10 Financial Fraud Webinar
C:\Fakepath-6 09 10 Financial Fraud WebinarC:\Fakepath-6 09 10 Financial Fraud Webinar
C:\Fakepath-6 09 10 Financial Fraud WebinarTechBiz Forense Digital
 

Más de TechBiz Forense Digital (20)

Casos de sucesso
Casos de sucessoCasos de sucesso
Casos de sucesso
 
Cases forense[2]
Cases forense[2]Cases forense[2]
Cases forense[2]
 
Cnasi sp apresentação marcelo souza
Cnasi sp   apresentação marcelo souzaCnasi sp   apresentação marcelo souza
Cnasi sp apresentação marcelo souza
 
10 atributos que o seu firewall precisa ter
10 atributos que o seu firewall precisa ter10 atributos que o seu firewall precisa ter
10 atributos que o seu firewall precisa ter
 
En case cybersecurity automating incident response-bhagtani-5-22-2012 [compat...
En case cybersecurity automating incident response-bhagtani-5-22-2012 [compat...En case cybersecurity automating incident response-bhagtani-5-22-2012 [compat...
En case cybersecurity automating incident response-bhagtani-5-22-2012 [compat...
 
Insa cyber intelligence_2011-1
Insa cyber intelligence_2011-1Insa cyber intelligence_2011-1
Insa cyber intelligence_2011-1
 
Apresentação SegInfo
Apresentação SegInfoApresentação SegInfo
Apresentação SegInfo
 
Palantir
PalantirPalantir
Palantir
 
Online fraud report_0611[1]
Online fraud report_0611[1]Online fraud report_0611[1]
Online fraud report_0611[1]
 
Ata srp 015 2010 v1 - marinha - netwitness
Ata srp 015 2010 v1 - marinha - netwitnessAta srp 015 2010 v1 - marinha - netwitness
Ata srp 015 2010 v1 - marinha - netwitness
 
Road Show - Arcsight ETRM
Road Show - Arcsight ETRMRoad Show - Arcsight ETRM
Road Show - Arcsight ETRM
 
VeriSign iDefense Security Intelligence Services
VeriSign iDefense Security Intelligence ServicesVeriSign iDefense Security Intelligence Services
VeriSign iDefense Security Intelligence Services
 
CyberSecurity
CyberSecurityCyberSecurity
CyberSecurity
 
Verisign iDefense Security Intelligence Services
Verisign iDefense Security Intelligence ServicesVerisign iDefense Security Intelligence Services
Verisign iDefense Security Intelligence Services
 
VeriSign iDefense Security Intelligence Services
VeriSign iDefense Security Intelligence ServicesVeriSign iDefense Security Intelligence Services
VeriSign iDefense Security Intelligence Services
 
Access data
Access dataAccess data
Access data
 
01 11- alexandre atheniense
01 11- alexandre atheniense01 11- alexandre atheniense
01 11- alexandre atheniense
 
16 03 - institucional
16 03 - institucional16 03 - institucional
16 03 - institucional
 
Artigo velasquez (combate a crimes digitais)
Artigo velasquez (combate a crimes digitais)Artigo velasquez (combate a crimes digitais)
Artigo velasquez (combate a crimes digitais)
 
C:\Fakepath-6 09 10 Financial Fraud Webinar
C:\Fakepath-6 09 10 Financial Fraud WebinarC:\Fakepath-6 09 10 Financial Fraud Webinar
C:\Fakepath-6 09 10 Financial Fraud Webinar
 

Último

Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdfJamie (Taka) Wang
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxYounusS2
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
GenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncGenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncObject Automation
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
Introduction to Quantum Computing
Introduction to Quantum ComputingIntroduction to Quantum Computing
Introduction to Quantum ComputingGDSC PJATK
 
Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?SANGHEE SHIN
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 

Último (20)

Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptx
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
GenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncGenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation Inc
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
Introduction to Quantum Computing
Introduction to Quantum ComputingIntroduction to Quantum Computing
Introduction to Quantum Computing
 
Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 

NetWitness

  • 1.
  • 2.
  • 3. Malware/APT continues to grow “ State of the Internet” Report, Akamai Technologies
  • 5.
  • 6. Who Really 0wns Your Network?
  • 7. Tracking the Opposing I/T Organization Drop Sites Phishing Keyloggers Botnet Owners Spammers Botnet Services Malware Distribution Service Data Acquisition Service Data Mining & Enrichment Data Sales Cashing $$$ Malware Writers Identity Collectors Credit Card Users Master Criminals Validation Service (Card Checkers) Card Forums ICQ eCommerce Site Retailers Banks eCurrency Drop Service Wire Transfer Gambling Payment Gateways
  • 8.
  • 9.
  • 10.
  • 11.
  • 12.
  • 13.
  • 14.
  • 15.
  • 16. New Security Concept: “OFFENSE IN DEPTH” ATTACKER FREE TIME Attack Begins System Intrusion Attacker Surveillance Cover-up Complete Access Probe Leap Frog Attacks Complete Target Analysis Time Attack Set-up Discovery / Persistence Maintain foothold Cover-up Starts Attack Forecast Physical Security Containment & eradication System Reaction Damage Identification Recovery Defender discovery Monitoring & Controls Impact Analysis Response Threat Analysis Attack Identified Incident Reporting Need to collapse attacker free time Source: NERC HILF Report, June 2010 (http://www.nerc.com/files/HILF.pdf)
  • 17. Copyright 2007 NetWitness Corporation John Smith CISO
  • 18.
  • 19. There ARE specific targets…
  • 20.
  • 21.
  • 22.
  • 23. Sample Approach to Resilience
  • 24.
  • 25.
  • 26.
  • 27. Changes on the horizon…
  • 28.
  • 29. Understanding the NetWitness Network Monitoring Platform Automated Malware Analysis and Prioritization Automated Threat Reporting, Alerting and Integration Freeform Analytics for Investigations and Real-time Answers Revolutionary Visualization of Content for Rapid Review
  • 30.
  • 31.
  • 32.
  • 33.
  • 34.
  • 35. Finding bad things on the network: Are all ZeuS variants created equal?
  • 36.
  • 37.  
  • 38. Which AV Product Sucks the LEAST!!! ?
  • 39.
  • 40.
  • 41.
  • 42.
  • 43.
  • 44.
  • 46. Combating Advanced Threats Requires More and Better Information… Highest Value Lowest Value Data Source Description Firewalls, Gateways, etc. IDS Software NetFlow Monitoring SEIM Software Real-time Network Forensics (NetWitness) Overwhelming amounts of data with little context, but can be valuable when used within a SEIM and in conjunction with network forensics. For many organizations, the only indicator of a problem, only for known exploits. Can produce false positives and limited by signature libraries. Network performance management and network behavioral anomaly detection (NBAD) tools. Indicators of changes in traffic flows within a given period, for example, DDOS. Limited by lack of context and content. Correlates IDS and other network and security event data and improves signal to noise ratio. Is valuable to the extent that data sources have useful information and are properly integrated, but lacks event context that can be provides by network forensics. Collects the richest network data. Provides a deeper level of advanced threat identification and situational awareness. Provides context and content to all other data sources and acts as a force multiplier.
  • 47.
  • 48.

Notas del editor

  1. Security is hard job You are everyone’s friend, or enemy People want to see you or they dread seeing you in the hallway You know what you need to do, but good luck getting it done. Today: Talk about why security sucks and what’s wrong with security today in most organizations Some brief examples of why security teams are failing Maybe it will suck less when we are done
  2. Electronic Criminal Groups: Established Underground Industry (continued examples of successful large scale operations) Organization: Low to High Capability: High Intent: High for financial gain “ Kneber” ZeuS BotNet – information sold to anybody Nation-Sponsored Activities: From Intelligence Gathering to Network-Centric Warfare Organization: High Capability: High Intent: Connected to national policy Operation Aurora, Titan Rain, etc.
  3. OK, back to being the CIO of an organized criminal group…
  4. Build Slide…. SUCKER!!!
  5. Unfortunately, our job is usually not as much fun and doesn’t pay as well. So in the face of all this, what’s your job strategy? Maybe you should go work for the government? They have more money and better resources…and you get to wear a tie to work…
  6. The government has it’s problems too….security sucks there too… Advanced - the adversary can operate in the full spectrum of computer intrusion Persistent - the adversary is driven to accomplish a mission Threat - the adversary is: Organized Funded Motivated Analysts speak of multiple "groups" consisting of dedicated "crews" with various missions
  7. Who is NetWitness? Ask the Industry! Ultimately, we can say whatever we want about the value we will bring to your organization, but that value is best defined by what others in the industry say about us. The best security teams on the planet are using NetWitness: Our customers include: 5 of the Fortune 10 A large number of the Global 1000, including 3 of the Top 10 banks. Over 70% of U.S. Federal Agencies are enterprise customers of NetWitness, and most are planning larger deployments Over 45,000 security experts use NetWitness Investigator Freeware. The Analysts agree too: Forrester says that in 2011 all enterprises should inspect and analyze all network traffic to obtain better visibility and that NetWitness is a cutting edge vendor in this space. Gartner says that current malware threats will require approaches other than signature, and named NetWitness as a technology offering an important solution using forensics, behavioral, and reputational based techniques 451 Group says that “ If you can handle the truth, NetWitness can show it to you.” and that “NetWitness is the last security appliance you will ever need to buy.” The company has received a number of awards: Inc.500 -- #21 overall and #1 in Software and DC area WBJ #3 in Wash DC area SC Mag numerous awards Customer Testimonials ----- Meeting Notes (1/16/11 13:33) ----- The people that know a lot about the high threat environment use us.
  8. NetWitness infrastructure builds a pervasive and complete understanding of what is happening across your network Layer 2 to layer 7 – characteristics of network behavior Real-time knowledge Fused with the knowledge of the global security community Threat and fraud intel Business intelligence Community and reputation-based Cloud-based
  9. Just like every other application, provides completeness and security rigor.
  10. How many people have worked with Zeus? There are many commercial and non-commercial variants of Trojans such as ZeuS that have been developed by eCrime groups for specific targets of interest: Banks, DIB, specific government agencies in U.S. and Europe Numerous signs of collaboration among malware writers, including “best practices” for improving techniques for detection avoidance and resilience (e.g. ZeuS and Waledac collaboration noted in NetWitness “Kneber” report) New features, such as the inclusion of robust Backconnect reverse proxy capabilities Many of these non-commercial variants are invisible to typical security tools
  11. This particular directory contains files harvested by the attackers from my bait PC that I set up and infected; each directory (top listing in graphic for “/”) is associated with one victim.