RSA Security Anatomy of an Attack Lessons learned

Size: px
Start display at page:

Download "RSA Security Anatomy of an Attack Lessons learned"

Transcription

1 RSA Security Anatomy of an Attack Lessons learned Malcolm Dundas Account Executive John Hurley Senior Technology Consultant 1

2 Agenda Advanced Enterprise/ Threats The RSA Breach A chronology of the attack Security Analytics Incident Response and Governance Q & A 2

3 IN 2011 THE DIGITAL UNIVERSE WILL SURPASS 1.8 ZETTABYTES 1,800,000,000,000,000,000,000 3

4 $ 4

5 5

6 The RSA Attack On March 17 th, RSA disclosed it was the target of an Advanced Persistent Threat (APT) Communicated that certain information related to RSA SecurID was extracted during the attack Provided Best Practices guidance and prioritized remediation steps On June 6 th, RSA issued an open letter to customers Shared that the perpetrator's most likely motive was to obtain an element of security information that could be used to target defense secrets and related IP, rather than financial gain, PII, or public embarrassment. Confirmed that information taken from RSA was used as an element in an attempted broader attack against Lockheed Martin Reinforced that the attack on Lockheed Martin does not reflect a new threat or vulnerability in RSA SecurID technology 6

7 The Initial Vector in the RSA Attack 1 2 Phishing s Some clues about the lead us to believe that this was from some slightly dated research on employees 2 Launch Zero-day One user opened attachment (an Excel spreadsheet) which launches a flash zero-day 3 Attacker gains access to other machines Zero-day exploit installs backdoor (Poison Ivy Rat Variant) which enables extraction of memory resident password hashes X X X X X 7

8 Reducing Attacker Free Time Attacker Surveillanc e Target Analysis Access Probe Attack Setup System Intrusion Attack Begins Discovery/ Persistenc e Cover-up Starts Leap Frog Attacks Complete Cover-up Complete Maintain foothold TIME ATTACKER FREE TIME TIME Physical Security Threat Analysi s Defender Discovery Attack Forecast Monitoring & Controls Attack Identified Source: NERC HILF Report, June 2010 (http://www.nerc.com/files/hilf.pdf) Containme nt & Eradication Incident Reportin g Impact Analysi s Damage Identificati on System Reactio n Respons e Recover y 8

9 From Compromise to Exfiltration 4 Attacker initiates separate network using credentials obtained from steps Attacker moves laterally through organization, heavily using escalation of privileges, to systems containing disparate information that when combined allowed compromise of RSA SecurID-related information ATTACKER 6 Attacker removes data and stages it on a file share within the network 7 Files are encrypted and attacker tries to ex-filtrate to several servers before finding a successful destination. External Server 9

10 Shift in spending 10

11 Asset Criticality Intelligence RSA ACI Asset Intelligence IT Info Biz Context RSA Archer IP Address Criticality Rating Business Unit Facility Asset List Device Owner Device Type Business Owner Device Content Business Unit Criticality Rating RSA NetWitness CMDBs Vuln. Scans Biz Process RPO / RTO Security analysts now have asset intelligence and business context to better analyze and prioritize alerts. 11

12 EMC SOC vs. CIRC SOC = Security Operations Center Level 1 adds, moves and changes, security questions, device health, etc. CIRC = Critical Incident Response Center Manage security incidents, investigate suspicious behavior, vulnerability analysis, malware analysis, threat management, etc. 12

13 RSA Critical Incident Response Team detects file transfer activity DLP Network detects a transfer of encrypted file over FTP protocol 13

14 Alert Critical Incident Response Team RSA SIEM generates alert from two correlated events 1.Successful RDP connection to critical server 2.DLP activity on the same server 14

15 Incident escalation to Security Management Dashboard RSA SIEM alerts sent to RSA egrc platform RSA egrc links this incident with business context and prioritize it as HIGH priority 15

16 Advanced Network Forensics Instant integration from RSA egrc web interface to RSA NetWitness with two clicks SIEMLink transparently retrieves full session detail from RSA NetWitness 16

17 Situation Aware Analysis Context of all network activities to/from critical server Confirm John s machine ( ) as source of RDP session 17

18 Situation Aware Analysis Drill into all network sessions from John s machine Small executable file Transfer over HTTP Suspicious filename & extension Malware?!? Suspicious domain name 18

19 Automated Malware Analysis RSA NetWitness instantly provides detailed analysis of the file in question 19

20 Only Security Analytics can tell you the impact of the attack Attack Step Traditional SIEM RSA SA Alert for RDP tunneled over non-standard port Recreate activity of suspect IP address across environment Show user activity across AD and VPN Alert for different credentials used for AD and VPN Reconstruct exfiltrated data No No Yes Yes No Yes Yes Yes Yes Yes 20

