Practical Threat Intelligence. with Bromium LAVA

Similar documents
The evolution of virtual endpoint security. Comparing vsentry with traditional endpoint virtualization security solutions

Making Client-side Java Secure with Bromium vsentry

Unified Security, ATP and more

Report. Bromium: Endpoint Protection Attitudes & Trends Increasing Concerns Around Securing End Users

THREAT VISIBILITY & VULNERABILITY ASSESSMENT

DYNAMIC DNS: DATA EXFILTRATION

Recommended Practice Case Study: Cross-Site Scripting. February 2007

DRIVE-BY DOWNLOAD WHAT IS DRIVE-BY DOWNLOAD? A Typical Attack Scenario

Symantec Advanced Threat Protection: Network

Streamlining Web and Security

Fighting Advanced Threats

ENABLING FAST RESPONSES THREAT MONITORING

24/7 Visibility into Advanced Malware on Networks and Endpoints

Advanced Endpoint Protection Overview

IBM Security re-defines enterprise endpoint protection against advanced malware

Cybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix

White Paper. Time for Integrated vs. Bolted-on IT Security. Cyphort Platform Architecture: Modular, Open and Flexible

Under the Hood of the IBM Threat Protection System

Tech Throwdown: Invincea FreeSpace vs. Micro-Virtualization

Advanced Threat Protection with Dell SecureWorks Security Services

Combating a new generation of cybercriminal with in-depth security monitoring. 1 st Advanced Data Analysis Security Operation Center

SIEM is only as good as the data it consumes

SPEAR PHISHING UNDERSTANDING THE THREAT

PALANTIR CYBER An End-to-End Cyber Intelligence Platform for Analysis & Knowledge Management

Covert Operations: Kill Chain Actions using Security Analytics

Symantec Cyber Security Services: DeepSight Intelligence

Stop the Maelstrom: Using Endpoint Sensor Data in a SIEM to Isolate Threats

Combating a new generation of cybercriminal with in-depth security monitoring

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

The Cloud App Visibility Blindspot

Getting Ahead of Malware

Security Awareness Program Learning Objectives. By Aron Warren Last Update 6/29/2012

IBM Security QRadar SIEM & Fortinet FortiGate / FortiAnalyzer

Gregg Gerber. Strategic Engagement, Emerging Markets

ADVANCED THREATS IN THE ENTERPRISE. Finding an Evil in the Haystack with RSA ECAT. White Paper

2016 Trends in Cybersecurity: A Quick Guide to the Most Important Insights in Security

SANS Top 20 Critical Controls for Effective Cyber Defense

Separating Signal from Noise: Taking Threat Intelligence to the Next Level

THE 2014 THREAT DETECTION CHECKLIST. Six ways to tell a criminal from a customer.

Anti-exploit tools: The next wave of enterprise security

North American Electric Reliability Corporation (NERC) Cyber Security Standard

WHITE PAPER Cloud-Based, Automated Breach Detection. The Seculert Platform

REVOLUTIONIZING ADVANCED THREAT PROTECTION

SPEAR PHISHING AN ENTRY POINT FOR APTS

Where every interaction matters.


SECURITY ANALYTICS MOVES TO REAL-TIME PROTECTION

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

with Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief

Carbon Black and Palo Alto Networks

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team

Kaspersky Fraud Prevention platform: a comprehensive solution for secure payment processing

Threat Advisory: Accellion File Transfer Appliance Vulnerability

The Hillstone and Trend Micro Joint Solution

Best Practices for Building a Security Operations Center

Sicurezza & Big Data: la Security Intelligence aiuta le aziende a difendersi dagli attacchi

The Fundamental Failures of End-Point Security. Stefan Frei Research Analyst Director

Invincea Advanced Endpoint Protection

Technical Testing. Network Testing DATA SHEET

IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Zero day attacks anatomy & countermeasures. By Cade Zvavanjanja Cybersecurity Strategist

Beyond the Hype: Advanced Persistent Threats

Why a Network-based Security Solution is Better than Using Point Solutions Architectures

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities

Threat Intelligence: The More You Know the Less Damage They Can Do. Charles Kolodgy Research VP, Security Products

Host-based Intrusion Prevention System (HIPS)

High End Information Security Services

Stephen Coty Director, Threat Research

Security Intelligence Services.

