Advanced Visibility. Moving Beyond a Log Centric View. Matthew Gardiner, RSA & Richard Nichols, RSA

Transcription

1 Advanced Visibility Moving Beyond a Log Centric View Matthew Gardiner, RSA & Richard Nichols, RSA 1

2 Security is getting measurability worse Percent of breaches where time to compromise (red)/time to Discovery (blue) was days or less Attacker Capabilities 100% 75% Time to compromise 50% 25% Time to discovery Time to Discovery VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT Copyright 2015 EMC Corporation. All Confidential rights reserved. and Proprietary. NDA Required 2

3 A Logs-Only Approach to Detection Isn t Working 99% Percent of successful attacks went undiscovered by logs - VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT Copyright 2015 EMC Corporation. Confidential All rights reserved. and Proprietary. NDA Required 3

4 Security Strategies Leave Much White Space Threat Actors Firewall IDS/IPS At first, there were HACKS Preventive controls filter known attack paths AntiVirus More Logs Whitespace Successful ATTACKS Corporate Assets 4

5 Recent Investments - Much White Space Still Threat Actors Firewall IDS/IPS AntiVirus More Logs Blocked Session Blocked Session Blocked Session Alert S I E M At first, there were HACKS Preventive controls filter known attack paths Then, ATTACKS Despite increased investment in controls, including SIEM Whitespace Successful ATTACKS Corporate Assets 5

6 Lack of Visibility is A Core Problem Copyright 2015 EMC Corporation. All Confidential rights reserved. and Proprietary NDA Required. 6

7 How to Detect This With Logs Only? Packed file destined to host FOLLOWED BY Encrypted traffic to IP registered in blacklisted country Could be an attacker be compromising host and stealing data! Copyright 2015 EMC Corporation. All Confidential rights reserved. and Proprietary NDA Required. 7

8 Many Data Streams Contribute to Visibility Not collecting all necessary logs Lack of PCAP (network) data Not able to monitor endpoints Asset Data VMS Data Previous Incidents Attacker Profiles Intel Intel Intel Intel Target Knowledge Campaign History AV IPS WEB FW Analyst of the Future Analytics, Visualization & Machine Learning Log Capture Full Packet Capture Endpoint Inspection Business Intelligence Data Intelligence Identity Risk (HVA) Strategic Insight Data Classification Data Discovery Intel Cloud Apps Intel Collection, Processing & Counter-Intel Mining 8

9 Logs Alone Don t Cut It? Shell Crew Example Logs What was targeted? Packets How did the exploit occur? NetFlow: How did the attackers move around once inside? Endpoints Was the endpoint exploited? Were others infected? Intrusion attempts Beaconing & suspicious communications Sticky-keys backdoor Malicious proxy tools WinRAR using encrypted rar files Recreate entire exploit Lateral movement via RDP Time/date stomping Indicators about malicious files and code Scope of infection 9

10 Threat Intel. is Also Key for Detection/Investigation SOC Analyst(s) Incident Record Alert Records Enriched with Intelligence Threat Intel Analyst Incident Management OSINT Process & Categorize Indicators Alerts Paid Cleared TTPs Tools Network/Host Artifacts Domain Names Threat Intelligence Portal Alerts Middleware CEF IP Addresses Hash Values Sensor Grid Pyramid of Pain, David Bianco,

11 CONTEXT Asset, Identity, Vulnerability, Business Value. Sensor Grid Enrich the incident data before the analyst starts to investigate First contact by analyst Correlating Alert Data Automated Host Interrogation Network Insight Alert Data Host Insight Network Profiling Intelligence Fusion! Enriched Prioritized Incident Record Copyright 2015 EMC Corporation. All Confidential rights reserved. and Proprietary. NDA Required 11

12 Visibility Also Needs to Include the Public Cloud 12

13 Network Traffic & Endpoint etc Transforms Visibility Network Flows System Logs Endpoint Data Threat Intel Feeds Security Events Data Aggregation for Improved Incident Handling Network Traffic Identity/ Asset Context Visibility By centralizing these various source of Data into a security monitoring system, The SOC gains actionable insight into Possible anomalies indicative of threat Activity. SECURITY MONITORING SISTEM Analysis Security operations analysts can analyze data from various sources and further interrogate and triage devices of interest to scope an incident. SANS, Building a World-Class Security Operations Center, Alissa Torres, May 2015 Action Based on finding, automated and manual interventions can be made to include patching, firewall modification, system quarantine or reimage, and credential revocation. 13

14 Security Monitoring Data Privacy? V.S Copyright 2015 EMC Corporation. All Confidential rights reserved. and Proprietary. NDA Required 14

15 Tokenizing IP Addresses to Preserve Privacy 15

16 Tokenizing Usernames to Preserve Privacy 16

17 CUSTOMER SUCCESS: Global Financial Services Moving Beyond Logs RSA engaged to manage an identified incident Bank had been target for 7 years Lack of full visibility allowed campaign to continue RSA Incident Response was used RSA then engaged to improve ongoing SOC program RSA Security Analytics for full visibility & context, as well as live threat feeds. 17

18 Around the clock monitoring, advanced security technologies and integrated incident response Cybersecurity is about business imperatives and how to embed security into the GOVERNANCE, RISKS & COMPLIANCE CYBER THREAT INTELLIGENCE value chain Global Posture CRITICAL INCIDENT RESPONSE TEAM CYBER FUSION CENTER ADVANCED TOOLS AND TACTICS 18 ADVANCED DATA & CONTENT ANALYTICS 18

19 Is Greater Visibility Key to Mitigating Advanced Attacks? Threat Actors Firewall IDS/IPS AntiVirus Logs Endpoint Visibility Network Visibility Blocked Session Blocked Session Blocked Session Alert Process Network Sessions Security Analytics Now, successful ATTACK CAMPAIGNS target any and all whitespace. Complete visibility into every process and network sessions is required to eradicate the attacker opportunity. Unified platform for advanced threat detection & investigations Corporate Assets 19

20 Move From a Log-Centric Approach Organizations need to collect, process, and store a plethora of data sources including asset data, identity information, network traffic (via full packet capture), NetFlow, endpoint forensic information, etc. This data volume is in part what transforms yesterday s security analysis into today s big data security analytics. --JON OLTSIK, ESG, SEPTEMBER, 2014, INFORMATION-DRIVEN SECURITY AND RSA SECURITY ANALYTICS AND RSA ECAT Copyright 2015 EMC Corporation. Confidential All rights reserved. and Proprietary. NDA Required 20

21 RSA ASOC Portfolio Products RSA Security Analytics Providing centralized threat detection & investigation RSA ECAT Providing endpoint threat detection & investigation RSA Security Operations Management Incident management & SOC orchestration RSA Web Threat Detection Web session intelligence Services RSA Advanced Cyber Defense Practice Breach Readiness, SOC Design, Incident Response, Hunting Services, Analyst Education 21

22 EMC, RSA, the EMC logo and the RSA logo are trademarks of EMC Corporation in the U.S. and other countries.