An overview of how the Seceon OTM platform can quickly and accurately surface threats within your environment.

Executive Summary

The sophistication and volume of insider threats and targeted cyber-attacks are greater than ever. Despite significant security investments, companies are increasingly at risk of catastrophic breaches. These breaches impact business operations and result in both direct and indirect costs. Recent publicized breaches have shown that these costs range in the hundreds of millions when mitigation, fines and brand value impact are considered. As a result, for the first time, CEOs and corporate boards are contemplating issues historically reserved for CISOs and CIOs.

As we've seen in countless high-profile breaches, we're losing the fight against hackers because our defenses are increasingly obsolete. Traditional security technologies are incapable of addressing today's targeted threats. Time and time again adversaries demonstrate their ability to slip past the most hardened perimeters. Cybercriminals and cyber spies have moved beyond exploiting known vulnerabilities and using known malware. They're morphing malicious behavior in never-before-seen ways; learning your people, processes, technologies, and supply chains; and impersonating authorized users - sometimes using no malware at all. These techniques allow adversaries to pass through perimeter defenses, evade detection technologies like IDS, IPS and NGFW, and bypass configuration monitoring, compliance, vulnerability and patch management controls. They can overrun SIEM and log analysis products that fail to prioritize alerts and frequently miss critical security events, even when they have already occurred.

The silent threat: None of today's traditional solutions deal with one of the most harmful threats: the insider threat. Verizon surveyed large to mid-sized enterprises in their 2015 Threat Report [4] and determined that insiders accounted for 40% of acknowledged threats found.
These are just the known threats; most insider threats go undetected. The insider, using their own or someone else's credentials, typically knows where to look for the data with the most value and, if using legitimate credentials, will not be picked up by SIEMs, DLPs, endpoint solutions or other traditional security measures. Clearly, internal and cyber security is at a tipping point. To win against today's and tomorrow's threats, enterprises must employ a new way of thinking. Seceon believes it's time to turn the game around. This means analyzing the situation from the attacker's perspective, understanding their goals, tactics, and techniques, and letting this new vantage point inform your defenses. This strategy is embodied in the Seceon OTM Platform - the industry's first behavioral detection and response platform that delivers early warning, instant detection, and active remediation to all threats. With its adversary intelligence, state-of-the-art threat detection algorithms, and guided incident remediation, the Seceon OTM Platform instantly detects and actively responds to threats. This white paper details modern security challenges and describes how the Seceon OTM Platform enables our customers to surface threats proactively and auto-respond to them in real time.

Seceon and the Seceon logo are registered trademarks of Seceon, Inc. in the US and/or other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright © 2016 Seceon, Inc.

Introduction

While big names such as Anthem, Sony, Scottrade, E*Trade, Home Depot, JPMorgan Chase, and Target have garnered national headlines following extensive data breaches, the truth is that more than 80% of U.S.
companies experienced a successful insider or cyber-attack [1]. Attacks have become so widespread that virtually no industry today is immune to this new reality. Banking, manufacturing, retail, healthcare, travel, and other sectors face compromise and the ensuing reputational and financial damages. Simply put, adversaries are outpacing security teams and their current security measures. By all accounts, security experts expect the number of attacks to continue growing. For now and the foreseeable future, threat actors have the upper hand against many organizations by wielding targeted, sophisticated attacks that often go undetected by layers of security technologies.

Once considered to be strictly an IT problem, cyber security is now a C-level and board-level concern. Given the state of heightened attention to cyber-attack risk, CIOs, senior IT decision makers, and CISOs are now making cyber security a top priority. In fact, a survey by Piper Jaffray shows that cyber security is now the top spending priority for CIOs, with an impressive 75 percent indicating that they would increase spending in the coming year [2]. However, unless this spending is informed by a new philosophy, it will likely just add another porous layer to the existing pile of ineffective security products. To be effective, that investment must include the deployment of novel methods for protecting digital assets from internal as well as external cyber threats. The status quo of traditional, signature-based or malware-analysis defenses has proven to be woefully inadequate at preventing successful attacks.

