Metric Matters. Dain Perkins, CISSP, Dain.Perkins@gmail.com. PowerPoint presentation.



SLIDE 1

Metric Matters

Dain Perkins, CISSP, Dain.Perkins@gmail.com

SLIDE 2

My Perspective

Information security metrics do not show us how we need to improve our defenses

SLIDE 3

Image: http://abcnews.go.com/Sports/2014-fifa-world-cup-us-goalie-tim-howard/story?id=24400295

SLIDE 4

SLIDE 5

You keep using that word…

  • Measure: the size, amount, or degree of something
  • Metric: meta-data derived from analyzing measurements of a given variable over time, or against a specific baseline or target
  • Correlation: the appearance of statistical dependence between measured events, without a causal relationship
  • Causation: the direct effect of one measured event on another (cause and effect relationship)
  • Threat: a malicious attempt to compromise the confidentiality, integrity, availability, authenticity, utility, or possession of a given information asset*
  • Risk: the probability of loss due to a given threat

* With thanks to Donn Parker who defined the Parkerian Hexad in his book Fighting Computer Crime. New York, NY: John Wiley & Sons. ISBN 0-471-16378-3.

[Diagram: 2000 sessions/min, 50x the average sessions/min. Summers in NYC: more murders, more ice cream, hotter temps, more electricity. Malware, targeted attack, DOS, fraud; data breach.]

SLIDE 6

We’ve got to ask ourselves a question

Are we measuring the right stuff?

1) CIS Security Benchmarks

  • Number of applications
  • Mean time to complete changes
  • IS Budget as % of IT Budget

2) GIAC / SANS

  • Unauthorized devices: total count, avg hours online/device
  • Infrastructure configurations: # of insecure configs, mean time to repair
  • User admin accounts: total, %, mean time to remediate
  • Incident Response: mean time to detect, remediate

3) 5 Strategic Security Metrics

  • Comparative spend
  • Mean time to compliance
  • % of emergency changes

http://benchmarks.cisecurity.org/downloads/metrics/
http://www.darkreading.com/analytics/security-monitoring/five-strategic-security-metrics-to-watch/d/d-id/1137170?
http://searchsecurity.techtarget.com/tip/Security-that-works-Three-must-have-enterprise-security-fundamentals

SLIDE 7

Identify the threats

  • Identify causally significant metrics
      • Marginal threat levels: immediate feedback
      • Threat volumes and types: long term
  • Leverage immediate feedback to address current threat levels
  • Use long term metrics to refine and improve security posture
  • Select tools that can best help your team

SLIDE 8

One more generic note

Residual Risk: It's time to start considering these sorts of technologies, and the intel they can provide, as part of the whole equation.

What does Breach Detection address?

SLIDE 9

Top Level Classifications

  • Recon: find a vulnerability
  • Initial Exploit: take advantage of recon
  • Compromise: privilege escalation, spread, etc.
  • C&C: check in with HQ
  • Actions: steal, corrupt, interrupt, etc.
  • Compliance: policy/procedure violations
  • Hygiene: misconfigured apps, etc.

Advanced, targeted, it's all the same stuff. The difference comes in the type of recon: specific, or how to hit the most targets.

SLIDE 10

Threat Identification Tools

SLIDE 11

Network Behavior Analysis

Volume, Direction, Frequency, and Scale

+ Ubiquitous, easy to scale
+ Encryption not an issue
+ Typically allows asset classification / valuation
+ Statistical analysis baselines and identifies “abnormal behavior” from various measures
+ Adds significant troubleshooting, performance analysis capabilities (budget / resource sharing)

  • May miss smaller attacks or compromises
  • No packet level analysis
  • Requires some care and feeding

SLIDE 12

Network Behavior

Anomaly Identification -> Actions

  • Scales well (netflow is everywhere)
  • Built-in metrics with anomaly detections
  • Build groups to prioritize assets
  • Build alerts to monitor compliance
  • Integrate with authentication, network gear to immediately identify affected users and devices

What Sorts of Metrics?

  • Session count
  • Volume by port, app, device
  • Drill down by group, port, application, or device
  • Malware propagation
  • Typical connection peers

Riverbed Cascade

SLIDE 13

Behavior Clues

Lancope StealthWatch

Netflow and Packet Analysis

  • Add application specific data points
  • Visually significant anomalies with drill down capabilities allow for quick investigation

Identify credible threats via Volumetric Analysis

  • DNS
      • CnC traffic from malware outbreak?
      • External? -> Block outbound DNS
      • Internal? -> Check Server
  • ICMP
      • DOS, DDOS, Botnet?
      • External? -> Block ICMP
      • Internal? -> Investigate
  • SMTP
      • Identify hosts & targets
      • External? -> Block SMTP
      • Internal? -> Check policies and reqs
  • Data Breach
      • Should that critical asset be communicating with remote countries?
      • Why did Alice’s salesforce connection volume increase by 400%?
  • HTTP Session Count
      • Increase by 200%? Adware, Click Fraud?
      • User Ed? Content filtering?
      • Bad headers? Stealth C&C?
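
The baselining and volumetric triage described on slides 11 to 13, as an added example (my code, not the speaker's or any vendor's): each host's latest minute of sessions per protocol is scored against its own history, and anything that clears both a ratio and a standard-deviation threshold is mapped to the slide 13 external/internal action. The flow records, the PLAYBOOK actions and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed netflow-style records, not captured traffic:
# (minute, host, protocol, destination_is_external, sessions_in_that_minute)
FLOWS = []
def _series(host, proto, external, per_minute_sessions):
    for minute, sessions in enumerate(per_minute_sessions):
        FLOWS.append((minute, host, proto, external, sessions))
_series("ws-17",  "http", True,  [40, 42, 38, 41, 39, 160])       # web sessions up 300%
_series("dns-01", "dns",  True,  [900, 880, 910, 905, 890, 895])   # busy resolver, steady
_series("ws-22",  "dns",  True,  [5, 4, 6, 5, 5, 2000])            # DNS at 400x its average
_series("srv-db", "smtp", False, [0, 0, 1, 0, 0, 30])              # database host sending mail

# Slide 13 triage table (actions assumed): protocol -> (hint, action if external, if internal)
PLAYBOOK = {
    "dns":  ("CnC traffic from malware outbreak?", "Block outbound DNS", "Check server"),
    "icmp": ("DOS, DDOS, botnet?",                 "Block ICMP",         "Investigate"),
    "smtp": ("Identify hosts & targets",           "Block SMTP",         "Check policies and reqs"),
    "http": ("Adware, click fraud, stealth C&C?",  "Content filtering",  "User education"),
}

def baseline_anomalies(flows, min_ratio=2.0, sigmas=3.0):
    """Score each (host, protocol)'s latest minute against that host's own history.

    Flag only when the latest count is both >= min_ratio times the baseline mean
    (so a stable high-volume series drifting 4 sigma but only 5% stays quiet) and
    more than `sigmas` standard deviations above it (so a series that routinely
    swings 2x stays quiet).
    """
    history = defaultdict(list)
    for minute, host, proto, external, sessions in sorted(flows):
        history[(host, proto, external)].append(sessions)
    findings = []
    for (host, proto, external), counts in history.items():
        *baseline, latest = counts
        if len(baseline) < 3:
            continue                                   # too little history to baseline
        base_mean, base_sd = mean(baseline), pstdev(baseline)
        floor = max(base_mean, 1)                      # avoid dividing by a zero baseline
        if latest < floor * min_ratio or latest <= base_mean + sigmas * base_sd:
            continue
        hint, ext_action, int_action = PLAYBOOK.get(proto, ("Unclassified", "Investigate", "Investigate"))
        findings.append({
            "host": host, "protocol": proto, "baseline": round(base_mean, 1), "latest": latest,
            "pct_increase": round((latest / floor - 1) * 100),
            "hint": hint, "action": ext_action if external else int_action,
        })
    return sorted(findings, key=lambda f: f["pct_increase"], reverse=True)
```

`baseline_anomalies(FLOWS)` returns the three spiking hosts ordered by relative increase and leaves the busy but steady resolver alone.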

SLIDE 14

Network Breach Detection

+ Typically combine IDS type functions with advanced malware identification: C&C / DGA analysis, obfuscated comm. channels, etc.
+ Able to correlate multiple attacks to a single host over time
+ Able to track small threats as well as more obvious ones

  • Can combine with other tools for SSL analysis
  • May require larger investments in architecture for full coverage
  • Performance reqs. may limit deployment options
  • Direct remediation available

SLIDE 15

Breach Analysis

Risk-Based Prioritization; Aggregate Measures

Damballa Failsafe

SLIDE 16

Threat Categorization

Alerts by threat type lead to immediate possibilities for focusing remediation

AlienVault USM

SLIDE 17

Suspicious Details

Damballa Failsafe

SLIDE 18

Asset View

Alerts by Asset Category; Built-In Metrics

Damballa Failsafe

SLIDE 19

Intelligent Alert Management

Filter and quickly address multiple alerts to minimize information overload

Damballa Failsafe

SLIDE 20

Threat Analysis

Alert correlation and detailed threat assessment

AlienVault USM

SLIDE 21

Major Challenges

  • Focus on the unknown
      • No CVE, focus is on behavior
      • Requires understanding of malware communications channels
  • Scope and Breadth of analysis
      • Aggregation of metrics, reporting
      • 500 “breaches” are just as difficult to manage as 500 SIEM events
  • Still immature market & too much FUD

SLIDE 22

Challenge Accepted

  • Breach Detection: SANS Top 20!
  • Use behavioral analysis as top incident risk identification
      • As a front end tool, then leverage with SIEM, etc.
      • Or pipe detections into existing SIEMs
  • Review data
      • Fine detail for individual, credible threats
      • 10km view for general insight into your network
  • Combine with other tools for more context
      • Threat feeds, reputation lists, etc.
      • Firewall / IDS / Sandbox / Server logs

SLIDE 23

Open Formats

"The ideal scenario is that everyone and every vendor uses the same format for indicators of compromise," he says. "You can use it to share threat data, so all of us can benefit."

Jaime Blasco, Director, AlienVault

http://www.darkreading.com/analytics/security-monitoring/red-october-response-shows-importance-of-threat-indicators/d/d-id/1139034?

SLIDE 24

Ways to help the transition

  • Integrate Breach Detection
      • Apply new technologies to mitigate risks before it’s a tool for residual risk
  • Reporting
      • 500 discrete “Credible Threats” can be much more painful to deal with than 10,000 identified CVEs
  • Integration of external intel
      • The more the merrier
  • Asset Valuation
      • Prioritize alerts based on value of involved assets
  • Open Integration
      • IOCs, Observables, Veris, etc.

SLIDE 25

Malware Types by Remediation

Veris threat sources -> Remediation Ideas

  • Adware, click fraud, browser attacks, etc. -> Better user education, additional content controls
  • Recon, brute force, SQLi -> Tighten admin controls
  • Command & Control -> Leverage threat intel
  • Spam, DGA, DOS -> Tighten outbound controls
  • Policy Violation -> Address violation, training

http://veriscommunity.net

SLIDE 26

Asset Classification

  • A realistic asset classification system is a must (at least 3 priorities)
  • Preferably custom groupings to allow risk-based prioritization as well as group-based reporting for remediation focus
  • Even better: ability to tie into existing asset value frameworks

Lancope StealthWatch

SLIDE 27

Aggregate Metrics

How bad are things today?

AlienVault USM
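
Slides 24 to 27 argue for collapsing hundreds of discrete alerts into asset-value-weighted work items that each carry a remediation focus. As an added example (my code, not the speaker's or any vendor's), the block below does that over a constructed alert stream; the asset tiers follow slide 26, the classes slide 9 and the remediation pairing slide 25, while the numeric weights and the alerts themselves are assumptions.

```python
from collections import defaultdict

# Constructed alert stream, not vendor output: (host, asset_group, top_level_class, veris_source)
ALERTS = [
    ("ws-17",   "commodity",   "Actions",         "Adware/click fraud/browser"),
    ("ws-17",   "commodity",   "Actions",         "Adware/click fraud/browser"),
    ("ws-22",   "commodity",   "C&C",             "Command & Control"),
    ("ws-23",   "commodity",   "C&C",             "Command & Control"),
    ("fin-app", "crown-jewel", "Initial Exploit", "Recon/brute force/SQLi"),
    ("fin-app", "crown-jewel", "Recon",           "Recon/brute force/SQLi"),
    ("srv-db",  "crown-jewel", "Actions",         "Spam/DGA/DOS"),
    ("hr-01",   "business",    "Compliance",      "Policy violation"),
]

# Asset priorities (slide 26), top-level classes (slide 9), remediation pairing (slide 25); weights assumed.
ASSET_VALUE = {"crown-jewel": 3, "business": 2, "commodity": 1}
CLASS_WEIGHT = {"Actions": 5, "C&C": 4, "Compromise": 3, "Initial Exploit": 2,
                "Recon": 1, "Compliance": 1, "Hygiene": 1}
REMEDIATION = {
    "Adware/click fraud/browser": "Better user education, additional content controls",
    "Recon/brute force/SQLi":     "Tighten admin controls",
    "Command & Control":          "Leverage threat intel",
    "Spam/DGA/DOS":               "Tighten outbound controls",
    "Policy violation":           "Address violation, training",
}

def prioritize(alerts):
    """Collapse raw alerts into (asset_group, class, source) work items and rank them.
    score = asset value x class weight x distinct hosts, so a single exploit against a
    crown-jewel outranks repeated adware hits on one laptop, while a C&C outbreak climbs
    as more hosts join it. Each work item carries the slide 25 remediation idea."""
    buckets = defaultdict(lambda: {"alerts": 0, "hosts": set()})
    for host, group, cls, source in alerts:
        buckets[(group, cls, source)]["alerts"] += 1
        buckets[(group, cls, source)]["hosts"].add(host)
    items = [{
        "asset_group": group, "class": cls, "source": source,
        "alerts": b["alerts"], "hosts": len(b["hosts"]),
        "score": ASSET_VALUE[group] * CLASS_WEIGHT[cls] * len(b["hosts"]),
        "remediation": REMEDIATION.get(source, "Investigate"),
    } for (group, cls, source), b in buckets.items()]
    return sorted(items, key=lambda i: (-i["score"], i["asset_group"], i["class"]))

def how_bad_today(alerts):
    """Slide 27's question as three numbers: raw alerts, work items after collapsing, total risk."""
    items = prioritize(alerts)
    return {"raw_alerts": len(alerts), "work_items": len(items),
            "risk_score": sum(i["score"] for i in items)}
```

Eight raw alerts become six ranked work items; the spreading C&C on two commodity hosts outranks the repeated adware hits on one, and the crown-jewel items sit at the top regardless of alert count.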

SLIDE 28

Conclusion

  • We’re losing every day because we tend to focus on the attacks that we stop, looking at the known issues.
  • We need to start learning from the new, existing, and evolving threats that are already in our networks and leverage that data to improve across the field of information security.

Thanks for your time!