Speed Up Incident Response with Actionable Forensic Analytics

Similar documents
24/7 Visibility into Advanced Malware on Networks and Endpoints

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

Concierge SIEM Reporting Overview

VULNERABILITY MANAGEMENT

Eliminating Cybersecurity Blind Spots

SANS Top 20 Critical Controls for Effective Cyber Defense

IBM Security IBM Corporation IBM Corporation

LOG INTELLIGENCE FOR SECURITY AND COMPLIANCE

IBM Security QRadar SIEM & Fortinet FortiGate / FortiAnalyzer

Vulnerability Management

Managing Business Risk

Top 20 Critical Security Controls

Continuous Network Monitoring

Detect & Investigate Threats. OVERVIEW

Whitepaper. Advanced Threat Hunting with Carbon Black

SourceFireNext-Generation IPS

Endpoint Threat Detection without the Pain

THREAT VISIBILITY & VULNERABILITY ASSESSMENT

Under the Hood of the IBM Threat Protection System

The Cloud App Visibility Blindspot

Discover & Investigate Advanced Threats. OVERVIEW

The Hillstone and Trend Micro Joint Solution

Accenture Intelligent Security for the Digital Enterprise. Archer s important role in solving today's pressing security challenges

REVOLUTIONIZING ADVANCED THREAT PROTECTION

I D C A N A L Y S T C O N N E C T I O N

Enabling Security Operations with RSA envision. August, 2009

Continuous Monitoring for the New IT Landscape. July 14, 2014 (Revision 1)

Unified Security Monitoring Best Practices

Outcome Based Security Monitoring in a Continuous Monitoring World

Security Event Management. February 7, 2007 (Revision 5)

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

June 8, (Revision 1)

The Sophos Security Heartbeat:

Office 365 Cloud App Security MARKO DJORDJEVIC CLOUD BUSINESS LEAD EE TREND MICRO EMEA LTD.

WHITE PAPER Cloud-Based, Automated Breach Detection. The Seculert Platform

Breach Found. Did It Hurt?

ENABLING FAST RESPONSES THREAT MONITORING

WAN security threat landscape and best mitigation practices. Rex Stover Vice President, Americas, Enterprise & ICP Sales

April 11, (Revision 2)

Threat Center. Real-time multi-level threat detection, analysis, and automated remediation

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

IBM QRadar Security Intelligence April 2013

The SIEM Evaluator s Guide

The Symantec Approach to Defeating Advanced Threats

Business white paper. Missioncritical. defense. Creating a coordinated response to application security attacks

February 22, (Revision 2)

BUILDING A SECURITY OPERATION CENTER (SOC) ACI-BIT Vancouver, BC. Los Angeles World Airports

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

Cisco Cyber Threat Defense - Visibility and Network Prevention

Cisco Advanced Malware Protection for Endpoints

GETTING REAL ABOUT SECURITY MANAGEMENT AND "BIG DATA"

Cisco Advanced Malware Protection for Endpoints

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER

Protect the data that drives our customers business. Data Security. Imperva s mission is simple:

Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst

Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection

ProtectWise: Shifting Network Security to the Cloud Date: March 2015 Author: Tony Palmer, Senior Lab Analyst and Aviv Kaufmann, Lab Analyst

Achieving Actionable Situational Awareness... McAfee ESM. Ad Quist, Sales Engineer NEEUR

Unknown threats in Sweden. Study publication August 27, 2014

defending against advanced persistent threats: strategies for a new era of attacks agility made possible

Automate PCI Compliance Monitoring, Investigation & Reporting

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE

Trend Micro Cloud App Security for Office 365. October 27, 2015 Trevor Richmond

LOG AND EVENT MANAGEMENT FOR SECURITY AND COMPLIANCE

with Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief

Breaking the Cyber Attack Lifecycle

Extreme Networks Security Analytics G2 Vulnerability Manager

From the Bottom to the Top: The Evolution of Application Monitoring

End-user Security Analytics Strengthens Protection with ArcSight

How To Manage Security On A Networked Computer System

Advanced Visibility. Moving Beyond a Log Centric View. Matthew Gardiner, RSA & Richard Nichols, RSA

