Hans Irlacher Threat Response – Incident Response

Transcription

Threat Response – Incident Response
Hans Irlacher
Manager Presales Engineering CEMEA
hirlacher@proofpoint.com
Copyright © 2015 Proofpoint, Inc. All Rights Reserved.
Proofpoint Portfolio
Detect, Block, Respond:
• Block: Protection – Proofpoint Protection Server, best-in-class email protection
• Detect: TAP – detects targeted, polymorphic and "zero-day" attacks
• Respond: Threat Response – comprehensive incident handling and fast response
Business and Legal Consequences
CSO Online, Dec. 15, 2014
InfoSecurity, Jan. 16, 2015
The Cost of Malware Containment, Ponemon Institute, January 2015
The Importance of a Fast Response
46%
70%
Source: Ponemon Institute & Verizon Data Breach Report: http://blog.turner-associates.com/cyber-security-data-breaches-checklist/
The "New" Detection Problem

Advanced Malware Detection
  Source          Destination     Severity
  192.168.10.13   8.8.8.8         High

SIEM
  Source          Destination     Type
  10.10.10.213    192.168.10.114  Anomaly

IPS
  Source          Destination     Severity
  10.10.10.123    192.168.10.114  High
What now? (Security Operations)
1. Which alert is the most important?
2. How do I get more information in context?
3. How do I confirm an infection (without "false positives")?
4. How can I protect and contain quickly?
5. How can I measure my own effectiveness?
Incident Response Challenge
With only a few data points, alerts cannot be handled.
Open questions: Who was attacked? What kind of attack is it? Where does the attack come from?
Security Operations workflow (chart: losses grow over time while the work proceeds): Security Alerts → aggregate data → threat investigation → threat verification → contain threat & reimage
The "Usual" Incident Response Process
Infection → Detection → Remediation, with the analyst hopping between tools at each step:
• High value targets? – DHCP server, Domain Controller, AD server, phonebook/directory
• High value/severe threats? – Intelligence/reputation, meeting scheduler, Geo IP service, Whois, Virus Total
• Confirm infection? – Forensic collection/analysis
• Quarantine/Contain? – Email console(s), AD console(s), FW/Proxy console(s)
• Tracking – Security alert source, ticketing system, incident management, change control
Incident Response Should Be Simple
Central dashboard answering: High value target? Endpoint infected?
• Consolidate information
• Quarantine & remediate
Proofpoint Threat Response
Virtual Appliance
• Understand: automated
• Verify: end-to-end, custom events and more…
• Remediate: immediate, and more...
Threat Response Use Case
Flow: Security Alert → Threat Response → IOC Verification → Additional Threat Context → User Context → Update

IOC Verification (Threat Verified):
  Network connections: Yes
  Registry changes: Yes
  File changes: Yes
  Mutexes: Yes

Additional Threat Context (IP reputation, Geolocation, WhoIS, Virus Total):
  Sender IP: Known bad actor
  Known malware?: Trojan.Zbot.X
  New domain?: Yes
  Domain reputation?: Neutral
  CNC list?: Y
  Country?: N. Korea

User Context (AD):
  Email: joe@myco.com
  AD user: Josephsmith
  Group: Finance
  User phone: 650-555-1234
  System IP: 56.188.13.218
  Attacker IP: 10.10.10.253
  Location: Fargo, ND

Add (user context):
• Username
• Infection history
• Group
• Local information
• Local IP
Add (threat context):
• Malicious file check
• IP/Domain Reputation
• Geo-location
• CNC server check
• Incident assignment
Update (actions):
• Put user in "Penalty box"
• Update Firewalls/Proxies
• Quarantine email
• Create audit trail
• Manage IP lifecycle
Threat Response with TAP
Attachment Defense (AD)
Components: Proofpoint TAP (TAP AD Alert) → Threat Response → Exchange/O365 Quarantine
1. The message is delivered directly to the user. At the same time a copy is analyzed inside the sandbox.
2. TAP alerts are sent to PTR. PTR connects directly to Exchange (O365) and automatically moves the message into quarantine.
SIEM + Threat Response
Logs, Alerts, Events → SIEM → Threat Response → Security Analysts
• Incident Context
• Forensic data collection
• Infection Verification
• Past infection checking
• Threat Scoring
• Incident/User/IP history
• Incident assignment
• User Isolation
• Network Containment
• Email Quarantine
Threat Response Closes the Gap
Detection (TAP) → Investigate → Verify → Prioritize → Respond
Customer Benefits
Threat Response accelerates the process:
• Understanding & prioritizing threats
• Confirming infections (comparison of forensic information)
• Responding to threats (FW/Proxy/AD integration)
Business benefits:
• Cuts investigation time by > 50%
• Up to 20x faster response
• Reduces burden and risk while at the same time requiring less work
Protection Platform Powered by Big Data
PROOFPOINT PLATFORM:
• EMAIL PROTECTION
• ADVANCED THREAT PROTECTION/RESPONSE
• INFORMATION PROTECTION
• SOCIAL MEDIA PROTECTION
• BIG DATA ANALYTICS
• ARCHIVING + COMPLIANCE
DEMO
Understand: Who, What, Where
• What is the threat
• Who is the target
• Where is the attack coming from
Target information:
• User
• Phone
• Department
• Special groups
• Location
• … more
Incident history
Drill down available, one click away
Verify: Confirm Infection via Forensics
• Infection confidence
• Summary of forensics found vs. reported
• Forensic matches
• Past infection check
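As an added example, not code from the presentation or from Proofpoint's product, here is a minimal Python sketch of the "reported vs. found" IOC verification shown on the Verify slide and of the contain decisions listed on the use-case slide; the incident fields, IOC values and the 0.75 confirmation threshold are constructed assumptions.

```python
# Added example (not Proofpoint code): IOC "reported vs. found" verification and
# triage; all IOC values, field names and the 0.75 threshold are assumptions.
from dataclasses import dataclass, field

IOC_TYPES = ("network_connections", "registry_changes", "file_changes", "mutexes")

@dataclass
class Incident:
    user: str
    group: str
    reported: dict                  # IOCs the sandbox/alert report claims
    found: dict                     # IOCs actually observed on the endpoint
    sender_known_bad: bool = False
    on_cnc_list: bool = False
    prior_infections: int = 0
    actions: list = field(default_factory=list)

def forensic_matches(inc):
    """Per IOC type: how many reported indicators were found on the host."""
    return {t: len(set(inc.reported.get(t, ())) & set(inc.found.get(t, ())))
            for t in IOC_TYPES}

def infection_confidence(inc):
    """Share of reported IOCs confirmed on the endpoint (0.0 .. 1.0)."""
    total = sum(len(inc.reported.get(t, ())) for t in IOC_TYPES)
    return 0.0 if total == 0 else sum(forensic_matches(inc).values()) / total

def triage(inc, confirm_threshold=0.75):
    """Verify, then pick contain actions from the use-case slide's list."""
    conf = infection_confidence(inc)
    verified = conf >= confirm_threshold
    if verified:
        inc.actions += ["put user in penalty box", "quarantine email"]
        if inc.on_cnc_list or inc.sender_known_bad:
            inc.actions.append("update firewalls/proxies")   # block attacker IP
    if inc.prior_infections:
        inc.actions.append("flag repeat infection")          # past-infection check
    inc.actions.append("create audit trail")
    return {"confidence": round(conf, 2), "verified": verified,
            "matches": forensic_matches(inc), "actions": inc.actions}

def example_incident():
    """Constructed incident modelled on the slide's joe@myco.com / Finance case."""
    reported = {"network_connections": ["10.10.10.253:443"],
                "registry_changes": [r"HKCU\Software\Run\zbot"],
                "file_changes": [r"C:\Users\joe\zbot.exe"], "mutexes": ["Global\\zbot"]}
    found = {**reported, "mutexes": []}   # everything observed except the mutex
    return Incident("joe@myco.com", "Finance", reported, found,
                    sender_known_bad=True, on_cnc_list=True)
```

Three of four reported IOCs are confirmed, so the incident is verified at 0.75 and the attacker IP is pushed to the firewall/proxy block list; a report with no IOCs yields confidence 0.0 and no containment.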
Contain: Quarantine and Contain Identities and Hosts
• Attacker and CNC data drill down
• At-a-glance geo-location
Automatic IP blocking lifecycle
Push-button or automatic protection
Contain: Email quarantine automated or manual
Push-button or automatic quarantine after email is delivered
Customizable Reports
With built-in & custom reports and views
Incidents by department