Preempting Business Risk with RSA SIEM and CORE Security Predictive Security Intelligence Solutions
CORE Security | +1 617.399.6980 | info@coresecurity.com | www.coresecurity.com | blog.coresecurity.com
Change is coming, and it's coming fast. Like many sophisticated organizations, yours has discovered that two decades of investment in conventional IT security technology such as antivirus software, firewalls and intrusion detection tools are no longer enough to stop hackers armed with spear-phishing e-mail messages, automated web-based exploit kits and SQL injection attacks. These sophisticated adversaries, some driven by profit, others by political or ideological aims, troll for sensitive information and for vulnerable and misconfigured systems that can be used to throw open the doors to your critical IT assets. For your IT staff, this great and widening imbalance between threats and defenses demands new tools and strategies tailored to the attacks you now face.

To keep the attackers at bay, you have a forest of security products: Firewalls. Antivirus. Intrusion detection. Access management. Log management. Data leak protection. Vulnerability scanners. It's a complicated, siloed environment that has grown ever more crowded in the last decade, as each wrinkle in the threat landscape or new regulation spawns a new security solution.

At the center of this is your RSA enVision Security Information and Event Management (SIEM) system. It's your most important tool in keeping your network secure and compliant. Properly deployed and configured, SIEM systems like RSA enVision enable you to capture, store, analyze and recall logged data from a wide range of network devices, applications, security tools, endpoints and storage infrastructure. EnVision's powerful analysis and reporting tools help you sift through and understand the output of networked infrastructure and security products and give you insight into what activity is transpiring in your environment.

There's just one problem.
Your SIEM can't help you with the issue you really care about: knowing what sophisticated hackers are thinking, and what they'll do before they do it. That's where CORE Security's CORE Insight Enterprise comes in.

Optimizing Controls: Automated Attack Path Analysis with CORE Insight

True: your enVision deployment saves you thousands or tens of thousands of dollars merely by culling out duplicate and low-priority events. By automating log collection, aggregating data feeds and filtering out false positives, enVision leaves your IT staff to deal with the dozens or hundreds of events that actually matter.

But the fact is that there are limits to what your SIEM can do in its current configuration. Yes, it helps you to isolate the signal of meaningful security events from the noise of server logs and IDS events. But could that database breach your SIEM detected in Toronto lead to your Category 5 Market Sensitive Data? And how does the Toronto incident relate (if at all) to the file server compromise in the Boston office? Are they part of the same, larger attack, or are they isolated incidents? CORE Insight helps you answer those questions in real time by helping you to better understand how a skilled hacker might attack your network.
CORE's patented Predictive Security Intelligence Engine collects data about your network, then thinks like a hacker: traversing all the possible paths attackers could use to get to high-value assets, then identifying and predicting the paths that are most likely to succeed. Rather than relying on educated guesswork to make sense of enVision's output, Insight's one-of-a-kind attack correlation engine collects and inspects alerts from SIEM products like RSA enVision and validates them against known attack paths specific to your current network configuration, assessing each against factors such as exploitability, asset value and business impact. Using Insight, your team can fast-forward, or predict, a potential attacker's moves, pinpointing exploitable weaknesses in your network defenses and the business impact they could have. After the analysis is complete, that information is then turned back to enVision in the form of high-value correlation rules, in a fraction of the time it would take your IT staff to create similar rules manually. Once your IT team understands the downstream effects of an incident or threat detected in your environment and isolated by your SIEM, prioritizing and responding to it are simple matters.
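The paragraph above describes three steps: enumerate the paths from an entry point to high-value assets, rank them by exploitability and business impact, and use the ranked paths to put a SIEM alert in context and derive correlation rules. The following is an added illustration of that idea in miniature; it is not CORE Insight's engine, model or output. The hosts, asset values, exploit probabilities and reachability edges are constructed and hypothetical (the Toronto database and Boston file server echo the scenario in the text), and the scoring rule, path risk = probability that every hop is compromised times the target's business value, is an assumption chosen for the example.

```python
"""Toy attack-path analysis: rank paths from an entry point to high-value
assets, then use the ranked paths to interpret a SIEM alert.
Added example with constructed data; not CORE Insight's model or output."""
from typing import Dict, List, Tuple

# Constructed inventory (hypothetical hosts, not from the white paper):
# host -> (business value 0-10, probability that an attacker who can reach
# the host compromises it through its known, exploitable weaknesses).
HOSTS: Dict[str, Tuple[int, float]] = {
    "internet":    (0, 1.0),   # attacker's starting point
    "web-tor":     (2, 0.7),   # public web server, Toronto office
    "db-tor":      (9, 0.5),   # market-sensitive database, Toronto office
    "file-bos":    (4, 0.6),   # file server, Boston office
    "hr-app":      (6, 0.3),   # internal HR application
    "workstation": (1, 0.8),   # phishing-exposed user endpoint
}

# Constructed reachability as the firewalls/ACLs allow it: src -> [dst, ...]
EDGES: Dict[str, List[str]] = {
    "internet":    ["web-tor", "workstation"],
    "web-tor":     ["db-tor", "file-bos"],
    "workstation": ["file-bos", "hr-app"],
    "file-bos":    ["db-tor", "hr-app"],
    "hr-app":      ["db-tor"],
    "db-tor":      [],
}

Path = List[str]


def likelihood(hops: List[str]) -> float:
    """Probability that every listed hop is compromised in turn."""
    p = 1.0
    for h in hops:
        p *= HOSTS[h][1]
    return p


def attack_paths(src: str, dst: str, seen=None) -> List[Path]:
    """All simple (cycle-free) paths from src to dst over EDGES."""
    seen = set() if seen is None else seen
    if src == dst:
        return [[dst]]
    paths = []
    for nxt in EDGES.get(src, []):
        if nxt not in seen:
            for tail in attack_paths(nxt, dst, seen | {src}):
                paths.append([src] + tail)
    return paths


def rank_paths(entry: str, min_value: int = 6) -> List[Tuple[float, Path]]:
    """Rank every path from entry to a high-value asset by
    risk = P(all hops after entry succeed) * business value of the target."""
    ranked = []
    for target, (value, _) in HOSTS.items():
        if value < min_value or target == entry:
            continue
        for path in attack_paths(entry, target):
            ranked.append((likelihood(path[1:]) * value, path))
    ranked.sort(key=lambda r: r[0], reverse=True)
    return ranked


def correlate_alert(alert_host: str, ranked) -> List[Tuple[float, str, str]]:
    """Put a SIEM alert ("alert_host compromised") in context: for every ranked
    path through that host, the remaining risk is the probability that the
    rest of the path succeeds times the target's value.
    Returns (remaining_risk, next_hop, target), de-duplicated, highest first."""
    best: Dict[Tuple[str, str], float] = {}
    for _, path in ranked:
        if alert_host not in path or path[-1] == alert_host:
            continue
        rest = path[path.index(alert_host) + 1:]
        risk = likelihood(rest) * HOSTS[path[-1]][0]
        key = (rest[0], path[-1])
        best[key] = max(best.get(key, 0.0), risk)
    return sorted(((r, nh, t) for (nh, t), r in best.items()), reverse=True)


def suggest_rules(alert_host: str, ranked, top: int = 2) -> List[Tuple[str, str]]:
    """Correlation-rule candidates for the SIEM: 'alert on alert_host followed
    by alert on next_hop', for the next hops carrying the most remaining risk."""
    hops: List[Tuple[str, str]] = []
    for _, next_hop, _ in correlate_alert(alert_host, ranked):
        if (alert_host, next_hop) not in hops:
            hops.append((alert_host, next_hop))
    return hops[:top]


if __name__ == "__main__":
    ranked = rank_paths("internet")
    for risk, path in ranked[:3]:
        print(f"{risk:5.2f}  {' -> '.join(path)}")
    for risk, nh, target in correlate_alert("file-bos", ranked):
        print(f"after file-bos: next hop {nh}, target {target}, remaining risk {risk:.2f}")
    print(suggest_rules("file-bos", ranked))
```

With these constructed numbers the top-ranked path is the direct one from the Toronto web server to the Toronto database, and an alert on the Boston file server is correlated with that same database as its highest-risk next hop, which is exactly the question the text poses about whether the two incidents belong to one larger attack. Real engines weigh many more factors (privilege levels, credential reuse, detection coverage), but the shape of the answer, paths scored by likelihood and impact and re-scored from the point of an alert, is the same.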
Enforcing Security Best Practice with Real-time Intelligence

Your IT environment is complex and growing more so every day. Sophisticated organizations today run distributed IT environments that span multiple geographic locations and comprise traditional network infrastructure along with virtual IT assets, cloud computing environments and mobile endpoints. Add to this the tendency of compliance programs to be narrowly focused, rather than broad in scope, and you have a recipe for chaos, with too few IT staff chasing overlapping compliance objectives across a fast-changing and distributed environment. Tools like RSA's Archer eGRC help connect the dots between disparate regulations and compliance programs and actual IT controls. But a critical blind spot still exists, namely: what is the actual security and compliance posture of the network at any moment in time?

By marrying Insight's predictive security intelligence with enVision's monitoring and alerting features and RSA's Archer eGRC, you can verify that your IT controls are working as intended and your compliance requirements are aligned with the corporate plans. How? CORE Insight couples an automated system-wide threat assessment and attack planning security solution with powerful artificial intelligence (AI) that continuously and proactively assesses the security of critical information assets in real time. Customers define the critical IT assets that are important to their organization, including systems handling sensitive data, data types, transactions, operations controls and more. Next, Insight allows companies to emulate advanced attacks against those targets in a safe and controlled manner, making the same decisions that malicious hackers would make in traversing exploitable web application, network and client-side weaknesses in your environment.
Rather than simply noting conformity with the letter of your organization's security policies, Insight's AI engine allows you to spot gaps in your compliance framework and verify that security controls like firewalls or policies actually thwart the kinds of attacks they were designed to stop, and it immediately provides documented proof. At the same time, CORE Insight's attack intelligence is continually learning and adapting: replaying attacks that fail in order to find alternative paths to vulnerable systems and, in the process, discovering IT assets that your organization may not have considered important or even known about. The results of those iterative tests can then be fed back into your eGRC and SIEM platforms, helping to tweak and refine policies and security infrastructure to account for alternative attack methods.
The Value of Security Intelligence to Your Security Ecosystem

Crippling attacks can happen to any organization, regardless of means. In an age of advanced persistent threats and targeted attacks, even sophisticated and well-resourced companies fall victim to faceless hackers if they fail to secure and monitor critical assets. After all, stopping a receptionist or support desk employee from clicking on a malicious Web link may be impossible. However, hardening application servers, databases that store critical customer account information or transaction processing systems is a more defined and achievable task. And when critical systems are properly secured, the attacks that inevitably come will be less likely to succeed or to spread from less sensitive to more sensitive systems, limiting the scope of compromises.

Your organization has invested heavily in tools to help with this massive task. Technology like RSA's enVision SIEM and Archer eGRC helps you make sense of your complex IT environment and map your security controls to actual compliance objectives. However, more is needed. To prevent state-of-the-art attacks, you need to do more than monitor your environment. You need to think and act like a hacker. This means identifying the exploitable vulnerabilities on your network and the likely paths of attack that sophisticated hackers might use to gain access to sensitive systems and data. CORE Insight adds a valuable layer of security intelligence to your SIEM deployment that allows your staff to see your network the way likely adversaries see it, with a focus on critical exposures and at-risk data and systems.
By predicting and mimicking the actions of hackers, Insight enhances the value of your other security investments, providing a layer of security intelligence and ongoing monitoring and measurement so that products like enVision get a real-time picture of an organization's security posture, highlighting the highest risk of compromise within your IT ecosystem.

To learn more about CORE Insight and how it can add value to your RSA enVision and Archer eGRC deployments, visit CORE's web site: http://www.coresecurity.com/content/core-INSIGHT-Enterprise

About CORE Security

CORE Security is the leading provider of predictive security intelligence solutions. We help more than 1,400 customers worldwide preempt critical security threats and more effectively communicate business risk. Our award-winning enterprise solutions are backed by over 15 years of expertise from the company's CORE Labs research center. Learn more at www.coresecurity.com.
41 Farnsworth Street, Boston, MA 02210 USA
Ph: +1 617.399.6980
www.coresecurity.com
Blog: blog.coresecurity.com
Twitter: @coresecurity
Facebook: CORE Security
LinkedIn: CORE Security

© 2012 CORE Security and the CORE Security logo are trademarks or registered trademarks of CORE SDI, Inc. All other brands & products are trademarks of their respective holders.