Pinpointing Threats with Intelligence-Driven Extended Detection and Response

After you have watched this Webinar, please feel free to contact us with any questions you may have at general@anomali.com.
Transcript
ANISSA: Hello, and welcome to pinpointing threats with intelligence-driven extended detection and response.
Today the team will take you through the understanding and quick response to threats with Anomali Match.
I'd like to introduce our speakers today.
We have Joe Ariganello, our Senior Director of Product Marketing here at Anomali, and Gordon Collins, our Product Manager here.
With that, I will give it over to Joe, and he will take you through the presentation.
JOE ARIGANELLO: Thanks, Anissa.
Hey, everyone.
I'm Joe Ariganello, Senior Director of Product Marketing at Anomali.
Thanks for taking the time to join us as we introduce you to Match, our extended detection and response answer.
So as organizations continue to expand and evolve their digital footprint, security staff is struggling to adapt quickly to ensure they're able to effectively detect and respond to incidents in their environment.
They're dealing with a remote workforce, moving technologies to the cloud, changing business requirements, as well as the changing threat landscape.
So because of this, organizations are finding they need to adjust their security approach and how they protect their business overall.
But despite making these adjustments, they're finding they're still leading to the same old challenges.
Data overload has been a common theme in security for as long as I can remember.
The shift to digital has multiplied that exponentially, creating an endless stream of data for organizations to sift through.
In fact, recent reports state that security teams receive over 10,000 alerts a day, generated from all that noise, making it harder for organizations to effectively defend against cyber attacks.
A recent Ponemon study showed that 52% of organizations find correlating data as a key obstacle to being able to effectively respond to cyber attacks.
So what are they doing about it?
Well, as a technology guy myself, you throw more tools at it.
So organizations continue to turn to technology to help deal with these problems.
In fact, recent reports show that enterprises deploy over 47 different cyber solutions and technologies in their environments.
But despite all these deployments, only 16% of organizations believe they can detect threats in real time.
To me, this is an indication of not having the right processes in place, or the fact that teams continue to work in silos, and not talk to each other.
So I already mentioned the influx of alerts.
But what happens when you keep deploying tools?
That's right, even more alerts.
So now we have a ton of alerts, a bunch of tools, and guess what?
No one's looking at those alerts.
So we did a study with Dark Reading that showed 91% of organizations do not investigate more than 75% of the alerts they receive.
In fact, most investigated less than 10% on average.
So to me, this suggests most organizations are not in a position to fully derive value from all of those tech investments that they're making.
So why is that?
It comes back to skills.
Seems like we've been talking about this cyber security skills shortage for as long as I can remember.
Recent reports show there are currently cyber security positions.
And it doesn't look like it's going to get better anytime soon.
I think I read that Ed Amoroso from TAG Cyber, had a good idea about giving free tuition for cyber classes.
And Anomali has our own initiative where we've partnered with James Madison University (go Dukes!) to prepare our students to enter the cybersecurity job market.
But in any case, this continues to be a problem that needs to be solved.
So to summarize, most organizations are suffering from too many alerts, too many tools, and not enough expertise.
They continue to work in silos, and lack the tools and intelligence to understand their threat landscape.
The tech they're deploying is generating too many false positives, and it's hindering them from developing an effective response.
So this is where XDR comes in.
Anomali Match is an intelligence-driven extended detection and response solution that helps organizations quickly identify and respond to threats in real time.
Match automatically correlates all security telemetry against active threat intelligence, to stop breaches and attackers.
With Match, organizations can pinpoint relevant threats, research and prioritize alerts, as well as proactively hunt.
They can assess impact to respond effectively, and determine what needs to be done to help prevent any future attacks.
So as I mentioned, Match collects telemetry across our organization to quickly tell you what happened, correlating data with global intelligence that tells you who did it, and enabling you to form an effective response.
With Match, you'll be able to detect threats in real-time, perform a retrospective search in seconds to find any other intrusions into our environment, and have the connected global intelligence to understand how to respond to attack quickly, and effectively.
How quickly?
I'm glad you asked.
This case study looks at the time it would take to do a retrospective search in an environment after an alert was received.
