Automate the Hunt. Rapid IOC Detection and Remediation WHITE PAPER WP-ATH-032015



Similar documents
Sophisticated Indicators for the Modern Threat Landscape: An Introduction to OpenIOC

The SIEM Evaluator s Guide

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

Cisco Advanced Malware Protection for Endpoints

Vulnerability Management

Endpoint Threat Detection without the Pain

D. Grzetich 6/26/2013. The Problem We Face Today

FROM INBOX TO ACTION AND THREAT INTELLIGENCE:

Cisco Advanced Malware Protection for Endpoints

IBM Security QRadar Vulnerability Manager

Achieving Actionable Situational Awareness... McAfee ESM. Ad Quist, Sales Engineer NEEUR

IBM Security IBM Corporation IBM Corporation

Eight Essential Elements for Effective Threat Intelligence Management May 2015

Concierge SIEM Reporting Overview

Requirements When Considering a Next- Generation Firewall

End-user Security Analytics Strengthens Protection with ArcSight

Security Analytics for Smart Grid

Security Intelligence Services.

APPLICATION PROGRAMMING INTERFACE

Niara Security Intelligence. Overview. Threat Discovery and Incident Investigation Reimagined

Extreme Networks Security Analytics G2 Vulnerability Manager

IBM Security QRadar SIEM & Fortinet FortiGate / FortiAnalyzer

Niara Security Analytics. Overview. Automatically detect attacks on the inside using machine learning

SIEM Optimization 101. ReliaQuest E-Book Fully Integrated and Optimized IT Security

Seven Things To Consider When Evaluating Privileged Account Security Solutions

QRadar SIEM and FireEye MPS Integration

Redhawk Network Security, LLC Layton Ave., Suite One, Bend, OR

SANS Top 20 Critical Controls for Effective Cyber Defense

GETTING REAL ABOUT SECURITY MANAGEMENT AND "BIG DATA"

ProtectWise: Shifting Network Security to the Cloud Date: March 2015 Author: Tony Palmer, Senior Lab Analyst and Aviv Kaufmann, Lab Analyst

Speed Up Incident Response with Actionable Forensic Analytics

IBM SECURITY QRADAR INCIDENT FORENSICS

I D C A N A L Y S T C O N N E C T I O N

with Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief

Separating Signal from Noise: Taking Threat Intelligence to the Next Level

Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence

See all, manage all is the new mantra at the corporate workplace today.

What is Security Intelligence?

Cisco Process Orchestrator Adapter for Cisco UCS Manager: Automate Enterprise IT Workflows

Advanced Endpoint Protection

IBM Endpoint Manager Product Introduction and Overview

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

Sourcefire Solutions Overview Security for the Real World. SEE everything in your environment. LEARN by applying security intelligence to data

RSA Enterprise Compromise Assessment Tool (ECAT) Date: January 2014 Authors: Jon Oltsik, Senior Principal Analyst and Tony Palmer, Senior Lab Analyst

Best Practices for Building a Security Operations Center

Cisco Network Optimization Service

The Role of Threat Intelligence and Layered Security for Intrusion Prevention in the Post-Target Breach Era

Whitepaper. Advanced Threat Hunting with Carbon Black

High End Information Security Services

Combating a new generation of cybercriminal with in-depth security monitoring. 1 st Advanced Data Analysis Security Operation Center

FireScope + ServiceNow: CMDB Integration Use Cases

Combating a new generation of cybercriminal with in-depth security monitoring

Cloud and Critical Infrastructures how Cloud services are factored in from a risk perspective

INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS

Cisco Advanced Malware Protection

Information Technology Solutions

Advanced Threat Detection: Necessary but Not Sufficient The First Installment in the Blinded By the Hype Series

IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE

Detecting Anomalous Behavior with the Business Data Lake. Reference Architecture and Enterprise Approaches.

CloudPassage Halo Technical Overview

The Advanced Attack Challenge. Creating a Government Private Threat Intelligence Cloud

Boosting enterprise security with integrated log management

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

Unified Cyber Security Monitoring and Management Framework By Vijay Bharti Happiest Minds, Security Services Practice

Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst

NEXPOSE ENTERPRISE METASPLOIT PRO. Effective Vulnerability Management and validation. March 2015

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Cisco Security IntelliShield Alert Manager Service

THREAT VISIBILITY & VULNERABILITY ASSESSMENT

Business white paper. Missioncritical. defense. Creating a coordinated response to application security attacks

Prevent cyber attacks. SEE. what you are missing. Netw rk Infrastructure Security Management

