Active Response: Automated Risk Reduction or Manual Action?

Similar documents
Separating Signal from Noise: Taking Threat Intelligence to the Next Level

Advanced Visibility. Moving Beyond a Log Centric View. Matthew Gardiner, RSA & Richard Nichols, RSA

GOOD GUYS VS BAD GUYS: USING BIG DATA TO COUNTERACT ADVANCED THREATS. Joe Goldberg. Splunk. Session ID: SPO-W09 Session Classification: Intermediate

Cloud and Critical Infrastructures how Cloud services are factored in from a risk perspective

RSA Security Analytics

Unified Security, ATP and more

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

Enabling Security Operations with RSA envision. August, 2009

Niara Security Intelligence. Overview. Threat Discovery and Incident Investigation Reimagined

Software that provides secure access to technology, everywhere.

Speed Up Incident Response with Actionable Forensic Analytics

Concierge SIEM Reporting Overview

All Information is derived from Mandiant consulting in a non-classified environment.

Niara Security Analytics. Overview. Automatically detect attacks on the inside using machine learning

SANS Top 20 Critical Controls for Effective Cyber Defense

5 Steps to Advanced Threat Protection

Advanced Threats: The New World Order

Evolution Of Cyber Threats & Defense Approaches

Eight Essential Elements for Effective Threat Intelligence Management May 2015

Actionable information for security incident response

Security & Threat Detection: Go Beyond Monitoring

Security Analytics for Smart Grid

Intelligence Driven Security

Cisco Advanced Malware Protection for Endpoints

IBM QRadar Security Intelligence April 2013

Effective Threat Management. Building a complete lifecycle to manage enterprise threats.

After the Attack: RSA's Security Operations Transformed

I D C A N A L Y S T C O N N E C T I O N

Achieving Actionable Situational Awareness... McAfee ESM. Ad Quist, Sales Engineer NEEUR

Critical Security Controls

Cyber Defense & Breach Response Privacy Issues

Best Practices in File Integrity Monitoring. Ed Jowett, CISSP ITIL Practitioner Sr. Systems Engineer, Tripwire Inc.

Performing Advanced Incident Response Interactive Exercise

Symantec Enterprise Security: Strategy and Roadmap Galin Grozev

Splunk Enterprise Log Management Role Supporting the ISO Framework EXECUTIVE BRIEF

Introduction. Jason Lawrence, MSISA, CISSP, CISA Manager, EY Advanced Security Center Atlanta, Georgia

Cisco Advanced Malware Protection for Endpoints

Persistence Mechanisms as Indicators of Compromise

Next Generation IPS and Reputation Services

Overcoming PCI Compliance Challenges

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Operational Lessons from the RSA/EMC CIRC: People, Process, & Threat Intel

SECURITY ANALYTICS MOVES TO REAL-TIME PROTECTION

Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

Can We Become Resilient to Cyber Attacks?

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

Using SIEM for Real- Time Threat Detection

Palo Alto Networks and Splunk: Combining Next-generation Solutions to Defeat Advanced Threats

Data Science Transforming Security Operations

How To Manage Security On A Networked Computer System

SourceFireNext-Generation IPS

Chapter 9 Firewalls and Intrusion Prevention Systems

Breach Found. Did It Hurt?

DYNAMIC DNS: DATA EXFILTRATION

Best Practices to Improve Breach Readiness

Applying Internal Traffic Models to Improve Identification of High Fidelity Cyber Security Events

Triangle InfoSeCon. Alternative Approaches for Secure Operations in Cyberspace

One-Man Shop. How to build a functional security program with limited resources DEF CON 22