So without Match, it took over 9 days to receive the alert, manually parse and research the indicators, restore data, and find the boxes that were infected to pull for additional forensic analysis.
Match was able to perform the same tasks in less than 10 minutes, using big data analytics and machine learning, to transform that data into one decisive response.
With visibility into over five years of security telemetry, millions of IOCs and other data, Match was able to quickly pinpoint the threat and free up the analyst to work on what matters, and to enable a quicker response.
So enough of my talking.
Let's get to the demo.
And now I'd like to introduce Gordon Collins, who will be demonstrating how Match is a differentiated XDR solution that helps stop breaches and attacks.
Gordon, take it away.
GORDON COLLINS: Great, Joe, thank you very much.
Let me just share my screen before I kick off, and then introduce myself as well.
And Joe, you let me know if I end up showing the wrong screen.
But I think I'm all good.
So hello, everyone.
My name is Gordon Collins, I'm a Product Manager here at Anomali.
And I'm based in the UK.
And I'm going to show you some practical ways Anomali Match helps the extended detection and response of threats that have been identified through the correlation of your log event data with the global threat intelligence.
So I'm going to step through those things in three steps.
Firstly, I'm going to talk about the X, and then the D, and then the R.
So here we have Anomali Match on the dashboard, where an analyst would land if they're working within Anomali Match to work through any of those real-time threats that have been detected in your environment.
And by correlating the log event data that has been ingested with the global threat intelligence, both indicator and threat model.
I should reiterate.
And so I'm going to-- just step through into the settings part of the application.
So I'm going to get the little wheel here, and go to Links.
And just pause here for a moment, and show you our universal link, which is a critical aspect or a critical tool that works with Anomali Match, and allows different vendors of different log event data to be forwarded to Anomali Match for ingestion, so that we can, in real time, find threats that are live in your environment.
And you can see here a number of vendors, but I want to just draw your attention to the custom tile here.
Time really doesn't allow me to go into too much detail in terms of the wizard that the application enables, but the point I really want to make here, is that it is possible to extend the data sources.
And when that data is being forwarded to Anomali Match through this wizard, it's possible to transform and parse the content.
First of all to view it-- view the log data, transform and parse and then map it to the appropriate schema within Match, to optimize the matching capability, and to find those matches that are of highest priority.
And I'll come a little bit to the point that Joe was making about the data overload and maybe the alert fatigue.
Some of the tooling within Anomali Match that helps prioritize and ensure that only those highest and most critical alerts are visible for remediation or for response.
So that there is adding a log source.
Essentially, just showing that it is possible to ingest any type of data source.
Those that we were familiar with have already been mapped for you, and through the custom tooling, then you can build your own.
So I'm going to go back for a second and stay in the same place.
So that's not the only way we can ingest log data, and really a nod to the extended aspect of the XDR capability of Anomali Match is that you'll see here that we already have what we call dedicated links to ingest data from Splunk, ArcSight, and QRadar.
So we've already spent time on their APIs and ingest log event data from those sources into Anomali Match, allowing us to find threats correlated against global threat intelligence that is also ingested, and that's my neat segue to the second data set that is held within Anomali Match, of course, global threat intelligence.
How else are we finding the-- how else are we detecting the threats that are in your environment?
By correlating them against a regularly updated bundle of global threat intelligence, not just at an indicator level, but also at a threat model level.
So also, we'll be able to match quickly on the indicator level.
We're also able to help you investigate that a little bit further, based on the matching and occurrence of threat model breaches in your environment.
So that's a significant thing to bear in mind.
So just before I leave this X part of the demo, I'm going to step into one further location.
So what we've had to look at is the mechanisms, and hopefully you'll see that it's fairly straightforward to ingest content from the myriad of different data sources.
Not just your endpoint but from your firewall if necessary, or any cloud network logs, or any other traffic that is of relevance to you.
But the third thing and a nice way that I can illustrate how we enrich the data that matches the detections-- the threat detections, because we're also ingesting asset data.
And here, we'll see.
And this is a demo environment, so bear with the quantity of data here for the assets.
But we'll have the internal IP.
We'll have the operating system of the asset, and of the hostname, but also criticality label.
