TOP INNOVATIONS FOR CYBERSECURITY

Size: px

Start display at page:

Download "TOP INNOVATIONS FOR CYBERSECURITY"

Caren Butler
8 years ago
Views:

1 1

2 TOP INNOVATIONS FOR CYBERSECURITY MATTHEW S TOP 10 SECURITY INNOVATIONS FOR THE PRESENT & NEAR FUTURE MATTHEW GARDINER, SR. MANAGER, RSA SECURITY 2

3 ROADMAP INFORMATION DISCLAIMER EMC makes no representation and undertakes no obligations with regard to product planning information, anticipated product characteristics, performance specifications, or anticipated release dates (collectively, Roadmap Information ). Roadmap Information is provided by EMC as an accommodation to the recipient solely for purposes of discussion and without intending to be bound thereby. Roadmap information is EMC Restricted Confidential and is provided under the terms, conditions and restrictions defined in the EMC Non- Disclosure Agreement in place with your organization. 3

4 IF NOTHING ELSE REMEMBER THIS ADVICE 4

5 HOW MANY OF YOU ARE SECURITY PROS? 5

6 MORE SERIOUSLY MY GUIDING VISION The future is already here it s just not very evenly distributed William Gibson 6

7 AGENDA MATTHEW S TOP 10 SECURITY INNOVATIONS FOR THE PRESENT & NEAR FUTURE Why security innovation is really needed now? Matthew s Top 10 security innovations Drivers, Hurdles, & Examples What do you think should have made my Top 10? Wrapping up 7

8 SECURITY IS GETTING MEASURABILITY WORSE Attacker Capabilities Time To Discovery - VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT 8

9 WHY IS SECURITY GETTING WORSE? The attack surface is expanding Attackers are becoming more sophisticated Existing strategies & controls are failing Security teams are missing attacks Teams need to increase experience & efficiency Tools & processes must adapt to today s threats 9

10 MY FOCUS FOR THIS SESSION The attack surface is expanding Attackers are becoming more sophisticated Existing strategies & controls are failing Security teams are missing attacks Teams need to increase experience & efficiency Tools & processes must adapt to today s threats 10

11 BIG PROBLEMS DRIVE INNOVATIONS 11

12 12

13 #10 BEHAVIOR BASED DETECTION Using observed behavior of sessions, executables, machines, people etc Good Doesn t require precise foreknowledge of attack steps Inherently sorts based on risk & certainty Doesn t rely on file signatures or perimeter Hurdles Requires heavy use of non-traditional data sources (often a lot) Ex Network traffic, threat intelligence, identity context Probabilistic results Not black/white decisions! Examples Protocols over non-standard ports & encrypted data to abnormal countries 13

14 #9 APPLICATION OF BIG DATA/DATA SCIENCE TO DETECTION 14

15 #9 APPLICATION OF BIG DATA/DATA SCIENCE TO DETECTION Technique, tools, & analytic platforms are taking world by storm. Good Inherently behavior based data relationships not pre-determined Hypothesis driven Iterative Incorporates learning to improve Internet scale - Designed to analyze massive data sets Hurdles New immature technology Requires heavy use of non-traditional data sources (often a lot) Ex Network traffic, threat intelligence, identity context Data scientist expertise not widely available & is needed Examples Detecting risky users, Internet domains, hosts 15

16 #8 NON-SIGNATURE-BASED TECHNIQUES TO DETECT MALWARE 16

17 #8 NON-SIGNATURE-BASED TECHNIQUES TO DETECT MALWARE LOOKING FOR TELLS THAT INDICATE MALWARE IS PRESENT 17

18 #8 NON-SIGNATURE-BASED TECHNIQUES TO DETECT MALWARE Don t depend on finding previously discovered known-bad files (via AV), find files which show mis-behavior using IOCs (Tells) Good Inherently more flexible Doesn t care about a single bit change Not fooled by advanced malware obfuscation techniques Hurdles Mind shift from preventive -> detective security on hosts Requires visibility in new places - network and/or hosts Requires some malware expertise Is it malware? Examples RSA Security Analytics (network malware detection) & RSA ECAT (Host-based - monitors activity in memory) 18