21 RSA Methodology: Ripping away the hay with automated queries Start with all network traffic and logs SHOW ME all downloads of executable content (pdf, doc, exe, xls, jar etc) SHOW ME files where file type does not match extension ALERT ME for sessions to/from critical assets 21

22 Security Practices Critical Checklist Business Risk Assessment Identify most critical systems; ensure they are given the highest priorities for all hardening and monitoring activities Active Directory Hardening Minimize number of admins Monitoring and alerting (Windows Event ID #566) Two factor admin access from hardened VDI platform Executable whitelisting on hardened DCs Disable default account and rename key accounts Complex passwords (9 & 15 Char) Service Accounts Review accounts for privilege creep Change passwords frequently Do not embed credentials into scripts Minimize interactive login Restrict login only from required hosts User Education Increase security training for IT Launch security improvement initiative Regular education of users on phishing attacks Regular education on social engineering Increase mail filtering controls Infrastructure & Logging Full and detailed logging & analysis Tighten VPN controls Increase controls on crypto keys Full packet capture at strategic network locations Network segmentation Team trained and focused on APT activity Web Access Block access to high risk and web filter categories Click through on medium risk websites Black hole dynamic DNS domains Authenticated internet access DNS traffic analysis User Machine Hardening Limit local admin and randomize PW- change often Increase patching regime Enable security controls in applications Deep visibility to identify lateral movement Limit use of non-authorized and approved software Copyright 2011 EMC Corporation. All rights reserved. 22

23 5 Forward-leaning Practices Anti-social engineering (anti-vishing, etc.) Zero-day malware detection Deeper analysis and responsiveness to network traffic Adaptive authentication and two factor Proactive web application security Copyright 2011 EMC Corporation. All rights reserved. 23

24 Disintegration of Perimeter Controls Focus on the critical assets Context based security analytics fused with threat intelligence 24

25

The Next Generation Security Operations Center

The Next Generation Security Operations Center The Next Generation Security Operations Center Vassil Barsakov Regional Manager, CEE & CIS RSA, the Security Division of EMC 1 Threats are Evolving Rapidly Criminals Petty criminals Unsophisticated Organized

More information

場 次 :C-3 公 司 名 稱 :RSA, The Security Division of EMC 主 題 : 如 何 應 用 網 路 封 包 分 析 對 付 資 安 威 脅 主 講 人 :Jerry.Huang@rsa.com Sr. Technology Consultant GCR

場 次 :C-3 公 司 名 稱 :RSA, The Security Division of EMC 主 題 : 如 何 應 用 網 路 封 包 分 析 對 付 資 安 威 脅 主 講 人 :Jerry.Huang@rsa.com Sr. Technology Consultant GCR 場 次 :C-3 公 司 名 稱 :RSA, The Security Division of EMC 主 題 : 如 何 應 用 網 路 封 包 分 析 對 付 資 安 威 脅 主 講 人 :Jerry.Huang@rsa.com Sr. Technology Consultant GCR Minimum Requirements of Security Management and Compliance

More information

Advanced Persistent Threats

Advanced Persistent Threats Advanced Persistent Threats Craig Harwood Channel Manager SADC and Indian Ocean Islands 1 Agenda Introduction Today s Threat landscape What is an Advance persistent Threat How are these crimes perpetrated

More information

Advanced Threats: The New World Order

Advanced Threats: The New World Order Advanced Threats: The New World Order Gary Lau Technology Consulting Manager Greater China gary.lau@rsa.com 1 Agenda Change of Threat Landscape and Business Impact Case Sharing Korean Incidents EMC CIRC

More information

Using Network Forensics to Visualize Advanced Persistent Threats

Using Network Forensics to Visualize Advanced Persistent Threats Using Network Forensics to Visualize Advanced Persistent Threats Dale Long, Sr. Technology Consultant, RSA Security 1 The Problem 2 Traditional Security Is Not Working 99% of breaches led to compromise

More information

RSA Security Analytics the complete approach to security monitoring or how to approach advanced threats

RSA Security Analytics the complete approach to security monitoring or how to approach advanced threats RSA Security Analytics the complete approach to security monitoring or how to approach advanced threats Grzegorz Mucha grzegorz.mucha@rsa.com Advanced Threats Threat Landscape Criminals Petty criminals

More information

After the Attack. The Transformation of EMC Security Operations

After the Attack. The Transformation of EMC Security Operations After the Attack The Transformation of EMC Security Operations Thomas Wood Senior Systems Engineer, GSNA CISSP RSA, The Security Division of EMC Thomas.WoodJr@rsa.com 1 Agenda Review 2011 Attack on RSA

More information

RSA Security Analytics

RSA Security Analytics RSA Security Analytics This is what SIEM was Meant to Be 1 The Original Intent of SIEM Single compliance & security interface Compliance yes, but security? Analyze & prioritize alerts across various sources

