Accenture Cyber Defense Platform. Architecture Overview



Introduction

Companies are facing a wide variety of new and complex security challenges. Growing attack surfaces, sophisticated attacks, explosive data growth and diverse heterogeneous defense systems are examples of the issues plaguing the industry. With large attack surfaces, organizations don't holistically know what they need to protect or how to prioritize their concerns. The recent shift to investing in cyber security detection and remediation is not enough to fight the high volume and sophistication level of today's attacks. Overwhelming data volumes cause traditional security information and event management (SIEM) tools to become slow to respond. Finally, so many technologies exist between data centers and clouds that it is hard to manage or track them all. To help businesses combat the ever-growing list of challenges, Accenture has created the Accenture Cyber Defense Platform.

Better Together

Accenture, serving as a trusted advisor in cyber security to the world's largest enterprises, sees its clients struggle to define security architectures and choose which combination of security solutions works best to protect their assets from attacks. To address this problem, Splunk, Palo Alto Networks, Tanium and Accenture have partnered to jointly develop a comprehensive solution for the Accenture Cyber Defense Platform that:
- Reduces the number of point products.
- Increases both security posture and resilience.
- Moves the enterprise along the security maturity curve.

The solution utilizes a combination of industry-leading applications: Splunk Enterprise and Splunk Enterprise Security (ES), Palo Alto Networks Next-Generation Firewall (NGFW), Palo Alto Networks Traps, Palo Alto Networks WildFire, Tanium Platform and Tanium Security Suite, all tied together with customized Accenture software.

For most organizations, attaining a fully secured environment seems like a daunting goal. Implementing a comprehensive platform that addresses identification, prevention, detection, response and recovery, and does so across endpoints and networks, represents a major leap forward in mitigating risks. This document explains how enterprises can leverage the combination of the capabilities provided by Splunk, Palo Alto Networks, Tanium and Accenture, now available via the Accenture Cyber Defense Platform, to help them defend their enterprises effectively.

Accenture Cyber Defense Platform: bringing industry leaders together using custom software and Accenture know-how.
- Splunk: Enterprise Security analytics and SIEM mixed with machine learning to monitor the environments.
- Palo Alto Networks: identifying and stopping threats at the perimeter, intranet and endpoints.
- Tanium: monitoring and controlling the endpoints for maximum effectiveness.

Today's Landscape

Cloud, mobile and social networking solutions have earned their places in countless enterprise implementations by successfully creating business value, and they are the new normal bedrock components of many mission-critical business systems. While the adoption of cloud services has been widespread and rapid, many security organizations have lagged behind in establishing appropriate frameworks, policies and controls to deal with cloud technologies.

[Figure: Digital Assets Landscape. Asset classes and their connectivity: data center, private cloud and workplace assets (user endpoints) plus hosted sites, reached through the corporate network; hybrid/public cloud assets (IaaS, PaaS, SaaS), reached through a CASB or third-party cloud security services, cloud-to-cloud, or direct client-to-cloud; OT and IoT assets (segregated endpoints, POS). The lifecycle Identify, Prevent, Detect, Respond, Recover is applied across endpoints, network, applications, data and identities. Window of visibility: controls, monitoring, analytics, intelligence, orchestration and workflow. Response: tickets, automation, forensics, remediation, continuous improvement.]

Asset Management, Attack Surfaces and Common Challenges

Despite all the efforts and resources that organizations invest in traditional information security approaches, they still fall prey to cyber threats, or they find that they are unprepared to manage the rapidly blurring boundaries of the enterprise's perimeter (made less clear as a result of cloud computing, mobile devices, etc.).

Common Challenges

Identify
- The attack surface is expansive, diverse and misunderstood.
- Asset management continues to be a major, unsolved challenge.
- Organizations don't holistically know what assets they need to protect and how to prioritize their concerns, including shadow IT.

Prevent
- Organizations are currently focusing on and investing in detection and remediation technologies, which alone are not enough to fight today's high volume of increasingly sophisticated attacks.
- Businesses are stacking point products on their networks, adding more overhead and inefficiency.
- Security compliance is difficult to manually enforce and monitor.

Detect
- Traditional security information and event management (SIEM) tools are becoming too slow due to the large volumes of data they ingest, which results in overwhelming amounts of incoming data that cannot be parsed.
- Unknown threats may not match the signatures or attack databases on which most tools rely. A more robust level of heuristics is required to detect fraud.
- Insiders' abilities to gain access to confidential data may go unnoticed.

Respond
- Tasks that incident responders need to perform are time-consuming, including:
  - Scoping the extent of a problem.
  - Collecting context information (if at all possible).
  - Containing and stopping the incident from progressing further as an outbreak.
  - Investigating forensics.

Recover
- Incident recovery often requires an outage and significant downtime.
- Restoring systems to their preinfection status may not be feasible.
- Negative publicity and the financial fallout from a public breach will likely have far-reaching consequences.

Tanium

With Tanium, security and IT operations teams can query every endpoint, understand what is happening on each endpoint as it's happening, and perform remediation at scale and within seconds. By integrating cyber threat intelligence, and delivering precise and granular endpoint threat detection, incident response and remediation, Tanium delivers the speed, scale and simplicity that incident responders need to hunt down and defend against emerging cyber threats, along with building good security hygiene into IT operations processes.

Splunk

Splunk ES is a premium security solution that provides insights into machine data generated from security technologies such as network, endpoint, access, malware, vulnerability and identity information. It enables security teams to quickly detect and respond to internal and external attacks to simplify threat management while minimizing risk and safeguarding a business. Splunk ES streamlines all aspects of security operations and is suitable for organizations of all sizes and levels of expertise.

Palo Alto Networks

Palo Alto Networks is the next-generation security company, leading a new era in cyber security by safely enabling applications and preventing cyber breaches for tens of thousands of organizations worldwide. Built with an innovative approach and highly differentiated cyber threat prevention capabilities, its game-changing security platform delivers security far superior to legacy or point products, safely enables daily business operations and protects an organization's most valuable assets.

Accenture Cyber Defense Platform (ACDP)

Bringing Together Powerful Technologies to Simplify the Complex

ACDP provides efficient and effective ways to improve an organization's security posture, meet your goals and address your hardest challenges.

Platform Components

Security Big Data Analytics by Splunk and Accenture: Intelligence, ES, User Behavior Analytics, ACDP's content pack and technology add-ons from Tanium and Palo Alto Networks.

Splunk is a platform that was originally designed for management of big data, including logging both structured and unstructured machine data. Since then, it has expanded into the SIEM market with ES, a premium solution that gathers data for security analytics. ES provides a number of dashboards based on underlying queries that detect malicious activities (historical data mining and real-time analysis). In addition, User Behavior Analytics helps find known and unknown threats through machine learning and peer-group baselining analytics.

Perimeter, Internal Network and Cloud Asset Protection by Palo Alto Networks: Next-Generation Firewall (NGFW), Panorama, WildFire, GlobalProtect and Aperture.

Palo Alto Networks provides next-generation firewalls, managed through the Panorama interface, that guard the network perimeter. Palo Alto Networks NGFW goes beyond traditional access control lists and stateful packet inspection by performing these security functions:
- User identification (identity management)
- Application identification
- URL filtering and proxy service
- Decryption
- VPN services
- Intrusion detection and prevention
- Anti-virus and malware detection

Traditional firewall access lists based on IP addresses are cumbersome and static. Network rules provide control of users' authentication and of what applications/URLs they can access (with the help of existing identity and access management systems). The technology either allows or blocks access and then reports the results. If the traffic is encrypted, the NGFW will perform packet decryption to examine the contents. VPN services allow inbound and outbound connections from the corporate intranet, including destinations like the ACDP Amazon Web Services portal.

External internet traffic is analyzed and controlled by Aperture and WildFire. Aperture is Palo Alto Networks' management console for monitoring SaaS applications. As a cloud service, WildFire provides malware detection, with the added protection of a virtual sandbox for creating unknown threat signatures. That means both known and unknown threats can be detected, blocked and reported. Attack signatures are updated by Aperture's threat feed service. Malware signatures are stored in WildFire and on the firewall itself.

Endpoint Security by Palo Alto Networks Traps and the Tanium Platform

Traps, developed by Palo Alto Networks, focuses on the core techniques that threat actors leverage with advanced cyber attack exploits. Traps renders these techniques ineffective by breaking the exploit sequence and blocking the technique the moment it is attempted. Traps includes a console that provides a user-interface application, an agent that protects the endpoint (such as desktops or servers) and communicates with the Endpoint Security Manager Server, and the service that collects forensic data. The Traps agent protects the endpoint by implementing the organization's defined security policy. It also protects authorized processes, blocking unauthorized ones (by using known exploit protection modules). The agents integrate with WildFire by sending executable hashes for inspection. Suspicious files are sent to a forensics folder. For mobile hosts like laptops, Palo Alto Networks uses its GlobalProtect client agent for virtual private network services.

Tanium provides visibility and control of end user and data center endpoints (e.g., laptops, desktops, servers, etc.) in the world's largest organizations. By providing complete and accurate visibility and control across every endpoint, organizations can quickly and accurately detect and remediate threats, improve incident response capabilities and build good security practices into IT operations, such as patching systems and gaining continuous asset visibility. The Tanium Core Platform enables organizations to ask any question of every endpoint and get an answer back within seconds. That way, in the case of cyber hunting, they know the scope and impact of a threat and can act quickly to take any action needed at scale (such as patching or quarantining all infected machines across the enterprise). Tanium's real-time endpoint data can enhance many existing IT operations systems, such as ServiceNow, BMC Remedy and Atrium.

The Tanium Security Suite consists of a collection of modules that complement the platform by delivering purpose-built capabilities for security professionals. With Tanium, organizations can quickly find unmanaged assets and secure them; proactively hunt for and remediate threats; block known attacks on the endpoints; consolidate and make third-party threat intelligence data actionable through automated, scheduled scanning; make operating systems more secure through current patching at scale; and enable investigators to retrieve and search forensic data to fully scope and investigate attacks.

Accenture

Accenture is a leading global professional services company, providing a broad range of services and solutions in strategy, consulting, digital, technology, operations and security. ACDP includes a content pack (customized software) that leverages the hardware and software capabilities of the solution components, allowing unprecedented response management centralization, visibility and control.

Platform Architecture

A visualization of the asset landscape is given below, showing where each solution component acts. Palo Alto Networks firewalls guard the perimeter and provide IDS/IPS, anti-virus, URL filtering and malware protection. Together, Palo Alto Networks Traps and Tanium agents secure the endpoints. Traps works with WildFire to prevent malicious executables from running on desktops, laptops, servers and the like. Tanium continuously scans the network for unmanaged hosts, and it records processes and watches changes in files. Solutions by Tanium and Palo Alto Networks log back to Splunk, where the data is monitored in real time and analyzed through ES. Response and recovery are automated, with Accenture building custom queries for the ACDP application.

Accenture Cyber Defense Platform Overarching Logical Diagram

[Logical diagram. Endpoint protection for on-site endpoints and virtual servers: Palo Alto Networks Traps, Tanium endpoint, anti-virus. Endpoint remote protection for remote endpoints: Palo Alto Networks Traps, Palo Alto Networks GlobalProtect, Tanium endpoint, anti-virus. Perimeter and intranet: next-generation firewall managed by Panorama, Tanium server, Tanium zone server, server logs. Internet: SaaS, Aperture, WildFire, AutoFocus. Splunk (UBA, ISA, ES, custom-ware) feeds the SOC.]

Diagram notes:
- The next-generation firewall covers the functionalities of IDS/IPS, anti-virus, malware protection, URL filtering, proxy and DLP, and can replace what is currently in line and adding latency.
- Splunk collects data feeds from the Palo Alto Networks and Tanium platforms as well as other data sources.
- Splunk (ES, UBA and the response framework) with technology add-ons (TAs) from Palo Alto Networks and Tanium; the Accenture Cyber Defense Platform content pack is used as the integration point.

Use Cases

To further explain the vision behind ACDP, below are two use cases that demonstrate how the solution works.

- Use Case 1: Unmanaged Assets. A new, unknown device appears on the network and may pose a threat. Asset management systems are not up-to-date and cannot be relied upon.
- Use Case 2: Ransomware. The organization is confronted with advanced malware that is silently encrypting corporate data and asking for a ransom to decrypt it.

Use Case 1: Unmanaged Assets

Cyber Defense Tools vs. Unmanaged Assets

Splunk can act as a security nerve center in this scenario. It receives discovery events from the Tanium solution and can also instantiate a range of actions in either Palo Alto Networks or Tanium, based on the event itself and on correlation against the data about all assets in the environment. If the Tanium agent is not installed successfully, Splunk will signal the Palo Alto Networks firewall to modify a rule for quarantine until the agent can be installed successfully, at which point Splunk will change the state of the device from unmanaged to whitelisted.

Tanium can uniquely scan networks with hundreds of thousands or even millions of endpoints and discover unmanaged assets within the environment via a scheduled process. Once unmanaged assets are detected and identified by Tanium Discover, an automated event can be forwarded to Tanium. Tanium then forwards that information to Splunk or to third-party applications such as . In addition, Tanium Discover, from the single click of a mouse, can install a Tanium agent or block the endpoint (with assistance from Palo Alto Networks NGFW and Dynamic Address Groups).

Tanium Discover (a module within the Tanium Security Suite), coupled with the Tanium platform, provides the ability to alert, and to allow network administrators to take action, when a new device is discovered on the network. Tanium Discover can also alert on lost assets: managed assets that now show up as unmanaged, indicating a problem with the Tanium agent that may itself indicate a compromised endpoint.

In this case, an unmanaged device appears on the network. It could be a hacker's rogue agent, used to corrupt good processes, or to piggyback on good processes, in order to bypass security protocols.

ACDP: Defenses

1. Tanium Discover runs a scheduled query to search for unmanaged assets.
2. When Tanium Discover finds an unmanaged asset, the new device data is sent to Splunk for indexing.
3. Splunk queries the data it has already received from Palo Alto Networks (through the Palo Alto Networks add-on) for what it knows about each unmanaged asset. Palo Alto Networks NGFW logs network traffic and sends syslog data to Splunk.
4. The ACDP app dashboard in Splunk presents the best current known information about unmanaged assets, correlates it with data from the Configuration Management Database (CMDB) and other asset sources, and provides follow-up actions, such as: whitelist the host; install the Tanium agent and Palo Alto Networks Traps; or quarantine/block the host with Palo Alto Networks NGFW (which limits the host to local network connections).
5. The analyst chooses a response from the options offered in the ACDP app dashboard (column 6 of the flow diagram).
6. The device is whitelisted, or the Tanium/Traps agents are installed.
7. Splunk instructs the firewall to remove the asset from quarantine. The Security Operations Center (SOC) verifies that the Tanium/Traps agents are installed and removes the device from quarantine.
8. The asset is removed from quarantine in Palo Alto Networks NGFW.

[Flow diagram, Use Case 1: Unmanaged Assets, with swimlanes Tanium Discover, Splunk, Palo Alto Networks, SOC and Endpoint. BEGIN: a new unmanaged asset is detected by Tanium Discover; the new device data is sent to Splunk for indexing; Palo Alto Networks logs network traffic and sends syslog into Splunk; Splunk queries the data it has already received from Palo Alto Networks (through the Palo Alto Networks add-on) for what it knows about each unmanaged asset; the unmanaged asset is automatically quarantined and a captive portal is applied; the Accenture CDP app dashboard presents the best current known information about the unmanaged asset and correlates it with data from the CMDB, Palo Alto Networks ESM and other asset sources; the SOC chooses a response; the device is whitelisted, or the Tanium agent and Traps client are installed on the endpoint; the SOC verifies Traps and Tanium client deployment and removes the asset from quarantine via Splunk, which instructs the firewall; the asset is removed from quarantine in the firewall; END.]
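The correlation in steps 2 to 4 above, as an added example that is not part of the original overview or of any vendor's product: a simplified, offline model in which a Tanium Discover event is enriched with firewall traffic logs and a CMDB record, and the proposed follow-up is expressed as a Dynamic Address Group tag change. All IPs, log lines, the log field layout, the CMDB rows, the tag names and the decision thresholds are constructed assumptions for this example.

```python
"""Added example (not Accenture's, Splunk's, Tanium's or Palo Alto Networks'
code): an offline model of steps 2-4 of the unmanaged-asset defence above.
A Tanium Discover event names a host with no agent; the correlation step
enriches it with what the firewall traffic logs already say about that host
and with the CMDB, then proposes the follow-up action the dashboard would
offer, expressed as a Dynamic Address Group tag change. Every IP, log line,
CMDB row, tag name and field layout below is constructed for this example."""
import csv
import io
import ipaddress
from collections import Counter
from dataclasses import dataclass, field

# Constructed firewall TRAFFIC log lines. The field order
# (time, type, src, dst, app, action, bytes) is an assumption made for this
# example, not the real PAN-OS syslog layout.
FIREWALL_LOGS = """\
2016-05-01T10:00:01,TRAFFIC,10.1.5.23,52.16.0.10,ssl,allow,18340
2016-05-01T10:00:05,TRAFFIC,10.1.5.23,10.1.1.7,smb,allow,2210
2016-05-01T10:00:09,TRAFFIC,10.1.5.23,198.51.100.9,unknown-tcp,allow,99000
2016-05-01T10:00:12,TRAFFIC,10.1.5.23,198.51.100.9,unknown-tcp,allow,120000
2016-05-01T10:01:00,TRAFFIC,10.1.8.40,10.1.1.7,ldap,allow,1500
2016-05-01T10:01:30,TRAFFIC,10.1.8.40,10.1.1.9,smb,allow,8800
"""

# Constructed CMDB extract keyed by IP.
CMDB = {"10.1.8.40": {"hostname": "fin-ws-017", "owner": "finance", "approved": True}}

# Constructed Tanium Discover events: hosts seen on the network with no agent.
DISCOVER_EVENTS = [
    {"ip": "10.1.5.23", "mac": "00:11:22:33:44:55", "first_seen": "2016-05-01T09:58:00"},
    {"ip": "10.1.8.40", "mac": "00:11:22:33:44:66", "first_seen": "2016-05-01T10:00:30"},
]

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
QUARANTINE_TAG = "acdp-quarantine"   # assumed tag bound to a DAG rule allowing local traffic only
WHITELIST_TAG = "acdp-whitelisted"   # assumed tag bound to a DAG rule allowing normal access


@dataclass
class AssetContext:
    ip: str
    in_cmdb: bool
    approved: bool
    apps: Counter = field(default_factory=Counter)
    external_bytes: int = 0
    external_peers: set = field(default_factory=set)


def enrich_from_firewall(events, log_text):
    """Step 3: correlate each discovered IP with firewall traffic already indexed."""
    ctx = {}
    for e in events:
        rec = CMDB.get(e["ip"], {})
        ctx[e["ip"]] = AssetContext(ip=e["ip"], in_cmdb=bool(rec),
                                    approved=rec.get("approved", False))
    for row in csv.reader(io.StringIO(log_text)):
        _ts, log_type, src, dst, app, action, nbytes = row
        if log_type != "TRAFFIC" or action != "allow" or src not in ctx:
            continue
        asset = ctx[src]
        asset.apps[app] += 1
        if ipaddress.ip_address(dst) not in INTERNAL_NET:
            asset.external_bytes += int(nbytes)
            asset.external_peers.add(dst)
    return ctx


def recommend(asset):
    """Step 4: the follow-up action the dashboard would offer the analyst.
    The thresholds are illustrative; a deployment tunes them in the ACDP app."""
    if asset.in_cmdb and asset.approved:
        return "install-agents"   # known, approved device: deploy Tanium and Traps
    if "unknown-tcp" in asset.apps or asset.external_bytes > 100_000:
        return "quarantine"       # unknown host already talking outward: NGFW limits it
    return "review"               # unknown but quiet: analyst whitelists or installs


def dag_tag_update(ip, action):
    """Express the firewall change as a Dynamic Address Group tag (un)registration."""
    if action == "quarantine":
        return {"ip": ip, "register": [QUARANTINE_TAG], "unregister": [WHITELIST_TAG]}
    if action == "install-agents":
        return {"ip": ip, "register": [WHITELIST_TAG], "unregister": [QUARANTINE_TAG]}
    return {"ip": ip, "register": [], "unregister": []}   # no change until the analyst decides


def process(events, log_text):
    """Run the correlation for every Discover event and return per-host decisions."""
    decisions = {}
    for ip, asset in enrich_from_firewall(events, log_text).items():
        action = recommend(asset)
        decisions[ip] = {"context": asset, "action": action, "tags": dag_tag_update(ip, action)}
    return decisions


if __name__ == "__main__":
    for ip, d in process(DISCOVER_EVENTS, FIREWALL_LOGS).items():
        c = d["context"]
        print(f"{ip}: cmdb={c.in_cmdb} apps={dict(c.apps)} ext_bytes={c.external_bytes} "
              f"-> {d['action']} tags={d['tags']}")
```

In the real flow the asset is quarantined automatically before the analyst chooses; this model only computes the recommendation and the tag change that Splunk would push to the firewall.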

Use Case 2: Ransomware

Cyber Defense Tools vs. Ransomware

The best prevention for ransomware is to prevent installation of the malware in the first place. In this deployment scenario, Splunk provides the security analytics engine that collects the log and event data for correlation of a suspicious event. A spurious attempt to install malware is detected by Palo Alto Networks Traps and blocked by the Palo Alto Networks firewall, checked against additional context (e.g., other network infrastructures). Splunk also incorporates queries at the Tanium endpoint in order to determine the scope of the infection, and to further verify this against upstream/downstream activities. From that point on, alerts can be created and automation initiated by Splunk to quarantine or block as well.

Tanium IOC Detect (a module within the Tanium Security Suite), coupled with the Tanium platform, provides incident responders an automated way to download Indicators of Compromise (IOCs) and run detection scans against endpoints both on and off the enterprise network infrastructure. In this use case, Tanium can schedule an automated process to check in with the Palo Alto Networks NGFW to see if it has encountered a possible threat. If a threat has been encountered, it will be forwarded to WildFire. Tanium will ask for the threat ID and will then query WildFire for the IOC it created. Tanium downloads the IOC so that an analyst can run a scan via Tanium IOC Detect against endpoints both on and off the enterprise network. IOC scans can be configured to run at any time or on a schedule.

In this case, a user downloads a ransomware payload. The infected workstation then communicates out to a command and control server, encrypts local files, and sends the keys back to the hacker. The user is then guided to a ransomware site where the hijackers give instructions on how to make a payment in exchange for decrypting the information and returning control of the PC.

[Flow diagram, Use Case 2: Ransomware, part 1, with swimlanes Client, FW (firewall), WF (WildFire) and Tanium Connect. BEGIN: a client starts downloading a file; the firewall calculates the file's MD5 hash and checks it against its local WildFire database. If the hash is unknown (the firewall has no entry for that file in its local WildFire database), the MD5 hash is sent to WildFire, the file is sent to the WildFire cloud for analysis, and the client downloads the file. Outcomes: malware (the firewall is informed about the malware detection); benign (the firewall is informed about no malware detection; the file is not malicious; the only result visible would be in WildFire statistics; END); or WildFire does not detect the malware and the client is infected. In parallel, Tanium Connect periodically checks Palo Alto Networks for new threats, and Palo Alto Networks returns information about the new threat.]

[Flow diagram, Use Case 2: Ransomware, part 2, with swimlanes Client, Traps, FW (firewall), ESM (Endpoint Security Manager), WF (WildFire), Tanium Connect, Splunk and SOC. The malware starts working and Traps analyzes its behavior. Detected: information about the stopped attack is sent to the ESM server, Traps updates WildFire, Splunk is informed via syslog, and the SOC is alerted in the ACDP app; END. Not detected: the malware is still working; the firewall stops the malware calling home with its anti-spyware function (IDS), Splunk is informed via syslog, the SOC is alerted in the ACDP app, and the device is quarantined; END. IOC path: WildFire queries the WildFire cloud for additional IOC data and returns the IOC for the threat; Tanium Connect contacts WildFire for the threat IOC and updates the IOC module; the SOC must manually launch IOC Detect in Tanium (automatic IOC sending is in development); Tanium returns the list of clients detected by IOC Detect, and the SOC is informed in the ACDP app.]

ACDP: Defenses

1. The client downloads a malicious file via the internet, or Palo Alto Networks NGFW intercepts an infected PDF; the file is sent to WildFire for analysis and passed through to the client.
2. Tanium Connect continually checks for new WildFire IOC updates and runs queries for them in the background.
3. The firewall is informed of WildFire's analysis verdict (malware or not), which is sent to the ACDP app dashboard in Splunk. This alerts the SOC and may launch IOC Detect in Tanium.
4. Traps detects the exploit based on its behavior pattern and stops it. Traps updates WildFire, and the logs are sent to Splunk. The SOC is alerted by the ACDP app dashboard in Splunk.
5. If Traps does not stop the malware, it may be caught by the firewall intrusion detection system while phoning home. The logs are then sent to Splunk, which automatically alerts the SOC.
6. Tanium IOC Detect runs, based on WildFire IOCs.
7. Positive IOC hits for infected hosts are sent to Splunk, which informs the SOC.
8. The device(s) are quarantined by Palo Alto Networks NGFW.

Cost Benefits

Organizations often have a collection of security point solutions that are not integrated, or that together do not provide end-to-end coverage of the attack surface (the IT stack), kill chain (lifecycle) or asset landscape. The architecture proposed in this overview not only addresses many of the security challenges discussed above (see the section Asset Management, Attack Surfaces and Common Challenges); it also provides a potential replacement for existing solutions by exchanging older, high-cost-of-ownership hardware for newer hardware that provides more performance for less cost. This creates cost savings through reduction of labor and built-in system efficiencies, which in turn frees up the budget for further security initiatives while improving the overall effectiveness and response time of security operations.
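Returning to the ransomware defence steps above, here is an added example that is not part of the original overview or of any vendor's product: an offline model of the hash check against the firewall's local WildFire database, the pass-through of an unknown file while the sample is analysed in the cloud, and the IOC loop through Tanium Connect and IOC Detect that scopes the infected hosts afterwards. The sample files, hashes, endpoint inventories, C2 name, IOC layout and the stand-in verdict rule are all constructed assumptions.

```python
"""Added example (not Palo Alto Networks', Tanium's or Splunk's code): an
offline model of steps 1-3 and 6-7 of the ransomware defence above. The
firewall hashes a download and checks its local WildFire verdict cache; a
known-malware hash is blocked, an unknown hash is passed through to the
client while the sample goes to the WildFire cloud, whose verdict fills the
cache and, for malware, publishes an IOC that Tanium Connect polls and IOC
Detect scans for. File contents, hashes, endpoint inventories, the C2 name
and the IOC layout are constructed; the verdict rule stands in for the sandbox."""
import hashlib

# Constructed sample downloads; none of this is real malware.
SAMPLES = {
    "invoice.pdf": b"%PDF-1.4 benign invoice content",
    "report.pdf": b"%PDF-1.4 /OpenAction /JS (constructed ransom dropper)",
    "locker.exe": b"MZ constructed known ransomware stub",
}


def md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


class WildFireCloud:
    """Stand-in for the WildFire sandbox service."""

    def __init__(self):
        self.iocs = []  # IOCs published for Tanium Connect to poll

    def analyze(self, data: bytes) -> str:
        verdict = "malware" if b"ransom" in data else "benign"  # constructed rule
        if verdict == "malware":
            self.iocs.append({"md5": md5(data), "c2": "c2.example.invalid"})
        return verdict


class Firewall:
    """NGFW with a local WildFire database (verdict cache) and a syslog feed."""

    def __init__(self, cloud: WildFireCloud):
        self.cloud = cloud
        self.verdict_cache = {}  # md5 -> "malware" | "benign"
        self.syslog = []         # records that would be forwarded to Splunk

    def inspect(self, name: str, data: bytes) -> str:
        h = md5(data)
        verdict = self.verdict_cache.get(h, "unknown")
        if verdict == "malware":
            self.syslog.append(("block", name, h))
            return "blocked"
        if verdict == "unknown":
            # Step 1: an unknown file is sent to WildFire and passed through to the
            # client; the verdict arrives after the download has already completed.
            verdict = self.cloud.analyze(data)
            self.verdict_cache[h] = verdict
            self.syslog.append(("wildfire-verdict", name, h, verdict))
        return "passed"


class TaniumConnect:
    """Step 2: polls WildFire for new IOCs and loads them into the IOC module."""

    def __init__(self, cloud: WildFireCloud):
        self.cloud = cloud
        self.seen = 0
        self.ioc_module = []

    def poll(self) -> list:
        new = self.cloud.iocs[self.seen:]
        self.seen = len(self.cloud.iocs)
        self.ioc_module.extend(new)
        return new


def ioc_detect(endpoints: dict, iocs: list) -> list:
    """Steps 6-7: match each endpoint's file hashes and connections against the IOCs."""
    return [host for host, inv in endpoints.items()
            if any(ioc["md5"] in inv["file_md5s"] or ioc["c2"] in inv["connections"]
                   for ioc in iocs)]


def run_scenario():
    cloud = WildFireCloud()
    fw = Firewall(cloud)
    fw.verdict_cache[md5(SAMPLES["locker.exe"])] = "malware"  # signature already on the firewall
    connect = TaniumConnect(cloud)
    results = {name: fw.inspect(name, data) for name, data in SAMPLES.items()}
    # A second download of the same dropper now hits the cache and is blocked.
    results["report.pdf again"] = fw.inspect("report.pdf", SAMPLES["report.pdf"])
    new_iocs = connect.poll()
    endpoints = {  # constructed Tanium endpoint inventory (file hashes, outbound connections)
        "ws-101": {"file_md5s": {md5(SAMPLES["report.pdf"])}, "connections": set()},
        "ws-102": {"file_md5s": set(), "connections": {"c2.example.invalid"}},
        "ws-103": {"file_md5s": {md5(SAMPLES["invoice.pdf"])}, "connections": set()},
    }
    hits = ioc_detect(endpoints, connect.ioc_module)  # hosts the NGFW would then quarantine
    return results, new_iocs, hits
```

The first download of the unknown dropper is passed through, which is why the IOC scan in steps 6 and 7 is what finds the already-infected ws-101 and the host ws-102 that is only visible by its C2 connection.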

Conclusion

While it might seem impossible to fully secure an organization's environment, the use cases above demonstrate how a comprehensive, automated solution can greatly mitigate risks while reducing expenses. The integrated solutions of Splunk, Palo Alto Networks, Tanium and Accenture form a powerful, comprehensive platform for many of the challenges in today's and tomorrow's enterprise IT environments.

For More Information

Find out more about Accenture Security Services at accenture.com/security.

About Accenture

Accenture is a leading global professional services company, providing a broad range of services and solutions in strategy, consulting, digital, technology and operations. Combining unmatched experience and specialized skills across more than 40 industries and all business functions, underpinned by the world's largest delivery network, Accenture works at the intersection of business and technology to help clients improve their performance and create sustainable value for their stakeholders. With more than 375,000 people serving clients in more than 120 countries, Accenture drives innovation to improve the way the world works and lives. Visit us at accenture.com.

Copyright 2016 Accenture. All rights reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture.


More information

IBM Security. 2013 IBM Corporation. 2013 IBM Corporation

IBM Security. 2013 IBM Corporation. 2013 IBM Corporation IBM Security Security Intelligence What is Security Intelligence? Security Intelligence --noun 1.the real-time collection, normalization and analytics of the data generated by users, applications and infrastructure

More information

Analyzing HTTP/HTTPS Traffic Logs

Analyzing HTTP/HTTPS Traffic Logs Advanced Threat Protection Automatic Traffic Log Analysis APTs, advanced malware and zero-day attacks are designed to evade conventional perimeter security defenses. Today, there is wide agreement that

More information

Advanced Threats: The New World Order

Advanced Threats: The New World Order Advanced Threats: The New World Order Gary Lau Technology Consulting Manager Greater China gary.lau@rsa.com 1 Agenda Change of Threat Landscape and Business Impact Case Sharing Korean Incidents EMC CIRC

More information

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense A Trend Micro Whitepaper I February 2016 Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense How Trend Micro Deep Security Can Help: A Mapping to the SANS Top 20 Critical

More information

Technology Blueprint. Protect Your Email Servers. Guard the data and availability that enable business-critical communications

Technology Blueprint. Protect Your Email Servers. Guard the data and availability that enable business-critical communications Technology Blueprint Protect Your Email Servers Guard the data and availability that enable business-critical communications LEVEL 1 2 3 4 5 SECURITY CONNECTED REFERENCE ARCHITECTURE LEVEL 1 2 4 5 3 Security

More information

How To Protect Your Network From Intrusions From A Malicious Computer (Malware) With A Microsoft Network Security Platform)

How To Protect Your Network From Intrusions From A Malicious Computer (Malware) With A Microsoft Network Security Platform) McAfee Security: Intrusion Prevention System REV: 0.1.1 (July 2011) 1 Contents 1. McAfee Network Security Platform...3 2. McAfee Host Intrusion Prevention for Server...4 2.1 Network IPS...4 2.2 Workload

More information

Advanced Threat Protection with Dell SecureWorks Security Services

Advanced Threat Protection with Dell SecureWorks Security Services Advanced Threat Protection with Dell SecureWorks Security Services Table of Contents Summary... 2 What are Advanced Threats?... 3 How do advanced threat actors operate?... 3 Addressing the Threat... 5

More information

Speed Up Incident Response with Actionable Forensic Analytics

Speed Up Incident Response with Actionable Forensic Analytics WHITEPAPER DATA SHEET Speed Up Incident Response with Actionable Forensic Analytics Close the Gap between Threat Detection and Effective Response with Continuous Monitoring January 15, 2015 Table of Contents

More information

WildFire Reporting. WildFire Administrator s Guide 55. Copyright 2007-2015 Palo Alto Networks

WildFire Reporting. WildFire Administrator s Guide 55. Copyright 2007-2015 Palo Alto Networks WildFire Reporting When malware is discovered on your network, it is important to take quick action to prevent spread of the malware to other systems. To ensure immediate alerts to malware discovered on

More information

Vulnerability Management

Vulnerability Management Vulnerability Management Buyer s Guide Buyer s Guide 01 Introduction 02 Key Components 03 Other Considerations About Rapid7 01 INTRODUCTION Exploiting weaknesses in browsers, operating systems and other

More information

WildFire Overview. WildFire Administrator s Guide 1. Copyright 2007-2015 Palo Alto Networks

WildFire Overview. WildFire Administrator s Guide 1. Copyright 2007-2015 Palo Alto Networks WildFire Overview WildFire provides detection and prevention of zero-day malware using a combination of malware sandboxing and signature-based detection and blocking of malware. WildFire extends the capabilities

More information

Automate the Hunt. Rapid IOC Detection and Remediation WHITE PAPER WP-ATH-032015

Automate the Hunt. Rapid IOC Detection and Remediation WHITE PAPER WP-ATH-032015 Rapid IOC Detection and Remediation WP-ATH-032015 EXECUTIVE SUMMARY In the escalating war that is cyber crime, attackers keep upping their game. Their tools and techniques are both faster and stealthier

More information

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014 Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Process Solutions (HPS) June 4, Industrial Cyber Security Industrial Cyber Security is the leading provider of cyber security

More information

Ovation Security Center Data Sheet

Ovation Security Center Data Sheet Features Scans for vulnerabilities Discovers assets Deploys security patches transparently Allows only white-listed applications to run in workstations Provides virus protection for Ovation Windows workstations

More information

McAfee Network Security Platform

McAfee Network Security Platform McAfee Network Security Platform Next Generation Network Security Youssef AGHARMINE, Network Security, McAfee Network is THE Security Battleground Who is behind the data breaches? 81% some form of hacking

More information

WHITE PAPER Cloud-Based, Automated Breach Detection. The Seculert Platform

WHITE PAPER Cloud-Based, Automated Breach Detection. The Seculert Platform WHITE PAPER Cloud-Based, Automated Breach Detection The Seculert Platform Table of Contents Introduction 3 Automatic Traffic Log Analysis 4 Elastic Sandbox 5 Botnet Interception 7 Speed and Precision 9

More information

Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence

Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence Chris Poulin Security Strategist, IBM Reboot Privacy & Security Conference 2013 1 2012 IBM Corporation Securing

More information

O N L I N E I N C I D E N T R E S P O N S E C O M M U N I T Y

O N L I N E I N C I D E N T R E S P O N S E C O M M U N I T Y Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response workflow guide. This guide has been created especially for you for use in within your security

More information

AppGuard. Defeats Malware

AppGuard. Defeats Malware AppGuard Defeats Malware and phishing attacks, drive-by-downloads, zero-day attacks, watering hole attacks, weaponized documents, ransomware, and other undetectable advanced threats by preventing exploits

More information

Niara Security Analytics. Overview. Automatically detect attacks on the inside using machine learning

Niara Security Analytics. Overview. Automatically detect attacks on the inside using machine learning Niara Security Analytics Automatically detect attacks on the inside using machine learning Automatically detect attacks on the inside Supercharge analysts capabilities Enhance existing security investments

More information

Endpoint Security for DeltaV Systems

Endpoint Security for DeltaV Systems DeltaV Systems Service Data Sheet Endpoint Security for DeltaV Systems Essential protection that consolidates endpoint and data security. Reduces the time and effort spent deploying and managing security

More information

Sourcefire Solutions Overview Security for the Real World. SEE everything in your environment. LEARN by applying security intelligence to data

Sourcefire Solutions Overview Security for the Real World. SEE everything in your environment. LEARN by applying security intelligence to data SEE everything in your environment LEARN by applying security intelligence to data ADAPT defenses automatically ACT in real-time Sourcefire Solutions Overview Security for the Real World Change is constant.

More information

Cisco Advanced Malware Protection for Endpoints

Cisco Advanced Malware Protection for Endpoints Data Sheet Cisco Advanced Malware Protection for Endpoints Product Overview With today s sophisticated malware, you have to protect endpoints before, during, and after attacks. Cisco Advanced Malware Protection

More information

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4) Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus February 3, 2015 (Revision 4) Table of Contents Overview... 3 Malware, Botnet Detection, and Anti-Virus Auditing... 3 Malware

More information

24/7 Visibility into Advanced Malware on Networks and Endpoints

24/7 Visibility into Advanced Malware on Networks and Endpoints WHITEPAPER DATA SHEET 24/7 Visibility into Advanced Malware on Networks and Endpoints Leveraging threat intelligence to detect malware and exploitable vulnerabilities Oct. 24, 2014 Table of Contents Introduction

More information

Breach Found. Did It Hurt?

Breach Found. Did It Hurt? ANALYST BRIEF Breach Found. Did It Hurt? INCIDENT RESPONSE PART 2: A PROCESS FOR ASSESSING LOSS Authors Christopher Morales, Jason Pappalexis Overview Malware infections impact every organization. Many

More information

Preemptive security solutions for healthcare

Preemptive security solutions for healthcare Helping to secure critical healthcare infrastructure from internal and external IT threats, ensuring business continuity and supporting compliance requirements. Preemptive security solutions for healthcare

More information

The Cloud App Visibility Blindspot

The Cloud App Visibility Blindspot The Cloud App Visibility Blindspot Understanding the Risks of Sanctioned and Unsanctioned Cloud Apps and How to Take Back Control Introduction Today, enterprise assets are more at risk than ever before

More information

Driving Company Security is Challenging. Centralized Management Makes it Simple.

Driving Company Security is Challenging. Centralized Management Makes it Simple. Driving Company Security is Challenging. Centralized Management Makes it Simple. Overview - P3 Security Threats, Downtime and High Costs - P3 Threats to Company Security and Profitability - P4 A Revolutionary

More information

Session 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness

Session 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness Session 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness Wayne A. Wheeler The Aerospace Corporation GSAW 2015, Los Angeles, CA, March 2015 Agenda Emerging cyber

More information

Cisco Advanced Malware Protection

Cisco Advanced Malware Protection Solution Overview Cisco Advanced Malware Protection Breach Prevention, Detection, Response, and Remediation for the Real World BENEFITS Gain unmatched global threat intelligence to strengthen front-line

More information

SourceFireNext-Generation IPS

SourceFireNext-Generation IPS D Ů V Ě Ř U J T E S I L N Ý M SourceFireNext-Generation IPS Petr Salač CCNP Security, CCNP, CICSP, CCSI #33835 petr.salac@alefnula.com Our Customers Biggest Security Challenges Maintaining security posture

More information

Moving Beyond Proxies

Moving Beyond Proxies Moving Beyond Proxies A Better Approach to Web Security January 2015 Executive Summary Proxy deployments today have outlived their usefulness and practicality. They have joined a long list of legacy security

More information

Achieving Actionable Situational Awareness... McAfee ESM. Ad Quist, Sales Engineer NEEUR

Achieving Actionable Situational Awareness... McAfee ESM. Ad Quist, Sales Engineer NEEUR Achieving Actionable Situational Awareness... McAfee ESM Ad Quist, Sales Engineer NEEUR The Old SECURITY Model Is BROKEN 2 Advanced Targeted Attacks The Reality ADVANCED TARGETED ATTACKS COMPROMISE TO

More information

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control

More information

Why a Network-based Security Solution is Better than Using Point Solutions Architectures

Why a Network-based Security Solution is Better than Using Point Solutions Architectures Why a Network-based Security Solution is Better than Using Point Solutions Architectures In This Paper Many threats today rely on newly discovered vulnerabilities or exploits CPE-based solutions alone

More information

North American Electric Reliability Corporation (NERC) Cyber Security Standard

North American Electric Reliability Corporation (NERC) Cyber Security Standard North American Electric Reliability Corporation (NERC) Cyber Security Standard Symantec Managed Security Services Support for CIP Compliance Overviewview The North American Electric Reliability Corporation

More information

RSA Security Analytics

RSA Security Analytics RSA Security Analytics This is what SIEM was Meant to Be 1 The Original Intent of SIEM Single compliance & security interface Compliance yes, but security? Analyze & prioritize alerts across various sources

More information

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team Symantec Cyber Threat Analysis Program Symantec Cyber Threat Analysis Program Team White Paper: Symantec Security Intelligence Services Symantec Cyber Threat Analysis Program Contents Overview...............................................................................................

More information

Teradata and Protegrity High-Value Protection for High-Value Data

Teradata and Protegrity High-Value Protection for High-Value Data Teradata and Protegrity High-Value Protection for High-Value Data 03.16 EB7178 DATA SECURITY Table of Contents 2 Data-Centric Security: Providing High-Value Protection for High-Value Data 3 Visibility:

More information

PALANTIR CYBER An End-to-End Cyber Intelligence Platform for Analysis & Knowledge Management

PALANTIR CYBER An End-to-End Cyber Intelligence Platform for Analysis & Knowledge Management PALANTIR CYBER An End-to-End Cyber Intelligence Platform for Analysis & Knowledge Management INTRODUCTION Traditional perimeter defense solutions fail against sophisticated adversaries who target their

More information

IBM SECURITY QRADAR INCIDENT FORENSICS

IBM SECURITY QRADAR INCIDENT FORENSICS IBM SECURITY QRADAR INCIDENT FORENSICS DELIVERING CLARITY TO CYBER SECURITY INVESTIGATIONS Gyenese Péter Channel Sales Leader, CEE IBM Security Systems 12014 IBM Corporation Harsh realities for many enterprise

More information

Networking for Caribbean Development

Networking for Caribbean Development Networking for Caribbean Development BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n o g. o r g N E T W O R K I N G F O R C A R I B B E A N D E V E L O P M E N T BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n

More information

Enterprise Security Platform for Government

Enterprise Security Platform for Government Enterprise Security Platform for Government Today s Cybersecurity Challenges in Government Governments are seeking greater efficiency and lower costs, adopting Shared Services models, consolidating data

More information

IBM Security QRadar SIEM & Fortinet FortiGate / FortiAnalyzer

IBM Security QRadar SIEM & Fortinet FortiGate / FortiAnalyzer IBM Security QRadar SIEM & Fortinet / FortiAnalyzer Introducing new functionality for IBM QRadar Security Intelligence Platform: integration with Fortinet s firewalls and logs forwarded by FortiAnalyzer.

More information

McAfee Next Generation Firewall Optimize your defense, resilience, and efficiency.

McAfee Next Generation Firewall Optimize your defense, resilience, and efficiency. Optimize your defense, resilience, and efficiency. Table of Contents Need Stronger Network Defense? Network Concerns Security Concerns Cost of Ownership Manageability Application and User Awareness High

More information

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND Introduction > New security threats are emerging all the time, from new forms of malware and web application exploits that target

More information

The Hillstone and Trend Micro Joint Solution

The Hillstone and Trend Micro Joint Solution The Hillstone and Trend Micro Joint Solution Advanced Threat Defense Platform Overview Hillstone and Trend Micro offer a joint solution the Advanced Threat Defense Platform by integrating the industry

More information

The SIEM Evaluator s Guide

The SIEM Evaluator s Guide Using SIEM for Compliance, Threat Management, & Incident Response Security information and event management (SIEM) tools are designed to collect, store, analyze, and report on log data for threat detection,

More information

Combating a new generation of cybercriminal with in-depth security monitoring. 1 st Advanced Data Analysis Security Operation Center

Combating a new generation of cybercriminal with in-depth security monitoring. 1 st Advanced Data Analysis Security Operation Center Combating a new generation of cybercriminal with in-depth security monitoring 1 st Advanced Data Analysis Security Operation Center The Challenge Don t leave your systems unmonitored. It takes an average

More information

Protect the data that drives our customers business. Data Security. Imperva s mission is simple:

Protect the data that drives our customers business. Data Security. Imperva s mission is simple: The Imperva Story Who We Are Imperva is the global leader in data security. Thousands of the world s leading businesses, government organizations, and service providers rely on Imperva solutions to prevent

More information

Defending Against Cyber Attacks with SessionLevel Network Security

Defending Against Cyber Attacks with SessionLevel Network Security Defending Against Cyber Attacks with SessionLevel Network Security May 2010 PAGE 1 PAGE 1 Executive Summary Threat actors are determinedly focused on the theft / exfiltration of protected or sensitive

More information

Content-ID. Content-ID URLS THREATS DATA

Content-ID. Content-ID URLS THREATS DATA Content-ID DATA CC # SSN Files THREATS Vulnerability Exploits Viruses Spyware Content-ID URLS Web Filtering Content-ID combines a real-time threat prevention engine with a comprehensive URL database and

More information

ADVANCED KILL CHAIN DISRUPTION. Enabling deception networks

ADVANCED KILL CHAIN DISRUPTION. Enabling deception networks ADVANCED KILL CHAIN DISRUPTION Enabling deception networks Enabling Deception Networks Agenda Introduction Overview of Active Defense Process Orchestration in Active Defense Introducing Deception Networks

More information

How To Manage Security On A Networked Computer System

How To Manage Security On A Networked Computer System Unified Security Reduce the Cost of Compliance Introduction In an effort to achieve a consistent and reliable security program, many organizations have adopted the standard as a key compliance strategy

More information

McAfee Security Architectures for the Public Sector

McAfee Security Architectures for the Public Sector White Paper McAfee Security Architectures for the Public Sector End-User Device Security Framework Table of Contents Business Value 3 Agility 3 Assurance 3 Cost reduction 4 Trust 4 Technology Value 4 Speed

More information

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work Security concerns and dangers come both from internal means as well as external. In order to enhance your security posture

More information

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS 1 FIVE KEY RECOMMENDATIONS During 2014, NTT Group supported response efforts for a variety of incidents. Review of these engagements revealed some observations

More information

Security Information & Event Management (SIEM)

Security Information & Event Management (SIEM) Security Information & Event Management (SIEM) Peter Helms, Senior Sales Engineer, CISA, CISSP September 6, 2012 1 McAfee Security Connected 2 September 6, 2012 Enterprise Security How? CAN? 3 Getting

More information

Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities

Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities Protecting a business s IT infrastructure is complex. Take, for example, a retailer operating a standard multi-tier infrastructure

More information

Carbon Black and Palo Alto Networks

Carbon Black and Palo Alto Networks Carbon Black and Palo Alto Networks Bring Together Next-Generation Endpoint and Network Security Solutions Endpoints and Servers in the Crosshairs of According to a 2013 study, 70 percent of businesses

More information

Symantec Enterprise Security: Strategy and Roadmap Galin Grozev

Symantec Enterprise Security: Strategy and Roadmap Galin Grozev Symantec Enterprise Security: Strategy and Roadmap Galin Grozev Senior Technology Consultant Symantec Bulgaria Enterprise Threat Landscape Attackers Moving Faster Digital extortion on the rise Malware

More information

Intelligence Driven Security

Intelligence Driven Security Intelligence Driven Security RSA Advanced Cyber Defense Workshop Shane Harsch Senior Solutions Principal, RSA 1 Agenda Approach & Activities Operations Intelligence Infrastructure Reporting & Top Findings

More information

Critical Security Controls

Critical Security Controls Critical Security Controls Session 2: The Critical Controls v1.0 Chris Beal Chief Security Architect MCNC chris.beal@mcnc.org @mcncsecurity on Twitter The Critical Security Controls The Critical Security

More information

Niara Security Intelligence. Overview. Threat Discovery and Incident Investigation Reimagined

Niara Security Intelligence. Overview. Threat Discovery and Incident Investigation Reimagined Niara Security Intelligence Threat Discovery and Incident Investigation Reimagined Niara enables Compromised user discovery Malicious insider discovery Threat hunting Incident investigation Overview In

More information

Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection

Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection White Paper: Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection Prepared by: Northrop Grumman Corporation Information Systems Sector Cyber Solutions Division

More information

IBM Security Strategy

IBM Security Strategy IBM Security Strategy Intelligence, Integration and Expertise Kate Scarcella CISSP Security Tiger Team Executive M.S. Information Security IBM Security Systems IBM Security: Delivering intelligence, integration

More information

Ovation Security Center Data Sheet

Ovation Security Center Data Sheet Features Scans for vulnerabilities Discovers assets Deploys security patches easily Allows only white-listed applications in workstations to run Provides virus protection for Ovation Windows stations Aggregates,

More information

Effective IDS/IPS Network Security in a Dynamic World with Next-Generation Intrusion Detection & Prevention

Effective IDS/IPS Network Security in a Dynamic World with Next-Generation Intrusion Detection & Prevention Effective IDS/IPS Network Security in a Dynamic World with Next-Generation Intrusion Detection & Prevention Your Security Challenges Defending the Dynamic Network! Dynamic threats 䕬 䕬 䕬 䕬 Many threats

More information

High End Information Security Services

High End Information Security Services High End Information Security Services Welcome Trion Logics Security Solutions was established after understanding the market's need for a high end - End to end security integration and consulting company.

More information

A Modern Framework for Network Security in Government

A Modern Framework for Network Security in Government A Modern Framework for Network Security in Government 3 A MODERN FRAMEWORK FOR NETWORK SECURITY IN THE FEDERAL GOVERNMENT Government: Securing Your Data, However and Wherever Accessed Governments around

More information

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved. Cyber Security Automation of energy systems provides attack surfaces that previously did not exist Cyber attacks have matured from teenage hackers to organized crime to nation states Centralized control

More information

GE Oil & Gas. Cyber Security for NERC CIP Versions 5 & 6 Compliance

GE Oil & Gas. Cyber Security for NERC CIP Versions 5 & 6 Compliance GE Oil & Gas Cyber Security for NERC CIP Versions 5 & 6 Compliance Cyber Security for NERC CIP Versions 5 & 6 Compliance 2 Contents Cyber Security for NERC CIP Compliance... 5 Sabotage Reporting... 6 Security

More information