THE 12 INDICATORS OF COMPROMISE 
12 Indicators of Compromise 
Human Behavior 
• Alert Visibility 
• Return on Intelligence 
• Social Engineering 
Machine Behavior 
• Autonomous System Behavior 
• Policy Violations 
• Botnet C&C Traffic 
Volumetric Behavior 
• DDoS Noise Reduction 
• Unusual Inbound Traffic 
• Unusual Outbound Traffic 
Anomalous Behavior 
• Geographic Anomalies 
• Protocol Anomalies 
• Long-Term Trending 
Using security analytics to identify patterns of network behaviors that indicate an active network attack 
As a security analyst, much of your day-to-day operational 
work involves tracking perimeter defense alerts, responding to 
end-point alerts, and running down user reports of suspicious 
activity. While these tasks are important, you know that there’s 
probably malicious activity on your network beyond the alerts. 
So how do you find it? 
Perimeter defense tools identify the identifiable—events they are 
already aware of and looking for—but these known-knowns are not the 
whole story. There are unknown-unknowns that perimeter defenses 
miss that you must find to fully secure your network. Security analytics 
can guide you directly to the malicious behavior you knew existed, but 
could never see. 
Security analytics use fused disparate network data, from IPS/IDS alerts 
and malware notifications to flow and application metadata, to identify 
patterns of behavior that are indicative of network compromise. They 
quickly and (in many cases) automatically identify and classify these 
malicious behaviors so that you can move fast to remediate infected 
and misconfigured systems or thwart an ongoing attack missed by the 
perimeter. 
In this paper we look at the four categories of malicious behavior 
that concern organizations the most. It is important to understand 
these behaviors, what they are, and why they are dangerous. When 
the presence of any of these behaviors becomes evident using 
security analytics, they become Indicators of Compromise (IOCs), 
something discussed throughout the industry including Dark Reading. 
Understanding these 12 IOCs is critical to identifying network breaches. 
In the first half of 2014, the security researchers at 21CT will release 
analytics that you can use to both identify these 12 Indicators of 
Compromise before they damage your business and, in some cases, 
prevent the compromise from happening. We will highlight newly 
published IOCs in our monthly newsletter with links to learn more 
about the IOCs as well as download the analytics. 
Human Behavior 
Human behavior as used here includes known-known and social engineering behaviors. 
The known-knowns provide context and visualization around perimeter defense alerts 
and threat feed blacklists, while social engineering IOCs identify patterns of behavior that 
deviate from human norms, indicating potential points of exploitation. 
Alert Visibility 
Why Alert Visibility? 
The context surrounding an alert (alert visibility) is important information that security 
organizations need for a more complete understanding of the activity on their networks. 
What happened immediately before and after the alerted event? What hosts were the 
affected systems talking to? What was taken? Security analytics help you find answers to 
these kinds of questions. 
Increasing Alert Visibility Using Security Analytics 
An alert from your anti-malware device that a host on your network has communicated with 
a new botnet command and control server identifies a known bad host on your network that 
you can open a ticket on to remediate the host. As a security analyst, you need to remediate 
that host, but you also want to know if the alert indicates a larger infiltration than just the 
one host. How was the host infected? How long has it been infected? Who communicated 
internally with the now infected host? Was it a file download? Using security analytics, you 
can get answers to these questions for a fuller understanding of the scope of the attack so 
you can mitigate all affected systems. Security analytics do this by fusing secondary data 
sources from devices such as next-generation firewalls or application metadata sensors with 
other network data to transform alerts into indicators of compromise, intelligence that leads 
to faster and more complete mitigation of a compromise. 
Using security analytics you can: 
• Accelerate mitigation of a compromise by extending your perimeter defense to find missed breaches 
• Increase operational insight by identifying patterns of previously hidden malicious behaviors 
• Avoid catastrophic damage to your network by quickly identifying suspicious behavior and accelerating your investigation and mitigation 
• Enable faster, easier, and more repeatable investigations by transforming your experience and creativity into executable analytics 
• Sigh with relief when you discover your network is more secure 
Figure 1: Visualization of the context surrounding an alert
Return on Intelligence 
Why Return on Intelligence? 
Most security organizations subscribe to various threat feeds that deliver monthly, weekly, or even daily updates on 
known bad domains, IP addresses, MD5 sums, or email addresses. These threat feeds are a potentially rich source of 
intelligence, but gaining operational value from them is often difficult and time-consuming. Their varying formats are 
not easily manipulated or searchable, and you can’t scan through them and quickly understand what is important to 
you and your organization. With security analytics you can leverage the full benefit of this powerful intelligence to gain 
visibility into the unknown-unknowns. 
Enhancing Return on Intelligence Using Security Analytics 
One way to utilize the information in threat feeds would be to take a text dump of NetFlow records and write a shell script 
to grep the text file for blacklisted IPs that have been communicated with. Another way would be to grep Bro sensor 
logs for the MD5s that may come in from a threat feed. However, with attackers continually changing IP addresses, 
even if you can utilize the information in the threat feed, you still won’t discover additional instances of an attack 
from IP addresses not yet known to be bad. Security analytics provide the context you need to truly understand the 
behavior of your network. With security analytics and threat feeds you can: 
• Identify connections between internal hosts and known bad external IP addresses 
• Identify additional hosts that downloaded the same file as those connecting to the known bad IP addresses 
• Identify additional IP addresses now known to be bad 
• Reduce time-to-detection and mitigation by utilizing the intelligence you care about in the threat feed 
With an easy way to gain actionable intelligence from the threat feeds you already subscribe to, you significantly 
improve their value and can now enhance your security posture even more by subscribing to additional threat feeds. 
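The grep-then-pivot workflow described above, as an added Python example that is not 21CT's code: match flows against feed IPs, pivot on the file hashes those hosts received to find further hosts, and surface the serving IPs the feed does not yet list. The record layouts, the feed contents, and every address and hash are constructed.

```python
"""Threat-feed matching and pivoting over flow and file records.

Added example, not 21CT's code. The record layouts, the feed contents and
every address and hash are constructed for illustration.
"""
from collections import defaultdict

# Constructed threat feed.
FEED_BAD_IPS = {"203.0.113.9", "198.51.100.77"}
FEED_BAD_HASHES = {"0123456789abcdef0123456789abcdef"}

# Constructed NetFlow-style records: (internal src, external dst, dst port).
FLOWS = [
    ("10.0.0.5", "203.0.113.9", 443),
    ("10.0.0.7", "198.51.100.20", 443),    # benign site
    ("10.0.0.8", "203.0.113.9", 443),
    ("10.0.0.9", "192.0.2.50", 8080),      # not (yet) in the feed
    ("10.0.0.12", "192.0.2.50", 8080),
]

# Constructed Bro files.log-style records: (receiving host, MD5, serving IP).
FILES = [
    ("10.0.0.5", "0123456789abcdef0123456789abcdef", "203.0.113.9"),
    ("10.0.0.9", "0123456789abcdef0123456789abcdef", "192.0.2.50"),
    ("10.0.0.7", "fedcba9876543210fedcba9876543210", "198.51.100.20"),
]


def hosts_talking_to_feed(flows, bad_ips):
    """Step 1, the grep equivalent: internal hosts with a flow to a feed IP."""
    return {src for src, dst, _ in flows if dst in bad_ips}


def hashes_seen_on(files, hosts):
    """Files pulled down by the hosts found in step 1."""
    return {md5 for host, md5, _ in files if host in hosts}


def pivot_on_hashes(files, hashes):
    """Step 2: every host that received one of those files, and from where.
    Returns {host: {serving IP, ...}}."""
    out = defaultdict(set)
    for host, md5, source in files:
        if md5 in hashes:
            out[host].add(source)
    return dict(out)


def newly_bad_ips(pivot, known_bad):
    """Step 3: servers that delivered a bad file but are not yet in the feed."""
    sources = set().union(*pivot.values()) if pivot else set()
    return sources - known_bad


def run_pivot(flows, files, bad_ips, bad_hashes):
    """Chain the three steps and widen the host list with the new IPs."""
    direct = hosts_talking_to_feed(flows, bad_ips)
    hashes = hashes_seen_on(files, direct) | bad_hashes
    pivot = pivot_on_hashes(files, hashes)
    new_ips = newly_bad_ips(pivot, bad_ips)
    # Hosts that reached a newly-bad IP even though no file download was logged.
    via_new_ip = {src for src, dst, _ in flows if dst in new_ips}
    return {
        "direct": direct,
        "via_hash": set(pivot) - direct,
        "new_bad_ips": new_ips,
        "all_hosts": direct | set(pivot) | via_new_ip,
    }
```

In the constructed data only two hosts match the feed directly, but the hash pivot adds a third host and a third server, and the flow pass then finds a fourth host that only ever spoke to that new server.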
Social Engineering 
Why Social Engineering? 
According to Verizon’s 2013 Data Breach Investigations Report, nearly a third of all breaches in 2012 involved social 
engineering. And because social engineering often uses common low-tech methods like emails and phone calls, these 
attacks can be some of the most difficult to protect against. Humans are naturally trusting of each other, especially 
when the appropriate context exists. That said, even social engineering leaves traces in your network that you can 
identify using security analytics. 
Mitigating the Effects of Social Engineering Using Security Analytics 
An employee receives a phone call from a malicious actor who warns of a computer compromise requiring immediate 
action in order to prevent catastrophe. While the phone call is in progress, at the direction of the caller, the employee 
visits a website that has never been accessed by anyone in the corporate network and downloads a malware-infected 
PDF with the pricing of the phantom services the scammer is trying to sell. 
Since this phone call came into an office desk phone, you have access to the SIP logs and can see that the employee 
answered the phone call. That host has now been compromised. Using security analytics, you can identify a pattern 
of the attack: an incoming phone number (and related information such as geographic location), an MD5 sum of the 
PDF file, and the web domain where the download occurred. You can then use this pattern to search for similar activity 
elsewhere on the network. In seconds, you can identify the threat and take steps to mitigate it by setting up alerts, 
blocking domains and phone numbers, and—importantly—creating an alert to flag the MD5 sum even if the attacker 
changes phone numbers and domains. Furthermore, you can notify employees of the attack pattern to mitigate the 
front-end risk vector: the human. Using security analytics, you can quickly mitigate the effects of the breach and 
increase your defense against the same attack in the future... or sigh with relief when you discover that it was a one-off 
attempt.
Machine Behavior 
Machine behavior encompasses all the network traffic and activity automatically generated by a computer beyond the user’s 
control or that violates corporate policy whether explicit or implied. 
Autonomous System Behavior 
Why Autonomous System Behavior? 
In the Human Behavior category, we discussed network activity triggered by some explicit human action (by either the attacker 
or an unsuspecting employee). But computers also do things autonomously behind the scenes without explicit user interaction 
such as email retrieval, instant messaging alerts, and OS updates. While autonomous system behavior is essential to a user’s 
normal day-to-day activity, it can also mask potentially malicious behavior. With security analytics you can quickly filter out 
normal autonomous system behavior to help you zero in on the abnormal behavior that may indicate a compromise, so 
remediation is quicker and more complete. 
Identifying Autonomous System Behavior Using Security Analytics 
When employees arrive at work and turn on their computers, a flurry of network connections flow from their machines as 
they download email and sign on to the corporate instant messaging server. A handful of HTTP requests may then go out as 
employees pull up their personal email or check industry news sites. They may also launch business applications like revision 
control repositories, financial applications, or other databases. 
These applications normally exhibit predictable behavior. With web-based traffic, for example, most web pages download pages, images, and scripts of varying sizes. When a host issues HTTP requests to widely different domains, but they’re all returning the same sized HTTP pages, for example, that’s a good indicator of suspicious behavior. A host issuing bursts of HTTP requests is also suspicious. Even more interesting for the security analyst is multiple autonomous system behaviors on a host within a short time. Combinations of indicators are a powerful window into malicious behavior. The graph pattern matching capabilities of security analytics help you identify these combinations of behaviors that are telltale indicators of compromise, helping you to gain operational insight into this previously hidden behavior on your network. 
Policy Violations 
Why Policy Violations? 
While a host may not be violating explicit company policy, it might be violating a well-understood, implied policy. Either way, the result is the same: behavior outside the expected norm. These policies exist to establish a specific baseline, a deviation from which would indicate (at best) a misconfigured system or (at worst) a compromised system. Security analytics enable you to quickly distinguish compromised systems from misconfigurations and benign policy violations, dramatically reducing business-critical time to detection and mitigation. 
Figure 2: Conceptualization of graph pattern matching 
Figure 3: Visualization of policy violation behavior patterns
Identifying Policy Violations Using Security Analytics 
Internal network clients rarely need to communicate directly with other clients on the network. Most of their activity 
passes through application servers like instant messaging, email, source code repositories, financial applications, 
or other enterprise-level business systems. Worm propagation, however, spreads primarily through host-to-host 
communication. Visualizing host-to-host communication, therefore, would provide insight into a worm that was trying 
to spread throughout the network. Escalated or de-escalated privileged access to corporate data is another example 
of policy violations that could indicate a compromise. If the CEO, for example, accesses the source code repository 
unexpectedly, in most companies this suggests a network breach with data exfiltration as the end goal. Similarly, sudden 
access to the corporate finance system by an engineer would suggest a possible breach with intent to steal corporate financial 
information. By fusing the data from these disparate systems with other network data, security analytics can detect 
combinations of these policy violations that are significant indicators of compromise, enabling you to find and mitigate 
network breaches before serious damage can be inflicted. 
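The two policy-violation patterns in this section, client-to-client fan-out and access outside a user's role, as an added Python example (not 21CT's analytic). The workstation subnet, the role policy, and every flow and access record are constructed.

```python
"""Policy-violation checks: client-to-client fan-out and out-of-role access.

Added example, not 21CT's code. The subnet, roles, systems and every
record below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

CLIENT_NET = ipaddress.ip_network("10.0.0.0/24")   # assumed workstation subnet

# Constructed flow records: (src, dst, dst_port). Servers live in 10.0.1.0/24.
FLOWS = [
    ("10.0.0.5", "10.0.1.10", 993),    # mail
    ("10.0.0.6", "10.0.1.11", 443),    # web app
    ("10.0.0.5", "10.0.1.12", 5222),   # chat
    ("10.0.0.7", "10.0.0.8", 445),     # a single peer-to-peer share: below threshold
]
# One workstation talking to twenty other workstations on the same port.
FLOWS += [("10.0.0.50", f"10.0.0.{51 + i}", 445) for i in range(20)]


def client_to_client_fanout(flows, threshold=10):
    """Workstations that contacted at least `threshold` distinct workstations.

    Clients normally talk to servers, so a wide client-to-client fan-out is
    the shape that worm propagation leaves in flow data.
    """
    peers = defaultdict(set)
    for src, dst, _ in flows:
        if (ipaddress.ip_address(src) in CLIENT_NET
                and ipaddress.ip_address(dst) in CLIENT_NET):
            peers[src].add(dst)
    return {src: len(dsts) for src, dsts in peers.items() if len(dsts) >= threshold}


# Assumed role policy: the systems each role is expected to touch.
EXPECTED_ACCESS = {
    "engineer": {"scm", "mail", "chat"},
    "finance": {"erp", "mail", "chat"},
    "exec": {"mail", "chat", "crm"},
}

# Constructed access log: (user, role, system).
ACCESS = [
    ("alice", "engineer", "scm"),
    ("bob", "finance", "erp"),
    ("carol", "exec", "crm"),
    ("carol", "exec", "scm"),      # an executive reading the source repository
    ("dave", "engineer", "erp"),   # an engineer in the finance system
]


def out_of_role_access(access, policy=EXPECTED_ACCESS):
    """Accesses outside the role's expected set: misconfiguration or compromise, investigate either way."""
    return [(u, r, s) for u, r, s in access if s not in policy.get(r, set())]
```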
Botnet C&C Traffic 
Why Botnet C&C Traffic? 
The presence of botnet command and control (C&C) traffic represents one of the more obvious indicators of compromise. 
If C&C traffic is present on your network, you almost certainly have infected hosts, whether they’re acting as C&C servers 
or, more likely, bots that may be stealing corporate information or acting as drones in DDoS attacks. Security analytics 
can help you identify C&C traffic and stop it before it causes additional damage. 
Detecting Botnet C&C Traffic Using Security Analytics 
Typical web browsing produces web pages compiled from many different page elements from many different hosts and paths as the browser downloads images, scripts, and HTML files, and the resulting page is generally static once compiling is complete. Users do not usually refresh a webpage at regular intervals of, say, every 120 seconds. Frequent and regular page refreshes and requests of only one or two paths to the same host more likely indicate a compromised host calling back to the C&C server to give status updates and listen for new commands. The Zeus botnet, for example, almost always calls out to the same host and pulls only a single URI path. Security analytics can help you quickly identify this behavior and discover compromised hosts on your network before they can inflict serious damage. 
Figure 4: Visual depiction of a security analytic to detect a single URI 
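The three HTTP patterns this paper describes, same-sized replies from unrelated domains and request bursts (Autonomous System Behavior) and regular call-backs to one or two paths on a single host (Botnet C&C Traffic), as one added Python example that is not 21CT's analytic. The log layout, thresholds, hosts, and timings are constructed.

```python
"""Beaconing, uniform-response and burst checks over an HTTP log.

Added example, not 21CT's analytic. The log layout, thresholds, hosts and
timings are all constructed for illustration.
"""
import statistics
from collections import defaultdict

# Constructed HTTP log records: (epoch seconds, client, server host, URI path, response bytes)
HTTP_LOG = []
# A compromised host polling one path on one server every 120 s for a 312-byte reply.
HTTP_LOG += [(t, "10.0.0.21", "cdn-update.example", "/gate.php", 312) for t in range(0, 720, 120)]
# Ordinary browsing: irregular timing, many paths, replies of varying size.
HTTP_LOG += [
    (5, "10.0.0.22", "news.example", "/", 48211),
    (9, "10.0.0.22", "news.example", "/css/site.css", 9120),
    (10, "10.0.0.22", "news.example", "/js/app.js", 71003),
    (47, "10.0.0.22", "news.example", "/story/42", 33870),
    (310, "10.0.0.22", "mail.example", "/inbox", 15000),
    (311, "10.0.0.22", "mail.example", "/img/logo.png", 2048),
]
# One client fetching pages from four unrelated hosts, every reply exactly 512 bytes.
HTTP_LOG += [(20 + i, "10.0.0.23", f"host{i}.example", "/", 512) for i in range(4)]
# A burst: 30 requests to one host inside three seconds.
HTTP_LOG += [(400 + i * 0.1, "10.0.0.24", "ads.example", f"/r/{i}", 100 + i) for i in range(30)]


def beacon_candidates(log, min_requests=5, max_paths=2, max_cv=0.15):
    """(client, host) pairs that request one or two paths at a regular interval.

    Regularity is the coefficient of variation of the gaps between requests;
    a Zeus-style call-home to a single URI produces a CV near zero.
    """
    by_pair = defaultdict(list)
    for ts, client, host, path, _ in log:
        by_pair[(client, host)].append((ts, path))
    hits = {}
    for pair, reqs in by_pair.items():
        if len(reqs) < min_requests:
            continue
        reqs.sort()
        paths = {p for _, p in reqs}
        if len(paths) > max_paths:
            continue
        gaps = [later[0] - earlier[0] for earlier, later in zip(reqs, reqs[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits[pair] = {"period_s": round(mean), "paths": sorted(paths), "cv": round(cv, 3)}
    return hits


def uniform_size_across_domains(log, min_domains=4):
    """Clients whose replies from many different hosts all have the same size."""
    sizes_by_host = defaultdict(lambda: defaultdict(set))  # client -> host -> sizes
    for _, client, host, _, size in log:
        sizes_by_host[client][host].add(size)
    hits = {}
    for client, hosts in sizes_by_host.items():
        if len(hosts) < min_domains:
            continue
        sizes = set().union(*hosts.values())
        if len(sizes) == 1:
            hits[client] = {"domains": len(hosts), "size": next(iter(sizes))}
    return hits


def request_bursts(log, window_s=5, threshold=20):
    """Clients that issue at least `threshold` requests inside any `window_s` span."""
    times_by_client = defaultdict(list)
    for ts, client, *_ in log:
        times_by_client[client].append(ts)
    hits = {}
    for client, times in times_by_client.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):        # sliding window over sorted timestamps
            while t - times[start] > window_s:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[client] = max(hits.get(client, 0), count)
    return hits
```

Each check fires on exactly one of the four constructed clients; a host that trips two of them inside a short window is the combination the paper calls the strongest signal.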
Volumetric Behavior 
Volumetric behavior revolves around the amount of traffic being generated by network activity. Significantly higher than normal 
volumes of network activity could indicate an incoming DDoS attack, compromised hosts exfiltrating data from your network, 
or simply a legitimate transfer of large files to a trusted customer or partner. As a security analyst, you need to be able to identify 
an abnormally high volume of network traffic and quickly determine if it is benign or malicious. 
DDoS Noise Reduction 
Why DDoS Noise Reduction? 
Distributed denial-of-service (DDoS) attacks have garnered much attention in recent years as major corporations have suffered 
very public attacks. While most of the attention is focused on website downtime and resource unavailability, many DDoS 
attacks are now used as a smokescreen for penetration or exfiltration. As the DDoS attack is happening, security organizations 
scramble to deploy their best people to fix or mitigate the effects of the attack, while the attackers are busy with their true 
objective: gaining access to intellectual property and other sensitive corporate information. Using security analytics with all 
your disparate network data fused and visualized in a single solution, you can quickly filter out the noise to detect and mitigate 
the stealth attacks, as well as the obvious and noisy ones. 
Reducing DDoS Noise Using Security Analytics 
A DDoS attack can be a highly visible indicator of compromise, yet it also may be masking the true intent of the attacker. Understanding the type of DDoS attack that you are investigating is very important in being able to properly reduce the noise so that the normal underlying behavior can be analyzed. When analyzing large datasets, time can be a useful filter to reduce the amount of data that you need to scan. For example, you could look at new inbound connections over only the past 60 minutes rather than over the past 24 hours. This is a useful technique, but during DDoS attacks new inbound connections may be happening orders of magnitude more than during a regular time interval. 
For example, Slowloris is an HTTP-based attack where bogus HTTP headers are fed from the attacker to the subject HTTP server. These bogus headers are sent in large time intervals where a single request could potentially take hours or even days to complete. When tens or hundreds of thousands of these connections build up over time, the HTTP server is rendered inaccessible because of resource exhaustion. With security analytics you can quickly filter these types of connections out of the larger dataset so that you don’t see millions of bogus connections but can instead focus on the connections that might be trying to deliver server-side exploits. This allows you to truly see infiltration attempts without being distracted by a large volume of otherwise meaningless Slowloris connections. 
Figure 5: Visual depiction of a security analytic for filtering Slowloris 
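The two-stage filter described above, a 60-minute time window followed by removal of Slowloris-shaped connections, as an added Python example that is not 21CT's analytic. The connection-record layout, the thresholds, and all addresses and byte counts are constructed; the thresholds would need tuning against your own sensor.

```python
"""Slowloris noise reduction over connection records.

Added example, not 21CT's analytic. Record layout, thresholds and every
address below are constructed for illustration.
"""
from collections import namedtuple

Conn = namedtuple("Conn", "start src dst dport duration orig_bytes resp_bytes")

NOW = 100_000  # constructed "current time" in epoch seconds


def constructed_conns():
    conns = []
    # 2,000 Slowloris-style connections opened over the last hour: each held
    # open for many minutes, a few header bytes sent, never answered.
    for i in range(2000):
        conns.append(Conn(NOW - 3500 + (i % 3500), f"203.0.113.{i % 200 + 1}",
                          "10.0.0.80", 80, 1800 + i % 600, 64 + i % 32, 0))
    # An ordinary page fetch: short and answered.
    conns.append(Conn(NOW - 600, "198.51.100.10", "10.0.0.80", 80, 2, 900, 48_000))
    # Short, answered, with an unusually large request body: this is the kind
    # of connection the analyst actually wants to read.
    conns.append(Conn(NOW - 300, "198.51.100.77", "10.0.0.80", 80, 4, 140_000, 512))
    # Same shape but three hours old, so outside the 60-minute window.
    conns.append(Conn(NOW - 10_800, "198.51.100.78", "10.0.0.80", 80, 4, 140_000, 512))
    return conns


def within_window(conns, now, minutes=60):
    """Time filter: keep connections that started within the last `minutes`."""
    cutoff = now - minutes * 60
    return [c for c in conns if c.start >= cutoff]


def is_slowloris_like(c, min_duration=300, max_orig_bytes=2048):
    """Long-lived HTTP connection that sent almost nothing and was never answered."""
    return (c.dport in (80, 443) and c.duration >= min_duration
            and c.orig_bytes <= max_orig_bytes and c.resp_bytes == 0)


def reduce_noise(conns, now, minutes=60):
    """Return (connections worth reading, number of Slowloris-like ones removed)."""
    recent = within_window(conns, now, minutes)
    signal = [c for c in recent if not is_slowloris_like(c)]
    return signal, len(recent) - len(signal)
```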
Unusual Inbound Traffic 
Why Unusual Inbound Traffic? 
Most companies should normally receive very little inbound traffic to their corporate networks. Most companies have websites, but they aren’t typically hosted on the internal corporate network. Most are hosted in the cloud or by a third-party provider so there would be no inbound traffic on the corporate network to the corporate web site. Other than VPN connections and requests to the corporate DNS servers, inbound traffic to the corporate network is very rare and is therefore a strong indicator of compromise. Security analytics can help you quickly separate the good traffic from the bad and remediate the cause sooner and mitigate its impact on your business. 
Detecting Unusual Inbound Traffic Using Security Analytics 
Inbound SSH connections to externally exposed internal hosts are a strong indicator of compromise, particularly if there is 
a pattern to the connections. When an SSH brute force attack happens, an analyst would see lots of invalid SSH attempts, 
followed by a successful one. This could indicate that an external attacker has gained SSH access to an internal host. 
Inbound connections to ephemeral ports are another indicator of compromise. If there is inbound traffic expected, that 
traffic will be destined for well-known ports in the sub-1023 range. Inbound traffic for other ports likely indicates attempts to 
compromise the network or to at least try to gauge the security and openness of the corporate network to gain access. With 
security analytics, you can quickly and easily detect these types of network behavior patterns, leading to faster mitigation 
and prevention of large-scale data exfiltration. 
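The two inbound patterns above, a run of failed SSH logins followed by a success and inbound connections to ports above the well-known range, as an added Python example that is not 21CT's analytic. The sshd-style log lines, the flow records, the internal prefix, the assumed year for the syslog timestamps, and the thresholds are all constructed.

```python
"""Inbound-traffic checks: SSH brute force followed by success, and inbound
connections to ports above the well-known range.

Added example, not 21CT's analytic. Log lines, flows, thresholds and the
assumed year for syslog timestamps are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style auth log.
AUTH_LOG = """\
Jan 10 02:14:03 bastion sshd[4111]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
Jan 10 02:14:08 bastion sshd[4112]: Failed password for invalid user admin from 203.0.113.9 port 51236 ssh2
Jan 10 02:14:15 bastion sshd[4113]: Failed password for root from 203.0.113.9 port 51238 ssh2
Jan 10 02:14:22 bastion sshd[4114]: Failed password for root from 203.0.113.9 port 51240 ssh2
Jan 10 02:14:31 bastion sshd[4115]: Failed password for deploy from 203.0.113.9 port 51242 ssh2
Jan 10 02:14:40 bastion sshd[4116]: Failed password for deploy from 203.0.113.9 port 51244 ssh2
Jan 10 02:14:55 bastion sshd[4117]: Accepted password for deploy from 203.0.113.9 port 51246 ssh2
Jan 10 08:02:10 bastion sshd[5201]: Failed password for alice from 198.51.100.7 port 40110 ssh2
Jan 10 08:02:19 bastion sshd[5202]: Accepted password for alice from 198.51.100.7 port 40112 ssh2
Jan 10 08:30:00 bastion sshd[5300]: Accepted publickey for bob from 198.51.100.8 port 40200 ssh2
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

ASSUMED_YEAR = 2014  # syslog lines carry no year


def parse_auth(lines):
    """-> [(timestamp, source ip, 'Failed'|'Accepted', user)]"""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["result"], m["user"]))
    return events


def brute_force_then_success(events, min_failures=5, window_minutes=10):
    """Sources with >= min_failures failed logins followed by a success inside the window."""
    by_ip = defaultdict(list)
    for ts, ip, result, user in sorted(events):
        by_ip[ip].append((ts, result, user))
    window = timedelta(minutes=window_minutes)
    hits = {}
    for ip, evs in by_ip.items():
        failures = []
        for ts, result, user in evs:
            if result == "Failed":
                failures.append(ts)
                continue
            recent = [f for f in failures if ts - f <= window]
            if len(recent) >= min_failures:
                hits[ip] = {"failures": len(recent), "user": user, "at": ts.isoformat()}
            failures = []          # a success resets the run
    return hits


# Constructed flow records: (src, dst, dst_port).
FLOWS = [
    ("203.0.113.9", "10.0.0.3", 22),        # well-known port, covered by the SSH check
    ("203.0.113.11", "10.0.0.4", 53),       # corporate DNS, expected
    ("198.51.100.40", "10.0.0.3", 49152),   # inbound to a dynamic/ephemeral port
    ("10.0.0.3", "198.51.100.40", 55000),   # outbound, not in scope here
]


def unexpected_inbound_ports(flows, internal_prefix="10.", expected_ports=frozenset()):
    """Inbound (external -> internal) flows to ports above 1023 that are not allowlisted.

    Put the ports your VPN concentrator legitimately listens on in `expected_ports`.
    """
    hits = []
    for src, dst, dport in flows:
        if src.startswith(internal_prefix) or not dst.startswith(internal_prefix):
            continue
        if dport > 1023 and dport not in expected_ports:
            hits.append((src, dst, dport))
    return hits
```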
Figure 6: Visualization of an SSH brute force attack 
Unusual Outbound Traffic 
Why Unusual Outbound Traffic? 
Unusual outbound traffic is an even more likely indicator of compromise than inbound traffic because it could represent 
actual data loss and theft. There are very few reasons that anyone on the corporate network should be uploading gigabytes 
worth of traffic externally. While there are exceptions, this outbound behavior would be a strong indication of compromise 
and behavior that security analytics can help you detect. 
Detecting Unusual Outbound Traffic Using Security Analytics 
RAR archives are the preferred archive and compression format for external attackers such as APT1. A spike in the numbers 
of outbound RAR archives can be a very telling sign. Abnormal database traffic can also be indicative of compromise. If an 
internal database receives a read request followed by large outbound requests, this may indicate a SQL injection attack where 
an external user is dumping a large table such as usernames and password hashes. This attack vector has been used to gain 
access to major corporations’ customer information. Other types of outbound traffic are also pretty unusual. SSH connections 
that transfer large amounts of data, SCP connections sending data out of the corporate network, and, like with unusual inbound 
traffic, unusual outbound traffic to ephemeral ports could also indicate compromise and data exfiltration. Using security 
analytics, you could quickly identify the exfiltration of an unusual number of RAR archives or large amounts of outbound traffic, 
enabling you to quickly stop an active data exfiltration. 
Anomalous Behavior 
Anomalous behavior is network traffic or activity that deviates from an established baseline or does not conform to standard 
protocol behavior. 
Geographic Anomalies 
Why Geographic Anomalies? 
Many organizations do business with a limited subset of the world or have employees only in certain countries. The presence of geographic anomalies—traffic from unexpected locations—in network traffic can help to indicate compromise from foreign nations. The most convenient part about geographic anomalies is that they are easier to baseline than other traffic. Here, too, security analytics, when run on your full range of fused network data, can identify traffic to and from specific geographic locations or traffic not from a specific geographic location, depending on what is typical on your network. 
Understanding Geographic Anomalies Using Security Analytics 
If a company is based solely in the United States, there is little reason why anyone from a foreign country should try to access the corporate network. This traffic would be a red flag that something unexpected was happening. Further, if internal resources were communicating with foreign countries that you wouldn’t expect, this too would indicate some kind of compromise. Geographic anomalies are one of the easier indicators to keep the pulse of because so many perimeter devices have geolocation functionality built in. With security analytics, you can take this information and fuse it with other network data to provide the remaining context to more fully understand the behavior of anomalous geographic traffic on your network. 
Figure 7: Visual depiction of a security analytic for SSH filtration 
Figure 8: Visualization of geolocation data on a network 
Protocol Anomalies 
Why Protocol Anomalies? 
All network protocols have distinct behaviors, many of which are well documented either through the IETF’s RFC process 
or simply from industry standardization. Deviations from these distinct behaviors could be an indicator of compromise, but 
also could simply indicate a misconfiguration of some kind. Using security analytics you can more easily detect deviations 
and sort out the suspicious behavior from simple misconfigurations or benign violations. 
Identifying Protocol Anomalies Using Security Analytics 
A typical host in an enterprise uses DHCP to retrieve an IP address along with other necessary information like default gateway, netmask, and DNS servers. The use of external DNS servers is rare on corporate networks. A corporate host using an external DNS server indicates at best a grossly misconfigured endpoint and at worst an infected host waiting to unleash havoc in your network. 
Similarly, HTTP traffic can display behavior that, while valid, is still anomalous. There are likely many different hosts on the corporate network that talk to the same external host. Google.com, Yahoo.com, and Gmail.com are all hosts that many different hosts may talk to on a daily basis as users engage in normal web surfing. While lots of different hosts communicating with a host is not necessarily an indicator of compromise, when every host uses the same user-agent string, a compromise likely exists. Since there will usually be tens if not hundreds of different user agent strings as users surf with different browsers, different service packs, and different versions of the same browser, many different hosts all communicating with the same external server on a single user-agent is a strong indicator of compromise. Using the pattern searching capabilities of security analytics, you can identify this anomalous behavior so you can investigate its root cause and mitigate the behavior quickly to avoid further damage to your network. 
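Both protocol anomalies above, hosts resolving through a DNS server outside the corporate set and many hosts presenting one user-agent string to the same external server, as an added Python example that is not 21CT's analytic. The corporate resolver list, the DNS and HTTP record layouts, and every address, host name, and user-agent string are constructed.

```python
"""Protocol-anomaly checks: external resolvers and single-user-agent servers.

Added example, not 21CT's analytic. The resolver set, record layouts,
hosts and user-agent strings are constructed for illustration.
"""
from collections import defaultdict

CORPORATE_DNS = {"10.0.0.2", "10.0.0.3"}   # assumed: the resolvers DHCP hands out

# Constructed DNS connection records: (client, resolver it queried).
DNS_CONNS = [
    ("10.0.0.21", "10.0.0.2"),
    ("10.0.0.22", "10.0.0.3"),
    ("10.0.0.21", "10.0.0.3"),
    ("10.0.0.40", "203.0.113.53"),   # resolver outside the corporate set
    ("10.0.0.40", "10.0.0.2"),
    ("10.0.0.41", "198.51.100.53"),
]

# Constructed HTTP records: (client, external host, user-agent string).
HTTP = []
# Eight clients reading a news site with five different browsers: normal.
HTTP += [(f"10.0.0.{30 + i}", "news.example", f"Mozilla/5.0 (Browser {i % 5})") for i in range(8)]
# The same eight clients all presenting one identical string to one server.
HTTP += [(f"10.0.0.{30 + i}", "cdn-sync.example",
          "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)") for i in range(8)]
# Two scripted clients with one UA: too few clients to say anything.
HTTP += [("10.0.0.30", "api.example", "curl/7.30"), ("10.0.0.31", "api.example", "curl/7.30")]


def external_resolver_use(dns_conns, corporate=CORPORATE_DNS):
    """{client: {resolvers outside the corporate set}} for clients that used one."""
    out = defaultdict(set)
    for client, resolver in dns_conns:
        if resolver not in corporate:
            out[client].add(resolver)
    return dict(out)


def single_user_agent_hosts(http, min_clients=5):
    """External hosts contacted by at least `min_clients` clients that all sent one UA.

    A genuinely shared UA (a managed update agent, say) will also match;
    keep an allowlist of such servers beside this check.
    """
    clients = defaultdict(set)
    agents = defaultdict(set)
    for client, host, ua in http:
        clients[host].add(client)
        agents[host].add(ua)
    hits = {}
    for host in clients:
        if len(clients[host]) >= min_clients and len(agents[host]) == 1:
            hits[host] = {"clients": len(clients[host]), "user_agent": next(iter(agents[host]))}
    return hits
```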
Long-Term Trending 
Why Long-Term Trending? 
Long-term trending can help to identify anomalies occurring on a network. The key is establishing an accurate baseline. 
Luckily, the human mind is naturally inclined to establish norms and notice deviations from them, which is why long-term 
trending is so powerful. 
Figure 9: Visual depiction of a security analytic for detecting user-agent patterns
About 21CT 
At 21CT we create investigative analytics products for the way users think, look, and find. Our innovative products and services are used to detect and neutralize healthcare fraud, target and eradicate network security attacks, and more. 21CT solutions shed light on the intelligence hidden within your data. Reward your curiosity at 21ct.com. 
©2014 21CT, Inc. All rights reserved. 21CT, LYNXeon, Torch, the 21CT logo, the LYNXeon logo, and the Torch logo are trademarks, service marks, or registered trademarks of 21CT, Inc. 
21CT, Inc. 
Corporate Headquarters 
6011 W. Courtyard Drive, Building 5, Suite 300, Austin, TX 78730 
Phone: 512.682.4700 
Fax: 512.682.4701 
info@21ct.com 
www.21CT.com 
Long-Term Trending Using Security Analytics 
Establishing an appropriate baseline represents a difficult challenge for many organizations. Companies that are growing at a rapid pace will likely see a corresponding increase in their network traffic. Also, the implementation of new applications makes previously established baselines obsolete. Many trending advocates go with the high-level aggregate traffic view, but many times baselining specific protocols is actually the path that could yield more fruit. Another way to look at baselining traffic is directionality. For example, even if your company is growing, the unusual inbound traffic volume likely would not change. Thus, it becomes easier to baseline that traffic and use security analytics to identify the outliers. A core benefit of security analytics is their flexibility in allowing you to turn your experience and creativity into an executable analytic, making the process of baselining easier and more repeatable. 
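The aggregate-versus-directional argument above, as an added Python example that is not 21CT's analytic: thirty constructed days in which outbound web volume grows steadily while inbound SSH stays flat except for one day. A robust median-plus-MAD baseline on the aggregate view never fires, while the same baseline on inbound SSH alone isolates the anomalous day. The record layout, the multiplier k, and all volumes are constructed.

```python
"""Per-protocol, directional baselining versus an aggregate baseline.

Added example, not 21CT's analytic. Record layout, volumes and the
k multiplier are constructed for illustration.
"""
import statistics
from collections import defaultdict

# Constructed daily volumes in megabytes: (day, direction, protocol, mbytes).
RECORDS = []
for d in range(30):
    RECORDS.append((d, "out", "http", 100_000 + 2_000 * d))   # company growing
    RECORDS.append((d, "in", "ssh", 50 + (d % 5) - 2))        # flat, small jitter
    RECORDS.append((d, "in", "dns", 20 + (d % 3)))
RECORDS.append((28, "in", "ssh", 2_000))                      # constructed anomaly


def daily_totals(records):
    """Aggregate view: everything, both directions, summed per day."""
    out = defaultdict(int)
    for day, _, _, mb in records:
        out[day] += mb
    return dict(out)


def daily_by(records, direction, protocol):
    """Directional, per-protocol view summed per day."""
    out = defaultdict(int)
    for day, dirn, proto, mb in records:
        if dirn == direction and proto == protocol:
            out[day] += mb
    return dict(out)


def robust_baseline(values, k=5.0):
    """Median plus k times the median absolute deviation.

    Both statistics are insensitive to the very outlier being hunted, so the
    baseline can be computed over the window that contains it.
    """
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    return med, med + k * max(mad, 1.0)   # floor keeps a perfectly flat series from firing on noise


def outlier_days(series, k=5.0):
    """Days whose value exceeds the robust baseline of the whole series."""
    days = sorted(series)
    _, threshold = robust_baseline([series[d] for d in days], k)
    return [d for d in days if series[d] > threshold]
```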
Bonus: Time 
While not technically an indicator of compromise, time is a lens through which 
to view the previous indicators of compromise. Take for example the policy 
violations indicator of compromise. If a CEO accesses the source code repository, 
it may not really be unusual if that access happens during the lunch hour and 
the CEO happens to have a technical background and is just perusing the code 
out of curiosity. But if that same CEO accesses the repository at 2:00 am, that 
is a likely indicator of compromise. Adding the dimension of time to the other 
indicators of compromise adds another investigative element that can yield real 
actionable insight. 
Increase Your Operational Awareness with Security Analytics 
Security analytics and visualization can help you quickly and effectively identify 
and eliminate common network behaviors that may indicate a network 
compromise in ways that perimeter defenses—which identify only events they 
know about—cannot. This gives your organization much greater insight into 
the activity on your network, leading to faster remediation and a more resilient 
network security posture. 
During the first half of 2014, the security researchers at 21CT will regularly 
publish new IOC use cases and security analytics available for you to download 
to help your organization increase operational awareness of your network.

10 things you should know about cybersecurity
 
Healthcare IT Security Threats & Ways to Defend Them
Healthcare IT Security Threats & Ways to Defend ThemHealthcare IT Security Threats & Ways to Defend Them
Healthcare IT Security Threats & Ways to Defend Them
 
SANS 2013 Report: Digital Forensics and Incident Response Survey
SANS 2013 Report: Digital Forensics and Incident Response Survey  SANS 2013 Report: Digital Forensics and Incident Response Survey
SANS 2013 Report: Digital Forensics and Incident Response Survey
 
Secureview 2q 2011
Secureview 2q 2011Secureview 2q 2011
Secureview 2q 2011
 
Intelligence Driven Threat Detection and Response
Intelligence Driven Threat Detection and ResponseIntelligence Driven Threat Detection and Response
Intelligence Driven Threat Detection and Response
 
Webinar: Get Ready to Detect, Respond & Recover from a Cyber Attack
Webinar: Get Ready to Detect, Respond & Recover from a Cyber AttackWebinar: Get Ready to Detect, Respond & Recover from a Cyber Attack
Webinar: Get Ready to Detect, Respond & Recover from a Cyber Attack
 

Ă„hnlich wie Insight Brief: Security Analytics to Identify the 12 Indicators of Compromise

Anatomy of a cyber attack
Anatomy of a cyber attackAnatomy of a cyber attack
Anatomy of a cyber attackMark Silver
 
What Is Cyber Threat Intelligence | How It Work? | SOCVault
What Is Cyber Threat Intelligence | How It Work? | SOCVaultWhat Is Cyber Threat Intelligence | How It Work? | SOCVault
What Is Cyber Threat Intelligence | How It Work? | SOCVaultSOCVault
 
Toward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network AutomationToward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network AutomationE.S.G. JR. Consulting, Inc.
 
Toward Continuous Cybersecurity With Network Automation
Toward Continuous Cybersecurity With Network AutomationToward Continuous Cybersecurity With Network Automation
Toward Continuous Cybersecurity With Network AutomationKen Flott
 
Cyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptxCyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptxAbimbolaFisher1
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center FundamentalAmir Hossein Zargaran
 
Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016Karl Kispert
 
Improve network safety through better visibility – Netmagic
Improve network safety through better visibility – NetmagicImprove network safety through better visibility – Netmagic
Improve network safety through better visibility – NetmagicNetmagic Solutions Pvt. Ltd.
 
The future of cyber security
The future of cyber securityThe future of cyber security
The future of cyber securitySandip Juthani
 
4777.team c.final
4777.team c.final4777.team c.final
4777.team c.finalAlexisHarvey8
 
Trial Course - CertMaster Learn and CertMaster Labs for Security+ (Exam SY0-6...
Trial Course - CertMaster Learn and CertMaster Labs for Security+ (Exam SY0-6...Trial Course - CertMaster Learn and CertMaster Labs for Security+ (Exam SY0-6...
Trial Course - CertMaster Learn and CertMaster Labs for Security+ (Exam SY0-6...MohamedOmerMusa
 
Anomali Product Brochure
Anomali Product BrochureAnomali Product Brochure
Anomali Product BrochureTodd Helfrich
 
Ethical hacking.docx
Ethical hacking.docxEthical hacking.docx
Ethical hacking.docxHabeebUllah10
 
F5 Hero Asset - Inside the head of a Hacker Final
F5 Hero Asset - Inside the head of a Hacker FinalF5 Hero Asset - Inside the head of a Hacker Final
F5 Hero Asset - Inside the head of a Hacker FinalShallu Behar-Sheehan FCIM
 
29386971 hacking
29386971 hacking29386971 hacking
29386971 hackingjoeymar143
 
Interset-advanced threat detection wp
Interset-advanced threat detection wpInterset-advanced threat detection wp
Interset-advanced threat detection wpCMR WORLD TECH
 
Securing And Protecting Information
Securing And Protecting InformationSecuring And Protecting Information
Securing And Protecting InformationLaura Martin
 
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516Yasser Mohammed
 
Cybersecurity a short business guide
Cybersecurity   a short business guideCybersecurity   a short business guide
Cybersecurity a short business guidelarry1401
 

Ă„hnlich wie Insight Brief: Security Analytics to Identify the 12 Indicators of Compromise (20)

Anatomy of a cyber attack
Anatomy of a cyber attackAnatomy of a cyber attack
Anatomy of a cyber attack
 
What Is Cyber Threat Intelligence | How It Work? | SOCVault
What Is Cyber Threat Intelligence | How It Work? | SOCVaultWhat Is Cyber Threat Intelligence | How It Work? | SOCVault
What Is Cyber Threat Intelligence | How It Work? | SOCVault
 
Toward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network AutomationToward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network Automation
 
Toward Continuous Cybersecurity With Network Automation
Toward Continuous Cybersecurity With Network AutomationToward Continuous Cybersecurity With Network Automation
Toward Continuous Cybersecurity With Network Automation
 
Cyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptxCyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptx
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center Fundamental
 
Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016
 
Improve network safety through better visibility – Netmagic
Improve network safety through better visibility – NetmagicImprove network safety through better visibility – Netmagic
Improve network safety through better visibility – Netmagic
 
The future of cyber security
The future of cyber securityThe future of cyber security
The future of cyber security
 
185
185185
185
 
4777.team c.final
4777.team c.final4777.team c.final
4777.team c.final
 
Trial Course - CertMaster Learn and CertMaster Labs for Security+ (Exam SY0-6...
Trial Course - CertMaster Learn and CertMaster Labs for Security+ (Exam SY0-6...Trial Course - CertMaster Learn and CertMaster Labs for Security+ (Exam SY0-6...
Trial Course - CertMaster Learn and CertMaster Labs for Security+ (Exam SY0-6...
 
Anomali Product Brochure
Anomali Product BrochureAnomali Product Brochure
Anomali Product Brochure
 
Ethical hacking.docx
Ethical hacking.docxEthical hacking.docx
Ethical hacking.docx
 
F5 Hero Asset - Inside the head of a Hacker Final
F5 Hero Asset - Inside the head of a Hacker FinalF5 Hero Asset - Inside the head of a Hacker Final
F5 Hero Asset - Inside the head of a Hacker Final
 
29386971 hacking
29386971 hacking29386971 hacking
29386971 hacking
 
Interset-advanced threat detection wp
Interset-advanced threat detection wpInterset-advanced threat detection wp
Interset-advanced threat detection wp
 
Securing And Protecting Information
Securing And Protecting InformationSecuring And Protecting Information
Securing And Protecting Information
 
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
 
Cybersecurity a short business guide
Cybersecurity   a short business guideCybersecurity   a short business guide
Cybersecurity a short business guide
 

KĂĽrzlich hochgeladen

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
WhatsApp 9892124323 âś“Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 âś“Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 âś“Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 âś“Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 

KĂĽrzlich hochgeladen (20)

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
WhatsApp 9892124323 âś“Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 âś“Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 âś“Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 âś“Call Girls In Kalyan ( Mumbai ) secure service
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 

Insight Brief: Security Analytics to Identify the 12 Indicators of Compromise

THE 12 INDICATORS OF COMPROMISE

12 Indicators of Compromise

Human Behavior
• Alert Visibility
• Return on Intelligence
• Social Engineering

Machine Behavior
• Autonomous System Behavior
• Policy Violations
• Botnet C&C Traffic

Volumetric Behavior
• DDoS Noise Reduction
• Unusual Inbound Traffic
• Unusual Outbound Traffic

Anomalous Behavior
• Geographic Anomalies
• Protocol Anomalies
• Long-Term Trending

21CT.COM

Using security analytics to identify patterns of network behaviors that indicate an active network attack

As a security analyst, much of your day-to-day operational work involves tracking perimeter defense alerts, responding to end-point alerts, and running down user reports of suspicious activity. While these tasks are important, you know that there is probably malicious activity on your network beyond the alerts. So how do you find it?

Perimeter defense tools identify the identifiable—events they are already aware of and looking for—but these known-knowns are not the whole story. There are unknown-unknowns that perimeter defenses miss and that you must find to fully secure your network. Security analytics can guide you directly to the malicious behavior you knew existed but could never see.

Security analytics fuse disparate network data, from IPS/IDS alerts and malware notifications to flow and application metadata, to identify patterns of behavior that indicate network compromise. They quickly and (in many cases) automatically identify and classify these malicious behaviors so that you can move fast to remediate infected and misconfigured systems or thwart an ongoing attack missed by the perimeter.

In this paper we look at the four categories of malicious behavior that concern organizations the most. It is important to understand these behaviors, what they are, and why they are dangerous. When the presence of any of these behaviors becomes evident using security analytics, they become Indicators of Compromise (IOCs), something discussed throughout the industry, including at Dark Reading. Understanding these 12 IOCs is critical to identifying network breaches.

In the first half of 2014, the security researchers at 21CT will release analytics that you can use both to identify these 12 Indicators of Compromise before they damage your business and, in some cases, to prevent the compromise from happening. We will highlight newly published IOCs in our monthly newsletter with links to learn more about the IOCs and to download the analytics.
Human Behavior

Human behavior as used here includes known-known and social engineering behaviors. The known-knowns provide context and visualization around perimeter defense alerts and threat feed blacklists, while social engineering IOCs identify patterns of behavior that deviate from human norms, indicating potential points of exploitation.

Alert Visibility

Why Alert Visibility?

The context surrounding an alert (alert visibility) is information that security organizations need for a more complete understanding of the activity on their networks. What happened immediately before and after the alerted event? What hosts were the affected systems talking to? What was taken? Security analytics help you find answers to these kinds of questions.

Increasing Alert Visibility Using Security Analytics

An alert from your anti-malware device that a host on your network has communicated with a new botnet command and control server identifies a known-bad host on your network; you can open a ticket and remediate that host. As a security analyst, you need to remediate it, but you also want to know whether the alert indicates a larger infiltration than just the one host. How was the host infected? How long has it been infected? Who communicated internally with the now-infected host? Was it a file download? Using security analytics, you can get answers to these questions for a fuller understanding of the scope of the attack, so you can mitigate all affected systems. Security analytics do this by fusing secondary data sources from devices such as next-generation firewalls or application metadata sensors with other network data to transform alerts into indicators of compromise: intelligence that leads to faster and more complete mitigation of a compromise.

Using security analytics you can:
• Accelerate mitigation of a compromise by extending your perimeter defense to find missed breaches
• Increase operational insight by identifying patterns of previously hidden malicious behaviors
• Avoid catastrophic damage to your network by quickly identifying suspicious behavior and accelerating your investigation and mitigation
• Enable faster, easier, and more repeatable investigations by transforming your experience and creativity into executable analytics
• Sigh with relief when you discover your network is more secure

Figure 1: Visualization of the context surrounding an alert
Return on Intelligence

Why Return on Intelligence?

Most security organizations subscribe to various threat feeds that deliver monthly, weekly, or even daily updates on known bad domains, IP addresses, MD5 sums, or email addresses. These threat feeds are a potentially rich source of intelligence, but gaining operational value from them is often difficult and time-consuming. Their varying formats are not easily manipulated or searched, and you cannot scan through them and quickly understand what is important to you and your organization. With security analytics you can leverage the full benefit of this intelligence to gain visibility into the unknown-unknowns.

Enhancing Return on Intelligence Using Security Analytics

One way to use the information in threat feeds would be to take a text dump of NetFlow records and write a shell script that greps the text file for blacklisted IPs that internal hosts have communicated with. Another would be to grep Bro sensor logs for the MD5s that arrive in a threat feed. However, with attackers continually changing IP addresses, even if you can use the information in the threat feed, you still will not discover additional instances of an attack from IP addresses not yet known to be bad. Security analytics provide the context you need to truly understand the behavior of your network.
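The following worked example is added here and is not code from the 21CT brief or its analytics. It ties together the Alert Visibility and Return on Intelligence sections above: a threat-feed hit in NetFlow-style records becomes the seed of an investigation, the flows around the alert are pulled into a before/after context window with the set of peers the host talked to, and the file the host downloaded (by MD5, from Bro-style file records) is pivoted to find other hosts that fetched the same file and the domains that served it. All IP addresses, domains, hashes and timestamps are constructed placeholders, and the five-minute window and the 10.0.0.0/24 internal prefix are assumptions for the sample data.

```python
"""Added example: turning a threat-feed hit into alert context and a pivot.
Constructed flow and file records only; not 21CT's own analytics."""
from datetime import datetime, timedelta

INTERNAL_PREFIX = "10.0.0."   # assumed internal range for the sample

# Constructed threat feed: placeholder indicators, not real ones.
THREAT_FEED = {
    "bad_ips": {"203.0.113.45"},
    "bad_md5s": {"0123456789abcdef0123456789abcdef"},
}

# Constructed NetFlow-style records: (timestamp, src, dst, dst_port, bytes).
FLOWS = [
    ("2014-03-03T09:00:05", "10.0.0.11", "10.0.0.5",      25, 1200),   # mail
    ("2014-03-03T09:01:10", "10.0.0.11", "198.51.100.7",  80, 48000),  # download
    ("2014-03-03T09:02:00", "10.0.0.11", "203.0.113.45", 443, 900),    # feed hit
    ("2014-03-03T09:03:30", "10.0.0.11", "10.0.0.12",    445, 3000),   # internal peer
    ("2014-03-03T09:20:00", "10.0.0.12", "198.51.100.7",  80, 48000),  # same download
    ("2014-03-03T10:00:00", "10.0.0.20", "10.0.0.5",      25, 800),
]

# Constructed Bro-style file records: (timestamp, host, md5, serving domain).
FILES = [
    ("2014-03-03T09:01:12", "10.0.0.11", "0123456789abcdef0123456789abcdef", "cdn.example-bad.test"),
    ("2014-03-03T09:20:02", "10.0.0.12", "0123456789abcdef0123456789abcdef", "cdn.example-bad.test"),
    ("2014-03-03T09:45:00", "10.0.0.20", "fedcba9876543210fedcba9876543210", "updates.example.test"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def feed_hits(flows, feed):
    """Internal hosts that talked to an IP on the feed's blacklist (the
    'grep NetFlow for bad IPs' step), as (timestamp, host, bad_ip)."""
    return [(ts, src, dst) for ts, src, dst, _, _ in flows
            if src.startswith(INTERNAL_PREFIX) and dst in feed["bad_ips"]]


def md5_hits(files, feed):
    """Hosts whose downloaded files match an MD5 on the feed (the Bro-log step)."""
    return [(ts, host, md5) for ts, host, md5, _ in files if md5 in feed["bad_md5s"]]


def alert_context(flows, host, alert_ts, window_minutes=5):
    """Flows involving `host` within +/- window_minutes of the alert, split
    into before/after, plus the set of peers it was talking to."""
    t0 = parse_ts(alert_ts)
    lo, hi = t0 - timedelta(minutes=window_minutes), t0 + timedelta(minutes=window_minutes)
    before, after, peers = [], [], set()
    for rec in flows:
        ts, src, dst = parse_ts(rec[0]), rec[1], rec[2]
        if host not in (src, dst) or not lo <= ts <= hi:
            continue
        peers.add(dst if src == host else src)
        (before if ts < t0 else after).append(rec)
    return {"before": before, "after": after, "peers": peers}


def pivot_by_md5(files, hosts):
    """Files the flagged hosts downloaded, every other host that downloaded
    the same file (same MD5), and the domains that served it."""
    md5s = {md5 for _, h, md5, _ in files if h in hosts}
    additional = {h for _, h, md5, _ in files if md5 in md5s} - set(hosts)
    sources = {dom for _, _, md5, dom in files if md5 in md5s}
    return {"md5s": md5s, "additional_hosts": additional, "sources": sources}


def investigate(flows=FLOWS, files=FILES, feed=THREAT_FEED):
    """Per feed hit: scope the compromise by context window and MD5 pivot."""
    report = {}
    for ts, host, bad_ip in feed_hits(flows, feed):
        ctx = alert_context(flows, host, ts)
        piv = pivot_by_md5(files, {host})
        report[host] = {
            "bad_ip": bad_ip,
            "peers": sorted(ctx["peers"]),
            "internal_peers": sorted(p for p in ctx["peers"] if p.startswith(INTERNAL_PREFIX)),
            "md5s": sorted(piv["md5s"]),
            "additional_hosts": sorted(piv["additional_hosts"]),
            "new_suspect_sources": sorted(piv["sources"]),
        }
    return report


if __name__ == "__main__":
    for host, info in investigate().items():
        print(host, info)
```

On the sample data the single feed hit on 10.0.0.11 expands to the internal peer it spoke to right after the hit, a second host that downloaded the same file, and a serving domain that was not on the feed; those are the "additional hosts" and "additional IP addresses now known to be bad" that a plain grep of the feed would never surface.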
With security analytics and threat feeds you can:
• Identify connections between internal hosts and known bad external IP addresses
• Identify additional hosts that downloaded the same file as those connecting to the known bad IP addresses
• Identify additional IP addresses now known to be bad
• Reduce time-to-detection and mitigation by using the intelligence you care about in the threat feed

With an easy way to gain actionable intelligence from the threat feeds you already subscribe to, you significantly improve their value, and you can enhance your security posture even further by subscribing to additional threat feeds.

Social Engineering

Why Social Engineering?

According to Verizon's 2013 Data Breach Investigations Report, nearly a third of all breaches in 2012 involved social engineering. Because social engineering often uses common low-tech methods like emails and phone calls, these attacks can be some of the most difficult to protect against. Humans are naturally trusting of each other, especially when the appropriate context exists. That said, even social engineering leaves traces in your network that you can identify using security analytics.

Mitigating the Effects of Social Engineering Using Security Analytics

An employee receives a phone call from a malicious actor who warns of a computer compromise requiring immediate action to prevent catastrophe. While the call is in progress, at the direction of the caller, the employee visits a website that has never been accessed by anyone in the corporate network and downloads a malware-infected PDF containing the pricing of the phantom services the scammer is trying to sell. Since the call came in to an office desk phone, you have access to the SIP logs and can see that the employee answered it. That host has now been compromised.

Using security analytics, you can identify the pattern of the attack: an incoming phone number (and related information such as geographic location), the MD5 sum of the PDF file, and the web domain where the download occurred. You can then use this pattern to search for similar activity elsewhere on the network. In seconds, you can identify the threat and take steps to mitigate it by setting up alerts, blocking domains and phone numbers, and—importantly—creating an alert to flag the MD5 sum even if the attacker changes phone numbers and domains. Furthermore, you can notify employees of the attack pattern to mitigate the front-end risk vector: the human. Using security analytics, you can quickly mitigate the effects of the breach and increase your defense against the same attack in the future... or sigh with relief when you discover that it was a one-off attempt.
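As an added example (not code from the brief or from 21CT), the scenario above can be expressed as a join between two data sources: a SIP call record answered on a workstation, followed within a short window by a download from a domain the network has not seen before, yields the attack pattern of phone number, domain and file MD5. A second function then hunts the rest of the records for any element of that pattern, which shows why the MD5 is the durable indicator once the caller changes number and domain. The call records, downloads, baseline domain list, phone numbers, hashes and the ten-minute window are all constructed assumptions.

```python
"""Added example: reconstructing a social-engineering pattern by joining SIP
call records with HTTP download records. Constructed data only; not 21CT's."""
from datetime import datetime, timedelta

# Domains the network has seen before (constructed baseline).
BASELINE_DOMAINS = {"intranet.example.test", "docs.example.test", "mail.example.test"}

# Constructed SIP records: (answered_at, employee's host, caller number).
SIP_CALLS = [
    ("2014-03-04T14:02:00", "10.0.0.31", "+1-555-0100"),
    ("2014-03-04T15:30:00", "10.0.0.40", "+1-555-0199"),  # ordinary call
    ("2014-03-05T09:10:00", "10.0.0.52", "+1-555-0177"),  # same scam, new number
]

PDF_MD5 = "0123456789abcdef0123456789abcdef"   # placeholder hash of the PDF
# Constructed HTTP download records: (timestamp, host, domain, filename, md5).
DOWNLOADS = [
    ("2014-03-04T14:06:30", "10.0.0.31", "pricing.example-scam.test", "quote.pdf", PDF_MD5),
    ("2014-03-04T15:31:00", "10.0.0.40", "intranet.example.test", "policy.pdf", "11111111111111111111111111111111"),
    ("2014-03-05T09:14:00", "10.0.0.52", "invoices.example-scam2.test", "quote.pdf", PDF_MD5),
    ("2014-03-05T11:00:00", "10.0.0.60", "docs.example.test", "manual.pdf", "22222222222222222222222222222222"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def correlate(calls, downloads, baseline, window_minutes=10):
    """A call answered on a host, followed within the window by a download
    from a domain the network has never seen, yields one attack pattern."""
    patterns = []
    for answered, host, phone in calls:
        t0 = parse_ts(answered)
        for ts, dl_host, domain, name, md5 in downloads:
            if dl_host != host or domain in baseline:
                continue
            delta = parse_ts(ts) - t0
            if timedelta(0) <= delta <= timedelta(minutes=window_minutes):
                patterns.append({
                    "host": host, "phone": phone, "domain": domain,
                    "file": name, "md5": md5,
                    "minutes_after_call": delta.total_seconds() / 60,
                })
    return patterns


def hunt(pattern, calls, downloads):
    """Other hosts matching any element of the pattern, with the element(s)
    that matched. The MD5 still matches when number and domain change."""
    matches = {}
    for _, host, phone in calls:
        if host != pattern["host"] and phone == pattern["phone"]:
            matches.setdefault(host, []).append("phone")
    for _, host, domain, _, md5 in downloads:
        if host == pattern["host"]:
            continue
        if domain == pattern["domain"]:
            matches.setdefault(host, []).append("domain")
        if md5 == pattern["md5"]:
            matches.setdefault(host, []).append("md5")
    return {h: sorted(v) for h, v in matches.items()}


if __name__ == "__main__":
    for pat in correlate(SIP_CALLS, DOWNLOADS, BASELINE_DOMAINS):
        print("pattern:", pat)
        print("  also seen on:", hunt(pat, SIP_CALLS, DOWNLOADS))
```

The first pattern (host 10.0.0.31) finds host 10.0.0.52 only through the MD5, since the second call came from a different number and the PDF was served from a different domain; blocking just the phone number and domain from the first incident would have missed it.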
Machine Behavior

Machine behavior encompasses all the network traffic and activity automatically generated by a computer beyond the user's control, or that violates corporate policy, whether explicit or implied.

Autonomous System Behavior

Why Autonomous System Behavior?

In the Human Behavior category, we discussed network activity triggered by some explicit human action (by either the attacker or an unsuspecting employee). But computers also do things autonomously behind the scenes without explicit user interaction, such as email retrieval, instant messaging alerts, and OS updates. While autonomous system behavior is essential to a user's normal day-to-day activity, it can also mask potentially malicious behavior. With security analytics you can quickly filter out normal autonomous system behavior to zero in on the abnormal behavior that may indicate a compromise, so remediation is quicker and more complete.

Identifying Autonomous System Behavior Using Security Analytics

When employees arrive at work and turn on their computers, a flurry of network connections flows from their machines as they download email and sign on to the corporate instant messaging server. A handful of HTTP requests may then go out as employees pull up their personal email or check industry news sites. They may also launch business applications like revision control repositories, financial applications, or other databases. These applications normally exhibit predictable behavior. With web-based traffic, for example, most web pages download pages, images, and scripts of varying sizes. When a host issues HTTP requests to widely different domains but they all return HTTP pages of the same size, that is a good indicator of suspicious behavior. A host issuing bursts of HTTP requests is also suspicious. Even more interesting for the security analyst is multiple autonomous system behaviors on a host within a short time.
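The two indicators just described, identical response sizes across unrelated domains and bursts of requests, can be computed directly from HTTP request logs. The block below is an added example, not the brief's or 21CT's analytics; the log records are constructed, and the thresholds (a response size shared by four or more domains, five or more requests in a ten-second window) are assumptions chosen for the sample data. A host that trips both indicators scores higher than one that trips either alone.

```python
"""Added example: two autonomous-behaviour indicators from HTTP logs,
same-size responses across many domains and request bursts.
Constructed records only; not 21CT's analytics."""
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2014, 3, 3, 8, 30, 0)

# Constructed HTTP request records: (timestamp, client, domain, response_bytes).
# 10.0.0.21 browses normally: a few domains, varied sizes, minutes apart.
HTTP_LOG = [
    (BASE + timedelta(minutes=1), "10.0.0.21", "mail.example.test", 18234),
    (BASE + timedelta(minutes=2), "10.0.0.21", "news.example.test", 54120),
    (BASE + timedelta(minutes=2, seconds=1), "10.0.0.21", "news.example.test", 2210),
    (BASE + timedelta(minutes=9), "10.0.0.21", "chat.example.test", 412),
]
# 10.0.0.77 hits six unrelated domains within five seconds and every one of
# them answers with an identical 1337-byte body (constructed).
HTTP_LOG += [
    (BASE + timedelta(minutes=3, seconds=i), "10.0.0.77", f"site{i}.example-{i}.test", 1337)
    for i in range(6)
]


def same_size_fanout(log, min_domains=4):
    """Clients for which one response size recurs across many distinct
    domains; returns {client: {size: [domains]}}."""
    sizes = defaultdict(lambda: defaultdict(set))
    for _, client, domain, nbytes in log:
        sizes[client][nbytes].add(domain)
    flagged = {}
    for client, per_size in sizes.items():
        hits = {size: sorted(doms) for size, doms in per_size.items() if len(doms) >= min_domains}
        if hits:
            flagged[client] = hits
    return flagged


def request_bursts(log, window_seconds=10, threshold=5):
    """Clients issuing at least `threshold` requests inside any window of
    `window_seconds`; returns {client: peak requests seen in one window}."""
    times = defaultdict(list)
    for ts, client, _, _ in log:
        times[client].append(ts)
    bursts = {}
    width = timedelta(seconds=window_seconds)
    for client, stamps in times.items():
        stamps.sort()
        peak, j = 0, 0
        for i, t in enumerate(stamps):          # sliding window [t - width, t]
            while stamps[j] < t - width:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            bursts[client] = peak
    return bursts


def score_hosts(log=HTTP_LOG):
    """Combine the two indicators: a host showing both ranks above a host
    showing one, the 'multiple behaviours in a short time' case."""
    fan, burst = same_size_fanout(log), request_bursts(log)
    report = {}
    for client in set(fan) | set(burst):
        indicators = [name for name, hit in (("same_size_fanout", client in fan),
                                             ("burst", client in burst)) if hit]
        report[client] = {"indicators": indicators, "score": len(indicators)}
    return report


if __name__ == "__main__":
    for client, info in sorted(score_hosts().items()):
        print(client, info)
```

Only 10.0.0.77 is reported, with both indicators; the normal browser never shares a response size across domains and never exceeds two requests in any ten-second window.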
Combinations of indicators are a powerful window into malicious behavior. The graph pattern matching capabilities of security analytics help you identify these combinations of behaviors that are telltale indicators of compromise, giving you operational insight into previously hidden behavior on your network.

Figure 2: Conceptualization of graph pattern matching

Policy Violations

Why Policy Violations?

While a host may not be violating explicit company policy, it might be violating a well-understood, implied policy. Either way, the result is the same: behavior outside the expected norm. These policies exist to establish a specific baseline; a deviation from it indicates (at best) a misconfigured system or (at worst) a compromised system. Security analytics enable you to quickly distinguish compromised systems from misconfigurations and benign policy violations, dramatically reducing business-critical time to detection and mitigation.

Figure 3: Visualization of policy violation behavior patterns
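Baselines of both kinds described above, an implied one and an explicit one, can be encoded and checked mechanically. The block below is an added example and not the brief's or 21CT's analytics: the implied policy is that workstations in an assumed 10.0.0.0/24 talk to servers, not to each other, so client-to-client flows are a deviation and a workstation fanning out to several peers is the worm-like case; the explicit policy is a role-to-system matrix, so an access by a role the matrix does not expect on that system is a deviation. Subnets, roles, users, flows and access records are all constructed, and the fan-out threshold of three peers is an assumption.

```python
"""Added example: two policy-violation checks over constructed records,
client-to-client fan-out and role-based access outside the expected norm.
Not 21CT's analytics; the policies and data are assumptions."""
import ipaddress
from collections import defaultdict

# Implied policy (assumed): workstations live in 10.0.0.0/24 and talk to
# servers in 10.0.1.0/24, not to each other.
CLIENT_NET = ipaddress.ip_network("10.0.0.0/24")

# Explicit policy (assumed): which roles are expected on which systems.
ALLOWED_ROLES = {
    "source-repo": {"engineering"},
    "finance-app": {"finance", "executive"},
    "mail": {"engineering", "finance", "executive", "sales"},
}
USERS = {"alice": "engineering", "bob": "finance", "carol": "executive", "dave": "engineering"}

# Constructed flow records: (src, dst, dst_port).
FLOWS = [
    ("10.0.0.11", "10.0.1.5", 25), ("10.0.0.11", "10.0.1.9", 443), ("10.0.0.12", "10.0.1.5", 25),
    # 10.0.0.31 reaches four other workstations on 445: worm-like fan-out
    ("10.0.0.31", "10.0.0.12", 445), ("10.0.0.31", "10.0.0.13", 445),
    ("10.0.0.31", "10.0.0.14", 445), ("10.0.0.31", "10.0.0.15", 445),
    # a single client-to-client flow: worth a look, not an alarm on its own
    ("10.0.0.12", "10.0.0.11", 445),
]

# Constructed access records: (user, system).
ACCESS = [("alice", "source-repo"), ("bob", "finance-app"), ("carol", "source-repo"),
          ("dave", "finance-app"), ("carol", "mail")]


def client_to_client(flows, client_net=CLIENT_NET):
    """Every flow whose source and destination are both workstations,
    grouped as {src: [peers]}; each one deviates from the implied policy."""
    peers = defaultdict(set)
    for src, dst, _ in flows:
        if ipaddress.ip_address(src) in client_net and ipaddress.ip_address(dst) in client_net:
            peers[src].add(dst)
    return {src: sorted(dsts) for src, dsts in peers.items()}


def worm_like(flows, min_peers=3):
    """Workstations that contact at least `min_peers` other workstations."""
    return {src: dsts for src, dsts in client_to_client(flows).items() if len(dsts) >= min_peers}


def role_violations(access, users=USERS, allowed=ALLOWED_ROLES):
    """Accesses by a role the policy does not expect on that system,
    as (user, system, role)."""
    return [(user, system, users[user]) for user, system in access
            if users[user] not in allowed.get(system, set())]


def policy_report(flows=FLOWS, access=ACCESS):
    return {
        "client_to_client": client_to_client(flows),
        "worm_like": worm_like(flows),
        "role_violations": role_violations(access),
    }


if __name__ == "__main__":
    for key, val in policy_report().items():
        print(key, val)
```

On the sample data the report separates the one-off client-to-client flow from the workstation fanning out to four peers, and lists the executive reaching the source repository and the engineer reaching the finance application as the two accesses outside the role matrix.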
Identifying Policy Violations Using Security Analytics

Internal network clients rarely need to communicate directly with other clients on the network. Most of their activity passes through application servers: instant messaging, email, source code repositories, financial applications, or other enterprise-level business systems. Worm propagation, however, spreads primarily through host-to-host communication. Visualizing client-to-client communication therefore exposes a worm trying to spread through the network, typically as one host fanning out to many peers on the same service port. Legitimate exceptions, such as peer-to-peer collaboration tools, desktop management agents, and VoIP media streams, should be baselined so they do not drown out that signal.

Unexpected changes in who accesses privileged corporate data are another policy violation that can indicate a compromise. If the CEO's account, for example, suddenly starts pulling from the source code repository, in most companies this suggests a breach with data exfiltration as the end goal. Similarly, sudden access to the corporate finance system by an engineer would suggest a possible breach with intent to steal corporate financial information. In both cases the unusual actor is an account, not necessarily the person; stolen credentials are the common explanation, which is why a call to the account owner is the first step of the investigation.

By fusing the data from these disparate systems with other network data, security analytics can detect combinations of these policy violations that are significant indicators of compromise, enabling you to find and mitigate network breaches before serious damage is done.

Botnet C&C Traffic

Why Botnet C&C Traffic?

The presence of botnet command and control (C&C) traffic is one of the more obvious indicators of compromise. If C&C traffic is present on your network, you almost certainly have infected hosts, whether they are acting as C&C servers or, more likely, as bots that may be stealing corporate information or serving as drones in DDoS attacks. Security analytics can help you identify C&C traffic and stop it before it causes additional damage.
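Both policy-violation patterns above (a client fanning out to other clients, and an account using a resource its role is not expected to touch) reduce to simple graph and lookup checks over fused flow and access data. The code below is an added example for this page, not the paper's or 21CT's own analytic; the subnets, flow records, role-to-resource policy and business-hours window are all assumptions made up for the illustration. The time-of-day severity step anticipates the "Bonus: Time" section later in the paper.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumed address plan for the constructed example (not from the paper)
CLIENT_SUBNET = ipaddress.ip_network("10.1.0.0/16")   # user workstations
SERVER_SUBNET = ipaddress.ip_network("10.2.0.0/24")   # application servers


def build_sample_flows():
    """Constructed flow records: (src_ip, dst_ip, dst_port)."""
    flows = []
    for i in range(1, 21):                                  # normal client -> server traffic
        flows.append(("10.1.0.%d" % i, "10.2.0.10", 443))   # web application
        flows.append(("10.1.0.%d" % i, "10.2.0.11", 5222))  # IM server
    for i in range(100, 130):                               # 10.1.0.7 hitting 30 peers on SMB
        flows.append(("10.1.0.7", "10.1.0.%d" % i, 445))
    flows.append(("10.1.0.3", "10.1.0.4", 445))             # one benign peer file share
    return flows


def client_to_client_graph(flows):
    """Directed graph of flows whose source AND destination are both clients:
    {src: {dst: set(ports)}}. Client-to-server traffic is dropped as expected."""
    graph = defaultdict(dict)
    for src, dst, port in flows:
        if ipaddress.ip_address(src) in CLIENT_SUBNET and ipaddress.ip_address(dst) in CLIENT_SUBNET:
            graph[src].setdefault(dst, set()).add(port)
    return graph


def worm_candidates(graph, min_peers=10):
    """Graph pattern: one client fanning out to >= min_peers other clients.
    Reports the peer count and the service ports involved."""
    out = {}
    for src, peers in graph.items():
        if len(peers) >= min_peers:
            ports = set().union(*peers.values())
            out[src] = {"peers": len(peers), "ports": sorted(ports)}
    return out


# Implied access policy: which roles are expected on which systems (assumed)
EXPECTED_ROLES = {
    "source-repo": {"engineer", "release"},
    "finance-db": {"finance", "executive"},
}
BUSINESS_HOURS = range(7, 20)   # 07:00 to 19:59 local time, assumed


def assess_access(role, resource, when):
    """Policy check with time as a second lens: a role not expected on a
    resource is 'review' in business hours and 'high' outside them."""
    if role in EXPECTED_ROLES.get(resource, set()):
        return "ok"
    return "review" if when.hour in BUSINESS_HOURS else "high"


def sample_assessments():
    """The paper's CEO example at lunch and at 2:00 am, plus an expected access."""
    return {
        "engineer_repo_noon": assess_access("engineer", "source-repo", datetime(2014, 3, 3, 12, 30)),
        "ceo_repo_lunch": assess_access("executive", "source-repo", datetime(2014, 3, 3, 12, 30)),
        "ceo_repo_2am": assess_access("executive", "source-repo", datetime(2014, 3, 3, 2, 0)),
    }


if __name__ == "__main__":
    graph = client_to_client_graph(build_sample_flows())
    print(worm_candidates(graph))
    print(sample_assessments())
```

The fan-out threshold is deliberately a count of distinct peers rather than a count of flows: a single noisy transfer between two workstations produces many flows but only one edge, while a worm produces one edge per victim it probes.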
Detecting Botnet C&C Traffic Using Security Analytics

Typical web browsing produces pages assembled from many different elements on many different hosts and paths, as the browser downloads images, scripts, and HTML files; once the page has rendered, it is generally static. Users do not usually refresh a page at regular intervals of, say, every 120 seconds. Frequent, regular requests for only one or two paths on the same host are far more likely to be a compromised host calling back to its C&C server to report status and listen for new commands. The Zeus botnet, for example, almost always calls out to the same host and pulls only a single URI path. The giveaway is the combination of three properties, a fixed destination, a fixed path, and a fixed period (often with a small random jitter), which is why this pattern is commonly called beaconing. Legitimate software updaters and monitoring agents also beacon, so the analytic should allow-list known-good destinations rather than treat every periodic request as hostile. Security analytics can help you quickly identify this behavior and discover compromised hosts on your network before they can inflict serious damage.

Figure 4: Visual depiction of a security analytic to detect a single URI
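The single-URI, fixed-period pattern just described can be scored from proxy logs by grouping requests per (source, destination host) and measuring how regular the gaps between them are. The following is an added example written for this page, not the paper's analytic or 21CT code; the log records are constructed, and the allow-list, minimum request count, path limit and regularity cutoff (coefficient of variation, standard deviation divided by mean, of at most 0.2) are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def build_sample_http_log():
    """Constructed proxy records (timestamp, src_ip, host, path); not real traffic."""
    t0 = datetime(2014, 3, 3, 9, 0, 0)
    records = []
    # 10.0.0.5: a browser loading a news site, many paths, irregular timing
    gaps = [0, 1, 2, 45, 46, 47, 300, 301, 303, 900, 901, 902]
    for i, gap in enumerate(gaps):
        records.append((t0 + timedelta(seconds=gap), "10.0.0.5", "news.example.com", "/story/%d" % i))
    # 10.0.0.9: one path on one host every ~120 s with slight jitter (Zeus-style gate check-in)
    t = t0
    for i in range(30):
        records.append((t, "10.0.0.9", "cdn-status.example.net", "/gate.php"))
        t += timedelta(seconds=120 + (i % 3))
    return records


KNOWN_BEACONERS = {"updates.example-av.com"}   # assumed allow-list of legitimate periodic callers


def beacon_candidates(records, min_requests=10, max_paths=2, max_cv=0.2):
    """Flag (src, host) pairs with few distinct paths and regular inter-request
    intervals, i.e. coefficient of variation (stdev / mean) at or below max_cv."""
    by_pair = defaultdict(lambda: {"times": [], "paths": set()})
    for ts, src, host, path in records:
        by_pair[(src, host)]["times"].append(ts)
        by_pair[(src, host)]["paths"].add(path)
    found = {}
    for (src, host), data in by_pair.items():
        if host in KNOWN_BEACONERS or len(data["times"]) < min_requests:
            continue
        if len(data["paths"]) > max_paths:
            continue
        stamps = sorted(data["times"])
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            found[(src, host)] = {"period_s": round(avg, 1), "cv": round(cv, 3),
                                  "paths": sorted(data["paths"])}
    return found


if __name__ == "__main__":
    for pair, info in beacon_candidates(build_sample_http_log()).items():
        print(pair, info)
```

A browser session fails the path filter long before its timing is examined, which keeps the expensive statistics confined to the few pairs that already look like check-ins. Malware that randomises its sleep interval widely will push the coefficient of variation above the cutoff; for those, the single-path and single-host properties remain, and a looser cutoff combined with a longer observation window recovers them.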
Volumetric Behavior

Volumetric behavior revolves around the amount of traffic generated by network activity. Significantly higher than normal volumes could indicate an incoming DDoS attack, compromised hosts exfiltrating data from your network, or simply a legitimate transfer of large files to a trusted customer or partner. As a security analyst, you need to be able to identify an abnormally high volume of network traffic and quickly determine whether it is benign or malicious.

DDoS Noise Reduction

Why DDoS Noise Reduction?

Distributed denial-of-service (DDoS) attacks have garnered much attention in recent years as major corporations have suffered very public attacks. While most of the attention is focused on website downtime and resource unavailability, many DDoS attacks are now used as a smokescreen for penetration or exfiltration. As the DDoS attack is happening, security organizations scramble to deploy their best people to mitigate the effects of the attack, while the attackers are busy with their true objective: gaining access to intellectual property and other sensitive corporate information. Using security analytics with all your disparate network data fused and visualized in a single solution, you can quickly filter out the noise to detect and mitigate the stealthy attacks as well as the obvious and noisy ones.

Reducing DDoS Noise Using Security Analytics

A DDoS attack can be a highly visible indicator of compromise, yet it may also be masking the attacker's true intent. Understanding the type of DDoS attack you are investigating is essential to reducing the noise correctly so that the underlying behavior can be analyzed. When analyzing large datasets, time is a useful filter to reduce the amount of data you need to scan. For example, you could look at new inbound connections over only the past 60 minutes rather than over the past 24 hours.
This is a useful technique, but during a DDoS attack new inbound connections may be arriving orders of magnitude faster than during a normal interval, so a time window alone does not help; filtering on the attack's own signature does. Slowloris, for example, is an HTTP-based attack in which the attacker opens many connections to the target web server, sends a partial request, and then trickles out additional header lines just often enough to keep each connection from timing out, so that a single request can stay open for hours or even days without ever completing. Once enough of these connections accumulate, the server's pool of worker processes or connection slots is exhausted and legitimate clients cannot connect. Each attack connection is therefore long-lived, tiny in bytes, and never completes a request, and a security analytic can filter connections with exactly that profile out of the larger dataset, so that instead of millions of bogus connections you see only the connections that might be delivering server-side exploits. This lets you see infiltration attempts without being distracted by a large volume of otherwise meaningless Slowloris connections.

Figure 5: Visual depiction of a security analytic for filtering Slowloris
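The Slowloris profile above (long duration, almost no client bytes, no completed request) is easy to express as a filter over per-connection summaries, leaving the remainder small enough to inspect for actual exploit delivery. This is an added example for this page, not the paper's Figure 5 analytic; the connection records are constructed, the field names are assumed to be what a flow collector or load balancer would export, and the 30-second and 1 KiB cutoffs are assumptions to tune for your servers' timeouts.

```python
def build_sample_connections():
    """Constructed inbound connection summaries to the web tier: source, port,
    duration, bytes received from the client, and whether a full request
    ever arrived. Made-up data for this example."""
    conns = []
    for i in range(2000):                       # the flood: long, tiny, never completed
        conns.append({"src": "198.51.100.%d" % (i % 200), "dst_port": 80,
                      "duration_s": 300 + i, "bytes_in": 120 + (i % 40),
                      "request_complete": False})
    conns.append({"src": "203.0.113.21", "dst_port": 80, "duration_s": 1,
                  "bytes_in": 640, "request_complete": True})          # normal page load
    conns.append({"src": "203.0.113.77", "dst_port": 80, "duration_s": 4,
                  "bytes_in": 98304, "request_complete": True})        # large POST body: worth a look
    conns.append({"src": "203.0.113.90", "dst_port": 443, "duration_s": 2,
                  "bytes_in": 2048, "request_complete": True})
    return conns


def is_slowloris_like(conn, min_duration_s=30, max_bytes_in=1024):
    """Profile of a Slowloris connection: held open a long time, almost no
    client bytes, and no complete request ever parsed by the server."""
    return (not conn["request_complete"]
            and conn["duration_s"] >= min_duration_s
            and conn["bytes_in"] <= max_bytes_in)


def partition_ddos_noise(conns):
    """Split connections into attack noise and the remainder worth analysis."""
    noise, remainder = [], []
    for c in conns:
        (noise if is_slowloris_like(c) else remainder).append(c)
    return noise, remainder


def suspicious_after_filtering(conns, large_request_bytes=65536):
    """With the noise removed, surface the connections that could be carrying
    an exploit: here, unusually large request bodies for a web front end."""
    _noise, rest = partition_ddos_noise(conns)
    return [c["src"] for c in rest if c["bytes_in"] >= large_request_bytes]


if __name__ == "__main__":
    noise, rest = partition_ddos_noise(build_sample_connections())
    print(len(noise), "noise connections filtered;", len(rest), "left to analyze")
    print(suspicious_after_filtering(build_sample_connections()))
```

The filter is keyed on the three-way conjunction deliberately: a slow mobile client also produces long, small connections, but its requests complete, and a large upload is long and incomplete while it is in flight, but it is not tiny. Requiring all three keeps legitimate traffic in the remainder.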
Unusual Inbound Traffic

Why Unusual Inbound Traffic?

Most companies should receive very little inbound traffic to their corporate networks. Most companies have websites, but they are not typically hosted on the internal corporate network; most are hosted in the cloud or by a third-party provider, so there is no inbound traffic to the corporate web site on the corporate network. Other than VPN connections and queries to the corporate DNS servers, inbound connections to the corporate network are rare and are therefore a strong indicator of compromise. Any service you do expose deliberately, such as a mail gateway or a remote-access portal, belongs on a documented allow-list, which is what makes the remaining inbound traffic stand out. Security analytics can help you quickly separate the good traffic from the bad, remediate the cause sooner, and mitigate its impact on your business.

Detecting Unusual Inbound Traffic Using Security Analytics

Inbound SSH connections to externally exposed internal hosts are a strong indicator of compromise, particularly if there is a pattern to the connections. During an SSH brute force attack, an analyst sees many failed SSH authentication attempts from one source, followed by a successful one. That sequence indicates that an external attacker has probably gained SSH access to an internal host, and the accepted login, not the failures, is the event that matters. Inbound connections to ports outside the well-known range are another indicator. If inbound traffic is expected at all, it is normally destined for a well-known port (0 through 1023) of a published service. Inbound traffic to other ports, particularly the ephemeral range that clients use for the source side of their own connections, likely indicates attempts to compromise the network or at least to gauge how open it is, though common services on registered ports (3389 or 8443, for example) should be accounted for before raising an alert. With security analytics, you can quickly and easily detect these types of network behavior patterns, leading to faster mitigation and prevention of large-scale data exfiltration.

Unusual Outbound Traffic

Why Unusual Outbound Traffic?

Unusual outbound traffic is an even more likely indicator of compromise than inbound traffic because it can represent actual data loss and theft.
There are very few reasons that anyone on the corporate network should be uploading gigabytes of data to an external destination. There are exceptions (backups, bulk transfers to a partner, video uploads), but outside of them this outbound behavior is a strong indication of compromise, and one that security analytics can help you detect.

Figure 6: Visualization of an SSH brute force attack
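The "many failures, then a success" SSH pattern from the Unusual Inbound Traffic section can be pulled straight out of sshd's syslog lines by correlating Failed and Accepted events per source address inside a time window. The following is an added example for this page, not the paper's Figure 6 analytic or 21CT code; the log lines are constructed in OpenSSH's default syslog format, the year is supplied by hand because syslog timestamps omit it, and the thresholds (ten failures within ten minutes of an accepted login) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_auth_log():
    """Constructed sshd log lines (made up for this example): an attacker hammering
    root from 203.0.113.7 and then getting in as 'ops', plus an admin who mistyped."""
    lines = []
    base = datetime(2014, 3, 3, 2, 14, 0)
    for i in range(25):                                   # 25 failures in two minutes
        t = base + timedelta(seconds=5 * i)
        lines.append("%s bastion sshd[2311]: Failed password for root from 203.0.113.7 port %d ssh2"
                     % (t.strftime("%b %d %H:%M:%S"), 51000 + i))
    t = base + timedelta(seconds=140)
    lines.append("%s bastion sshd[2390]: Accepted password for ops from 203.0.113.7 port 51200 ssh2"
                 % t.strftime("%b %d %H:%M:%S"))
    lines.append("Mar 03 08:01:10 bastion sshd[2500]: Failed password for ops from 198.51.100.4 port 40001 ssh2")
    lines.append("Mar 03 08:01:18 bastion sshd[2500]: Failed password for ops from 198.51.100.4 port 40001 ssh2")
    lines.append("Mar 03 08:01:25 bastion sshd[2500]: Accepted publickey for ops from 198.51.100.4 port 40001 ssh2")
    return lines


LINE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
                  r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
                  r"(?P<user>\S+) from (?P<src>\S+) port \d+")


def parse_auth_log(lines, year=2014):
    """Turn sshd lines into (timestamp, src_ip, user, 'Failed'|'Accepted') tuples;
    lines that are not authentication results are skipped."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("src"), m.group("user"), m.group("result")))
    return events


def brute_force_then_success(events, min_failures=10, window_minutes=10):
    """Per source address, count failed logins in the window before each accepted
    login; report sources whose success was preceded by >= min_failures."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)
    window = timedelta(minutes=window_minutes)
    hits = {}
    for src, evs in by_src.items():
        for ts, _src, user, result in evs:
            if result != "Accepted":
                continue
            failures = [e for e in evs if e[3] == "Failed" and ts - window <= e[0] < ts]
            if len(failures) >= min_failures:
                hits[src] = {"failures": len(failures), "accepted_user": user,
                             "accepted_at": ts.isoformat()}
    return hits


if __name__ == "__main__":
    print(brute_force_then_success(parse_auth_log(build_sample_auth_log())))
```

Note that the correlation key is the source address, not the username: a password-spraying attacker rotates users and keeps the address, and the success often lands on a different account than the one that drew the failures. Distributed attacks that rotate addresses need the same logic keyed on the target account instead.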
Detecting Unusual Outbound Traffic Using Security Analytics

RAR archives are the preferred archive and compression format for external attackers such as APT1, who stage stolen data into compressed, often password-protected, archives before moving it out. A spike in the number of outbound RAR archives can be a very telling sign. Because attackers frequently rename the archives to look like something innocuous, matching on the file's magic bytes rather than its extension makes the analytic far harder to evade.

Abnormal database traffic can also be indicative of compromise. If a web application sends an internal database a read request and the database answers with an unusually large result that is then relayed outbound, this may indicate a SQL injection attack in which an external user is dumping a large table, such as usernames and password hashes. This attack vector has been used to gain access to major corporations' customer information.

Other types of outbound traffic are also unusual: SSH connections that transfer large amounts of data, SCP connections sending data out of the corporate network, and, as with unusual inbound traffic, outbound connections to ephemeral ports could all indicate compromise and data exfiltration. Using security analytics, you can quickly identify the exfiltration of an unusual number of RAR archives or large amounts of outbound traffic, enabling you to stop an active data exfiltration.

Anomalous Behavior

Anomalous behavior is network traffic or activity that deviates from an established baseline or does not conform to standard protocol behavior.

Geographic Anomalies

Why Geographic Anomalies?

Many organizations do business with a limited subset of the world or have employees only in certain countries. Geographic anomalies, traffic to or from unexpected locations, can help to indicate compromise by foreign actors. The convenient part about geographic anomalies is that they are easier to baseline than most other traffic characteristics. Here, too, security analytics, run on your full range of fused network data, can identify traffic to and from specific geographic locations, or traffic that does not come from a specific geographic location, depending on what is typical on your network.
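Counting outbound RAR archives reliably means recognising them by their signature bytes, since a renamed archive defeats an extension check. The block below is an added example for this page, not the paper's or 21CT's code: the RAR signatures are the real ones (version 1.5 to 4.x, and version 5), but the upload records are constructed, the per-host thresholds (three archives or one GiB) are assumptions, and the first-bytes field assumes your capture or DLP layer retains a payload prefix per transfer.

```python
from collections import defaultdict

RAR4_MAGIC = b"Rar!\x1a\x07\x00"        # RAR 1.5 - 4.x signature
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"    # RAR 5 signature
GIB = 1024 ** 3


def is_rar(payload_prefix):
    """True if the first bytes of a transferred file carry a RAR signature,
    regardless of the file name or extension used."""
    return payload_prefix.startswith(RAR4_MAGIC) or payload_prefix.startswith(RAR5_MAGIC)


def build_sample_uploads():
    """Constructed outbound transfer records: (src_ip, dst_host, filename, bytes_out, first_bytes).
    Payload prefixes are made up apart from the RAR signature bytes."""
    uploads = []
    for i in range(5):   # 10.0.0.12 pushes five 'photos' that are really RAR archives, 250 MiB each
        uploads.append(("10.0.0.12", "share.example-cloud.net", "IMG_%04d.jpg" % i,
                        250 * 1024 ** 2, RAR4_MAGIC + b"\x00" * 16))
    uploads.append(("10.0.0.12", "share.example-cloud.net", "notes.txt", 4096, b"Meeting notes\n"))
    uploads.append(("10.0.0.5", "photos.example.com", "cat.png", 2 * 1024 ** 2, b"\x89PNG\r\n\x1a\n"))
    uploads.append(("10.0.0.8", "repo.example.org", "build.rar", 3 * 1024 ** 2, RAR5_MAGIC + b"\x00" * 8))
    return uploads


def outbound_exfil_candidates(uploads, max_rar=3, max_bytes=GIB):
    """Per source host, count RAR archives by magic bytes and sum outbound bytes;
    flag hosts that exceed either threshold, with the reasons and destinations."""
    stats = defaultdict(lambda: {"rar": 0, "bytes": 0, "destinations": set()})
    for src, dst, _name, size, prefix in uploads:
        s = stats[src]
        s["bytes"] += size
        s["destinations"].add(dst)
        if is_rar(prefix):
            s["rar"] += 1
    flagged = {}
    for src, s in stats.items():
        reasons = []
        if s["rar"] >= max_rar:
            reasons.append("%d RAR archives" % s["rar"])
        if s["bytes"] >= max_bytes:
            reasons.append("%.1f GiB outbound" % (s["bytes"] / GIB))
        if reasons:
            flagged[src] = {"reasons": reasons, "destinations": sorted(s["destinations"])}
    return flagged


if __name__ == "__main__":
    print(outbound_exfil_candidates(build_sample_uploads()))
```

The single 3 MiB build.rar from 10.0.0.8 is not flagged, which is the intended behaviour: one archive is routine, a burst of them to one external share is the APT1-style staging the text describes. Encrypted transports (HTTPS, SCP) hide the payload prefix, so for those the byte-volume branch and the destination set are what remain usable.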
Understanding Geographic Anomalies Using Security Analytics

If a company is based solely in the United States, there is little reason for anyone in a foreign country to try to access the corporate network. This traffic would be a red flag that something unexpected was happening. Further, if internal resources were communicating with foreign countries that you would not expect, this too would indicate some kind of compromise. Geographic anomalies are one of the easier indicators to keep a pulse on because so many perimeter devices have geolocation functionality built in. Two caveats apply: IP geolocation is approximate, and traffic to a content delivery network or cloud provider is routinely answered from a country other than the one the service belongs to, so a geographic hit is a prompt to look at the destination's role, not a verdict on its own. With security analytics, you can take this information and fuse it with other network data to provide the remaining context needed to fully understand the behavior of anomalous geographic traffic on your network.

Figure 7: Visual depiction of a security analytic for SSH filtration

Figure 8: Visualization of geolocation data on a network

Protocol Anomalies

Why Protocol Anomalies?

All network protocols have distinct behaviors, many of which are well documented either through the IETF's RFC process or simply through industry standardization. Deviations from these behaviors could be an indicator of compromise, but could also simply indicate a misconfiguration of some kind. Using security analytics you can more easily detect deviations and sort the suspicious behavior from simple misconfigurations or benign violations.

Identifying Protocol Anomalies Using Security Analytics

A typical host in an enterprise uses DHCP to obtain an IP address along with other necessary information such as the default gateway, netmask, and DNS servers. The use of external DNS servers is rare on corporate networks, because the DHCP-assigned resolvers are internal. A corporate host that queries an external DNS server indicates at best a grossly misconfigured endpoint and at worst an infected host that is resolving its controller's domain (or tunneling data over DNS) while bypassing the logging and filtering on the internal resolvers.

Similarly, HTTP traffic can display behavior that, while valid, is still anomalous. There are likely many different hosts on the corporate network that talk to the same external host. Google.com, Yahoo.com, and Gmail.com are all domains that many hosts contact daily as users engage in normal web surfing. Lots of different hosts communicating with one external host is not in itself an indicator of compromise, but when every one of those hosts presents the same User-Agent string to that host, a compromise likely exists.
Since there will usually be tens if not hundreds of different User-Agent strings on a network, as users surf with different browsers, different service packs, and different versions of the same browser, many different hosts all communicating with the same external server using a single User-Agent is a strong indicator of compromise: malware typically hard-codes one User-Agent, while real browsers never converge on one. The exceptions are legitimate updaters and agents (operating system patching, antivirus definitions) that also use a single fixed User-Agent, so those destinations should be baselined and allow-listed. Using the pattern searching capabilities of security analytics, you can identify this anomalous behavior, investigate its root cause, and mitigate it quickly to avoid further damage to your network.

Figure 9: Visual depiction of a security analytic for detecting user-agent patterns

Long-Term Trending

Why Long-Term Trending?

Long-term trending helps identify anomalies on a network. The key is establishing an accurate baseline. Fortunately, people are naturally good at recognizing a norm and spotting deviations from it once the trend is laid out in front of them, which is why long-term trending is so powerful.
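The two protocol anomalies in this section, DNS queries that bypass the corporate resolvers and an external server whose many internal clients all share one User-Agent, are both set-membership checks over fused flow and proxy data. The code below is an added example for this page, not the paper's Figure 9 analytic or 21CT code; the resolver addresses, the updater allow-list, the flow and request records, and the ten-host minimum are all constructed assumptions.

```python
from collections import defaultdict

CORPORATE_RESOLVERS = {"10.0.0.2", "10.0.0.3"}   # assumed DHCP-assigned internal resolvers
UPDATE_SERVICES = {"update.example-vendor.com"}  # assumed allow-list: fixed-UA updaters


def build_sample_dns_flows():
    """Constructed (src_ip, dst_ip, dst_port, proto) flow records."""
    flows = [("10.0.1.%d" % i, "10.0.0.2", 53, "udp") for i in range(10, 30)]
    flows.append(("10.0.1.17", "198.51.100.53", 53, "udp"))   # bypassing the internal resolvers
    flows.append(("10.0.1.17", "198.51.100.53", 53, "tcp"))
    flows.append(("10.0.1.22", "10.0.0.3", 53, "udp"))
    return flows


def external_dns_clients(flows):
    """Internal hosts sending DNS to anything but the corporate resolvers:
    {src: [external resolver addresses]}."""
    offenders = defaultdict(set)
    for src, dst, port, _proto in flows:
        if port == 53 and dst not in CORPORATE_RESOLVERS:
            offenders[src].add(dst)
    return {src: sorted(d) for src, d in offenders.items()}


def build_sample_http_requests():
    """Constructed (src_ip, dst_host, user_agent) proxy records."""
    browsers = ["Mozilla/5.0 (Windows NT 6.1) Firefox/27.0",
                "Mozilla/5.0 (Windows NT 6.1) Chrome/33.0",
                "Mozilla/5.0 (Macintosh) Safari/537.75"]
    reqs = []
    for i in range(30):   # normal surfing: twenty hosts, three browsers
        reqs.append(("10.0.1.%d" % (10 + i % 20), "www.google.com", browsers[i % 3]))
    for i in range(15):   # every infected host uses the malware's hard-coded UA
        reqs.append(("10.0.1.%d" % (10 + i), "stats.example-cdn.net", "Mozilla/4.0 (compatible; MSIE 6.0)"))
    for i in range(15):   # a legitimate updater also has one UA, but is allow-listed
        reqs.append(("10.0.1.%d" % (10 + i), "update.example-vendor.com", "VendorUpdater/3.1"))
    return reqs


def uniform_user_agent_servers(reqs, min_hosts=10):
    """External hosts contacted by >= min_hosts internal hosts that all present
    exactly one User-Agent string, excluding allow-listed updaters."""
    per_server = defaultdict(lambda: {"hosts": set(), "agents": set()})
    for src, server, ua in reqs:
        per_server[server]["hosts"].add(src)
        per_server[server]["agents"].add(ua)
    hits = {}
    for server, d in per_server.items():
        if server in UPDATE_SERVICES:
            continue
        if len(d["hosts"]) >= min_hosts and len(d["agents"]) == 1:
            hits[server] = {"hosts": len(d["hosts"]), "user_agent": next(iter(d["agents"]))}
    return hits


if __name__ == "__main__":
    print(external_dns_clients(build_sample_dns_flows()))
    print(uniform_user_agent_servers(build_sample_http_requests()))
```

On a fleet built from one golden image, browsers can legitimately share a User-Agent, so the practical version of this check compares the agent set for a server against the agent set the same hosts use everywhere else; a server that sees one agent from hosts that use several elsewhere is the real signal.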
Long-term Trending Using Security Analytics

Establishing an appropriate baseline is a difficult challenge for many organizations. Companies that are growing at a rapid pace will see a corresponding increase in their network traffic, and the rollout of new applications makes previously established baselines obsolete. Many trending advocates go with the high-level aggregate traffic view, but baselining specific protocols is often the path that yields more fruit. Another way to look at baselining traffic is directionality. For example, even if your company is growing, your inbound traffic volume likely would not change, because growth adds users and servers rather than new public services. That makes inbound traffic easier to baseline, and security analytics can then identify the outliers. A core benefit of security analytics is their flexibility in allowing you to turn your experience and creativity into an executable analytic, making the process of baselining easier and more repeatable.

Bonus: Time

While not technically an indicator of compromise, time is a lens through which to view the previous indicators of compromise. Take for example the policy violations indicator of compromise. If a CEO accesses the source code repository, it may not really be unusual if that access happens during the lunch hour and the CEO happens to have a technical background and is just perusing the code out of curiosity. But if that same CEO's account accesses the repository at 2:00 am, that is a likely indicator of compromise. Adding the dimension of time to the other indicators of compromise adds another investigative element that can yield real, actionable insight.

Increase Your Operational Awareness with Security Analytics

Security analytics and visualization can help you quickly and effectively identify and eliminate common network behaviors that may indicate a network compromise in ways that perimeter defenses, which identify only events they already know about, cannot. This gives your organization much greater insight into the activity on your network, leading to faster remediation and a more resilient network security posture. During the first half of 2014, the security researchers at 21CT will regularly publish new IOC use cases and security analytics available for you to download to help your organization increase operational awareness of your network.

About 21CT

At 21CT we create investigative analytics products for the way users think, look, and find. Our innovative products and services are used to detect and neutralize healthcare fraud, target and eradicate network security attacks, and more. 21CT solutions shed light on the intelligence hidden within your data. Reward your curiosity at 21ct.com.

©2014 21CT, Inc. All rights reserved. 21CT, LYNXeon, Torch, the 21CT logo, the LYNXeon logo, and the Torch logo are trademarks, service marks, or registered trademarks of 21CT, Inc.

21CT, Inc. Corporate Headquarters, 6011 W. Courtyard Drive, Building 5, Suite 300, Austin, TX 78730. Phone: 512.682.4700. Fax: 512.682.4701. info@21ct.com, www.21CT.com
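Returning to the Long-term Trending section: the directional, per-protocol baselining it recommends can be made concrete as a trailing-window comparison, in which each day's value for one direction and protocol is judged against the mean and spread of the preceding days. The block below is an added example for this page, not the paper's or 21CT's analytic; the daily series are constructed (outbound web traffic growing two percent a day for a growing company, inbound VPN flat with one injected spike), and the window length, the three-sigma band and the five-percent floor on the band are assumptions.

```python
from statistics import mean, pstdev


def build_sample_daily_series():
    """Constructed daily byte totals (GB) over 30 days for a growing company.
    Outbound web traffic grows ~2% a day; inbound VPN stays flat except day 29."""
    outbound_http = [round(100 * 1.02 ** d, 1) for d in range(30)]
    inbound_vpn = [20.0 + (d % 3) * 0.5 for d in range(30)]
    inbound_vpn[29] = 34.0        # the outlier the analytic should catch
    return {"outbound/http": outbound_http, "inbound/vpn": inbound_vpn}


def trailing_baseline_outliers(series, window=14, sigma=3.0):
    """For each day after the first `window` days, compare the value with the mean
    and standard deviation of the preceding `window` days, and flag values more
    than `sigma` standard deviations above that trailing mean. The band is floored
    at 5% of the mean so a perfectly flat series does not become hair-trigger."""
    outliers = []
    for day in range(window, len(series)):
        hist = series[day - window:day]
        mu, sd = mean(hist), pstdev(hist)
        threshold = mu + sigma * max(sd, 0.05 * mu)
        if series[day] > threshold:
            outliers.append((day, series[day], round(threshold, 1)))
    return outliers


def baseline_report(all_series, **kw):
    """Run the trailing baseline per direction/protocol series."""
    return {name: trailing_baseline_outliers(s, **kw) for name, s in all_series.items()}


if __name__ == "__main__":
    for name, hits in baseline_report(build_sample_daily_series()).items():
        print(name, hits)
```

Because the baseline trails the series, steady growth in the outbound web traffic never trips it: each day's value is compared with the recent past, not with a baseline fixed months ago, which is precisely the obsolescence problem the text raises. The flat inbound series, by contrast, has so little variance that the spike on day 29 stands out immediately, which is why inbound traffic is the easier direction to baseline.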