Good morning, thank you for coming and joining Attivo today to hear a little bit about what we do. We're going to do a couple of things today: go over a couple of slides just to frame the conversation and explain what we do, and then we'll jump into a demo. I'll show you the actual product and how we do it.

So what is Attivo? Attivo focuses on detecting attacks inside the network. We focus on detecting lateral-movement type attacks, targeted attacks, stolen-credential attacks. Our assumption is that the attackers are already inside your network. The reason the attackers are there is that you have multiple vectors of entry today, and the prevention systems are not keeping the attackers out. They're not keeping up with the attack vectors, and when they catch up there'll be new vectors for the attacker to come in.

So actually I'd like to ask a quick question: anybody here think that their network will not be infected in the next 12 months? All right, we have a winner. So, nobody? I mean... It's offline, it's not connected. You ask me, come to mind.

So prevention alone is not enough, right? You have to have the visibility, you have to have the ability to see what's going on, and you need to have actionable alerts, meaning not 20,000 alerts in a day that say, "hey, I give you the whole attack and a whole pile of hay around it." It's like, what's the needle? Where is the needle? Give me that. And you have to be able to take advantage of the infrastructure that you already have and make it work together to your advantage.

So this is where we come in, and this is how we disrupt the attack cycle. We're able to detect the stolen credentials from that initial compromise, as well as the lateral movement inside your network. It doesn't matter; as that bot is moving inside the network and trying to gain elevated credentials, we're able to detect that, disrupt that attack, and shorten the time that the attacker has inside the network.

So the way we do it is that we're hosting multiple operating systems. We support 10 different operating systems, and on them we support multiple programs and services, both traditional network as well as SCADA and IoT, and we allow you to completely customize those environments. Sorry, sorry folks. So not only do we allow you to customize the content of the systems, but also to install your own programs, to open your own specific custom ports, as well as import your own golden images of the operating system to run inside our environment to use as engagement servers. So our VMs that engage and detect those attackers are completely transparent in your network and look exactly the same as the rest of your network.

So the idea is that an attacker somehow gets in and goes after your assets, right? So when we come in, we deploy very easily, very low friction, because we don't need any customization of the network or redirection of the network traffic flow. We are not inline. We are not looking at signatures. We are not looking at logs and data and network traffic. What we do is connect to a trunk port to be logically part of the different VLANs, and when we are part of those VLANs we deploy our engagement servers, and now the attack servers, for the attacker, look something like this.

Also, since we have those IPs, we deploy deceptive credentials on the real assets: on the VMs, on the servers, on the endpoints. And this is not an agent; it's simply deceptive credentials, data that you are writing on the hard drive and in memory to trick the attacker. So now when you have an endpoint or a VM that gets infected and it's trying to attack other targets and get to your data, it'll get to our credentials, use them, and they'll drive it straight to us, and we'll detect the infected node. Not only will we detect the infected node, but we give you very rich forensics around what that node, what that attacker, is doing, and give you all the tools, all the information, to go do a remediation. And we also can send that information to your NAC, to your firewall, to the other devices on the network, to quarantine and block that device from exfiltrating any data.

Right, so the way we do all this: here is a very high-level block diagram of our system. The logic around it is that at the base level we have a big database and a system, and on top of that we're running our VMs, right? And those VMs are logically together; it doesn't matter where they are deployed. And they're instrumented, so anything that touches them, anything that talks to them, is caught, from the initial reconnaissance, from the initial ping, to a payload drop or deletion, registry changes. Think of it as the black box on a plane. All that data is sent to our database, and we have a correlation engine that looks across all those events and associates all the events together as an attack. It doesn't matter if it's happening against one VM or multiple VMs. So now the method of propagation inside your network is captured, and we tell you how that bot is moving from one VM to the other, all of that within our environment, so we don't let the bot and attacker use it as a platform to attack your network.

The other thing we do is that when that attacker tries to communicate externally... sorry, when the malware, the bot, tries to communicate externally to the attacker, we actually hijack that traffic and send it to a VM that masquerades as the attacker, called the sinkhole. We capture the URL of the attacker to complement your blacklist and to block that attacker. Also, by default that VM is contained, but you have the ability to turn it into a proxy, into a gateway. So now we're doing a man-in-the-middle attack on the attacker: we're capturing all the traffic that is generated, we let that traffic go to the attacker on a dedicated port or VLAN, and if it's a dropper downloading malware, we capture the signature of that malware and you know what is coming down; if it's a command, we capture that. So you have full visibility of what's going on, right? And of course all the alerts, everything, we integrate: we interface with your SIEM, we send all that to the SIEM.

Right, so also for the credentials: the way the deceptive credentials are used is that you push them onto your endpoints, right? And these are fake credentials, bogus credentials. Nobody is going to use them, nobody should use them, and they will fail if used on the network. But an attacker doesn't know that. So in terms of density, this deployment is highly dense: we put them on the endpoints, and if they are used, one of three things is going to happen. One is that the attacker is going to use them and come straight to us, in which case, easy, we give you all the forensics and tell you exactly what they did. Two, they can use them to attack the actual servers in your network, which is also no big deal, because that login attempt is going to fail. It's going to be logged in your SIEM. We communicate with the SIEM, query it for the failed login attempts, and any use of our credentials anywhere on the network is going to be caught. And three, since we're creating the credentials, we can also create signatures for the credentials that we give, to complement the signatures in the firewall. So now if the bot tries to exfiltrate that data and send it to the attacker, the firewall has a chance of blocking that exfiltration, because it knows what it's looking for.

Right, so now not only do you have real-time detection, you have actionable alerts, because nobody's supposed to talk to us. There are no real services, nothing valid that's running inside the system. So if somebody touches one of our IPs, he's guilty. So we give you the needle, we give you the forensics, we give you the visibility.

And we deploy on multiple platforms. We're available as a VM, we're available for OpenStack, AWS, as well as an appliance, and Microsoft Azure is coming next. For OpenStack, it doesn't matter which infrastructure layer you have, which hypervisor, which controller; we live in the application layer, right, in the VMs. You import our management VM through your Heat or orchestration template and then you use it to deploy our VMs, and the way you deploy them is that you can deploy them across tenants, in a tenant, or as their own tenant, right? And those VMs are talking back to our management server, giving you this one pane of glass to look at the attacks. And if you have multiple instances of the management servers, basically multiple virtual appliances, we have a central manager that can aggregate from multiple machines and look at those alerts, unless you want everything to go to your SIEM.

So the other feature that we help with is the CryptoLocker attacks, and I promise, last slides before I jump into the demo. So the way we help here is that as part of the credentials that we deploy, we also deploy mapped drives. We're able to deploy mapped drives to our system, so now when patient zero gets infected and encrypts that machine, it'll go after the mapped drive and come and encrypt us, which is great news for us; we actually like that. So what we do is we detect the source of the attack, patient zero, we quarantine it, we raise the alert, and we recover automatically, so there's no need to worry about us or what got destroyed: we just destroy that VM and rebuild it. So now that crypto attack that potentially could spread across the network is limited to one machine.

Okay, so this is actually a sample of the ransomware, BlackEnergy, that the Ukraine energy sector got hit with. We ran it on our system and you see the output. So I believe this is one more slide. So basically what we do is turn the whole network into a trap. We turn your endpoints, your data center, your end devices, local data center or cloud, it doesn't matter; we turn every asset you have into a trap that's helping you to close that window of opportunity and to find that infected system and those back doors on your network.

Okay, so since we have about five minutes left, six minutes left, I'm going to quickly jump into the demo and walk you through some of our features. The idea behind Attivo, the user experience behind us, is that it doesn't matter what flavor you have; it's the same user experience, the same functionality, the same value. So AWS, VMware, OpenStack, the actual appliance, they all look the same. The only difference is in the method of deploying the virtual machines.

What you see on the left-hand side is visibility on the network. Because we're deployed on that trunk port, we're able to collect information from the broadcast and multicast packets, so we give you information about how many IPs there are, how many are DHCP-based, the MAC address associated with the IP, the OS associated, and so forth, and the different VLANs we see. We also give you attack information by phase, by severity, by timeline, and the most important thing is these little guys: these are the attackers, or the infected machines inside the network, that you'll need to go address. And everything here is clickable, so we give you the IP addresses, we give you the type of attacks that we saw, against what service, against which OS. So let's click one. You click on it, we drill down, hopefully, and now you have a view of that one machine, the type of attack it did, sequentially, and for each one you have the ability to drill down. So here this endpoint did a file drop against us. We give you the signature of the file, the time, and of course for all of them you have the ability to generate a STIX report, an IOC report, a CSV report, or the actual pcap of the actual engagement to replay it. The other forensics ability that we provide with all this is the ability to drill down, to actually take a snapshot of the VM, export it out to do deep forensics on the VM, and that captures not only the VM but the memory dump as well.

So in terms of configuration and deployment, it's very straightforward. You basically select which host IP, the username and password to deploy that initial VM, you deploy a private network to connect the engagement VMs, and then you deploy the VMs themselves. It's really straightforward: you just select the version of the OS you want to deploy, on which subnet, and the number of IP addresses you want to deploy, you click OK, the system creates the rules for you, and you're done. So deployment of the system: half an hour, in real time, in the middle of the day, without disrupting traffic, without worrying about other departments. It's very, very straightforward. We've actually done that at customers, financials, healthcare, others; it literally is this complex.

So since we have a couple of minutes, I'd love to take a couple of questions, if there are any clarifications. Yes? Yes, everything is available through APIs as well. And actually, there's one feature around that: since we have the VMs, you have the ability to specify those VMs to be analysis VMs, so you can drop a payload on the system, through email or manually, and we give you the full view of what that looks like. Actually, here, let me show you that. So we tell you what that payload did, so you can see, even if it's a polymorphic attack it doesn't matter, we generate the signatures. So you can see here we're giving you the SHA of the initial payload; we check it against VirusTotal and tell you if it's a zero-day attack or a known attack. We give you the process ID, what this malware did by process, in the registry, in file deletion and so forth, a screen capture of what it did, as well as a description, C&C information, where it tried to reach, and the services it used as well. This particular malware didn't do it, but we also give you the lateral-movement method, which services it used, against which OS it went. So if you have an infection, now you can take a report like this and go for remediation, right?

So we actually have a customer who got hit with a variant of Qakbot, and using our system they were able to generate the report needed for remediation. After fighting the malware for a couple of weeks, they were evaluating our system in the lab, so they dropped it on us, generated this report, and within a couple of days they found 65 infected systems in their network that they remediated. It's a great webinar, actually; it's on our website. I encourage you to go listen to it.

Okay, thank you very much.
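The talk describes two of the three outcomes for a planted decoy credential: the attacker brings it to an engagement server, or tries it against a real asset where it fails and lands in the SIEM as a failed logon. The following is an added example of that detection logic, written for this page; it is not Attivo's code and does not describe how the product itself works. It assumes a collector that flattens Windows logon events (4624 success, 4625 failure) into `key=value` lines, a decoy registry where each decoy username is unique to the endpoint it was seeded on (a design choice made here so a hit points back to the compromised host), and a known set of engagement-server hostnames. All registry entries, hostnames and log lines are constructed for the example.

```python
import re
from dataclasses import dataclass

# Decoy registry: decoy username -> endpoint it was seeded on (constructed).
# Each decoy is unique to one endpoint, so any logon attempt with that username
# points back to the endpoint it was planted on, whatever the source address.
DECOY_REGISTRY = {
    "svc_backup_ws17": "WS-017",
    "svc_backup_ws42": "WS-042",
    "dbadmin_fs03": "FS-003",
}

# Engagement servers that are meant to accept the decoys (constructed).
DECOY_HOSTS = {"DECOY-SRV-01", "DECOY-SRV-02"}

# Constructed sample log lines, as a collector might flatten Windows Security
# logon events (4624 = success, 4625 = failure, 0xC000006D = bad credentials).
SAMPLE_LOGS = """\
ts=2016-03-01T09:12:03Z event=4624 user=jsmith src=10.1.5.17 dst=FS-003 status=success
ts=2016-03-01T09:12:41Z event=4625 user=svc_backup_ws17 src=10.1.5.17 dst=FS-003 status=0xC000006D
ts=2016-03-01T09:12:42Z event=4625 user=svc_backup_ws17 src=10.1.5.17 dst=DC-001 status=0xC000006D
ts=2016-03-01T09:13:10Z event=4624 user=SVC_BACKUP_WS17 src=10.1.5.17 dst=DECOY-SRV-01 status=success
ts=2016-03-01T09:15:00Z event=4624 user=mlee src=10.1.5.22 dst=FS-003 status=success
ts=2016-03-01T09:16:30Z event=4624 user=dbadmin_fs03 src=10.1.5.40 dst=FS-003 status=success
this line is not parseable
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class DecoyHit:
    ts: str
    decoy_user: str
    planted_on: str   # endpoint the decoy was seeded on: the likely compromised host
    src: str          # address the logon attempt came from
    dst: str          # host that was targeted
    outcome: str      # see classify()


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a dict (empty for unparseable lines)."""
    return dict(KV_RE.findall(line))


def classify(rec: dict, decoy_hosts: set) -> str:
    """Decide what a decoy-credential use means.

    engaged_decoy            the attacker took the bait on an engagement server
    failed_on_real_asset     the decoy was tried against a real host and failed
    SUCCEEDED_ON_REAL_ASSET  must never happen: the decoy account really exists
                             or collides with a real one, so fix the deployment
    """
    if rec.get("dst") in decoy_hosts:
        return "engaged_decoy"
    if rec.get("event") == "4624" or rec.get("status") == "success":
        return "SUCCEEDED_ON_REAL_ASSET"
    return "failed_on_real_asset"


def detect(log_text: str, registry=DECOY_REGISTRY, decoy_hosts=DECOY_HOSTS) -> list:
    """Return a DecoyHit for every logon attempt that used a decoy username."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Windows account names are case-insensitive; normalise before lookup
        # so "SVC_BACKUP_WS17" still matches the registry entry.
        user = rec.get("user", "").lower()
        if user not in registry:
            continue
        hits.append(DecoyHit(
            ts=rec.get("ts", "?"), decoy_user=user, planted_on=registry[user],
            src=rec.get("src", "?"), dst=rec.get("dst", "?"),
            outcome=classify(rec, decoy_hosts)))
    return hits


def compromised_endpoints(hits) -> set:
    """Endpoints whose planted decoy was used: the patient-zero candidates."""
    return {h.planted_on for h in hits}


def attacker_sources(hits) -> set:
    """Addresses that used a decoy. Usually the compromised endpoint itself; a
    different address means the credential was stolen and replayed elsewhere."""
    return {h.src for h in hits}


if __name__ == "__main__":
    hits = detect(SAMPLE_LOGS)
    for h in hits:
        print(f"{h.ts} {h.outcome:24} decoy={h.decoy_user} "
              f"planted_on={h.planted_on} src={h.src} dst={h.dst}")
    print("compromised endpoints:", sorted(compromised_endpoints(hits)))
    print("sources to contain:   ", sorted(attacker_sources(hits)))
```

On the constructed input this yields four hits: two failures against real hosts from 10.1.5.17, one successful engagement on DECOY-SRV-01 from the same address, and one decoy that succeeded on FS-003, which is flagged as a deployment fault rather than an attack. The per-endpoint uniqueness of the decoy is what turns a bare failed-logon event into an attribution; if the same decoy string were pushed to every endpoint, the SIEM query in the talk would still tell you a decoy was used, but not which machine it was stolen from.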