Improving Visibility Into Cyber Threats Using Security Analytics

David Yoslov
Security Engineer, DTCC
Agenda

Introduction

Evaluating the Environment

Choosing Network Capture Points Part 1 and Part 2

Malware Analysis Module

Reporting Module

Application Rules and Correlation Rules

Custom Parsers

Custom Feeds

Changing Default Settings Part 1 and Part 2

Lessons Learned

Other Recommendations

Specific Use Cases
© Copyright 2014 EMC Corporation. All rights reserved.
#RSAsummit
Introduction
• Disclaimer: All views expressed are my own and not of DTCC
• Experience with Security Analytics
• Primary Focus of Presentation
• Company Information
Evaluating the Environment
• Egress points
• Attack vectors
• Protocols used
• Usage of other security tools
• Processes
Choosing Network Capture Points Part 1
• Solicit feedback from teams on what they would like to see
• Passive tap or inline?
• Type of traffic (Web, Mail, FTP, etc.)
• Decryption of traffic
• Can have multiple concentrator/malware views with proper architecture
Choosing Network Capture Points Part 2
Malware Analysis Module
Reporting Module
• The more specific meta created, the better (within reason)
• Reference application rules
Application Rules and Correlation Rules
Application Rules
Correlation Rules
Custom Parsers
• Why are they useful?
• Customize to your environment
• How to create them
Examples:
• Email response codes
• Root email domain
• HTTP Headers
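The three parser examples on this slide, worked as stand-alone Python so the extraction logic can be tried against sample traffic. This is an added example, not a Security Analytics Lua parser and not code from the presentation: the meta key names (`smtp.response.code`, `email.root.domain`, `http.user.agent`, `http.xff.client`), the small public-suffix set and both sessions are the example's own.

```python
"""Added example: what the three custom-parser examples would extract from
an SMTP and an HTTP session. Not a Security Analytics Lua parser; the meta
key names and the sessions below are constructed for this demo."""
import re

# Constructed SMTP session (server replies start with a 3-digit code).
SMTP_SESSION = "\n".join([
    "220 mx.example.net ESMTP",
    "EHLO relay.partner-mail.co.uk",
    "250-mx.example.net",
    "250 OK",
    "MAIL FROM:<alerts@mail.partner-mail.co.uk>",
    "250 2.1.0 Sender OK",
    "RCPT TO:<nobody@example.net>",
    "550 5.1.1 User unknown",
    "QUIT",
    "221 2.0.0 Bye",
])

# Constructed HTTP request; CRLF line endings as on the wire.
HTTP_SESSION = "\r\n".join([
    "GET /update/check HTTP/1.1",
    "Host: cdn.example.org",
    "User-Agent: Mozilla/5.0 (Windows NT 6.1) Java/1.7.0_45",
    "X-Forwarded-For: 10.1.2.3, 192.0.2.7",
    "",
    "",
])

# Multi-label public suffixes handled by this demo (assumption: a production
# parser would carry the full public suffix list).
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}

SMTP_REPLY_RE = re.compile(r"^(\d{3})[ -]", re.M)
MAIL_FROM_RE = re.compile(r"^MAIL FROM:<([^>]+)>", re.M | re.I)


def smtp_response_codes(session):
    """Every distinct SMTP reply code, in order of first appearance."""
    return list(dict.fromkeys(SMTP_REPLY_RE.findall(session)))


def root_domain(hostname):
    """Registrable domain of a hostname, e.g. mail.x.co.uk -> x.co.uk."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0]
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def root_email_domain(session):
    """Root domain of the envelope sender, or None if there is no MAIL FROM."""
    m = MAIL_FROM_RE.search(session)
    if not m or "@" not in m.group(1):
        return None
    return root_domain(m.group(1).rsplit("@", 1)[1])


def http_headers(session):
    """Request headers as a dict keyed by lower-cased header name."""
    head = session.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def session_meta(smtp_session, http_session):
    """Meta a custom parser would register for these sessions (key names are
    this example's, not Security Analytics defaults)."""
    hdrs = http_headers(http_session)
    # X-Forwarded-For is client-influenced: the first hop is whatever the
    # client (or an upstream proxy) put there, so record it, do not trust it.
    xff = hdrs.get("x-forwarded-for", "")
    return {
        "smtp.response.code": smtp_response_codes(smtp_session),
        "email.root.domain": root_email_domain(smtp_session),
        "http.user.agent": hdrs.get("user-agent"),
        "http.xff.client": xff.split(",")[0].strip() or None,
    }


if __name__ == "__main__":
    for key, value in session_meta(SMTP_SESSION, HTTP_SESSION).items():
        print(f"{key}: {value}")
```

Registering the reply code and the root sender domain as separate meta is what makes the Reporting Module useful later: a report can then pivot on every 5xx-rejected sender domain without re-parsing payloads.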
Custom Feeds
• Why are they useful?
• Can be stored on local webserver or online
• CSV format only
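A feed is only as good as the matching behind it, so here is an added example of loading a CSV feed and applying it to session meta: it trims and lower-cases hostnames, accepts single IPs and CIDR ranges, rejects malformed rows instead of silently skipping indicators, and tags each hit with the meta key that matched. This is not Security Analytics code from the presentation: the column layout (indicator, threat.category, threat.desc, threat.source), the meta key names, the feed rows and the sessions are all constructed for the demo; in the product the column-to-meta mapping is set when the feed is defined.

```python
"""Added example: loading a CSV threat feed and applying it to session meta.
Not Security Analytics code; the column layout, meta key names, feed rows
and sessions are this example's own."""
import csv
import io
import ipaddress

# Constructed feed. In practice this file sits on a local web server or an
# online location the appliance fetches on a schedule.
FEED_CSV = """# indicator,threat.category,threat.desc,threat.source
198.51.100.23,botnet,c2-beacon,internal-ir
malicious-update.example,trojan,dropper-host,internal-ir
203.0.113.0/24,scanner,bulk-scanner,partner-feed
Bad.Example.NET ,phishing,credential-harvest,partner-feed
this row is malformed
"""

# Constructed session meta as a concentrator would hold it.
SESSIONS = [
    {"ip.src": "10.0.0.5", "ip.dst": "198.51.100.23", "alias.host": None},
    {"ip.src": "10.0.0.9", "ip.dst": "203.0.113.77", "alias.host": "cdn.example.org"},
    {"ip.src": "10.0.0.9", "ip.dst": "192.0.2.10", "alias.host": "bad.example.net."},
    {"ip.src": "10.0.0.2", "ip.dst": "192.0.2.11", "alias.host": "benign.example"},
]


def load_feed(text):
    """Parse the CSV into (exact-match table, CIDR list, rejected rows).
    Hostnames are lower-cased and trimmed so feed sloppiness does not turn
    into missed matches; bad rows are returned so they can be reported."""
    exact, networks, rejected = {}, [], []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].lstrip().startswith("#"):
            continue
        if len(row) != 4:
            rejected.append(row)
            continue
        indicator, category, desc, source = (field.strip() for field in row)
        meta = {"threat.category": category, "threat.desc": desc,
                "threat.source": source}
        try:
            net = ipaddress.ip_network(indicator, strict=False)
        except ValueError:
            exact[indicator.lower().rstrip(".")] = meta  # hostname indicator
            continue
        if net.num_addresses == 1:
            exact[str(net.network_address)] = meta
        else:
            networks.append((net, meta))
    return exact, networks, rejected


def match_session(session, feed):
    """Feed meta that applies to one session, tagged with the meta key that
    matched, so the hit can be written back as new meta on the session."""
    exact, networks, _ = feed
    hits = []
    for key in ("ip.src", "ip.dst"):
        value = session.get(key)
        if not value:
            continue
        if value in exact:
            hits.append(dict(exact[value], matched_on=key))
            continue
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            continue
        for net, meta in networks:
            if addr in net:
                hits.append(dict(meta, matched_on=key))
                break
    host = (session.get("alias.host") or "").lower().rstrip(".")
    if host and host in exact:
        hits.append(dict(exact[host], matched_on="alias.host"))
    return hits


def apply_feed(sessions, feed_text):
    """Match every session against the feed; one list of hits per session."""
    feed = load_feed(feed_text)
    return [match_session(s, feed) for s in sessions]


if __name__ == "__main__":
    exact, networks, rejected = load_feed(FEED_CSV)
    print(f"{len(exact)} exact indicators, {len(networks)} ranges, "
          f"{len(rejected)} rejected rows")
    for session, hits in zip(SESSIONS, apply_feed(SESSIONS, FEED_CSV)):
        print(session["ip.dst"], session["alias.host"], "->", hits or "no match")
```

Counting rejected rows on every refresh is the cheap health check: a feed that suddenly loads zero indicators usually means the file moved or its format changed, not that the threats went away.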
Changing Default Settings Part 1
• Capture Autostart
• Turn off the Mail and HTTP parsers (if using the Lua equivalent)
Changing Default Settings Part 2
• Turn on SSL within Appliance and Device service
Lessons Learned
• Consistency in administration
• A better understanding of the network = clearer visibility into threats
• Inspecting decoder source will spot traffic abnormalities
• Security Analytics Community/Forum (custom parsers referenced from this presentation will be shared there)
• Health checks (currently manual process)
Other Recommendations
• Data acquisition capability from host-based agent
• Sending audit logs to a SIEM/Log Collector
• Disabling parsers not applicable to your environment
• Internal documentation and processes
• Customizing needs based on the organization's threat profile and the organization's environment
• Enabling X-Forwarded-For (if applicable; the header value is client-influenced, so treat it as untrusted meta)
Specific Use Cases
• Live feeds to detect malicious threats (trojans, botnets, etc.)
• Out-of-date Java or browser versions used in environment
• Alerts/Reports from Custom Feeds
• Some DLP (credit card, passwords, etc.)
• REST API queries
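Two of these use cases worked as detection logic over sample data: out-of-date Java and browser versions spotted from User-Agent meta, and simple DLP that finds card numbers (validated with Luhn so order numbers do not trigger) and password-bearing form fields in a payload. This is an added example, not code from the presentation; the version baselines are assumptions for the demo, and the user agents and POST body are constructed (the card numbers are well-known test numbers).

```python
"""Added example for two of the listed use cases: out-of-date Java/browser
versions from User-Agent meta, and card-number/password DLP on a payload.
Not from the presentation; baselines are assumed and all inputs constructed."""
import re

# Constructed client user-agent meta values.
USER_AGENTS = [
    "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_45",
    "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0",
    "Java/1.8.0_25",
    "curl/7.35.0",
]

# Minimum acceptable versions (assumed; take these from your patch baseline).
BASELINES = {
    "Java": (re.compile(r"Java/(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"), (1, 8, 0, 25)),
    "Firefox": (re.compile(r"Firefox/(\d+)(?:\.(\d+))?"), (33, 0)),
}


def outdated_clients(user_agents):
    """(product, version text, user agent) for each UA below its baseline."""
    findings = []
    for ua in user_agents:
        for product, (pattern, minimum) in BASELINES.items():
            m = pattern.search(ua)
            if not m:
                continue
            version = tuple(int(g or 0) for g in m.groups())
            if version < minimum:
                findings.append((product, m.group(0), ua))
    return findings


# Constructed POST body; 4111... and 5500...0004 are well-known test PANs,
# the order number is a 16-digit run that must not be reported.
PAYLOAD = ("POST /checkout HTTP/1.1\r\nHost: shop.example\r\n\r\n"
           "order=1234567890123456&card=4111111111111111"
           "&alt=5500 0000 0000 0004&phone=555-0100&pw=hunter2")

# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Form fields that carry credentials; the field name is reported, never the value.
PASSWORD_FIELD_RE = re.compile(r"(?i)(?:^|[?&])(pass(?:word|wd)?|pw|pwd)=")


def luhn_valid(digits):
    """Luhn checksum over a digit string; filters out other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(payload):
    """Masked PANs (first 6 + last 4) that pass Luhn; never emit the full PAN."""
    hits = []
    for m in CARD_RE.finditer(payload):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and len(set(digits)) > 1 and luhn_valid(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits


def find_password_fields(payload):
    """Names of credential-bearing form fields present in the payload."""
    return [m.group(1).lower() for m in PASSWORD_FIELD_RE.finditer(payload)]


if __name__ == "__main__":
    for product, version, ua in outdated_clients(USER_AGENTS):
        print(f"outdated {product} ({version}): {ua}")
    print("cards:", find_card_numbers(PAYLOAD))
    print("password fields:", find_password_fields(PAYLOAD))
```

Masking the PAN and reporting only the password field name matters in practice: an alert that copies the secret it just detected into meta, reports and the SIEM has created a second DLP problem.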
THANK YOU