TRANSCRIPT
Democratising Security: Update Your Policies or Update Your CV
Raja Mukerji, Co-Founder and President, ExtraHop Networks
“You know the things you intend to have in your network. We know the things that are actually in your network.”
Rob Joyce, Chief of Tailored Access Operations, National Security Agency
Policy Compliance != Security
Chart: security policy compliance versus risk visibility. Quadrant labels: Checkbox Compliance, Traditional Risk Mitigation, Holistic Understanding, Business Enablement; target state: Secure.
Analyze Data in Flight to Understand Risk
I can see which people are talking to each other.
I can track the movement of sensitive information around the network.
I can tell very quickly if something has changed, and then figure out why, or at least who I need to ask.
I have an incident, and I can easily find out how widespread it is.
I can check firewall rules against reality and provide auditors with records of observed activity.
Wire Data = Risk Visibility
CVE Detection
Shellshock
HTTP.sys
Turla malware
Heartbleed
FREAK SSL/TLS
POODLE
Logjam
Compliance
SSH tunneling
Non-standard ICMP
Non-standard DNS
Non-standard HTTP
Disallowed file types
Invalid file extension writes
Blacklisted traffic
Encryption Profile
Certificate expiration
Key length
Outdated SSL sessions
MD5/SHA-1 cert signing
SSL traffic by port
Email encryption
Wildcard certificates
Protocol Activity
Unencrypted FTP
Telnet
Gopher
TACACS
SNMP v1, v2, v2c
Finger
IRC
Application & User Behavior
Privileged user logins
Unauthorized connections
Lateral network traversal
Brute force attacks
Storage/DB access
Fraudulent transactions
Large data transfers
Unstructured Packets -> Structured Wire Data
Scaling SecOps
Traditional Model: Enterprise Perimeter
• InfoSec is siloed
• Not enough skilled staff
• Security controls fail due to complexity
New Model: Micro-Perimeters
• InfoSec is a partner (enforcement and advisory)
• Equip everyone to make security part of their job
• Focus on InfoSec as a service
Diagram: micro-perimeters drawn around App A: Assets, App A: Data, Corporate IT, Specialist IT, Remote Workers, IaaS: Assets, IaaS: Data, and a SaaS App.
Enrich Your Security Infrastructure
User behavior
Application behavior
System behavior
Network behavior
Open Data Stream
Big Data lake for security
Stream Analytics
Unstructured network packets
• Programmable stream processor for custom metrics
• Open Data Stream (syslog, Kafka, HTTP) for any data
• Bi-directional REST API for ingest and orchestration
Everything Transacts on the Network
Target Host
Evil
Mail Server
Database
Day 0 – Target compromised
Day 5 – Rootkit downloaded
Day 5 – Command and control set up
Day 6 through 14 – Slow port scan
Day 14 through 25 – Low-intensity brute-force login attempts
Day 26 through 29 – Data downloaded over a four-day period
Day 30 – Exfiltration of data over a throttled connection
7 different L7 protocols, various behaviors, and data exchanged over a 30-day period
SMTP
HTTP
SSH
ICMP & TCP
LDAP
FTP
MySQL
Data Exfiltration
Observe and correlate every step of the intrusion lifecycle on the network: malicious email -> malware download -> C&C -> scanning -> brute-force login -> data download -> exfiltration
ICMP Ping and TCP-SYN scanning
Failed database logins
FTP to internal and external servers
Realization of Threat Intelligence
• Detect attacks based on observed behavior, not signatures
• Reduce alert fatigue with intelligence based on precise activity
• Better than logs: Network observation is always on and cannot be deleted or turned off
Business Process Anomaly Detection
4 hours
Traditional security analytics/intelligence systems are too slow to catch fraud. Example: An online travel management service needed to detect and cancel fraudulent activity before the criminals went to the airport and received cash refunds for the tickets.
Policy violation!
Simplify Compliance Audit
• Track every AD login, CIFS file access, and who connected to sensitive applications
• Store historical data to simplify audit reporting and enable investigation
• Verify whether existing security controls are actually working
• Monitor encryption use and cipher suite strength