egambit Your defensive cyber-weapon system. You have the players. We have the game. TEHTRI-Security

Transcription

1 egambit Your defensive cyber-weapon system. You have the players. We have the game. TEHTRI-Security

2 security.com egambit egambit is a product that can monitor and improve your IT Security against complex threats like cyber-spy or cyber-sabotage activities. This product is realized by the TEHTRI-Security company in FRANCE. It is fully designed and developed near Bordeaux, and Paris as well. Created in 2012, the egambit product has already helped some companies in China, Brazil, USA and Europe against internal and external cyber threats. In 3 years egambit has already caught billions of events related to security issues worldwide, thanks to the tremendous skill and motivation of expert Consultants working on the project with a real Ethical Hacking spirit. 100% of the source code is within TEHTRIS hands, and it was designed with extended security features. egambit is your defensive cyber-weapon system.

3 3 Let s discover egambit The all-in-one security product with advanced services Based on egambit version 3.0 April 2015 At a glance Integration Focus MSSP TEHTRIS Join us

4 4 At a glance How and why can egambit improve your IT Security?

5 5 Quick overview of egambit s features Your defensive cyber-weapon system Global Architecture Easy to use: simply deploy one egambit device on each needed site, and they will all monitor and protect your infrastructures against cyber threats. Easy to play: all egambit devices a re l i n k e d w i t h a s e c u re infrastructure allowing remote direct global and local analysis of your security. Powerful Appliances Ready to serve: one egambit appliance can fully protect one physical site thanks to unlimited signatures and complete security features. Ready to fight: e G a m b i t appliances are built with the best s e c u r i t y m e t h o d s a n d technologies.

6 6 Knowing Assets and Vulnerabilities What is installed, where, and how secure is it? Inventory [Passive + Active] Knowing: on site passive and active detection of assets by listening to some flows, or by doing requests to specific devices. Detecting: find and follow weird or rogue devices joining your environment. Audits [Passive + Active] Passive audit: continuous and safe vulnerability audit by listening to your assets. Active audit: d i re c t security scans can be launched to evaluate the security of your assets.

7 7 Monitoring events and attacks Let s follow the lives of your assets at any layer: network, system, and applications. egambit contains a full Security Information and Event Management. This collects and manages your logs sent from any standard source, with agent and agent-less technologies. Unlimited correlation rules can generate security alerts when needed. Long-term storage can help for further analysis, log crunching sessions, and forensic activities. egambit contains a full Network Intrusion Detection System. P l a c e d a t s t r a t e g i c p o i n t s l i k e infrastructure links, it monitors traffic to and from any device in order to detect intrusion attempts, abnormal behaviors, etc. Thousands of signatures with daily updates can handle multiple families of threats, like Malwares, Trojans, Exploits, Web attacks, etc.

8 8 Retaliation and interaction against threats How to handle attackers and malwares when some barriers have been defeated Honeypots O u r h o n e y p o t s c a n d e f e a t fingerprinting and offensive tools by creating fake assets, in order to detect attackers and low signals of security issues. Why egambit? During the beginning of a Chess game, a gambit is a voluntary sacrifice, for example a pawn, in order to get a strategic advantage. Place your pawns in your IT infrastructure with egambit. egambit contains a full Host-based Intrusion Prevention System. Deployed on your operating systems, it monitors system activity in order to detect and prevent intrusion attempts, abnormal behaviors, etc. This can handle multiple families of threats, like Malwares, or Advanced Persistent Threats and Trojans.

9 9 Advanced threats management Let s handle security incidents and follow the real threats worldwide Forensics Thanks to public and private s e r v i c e s, w e c a n a n a l y z e advanced threats targeting your environment. Depending on the threats, we practice advanced logs analysis, network and system forensics, specific sandboxing activities, and reverse engineering. Threat Intelligence Our consultants continuously follow real security threats and deliver regular updates that are linked to offensive threats. This helps to avoid issues and detect issues such as Advanced Persistent Threats (APT), Botnets, compromised boxes, links to infected sites (reputation ).

