Removing Blind Spots in Network Visibility to Stop Data...
Removing Blind Spots in Network Visibility to Stop Data Theft
Stephen Newman, CTO, Damballa
Thursday, October 29, 11:20 AM - 11:50 AM
CONFIDENTIAL AND PROPRIETARY | ©2014 DAMBALLA
CLUES TO A CRIME
Photo Source: NBC
CYBERCRIMES IN 1H 2015
577 Breaches
155M+ Records
Source: Identity Theft Resource Center, 2015 Data Breach Category Summary
DETECTION TAKES TOO LONG
229 days to discover a breach
67% discovered by 3rd parties
Source: Mandiant’s 2014 M-Trends Report
Time to discovery (share of breaches):
Minutes: 11%
Hours: 13%
Days: 17%
Weeks: 25%
Months: 29%
Years: 5%
BLINDED BY ALERTS
Layers of Security Prevention Products
Tsunami of Noise
Uncertainty About Actual Threats
Overwhelming volume
High rate of false positives
Snapshot-in-time data
Information without context
LOTS OF EVIDENCE BUT NO PROOF
Diagram: Endpoint Security and Network Security prevention products (AV, HIPS, FW, DNS FW, IDS/IPS, WSG/Proxy, VM Sandbox), plotted from known indicators to unknown indicators
Proof of Infection
PREVENTION IS BLIND TO EVASIVE MALWARE
Initial Infection
Dropper
Update/Repurpose
Updater Site Downloader Site
Initial C&C and 2nd Repurpose
C&C Portals
C&C Proxies
Repository
HOW CAN YOU REMOVE THE BLINDERS?
Diagram stages: Initial Infection; Update/Repurpose; Initial C&C and 2nd Repurpose (C&C Portals, C&C Proxies)
Diagram labels: Files Downloaded, Executed files, Queries, Domain Fluxing, Automation, Emergent Threat, P2P Activity, HTTP Attempts, Communications with C&C
WHAT IF YOU COULD ELIMINATE GUESSWORK?
Slog through alerts
Dig through logs
Chase false positives
Correlate data
Make assumptions
Act/Don’t Act?

Instrument the network for detection
Indicators of compromise are monitored
Pieces of evidence are corroborated
Proof of infection is verified
High-risk devices are prioritized
Data theft is averted
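The corroborate-then-prioritize procedure on this slide, as an added example (not Damballa's code): weak indicators of the kinds the deck names (failed DNS lookups suggesting domain fluxing, HTTP attempts, P2P activity, executed files) only count as evidence above a threshold, a device is confirmed only when several distinct evidence types agree, and confirmed devices are ranked by evidence count scaled by device importance. Event records, thresholds, weights and host names are constructed for illustration.

```python
"""Corroborate network indicators per device and rank confirmed devices by risk.

Added example, not Damballa's code. All records, thresholds and weights below
are constructed; the evidence categories follow the slide deck.
"""
from collections import defaultdict

# Constructed per-device observations (not real telemetry).
EVENTS = [
    {"device": "host-a", "kind": "dns_nxdomain", "count": 240},  # failed-lookup burst: domain-fluxing pattern
    {"device": "host-a", "kind": "http_attempt", "count": 3},    # repeated attempts to reach a suspect URL
    {"device": "host-a", "kind": "file_executed", "count": 1},   # dropped file ran on the endpoint
    {"device": "host-b", "kind": "dns_nxdomain", "count": 12},   # typo-level noise, below threshold
    {"device": "host-c", "kind": "p2p_activity", "count": 1},    # P2P from a host that should not use it
    {"device": "host-c", "kind": "http_attempt", "count": 2},
    {"device": "host-d", "kind": "p2p_activity", "count": 1},    # single indicator, nothing corroborates it
]

# An evidence type counts as one "piece of evidence" only at or above its threshold (constructed values).
THRESHOLDS = {"dns_nxdomain": 100, "http_attempt": 2, "p2p_activity": 1, "file_executed": 1}
# Device importance (business criticality) scales the final risk; unlisted devices default to 1.0.
IMPORTANCE = {"host-a": 1.0, "host-b": 1.0, "host-c": 3.0}
MIN_EVIDENCE = 2  # distinct evidence types required before a device is a confirmed case


def corroborate(events, thresholds=THRESHOLDS, importance=IMPORTANCE, min_evidence=MIN_EVIDENCE):
    """Return [(device, sorted evidence types, risk)] for confirmed devices, highest risk first."""
    evidence = defaultdict(set)
    for ev in events:
        if ev["count"] >= thresholds.get(ev["kind"], float("inf")):
            evidence[ev["device"]].add(ev["kind"])
    ranked = []
    for device, kinds in evidence.items():
        if len(kinds) < min_evidence:
            continue  # a lone indicator stays a lead, not proof of infection
        risk = len(kinds) * importance.get(device, 1.0)
        ranked.append((device, sorted(kinds), risk))
    return sorted(ranked, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for device, kinds, risk in corroborate(EVENTS):
        print(f"{device}: risk={risk:.1f} evidence={kinds}")
```

host-c outranks host-a despite fewer indicators because its importance weight is higher; host-b and host-d never reach the confirmed list.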
NETWORK SECURITY MONITORING BY DAMBALLA
YOUR NETWORK TRAFFIC & DEVICES
RISK PROFILERS: Activity, Importance, Intent
DETECTION ENGINES: Behaviors, Content, Threats
CASE ANALYZER & MANAGER
TRUE POSITIVES CONFIRMED
CLOSED CASES
Threat Discovery Center
IR TEAM
TAKEAWAYS
Prevent what you can
Understand how malware evades detection
Instrument the network to discover hidden threats
A compromise doesn’t have to lead to a breach
Respond in a prioritized way based on risk factors
Thank you
[email protected]