Q1 Labs Corporate Overview

100 Hamilton Avenue Palo Alto, California PALANTIR CYBER. An End-to-End Cyber Intelligence Platform

CloudPassage Halo Technical Overview

Cyber Security Metrics Dashboards & Analytics

Integrating MSS, SEP and NGFW to catch targeted APTs

The Purview Solution Integration With Splunk

Leading The World Into Connected Security. Dipl.-Inform., CISSP, S+ Rolf Haas Enterprise Technology Specialist Content Lead EMEA

Cisco Unified Communications Remote Management Services

CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT

eguide: Designing a Continuous Response Architecture Disrupting the Threat: Identify, Respond, Contain & Recover in Seconds

Build Your Managed Services Business with ScienceLogic

What s New in Security Analytics Be the Hunter.. Not the Hunted

Sikkerhet Network Protector SDN app Geir Åge Leirvik HP Networking

All Information is derived from Mandiant consulting in a non-classified environment.

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

ForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM)

API Management: Powered by SOA Software Dedicated Cloud

THE TOP 4 CONTROLS.

Maximizing Configuration Management IT Security Benefits with Puppet

IBM Security QRadar Risk Manager

THE BLIND SPOT IN THREAT INTELLIGENCE THE BLIND SPOT IN THREAT INTELLIGENCE

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

Transcription:

Rapid IOC Detection and Remediation WP-ATH-032015

EXECUTIVE SUMMARY In the escalating war that is cyber crime, attackers keep upping their game. Their tools and techniques are both faster and stealthier than the IT security pro can handle with the current pace of IT security innovation. To combat these emerging threats, the IT security pro needs an upgraded toolkit. One that powers the ability to rapidly hunt for, find, and investigate thousands of dynamic threat indicators, across platforms, and across the enterprise. Thankfully the Tanium Endpoint Platform, enables the IT security pro to find, investigate and fix compromised systems within seconds, no matter how large, diverse or distributed the network. 2

What is an IOC? Indicators of Compromise are exactly what they sound like: evidence that an adversary is conducting an attack against a system or systems. Typically, these are written in machine-readable formats (e.g. XML) for consumption by security detection and response tools. How are IOCs developed? IOCs are developed, distributed, and shared by a variety of proprietary sources such as threat intelligence vendors as well as open source communities such as OpenIOC or IOCBucket. Why are they important? IT security professionals can use IOCs to search for evidence of system compromise more effectively, pinpoint endpoints and user accounts that have been compromised and prioritize the systems to be remediated. How are they used? Since they re written in machine-readable format (often XML), they can be fed to a variety of enterprise security tools for threat discovery and alert notifications, and to support additional incident response workflows. Where can I find more information? There are a number of open source and community resources, including projects led by FS-ISAC and MITRE involving structured cyber threat information like STIX, OpenIOC and Yara. INDICATORS OF COMPROMISE The Next Advance in Cyber Defense In the context of IT security, there s been a balancing act between investing in prevention versus detection. The current pendulum swing is towards detection, with the realization that intrusions are nearly inevitable. The latest conventional wisdom among IT security pros is that it s no longer a matter of if, but when. After all, when your adversary is faster and more agile than you, has infinite resources, and only needs to bypass one or two security controls, it s reasonable to assume that he s already entered the building, so to speak. Enterprises need to accelerate the pace at which attacks are detected and neutralized, with as little impact to the business as possible. IOCs: The Basics Indicators of Compromise (IOCs) provide a key tool for the IT security pro when hunting down attacks, and pinpointing compromised systems for remediation. At the most basic level, IOCs are like bread crumbs dropped by your adversary during an attack. IOCs are written in machine-readable format (often XML) and contain attributes and other characteristics consistent with evidence of a system compromise. These forensic artifacts could be malware, or represent evidence of some other nefarious activity. The active use of IOCs is on the rise, as they are more flexible and adaptable than static signatures in detecting advanced threats. Each IOC may contain dozens of attributes and conditional expressions associated with indicators like file registry settings, filenames, IP addresses or domain names, MD5 hashes, and other data elements. IT security pros can feed this intelligence to their endpoint security ecosystem as evidence in hunting down compromised systems, collecting additional evidence and prioritizing system recovery and remediation. The tricky part is automating this detection intelligence quickly into something that s adaptable, integrated, and scalable so that you can respond immediately and with precision across your enterprise. Speed is especially critical since digital bread crumbs do not linger long after an attack has done its damage1. The faster you can find them everywhere on your network the faster you can remediate and stop the risks that impact your business. At the most basic level, IOCs are like bread crumbs dropped by your adversary during an attack. 1 According to a recent FireEye Report, 82% of malware binaries disappear within an hour. Source: http://www2.fireeye.com/rs/fireye/ images/fireeye-advanced-threat-report-2013.pdf 3