Network as a Sensor and Enforcer Leverage the Network to Protect Against and Mitigate Threats

WildFire. Preparing for Modern Network Attacks

Quick Start Guide: Utilizing Nessus to Secure Microsoft Azure

FIVE PRACTICAL STEPS

GOOD GUYS VS BAD GUYS: USING BIG DATA TO COUNTERACT ADVANCED THREATS. Joe Goldberg. Splunk. Session ID: SPO-W09 Session Classification: Intermediate

Vulnerability Risk Management 2.0. Best Practices for Managing Risk in the New Digital War

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence

Security Analytics for Smart Grid

Prevent cyber attacks. SEE. what you are missing. Netw rk Infrastructure Security Management

WHITEPAPER. Nessus Exploit Integration

Chapter 11 Cloud Application Development

Advanced Threats: The New World Order

Configuring Virtual Switches for Use with PVS. February 7, 2014 (Revision 1)

Staying Secure After Microsoft Windows Server 2003 Reaches End of Life. Trevor Richmond, Sales Engineer Trend Micro

Comprehensive Advanced Threat Defense

Modern Cyber Threats. how yesterday s mind set gets in the way of securing tomorrow s critical infrastructure. Axel Wirth

AppGuard. Defeats Malware

IBM Global Technology Services Preemptive security products and services

RSA Enterprise Compromise Assessment Tool (ECAT) Date: January 2014 Authors: Jon Oltsik, Senior Principal Analyst and Tony Palmer, Senior Lab Analyst

Continuous Network Monitoring for the New IT Landscape. March 16, 2015 (Revision 4)

Fighting Advanced Threats

Advanced Threat Protection with Dell SecureWorks Security Services

A New Perspective on Protecting Critical Networks from Attack:

Advanced SOC Design. Next Generation Security Operations. Shane Harsch Senior Solutions Principal, MBA GCED CISSP RSA

High End Information Security Services

Payment Card Industry Data Security Standard

Transcription:

WHITEPAPER DATA SHEET Speed Up Incident Response with Actionable Forensic Analytics Close the Gap between Threat Detection and Effective Response with Continuous Monitoring January 15, 2015

Table of Contents Introduction 3 Current Threat Landscape 3 How Typical IT/Security Processes Inhibit Effective Incident Response 4 Typical IT/Security Processes 4 Common Challenges 4 Challenges Specific to Forensic Analytics and Incident Response 5 Actionable Forensic Analytics 5 Flexible Incident Response 5 Tenable Continuous Monitoring Platform 6 Benefits of the Tenable Continuous Monitoring Platform 7 Actionable Forensic Analytics 7 Speeds-up Incident Response 7 Use-Cases 7 Forensic Analysis of Suspicious Activity 7 Incident Response Options 8 Conclusion 9 About Tenable Network Security 9 2

