Security Operations. Key technologies for your Security Operations Center. Davide Veneziano - RSA Technology Consultant

Transcription

1 Security Operations Key technologies for your Security Operations Center Davide Veneziano - RSA Technology Consultant 1

2 The evolving threat landscape The right route towards a SOC model The RSA advanced SOC portfolio Demo Case studies Agenda 2

3 The evolving threat landscape Increasing threats against organizations of any size and vertical Attack campaigns more targeted and long-lasting Data leakage more than ever linked to external factors Sources: Ponemon 2013 Cost of Data Breach Study, Verizon 2014 DATA BREACH REPORT, Symantec Internet Security Threat Report

4 How should we face this scenario? Traditional Approach IT Operations Focus and budget on preventive technologies Reactive approach New Approach Incident Response & Intelligence Focus on Detection Proactive role SOC/CIRC as a control center aimed to detect, investigate and address cyber-security incidents 4

5 Pursue the right route towards a SOC model Assess your own journey within a Capability Maturity Model Consider and evaluate People, Processes and Technologies to: Enhance the overall governance Improve the standing and the role of IT Security in the organization Provide accurate measurements to management Processes People Technologies 5

6 Incident response and IT Security Incident Response as a key force Incident Response as an emerging security function Ad-Hoc Incident Response 6

7 The fundamentals of our maturity model People Specialization Center of Excellence Focus on intelligence Well-defined roles and responsibilities Processes Best practice driven Repeatable procedures Tight integration with the business Effectiveness measurement Intelligence sharing Technologies Visibility Response time, efficiency, efficacy Integration with the IT and business context Automation 7

8 Implementing a SOC model.. bringing theory into practice Host Visibility SIEM Centralize Alerts Breach Process Analyst L1 Breach Coordinator Incident Process Legal SOC Manager 1 DLP Analyst L2 Shift Handoff CISO Finance SOC Manager 2 Threat Analysis Intelligence Analyst Report KPIs IT Handoff IT HR Network Visibility Measure Efficacy efraud The successfully implementation of a SOC model could be slowed down by a number of factors: Undefined roles and responsibilities Conflicting goals Budgets spread between departments Vague metrics Processes not fully automated Technologies not appropriate 8

9 Roles and Responsibilities Processes Our SOC model Threat Intel Analyst L1 Analyst L2 Analyst Analysts SOC Manager Orchestrate & Manage CISO/CSO SOC Management CIO Business Mgr. Privacy Officer Compliance Legal HR Cross-functional teams Incident Management Breach Management SOC Program Management IT Security Risk Management Bring to each role the information required to effectively support the incident response process 9

10 RSA for implementing an advanced SOC model Three integrated technologies Comprehensive visibility Big Data Analytics IT and Business context integration 10

11 RSA Security Operations Management: beyond the incident management process Manage all aspects of the SOC Repeatable and well-structured processes Persona driven design Out of the box procedures and workflows Clear and accountable metrics 11

12 RSA Security Analytics: comprehensive visibility Combined visibility around log and network traffic Data enrichment at collection time Threat Intelligence Real-time and forensics analysis 12

13 RSA ECAT: assess a compromise Assess and monitor clients and servers Memory analysis and direct physical disk inspection Signature-less approach Measure the suspect level Whitelisting to reduce false positives 13

14 Demo 14

15 Working in SOC with RSA technologies: a realistic use case A suspicious activity is identified based on: Reputation of the destination server Way of communicating Payload of the communication Objective: Identify and reconstruct a complex attack quickly and effectively Assess the actual risk of a threat based on: Identification of the attack s perimeter Measurable impact on the business 15

16 What we have found so far Compromised workstation beaconing to an external server Malicious code running on the system under investigation Another two systems compromised with the same code A data leakage occurred The attacker still maintain access on multiple other systems 16

17 Finally the full picture malware Malicious activity Attacker malware Data leakage malware Persistent access on multiple systems 17

18 Is this enough? 18

19 Are we ready to accept the challenge? Technologies Structured model to face the new threats Advanced threats Processes People Visibility Threat Intelligence Big data and Analytics Organized cybercrime Continuous improvement Quick and effective decisions 19

20 Case studies Jerome Asseray - RSA Technology Consultant 20

21 Etude de cas 1 : Déploiement international Client : Secteur aéronautique Présence mondiale Contraintes Volumétrie importante SLA génération de rapports Activité web utilisateur sur 30 jours < 4 heures Objectifs : Administration et exploitation centralisées Capacité d analyse Performance 21

22 Etude de cas 2 : Service managé Client: Cloud Provider Cible : Clients privés & activité publique stratégiques Contraintes : Fonctionnement isolée (hors ligne) Flexibilité d évolution Disponibilité Objectifs : Visibilité et réactivité Création d offre de service à la demande 22

23 Etude de cas 3 : Investigation Client : Secteur de l armement Présence européenne Contraintes Sensibilité et sécurité des données Contenu insuffisant des journaux d évènements Objectifs : Capture des flux réseau sensibles Capacité d investigation Analyse de code malveillant sans signature 23

24 Etude de cas 4 : association logs et paquets réseau Client : Secteur de l énergie Présence national et filiales internationales Contraintes: Supervision de sites stratégiques Visibilité et réactivité Objectifs Collecte des logs et des paquets Capacité d analyse post mortem 24

25