User Behavior Analytics: A New Approach to Detection and Response

Size: px

Start display at page:

Download "User Behavior Analytics: A New Approach to Detection and Response"

Blaze Berry
9 years ago
Views:

1 User Behavior Analytics: A New Approach to Detection and Response

2 The Typical CEO Data Breach Letter Attackers gained unauthorized access I personally apologize to each of you. Information accessed may have included names, dates of birth, Social Security numbers, health care ID numbers, home addresses, addresses, employment information, including income data Believe it happened over the course of several weeks beginning in early December 2014 contacted the FBI / retained Mandiant

ID numbers, home addresses, email addresses, employment information, including income data Believe it

The big detection problems 1 2 3 Attackers using valid credentials are

3 The big detection problems Attackers using valid credentials are unseen Lost in a sea of nonprioritized alerts Can t tell a complete incident story

4 Current State of Cyber Attack Detection and Response 5. Restoration of infected systems Malicious (credential enabled) Code Triggered 4-8 Days 3. Containment of Infected systems 9 Hours 1. Time to Discovery 2. Attack Vector Identified Incident Story 30 Hours >200 Days

Credentials Use Enables the Attack Chain Maintain Presence Move Laterally Initial Recon Initial Compromise Establish Foothold Escalate Privileges Internal Recon

5 Credentials Use Enables the Attack Chain Maintain Presence Move Laterally Initial Recon Initial Compromise Establish Foothold Escalate Privileges Internal Recon Complete Mission POSSIBLE CREDENTIAL USE S o u r c e : F i r e Ey e M a n d i a n t A P T 1 r e p o r t ( F e b ) Hours Weeks or Months Hours C O N F I D E N T I A L 5

Complete Mission POSSIBLE CREDENTIAL USE S o u r c e : F i r e Ey e M a n d i a n t

were accessed (user and peers) Manner and user identity

6 Determining anomalous credential behaviors three ingredients Behaviors Characteristics Facts What systems were accessed (user and peers) Manner and user identity for system(s) accessed Security alerts attributed to user credential

Putting together the story of an attack one question at a time System automatically asks access context questions User Peer Group Org VPN Access

7 Putting together the story of an attack one question at a time System automatically asks access context questions User Peer Group Org VPN Access Example Time IP VPN Login ISP GEO To Real m ISP GEO To Real m ISP GEO Custom Algorithms Applied From Device To Server To Server C O N F I D E N T I A L 7

Example Time IP VPN Login ISP GEO To Real m ISP GEO To Real m ISP GEO

8 Understanding Normal as Context for what is Anomalous is Critical Important for a learning engine To learn or not to learn that is the question Scoring to account for divergent behavior -- to a point Know when to say, I can t make a determination. Data distribution and amounts

question Scoring to account for divergent behavior -- to a point Know

) When: Did she do it (at the right time?

9 Attack Vector Discovery & Incident Story Telling Who: Barbara Salazar (right person/role?) What: Did she do? (right thing?) When: Did she do it (at the right time?) Where: What systems she touched from where? Why: The track of the attacker can get us to what they want Is this really Barbara? Not likely!

Combining Detection and Response for Efficiency Attack Detection Continuously asks questions of the data in the context of normal behavior Prioritizes anomalous behaviors Develops a

10 Combining Detection and Response for Efficiency Attack Detection Continuously asks questions of the data in the context of normal behavior Prioritizes anomalous behaviors Develops a detection story Attack Analysis Builds a credential activity timeline Shows the intersection of assets and activity Attributes security alerts to credential sessions Adds identity context

detection story Attack Analysis Builds a credential activity timeline Shows the intersection

11 The Golden Hour of Detection and Analysis with UBA Restoration of infected systems Malicious (credential enabled) Code Triggered 4-8 days Time to discovery Real-time Verification of Anomalous Session Containment of Infected systems begins 9 Hours Containment and Restoration Minutes Attack Vector/Chain Identified Real-time Detection and Analysis

Verification of Anomalous Session Containment of Infected systems begins 9 Hours

12 Defining the Solution User Behavior Analytics Solutions Learn and remember historical normal credential access behaviors and characteristics and score what s anomalous (peer group) Assemble the credential behavior data and security data into user sessions (log-on to log-off) Keep state on the user across identity and internet address switches Attribute security alerts to the credential (user) that was in use on the system when the alert occurred Result in security operations efficiencies

user sessions (log-on to log-off) Keep state on the user across identity and internet address switches Attribute security

13 Things we ve seen previously unknown to security Malware on two call center machines attempts to connect to executive machines Payroll services contractor infected by Sality virus, tracked 33 assets accessed in one day Deployed post-breach at a healthcare payer, tracked 4 servers not investigated by IR team User credential connects to VPN from TOR network then switches identities Employee credential connecting to systems in China and Mumbai never connected to before and neither by peers HR Employee connects to 1700 PoS systems over the VPN (even though twofactor authentication in place)

investigated by IR team User credential connects to VPN from TOR network then switches identities Employee credential connecting to systems in China

14 Attackers and employees have divergent goals Employees use credentials to access IT systems to create business value. Attackers use credentials to access systems to steal the business value they create.

15 Thank you

Protecting Your Data From The Inside Out UBA, Insider Threats and Least Privilege in only 10 minutes!

We protect your most sensitive information from insider threats. Protecting Your Data From The Inside Out UBA, Insider Threats and Least Privilege in only 10 minutes! VARONIS SYSTEMS About Me Dietrich