Threat Response – Incident Response
Hans Irlacher Manager Presales Engineering CEMEA
[email protected]
Copyright © 2015 Proofpoint, Inc. All Rights Reserved.
Proofpoint Portfolio
• Detect: TAP detects targeted, polymorphic and "zero-day" attacks
• Block: Protection: Proofpoint Protection Server, best-in-class email protection
• Respond: Threat Response: comprehensive incident handling and rapid response
Business and Legal Consequences
Sources: CSO Online, Dec. 15, 2014
InfoSecurity, Jan. 16, 2015
The Cost of Malware Containment, Ponemon Institute, January 2015
The Importance of a Rapid Response
(Figure: 46%, 70%)
Source: Ponemon Institute & Verizon Data Breach Report: http://blog.turner-associates.com/cyber-security-data-breaches-checklist/
The "New" Detection Problem
Alerts from three consoles, each with its own schema:

  Console                      Source          Destination      Severity / Type
  Advanced Malware Detection   192.168.10.13   8.8.8.8          High
  SIEM                         10.10.10.213    192.168.10.114   Anomaly
  IPS                          10.10.10.123    192.168.10.114   High

What now? Security Operations
1. Which alert is the most important?
2. How do I get more information in context?
3. How do I confirm an infection (without "false positives")?
4. How can I protect and contain quickly?
5. How can I measure my own effectiveness?
Incident Response Challenge: with only a few data points, alerts are unmanageable
(Diagram: security alerts enter Security Operations, which must aggregate data, investigate the threat (Who was attacked? What kind of attack is it? Where does the attack come from?), verify the threat, and contain the threat & reimage; losses grow with time.)
The "Usual" Incident Response Process: Infection -> Detection -> Remediation
(Diagram of the consoles and systems an analyst touches along the way:)
• Security alert source
• High value targets? DHCP server, Domain Controller / AD server, phonebook/directory
• High value/severe threats? Intelligence/reputation: Geo IP service, Whois, Virus Total
• Confirm infection? Forensic collection/analysis
• Quarantine/contain? Email console(s), AD console(s), FW/Proxy console(s)
• Also involved: ticketing system, incident management, change control, meeting scheduler
Incident Response Should Be Simple
• High value target? Endpoint infected?
• Central dashboard
• Consolidate information
• Quarantine & remediate
Proofpoint Threat Response Virtual Appliance
• Understand: automated
• Verify: end-to-end
• Remediate: immediately
• Custom events and more...
Threat Response Use Case
Security alert -> update Threat Response -> add context:
• User context (from AD): username, infection history, group, local information, local IP
• Additional threat context (IP reputation, geolocation, WhoIS, Virus Total): malicious file check, IP/domain reputation, geo-location, CNC server check, incident assignment
• Response: put user in "penalty box", update firewalls/proxies, quarantine email, create audit trail, manage IP lifecycle

IOC verification - threat verified:
  Network connections: Yes   Registry changes: Yes   File changes: Yes   Mutexes: Yes

User context:
  Email: [email protected]   AD user: Josephsmith   Group: Finance   User phone: 650-555-1234
  System IP: 56.188.13.218   Attacker IP: 10.10.10.253   Location: Fargo, ND

Threat context:
  Sender IP: Known bad actor   Known malware?: Trojan.Zbot.X   New domain?: Yes
  Domain reputation?: Neutral   CNC list?: Y   Country?: N. Korea
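An added example (not Proofpoint code) of the triage workflow this use case describes, which also serves the three-console alert table under "The 'New' Detection Problem": it normalises the consoles' differing severity vocabularies, enriches each alert with directory and reputation context, verifies the reported IOCs against host forensics, and derives containment actions only for verified infections. Every context source in the block (directory, reputation list, CNC list, IOC sets) is a constructed stand-in.

```python
# Added example, not Proofpoint code: alert triage modelled on the use case above.
# Every context source below (directory, reputation, CNC list, IOCs) is constructed.
from dataclasses import dataclass

@dataclass
class Alert:
    console: str   # "AMD", "SIEM", "IPS": the console that raised the alert
    src_ip: str
    dst_ip: str
    rating: str    # each console's own vocabulary: "High", "Anomaly", ...

# Normalise the consoles' differing severity vocabularies to one scale.
SEVERITY = {"high": 3, "anomaly": 2, "medium": 2, "low": 1}
# Constructed context: which internal hosts belong to which users and groups.
DIRECTORY = {"192.168.10.13": {"user": "josephsmith", "group": "Finance"},
             "192.168.10.114": {"user": "svc-backup", "group": "IT"}}
HIGH_VALUE_GROUPS = {"Finance", "Executives"}
REPUTATION = {"8.8.8.8": "Neutral", "10.10.10.123": "Known bad actor"}
CNC_LIST = {"10.10.10.123"}
# IOCs the sandbox reported for a remote host vs. what host forensics found.
REPORTED_IOCS = {"10.10.10.123": {"network", "registry", "file", "mutex"}}
HOST_FORENSICS = {"192.168.10.114": {"network", "registry", "file", "mutex"},
                  "192.168.10.13": set()}

def triage(alert):
    """Return (score, verified, actions): Understand -> Verify -> Prioritise -> Contain."""
    # Understand: the directory tells us which side of the flow is our endpoint.
    internal = alert.src_ip if alert.src_ip in DIRECTORY else alert.dst_ip
    remote = alert.dst_ip if internal == alert.src_ip else alert.src_ip
    user = DIRECTORY.get(internal, {})
    # Verify: infection confidence = share of reported IOCs confirmed by host forensics.
    reported = REPORTED_IOCS.get(remote, set())
    matches = reported & HOST_FORENSICS.get(internal, set())
    confidence = len(matches) / len(reported) if reported else 0.0
    verified = confidence >= 0.75
    # Prioritise: severity + known bad actor/CNC + high-value target + verified infection.
    score = SEVERITY.get(alert.rating.lower(), 1)
    score += 2 if remote in CNC_LIST or REPUTATION.get(remote) == "Known bad actor" else 0
    score += 2 if user.get("group") in HIGH_VALUE_GROUPS else 0
    score += 3 if verified else 0
    # Contain: act only on a verified infection, never on a bare alert.
    actions = []
    if verified:
        actions += ["penalty_box:" + user.get("user", internal), "quarantine_email"]
    if remote in CNC_LIST:
        actions.append("block_ip:" + remote)
    return score, verified, actions

def prioritise(alerts):  # "Which alert is most important?": highest score first
    return sorted(alerts, key=lambda a: triage(a)[0], reverse=True)
```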
Threat Response with TAP Attachment Defense (AD)
1. Proofpoint TAP / TAP AD: the message is delivered directly to the user; at the same time a copy is analysed in the sandbox.
2. TAP alerts are sent to PTR (Proofpoint Threat Response). PTR connects directly to Exchange (O365) and moves the message into the Exchange/O365 quarantine automatically.
SIEM + Threat Response
Logs/events -> SIEM -> alerts -> Threat Response -> security analysts
Threat Response adds:
• Incident context
• Forensic data collection
• Infection verification
• Past infection checking
• Threat scoring
• Incident/user/IP history
• Incident assignment
• User isolation
• Network containment
• Email quarantine
Threat Response Closes the Gap
Detection (TAP) -> investigation -> verification -> prioritisation -> response
Customer Benefits
Threat Response accelerates the process:
• Understanding & prioritising threats
• Confirming infections (comparison of forensic information)
• Responding to threats (FW/Proxy/AD integration)
Business benefits:
• Cuts investigation time by > 50%
• Up to 20x faster response
• Reduces the burden and the risk while requiring less work
Protection Platform Powered by Big Data
Proofpoint Platform: Email Protection | Advanced Threat Protection/Response | Information Protection | Social Media Protection | Archiving + Compliance, built on Big Data Analytics
DEMO
Understand: Who, What, Where
• What is the threat
• Who is the target
• Where is the attack coming from
Target information: • User • Phone • Department • Special groups • Location • ... more
Incident history
Drill down available, one click away
Verify: Confirm Infection via Forensics
Infection confidence
Summary of forensics found vs. reported
Forensic matches
Past infection check
Contain: Quarantine and Contain Identities and Hosts
Attacker and CNC data drill down
At-a-glance geo-location
Automatic IP blocking lifecycle
Push-button or automatic protection
Contain: Email quarantine automated or manual
Push-button or automatic quarantine after email is delivered
Customizable Reports
Incidents by department
With built-in & custom reports and views