10 10 TEHTRIX The internal Linux distribution used to host egambit Full Security 100% network flows ciphered 100% files and data ciphered 100% permissions audited Hardened Kernel Latest kernel with improved security parameters and features at the lowest level RBAC Security policies with local hardening and privileges separation FDE Hardened Full Disk E n c r y p t i o n w i t h specific features VPN G l o b a l e x t e r n a l i n f r a s t r u c t u re o f management The egambit services are provided on top of the TEHTRIX distribution. Any device involved in an egambit infrastructure will be a TEHTRIX. This ensures a high global security level, compared to standard enterprise solutions.

11 11 egambit Project history Honeypots2 Inventory1 Inventoryα Alertingα High Availability Honeypots1 Auditsα 1 α α Self-Defenseα Honeypotsα 1 Active Audits1 Alerting1 Passive Audits1 Windows α Sandbox1 Forensics Site1 Sandbox 2 Windows October egambit launched Physical Appliance January egambit 1.0 Virtual Appliance January egambit 2.0 July egambit 2.1 TEHTRIXα October egambit 2.2 TEHTRIX 1.0 April egambit 3.0 Partnership with NXLog

12 12 Web Frontend Content Delivery Network with 19 points worldwide Passive algorithms improved by 30 times Gorgeous visual improvements and bug fixes Host-based Intrusion Prevention System Now with egambit you will be protected by more than 50 antiviruses and millions of signatures contains optional strike-back features Honeypots Recent SSH attacks trends handled properly Anti OS-Fingerprint improved from 90% to 100% of success New WEB Plugin with advanced fingerprinting methods New sandboxing infrastructure on the go We analyzed trojan horses and APT created to defeat antiviruses, and we obtained awesome results of detection against these real threats First TEHTRIX integration New infrastructure based on our internal distribution called TEHTRIX with egambit on top of it Better MSSP support features Insanely great optimizations Unlimited VLANs supported on each egambit Unlimited egambit devices per customer Network traffic needed for installation reduced by 7 Great improvement of network bandwidth What s new in egambit 3.0? New defensive weapons embedded: - Properly strike-back on your LAN in order to block attackers in case of big crisis - Mitigate backdoors and trojan horses thanks to our smart feature - Detect unknown backdoors and unknown trojan horses -...

13 13 Integration How to add egambit devices in your environment?

14 Just connect 1 egambit per targeted site. Then TEHTRIS will remotely deploy packages. 14 egambit Active Audits Passive Audits Inventory Honeypots Correlation Collection Vulnerabilities and Assets management Interactions with malwares and attackers Agent and Agent-less Collection of logs Site [N] of Customer [X]

15 Your egambit devices will securely connect back to their dedicated home in a TEHTRIS Cloud used for - Management - Security alerting Dedicated infrastructure for Customer [X] TEHTRIS Cloud 15 TEHTRIS Cloud is built with c e r t i f i e d h o s t i n g [ISO27001:2005, SOC1 Type II/SSAR16 ISAE3402, and SOC2 Type II] egambit Internet Site [N] of Customer [X] egambit egambit Site [N+1] of Customer [X] Site [ ] of Customer [X]

16 Forensics and Intelligence Threats Dedicated infrastructure for Customer [X] 16 Web Frontend Sandboxes Web Frontend TEHTRIS Cloud You will be able to - See and receive alerts - Launch forensics jobs - Deeply analyze events Customer [X] Internet egambit Active Audits Passive Audits Inventory Honeypots Correlation Collection Vulnerabilities and Assets management Interactions with malwares and attackers Agent and Agent-less Collection of logs Site [N] of Customer [X]

17 17 Focus Let s share more details about the egambit technology

18 18 Inventory Know your assets Vendor MAC Address Latest time VMware, Inc. 00:50:56:b9:48:e4 Tue Mar :07:17 VMware, Inc. 00:50:56:b9:47:56 Mon Mar :08:44 CISCO SYSTEMS, INC. 00:0a:f3:94:42:33 Mon Apr :25:11 VMware, Inc. 00:50:56:b9:41:45 Sat Apr :39:14 VMware, Inc. 00:50:56:b9:41:94 Mon Apr :26:03 CISCO SYSTEMS, INC. 00:09:e9:7f:12:15 Mon Apr :29:28 Passive Inventory Stealth and non intrusive listening of network dialogs that will help at building a list of local assets: - Timestamp, IP Address, MAC Address, MAC Vendor, Hostname, VLAN ID Active Inventory Network requests initiated by egambit with some specific devices in order to improve the knowledge base of assets. - Timestamp, MAC Address, Switch port, VLAN ID

