Bolster Your IR Program
Eric Sun, Solutions Mgr, Incident Detection & Response, @exalted

Agenda:
What is the Attack Chain, and why map to it?
Today’s state of Incident Detection & Response
Rapid7 approach to Investigations

About the speaker:
Solutions Manager – Incident Detection & Response @Rapid7
Behavior analytics / risk management background
Custom enterprise mobile app development – Zco Corporation

The Attack Chain:
Graphical representation of the steps required to breach a company
Applies across the entire range of attacks: credential-based attacks, malware, vulnerability exploitation
Detecting earlier in the chain: no chance for data exfiltration

Poker story: “How much you bluff?”
Sharks: Attack the right target; analyze behavior to find weakness
Attackers: Monetizable data, immature, what’s worked before?
IR Program: Compare against attacker maturity, not similar-sized orgs

Attack Chain stages:
Infiltration and Persistence: Phish users; Use leaked credentials; Connect to network; Anonymize access; Deploy backdoors
Explore Network: Get user list; Scout targets; Find vulnerabilities
Lateral Movement: Access machines with credentials; Collect more passwords; Increase privileges
Mission Target: Access critical data; Upload data to external location
Maintain Presence: Deploy backdoors; Continued check-ins for future use


Unified Network Coverage (Step 1)
Attacker Recon (Step 2): Cloud services; Network scans; Remote workers; Password guessing attempts
Compromised Creds (Step 3): Cannot detect with threat intel; Present in 63% of confirmed data breaches*
* 2016 Verizon Data Breach Investigations Report

Survey methodology:
1. Collected in Nov 2015: 271 Security Professionals
2. 24 Questions, 10-15 mins to complete – 86% completion
3. LinkedIn, Twitter, R7 Community, Rapid7 Staff
4. Findings Report & Apple Watch



Top security priorities:
1. Security Information & Event Management: Deploying and maintaining SIEM
2. Reducing Attack Surface: Pen testing, vuln management, web app scanning
3. Firewall: Tuning, replacing, and deploying next-gen solutions

SIEM: Do you use one? (poll)
Primary drivers: Incident Detection; Compliance; Log Search
How are they useful? What is being monitored?



Security teams are strained:
Too many alerts: Limited resources; gaps in coverage; 62% of orgs receiving more alerts than they can investigate
Investigations take too long: Time-consuming to validate; jumping between multiple tools

UNIFY: Combine SIEM, UBA, and EDR to leave attackers with nowhere to hide.
DETECT: Find unknown threats with User Behavior Analytics and Deception Technology.
PRIORITIZE: Know exactly where to search with Security Analytics.

Investigation workflow:
Is this alert real, or a false positive? Use experience and context to decide. Data: Log Files (e.g. Event, AntiVirus, Firewall, Proxy); SIEM/Log Aggregator
Who was impacted? What were the users doing? Retrace IP addresses to the users behind them; review authentication logs; query endpoint; run forensics on machine
Did this happen to anyone else? Search across log data; run a hunt
Gather findings. Create & share Super Timeline. Combine data across log search, user activity, and endpoint artifacts
Brings together: Enriched Log Search; User Behavior Analytics; Endpoint Agent (Endpoint Data, User Behavior)
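As an added illustration of the “retrace IP addresses to the users behind them” step above (example code written for this page, not Rapid7’s or InsightIDR’s own): it joins constructed DHCP lease and authentication log lines so that attribution respects when a lease was reassigned, and then pivots to every host the attributed user logged on to. The log formats, host names and user names are all constructed for the example.

```python
"""Retrace an IP address to the user behind it by joining DHCP lease
events with authentication events, then pivot to the user's other hosts.
Added example; log formats, hosts and users are constructed."""
from datetime import datetime
from typing import List, Optional

# Constructed sample log lines (invented format, not a real product's).
DHCP_LOG = [
    "2016-03-01T08:00:00 DHCPACK ip=10.0.5.23 host=LAPTOP-ALICE",
    "2016-03-01T12:30:00 DHCPACK ip=10.0.5.23 host=LAPTOP-BOB",  # lease reassigned
]
AUTH_LOG = [
    "2016-03-01T08:05:10 LOGON user=alice host=LAPTOP-ALICE",
    "2016-03-01T12:45:00 LOGON user=bob host=LAPTOP-BOB",
    "2016-03-01T13:10:00 LOGON user=bob host=FILESRV01",
]


def _parse(line: str) -> dict:
    """Split '<iso-ts> <EVENT> k=v k=v' into a dict with a datetime 'ts'."""
    ts, _event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def host_for_ip(ip: str, at: datetime, dhcp: List[str] = DHCP_LOG) -> Optional[str]:
    """Host holding `ip` at time `at`: the latest DHCPACK for that ip not after `at`.
    Using the latest lease is what keeps a reassigned address from being
    attributed to the previous holder."""
    leases = [e for e in map(_parse, dhcp) if e["ip"] == ip and e["ts"] <= at]
    return max(leases, key=lambda e: e["ts"])["host"] if leases else None


def user_for_ip(ip: str, at: datetime, dhcp: List[str] = DHCP_LOG,
                auth: List[str] = AUTH_LOG) -> Optional[str]:
    """User with the latest logon (not after `at`) on the host that held `ip`.
    Returns None when no lease or no logon exists yet, rather than guessing."""
    host = host_for_ip(ip, at, dhcp)
    if host is None:
        return None
    logons = [e for e in map(_parse, auth) if e["host"] == host and e["ts"] <= at]
    return max(logons, key=lambda e: e["ts"])["user"] if logons else None


def hosts_touched_by_user(user: str, auth: List[str] = AUTH_LOG) -> List[str]:
    """The 'did this happen to anyone else?' pivot: every host `user` logged on to."""
    return sorted({e["host"] for e in map(_parse, auth) if e["user"] == user})
```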




“I like the log search and the ability to bring in logs from anywhere. Not just from supported sources, but any source.”
Chad Kliewer, Information Security Officer

“When you compare it to our previous method of manually going through logs, it’s reduced investigation time by roughly 85 percent.”
Russ Swift, Information Security Manager

“Incident detection and investigation has always been a cumbersome, manual process. With InsightIDR all the information I need to understand and solve a problem is at my fingertips.”
Jordan Schroeder, Security Architect

“InsightIDR is a great system. It gives you that warm feeling inside by catching any suspicious behavior on the network months before you’d otherwise discover it.”
Tom Brown, IT Manager

“InsightIDR arms my team of incident investigators with the exact information they need to make smarter decisions.”
Fortune 500 Real Estate Investment Trust

Takeaways:
1. Focus on earlier detection in the chain
2. Avoid duplications per step to maximize investments
3. Identify current gaps in your program
4. Prioritize high-probability attacks (e.g. creds)

Eric Sun, eric [email protected]

InsightIDR Solution:
Inputs: Endpoint Events; Intruder Traps; Applications; Existing Security Solutions, Alerts, and Events; Enterprise Cloud Apps; Mobile Devices
Security Analytics Platform (SSL): User Behavior Analytics; Machine Learning; Fully Searchable Data Set

Insight Platform Supported Event Sources
FOUNDATION EVENT SOURCES:
LDAP: Microsoft Active Directory LDAP
Active Directory: Microsoft
DHCP: Alcatel-Lucent VitalQIP; Bluecat; Cisco iOS; Cisco Meraki; Infoblox Trinzic; ISC dhcpd; Microsoft; MicroTik; Sophos UTM
DNS
VPN
VALUE-ADD EVENT SOURCES:
IDS / IPS; Web Proxy; Firewall; E-mail Servers; Security Console; Enterprise Cloud Applications; Intruder Traps

Insight Platform Event Sources Cont.
DNS: ISC Bind9; Infoblox Trinzic; Microsoft DNS; MikroTik; PowerDNS
Data Exporters: FireEye Threat Analytics Platform; HP ArcSight & ArcSight Logger; Splunk
VPN: Barracuda NG; Cisco ASA; Citrix NetScaler; F5 Networks FirePass; Fortinet FortiGate; Juniper SA; Microsoft IAS (RADIUS); Microsoft Network Policy Server; Microsoft Remote Web Access; MobilityGuard OneGate; OpenVPN; SonicWALL; VMware Horizon; WatchGuard XTM
Web Proxy: Barracuda Web Filter; Blue Coat; Cisco IronPort; Fortinet FortiGate; Intel Security (fka McAfee) Web Reporter; McAfee Web Reporter; Sophos Secure Web Gateway; Squid; TrendMicro Control Manager; Watchguard XTM; WebSense Web Security Gateway; Zscalar NSS
E-mail & ActiveSync: Microsoft Exchange Transport Agent (Email monitoring); OWA/ActiveSync (Ingress monitoring, mobile device attribution)
Firewall: Barracuda NG; Cisco ASA & VPN; Cisco IOS; Cisco Meraki; Check Point; Clavister W20; Fortinet Fortigate; Juniper Junos OS; Juniper Netscreen; McAfee; Palo Alto Networks & VPN; pfSense; SonicWALL; Sophos; Stonesoft; Watchguard XTM
IDS / IPS: Cisco Sourcefire; Dell iSensor; Dell SonicWall; HP TippingPoint; McAfee IDS; Metaflows IDS; Security Onion; Snort
Rapid7: Windows Agentless Endpoint Monitor; Mac Agentless Endpoint Monitor; Honeypot & Honey Users; Metasploit; Nexpose
Endpoint Protection: Sophos Enduser Protection; Symantec Endpoint Protection
Cloud Services: Google Apps; Okta; Salesforce.com; Microsoft Office 365; AWS Cloud Trails; Box.com; Duo Security
Advanced Malware: FireEye NX; Palo Alto Networks WildFire
SIEMs/Log Aggregators: HP ArcSight; IBM QRadar; Intel Security (fka McAfee) NitroSecurity; LogRhythm; Splunk
Virus Scanners: Cylance Protect; Check Point AV; F-Secure; McAfee ePO; Sophos; Symantec Enduser Protection; TrendMicro OfficeScan; TrendMicro Control Manager
Application Monitoring: Atlassian Confluence; Microsoft SQL Server
