CONTINUOUS MONITORING THE MISSING PIECE TO SECURITY OPERATION (SOC) TODAY

Transcription

1 CONTINUOUS MONITORING THE MISSING PIECE TO SECURITY OPERATION (SOC) TODAY MATTHIAS YEO Chief Technology Officer - APAC CISSP, CISA, CISM, PMP 1

2 OVER REACTING VS UNDER REACTING Reason for the world today CAR ALARM Security model 2

3 WHAT IS MISSING IN SOC TODAY? 1 Continuous Monitoring 2 Adaptive Security 3 Encrypted Traffic Management 3

4 WHAT IS MISSING IN SOC TODAY? 1 Continuous Monitoring 2 Adaptive Security 3 Encrypted Traffic Management 4

5 BURNING QUESTION TODAY How To Prevent My Organization From Suffering Security Breaches? 5

6 THE REALITY OF OUR SECURITY WORLD Globally, 18% of organizations in the Government & Defense sector reported at least one targeted attack 94% of companies reportedly encountered at least one externally-sourced data security incident within the past 12 months, including phishing attacks, DDoS attacks, and theft of mobile devices. In 28% of these instances, business reported the loss of sensitive business data. 6

7 BURNING QUESTION TODAY How To Prevent My organisation From Suffering Security Breaches? Am I Ready To Respond? 7

8 GARTNER: ADAPTIVE SECURITY ARCHITECTURE PROTECTION FROM ADVANCED ATTACKS On Adaptive Security Architecture Shift your security mindset from "incident response" to "continuous response," wherein systems are assumed to be compromised and require continuous monitoring and remediation Because enterprise systems are under continuous attack and are continuously compromised, an ad hoc approach to "incident response" is the wrong mindset. Gartner, February

9 POST-PREVENTION SECURITY GAP HOW BIG IS IT? Initial Attack to Compromise Initial Compromise to Discovery Days 13% weeks 2% Seconds Hours 60% 11% Minutes 13% Months 62% Years 4% Hours 9% Days 11% Weeks 12% 84% 78% 9

10 USING HUMAN BODY AS AN ANALOGY Preventive Supplements, Multi-vitamins Exercise, Jogging Healthy Eating Sleep Early Repair GP clinics, Dental Diagnosis, X-Rays Remediation, Medication Hospitalisation Preventive IPS, Firewall, Gateway, Web Gateway, AV, Database Security, SIEM Defense in depth? Technology Repair Logs from System? Forensic (Manual)??? 10

11 THE POST BREACH QUESTIONS 2 main questions that all CIO expected from a SOC during a breach What happened? How did the system get compromised? What systems and data were affected? What are we doing about it? Have we done all the remediation? Can we be sure it is over? 11

12 SECURITY ANALYTIC A ROOT CAUSE ANALYSIS Security Analytic A Full Packet Capture of your traffic in your network, for analysis. INTERNET Answer the 2 most important question: - What Happened? - What are we doing about it? FIREWALL SECURITY ANALYTICS 12

13 EXAMPLE - THREAT ASSESSMENTS KEY FINDINGS Critical Findings No Findings Criticality 1 Downloads of malware Very High 2 Indicator of compromised host C&C Very High 3 Access to inappropriate site High Others (Situation Awareness) No Findings Criticality 1 Unusual protocol analyzed Medium 2 Unsecure File Transfer Protocol Medium 3 Visibility of Traffic (Videos) Low 4 Unsecure protocol identified Low 13

14 SECURITY ANALYTICS: FORENSIC CAPABILITY FOR HOSTED SITE Similarly, without proper forensic capability, if there is an attack to our hosted environment, it might be hard to identify how the attack happens INTERNET With a full network packet capture, Security Operator can go back in time to identify the source of the breach using the raw network content, and answers query such as: What was the exploitation done to the servers? FIREWALL How did the server respond to the exploitation? Were there any reconnaissance done before that? Was there any malware loaded into the server? What is the activity after or traffic anomaly after the attack? Are there any loss of information or anomaly activity after the breach? SECURITY ANALYTICS CENTRAL MANAGER File Server Hosted Service ST Sites 14

