Triage: The Art Of Threat Detection And Risk Assessment

Transcription

Triage: The Art of Threat Detection and Risk Assessment
Company Confidential

Seth Goldhammer, Director of Product Management, LogRhythm
Paul Davis, Director, Advanced Threats Security Solution Architects, Cisco

The Modern Cyber Threat Pandemic
- EXPANDING ATTACK SURFACE: Endpoint, Network, Cloud and SaaS, Users, Mobile Devices, IoT
- WELL-ESTABLISHED CYBER-CRIME ECONOMY (black-market prices):
  - Credit card number: $0.10 to $20
  - E-mail accounts (per 1,000): $5 to $8
  - Cloud accounts
  - Stolen healthcare (EHR) charts: $50 each
  - Custom malware: up to $3,500
  - DDoS attack: up to $1,000 per day
- MOTIVATED AND WELL-FUNDED THREAT ACTORS
- CREATIVE AND SOPHISTICATED ATTACKS: Social Engineering, Spear Phishing, Custom Malware, Zero-Day Exploits
Sources: Symantec, "Underground black market: Thriving trade in stolen data, malware, and attack services", November 20, 2015; Medscape, "Stolen EHR Charts Sell for $50 Each on Black Market", April 28, 2014

Signs of a good triage process
- Threat Identification
- Threat Analysis
- Safe Threat Eradication
- Detecting the "Unknown"
- Effective Coordination and Communication

Setting the stage
- Operations room: millions of events, some good, some bad; be cautious of alarm fatigue
- Operations team: ready to respond, monitoring for the unexpected
- Random detection and response doesn't work
- Having the right tools is critical: to detect suspicious events, to determine risk, to take action

Vigilance requires visibility at every layer: Network, Endpoint, User (a holistic view of the attack)

Network-wide visibility and analytics
- Forensic data sources: Networking Devices, Security Devices, Systems & Applications, Industry-Specific Devices, Identity Services
- Pipeline: FORENSIC DATA -> ANALYSIS CONDITIONING -> ANALYSIS

LogRhythm: understanding what's normal
- Dimensions of context: Business Value, Asset Classification, Risk Rating, Vulnerability, Normal Host / Process / Access / File Activity / Resources, External Context, Threat Intelligence, IP, Error, Behavior
- Manual discovery of what's normal network activity is impractical due to the sheer volume of data across multiple types of dimensions
- The result is an unmanageable volume of false positives based on benign anomalies, and significant blind spots / false negatives
- An automated technology is needed to learn behavioral attributes across multiple dimensions

The question: to escalate or not?
- RULE: Trust but verify
- WHY: You're only as good as your last incident

Showing how AMP Threat Grid enables "Trust but Verify"

AMP Threat Grid: Feeds Malware Analysis and Threat Intelligence
- AMP File Submissions: an analyst or a system (via API) submits a suspicious sample to Threat Grid
- An automated engine observes, deconstructs, and analyzes the sample using multiple techniques: proprietary static and dynamic analysis, an "outside looking in" approach, and 700 behavioral indicators
- Big Data Correlation: the Threat Grid platform correlates the sample result with millions of other samples and billions of artifacts (Sample and Artifact Intelligence Database)
- Output: a Threat Score and Behavioral Indicators, plus Threat Feeds. Actionable threat content and intelligence is generated that can be utilized and integrated into a variety of existing systems or used independently

LogRhythm threat intelligence service
- Single click to enable the Cisco AMP Threat Grid integration
- Threat data is immediately leveraged in machine-based analytics and automatic evidence corroboration

Reduce time to detect and qualify emerging threats
- On-the-fly lookups provide key details at the time of need
- Integrated case management preserves all evidence to expedite analysis

The triage confirmation

Quickly capture scope of incident

Enabling fast, effective triage: the marriage of visibility and context
- Delivering more confidence, faster decisions, effective response

LogRhythm and Cisco AMP Threat Grid
- Correlate indicators of compromise (IOCs) to detect and respond to:
  - Dangerous IPs accessing internal infrastructure
  - Users visiting risky URLs
  - Phishing attempts
  - Malware propagation
  - Other high-impact activities
- Corroborate activity and expose behavioral anomalies:
  - Raises prioritization of corroborated activities exhibiting compromise or infestation
  - Reduces false positives and delivers even higher-qualified alarms
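The "escalate or not? trust but verify" rule earlier in the deck and the IOC corroboration on this slide, as an added worked example that is not LogRhythm or Cisco Threat Grid code: a small Python triage routine runs constructed firewall, proxy and endpoint log lines (in a key=value format invented for the example) against a constructed threat-intel feed that carries a threat score per indicator. A host whose feed hit is corroborated by two or more independent log sources is escalated; a lone hit on a high-score indicator is queued for analyst verification; everything else is only monitored. The feed contents, the log formats, the score thresholds and the 10.0.0.0/8 "internal" range are all assumptions of the example.

```python
"""Corroborated IOC triage over constructed log lines.

Added example; it is not LogRhythm or Cisco Threat Grid code. The feed,
the log formats and the thresholds are all assumptions of the example.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed internal address range, used to decide which side of a flow is "our" host.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed threat-intel feed: indicator -> threat score (0-100). Not a real feed.
THREAT_FEED = {
    "ip": {"203.0.113.45": 95, "198.51.100.7": 60},
    "domain": {"evil-update.example": 90},
    # Placeholder hash (SHA-256 of the empty string) standing in for a known-bad sample.
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855": 85},
}

# Constructed log lines: "<source> <timestamp> [action] key=value ..." (invented format).
SAMPLE_LOGS = [
    "fw01 2016-03-01T10:00:01Z allow src=10.0.0.5 dst=203.0.113.45 dport=443",
    "proxy01 2016-03-01T10:00:05Z user=jdoe client=10.0.0.5 url=http://evil-update.example/p.exe status=200",
    "ep01 2016-03-01T10:00:09Z host=10.0.0.5 event=process_create image=p.exe "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "fw01 2016-03-01T10:02:11Z allow src=10.0.0.9 dst=198.51.100.7 dport=80",
    "fw01 2016-03-01T10:03:40Z allow src=203.0.113.45 dst=10.0.0.20 dport=22",
    "fw01 2016-03-01T10:04:02Z allow src=10.0.0.12 dst=192.0.2.10 dport=443",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Split a log line into its source name and a dict of key=value fields."""
    source, _timestamp, *rest = line.split(" ")
    return source, dict(KV.findall(" ".join(rest)))


def hits_for(source, fields):
    """Yield (internal_host, ioc_type, ioc_value, score) for each feed match in one event."""
    if source.startswith("fw"):
        src, dst = fields["src"], fields["dst"]
        # Attribute the hit to the internal side of the flow, whether inbound or outbound.
        internal = src if ipaddress.ip_address(src) in INTERNAL else dst
        for peer in (src, dst):
            if peer in THREAT_FEED["ip"]:
                yield internal, "ip", peer, THREAT_FEED["ip"][peer]
    elif source.startswith("proxy"):
        host = re.match(r"https?://([^/]+)", fields["url"]).group(1)
        if host in THREAT_FEED["domain"]:
            yield fields["client"], "domain", host, THREAT_FEED["domain"][host]
    elif source.startswith("ep"):
        digest = fields.get("sha256")
        if digest in THREAT_FEED["sha256"]:
            yield fields["host"], "sha256", digest, THREAT_FEED["sha256"][digest]


def triage(lines, corroboration_threshold=2, verify_score=90):
    """Group feed hits per internal host and decide escalate / verify / monitor.

    "Trust but verify": a single feed hit is not an incident. Escalate only when
    independent log sources corroborate it; a lone high-score hit is queued for
    analyst verification; everything else is monitored.
    """
    per_host = defaultdict(lambda: {"sources": set(), "iocs": set(), "max_score": 0})
    for line in lines:
        source, fields = parse(line)
        for host, ioc_type, value, score in hits_for(source, fields):
            record = per_host[host]
            record["sources"].add(source)
            record["iocs"].add((ioc_type, value))
            record["max_score"] = max(record["max_score"], score)

    decisions = {}
    for host, record in per_host.items():
        n_sources = len(record["sources"])
        # Priority is the strongest indicator score, boosted for each extra corroborating source.
        priority = min(100, record["max_score"] + 10 * (n_sources - 1))
        if n_sources >= corroboration_threshold:
            decision = "escalate"
        elif record["max_score"] >= verify_score:
            decision = "verify"
        else:
            decision = "monitor"
        decisions[host] = {
            "decision": decision,
            "priority": priority,
            "sources": sorted(record["sources"]),
            "iocs": sorted(record["iocs"]),
        }
    return decisions


if __name__ == "__main__":
    for host, result in sorted(triage(SAMPLE_LOGS).items()):
        print(host, result["decision"], result["priority"], result["sources"], result["iocs"])
```

On the constructed input, 10.0.0.5 is escalated because the firewall, proxy and endpoint sources all agree; 10.0.0.20 is only queued for verification because a single inbound connection from a high-score IP is one source's word; 10.0.0.9 is merely monitored; 10.0.0.12 never enters the decision table. The corroboration threshold and the verify score are the knobs an analyst would tune against the false-positive rate the team can absorb.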

A complete solution: integrated for ease of use and an efficient workflow
- AMP Threat Grid: greater context and understanding of a threat
- LogRhythm: internal context, security analytics, detection, response

Questions?
Seth Goldhammer, Director of Product Management, LogRhythm
Paul Davis, Director, Advanced Threats Security Solution Architects, Cisco
