
Target. Hunt. Disrupt.
Securely explore your data

R-SCOPING THE HUNT

An integrated solution with


THE DETECTION AND RESPONSE GAP

What?
205 days on average to detect a breach
Advanced adversaries
Perimeter defenses (Proxy, IPS, IdM, Firewall) and current detection not sufficient

Why?
1 Limited effectiveness of signatures and rules
2 Increased attack surface and hacking tool availability
3 Drowning in alerts and data
4 Not enough security ninjas

Faster and more powerful detection and response capabilities are required
© 2016 Sqrrl and Reservoir Labs | All Rights Reserved 2
WHAT IS THREAT HUNTING?



HUNTING PROCESS FRAGMENTED BY TOOLS

• HR data
• Business context
• Asset configuration
• Email
• Logs
• Alerts
• Threat Intel
• Visualization
• Machine Learning
• Link Analysis
• Search
• SIEM
• Courses of Action Matrix
• Attack chain modeling
• Signatures
• Intrusion reconstruction
• Behavioral Algorithms
• Campaign analysis
• Statistics
• Breach / response timelines

A new technology approach is needed!
HOW YOU’RE PROBABLY HUNTING NOW
Log-oriented techniques can only get you so far
Davids-MacBook-Pro-2:/Users/bianco/temp> grep 6d01739d1d56c64209098747a5756443 *.log
files.log:922712498.188977 Fz892b2SFbpSayzLyl 172.16.113.204 194.7.248.153 Cr4RV91FD8iPXBuoT6 SMTP 1 MD5,SHA1 text/x-c 0.000000 T F 1522 - 0 0 F - 6d01739d1d56c64209098747a5756443 0d1c6b7dcc82b05c719d4cc9dd8d8577e8cb36cb -
Davids-MacBook-Pro-2:/Users/bianco/temp> grep Cr4RV91FD8iPXBuoT6 *.log
conn.log:922712498.086765 Cr4RV91FD8iPXBuoT6 194.7.248.153 1027 172.16.113.204 25 tcp smtp 0.113325 1923 336 SF ShAdDafF 13 2447 12 820 (empty)
files.log:922712498.188977 Fz892b2SFbpSayzLyl 172.16.113.204 194.7.248.153 Cr4RV91FD8iPXBuoT6 SMTP 1 MD5,SHA1 text/x-c 0.000000 T F 1522 - 0 0 F - 6d01739d1d56c64209098747a5756443 0d1c6b7dcc82b05c719d4cc9dd8d8577e8cb36cb -
smtp.log:922712498.119932 Cr4RV91FD8iPXBuoT6 194.7.248.153 1027 172.16.113.204 25 1 delta.peach.mil <hamishs@delta.peach.mil> <tierneyr@goose.eyrie.af.mil> Mon, 29 Mar 1999 08:01:38 -0400 - tierneyr@goose.eyrie.af.mil - <19990329080138.CAA2048> - Phonetics software Tech, - (from mail@localhost) by delta.peach.mil (SMI-8.6/SMI-SVR4)\x09id: CAA2048; Mon, 29 Mar 1999 08:01:38 -0400 - 250 Mail accepted 172.16.113.204,194.7.248.153 - F Fz892b2SFbpSayzLyl F
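The session above pivots by hand: a file hash leads to a files.log record, its connection uid leads to conn.log and smtp.log. The following is an added example, not code from the Sqrrl/Reservoir Labs deck: it performs that pivot programmatically over constructed, field-trimmed Zeek/Bro log lines (the first rows reuse the hash, uids and addresses shown above; the decoy rows and the 10.1.1.x addresses are constructed), joining the three logs on the shared connection uid.

```python
from collections import defaultdict

# Constructed, field-trimmed Zeek logs; row 1 reuses the session's identifiers, row 2 is a decoy.
FILES_LOG = "\n".join([
    "#fields\tts\tfuid\ttx_hosts\trx_hosts\tconn_uids\tsource\tmime_type\tmd5",
    "922712498.188977\tFz892b2SFbpSayzLyl\t172.16.113.204\t194.7.248.153\t"
    "Cr4RV91FD8iPXBuoT6\tSMTP\ttext/x-c\t6d01739d1d56c64209098747a5756443",
    "922712600.000000\tFdecoy00000000000\t10.1.1.5\t10.1.1.9\t"
    "Cdecoy000000000000\tHTTP\ttext/x-c\t00000000000000000000000000000000",
])
CONN_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice",
    "922712498.086765\tCr4RV91FD8iPXBuoT6\t194.7.248.153\t1027\t172.16.113.204\t25\ttcp\tsmtp",
    "922712600.000000\tCdecoy000000000000\t10.1.1.5\t40000\t10.1.1.9\t80\ttcp\thttp",
])
SMTP_LOG = "\n".join([
    "#fields\tts\tuid\tmailfrom\trcptto\tsubject\tfuids",
    "922712498.119932\tCr4RV91FD8iPXBuoT6\t<hamishs@delta.peach.mil>\t"
    "<tierneyr@goose.eyrie.af.mil>\tPhonetics software Tech,\tFz892b2SFbpSayzLyl",
])

def parse_zeek(text):
    """Turn a tab-separated log with a '#fields' header into a list of row dicts."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def index_by(rows, key):
    idx = defaultdict(list)
    for row in rows:
        for value in row.get(key, "-").split(","):  # conn_uids may list several uids
            idx[value].append(row)
    return idx

def pivot_on_hash(md5, files_log=FILES_LOG, conn_log=CONN_LOG, smtp_log=SMTP_LOG):
    """files.log gives the conn uid, conn.log the endpoints, smtp.log the mail envelope."""
    conns, smtps = index_by(parse_zeek(conn_log), "uid"), index_by(parse_zeek(smtp_log), "uid")
    hits = []
    for f in (r for r in parse_zeek(files_log) if r["md5"] == md5.lower()):
        for uid in f["conn_uids"].split(","):
            for c in conns.get(uid, []):
                mail = smtps.get(uid, [{}])[0]  # no smtp.log row for non-mail connections
                hits.append({"fuid": f["fuid"], "uid": uid, "service": c["service"],
                             "orig": f"{c['id.orig_h']}:{c['id.orig_p']}", "resp": f"{c['id.resp_h']}:{c['id.resp_p']}",
                             "mailfrom": mail.get("mailfrom"), "rcptto": mail.get("rcptto")})
    return hits
```

Calling pivot_on_hash("6d01739d1d56c64209098747a5756443") returns the single SMTP connection with its sender and recipient, which is the answer the three greps above assembled by hand.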



HUNTING TECHNOLOGY REQUIREMENTS

Data
• Variety
• Long term retention
• Velocity

Tools
• Search
• Visualization
• Exploration

Analytics
• Behavioral
• Extensible

Collaboration
• Common threat ontology
• Shared insight



SQRRL BEHAVIOR GRAPH
Unique approach to managing security data

KEY CAPABILITIES:
• Asset / activity modeling
• Visualization, exploration, search
• Behavioral analytics
• Big data scale & security

(Graph figure labels: EXFIL, LATERAL MOVEMENT)



SOLUTION: THREAT HUNTING PLATFORM (THP)

A unified environment for:

• Collecting and managing big security data
• Detecting and analyzing advanced threats
• Visually investigating attack TTPs and patterns
• Automating hunt techniques
• Collaborating amongst security analyst teams



SQRRL ENTERPRISE
Sqrrl’s approach to the THP

• Incident Investigation
• Proactive Threat Hunting
• User and Entity Behavior Analytics
SECURITY DATA CONTEXT GAP

Security data sources feeding Sqrrl Enterprise:
• Endpoint Protection
• Firewall & VPN
• IDS & IPS
• Network
• Infrastructure

Context sources and the context they hold:
• Malware Analysis: Files, Hashes, Certs, Comms, C2
• Asset Management: Applications, Location, Owner
• Threat Intelligence: TTPs, Certificates, Files, Hashes
• Vulnerability Mgmt: Exposure, Criticality, CVEs

• Orphaned Data
• Latent Information
• Low Fidelity Alerts
• Low Value
R-SCOPE BRIDGES THE CONTEXT GAP

Security data sources feeding Sqrrl Enterprise:
• Endpoint Protection
• Firewall & VPN
• IDS & IPS
• Network
• Infrastructure

Context sources:
• Malware Analysis
• Asset Management
• Threat Intelligence
• Vulnerability Mgmt
THE BEST THREAT HUNTING EXPERIENCE



THANK YOU!
How To Learn More?
To learn more about Sqrrl:

• Download Sqrrl’s Threat Hunting eBook from our website
• Download the Sqrrl Product Paper from our website
• Request a Test Drive VM from our website
• Reach out to us at info@sqrrl.com