More information

BREAKING THE KILL CHAIN AN EARLY WARNING SYSTEM FOR ADVANCED THREAT

BREAKING THE KILL CHAIN AN EARLY WARNING SYSTEM FOR ADVANCED THREAT BREAKING THE KILL CHAIN AN EARLY WARNING SYSTEM FOR ADVANCED THREAT Rashmi Knowles RSA, The Security Division of EMC Session ID: Session Classification: SPO-W07 Intermediate APT1 maintained access to

More information

After the Attack: RSA's Security Operations Transformed

After the Attack: RSA's Security Operations Transformed After the Attack: RSA's Security Operations Transformed Ben Smith, CISSP RSA Field CTO (East), Security Portfolio Senior Member, ISSA Northern Virginia 1 The Environment ~ 2,000 security devices ~55M security

More information

Bernard Montel Directeur Technique RSA. Copyright 2012 EMC Corporation. All rights reserved.

Bernard Montel Directeur Technique RSA. Copyright 2012 EMC Corporation. All rights reserved. Bernard Montel Directeur Technique RSA 1 RSA Security Management Compliance Vision Delivering Visibility, Intelligence and Governance 2 Traditional Security Is Not Working 99% of breaches led to compromise

More information

The Future of the Advanced SOC

The Future of the Advanced SOC The Future of the Advanced SOC Developing a platform for more effective security management and compliance Steven Van Ormer RSA Technical Security Consultant 1 Agenda Today s Security Landscape and Why

More information

BIG DATA. Shaun McLagan General Manager, RSA Australia and New Zealand CHANGING THE REALM OF POSSIBILITY IN SECURITY

BIG DATA. Shaun McLagan General Manager, RSA Australia and New Zealand CHANGING THE REALM OF POSSIBILITY IN SECURITY BIG DATA CHANGING THE REALM OF POSSIBILITY IN SECURITY Shaun McLagan General Manager, RSA Australia and New Zealand 1 Things have changed #2 Buzz word 2012 Big Data only behind something called Fiscal

More information

Getting Ahead of Advanced Threats

Getting Ahead of Advanced Threats Getting Ahead of Advanced Threats Advanced Security Solutions for Trusted IT Chezki Gil Territory Manager Israel & Greece 1 Threats are Evolving Rapidly Criminals Petty criminal s Unsophisticated Organized

More information

Joining Forces: Bringing Big Data to your Security Team

Joining Forces: Bringing Big Data to your Security Team Joining Forces: Bringing Big Data to your Security Team Alaa Abdulnabi, CISSP RSA Regional Pre-Sales Manager Turkey, Middle East & Africa @AlaaAbdulnabi 1 Facteurs de mutation du marché Appareils mobiles

More information

Advanced SOC Design. Next Generation Security Operations. Shane Harsch Senior Solutions Principal, MBA GCED CISSP RSA

Advanced SOC Design. Next Generation Security Operations. Shane Harsch Senior Solutions Principal, MBA GCED CISSP RSA Advanced SOC Design Next Generation Security Operations Shane Harsch Senior Solutions Principal, MBA GCED CISSP RSA 1 ! Why/How security investments need to shift! Key functions of a Security Operations

More information

Stop the Maelstrom: Using Endpoint Sensor Data in a SIEM to Isolate Threats

Stop the Maelstrom: Using Endpoint Sensor Data in a SIEM to Isolate Threats Stop the Maelstrom: Using Endpoint Sensor Data in a SIEM to Isolate Threats Jody C. Patilla The Johns Hopkins University Session ID: TECH-107 Session Classification: Intermediate Objectives Get more out

More information

IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE

IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE Solution Brief SUMMARY New security threats demand a new approach to security management. Security teams need a security analytics architecture that can handle

More information

defending against advanced persistent threats: strategies for a new era of attacks agility made possible

defending against advanced persistent threats: strategies for a new era of attacks agility made possible defending against advanced persistent threats: strategies for a new era of attacks agility made possible security threats as we know them are changing The traditional dangers IT security teams have been

More information

Detect & Investigate Threats. OVERVIEW

Detect & Investigate Threats. OVERVIEW Detect & Investigate Threats. OVERVIEW HIGHLIGHTS Introducing RSA Security Analytics, Providing: Security monitoring Incident investigation Compliance reporting Providing Big Data Security Analytics Enterprise-wide

More information

Unified Security, ATP and more

Unified Security, ATP and more SYMANTEC Unified Security, ATP and more TAKE THE NEXT STEP Martin Werner PreSales Consultant, Symantec Switzerland AG MEET SWISS INFOSEC! 27.01.2016 Unified Security 2 Symantec Enterprise Security Users

More information

A Case for Managed Security

A Case for Managed Security A Case for Managed Security By Christopher Harper Managing Director, Security Superior Managed IT & Security Services 1. INTRODUCTION Most firms believe security breaches happen because of one key malfunction

