Cyber Analytics: The New Security Dimension

Transcription

1 Cyber Analytics: The New Security Dimension Mario Balakgie Director, Cyber Security Consulting World Wide Technology, Inc Copyright 2014 World Wide Technology, Inc. All rights reserved.

2

3 Industry Assessment of Challenges Primary Security Challenges for 2014: As trust erodes and it becomes harder to define which systems and relationships are trustworthy and which are not organizations face several key issues that undermine their ability to address security with: 1) Greater attack surface area 2) Proliferation and sophistication of the attack model 3) Complexity of threats and solutions *Source: Cisco Annual Security Report 2014

4 Today s Threats THE VICTIM THE CULPRIT THE TARGET THE ATTACK THE CHASE It could be you. Most attacks are perpetrated by external actors. Mainly payment and bank data, which can be quickly converted into cash. Hacking and malware are the most popular attack methods. Attackers have gotten faster at breaching systems. *Source: Verizon Data Breach Investigations Report 2014

5 FIREWALL and Compounded by Never Ending Demand WEB APPS MOBILE BUSINESS HIGH-SPEED INSPECTION OF CONTENT TODAY S REALITY 2500 Data Disclosures 1.1 Billion compromised Records 47,000+ reported security incidents 92% stemmed from external agents 52% utilized some form of hacking 40% incorporated malware 66% took months or more to discover SOCIAL Verizon Data Breach Reports

6 The Silver Bullet Does Not Exist 2000 FIREWALL ANTI-VIRUS CERTIFICATE MGMT INTRUSION DETECTION NETWORK ACCESS CTRL APPLICATION CONTROL % Valid credentials used 243 Median # of days before detection 40 Average # of systems accessed 63% Victims notified by external entity ADVANCED THREATS ARE HARD TO DETECT

7 Next Generation Techniques and Analytics To achieve a reasonable level of protection, organizations must deploy defenses against both known and unknown threats including: ZERO DAY EXPLOITS SPEAR PHISHING TARGETED ATTACKS TIMED ATTACKS LURES AND REDIRECTS SOCIAL MEDIA Stopping known threats with current state of blocking and preventing IS NO LONGER ADEQUATE!

8 Signature Detection Methods are NOT Enough The average timeline for identifying a security breach is measured in weeks or months. We must change the way we view detection of threats FULL IDENTITY MANAGEMENT PACKET AND LOG COLLECTION BIG DATA ANALYTICS Who, what device, connected how Full context of network traffic Analyze large amounts of data

9 A New Security Approach Is Required PAST PLATFORM LAN/Internet Client/Server PC TODAY S PLATFORM Mobile Cloud Big Data Social Mobile Devices IT CONTROLLED PERIMETER-BOUND PREVENTION SIGNATURE-BASED USER-CENTRIC BORDERLESS DETECTION INTELLIGENCE-DRIVEN *Source: RSA

10 Shift in Priorities and Capabilities Monitoring 15% Response 5% Monitoring 33% Response 33% Prevention 80% Prevention 33% Today s Priorities Intelligence-Driven Security *Source: RSA

11 Why Cyber Analytics Architecture? Establishes a Flexible Security Model for the Enterprise Demonstrate Security Best Practices, including: Security Architecture Design Governance, Risk, and Compliance Processes and Tools, Log, and Metadata Generation Security Analysis, Big Data, and Visualizations Security Incident Response Forensics Multi-vendor Integrated Security Solutions Competency around Security, Big Data, Data Center, Networking, Wireless, and other technologies

12 Cyber Analytics Reference Architecture Flexible security model for the enterprise demonstrating security best practices including: Security Architecture Design Governance, Risk, and Compliance Processes and Tools, Log, and Metadata Generation Security Analysis, Big Data, and Visualizations Security Incident Response Forensics Multi-vendor integrated security solutions