Endpoint Security Transformed. Isolation: A Revolutionary New Approach

Stay ahead of insiderthreats with predictive,intelligent security

Palo Alto Networks and Splunk: Combining Next-generation Solutions to Defeat Advanced Threats

WEB ATTACKS AND COUNTERMEASURES

WHITE PAPER. Understanding How File Size Affects Malware Detection

Speed Up Incident Response with Actionable Forensic Analytics

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

BUILDING A SECURITY OPERATION CENTER (SOC) ACI-BIT Vancouver, BC. Los Angeles World Airports

Advanced Threat Detection: Necessary but Not Sufficient The First Installment in the Blinded By the Hype Series

Extreme Networks Security Analytics G2 Vulnerability Manager

Session 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness

HACKER INTELLIGENCE INITIATIVE. The Secret Behind CryptoWall s Success

DETECT AND RESPOND TO THREATS FROM THE DATA CENTER TO THE CLOUD

The Benefits of an Integrated Approach to Security in the Cloud

Advanced Endpoint Protection

Cisco Cyber Threat Defense - Visibility and Network Prevention

Bromium vsentry. Defeat the Unknown Attack

Malware, Phishing, and Cybercrime Dangerous Threats Facing the SMB State of Cybercrime

Logging In: Auditing Cybersecurity in an Unsecure World

RSA Enterprise Compromise Assessment Tool (ECAT) Date: January 2014 Authors: Jon Oltsik, Senior Principal Analyst and Tony Palmer, Senior Lab Analyst

Transcription:

Practical Threat Intelligence with Bromium LAVA

Practical Threat Intelligence Executive Summary Threat intelligence today is costly and time consuming and does not always result in a reduction of successful attacks. Bromium has addressed these problems by applying Micro-virtualization technology to threat intelligence with the goal of achieving the following results. 1. Reduce threat analysis time and associated costs 2. Provide timely, accurate and actionable intelligence 3. Increase Security Operations Center effectiveness by decreasing successful attacks This paper details how Bromium Live Attack Visualization and Analysis allows organizations to achieve these goals. Introduction Threat intelligence is a hot topic in security today. Numerous tools, products and solutions are available to help security professionals gather cyber threat intelligence. Information is power, and there is a seemingly limitless amount of information available today. A quick Google search of the term cyber threat intelligence returns more than 2.5 million hits containing information ranging from the latest patches being issued by software vendors to the most recent political developments in far flung corners of the globe. Most of this information is very interesting, and some of it can be very useful in increasing the security of your organization. The real challenge is focusing your efforts and resources on the practical threat information that has a direct impact on your organization and allows you to perform your job more quickly, more easily and with measurable results. Practical Threat Intelligence The type of threat intelligence needed by an organization depends on a great extent on the type, structure and goals of the organization. It is obvious that a national defense organization would focus on different types of threats than a commercial organization, and that a large financial organization might need different information than a mid-sized consumer products manufacturer. However all organizations share a common need for practical and actionable intelligence on the cyber threats they are facing. The following is a list of fundamental questions that all organizations need the intelligence to answer. 1. Am I being attacked? While the answer to this is almost certainly yes in today s connected world it is important to be able to accurately identify you are facing an attack that has a chance of compromising your systems versus a random piece of malware that poses no threat. 2. What kind of attack am I being subjected to? Understanding what an attacker is attempting to achieve is an important fact to consider when determining if and how you need to respond. 3. How does the attack work? Understanding how a specific attack or piece of malware works (the kill chain) provides critical insights into both prioritizing the threat and crafting a response. 4. Is this an isolated incident or part of a pattern? Being able to positively identify and record and correlate the details of all of the attacks against the organization enables you to adjust your response appropriately.

5. Do I have information I can use to respond to the threat? Having reliable information in a simple and understandable form enables you to act immediately to counter the attack. 6. Can I share the information with other people, tools or partners? Information has greater value when you can easily share it with other people and systems. Bromium Live Attack Visualization and Analysis (LAVA) Bromium has developed a new technology, Micro-virtualization, which enables the type of practical threat intelligence outlined above. All Bromium products are built on the Bromium Microvisor, a security focused, purpose built version of the Xen hypervisor. Bromium vsentry uses the Microvisor to leverage advanced CPU hardware capabilities and isolate the execution of untrusted tasks from the protected endpoint in micro-vms. Bromium LAVA analyzes and records malware trapped within a micro-vm using a technique referred to as Microvisor based introspection. Introspection is the process of monitoring a virtual machine from the hypervisor, a vantage point outside of the virtual machine. Microvisor based introspection extends this concept to the myriad of micro-vms that may exist on a protected endpoint running vsentry. Am I Under Attack? Microvisor based introspection has profound implications on the current Threat Intelligence state of the art. Threat Intelligence is a strategic conclusion based on correlating and summarizing a number of different low level tactical data points. The more accurate and relevant the individual data points, the more accurate and relevant the intelligence will be. Microvisor based introspection provides extremely accurate and relevant tactical information that is then assembled into practical intelligence that can be used to immediately to improve the security of an organization. Assembling accurate data points on the existence of an advanced, unknown or zero-day attack presents a number of problems that have made it difficult for the industry to deliver practical threat intelligence. Bromium address these challenges with Micro-virtualization. Micro-virtualization simplifies the complexity of recognizing malicious behavior as each micro-vm contains only one user initiated task or instance of an application. Any suspicious behavior observed can thus be directly attributed to a specific application and an accurate judgment as to the legitimacy of an activity can be easily made. For instance a document opened in Adobe Acrobat Reader would not generally be expected to communicate with a web server located in a different part of the world. However this type of behavior generated by a web browser or an application update utility would be perfectly legitimate. The task isolation aspect of Micro-virtualization thus has a huge impact on the accuracy of one of the key elements that any practical threat intelligence system must provide and that is the ability to accurately and reliably determine if you are under attack by an unknown type of malware.

