Scalar Security Roadshow: Toronto Presentation - April 15, 2015

Scalar Security Roadshow
April 15, 2015
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. 1

Vancouver Calgary
Toronto
Ottawa
London
Montreal
100%

We studied the Canadian market
Believe they are winning the
CyberSecurity war
Suffered a breach leading to loss or
disclosure of sensitive data
Average annual number of attacks
Average cost to address a security
breach
41%
46%
34
$200,000

•  Security is more complicated than ever;
hackers are funded and motivated
•  Many organizations struggle to understand
and effectively control security risk
•  Traditional security approaches have not
been effective
•  Companies who invest in security are still
suffering catastrophic breaches
Traditional Approaches Have Failed
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience.

“Good Enough” always fails

•  Are more aware of the threat landscape
•  Have a higher percentage of their IT
budget dedicated to security
•  Invest in cutting edge technologies
•  Measure the ROI of those technologies
•  And have a security strategy that is
aligned with their business objectives
and mission
High-performers – 25% less breaches

Be more aware of threats and align your security
strategy with business objectives. Build effective
security programs to protect critical assets.
Design and build robust security solutions using
leading technologies that provide visibility
understanding and control.
Develop or acquire expertise to monitor and respond
to security events. Continuously validate the
effectiveness of security controls.
What do Top Performers do?
Prepare
Respond
Defend

Winning The War
•  Addressing business risk
•  Effective reduction of attack surface
•  Understandable and actionable security
intelligence
•  Rapid incident containment and response
•  Continuous validation and meaningful reporting

Today’s Agenda

Security Architecture 1.0…
Traditional Security Technologies
ANY CO. PLC
usDon’t stop next generation threats

Endpoint: The Path of Least Resistance
THREAT TARGETS
DESKTOPS
USERS
WINDOWS 7
WINDOWS 8.1
LAPTOPS
INTERNET EXPLORER
The key security threat channels are Web
and Email. The key threat vectors are
web-links and downloaded files.
Your security posture is significantly
improved by negating the key security
issues of users clicking malicious web-
links and opening infected attachments
Prioritize
Focus
THREAT VECTORS
VIDEOS
PICTURES
DOCUMENTS
WEBLINKS
MAIL
WEB
THREAT CHANNELS

The Business Problem: The Bromium Cure
SECURE
WEB BROWSING
SECURE
EMAIL
SECURITY
PATCHING

Endpoint Isolation Technology
How It Works – Bromium
ISOLATED. PROTECTED.DISRUPTIVE DAMAGING
HARDWARE
OS KERNEL
Untrusted user tasks and any malware
are isolated in a super-efficient micro-VM.
All micro-VMs destroyed, eliminating all
traces of malware with them.
Hardware-isolated
micro-VMs

Why Bromium?
Open Anything,
From Anyone,
Anywhere…

WhiteHat Security
Application Testing
Rob Stonehouse, CISSP
Chief Security Architect

About WhiteHat Security
•  Application security testing leader in Gartner Magic Quadrant
•  HQ in Santa Clara, California
•  Employees: 300
•  Customers: 650+
•  Sites under management: 30,000+
18

SAST - “Sentinel Source” Static Testing
•  Integrates into your
development process
•  Directly connects to source
code repository
•  Designed for Agile
•  Your code stays onsite
•  Verified vulnerabilities avoid
false positives
•  Assesses partial code, as
often as needed
19

Sentinel Mobile - Secure Mobile Devices
§  Assesses both iOS and Android
applications
§  Tests native mobile code and server-side
APIs
§  Identifies critical vulnerabilities including
OWASP Mobile Top 10
§  Verified findings:
Zero false positives reduce overhead for
developers
Results prioritized by risk
§  Covers traffic analysis between client and
server-side

DAST – Dynamic Application Testing
•  Non-intrusive, non-disruptive, 24x7
coverage
•  Meets and exceeds PCI 6.5/6.6
requirements
•  Full service and support included in
all offerings
•  Unlimited retests, integration
support, and remediation guidance
at no additional charge
•  Persistent, consistent testing and
results
Cross-site scripting
Credential/Session
Prediction
Weak Password
Recovery Validation
Information Leakage
Brute Force
SQL Injection
Insufficient
Authentication

Application Security Lifecycle
Integrated Application
Security Lifecycle
Software
Development
Lifecycle
SAST
22

How to Remediate Vulnerabilities?
Continuous Testing
•  Full SDLC coverage: training, development, QA, and
production
•  Stop using Tiger teams!
Expert hands-on guidance from the Threat Research Center
•  100% verified vulnerabilities, 0 false positives
•  150+ security engineers available by phone/email/WebEx
Retest, Retest, Retest
•  Trending of vulnerabilities across time and continuous
assessment of deployment