Introduction Cyber criminals are using advanced targeted attacks and modern malware to bypass traditional security controls and easily steal credit card data, sensitive corporate information, and national secrets. According to the 2014 Ponemon Report 1, the average total organizational cost of a data breach for companies participating in the survey worldwide increased by 15% over the previous year to $3.5 Million. The average cost paid for each stolen record containing sensitive data increased more than 9% from $136 in 2013 to $145 this year. In part, these costs are due to delays in breach detection, which can often take weeks to months after the initial compromise. Delays occur because security teams do not have actionable forensic data to pinpoint compromised hosts or identify sensitive data that has been stolen. Tenable provides a comprehensive continuous network monitoring solution that enables you to rapidly respond to security incidents, by providing actionable forensic data that can help detect incidents more accurately. In this paper, we will explore the forensic analytics and incident response capabilities of Tenable SecurityCenter Continuous View (SC CV), a network security platform that identifies vulnerabilities and threats, reduces risk, and ensures compliance. Topics covered will include: Recognizing how organizational silos and inefficient process inhibit the effectiveness of IT and Security Operations. Gathering actionable forensic analytics data is needed to identify advanced attacks both at the network and host levels. Responding to security incidents requires flexible techniques that leverage both workflows and automation. Current Threat Landscape Fig. 1: Verizon 2014 DBIR Report -Top 10 types of security incidents that resulted in breaches The Verizon 2014 Data Breach Investigation Report (DBIR) 2 covers breaches affecting organizations in 95 countries in 2013. The top 10 categories of security incidents (as shown in Fig. 1) totaled up to approximately 63,000 incidents, out of which 1,367 (2%) resulted in breaches (data disclosure). However, the same four categories of attacks - POS intrusions, web app attacks, cyber espionage, and card skimmers - have contributed to the top breaches between 2011 and 2013. Only 33% of victims discover breaches internally according to Mandiant s 2014 M Trends Threat Report 3. Furthermore, in 67% of the cases, victims were notified by external entities after it was already too late to save the reputation of the company. Security breaches can have a devastating impact on any company. For example, in the Target breach alone, 40 million credit/debit card data records and 70 million total data records were stolen in the month of November 2013. The attack vector used in Target was a known exploit that had impacted other retail chains. This scenario is all too common. Therefore, to protect against advanced attacks and security breaches, a company s IT security strategy should include: Continuous network monitoring for known vulnerabilities and threats. Correlating anomalous activity at the network and host levels to detect the unknown threats. 1 2014 Cost of Data Breach Study: Global Analysis, Ponemon Institute, May 2014. 2 2014 Data Breach Investigations Report, Verizon, April 2014. 3 2014 Threat Report M Trends Beyond the Breach, Mandiant a FireEye Company, April 2014. 3

How Typical IT/Security Processes Inhibit Effective Incident Response Typical IT/Security Processes Fig. 2: Typical IT/Security Operations Processes Typical IT/Security processes (as illustrated in Fig. 2) encompass the following four phases: 1. Prevent: Identify all vulnerabilities in all known/managed assets in your enterprise. Automatically classify them into asset groups based on OS and applications/services running on them. Perform configuration audits and patch them to prevent bad configurations and known vulnerabilities. This enables you to reduce attack surface and prevent known attacks. 2. Detect: Discover unknown/unmanaged assets on your network, including mobile devices, virtual machines and cloud services. Automatically identify operating system and application services that have exploitable vulnerabilities. Detect known threats based on threat intelligence from intrusion detection/prevention devices on your network. 3. Analyze: Correlate anomalous activity with real-time threats (events) and monitor for changes to systems/endpoints to see if they match known indicators of compromise. Collect accurate forensic data and present this in a consumable way. Sophisticated analytics are required to tie together the asset and vulnerability data from across assessment scan, networks sniffed, and log data and produce actionable reports. 4. Respond: Use forensic data to generate alert notifications to take prioritized manual (workflow-based) actions or automated (API-based) actions to prevent threats from resulting in security breaches. Forensic Analytics and Incident Response corresponds to the Analyze and Respond phases (bottom-half) of the IT/Security process. Common Challenges Common challenges encountered by organizations implementing this model include: Organizational Silos: Desktop administration, network, and security operations in medium to large companies are typically managed by three different organizations IT Helpdesk, Network Operations Center (NOC), and Security Operations Center (SOC), who use different tools that do not communicate well with each other. Unmanaged Assets: All assets on the network are not discovered or known to IT, and hence they are not monitored or managed, especially mobile phones, tablets, and virtual environments (e.g., VMware instances), which may have vulnerabilities that can be easily exploited. Unknown Applications/Services: Many unmanaged assets are not hardened or patched to eliminate known vulnerabilities, such as Heartbleed. These assets could be used as launch pads for malware to penetrate the enterprise. Lack of Network Visibility: Any anomalous network traffic to botnets and Command and Control (CnC) servers can go undetected if there are no network monitoring tools with application level (layer 7) visibility looking for traffic to known suspicious destinations. Un-prioritized Vulnerabilities: Vulnerabilities are not prioritized by Common Vulnerability Scoring System (CVSS) scores, asset criticality, or users/ roles. IT will be unable to quantify business risk without such prioritization. 4

