unmask anonymous attackers with advanced threat intelligence webinar 6.29 final (1)
Unmask Anonymous Attackers with Advanced Threat Intelligence
June 29, 2016
Copyright SecureAuth Corporation 2016
Today’s Speakers
STEPHEN COX, Chief Security Architect, SecureAuth
ANDRAS CSER, VP, Principal Analyst, Forrester Research, Security & Risk
Webinar Housekeeping
+ All attendee audio lines are muted
+ Submit questions via Q&A panel at any time
+ Questions will be answered during Q&A at the end of the presentation
+ Slides and recording will be sent later this week
+ Contact us at [email protected]
June 29, 2016
Unmask Anonymous Attackers with Advanced Threat Intelligence
Andras Cser, VP & Principal Analyst
© 2016 Forrester Research, Inc. Reproduction Prohibited
Identity Management
Data Protection
Fraud Management
Identity Intelligence
Sea of Data Breaches
Gulf of Security Fiascos
Tropic of Compliance
Cyber threat involves compromised identities and passwords
Data breaches are a huge problem
Forrester estimates that 80% of all data breaches involve misuse of administrative and shared account privileges
Mitigate outsider attacks
API management is a must
Requires behavioral analysis
Network forensics are inadequate and slow
Mobile Threats Are Difficult To Detect
› Business has a higher tolerance for mobile fraud
› IP addresses change frequently
› Old MITB detection techniques do not work
› 3DSecure was not designed for mobile devices
› Legacy tools can’t cope with real-time device and location data
Ensure Security using Layered Controls
Encryption at Cloud Vendor/Cloud Service Provider
Encryption in Transit
DLP on Premise and in the Cloud
Identity Context
Encryption on Premise
Risk Assessment
Discovery and Tagging
Identity Centric Data Protection
How IAM can help
Machine learning
Advanced Threat Intel
Identity and access management
Understand normal data usage patterns
Certify access to data assets
Understand normalcy and anomalies in access using patterns
Identity intelligence
How Web SSO supports ATI
› Account takeover threatens data (internal and external)
› Single Sign On reduces password vulnerability
› Single source access policy management and enforcement and audit
How Risk Based Authentication Supports ATI
› We need to move away from passwords – without inconveniencing users (too much ☺)
› Adding new attributes to the authentication process (mobile device location, fingerprint, sensor data, etc.)
› B2C but also B2B and B2E
› This is where the convergence with ATI and Payment fraud happens primarily
Risk Based Authentication is a must
Need to support Risk Based Authentication to minimize user friction
Authentication Context: IP address, User identity, Time of Day, Session speed, Device fingerprint
Risk score
Authenticator: Mobile token, Biometrics, Behavioral biometrics, SMS/Email token, Security Q&A
How Identity Management and Governance Supports ATI
› Avoid over-privileging users right from the start
› Understand who has access to what and why *before* breaches happen
› Enforce Separation of Duties for apps and data
› Provide visibility into attestation decision making for the reviewer *before* they approve (avoid rubber-stamping of attestation)
› B2E, B2B but increasingly B2C as well
Forrester’s Predictions
› Need for Analytics and Prediction in ATI
› IAM context for ATI is of paramount importance
› Bring in network activity, device data, IP geolocation
› Reduce rubber-stamping and fatigue with investigations
Forrester’s Predictions
› Use machine learning and analytics to identify outliers and high-risk users
› Risk Based and Continuous Authentication will take off
› Provide real-time visibility and drill-down to data
› Secure your critical data, infrastructure and application assets across Enterprise and Cloud
Source: http://www.flickr.com/photos/dgonzal111139/7105647869/sizes/l/in/photostream/
Unmasking Anonymous Attackers with Advanced Threat Intelligence
Stephen Cox, Chief Security Architect, SecureAuth
The Modern Attacker
+ Heavy use of stolen credentials
  – May not even need malware
  – Credentials are easy to acquire
+ Approach with anonymity
  – TOR, VPN, “home grown” anonymity services
  – May combine approaches
+ Very difficult to detect once in
The Attack Lifecycle
Initial Penetration
Establish Foothold
Escalate Privileges
Complete Mission
Lateral Movement
Network Security
Endpoint Security
Endpoint Security
Identity Security
Endpoint Security
Identity Security
Endpoint Security
Identity Security
Network Security
Identity Security
Anonymity Explained
+ Attackers want to conceal their source (and true identity)
+ Achieved through the use of anonymity networks
+ Can be leveraged at many points in the attack lifecycle
The Onion Router (Tor)
+ Public anonymity network
+ Low barrier to entry
+ Has legitimate uses
+ Also a center of cybercrime
The Infrastructure of APT1
+ Threat group discovered and tracked by Mandiant
+ Mandiant released report on them in 2013
+ Follow-on research pointed at heavy use of anonymity
+ Achieved by compromising a large number of machines and using software known as HTRAN
The Terra Cotta VPN Network
+ Discovered by RSA FirstWatch threat research team
+ Large network of compromised machines
+ Used to achieve anonymity at a large scale
SecureAuth Threat Service
Combining Threat Intelligence and Threat Information for Best-in-Class Security
Cyber Crime
Hacktivism
Anonymous Proxy
Advanced Persistent Threat (APT)
Device Recognition
Threat Service
Identity Store Lookup
Geo-Location
Geo-Velocity
Behavioral Biometrics
Threat Intelligence
Threat Information
Black/White Lists
Allow Access
Require MFA
Redirect
Deny Access
• Identify & stop attackers, even with valid credentials
• No User Experience Impact - only present MFA when needed
• Easily integrate with existing infrastructure in hours
Identity as a Perimeter
The Value of Alerting on Identity
+ Why send more to the SIEM?
+ Adaptive authentication data and associated alerts are high fidelity
+ Risk based alerting identifies deliberate actions that may be suspicious and warrant investigation
+ Proactive alerting includes observing identities and systems
Identity Data is The Key
+ Detecting attackers operating with legitimate credentials is challenging
+ Security policies must shift focus to stolen credentials and lateral movement
+ Adaptive authentication data can fill this blind spot
+ Correlation pulls together events and pinpoints incidents
Source: 2016 Mandiant M-Trends® Report
Thank You! secureauth.com/threat-service