HOW TO DEAL WITH THE ADVANCED THREAT LANDSCAPE? May 5th, 2015. Erik Engberg, Advanced Threat Defense Specialist, Nordics & Benelux
THE BURNING QUESTION: How to prevent my organization from suffering security breaches?
WHAT WE ARE DEALING WITH
BURNING QUESTION TODAY: How to prevent my organization from suffering security breaches? Am I ready to respond?
ADVANCED THREATS BYPASSING DEFENCE IN DEPTH
Signature-based defense-in-depth tools: NGFW, IDS/IPS, Host AV, Web Gateway, SIEM, Email Gateway, DLP, Web Application Firewall.
APTs follow a complex Kill Chain* methodology: 1 Reconnaissance, 2 Weaponization, 3 Delivery, 4 Exploitation, 5 Installation, 6 Command & Control, 7 Actions on Objectives.
* Intelligence-Driven Computer Network Defense, Lockheed Martin, 2011
Traditional threats vs. advanced threats: known malware vs. novel malware; known threats vs. zero-day threats; known attacks vs. targeted attacks; known files vs. modern tactics & techniques; known IPs/URLs vs. SSL. Create a new variant = back to zero-day!
ATTACKERS' WINDOW OF OPPORTUNITY. Objective: decrease TTD & TTR (time to detection and time to resolution). Timeline January to April: initial compromise, detection, containment. The attacker's free time between initial compromise and detection needs to collapse. 66% of breaches take months or more to be discovered.
THE INEVITABILITY OF THE CLICK: It only takes one person to compromise your network. (Source: ThreatSim)
A NEW DEFENSE REQUIRED: "Fixed fortifications are monuments to man's stupidity." General George S. Patton
GARTNER: FRAMEWORK FOR ADVANCED THREAT PROTECTION. "The traditional defense-in-depth components are still necessary, but are no longer sufficient in protecting against advanced targeted attacks and advanced malware. Today's threats require an updated layered defense model that utilizes 'lean forward' technologies at three levels: network, payload (executables, files and Web objects) and endpoint." Five Styles of Advanced Threat Defense: combining two or all three layers offers highly effective protection against today's threat environment. Gartner, August 2013
POST-PREVENTION SECURITY GAP: Percentage of enterprise IT security budgets allocated to rapid response approaches by 2020. Gartner 2014
SITUATION IN SUMMARY
Prevention alone is not working: strategic shift towards rapid detection and resolution.
Delay between first attack and vendor update increases TTD: >100k variants per day.
Self-detection is rare: 67% of attacks discovered by third parties.
Multi-stage, multi-vector: difficulty understanding the kill chain in a timely manner.
Firefighting blindly over root cause: lack of context and lack of content.
Pervasive by nature: leveraging paths of trust. No alerts = no visibility.
THE CALL FOR A NEW SECURITY ARCHITECTURE: The Four Stages of an Adaptive Protection Architecture. "Shift your security mindset from 'incident response' to 'continuous response,' wherein systems are assumed to be compromised. The failure to stop targeted attacks requires security organizations to rebalance investments in all four stages." Source: Gartner (February 2014). "Detective, preventive, response and predictive capabilities from vendors have been delivered in non-integrated silos." Source: Gartner, Designing an Adaptive Security Architecture for Protection from Advanced Attacks, 2014. The Gartner document is available upon request from https://www.gartner.com/doc/2665515/designing-adaptive-security-architecture-protection
ADVANCED THREAT PROTECTION LIFECYCLE DEFENSE
Ongoing Operations (Detect & Protect): block all known threats with SWG & WebFilter, Content Analysis, Mail Threat Defense and DLP; full visibility with Encrypted Traffic Management (SSL Visibility, Web Security Service).
Incident Containment (Analyze & Mitigate): novel threat interpretation, dynamic malware analysis, sandboxing.
Incident Resolution (Investigate & Remediate): breach threat profiling & eradication with Security Analytics, Advanced Web/Mail Gateway, and the Security Analytics Platform with ThreatBlades for non-web protocols.
All three stages are fed by the Global Intelligence Network.
BLUE COAT GLOBAL INTELLIGENCE NETWORK: 75 million users; 1 billion+ daily categorized web requests; 3.3 million+ threats blocked daily; 80 categories; 55 languages. Inputs: anti-virus/AV scanning, whitelisting, central cloud database, dynamic real-time ratings, malware detection, next-generation sandboxing, 3rd party feeds, malware expertise, quality checks. Effective advanced threat protection: real-time, cloud-based, zero-day response, performance and scalability, unrivaled network effect. Blocks 3.3 million threats per day.
MAPPING MALNETS: search engine poisoning, malvertising, porn, mobile, phishing. Attack type doesn't matter. Zero-day exploits don't matter.
INTELLIGENT DEFENSE IN DEPTH
Block known web threats: ProxySG.
Allow known good content: Content Analysis System with Application Whitelisting.
Block known bad downloads: Content Analysis System with Malware Scanning and Mail Threat Defense.
Analyze unknown threats: Malware Analysis Appliance.
Block all known sources/malnets and threats before they are on the network. Free up resources to focus on advanced threat analysis. Reduce threats for incident containment and resolution. Discover new threats and then update your gateways.
CHALLENGES - ADVANCED MALWARE. What is advanced malware? VM evasive; targeted; polymorphic/one-day wonders; multi-stage and multi-vector; sleeper cell malware; encrypted. 43 percent of incident response engagements were the result of malware missed by perimeter defense and sandbox tools (NTT 2014 Global Threat Intelligence Report).
TRADITIONAL SECURITY MODEL WEAKNESSES. Real-time blocking of all threats is not realistic; layered defenses will never fill all of the holes: unacceptable user delays, never-before-seen threats, false sense of security, too many ways in, malware already present, users are the weakest link. Modern malware easily defeats traditional frontline defenses.
STAGE 2: ANALYZE & MITIGATE (1 Ongoing Operations, 2 Incident Containment, 3 Incident Resolution). Malware Analysis Appliance: next-generation sandboxing with a PC emulator and a virtual machine. Dual-detection hybrid analysis of suspicious samples; closely replicates the customer's gold configurations; automated risk scoring and rich analysis. Quickly analyze and prioritize advanced and zero-day threats for remediation and continuous security improvement.
WHY ANALYZE MALWARE? CAN'T WE JUST BLOCK IT? Malware analysis provides the critical information you need to effectively respond to malicious software threats that elude traditional defenses: DETECT suspicious files in your infrastructure; DETERMINE a suspect file's or URL's capabilities; LOCATE all infected machines and files; UNDERSTAND exactly how a breach occurred; REMEDIATE to reduce future vulnerabilities; MEASURE and contain any damage done; IDENTIFY adversaries, intentions, and targets.
BEHAVIORAL DETECTION PATTERNS. Polymorphic binaries: multiple malware variations with equivalent instructions. Single-day domains: malicious websites that disappear within 24 hours. Patterns form the basis of the MAA's embedded intelligence: behavior-based malware classification patterns flag events based on malicious activity; kernel-level, application-level, and user-level event detection patterns; open detection rules with custom criteria and relevant risk scoring; highly resistant to polymorphic binaries and auto-generated URLs.
SOC CASE STUDY: TALKING TO ANALYSTS. 3AM: Nmap scan and buffer overflow detected. Time to resolution: long (or never). Quality of resolution: hard to say. Assurance: low. Great, but what ACTUALLY happened before / after?
LACK OF CONTEXT: IDS/IPS = single frame (also, they are signature-based).
BUT WHAT ABOUT OUR SIEM? - LACK OF CONTENT! A SIEM is only as good as the logs being monitored.
GO BIG DATA! Record and index all traffic to achieve complete visibility (don't forget SSL).
STAGE 3: INVESTIGATE & REMEDIATE (1 Ongoing Operations, 2 Incident Containment, 3 Incident Resolution). Security Analytics Platform, the security camera for your network: full security visibility of all network traffic; forensic details before, during and after an alert; reduce time-to-resolution and breach impact.
WEB, MAIL & FILE THREAT IDENTIFICATION. WebThreat BLADE inspects all HTTP or HTTPS traffic and identifies malicious communications and files. MailThreat BLADE inspects all SMTP, POP3 and IMAP traffic for malicious communications and files. FileThreat BLADE inspects all FTP and SMB traffic for malicious communications and files. If there is no clear verdict on content, suspicious files are delivered to a hybrid sandbox (the Malware Analysis Appliance) for analysis.
SECURITY CAMERA FOR YOUR NETWORK. Real-time indicators and retrospective forensic analysis of any attack. Full details + all artifacts = clear supporting evidence = high assurance. Answer the critical post-breach questions that plague CISOs: who? what? where? when? why? Faster time to identification/action/reaction with Security Analytics allows up to 85% faster resolution. Multiple sources for real-time integrity & reputation of a URL, IP address, file hash or email address. Blue Coat Global Intelligence Network updated with newly discovered threat intelligence.
TAKE ADVANTAGE OF THE THREAT INTELLIGENCE NETWORK EFFECT: new threat intelligence shared locally and globally across Ongoing Operations, Incident Containment and Incident Resolution, all fed by the Global Intelligence Network. Newly identified & known threats blocked at the gateway; increased system performance through fewer malware scans & detonations; more robust zero-day threat analysis with fewer false positives; greater accuracy and fewer threats to contain and resolve; efficient, fast and thorough incident resolution.
SECURITY ANALYTICS: Key Features / Product Details. Copyright 2014-2015 Blue Coat Systems Inc. All Rights Reserved.
SECURITY ANALYTICS SOFTWARE OVERVIEW: web-based interface accessible from any browser; deep analysis of every network event; alerts for up-to-the-minute notification of suspicious, malicious, or prohibited behavior; investigator's interface quickly narrows or expands scope and shifts the timeline; event and file recreation through extractions; interactive reports on essential Layer 2-7 metadata.
REPORTS: numerous customizable reports to instantly view granular detail of all event activity.
THREAT RISK: verdicts stored by BLADE and reputation service.
Description     Score  Alert importance
Very High Risk  10     Critical
High Risk       8-9    Critical
Moderate Risk   6-7    Warning
Unknown         5      Notice
Low Risk        3-4    No alert
Very Low Risk   1-2    No alert
APPLICATION CLASSIFICATION AND DESCRIPTION: powerful Deep Packet Inspection (DPI) locates evasive applications and malware; classifies network traffic by application fingerprint; extracts metadata to describe identities, actions, and content; DPI improves directed search performance by up to 10X. 30 application families, 2000+ applications and protocols, 6000+ metadata attributes. "I can now see all applications and files, regardless of the port they might be hiding on, and digging through GBs of data is fast."
EXTRACT AND RECONSTRUCT: reassemble packets into sessions and extract application-layer artifacts; see web pages exactly as they were seen by the user; safely exclude unsafe objects; retrieve web components from captured data or the current state on web servers; reconstruct IM, email and VoIP sessions; filter instantly within results to find specific artifacts; search by MD5 or SHA1 hash, filename, size, file type, etc. "I view an email as an email and a Word doc as a Word doc. Not just a bunch of packets. Nice!" Example artifacts: archive files (zip, rar, rpm), images (bmp, gif, jpg, png), multimedia (avi, flash, mov, mpg, wav, wmv), Office files (doc, docx, ppt, pptx, wpd, xls, xlsx), PDF, DLL, EXE, HTML, Java, FTP, email and more.
ARTIFACTS TIMELINE: visual representation of extracted network artifacts over time; helps the analyst quickly visualize a sequence of objects; substantially improves artifact search performance. "SMB and email are some of the most common transports for malware propagation, and Artifact Timeline lets me see the forest as well as the trees."
MEDIA PANEL: quickly analyze all images/audio files recreated from raw packets; filter by file type, extension, size; see all associated metadata (URL, source IP, destination IP, size, MIME type). "A picture is worth a thousand words. No denying what my user saw, good or bad."
GEOLOCATION: visually identify traffic (and volume of traffic) to locations of interest; filter and alert on traffic to suspect countries; integrated map database requires no external connection; configurable location of private networks; export data and view a time-based representation of connections in Google Earth; see hotspots of activity and where your traffic is coming from and going to. "Traffic to North Korea? That's not right!"
PACKET ANALYZER: enter Packet Analyzer through multiple starting points; save time by filtering and viewing packets before transferring PCAPs over the wire; no need to launch outside packet analysis applications. "No more waiting to download a huge file for Wireshark to analyze. It's Wireshark directly on the server, that's efficient!"
COMPARATIVE REPORTING: compare data to previous periods to identify abnormal patterns; establish a baseline and target deviations; understand trends over time. "I can compare traffic against a normal window of traffic and identify anomalies or discover trends."
FAVORITES/ALERTS/ACTIONS: rule-based alerting using built-in attributes, custom objects (Favorites), or both; import custom favorites; tunable notification frequency; automate common queries and actions for additional analysis (automatically export a PCAP, send to a file share, analyze with 3rd-party tools like DLP). "You'll notify me if any interesting values or identified threats are seen on my network? Now you're telling me things I didn't know. That's what I need!"
ROOT CAUSE EXPLORER: automates tracing of HTTP referrer chains; correlates relevant email, IM, and HTTP information for quick analysis. "You've made one of the most time-consuming, rote functions of my job as simple as pushing a button. That was easy!"
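As an added example (not Blue Coat code or the product's own logic), this shows one way to automate the referrer-chain tracing described on the Root Cause Explorer slide, using constructed HTTP metadata records and the score-to-alert mapping from the THREAT RISK slide; the record fields and function names are assumptions.

```python
"""Referrer-chain root-cause tracing over HTTP metadata (added example, not
Blue Coat code; record fields and function names are assumptions)."""

# Constructed HTTP metadata records; "score" is the 1-10 threat risk scale
# from the THREAT RISK slide.
HTTP_RECORDS = [
    {"ts": "03:00:01", "url": "https://mail.example.net/inbox", "referer": None, "score": 1},
    {"ts": "03:00:09", "url": "http://promo-deals.example/offer", "referer": "https://mail.example.net/inbox", "score": 5},
    {"ts": "03:00:10", "url": "http://promo-deals.example/ads.js", "referer": "http://promo-deals.example/offer", "score": 3},
    {"ts": "03:00:12", "url": "http://cdn-update.example/landing", "referer": "http://promo-deals.example/offer", "score": 7},
    {"ts": "03:00:14", "url": "http://cdn-update.example/update.exe", "referer": "http://cdn-update.example/landing", "score": 10},
]


def alert_importance(score: int) -> str:
    """Threat risk score -> alert level, per the THREAT RISK slide."""
    if score >= 8:
        return "Critical"  # 10 and 8-9
    if score >= 6:
        return "Warning"   # 6-7
    if score == 5:
        return "Notice"    # unknown
    return "No alert"      # 1-4


def _latest_request(records, url, before_ts=None):
    """Most recent request for url at or before before_ts (None = no bound)."""
    hits = [r for r in records
            if r["url"] == url and (before_ts is None or r["ts"] <= before_ts)]
    return max(hits, key=lambda r: r["ts"]) if hits else None


def trace_referrer_chain(records, flagged_url):
    """Follow Referer headers backwards from the flagged request to its
    entry point. Returns the chain root-first; stops at a request with no
    Referer, at a Referer never seen on the wire, or when a cycle appears."""
    chain, seen = [], set()
    current = _latest_request(records, flagged_url)
    while current is not None and current["url"] not in seen:
        seen.add(current["url"])
        chain.append(current)
        if current["referer"] is None:
            break
        current = _latest_request(records, current["referer"], current["ts"])
    chain.reverse()
    return chain


def root_cause_report(records, flagged_url):
    """Root URL plus (url, alert level) for every hop, root first."""
    chain = trace_referrer_chain(records, flagged_url)
    return {"root": chain[0]["url"] if chain else None,
            "hops": [(r["url"], alert_importance(r["score"])) for r in chain]}
```

Only requests on the path to the flagged download appear in the chain; sibling requests such as the ad script are left out, and a Referer that was never observed ends the chain at the last request that was.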
REPUTATION SERVICES / DATA ENRICHMENT: on-demand reputation checks, including ISC/SANS, Google SafeBrowse, VirusTotal, Bit9, LastLine, Domain Age, Robtex, SORBS, WHOIS. "I can look up IPs, URLs, files and hashes against multiple reputation services? Multiply 12 keystrokes and 2 browser tabs by 100x a day and you just gave me an extra day a month!"
PCAP IMPORT: rich analysis now applied to PCAPs from other sources; optimize available appliance storage by saving captured data to PCAP for later import as needed; allows the analyst to obtain high-level information quickly to aid investigation targeting. Packet Renaissance: "It's like I've traveled back in time and made my old data more valuable."
EXTENDED METADATA RETENTION: independent allocation of storage for metadata and full packets; allows for retention and analysis of multiple generations of metadata (months/years/...); enables a long-term trend analysis window; optimizes a limited amount of storage. "I can save full packet data for a comfortable window of a few weeks or a month, but can save the metadata for a year or more to see trends."
PLAYBACK HISTORICAL DATA: transmit captured data flows to third party tools for further analysis; regenerate traffic with less than 1 ms of latency, even on 10 Gbps networks; throttle traffic playback so other tools don't bog down; replay traffic to other tools to validate effectiveness. "This is the DVR for my network. I can confirm that my other security tools are effective after signature updates."
FILTER AND REPLAY NETWORK TRAFFIC: replay any traffic; combine segments; throttle playback; filter inbound/outbound traffic by protocol, IP, MAC address, payload type, or unique bit pattern; filter at the header or payload level; multiple filters start and stop at any time while capture continues; import filters using the standard Berkeley Packet Filter (BPF) format. "I can optimize the use of my available storage and capture and replay just what I need to."
SIZE IT UP: https://www.bluecoat.com/storage-calculator. On-board storage (OS, metadata, packets): 6TB or 22TB. SAS attached storage (packets): max supported for 40 TB modules = 240TB of packet capture storage (6x40TB JBODs).
ENTERPRISE SCALABILITY WITH CENTRAL MANAGER: single point of management; directed searches; aggregate searches; arbitrary groups and sub-groups; Role-Based Access Control with Data Access Controls; supports 200+ distributed devices. The Security Analytics Central Manager provides dashboard, reports and extractions across the Security Analytics 10G Appliance, 10G Appliance + Storage, Virtual Appliance and 2G Appliance.
EASY DEPLOYMENT: 1 Select the Security Analytics Platform you need (2G or 10G). 2 Select the Security Analytics Storage you need. 3 Select the ThreatBLADES you need (WebThreat BLADE, MailThreat BLADE, FileThreat BLADE). Flexible, simple to deploy and centrally managed.
ENABLING ADVANCED THREAT PROTECTION: 1) Encrypted Traffic Management: SSL Visibility Appliance. 2) Known Threat Protection: ProxySG, Content Analysis System, Global Intelligence Network. 3) Unknown Threat Protection: Malware Analysis Appliance. 4) Incident Resolution & Analysis: Security Analytics Platform. 5) Collaborative, real-time Advanced Threat Database. Also shown: DLP, IPS, Internal Network; SSL offloading in v4.0.
SOLUTION VALUE. Business objectives: operate with integrity, increase revenue, protect intellectual property. Operational objectives: mitigate incidents, improve security posture. Technical objectives: reduce attack surface, enforce acceptable use policy, increase network visibility.
PARTNER ECOSYSTEM: Threat Intelligence, Big Data Security Analytics, Security Visibility, Integration Layer.