13 Shortcomings of Traditional Security Architectures CAMPUS INTERNET INTERNET EDGE DMZ DATA CENTER REMOTE SITES Scattered Approach Limited Visibility Inefficient Error Prone No business context Limited Historical Data Limited Data Types Signature Dependence

14 SECURITY CAPABILITIES Maturing Security Architectures LEVEL 1 LEVEL 2 LEVEL 3 LEVEL 4 LEVEL 5 ENTERPRISE CONTEXT ADVANCED ANALYTICS REAL TIME ANALYTICS CORRELATION DISTRIBUTED ARCHITECTURAL MATURITY Distributed Point Sensors Manual Analytic Processes No Correlation or Analytics Correlation between Sensors Ability to Identify Known Signaturebased Threats Relevance to the Business/Mission Owners Priority-based Analysis and Mitigation Anomaly Detection Capabilities Ability to Identify Unknown Threats Correlation of Anomalies to Enterprise Context Real time identification of known threats and unknown anomalies Full enterprise context and prioritization Application of CMMI maturity models to Information Security

15 INTERNET EDGE INTERNET Vulnerability Scanner NGFW NGIPS DMZ DLP Web Security Secure DNS ADC Secure SSL Offload Remote SSL Decrypt Access WAF Security Netflow End User Anti-Virus Malware Protection Patch Mgmt CAMPUS WIPS/WIDS MDM SDN NETWORK CORE Netflow Segmentation ADC Policy Optimization DMVPN ZBFW VRFs Segmentation REMOTE SITES End Users TrustSec/MacSEC Data Protection Enterprise Services (AD, Exchange, etc) Anti-Virus Malware Protection Patch Mgmt DATA CENTER

16 Malware Defense Boundary Defense Wireless Access Control Application Software Security Inventory & Authorization of Devices Inventory & Authorization of Software Secure Config of Mobile Devices, Laptops, Workstations, Servers Secure configurations for network devices Continuous Vulnerability Assessment & Remediation Limitation & Control of Network Ports, Protocols, and Services Controlled Use of Administrative Privileges Controlled Access Based on Need to Know Account Monitoring and Control Secure Network Engineering Data Protection Level 1 Defense Checklist

17 SECURITY CAPABILITIES Maturing Security Architectures LEVEL 1 LEVEL 2 LEVEL 3 LEVEL 4 LEVEL 5 ENTERPRISE CONTEXT ADVANCED ANALYTICS REAL TIME ANALYTICS CORRELATION DISTRIBUTED ARCHITECTURAL MATURITY Distributed Point Sensors Manual Analytic Processes No Correlation or Analytics Correlation between Sensors Ability to Identify Known Signaturebased Threats Relevance to the Business/Mission Owners Priority-based Analysis and Mitigation Anomaly Detection Capabilities Ability to Identify Unknown Threats Correlation of Anomalies to Enterprise Context Real time identification of known threats and unknown anomalies Full enterprise context and prioritization Application of CMMI maturity models to Information Security

18 INTERNET Vulnerability Scanner INTERNET EDGE NGFW NGIPS DMZ 1. Sensors 2. Analytics & Operations DLP Web Security Secure DNS ADC Secure SSL Offload Remote SSL Decrypt Access WAF Security Netflow End User Anti-Virus Malware Protection Patch Mgmt CAMPUS WIPS/WIDS MDM SDN TrustSec/MacSEC Data Protection Enterprise Services (AD, Exchange, etc) NETWORK CORE Netflow Segmentation ADC Policy Optimization Anti-Virus Malware Protection Patch Mgmt DMVPN ZBFW VRFs Segmentation REMOTE SITES End Users SECURITY ANALYTICS & OPERATIONS DATA CENTER

