Security Analytics: The Beginning of the End(Point). Arie Joosse, Arie.Joosse@nexthink.com
It's 10am, what do you know about your endpoints?
- What applications are running? New ones that you didn't deploy.
- Where does a process connect? To the internet, but only from one device.
- How are admin privileges used? Shared local admin accounts.
- Any vulnerable devices? AV not up-to-date or without real-time protection (RTP).
- Are policies really enforced? Not all applications reach the internet via the proxy.
- How effective are incident responses? A device missed because it was offline; a side effect impacting a business service.
Threats are inevitable. Will you see the next one?
They did not.
- 90% of attacks exploited vulnerabilities for which patches were already available
- 75% of attacks spread from victim 0 to victim 1 in less than 24 hours
- 80% of malware samples are unique to an organization
- 11% of end-users click on phishing attachments, 50% within the first hour
How do you see your IT security today?
From candles to the need for light bulbs: what has changed?
http://en.wikipedia.org/wiki/iloveyou Remember?
What's the difference? #1 Personalization
What's the difference? #2 Hyper-connectivity
What's the difference? #3 Perimeter??
What's the difference? #4 Sophistication
Manage threats not breaches!
Your IT from the end-user perspective, in real time! All users, all devices, all applications, all connections, all the time! User, Device, Binary, Port, Destination, Domain
Your IT is complex. Securing it shouldn't be! IT Operations Analytics (ITOA). Source: Forrester Research, "Turning big data inward with IT analytics", JP Garbani, Dec 2012
What is analytics? Discovery of meaningful patterns in data that give actionable insight into what you can no longer control and don't have the luxury of time to understand.
The truth is in your data. Nexthink finds it.
- Built-in privacy roles
- Continuous collection and discovery at the endpoints
- Real-time and scalable analytics platform, open for integrations
- Ultra-fast and to-the-point visual experience and alerting
- Zero admin & impact
Access current and historical data in seconds
- Search and drill-down in seconds: search your entire IT in plain English as if you were Googling it
- See the network from all devices: visualize thousands of connections in one single screen to identify meaningful patterns and spot exceptions
- Explore live and historical data: navigate all events and issues encountered by a user, across all their devices, on a single timeline
- Identify anomalies with full context: identify critical issues and understand their business impact based on self-discovery and behavior analysis
- Build your own dashboards: communicate with great-looking dashboards that consolidate and compare live and historical data
- Get alerted in real time: be immediately notified about anomalies and instantly drill down for an informed response
Give your existing security solutions a boost with Nexthink
- Logs via SIEM only see events which are logged and don't receive much context from endpoints to correlate with (hence lots of false positives)
- Network security only sees network activity, not in-device activity or activity that is not on your network
- Endpoint DLP can only see data movement, not device and application behaviors over the network
- Endpoint Protection/AV/ETDR can only see some malware; it is file-execution centric, with no global oversight of all applications and user experience
How customers are using it
Goals
Manage IT security at the speed of insight
Analytics at all levels with actionable data: scores for CxOs, indicators for directors, metrics, search and drill-down for engineers
Discover and close exposure as it happens: don't wait for damage to reveal what's putting your sensitive data at risk; assure security posture and compliance in real time
Find and respond to intrusions quickly: know immediately when malware is not detected by the anti-virus or an application accesses a dangerous domain, and have all the information to remediate quickly
Validate and find ways to improve: verify that remediation contained and blocked the identified threat, cross-check that no vital operations were impacted by the remediation, find commonalities and patterns to improve future security posture, and communicate clearly!
Summary
- The ENDpoint is the STARTpoint for most sophisticated attacks and for finding the appropriate responses to today's threats
- Security and IT operations need to work together as a global response team
- Nexthink can identify security gaps to close holes before they are exploited
- Nexthink can enhance current solutions to identify threats faster
- Nexthink can help investigate attacks to respond quicker and improve defenses
- Nexthink can show the effectiveness of responses, including the impact on user experience
The Hacking Cases Winning the Battles
Use cases
1. Ransomware - Avoidance & Mitigation
2. Insider Threats
3. Discover infections & abnormal behavior
4. Enhancing APT/Sandboxing Solutions
5. Identify gaps in your Application Control Policy
6. Post infection/Security incident analysis
Ransomware - Avoidance & Mitigation
A story of ransomware: a German broadcasting company got hit by CryptoWall 3.0. A network share got encrypted. A PC missing Adobe updates was infected while being outside the network.
A story of ransomware: Adobe Flash & Acrobat, Java and IE are the main attack vectors for ransomware attacks. Nexthink identifies legacy applications or application versions known to be vulnerable.
A story of ransomware: endpoint security products need to be up to date and real-time protection has to be active. Nexthink discovers endpoints which do not comply with the security policy.
A story of ransomware: incident response and investigation are important to mitigate attacks. Nexthink allows the analysis of current and historical events, providing the whole picture of all endpoints.
08:05:45: found the binary f6b.tmp, which runs on no other computer.
According to a sandbox analysis, the found file is described as CryptoLocker/"TeslaCrypt" and establishes a connection to 3 web domains; this could be confirmed with Nexthink.
From 9:30 to 9:49, 53 internal addresses (several servers) were accessed in an attempt to encrypt shared drives.
The entire process of infection and encryption lasted over 90 minutes. With the help of an automatic alert, Nexthink was set to raise an alarm (to securityalerts@acme.de) if binaries scan for network drives (to encrypt).
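The two endpoint signals in the story above (a binary that executes on only one device, and a binary that walks through dozens of internal addresses on the SMB port in a short window) can be expressed as plain detection logic. The block below is an added example, not Nexthink code; every device name, binary name, address and timestamp in it is constructed, and the window and threshold values are assumptions chosen to fit the story.

```python
"""Added example, not Nexthink code: the two endpoint signals from the
ransomware story, evaluated over constructed connection events.

Signal 1: a binary that runs on exactly one device in the estate.
Signal 2: a binary that reaches many distinct internal addresses on the SMB
          port within a short window (share enumeration before encryption).
Every device name, binary name, address and timestamp here is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed internal ranges; adjust to the estate being monitored.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORT = 445


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def build_events():
    """Constructed events: (timestamp, device, binary, destination, port)."""
    events = [
        # ordinary activity seen on several devices
        ("2015-06-01 08:00:10", "pc-017", "outlook.exe", "10.0.0.20", 443),
        ("2015-06-01 08:01:30", "pc-042", "outlook.exe", "10.0.0.20", 443),
        ("2015-06-01 08:02:00", "pc-042", "explorer.exe", "10.0.0.7", 445),
        ("2015-06-01 08:03:15", "pc-017", "explorer.exe", "10.0.0.7", 445),
        # the dropper from the story: runs on one device only, talks outside
        ("2015-06-01 08:05:45", "pc-017", "f6b.tmp", "198.51.100.10", 443),
        ("2015-06-01 08:06:12", "pc-017", "f6b.tmp", "198.51.100.11", 443),
    ]
    # 53 internal addresses touched on port 445 between 09:30 and 09:49
    start = parse("2015-06-01 09:30:00")
    for i in range(53):
        ts = (start + timedelta(seconds=21 * i)).strftime("%Y-%m-%d %H:%M:%S")
        events.append((ts, "pc-017", "f6b.tmp", f"10.0.0.{100 + i}", SMB_PORT))
    return events


def singleton_binaries(events):
    """Binaries that execute on exactly one device."""
    devices = defaultdict(set)
    for _, device, binary, _, _ in events:
        devices[binary].add(device)
    return {b for b, d in devices.items() if len(d) == 1}


def share_scanners(events, window=timedelta(minutes=20), threshold=20):
    """(device, binary) pairs that contact at least `threshold` distinct
    internal hosts on the SMB port inside some `window`-long interval.
    Returns the largest distinct-host count found per pair."""
    smb = defaultdict(list)
    for ts, device, binary, dest, port in events:
        if port == SMB_PORT and is_internal(dest):
            smb[(device, binary)].append((parse(ts), dest))
    hits = {}
    for key, conns in smb.items():
        conns.sort()  # chronological, so each window is a contiguous run
        best = 0
        for i, (t0, _) in enumerate(conns):
            in_window = {d for t, d in conns[i:] if t - t0 <= window}
            best = max(best, len(in_window))
        if best >= threshold:
            hits[key] = best
    return hits


if __name__ == "__main__":
    ev = build_events()
    print("runs on a single device:", singleton_binaries(ev))
    print("share scanners:", share_scanners(ev))
```

The threshold is the tuning point: file servers, backup agents and vulnerability scanners legitimately touch many hosts on port 445, so in practice the check is scoped to client devices or paired with the single-device signal before it pages anyone.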
Insider Threats
Insider threats: insider threats are more difficult to detect and prevent than attacks from the outside. An insider threat can be unintentional, caused by users with high privileges. Source: Insider Threat Report 2015
Insider threats: indicators of an insider threat can be logins at unusual times, for example during the night. Nexthink can provide insights into unusual login activity.
Insider threats: access to critical resources, e.g. servers, can indicate a threat from inside. Nexthink can discover access to critical resources with additional information such as the applications used (SSH/RDP).
Insider threats: keeping track of privileges and user accounts can minimize the danger of insider threats. Nexthink helps to identify where high privileges are in use.
Static AND dynamic user-centric data
Examples of scenarios
- Password sharing for an employee's banking application
- Employee who resigned printing files out of working hours
- Employee's account in use while on annual leave
- Account used when the employee didn't badge into the office
And many more
- High number of incorrect logon attempts
- Valid access credentials but from an external IP address
- Employee changes job/role
- Behaviors of users with sensitive authorizations and profiles (e.g. SAP_ALL)
- Access to the database directly (via t-code SE16 in SAP or ODBC in XLS)
- High-risk/sensitive activity out of context (e.g. non-HR employee using an HR application)
- Identifying potential fraud (access to sensitive apps such as payroll, customer accounts, holiday records, etc.)
- User was granted a large number of authorizations
- Dormant account reactivated
- Privilege changes into admin
- Admin group "Everyone" on a machine
- Activity during irregular hours
- Activity not in the user's regular profile
- User worked from a computer host other than their regular host
- Application used not in the user's profile
- Host computer used by two usernames
- Username used on two computers simultaneously
- Role outside the user's job was assigned to the user
- User printing on a different printer than usual
- System administrator tampering with USB port blocking software
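Three of the indicators in the list above (activity during irregular hours, a username used on two computers simultaneously, and a user working from a host other than their regular one) reduce to simple checks over logon sessions. The following block is an added example, not Nexthink code; the users, device names, timestamps and the 07:00-20:00 working window are all constructed assumptions.

```python
"""Added example, not Nexthink code: three insider-threat indicators
evaluated over constructed logon sessions.

- activity during irregular hours (outside a configurable working window)
- one username active on two computers at the same time
- a user working from a computer other than their regular one
Users, device names and timestamps are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, time
from itertools import combinations

SESSIONS = [  # (user, device, logon, logoff), all constructed
    ("alice", "ws-alice", "2015-06-01 08:02:00", "2015-06-01 17:30:00"),
    ("alice", "ws-alice", "2015-06-02 08:10:00", "2015-06-02 17:45:00"),
    ("alice", "ws-alice", "2015-06-03 07:55:00", "2015-06-03 18:00:00"),
    ("bob", "ws-bob", "2015-06-01 09:00:00", "2015-06-01 17:00:00"),
    ("bob", "ws-bob", "2015-06-02 09:05:00", "2015-06-02 17:10:00"),
    ("bob", "ws-bob", "2015-06-03 23:40:00", "2015-06-04 01:15:00"),
    ("bob", "fs-hr-01", "2015-06-03 23:50:00", "2015-06-04 00:30:00"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def off_hours_logons(sessions, start=time(7, 0), end=time(20, 0)):
    """Logons whose time of day falls outside [start, end)."""
    flagged = []
    for user, device, logon, _ in sessions:
        t = parse(logon).time()
        if not (start <= t < end):
            flagged.append((user, device, logon))
    return flagged


def concurrent_sessions(sessions):
    """Same username logged on to two different devices with overlapping
    session intervals. Returns (user, device_a, device_b) with devices sorted."""
    by_user = defaultdict(list)
    for user, device, logon, logoff in sessions:
        by_user[user].append((device, parse(logon), parse(logoff)))
    found = set()
    for user, sess in by_user.items():
        for (d1, s1, e1), (d2, s2, e2) in combinations(sess, 2):
            # two intervals overlap when each starts before the other ends
            if d1 != d2 and s1 < e2 and s2 < e1:
                found.add((user,) + tuple(sorted((d1, d2))))
    return found


def unusual_devices(sessions):
    """(user, device) pairs where the device is not the one the user logs on
    to most often. The 'regular' host is learned from the data itself."""
    counts = defaultdict(Counter)
    for user, device, _, _ in sessions:
        counts[user][device] += 1
    regular = {u: c.most_common(1)[0][0] for u, c in counts.items()}
    return sorted({(u, d) for u, d, _, _ in sessions if d != regular[u]})


if __name__ == "__main__":
    print("off-hours:", off_hours_logons(SESSIONS))
    print("concurrent:", concurrent_sessions(SESSIONS))
    print("unusual device:", unusual_devices(SESSIONS))
```

None of the three signals is conclusive alone (shift workers, jump hosts and hot-desking all produce them); their value is in the overlap, and in the example data the single HR file server session trips all three at once.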
Discover infections & abnormal behavior
Discover infections & abnormal behavior: most attacks and security breaches remain undetected for a long time. It is important to detect attacks at an early stage to be able to react and prevent further damage. Source: Mandiant M-Trends 2015
Discover infections & abnormal behavior: a single anti-virus vendor can miss a threat or be too late to deliver a signature for detection. Nexthink extends the detection to many vendors by using VirusTotal threat intelligence.
Discover infections & abnormal behavior: malware often hides by using legitimate operating system names and/or running from different paths. Nexthink can detect executions from uncommon paths and identify non-operating-system files with identical names.
Discover infections & abnormal behavior: abnormal behavior of binaries can indicate an infection. Nexthink detects abnormal activity like network scans, port scans, high SMTP volume or suspicious DNS traffic.
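The "legitimate name, wrong path" pattern described above can be checked against a table of where each system binary is expected to live. The block below is an added example, not Nexthink code; the expected-directory table is a small constructed allowlist (a real deployment would learn it from the estate or a reference image) and the execution records are constructed.

```python
"""Added example, not Nexthink code: flag process executions whose image name
matches a well-known Windows system binary but whose directory is not one the
binary normally runs from. The allowlist and the records are constructed.
"""
from pathlib import PureWindowsPath

# Constructed allowlist: binary name -> directories it legitimately runs from.
EXPECTED_DIRS = {
    "svchost.exe": {r"C:\Windows\System32", r"C:\Windows\SysWOW64"},
    "lsass.exe": {r"C:\Windows\System32"},
    "explorer.exe": {r"C:\Windows"},
}

EXECUTIONS = [  # (device, image path), constructed
    ("pc-001", r"C:\Windows\System32\svchost.exe"),
    ("pc-002", r"C:\Users\Public\svchost.exe"),
    ("pc-003", r"C:\Windows\explorer.exe"),
    ("pc-004", r"C:\Users\bob\AppData\Local\Temp\explorer.exe"),
    ("pc-005", r"c:\windows\syswow64\SVCHOST.EXE"),
    ("pc-006", r"C:\Program Files\Vendor\tool.exe"),
]


def masquerading(executions, expected=EXPECTED_DIRS):
    """Executions that reuse a known system binary name from an unexpected
    directory. Comparison is case-insensitive, as NTFS paths are."""
    expected_norm = {name.lower(): {d.lower() for d in dirs}
                     for name, dirs in expected.items()}
    hits = []
    for device, image in executions:
        p = PureWindowsPath(image)
        name = p.name.lower()
        if name not in expected_norm:
            continue  # not a name we have a reference location for
        if str(p.parent).lower() not in expected_norm[name]:
            hits.append((device, image))
    return hits


if __name__ == "__main__":
    for device, image in masquerading(EXECUTIONS):
        print(f"{device}: {image}")
```

Name-plus-path is a cheap first filter; the slide's second signal (the same name but a different file) needs the hash of the image compared against the genuine system file, which is the natural next column to add to the records.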
Enhancing APT/ Sandboxing Solutions
Why sandboxing solutions? It's assumed that signature-based anti-virus only detects 40-50% of malware. Signature-based protection relies on detection, then building and deploying signatures. Building 0-day/APT malware is easy today: an attacker can use exploit kits or even MaaS (Malware as a Service).
Files will be inspected, executed in a sandbox and analyzed based on their behaviour.
How does Nexthink fit in? Sandboxing is done on the perimeter, analyzing traffic that passes the perimeter. Often sandboxing solutions only analyze mirrored traffic and do not block malware. If you detect an attack at the perimeter, it does not mean it's not already in your network. Use Nexthink to extend the analysis to your endpoints.
Use the results of the sandboxing for a Nexthink investigation and see within seconds if the malware is on one of your endpoints!
Identify gaps in your Application Control Policy
Blocking Skype was very difficult when it was first released and became common...
Today, all the major NG firewalls provide application control features, which give the ability to regulate application usage.
Is it really that easy? No!
- Hundreds of applications are designed to find their way out of a network without being blocked or detected (proxy/anonymizer tools, file sharing, etc.)
- They use protocol switching, tunneling or even security-gateway-specific vulnerabilities like the Palo Alto App-ID cache pollution to work undetected and bypass controls
- These techniques are enhanced and upgraded on a regular basis to stay ahead of security products
- For our Skype example: Skype will detect if there is one PC in the same subnet where Skype is allowed to communicate to the outside and use it as a proxy for all Skype installations
What we do: with Nexthink, we can analyse and visualize which applications are executed, and we can see how they communicate, without relying on signatures.
Application usage and control: it is important to identify applications bypassing existing security controls. Nexthink discovers applications bypassing security gateways and proxies.
Application usage and control: discovering the communication paths of applications is necessary to identify security gaps. Nexthink provides out-of-the-box visualization of all network connections, even inside the network and between clients.
Application usage and control: identifying which application communicates to the outside can be cumbersome. Nexthink provides information on all applications with successful outside connections.
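Seen from the endpoint, both gaps described above (an application reaching the internet directly instead of through the proxy, and the Skype relay case where clients talk to each other on web ports) are questions about who connected where, with what process, and whether it succeeded. The block below is an added example, not Nexthink code; the proxy address, the internal and client address ranges, and the connection records are constructed assumptions.

```python
"""Added example, not Nexthink code: two application-control checks over
constructed endpoint connection records.

Assumed policy: client web traffic (80/443) must go through the proxy, and
client devices live in 192.168.0.0/16. Proxy address, ranges and records
are constructed.
"""
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CLIENT_NETS = [ipaddress.ip_network("192.168.0.0/16")]   # assumed client range
PROXY = ipaddress.ip_address("10.1.1.8")                 # assumed proxy address
WEB_PORTS = {80, 443}

CONNECTIONS = [  # (device, binary, destination, port, status), constructed
    ("pc-101", "chrome.exe", "10.1.1.8", 8080, "established"),     # via proxy
    ("pc-102", "dropbox.exe", "198.51.100.20", 443, "established"),  # direct
    ("pc-103", "skype.exe", "203.0.113.77", 443, "established"),     # direct
    ("pc-103", "skype.exe", "192.168.5.40", 443, "established"),     # to a peer
    ("pc-104", "chrome.exe", "203.0.113.9", 443, "refused"),         # blocked
    ("pc-105", "outlook.exe", "10.2.0.15", 443, "established"),      # internal
]


def in_any(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def proxy_bypass(connections):
    """Processes with successful web-port connections straight to external
    addresses, i.e. traffic that never touched the proxy."""
    hits = defaultdict(set)
    for device, binary, dest, port, status in connections:
        if status != "established" or port not in WEB_PORTS:
            continue
        if ipaddress.ip_address(dest) == PROXY or in_any(dest, INTERNAL_NETS):
            continue
        hits[(device, binary)].add(dest)
    return {key: sorted(dests) for key, dests in hits.items()}


def client_to_client(connections):
    """Successful web-port connections whose destination is another client:
    the relay pattern the Skype example describes."""
    return sorted({(device, binary, dest)
                   for device, binary, dest, port, status in connections
                   if status == "established" and port in WEB_PORTS
                   and in_any(dest, CLIENT_NETS)})


if __name__ == "__main__":
    print("direct to internet:", proxy_bypass(CONNECTIONS))
    print("client to client:", client_to_client(CONNECTIONS))
```

Only established connections count: the refused attempt from pc-104 shows the gateway policy working, and listing it as a bypass would drown the real findings in noise. Conversely, a client that shows up in both functions at once (external plus peer traffic on the same binary) is exactly the relay case worth looking at first.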
Post infection/ Security incident analysis
A forensic story: recently, the German Bundestag (Parliament) was hacked. The investigation turned out to be very difficult and took several weeks. If available at all, security logs had only been stored for 7 days. The investigation provided information on two artifacts found on one host:
Summary of findings
With Nexthink, this information can be easily used for investigations
Providing instantly a list of machines infected...
...and timeline views of affected machines for further analysis
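Whether the indicators come from a sandbox verdict (the "Enhancing APT/Sandboxing Solutions" case) or from a published investigation like the one above, the endpoint-side work is the same: sweep the execution history for the indicators, list the machines that match, and show each machine's timeline around the match. The block below is an added example, not Nexthink code; the indicator values are labelled placeholders, not the real Bundestag artifacts (which the slide does not reproduce), and the execution records are constructed.

```python
"""Added example, not Nexthink code: sweep constructed endpoint execution
records for a set of indicators and produce the affected-machine list, the
first sighting per machine, and a per-machine timeline.

INDICATORS holds placeholder values only; they are not the real artifacts
from the investigation described on the slide. RECORDS are constructed.
"""

INDICATORS = {
    "sha1": {"PLACEHOLDER-SHA1-ARTIFACT-1", "PLACEHOLDER-SHA1-ARTIFACT-2"},
    "name": {"placeholder-artifact.exe"},
}

RECORDS = [  # (timestamp, device, user, binary name, sha1), constructed
    ("2015-05-02 10:12:01", "ws-11", "carol", "winword.exe", "sha1-benign-1"),
    ("2015-05-02 10:14:37", "ws-11", "carol", "placeholder-artifact.exe",
     "PLACEHOLDER-SHA1-ARTIFACT-1"),
    ("2015-05-02 10:20:05", "ws-11", "carol", "svchost.exe",
     "PLACEHOLDER-SHA1-ARTIFACT-2"),          # same artifact, renamed
    ("2015-05-03 02:41:50", "srv-02", "svc-backup", "update.exe",
     "PLACEHOLDER-SHA1-ARTIFACT-2"),
    ("2015-05-03 09:00:00", "ws-12", "dave", "excel.exe", "sha1-benign-2"),
]


def matches(record, indicators):
    """Which indicator types a single record matches (hash first, name second)."""
    _, _, _, name, sha1 = record
    reasons = []
    if sha1 in indicators["sha1"]:
        reasons.append("sha1")
    if name.lower() in indicators["name"]:
        reasons.append("name")
    return reasons


def affected_machines(records, indicators=INDICATORS):
    """Sorted list of devices with at least one matching execution."""
    return sorted({r[1] for r in records if matches(r, indicators)})


def first_seen(records, indicators=INDICATORS):
    """Earliest matching execution per device; the earliest overall is the
    candidate 'victim 0' for the investigation to start from."""
    first = {}
    for r in sorted(records):
        ts, device = r[0], r[1]
        if matches(r, indicators) and device not in first:
            first[device] = ts
    return first


def timeline(records, device, indicators=INDICATORS):
    """All executions on one device in time order, each with the tuple of
    indicator types it matched (empty for benign activity)."""
    rows = []
    for r in sorted(records):
        ts, dev, user, name, _ = r
        if dev == device:
            rows.append((ts, user, name, tuple(matches(r, indicators))))
    return rows


if __name__ == "__main__":
    print("affected:", affected_machines(RECORDS))
    print("first seen:", first_seen(RECORDS))
    for row in timeline(RECORDS, "ws-11"):
        print(row)
```

Matching on the hash as well as the name is what catches the renamed copy on ws-11 and the copy on srv-02, which a name-only search would miss; the timeline then shows the benign Word execution two minutes before the first artifact, the kind of context that points at a document-borne initial vector.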
The Hacking Cases: Winning the Battles
- Ransomware - Avoidance & Mitigation
- Insider Threats
- Discover infections & abnormal behavior
- Enhancing APT/Sandboxing Solutions
- Identify gaps in your Application Control Policy
- Post infection/Security incident analysis
And more
- Firewall rules management (and validation)
- Identity and access management, VPN, NAC
- BYOD, access control policy validation
- OS and patching compliance (desktops and servers!)
- PCI compliance
Ready?