IT & DATA MANAGEMENT RESEARCH, INDUSTRY ANALYSIS & CONSULTING

Slide 1: Achieving Hi-Fidelity Security by Combining Packet and Endpoint Data
David Monahan, Enterprise Management Associates
Research Director, Security and Risk Management
Twitter: @SecurityMonahan
Slide 2: Featured Speaker
David Monahan, Research Director, Risk and Security
David is a senior information security executive with several years of experience. He has organized and managed both physical and information security programs, including security and network operations (SOCs and NOCs) for organizations ranging from Fortune 100 companies to local government and small public and private companies.
© 2016 Enterprise Management Associates, Inc.
Slide 3: Logistics for Today’s Webinar
• Event recording: an archived version of the event recording will be available at www.enterprisemanagement.com
• Questions: log questions in the Q&A panel located in the lower right corner of your screen; questions will be addressed during the Q&A session of the event
Slide 4: Achieving Hi-Fidelity Security by Combining Packet and Endpoint Data (title slide repeated)
Slide 5: Sponsors
Slide 6: Report Demographics
• 225 respondents
• Industries: Education; Finance/Banking; Health care/Pharma; High Tech; Retail; Manufacturing
• Organization size: SMB (<1K) 25%; MidMarket (1K to <5K) 30%; Enterprise (5K+) 45%
Slide 7: Top Challenges Driving Combining Data
• Lack of analysis capabilities in the solutions: 59%
• Lack of dashboards: 38%
• Lack of reporting capabilities: 37%
• Lack of vendor-supplied integration: 34%
• Lack of open APIs: 31%
• Other: 4%
Slide 8: Most Important Business Need for Data Integration
• Prevent breaches: 25%
• Respond to breaches: 20%
• Analyze attacks: 16%
• Confirm indicators of breach: 14%
• Predict attacks: 13%
• Forensic analysis: 6%
• Reporting/monitoring state of security: 6%
Slide 9: Least Confidence in Security Control
• Endpoint Prevention: 22%
• Endpoint Detection: 17%
• Concerned equally with more than one: 16%
• Confident in all four areas: 15%
• Perimeter Prevention: 10%
• Perimeter Detection: 7%
• Incident response (breach investigation capabilities): 7%
• Protection (configuration management,…): 6%
Slide 10: Which Type of Data is Best to Identify Attacks?
• It really depends upon the type of attack: 41%
• Network data: 39%
• Endpoint data: 20%
Slide 11: Endpoint Program Maturity Definitions
Very Strong
At least 99% of endpoints have active prevention/detection (as applicable) and are actively monitored and managed.
AND
The system generates very few, if any, false positives. The system prevents/detects (as applicable) 99% or greater of the endpoint attacks, including those classified as APT, ATA, or zero-day.
Strong
At least 85% of endpoints have active prevention/detection (as applicable) and are actively monitored and managed.
AND
The system generates only a few false positives. The system prevents/detects (as applicable) 95% or greater of the endpoint attacks, some of which would be those classified as APT, ATA, or zero-day.
Competent
At least 75% of endpoints have active prevention/detection (as applicable) and are actively monitored and managed.
AND
The system generates some but not excessive false positives. The system prevents/detects (as applicable) 90% or greater of the endpoint attacks, some of which could be those classified as APT, ATA, or zero-day.
Slide 12: Network Program Maturity Definitions
Very Strong
At least 99% of the network segments have active prevention and are actively monitored and managed.
AND
The system generates very few, if any, false positives. The system prevents/detects (as applicable) 99% or greater of the network-based attacks.
Strong
At least 85% of the network segments have active prevention/detection (as applicable) and are actively monitored and managed.
AND
The system generates only a few false positives. The system prevents/detects (as applicable) 95% or greater of the network-based attacks.
Competent
At least 75% of network segments have active prevention/detection (as applicable) and are actively monitored and managed.
AND
The system generates some but not excessive false positives. The system prevents/detects (as applicable) 90% or greater of the network-based attacks.
Underdeveloped
Less than 75% of network segments have active prevention/detection (as applicable) and are not necessarily actively monitored and managed.
OR
The system generates an excessive number of false positives. The system prevents/detects (as applicable) no more than 90% of the network-based attacks.