19 INTERNET Vulnerability Scanner INTERNET EDGE NGFW NGIPS DMZ 1. Sensors 2. Analytics & Operations DLP Web Security Secure DNS ADC Secure SSL Offload Remote SSL Decrypt Access WAF Security Netflow End User Anti-Virus Malware Protection Patch Mgmt CAMPUS WIPS/WIDS MDM SDN NETWORK CORE Netflow Segmentation ADC Policy Optimization DMVPN ZBFW VRFs Segmentation REMOTE SITES End Users TrustSec/MacSEC Data Protection Enterprise Services (AD, Exchange, etc) DATA CENTER Anti-Virus Malware Protection Patch Mgmt RSA Security Analytics Splunk SECURITY ANALYTICS & OPERATIONS

20 SECURITY CAPABILITIES Maturing Security Architectures LEVEL 1 LEVEL 2 LEVEL 3 LEVEL 4 LEVEL 5 ENTERPRISE CONTEXT ADVANCED ANALYTICS REAL TIME ANALYTICS CORRELATION DISTRIBUTED ARCHITECTURAL MATURITY Distributed Point Sensors Manual Analytic Processes No Correlation or Analytics Correlation between Sensors Ability to Identify Known Signaturebased Threats Relevance to the Business/Mission Owners Priority-based Analysis and Mitigation Anomaly Detection Capabilities Ability to Identify Unknown Threats Correlation of Anomalies to Enterprise Context Real time identification of known threats and unknown anomalies Full enterprise context and prioritization Application of CMMI maturity models to Information Security

21 INTERNET EDGE INTERNET Vulnerability Scanner NGFW NGIPS DMZ DLP Web Security Secure DNS ADC Secure SSL Offload Remote SSL Decrypt Access WAF Security Netflow End User Anti-Virus Malware Protection Patch Mgmt CAMPUS WIPS/WIDS MDM SDN NETWORK CORE Netflow Segmentation ADC Policy Optimization DMVPN ZBFW VRFs Segmentation REMOTE SITES End Users TrustSec/MacSEC Data Protection Enterprise Services (AD, Exchange, etc) DATA CENTER Anti-Virus Malware Protection Patch Mgmt RSA RSA Security Archer Analytics (GRC) SECURITY ANALYTICS & OPERATIONS

22 SECURITY CAPABILITIES Maturing Security Architectures LEVEL 1 LEVEL 2 LEVEL 3 LEVEL 4 LEVEL 5 ENTERPRISE CONTEXT ADVANCED ANALYTICS REAL TIME ANALYTICS CORRELATION DISTRIBUTED ARCHITECTURAL MATURITY Distributed Point Sensors Manual Analytic Processes No Correlation or Analytics Correlation between Sensors Ability to Identify Known Signaturebased Threats Relevance to the Business/Mission Owners Priority-based Analysis and Mitigation Anomaly Detection Capabilities Ability to Identify Unknown Threats Correlation of Anomalies to Enterprise Context Real time identification of known threats and unknown anomalies Full enterprise context and prioritization Application of CMMI maturity models to Information Security

23 INTERNET EDGE INTERNET Vulnerability Scanner NGFW NGIPS DMZ DLP Web Security Secure DNS ADC Secure SSL Offload Remote SSL Decrypt Access WAF Security Netflow End User Anti-Virus Malware Protection Patch Mgmt CAMPUS WIPS/WIDS MDM SDN TrustSec/MacSEC Data Protection Enterprise Services (AD, Exchange, etc) NETWORK CORE Netflow Segmentation ADC Policy Optimization Anti-Virus Malware Protection Patch Mgmt DMVPN ZBFW VRFs Segmentation REMOTE SITES End Users ATC Big Data Cluster (with Splunk) DATA CENTER SECURITY ANALYTICS & OPERATIONS

24 SECURITY CAPABILITIES Maturing Security Architectures LEVEL 1 LEVEL 2 LEVEL 3 LEVEL 4 LEVEL 5 ENTERPRISE CONTEXT ADVANCED ANALYTICS REAL TIME ANALYTICS CORRELATION DISTRIBUTED ARCHITECTURAL MATURITY Distributed Point Sensors Manual Analytic Processes No Correlation or Analytics Correlation between Sensors Ability to Identify Known Signaturebased Threats Relevance to the Business/Mission Owners Priority-based Analysis and Mitigation Anomaly Detection Capabilities Ability to Identify Unknown Threats Correlation of Anomalies to Enterprise Context Real time identification of known threats and unknown anomalies Full enterprise context and prioritization Application of CMMI maturity models to Information Security

