THREAT DETECTION AND INCIDENT RESPONSEWHAT’S NEW FOR 2014?

2

INTRODUCTIONS

Mike RothmanPresident, Securosis@securityincitemrothman@securosis.com

Jaime BlascoDirector, AlienVault Labs@jaimeblascob

Meet today’s speakers

AGENDA

• New attack methods and vulnerabilities exploited in 2013

• How to respond and recover quickly from a breach

• Security technologies to consider going into 2014

• Q&A

About Securosis

• Independent analysts with backgrounds on both

the user and vendor side.• Focused on deep technical and industry expertise.• We like pragmatic.• We are security guys - that’s all we do.

The Pendulum Swings Back to Security

http://www.flickr.com/photos/imlichenit/5532476683/

Advanced Malware is Advanced

• Attacks > Defenses

• Advanced Attackers > You

• Attack surface is (pretty much) infinite.

• This isn’t going to change…

Denial of Service hits the mainstream

• 300+ Gbps network attacks

• Availability attacks on the applications

• Favorite tactic of hacktivists

http://www.flickr.com/photos/astanhope/3592189/

The Cloud - Not If, But WHEN

http://www.flickr.com/photos/52859023@N00/644335254

Technology Problems are easy…

Biggest emerging problem is the security skills gap

http://www.flickr.com/photos/morton/

2305095296/

“Best Practices” Moving Forward

• Depends on the maturity of your security

program…

• Determine:• Where you are

• Where you want to be

• Do you understand what that really means?

• But the first job is to…

http://www.flickr.com/photos/clintw/6051081177/

http://www.flickr.com/photos/61063852@N00/5088741119/

React Faster and Better

• You can’t stop all the attacks, so you better

detect them faster.

• And respond better.

• This involves monitoring, forensics, and

incident response.

• Most enterprises don’t do this very well.

Less Mature Programs: Blocking and Tackling

• Malware/Attack Detection

• Evolving Network Security

• Endpoint/Server Hygiene

• Logging and Simple Alerting

http://www.flickr.com/photos/bibbit/6187662743/

More Mature Programs: Deeper Detection

• Network-based Malware Detection• Incident Response Focus/Forensics• Threat Intelligence

http://www.flickr.com/photos/

crowt59/2217016729/

Shopping List 2014

Network Security

• Network-based Malware Detection

• Next Generation Firewall

• Perimeter Re-architecture

• Perimeter Security Gateway

Endpoint Security

• Advanced Malware Protection

• Application HIPS

• Isolation (browser & kernel)

• White Listing

• Endpoint Activity Monitoring

• Whither traditional AV?

http://flic.kr/p/9kC2Q1

Security Monitoring/Management

• Continued investment in monitoring

technologies

• Aggregation of information across the entire

technology stack

• Alerting, Visualization, Reporting

• Threat Intelligence Driven

ALIENVAULT OPEN THREAT EXCHANGE (OTX) COLLABORATIVE THREAT INTELLIGENCE

20

OTX IN ACTION

Continuous updates

Updates provided every 30 minutes

200,000-350,000 validated malicious IP’s at any point

Active and open threat sharing

Since March 2012, OSSIM & USM users have flagged 196 million events as malicious

Average of ~11 million a month (365,000 a day)

Effective against targeted attacks

20% of ‘live’ APT1 domains were in OTX at time of Mandiant report

218 domains were ‘live’ at time of report (the rest were added later the same day), 44 IPs found in OTX

ALIENVAULT UNIFIED SECURITY MANAGEMENT (USM)WITH THREAT INTELLIGENCE POWERED BY OTX

ALIENVAULT IN ACTION

Step 2: Dig deeper by clicking on bad IP to continue investigation.

Step 1: Immediately identify known malicious IPs targeting your network.

DIG DEEPERON BAD IP ADDRESSES

SHARE AND REVIEW COMMENTS ON ACTIVE THREATS

ALIENVAULT IN ACTIONStep 3: Follow step-by-step guidance in responding to the threat.

ALIENVAULT IN ACTION

Optional: Provide contextual feedback to OTX so others can avoid becoming targets of the same threat.

UNIFIED MONITORING, PRESCRIPTIVE GUIDANCE, AND PREVENTATIVE RESPONSE

AlienVault USM delivers unified and coordinated security monitoring for incident response and compliance management.

AlienVault Labs provides coordinated intelligence and analysis of the latest threats, and prescriptive guidance on how to respond.

AlienVault Open Threat Exchange offers real-time insights on incidents affecting others that may impact you, so you can deploy a preventative response.

Critical Success Factor 2014: Invest in Your People

• You can’t find them, so you need to grow them• Training, Internships

http://www.flickr.com/photos/alanenglish/6027912804/

NOW FOR SOME Q&A

More from AlienVault… Join OTX:http

://www.alienvault.com/open-threat-exchange

AlienVault Labs blog:

http://www.alienvault.com/open-threat-exchange/

blog

Download a Free 30-Day Trial of USM:http

://www.alienvault.com/free-trial

Join us for a LIVE Demo of USM:http

://www.alienvault.com/marketing/alienvault-usm-li

ve-demo

More from Securosis… Follow Mike on Twitter:

@securityincite

Securosis blog:

http://securosis.com/blog

Securosis research:

http://securosis.com/research

Securosis publishes (almost)

everything for free. Contribute. Make it

better.

View Webcast On-Demand

View a recorded version of this webcast On-Demand here.