ADVANCED KILL CHAIN DISRUPTION. Enabling deception networks

Enabling Deception Networks: Agenda
- Introduction
- Overview of Active Defense
- Process Orchestration in Active Defense
- Introducing Deception Networks
- Software-defined Networking as an enabler
- Taking Action on Insights
- Getting Started

Active Defense: Taking action quickly
- Orchestrating infrastructure changes to automate well-defined and understood processes to mitigate threats
- Applying capabilities to contain and understand threats
- Applying analytics to identify key insights from threat activity

"In cyber we think of [the OODA loop] as Sensing, Sense-making, Decision-making (with a dial-able level of automated decision-making), and Acting. To do that you've got to automate manual processes. It's a policy-friendly approach that can, through automation and machine learning, give enterprises a way of staying inside an adversary's OODA loop."
Source: CyberWire interview with Philip Quade, COO of Information Assurance, National Security Agency

Attaining an Agile Security Posture
(Slide layout: a matrix of security postures on two axes, Resilient to Fragile and Submissive to Aggressive, with External Orientation and Internal Orientation marked across it.)
- Turtle: Strong security hygiene, and able to absorb attacks often, but with no ability to keep from getting hit; they'll eventually be breached
- Cuttlefish: Strong security hygiene, with capabilities to have a more agile/adaptive attack surface internally; does not counter-attack threats but will actively disrupt threats inside the organization
- Leopard: Strong security hygiene, able to dodge or absorb attacks as needed, willing to counter-attack threats if enabled to under policy or law
- Rhino: Strong security hygiene and able to absorb attacks, willing to counter-attack threats aggressively regardless of the legality of the actions
- Goldfish: Minimal or no security hygiene, often abused by attackers as a proxy host in attacking stronger targets so as to avoid attribution
- Chihuahua: Minimal security hygiene, often will counter-attack threats aggressively regardless of legality or ability to withstand retribution

Evolving Active Defense: Building blocks towards agility in security
- Getting Started: Orchestrating Incident Response and Threat Management; improving Incident Response and Threat Management by automating high-value processes and workflows
- Evolving the Core: Incorporating advanced Active Defense capabilities like Deception Networks; tackling challenges in Incident Response and Threat Management with new and evolving capabilities
- Intelligent Security: Integrating security into an Intelligent Infrastructure and leveraging Software-defined Networking; leveraging an agile and adaptive infrastructure to change the game in security

Capability building blocks:
- Strengthen the Core: Response Orchestration; Course of Action Automation; Asset Identification
- Engaging the Adversary: Deceptive Networks; Decoy Resources; Anti-Reconnaissance; Resource Shifting
- Beyond Security: Software Defined Infrastructure; Enterprise Resiliency

Orchestrating an Agile Organization: Automating Processes
- Identifying processes that benefit from automation
- Instrumenting human incident response and threat management workflows
- Defining courses of action to automate in the infrastructure
- Coordinating between automated actions and human workflows for approval
(Diagram: Reference Architecture for Infrastructure Orchestration)

Orchestration Use Case: Phishing Attacks
Technology overlay: E-mail monitoring tool, Threat Protection service, Web Proxy, Security Orchestration, Infrastructure Orchestration, Incident Response Runbook.
1) The e-mail monitoring tool detects a URL in an e-mail (detection of potential threat activity).
2) Orchestration receives the URL and forwards it to the Threat Protection service to verify whether it is malicious or benign.
3) The Threat Protection service reports back whether the URL is malicious or benign. Benign URL: end of process.
4) Malicious URL: the orchestrator updates the web proxy to block the domain/IP used by the e-mail.
5) The orchestrator generates a workflow request (runbook) to remove the malicious e-mail from the recipients' mailboxes.
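The five-step phishing runbook above, as an added worked example (not code from the deck or from Accenture). The e-mail monitor, Threat Protection lookup, web proxy and ticketing system are replaced by constructed in-memory stand-ins so the flow runs offline; the verdict table, the sample e-mail and the ticket id format are all assumptions, and the handling of an inconclusive verdict (escalate to an analyst) is added here because the slide only covers the two clear outcomes.

```python
"""Phishing-URL orchestration runbook (steps 1-5), written as an added
example; it is not Accenture's orchestration software.  The e-mail monitor,
Threat Protection lookup, web proxy and ticketing system are replaced by
constructed in-memory stand-ins so the runbook runs offline; a production
runbook would call the real services at the same five points."""
from dataclasses import dataclass, field
from urllib.parse import urlparse
import re

# Constructed verdicts standing in for the Threat Protection service (step 3).
THREAT_PROTECTION_VERDICTS = {
    "evil.example.net": "malicious",
    "cdn.example.com": "benign",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


@dataclass
class Message:
    message_id: str
    recipient: str
    body: str


@dataclass
class WebProxy:
    """Stand-in for the proxy's blocklist API (step 4)."""
    blocked_domains: set = field(default_factory=set)

    def block_domain(self, domain: str) -> None:
        self.blocked_domains.add(domain.lower())


@dataclass
class Ticketing:
    """Stand-in for the service-management system that drives human workflows (step 5)."""
    tickets: list = field(default_factory=list)

    def open(self, kind: str, **details) -> str:
        ticket_id = f"INC-{len(self.tickets) + 1:04d}"   # constructed id format
        self.tickets.append({"id": ticket_id, "kind": kind, **details})
        return ticket_id


def extract_urls(body: str) -> list:
    """Step 1: the monitoring tool's URL detection, reduced to a regex."""
    return [u.rstrip(".,;:)") for u in URL_RE.findall(body)]


def lookup_verdict(url: str) -> str:
    """Steps 2-3: ask Threat Protection about the URL's host."""
    host = (urlparse(url).hostname or "").lower()
    return THREAT_PROTECTION_VERDICTS.get(host, "unknown")


def run_phishing_runbook(msg: Message, proxy: WebProxy, tickets: Ticketing) -> list:
    """Return one action record per URL so the orchestrator can audit what it did."""
    actions = []
    for url in extract_urls(msg.body):
        host = (urlparse(url).hostname or "").lower()
        verdict = lookup_verdict(url)
        if verdict == "benign":
            actions.append({"url": url, "verdict": verdict, "action": "none"})
        elif verdict == "malicious":
            proxy.block_domain(host)                 # step 4: block the domain, not just this URL
            ticket = tickets.open("remove_email", message_id=msg.message_id,
                                  recipient=msg.recipient, url=url)   # step 5
            actions.append({"url": url, "verdict": verdict, "action": "blocked", "ticket": ticket})
        else:
            # Assumption added here: an inconclusive verdict goes to an analyst rather than
            # being silently dropped or auto-blocked.
            ticket = tickets.open("analyst_review", message_id=msg.message_id, url=url)
            actions.append({"url": url, "verdict": verdict, "action": "escalated", "ticket": ticket})
    return actions


# Constructed sample e-mail exercising all three outcomes.
SAMPLE = Message(
    message_id="<msg-0001@mail.example.com>",
    recipient="user@example.com",
    body=("Your invoice is ready: http://evil.example.net/login. "
          "Logo: https://cdn.example.com/logo.png  "
          "More: https://unlisted.example.org/doc"),
)

if __name__ == "__main__":
    proxy, tickets = WebProxy(), Ticketing()
    for record in run_phishing_runbook(SAMPLE, proxy, tickets):
        print(record)
    print("proxy blocklist:", sorted(proxy.blocked_domains))
```

Blocking the domain rather than the exact URL is what step 4 calls for; the per-URL action records are what makes the automated part of the runbook reviewable afterwards.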

Threat Management with Active Defense
(Diagram labels: Threat Intelligence Service, fed by Commercial Feeds, Government Feeds, Peer Exchange, Internal Intelligence and Global Insights; SIEM & Advanced Analytics, covering Information Technology, Operational Technology and Physical Controls; Active Defense, comprising Security Orchestration and Infrastructure Orchestration; flows labelled Threat Indicators, Targets to Monitor, Actionable Insights and Responses.)
- Threat Intelligence Service: This service ingests from, as well as shares with, external and internal threat intelligence. It identifies the key indicators and observables within those intelligence feeds. It helps users contextualize and better understand events in their environment. It pushes awareness out to monitoring and response capabilities.
- SIEM & Advanced Analytics: Supported by SIEM, Analytics, and Visualization capabilities, the solution ingests IT, OT, and Physical data sources, and provides monitoring of patterns and anomalies indicative of threat activity within an organization, as informed by Threat Intelligence.
- Active Defense: Supported by Security and Infrastructure Orchestration capabilities, the solution takes insights and findings from Threat Intelligence, SIEM, and Analytics, and provides automated or semi-automated infrastructure changes and service management ticketing to mitigate the impact of identified threats.

Introducing Deception Networks
Enable an organization to protect against threats by automating and orchestrating the process of understanding and mitigating threat activity.
- Understanding Threats: Use honeypots, decoys, and deep packet inspection to target investigation of threat activity
- Mitigating Threats: Operationalize the understanding gained to proactively mitigate threats elsewhere in the organization

Deception Networks
- Apply network agility, deep packet inspection, and honeypots to track threat activity
- Apply analytics to identify high-value indicators of compromise
- Normalize and contextualize internal threat intelligence with external feeds
- Apply mitigations automatically using infrastructure orchestration, and existing monitoring and preventive security capabilities

Software-defined Networking in Deception Networks
Software-defined Networking provides an opportunity for security to engage the adversary.
Passive Engagement:
- Enable efficient re-use of honeypots
- Deploy targeted Deep Packet Inspection
- Spoof network topology
- Generate white noise
Active Engagement:
- Manipulate data
- Prevent network intrusion
- Deploy IP blackholes
- Contain breaches

Threat Indicator Analytics: Understanding the noise
Drivers:
- Need to generate threat intelligence
- Harvest indicators of compromise generated internally
- Understand high-value indicators to address
- Apply indicators to the infrastructure for mitigation
Threat Indicator Analytics Solution:
- A data analytics application to address identifying key insights in threat activity
- Aggregates threat activity generated internally
- Applies analytics to understand high-value insights to operationalize
- Leverages a big data analytics platform and data visualization tools
Benefits: Continuous improvement in Threat Management
- Operationalize indicators of compromise to prevent spread of the threat internally
- Improve profiling of threat actors and motivations against the organization
- Enable an organization to participate in threat exchanges amongst peers
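The analytics step above (aggregate internally generated threat activity, separate high-value indicators from noise) as an added example, not the analytics application the slide describes. The honeypot and sensor observations, the reference time, the seven-day window and the scoring weights are all constructed; the one substantive design choice is that an indicator corroborated by several independent sensors outranks one that is merely noisy on a single honeypot, and that sources inside RFC 1918, loopback or link-local space are filtered out because they call for an internal investigation rather than an external block.

```python
"""Threat Indicator Analytics over internally generated honeypot and sensor
observations.  Added example, not the analytics application described on the
slide; the events, sensor names and scoring weights are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress


@dataclass(frozen=True)
class Observation:
    sensor: str          # which honeypot or sensor saw the source address
    indicator: str       # source IP address as logged
    seen_at: datetime


# Constructed reference time and window so the example is deterministic.
NOW = datetime(2015, 6, 1, 12, 0, tzinfo=timezone.utc)
WINDOW = timedelta(days=7)

# Constructed observations; 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are
# documentation prefixes standing in for external sources.
OBSERVATIONS = [
    Observation("honeypot-dmz-1", "203.0.113.5", NOW - timedelta(hours=1)),
    Observation("honeypot-dmz-2", "203.0.113.5", NOW - timedelta(hours=2)),
    Observation("ids-core", "203.0.113.5", NOW - timedelta(minutes=30)),
    Observation("honeypot-dmz-1", "198.51.100.77", NOW - timedelta(days=3)),
    Observation("honeypot-dmz-1", "198.51.100.77", NOW - timedelta(days=2)),
    Observation("honeypot-dmz-1", "192.0.2.200", NOW - timedelta(hours=1)),
    Observation("ids-core", "192.0.2.200", NOW - timedelta(hours=5)),
    Observation("honeypot-dmz-2", "10.1.2.3", NOW - timedelta(hours=1)),     # internal source
    Observation("honeypot-dmz-1", "203.0.113.9", NOW - timedelta(days=10)),  # stale
]

# RFC 1918, loopback and link-local space: hits from here are noise for
# external blocking and need an internal investigation instead.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128")]


def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True      # unparsable indicator: treat as not actionable
    return any(addr in net for net in INTERNAL_NETS)


def score_indicators(observations, now=NOW, window=WINDOW) -> list:
    """Aggregate per indicator and rank; distinct sensors weigh more than raw volume."""
    by_indicator = defaultdict(list)
    for obs in observations:
        if now - obs.seen_at <= window:        # drop stale observations
            by_indicator[obs.indicator].append(obs)
    ranked = []
    for indicator, hits in by_indicator.items():
        if is_internal(indicator):
            continue
        sensors = {h.sensor for h in hits}
        last_seen = max(h.seen_at for h in hits)
        recency = 1.0 - (now - last_seen) / window   # 1.0 = just seen, 0.0 = at window edge
        score = 2.0 * len(sensors) + 0.5 * len(hits) + 3.0 * recency   # constructed weights
        ranked.append({"indicator": indicator, "sensors": len(sensors),
                       "hits": len(hits), "last_seen": last_seen, "score": round(score, 2)})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


def high_value(ranked, min_sensors=2) -> list:
    """Indicators corroborated by more than one sensor are the ones worth operationalizing."""
    return [r for r in ranked if r["sensors"] >= min_sensors]


if __name__ == "__main__":
    ranked = score_indicators(OBSERVATIONS)
    for row in ranked:
        print(row)
    print("operationalize:", [r["indicator"] for r in high_value(ranked)])
```

With these inputs the source seen by three sensors ranks first, the internal address and the ten-day-old hit never reach the ranking, and only the two multi-sensor indicators pass the operationalization threshold.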

Operationalizing the Insights: Taking action
- Apply Infrastructure Orchestration to push indicators of compromise:
  - to endpoint systems for increased inspection and blocking
  - to SIEM and Network Analytics for increased monitoring
- Use Software-defined Networking capabilities to block or re-direct network-based observables
- Share insights with peer organizations through threat exchanges
- Integrate insights into Security Orchestration workflows
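The SDN engagement options (IP blackholes, redirecting traffic to re-used honeypots) and the push of indicators into the network, SIEM and endpoints are illustrated by the following added example; it is not the orchestrator from the deck, and the protected address ranges, honeypot address, rule lifetime, priorities and the recon-versus-C2 policy are constructed assumptions. The rule text is rendered in ovs-ofctl-style match/action syntax purely for illustration; a real fabric needs its own bridge and port configuration. Two checks a practitioner would insist on are built in: an indicator that overlaps the organization's own or a partner's address space is refused rather than blackholed, and anything broader than a single host is held for human approval instead of being applied automatically.

```python
"""Pushing high-value indicators into the infrastructure: SDN flow rules to
block or redirect network observables, plus a SIEM/endpoint watchlist for
everything that is not routable.  Added example, not the orchestrator shown
in the deck; protected ranges, honeypot address, TTL and policy are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress

# Constructed: address space automation must never blackhole or redirect,
# whatever an indicator claims (own networks, resolvers, a partner range).
PROTECTED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "198.51.100.0/24")]
HONEYPOT_VIP = "192.168.250.10"   # constructed: honeypot reachable through the SDN fabric
RULE_TTL = timedelta(hours=24)    # rules expire so stale indicators do not accumulate
EXAMPLE_NOW = datetime(2015, 6, 1, 12, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class FlowRule:
    match_src: str        # source prefix the rule matches
    action: str           # "drop" (IP blackhole) or "redirect:<honeypot ip>"
    priority: int
    expires_at: datetime

    def render(self) -> str:
        """Render in ovs-ofctl-style match/action syntax for illustration."""
        if self.action == "drop":
            acts = "drop"
        else:
            acts = f"mod_nw_dst:{self.action.split(':', 1)[1]},normal"
        return f"priority={self.priority},ip,nw_src={self.match_src},actions={acts}"


def plan_actions(indicators, now) -> dict:
    """Translate ranked indicators into rules, watchlist entries and items needing approval."""
    plan = {"flow_rules": [], "pending_approval": [], "siem_watchlist": [], "rejected": []}
    seen = set()
    for ind in indicators:
        value = ind["indicator"]
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            # Domains, hashes and other non-routable observables: monitoring and endpoint
            # blocking only, nothing to program into the network.
            plan["siem_watchlist"].append(value)
            continue
        key = str(net)
        if key in seen:
            continue
        seen.add(key)
        if any(net.overlaps(p) for p in PROTECTED_NETS):
            plan["rejected"].append((key, "overlaps protected address space"))
            continue
        # Constructed policy: reconnaissance-only sources are redirected to the honeypot to
        # learn more (passive engagement); confirmed C2/exfiltration sources are dropped.
        action = f"redirect:{HONEYPOT_VIP}" if ind.get("kind") == "recon" else "drop"
        rule = FlowRule(key, action, priority=200 if action == "drop" else 150,
                        expires_at=now + RULE_TTL)
        plan["siem_watchlist"].append(key)
        if net.num_addresses > 1:
            # Anything broader than a single host is applied only after human approval.
            plan["pending_approval"].append(rule)
        else:
            plan["flow_rules"].append(rule)
    return plan


# Constructed ranked indicators, as Threat Indicator Analytics might emit them.
INDICATORS = [
    {"indicator": "203.0.113.5", "kind": "c2"},
    {"indicator": "192.0.2.200", "kind": "recon"},
    {"indicator": "198.51.100.77", "kind": "c2"},   # falls in a protected range
    {"indicator": "203.0.113.0/24", "kind": "c2"},  # whole prefix: needs approval
    {"indicator": "evil.example.net", "kind": "c2"},
    {"indicator": "203.0.113.5", "kind": "c2"},     # duplicate
]

if __name__ == "__main__":
    plan = plan_actions(INDICATORS, EXAMPLE_NOW)
    for rule in plan["flow_rules"]:
        print(rule.render())
    print("pending approval:", [r.match_src for r in plan["pending_approval"]])
    print("watchlist:", plan["siem_watchlist"])
    print("rejected:", plan["rejected"])
```

The expiry on every rule matters as much as the rule itself: indicators age, and a controller that only ever accumulates blackholes eventually blocks traffic nobody remembers why.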

Getting Started: The Building Blocks
Get a handle on your Threat Intelligence:
- Utilize analytics to get actionable intelligence
- Understand how to generate internal threat intelligence
Orchestrate incident response and threat management run-books:
- Establish well-defined processes
- Instrument the run-books for consistent human workflows
- Automate processes to address security challenges
Explore Network Virtualization:
- Test environments for Software-defined Networking
- Options to virtualize at a datacenter level
Re-introduce honeypots to security:
- Not just external-facing systems
- How to mimic production environments likely to be targeted

THANK YOU

Detailed View
(Diagram components: Internet; SDN Switches and an SDN Controller, redirecting malicious traffic or known hostile IPs; a sandboxed Honeypot producing Threat Data; an in-production Agent producing New Observables; Threat Indicator Analytics (sandboxed); Threat Intelligence Sharing (TIS) and Format Threat Intelligence; an Infrastructure Orchestrator applying Policy Enforcement to the SIEM, IDS/IPS and Endpoint Protection.)

Technology Overlay
(Diagram, same layout as the Detailed View with products named: Internet; SDN Switches, with SDN/NFV provided by VMware NSX, redirecting malicious traffic or known hostile IPs; Threat Intelligence Sharing (TIS); Sentinel for the sandboxed honeypot and the production agent; Threat Data and New Observables feeding Threat Indicator Analytics as a Haven app; Threat Intelligence; Security Orchestrator; SIEM and RSA Archer; Policy Enforcement via TippingPoint and Sentinel.)
Copyright 2013 Accenture. All rights reserved.