Slide 13: Endpoint & Network Security Detection Program Maturity
• Very Strong: Endpoint 20%, Network 25%
• Strong: Endpoint 47%, Network 46%
• Competent: Endpoint 26%, Network 24%
• Underdeveloped: Endpoint 5%, Network 4%
• Endpoint security detection is not a significant focus of our security program: Endpoint 2%, Network 1%
Slide 14: Endpoint & Network Security Prevention Program Maturity
• Very Strong: Endpoint 21%, Network 19%
• Strong: Endpoint 42%, Network 47%
• Competent: Endpoint 28%, Network 27%
• Underdeveloped: Endpoint 7%, Network 6%
• Endpoint security prevention is not a significant focus of our security program: Endpoint 2%, Network 1%
Slide 15: Endpoint & Network Security Detection Program Maturity (repeat of slide 13, same figures)
Slide 16: Effectiveness of Endpoint and Network Protection Tools
• Effective: Endpoint 67%, Network 63%
• Ineffective: Endpoint 21%, Network 20%
• I don't know: Endpoint 11%, Network 17%
Slide 17: Importance of Automation for Prevention
• Very Important: Endpoint 41%, Network 46%
• Important: Endpoint 44%, Network 39%
• Somewhat Important: Endpoint 12%, Network 13%
• Somewhat Unimportant: Endpoint 1%, Network 1%
• Not Important at All: Endpoint 2%, Network 1%
Slide 18: Importance of Automation for Detection
• Very Important: Endpoint 50%, Network 51%
• Important: Endpoint 35%, Network 35%
• Somewhat Important: Endpoint 12%, Network 13%
• Somewhat Unimportant: Endpoint 1%, Network 0%
• Not Important at All: Endpoint 2%, Network 1%
Slide 19: Maintaining Historical Data for Behavioral Analysis and Anomaly Detection
• We maintain historical data: Endpoint 45%
• We do not, but we believe it is important: Endpoint 40%
• We do not and do not believe it is necessary: Endpoint 2%
• I don't know: Endpoint 13%
• Network: 58%, 35%, 7% (only three values appear on the slide, so their assignment to the four answers is not recoverable)
Slide 20: Summary: Best Data for Early Detection
• Access logs: 22%
• Network Security Logs (Firewall, IDS, DNS, etc.): 21%
• Systems Log Monitoring (Application, Server, User chg, etc.): 17%
• Network Data (Packets, Flows, etc.): 16%
• Endpoint Change Data: 13%
• Performance Logs: 7%
• Other: 4%
Slide 21: Data Sources Used for Network Security
• Network flows (NetFlow, IPFIX, etc.): 42%
• Deep packet inspection (DPI): 36%
• Cloud-based API for reporting: 35%
• Transaction metrics: 29%
• Time series data/device metrics (SNMP, WMI, etc.): 28%
• Other: 2%
• I don't know: 18%
Slide 22: Endpoint Data Used for Security
• File system changes (new files, permission changes, movement, etc.): 79%
• Successful or failed logins: 52%
• Newly installed applications: 49%
• Registry changes: 41%
• Unidentified/new processes: 38%
• Local application logs: 36%
• Process to network connection mapping: 33%
• New local users: 27%
• Disk usage changes: 26%
Slide 23: Tools Used to Correlate Network and Endpoint Data
• Log management with custom scripts: 46%
• Security incident and event management (SIEM): 36%
• Single-vendor solution with both endpoint and network prevention or detection capabilities: 33%
• Vendor-provided APIs to integrate other monitoring/management tools: 32%
• Security analytics (UBA, anomaly detection, or predictive analytics): 32%
• We currently do not have the capability and evaluate these data silos separately: 11%
• I don’t know: 4%
Slide 24: Using Network Data for Security
• Yes, but only for critical investigations: 37%
• No, but we would like to/plan to: 30%
• Yes, for all investigations: 14%
• No, and we have no particular need/interest: 3%
• I don't know: 16%
Slide 25: Data Integration Approaches Used in Security
• Vendor-driven technology partnerships/integrations: 48%
• Vendor-created open APIs: 37%
• Third-party integration tools: 37%
• In-house created custom integrations: 36%
• Third-party analysis of data: 23%
• Other: 2%
Slide 26: Metadata: Creation and Value
• Collection systems create metadata: 79%
• Value of that metadata: Invaluable 15%; Very valuable 69%; Moderately invaluable 15%
Slide 27: Full-Time Equivalents Working Security
• <5 FTE: 30%
• 6 to 10 FTE: 32%
• 11 to 20 FTE: 19%
• >20 FTE: 19%
Slide 28: FTE Applied to Event Investigation per Day
• 1-4 (> 1 FTE): 34%
• 5-8 (approximately 1 FTE): 24%
• 9-24 (1-3 FTE): 30%
• 25-40 (>3 to <=5 FTE): 9%
• 41-80 (>5 to <=10 FTE): 2%
• 81+ (more than 10 FTE): 1%
Slide 29: Alert Volume per Day
• <100 alerts/day: 60%
• >=100 alerts/day: 40%
Slide 30: Severe/Critical Alert Volume per Day
• <=25: 50%
• 26-99: 23%
• 100-499: 15%
• 250-499: 7%
• 500-999: 5%
• >=1,000: 0%
Slide 31: Severe/Critical Alerts Investigated per Day
• 10 or fewer: 67%
• 11-25: 21%
• More than 25: 6%
• We don't generally investigate security alerts: 6%
Slide 32: Network Strengths and Weaknesses
• Strengths
  • Early warning of a network-based attack
  • Attack telemetry
  • Payload dissection/determination
  • Identification of lateral movement (if sensors are placed where they can monitor the traffic)
• Weaknesses
  • Limited deployment at the perimeter hampers internal visibility.
  • They provide no warning of attacks that start on the endpoint (e.g. removable media).
  • Cannot provide insight if packets are encrypted.
  • Dormant or “triggered” attacks may not be detected by network sandboxes.
  • Attack success may be “indeterminate” when network data is used alone.
Slide 33: Endpoint Strengths and Weaknesses
• Strengths
  • Provides detailed data:
     Application installation and process changes
     Registry/configuration changes, file changes, and data moves
     User additions, removals, and permission changes
     Process association with network connections
• Weaknesses
  • Data can be very compartmentalized, so trends may be missed.
  • Missing or failing agents cause visibility gaps.
  • Gaps in scanning or polling cause visibility gaps.
Slide 34: Summary
• Overconfidence in prevention
• Overconfidence in the security programs
• Focusing on the wrong data
• Lack of tools (and people)
• Task and analysis automation are key for success
• Too many alerts to manually investigate
• Both sets of data are valuable but have gaps
• Need to get out of data silos
• Need better analysis capability using combined data
Slide 35: Questions?
Get the full report: http://bit.ly/1mKekfd
