Transcription
Vectra.AI – лидер рынка NDRNetwork Detection and ResponseOctober 2020Netwell, официальный u
Современный SOCневозможен без сети.SOC VisibilityTriadNetwork-based technologies enabletechnical professionals to obtainquick threat visibility across an entireenvironment without using agents.SOARSource: Applying Network-Centric Approaches for Threat Detection and ResponseMarch, 2019ID Number: G00373460All statements in this report attributable to Gartner represent Vectra’s interpretation of data, research opinion or viewpoints published as part of a syndicated subscriptionservice by Gartner, Inc., and have not been reviewed by Gartner. Each Gartner publication speaks as of its original publication date (and not as of the date of this presentation.The opinions expressed in Gartner publications are not representations of fact, and are subject to change without notice.CONFIDENTIAL2
Временная шкала Network SecurityIDSNetflowNetwork Forensics(NFT)MetadataNTANDRSignature basedapproachdesigned itoringwith detectionadded asbonus(Tech lookingfor problem)Packet capturewith searchcapabilities(Net VCR)Packet-headercapturewith addedsearchcapabilitiesMachineLearningapproach todetectingthreatsMachineLearning andthreatintelligencebehaviouralbaseddetection andresponseSourcefireStealth IAL3
Использование ИИ помогает бороться с известными инеизвестными атаками и векторами атакTTPs /MethodsPersistentToolsDetection ThreatIntelDomainIPDurable coverage through Vectra AI Focused on what the threat actor is doing Both novel and known attacks Cover attack vectors: IT, IoT, IaaS & O365Labeled coverage of known threats Vectra Threat Intelligence is fully managedand curated by Vectra Domains, IP addresses and in-use attackertoolsHashKnownThreat CoverageNovelTTP Tactics, Techniques and proceduresCONFIDENTIAL4
Threat Detection & ResponseSource: NIST Cyber Security FrameworkCONFIDENTIAL5
Vectra останавливает инциденты предотвращая взломы.Детектирование атаки по поведениюCONFIDENTIAL6
Типовая атака на компаниюWhat a sophisticated attacker, an APT group and malware do through the Cyber Kill ChainInitial access andcompromise Inside attackerPhishing emails and websitesExploiting vulnerabilitiesHardware additionsRemovable mediaCompromised accountsSaaS control planeCommand&controland persistenceGain moreprivileges and accessSteal or deletedataReconnaissanceMove laterallyEncrypt andmanipulate dataHidden communicationwith attacker’s systems.Setting up utilities onthe compromised systems.Searching the network forfor accounts, hosts, serviceand data.CONFIDENTIALElevating privilege levelsand moving towards theobjective.Accessing and compromisingadditional systemsand accounts.Hijack resources andbuild botnetsThe breach.7
Объединяем анализугроз и науку оданных.Data scientists and security researches buildand continually tune self-learning behavioralmodels that enrich metadata with machinelearning-derived security information.Security ResearchData ScienceFundamental attacker behaviorssourced from securing the world’smost sensitive assetsTeam of PhD data scientists whocodify behaviors across unsupervised,supervised and deep learning modelsSecurity Analyst in Software97% of the MITRE ATT&CK frameworkSecurity enrichments (e.g. privilege)Automate Tier-1 activities: 34X workload reductionCONFIDENTIAL8
Vectra использует науку о данныхGlobal LearningЧто: Найти скрытые черты, которыеесть у угроз в общемЗачем: Быстрое детектированиеплохого поведения, не требуетсялокальное обучениеКак: Supervised machine learningПример: Random Forest (алгоритммашинного обучения)CONFIDENTIALLocal LearningIntegrated IntelligenceЧто: Обучение нормальномуповедению и поиск признаковатакЧто: Автоматический скоринг хостовчтобы показать общий уровеньзараженности в сетиЗачем: Выявить следы атаки,уникальные в сетиWhy: Быстро отбросить ненужныесобытия, чтобы показать ключевыемоменты атакиКак: Unsupervised machinelearningПример: K-means clustering(метод кластеризации)How: Отслеживание событий вовремени во всех фазах атакиПример: Bayesian network(графовая вероятностная модель)9
