As an IT security pro, unless you've been hiding under a rock, you've heard about ransomware threats like Cryptolocker. These threats are typically delivered via an e-mail with a malicious attachment, or by directing a user to a malicious website. Once the Cryptolocker file executes and connects to the command and control server, it begins to encrypt files and demands payment to unlock them. As a result, detecting infection quickly is key to limiting the damage. AlienVault USM uses several built-in security controls working in unison to detect ransomware like Cryptolocker, usually as soon as it attempts to connect to the command and control server. Join us for a live demo showing how AlienVault USM detects these threats quickly, saving you valuable time in limiting the damage from the attack. You'll learn: How AlienVault USM detects communications with the command and control server How the behavior is correlated with other signs of trouble to alert you of the threat Immediate steps you need to take to stop the threat and limit the damage

1. Live Demo: How to Detect a Cryptolocker
Infection with AlienVault USM

2. @AlienVault
About AlienVault
AlienVault has unified the security products, intelligence and
community essential for mid-sized businesses to defend against
today’s modern threats

3. @AlienVault
• More and more organizations are finding
themselves in the crosshairs of various bad
actors for a variety of reasons.
• The number of organizations experiencing high
profile breaches is unprecedented.
• The “security arms race” cannot continue
indefinitely as the economics of securing your
organization is stacked so heavily in favor of
those launching attacks that incremental
security investments are seen as impractical.
Threat landscape: Our new reality
84%
of organizations breached
had evidence of the
breach in their log files…

4. @AlienVault
“There are two types of companies that use
computers. Victims of crime that know they are
victims of crime and victims of crime that don’t
have a clue yet.”
- James Routh, 2007
CISO Depository Trust Clearing Corporation
Prevention is elusive

5. @AlienVault
“How would you change your strategy if you
knew for certain that you were going to be
compromised?”
- Martin Roesch, 2013
Founder & CTO Sourcefire, Author SNORT

6. @AlienVault
Prevent Detect & Respond
The basics are in
place for most
companies…but
this alone is a
‘proven’ failed
strategy.
New capabilities to develop
Get (Very) good at detection & response

7. @AlienVault
Goal is to restrict access to system or files until
ransom paid
Variations have been circulating since 1989
Encrypting ransomware first seen in 2005
In June 2013, McAfee reported that it had collected
over 250,000 unique samples in Q1 2013
• 2X the number collected in Q1 2012
Ransomware / Extortionware

8. @AlienVault
1. Malware delivered via
email or drive-by
2. File executes &
compromises system
3. Trojan connects with
C&C server
4. Encryption & notification
of user begins
CryptoLocker in 4 Easy Steps

9. @AlienVault
File extensions that Cryptolocker attacks include:
.odt, .ods, .odp, .odm, .odc, .odb, .doc, .docx, .docm, .wps, .xls, .xlsx, .xlsm,
.xlsb, .xlk, .ppt, .pptx, .pptm, .mdb, .accdb, .pst, .dwg, .dxf, .dxg, .wpd,
.rtf, .wb2, .mdf, .dbf, .psd, .pdd, .pdf, .eps, .ai, .indd, .cdr, .jpg, .jpe, .jpg,
.dng, .arw, .srf, .sr2, .bay, .crw, .cr2, .dcr, .kdc, .erf, .mef, .mrw, .nef, .nrw,
.orf, .raf, .raw, .rwl, .rw2, .r3d, .ptx, .pef, .srw, .x3f, .der, .cer, .crt, .pem, .pfx,
.p12, .p7b, .p7c, .3fr,…
Targeted Filetypes
Source: Softonic.com

10. @AlienVault
CryptoLocker Even Takes Bitcoin

11. @AlienVault
So many security technologies to choose from
Given the 10 most recommended technologies and
the pricing range, an organization could expect to
spend anywhere from $225,000 to $1.46m in its
first year, including technology and staff.
Source: The Real Cost of Security, 451 Research,
April 2013
Factor into this:
 Initial Licensing Costs
 Implementation / Optimization Costs
 Ongoing Management Costs
 Renewal Costs
 Integration of all the security technologies
 Training of personnel/incoming personnel

12. @AlienVault
Many point solutions…integration anyone?
“Security Intelligence through Integration that we do, NOT you”
USM Platform
• Bundled Products - 30 Open-Source
Security tools to plug the gaps in your
existing controls
• USM Framework - Configure, Manage, &
Run Security Tools. Visualize output and
run reports
• USM Extension API - Support for
inclusion of any other data source into
the USM Framework
• Open Threat Exchange –Provides threat
intelligence for collaborative defense

13. @AlienVault
powered by
AV Labs Threat
Intelligence
USM
ASSET DISCOVERY
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software
Inventory
VULNERABILITY ASSESSMENT
• Continuous
Vulnerability Monitoring
• Authenticated /
Unauthenticated Active
Scanning
BEHAVIORAL MONITORING
• Log Collection
• Netflow Analysis
• Service Availability Monitoring
SECURITY INTELLIGENCE
• SIEM Event Correlation
• Incident Response
THREAT DETECTION
• Network IDS
• Host IDS
• Wireless IDS
• File Integrity Monitoring
USM Product Capabilities

14. @AlienVault
Unified Security Management
Complete. Simple. Affordable.
Delivery Options:
Hardware, Virtual, or Cloud-based appliances
Open-Source version (OSSIM) also available
AlienVault USM provides the five essential security
capabilities in one, pre-integrated platform
 Unified Security Management (USM) Platform
 AlienVault Labs Threat Intelligence
 AlienVault Open Threat Exchange

15. @AlienVault
AlienVault Labs Threat Intelligence:
Coordinated Analysis, actionable Guidance
•Updates every 30 minutes
•200-350,000 IP validated daily
•8,000 Collection points
•140 Countries

16. @AlienVault
AlienVault Labs threat intelligence:
Coordinated Analysis, actionable guidance
 Weekly updates that cover all your coordinated rule sets:
 Network-based IDS signatures
 Host-based IDS signatures
 Asset discovery and inventory database updates
 Vulnerability database updates
 Event correlation rules
 Report modules and templates
 Incident response templates / “how to” guidance for each alarm
 Plug-ins to accommodate new data sources
 Fueled by the collective power of the AlienVault’s Open Threat Exchange (OTX)

17. More Questions?
Email Hello@alienvault.com
NOW FOR SOME Q&A…
Test Drive AlienVault USM
Download a Free 30-Day Trial
http://www.alienvault.com/free-trial
Try our Interactive Demo Site
http://www.alienvault.com/live-demo-site

18. @AlienVault