Joining Forces: Bringing Big Data to your Security Team

Transcription

1 Joining Forces: Bringing Big Data to your Security Team Alaa Abdulnabi, CISSP RSA Regional Pre-Sales Manager Turkey, Middle East & 1

2 Facteurs de mutation du marché Appareils mobiles Cloud Big Data Effectifs étendus Chaînes de valeur interconnectées Menaces avancées persistantes Techniques de fraude élaborées Transformation de l infrastructure Moins de contrôle sur les périphériques d accès et sur l infrastructure back-end Transformation de l entreprise Encore plus hyperétendue et numérique Transformation du paysage des menaces Des tactiques fondamentalement différentes, plus redoutables que jamais 2

3 Old World Threats ATTACK FOCUS ON INTRUSION DEFENSE FOCUS ON PREVENTION 3

4 New World Advanced Threats 85% of breaches weeks or more to discover Breach response under 2 hours 60% reduced risk Source: Verizon 2012 Data Breach Investigations Report 4

5 Des menaces avancées radicalement différentes 1 CIBLÉES OBJECTIF PRÉCIS 2 FURTIVES 3 INTERACTIVES INTERVENTION HUMAINE DISCRÈTES ET LENTES Intrusion dans le système Début de l attaque Découverte de la dissimulation Attaques par rebonds Fin de la dissimulation TEMPS Fenêtre d attaque Temps de réponse 1 Réduire la fenêtre d attaque Identification de l attaque 2 Accélérer le temps de réponse Réponse 5

6 Profile of Attack: Data Exfiltration Unusual Network Traffic Multi-connections tunneled over non-standard port Authentication Check Directory logs authorized credentials from unknown IP 1 PASSWORD ****** Ex-filtration Encrypted ZIP transmitted out of corporate network Authorization Checks VPN & Host log multiple credentials on multiple servers 6

7 Réallocation des ressources budgétaires et humaines Surveillance 15 % Réponse 5 % Surveillance 33 % Réponse 33 % Prévention 80 % Prévention 33 % Priorités actuelles Sécurité intelligente 7

8 To improve detection, investigation, & response organizations need COMPREHENSIVE VISIBILITY Analyze everything that s happening in my infrastructure AGILE ANALYTICS Enable me to efficiently analyze and investigate potential threats ACTIONABLE INTELLIGENCE Help me identify targets, threats & incidents OPTIMIZED INCIDENT MANAGEMENT Enable me to manage the incidents 8

9 IS WHERE SECURITY MEETS BIG DATA 9

10 Traditional: Collect and report on existing data to monitor and manage risk Advanced: Advanced analytics and algorithms generate predictive insights and active controls as direct result of data Security Analytics Source: EMC Study, Data Science Revealed: A Data-Driven Glimpse into the Burgeoning New Field, December 5,

11 Security Analytics Platform Big Data Analytics Governance Data Apps Systems Network Alert & Report Investigate & Analyze SECURITY ANALYTICS + Store Visualize Respond Compliance ARCHER GRC Incident Management Remediation Public & Private Threat Intelligence 11

12 RSA FirstWatch RSA s elite, highly trained global threat research & intelligence team Providing covert and strategic threat intelligence on advanced threats & actors Focused on threats unknown to the security community Malicious code & content analysis Threat research & ecosystem analysis Profiling threat actors Research operationalized automatically via RSA Live 12

13 Prioritize Security Analyst Efforts Finding the Right Needle in a Stack of Needles All Network Traffic & Logs Downloads of executables Type does not match extension! Terabytes of Data 100% of total Thousands of Data Points 5% of total Hundreds of Data Points 0.2% of total Create Critical Asset Alerts A few dozen alerts 13

14 Asset Criticality Intelligence Asset Intelligence Asset List IT Info Device Type Device IDs Content (DLP) Category IP/MAC Add CMDBs, DLP scans, etc. Biz Context Device Owner Business Owner Business Unit Process RPO / RTO RSA ACI Criticality Rating IP Address Criticality Rating Business Unit Facility RSA Security Analytics Security analysts now have asset intelligence and business context to better analyze and prioritize alerts. 14

15 Asset Criticality Intelligence in Security Analytics Helps analyst better understand risk To prioritize investigation & response Asset criticality represented as metadata 15

16 Advanced Incident Management Offload response from security analyst Enhances management visibility Accelerates remediation Manage entire incident lifecycle 16

17 RSA Data Discovery for Security Analytics Discover sensitive data & improve investigations with DLP SharePoint File Servers Databases RSA Data Discovery Data Discovery Feed NAS/SAN Endpoints RSA Security Analytics Content-level Intelligence Security Analyst 17

18 RSA Data Discovery for Security Analytics Investigative Interface Data Discovery attributes available in SA Investigation UI help Security Analysts identify high risk assets and prioritize investigations 18

19 RSA ECAT Key Functionality & Benefits File Whitelisting Multi-engine AV scan Certificate Validation Network Traffic analysis Full System Inventory Direct physical disk inspection Live Memory Analysis X-ray view of what s happening on endpoints Identify behavior related to malware Highlight likely infections with Machine Suspect Level (MSL) Quickly triage results to gain actionable intelligence Find other infected machines & gauge scope of breach Forensic data gathering 19

20 Advanced Threat Detection & Incident Management with RSA SMC Portfolio RSA Security Analytics RSA Advanced Incident Mgmt. for Security (AIMS) Alerts Based on Rules Capture & Analyze NW Packets, Logs & Threat Feeds Syslog alert of high Machine Suspect Levels RSA ECAT Group Alerts Manage Workflows Provide Visibility Business & Security Users Detect suspicious endpoint activity 20

21 21