25 Threat Intel INTERNET EDGE CYBERSECURITY ANALYTICS REFERENCE ARCHITECTURE INTERNET Vulnerability Scanner NGFW NGIPS DMZ DLP Web Security Secure DNS Secure Remote Access ADC SSL Offload SSL Decrypt WAF Security Netflow End User Anti-Virus Malware Protection Patch Mgmt CAMPUS WIPS/WIDS MDM SDN TrustSec/MacSEC Data Protection Enterprise Services (AD, Exchange, etc) NETWORK CORE Netflow Segmentation ADC Anti-Virus Malware Protection Patch Mgmt Policy Optimization DMVPN ZBFW VRFs Segmentation REMOTE SITES SIEM Ops & Incident Response GRC Identity Services Analysis Vuln Scanners End Users Real Time Analytics AAA Network Config Mgmt Network Access Control Netflow Analysis Policy Mgmt Mobility Services DATA CENTER Inventory Discovery CYBERSECURITY ANALYTICS & OPERATIONS App Whitelisting

26 Improving the Analytics Cycle Prepare Enterprise; Advance Analytics BEFORE INITIAL REPEATABLE DEFINED MANAGED OPTIMIZED Adapt; Remediate; Tune ADAPT DURING Reduce Attacker Free Time; Predictive Analytics AFTER Analyze Anomalies; Forensic Analysis

27 Use Cases Security Event Stratification What are the most important events? Which events can I ignore? Which events are actionable? What actions should be taken? Malware Analysis and Impact What malware currently exists? Which of my systems are vulnerable? Which immediate patches or upgrades? Prioritized risk scoring of malware Exploit & Attack Prediction What are the signs of imminent attack? Where and how would such an attack occur? Which IT systems are vulnerable? What would be the impact of such an attack? Insider Threat What employees are at a security risk? Who has access to sensitive data? Are they exhibiting anomalous behavior? Where and when are they accessing the system?

28 Use Cases (Cont.) Enterprise Risk Management What assets are non-compliant? What threats exist against those assets? What has changed in the environment? Where is the sensitive data and who has access? Incident Management and Forensics Where did the attacker go? What was the timeline of the breach? What was taken? What was left behind, if anything? Insider Detection Who is a normal user? What is abnormal behavior? How do they interact with the system? Where and when are they accessing the system?

29 Summary Cyber Analytics provides: Multi-vendor integrated architecture for defense, detection, response, and continuous improvement Individuals products can be changed Core functions remain constant Aligns Enterprise IT, Security and Big Data Flexibility in Use Case Design and Implementation

30 Thank You!

31 End-to-End Expertise PUBLIC SECTOR SERVICE PROVIDER COMMERCIAL IT PRODUCTS, SERVICES & SUPPLY CHAIN SOLUTIONS NETWORK SECURITY COLLABORATION DATA CENTER SUPPLY CHAIN Enterprise Campus/Branch Data Center Networking High-End Routing & Optical Wireless & Mobility Software-Defined Networking Access Control Network & Data Protection Security Management & Analysis Risk & Compliance Unified Communications Video Conferencing & Client Experience Contact Center Facilities Information Storage & Backup Compute & Virtualization Data Center Transformation Big Data Integration Technology Center Global Inventory Management Staging and Logistics Product Configuration Serial # and Asset Tagging ADVANCED TECHNOLOGY CENTER ARCHITECTURAL SOLUTIONS PROFESSIONAL & ADVANCED SERVICES

32 Advanced Technology Center (ATC) ATC Vision To create a collaborative ecosystem to design, build, educate, demonstrate and deploy innovative technology products and integrated architectural solutions for our customers, partners and employees around the globe.

33