More information

Discover & Investigate Advanced Threats. OVERVIEW

Discover & Investigate Advanced Threats. OVERVIEW Discover & Investigate Advanced Threats. OVERVIEW HIGHLIGHTS Introducing RSA Security Analytics, Providing: Security monitoring Incident investigation Compliance reporting Providing Big Data Security Analytics

More information

Advanced Visibility. Moving Beyond a Log Centric View. Matthew Gardiner, RSA & Richard Nichols, RSA

Advanced Visibility. Moving Beyond a Log Centric View. Matthew Gardiner, RSA & Richard Nichols, RSA Advanced Visibility Moving Beyond a Log Centric View Matthew Gardiner, RSA & Richard Nichols, RSA 1 Security is getting measurability worse Percent of breaches where time to compromise (red)/time to Discovery

More information

Protecting Your Organisation from Targeted Cyber Intrusion

Protecting Your Organisation from Targeted Cyber Intrusion Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology

More information

IBM Security QRadar SIEM & Fortinet FortiGate / FortiAnalyzer

IBM Security QRadar SIEM & Fortinet FortiGate / FortiAnalyzer IBM Security QRadar SIEM & Fortinet / FortiAnalyzer Introducing new functionality for IBM QRadar Security Intelligence Platform: integration with Fortinet s firewalls and logs forwarded by FortiAnalyzer.

More information

Networking for Caribbean Development

Networking for Caribbean Development Networking for Caribbean Development BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n o g. o r g N E T W O R K I N G F O R C A R I B B E A N D E V E L O P M E N T BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n

More information

SECURITY ANALYTICS MOVES TO REAL-TIME PROTECTION

SECURITY ANALYTICS MOVES TO REAL-TIME PROTECTION SECURITY ANALYTICS MOVES TO REAL-TIME PROTECTION How ThreatBLADES add real-time threat scanning and alerting to the Analytics Platform INTRODUCTION: analytics solutions have become an essential weapon

More information

The Next Generation IPS

The Next Generation IPS The Next Generation IPS Comprehensive Defense Against Advanced Persistent Threats Contents Introduction.............................................. 1 What Are Advanced Persistent Threats?.............................

More information

Security Analytics for Smart Grid

Security Analytics for Smart Grid Security Analytics for Smart Grid Dr. Robert W. Griffin Chief Security Architect RSA, the Security Division of EMC robert.griffin@rsa.com blogs.rsa.com/author/griffin @RobtWesGriffin 1 No Shortage of Hard

More information

CHANGING THE SECURITY MONITORING STATUS QUO Solving SIEM problems with RSA Security Analytics

CHANGING THE SECURITY MONITORING STATUS QUO Solving SIEM problems with RSA Security Analytics CHANGING THE SECURITY MONITORING STATUS QUO Solving SIEM problems with RSA Security Analytics TRADITIONAL SIEMS ARE SHOWING THEIR AGE Security Information and Event Management (SIEM) tools have been a

More information

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things. What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things. AGENDA Current State of Information Security Data Breach Statics Data Breach Case Studies Why current

More information

Locking down a Hitachi ID Suite server

Locking down a Hitachi ID Suite server Locking down a Hitachi ID Suite server 2016 Hitachi ID Systems, Inc. All rights reserved. Organizations deploying Hitachi ID Identity and Access Management Suite need to understand how to secure its runtime

More information

Cyber Defense & Breach Response Privacy Issues

Cyber Defense & Breach Response Privacy Issues Cyber Defense & Breach Response Privacy Issues Kevin Boyle Partner 17 November 2014 Latham & Watkins is the business name of Latham & Watkins (London) LLP, a registered limited liability partnership organised

More information

Rashmi Knowles Chief Security Architect EMEA

Rashmi Knowles Chief Security Architect EMEA Rashmi Knowles Chief Security Architect EMEA AGENDA Transformation of IT New cyber-security challenges Intelligence Driven Security Security Analytics Q&A 2 ENTERPRISE DATA CENTER ADVANCED SECURITY A UNIQUE

More information

Cybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix

Cybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix Cybercrime myths, challenges and how to protect our business Vladimir Kantchev Managing Partner Service Centrix Agenda Cybercrime today Sources and destinations of the attacks Breach techniques How to

More information

Targeted Intrusion Remediation: Lessons From The Front Lines. Jim Aldridge

Targeted Intrusion Remediation: Lessons From The Front Lines. Jim Aldridge Targeted Intrusion Remediation: Lessons From The Front Lines Jim Aldridge All information is derived from MANDIANT observations in non-classified environments. Information has beensanitized where necessary

More information

Using LYNXeon with NetFlow to Complete Your Cyber Security Picture

Using LYNXeon with NetFlow to Complete Your Cyber Security Picture Using LYNXeon with NetFlow to Complete Your Cyber Security Picture 21CT.COM Combine NetFlow traffic with other data sources and see more of your network, over a longer period of time. Introduction Many