Microvisor based introspection runs directly at the point of attack, the endpoint system. Being installed directly on the system ensures that attacks detected are actually a threat to that particular machine and ensures that y ou will know if you are under attack no matter where the machine is located. What Kind of Attack Am I Under? Understanding the type of attack being targeted at the user is another important strategic consideration. There are a broad range of goals pursued by attackers today. There are personal types of attacks such as click fraud or banking fraud and then there are more organizational types of attacks such as password stealing or the installation of a remote access Trojan that may pose a greater concern to the organizations security team. Answering this question with traditional security intelligence tools can be one of the most time consuming and expensive aspects of the process. To understand the type of attack under way generally requires the malware itself to be analyzed by a forensics or security analyst. Attackers have been going to great lengths in recent years to obfuscate or hide the intentions of all aspects of their malware. Analysts may have to try dozens of different tools to unpack and de-obfuscate malware once they receive a sample which can consume many hours or days of time. Bromium LAVA analytics observe and record the interaction of the malware with the micro-vm after the malware has detonated. This approach completely bypasses all of the time consuming unpacking and de-obfuscation tricks implemented by the attacker as the malware itself must perform these functions before it is able to run. LAVA monitors, correlates and visualizes a large range of parameters within the micro-vm enabling quick identification of the specific type of attack being observed. How Does the Attack Work? Knowing how the attack works allows the security operations center (SOC) to quickly judge the vulnerability of other systems in the organization. The unique visualization of the complete kill chain provided by LAVA connects the dots and enables the SOC to respond in minutes rather than days to mitigate the overall risk to the organization and without having to wait for a detailed analysis by the specialists.

Is This an Isolated Incident or Part of a Pattern? Understanding the relationship between a unique or unknown attack and the numbers, names and roles of targeted victims enables the SOC to quickly determine if an attack is being targeted at a specific area of the organization. For instance a unique form of malware that contains file stealing capabilities detected in one system is a cause for concern. If the identical piece of unknown code is detected in 3 machines, and the users involved are all members of the engineering development team for a secret new project, the implications of the attack are much greater. LAVA provides full integration with the organizations Active Directory infrastructure enabling the SOC team to determine the implications of a new attack just by comparing the system users with their place within the organizational structure. This level of strategic threat intelligence enables to security team to take additional mitigation steps, both technical and non-technical within minutes. Do I Have Information I Can Use to Respond To the Threat? LAVA automatically generates cryptographic hashes of binaries it observes that can be automatically exported as signatures for use by other security systems in the organization such as a network IPS.

All network traffic is observed and recorded including the addresses and URLs of malicious servers and command and control server. This information can be used by perimeter defenses such as web security gateways, next generation firewalls or by the web browsers installed on other endpoints to automatically block access. In short LAVA actually generates signatures for use by other systems rather than consuming signatures after an attack has successfully compromised an organization. Can I share the information with other people, tools or partners? Because the malware executes within the confines of the micro-vm under the full control of the Microvisor, LAVA is able to record all of the information, including complete executable images of scripts and executable droppers during the course of the attack. These images are forwarded to the Bromium Management Server (BMS) where they form a comprehensive Malware Archive that analysts can use to completely reverse engineer the malware, validate samples against public attack information services or forward to partners and vendors for further study. The full intelligence gathered by LAVA can be automatically formatted and exported in the STIX/ MAEC format developed by NIST to enable high level intelligence sharing with other organizations of government agencies.

Comprehensive reporting on incidents, their severity and the outcome of the attack are provided within the BMS dashboard. This information can provide a valuable audit trail when endpoint security policy compliance data is needed within the organization. Conclusion Micro-virtualization is a key component of a practical threat intelligence solution. Bromium LAVA enables an organization to; 1. Reduce threat analysis time and associated costs 2. Provide timely, accurate and actionable intelligence 3. Increase Security Operations Center effectiveness by decreasing successful attacks Bromium LAVA provides rich integration capabilities and enables organizations to enhance the effectiveness of their existing security infrastructure and share information with partners and other stake holders while reducing the overall risks to the organization.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information