Cisco RSA Announcement Update

WHITE PAPER: THREAT INTELLIGENCE RANKING

Integrating MSS, SEP and NGFW to catch targeted APTs

Unified Security Management and Open Threat Exchange

UNCLASSIFIED. General Enquiries. Incidents Incidents

EITC Lessons Learned: Building Our Internal Security Intelligence Capability

BREAKING THE KILL CHAIN AN EARLY WARNING SYSTEM FOR ADVANCED THREAT

DRIVE-BY DOWNLOAD WHAT IS DRIVE-BY DOWNLOAD? A Typical Attack Scenario

Advanced SOC Design. Next Generation Security Operations. Shane Harsch Senior Solutions Principal, MBA GCED CISSP RSA

SES / CIF. Internet2 Combined Industry and Research Constituency Meeting April 24, 2012

Security Business Intelligence Big Data for Faster Detection/Response

How To Connect Log Files To A Log File On A Network With A Network Device (Network) On A Computer Or Network (Network Or Network) On Your Network (For A Network)

QRadar SIEM and Zscaler Nanolog Streaming Service

RSA envision. Platform. Real-time Actionable Security Information, Streamlined Incident Handling, Effective Security Measures. RSA Solution Brief

IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE

Symantec Advanced Threat Protection: Network

Rashmi Knowles Chief Security Architect EMEA

24/7 Visibility into Advanced Malware on Networks and Endpoints

Orchestrating Software Defined Networks (SDN) to Disrupt the APT Kill Chain

Solera Networks, A Blue Coat Company SOLERA NETWORKS BIG DATA SECURITY ANALYTICS

REVOLUTIONIZING ADVANCED THREAT PROTECTION

D. Grzetich 6/26/2013. The Problem We Face Today

Endpoint Threat Detection without the Pain

Splunk: Using Big Data for Cybersecurity

Analyzing HTTP/HTTPS Traffic Logs

Unified Threat Management, Managed Security, and the Cloud Services Model

McAfee Security Architectures for the Public Sector

EXTENDING NETWORK SECURITY: TAKING A THREAT CENTRIC APPROACH TO SECURITY

How Do Threat Actors Move Deeper Into Your Network?

THREAT VISIBILITY & VULNERABILITY ASSESSMENT

Into the cybersecurity breach

Anatomy of a Breach: A case study in how to protect your organization. Presented By Greg Sparrow

QRadar SIEM and FireEye MPS Integration

The Incident Response Playbook for Android and ios

Cybersecurity: An Innovative Approach to Advanced Persistent Threats

THE EVOLUTION OF SIEM

End-user Security Analytics Strengthens Protection with ArcSight

On-Premises DDoS Mitigation for the Enterprise

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

Joining Forces: Bringing Big Data to your Security Team

Transcription:

SESSION ID: CRWD-01 Active Response: Automated Risk Reduction or Manual Action? sec ops dream Monzy Merza Chief Security Evangelist Splunk @monzymerza

Agenda Active Response Drivers Facets of Active Response Balancing Business Risk and Active Response Required Capabilities 2

Sources of Cyber Risk Cyber Criminals Malicious Insiders Nation States 3

Active Response Drivers Constant, Simultaneous Attacks Triaging and False Positives Time to Response Human Resource Constraints 4

HUMAN TIME RESPONSE IS UNTENABLE 5

Human-Enabling Active Reponse Risk Based 101111101010010001000001 111011111011011111010100 100010000011110111110101 001 Connecting Data and People 101111101010010001000001 111011111011011111010100 100010000011110111110101 001 Context & Intelligence 6

Facets of Active Response Transparency and human enablement is core to risk based active response 7

Conventional Active Response Block and tackle Config changes on endpoints, network or gateways Policy changes on access/auth or business systems Attach back Fire packets at the attack source Interact via CnC or payload 8

Conventional Active Response Challenges Complex business and mission requirements Distributed and diverse infrastructure Repercussions Advantages Block-and-tackle cause and effect is well understood Action is decisive Attack back is human mediated 9