The IOC Process By its very nature, threat detection, analysis, and investigation is an iterative exercise. As you track down evidence of a potential compromise, you discover additional evidence that can further inform your investigation, constantly fine-tuning what you re searching for when it comes to emerging threats. In fact, the faster you can pivot, the faster you can hunt down and fight against these dynamic and advanced threats. The goal is to rapidly identity threats and neutralize them before they impact the business. The IOC Detection Process is a Five-Step Cycle 1. Hunt for indicators. Using multiple threat intelligence sources, search for indicators at scale across your enterprise. Some example attributes include: MD5 hash, filename changes, registry key process handles, running processes or other process attributes. 2. 3. Investigate the compromised systems. Perform deeper analysis on compromised systems to discover additional IOCs to expand or modify your search. Collect and share additional evidence with other team and/or community members. Use newly discovered evidence to develop and apply new indicators. Apply the new and improved IOCs across your enterprise to find additional compromised systems. 4. Remediate all compromised systems. Once all compromised systems are identified, implement remediation in a way that provides containment while accelerating recovery and impacting the business as minimally as possible. 5. Repeat steps 1-4. Hunt for indicators Investigate the compromised systems. Repeat Develop and apply new indicators Remediate all compromised systems Putting IOCs to Work: Key Requirements To support this process, organizations need tools that can adapt as emerging threats change, can be easily integrated into the existing security ecosystem and process, and can scale to support hundreds of thousands of endpoints across distributed networks. 4

Sniffing out the bread crumbs As you evaluate your existing threat detection capability, consider these key requirements for making the most of IOC analysis: Some indicators to look for: Artifacts left by tools or toolkits. Anomalous activity often signaled by changes in Listening ports, system services and drivers, startup or scheduled tasks (e.g. registry settings on Windows systems). File settings (permission or ownership changes). Local user accounts or local firewall settings DNS server settings or IP routing Be Adaptable IOC development is as much an art as a science. Tools that ingest IOC data should therefore power iterative IOC analysis. Speed is critical here, since rapid pivoting and pinpointing results in more agile and faster containment and remediation. Essentially, deploying an adaptable defense requires instantaneous analysis, reporting, and response. Focus on Integration For rapid threat detection, integrate IOCs and other threat intelligence holistically throughout your incident response process and overall toolset. This content can inform and optimize security tools like IDS, Firewall, SIEM, and AV but also systems management infrastructure such as patch management, configuration management, and software distribution. Recovery speeds up significantly when you don t have to stop to switch tools. Scale without Sacrificing Speed Granular IOC analysis of each single endpoint, across the enterprise, can take some tools days to complete. For a network of a hundred endpoints, in the aggregate, this timeframe might be acceptable. But as soon as that number scales to thousands or hundreds of thousands of endpoints, it might be weeks before the results are complete. When the value of threat intelligence lies in its just in-time relevance, you re fighting a losing battle unless you can respond within seconds. Make sure any IOC detection tool or technique you implement enables instantaneous response no matter how large the network. When the value of threat intelligence lies in its just in-time relevance, you re fighting a losing battle unless you can respond within seconds. 5

Tanium IOC Detect: Automating the Hunt Tanium Features Supports industry standard formats such as OpenIOC, STIX, and Yara Integrates IOC definitions from internal sources as well as external threat intelligence providers. Optimizes IOC analysis by normalizing the IOC definition list Analyzes IOCs across millions of endpoints with results in seconds Accommodates extending, adjusting and incorporating additional IOCs on demand Integrates with your existing enterprise security infrastructure (e.g. SIEM, GRC, CMDB, and more) Tanium accelerates the IOC analysis process by automating the hunt, containing and investigating the compromise and executing remediation at scale. Tanium IOC Detect, a module of the Tanium Endpoint Platform, ingests IOCs in a variety of formats, from a variety of sources, and then scans the entire enterprise across all of the endpoints returning results in seconds. Seconds later, Tanium pinpoints compromised endpoints, and then rapidly executes remediation. Tanium Overview and How it Works Because Tanium IOC Detect relies on the Tanium Endpoint Platform s revolutionary communications architecture, it s useful to spend some time describing this revolutionary technology. Based on a resilient linear chain topology, the Tanium Endpoint Platform is able to deliver unparalleled speed, precision and control so that IT security pros and incident responders can respond and remediate threats in seconds, and at scale. Only Tanium lets you ask virtually any question of any endpoint at any time and pivot through tens of thousands of potential analytical positions within seconds. And no scripting is required. Unlike other enterprise technologies, Tanium doesn t rely on a centralized, hierarchical server infrastructure to provide data collection, aggregation, and distribution functionality. Tanium is based on an incredibly efficient, linear chain architecture designed for fault tolerance, transient endpoints, and the global WAN segments typical of today s enterprise. TRADITIONAL COMMUNICATIONS FLOW Server propagates request to all Relay Servers Tanium Server contacts a few Clients Client contacts nearby Client and passes aggregated response over LAN Relay Server collects individual responses from its Clients Relay Server sends series of individual responses back to Server Communication Server Relay Server TANIUM COMMUNICATIONS FLOW Client Last Client sends final aggregated response to Server Communication Firewall Tanium Server Client 6

