Slide 1: IT Security Risk - Adding Insight to Security
Gennaro Scalo, April 2, 2014
Slide 2: Where is Security Today?
Companies have built layer upon layer of security, but is it helping?
Diagram labels: Complexity, Data Breaches, Damage
Slide 3: Lack of Insight [The Noise Factor]
We believe that doing the right thing should be obvious, but for today's IT security organizations it is too often hidden.

Defense in Depth layers (diagram): Web Vulnerability, OS Configuration, Patch, Device Vulnerability, Anti-Virus/Malware, SIEM/Packets, Logical Access, IPS/IDS, VPNs, Firewalls, Physical Access

One day of noise:
  8:02 AM   Malware infection on 10.1.2.30
  8:30 AM   Voice mail from colleague re: new hacker group
  9:00 AM   Meeting with QSA re: last week's vulnerability scan
  11:15 AM  Vulnerability scan on DMZ completed
  11:30 AM  Meeting with XYZ department on new application being installed next week
  12:00 PM  Company just like us announced major breach
  12:02 PM  CVE-2014-123 just released
  1:45 PM   Meeting with audit committee re: security risks
  2:00 PM   System outage at Phoenix branch
  2:15 PM   Weird(?) network traffic reported by network team
  2:53 PM   Malware outbreak on multiple machines
  3:00 PM   New contractor onboarding
  3:20 PM   Present security awareness training to new employees
  4:15 PM   Industry ISAC security conference call
  4:32 PM   HR reports social engineering attempt
  5:07 PM   Port scan on 192.168.3.45
  6:07 PM   Security policy meeting
  8:02 PM   Malware infection on 10.10.2.32
  8:30 PM   Multiple failed login attempts on 192.168.100.23
  11:15 PM  Vulnerability scan found 142 critical vulnerabilities
  12:00 AM  Malware infection on 10.2.3.45
  12:02 AM  Sun just released a new patch to JRE 5.4.3.2

The questions this noise leaves unanswered:
  Do we have a compliance issue?
  Is this a high risk business function?
  Which of these are the most important?
  What are the executive concerns?
  Is this a coordinated advanced attack?
  Inappropriate access attempt on top secret information?
  Meaningless virus infection?
Slide 4: The New World of Security
  It will become increasingly difficult to secure infrastructure.
  We must focus on people, the flow of data and on transactions.
Slide 5: We Need to Change our Approach
Improve monitoring and response capabilities.

Share of effort (two pie charts):
  Defense in Depth:               Prevention 80%, Monitoring 15%, Response 5%
  Intelligence-Driven Security:   Prevention 33%, Monitoring 33%, Response 33%
Slide 6: Signal Clarity and Amplification
We provide solutions that disrupt the noise and bring clarity to the signal to amplify your decisions.
  Visibility + Analysis = Priority
  Priority + Action = Results
  Results + Metrics = Progress
Slide 7: IT Security Risk
Not a single answer but rather a solution leveraging people, process, and technology as a force multiplier where 1 + 1 = 3.

Enable organizations to assess threats, vulnerabilities, and events; respond to security incidents; define security strategies and objectives; and monitor ongoing effectiveness, including change and compliance, leveraging real-time, intelligence-driven solutions aligned with the business objectives.

Diagram labels: Security Compliance, Threat & Vulnerability, Security Strategy, Security Operations; cycle: Assess, Define, Identity, Respond, Monitor
Slide 8: How Does Archer Help?
Enable customers to proactively and responsively manage IT security risks by protecting information assets through an understanding of the business objectives of the enterprise, communicating security risks in a language that the business can understand, and offering solutions that are aligned with the risk appetite of the business.
Slide 9: IT Security Risk Solutions (RSA Archer eGRC)
  Preventative (Vulnerability): Risk Indicators, Scan Results and Metrics, Remediation Workflow, Threat Correlation, Gold Build Images, Measure Outcomes
  Responsive (SOC): Incidents & Investigations, Breach, Crisis
  Data Foundation (Context, Catalogs, Foundational, Focused UIs): Assets, IT Context, Regulatory, Biz Context, Identity, Persona Based UI, CVE/CVSS, CWE, Login/Logout, Interactive Charts, CPE, CCE, Repositories, Searching and Filtering, Threat Intel, UCF, Integrations, Workflow, Ticketing, Reports, Exceptions, Notifications
Slide 10: Vulnerability Today - Trying to avoid the vulnerability pit
  1. Vulnerability Scanner: Brian, IT Security Analyst, runs his vulnerability scanner against the devices.
  2. Issue: The vulnerability scanner finds a number of issues on IT systems.
  3. Patch: Pages of results are delivered to Alice, IT Administrator, to fix.
  4. Patches are pushed out or configurations are updated to fix the vulnerabilities.
  5. Some patches are missed, don't fix the problem, or there isn't enough time to get to them. The vulnerability will sit unaddressed, possibly forever.

Carlos, CISO, is left wondering:
  What does this mean for business risk?
  What about my most valuable assets?
  What happens if the threats change?
  Can I get more protection quickly?
  Are we improving?
  Do we have the right coverage?
Slide 11: What is VRM?
Vulnerability Risk Management allows enterprises to proactively manage IT security risks through the combination of asset business context, actionable threat intelligence, vulnerability assessment results, and comprehensive workflow.
Slide 12: Vulnerability Risk Management (VRM) architecture
Users: IT Security Analyst, CISO, Administrator

Inputs:
  Vuln. Scan Results (Qualys, McAfee)
  Vuln. Data Pubs (NVD CVE)
  Threat Intelligence (US-CERT)
  Asset Taxonomies (NVD CPE)
  Other Asset Data (CSV, CMDB, etc.)

RSA VRM (Vulnerability Analytics):
  Data Collector
  Data Warehouse: Raw Data Storage, Normalization, Indexing
  Analytics Engine
  Investigative UI: Devices, Findings, Exceptions, KPIs
  Workflow

Archer Vulnerability Risk Management: Integration with GRC, Reporting and Dashboards
Slide 13: Personas
  IT Security Analyst: Asset Discovery and Issue Prioritization - "Know what you have"
  IT Administrator: Issue Lifecycle Tracking, Exception and SLA - "Do the right thing"
  CISO: Dashboards and Reporting, Measure and Report KPIs - "Measure effectiveness, not just activity"
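The vulnerability-pit story (slide 10), the VRM definition (slide 11) and the three personas above describe one procedure: combine scan findings with asset business context and threat intelligence, rank them, track each through its lifecycle and SLA, and report outcomes rather than activity. The script below is an added example written for this page; it is not RSA Archer or VRM code. The asset inventory, the CVE identifiers (placeholders of the form CVE-0000-000x), the scores, the threat-intelligence set and the dates are all constructed, and the weights and SLA tiers are assumptions chosen to illustrate the idea, not values from the product.

```python
"""Risk-based vulnerability triage and SLA tracking.

Added example, not RSA Archer or VRM code. It puts the four VRM inputs the
slides name (asset business context, threat intelligence, scan findings, and
lifecycle/SLA workflow) into one scoring and status function. Every asset,
CVE id, score and date below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed asset inventory: business criticality and compliance scope.
ASSETS: Dict[str, dict] = {
    "10.1.2.30":    {"name": "payments-db",   "criticality": "high",   "pci": True},
    "192.168.3.45": {"name": "dmz-web",       "criticality": "medium", "pci": True},
    "10.2.3.45":    {"name": "intranet-wiki", "criticality": "low",    "pci": False},
}

# Constructed threat intelligence feed: placeholder ids, not real advisories.
EXPLOITED_IN_WILD = {"CVE-0000-0001"}

CRIT_WEIGHT = {"high": 3.0, "medium": 2.0, "low": 1.0}   # assumed weights
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90}                  # assumed deadlines
TODAY = date(2014, 4, 2)                                  # constructed "now"


@dataclass
class Finding:
    host: str
    cve: str
    cvss: float
    found: date
    fixed_on: Optional[date] = None
    exception_until: Optional[date] = None   # approved risk acceptance


def risk_score(f: Finding) -> float:
    """CVSS weighted by asset criticality, boosted by exploitation and PCI scope."""
    asset = ASSETS.get(f.host, {"criticality": "low", "pci": False})
    score = f.cvss * CRIT_WEIGHT[asset["criticality"]]
    if f.cve in EXPLOITED_IN_WILD:
        score *= 1.5          # actively exploited: treat as imminent
    if asset["pci"]:
        score += 2.0          # in scope for compliance regardless of CVSS
    return score


def priority(f: Finding) -> str:
    s = risk_score(f)
    return "P1" if s >= 20 else "P2" if s >= 10 else "P3"


def due_date(f: Finding) -> date:
    return f.found + timedelta(days=SLA_DAYS[priority(f)])


def status(f: Finding, today: date) -> str:
    """Lifecycle state: fixed, exception, overdue or open."""
    if f.fixed_on is not None:
        return "fixed"
    if f.exception_until is not None and today <= f.exception_until:
        return "exception"
    return "overdue" if today > due_date(f) else "open"


def triage(findings: List[Finding], today: date) -> List[Tuple[str, str, str, Finding]]:
    """Findings ordered by risk, highest first: (priority, status, asset name, finding)."""
    rows = [(priority(f), status(f, today), ASSETS[f.host]["name"], f) for f in findings]
    rows.sort(key=lambda r: risk_score(r[3]), reverse=True)
    return rows


def kpis(findings: List[Finding], today: date) -> Dict[str, int]:
    """CISO view: count outcomes (fixed within SLA, overdue) rather than activity."""
    out = {"total": len(findings), "fixed_in_sla": 0, "fixed_late": 0,
           "overdue": 0, "open": 0, "exception": 0}
    for f in findings:
        st = status(f, today)
        if st == "fixed":
            out["fixed_in_sla" if f.fixed_on <= due_date(f) else "fixed_late"] += 1
        else:
            out[st] += 1
    return out


# Constructed scan results, shaped like a scanner export.
FINDINGS = [
    Finding("10.1.2.30",    "CVE-0000-0001", 7.2, date(2014, 3, 20)),
    Finding("10.2.3.45",    "CVE-0000-0002", 9.8, date(2014, 3, 1)),
    Finding("192.168.3.45", "CVE-0000-0003", 5.3, date(2014, 3, 1),
            exception_until=date(2014, 5, 1)),
    Finding("192.168.3.45", "CVE-0000-0004", 6.1, date(2014, 2, 1),
            fixed_on=date(2014, 2, 20)),
]

if __name__ == "__main__":
    for pri, st, name, f in triage(FINDINGS, TODAY):
        print(f"{pri} {st:9} {name:13} {f.cve} cvss={f.cvss} risk={risk_score(f):.1f}")
    print(kpis(FINDINGS, TODAY))
```

The point the ranking makes is the one Carlos is asking about: the CVSS 9.8 finding on the low-value wiki sorts below a CVSS 7.2 finding on the payments database, because the latter is exploited in the wild, business-critical and in PCI scope. The KPI dictionary answers "are we improving?" with counts of findings fixed inside their SLA and findings overdue, not with the number of patches pushed.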
Slide 14: IT Security Risk Solutions (RSA Archer eGRC; same diagram as slide 9, now introducing Security Operations)
  Preventative: Risk Indicators, Scan Results and Metrics, Remediation Workflow, Threat Correlation, Gold Build Images, Measure Outcomes
  Responsive (Security Operations, SOC): Incidents & Investigations, Breach, Crisis
  Data Foundation (Context, Catalogs, Foundational, Focused UIs): Assets, IT Context, Regulatory, Biz Context, Identity, Persona Based UI, CVE/CVSS, CWE, Login/Logout, Interactive Charts, CPE, CCE, Repositories, Searching and Filtering, Threat Intel, UCF, Integrations, Workflow, Ticketing, Reports, Exceptions, Notifications
Slide 15: SOC Challenges Today
  Event focused and reactive, with no centralization of alerts or incident management
  Lack of Context
  Lack of Best Practices
  Lack of Process
Slide 16: What is SecOps?
A consistent, predictable business process.
Diagram labels: Domain, Process, People, Technology; Security Operations: Incident, Breach, Orchestrate & Manage, SOC Program; IT Security Risk
Slide 17: Security Operations (RSA SecOps)
  Inputs: Context, Alerts
  Capture & Analyze Packets, Logs & Threat Feeds
  Aggregate Alerts to Incidents
  Incident Response, Breach Response (Launch to SA)
  SOC Program
  Dashboard & Report
  RSA Archer Enterprise (Context); RSA Archer BCM (Crisis Events)
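The "aggregate alerts to incidents" step on this slide, together with the centralization gap named on slide 15, is easy to state and worth seeing in code. The following is an added example written for this page, not RSA SecOps, Security Analytics or Archer code. The alert feed, the asset context, the alert weights and the two-hour merge window are all constructed or assumed; the hosts echo the noise timeline on slide 3 but carry no real meaning.

```python
"""Alert-to-incident aggregation with business context.

Added example, not RSA SecOps, Security Analytics or Archer code. Alerts from
several tools are merged per host into incidents, each incident is scored with
asset context and cross-tool corroboration, and the result is ordered for the
incident coordinator. Feed, asset context, weights and window are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed alert feed: (timestamp, source tool, host, alert type).
ALERTS: List[Tuple[str, str, str, str]] = [
    ("2014-04-02 08:02", "antivirus", "10.1.2.30",      "malware infection"),
    ("2014-04-02 08:20", "ids",       "10.1.2.30",      "connection to known c2"),
    ("2014-04-02 14:15", "netflow",   "10.1.2.30",      "unusual traffic volume"),
    ("2014-04-02 17:07", "ids",       "192.168.3.45",   "port scan"),
    ("2014-04-02 20:30", "siem",      "192.168.100.23", "failed login"),
    ("2014-04-02 20:31", "siem",      "192.168.100.23", "failed login"),
    ("2014-04-02 20:32", "siem",      "192.168.100.23", "failed login"),
    ("2014-04-03 00:00", "antivirus", "10.2.3.45",      "malware infection"),
]

# Constructed asset context, the kind of data GRC integration would supply.
ASSET_CONTEXT: Dict[str, dict] = {
    "10.1.2.30":      {"name": "payments-db",   "criticality": "high"},
    "192.168.3.45":   {"name": "dmz-web",       "criticality": "medium"},
    "192.168.100.23": {"name": "hr-portal",     "criticality": "medium"},
    "10.2.3.45":      {"name": "intranet-wiki", "criticality": "low"},
}

# Assumed weights: per alert type, per asset criticality, and the merge window.
ALERT_WEIGHT = {"malware infection": 5, "connection to known c2": 8,
                "unusual traffic volume": 3, "port scan": 1, "failed login": 1}
CRIT_MULT = {"high": 3, "medium": 2, "low": 1}
WINDOW = timedelta(hours=2)   # alerts on one host within this gap merge


@dataclass
class Incident:
    host: str
    first_seen: datetime
    last_seen: datetime
    alerts: List[Tuple[datetime, str, str]] = field(default_factory=list)

    def sources(self) -> set:
        return {src for _, src, _ in self.alerts}

    def score(self) -> int:
        """Alert weights times asset criticality, plus corroboration across tools."""
        base = sum(ALERT_WEIGHT.get(kind, 1) for _, _, kind in self.alerts)
        crit = CRIT_MULT[ASSET_CONTEXT.get(self.host, {"criticality": "low"})["criticality"]]
        corroboration = 2 * (len(self.sources()) - 1)
        return base * crit + corroboration


def aggregate(alerts=ALERTS, window: timedelta = WINDOW) -> List[Incident]:
    """Merge alerts per host when each falls within `window` of the incident's last alert."""
    per_host: Dict[str, List[Incident]] = defaultdict(list)
    for ts, src, host, kind in sorted(alerts):        # ISO timestamps sort chronologically
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        incidents = per_host[host]
        if incidents and t - incidents[-1].last_seen <= window:
            incidents[-1].alerts.append((t, src, kind))
            incidents[-1].last_seen = t
        else:
            incidents.append(Incident(host, t, t, [(t, src, kind)]))
    merged = [inc for incs in per_host.values() for inc in incs]
    merged.sort(key=lambda inc: (inc.score(), inc.first_seen), reverse=True)
    return merged


def summarize(incidents: List[Incident]) -> List[dict]:
    """One row per incident for the SOC dashboard."""
    return [{"host": i.host,
             "asset": ASSET_CONTEXT.get(i.host, {}).get("name", "unknown"),
             "score": i.score(), "alerts": len(i.alerts), "tools": sorted(i.sources())}
            for i in incidents]


if __name__ == "__main__":
    for row in summarize(aggregate()):
        print(row)
```

Eight alerts collapse into five incidents. The top one is the payments database, where an antivirus detection and an IDS alert from two different tools within twenty minutes become a single corroborated incident; the three failed logins on the HR portal become one incident rather than three tickets. The afternoon traffic anomaly on the same database host falls outside the window and stays a separate, lower-scored incident, which is the kind of linkage an analyst (or a longer window keyed on the same host) would review next.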
Slide 18: The Value of SecOps
Personas: CISO, IT Security Analyst, Incident Coordinator

  Enable SOC/IR Analysts to Be More Effective: Incident Prioritization, Visibility & Biz Context, Workflow to guide IR process, Threat Intelligence, Response Procedures, Automation
  Optimize SOC Investments: Monitor KPIs, Identify gaps & improve, Measure Security Controls, Manage SOC Team
  Manage IT Security & Business Risk: Data Breach, Enterprise Risk, Vendor Risk, Compliance Risk, and more