Enhanced Threat Intelligence for SPs v3
Guavus Confidential – Do Not Distribute © 2013 Guavus, Inc. All rights reserved.
ENHANCED THREAT INTELLIGENCE
May 14, 2014
Neil King, VP Security Analytics
Threat Intelligence Landscape: Wild West
Threat Intelligence Taxonomy
Threat Category: Botnet, Malware, Phishing, Mobile, Policy-based, Vulnerabilities
Threat Entity: IP Address, Domain, URL, File, Application
Providers: Anti-virus, Network Security, Threat Intelligence Specialists, Non-commercial
Delivery: Blocklists, Reports, News/Blogs
URL Feed Comparison
Among VirusTotal URL feeds there is little overlap across threat feeds.
Number of Detections per Threat
A majority of threats are detected by 1-2 engines.
[Bar chart: number of threats (y-axis, 0 to 450,000) against the number of engines detecting each threat (x-axis, 1 to 11+).]
Detection Fragmentation – Full Feeds
Pairwise overlap between ten vendors' full feeds (the matrix is not symmetric, so each cell is read row by column):

           Vendor 1  Vendor 2  Vendor 3  Vendor 4  Vendor 5  Vendor 6  Vendor 7  Vendor 8  Vendor 9  Vendor 10
Vendor 1   100%      1.40%     0.30%     0.13%     16.33%    6.27%     10.83%    7.57%     0.03%     45.50%
Vendor 2   0.66%     100%      0%        51.33%    34.89%    40.87%    0.03%     3.50%     1.79%     40.27%
Vendor 3   0.00%     0%        100%      0%        0%        0.01%     0%        0.32%     0.03%     0.01%
Vendor 4   0.05%     9.89%     0%        100%      0.02%     11.90%    0%        0%        0.07%     0.57%
Vendor 5   21.40%    0.74%     0%        0.05%     100%      2.42%     9.35%     7.07%     0.09%     27.07%
Vendor 6   0.35%     0.89%     0.06%     1.62%     0.30%     100%      0.19%     1.34%     0.38%     2.31%
Vendor 7   4.97%     0.03%     0%        0%        4.97%     0.20%     100%      0.03%     0%        26.60%
Vendor 8   0.06%     0.07%     0.27%     0%        0.23%     0.35%     0.00%     100%      0.06%     0.64%
Vendor 9   0.26%     1.99%     0.17%     0.26%     0.26%     2.95%     0%        3.38%     100%      2.86%
Vendor 10  9.93%     0.99%     0.03%     0.25%     10.11%    4.55%     6.17%     5.40%     0.24%     100%
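As an added example (not from the deck), the two measurements behind the detections-per-threat chart and the fragmentation matrix, computed over three constructed vendor URL feeds: how many feeds list each indicator, the share of single-source indicators, and the overlap matrix. The matrix assumes each cell is the percentage of the row vendor's indicators that also appear in the column vendor's feed; that reading, the vendor names and the feed contents are all assumptions.

```python
from collections import Counter
from itertools import product

# Constructed sample URL feeds for three vendors (not real indicators).
FEEDS = {
    "Vendor 1": {"http://a.example/x", "http://b.example/y",
                 "http://c.example/z", "http://d.example/w"},
    "Vendor 2": {"http://a.example/x", "http://e.example/v"},
    "Vendor 3": {"http://a.example/x", "http://f.example/u", "http://g.example/t"},
}

def detections_per_indicator(feeds):
    """How many feeds list each indicator (the 'engines' count of the histogram)."""
    counts = Counter()
    for indicators in feeds.values():
        counts.update(indicators)
    return counts

def detection_histogram(feeds):
    """Number of indicators detected by exactly k feeds, for k = 1..len(feeds)."""
    per_k = Counter(detections_per_indicator(feeds).values())
    return {k: per_k.get(k, 0) for k in range(1, len(feeds) + 1)}

def single_source_share(feeds):
    """Fraction of all indicators that only one feed reports."""
    counts = detections_per_indicator(feeds)
    return sum(1 for c in counts.values() if c == 1) / len(counts)

def overlap_matrix(feeds):
    """Assumed reading of the fragmentation matrix: cell (row, col) is the percentage
    of the row feed's indicators that also appear in the column feed, |row & col| / |row|."""
    matrix = {}
    for row, col in product(feeds, repeat=2):
        shared = len(feeds[row] & feeds[col])
        matrix[(row, col)] = 100.0 * shared / len(feeds[row]) if feeds[row] else 0.0
    return matrix

def format_matrix(feeds):
    """Render the overlap matrix as aligned text, like the slide."""
    matrix, names = overlap_matrix(feeds), list(feeds)
    lines = ["{:>10}".format("") + "".join("{:>10}".format(n) for n in names)]
    for row in names:
        lines.append("{:>10}".format(row) + "".join(
            "{:>9.2f}%".format(matrix[(row, col)]) for col in names))
    return "\n".join(lines)

if __name__ == "__main__":
    print(detection_histogram(FEEDS))
    print(format_matrix(FEEDS))
```

The asymmetry of the real slide (Vendor 1 vs Vendor 2: 1.40% one way, 0.66% the other) falls out of the row normalisation when the feeds differ in size.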
Context Fragmentation
[Matrix of context fields by vendor (Vendor 1 through Vendor 10). Rows: Domain, URL, IP, Category, Risk Score, Last Seen, Malware Name, File Hash, Hash Type, ASN, Country. Legend: Available / Derived / Not available. The per-cell values were shown graphically and do not survive in the text.]
IP Addresses and URLs are great, but what about Mobile Application Reputation?
Some challenges & opportunities for addressing mobile application threats
Anti-virus Application
  + See all traffic
  - Most subscribers don't have AV
App Store Protection
  + Centralized protection for a specific App Store
  - Misses app downloads from alternative App Stores
Mobile Networks
  + Opportunity to protect downloads from all app stores
  + Can protect users that don't have AV
Identify Mobile Application Downloads….
~ Billion events
  -> ~15,000 APK downloads
  -> from ~600 unique URLs
  -> Risky APKs
…and Associate APK reputations with URLs
We tried downloading some APKs (~36) and scanning them with Norton Security & Antivirus for Android, with the following results:
Available Context
• Package Name
• Security Score
• Threat Category
• APK risks (Location, AdLibrary, device information)
• Destination of leaked information
• Battery impact
• Network impact
• First Seen (Application, Application Signer)
• More
[Pie chart of the scan results over the ~36 APKs: segments labelled Malicious, Not Malicious and Greyware, with values 5%, 42% and 53%; the text does not preserve which value belongs to which label.]
Symantec Mobile Insight Metrics (Norton Mobile Insight)
747,109 signers (publishers)
Majority of bad actors: Russia, China
Stores crawled continuously: 200+
Threat Intelligence Requirements: 7 Cs
Coverage: broad coverage of threats increases the likelihood of identifying malicious events.
Criticality: identify the highest-impact threats.
Confidence: understanding the confidence level helps prioritize threats and reduce false positives.
Context: understanding context can help prioritize threats and accelerate investigations.
Current: threats change rapidly, so intelligence needs to be current.
Customization: ability for companies to add specific threats and adjust weightings to fit their specific situation.
Convenience: simplifying the aggregation, enhancement and application of threat intelligence.
Our Approach to Enhanced Threat Intelligence
Flow: Threat Intelligence (sources) -> Guavus (Enhancement & Normalization) -> Customer
Threat Summary
Enhanced Threat Feed: Domain, URL, IP Address, Threat Name, APK Enhancement, Threat Category, Risk Score
Research / Investigation: Full Description, Trending, Geography, Associated IPs, Associated URLs, Associated Threat Names
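The Enhancement & Normalization step, as an added example (not Guavus code): three constructed vendor records with different field names and risk-score scales are mapped onto the enhanced-feed fields, merged on domain, and tagged with which fields a vendor supplied versus which were derived (the Available / Derived distinction of the context-fragmentation slide). The vendor key names, score scales and records are all assumptions.

```python
from urllib.parse import urlsplit

FIELDS = ("domain", "url", "ip", "threat_name", "category", "risk_score")
# Assumed vendor-specific key names and risk-score scales (constructed, not real schemas).
VENDOR_KEYS = {
    "Vendor 1": {"url": "url", "category": "category", "risk_score": "score"},        # score 0-100
    "Vendor 2": {"url": "url", "threat_name": "threat", "risk_score": "risk"},         # risk 0-5
    "Vendor 3": {"domain": "domain", "category": "category", "risk_score": "score"},  # score 0-1
}
SCALES = {"Vendor 1": 100.0, "Vendor 2": 5.0, "Vendor 3": 1.0}

# Constructed sample records, one per vendor (not real indicators).
RAW = [
    {"vendor": "Vendor 1", "url": "http://bad.example/dl/app.apk", "category": "Malware", "score": 90},
    {"vendor": "Vendor 2", "url": "http://BAD.example/dl/app.apk?x=1", "threat": "Android.Trojan", "risk": 4.0},
    {"vendor": "Vendor 3", "domain": "evil.example", "category": "Phishing", "score": 0.8},
]

def normalize(rec):
    """Map one vendor record onto the common fields; remember which fields the vendor supplied."""
    vendor = rec["vendor"]
    out = {f: None for f in FIELDS}
    for field, key in VENDOR_KEYS[vendor].items():
        if key in rec:
            out[field] = rec[key]
    out["available"] = {f for f in FIELDS if out[f] is not None}
    if out["risk_score"] is not None:
        out["risk_score"] = round(100.0 * out["risk_score"] / SCALES[vendor])  # normalise to 0-100
    if out["domain"] is None and out["url"]:
        out["domain"] = urlsplit(out["url"]).hostname  # derived: deliberately not in 'available'
    out["sources"] = [vendor]
    return out

def merge(records):
    """Merge on domain (falling back to URL or IP): max risk score, union of sources and fields."""
    merged = {}
    for rec in records:
        key = rec["domain"] or rec["url"] or rec["ip"]
        cur = merged.setdefault(key, rec)
        if cur is rec:
            continue
        for f in ("url", "ip", "threat_name", "category"):
            cur[f] = cur[f] if cur[f] is not None else rec[f]
        if rec["risk_score"] is not None:
            cur["risk_score"] = max(cur["risk_score"] or 0, rec["risk_score"])
        cur["available"] |= rec["available"]
        cur["sources"] = sorted(set(cur["sources"]) | set(rec["sources"]))
    return merged

def derived_fields(rec):
    """Fields populated by enhancement rather than supplied by any source vendor."""
    return sorted(f for f in FIELDS if rec[f] is not None and f not in rec["available"])

def enhanced_feed(raw):
    return merge(normalize(r) for r in raw)
```

The length of `sources` on each merged record is the multi-vendor confidence signal the 7 Cs slide asks for, and `derived_fields` makes clear when a field such as the domain came from the enhancement step rather than from a vendor.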
How can Service Providers Utilize ETI?
Network Data Analytics Platform
  Data sources: DPI, Netflow, Other
  Enhanced Threat Intelligence Feed: URL Rep, IP Rep, App Rep
  Use Cases: Threat Detection, Threat Prioritization, Threat Investigation
Contact: Neil King [email protected] www.linkedin.com/pub/neil-king/0/871/3a8/
Thanks for your time