Facets of Active Response Risk Based Context through post-processing Enrichment of event data asset, identity, access lookup Tiered analysis submit malware to a sanbox Signaling and messaging Expert system communication start packet capture Summarization forward summary data to ticketing system Evidence preservation Disk forensic snapshot Move event data out of rotation repository 10

Risk-Based Active Response Challenges Technology managed by different teams Integration challenges lack of open APIs No central broker or nerve center Advantages Low business risk in case of errors Analyst has deeper context and knowledge Not making any configuration changes 11

AND NOW FOR SOMETHING CONTROVERSIAL 12

LOW OR HIGH CONFIDENCE AS IT RELATES TO BUSINESS RISK 13

Confidence Drives Depth of Decision What is the business risk? How complete is the threat context? What/who will be impacted by change? How hard is it to revert the change? Who has the Get Out of Jail Free Card? 14

Natural Remedy for Active Response Focus on business risk and mission Let the machines be machines Enable the human to be human 15

BALANCING BUSINESS RISK AND ACTIVE RESPONSE 16

Who Does What Machine Correlate Auto-collect Message, signal Execute action Human Contextualize Prioritize Mediate action Apply gut feel 17

Production Active Response Actions High Confidence Alert on correlations Block on IP or domain Modify configs Report on actions taken Low Confidence Alert on correlations Contextualize alerts Gather more data for alert artifacts Kick off secondary analysis Prepare for human 18

Examples of Confidence High Confidence Threat feed matches from ISAC or internal sources Trigger from inline dynamic analysis engine Correlation alert for beaconing activity Low Confidence Threat feed match from a free intel feel Correlation alert from a statistical engine Individual signature match from IDS/IPS 19

THE MACHINE CAPABILITY 20

Key Technical Capabilities Security instrumentation Aggregation, correlation, alert Integration across the instrumentation A nerve center orchestration, messaging Tracking of all actions and messages 21

Security Instrumentation Network Endpoint Threat Intelligence Authentication 22

Security Instrumentation Core Capabilities Persist, Repeat Threat intelligence Third-party threat intel Open source blacklist Internal threat intelligence Reputation services, known relay/c2 sites, infected sites, IOC, attack/campaign intent and attribution Network Endpoint Firewall, IDS, IPS DNS Email AV/IPS/FW Malware detection Endpoint forensics Web proxy NetFlow Network Config mgmt OS logs File system Who talked to whom, traffic, malware download/delivery, C2, exfiltration, lateral movement Running process, services, process owner, registry mods, file system changes, patching level, network connections by process/service Access/Identity Directory services Asset mgmt Authentication logs Application Services VPN, SSO Access level, privileged use/escalation, system ownership, user/system/service business criticality 23

Building Confidence for Active Response Persist, Repeat Threat intelligence Third-party threat intel Open-source blacklist Internal threat intelligence Update threat lists. Enrich threat list info with new knowledge. Network Endpoint Firewall, IDS, IPS DNS Email AV/IPS/FW Malware detection Endpoint forensics Web proxy NetFlow Network Config mgmt OS logs File system Add to custom policy groups: vlans, watch list, bad actors, policy groups. Start/stop packet capture. Acquire config info, invoke snapshots, submit files to sandbox, update local signatures, clean up infected files, start/stop processes and services. Access/Identity Directory services Asset mgmt Authentication logs Application Services VPN, SSO Acquire business info, groups, travel, organizational priority. Modify membership, revoke tokens or certs. 24

25

High Confidence Policy Change IDS Alerts Layer 7 FW Corp Machine Attack Bypass FW Block IDS Event to a Critical Server

Low Confidence Aggregation Dynamic analysis alert Did it detonate on the endpoint? Check for endpoint logs Check for AV logs Take a snapshot proc list, netstat Start packet capture Disk forensic snapshot

Active Response Is Survival Attack volume is high Human time response is not tenable Active response enables the human analyst Active response!= cutting people s Internets

Thank You Questions? More discussions: monzy@splunk.com

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information