User Behavior Analytics: A New Approach to Detection and Response



The Typical CEO Data Breach Letter
- Attackers gained unauthorized access
- I personally apologize to each of you.
- Information accessed may have included names, dates of birth, Social Security numbers, health care ID numbers, home addresses, email addresses, employment information, including income data
- Believe it happened over the course of several weeks beginning in early December 2014
- Contacted the FBI / retained Mandiant

The big detection problems
1. Attackers using valid credentials are unseen
2. Lost in a sea of non-prioritized alerts
3. Can't tell a complete incident story

Current State of Cyber Attack Detection and Response
Malicious (credential-enabled) code triggered, then:
1. Time to discovery: >200 days
2. Attack vector identified / incident story: 30 hours
3. Containment of infected systems: 9 hours
5. Restoration of infected systems: 4-8 days

Credentials Use Enables the Attack Chain
Initial Recon -> Initial Compromise -> Establish Foothold -> Escalate Privileges -> Internal Recon -> Move Laterally -> Maintain Presence -> Complete Mission
Timing: hours for the initial phases, weeks or months for the middle phases, hours to complete the mission
Possible credential use is marked across the chain.
Source: FireEye Mandiant APT1 report (Feb 2013)

Determining anomalous credential behaviors: three ingredients
- Behaviors: what systems were accessed (user and peers)
- Characteristics: manner and user identity for the system(s) accessed
- Facts: security alerts attributed to the user credential

Putting together the story of an attack, one question at a time
The system automatically asks access-context questions at three levels: User, Peer Group, Org.
VPN access example: Time, IP, VPN login, ISP, GEO, To Realm, each compared at the user, peer group and org level; custom algorithms are applied from device to server and from server to server.

Understanding Normal as Context for what is Anomalous is Critical
- Important for a learning engine
- To learn or not to learn, that is the question
- Scoring to account for divergent behavior -- to a point
- Know when to say "I can't make a determination"
- Data distribution and amounts

Attack Vector Discovery & Incident Story Telling
- Who: Barbara Salazar (right person/role?)
- What: did she do? (right thing?)
- When: did she do it? (at the right time?)
- Where: what systems did she touch, and from where?
- Why: the track of the attacker can get us to what they want
Is this really Barbara? Not likely!

Combining Detection and Response for Efficiency
Attack Detection:
- Continuously asks questions of the data in the context of normal behavior
- Prioritizes anomalous behaviors
- Develops a detection story
Attack Analysis:
- Builds a credential activity timeline
- Shows the intersection of assets and activity
- Attributes security alerts to credential sessions
- Adds identity context

The Golden Hour of Detection and Analysis with UBA
Malicious (credential-enabled) code triggered, then:
- Time to discovery: real-time detection and analysis
- Verification of anomalous session: real-time
- Attack vector/chain identified: real-time
- Containment and restoration: minutes
Compared with the current state, where containment of infected systems begins after 9 hours and restoration of infected systems takes 4-8 days.

Defining the Solution: User Behavior Analytics solutions
- Learn and remember historical normal credential access behaviors and characteristics, and score what's anomalous (against the peer group)
- Assemble the credential behavior data and security data into user sessions (log-on to log-off)
- Keep state on the user across identity and internet address switches
- Attribute security alerts to the credential (user) that was in use on the system when the alert occurred
- Result in security operations efficiencies

Things we've seen previously unknown to security
- Malware on two call center machines attempts to connect to executive machines
- Payroll services contractor infected by the Sality virus; tracked 33 assets accessed in one day
- Deployed post-breach at a healthcare payer; tracked 4 servers not investigated by the IR team
- User credential connects to the VPN from the TOR network, then switches identities
- Employee credential connecting to systems in China and Mumbai never connected to before, and never by peers either
- HR employee connects to 1700 PoS systems over the VPN (even though two-factor authentication was in place)
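As an added illustration of the three ingredients and the session scoring described above (example code written for this page, not Exabeam's product logic): the script assembles one constructed log-on to log-off session for a credential, scores each host access against the user's own history and then the peer group's, attributes a security alert raised during the session to that credential, and declines to score a user with too little history, the "I can't make a determination" case. User names, hosts, the IP address, alert signature and score weights are all constructed.

```python
# Constructed baselines: hosts each user has touched before, and the union of
# hosts the user's peer group has touched (the "behaviors" ingredient).
USER_HISTORY = {"bsalazar": {"hr-app01", "mail01"}, "jdoe": {"hr-app01", "payroll01"}}
PEER_GROUP = {"bsalazar": "HR", "jdoe": "HR"}
PEER_HISTORY = {"HR": {"hr-app01", "mail01", "payroll01"}}

# Constructed session, already assembled log-on to log-off for one credential.
SESSION_LOG = [
    "2015-01-05T08:01 vpn_login user=bsalazar src=198.51.100.7",
    "2015-01-05T08:03 access user=bsalazar dst=hr-app01",
    "2015-01-05T08:10 access user=bsalazar dst=payroll01",
    "2015-01-05T08:12 access user=bsalazar dst=pos-4417",
    "2015-01-05T08:13 alert user=bsalazar dst=pos-4417 sig=credential-dumping-tool",
    "2015-01-05T09:00 vpn_logout user=bsalazar",
]

def parse(line):
    """Split 'timestamp kind k=v k=v ...' into a dict."""
    ts, kind, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields.update(ts=ts, kind=kind)
    return fields

def score_session(lines, user_hist, peer_group, peer_hist, min_history=2):
    """Return (score, findings) for one session: each access is checked against
    the user's own history first, then the peers'; alerts raised while the
    credential was on the host are attributed to the session. With too little
    history to define normal, decline to score rather than guess."""
    events = [parse(l) for l in lines]
    user = events[0]["user"]
    own = user_hist.get(user, set())
    if len(own) < min_history:
        return None, [f"insufficient baseline for {user}: no determination"]
    peers = peer_hist.get(peer_group.get(user), set())
    score, findings = 0, []
    for e in events:
        if e["kind"] == "access" and e["dst"] not in own:
            if e["dst"] in peers:  # new for this user, but normal for peers
                score += 1
                findings.append(f"{e['ts']} first access to {e['dst']} (peers use it)")
            else:  # new for this user and for every peer
                score += 5
                findings.append(f"{e['ts']} first access to {e['dst']} (no peer uses it)")
        elif e["kind"] == "alert":
            score += 10
            findings.append(f"{e['ts']} {e['sig']} on {e['dst']} attributed to {user}")
    return score, findings
```

Run against the constructed session, the payroll host scores low because peers use it, the PoS host scores high because nobody in the peer group ever touched it, and the alert is tied to the credential rather than left as an orphan event.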

Attackers and employees have divergent goals
Employees use credentials to access IT systems to create business value. Attackers use credentials to access systems to steal the business value they create.

Thank you
www.exabeam.com
@exabeam