Intelligence Driven Security
RSA Advanced Cyber Defense Workshop
Shane Harsch, Senior Solutions Principal, RSA
Agenda
Approach & Activities
Operations
Intelligence
Infrastructure
Reporting & Top Findings
Present Reality
"The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him." - Sun Tzu, The Art of War
Objective
Readiness: completely prepared for immediate action
Responsiveness: the ability to adjust quickly to suddenly altered conditions
Resilience: the ability to return to the original state after an incident
Focus Areas
Three pillars: Operations, Infrastructure, Intelligence
Business & Risk Alignment
Organization Structure, Roles & Responsibilities
Incident Handling processes & procedures
Education & Awareness
Vulnerability Assessment & Remediation Capabilities
SIEM, DLP, IAM & GRC Posture and Application
Ingress/Egress/Lateral Visibility Capabilities
Cyber Intelligence Trending & Analytics
APT Modeling & Simulation
Counter Threat Operations + Attack Sensing & Warning
Evaluation Criteria
Contribution (binary) and Maturity (scaled), viewed through Readiness, Responsiveness and Resilience
Maturity scale:
0 Non-Existent: management processes are not applied at all
1 Initial/Ad-Hoc: processes are ad hoc and disorganized
2 Repeatable But Intuitive: processes follow a regular pattern
3 Defined Process: processes are documented and communicated
4 Managed & Measurable: processes are monitored and measured
5 Optimized: good practices are followed and automated
Additional Activities
Marketing: profile PR disclosure readiness; brand impact analysis
Legal: map relations with law enforcement and third parties, etc.
Network: architecture and topology; segmentation and zoning
Facilities: profile SOC layout; determine upgrade requirements
Storage: business continuity planning; back-up, recovery & archiving
Other IT: big data analysis; ticketing
Business & Risk Alignment
Review of organizational mission and security strategy
Organizational Structure
User Personas: Threat Intel Analyst, L1 Analyst, L2 Analyst, SOC Analysts, SOC Manager
Persona Driven Design: CISO/CSO, SOC Management, CIO, Business Mgr., Privacy Officer, Compliance, Legal, HR
Cross Functional Teams: Incident Management, Threat Intelligence Management, Breach Management, SOC Program Management, IT Security Risk Management
Incident Response
Review of roles, responsibilities and workflow
People & Process
Defense-In-Depth
Review of traditional and advanced countermeasures
Review of overall defense-in-depth capabilities, including traditional security countermeasures & capabilities
Enables Breach Management to be considered within the larger context of the organization's overall security posture
Source: CyberEdge Group, 2014
Content Intelligence
Review of capabilities for collecting controls intelligence
Inputs: SIEM, DLP, Packet Data, Host Data, File Data, Security Controls Data
Parsing & Correlation -> Content Intelligence
Getting the right data from the right controls!
Analytic Intelligence
Review of capabilities for analyzing actionable intelligence
Example: proactive traffic review for unusual country destinations, actions and host names
e.g. analysis of traffic going to Russia and finding POST actions for aus-post.info
Malware dropper downloaded
Malware analyzed in sandbox
Bogus certificates & beaconing confirmed
Analytic Intelligence results in IOCs:
Downloader site
C2 site
Self-signed certificate (named "mojolicious")
Destination IP addresses for Downloader & C2
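The proactive-review step on this slide, written out as detection logic over constructed proxy log lines (an added example, not material from the workshop deck): it flags POST requests to countries outside an assumed expected set, matches the slide's aus-post.info and "mojolicious" indicators, and confirms beaconing from the regularity of connection intervals. The log format, the host names and the expected-country set are assumptions.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed sample proxy log (not captured data): epoch, source host,
# destination country, method, destination host, TLS subject CN, self-signed flag.
SAMPLE_LOG = """\
1700000000 ws-101 US GET cdn.example.com cdn.example.com no
1700000000 ws-102 RU POST aus-post.info mojolicious yes
1700000300 ws-102 RU POST aus-post.info mojolicious yes
1700000600 ws-102 RU POST aus-post.info mojolicious yes
1700000900 ws-102 RU POST aus-post.info mojolicious yes
1700000100 ws-103 DE GET news.example.org news.example.org no
"""

EXPECTED_COUNTRIES = {"US", "DE"}   # assumption: countries this organization normally talks to
IOC_DOMAINS = {"aus-post.info"}      # downloader/C2 site named on the slide
IOC_CERT_CN = {"mojolicious"}        # self-signed certificate name from the slide
FIELDS = ("ts", "src", "country", "method", "host", "cn", "self_signed")

def parse_log(text):
    """Turn each whitespace-separated line into a dict; the timestamp becomes an int."""
    rows = [dict(zip(FIELDS, line.split())) for line in text.splitlines() if line.strip()]
    for r in rows:
        r["ts"] = int(r["ts"])
    return rows

def flag_events(rows):
    """Proactive review: POSTs to unexpected countries, known IOC domains, bogus certificates."""
    reasons = defaultdict(set)
    for r in rows:
        key = (r["src"], r["host"])
        if r["method"] == "POST" and r["country"] not in EXPECTED_COUNTRIES:
            reasons[key].add("post-to-unusual-country")
        if r["host"] in IOC_DOMAINS:
            reasons[key].add("ioc-domain")
        if r["self_signed"] == "yes" or r["cn"] in IOC_CERT_CN:
            reasons[key].add("bogus-certificate")
    return dict(reasons)

def find_beacons(rows, min_hits=3, max_jitter=60):
    """Beaconing check: at least min_hits connections per (src, host) at near-constant
    intervals (population stdev of the gaps <= max_jitter seconds). Returns the mean gap."""
    by_pair = defaultdict(list)
    for r in rows:
        by_pair[(r["src"], r["host"])].append(r["ts"])
    beacons = {}
    for key, stamps in by_pair.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= min_hits and pstdev(gaps) <= max_jitter:
            beacons[key] = round(sum(gaps) / len(gaps))
    return beacons
```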
Threat Intelligence
Review of capabilities for tracking adversary intelligence
A journey with many intersections
Networking, Policy, Analytics, Log Data, Intelligence, Alerting, Staffing, Cloud, Facilities, Big Data, Baselining, Reporting, Access Controls, Workflow
Security Operations
"If you cannot measure it, you cannot manage it." - Ancient Business Proverb
Reporting & Metrics
Review of metrics tracking process and capabilities
Source: NIST SP 800-55 Performance Measurement Guide
Metrics include: SIEM maturity level; Incident Response; Vulnerability Management; Patch Management; Configuration & Change Management; Application Management, etc.
Top Gaps
People:
  Inadequate security resources
  Roles & responsibilities (R&R) not clearly defined
  No user awareness training for advanced threats
Process:
  Ad hoc processes/procedures
  Poor patch management
  No post-incident lessons learned
Technology:
  No IR tracking/workflow system
  No centralized or real-time monitoring/alerting
  No forensic analysis capabilities
  No cyber threat intelligence capability
Security Objective
Readiness, Responsiveness, Resilience
across People, Process, Technology
Intelligence Driven Infrastructure
Controls: A/V, IDS/IPS, Firewall/VPN, Proxy, DLP
Content: SIEM (Log Alerts, DLP Alerts); Visibility (Packets, Host, File, Signatureless Alerts)
Single UI: Incident Management & Reporting; Workflow & Automation, Rules, Alerts & Reports
Context: Business Context and Risk Context (Line of Business Owner, Policy, Assessments, Criticality, Vulnerability); Threat Context (Subscriptions, Community, Open Source)
Triage tiers: Content Intelligence -> Level 1 Triage; Analytic Intelligence -> Level 2 Triage; Expertise -> Level 3 Triage; Threat Intelligence -> Threat Triage
Q&A