BITDEFENDER SERENITY TECHNOLOGYronog2.ronog.ro/.../2015/11/Bitdefender-RONOG-2015.pdf ·...
Transcript of BITDEFENDER SERENITY TECHNOLOGYronog2.ronog.ro/.../2015/11/Bitdefender-RONOG-2015.pdf ·...
![Page 2: BITDEFENDER SERENITY TECHNOLOGYronog2.ronog.ro/.../2015/11/Bitdefender-RONOG-2015.pdf · BITDEFENDER SERENITY TECHNOLOGY Sabin POTIRCA – Technical Project Manager spotirca@bitdefender.com](https://reader035.fdocuments.us/reader035/viewer/2022081401/5f0616e17e708231d4163c49/html5/thumbnails/2.jpg)
2
BRIEF HISTORY …two long years ago
• Send all documents from mail traffic to be opened in virtual machines
• Unclear purpose
![Page 3: BITDEFENDER SERENITY TECHNOLOGYronog2.ronog.ro/.../2015/11/Bitdefender-RONOG-2015.pdf · BITDEFENDER SERENITY TECHNOLOGY Sabin POTIRCA – Technical Project Manager spotirca@bitdefender.com](https://reader035.fdocuments.us/reader035/viewer/2022081401/5f0616e17e708231d4163c49/html5/thumbnails/3.jpg)
3
TURNING POINT
• Bring in the cavalry • Start extracting information • Much resources, such lack of results
• A lot of research on technologies • Was not a critical project • Few resources, less progress, lots of issues • Finally a “usable” framework
BRIEF HISTORY (CON’D)
![Page 4: BITDEFENDER SERENITY TECHNOLOGYronog2.ronog.ro/.../2015/11/Bitdefender-RONOG-2015.pdf · BITDEFENDER SERENITY TECHNOLOGY Sabin POTIRCA – Technical Project Manager spotirca@bitdefender.com](https://reader035.fdocuments.us/reader035/viewer/2022081401/5f0616e17e708231d4163c49/html5/thumbnails/4.jpg)
4
WE NEED REAL WORLD DATA
• We like dogfooding • Still not a critical project • Easiest way to integrate was at network level • Start the learning process
![Page 5: BITDEFENDER SERENITY TECHNOLOGYronog2.ronog.ro/.../2015/11/Bitdefender-RONOG-2015.pdf · BITDEFENDER SERENITY TECHNOLOGY Sabin POTIRCA – Technical Project Manager spotirca@bitdefender.com](https://reader035.fdocuments.us/reader035/viewer/2022081401/5f0616e17e708231d4163c49/html5/thumbnails/5.jpg)
5
WE NEED REAL WORLD DATA (CONT’D)
• Why limit ourselves to SMTP? • Added some more info extracted • Entire HQ traffic filtered • Re-start the learning process
![Page 6: BITDEFENDER SERENITY TECHNOLOGYronog2.ronog.ro/.../2015/11/Bitdefender-RONOG-2015.pdf · BITDEFENDER SERENITY TECHNOLOGY Sabin POTIRCA – Technical Project Manager spotirca@bitdefender.com](https://reader035.fdocuments.us/reader035/viewer/2022081401/5f0616e17e708231d4163c49/html5/thumbnails/6.jpg)
6
MISTAKES WERE MADE
• In-house intercepting solutions vs open-source • Focus on the wrong side of the optimizations war • Aggressive vs too aggressive • A lot of data, no means of visualizing
![Page 7: BITDEFENDER SERENITY TECHNOLOGYronog2.ronog.ro/.../2015/11/Bitdefender-RONOG-2015.pdf · BITDEFENDER SERENITY TECHNOLOGY Sabin POTIRCA – Technical Project Manager spotirca@bitdefender.com](https://reader035.fdocuments.us/reader035/viewer/2022081401/5f0616e17e708231d4163c49/html5/thumbnails/7.jpg)
7
THERE WERE ALSO BENEFITS
• Discovered early on brand new malware • We already had an idea of what and how it behaves • Sped up the our reaction to emerging threats
![Page 8: BITDEFENDER SERENITY TECHNOLOGYronog2.ronog.ro/.../2015/11/Bitdefender-RONOG-2015.pdf · BITDEFENDER SERENITY TECHNOLOGY Sabin POTIRCA – Technical Project Manager spotirca@bitdefender.com](https://reader035.fdocuments.us/reader035/viewer/2022081401/5f0616e17e708231d4163c49/html5/thumbnails/8.jpg)
8
EXAMPLE July, this year
![Page 9: BITDEFENDER SERENITY TECHNOLOGYronog2.ronog.ro/.../2015/11/Bitdefender-RONOG-2015.pdf · BITDEFENDER SERENITY TECHNOLOGY Sabin POTIRCA – Technical Project Manager spotirca@bitdefender.com](https://reader035.fdocuments.us/reader035/viewer/2022081401/5f0616e17e708231d4163c49/html5/thumbnails/9.jpg)
9
EXAMPLE OF ADDITIONAL INFO
