The Future of the Advanced SOC
Developing a platform for more effective security management and compliance
Steven Van Ormer, RSA Technical Security Consultant

Agenda
- Today's Security Landscape, and Why Change if it's Working Out So Well?
- The Rise of Big Data
- Four Attributes in Managing Advanced Threats
- Advanced SOC Framework
Today's Security Landscape
Copyright 2012 EMC Corporation. All rights reserved.

Traditional Security Is Not Working
- Continued over-reliance and over-investment in pre-breach tooling
- Years of compliance spending have diluted available technical skills and management focus in all but the top organizations
- Official USG and industry threat models are inadequate; we need to put the adversary and attacker first and design around them
- Cyber security needs an overhaul
What Are You Learning? How Much Do You KNOW?
Nation state actors
- Nation states: government, defense industrial base, IP-rich organizations, waterholes
Criminals
- Petty criminals: unsophisticated, but noisy
- Organized crime: organized, sophisticated supply chains (PII, PCI, financial services, retail)
Non-state actors
- Insiders: various reasons, including collaboration with the enemy
- Cyber-terrorists / hacktivists: political targets of opportunity, mass disruption, mercenary
Key Security Challenge: TIME
- 99% of breaches led to compromise within days or less, with 85% leading to data exfiltration in the same time
- 85% of breaches took weeks or more to discover
Source: Verizon 2012 Data Breach Investigations Report

Attacks lead to compromise and exfiltration within minutes; discovery takes months.
Attackers Have Too Much Free Time
Attacker timeline: Surveillance -> Target analysis -> Access probe -> Attack set-up -> System intrusion -> Attack begins -> Cover-up starts -> Discovery / persistence -> Leap-frog attacks -> Attacks complete -> Cover-up complete -> Maintain foothold
Defender timeline: Physical security -> Threat analysis -> Attack forecast -> Monitoring & controls -> Attack identified (defender discovery) -> Incident reporting -> Containment & eradication -> Impact analysis -> Damage identification -> System reaction -> Response -> Recovery
ATTACKER FREE TIME: the interval between the attacker's progress along the top line and the defender's discovery on the bottom line
Source: NERC HILF Report, June 2010 (http://www.nerc.com/files/hilf.pdf)
Spending is Part of the Problem: What is the right arithmetic here?
Enterprise Security Investment Profile (total budget 100%):

  Category                               TODAY    BETTER
  Known threats and security hygiene     70%      50%
  Advanced threats and analytics         15%      30%
  Physical security and supply chain     5%       7.5%
  Other stuff you should be doing        10%      12.5%
  Total budget                           100%     100%

Key factors:
1. Process maturity and repeatability, secure development, lower costs
2. Increased skills and technology
3. Program focus, pervasive
4. Aggressive vs. passive
The Rise of Big Data and Security Intelligence

Bottom Line
- SIEM serves its purpose in terms of basic correlation, alerting, reporting, and compliance management
- SIEM lacks the content, context, and intelligence provided by big data and security intelligence
- Time to respond is critical in a breach situation, and SIEM often falls short

Security Analyst Use Case: Obstacles to Big Data Adoption
- Skills: data mining, data science, creative thinking
- Lack of broader context: gaining insight from data outside the system (SIEM mindset)
- Vague, unstructured data: need a familiar normalized data language ("speaking the language of security")
- System data reduction: need a sensible approach for filtering unimportant data
- Automating daily / routine tasks: the system must be agile; it must perform job functions while still leaving time for new analysis
Separating Bad from Good is an Increasingly Difficult Problem
Finite data sets / known questions: understand what bad looks like and look for similarities
- Antivirus / IDS / IPS
- Signature-based SIEM
Infinite data sets / unknown questions: understand what good looks like and look for meaningful differences
- Network analysis and baselining
- Anomaly detection
- Predictive failure analysis
Four Attributes Needed For Advanced Threats

Four Attributes for Managing Advanced Threats
- Pervasive visibility: know everything, answer anything (wait, we said this before)
- Deeper analytics: examine risks in context and understand behavior
- Massive scalability: expand in scale and scope to handle anything
- Unified view: enable decision support across many job streams and temporal planes

Pervasive Visibility: Know Everything, Answer Anything
- Logs, full packet data, external data sources
- Open architecture: it's not about a partnership of disparate technologies, it's about full architectural integration at every level
Deeper Analytics
- Perform a variety of tasks based on job stream and data intensity
- Situational awareness, trend analysis, compliance management, all reusing the same captured data and APIs
- Ability to focus on what matters most, such as HVAs, specific TTPs or campaigns
- Automation and specialized analytics

Massive Scalability
- Time for our industry to stop thinking with a single-box-centric mentality
- We have to scale to the overall needs of storage, processing, memory, and analyst populations
- Big data and large amounts of intelligence simply mean lots of storage and lots of number crunching
- Data will be decentralized

Unified View
- Analysts at different levels need all information and tools at their disposal
- No bottlenecks, latency, or integration issues
- Ability to move among analytic views without leaving the application
- Full content and context available immediately from any view
- Client-agnostic support
Future SOC Vision

Big Data + Security Intelligence = Better Threat Management

Summary: What You Need To Do
- Derive context: more content and context is better
- Integrate intelligence: integrating security intelligence from multiple sources can yield spectacular results
- Go beyond SIEM: SIEM and search outcomes are constrained by performance due to various issues
- Big data security analytics: more data is better; more analytics is game changing!

Context-Aware Security Intelligence: Risk-Prioritized, Actionable Insight
Source: Gartner, "Information Security is Becoming a Big Data Analytics Problem," Neil MacDonald, Mar. 23, 2012

THANK YOU