How Deep to Test?
§  Sentinel PE (Fully Targeted / High Risk)
•  Ideal for high impact sites with sensitive
user and financial information
•  Technical and business logic
vulnerabilities, complete WASC v2
§  Baseline Edition (Static Webpages)
•  Unauthenticated, Verified Results
§  Standard Edition (Directed/Opportunistic)
•  Custom configured logins and multi-step
sequences
•  Comprehensive coverage for technical
vulnerabilities

Scalar Security Roadshow: Toronto Presentation - April 15, 2015

Flexible Reporting
§  Web & PDF Based
§  Bi-Directional XML API
§  Integration with popular technologies like
Jira, Archer, F5 & Imperva

Command Execution
§  Buffer Overflow
§  Format String Attack
§  LDAP Injection
§  OS Commanding
§  SQL Injection
§  SSI Injection
§  XPath Injection
Information Disclosure
§  Directory Indexing
§  Information Leakage
§  Path Traversal
§  Predictable Resource Location
Business Logic: Hands-on Inspection
Authentication
§  Brute Force
§  Insufficient Authentication
§  Weak Password Recovery Validation
Authorization
§  Credential/Session Prediction
§  Insufficient Authorization
§  Insufficient Session Expiration
§  Session Fixation
Logical Attacks
§  Abuse of Functionality
§  Insufficient Anti-automation
§  Insufficient Process Validation
Premium Edition Baseline Edition Standard Edition
WhiteHat Sentinel Vulnerability Coverage
Client-Side
§  Content Spoofing
§  Cross-site Scripting
§  HTTP Response Splitting
§  Insecure Content

Protecting the Network with
LogRhythm
Nyron Samaroo, Security Architect

Introduction
Questions:
•  What is SIEM?
Answers:
•  Security Information and Event Management (SIEM) is a
tool used to gather and report on security information.
•  Who is LogRhythm?
•  LogRhythm is a global leader in security intelligence and
analytics empowering organizations to rapidly detect,
respond and neutralize cyber threats. Their Security
Intelligence platform unifies next-gen SIEM, log
management, network and endpoint forensics, and
advanced security analytics.
•  How will LogRhythm
defend my network?
•  Through the process of Intelligent and Behavioral
Analytics LogRhythm is capable of detecting and
protecting in near real-time security events not just on
the network but on critical assets residing on the
network.

LogRhythm in Motion
LogRhythm Agents
Workstations and Servers
Archiving
AI Engine
Log Manager
LogRhythm Personal
Dashboard / Web UI
Event Manager
Network Devices
Identification
Classification
Normalization
Prioritization
Aggregation
Events
Console
Reporting
Alarming
Configuration
Behavior Analytics /
Advanced Correlation

The Platform for Security Intelligence
Input Analytics Output

LogRhythm System Monitor
Host Activity Monitoring
•  Independently collects forensic detail
•  Ideal for hosts with sensitive data or critical applications
•  Support for Microsoft, Linux, and Unix platforms
File Integrity and
Windows Registry
Monitoring
•  Meet Compliance Requirements
•  Recognize “who” performed unauthorized
file changes or moves
•  Build whitelists for recognizing malware
or blacklists of undesired applications
•  Identify new, non-whitelisted network
services
•  Detect anomalous network activity
indicating data exfiltration or botnet C&C
•  Monitor unauthorized data movement to
prevent data theft
Process Monitoring
Network
Connection
Monitoring
Data Loss Defender

LogRhythm Network Monitor
1.  True Application Identification for over 2800
applications
2.  SmartFlow™: Search and analyze packet data from
each network session up to Layer7
3.  SmartCapture™: Full or selective packet capture
for deeper forensic analysis
Google Docs
PostGres
SMTP
Facebook Apps
TorSkype DropBox
XBoxLive
AWS
BitTorrent
GoToDevice
Gmail
Source IP: 192.168.12.59
Destination IP: 192.168.2.84
Command: smb2 change
Filename: SethMy Documents
todayspreso.ppt
Path: serverfileUsers
ApplicationPath: /tcp/netbios/smb
Login: seth.goldhammer
Bytes: 4.52 Mb
Time Start: 2013/10/10 19:30:38
Time Updated: 2013/10/10
………………
Samba
Source IP: 192.168.12.59
Destination IP: 192.168.18.2
Sender: seth@logrhythm.com
Receiver: kbroughton@recruiter.com
Attachment File Name: SethMy Docs
employeedata.txt
Mime Type: http/text
Bytes: 4.52 Mb
Time Start: 2013/10/10 19:30:38
Time Updated: 2013/10/10
………………