Targeted Attacks are on the Rise

In 2015, for the first time, cyber security was a major topic in the annual State of the Union address. High-profile breaches dominated headlines for the last 18 months, highlighting that catastrophic cyber-attacks have become a reality. At their worst, these attacks aren't opportunistic endeavors that leverage routine malware.
They are targeted attacks with the goals of stealing confidential data or damaging business operations. As a result, the costs inflicted by targeted attacks can be enormous, spanning financial and reputational damages. According to the Ponemon Institute, the average cost of a data breach in 2014 was $3.5 million. After its breach was made public, Target projected more than $148 million in damages, which is likely an optimistic estimate [3]. Today's advanced adversaries construct attacks specifically designed to bypass the defenses of a chosen target. These attacks are stealthy and designed to move laterally within an organization for weeks or months once they penetrate the perimeter. Their presence remains undetected for an average of 200 days, according to breach reports [4].

Notes:
[1] CFO Survey June 2015 - http://www.cfosurvey.org/2015q2/press-release-hacking.pdf
[2] Piper Jaffray 2015 CIO Survey
[3] "Cybersecurity Hindsight and a Look Ahead at 2015", Yoav Leitersdorf and Ofer Schreiber, TechCrunch, December 28, 2014
[4] 2015 Verizon Threat Report

Bypassing Endpoint Security

Despite wielding the latest AV signatures, performing diligent patch management, and purchasing the latest malware detection engine, even the most advanced organizations fall victim to targeted attacks. Why? The answer is that the sophistication of attackers continues to outpace the sophistication of so-called next-generation defenses. Techniques that were once only available to state-sponsored attackers are now easily employed by criminal syndicates and hacker groups.
Malware and exploit kits, which are growing in popularity and availability, provide attackers with easy methods to customize and obfuscate signatures to bypass signature-based security measures and rudimentary malware analysis solutions. Combining this with quick-turn exploitation of public vulnerabilities, or zero-day exploits, provides a fully weaponized end-to-end capability to anyone with modest means and malicious intent.

"Increased complexity and frequency of attacks elevate the need for enterprise-scale incident response, APT investigations and a rapid forensic process." - Gartner

This continual permutation of polymorphic signatures allows attackers to remain virtually undetectable by the majority of conventional security defenses, due to their reliance on legacy detection techniques such as hashes and IP blacklisting. To avoid detection within sandboxes or virtualized solutions, many malware.

Turn the Game Around; Think like a Hacker

It's no wonder then that a recent survey reports that two-thirds of respondents are evaluating new endpoint solutions to augment or replace their existing endpoint defenses. But what new endpoint defense is really effective against these more sophisticated attacks? How can CISOs and CIOs improve their companies' defenses, detect threats faster and more accurately, and contain attacks before real damage is done? The answer is to start thinking like an attacker and to take advantage of lessons learned from those who have studied sophisticated adversaries. When most security experts say "think like an attacker" they are advocating penetration testing activities to identify weaknesses in your security systems. However, to be truly effective in thwarting targeted attacks, we need to go a step further. We need to get into the mind of an attacker and understand their goals, tactics, and techniques – in essence their behavior.
Throughout their training and operational experience, military commanders are taught to turn the game around in order to understand any situation from the perspective of their adversary. By doing so, one can begin to understand the adversary's strengths and weaknesses and formulate actions and defenses backed by this insight. In the cyber domain, the same strategy is beneficial when defending digital assets. By venturing over to the dark side of the Internet, cyber security experts can better understand the goals, techniques, tools, and targets of bad actors. From underground hacking forums to online markets hawking cybercrime platforms in China, Russia, or Brazil, these experts learn to think like a hacker.

With that insider intelligence, and a better understanding of the attacker's advantage, they can help their organizations identify unknown threats that are missed by legacy defenses and respond more quickly and effectively to get between the attacker and the asset or between the asset and the exit. While this approach is undoubtedly what's needed to counter today's targeted attacks, it's unrealistic to think that hiring dozens or hundreds of specially trained and experienced cyber security experts is the answer for enterprises. How then can a retailer, manufacturer, financial services provider, telecommunications provider, healthcare, energy, or other type of company harness this type of intelligence to protect its digital assets from bad actors around the world? That's why there's the Seceon OTM Platform.
The Evolution of the Seceon OTM Platform

With the Seceon OTM Platform, you get behavioral-based threat detection and response that combines deep adversarial intelligence with advanced analytics to detect sophisticated threats and respond faster to internal and cyber-attacks. By thinking like a hacker, the Seceon OTM Platform looks for threats in ways other products don't: by anticipating the attacker's behavior choices, the solution reduces the hacker's advantage. The result is instant detection and real-time response with impact indication. The Seceon OTM Platform analyzes host, network device, application and user behavior to rapidly detect the presence of internal risk and cyber-threats, thus accelerating response and preventing damage and loss. Here's how it works:

1. Collection & Control Engine (CCE): The Seceon sensor can reside on monitored endpoints or on its own for remotely collecting high-fidelity data, with minimum impact on host, device or application performance. Seceon CCE sensors monitor thousands of activities along with attributes, including user, system, application, file and network connections, funneling observations back to the Seceon APE. The CCE also has the ability to take action on an internal or cyber threat after receiving instruction from the APE.

