Removing Blind Spots in Network Visibility to Stop Data Theft
Transcript of the slide deck
Page 1
Removing Blind Spots in Network Visibility to Stop Data Theft
Stephen Newman, CTO, Damballa
Thursday, October 29, 11:20 AM - 11:50 AM
CONFIDENTIAL AND PROPRIETARY | ©2014 DAMBALLA
Page 2
CLUES TO A CRIME
Photo Source: NBC
Page 3
CYBERCRIMES IN 1H 2015
577 Breaches
155M+ Records
Source: Identity Theft Resource Center, 2015 Data Breach Category Summary
Page 4
DETECTION TAKES TOO LONG
229 days to discover a breach
67% discovered by 3rd parties
Source: Mandiant’s 2014 M-Trends Report
Minutes: 11%
Hours: 13%
Days: 17%
Weeks: 25%
Months: 29%
Years: 5%
Page 5
BLINDED BY ALERTS
Tsunami of Noise
Layers of Security Prevention Products
Uncertainty About Actual Threats
Overwhelming volume
High rate of false positives
Snapshot-in-time data
Information without context
Page 6
LOTS OF EVIDENCE BUT NO PROOF
Endpoint Security / Network Security: AV, HIPS, FW, DNS FW, IDS/IPS, WSG/Proxy, VM Sandbox
Known indicators
Unknown indicators
Proof of Infection
Page 7
PREVENTION IS BLIND TO EVASIVE MALWARE
Initial Infection
Dropper
Update/Repurpose
Updater Site / Downloader Site
Initial C&C and 2nd Repurpose
C&C Portals
C&C Proxies
Repository
Page 8
HOW CAN YOU REMOVE THE BLINDERS?
Stages: Initial Infection, Update/Repurpose, Initial C&C and 2nd Repurpose, C&C Portals, C&C Proxies
Observables: Files Downloaded, Executed files, Queries, Domain Fluxing, P2P Activity, HTTP Attempts, Communications with C&C, Automation, Emergent Threat
Page 9
WHAT IF YOU COULD ELIMINATE GUESSWORK?
Slog through alerts
Dig through logs
Chase false positives
Correlate data
Make assumptions
Act/Don’t Act?

Instrument the network for detection
Indicators of compromise are monitored
Pieces of evidence are corroborated
Proof of infection is verified
High-risk devices are prioritized
Data theft is averted
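One way to turn the steps above into detection logic, as an added example that is not Damballa's code or anything from the talk: each device's network and endpoint observables are collected, a device is "confirmed" only when independent evidence classes corroborate (the slide's proof of infection), and confirmed devices are ordered by asset importance. The telemetry lines, C&C watch-list and importance scores are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample telemetry (not from the talk); format: "device kind detail...".
EVENTS = """\
10.0.0.5 dns NXDOMAIN kq3x9v.biz
10.0.0.5 dns NXDOMAIN p8wz1r.biz
10.0.0.5 dns NXDOMAIN t4mn7c.biz
10.0.0.5 dns NXDOMAIN a0ld2e.biz
10.0.0.5 http c2-portal.invalid
10.0.0.7 http c2-portal.invalid
10.0.0.9 dns NXDOMAIN typo.example
10.0.0.9 exec invoice.pdf.exe
10.0.0.9 http c2-proxy.invalid
""".splitlines()

C2_HOSTS = {"c2-portal.invalid", "c2-proxy.invalid"}       # constructed C&C watch-list
IMPORTANCE = {"10.0.0.5": 3, "10.0.0.7": 1, "10.0.0.9": 2}  # constructed asset criticality
NXDOMAIN_BURST = 4  # distinct failed lookups that suggest domain fluxing (assumed threshold)

def collect_evidence(events):
    """Map each device to the set of independent evidence classes seen for it."""
    nxdomains = defaultdict(set)
    evidence = defaultdict(set)
    for line in events:
        device, kind, *detail = line.split()
        if kind == "dns" and detail[0] == "NXDOMAIN":
            nxdomains[device].add(detail[1])          # one failed lookup is just noise
        elif kind == "http" and detail[0] in C2_HOSTS:
            evidence[device].add("c2_http")           # HTTP attempt to a C&C portal/proxy
        elif kind == "exec":
            evidence[device].add("executed_file")     # endpoint saw a file execute
    for device, names in nxdomains.items():
        if len(names) >= NXDOMAIN_BURST:
            evidence[device].add("domain_fluxing")    # burst of distinct NXDOMAINs
    return evidence

def proof_of_infection(evidence, min_classes=2):
    """Confirm only devices where at least min_classes independent classes corroborate."""
    return {dev for dev, classes in evidence.items() if len(classes) >= min_classes}

def prioritize(confirmed):
    """Order confirmed devices by importance so the IR team works the riskiest first."""
    return sorted(confirmed, key=lambda dev: IMPORTANCE.get(dev, 0), reverse=True)

if __name__ == "__main__":
    ev = collect_evidence(EVENTS)
    for dev in prioritize(proof_of_infection(ev)):
        print(dev, sorted(ev[dev]))
```

Device 10.0.0.7 has a single C&C hit and stays an unconfirmed alert; the two devices with corroborating evidence are confirmed and ranked by importance.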
Page 10
NETWORK SECURITY MONITORING BY DAMBALLA
YOUR NETWORK TRAFFIC & DEVICES
RISK PROFILERS: Activity, Importance, Intent
DETECTION ENGINES: Behaviors, Content, Threats
CASE ANALYZER & MANAGER: TRUE POSITIVES CONFIRMED
CLOSED CASES
Threat Discovery Center
IR TEAM
Page 11
TAKEAWAYS
Prevent what you can
Understand how malware evades detection
Instrument the network to discover hidden threats
A compromise doesn’t have to lead to a breach
Respond in a prioritized way based on risk factors