Cymon.io. Open Threat Intelligence. 29 October 2015 Copyright 2015 esentire, Inc. 1




Transcription:

#> whoami
» Roy Firestein
» Senior Consultant
» Doing Research & Development
» Other work includes:
  » docping.me
  » threatlab.io

Agenda
» About Cymon
» Use Cases
» Existing Tools
» Machine Learning in Cymon
» Architecture and Design

ABOUT CYMON

Why Cymon?
Example IP: 253.99.17.148
» Malicious?
» History
» Network

About
» Largest tracker of security reports
  » Malware
  » Phishing
  » Botnets
  » Others

About
» 20,000+ unique IPs saved daily

About
» Almost 200 sources ingested daily
  » VirusTotal
  » Phishtank
  » Blacklists
  » Antivirus vendors

Quick Stats
» 4.6+ Million IP Addresses
» 26.2+ Million Security Events

Events Acquisition Chart

IPs with most sources

Web Interface
» Free access
» Search database for
  » IPs
  » Domains
  » URLs
  » Hashes

Web Interface - Events Timeline

IP Reputation Examples
» https://cymon.io/112.78.7.162
» https://cymon.io/198.50.209.4
» https://cymon.io/84.241.182.218

Globe Visualization
http://cymon.io/globe

Map Visualization
http://cymon.io/map

API Interface
» We currently offer free API access for testing
» Contact me for details
http://docs.cymon.io

Twitter Robot
» @cymonbot
» Replies to tweets containing IP addresses
» Natural language responses

USE CASES

Firewall RBL
» Dynamic block list

DGA Analysis
» Detect malware domains
http://cymon.io/dga

Apache Log Analysis
https://gist.github.com/0xf1/d27138f40d2254f8de20
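The Apache log analysis use case above, worked through as an added example (not the linked gist's code): parse Apache combined-format access log lines, deduplicate the client IPs so each one is looked up only once, and flag the clients that have a reputation record. The log lines and the REPUTATION table are constructed; a real run would replace the table with a lookup against the Cymon feed.

```python
import re
from collections import Counter

# Constructed Apache "combined" access log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [29/Oct/2015:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [29/Oct/2015:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 403 230 "-" "curl/7.43"
203.0.113.7 - - [29/Oct/2015:10:01:09 +0000] "GET /about HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.23 - - [29/Oct/2015:10:02:11 +0000] "POST /xmlrpc.php HTTP/1.1" 403 230 "-" "curl/7.43"
192.0.2.55 - - [29/Oct/2015:10:03:40 +0000] "GET /index.html HTTP/1.1" 304 0 "-" "Mozilla/5.0"
this line is not an access log record and must be skipped
"""

# Constructed stand-in for per-IP reputation results (assumption: a real run queries
# the feed for each unique IP instead of reading a static table).
REPUTATION = {
    "198.51.100.23": ["Blacklist: bruteforce", "Malware: botnet c2"],
    "192.0.2.55": ["Phishing"],
}

# Client IP, timestamp, request line and status code of the combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)


def parse_access_log(text):
    """Yield (ip, timestamp, request, status) per well-formed line; junk lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("ts"), m.group("req"), int(m.group("status"))


def unique_client_ips(text):
    """Deduplicate before lookup so each IP costs one reputation query, not one per hit."""
    return sorted({rec[0] for rec in parse_access_log(text)})


def flag_known_bad(text, reputation):
    """Return {ip: {"hits": n, "reports": [...]}} for clients that have a reputation record."""
    hits = Counter(rec[0] for rec in parse_access_log(text))
    return {
        ip: {"hits": hits[ip], "reports": reputation[ip]}
        for ip in unique_client_ips(text)
        if ip in reputation
    }


if __name__ == "__main__":
    for ip, info in flag_known_bad(SAMPLE_LOG, REPUTATION).items():
        print(f"{ip}: {info['hits']} requests, reported as {', '.join(info['reports'])}")
```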

CYBER MONITORING

Cyber Monitoring
» Brands, domains, emails
» Supported sources:
  » Pastebin sites
  » Bit Torrent sites
  » Twitter

ElasticSearch Data

Cyber Monitoring
» DNS Monitoring
  » Alerting when records change
» Passive IP Monitoring
» Passive Domain Monitoring

Event Example: Pastebin

Passive Pentesting

Dashboard

OTHER TOOLS: Cymon Alternatives

Soltra Edge

Threat Connect

Threat Stack

MozDef
» Helps automate the security incident handling process
» https://github.com/jeffbryner/mozdef

MozDef += Cymon

MACHINE LEARNING

Machine Learning
Input → Features → Prediction → Output

Machine Learning 101
» Need lots of data
» Two learning methods
  » Supervised
  » Unsupervised
» The computer will figure it out

Starting point: myskmlsnvkrgr.cc / yourcloud.com
» Remove TLD: myskmlsnvkrgr / yourcloud
» Extract features (data points)

What data points can we extract?
» Length
» Entropy
» Words
» Mean word length
» Median word length
» Gibberish probability
» Domain name

Building Training Dataset
» Good: Alexa Top 1M, NetCraft
» Bad: DGA Trackers, esentire Feed
» Feature Extraction

Building Training Dataset
Extracted Features → Randomize → Final Dataset
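The feature-extraction steps above (remove the TLD, then extract the listed data points) carried through in Python as an added example, not Cymon's own code: it scores the two names from the walkthrough and returns the feature row a classifier would be trained on. The WORDLIST and the gibberish score are assumptions standing in for a full dictionary and a trained gibberish model.

```python
import math
from statistics import mean, median

# Constructed inputs, the two names from the walkthrough: one DGA-looking, one benign.
SAMPLE_DOMAINS = ["myskmlsnvkrgr.cc", "yourcloud.com"]
# Assumption: tiny stand-in for a real dictionary; load a full wordlist in practice.
WORDLIST = {"your", "cloud", "mail", "shop", "news", "bank", "secure", "login"}


def strip_tld(domain: str) -> str:
    """Keep the label left of the TLD (simplification: ignores suffixes like co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking DGA names score higher than dictionary names."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)


def find_words(name: str, min_len: int = 3):
    """Greedy left-to-right scan for dictionary words, longest match first."""
    words, i = [], 0
    while i < len(name):
        match = next((name[i:j] for j in range(len(name), i + min_len - 1, -1)
                      if name[i:j] in WORDLIST), None)
        if match:
            words.append(match)
            i += len(match)
        else:
            i += 1
    return words


def gibberish_probability(name: str, words) -> float:
    """Assumption: share of characters not covered by words, a crude stand-in for a trained model."""
    return 1.0 - sum(map(len, words)) / len(name) if name else 1.0


def extract_features(domain: str):
    """Produce the data points a classifier would be trained on for one domain."""
    name = strip_tld(domain)
    words = find_words(name)
    lengths = [len(w) for w in words]
    return {
        "name": name,
        "length": len(name),
        "entropy": round(shannon_entropy(name), 3),
        "words": words,
        "mean_word_length": mean(lengths) if lengths else 0.0,
        "median_word_length": median(lengths) if lengths else 0.0,
        "gibberish_probability": round(gibberish_probability(name, words), 3),
    }
```

Running `[extract_features(d) for d in SAMPLE_DOMAINS]` gives the two feature rows; the DGA-looking name has the higher entropy, no dictionary words and a gibberish probability of 1.0.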

TECHNOLOGY AND ARCHITECTURE

Technology Stack
» Amazon AWS
» Django (Python)
» Node.js
» Docker
» ElasticSearch

Architecture Benefits
» Scale up quickly
» Can handle millions of API requests
» Highly Available
» Clone environment for testing in one click
» Automatic database backups and recovery
» Extremely detailed infrastructure logs and alerts
» Cost savings compared to traditional deployments

Architecture Components
1. Data tier
2. Workers tier
3. Web application tier

Worker Diagram

COMING SOON

Google Chrome Plugin
github.com/esentire/cymon-interceptor

Integration with Threat Lab
www.threatlab.io

Created by you
» Firefox plugin
» Library for Ruby / Node / C#...
» Firewall plugin
» Proxy plugin
» IDS plugin
» Maltego Transforms

Thank You!
github.com/esentire
+1 866 579 2200
roy.firestein@esentire.com
www.esentire.com
@royfire