19 #7 NETWORK PACKET CAPTURE FOR DETECTION & INVESTIGATION 19

20 #7 NETWORK PACKET CAPTURE FOR DETECTION & INVESTIGATION The network sees all! Key opportunity for visibility & understanding Good Attacks generally traverse your network Why not leverage this? Can see exactly what, when, & who Excellent for both detection & investigation (forensics) Hurdles Requires large source of new data Don t have visibility outside your data centers (SaaS applications) Best used by Security Operations Centers Examples RSA Security Analytics 20

21 #6 THE RISE OF THE SECURITY OPERATIONS CENTER (SOC) Tier 1 Analyst Tier 2 Analyst Security Architects Threat Intelligence Analyst SOC Manager 21

22 #6 THE RISE OF THE SECURITY OPERATIONS CENTER (SOC) Specialized team (or MSSP) that provides full-time incident detection, investigation, & response services for the org. Good Treats attack detection/investigation as an ongoing issue (which it is) Prioritizes & accelerates the management of incidents Reduces the need for surge incident response contracts Hurdles Requires new budget, staffing, expertise, processes, & technology Examples EMC & many other companies have impressive teams & MSSPs are investing here as well 22

23 #5 SHARING OF THREAT INTELLIGENCE 23

24 #5 SHARING OF THREAT INTELLIGENCE Sharing details of attacker tools, tactics, & techniques so that detection is accelerated globally (Skynet for good!) Good Organizations are no longer islands defending alone Can dramatically accelerate detection & understanding Hurdles What are the economics benefits of sharing? What about the liability of sharing flawed threat information? Who determines what data is good enough for distribution? Standardized ways of sharing content Examples TI vendors (RSA), Information Sharing & Analysis Centers (ISACs), US-CERT 24

25 #4 CREATION/EXPANSION OF CLOUD SECURITY APIS 25

26 #4 CREATION/EXPANSION OF CLOUD SECURITY APIS Security can be managed consistently for both on-premise & cloud applications Good Greater consistency of security controls across extended enterprise Increased visibility of security related controls Detection & investigations can more easily include the cloud Hurdles Limited availability of cloud security APIs No standardization Limited security vendor support Examples AWS CloudTrail, Azure - TBD, Office365 - TBD, WorkDay TBD, SalesForce.com Custom scripting required to grab logs, Vmware Vcloud API, Apache CloudStack 26

27 #3 USING A RISK BASED APPROACH.VS. PEANUT BUTTER APPROACH 27

28 #3 USING A RISK BASED APPROACH.VS. PEANUT BUTTER APPROACH Shouldn t protect everything equally/match security controls to business risk Good More efficient application of resources Don t over secure low-valued resources or under secure high-valued resources Hurdles How does the security team identity, track, & differentiate assets & their business value? Examples Security Framework NIST Cybersecurity Framework (CSF) Tool RSA Archer IT Security Risk Management Module 28

29 #2 USE OF MOBILE DEVICES FOR USER AUTHENTICATION 29

30 #2 USE OF MOBILE DEVICES FOR USER AUTHENTICATION Mobile devices are very powerful, always with you, & have great context about you Fingerprint, face, voice, pulse, location, social network position, apps, etc Good Great ease of use potential Very strong verification Hurdles Has a creepy factor Compliance with local data privacy laws Examples iphone 6 30

31 #1 SECURING THE INTERNET OF THINGS A TRANSFORMATION OF OPPORTUNITY AND RISK 31

32 #1 SECURING THE INTERNET OF THINGS Billions of consumer, industrial, & M2M communications occurring in support of every aspect of life & business Would a cybercriminal/nation state like to collect from or disrupt this activity? Hurdles How to keep the system open to the good guys & closed to the bad Can the security controls scale into the billions of devices? Industrial control system.vs. Driverless car.vs. Refrigerator What is privacy when everything around is emanating data? How will vulnerabilities be fixed with billions of devices? 32

33 WRAPPING UP What do you think should have made my Top 10? Focus on: Detecting behavior (not detecting known malware samples) Making security monitoring & incident response an equal partner Not being a security island Not providing everything equal protection Be active participant in technology innovations 33

RSA Security Analytics

RSA Security Analytics This is what SIEM was Meant to Be 1 The Original Intent of SIEM Single compliance & security interface Compliance yes, but security? Analyze & prioritize alerts across various sources