Operational Lessons from the RSA/EMC CIRC: People, Process, & Threat Intel

Size: px

Start display at page:

Download "Operational Lessons from the RSA/EMC CIRC: People, Process, & Threat Intel"

Carmella Bell
8 years ago
Views:

1 Operational Lessons from the RSA/EMC CIRC: People, Process, & Threat Ben Smith, CISSP Field CTO (US East), Security Portfolio

2 A Security Maturity Path CONTROLS COMPLIANCE IT RISK BUSINESS RISK MATURITY LEVEL 2

3 A Security Maturity Path Improve Identity Controls Risk-based, step up options Cloud-enabled Automate Compliance Key Regulations CONTROLS COMPLIANCE IT RISK BUSINESS RISK MATURITY LEVEL Defend against known threats Reduce risk of identity-based threats Lower compliance costs 3

COMPLIANCE IT RISK BUSINESS RISK MATURITY LEVEL Defend against known

4 A Security Maturity Path Control Sensitive Information Discover & protect critical assets Improve IT Governance Visibility into IT Risk Change management Business continuity Establish Security Operational Baselines Logs / Packets / Behaviors CONTROLS COMPLIANCE IT RISK BUSINESS RISK MATURITY LEVEL Reduce risk surface Spot advanced attacks Ensure resilience Align investment/risks 4

Security Operational Baselines Logs / Packets / Behaviors CONTROLS COMPLIANCE IT RISK BUSINESS

5 A Security Maturity Path Implement Advanced SOC Capabilities Detection / Incident Response Achieve Full Visibility Real-time internal & external awareness of risks and threats Align Activity with Business Risk Prioritize Assets / Processes / Identities CONTROLS COMPLIANCE IT RISK BUSINESS RISK MATURITY LEVEL Proactive defense Maintain compliance Take advantage of new technology/opportunities 5

Business Risk Prioritize Assets / Processes / Identities CONTROLS COMPLIANCE IT RISK BUSINESS RISK

6 EMC Critical Incident Response Center (CIRC) CIRC Cyber Threat Intelligence Open/All Source Actor Attribution Open/All Attack Source Sensing Actor & Attribution Warning Attack Social Sensing Media & Warning High Value Target Social Media (HVT) High Value Target (HVT) Advanced Tools, Tactics & Analysis Reverse Malware Engineering Reverse Host & Malware Network Eng Host & Network Forensic Forensics Cause & Origin Cause & Origin Determination Determination operations operations Critical Incident Response Eyes-on-Glass End Team User Intake Event Triage Eyes-on-Glass Incident End User Intake Event Containment Triage Incident 24x7 Containment Coverage 24x7 Coverage Content Analytics Team Integration Content Development Reporting Alert and Rule Creation Integration Content Development Reporting Alert and Rule Creation Recon Weaponize Delivery Exploit Install C2 Actions Detection Kill Chain Response 6

Forensics Cause & Origin Cause & Origin Determination Determination Email Email operations operations Critical Incident Response Eyes-on-Glass End Team User Intake Event Triage Eyes-on-Glass Incident

7 Lessons learned/implemented by RSA Post-breach analysis indicated that threat intelligence would have played a major role in detecting this activity earlier on Actions: Built a dedicated Cyber Intelligence group Bought multiple commercial intelligence feeds Joined multiple threat sharing groups Custom developed a threat intelligence portal / database Developed in-house OSINT gathering program But at that time, we found 7

group Bought multiple commercial intelligence feeds Joined multiple threat sharing groups Custom

8 Observed Threat Intel Issues Some threat intel vendors don t understand the difference between Intelligence and Information A bad IP with no context is not actionable! Impact: Resources wasted on searching Why am I searching proxy logs for the IP address of a mail server that was used in a phishing campaign? 8

9 Observed Threat Intel Issues Lack of widely adopted standard for sharing threat intel or IoCs Many IoCs are still shared in unmapped formats CSV, text files, HTML posts, vendor-specific XML Impact: Resources wasted on logging into various portals, mailing lists, feeds and then normalizing the IoCs Impact: Human errors when transferring data 9

vendor-specific XML Impact: Resources wasted on logging into various portals, mailing

10 Observed Threat Intel Issues Limited platforms/applications to house threat intel Avalanche, MITRE CRITs, ThreatConnect Sharing, reviewing/approving, retiring Have you ever retired an IoC? How big are your block lists? Impact: IoC lifecycle management difficulty Impact: Increased burden on security controls 10

retiring Have you ever retired an IoC? How big are your block lists?