Challenges Specific to Forensic Analytics and Incident Response No Actionable Forensic Data: Security and network operations staff are inundated with security events for which they do not have the right actionable data. This includes indicators of compromise for advanced attacks that go undetected by traditional defenses. Inflexible Incident Response: Security and network operations staff have limited ways in responding to incidents, e.g., generating notifications and reports, initiating manual work flows, or spawning automated actions. Having the flexibility to associate different types of response actions with alerts enables IT/Security Operations to speed up incident response and reduce business risk. Actionable Forensic Analytics The typical requirements for actionable forensic analytics include the following capabilities: Network Forensics: Logs of all network traffic, which includes packet capture or meta-data captures from network sensors, application flow data from switches and routers, and application logs from network proxies. This data is useful for identifying suspicious traffic that can be attributed to botnets or CnCs to or from bad sites without deploying any agents on endpoints. Host Forensics: Monitoring hosts and endpoints for file integrity, system configurations, processes, DNS queries, and network connections. This typically requires credential-based scanning of endpoints, or agents running on endpoints to gain evidence (using tell-tale signs of indicators of compromise). Log Correlation: Encompasses behavioral and statistical analysis to determine anomalies in network and host forensic data. Infuses contextual information about asset location and user identity, and also filters logs using blacklists from external threat intelligence sources. These correlation features are vital for zeroing-in on security incidents that need immediate attention. Actionable forensic data should include monitoring for: Network meta-data: Source and target of attack: IP address, host name, port/protocol associated with botnets or CnC traffic URL/domain name of server hosting malware Sender/recipient email address of phishing attack Host Indicators of Compromise: IP address or hostnames of compromised endpoints Hashes of malware files/binaries System configurations or auto-runs that should be checked for integrity OS registry changes and processes associated with malware Flexible Incident Response Any solution that identifies security incidents should further enable you to respond to them with the following types of configurable response actions, based on the simplicity or complexity of the problem identified. Notifications/Email: Send notifications via the console or by email, and include the recommended action. Dashboards/Reports: Automatically update a dashboard or generate a report with the current state of incidents in progress, assigned to appropriate personnel. Work Flows: Trigger trouble tickets with workflows assigned to the person responsible for follow through. Especially useful for the most complex and the least understood incidents. Automated Actions: Automatically invoke scripts or application programmatic interfaces (APIs), which perform specific actions such as adding a URL to the blacklist of a web gateway or update an ACL on a firewall to automatically block CnC servers. Automated actions are most applicable for frequently occurring incidents that are well understood. 5

Tenable Continuous Monitoring Platform Fig. 3: The Tenable Platform Continuous Monitoring of Vulnerabilities, Threats, and Compliance Tenable SecurityCenter Continuous View breaks down silos between IT, network, and security operations, and delivers actionable forensic data, asset information, and vulnerability context, to speed up incident response. The SecurityCenter Continuous View platform (depicted in Fig. 3) includes the following Tenable products and components: Nessus : is the industry s most widely-deployed vulnerability, configuration, and compliance scanner. Nessus features high-speed discovery, configuration auditing, asset profiling, malware detection, sensitive data discovery, patch management integration, and vulnerability analysis. Nessus Manager provides a scalable on premise solution to manage multiple Nessus scanners. The SaaS version, Nessus Cloud adds external perimeter scanning and PCI ASV scan validation. Passive Vulnerability Scanner (PVS): is a non-intrusive network monitoring tool that discovers all devices, applications, services, and their relationships currently active on your network. It automatically pinpoints potential security risks posed by vulnerable assets and new or unknown rogue systems, including SaaS and IaaS services being accessed by users. Log Correlation Engine (LCE): collects and correlates logs from Nessus, PVS, and external sources on the network including firewalls, switches, routers, endpoints, and servers. It can also generate alerts when malware matching indicators of compromise from external threat intelligence sources (e.g., Reversing Labs and IID) are encountered. All log data is compressed and stored in an indexed file system and can be rapidly searched using keywords. SecurityCenter Continuous View (SC CV): enables continuous monitoring of vulnerabilities, threats, and compliance violations discovered by Nessus, PVS, and LCE. It provides one management console with configurable dashboards, reports, and notifications to provide a comprehensive visualization (as shown in Fig. 4 below) of a company s vulnerabilities, threats, and compliance posture. Fig. 4: SecurityCenter Executive Summary Dashboard 6