2. Analytic Processing Engine (APE): Seceon's cloud-based analytic engine aggregates application, network, file, and configuration details from all sensors and devices. Using context-based behavioral analysis and machine learning modeling, suspicious behavior is quickly identified and tracked in real time as it evolves.
This includes correlating threat activity that is related and part of the same chain of activity. Real-time visualization identifies malicious behavior, and compromised or targeted hosts, applications, and devices, enabling an operator to act in time.

3. Seceon Automated Response: The Seceon OTM Platform guides your security team, enabling fast, effective investigation and response without requiring expert-level skills and knowledge. It produces guidance that dramatically improves the signal-to-noise ratio, empowering security teams to take control in real time.

4. Seceon Threat Intelligence: The Seceon OTM Platform is powered by more than 40 best-of-breed threat intelligence feeds. Our platform has the ability to aggregate and distill, in real time, the most critical threat intelligence from these feeds to identify evolving threats, giving our customers the earliest warning of new techniques and the technology stacks they are targeting, by industry and geography. This intelligence is used as threat model input by the Seceon Analytics Processing Engine to identify and prioritize known and unknown threats that evade traditional defenses.

Why Seceon

With the Seceon OTM Platform, you can defend against targeted attacks with:

Organization-Wide Situational Visibility

Seceon's approach starts with an ability to monitor all activity on the network and on the critical devices which host or provide access to high-value information. Seceon's CCE application collects, digests and turns monitored devices' log and network flow data into meaningful information. It summarizes activities and passes this metadata back to the centralized APE to be put through its threat detection and prediction analysis processes. The CCE's lightweight software application can run in virtualized as well as cloud environments. The CCE can be distributed to monitor thousands of activities and attributes, including user, system, application, file and network connections, with minimum network performance impact.
Real-time Detection

Seceon's cloud-based Analytic Processing Engine aggregates application, network, host, file, user, and configuration details from all CCE sensors. Using machine learning, which feeds threat models that correlate activities into context-based behavioral analysis, suspicious behavior is quickly identified and tracked in real time as it evolves. Visualization identifies malicious behavior, and compromised or targeted hosts, devices, applications and users, enabling an operator to act in time.

Real-time Response

The Seceon OTM Platform guides your security team, enabling fast, effective investigation and response without requiring expert-level skills and knowledge. It produces guidance that dramatically improves the signal-to-noise ratio, empowering security teams to take control in real time. This is a stark difference from the volume of meaningless and repetitive alerts generated by traditional security products.

Advanced Threat Intelligence

The Seceon OTM Platform is powered by more than 40 best-of-breed threat intelligence feeds. Our platform has the ability to aggregate and distill, in real time, the most critical threat intelligence from these feeds to identify evolving threats, giving our customers the earliest warning of new techniques and the technology stacks they are targeting, by industry and geography. This intelligence is used by the Seceon Analytics Processing Engine to identify and prioritize known and unknown threats that evade traditional defenses.
Conclusion

Hackers continue to reach new levels of innovation and resourcefulness as they pursue goals of theft or disruption. These attackers are schooled in evasive behavior that eludes the layers of defenses protecting today's organizations. Signature-based technologies and so-called next-generation defenses have all proven inadequate. As a result, victims have seen both their reputation and financial performance threatened or severely damaged. Lastly but most importantly, true insider threats need to be detected and thwarted before critical information is compromised or exfiltrated. Today, more often than not, such loss goes undetected. To reverse these trends, defenders need better tools that not only detect such threats before real damage is done, but do so automatically in seconds without the need for expert human analysis to quantify and determine the scope of such threats: tools that allow an organization's security posture to be greatly improved while allowing staff to spend less time reacting and more time on proactive activities. By turning the game around, organizations will be able to rapidly detect and respond to adversaries, mitigating loss and damage. Seceon harnesses state-of-the-art behavioral-based threat detection algorithms to detect advanced threats that traditional defenses miss. With the Seceon OTM Platform you can take total control.

To learn more about the Seceon OTM Platform, visit: www.seceon.com