19 19 Audits Evaluate the security of your assets Active Audits Direct security assessment by interacting with remote chosen devices - Timing options - Regular scan - Fire & forget - Network scan options (TCP/IP, speed ) - Vulnerabilities and special situations (e.g.: detect sniffers ) Passive Audits Stealth security assessment without talking to the remote assets - Respectful and compatible with special infrastructures - Shadow networks, Industrial networks, Productions - Sniffing for security issues - Clear text passwords, etc.

20 20 Centralization of your logs + Smart correlation engine Wide list of log sources We accept flows through - Agent-less: UDP, TCP, HTTP/HTTPS, TLS/SSL, WMI - Agent: Windows Events (included for free with MSSP) We accept a wide list of formats like - Syslog, CSV, JSON, XML, Flat files, Multiline files, SNMP Traps, W3C, NCSA - Apache, Tomcat/Java, Cisco, Checkpoint OPSEC LEA We use a plug & play technology to ease deployment Wide list of scenarios and rules Unlimited scenarios and scenarios changes New scenarios can be created by TEHTRIS Correlation engine - Pre-blacklist, Whitelist, Blacklist, Grey list - Local rules + Global rules Network related attacks - ARP Poisoning/attacks, ARP scans, Applications and Systems attacks - Tracking installations / start of components / applications / modules on assets / weird activity

21 21 Centralization of your logs and Smart correlation engine Log Sources Preferred log collector Web Frontend Global Database Logs collected Active grabbing Passive grabbing Agent or agent-less Logs analyzed Local correlation engine Local storage Rotation and compression Remote requests accepted Alerts sent to the central database Bandwidth respect Queuing capabilities Ciphering Alerts TEHTRIS Cloud Your network Our network

22 22 Network Intrusion Detection System Layer 2 [example: ARP Spoof detected] Compatible IPv4 & IPv6 Thousands of signatures Malwares and Trojans horses (non mobile & mobile devices), Web intrusions methods, Methods used to exploit remote computers (Windows, UNIX). Layers 3 to 7 [example: Admin RDP] Just use a dedicated Ethernet card on an egambit device, and then send the traffic to analyze Port Mirroring or Network Tap Example: at the entrance/exit of a sensitive zone, HQ/factory, network, infrastructure

23 23 Honeypots Add fake assets in order to delude attackers Network and applicative layers Fake TCP/IP stacks + Fake applications + Advanced Logging features = Follow and understand attackers methods & tools Example: SSH, WEB Self-Defense techniques Example: automatic gathering of extended information about remote attackers. à Climb back and defeat the chain of bounces used by attackers over Internet like TOR, SSH, Proxies, etc.

24 24 When Antiviruses are not enough, our will fight for you against threats. Automatic alerts to monitor activity and results [More than 50 antiviruses] >> [1 or 2 antiviruses] APT Features

25 25 Threat intelligence Helping analysis and qualification of threats Search for known threats Links with external knowledge databases INTERNET Analysis are built with internal and external sources of information over Internet to propose a wide Threat Intelligence service. Such automatic requests might reach sources over Internet, in the name of TEHTRI-Security company (not in your name). TEHTRIS Analysis are sent to TEHTRI-Security infrastructures and/or TEHTRI-Security consultants. This is not automatically shared out of our company. For quick wins, you should use the automatic INTERNET Analysis. For in-depth and/or private overviews, you should use the TEHTRIS Analysis.