Vectra детектируетповедение злоумышленников по всей цепочке атакиCommand and ControlReconnaissanceLateral MovementExfiltrationExternal Remote AccessInternal Darknet ScanPrivilege Anomaly (multiple)Data SmugglerHidden DNS TunnelPort ScanSuspicious Remote ExecSmash and GrabHidden HTTP/S TunnelPort SweepSuspicious Remote DesktopHidden DNS TunnelMulti-homed TunnelSMB Account ScanSuspicious AdminHidden HTTP/S TunnelSuspicious RelayKerberos Account ScanShell KnockerO365 Power automateSuspect Domain ActivityFile Share EnumAutomated ReplicationO365 Mail forwardingMalware UpdateSuspicious LDAP QueryBrute-Force AttackPeer-to-PeerRDP ReconSMB Brute-ForcePulling InstructionsRPC ReconKerberos Brute ForceSuspicious HTTPM365 Suspicious activities(several)Kerberos Server ActivityTOR ActivityRansomware File ActivityThreat Intel MatchSQL Injection ActivityStealth HTTP PostM365 Prilege & accountanomalies (several)M365 Account compromise(several)CONFIDENTIALBotnet MonetizationAbnormal Web or Ad ActivityCryptocurrency MiningBrute-Force AttackOutbound DoSOutbound Port SweepOutbound Spam10
Низкий шум & высокая точностьVectra дает вам этоБольшинство NDR делают это 200K hosts monitoredSophisticated detection capabilityAccuracy/relevance of detected behaviorsБизнес получает Снижение нагрузки на SOCCognito отделяет высокоточные сигналы от ежедневного шумаSource: Actual customer environment in a large multinational enterpriseCONFIDENTIAL11
Наиболее точное и эффективное решениедля детектирование известных и неизвестных угрозSIEM/logs не дают полный, глубокий, детализированный вид.EDR не везде установлены и могут быть обмануты. Когда что-то случается,это всегда видно в сети.à Vectra может детектировать такие атаки, которые другие не могутVectra’s AI комбинирует как поведение атакующего, так сетевыеаномалии при помощи продвитой аналитики и корреляцииà Лучшее детектирование “signal to noise ratio” в реальномвремениVectra интегрируется в экосистему SOCà Прямо из коробки с большинством систем, открытый APIБезагентское внедрение, самообучение, ий интерфейсà Продуктивность работы аналитика вырастает в разыМинимум ложных срабатываний, приоритезация угроз, автоматизацияреагирования на инцидентыà 34x снижение временных затрат SOC Level-1,Переход от анализа инцидентов к триажу всей атакиза считанные минутыCONFIDENTIALDetect On-prem & CloudNo decryption of trafficNo signaturesMaps 97% Mitre Att@ckCan run 100% air-gappedComes with curated threat intelVectra is a pioneer in AI & NDRTrusted by 500 organizations12
Безопасность, которая думает.Сценарии использования и положительное влияние на ости SOCВыполнение ктирование атаки впроцессе; изация ROIАдаптация имание масштаба атакиРеагирование на правильныеинциденты в правильноевремяПростая интеграция ссуществующимирешениями ИБСнижение риска взломаCONFIDENTIALБезопасность в ний SaaSЗащита цифровойтрансформации13
Платформа Vectra CognitoVectra UIwith Dashboards, Investigation,Reports and Response AutomationSIEM, Data LakeVectra Apps forSIEM solutionsSecurity enrichedmetadataStreaming and salgorithmsПолучение сетевого трафика из сети и облаковPhysical Sensors(HW or SW)VirtualSensorsCloudSensorsM365syslogsPort mirroring (SPAN), Network tap, Virtual tap, Office365 logsCONFIDENTIALThreat intelIntegrationsfor contextenrichmentEDRDNSAD Интеграция сосредствамиавтоматизации иреагированияEDR, Firewall, SOAR, 14
