TRANSCRIPT
Securing Enterprise from Unknown … the Behavior Way
Rank : 384 Rank : 48
Security Challenges for HPCL
• Critical National Asset
• Rapidly growing Automation Infrastructure
• Bigger Attack Surface
• Diverse skillsets of End Users
Security Against Unknown Threats
(Diagram; only the labels are recoverable)
Legend: Known Good / Known Bad / Unknown
• Signature Based Solutions
• Behavior Based Solution
• DDoS Mitigation
• Manual Mitigation
• Malicious files & actions blocked
• Safe files & actions allowed
• Residual Risk
Security Solutions’ Orchestration
(Diagram; only the component labels are recoverable)
• INTERNET
• Cloud IPS / IDS
• Anti‐APT
• E‐Mail Gateway
• Web Gateway
• Threat Intelligence Distribution Platform
• PC / Laptop End‐Points
• Server End‐points (DS)
• Global Threat Intelligence (Threat Cloud)
• Threat Intelligence Server (HPCL)
• Signature Based Solutions
• Behavior Based Solution
Final Defence ‐ Human Wall
• Defined Processes for Employees
• Regular Advisories and Updates
• Engineered Spam & Phishing Campaigns
Our Recent Experiences…
Dridex Campaign
• Microsoft Zero Day Vulnerability
• Multiple mails carrying a Word file with the Dridex exploit
• Mail gateway sent the files to the Virtual Analyzer
• Detected in Virtual Analyzer
• IOCs passed to other security solutions
• Applied patches released by Microsoft
Trickbot Campaign
• Trigger: Abnormal increase (~10x) in sample submissions to the Virtual Analyzer
• Analysis revealed symptoms of a Trickbot campaign
• File extension was .DCO but the true file type was detected as .DOCX
• The IOCs were passed on to the mail and internet filters to block further content carrying this attachment
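The Trickbot slide names two detection signals: a roughly tenfold jump in sandbox submissions against the normal hourly rate, and an attachment whose claimed extension (.DCO) disagrees with its true container type (DOCX). The Python below is an added illustration of both checks, not HPCL's tooling or any vendor's product code. It identifies the true type from magic bytes (OLE2 header, PDF header, or a ZIP archive that carries the OOXML `[Content_Types].xml` entry and a `word/` folder), compares that against the file name's extension, and flags a submission count that exceeds the baseline mean by the slide's 10x factor. The hourly counts and the minimal OOXML-shaped archive are constructed sample data.

```python
"""Detection logic for the two signals on the Trickbot slide:
an abnormal spike in virtual-analyzer submissions, and an attachment whose
extension disagrees with its true file type. Illustrative code added here;
all sample data is constructed inline."""
import io
import os
import zipfile
from statistics import mean

# Header (magic-byte) signatures for common attachment containers.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc / .xls / .ppt
PDF_MAGIC = b"%PDF-"
ZIP_MAGIC = b"PK\x03\x04"                          # ZIP local file header; OOXML is a ZIP

# Extensions that are consistent with each detected true type.
EXPECTED_EXTENSIONS = {
    "docx": {".docx", ".docm", ".dotx", ".dotm"},
    "ole2": {".doc", ".xls", ".ppt", ".dot"},
    "pdf": {".pdf"},
    "zip": {".zip"},
}


def true_file_type(data: bytes) -> str:
    """Identify the container from its header, ignoring the file name.

    A Word OOXML document is a ZIP archive that must contain
    [Content_Types].xml and a word/ folder; a ZIP without those is reported
    as plain "zip" (xlsx/pptx would carry xl/ or ppt/ instead).
    """
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "zip"
        if "[Content_Types].xml" in names and any(n.startswith("word/") for n in names):
            return "docx"
        return "zip"
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the claimed extension is not one expected for the true type."""
    ext = os.path.splitext(filename)[1].lower()
    allowed = EXPECTED_EXTENSIONS.get(true_file_type(data))
    if allowed is None:
        return False  # unknown container: nothing to compare against
    return ext not in allowed


def submission_spike(hourly_counts, current, factor=10.0):
    """Compare the current hour's submissions with the baseline mean.

    Returns (ratio, triggered); factor=10 is the slide's stated trigger.
    """
    baseline = mean(hourly_counts)
    if baseline == 0:
        return (float("inf") if current > 0 else 0.0), current > 0
    ratio = current / baseline
    return ratio, ratio >= factor


def build_sample_docx() -> bytes:
    """Constructed minimal OOXML-shaped archive (not a real Word document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed baseline of ~40 submissions/hour, then 450 in the current hour.
    baseline_hours = [38, 41, 44, 39, 40, 42, 37, 43]
    ratio, triggered = submission_spike(baseline_hours, 450)
    print(f"submission ratio {ratio:.1f}x -> {'ALERT' if triggered else 'ok'}")

    sample = build_sample_docx()
    print("true type:", true_file_type(sample))
    print("mismatch for invoice.dco: ", extension_mismatch("invoice.dco", sample))
    print("mismatch for invoice.docx:", extension_mismatch("invoice.docx", sample))
```

In a mail-gateway pipeline the mismatch flag is a reason to route the attachment to the behavior-based analyzer regardless of what the extension filter would otherwise allow; the spike check belongs on the analyzer's submission counter so that a campaign shows up before any single verdict does.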
Petya Ransomware
• Targeted mail to one of the senior officers from a Gmail ID on the day after the Petya outbreak
• Email gateway couldn’t detect it based on signatures
• Attachment passed to the Behavior based solution ‐ found to be malicious
• Quarantined at the Mail Gateway on the basis of behavior analysis
• IOCs passed on to all other signature based solutions
End Point Behavior Protection
• Protecting Endpoints on Unprotected Networks
• End Point Activities leading to abnormal behavior
• Insider Threat Protection
• Data Leak Prevention
Expectations from Industry
• Quality & Quantity of Technical Support Available in India
• Graded forensics services
• Actionable Inputs
• Proactive Solution
• Damage Containment
• Integration with organizations
• Standardized Solutions for OT systems
Challenges to Continue
• Actionable inputs
  • Should be practical
  • Too many false positives
  • Should protect the dumb users
  • Should protect the ‘Expert’ users
  • Should give comfort to the paranoid users
• Proactive solutioning
  • Is a Zero day solution enough?
• Damage containment