Breach Discovery
Transcript of Breach Discovery
Breach Discovery
Nat Kausik, CEO, Bitglass
Rich Campagna, VP Products, Bitglass
Polling Question #1: Which of the following is currently your biggest security concern?
• Malware & Hacking
• Lost Devices
• Misuse/Shadow IT
• User Errors
• None of the above
Breach Stats (chart)
*Source: California AG Breach Report 2014
Types of Breaches
Nuisance Breach - Opportunistic hack on vulnerable end-points
Untargeted Breach - Opportunistic hack on vulnerable enterprises
Targeted Breach - Custom hack on specific enterprise
Nuisance Breach
Effectiveness of Defense: Good
Tools: Anti-malware
Target: Vulnerable endpoints
Weapon: Malware
Gain: Fun, botnets, passwords

Untargeted Breach
Effectiveness of Defense: Limited
Tools: Anti-X, NGFW, APT protection
Target: Vulnerable enterprises
Weapon: Malware
Gain: Credit card numbers, etc.

Untargeted Breach
1. 3rd party website “Company Fun Run”
2. Employees register with company creds
3. Hack 3rd party site to steal creds
4. Log into JPM
5. Exfiltrate data over months
6. 3rd party website hires security guru, notifies JPMorgan
Targeted Breach
Effectiveness of Defense: ???
Tools: ???
Target: Specific enterprises
Weapon: Many
Gain: Geo-political advantage?

Targeted Breach
1. April 2014: Spoofed site myhr.we11point.com
2. Spear phishing emails
3. Employees login with Anthem creds
4. Anthem creds
5. Log into Anthem
5. Query & steal 80M identities
Feb 2015: Anthem IT discovers breach
Polling Question #2: How long do you think it would take you to detect a typical breach?
• Less than 1 day
• Less than 1 week
• Less than 1 month
• Less than 6 months
• More than 6 months
© 2014 Bitglass – Confidential: Do Not Distribute
The Reality - Breaches Happen
*Source: Mandiant/FireEye
229: Average # of days before detection
67%: Victims notified by external sources
“Two kinds of companies, those that were hacked and those that don’t yet know it”
- John Chambers, CEO, Cisco
Bitglass Breach Discovery: Limit the Damage
Problem: Corporate data moving outside the firewall
1. On Network: Data breaches - exfiltration & Shadow IT
2. In Cloud: Attack on SaaS vendor risks sensitive data
3. At Access: Data theft via hacked devices & accounts
4. On Device: Lost tablet containing financial records
(Diagram labels: Cloud, Mobile, On-premise)
Breach Discovery - How it Works
Upload Firewall or Proxy logs
Big Data Analysis of Outflows
Bitglass Breach Discovery
Ranked alerts on high-risk outflows
Shadow IT Risks
Drill-down investigation
No software
Bitglass Risk Intelligence
Customer Example
Transportation company
25,000 Employees
2M log lines per day
Findings:
• Data exfiltration to ~200 TOR nodes
• 4 high-risk, high-volume Shadow IT apps
Case study at bitglass.com/resources
Customer Example
Wall Street Tech Firm
300 Employees
25K log lines per day
Findings:
• Ten machines infected with malware
• Command & control traffic
• Next-Gen Firewall ineffective
Case study at bitglass.com/resources
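The "How it Works" slide and the two customer examples describe the same technique: aggregate outbound flows from firewall or proxy logs and rank the riskiest ones so an analyst sees bulk exfiltration and command-and-control traffic first. The script below is an added illustration of that idea, not Bitglass code and not its proprietary ranking. Everything in it is an assumption made for the example: the simplified log line format, the TEST-NET addresses standing in for a Tor-node feed, the made-up unsanctioned SaaS host, and the scoring weights.

```python
"""Outbound data-flow analysis over proxy logs.

Added example; this is not Bitglass code and does not reproduce the
deck's proprietary ranking. Assumptions (all constructed for the
example): a simplified proxy log line
    <epoch> <src_ip> <dst_host> <method> <bytes_out> <bytes_in>
a destination watchlist, and the scoring weights below.
"""
from dataclasses import dataclass

# Constructed sample log lines (not real traffic). Two hosts upload
# large volumes; one host sends small, repeated requests to a listed node.
SAMPLE_LOG = """\
1414800000 10.1.2.3 cdn.example.net GET 512 204800
1414800010 10.1.2.3 203.0.113.45 POST 5242880 1024
1414800020 10.1.2.4 files.shadowapp.example POST 1048576 2048
1414800030 10.1.2.5 cdn.example.net GET 256 102400
1414800040 10.1.2.3 203.0.113.45 POST 7340032 1024
1414800050 10.1.2.6 198.51.100.7 POST 4096 512
1414800060 10.1.2.4 files.shadowapp.example POST 2097152 2048
"""

# Constructed watchlists; TEST-NET addresses stand in for a real
# Tor-node feed, and the app name is a made-up unsanctioned SaaS host.
TOR_NODES = {"203.0.113.45", "198.51.100.7"}
UNSANCTIONED_APPS = {"files.shadowapp.example"}

UPLOAD_THRESHOLD = 1_000_000  # bytes out per (src, dst) pair, illustrative


@dataclass
class Flow:
    """Aggregate of all requests from one internal host to one destination."""
    src: str
    dst: str
    bytes_out: int = 0
    bytes_in: int = 0
    requests: int = 0


def parse_log(text):
    """Aggregate log lines into per-(src, dst) flows; malformed lines are skipped."""
    flows = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        _ts, src, dst, _method, out_b, in_b = parts
        flow = flows.setdefault((src, dst), Flow(src, dst))
        flow.bytes_out += int(out_b)
        flow.bytes_in += int(in_b)
        flow.requests += 1
    return list(flows.values())


def risk_score(flow):
    """Return (score, reasons) for one flow; the weights are illustrative only."""
    score, reasons = 0, []
    if flow.dst in TOR_NODES:
        score += 50
        reasons.append("destination on Tor node list")
    if flow.dst in UNSANCTIONED_APPS:
        score += 20
        reasons.append("unsanctioned SaaS app")
    if flow.bytes_out > UPLOAD_THRESHOLD:
        score += 20
        reasons.append("upload volume above threshold")
    if flow.bytes_out > 4 * flow.bytes_in:
        score += 10
        reasons.append("outbound-dominant byte ratio")
    return score, reasons


def rank_outflows(text):
    """Score every flow and return the non-zero ones, highest risk first."""
    ranked = []
    for flow in parse_log(text):
        score, reasons = risk_score(flow)
        if score > 0:
            ranked.append((score, flow.src, flow.dst, flow.bytes_out, reasons))
    # tie-break on bytes out so the biggest upload surfaces first
    ranked.sort(key=lambda r: (-r[0], -r[3]))
    return ranked


if __name__ == "__main__":
    for score, src, dst, out_b, reasons in rank_outflows(SAMPLE_LOG):
        print(f"{score:3d} {src:<10} -> {dst:<26} {out_b:>10} B  {'; '.join(reasons)}")
```

On the constructed input the 12 MB upload to a listed node ranks first, the small but outbound-dominant beaconing from 10.1.2.6 to the other listed node ranks second (the C&C pattern from the Wall Street case study), and the multi-megabyte upload to the unsanctioned app ranks third (the Shadow IT pattern from the transportation case study); ordinary CDN downloads score zero and never reach the analyst. A real deployment would swap the inline watchlists for maintained feeds and tune the thresholds to the organisation's baseline.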
Polling Question #3: Biggest challenge with your existing breach detection tools (i.e. SIEM)?
• Too many alerts to be useful
• Too difficult to manage and integrate threat intelligence
• We don’t have a SIEM
• Other issues not listed
• We don’t have any challenges
Prevention-focused tools vs. Bitglass Breach Discovery
Prevention-focused tools: Prevention tools increasingly ineffective against targeted and persistent attacks
Bitglass Breach Discovery: Outbound Data Flow Analysis catches breaches early
Prevention-focused tools: Existing and emerging anomaly detection technologies throw too many alerts to be useful
Bitglass Breach Discovery: Prioritized alerts via cloud-powered big data analytics with proprietary ranking
Prevention-focused tools: SIEM requires curation of risk intelligence feeds and ongoing manual interpretation by SMEs
Bitglass Breach Discovery: Rapid Deployment - Simply upload logs, nothing to install
Discovery vs Prevention
“Determined attackers can get malware into organizations at will.”
- Neil MacDonald/Peter Firstbrook, Gartner
Total Data Protection Outside the Firewall