![Page 10: BITDEFENDER SERENITY TECHNOLOGYronog2.ronog.ro/.../2015/11/Bitdefender-RONOG-2015.pdf · BITDEFENDER SERENITY TECHNOLOGY Sabin POTIRCA – Technical Project Manager spotirca@bitdefender.com](https://reader035.fdocuments.us/reader035/viewer/2022081401/5f0616e17e708231d4163c49/html5/thumbnails/10.jpg)
10
IN A PARALLEL UNIVERSE
• New project called KARMA • Focus on centralized management of events • Used mostly by the AM / AS / APH Labs for correlating
various events / investigations • Concept of Event Correlation was introduced
![Page 11: BITDEFENDER SERENITY TECHNOLOGYronog2.ronog.ro/.../2015/11/Bitdefender-RONOG-2015.pdf · BITDEFENDER SERENITY TECHNOLOGY Sabin POTIRCA – Technical Project Manager spotirca@bitdefender.com](https://reader035.fdocuments.us/reader035/viewer/2022081401/5f0616e17e708231d4163c49/html5/thumbnails/11.jpg)
11
THE SYNERGY
• Serenity should and must send all malware events to KARMA
• Added some more events “sensors” • And then added some more
![Page 12: BITDEFENDER SERENITY TECHNOLOGYronog2.ronog.ro/.../2015/11/Bitdefender-RONOG-2015.pdf · BITDEFENDER SERENITY TECHNOLOGY Sabin POTIRCA – Technical Project Manager spotirca@bitdefender.com](https://reader035.fdocuments.us/reader035/viewer/2022081401/5f0616e17e708231d4163c49/html5/thumbnails/12.jpg)
12
ADDING MORE DATA
• Serenity already has access to a lot of other information • Added netflows
![Page 13: BITDEFENDER SERENITY TECHNOLOGYronog2.ronog.ro/.../2015/11/Bitdefender-RONOG-2015.pdf · BITDEFENDER SERENITY TECHNOLOGY Sabin POTIRCA – Technical Project Manager spotirca@bitdefender.com](https://reader035.fdocuments.us/reader035/viewer/2022081401/5f0616e17e708231d4163c49/html5/thumbnails/13.jpg)
13
OUR FORENSICS
• Search the entire Intelligence Database for various info • Establish connections between different threat vectors
![Page 14: BITDEFENDER SERENITY TECHNOLOGYronog2.ronog.ro/.../2015/11/Bitdefender-RONOG-2015.pdf · BITDEFENDER SERENITY TECHNOLOGY Sabin POTIRCA – Technical Project Manager spotirca@bitdefender.com](https://reader035.fdocuments.us/reader035/viewer/2022081401/5f0616e17e708231d4163c49/html5/thumbnails/14.jpg)
14
OUR FORENSICS (CONT’D)
• We also have pies and charts to back us …
![Page 15: BITDEFENDER SERENITY TECHNOLOGYronog2.ronog.ro/.../2015/11/Bitdefender-RONOG-2015.pdf · BITDEFENDER SERENITY TECHNOLOGY Sabin POTIRCA – Technical Project Manager spotirca@bitdefender.com](https://reader035.fdocuments.us/reader035/viewer/2022081401/5f0616e17e708231d4163c49/html5/thumbnails/15.jpg)
15
SO MUCH DATA
• We have two teams of PhD’s and scientists • Machine Learning • Trends analysis
• On-going research for applications • We already have (some) automated incident detection
![Page 16: BITDEFENDER SERENITY TECHNOLOGYronog2.ronog.ro/.../2015/11/Bitdefender-RONOG-2015.pdf · BITDEFENDER SERENITY TECHNOLOGY Sabin POTIRCA – Technical Project Manager spotirca@bitdefender.com](https://reader035.fdocuments.us/reader035/viewer/2022081401/5f0616e17e708231d4163c49/html5/thumbnails/16.jpg)
16
BUT WE WANT MORE DATA
• Several external installations • We would not refuse other beta-testers of the technology
![Page 17: BITDEFENDER SERENITY TECHNOLOGYronog2.ronog.ro/.../2015/11/Bitdefender-RONOG-2015.pdf · BITDEFENDER SERENITY TECHNOLOGY Sabin POTIRCA – Technical Project Manager spotirca@bitdefender.com](https://reader035.fdocuments.us/reader035/viewer/2022081401/5f0616e17e708231d4163c49/html5/thumbnails/17.jpg)
17
ACHIEVEMENT UNLOCKED
• NOW It is considered a CRITICAL project
![Page 18: BITDEFENDER SERENITY TECHNOLOGYronog2.ronog.ro/.../2015/11/Bitdefender-RONOG-2015.pdf · BITDEFENDER SERENITY TECHNOLOGY Sabin POTIRCA – Technical Project Manager spotirca@bitdefender.com](https://reader035.fdocuments.us/reader035/viewer/2022081401/5f0616e17e708231d4163c49/html5/thumbnails/18.jpg)
18
Thank you