Интеграция Vectra с инфраструктурой ИБVectra Apps forSIEM solutionsVectra UISecurity enrichedmetadataStreaming and EventsAnalyticsSecurity icsalgorithmsThreat intelIntegrations forcontextenrichmentCapture and Digest Traffic from the Network and CloudPhysical Sensors(HW or gsIntegrations forresponse automation15
Визуализация сети и облаков на 360ºInternetAppsfront endCoreSwitchBrain nganddatastoresData CentersPublic Cloud16
Основные конкуренты - NDRCONFIDENTIAL17
Куда продаем?ØЗамена IDS/IPSØSOC (Gartner)ØПереход в облакаCONFIDENTIAL18
Рынок IDS/IPS движется в сторону NDRCONFIDENTIAL19
Проблемы рынка IDS/IDPSIDPS ведет к усталостиот тревогиIDPS недостаткивизуализацииIDPS громоздки IDPS основаны на сигнатурах истатичных правилах длядетектирования угроз IDPS в составе FW не могутдетектировать LateralMovement Правила и сигнатуры IDPSтребуют постоянногообновления и настройки. Без дополнительного контекста(как например поведения хоста)генерят огромное количестволожных срабатываний инизкоуровневых алертов Сигнатуры могутдетектировать толькоизвестные атаки; неизвестныеатаки или современные атакиоснованные на учетныхзаписях остаются невидимы Требования регуляторовтребуют статичные установки,что не дает полноценноработать решению, а сигнатурыбыстро устаревают.CONFIDENTIAL20
Value PropositionKeyCriteriaFor:Product is:Ideal for:Better than:Because:Ideal CustomerProfileProduct PitchUse CasesCompetitionDifferentiation andProof Points Any organizationthat has an IDPSdeployed Director/Managerof IT/SecurityOur Product IT SecurityAnalystsCONFIDENTIALVectra Cognito, with its realtime automated threathunting capabilities, is theideal replacement for today’sIDPS products that cannotblock contemporary cyberattacks and cannot detecthidden attacker behaviorsinside your network.The Cognito Platformfocuses on detecting andmitigating active threatsinside the network – fromusers to IoT devices to datacenters and the cloud. Detect advanced, postcompromise behavior Reduce Alert Fatigue Visibility intoUnknown threats Network-basedIntrusion detection Shifting to a behavioralapproach for threatdetection IDPS Vendors NDR VendorsAttacker behavior instead ofGeneric Anomaly DetectionProof point: American University“We want to spend more time doingwhat’s beneficial for the university,which is protecting it – not upgradingcustom software and sifting throughsignatures”Prioritize Threat Detection andInvestigationProof point: ED&F Man Holdings"Cognito was to install and we getimmediate visibility into attackerbehaviors that hide in traffic"Proof point: Gartner MG for IDPS“Vectra addresses the issue of alertfatigue. This solution excels at theability to roll up numerous numbersof alerts to create a single incident toinvestigate that describes a chain ofrelated activities, rather than isolatedalerts that an analyst has to piecetogether.”21
Ideal Customer ProfileTarget Market (who they are)Annual Revenue 50M - 500M # Employees500 – 50,000 IndustryManufacturing, Healthcare, Energy & Utilities, Financial Services, Higher Education, SLED, Government, TechnologyNeedsMeet Compliance Regulations, stop attacks that have made it past perimeter defense, reduce workload on security analystsEnvironment (their situation)TechnologyLandscapeExisting IDPS Users, has implemented or looking into next generation technologies (CrowdStrike, Splunk, etc.)Business Buyer PersonaTechnical Buyer PersonaTitleDirector/MGR of IT, IT Security, SOCTitleSecurity Analyst, SOC Analyst, Network Analyst, IT AnalystResponsibilityResponsible for IT infrastructure/securityResponsibilityManages IDPSTechnologySkillsBasic understanding of IT/security tools.TechnologySkillsRuns the cybersecurity arm to protect the businessesinfrastructurePain-pointsPoor ROI on existing security investments, staff burn-out,incomplete understanding of the attack surface, reactive tothreatsPain-pointsToo many alerts, too many signatures to maintain, lack ofvisibility into what’s inside of the networkPositioningBehavioral approach, automation, prioritized threats andhigh-fidelity alertsPositioningCONFIDENTIALPosition SOC efficiency, improved ROI across securityprogram, increased staff productivity22