More information

Under the Hood of the IBM Threat Protection System

Under the Hood of the IBM Threat Protection System Under the Hood of the System The Nuts and Bolts of the Dynamic Attack Chain 1 Balazs Csendes IBM Security Intelligence Leader, CEE balazs.csendes@cz.ibm.com 1 You are an... IT Security Manager at a retailer

More information

Hunting for Indicators of Compromise

Hunting for Indicators of Compromise Hunting for Indicators of Compromise Lucas Zaichkowsky Mandiant Session ID: END-R31 Session Classification: Intermediate Agenda Threat brief Defensive strategy overview Hunting for Indicators of Compromise

More information

Enterprise Cybersecurity: Building an Effective Defense

Enterprise Cybersecurity: Building an Effective Defense Enterprise Cybersecurity: Building an Effective Defense Chris Williams Oct 29, 2015 14 Leidos 0224 1135 About the Presenter Chris Williams is an Enterprise Cybersecurity Architect at Leidos, Inc. He has

More information

Detect, Prevent and Remediate the Cyber attack Nelson Yuen

Detect, Prevent and Remediate the Cyber attack Nelson Yuen Detect, Prevent and Remediate the Cyber attack Nelson Yuen Senior Systems Engineer Overview of the Local Security Landscape IP camera footages broadcasted live online In September, 2014, more than 1,000

More information

IT Security Risk Management

IT Security Risk Management IT Security Risk Adding Insight to Security Gennaro Scalo April 2, 2014 1 Where is Security Today? Companies have built layer upon layer of security, but is it helping? Complexity Data Breaches Damage

More information

Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence

Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence Chris Poulin Security Strategist, IBM Reboot Privacy & Security Conference 2013 1 2012 IBM Corporation Securing

More information

Incident Response. Six Best Practices for Managing Cyber Breaches. www.encase.com

Incident Response. Six Best Practices for Managing Cyber Breaches. www.encase.com Incident Response Six Best Practices for Managing Cyber Breaches www.encase.com What We ll Cover Your Challenges in Incident Response Six Best Practices for Managing a Cyber Breach In Depth: Best Practices

More information

GAINING THE ADVANTAGE. Applying Cyber Kill Chain Methodology to Network Defense

GAINING THE ADVANTAGE. Applying Cyber Kill Chain Methodology to Network Defense GAINING THE ADVANTAGE Applying Cyber Kill Chain Methodology to Network Defense THE MODERN DAY ATTACKER Cyberattacks aren t new, but the stakes at every level are higher than ever. Adversaries are more

More information

Enterprise Cybersecurity: Building an Effective Defense

Enterprise Cybersecurity: Building an Effective Defense : Building an Effective Defense Chris Williams Scott Donaldson Abdul Aslam 1 About the Presenters Co Authors of Enterprise Cybersecurity: How to Implement a Successful Cyberdefense Program Against Advanced

More information

THE 2014 THREAT DETECTION CHECKLIST. Six ways to tell a criminal from a customer.

THE 2014 THREAT DETECTION CHECKLIST. Six ways to tell a criminal from a customer. THE 2014 THREAT DETECTION CHECKLIST Six ways to tell a criminal from a customer. Telling criminals from customers online isn t getting any easier. Attackers target the entire online user lifecycle from

More information

Software that provides secure access to technology, everywhere.

Software that provides secure access to technology, everywhere. Software that provides secure access to technology, everywhere. Joseph Patrick Schorr @JoeSchorr October, 2015 2015 BOMGAR CORPORATION ALL RIGHTS RESERVED WORLDWIDE 1 Agenda What are we dealing with? How

More information

Top 20 Critical Security Controls

Top 20 Critical Security Controls Top 20 Critical Security Controls July 2015 Contents Compliance Guide 01 02 03 04 Introduction 1 How Rapid7 Can Help 2 Rapid7 Solutions for the Critical Controls 3 About Rapid7 11 01 INTRODUCTION The Need

More information

Compliance Risks in APT Response & Defense

Compliance Risks in APT Response & Defense Compliance Risks in APT Response & Defense Jennifer Archie, Partner Kevin Boyle, Partner The Security-Privacy Paradox No Privacy without security Effective security has impacts on privacy Key privacy requirement

More information

Secret Server Qualys Integration Guide

Secret Server Qualys Integration Guide Secret Server Qualys Integration Guide Table of Contents Secret Server and Qualys Cloud Platform... 2 Authenticated vs. Unauthenticated Scanning... 2 What are the Advantages?... 2 Integrating Secret Server

More information

with Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief

with Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief RSA Solution Brief Streamlining Security Operations with Managing RSA the Lifecycle of Data Loss Prevention and Encryption RSA envision Keys with Solutions RSA Key Manager RSA Solution Brief 1 Who is asking

More information

Concierge SIEM Reporting Overview

Concierge SIEM Reporting Overview Concierge SIEM Reporting Overview Table of Contents Introduction... 2 Inventory View... 3 Internal Traffic View (IP Flow Data)... 4 External Traffic View (HTTP, SSL and DNS)... 5 Risk View (IPS Alerts

More information

APPLICATION PROGRAMMING INTERFACE

APPLICATION PROGRAMMING INTERFACE DATA SHEET Advanced Threat Protection INTRODUCTION Customers can use Seculert s Application Programming Interface (API) to integrate their existing security devices and applications with Seculert. With

More information

Security Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis?