11 Observed Threat Intel Issues Quality of product from vendors varies Some do a good job of vetting indicators However, we still see listed as bad Impact: Potential for operational issues Impact: Developed custom tools to vet IoCs 11

12 Observed Threat Intel Issues Justifying the expense to management Lack of obvious wins Early failures due to poor third-party intelligence Still not finding all the bad stuff A lot of custom development 12

due to poor third-party intelligence Still not

13 Lessons learned/implemented by RSA Organizational maturity is required! Threat intel isn t the silver bullet Need to manage expectations Expensive Both in $$$ and human capital Requires constant care and feeding New vendor offerings, quality of data Doesn t always produce tangible results No hits today. Intel failure or nothing going on? 13

$$$ and human capital Requires constant care and feeding New vendor offerings,

14 Next Generation SOC: Modular Components Solution Framework Process (Operations) People (Resourcing) Technology (Controls) Business Alignment Risk Alignment Defense-in-depth Content Intelligence Threat Intelligence Analytic Intelligence Operations & Reporting Security Operations Management Policies, Processes & Procedures Incident Lifecycle Management Standard Operating Procedures Rules of Engagement Personnel & Resourcing Staffing Roles & Responsibilities Education, Training & Awareness Cross-functional stakeholders & third parties Phased delivery & customized rollout Defense-in-depth SIEM, DLP, etc. Infrastructure Hardening Network and Host Monitoring Process Automation Big Data Analysis 14

Management Standard Operating Procedures Rules of Engagement Personnel & Resourcing Staffing Roles & Responsibilities Education, Training & Awareness Cross-functional

15 NextGen SOC: A Sample Resourcing Model SOC Manager Reporting & Metrics Personnel & Ops Management Strategy & Planning Content Analyst Workflow automation Alert & Rule Creation Correlation & Integration Report Development Contextual enrichment Threat Analyst Tracking of TTPs Open source research Subscription feeds Threat Validation Impact Analysis & Attribution Tier 3 Analyst Advanced & Malware Analysis Host & Network Forensics Attribution, cause & origin Web & operations Tier 1 Analyst Event intake, analysis & triage SOPs & Analysis SLA to resolution / escalation Tier 2 Analyst Incident intake, analysis & triage Additional free-form analysis SLA to resolution / escalation 15

Analysis & Attribution Tier 3 Analyst Advanced & Malware Analysis Host & Network Forensics Attribution, cause & origin Web & E-mail operations Tier 1 Analyst Event intake,

16 Bad SOC Design 16

17 Very Bad SOC Design 17

18 Good SOC Design 18

19 RSA Security Operations Management (SecOps) User Personas Security Operations Management Threat Intel Analyst L1 Analyst L2 Analyst SOC Analysts Incident Management Threat Intelligence Management SOC Manager Persona Driven Design CISO/CSO SOC Management Breach Management SOC Program Management Business-driven SOC Management CIO Business Mgr. Privacy Officer Compliance Legal HR Cross Functional Teams IT Security Risk Management 19

Persona Driven Design CISO/CSO SOC Management Breach Management SOC Program Management Business-driven SOC

20 Questions?

After the Attack: RSA's Security Operations Transformed

After the Attack: RSA's Security Operations Transformed Ben Smith, CISSP RSA Field CTO (East), Security Portfolio Senior Member, ISSA Northern Virginia 1 The Environment ~ 2,000 security devices ~55M security