26 26 Forensics Digital investigations against unknown threats Sandboxes and Analyses We can analyze many different kind of entities, like suspicious files or remote resources, in order to detect viruses, malware and malicious activities. In case we would send questions to external sources of knowledge, the related requests would be processed in the name of the TEHTRI-Security company over Internet, meaning that your entity would not appear. Stealth unknown malwares examples Designed to avoid Antivirus and forensics Standard Antivirus Products Standard Sandboxing Products Moreover, the egambit Windows Analyzer feature might help with remote issues or specific cases like private networks with air gap, etc. You just need to download the egambit Windows Analyzer tool and then to launch it over a Windows computer that would need an egambit check. The obtained report will offer an offline analysis in order to detect weird issues on your Windows. egambit

27 27 MSSP TEHTRIS as a Managed Security Service Provider

28 Managed Security Services with egambit 28 Systems, Networks, ApplicaAons Full egambit Maintenance ConfiguraAon Management Upgrades and changes Detect intrusions Analyzing and monitoring Find vulnerabiliaes Phone calls Handle post- mortem MSSP Providing Support Handling incidents s Accomplish security tasks planified QualificaAon Assistance with resoluaon ReporAng security issues Specific Tuning of rules Advice Crunching logs Hardening Windows Log agent Bonus Windows agent RetaliaAon OpAons

29 29 Managed Security Services examples Delivered around egambit þ þ þ þ Reporting security issues to partners Intrusions or attacks detected Anomalies or weaknesses found Sharing technical data: what, when, where, who, how...? Helping at assessing and managing security incidents What is the impact? Level of incident? Systems affected? Compliance issues? Data safety?... Forensics, sandboxing, threat intelligence, reverse engineering Following and helping during crisis Escalation, communication, mitigation, proofs collected... Learning from incidents with and for the partners How to quickly fix the same kind of issues next time? How to prevent this from happening again? Shadow zones?... Free Worldwide Consulting J TEHTRIS Consultants can work remotely with your teams, to help and share support, to monitor your security, to do mitigation, etc. Subscribing to our remote Managed Security Services, will help you at - Avoiding travel costs (no money lost) - Waiting for consultants (no time lost)

30 30 Direct Alerting In case egambit would detect something showing a proof of unwanted activity, we support different kind of alerts. Critical alert: intrusion success into an account with administrative privileges For flash alerts messages, we currently support the most common operating systems on mobile devices, including: Apple ios: iphone, ipad, Apple Watch Android, BlackBerry, Symbian, Windows Mobile, Windows Phone and Windows RT.

31 31 TEHTRIS Some facts about TEHTRI-Security

32 32 Our consultants Ethical Hacking The core of our skills. We believe in practical results and science, far away from theory and concepts. #Hackers We are doers. Development O u r i n t e r n a l t o o l s a re a l s o developed by those who will use the tools on the ground. #DevOps We build efficient code, with results. Operational Services We regularly find technical security issues and vulnerabilities for the benefit of our customers, with actions like analyses, fixes, alerts... #MSSP We share our skills with our customers. Threat Intelligence Our consultants follow the cyber threats thanks to public and private sources of information. We also build and test our own kits to remain in the front of technical risks and reality. #0days We master offensive tools and methods.

33 33 Penetration Tests Success in 5 years Ethical Hackers with strong background and experience related to cyber-spy risks 99% of targets hacked: products, infrastructures [from the objectives chosen by our customers] Success rate for our consultants: Standard penetration test 98% Number of 0days found >150 Cyber-spy simulation [APT] 100% Bypassing antivirus worldwide 100% Stealth simulation [Evasion] 98% Average days to own remote network 5-10

34 34 Vulnerabilities found in many products wordwide This is just a tiny list of examples (samples) of 0days found in 5 years. CITRIX Zenprise MDM 0day: McAfee EMM Portal+app BYOD 0day: Apple iphone ipad 0day: Apple Safari Workstations 0day: Rockwell Automation, Allen Bradley SCADA Hundreds of 0days on Web apps www Mobile 0day: Twitter spoofing any account

35 35 Join us Ready for innovative solutions against cyber threats?

36 36 egambit Your defensive cyber-weapon system You have the players. We have the game. Let s use egambit in your environment, in order to improve hardening and detection of security issues and incidents.

37 37 Follow-up Do not hesitate to contact our team TEHTRI-Security Managed Security Service Provider egambit Complete defensive weapon

38