Security Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis? Security Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis? This paper presents a scenario in which an attacker attempts to hack into the internal network

More information

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved. Cyber Security Automation of energy systems provides attack surfaces that previously did not exist Cyber attacks have matured from teenage hackers to organized crime to nation states Centralized control

More information

The session is about to commence. Please switch your phone to silent!

The session is about to commence. Please switch your phone to silent! The session is about to commence. Please switch your phone to silent! 1 Defend with Confidence Against Advanced Threats Nicholas Chia SE Manager, SEA RSA 2 TRUST? Years to earn, seconds to break 3 Market

More information

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS CONTENTS PAGE RECONNAISSANCE STAGE 4 INCURSION STAGE 5 DISCOVERY STAGE 6 CAPTURE STAGE 7 EXFILTRATION STAGE

More information

Critical Security Controls

Critical Security Controls Critical Security Controls Session 2: The Critical Controls v1.0 Chris Beal Chief Security Architect MCNC chris.beal@mcnc.org @mcncsecurity on Twitter The Critical Security Controls The Critical Security

More information

74% 96 Action Items. Compliance

74% 96 Action Items. Compliance Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated

More information

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013 CS 356 Lecture 25 and 26 Operating System Security Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control

More information

DETECTING THE ENEMY INSIDE THE NETWORK. How Tough Is It to Deal with APTs?

DETECTING THE ENEMY INSIDE THE NETWORK. How Tough Is It to Deal with APTs? A Special Primer on APTs DETECTING THE ENEMY INSIDE THE NETWORK How Tough Is It to Deal with APTs? What are APTs or targeted attacks? Human weaknesses include the susceptibility of employees to social

More information

Anatomy of a Breach: A case study in how to protect your organization. Presented By Greg Sparrow

Anatomy of a Breach: A case study in how to protect your organization. Presented By Greg Sparrow Anatomy of a Breach: A case study in how to protect your organization Presented By Greg Sparrow Agenda Background & Threat landscape Breach: A Case Study Incident Response Best Practices Lessons Learned

More information

SIEM Orchestration. How McAfee Enterprise Security Manager can drive action, automate remediation, and increase situational awareness

SIEM Orchestration. How McAfee Enterprise Security Manager can drive action, automate remediation, and increase situational awareness SIEM Orchestration How McAfee Enterprise Security Manager can drive action, automate remediation, and increase situational awareness Scott Taschler, Solution Architect, McAfee Table of Contents Introduction

More information

Ovation Security Center Data Sheet

Ovation Security Center Data Sheet Features Scans for vulnerabilities Discovers assets Deploys security patches transparently Allows only white-listed applications to run in workstations Provides virus protection for Ovation Windows workstations

More information

Enabling Security Operations with RSA envision. August, 2009

Enabling Security Operations with RSA envision. August, 2009 Enabling Security Operations with RSA envision August, 2009 Agenda What is security operations? How does RSA envision help with security operations? How does RSA envision fit with other EMC products? If

More information

IBM QRadar Security Intelligence April 2013

IBM QRadar Security Intelligence April 2013 IBM QRadar Security Intelligence April 2013 1 2012 IBM Corporation Today s Challenges 2 Organizations Need an Intelligent View into Their Security Posture 3 What is Security Intelligence? Security Intelligence

More information

WHY ATTACKER TOOLSETS DO WHAT THEY DO

WHY ATTACKER TOOLSETS DO WHAT THEY DO WHY ATTACKER TOOLSETS DO WHAT THEY DO (or.. Reasons they just keep working ) Matt McCormack OVER THE LAST YEAR 50+ engagements Good chunk of different verticals, industries, etc. Varying qualities and

More information

Defending Against Data Beaches: Internal Controls for Cybersecurity

Defending Against Data Beaches: Internal Controls for Cybersecurity Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity

More information

Effective IDS/IPS Network Security in a Dynamic World with Next-Generation Intrusion Detection & Prevention

Effective IDS/IPS Network Security in a Dynamic World with Next-Generation Intrusion Detection & Prevention Effective IDS/IPS Network Security in a Dynamic World with Next-Generation Intrusion Detection & Prevention Your Security Challenges Defending the Dynamic Network! Dynamic threats 䕬 䕬 䕬 䕬 Many threats