So if the asset is critical-- as you'll see here the last one, when we find the match, and we located a match on a given asset, then we can enhance our risk scoring, and if you pushed the right threat detection to the top of the queue or to the top of the pile.
So that the data overloads, or in mitigating against the data overload problem that Joe had been talking about a little bit earlier.
So that's, if you like, the third leg of our tool.
And so we've got global threat intelligence, both threat models and indicators.
We've got a multitude of data sources ingesting log data, and then our asset data, which helps us to enrich the detections as we go.
And then-- so I'm going to move now to detection, to the D part.
I'm going to go back to the dashboard where I started.
And this is where an analyst would typically land, and this is where they would live.
And so there are two parts to this.
I won't go through all of the aspects at the screen.
I'm going to check on the Match threat models, and we'll go through that in a moment.
And then here in the middle, there's this top 2020 impacted hosts by risk scores.
There are a number of different ways where we can elevate the most critical, or the highest risk detections for further action.
So there are already detectors here.
But the thing that I wanted to show you here, was this is just for the last seven days, these are the matches-- the detections that we have found over the last seven days.
But if I were to alter this, and I'll just draw your attention here before I do, so like five years.
The number of indicators and events and sources, those values will change.
And that's a key aspect of Anomali Match in its ability, and they'll just update.
There we go.
So we're holding a significant amount of indicators anyway, through our ingestion of global threat intelligence, but a significant amount of log event data.
And this is over a five year period.
So you'll see that some of these things have changed.
And I'm going to stick with the five-year period for a moment, and hopefully that will have shown you how fast it is to retrospectively search over a significant period of time that was one of Joe's latest slides.
I go to select the top impacted host, and that will allow me to do a little bit of detection work.
And this is a particular asset which is critical, so we've enriched from our asset data and we can prioritize accordingly.
There's this risk score.
So I'll just hover here, and it'll let you read.
But it's our way in Anomali Match to elevate the most critical detections to the top of the pile, so that they get the attention that they deserve.
And that's based on some of that enriched asset data that we've incorporated as well.
But the thing I wanted to show you here, was this nice neat little slider that goes across the time period.
So in this example, of course, there are a number of CVEs that have been identified as breaches on this particular asset.
And I go to slide back up here through the slider.
And for the benefit of our conversation here, these won't have been remediated.
But there's just a slew of different activities here, whether showing the iType and some further information on the indicator.
So one thing that's possible here.
If I were to select the iType and just have a few of-- then that opens another tab, allows me to remain where I was previously, and this allows me then to select-- Oh, no results found for that one.
So I'll skip and go back.
What I would like to do, is go to the next part, which will show how I can manually update.
There are two different ways that I can inform my response, through following the detection of a given threat.
So I'm back to seven days, and I'm going to go in here.
And this is really to illustrate the fact that we're matching not just on indicators, but also on threat models.
So the one that is occurring the most over this time period is Mummy Spider.
So again, I go to select that.
And this is something maybe an analyst might want to do-- just to check which is the threat model that is occurring the most, and is relevant to me.
Is it something that I should be interested in?
And for instance say, for the sake of argument in this example, I am an analyst working for an organization of financial services.
I can see straight off the bat, through the tagging of this particular threat actor, that they are operating in financial, and attacking financial services organizations.
I can also then check the actor detail, and read up further information on this particular actor.
And I can find then, as I scroll down, what geo regions they operate in.
And let's say I'm located in the United Kingdom, which in fact I am; that is a further attribute of this actor that makes me concerned.
And then as a result of that, I have a couple of things available to me.
I can immediately select the set of matches related to this actor, and I can create an incident.
So that's informing one kind of response that remains within Anomali Match, and there is workflow.
Then through another set of users, there's a dashboard to pick off these incidents.
So if you like, as an analyst I've detected those things that are of highest priority for me, and push them through to another person who will then work through them.
I won't fill that in, just for the sake of not having you watch me type badly.
And so-- but what I will do is move away.
So what we've looked at there in terms of response is the manual detection, and then a manual option to respond within Anomali Match by creating an incident.
And I'm just going to close this and go back a step.