Customer Spotlight: Racing Against Time with Tanium A large global retailer was struggling to pinpoint and resolve a malware outbreak they discovered in one of their South American offices. Out of 15,000 endpoints connected to that office, they guessed that 2,000 were infected, and their IT security team struggled to contain the outbreak. They were in a race against time, and their existing toolset had a stalled engine. They had two key operational challenges working against them. First, this was a new piece of malware, which meant they were waiting for an updated DAT file from their AV vendor. And the other was the constrained, highly latent network links connecting them to the region. Their existing solution wasn t flexible enough to evaluate IOCs containing mutexes to identify infected machines, so they turned to Tanium. With Tanium, they were able to verify the infected machines, quarantine them, make registry repairs to roll-back the threat temporarily and then push out an updated DAT file once it was released from their AV vendor. With their existing remediation solution, pushing out a 150MB file across those constrained network links would have failed. Thanks to Tanium, each DAT file reached its destination without error. Tanium also automated a forced AV rescan to put these protections into place immediately. Additionally, as new machines came online, they automatically received the updated AV DAT file from their peers, saving network bandwidth, and eliminating future windows of vulnerability. Through a lightweight and optimized agent, Tanium distributes management intelligence and data directly to the computing devices themselves. This key innovation results in radically faster, more accurate, scalable, and more adaptive security than traditional solutions. Delivering the highest value at the lowest TCO, a single Tanium server can manage over 500,000 endpoint devices, resulting in a level of resilience and efficiency not possible with alternatives. Automated Integration Drives Incident Response In order to drive end-to-end incident response workflows, Tanium was designed with an open and flexible architecture for quick and easy integration with other tools. Through a simple interface that requires no scripting, administrators are able to string together rich endpoint data surfaced through simple queries with one or more connections to back-end systems, data processing tasks, or other services. Tanium IOC Detect Analyzes Data and Converts it to Questions and Actions Open and flexible architecture. Integrated with SIEMs, CMDBs, Trouble Ticketing Systems, etc. This simple framework empowers IT security pros to: Send endpoint events to SIEMs such as Splunk, HP ArcSight, IBM QRadar and others Discover and compare new behavioral data to threat feeds Funnel new data insights into big data analytics tools Share audit and inventory data with CMDBs Feed actionable IOC scan results to trouble ticketing systems via REST API This ability to easily link together configurable connectors allows Tanium to optimize security response activities and workflows - accelerating and empowering security and operations team member s analysis, response, and verification efforts. To continuously identify emerging threats, security teams use Tanium IOC Detect to run automated scans across the enterprise. As new IOCs are discovered, they can be shared across teams and modified, prioritized and scheduled for execution. A list of targeted IOCs can automatically run against new endpoints as they come online or exceed risk thresholds. With Tanium, IT security pros gain immediate visibility into threats across their enterprise, and can quickly seize control for remediation or deeper analysis. Additionally, Tanium can even take automatic action in response to emerging threats. 7

SUMMARY Indicators of compromise (IOCs) provide the essential building blocks to power a much more dynamic defense than traditional approaches can. The challenge is easily and quickly incorporating IOCs into your existing toolset and process. Tanium IOC Detect rapidly converts emerging IOCs into your existing threat detection ecosystem enabling instantaneous detection and remediation across platforms and networks. Additionally, Tanium s adaptability and extensibility supports the iterative nature of IOC hunting and remediation. No matter how large, distributed or varied your environment, Tanium can find and fix vulnerabilities and neutralize emerging threats - within seconds. Need More Info? Please contact us today at sales@tanium.com. We ll provide more information on how Tanium can help you rapidly hunt down and fight against emerging threats for a truly revolutionary approach to IT operations and security. You can also find product overview videos and other resources on our website at www.tanium.com. ABOUT TANIUM Tanium gives the world s largest enterprises and government organizations the unique power to secure, control and manage millions of endpoints across the enterprise within seconds. Serving as the central nervous system for enterprises, Tanium empowers security and IT operations teams to ask questions about the state of every endpoint across the enterprise in plain English, retrieve data on their current state and execute change as necessary, all within seconds. With the unprecedented speed, scale and simplicity of Tanium, organizations now have complete and accurate information on the state of endpoints at all times to more effectively protect against modern day threats and realize new levels of cost efficiency in IT operations. Visit us at www.tanium.com or follow us on Twitter at @Tanium. 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information