Threat Response – Incident Response

Hans Irlacher, Manager Presales Engineering CEMEA

[email protected]

Copyright © 2015 Proofpoint, Inc. All Rights Reserved.

Proofpoint Portfolio: Detect, Block, Respond

• Protection: Proofpoint Protection Server, best-in-class email protection
• TAP: detects targeted, polymorphic and zero-day attacks
• Threat Response: comprehensive incident handling and rapid response

Business and Legal Consequences

Sources cited on the slide:

CSO Online, Dec. 15, 2014

InfoSecurity, Jan. 16, 2015

The Cost of Malware Containment, Ponemon Institute, January 2015

The Importance of a Fast Response

Figures shown on the slide: 46% and 70%

Source: Ponemon Institute & Verizon Data Breach Report: http://blog.turner-associates.com/cyber-security-data-breaches-checklist/

The "New" Detection Problem

Three alerts from three different tools, each with its own fields and severity scale:

Advanced Malware Detection
    Source          Destination      Severity
    192.168.10.13   8.8.8.8          High

SIEM
    Source          Destination      Type
    10.10.10.213    192.168.10.114   Anomaly

IPS
    Source          Destination      Severity
    10.10.10.123    192.168.10.114   High

What now? Security Operations

1. Which alert is the most important?
2. How do I get more information in context?
3. How do I confirm an infection (without a false positive)?
4. How can I protect and contain quickly?
5. How can I measure my own effectiveness?

Incident Response Challenge: With Only Sparse Data, Alerts Cannot Be Handled

Diagram (Security Operations: losses plotted against time) with these stages and questions:

• Security alerts
• Aggregate data
• Threat investigation: Who was attacked? What kind of attack is it? Where is the attack coming from?
• Threat verification
• Contain threat & reimage

The "Usual" Incident Response Process

Diagram: Infection → Detection → Remediation, with the analyst moving between the following systems and decision points:

Systems consulted: security alert source, DHCP server, domain controller / AD server, phonebook/directory, intelligence/reputation, Geo IP service, Whois, Virus Total, forensic collection/analysis, email console(s), AD console(s), FW/Proxy console(s), ticketing system, incident management, change control, meeting scheduler

Decision points: High value targets? High value/severe threats? Confirm infection? Quarantine/Contain?

Incident Response Should Be Simple

Diagram: a central dashboard answers "High value target?" and "Endpoint infected?", consolidates the information, and drives quarantine & remediation.

Proofpoint Threat Response Virtual Appliance

• Understand: automated
• Verify: end-to-end
• Remediate: immediate
• Custom events and more...

Threat Response Use Case

Flow: Security alert → Update Threat Response → AD (user context) → IOC verification (IP reputation, Geolocation, WhoIS, Virus Total) → Additional threat context

Add (user context):
• Username
• Infection history
• Group
• Local information
• Local IP

IOC verification:
• Malicious file check
• IP/Domain reputation
• Geo-location
• CNC server check
• Incident assignment

Contain and remediate:
• Put user in "penalty box"
• Update firewalls/proxies
• Quarantine email
• Create audit trail
• Manage IP lifecycle

Example incident as shown on the slide:

Threat verified
    Network connections: Yes
    Registry changes: Yes
    File changes: Yes
    Mutexes: Yes

User context
    Email: [email protected]
    AD User: Josephsmith
    Group: Finance
    User phone: 650-555-1234
    System IP: 56.188.13.218
    Attacker IP: 10.10.10.253
    Location: Fargo, ND

Threat context
    Sender IP: Known bad actor
    Known malware?: Trojan.Zbot.X
    New domain?: Yes
    Domain reputation?: Neutral
    CNC list?: Y
    Country?: N. Korea
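As an added illustration of the enrich → verify → prioritize → respond flow this slide describes, the script below runs one alert through those four steps using the slide's example values. It is not Proofpoint Threat Response code: the AD directory, reputation feeds, forensic results, the message ID, the sample hash, the e-mail address, the field names and the score weights are all constructed assumptions, embedded inline so the script runs offline.

```python
"""Alert enrichment, forensic verification, scoring and response decision
for one security alert.  Added example for this page, not Proofpoint code.
All lookup tables are constructed sample data; every name is an assumption."""
from dataclasses import dataclass, field

# Constructed stand-ins for the AD directory, reputation feeds and endpoint forensics.
AD_BY_IP = {
    "56.188.13.218": {"user": "Josephsmith", "email": "joseph.smith@example.com",
                      "group": "Finance", "phone": "650-555-1234", "location": "Fargo, ND"},
}
IP_REPUTATION = {"10.10.10.253": {"known_bad": True, "cnc_list": True, "country": "N. Korea"}}
MALWARE_BY_HASH = {"sha256:constructed-sample-hash": "Trojan.Zbot.X"}
DOMAIN_REPUTATION = {"sender.example": {"new_domain": True, "reputation": "Neutral"}}
FORENSICS_BY_HOST = {
    "56.188.13.218": {"network_connections": True, "registry_changes": True,
                      "file_changes": True, "mutexes": True},
    "10.0.0.7": {"network_connections": True, "registry_changes": False,
                 "file_changes": False, "mutexes": False},
}
INFECTION_HISTORY = {"Josephsmith": 1}          # prior incidents per AD user
HIGH_VALUE_GROUPS = {"Finance", "Executives", "Domain Admins"}
INDICATOR_CLASSES = ("network_connections", "registry_changes", "file_changes", "mutexes")


@dataclass
class Incident:
    alert: dict
    user: dict = field(default_factory=dict)
    ioc: dict = field(default_factory=dict)
    forensic_matches: int = 0
    verified: bool = False
    score: int = 0
    severity: str = "Low"
    actions: list = field(default_factory=list)


def enrich(alert):
    """Step 1 (Add): attach AD user context and IOC reputation data to the raw alert."""
    inc = Incident(alert=alert)
    inc.user = dict(AD_BY_IP.get(alert["system_ip"], {}))   # copy, never mutate the directory
    inc.user["infection_history"] = INFECTION_HISTORY.get(inc.user.get("user"), 0)
    rep = IP_REPUTATION.get(alert["attacker_ip"], {})
    dom = DOMAIN_REPUTATION.get(alert.get("sender_domain", ""), {})
    inc.ioc = {
        "known_malware": MALWARE_BY_HASH.get(alert.get("file_hash")),
        "attacker_known_bad": rep.get("known_bad", False),
        "cnc_list": rep.get("cnc_list", False),
        "country": rep.get("country", "unknown"),
        "new_domain": dom.get("new_domain", False),
        "domain_reputation": dom.get("reputation", "unknown"),
    }
    return inc


def verify(inc, threshold=3):
    """Step 2 (Verify): count the indicator classes the endpoint forensics confirm.
    The alert counts as a confirmed infection only when at least `threshold`
    of the four classes match, which is what keeps a lone network hit from
    being treated as an infection (the false-positive case on the slide)."""
    found = FORENSICS_BY_HOST.get(inc.alert["system_ip"], {})
    inc.forensic_matches = sum(1 for k in INDICATOR_CLASSES if found.get(k))
    inc.verified = inc.forensic_matches >= threshold
    return inc


def prioritize(inc):
    """Step 3 (Prioritize): additive threat score; weights are assumptions."""
    score = 40 if inc.verified else 10 * inc.forensic_matches
    score += 20 if inc.ioc["cnc_list"] else 0
    score += 15 if inc.ioc["known_malware"] else 0
    score += 15 if inc.user.get("group") in HIGH_VALUE_GROUPS else 0
    score += 10 if inc.user["infection_history"] > 0 else 0
    inc.score = score
    inc.severity = ("Critical" if score >= 70 else "High" if score >= 40
                    else "Medium" if score >= 20 else "Low")
    return inc


def respond(inc):
    """Step 4 (Respond): derive containment actions as a list an operator or an
    automation rule would act on; nothing here touches a real system."""
    actions = []
    if inc.verified and inc.user.get("user"):
        actions.append(f"penalty_box:{inc.user['user']}")          # isolate the user
    if inc.verified and inc.alert.get("message_id"):
        actions.append(f"quarantine_email:{inc.alert['message_id']}")
    if inc.ioc["cnc_list"] or inc.ioc["attacker_known_bad"]:
        actions.append(f"block_ip:{inc.alert['attacker_ip']}")      # FW/proxy update
    actions.append("audit_trail")                                    # always recorded
    inc.actions = actions
    return inc


def handle_alert(alert):
    """Run the full pipeline and return a summary dict."""
    inc = respond(prioritize(verify(enrich(alert))))
    return {"user": inc.user.get("user"), "group": inc.user.get("group"),
            "forensic_matches": inc.forensic_matches, "verified": inc.verified,
            "score": inc.score, "severity": inc.severity, "actions": inc.actions}


# Constructed alerts: the slide's example, and a weak alert with a single forensic hit.
ZBOT_ALERT = {"system_ip": "56.188.13.218", "attacker_ip": "10.10.10.253",
              "file_hash": "sha256:constructed-sample-hash", "sender_domain": "sender.example",
              "message_id": "<msg-1@sender.example>"}
WEAK_ALERT = {"system_ip": "10.0.0.7", "attacker_ip": "203.0.113.9"}

if __name__ == "__main__":
    for a in (ZBOT_ALERT, WEAK_ALERT):
        print(handle_alert(a))
```

The slide's example reaches the highest score and a full containment list (user isolation, email quarantine, attacker IP block, audit trail); the weak alert, with one forensic indicator and no reputation hits, stays unverified and produces only an audit-trail entry, which is the "confirm before you contain" behaviour the slide's process is built around.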


Threat Response with TAP Attachment Defense (AD)

1. The message is delivered directly to the user. At the same time, a copy is analyzed inside the sandbox (Proofpoint TAP / TAP AD).
2. TAP alerts are sent to PTR (Threat Response). PTR connects directly to Exchange (O365) and automatically moves the message into quarantine (Exchange/O365 Quarantine).

SIEM + Threat Response

Diagram: Logs, Alerts and Events → SIEM → Threat Response → Security Analysts

• Incident context
• Forensic data collection
• Infection verification
• Past infection checking
• Threat scoring
• Incident/User/IP history
• Incident assignment
• User isolation
• Network containment
• Email quarantine

Threat Response Closes the Gap

Detection (TAP) → Investigation → Verify → Prioritize → Respond

Customer Benefits

Threat Response accelerates the process:
• Understanding and prioritizing threats
• Confirming infections (comparison of forensic information)
• Responding to threats (FW/Proxy/AD integration)

Business benefits:
• Cuts investigation time by > 50%
• Up to 20x faster response
• Reduces strain and risk while requiring less work

Protection Platform Powered by Big Data

PROOFPOINT PLATFORM: EMAIL PROTECTION, ADVANCED THREAT PROTECTION/RESPONSE, INFORMATION PROTECTION, SOCIAL MEDIA PROTECTION, ARCHIVING + COMPLIANCE, BIG DATA ANALYTICS

DEMO

Understand: Who, What, Where

• What is the threat
• Who is the target
• Where is the attack coming from

Target information:
• User
• Phone
• Department
• Special groups
• Location
• … more

Incident history

Drill down available, one click away

Verify: Confirm Infection via Forensics

• Infection confidence
• Summary of forensics found vs. reported
• Forensic matches
• Past infection check

Contain: Quarantine and Contain Identities and Hosts

• Attacker and CNC data drill down
• At-a-glance geo-location

Automatic IP blocking lifecycle

Push-button or automatic protection

Contain: Email Quarantine, Automated or Manual

Push-button or automatic quarantine after email is delivered

Customizable Reports with Built-in & Custom Reports and Views

Incidents by Department