And then you'll see here that I was able-- when I clicked on that Mummy Spider in my dashboard, it brought me to here and effected a search, in essence.
And I'm going to save that search.
And then I'm going to show-- the last part of this walk through, is how I can create an alert, which automatically sends a set of the highest priority and detections outside to inform response outside of Anomali Match.
So let me first of all just show you that this is-- I'm just going to use a very simple example to create my saved search, which I can then use in my filter later on, in my alert later on.
But there are a number of other capabilities that you can extend and fine tune your filter, so that you are picking up the most pertinent detections that are right for you.
Again, and now to Joe's point earlier about data overload, and also try and spend a lot of time manually sifting through detections, and this is a new capability.
So I'm going to save this.
I'm not going to add anything more to it, I'm just going to save it, and I'm going to call it Mummy Spider.
And I'm going to call it Tuesday, just so that we can find it, just for the sake of our example.
I'll save that, and then we'll remember that for when I come to my next and third element of the R.
So XDR.
So we've had a little look through the X, and the extended data ingestion within Anomali Match, being the full myriad of log event data, the global threat intelligence, whether it's indicator or threat model, and how we enrich any of the detections using the assets that have been loaded.
And then we've had a little look at the manual detection using the dashboard, and also the threat model detection, and now the final part of the response part.
And we did a manual response.
So I mean, alerts have gone back into my settings area.
This is a piece of maybe configuration, easily done, easily created.
So I'm going to create a new alert.
So many applications will have this, and I'm going to call it Mummy Spider.
Just again, for the sake of expediency during this demo.
And as you can see through this widget, there are four steps.
And I can decide to set up my rule based on indicator matches, threat bulletins, actors, campaigns, TTPs, vulnerabilities, and other things.
So there's a number of ways I can slice and dice the refinement of the way I'm alerting.
Again, with a nod to the data overload that we're refining.
Where these alerts are looking, what is triggering them.
I'm going to stick with my actor thread.
So the first part is, I've got a rule called Mummy Spider, its source is based on actor.
I can then depending on-- choose a different type of matching, so I'm just going to stick with simple, but there are spike detection and frequency detection and things you would expect to see.
And I've got time periods, I can choose to have this alert run from a given start and end date.
Or, but I could hold onto continuous right now.
Again, I can select some tags, again, to help me, allow to, refine the alerts that are generated.
So I'm not just flipping one big pile into another big pile, I am refining and prioritizing as I go, even as I'm creating this alert.
I'll hit next, and then we find the filter that I was looking for.
There we go, Mummy Spider Tuesday.
And that's going to refine further the data that I have gathered-- the detections that I have gathered, that I'm making available for my response.
And the final thing, is all well and good.
I found all of these-- these matches matched, based on a correlation of global threat intelligence and the log data that's been ingested.
I can do a number of things with this.
So I can post it back to my dashboard, so that somebody else can work through it.
I can as well, in addition, I can send an email to another person or another mailbox.
I can create an incident as we've already done for further workflow within Anomali Match.
I can run a script.
So this is really quite a neat thing.
With a nod to also, what Joe was saying about the number of applications that are running-- that organizations are using to assist in threat detection and response.
So mindful of the fact that one or other application may be a preferred application for managing remediation response, noting the-- what I would think is a pretty unique capability of Anomali Match to match both, in real-time and retrospectively fast.
You could run a script-- a custom script, that sends these detected threats to your preferred environment, transformed in the way that your script would mandate.
You could also-- again, with a nod to the preferences of the analyst team, who may actually prefer to continue working with the detected threats in another environment, such as a SIEM.
Then we can forward this content to syslog for further processing through another environment.
Or finally, as another example, I'll just highlight Elasticsearch.
Again, with a nod to the fact that there are many different ways that a security ecosystem could be set up, and one of those is where an organization has chosen to build rather than buy.
And if you have an ELK Stack, then we're thinking ahead for that as well.
So these are just a number of different ways that we can inform response through those applications as well.
So I think I've probably spoken long enough at this point.
I'll pause at that stage, and just remind myself to go through my checklist.
The X of XDR is really the ingestion of log event data from multiple sources, not just an endpoint application.
