Integrated Active Cyber Defense: Reducing Your Risk of Compromise Through Integrated & Automated Active Cyber Defense
"We think it [the future of Cybersecurity] lies in leveraging automation and integration to be able to detect and mitigate Cybersecurity risk in real time."
Our Moderators Today
- Pat Arvidson, Director for Defending DoD Networks and Mission Assurance, OSD, Office of the Principal Cyber Advisor (Moderator)
- Russell Glenn, Director, Cybersecurity ACD Integration, KEYW Corp. (Moderator)
Our Panelists Today
- Travis Rosiek, Federal CTO, FireEye (Panelist)
- Chris Fedde, President, Hexis Cyber Solutions (Panelist)
- Ryan Gillis, Vice President, Cybersecurity Strategy and Global Policy, Palo Alto Networks (Panelist)
- John Stoner, Federal Security Strategist, Splunk (Panelist)
State of Cyber Defense
State of Cyber Defense
Cyber Network Defenders Overwhelmed
- Burdened under a fog of alerts
- Unable to focus on APT/nation-state attacks
Cyber Network Defenders Need
- Tools/processes that automatically handle basic threats (80%)
- Enables operators to hunt advanced threats with enriched threat intel
Leveraging policy-driven automation is not a new idea
- Ex: automated system lockout, anti-virus
SHORTSTOP Architecture
[Figure: SHORTSTOP layered architecture diagram, layers L1 through L4. Labels recoverable from the slide: Analytics, Mission Threads, Integration, NGFW, Heuristic/Sandbox, ERD (Endpoint Remediation Device), Compliance.]
Incident Response Story
Current Incident Response
- Threat incident occurs
- Incident response team responds
- Incident analysis occurs from logs and existing data
- Threat is identified; damage assessment and cleanup occur
So what if we created Automated Incident Response? What would it look like?
Integrated Approach + Logical Architecture
The SHORTSTOP layered approach to cyber security leverages the traditional military strategy of the decision cycle Observe, Orient, Decide, and Act (OODA), applying it to all major threat vectors.
[Figure: SHORTSTOP System logical architecture. Layers, top to bottom: Analytics (Mission Threads, Mission Effects); Integration, Data Enrichment / Splunk; Sensor Analytics (one per sensor); Sensors: Threat Feeds, Next Generation Firewall, Heuristic / Sandbox, Endpoint Remediation Device, Compliance. The OODA phase labels Observe, Orient, Decide and Act are overlaid on the layers.]
SHORTSTOP Reference Architecture
SHORTSTOP is provided as a turn-key system, or reference design, to deploy best-in-class cyber defense:
- Central management/threat aggregation layer for threat correlation
- Course of Action development based on enterprise environment and threat posture
- Commercial security technologies to address all major threat vectors
- Detection and heuristics at the perimeter, internal/external networks, and the endpoint
- Continuous, automated, policy-driven response to confirmed threats
SHORTSTOP Reference Architecture: Architecture Components
Perimeter Network
- Inbound network IOC detection
- On-demand threat blocking
Internal Network
- IOC detection, primarily sandboxing or threat replay technology, detecting advanced IOCs
Endpoint
- Detect malicious activity and outbound threats emanating from the host
- Verify the existence of network threats on the endpoint
- Apply policy-driven countermeasures to remove the threat
Command/Control/Orchestration/Integration
- Correlate sensors and IOCs from endpoint and network
- Provide common visibility of the threat
- Automate response to the threat at the endpoint and network layer
[Figure: initial deployment diagram; only the label "Initial Deployment" survives.]
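The two slides above (the OODA logical architecture and the component list) describe an orchestration layer that correlates network and endpoint IOCs, confirms a host infection before acting, and automates the response by policy. The following is an added example written for this page; it is not code from the deck or from any of the vendors named (KEYW, Hexis, Splunk, Palo Alto Networks, FireEye). The sensor names ("ngfw", "sandbox", "endpoint"), the threat-feed entries, the host names and the action vocabulary are all constructed for illustration. The policy encodes the deck's split: endpoint-confirmed commodity threats get a fully automated course of action, network-only detections are contained at the perimeter but the host is verified before it is touched, and anything the feed marks as targeted is escalated to hunters with enriched context instead of being auto-remediated.

```python
"""Minimal OODA-style orchestration loop: observe -> orient -> decide -> act.

Added illustration for the SHORTSTOP slides; every identifier, sensor name,
indicator and policy threshold here is constructed, not taken from a product.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    sensor: str   # constructed sensor names: "ngfw", "sandbox", "endpoint"
    host: str     # internal host the alert concerns
    ioc: str      # indicator observed (domain or file hash)


# Constructed threat-feed enrichment. "commodity" threats are eligible for
# automated response; "targeted" threats are routed to human hunters.
THREAT_FEED = {
    "c2.bad.example":     {"family": "commodity-loader",  "class": "commodity"},
    "sha256:deadbeef":    {"family": "commodity-loader",  "class": "commodity"},
    "stage2.bad.example": {"family": "targeted-implant",  "class": "targeted"},
}

# Constructed sample events, as the integration layer might receive them.
SAMPLE_EVENTS = [
    {"sensor": "ngfw",     "host": "ws-101",  "ioc": "c2.bad.example"},
    {"sensor": "endpoint", "host": "ws-101",  "ioc": "sha256:deadbeef"},
    {"sensor": "sandbox",  "host": "ws-202",  "ioc": "c2.bad.example"},
    {"sensor": "endpoint", "host": "srv-303", "ioc": "stage2.bad.example"},
    {"sensor": "ngfw",     "host": "ws-404",  "ioc": "unknown.example"},
]


def observe(raw_events):
    """Observe: normalise raw sensor events into Alert records."""
    return [Alert(e["sensor"], e["host"], e["ioc"]) for e in raw_events]


def orient(alerts):
    """Orient: correlate alerts per host, split by sensor layer, enrich via feed."""
    by_host = defaultdict(lambda: {"network_iocs": set(), "endpoint_iocs": set()})
    for a in alerts:
        if a.ioc not in THREAT_FEED:
            continue  # unknown indicator: not actionable by policy, left to analytics
        key = "endpoint_iocs" if a.sensor == "endpoint" else "network_iocs"
        by_host[a.host][key].add(a.ioc)
    return dict(by_host)


def decide(by_host):
    """Decide: apply policy and produce a course of action (COA) per host."""
    coas = {}
    for host, view in by_host.items():
        net, ep = view["network_iocs"], view["endpoint_iocs"]
        classes = {THREAT_FEED[i]["class"] for i in net | ep}
        actions = []
        if "targeted" in classes:
            # Advanced threat: no automated remediation; hand enriched context to hunters.
            actions.append({"action": "escalate_hunt", "host": host,
                            "context": sorted(THREAT_FEED[i]["family"] for i in net | ep)})
        elif ep:
            # Endpoint-confirmed commodity infection: full machine-speed response.
            actions += [{"action": "block_perimeter", "ioc": i} for i in sorted(net)]
            actions.append({"action": "remediate_endpoint", "host": host, "iocs": sorted(ep)})
        else:
            # Network-only detection: contain at the perimeter, verify before touching the host.
            actions += [{"action": "block_perimeter", "ioc": i} for i in sorted(net)]
            actions.append({"action": "verify_endpoint", "host": host, "iocs": sorted(net)})
        coas[host] = actions
    return coas


def act(coas, dispatch=print):
    """Act: hand each action to a dispatcher (here just printing); returns the count."""
    count = 0
    for host, actions in coas.items():
        for a in actions:
            dispatch(f"[{host}] {a}")
            count += 1
    return count


def run_pipeline(raw_events):
    """Observe, orient and decide over one batch of events; returns COAs per host."""
    return decide(orient(observe(raw_events)))


if __name__ == "__main__":
    act(run_pipeline(SAMPLE_EVENTS))
```

The decisive check is in `decide`: a network sensor firing on a known-bad indicator is enough to block that indicator at the perimeter, but endpoint remediation only runs once an endpoint sensor has confirmed the host, which is the false-positive control the slides describe. Unknown indicators fall through `orient` untouched so that the automation only ever acts on enriched, feed-confirmed IOCs.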
SHORTSTOP Benefits to Enterprise Security
Reduce incident response times through policy-driven automation:
- Confirm host infections, increase detection effectiveness and reduce false positives
- Automate response actions with HawkEye G's policy-based response capabilities to more rapidly and efficiently contain and remove threats at machine speed
- Coordinate threat identification and tool integration with Splunk as the integration layer to automatically respond to threats
Cyber Situational Awareness:
- Improve visibility through a unified solution architecture that combines detection at all layers of the enterprise into a common visual representation with Splunk and HawkEye G
Increase Blue/Hunt capabilities:
- Provide additional analytic and hunting capabilities by leveraging Splunk to collect, synthesize, and enrich all threat indicators from HawkEye G, Palo Alto Networks, and FireEye
SHORTSTOP Benefits to Operations
Operators:
- Increase capability of the existing workforce by leveraging automated technology
- Improve efficiency of incident response (decrease onsite hunting, automate common threat response, correlate threats to prioritize alerts)
Tools:
- Integrate with existing tools and investments
- Ease of integration of new tools and capabilities
- Coordination of sensor data improves threat identification, incident response, and hunting
- Custom development for analytics and COAs still enabled
Processes:
- Simplify operational processes for operators
- Lower barrier to entry for trained forces