More information

How We're Getting Creamed

How We're Getting Creamed ed Attacks How We're Getting Creamed By Ed Skoudis June 9, 2011 ed Attacks - 2011 Ed Skoudis 1 $ cut -f5 -d: /etc/passwd grep -i skoudis Ed Skoudis Started infosec career at Bellcore in 1996 working for

More information

Evolution Of Cyber Threats & Defense Approaches

Evolution Of Cyber Threats & Defense Approaches Evolution Of Cyber Threats & Defense Approaches Antony Abraham IT Architect, Information Security, State Farm Kevin McIntyre Tech Lead, Information Security, State Farm Agenda About State Farm Evolution

More information

The SIEM Evaluator s Guide

The SIEM Evaluator s Guide Using SIEM for Compliance, Threat Management, & Incident Response Security information and event management (SIEM) tools are designed to collect, store, analyze, and report on log data for threat detection,

More information

Endpoint & Server Protection. Brent Biernat First Vice President Network Services May 13, 2014

Endpoint & Server Protection. Brent Biernat First Vice President Network Services May 13, 2014 Endpoint & Server Protection Brent Biernat First Vice President Network Services May 13, 2014 The Evolution of Cyber Crime 1878 Bell Telephone Teenage Switchboard Operator Disconnected calls, eavesdropped,

More information

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015 Community Bank Auditors Group Cybersecurity What you need to do now June 9, 2015 By: Gerald Gagne MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity

More information

Security Information & Event Management (SIEM)

Security Information & Event Management (SIEM) Security Information & Event Management (SIEM) Peter Helms, Senior Sales Engineer, CISA, CISSP September 6, 2012 1 McAfee Security Connected 2 September 6, 2012 Enterprise Security How? CAN? 3 Getting

More information

APT Advanced Persistent Threat Time to rethink?

APT Advanced Persistent Threat Time to rethink? APT Advanced Persistent Threat Time to rethink? 23 November 2012 Gergely Tóth Senior Manager, Security & Privacy Agenda APT examples How to get inside? Remote control Once we are inside Conclusion 2 APT

More information

Security Analytics The Beginning of the End(Point)

Security Analytics The Beginning of the End(Point) Security Analytics The Beginning of the End(Point) Arie Joosse Arie.Joosse@nexthink.com It s 10am, what do you know about your endpoints? What applications are running? New ones that you didn t deploy

More information

Agenda. 3 2012, Palo Alto Networks. Confidential and Proprietary.

Agenda. 3 2012, Palo Alto Networks. Confidential and Proprietary. Agenda Evolution of the cyber threat How the cyber threat develops Why traditional systems are failing Need move to application controls Need for automation 3 2012, Palo Alto Networks. Confidential and

More information

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2.

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2. ISO 27002 Compliance Guide September 2015 Contents Compliance Guide 01 02 03 Introduction 1 Detailed Controls Mapping 2 About Rapid7 7 01 INTRODUCTION If you re looking for a comprehensive, global framework

More information

Targeted attacks: Tools and techniques

Targeted attacks: Tools and techniques Targeted attacks: Tools and techniques Performing «red-team» penetration tests Lessons learned Presented on 17/03/2014 For JSSI OSSIR 2014 By Renaud Feil Agenda Objective: Present tools techniques that

More information

05 June 2015 A-000061-MW TLP: GREEN

05 June 2015 A-000061-MW TLP: GREEN 05 June 2015 Alert Number A-000061-MW Please contact the FBI with any questions related to this FLASH Report at either your local Cyber Task Force or FBI CYWATCH. Email: cywatch@ic.fbi.gov Phone: 1-855-292-3937

More information

Analyzing HTTP/HTTPS Traffic Logs

Analyzing HTTP/HTTPS Traffic Logs Advanced Threat Protection Automatic Traffic Log Analysis APTs, advanced malware and zero-day attacks are designed to evade conventional perimeter security defenses. Today, there is wide agreement that

More information

White Paper THE FOUR ATTACK VECTORS TO PREVENT OR DETECT RETAILER BREACHES. By James Christiansen, VP, Information Risk Management

White Paper THE FOUR ATTACK VECTORS TO PREVENT OR DETECT RETAILER BREACHES. By James Christiansen, VP, Information Risk Management White Paper THE FOUR ATTACK VECTORS TO PREVENT OR DETECT RETAILER BREACHES By James Christiansen, VP, Information Risk Management Executive Summary Security breaches in the retail sector are becoming more

More information

FISMA / NIST 800-53 REVISION 3 COMPLIANCE

FISMA / NIST 800-53 REVISION 3 COMPLIANCE Mandated by the Federal Information Security Management Act (FISMA) of 2002, the National Institute of Standards and Technology (NIST) created special publication 800-53 to provide guidelines on security

More information

Staying Secure After Microsoft Windows Server 2003 Reaches End of Life. Trevor Richmond, Sales Engineer Trend Micro