It is, however, correlated with global threat intelligence, both indicators and threat models.
We're working with [INAUDIBLE] to enrich that to help prioritization.
And then there is a manual response capability or an automated response capability that are both triggered either or from detection activities that are run through Anomali Match.
So as I keep talking then, that's a chance for us, Joe, just to check in and see what kind of questions are coming through.
ANISSA: Yeah.
This is Anissa.
I will jump in.
I do have a few questions teed up here for you guys.
So let's see, this looks like-- Gordon, it's a little technical, so I'm going to tee this one up for you.
We need TTP behavior detection, not just IOC detection.
Does Match help with that?
GORDON COLLINS: Yeah.
So I'm aware that I might have spoken at speed, but I hopefully ticked into this particular question.
And I guess it's a fundamental question that anyone would ask in relation to threat detection.
Yes, short answer is yes.
So because of the nature of our real-time correlation with Global Threat Intelligence, we're correlating against indicators and also the threat model.
So I was hoping that by stepping through that example with the [INAUDIBLE] wizard that that illustrated as well how well Anomali Match will correlate against the more complex kinds of adversarial behaviors such as those things-- as well as TTPs.
So mine was an actor example, but we can work with threat bulletins and other threat models as well.
So yes, short answer, yes.
Anomali Match will manage and detect TTP threats both, and just to repeat, in real-time today but also retrospectively if a given threat has been live in your environment for a long period of time but through the global threat intelligence, we only understand that now, we'll find that too.
So hopefully, that went some way to answering the question there.
ANISSA: Thank you, Gordon.
Joe, we'll have you do this one.
We're worried about malware and fraud these days.
How does Match help there?
JOE ARIGANELLO: Sure, I'll take that one since Gordon's been talking for the past 15 minutes.
So typically, organizations learn about new IOCs four to six months after they're active.
So this means that the breach possibly has already occurred, investigation's been closed, and just everything's been done.
So there's a good chance that the data was never correlated or just stored with the installed tech that they have in their environment.
So they'll never see a match because that's already happened in the past.
You don't have that historical data online, in your SIEM, or other technology.
There is not a way for manual searching to happen, so you'll never be able to identify whether you've had this activity or these known bad IOCs.
So what Match does is it takes hundreds of millions of active indicators and searches across the historical logs to find matches to any malware or fraud indicators.
It uses metadata to search the historical event data for indicators, TTPs, threat actors, or vulnerabilities, and helps put an answer up in seconds or minutes, so people are able to understand.
ANISSA: All right.
Thank you, Joe.
I have one left here.
This looks like a SIEM and we already have one.
How would Match be different?
GORDON COLLINS: I'm on mute, I think.
I might take that one, Anissa, thanks.
So yeah, I can see why the question asker or the questioner would say that.
There are a couple of key things to bear in mind.
And the one thing that-- yes, SIEM can find matches.
But it's really the number of IOCs that are persisted within the environment.
That's one of the key differentiators, I think, between Anomali Match and a SIEM.
So for instance, when I showed the difference between the seven-day period and the five-year period, Anomali Match does hold a significantly larger number of IOCs for matching, much more so than a typical SIEM would tend to do.
So there's that difference in how they persist historical data.
But not only how they persist and know to really how we do it, how is that we scale so well with such a large volume of data.
And really, it's the way that we capture some of the metadata on each of the log events that are ingested.
And that allows us to retrospectively search over a longer period.
But also, we don't have to tee it up so it's there.
As we saw, SIEM, you kind of have to go back and find it, if you like, search, find, and report on that content so that makes it available.
But in a Match, it's there and ready to go already and it hasn't been consigned as you might find on maybe some of your SIEMs to the cold storage that has to be retrieved.
Match holds it and makes it available in a much more timely way.
And so it doesn't allow for that correlation of new intelligence against existing, if you like, historical log data quickly so you don't have to go out of your way to do it.
So hopefully, that describes a little bit how it might look like a SIEM.
But it does offer significant performance and detection capabilities over and above what your SIEM might do.
ANISSA: All right, I think we are set.
So thank you everyone for joining today.
I want to thank Joe and Gordon for a great overview of Match.