Qualification CriteriaCriteriaDescriptionAnnual Revenue50M – 500M ContactManager, Director, VP, or C-Level Decision-MakerBuying StageEvaluation/Purchase to be completed within 9 monthsNeedAdhere and meet compliance, detect and respond to threats that have passed perimeter defensesDesireActionable alerts guided response, less maintenance and tuning work for security analystsTechnology fitAny organization that currently has an IDPS deployedActionsProspect Agreed to an introduction call to discuss their pain (Before Scenario/Negative Consequence) anddiscuss their ideal state (After Scenario)CONFIDENTIAL23
Ключевые моменты для разговора о замене IDPSЧем недоволен заказчик?CONFIDENTIAL123Усталость от �ые атакиСодержание иподдержка(отношение сигнал/шум)IDPS генерят оченьмного событийIDPS основанына сигнатурахIDPS требуютпостоянной настройки итюнинга24
IDS vs IPS vs Firewall vs NDRParameterFirewall/IPSIDPSNDRAbbreviation forFirewall/IntrusionPrevention SystemIntrusion Detectionand PreventionSystemNetwork Detectionand ResponseUsageFilters ingoing andoutgoing traffic basedon manual rules Inspect ingoing andoutgoing traffic, stopsknown attacks basedon signaturesMonitors traffic,sends alerts on policyviolations or knownattacks.Monitors allnetwork traffic,uses AI combinedwith signatures tostop threatsPrinciple ofworkingFilter based on IPand Port Looks forsignatures of attack,prevent that attack.Looks for trafficpatterns orsignatures, generatealert.Leverage AI withsignatures to lookfor known andunknown attacksand stop themPlacementInline at networkperimeter (Firewall)Non-inline via Spanport, or tapNon-inline viaSpan port, or tapVendorsPalo Alto Cisco (Sourcefire) Alert Logic Trend Micro(Tipping Point) McAfee(Intrushield/NetworkSecurity Platform) BroDarktraceExtraHopCorelight / ZeekAwakePAN – CortexBricataCheckpointCiscoCONFIDENTIALWhere's the IDScomparison***25
Что дает NDRИспользование NDR для замены IPS/IDSЭффективность SOC Аналитик переключаетсяс настроек сигнатур наанализ приоритезированных событий ипоиска угроз. Объединенное ий регуляторов AI-based triaging Детектирование При выполнении Перевод �цидентов)требований х инеизвестных атак.алертов в поведение Показ полногодля ЦОД и облаковVectra will provide a 90% efficiencyimprovement from current anomalybased detection approachesСнижение рискаповедения в контекстеCompliance with (PCI DSS) v3.2And (PA-DSS)Automate Tier-1 activities:34X workload reduction26
This is Vectra.Hundreds ofglobal customers.Highlyrecommended.Dozens offive-star ratings.Vibrantcybersecuritycommunity.Recognized innovator and industry leader.Only visionary in2018 MQ for IDPSTechnology innovatorby EMA researchVisionary innovationby Frost and SullivanDeloitte 500 fastestgrowing technologyApproved for CDMPhase 3 DEFENDRed Herring Global100 WinnerIDC Innovators: AISecurity SolutionsCyberSecurityBreakthrough AwardsComputingSecurity Awards97% ONGARTERCreated by security professionalsfor security professionals.Our core team consists of security researchers,data scientists, platform engineers, and UI designers.CONFIDENTIAL27
Copyright 2020 Vectra.AI, Inc.
IDS Netflow Network Forensics NTA (NFT) Metadata NDR Signature based approach designed for detecting without responding Packet capture with search capabilities (Net VCR) Packet-header capture with added search capabilities Network performance monitoring with detection added as bonus (Tech looking for problem) Machine
