How to Access and Make Use of “Trapped” Cyber Data to Reduce Your Risk
Uploaded by: surfwatch-labs
Category: Data & Analytics
Transcript of How to Access and Make Use of “Trapped” Cyber Data to Reduce Your Risk
![Page 1: How to Access and Make Use of “Trapped” Cyber Data to Reduce Your Risk](https://reader035.fdocuments.us/reader035/viewer/2022062710/55b365cabb61eb99548b47a6/html5/thumbnails/1.jpg)
How to Access and Make Use of Your “Trapped” Cyber Data to Reduce Your Risk
![Page 2: How to Access and Make Use of “Trapped” Cyber Data to Reduce Your Risk](https://reader035.fdocuments.us/reader035/viewer/2022062710/55b365cabb61eb99548b47a6/html5/thumbnails/2.jpg)
Today’s Speakers
2
Jason Polancich, Founder & Chief Architect, SurfWatch Labs
Mustafa Rassiwala, Director, Product Management, Platfora
![Page 3: How to Access and Make Use of “Trapped” Cyber Data to Reduce Your Risk](https://reader035.fdocuments.us/reader035/viewer/2022062710/55b365cabb61eb99548b47a6/html5/thumbnails/3.jpg)
Freeing Your Trapped Security Data!
Case Study: “Chocolate and Peanut Butter”: Extending a Manufacturing Company SIEM
3
![Page 4: How to Access and Make Use of “Trapped” Cyber Data to Reduce Your Risk](https://reader035.fdocuments.us/reader035/viewer/2022062710/55b365cabb61eb99548b47a6/html5/thumbnails/4.jpg)
Bridge the Gap Between Low-Level Tactics & Strategic Insights
4
![Page 5: How to Access and Make Use of “Trapped” Cyber Data to Reduce Your Risk](https://reader035.fdocuments.us/reader035/viewer/2022062710/55b365cabb61eb99548b47a6/html5/thumbnails/5.jpg)
5
SIEM Can Be Even More Powerful…
![Page 6: How to Access and Make Use of “Trapped” Cyber Data to Reduce Your Risk](https://reader035.fdocuments.us/reader035/viewer/2022062710/55b365cabb61eb99548b47a6/html5/thumbnails/6.jpg)
… How?
• Add the Strategy Piece: Low-level threat intel is only a small part of the full picture of risk
• Stop Navel-Gazing: An outside and inside view is necessary!
• Start Meerkat-ing: Situational awareness makes every defense operation better
• Make it Mean Something for Everyone: Connect security to business operations
• Enable Sustained Diligence: Both inside and outside of SECOPS
6
![Page 7: How to Access and Make Use of “Trapped” Cyber Data to Reduce Your Risk](https://reader035.fdocuments.us/reader035/viewer/2022062710/55b365cabb61eb99548b47a6/html5/thumbnails/7.jpg)
Customer Profile
Large Multi-National Manufacturing and Consumer Goods with Deep and Wide Supply Chain
Tech/Security Environment
• Geographically dispersed IT locations
• Lots of data sources, few source types
• Centralized SIEM analysis
• Historical SIEM data storage
• Focus on low-level, internal threat intel
• Static intel reporting and reactive alerting
• No strategic intelligence analysis function
7
![Page 8: How to Access and Make Use of “Trapped” Cyber Data to Reduce Your Risk](https://reader035.fdocuments.us/reader035/viewer/2022062710/55b365cabb61eb99548b47a6/html5/thumbnails/8.jpg)
It All Starts with Data …
8
![Page 9: How to Access and Make Use of “Trapped” Cyber Data to Reduce Your Risk](https://reader035.fdocuments.us/reader035/viewer/2022062710/55b365cabb61eb99548b47a6/html5/thumbnails/9.jpg)
9
Intuitive, Simple & Standardized
![Page 10: How to Access and Make Use of “Trapped” Cyber Data to Reduce Your Risk](https://reader035.fdocuments.us/reader035/viewer/2022062710/55b365cabb61eb99548b47a6/html5/thumbnails/10.jpg)
SIEM + Threat Intel
10
![Page 11: How to Access and Make Use of “Trapped” Cyber Data to Reduce Your Risk](https://reader035.fdocuments.us/reader035/viewer/2022062710/55b365cabb61eb99548b47a6/html5/thumbnails/11.jpg)
Instant Insights
11
![Page 12: How to Access and Make Use of “Trapped” Cyber Data to Reduce Your Risk](https://reader035.fdocuments.us/reader035/viewer/2022062710/55b365cabb61eb99548b47a6/html5/thumbnails/12.jpg)
Deep-Dive Analysis and Discovery
12
Diagram: Petabytes of data (Network Security Data, Endpoint Security Data, Data Center Security Data, SIEM log/event data for 30 days, plus unlimited IT & Business Data) flow into Hadoop/HDFS and Platfora Analytics.
A complement to SIEM. Security Analyst uses Platfora for investigating incidents:
– User Behavior Analytics
– Network Data Based Analytics
– Device Communication Analytics
– Information Flow Analytics
More Data & Business Context (Multi-Structured)
![Page 13: How to Access and Make Use of “Trapped” Cyber Data to Reduce Your Risk](https://reader035.fdocuments.us/reader035/viewer/2022062710/55b365cabb61eb99548b47a6/html5/thumbnails/13.jpg)
Using Analytics to Understand the Impact of Cyber
Over Time
![Page 14: How to Access and Make Use of “Trapped” Cyber Data to Reduce Your Risk](https://reader035.fdocuments.us/reader035/viewer/2022062710/55b365cabb61eb99548b47a6/html5/thumbnails/14.jpg)
14
A Typical Data Breach Lasts 243 Days
Recon
• Social Engineering
• Network Layout
Weaponization
• Targeted Malware
Delivery
• Spear Phishing
• Watering Hole Attacks
Exploit / Install
• Lateral Movement
C2C / Exfil
• Command Communication
• Data Exfiltration
Timeline: Day 1 to Day 243
Multiple Attempts at each stage of the attack
Fingerprint of attack in Log files and security events
![Page 15: How to Access and Make Use of “Trapped” Cyber Data to Reduce Your Risk](https://reader035.fdocuments.us/reader035/viewer/2022062710/55b365cabb61eb99548b47a6/html5/thumbnails/15.jpg)
15
Anunak Gang Targeting Financial Institutions
FINANCIAL INSTITUTION APT
Recon
• Government and Banking Partners
• Partnership with Bot Operators
• Search for Existing malware already installed in banking environment
Weaponization
• Mimikatz
• MBR Eraser
• SoftPerfect Network Scanner
• Cain and Abel
Delivery
• Spear Phishing Email to Bank Employee
• From Government Email Acct
• Deliver new payload to existing malware
Exploit / Install
• Password of admin user on local machine
• Legitimate access to one server
• Compromise domain admin password from one server
• Gaining access and compromise to domain controller accounts
• Gain access to email servers
C2C / Exfil
• Gain access to server and banking system admin workstations
• Install software for monitoring key system operators
• Remote access to servers of interest
![Page 16: How to Access and Make Use of “Trapped” Cyber Data to Reduce Your Risk](https://reader035.fdocuments.us/reader035/viewer/2022062710/55b365cabb61eb99548b47a6/html5/thumbnails/16.jpg)
16
TECHNOLOGY ORGANIZATION APT – SOURCE CODE BREACH
Recon
• Controlling “bounce” machines across the globe
• Social Media/LinkedIn/Usergroups/Support Forums etc.
• Corporate Website/Local Events
Weaponization
• Password Scraping Tools
• NetCat Backdoor
• Remote Access Tools
• Fake Game Download Site
• Other Techniques – Watering Hole Attacks
Delivery
• Targeted Phishing Email
• URL Link to Fake Game Site
• Download of Game – Install backdoor on user machine
• Installing Password Scraping and network scanning tools
Exploit / Install
• Backdoor Trojan Installation
• Network scans for open ports and services
• Connect to multiple fileshares
• Overwrite notepad.exe with malicious backdoor
C2C / Exfil
• Pass the Hash Attack
• VPN Connection from external source to maintain continuous access
• Covert TCP Channel bounced across servers
![Page 17: How to Access and Make Use of “Trapped” Cyber Data to Reduce Your Risk](https://reader035.fdocuments.us/reader035/viewer/2022062710/55b365cabb61eb99548b47a6/html5/thumbnails/17.jpg)
17
RETAIL ORGANIZATION APT – POINT OF SALE (POS) BREACH
Recon
• Store Expansion Information
• Physical scouting of the stores
• Network Scanning
• Detect Open Ports for TCP and UDP. Discover webserver and DNS server
Weaponization
• Wireless LAN Assessment Tool
• MAC Address Detection from SSID
• MAC Address Spoofing
Delivery
• Ping Sweep
• Reverse DNS lookup of Server IP
• Port Scan
• Password Guessing – connect to FTP Server
Exploit / Install
• Network Exploration
• Connection over VPN to FTP servers across network
• Access to Credit Card Data
C2C / Exfil
• Buffer Overflow Attack on Backup Program
• Installation of Sniffer to watch internal traffic
• Port Scan of Server
• SQL Injection on Web Application
• Access to database records of millions of Credit Cards
![Page 18: How to Access and Make Use of “Trapped” Cyber Data to Reduce Your Risk](https://reader035.fdocuments.us/reader035/viewer/2022062710/55b365cabb61eb99548b47a6/html5/thumbnails/18.jpg)
18
Major Challenges When Detecting Breaches
Kill chain stages: Recon, Weaponization, Delivery, Exploit / Install, C2C / Exfil (243 DAYS)
Difficult to Recognize Sequence of Attacks in Petabytes of Data
Data Silos Make it Hard to Understand your Critical Business Data
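The slide's first challenge, recognizing an attack sequence spread across months of events, is the kind of correlation a SIEM rule struggles with and an analytics layer is meant to do. The following is an added example, not code from the deck or from SurfWatch Labs / Platfora: it maps low-level event types to the deck's kill-chain stages and flags hosts whose events advance through several stages in order inside the 243-day window. The event format, the event-to-stage mapping and the sample events are all constructed for illustration.

```python
"""Correlate per-host SIEM events into kill-chain stage progressions.

Added example, not from the deck. The stage order follows the deck's
Recon / Weaponization / Delivery / Exploit-Install / C2C-Exfil chain;
everything else (event format, mapping, sample data) is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Stage order from the deck. Weaponization is attacker-side and rarely
# visible in defender logs, so it keeps its rank but no events map to it.
STAGES = ["recon", "weaponization", "delivery", "exploit_install", "c2c_exfil"]
STAGE_RANK = {s: i for i, s in enumerate(STAGES)}

# Constructed mapping from low-level event types to kill-chain stages.
EVENT_STAGE = {
    "portscan_inbound": "recon",
    "phish_url_click": "delivery",
    "new_service_installed": "exploit_install",
    "beacon_periodic_dns": "c2c_exfil",
    "large_outbound_transfer": "c2c_exfil",
}

# Constructed sample events: "<ISO timestamp> <host> <event type>".
SAMPLE_EVENTS = [
    "2015-01-03T09:12:00 host-17 portscan_inbound",
    "2015-01-20T14:05:00 host-17 phish_url_click",
    "2015-02-02T08:30:00 host-17 new_service_installed",
    "2015-02-18T23:40:00 host-17 beacon_periodic_dns",
    "2015-01-10T10:00:00 host-42 phish_url_click",
    "2015-03-01T11:00:00 host-42 phish_url_click",
    "2015-01-05T10:00:00 host-99 portscan_inbound",
    "2015-01-06T10:00:00 host-99 unknown_event_type",
]


def parse_event(line):
    """Split one constructed event line into (timestamp, host, event type)."""
    ts, host, etype = line.split()
    return datetime.fromisoformat(ts), host, etype


def stage_progression(lines, window_days=243, min_stages=3):
    """Return {host: [stages]} for hosts whose events climb through at least
    min_stages distinct stages in kill-chain order within window_days of the
    host's first staged event. Unmapped event types are ignored."""
    by_host = defaultdict(list)
    for line in lines:
        ts, host, etype = parse_event(line)
        stage = EVENT_STAGE.get(etype)
        if stage is not None:
            by_host[host].append((ts, stage))

    flagged = {}
    for host, events in by_host.items():
        events.sort()
        chain, chain_start = [], None
        for ts, stage in events:
            if chain_start is not None and ts - chain_start > timedelta(days=window_days):
                break  # beyond the dwell window under consideration
            # Only a strictly later stage extends the chain; repeats of the
            # same stage (e.g. several phishing clicks) do not.
            if not chain or STAGE_RANK[stage] > STAGE_RANK[chain[-1]]:
                if not chain:
                    chain_start = ts
                chain.append(stage)
        if len(chain) >= min_stages:
            flagged[host] = chain
    return flagged


if __name__ == "__main__":
    for host, chain in stage_progression(SAMPLE_EVENTS).items():
        print(host, " -> ".join(chain))
```

Lowering min_stages trades precision for recall: at 1 every host with any staged event is returned, which is useful for a hunting view but not for alerting. In a real deployment the mapping table would be the piece to maintain, since it is where SIEM event taxonomies meet the kill-chain vocabulary the deck uses.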
![Page 19: How to Access and Make Use of “Trapped” Cyber Data to Reduce Your Risk](https://reader035.fdocuments.us/reader035/viewer/2022062710/55b365cabb61eb99548b47a6/html5/thumbnails/19.jpg)
19
Suspicious File Downloaded by UserA – Possible Spear Phishing Attack
Incident Detected in SIEM
Security Analyst Investigates
• Analyze file download pattern for Joe over last 6 months – Compare against Org and Dept Statistics
• Analyze device behavior anomalies – Examine data over last 6 months and compare against various dimensions
• Analyze source of download – analyze all communication to source domain across org and dept over last 6 months
• Analyze all communication paths of device and Joe to uncover if attack has spread
![Page 20: How to Access and Make Use of “Trapped” Cyber Data to Reduce Your Risk](https://reader035.fdocuments.us/reader035/viewer/2022062710/55b365cabb61eb99548b47a6/html5/thumbnails/20.jpg)
20
Malformed Image File Spread – SQL Injection Based Attack
Incident Detected in SIEM
Security Analyst Investigates
• Analyze all recent incidents related to user and device and compare over last 6 months (Various Statistics)
• Analyze communication between endpoint and internal web server
• Analyze webserver compromise – internal and external communication mapped and analyzed for anomalies
• Follow trail of SQL Injection attack followed by compromise of customer accounts and malformed file upload
![Page 21: How to Access and Make Use of “Trapped” Cyber Data to Reduce Your Risk](https://reader035.fdocuments.us/reader035/viewer/2022062710/55b365cabb61eb99548b47a6/html5/thumbnails/21.jpg)
21
User Account Compromise – VPN Authentication Errors
Incident Detected in SIEM
Security Analyst Investigates
• Analyze VPN Access pattern of user over last 6 months – compare against Org and Dept
• Analyze all failed and successful authentication for user over last 6 months – compare against Org and Dept
• User Behavior Analytics – file downloads, URL access, application access etc.
• Device Behavior Analytics – destinations, bytes, protocols, ports etc.
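Both the spear-phishing investigation (Joe's download pattern versus org and department statistics) and this VPN case reduce to the same step: take one user's six-month metric and compare it with peers at two scopes. The following is an added example, not code from the deck or from SurfWatch Labs / Platfora, that does this for VPN authentication failure rate; swapping the metric for download counts covers the earlier slide. The log format, the user-to-department mapping, the sample records, the minimum event count and the z-score threshold are all constructed assumptions.

```python
"""Baseline one user's VPN authentication failure rate against department
and organisation peers over a six-month window.

Added example, not from the deck. Log format, USER_DEPT mapping, sample
records and thresholds are constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed mapping of VPN users to departments (assumption).
USER_DEPT = {"joe": "eng", "ann": "eng", "bob": "eng", "cat": "fin", "dan": "fin"}


def _records(user, ok, fail):
    """Build constructed log lines of the form '<user> <result>'."""
    return [f"{user} ok"] * ok + [f"{user} fail"] * fail


# Constructed six-month sample: joe fails far more often than any peer.
SAMPLE_LOG = (
    _records("joe", 40, 24)
    + _records("ann", 60, 2)
    + _records("bob", 55, 3)
    + _records("cat", 58, 1)
    + _records("dan", 62, 2)
)


def failure_rates(lines, min_events=20):
    """Return {user: failed/total}, skipping users with too few records to
    give a stable rate (a single failure from a rarely seen user is noise)."""
    counts = defaultdict(lambda: [0, 0])  # user -> [ok, fail]
    for line in lines:
        user, result = line.split()
        counts[user][1 if result == "fail" else 0] += 1
    return {u: f / (o + f) for u, (o, f) in counts.items() if o + f >= min_events}


def zscore(value, peers):
    """Standard score of value against a peer population, or None when the
    population is too small or has zero spread."""
    if len(peers) < 2:
        return None
    sd = pstdev(peers)
    if sd == 0:
        return None
    return (value - mean(peers)) / sd


def assess_user(user, lines, threshold=3.0):
    """Compare a user's failure rate with department and organisation peers.

    The subject is excluded from both peer sets so that a heavy outlier does
    not inflate its own baseline. Returns the rate, both z-scores and a flag
    set when either comparison exceeds the threshold."""
    rates = failure_rates(lines)
    if user not in rates:
        return {"user": user, "flagged": False, "reason": "too few events"}
    dept = USER_DEPT[user]
    dept_peers = [r for u, r in rates.items() if u != user and USER_DEPT[u] == dept]
    org_peers = [r for u, r in rates.items() if u != user]
    z_dept = zscore(rates[user], dept_peers)
    z_org = zscore(rates[user], org_peers)
    flagged = any(z is not None and z > threshold for z in (z_dept, z_org))
    return {"user": user, "rate": rates[user], "z_dept": z_dept,
            "z_org": z_org, "flagged": flagged}


if __name__ == "__main__":
    for u in USER_DEPT:
        print(assess_user(u, SAMPLE_LOG))
```

Two scopes matter because they fail differently: a department of shift workers may legitimately have more failed logins than the company average, so an org-only baseline over-alerts there, while a department-only baseline is blind when the whole department is behaving oddly. Keeping the subject out of its own peer set is the detail most often missed; with small departments one compromised account can otherwise drag the mean up enough to hide itself.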
![Page 22: How to Access and Make Use of “Trapped” Cyber Data to Reduce Your Risk](https://reader035.fdocuments.us/reader035/viewer/2022062710/55b365cabb61eb99548b47a6/html5/thumbnails/22.jpg)
22
Detecting Breaches Through Security Investigations
Diagram: Forest through the Trees; Understand Business Data; Iterate and Pivot; Petabytes of Data
![Page 23: How to Access and Make Use of “Trapped” Cyber Data to Reduce Your Risk](https://reader035.fdocuments.us/reader035/viewer/2022062710/55b365cabb61eb99548b47a6/html5/thumbnails/23.jpg)
23
Big Data Security Analytics
Diagram: Forest through the Trees; Understand Business Data; Iterate and Pivot; Petabytes of Data
End to End Platform: Visualization; Hadoop/HDFS Analytics; Map Reduce/Spark; Connect Variety of Data; Security Analyst
![Page 24: How to Access and Make Use of “Trapped” Cyber Data to Reduce Your Risk](https://reader035.fdocuments.us/reader035/viewer/2022062710/55b365cabb61eb99548b47a6/html5/thumbnails/24.jpg)
24
Security Incident Investigation
![Page 25: How to Access and Make Use of “Trapped” Cyber Data to Reduce Your Risk](https://reader035.fdocuments.us/reader035/viewer/2022062710/55b365cabb61eb99548b47a6/html5/thumbnails/25.jpg)
25
Security Incident Investigation
![Page 26: How to Access and Make Use of “Trapped” Cyber Data to Reduce Your Risk](https://reader035.fdocuments.us/reader035/viewer/2022062710/55b365cabb61eb99548b47a6/html5/thumbnails/26.jpg)
26
Security Incident Investigation
![Page 27: How to Access and Make Use of “Trapped” Cyber Data to Reduce Your Risk](https://reader035.fdocuments.us/reader035/viewer/2022062710/55b365cabb61eb99548b47a6/html5/thumbnails/27.jpg)
27
User Behavior Analytics
![Page 28: How to Access and Make Use of “Trapped” Cyber Data to Reduce Your Risk](https://reader035.fdocuments.us/reader035/viewer/2022062710/55b365cabb61eb99548b47a6/html5/thumbnails/28.jpg)
28
User Behavior Analytics
![Page 29: How to Access and Make Use of “Trapped” Cyber Data to Reduce Your Risk](https://reader035.fdocuments.us/reader035/viewer/2022062710/55b365cabb61eb99548b47a6/html5/thumbnails/29.jpg)
29
User Behavior Analytics
![Page 30: How to Access and Make Use of “Trapped” Cyber Data to Reduce Your Risk](https://reader035.fdocuments.us/reader035/viewer/2022062710/55b365cabb61eb99548b47a6/html5/thumbnails/30.jpg)
30
User Behavior Analytics
![Page 31: How to Access and Make Use of “Trapped” Cyber Data to Reduce Your Risk](https://reader035.fdocuments.us/reader035/viewer/2022062710/55b365cabb61eb99548b47a6/html5/thumbnails/31.jpg)
Q&A and Additional SurfWatch Labs Resources
31
Get Additional Cyber Intel Resources:
• SurfWatch Cyber Risk Report: http://info.surfwatchlabs.com/Sample-Cyber-Risk-Report
• Big Data, Big Mess Whitepaper: http://info.surfwatchlabs.com/big-data-security-analytics
Learn About SurfWatch Solutions:
• SurfWatch Product Review: www.scmagazine.com/surfwatch-c-suite/review/4324/
• Schedule a Personal SurfWatch Demo: info.surfwatchlabs.com/request-demo
![Page 32: How to Access and Make Use of “Trapped” Cyber Data to Reduce Your Risk](https://reader035.fdocuments.us/reader035/viewer/2022062710/55b365cabb61eb99548b47a6/html5/thumbnails/32.jpg)
Thank You!
www.surfwatchlabs.com
Follow us at: