The session is about to commence. Please switch your phone to silent!

Defend with Confidence Against Advanced Threats
Nicholas Chia, SE Manager, SEA, RSA

TRUST? Years to earn, seconds to break.
Market Disruptors (UNLOCKING THE FUTURE ENTERPRISE 2013)
Mobile, Cloud, Big Data, Extended Workforce, Networked Value Chains, APTs, Sophisticated Fraud
Infrastructure Transformation: less control over access devices and back-end infrastructure
Business Transformation: more hyper-extended, more digital
Threat Landscape Transformation: fundamentally different tactics, more formidable than ever
Advanced Threats Are Different
1. Targeted: specific objective
2. Stealthy: low and slow
3. Interactive: human involvement
Attack timeline: attack begins, system intrusion, cover-up, leap-frog attacks, cover-up complete, discovery (attack identified), response. Dwell time runs from intrusion to identification; response time from identification to response.
Two goals: 1. decrease dwell time; 2. speed response time
Who Are You Dealing With?
Nation state actors: nation states targeting government, the defense industrial base, IP-rich organizations, watering holes
Criminals / non-state actors:
  Petty criminals: unsophisticated, but noisy
  Insiders: various reasons, including collaboration with the enemy
  Organized crime: organized, sophisticated supply chains (PII, PCI, financial services, retail)
  Cyber-terrorists / hacktivists: political targets of opportunity, mass disruption, mercenary
Organisations' view of their security: Prevention FTW!!!!

What It Looks Like to the Advanced Adversaries: loopholes
INCIDENT RESPONSE: it starts with identifying the incident

Resource Shift: Budgets and People
Today's priorities: Prevention 80%, Monitoring 15%, Response 5%
Intelligence-driven security: Prevention 33%, Monitoring 33%, Response 33%
Days of Investigation Completed in Hours
ALERT! Multiple indicators to escalate a potential incident
Session recreated to investigate
Additional context answers more questions
Incident management initiated
Security is Complex!
Roles: SOC analyst, malware analyst, threat analyst, SOC manager, network manager, breach coordinator, CISO, legal, HR, finance, IT
Functions: SIEM, centralize alerts, incident process, threat analysis, host visibility, network visibility, breach process, shift handoff, IT handoff, report KPIs, measure efficacy, eFraud, DLP
PEOPLE: Advanced Cyber Defense Training

PROCESS: RSA Security Operations User Personas (persona-driven design)
Security Operations Management: CISO/CSO, SOC manager, SOC analysts (L1 analyst, L2 analyst), threat intel analyst
Functions: incident management, threat intelligence management, SOC management, breach management, SOC program management
Cross-functional teams: CIO, business manager, privacy officer, compliance, legal, HR, IT security, risk management
Business-driven Security Operations Management
TECHNOLOGY: Advanced Security Ops Center
RSA Security Operations Management: incident management, vulnerability risk management, asset context (SharePoint)
RSA Security Analytics: distributed data collection, capture-time data enrichment, reports and custom actions
Data sources: Windows clients/servers, file servers, databases, NAS/SAN, directory services, apps
RSA Data Discovery, enabled by RSA DLP
RSA ECAT: endpoints
RSA Live Intelligence (LIVE): threat intelligence, rules, parsers, alerts, feeds

RSA Security Analytics Malware Analysis
Integrated workflow streams let you see the before, during and after of an event
Allows customization of the analytical scoring logic
SHOW ME THE BIG DATA

Big Data Security Challenges
1. Big Data infrastructure: packet collection and processing, log collection and processing, ETL into Hadoop, HAWQ, HIVE, PIG, R, MAHOUT
2. Common meta-framework: without one, the same field arrives as Ip.source, src_ip, Source_IP and Ip-source (FAIL)
3. Analytic applications: machine learning, predictive analytics, neural networks
BIG DATA Use Cases
Blacklist IP Generator: identify new traffic whose behavior is consistent with traffic patterns to a known command-and-control IP
Social Network Analyzer: discover closely clustered communication events known to be associated with infected unmanaged devices and dynamic command-and-control structures
Machine Generated Domain Detector: measure the readability of domain names to detect malware that uses a domain generation algorithm
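A minimal readability check for the third use case, added here as an illustration and not RSA's own analytic: it scores the registrable label of each domain on entropy, vowel ratio, consonant runs and digit mix, and only flags a domain when several indicators agree. The domain list is constructed and the thresholds are assumptions to be tuned on a real traffic baseline.

```python
"""Readability scoring for machine-generated (DGA) domain names (added example)."""
import math
from collections import Counter

VOWELS = set("aeiou")

# Constructed sample, not real traffic: (domain, human-chosen?)
SAMPLE_DOMAINS = [
    ("www.google.com", True),
    ("mail.microsoft.com", True),
    ("stackoverflow.com", True),   # high entropy, but still readable
    ("xjq7k2vzp9.net", False),
    ("qwrtzkpvb.com", False),
]

def second_level_label(domain):
    """Registrable label, e.g. 'google' for 'www.google.com' (no public-suffix list)."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def shannon_entropy(text):
    """Bits per character; a label of all-distinct characters scores log2(len)."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def vowel_ratio(text):
    letters = [ch for ch in text if ch.isalpha()]
    return sum(ch in VOWELS for ch in letters) / len(letters) if letters else 0.0

def longest_consonant_run(text):
    """Longest run of consonants or digits; hyphens break the run."""
    best = run = 0
    for ch in text:
        run = run + 1 if ch.isalnum() and ch not in VOWELS else 0
        best = max(best, run)
    return best

def readability_flags(domain):
    """Count (0..4) of unreadability indicators; thresholds are illustrative assumptions."""
    label = second_level_label(domain)
    digits = sum(ch.isdigit() for ch in label) / len(label) if label else 0.0
    return sum([shannon_entropy(label) >= 3.2, vowel_ratio(label) < 0.3,
                longest_consonant_run(label) >= 4, digits > 0.15])

def is_likely_dga(domain, min_flags=2):
    """Entropy alone is noisy ('stackoverflow' exceeds 3.2 bits); require agreement."""
    return readability_flags(domain) >= min_flags
```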
Today's Security Requirements
Big Data Infrastructure: a fast and scalable infrastructure to conduct real-time and long-term analysis
Comprehensive Visibility: see everything happening in my environment and normalize it
High-Powered Analytics: give me the speed and smarts to detect, investigate and prioritize potential threats
Integrated Intelligence: help me understand what to look for and what others have discovered

Nicholas.Chia@RSA.com