15 WHAT IS MISSING IN SOC TODAY? 1 Continuous Monitoring 2 Adaptive Security 3 Encrypted Traffic Management 15

16 GARTNER: ADAPTIVE SECURITY ARCHITECTURE PROTECTION FROM ADVANCED ATTACKS On Adaptive Security Architecture The goal is not to replace traditional SIEM systems, but rather to provide high-assurance, domain specific, risk-prioritized actionable insight into threats, helping enterprises to focus their security operations response processes on the threats and events that represent the most risk to them. Gartner, February

17 HOW TO ADDRESS THE OVER\UNDER REACTING SYNDROME? Incident Resolution Investigate & Remediate Breach Threat Profiling & Eradication Ongoing Operations Detect & Protect Block All Known Threats Incident Containment Analyze & Mitigate Novel Threat Interpretation 17

18 WHAT IS MISSING IN SOC TODAY? 1 Continuous Monitoring 2 Adaptive Security 3 Encrypted Traffic Management 18

19 MAKING MATTER WORSE SSL ENCRYPTED TRAFFIC IS PERVASIVE SSL Sites on the Web HTTPS traffic booming (20% Y/Y) 2,000,000 1,500,000 1,000, ,000 Enterprise apps Cloud apps i.e., SFDC, Amazon Internet apps i.e., Google, FB Mobile apps More protocols are SSL encrypted HTTP, SPDY, FTP, SMTP, XMPP, IMAP, POP3, etc

20 THE URGENCY OF SSL VISIBILITY SSL increasingly hiding security threats SSL is growing, BUT creates blind spots for enterprise security apps Meet data privacy & compliance regulations Protect security infrastructure Majority of APTs Operate Over SSL 25-70% of Traffic is Encrypted Provide advanced security w/o trading off performance Identify and block hidden malware such as Gameover, Zeus, ShyLock and SpyEye Reduce risk and costs associated with data breaches * 50% of all network attacks will use SSL by 2017 * Gartner Dec

21 NGFW IDS / IPS Host AV Web Gateway SIEM Gateway DLP Web Application Firewall SSL HIDES MALWARE Threat Actors Nation States Cybercriminals Hactivists Insider-Threats Traditional Advanced Threats Known Novel Malware Threats Zero-Day Known Malware Threats Targeted Known Attacks Files Modern Known IPs/URLs Tactics & Techniques Unknown SSL SIGNATURE-BASED DEFENSE-IN-DEPTH TOOLS 21

22 GARTNER: SECURITY LEADERS MUST ADDRESS THREATS FROM RISING SSL TRAFFIC On Rising SSL Traffic An increasing share of enterprise network traffic is encrypted, creating gaps in defense-in-depth effectiveness that security leaders should not ignore Complex sets of laws and regulations on privacy, along with a high risk of conflict with employees, kill most security leaders' outbound Web traffic decryption projects 22

23 IMPORTANT PIECE TO THE PUZZLE - SSL VISIBILITY APPLIANCE Incident Resolution Investigate & Remediate Breach Threat Profiling & Eradication ENCRYPTED TRAFFIC MANAGEMENT Ongoing Operations Detect & Protect Block All Known Threats ADVANCED THREAT PROTECTION LIFECYCLE DEFENSE Incident Containment Analyze & Mitigate Novel Threat Interpretation SSL Visibility Appliance 23

24 CONTINUOUS MONITORING 1. Build Continuous Monitoring, not just incident response 2. Build Adaptive Security Not products Do not be blinded by false positive 3. Encrypted Traffic Management - Remove your security blindfold 24

25 Matthias Yeo Chief Technology Officer - APAC CISSP, CISA, CISM, PMP [email protected] 25