Breach Discovery
Nat Kausik, CEO, Bitglass
Rich Campagna, VP Products, Bitglass

Upload: bitglass

Post on 15-Apr-2017


TRANSCRIPT

Page 1: Breach Discovery

Breach Discovery
Nat Kausik, CEO, Bitglass
Rich Campagna, VP Products, Bitglass

Page 2: Breach Discovery

Polling Question #1: Which of the following is currently your biggest security concern?
• Malware & Hacking
• Lost Devices
• Misuse/Shadow IT
• User Errors
• None of the above

Page 3: Breach Discovery

Breach Stats

*California AG Breach Report 2014

Page 4: Breach Discovery

Types of Breaches

Nuisance Breach - Opportunistic hack on vulnerable endpoints

Untargeted Breach - Opportunistic hack on vulnerable enterprises

Targeted Breach - Custom hack on specific enterprise

Page 5: Breach Discovery

Nuisance Breach

Effectiveness of Defense: Good

Tools: Anti-malware

Target: Vulnerable endpoints

Weapon: Malware

Gain: Fun, botnets, passwords

Page 6: Breach Discovery

Untargeted Breach

Effectiveness of Defense: Limited

Tools: Anti-X, NGFW, APT protection

Target: Vulnerable enterprises

Weapon: Malware

Gain: Credit card numbers, etc.

Page 7: Breach Discovery

Untargeted Breach

1. 3rd party website “Company Fun Run”

2. Employees register with company creds

3. Hack 3rd party site to steal creds

4. Log into JPMorgan

5. Exfiltrate data over months

6. 3rd party website hires security guru, notifies JPMorgan

Page 8: Breach Discovery

Targeted Breach

Effectiveness of Defense: ???

Tools: ???

Target: Specific enterprises

Weapon: Many

Gain: Geo-political advantage?

Page 9: Breach Discovery

Targeted Breach

1. April 2014: Spoofed site myhr.we11point.com

2. Spear phishing emails

3. Employees log in with Anthem creds

4. Anthem creds harvested by the spoofed site

5. Log into Anthem

6. Query & steal 80M identities

Feb 2015: Anthem IT discovers breach

Page 10: Breach Discovery

Polling Question #2: How long do you think it would take you to detect a typical breach?
• Less than 1 day
• Less than 1 week
• Less than 1 month
• Less than 6 months
• More than 6 months

Page 11: Breach Discovery

© 2014 Bitglass – Confidential: Do Not Distribute

The Reality - Breaches Happen

*Source: Mandiant/FireEye

229: Average # of days before detection

67%: Victims notified by external sources

“Two kinds of companies, those that were hacked and those that don’t yet know it”

- John Chambers, CEO, Cisco

Page 12: Breach Discovery

Bitglass Breach Discovery: Limit the Damage

Page 13: Breach Discovery

Problem: Corporate data moving outside the firewall

1. On Network: Data breaches - exfiltration & Shadow IT

2. In Cloud: Attack on SaaS vendor risks sensitive data

3. At Access: Data theft via hacked devices & accounts

4. On Device: Lost tablet containing financial records

(Figure: On-premise, Cloud, Mobile)

Page 14: Breach Discovery


Breach Discovery - How it Works

1. Upload Firewall or Proxy logs

2. Big Data Analysis of Outflows (Bitglass Breach Discovery, fed by Bitglass Risk Intelligence)

3. Ranked alerts on high-risk outflows

• Shadow IT risks
• Drill-down investigation
• No software

Page 15: Breach Discovery


Customer Example

Transportation company, 25,000 employees, 2M log lines per day

Findings:
• Data exfiltration to ~200 TOR nodes
• 4 high-risk, high-volume Shadow IT apps

Case study at bitglass.com/resources

Page 16: Breach Discovery


Customer Example

Wall Street tech firm, 300 employees, 25K log lines per day

Findings:
• Ten machines infected with malware
• Command & control traffic
• Next-Gen Firewall ineffective

Case study at bitglass.com/resources
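The "How it Works" slide (upload proxy logs, analyse outflows, rank alerts) and the two customer examples (exfiltration to TOR nodes, command-and-control traffic) describe outbound data-flow analysis without showing it. The following is an added example, not Bitglass code and not its proprietary ranking: it aggregates outbound bytes per source/destination pair from a few constructed proxy-log lines, checks destinations against a constructed TOR exit list, tests each flow for beacon-like periodicity (the regular check-in timing typical of C2), and returns alerts ranked by a simple additive score. The CSV layout, IP addresses, hostnames, thresholds and score weights are all assumptions chosen for the illustration.

```python
"""Outbound data-flow analysis over proxy logs: rank outflows by risk.

Added example, not Bitglass code.  The log format, hosts, IPs, thresholds and
scoring weights below are assumptions made for this illustration.
"""
import math
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real traffic): time, source IP, destination, bytes sent.
# A simplified CSV stand-in for a proxy export.
SAMPLE_LOG = """\
2014-11-03T08:00:00,10.1.4.22,crm.example-saas.com,8120
2014-11-03T08:05:00,10.1.4.22,crm.example-saas.com,9530
2014-11-03T08:07:00,10.1.4.22,updates.vendor.example,2048
2014-11-03T09:00:00,10.1.9.77,198.51.100.14,52428800
2014-11-03T09:40:00,10.1.9.77,198.51.100.14,41943040
2014-11-03T10:15:00,10.1.9.77,198.51.100.14,61440000
2014-11-03T08:00:00,10.1.6.5,cdn.203-0-113-9.example,512
2014-11-03T08:10:00,10.1.6.5,cdn.203-0-113-9.example,520
2014-11-03T08:20:00,10.1.6.5,cdn.203-0-113-9.example,498
2014-11-03T08:30:00,10.1.6.5,cdn.203-0-113-9.example,515
2014-11-03T08:40:00,10.1.6.5,cdn.203-0-113-9.example,505
2014-11-03T08:50:00,10.1.6.5,cdn.203-0-113-9.example,510
"""

# Constructed TOR exit list using documentation-range IPs.  In practice this is
# loaded from the Tor Project's published exit-node list and refreshed regularly.
TOR_EXITS = {"198.51.100.14", "198.51.100.77"}

BEACON_MIN_HITS = 5                     # connections needed before judging regularity
BEACON_MAX_CV = 0.15                    # max coefficient of variation of gaps for "beacon-like"
HIGH_VOLUME_BYTES = 100 * 1024 * 1024   # 100 MiB outbound to one destination


def parse_log(text):
    """Parse the constructed CSV lines into (datetime, src, dst, bytes_out) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, nbytes = line.split(",")
        rows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return rows


def is_beaconing(times):
    """True when a flow's connection times are regular and low-jitter (C2 check-in pattern)."""
    if len(times) < BEACON_MIN_HITS:
        return False
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return False
    return statistics.pstdev(gaps) / mean < BEACON_MAX_CV


def rank_outflows(rows, tor_exits=TOR_EXITS):
    """Aggregate outbound bytes per (src, dst) and return alerts ranked by a simple risk score."""
    flows = defaultdict(lambda: {"bytes": 0, "times": []})
    for ts, src, dst, nbytes in rows:
        flows[(src, dst)]["bytes"] += nbytes
        flows[(src, dst)]["times"].append(ts)

    alerts = []
    for (src, dst), f in flows.items():
        reasons = []
        # Volume term is log-scaled so one huge upload does not drown every other signal.
        score = math.log10(f["bytes"] + 1)
        if dst in tor_exits:
            score += 5
            reasons.append("destination is a TOR exit")
        if f["bytes"] >= HIGH_VOLUME_BYTES:
            score += 3
            reasons.append("high-volume outflow")
        if is_beaconing(f["times"]):
            score += 4
            reasons.append("beacon-like periodicity")
        if reasons:  # flows with no risk indicator are not surfaced as alerts
            alerts.append({"src": src, "dst": dst, "bytes": f["bytes"],
                           "score": round(score, 2), "reasons": reasons})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for a in rank_outflows(parse_log(SAMPLE_LOG)):
        print(f'{a["score"]:6.2f}  {a["src"]:>10} -> {a["dst"]:<26} '
              f'{a["bytes"]:>10} B  {", ".join(a["reasons"])}')
```

On the constructed input the 150 MiB upload to the TOR exit ranks first (TOR destination plus high volume), the six evenly spaced 500-byte connections from 10.1.6.5 rank second on periodicity alone despite their tiny volume, and the ordinary SaaS and update traffic produces no alert at all. That last point is the practical value of ranking over raw anomaly output: the analyst reviews two lines, not twelve.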

Page 17: Breach Discovery

Polling Question #3: Biggest challenge with your existing breach detection tools (e.g. SIEM)?
• Too many alerts to be useful
• Too difficult to manage and integrate threat intelligence
• We don’t have a SIEM
• Other issues not listed
• We don’t have any challenges

Page 18: Breach Discovery

Discovery vs Prevention

Prevention-focused tools:
• Prevention tools increasingly ineffective against targeted and persistent attacks
• Existing and emerging anomaly detection technologies throw too many alerts to be useful
• SIEM requires curation of risk intelligence feeds and ongoing manual interpretation by SMEs

Bitglass Breach Discovery:
• Outbound Data Flow Analysis catches breaches early
• Prioritized alerts via cloud-powered big data analytics with proprietary ranking
• Rapid Deployment - Simply upload logs, nothing to install

“Determined attackers can get malware into organizations at will.” - Neil MacDonald/Peter Firstbrook, Gartner

Page 19: Breach Discovery

Total Data Protection Outside the Firewall