Staying Secure After Microsoft Windows Server 2003 Reaches End of Life. Trevor Richmond, Sales Engineer Trend Micro Staying Secure After Microsoft Windows Server 2003 Reaches End of Life Trevor Richmond, Sales Engineer Trend Micro Windows Server 2003 End of Life- Why Care? The next big vulnerability (Heartbleed/Shellshock)

More information

Covert Operations: Kill Chain Actions using Security Analytics

Covert Operations: Kill Chain Actions using Security Analytics Covert Operations: Kill Chain Actions using Security Analytics Written by Aman Diwakar Twitter: https://twitter.com/ddos LinkedIn: http://www.linkedin.com/pub/aman-diwakar-ccie-cissp/5/217/4b7 In Special

More information

Overview Commitment to Energy and Utilities Robert Held Sr. Systems Engineer Strategic Energy August 2015

Overview Commitment to Energy and Utilities Robert Held Sr. Systems Engineer Strategic Energy August 2015 Overview Commitment to Energy and Utilities Robert Held Sr. Systems Engineer Strategic Energy August 2015 Tripwire Evolution 18+ Years of Innovation 1997 Tripwire File System Monitoring from open source

More information

Comprehensive Advanced Threat Defense

Comprehensive Advanced Threat Defense 1 Comprehensive Advanced Threat Defense June 2014 PAGE 1 PAGE 1 1 INTRODUCTION The hot topic in the information security industry these days is Advanced Threat Defense (ATD). There are many definitions,

More information

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control

More information

O N L I N E I N C I D E N T R E S P O N S E C O M M U N I T Y

O N L I N E I N C I D E N T R E S P O N S E C O M M U N I T Y Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response workflow guide. This guide has been created especially for you for use in within your security

More information

REVOLUTIONIZING ADVANCED THREAT PROTECTION

REVOLUTIONIZING ADVANCED THREAT PROTECTION REVOLUTIONIZING ADVANCED THREAT PROTECTION A NEW, MODERN APPROACH Blue Coat Advanced Threat Protection Group GRANT ASPLUND Senior Technology Evangelist 1 WHY DO I STAND ON MY DESK? "...I stand upon my

More information

SANS Top 20 Critical Controls for Effective Cyber Defense

SANS Top 20 Critical Controls for Effective Cyber Defense WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a

More information

GOOD GUYS VS BAD GUYS: USING BIG DATA TO COUNTERACT ADVANCED THREATS. Joe Goldberg. Splunk. Session ID: SPO-W09 Session Classification: Intermediate

GOOD GUYS VS BAD GUYS: USING BIG DATA TO COUNTERACT ADVANCED THREATS. Joe Goldberg. Splunk. Session ID: SPO-W09 Session Classification: Intermediate GOOD GUYS VS BAD GUYS: USING BIG DATA TO COUNTERACT ADVANCED THREATS Joe Goldberg Splunk Session ID: SPO-W09 Session Classification: Intermediate About Me Joe Goldberg Current: Splunk - Security Evangelist

More information

UNCLASSIFIED. http://www.govcertuk.gov.uk. General Enquiries. Incidents incidents@govcertuk.gov.uk Incidents incidents@govcertuk.gsi.gov.uk.

UNCLASSIFIED. http://www.govcertuk.gov.uk. General Enquiries. Incidents incidents@govcertuk.gov.uk Incidents incidents@govcertuk.gsi.gov.uk. Version 1.2 19-June-2013 GUIDELINES Incident Response Guidelines Executive Summary Government Departments have a responsibility to report computer incidents under the terms laid out in the SPF, issued

More information

Modern Approach to Incident Response: Automated Response Architecture

Modern Approach to Incident Response: Automated Response Architecture SESSION ID: ANF-T10 Modern Approach to Incident Response: Automated Response Architecture James Carder Director, Security Informatics Mayo Clinic @carderjames Jessica Hebenstreit Senior Manager, Security

More information

THE EVOLUTION OF SIEM

THE EVOLUTION OF SIEM THE EVOLUTION OF SIEM WHY IT IS CRITICAL TO MOVE BEYOND LOGS Despite increasing investments in security, breaches are still occurring at an alarming rate. 43% Traditional SIEMs have not evolved to meet

More information

Cisco Advanced Malware Protection for Endpoints

Cisco Advanced Malware Protection for Endpoints Data Sheet Cisco Advanced Malware Protection for Endpoints Product Overview With today s sophisticated malware, you have to protect endpoints before, during, and after attacks. Cisco Advanced Malware Protection

More information

Securing OS Legacy Systems Alexander Rau

Securing OS Legacy Systems Alexander Rau Securing OS Legacy Systems Alexander Rau National Information Security Strategist Sample Agenda 1 Today s IT Challenges 2 Popular OS End of Support & Challenges for IT 3 How to protect Legacy OS systems

More information