Find the intruders using correlation and context Ofer Shezaf

Transcription

1 Find the intruders using correlation and context Ofer Shezaf

2 Agenda The changing threat landscape What can you do to find intruders? Best practices for timely detection and mitigation HP ArcSight 2

3 Find the intruder at each and every step of the process Research Infiltration Discovery Their ecosystem Capture Our enterprise Exfiltration 3

4 Threat landscape Riskier Enterprises + Advanced Attackers = More Attacks New Technologies Cloud SDN Mobile/BYOD Attacks 24 Million 40 Million 95 Million 101 Million 130 Million Hacktivists Anonymous State funded LulzSec 4

5 243days average time to detect breach 2013 January February March April May June July August September October November December 2014 January February March April 5

6 Since 2009, time to resolve an attack has grown 130% 6

7 Current solutions are not enough Big data Silo d products Limited context No effective way hundreds of apps Apps and devices are in need a domain expert to Too many products, emitting large volumes of silos that don t learn or understand and make vendors, solutions raw machine data share information sense of raw logs 7

8 What can you do to find intruders? Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

9 What can you do to find them? Put the clues together Detect anomalous patterns Profile user behavior Monitor your applications 69% of breaches discovered by an external party 9

10 What can you do to find them? Put the clues together Detect anomalous patterns Profile user behavior Monitor your applications 56% of malware evades sandboxing technologies 10

11 What can you do to find them? Put the clues together Detect anomalous patterns Profile user behavior Monitor your applications 42% of breaches involved social engineering or malicious insiders 11

12 What can you do to find them? Put the clues together Detect anomalous patterns Profile user behavior 84% of breaches occur at the application layer Monitor your applications 12

13 Best practices for timely detection and mitigation Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

14 Transform Big Data into actionable intelligence Collect/correlate up to 100,000 events/ second from 350+ connectors Search 2 million+ events per second Analyze a breach in 4 hours with quick forensic investigation 14

15 Transformation in Detail Capability Collect Enrich Search Store Correlate? Benefit Collect logs from any device, any source, and in any format at high speed Machine data is unified into a single format through normalization and categorization Simple text-based search tool for logs and events without the need of domain experts Archive years worth of unified machine data through high compression ratios Automate the analysis, reporting, and alerting of machine data for IT security, IT operations, and IT GRC 15

16 Adding context to security intelligence Event correlation Users & Roles User monitoring Fraud monitoring Data capture Controls monitoring App Context App monitoring Threat Intelligence Business Asset model Log management Applications 16

17 Assets: Business relevant risk management 17

18 Shared threat intelligence Partners InQuest Open Source Threat Central Private Community Threat DB Privacy Enhanced TC Forum Feeds Sector Community HP Security Research 18 TC Portal Global Community

19 Adding identity and role context The multiple login example Action: login Application: Windows User: johnd Login time: 1/1/14, 10:00pm Place: Sunnyvale, CA, USA Action: login Application: Sales Force User: Login time: 1/1/14, 10:05pm Place: London, UK 19

20 Application Layer Intelligence Example: add user context to database logging SQL User name User name Only by logging through the application database logs can include user information. Events 20

21 HP ArcSight Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

22 Security is complex, ArcSight helps you. Get Control Get Efficient Get Compliant Transform Big Data into actionable security intelligence Faster resolution with fewer resources Automate your compliance out-ofthe box 22

23 HP ArcSight delivers 4 hours to respond to a breach ArcSight enables forensic investigation and a quick response to a data breach that otherwise would take 24 days 10 minutes to fix an IT incident Full-text searching of any data enables incident resolution that otherwise would take 8 hours 5 minutes to generate IT GRC report ArcSight content generates IT GRC reports that otherwise would take 4 weeks 3 days to run an IT audit Search results yield audit-quality logs that otherwise would take 6 weeks 2 days to fix a threat vulnerability Seamless integration allows faster remediation, that otherwise would take 3 weeks 23

24 ArcSight takes the complexity out of Big Data Volume Cross-device, real-time correlation of data across IT Long term archival at 10:1 compression ratio with ArcSight Send it to Hadoop at over 100,000 EPS Velocity SmartConnectors collect logs, events, flows at over 100,000 EPS from almost any log generating source Search data at over 2,000,000 EPS Variety Collects machine generated data from 350+ distinct sources Autonomy collects human generated data from 400+ distinct sources Collect from Hybrid network such as physical, virtual, and cloud VELOCITY 24

25 HP ArcSight named leader in Gartner SIEM MQ 2013 HP ArcSight named A LEADER in the Gartner Magic Quadrant for Security Information and Event Management (SIEM), 10 YEARS IN A ROW. The MOST VISIONARY PRODUCT in the Gartner SIEM MQ 25

26 BMW HP ArcSight ESM has enabled our IT department to be an enabler of the business. We can act very fast on security incidents and can reduce the loss of contracts and financial services due to the improved integrity of our network. Marc Seiffert, Senior IT Specialist BMW Group 26

27 HP ArcSight Information Security Product Family A comprehensive solution for big data security and compliance Universal Log Management Collect, store, analyze machine data from anywhere Cost-effective compliance solution Security Information and Event Next Management Gen FW (SIEM) Leaders in Gartner MQ for 10 years in a row Real-time threat intelligence for big data Big Data Security SOC Appliance for mid-market One box solution for security use cases Delivers value out-of-thebox Security Intelligence and Operations Center Largest number of SOCs built through HP ArcSight Integrated solution with TippingPoint, Fortify, Hadoop, & Autonomy 27

28 Questions?

29 Join Our Conversation We are on your side. Visit our blogs. HP Security Research HP Security Products HP Threat Briefings hp.com/go/hpsrblog hp.com/go/securityproductsblog hp.com/go/threatbriefings 29

30 Thank you