PREPARING FOR TOMORROW’S THREATS (transcript of a slide deck)

Page 1

Defining cybersecurity.

PREPARING FOR TOMORROW’S THREATS 28 September 2016

Andrew Facchini Presales & Product Manager +47 459 07 330 [email protected]

Page 2

WHO IS MNEMONIC?

• Founded in 2000
• 110+ security specialists
• Among Europe’s largest incident response teams
• Over 14 years’ R&D into Argus
• Advanced threat analytics, detection & response platform
• 3 billion events analysed daily in our global sensor network
• Services: 24x7 Managed Security Services, Incident Response, Risk Services, Products & Support
• PCI credentials: Qualified Security Assessor (QSA), Approved Scanning Vendor (ASV), Payment Application QSA (PA-QSA), Forensic Investigator (PFI), Level 1 Service Provider
• Advisory Group for Internet Security
• 2013 2014 2015 2016

Page 3

CYBERSECURITY FACT: 100% PREVENTION IS NOT POSSIBLE. DETERMINED ATTACKERS WILL ALWAYS GET THROUGH. ALWAYS.

Page 4

STAGES OF DETECTING AND RESPONDING TO SECURITY INCIDENTS (from DETECTION to RESPONSE)

1. Generate and collect alerts. Received from: firewalls, web proxies, IDS/IPS, anti-virus, email gateway, SIEM + other security products.
2. Triage & validate alert. Is it a duplicated alert? Eliminate obvious false positives. Does the alert warrant further investigation?
3. Investigate & verify incident. Analyse the alert. Is the source reputable? Are there any other indicators? Answer the question: does this pose a potential threat?
4. Identify scope of incident. Identify involved users, assets, services. Understand what you’re dealing with. Put the incident in context of your organisation.
5. Assess priority & response actions. Evaluate how your business is affected. How should we handle it? Who needs to be contacted?
6. Execute response actions. Take corrective measures to recover, e.g. isolate devices from network, revoke credentials, take service offline.

Applies to all organisations, regardless of technology, industry, or the type & severity of the threat.
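The six stages above walked through in code, as an added example that is not mnemonic’s code or the Argus platform: a handful of constructed alerts in a SIEM-like layout pass through triage (dedupe and obvious false positives), investigation (reputation and other indicators), scoping (users and assets), assessment (priority and contacts) and response planning (the corrective measures the slide lists). The alert layout, the reputation list, the allowlist, the asset inventory and the functions `triage`, `investigate`, `scope`, `assess`, `plan_response` and `run_pipeline` are all assumptions made for this example.

```python
"""Toy walk-through of the six detection-and-response stages on the slide.

Added example, not mnemonic's code or the Argus platform. The alert layout,
the reputation list, the allowlist and the asset inventory are constructed.
"""
from collections import Counter

# Stage 1 input: constructed alerts in the shape a SIEM might normalise them to.
SAMPLE_ALERTS = [
    {"id": 1, "source": "ids", "sig": "trojan beacon", "src_ip": "10.1.1.5",
     "dst": "203.0.113.9", "user": "alice"},
    {"id": 2, "source": "ids", "sig": "trojan beacon", "src_ip": "10.1.1.5",
     "dst": "203.0.113.9", "user": "alice"},            # exact repeat of alert 1
    {"id": 3, "source": "proxy", "sig": "category: malware", "src_ip": "10.1.2.7",
     "dst": "updates.example.com", "user": "bob"},     # known-good patch server
    {"id": 4, "source": "firewall", "sig": "port scan", "src_ip": "10.1.3.3",
     "dst": "192.0.2.1", "user": None},
    {"id": 5, "source": "antivirus", "sig": "malware quarantined", "src_ip": "10.1.4.4",
     "dst": None, "user": "carol"},
]

# Constructed context an analyst would pull from threat intel and the asset inventory.
BAD_REPUTATION = {"203.0.113.9"}                       # hypothetical intel hit
ALLOWLIST = {"updates.example.com"}                    # hypothetical benign destination
ASSETS = {                                             # hypothetical inventory
    "10.1.1.5": {"name": "ws-alice", "critical": False, "owner": "helpdesk"},
    "10.1.3.3": {"name": "ws-lab", "critical": False, "owner": "helpdesk"},
    "10.1.4.4": {"name": "finance-srv", "critical": True, "owner": "finance-it"},
}


def triage(alerts):
    """Stage 2: drop duplicated alerts and obvious false positives."""
    seen, kept = set(), []
    for a in alerts:
        key = (a["sig"], a["src_ip"], a["dst"])
        if key in seen:                      # is it a duplicated alert?
            continue
        seen.add(key)
        if a["dst"] in ALLOWLIST:            # obvious false positive?
            continue
        kept.append(a)
    return kept


def investigate(alerts):
    """Stage 3: decide which validated alerts pose a potential threat.

    Indicators used here: a bad-reputation destination, a confirmed
    anti-virus detection, or more than one distinct alert for the same host.
    """
    per_host = Counter(a["src_ip"] for a in alerts)
    incidents = []
    for a in alerts:
        indicators = []
        if a["dst"] in BAD_REPUTATION:
            indicators.append("destination has bad reputation")
        if a["source"] == "antivirus":
            indicators.append("endpoint product confirmed malware")
        if per_host[a["src_ip"]] > 1:
            indicators.append("multiple alerts for the same host")
        if indicators:
            incidents.append({"alert": a, "indicators": indicators})
    return incidents


def scope(incident):
    """Stage 4: tie the incident to the users and assets involved."""
    asset = ASSETS.get(incident["alert"]["src_ip"],
                       {"name": "unknown", "critical": False, "owner": "unknown"})
    incident["asset"] = asset
    incident["users"] = [u for u in [incident["alert"]["user"]] if u]
    return incident


def assess(incident):
    """Stage 5: priority and who to contact, driven by asset criticality."""
    critical = incident["asset"]["critical"]
    incident["priority"] = "high" if critical else "medium"
    incident["contacts"] = [incident["asset"]["owner"]] + (["ciso"] if critical else [])
    return incident


def plan_response(incident):
    """Stage 6: pick the corrective measures the slide lists for this incident."""
    actions = ["isolate device from network"]
    if incident["users"]:
        actions.append("revoke credentials: " + ", ".join(incident["users"]))
    if incident["asset"]["critical"]:
        actions.append("take service offline")
    incident["actions"] = actions
    return incident


def run_pipeline(alerts=SAMPLE_ALERTS):
    """Run all stages; return the confirmed incidents with their response plans."""
    validated = triage(alerts)
    return [plan_response(assess(scope(i))) for i in investigate(validated)]


if __name__ == "__main__":
    for inc in run_pipeline():
        print(inc["alert"]["id"], inc["priority"], inc["asset"]["name"], inc["actions"])
```

Of the five constructed alerts, two are discarded at triage (one duplicate, one allowlisted destination) and one more is dropped at investigation because nothing corroborates it, which leaves two incidents; the one on the critical finance server is rated high, escalated to the CISO and gets the extra "take service offline" action.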

Page 5


The same stages as on page 4, labelled TECHNOLOGY DRIVEN and HUMAN DRIVEN, TECHNOLOGY ASSISTED.

Page 6

Alerts can be overwhelming

• 66% of security staff’s time is wasted because of faulty intelligence
• 19% of alerts considered reliable
• 4% of alerts are investigated

Sources [1] [2] [3]: The Cost of Malware Containment, Ponemon Institute, January 2015

Page 7

A day in the life of Company X: an “ordinary” organisation with 2000 employees and standard security controls

• 403 602 security alerts
• 82 manually assessed incidents
• 1.8 confirmed security incidents
• Manual analysis of a new suspected incident every 5.5 working minutes

Security incident examples: malware infection, suspicious user behaviour, detected intrusion, targeted attack, denial of service, data leakage, ++

Page 8

EXPECT EACH USER IN YOUR COMPANY TO GENERATE 0.2 to 0.3 CONFIRMED SECURITY INCIDENTS PER YEAR

EXPECT TO MANUALLY ANALYSE 45 to 60 INCIDENTS FOR EVERY CONFIRMED INCIDENT

ON AN ANNUAL BASIS:

  USERS   CONFIRMED INCIDENTS   MANUALLY ANALYSED
    100                    25               1 312
    500                   125               6 562
   1000                   250              13 125
   3000                   750              39 375
   5000                 1 250              65 625

(The table values correspond to 0.25 confirmed incidents per user and 52.5 manually analysed incidents per confirmed incident, the midpoints of the two ranges above.)

Page 9

MNEMONIC MANAGED DETECTION AND RESPONSE, AVAILABLE ON DEMAND

• Receive reliable, accurate alerts
• Respond faster with actionable intelligence
• Concentrate your security resources on the real threats
• Gain insight and confidently report on security

Covers the whole chain from DETECTION to RESPONSE: generate and collect alerts, triage & validate alert, investigate & verify incident, identify scope of incident, assess priority & response actions, execute response actions.

97% alert accuracy from mnemonic, against 19% of alerts considered reliable.

Page 10

The importance of context

Page 11

CONTEXT IN ACTION

Page 12

Page 13

Page 14

Market Guide for Managed Detection and Response Services

Download the report free at www.mnemonic.no/Gartner

mnemonic is the only European vendor featured in the report

Predictions for 2020: 15% of midsize & enterprise organisations will be using MDR services, up from 1% today; 50% of MSSPs will offer MDR-type services.

Page 15

Preparing for the future: collaboration between academia, government and enterprise is key

Research collaborations

OSLO ANALYTICS: developing new analytical methods to gain a deep situational awareness of security incidents. Participants: University of Oslo (UiO), mnemonic, The US Army Research Labs, The Norwegian National Security Authority (NSM), The Norwegian Defence Intelligence College, Norwegian Computing Center (NR), Technische Universität Darmstadt

ARS FORENSICA: global research effort to improve the investigation and prosecution of cybercrime. Participants: Center for Cyber and Information Security (CCIS), mnemonic, Europol Cybercrime Center (EC3), United Nations, The Netherlands Forensic Institute (NFI), The Norwegian National Police Directorate (POD), The Norwegian National Criminal Investigation Service (Kripos), The Norwegian Police University College, Økokrim, The Oslo Police District, The Norwegian Ministry of Justice and Public Security

• Dedicate 10% of our resources to research
• Contribute to the security community. Examples: FIRST, Europol Cybercrime Centre (EC3), Center for Cyber & Information Security (CCIS), open source contributions
• Share threat intelligence
• Academic involvement: 2 post doctorates, 1 PhD, 1.5 university professorships, 3 master’s thesis mentors

Page 16

semi-Automated Cyber Threat intelligence (ACT): mnemonic-led, 3-year collaborative research project to solve the challenges in receiving, storing, and sharing threat data

Goals include:
• Develop new algorithms for automated analysis to detect more attacks with more precise results
• Develop new algorithms to identify threat actors and attack campaigns
• Automated exchange of analysis results between private and public industry

Partners

The resulting platform will be open-sourced. Want to contribute? Contact us!

Page 17

OPEN TOOLS & SERVICES
• PassiveDNS.mnemonic.no: investigate historical relationships between domains and IP addresses
• URLQuery.net: automatically scan public webpages
• SecureDNS: intercept and block users from known malicious pages. Takes minutes to set up.

CONTACT ME
Andrew Facchini, [email protected], +47 459 07 330, @andrewfacchini

READ
Market Guide for Managed Detection and Response Services, www.mnemonic.no/Gartner

LEARN MORE
mnemonic Security Seminar in Stockholm, October 25th. Follow us for all the details: mnemonic-as, mnemonic.no

THANK YOU!