think like a hacker


Upload: bitglass

Post on 22-Mar-2017


TRANSCRIPT

Page 1: Think Like A Hacker
Page 2: Think Like A Hacker

Rich Campagna, VP Products, Bitglass

@richcampagna

Nat Kausik, CEO, Bitglass

@bnkausik

Page 3: Think Like A Hacker

Breach Stats

*California AG Breach Report 2014

Page 4: Think Like A Hacker

The Reality - Breaches Happen

*Source: Mandiant/FireEye

205: Average # of days before detection

69%: Victims notified by external sources

“Two kinds of companies, those that were hacked and those that don’t yet know it”

- John Chambers, CEO, Cisco

Page 5: Think Like A Hacker

Types of Breaches

Nuisance Breach - Opportunistic hack on vulnerable end-points

Untargeted Breach - Opportunistic hack on vulnerable enterprises

Targeted Breach - Custom hack on specific enterprise

Page 6: Think Like A Hacker

Effectiveness of Defense: Good

Tools: Anti-X

Target: Vulnerable end-point

Weapon: Malware

Gain: Ad inserts, host control, ...

Nuisance Breach

Page 7: Think Like A Hacker

Effectiveness of Defense: Limited

Tools: Anti-X, NGFW, APT protection

Target: Vulnerable enterprises

Weapon: Malware

Gain: Credit card numbers, etc.

Untargeted Breach

Page 8: Think Like A Hacker

1. 3rd party website “Company Fun Run”

2. Employees register with company creds

3. Hack 3rd party site to steal creds

4. Log into JPM

5. Exfiltrate data over months

6. 3rd party website hires security guru, notifies JPMorgan

Untargeted Breach

Page 9: Think Like A Hacker

Effectiveness of Defense: ???

Tools: ???

Target: Specific enterprises

Weapon: Many

Gain: Geo-political advantage?

Targeted Breach

Page 10: Think Like A Hacker

1. May 2014: Spoofed sites prennera.com, we11point.com

2. Spear phishing emails

3. Employees login with corporate creds

4. Corporate creds

5. Log into Premera, Anthem

6. Query & steal 11M identities

Jan 2015/Feb: IT discovers breach

Targeted Breach

Page 11: Think Like A Hacker

Think Like a Hacker

Page 12: Think Like A Hacker

Anatomy of a Data Breach

1. Bait: Social Engineering, Phishing, Bribery, Etc.

2. Infect: Exploit vulnerability

3. Arm: Install additional malware

4. Explore: Internal replication / lateral movement

5. Exfiltrate: Acquire & exfiltrate sensitive data

Traffic labels on the diagram: C&C (three arrows), Data, Info

Page 13: Think Like A Hacker

Anatomy of a Data Breach

Same five-stage diagram as page 12 (Bait, Infect, Arm, Explore, Exfiltrate), with the overlay label "Traditional prevention technologies" added.

Page 14: Think Like A Hacker

Anatomy of a Data Breach

Same five-stage diagram as page 12, with the overlay labels "Traditional prevention technologies" and "Breach discovery solutions".

Page 15: Think Like A Hacker

Think Like a Hacker

Same five-stage diagram as page 12 (Bait, Infect, Arm, Explore, Exfiltrate), with the overlays "Traditional prevention technologies" and "Breach discovery solutions", plus the outbound indicators overlaid on the diagram:

Spoofed Domains, New Domains, ...

Malware Hosts, C&C, ...

ToR, Anonymous Proxies, File shares, ...

Page 16: Think Like A Hacker

Bitglass Breach Discovery

Page 17: Think Like A Hacker

Breach Discovery - How it Works

Upload Firewall or Proxy logs (no software to install)

-> Bitglass Breach Discovery: Big Data Analysis of Outflows, backed by Bitglass Risk Intelligence

-> Ranked alerts on high-risk outflows, Shadow IT risks, drill-down investigation
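The pipeline on this slide (upload proxy logs, analyse outflows, rank the high-risk ones) and the indicator groups on page 15 (spoofed and new domains, malware hosts and C&C, ToR and anonymous proxies) can be illustrated with a small outbound-flow scorer. The script below is an added example written for this transcript; it is not Bitglass code and does not reproduce their ranking. The log format, the protected-brand list, the ToR-exit and malware-host entries (TEST-NET address 192.0.2.50, c2.bad-host.example), the baseline domain set and the point values are all constructed placeholders standing in for real risk-intelligence feeds.

```python
"""Score and rank outbound proxy-log flows by breach indicators (added example,
not Bitglass code; every feed, threshold and log line is a constructed placeholder)."""
import re
from collections import defaultdict

# Constructed sample proxy log: "<timestamp> <src_ip> <dest_host> <bytes_out>"
SAMPLE_LOG = """\
2015-03-01T08:00:01 10.1.2.3 mail.example.com 1200
2015-03-01T08:00:05 10.1.2.3 we11point.com 800
2015-03-01T08:01:10 10.1.2.7 updates.example.com 4096
2015-03-01T08:02:00 10.1.2.9 192.0.2.50 52428800
2015-03-01T08:02:30 10.1.2.9 192.0.2.50 73400320
2015-03-01T08:03:00 10.1.2.3 prennera.com 300
2015-03-01T08:05:00 10.1.2.12 c2.bad-host.example 512
"""

# Hypothetical reference data (placeholders, not real feeds).
PROTECTED_BRANDS = {"wellpoint.com", "premera.com", "example.com"}
TOR_EXIT_NODES = {"192.0.2.50"}              # TEST-NET address, hypothetical
MALWARE_HOSTS = {"c2.bad-host.example"}      # hypothetical C&C host
BASELINE_DOMAINS = {"example.com"}           # domains seen in historical logs
HIGH_VOLUME_BYTES = 50 * 1024 * 1024         # 50 MiB per (source, destination)

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})

def registrable_domain(host):
    """Last two labels, e.g. mail.example.com -> example.com (naive, no PSL)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss brand lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def spoofed_brand(domain, brands=PROTECTED_BRANDS):
    """Return the brand a domain imitates (we11point.com -> wellpoint.com), else None."""
    if domain in brands:
        return None                          # the genuine domain, not a lookalike
    normalized = domain.translate(HOMOGLYPHS)
    for brand in sorted(brands):
        if normalized == brand or edit_distance(normalized, brand) <= 2:
            return brand
    return None

def parse_log(text):
    """Yield (src_ip, dest_host, bytes_out); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        _timestamp, src, dest, nbytes = parts
        yield src, dest.lower(), int(nbytes)

def score_flow(dest, total_bytes):
    """Score one aggregated (source, destination) outflow; higher is riskier."""
    hits = []
    if dest in TOR_EXIT_NODES:
        hits.append((50, "ToR exit node"))
    if dest in MALWARE_HOSTS:
        hits.append((60, "known malware/C&C host"))
    if not IPV4.match(dest):
        domain = registrable_domain(dest)
        brand = spoofed_brand(domain)
        if brand:
            hits.append((40, f"spoofed domain (looks like {brand})"))
        elif domain not in BASELINE_DOMAINS:
            hits.append((15, "new domain (not in baseline)"))
    if total_bytes >= HIGH_VOLUME_BYTES:
        hits.append((30, f"high-volume outflow ({total_bytes // 2**20} MiB)"))
    return sum(points for points, _ in hits), [reason for _, reason in hits]

def rank_alerts(log_text):
    """Aggregate bytes per (src, dest), score each flow, rank riskiest first."""
    totals = defaultdict(int)
    for src, dest, nbytes in parse_log(log_text):
        totals[(src, dest)] += nbytes
    alerts = []
    for (src, dest), total in totals.items():
        score, reasons = score_flow(dest, total)
        if score:                            # quiet flows never become alerts
            alerts.append({"src": src, "dest": dest, "bytes": total,
                           "score": score, "reasons": reasons})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)

if __name__ == "__main__":
    for a in rank_alerts(SAMPLE_LOG):
        print(f"{a['score']:3d} {a['src']:<10} {a['dest']:<22} "
              f"{a['bytes']:>10} {'; '.join(a['reasons'])}")
```

Run as a script it prints four ranked alerts: the 120 MiB ToR outflow first, then the C&C host, then the two lookalike domains. The lookalike check (digit-for-letter substitution plus an edit distance of at most 2 against protected brands) flags both we11point.com and prennera.com from page 10 while leaving the genuine wellpoint.com and premera.com alone, because exact matches are excluded before the fuzzy comparison. On real logs, registrable_domain() should use a public-suffix list and the baseline set should be built from historical traffic rather than hard-coded.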

Page 18: Think Like A Hacker

Customer Example

Transportation company, 25,000 employees, 2M log lines per day

Findings:

Data exfiltration to ~200 TOR nodes

4 high-risk, high-volume Shadow IT apps

Case study at bitglass.com/resources

Page 19: Think Like A Hacker

© 2015 Bitglass – Confidential: Do Not Distribute

Customer Example

Big Pharma, 20,000 employees, 2M log lines per day

Findings:

Several nodes infected with malware

New domain contact, phishing attack likely

Case study at bitglass.com/resources

Page 20: Think Like A Hacker

Customer Example

Fed Agency, 2,000 employees, 1GB logs per day

Findings:

Contact with malware hosts

Command & control traffic

Contact with Dark Web

Bkrtx browser hijack outflows

Page 21: Think Like A Hacker

Discovery vs Prevention

Prevention-focused tools: Prevention tools increasingly ineffective against targeted and persistent attacks
Bitglass Breach Discovery: Outbound Data Flow Analysis catches breaches early

Prevention-focused tools: Existing and emerging anomaly detection technologies throw too many alerts to be useful
Bitglass Breach Discovery: Prioritized alerts via cloud-powered big data analytics with proprietary ranking

Prevention-focused tools: SIEM requires curation of risk intelligence feeds and ongoing manual interpretation by SMEs
Bitglass Breach Discovery: Rapid Deployment - Simply upload logs, nothing to install

“Determined attackers can get malware into organizations at will.”

- Neil MacDonald/Peter Firstbrook, Gartner

Page 22: Think Like A Hacker

Bitglass Breach Discovery: Limit the Damage