Real-time Forensic Monitoring
System Monitoring
•  Capture host activities not
represented by log data
•  Gain deep visibility on valuable
hosts, sensitive data
Network Monitoring
•  Capture network activities not
captured by standard flow data
•  Recognize applications and perform
Deep Packet Inspection (DPI) on all
network traffic
Independent collection of forensic detail is
CRITICAL for recognizing high risk activities

Data Classification
• LogRhythm not only structures incoming
data but adds contextual information
such as:
• Classification
• Common Event
• Risk Score
• Reduces time required for analysis and
ensures query results are complete
• Provides deep intelligence on more than
600 different systems, devices, apps,
databases, etc.
• 20-30 added each quarter
Confidential Information
0
100
200
300
400
500
600
700
Total
Customer Relations Management
Data Loss Prevention
File Integrity Monitor
Network Controllers
Unified Threat Managers
UPS
Anti-Spam
Physical Security
Encryption
Wireless Access Management
Vulnerability Assessment
Directory Services
Point-Of-Sale
VOIP
Storage
Virtualization
Wireless Access Point
Remote Access
VPN
E-Mail Security
Load Balancers
Content Inspection/Filters
Routers
Anti-Virus
Email Servers
Switch
Access Control
Other
Databases
Web Servers
Network Management
IDS/IPS
Firewalls
Applications
Operating Systems

Scenario Building Blocks
Log
Observed

Log
Not
Observed

Log
Not
Observed

Scheduled

Threshold
Observed

Threshold
Not
Observed

Threshold
Not
Observed

Scheduled

Unique
Value
Observed

Unique
Value

Not
Observed

Unique
Value
Not

Observed
Scheduled

Whitelist

Trend

Sta;s;cal

Scenario Examples
Log
Observed

Log
Observed

Account
Created

Account
Deleted

Account=Account

Short
;me
period

Log
Observed

Log
Not
Observed

Secure
Panel
Accessed

No
Badge
Swipe

Short
;me
period
before

Detec%ng
Temporary
Accounts
Detec%ng
Forced
Physical
Access

Complex Scenario
Trend

Abnormal
Access
and
Authen%ca%on
Failures

Log
count

comparison
of

auth
and
access

failures
per
user

Trend

Abnormal
Authen%ca%on
Behavior

Histogram
of
auth

success
and

failures
per
user

Trend

Abnormal
Authen%ca%on
Loca%ons

Histogram
of
auth

success
loca;ons

per
user

Unique
Value
Observed

Same
user

with
mul;ple

anomalies

Event
Loop
Back

Smart Response (closing the loop)
SmartResponse™ delivers immediate
action on real-world issues, such as when
suspicious behavior patterns are detected,
specific internal or compliance-driven
policies are violated, or critical
performance thresholds are crossed.
•  Pull Attacking IP from Alarm and add to firewall
ACL. Terminating dangerous access to network
•  Suspend or remove newly added or recently
modified privileged user account until activity is
verified as legitimate
•  Remove suspicious users from network during
investigative period
•  Restart operational processes from alarms

Analytics Driven Defense Modules

Privileged User Monitoring
Use Case: Detect a rogue
administrator account
Details: Identify when a privileged
user is abusing authority, indicating
either insider threat activity or
compromised credentials
AIE Rules look for:
•  New Admin Activity
•  Mass Object Deletion
•  Users added to privileged group
•  Recently disabled privileged account activity

Retail Cyber Crime Module
Use Case: Detect Compromised Back
Office Systems
Details: Identify suspicious changes on
back office systems and the network
activity they generate.
AIE Rules look for:
•  New processes
•  New authentications
•  New FIM access events
•  Any FIM modification event
•  Any DLD Activity
•  New Common Event
•  New Network Activity

Analytics Modules
Rapid-Time
to-Value
Knowledge
•  Industry
experts

•  Machine
Data

Intelligence

•  Security

•  Compliance

•  Advanced
Threat
Research

•  Embedded
Exper;se

•  Ready-‐to-‐use
content

•  Frequent,
automa;c

updates

•  Knowledge
aligned
to

organiza;onal
goals

•  Quick
beneﬁt

recogni;on

•  Ongoing
addi;onal
value

Thank you

Download our 2015 Security Study: The Cyber
Security Readiness of Canadian Organizations
Download Here: http://blog.scalar.ca/security-
study-2015
What’s Next?

Connect with us!
© 2014 Scalar Decisions Inc. 53
facebook.com/scalardecisions
@scalardecisions linkedin.com/company/scalar-decisions
slideshare.net/scalardecisions

Scalar Security Roadshow: Toronto Presentation - April 15, 2015

More Related Content

What's hot (19)

Viewers also liked (20)

Similar to Scalar Security Roadshow: Toronto Presentation - April 15, 2015 (20)

More from Scalar Decisions (20)

Recently uploaded (20)

Scalar Security Roadshow: Toronto Presentation - April 15, 2015