Enhanced Threat Intelligence for SPs v3

Guavus Confidential – Do Not Distribute © 2013 Guavus, Inc. All rights reserved.

ENHANCED THREAT INTELLIGENCE

May 14, 2014

Neil King, VP Security Analytics


TRANSCRIPT

Page 1: Enhanced Threat Intelligence

May 14, 2014

Neil King, VP Security Analytics

Page 2: Threat Intelligence Landscape: Wild West

Page 3: Threat Intelligence Taxonomy

Threat Category: Botnet, Malware, Phishing, Mobile, Policy-based, Vulnerabilities

Threat Entity: IP Address, Domain, URL, File, Application

Providers: Anti-virus, Network Security, Threat Intelligence Specialists, Non-commercial

Delivery: Blocklists, Reports, News/Blogs

Page 4: URL Feed Comparison

Among the VirusTotal URL feeds there is little overlap across threat feeds.

Page 5: Number of Detections per Threat

A majority of threats are detected by 1-2 engines

[Bar chart: number of threats (y-axis, 0 to 450,000) against the number of engines detecting each threat (x-axis: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11+)]

Page 6: Detection Fragmentation – Full Feeds

Pairwise overlap between vendor feeds (%), row vendor against column vendor; note that the matrix is not symmetric:

              V1      V2      V3      V4      V5      V6      V7      V8      V9     V10
Vendor 1    100%   1.40%   0.30%   0.13%  16.33%   6.27%  10.83%   7.57%   0.03%  45.50%
Vendor 2   0.66%    100%      0%  51.33%  34.89%  40.87%   0.03%   3.50%   1.79%  40.27%
Vendor 3   0.00%      0%    100%      0%      0%   0.01%      0%   0.32%   0.03%   0.01%
Vendor 4   0.05%   9.89%      0%    100%   0.02%  11.90%      0%      0%   0.07%   0.57%
Vendor 5  21.40%   0.74%      0%   0.05%    100%   2.42%   9.35%   7.07%   0.09%  27.07%
Vendor 6   0.35%   0.89%   0.06%   1.62%   0.30%    100%   0.19%   1.34%   0.38%   2.31%
Vendor 7   4.97%   0.03%      0%      0%   4.97%   0.20%    100%   0.03%      0%  26.60%
Vendor 8   0.06%   0.07%   0.27%      0%   0.23%   0.35%   0.00%    100%   0.06%   0.64%
Vendor 9   0.26%   1.99%   0.17%   0.26%   0.26%   2.95%      0%   3.38%    100%   2.86%
Vendor 10  9.93%   0.99%   0.03%   0.25%  10.11%   4.55%   6.17%   5.40%   0.24%    100%
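The two measurements behind slides 5 and 6, the per-threat detection count and the pairwise feed overlap matrix, as an added example that is not part of the deck. The three feeds are constructed sample sets of URL indicators, and row normalisation (percent of the row vendor's feed also listed by the column vendor) is an assumption about how the slide's matrix was computed.

```python
"""Per-threat detection counts (slide 5) and a feed overlap matrix (slide 6)."""
from collections import Counter

# Constructed sample feeds: vendor -> set of URL indicators it lists.
FEEDS = {
    "Vendor 1": {"http://a.example/x", "http://b.example/y",
                 "http://c.example/z", "http://d.example/w"},
    "Vendor 2": {"http://a.example/x", "http://e.example/v"},
    "Vendor 3": {"http://f.example/u"},
}


def detection_histogram(feeds):
    """Map k -> number of indicators listed by exactly k feeds (slide 5's bar chart)."""
    per_indicator = Counter()
    for urls in feeds.values():
        per_indicator.update(urls)          # one count per feed listing the URL
    return dict(Counter(per_indicator.values()))


def single_source_share(feeds):
    """Fraction of all indicators that only one feed lists."""
    hist = detection_histogram(feeds)
    total = sum(hist.values())
    return hist.get(1, 0) / total if total else 0.0


def overlap_matrix(feeds):
    """Percent of the row vendor's indicators also listed by the column vendor.

    Row normalisation is an assumption about how slide 6 was computed; it does
    reproduce the slide's asymmetry: a small feed can sit almost entirely inside
    a large one while the large feed barely overlaps the small one.
    """
    matrix = {}
    for row, row_urls in feeds.items():
        matrix[row] = {}
        for col, col_urls in feeds.items():
            shared = len(row_urls & col_urls)
            pct = 100.0 * shared / len(row_urls) if row_urls else 0.0
            matrix[row][col] = round(pct, 2)
    return matrix


if __name__ == "__main__":
    print(detection_histogram(FEEDS))            # {2: 1, 1: 5}
    print(round(single_source_share(FEEDS), 3))  # 0.833
    for row, cols in overlap_matrix(FEEDS).items():
        print(row, cols)
```

Replacing FEEDS with your own vendors' blocklists gives the same two views of your feed portfolio, which is the quickest way to see whether a new feed adds coverage or merely duplicates one you already pay for.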

Page 7: Context Fragmentation

[Table: for each of Vendor 1 through Vendor 10, whether each context field is Available, Derived, or Not available. Fields: Domain, URL, IP, Category, Risk Score, Last Seen, Malware Name, File Hash, Hash Type, ASN, Country. The per-cell markers did not survive extraction.]

Legend: Available / Derived / Not available

Page 8: IP Addresses and URLs are great, but what about Mobile Application Reputation?

Page 9: Some challenges & opportunities for addressing mobile application threats

Anti-virus Application
+ Sees all traffic
- Most subscribers don't have AV

App Store Protection
+ Centralized protection for a specific App Store
- Misses app downloads from alternative App Stores

Mobile Networks
+ Opportunity to protect downloads from all app stores
+ Can protect users that don't have AV

Page 10: Identify Mobile Application Downloads…

~ Billion events

~15,000 APK downloads

From ~600 unique URLs

Risky APKs

Page 11: …and Associate APK Reputations with URLs

We tried downloading some APKs (~36) and scanning them with Norton Security & Antivirus for Android, with the following results:

Available Context

•  Package Name

•  Security Score

•  Threat Category

•  APK risks (Location, AdLibrary, device information)

•  Destination of leaked information

•  Battery impact

•  Network impact

•  First Seen (Application, Application Signer)

•  More

[Pie chart: scanned APKs classified as Malicious, Not Malicious, or Greyware; segments of 5%, 42% and 53% (the label-to-segment mapping did not survive extraction)]

Page 12: Symantec Mobile Insight Metrics

Norton Mobile Insight

747,109 Signers (Publishers)

Majority of Bad Actors: Russia, China

Stores Crawled Continuously: 200+

Page 13: Threat Intelligence Requirements: 7 Cs

Coverage: Broad coverage of threats increases the likelihood of identifying malicious events

Criticality: Identify the highest-impact threats

Confidence: Understanding the confidence level helps prioritize threats and reduce false positives

Context: Understanding context can help prioritize threats and accelerate investigations

Current: Threats change rapidly, so intelligence needs to be current

Customization: Ability for companies to add specific threats and adjust weightings to apply to their specific situation

Convenience: Simplifying the aggregation, enhancement and application of threat intelligence

Page 14: Our Approach to Enhanced Threat Intelligence

Diagram columns: Threat Intelligence, Guavus, Customer

Threat Summary

Enhancement & Normalization

Enhanced Threat Feed: Domain, URL, IP Address, Threat Name, APK Enhancement, Threat Category, Risk Score

Research / Investigation: Full Description, Trending, Geography, Associated IPs, Associated URLs, Associated Threat Names
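What "Enhancement & Normalization" amounts to for one threat, as an added example that is not Guavus code: two constructed vendor records in different schemas are merged into a record with the enhanced-feed fields from this slide, each field is tagged Available / Derived / Not available as on slide 7, and the risk score is built from customer-tunable vendor weights (slide 13). The vendor field names, the 0-100 scale and the weights are assumptions.

```python
"""Normalise two vendor records into one enhanced-feed record (slides 7, 13, 14)."""
from urllib.parse import urlsplit

ENHANCED_FIELDS = ("domain", "url", "ip_address", "threat_name", "threat_category", "risk_score")

# Constructed records describing one threat in two assumed vendor schemas.
VENDOR_RECORDS = {
    "Vendor A": {"url": "http://bad.example/dl/app.apk", "malware": "Fake.Installer",
                 "category": "Malware", "score": 80},
    "Vendor B": {"ip": "203.0.113.7", "family": "Fake.Installer", "confidence": 0.6},
}
# How each vendor's field names map onto the enhanced-feed fields.
FIELD_MAP = {
    "Vendor A": {"url": "url", "malware": "threat_name", "category": "threat_category"},
    "Vendor B": {"ip": "ip_address", "family": "threat_name"},
}
# Per-vendor weights a customer can tune (slide 13, 'Customization').
VENDOR_WEIGHTS = {"Vendor A": 1.0, "Vendor B": 0.5}


def vendor_score(rec):
    """Put each vendor's scale onto 0-100 (assumed: 'score' 0-100, 'confidence' 0-1)."""
    if "score" in rec:
        return float(rec["score"])
    if "confidence" in rec:
        return 100.0 * float(rec["confidence"])
    return None


def enhance(records, weights):
    """Merge records and tag each field available / derived / not available (slide 7)."""
    enhanced = {f: None for f in ENHANCED_FIELDS}
    source = {f: "not available" for f in ENHANCED_FIELDS}
    scores = []
    for vendor, rec in records.items():
        for raw, field in FIELD_MAP[vendor].items():
            if raw in rec and enhanced[field] is None:   # first vendor to supply it wins
                enhanced[field], source[field] = rec[raw], "available"
        s = vendor_score(rec)
        if s is not None:
            scores.append(weights.get(vendor, 1.0) * s)
    if enhanced["domain"] is None and enhanced["url"]:
        enhanced["domain"] = urlsplit(enhanced["url"]).hostname   # derived from the URL
        source["domain"] = "derived"
    if scores:
        # Highest weighted score decides; agreeing vendors add a quarter of their
        # weighted scores on top, capped at 100.
        top = max(scores)
        enhanced["risk_score"] = min(100.0, top + 0.25 * (sum(scores) - top))
        source["risk_score"] = "derived"
    return enhanced, source
```

With the sample records, `enhance(VENDOR_RECORDS, VENDOR_WEIGHTS)` yields a domain derived from Vendor A's URL, an IP available only from Vendor B, and a risk score of 87.5 (Vendor A's 80 plus a quarter of Vendor B's weighted 30).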

Page 15: How can Service Providers Utilize ETI?

Network Data Analytics Platform

Data sources: DPI, Netflow, Other

Enhanced Threat Intelligence Feed: URL Rep, IP Rep, App Rep

Use Cases: Threat Detection, Threat Prioritization, Threat Investigation

Page 16

Contact: Neil King [email protected] www.linkedin.com/pub/neil-king/0/871/3a8/

Thanks for your time