Benefits of the Tenable Continuous Monitoring Platform Tenable s Security Center Continuous View breaks down silos between IT, network, and security Operations and enable you to gather actionable forensic data, information about assets, and vulnerability context to speed up incident response efforts. Actionable Forensic Analytics Automatically discovers and tags 100% of assets physical, virtual, mobile, and cloud Performs audits to discover known vulnerabilities based on security policies Discovers advanced threats by scanning for indicators of compromise Continuously monitors network traffic to detect hidden attack paths and suspicious activity Speeds-up Incident Response Provides asset and vulnerability context for every incident detected Identifies residual risk with correlated vulnerability and threat data Automatically generates alerts with configurable response options manual and automated Provides actionable information in customizable dashboards and reports Use-Cases The following use cases illustrate how Tenable SecurityCenter Continuous View (SC CV) gathers accurate forensic data to detect advanced attacks and set up flexible responses to prevent security incidents and breaches. Forensic Analysis of Suspicious Activity SecurityCenter Continuous View, which includes SecurityCenter, Nessus, PVS, and LCE, can be used to track both inbound and outbound suspicious network traffic to zero in on advanced attacks. Inbound: Detect downloads of malware from an external web server and validate if an endpoint was truly compromised. Tenable PVS can be used to capture all inbound network traffic, and LCE can be used create a watchlist of internal assets that exhibit suspicious file/exe downloads from known botnets and websites, as shown in Fig. 5 below: Fig. 5: Indicators dashboard to track inbound/outbound suspicious activity Tenable Nessus can be used to scan a watchlist of assets to look for advanced malware using known Indicators of Compromise (IoC). If IoCs are found on an endpoint (as shown in Fig. 6 below), then the endpoint is confirmed to be compromised. 7

Fig. 6: Indicators of Compromise (IoC) found on a compromised endpoint Outbound: Detect an internal host already compromised trying to beacon out to botnet/cnc server. PVS can be used to capture an anomalous set of failed DNS queries to a known CnC server, which indicates a compromised host that is trying to beacon out to potentially exfiltrate information. Fig. 7 below depicts how such anomalies can be identified in PVS. Fig. 7: Anomalous outbound communication identified by PVS Incident Response Options SC CV allows you to set up actions for every alert. The following types of actions can be configured for each alert: Alert Sample Targeted IDS New Host Discovered Telnet Server Detected Host has a compliance failure Critical exploitable vulnerability on Windows endpoint Configurable Action Email NOC Launch a compliance scan Generate a report of services on host Notify compliance officer Notify appropriate systems administrator 8

Fig. 8 below shows a screen shot of the Alerts window with configurable options in SC CV. Fig. 8: Configurable response actions for an alert in SC CV Conclusion While enterprise IT and security teams deploy and manage an expanding array of defensive technologies, many remain challenged to detect and assess the impact of threats until long after vulnerable systems are compromised. Tenable Network Security addresses this situation with its industry-leading continuous monitoring platform - SecurityCenter Continuous View, a comprehensive solution for vulnerability, threat and compliance management. SecurityCenter Continuous View transforms organizational silos and operational processes by providing meaningful and actionable forensic analytics with which enterprises can dramatically accelerate incident response. About Tenable Network Security Tenable Network Security provides continuous network monitoring to identify vulnerabilities, reduce risk and ensure compliance. Our family of products includes SecurityCenter Continuous View, which provides the most comprehensive and integrated view of network health, and Nessus, the global standard in detecting and assessing network data. Tenable is relied upon by many of the world s largest corporations, not-for-profit organizations and public sector agencies, including the entire U.S. Department of Defense. For more information, please visit tenable.com. For More Information: Please visit tenable.com Contact Us: Please email us at sales@tenable.com or visit tenable.com/contact Copyright 2015. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc. SecurityCenter and Passive Vulnerability Scanner are trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners. EN-JAN282015-V4 9

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information