The Future of the Advanced SOC

Size: px

Start display at page:

Download "The Future of the Advanced SOC"

Alexander Boone
8 years ago
Views:

1 The Future of the Advanced SOC Developing a platform for more effective security management and compliance Steven Van Ormer RSA Technical Security Consultant 1

2 Agenda Today s Security Landscape and Why Change if it s Working Out So Well? The Rise of Big Data Four Attributes in Managing Advanced Threats Advanced SOC Framework 2

4 Traditional Security Is Not Working Continued over reliance and over investment in prebreach tooling Years of compliance spending have diluted available technical skills and management focus in all but the top orgs Official USG and industry threat models are inadequate need to put the adversary and attacker first and design around them Cyber security needs an overhaul Copyright 2012 EMC Corporation. All rights reserved. 4

orgs Official USG and industry threat models are inadequate need to put the adversary and attacker first

5 What Are You Learning? How Much Do You KNOW? NATION STATE ACTORS Nation states Government, defense industrial base, IP rich organizations, waterholes CRIMINALS Petty criminals Unsophisticated, but noisy Organized crime Organized, sophisticated supply chains (PII, PCI, financial services, retail) NON-STATE ACTORS Insiders Various reasons, including collaboration with the enemy Cyber-terrorists / Hacktivists Political targets of opportunity, mass disruption, mercenary Copyright 2012 EMC Corporation. All rights reserved. 5

Unsophisticated, but noisy Organized crime Organized, sophisticated supply chains (PII, PCI, financial services, retail) NON-STATE

6 Key Security Challenge - TIME 99% of breaches led to compromise within days or less with 85% leading to data exfiltration in the same time 85% of breaches took weeks or more to discover Source: Verizon 2012 Data Breach Investigations Report 6

exfiltration in the same time 85% of breaches took weeks or

7 Attacks lead to compromise and exfiltration within minutes, discovery takes months 7

8 Attackers Have Too Much Free Time Attacker Surveillance Target Analysis Access Probe Attack Set-up System Intrusion Attack Begins Cover-up Starts Discovery/ Persistence Leap Frog Attacks Complete Cover-up Complete Maintain foothold ATTACKER FREE TIME TIME TIME Physical Security Threat Analysis Defender Discovery Attack Forecast Source: NERC HILF Report, June 2010 ( Monitoring & Controls Attack Identified Incident Reporting Containment & Eradication Impact Analysis Damage Identification System Reaction Response Recovery 8

Threat Analysis Defender Discovery Attack Forecast Source: NERC HILF Report, June 2010 (http://www.nerc.com/files/hilf.

9 Spending is Part of the Problem -- What is the right arithmetic here? Enterprise Security Investment Profile: Known threats and security hygiene Advanced threats and analytics Physical security and supply chain Other stuff you should be doing Total Budget %: 100% 9

security hygiene Advanced threats and analytics Physical security

10 Spending is Part of the Problem -- What is the right arithmetic here? Enterprise Security Investment Profile: TODAY Known threats and security hygiene 70% Advanced threats and analytics 15% Physical security and supply chain 5% Other stuff you should be doing 10% Total Budget %: 100% 10

security hygiene 70% Advanced threats and analytics 15% Physical

11 Spending is Part of the Problem -- What is the right arithmetic here? Enterprise Security Investment Profile: BETTER Known threats and security hygiene 50% Advanced threats and analytics 30% Physical security and supply chain 7.5% Other stuff you should be doing 12.5% Total Budget %: 100% Key Factors: 1. Process maturity and repeatability, secure development, lower costs; 2. Increased skills and technology; 3. Program focus, pervasive; 4. Aggressive vs. passive. 11

30% Physical security and supply chain 7.5% Other stuff you should be doing 12.5% Total Budget %: 100% Key Factors: 1.

12 The Rise of Big Data and Security Intelligence 12

13 Bottom Line SIEM serves its purpose in terms of basic correlation, alerting, reporting, and compliance management SIEM lacks the content, context, and intelligence provided by the big data and security intelligence Time to respond is critical in a breach situation and SIEM often falls short 13

context, and intelligence provided by the big data and security

14 Security Analyst Use Case Obstacles to Big Data Adoption Skills Data mining, data science, creative thinking Lack of Broader Context Gaining insight from data outside the system (SIEM mindset) Vague Unstructured Data Need a familiar normalized data language ( speaking the language of security ) System Data Reduction Need a sensible approach for filtering unimportant data Automating Daily / Routine Tasks The system must be agile it must perform job functions still leaving time for new analysis 14

language ( speaking the language of security ) System Data Reduction Need a sensible approach for filtering unimportant data

15 Separating Bad from Good is an Increasingly Difficult Problem = BAD = BAD Finite Data Sets / Known Questions Infinite Data Sets / Unknown Questions Understand what bad looks like and look for similarities Antivirus / IDS / IPS Signature-based SIEM Understand what good looks like and look for meaningful differences Network analysis and baselining Anomaly detection Predictive failure analysis 15

similarities Antivirus / IDS / IPS Signature-based SIEM Understand what good looks like and look

16 Four Attributes Needed For Advanced Threats 16

17 Four Attributes for Managing Advanced Threats Pervasive visibility know everything, answer anything wait we said this before Deeper analytics examine risks in context and understand behavior Massive scalability expand in scale and scope to handle anything Unified view enable decision-support across many job streams and temporal planes 17

and understand behavior Massive scalability expand in scale and scope to handle

18 Pervasive Visibility Know Everything, Answer Anything Logs, Full Packet Data, External Data Sources Open Architecture It s not about a partnership of disparate technologies, it s about full architectural integration at every level 18

Architecture It s not about a partnership of disparate

19 Deeper Analytics Perform a variety of tasks based on job stream and data intensity Situational awareness, trend analysis, compliance management all reusing the same captured data and APIs Ability to focus on what matters most, such as HVAs, specific TTPs or campaigns Automation and specialized analytics 19

reusing the same captured data and APIs Ability to focus on what matters

20 Massive Scalability Time for our industry to stop thinking a single-boxcentric mentality We have to scale to overall needs of storage, processing, memory, and analyst populations Big data and large amounts of intelligence simply means lots of storage and lots of number crunching Data will be decentralized 20

processing, memory, and analyst populations Big data and large amounts of

21 Unified View Analysts at different levels needs all information and tools at their disposal No bottlenecks, latency, or integration issues Ability to move among analytic views without leaving the application Full content and context available immediately from any view Client-agnostic support 21

23 Big Data + Security Intelligence = Better Threat Management 23

24 Summary What You Need To Do Derive context More content and context is better Integrate intelligence Integrating security intelligence from multiple sources can yield spectacular results Go beyond SIEM SIEM and Search outcomes are constrained by performance due to various issues Big Data Security Analytics More data is better more analytics is game changing! 24

25 Context-Aware Security Intelligence: Risk-Prioritized, Actionable Insight Gartner, Information Security is Becoming a Big Data Analytics Problem, Neil Macdonald, Mar. 23,

26 THANK YOU 26

The Next Generation Security Operations Center

The Next Generation Security Operations Center Vassil Barsakov Regional Manager, CEE & CIS RSA, the Security Division of EMC 1 Threats are Evolving Rapidly Criminals Petty criminals Unsophisticated Organized