Protecting the Crown Jewels

Charles Herring

Last year in the article Looking East and West we examined how lateral visibility can assist in investigations connected to data theft. In that article we examined an attack were Beron’s computer had fallen under the control of an external attacker in Ukraine that used Beron’s computer to extract data from a business critical database server and upload the stolen data to an external FTP server.

Advanced Data Protection in 6.5

In the year that has passed since we first looked at the Beron compromise, Lancope has improved the security processing model, improved feature sets and incorporated advanced threat detection algorithms.

The dashboard below provides histograms of traffic moving from the protected data stores, the authorized users and support services. Beron’s computer resides in the “Crown Jewels Authorized” host group. The database server that is exploited resides in “Crown Jewels Data.”

Relationship Monitoring

On the alarms tab of the dashboard, abnormal transfer rates and totals trigger relationship alarms between the “Crown Jewels Authorized” and “Crown Jewels Data” host groups.

The abnormal transfer can be observed on the traffic tab of the dashboard.

Segmentation policy allows data to flow between these two security zones. StealthWatch inspects the qualities of the transfers to reveal anomalous activity that can indicate insider or advanced threat.

Segmentation Enforcement

StealthWatch 6.5 includes a new Custom Events feature. This feature allows organizations to create custom detection criteria for a number of purposes including segmentation validation. On the alarm tab of the dashboard, three alarms named “Seg Violation – CJ Auth to Invalid Server” are triggered when Beron’s machine communicates with the unapproved Ukraine server.

These custom events are created through the tools section of the new HTML interface.

Data Hoarding

Also new in 6.5 are advanced data hoarding calculations.

StealthWatch observes and baselines how much data a host normally takes and serves to/from other internal hosts. When a host starts “hoarding” too much data, a “Suspect Data Hoarding” alarm is triggered. When a host is serving out too much information to other hosts a “Target Data Hoarding” alarm is triggered. In the case of the Beron compromise, the MySQL dump between Beron’s machine and the business critical database server triggered both of these alarms once the acceptable thresholds were crossed.

Data Loss

The final type of alarm in the breach is a “Suspect Data Loss” alarm. This counter based event triggers when abnormal or prohibited amounts of data are sent out of the network. When Beron’s machine begins the upload of the stolen data out of the network, the alarm is triggered.

Wrap Up

StealthWatch continues to be a powerful tool in incident response and forensics when security breaches occur. With the new features and capabilities wrapped into the 6.5 release advanced attacks targeting protected data can be quickly detected.


More from this contributor:

Recent InfoSec news continues to show the relentless attacks against academic networks. This problem is not new, however. In 1999, Dr. John Copeland...
The UDP Director™ (formerly known as the FlowReplicator) is a high-speed, high-performance appliance that saves configuration time, reduces bandwidth...
Recently I was in a meeting with security executives and managers of a prospective customer. After discussing their initiatives and pain points I...