CONTINUOUS MONITORING THE MISSING PIECE TO SECURITY OPERATION (SOC) TODAY


Matthias Yeo, Chief Technology Officer - APAC, CISSP, CISA, CISM, PMP

OVER REACTING VS UNDER REACTING
The reason for the world today: the "car alarm" security model.

WHAT IS MISSING IN SOC TODAY?
1. Continuous Monitoring
2. Adaptive Security
3. Encrypted Traffic Management


BURNING QUESTION TODAY
How to prevent my organization from suffering security breaches?

THE REALITY OF OUR SECURITY WORLD
Globally, 18% of organizations in the Government & Defense sector reported at least one targeted attack. 94% of companies reportedly encountered at least one externally-sourced data security incident within the past 12 months, including phishing attacks, DDoS attacks, and theft of mobile devices. In 28% of these instances, the business reported the loss of sensitive business data.

BURNING QUESTION TODAY
How to prevent my organisation from suffering security breaches? Am I ready to respond?

GARTNER: ADAPTIVE SECURITY ARCHITECTURE - PROTECTION FROM ADVANCED ATTACKS
On Adaptive Security Architecture:
"Shift your security mindset from 'incident response' to 'continuous response,' wherein systems are assumed to be compromised and require continuous monitoring and remediation."
"Because enterprise systems are under continuous attack and are continuously compromised, an ad hoc approach to 'incident response' is the wrong mindset."
Source: https://www.gartner.com/doc/2665515/designing-adaptive-security-architecture-protection (Gartner, February 2014)

POST-PREVENTION SECURITY GAP - HOW BIG IS IT?
Initial attack to compromise: Seconds 60%, Minutes 13%, Hours 11%, Days 13%, Weeks 2% (84% within hours)
Initial compromise to discovery: Hours 9%, Days 11%, Weeks 12%, Months 62%, Years 4% (78% take weeks or longer)

USING THE HUMAN BODY AS AN ANALOGY
Human body - Preventive: supplements, multi-vitamins; exercise, jogging; healthy eating; sleeping early
Human body - Repair: GP clinics, dental; diagnosis, X-rays; remediation, medication; hospitalisation
Technology - Preventive: IPS, firewall, email gateway, web gateway, AV, database security, SIEM (defense in depth?)
Technology - Repair: logs from the system? Forensics (manual)???

THE POST-BREACH QUESTIONS
Two main questions every CIO expects a SOC to answer during a breach:
- What happened? How did the system get compromised? What systems and data were affected?
- What are we doing about it? Have we done all the remediation? Can we be sure it is over?

SECURITY ANALYTICS: A ROOT CAUSE ANALYSIS
Security analytics: a full packet capture of the traffic in your network, retained for analysis. (Diagram: Internet -> Firewall -> Security Analytics.)
It answers the two most important questions:
- What happened?
- What are we doing about it?

EXAMPLE - THREAT ASSESSMENT KEY FINDINGS
Critical findings (No. / Finding / Criticality):
1 Downloads of malware - Very High
2 Indicator of compromised host (C&C) - Very High
3 Access to inappropriate site - High
Others (situational awareness):
1 Unusual protocol analyzed - Medium
2 Unsecure File Transfer Protocol - Medium
3 Visibility of traffic (videos) - Low
4 Unsecure protocol identified - Low

SECURITY ANALYTICS: FORENSIC CAPABILITY FOR HOSTED SITES
Similarly, without proper forensic capability, if there is an attack on our hosted environment it may be hard to identify how the attack happened. With a full network packet capture, the security operator can go back in time to identify the source of the breach from the raw network content, and answer queries such as:
- What was the exploitation done to the servers?
- How did the server respond to the exploitation?
- Was there any reconnaissance done before that?
- Was any malware loaded onto the server?
- What is the activity or traffic anomaly after the attack?
- Was there any loss of information or anomalous activity after the breach?
(Diagram: Internet -> Firewall -> Security Analytics with Central Manager; File Server, Hosted Service, ST Sites.)
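The "go back in time" workflow above, as an added example that is not part of the original slides or of any vendor product: it assumes the organisation retains per-connection records (the kind of index a full packet capture or flow log provides) and answers the listed post-breach questions by querying that history after the fact. The record format, hosts, timestamps and byte counts are constructed for illustration, and the helper names are the example's own.

```python
"""Retrospective analysis over retained network records (added example).

Assumes one record per connection, as a packet-capture index or flow log
would provide; the log lines below are constructed, not real traffic.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class Conn(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int
    bytes_to_dst: int  # bytes the initiator sent
    bytes_to_src: int  # bytes the responder sent back


# Constructed sample: the victim is the hosted web server 10.0.5.20; the
# other addresses are documentation-range addresses, not real hosts.
SAMPLE_LOG = """
# ts,src,dst,dport,bytes_to_dst,bytes_to_src   (assumed record format)
2015-06-01T08:00:00,10.0.5.20,10.0.5.5,445,3000,9000
2015-06-01T08:15:00,192.0.2.10,10.0.5.20,443,900,14000
2015-06-01T08:40:00,192.0.2.11,10.0.5.20,443,1100,16000
2015-06-01T09:00:05,203.0.113.7,10.0.5.20,21,60,0
2015-06-01T09:00:06,203.0.113.7,10.0.5.20,22,60,0
2015-06-01T09:00:07,203.0.113.7,10.0.5.20,80,60,300
2015-06-01T09:00:07,203.0.113.7,10.0.5.20,443,60,300
2015-06-01T09:00:08,203.0.113.7,10.0.5.20,445,60,0
2015-06-01T09:00:08,203.0.113.7,10.0.5.20,3389,60,0
2015-06-01T09:30:00,203.0.113.7,10.0.5.20,80,5200,420
2015-06-01T09:30:40,10.0.5.20,198.51.100.9,443,700,380000
2015-06-01T09:31:40,10.0.5.20,198.51.100.9,443,200,150
2015-06-01T09:45:00,10.0.5.20,198.51.100.9,443,52000000,900
2015-06-01T10:00:00,192.0.2.12,10.0.5.20,443,1000,15000
"""


def parse_records(lines):
    """Parse 'ts,src,dst,dport,bytes_to_dst,bytes_to_src' lines into Conn records."""
    conns = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, to_dst, to_src = line.split(",")
        conns.append(Conn(datetime.fromisoformat(ts), src, dst,
                          int(dport), int(to_dst), int(to_src)))
    return sorted(conns, key=lambda c: c.ts)


def reconnaissance_before(conns, victim, t0, window=timedelta(hours=2), min_ports=5):
    """Was there reconnaissance before? Sources that touched many distinct
    ports on the victim inside the window preceding the compromise time t0."""
    ports = defaultdict(set)
    for c in conns:
        if c.dst == victim and t0 - window <= c.ts < t0:
            ports[c.src].add(c.dport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def exploitation_candidates(conns, victim, t0, slack=timedelta(minutes=5)):
    """What exploitation was done and how did the server respond? Inbound
    connections around t0, carrying their request and response sizes."""
    return [c for c in conns if c.dst == victim and abs(c.ts - t0) <= slack]


def new_outbound_peers(conns, victim, t0):
    """Was malware loaded, and what is the activity after? Hosts the victim first
    contacted after t0, with (bytes downloaded, bytes sent out) per peer."""
    seen_before = {c.dst for c in conns if c.src == victim and c.ts < t0}
    totals = defaultdict(lambda: [0, 0])
    for c in conns:
        if c.src == victim and c.ts >= t0 and c.dst not in seen_before:
            totals[c.dst][0] += c.bytes_to_src
            totals[c.dst][1] += c.bytes_to_dst
    return {peer: tuple(v) for peer, v in totals.items()}


def exfiltration_suspects(conns, victim, t0, threshold=10_000_000):
    """Any loss of information? Single outbound transfers from the victim
    above the threshold after t0, as (iso timestamp, peer, bytes)."""
    return [(c.ts.isoformat(), c.dst, c.bytes_to_dst) for c in conns
            if c.src == victim and c.ts >= t0 and c.bytes_to_dst >= threshold]


def investigate(log_text, victim, compromise_iso):
    """Run the post-breach questions against the retained records."""
    conns = parse_records(log_text.splitlines())
    t0 = datetime.fromisoformat(compromise_iso)
    return {
        "reconnaissance": reconnaissance_before(conns, victim, t0),
        "exploitation": exploitation_candidates(conns, victim, t0),
        "new_peers": new_outbound_peers(conns, victim, t0),
        "exfiltration": exfiltration_suspects(conns, victim, t0),
    }


if __name__ == "__main__":
    for question, answer in investigate(SAMPLE_LOG, "10.0.5.20", "2015-06-01T09:30:00").items():
        print(f"{question}: {answer}")
```

The only input the analyst supplies is the victim host and the time the compromise is believed to have happened; every answer is then derived from records that were already retained, which is the point of the slide: without that history (or with logs alone that lack per-connection byte counts), the reconnaissance scan, the oversized request, the first contact with a new external peer and the large outbound transfer cannot be reconstructed after the event.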

WHAT IS MISSING IN SOC TODAY?
1. Continuous Monitoring
2. Adaptive Security
3. Encrypted Traffic Management

GARTNER: ADAPTIVE SECURITY ARCHITECTURE - PROTECTION FROM ADVANCED ATTACKS
On Adaptive Security Architecture:
"The goal is not to replace traditional SIEM systems, but rather to provide high-assurance, domain specific, risk-prioritized actionable insight into threats, helping enterprises to focus their security operations response processes on the threats and events that represent the most risk to them."
Gartner, February 2014

HOW TO ADDRESS THE OVER/UNDER REACTING SYNDROME?
A lifecycle of three stages:
- Ongoing Operations - Detect & Protect: block all known threats
- Incident Containment - Analyze & Mitigate: novel threat interpretation
- Incident Resolution - Investigate & Remediate: breach threat profiling & eradication

WHAT IS MISSING IN SOC TODAY?
1. Continuous Monitoring
2. Adaptive Security
3. Encrypted Traffic Management

MAKING MATTERS WORSE - SSL ENCRYPTED TRAFFIC IS PERVASIVE
(Chart: SSL sites on the web, 2007-2012, scale 0 to 2,000,000.) HTTPS traffic is booming (20% Y/Y).
Drivers: enterprise apps; cloud apps, i.e. SFDC, Amazon; Internet apps, i.e. Google, FB; mobile apps.
More protocols are SSL encrypted: HTTP, SPDY, FTP, SMTP, XMPP, IMAP, POP3, etc.

THE URGENCY OF SSL VISIBILITY
SSL is increasingly hiding security threats. SSL is growing, BUT creates blind spots for enterprise security apps.
- The majority of APTs operate over SSL
- 25-70% of traffic is encrypted
- 50% of all network attacks will use SSL by 2017 (Gartner, Dec 2013)
What SSL visibility must deliver:
- Meet data privacy & compliance regulations
- Protect security infrastructure
- Provide advanced security without trading off performance
- Identify and block hidden malware such as Gameover, Zeus, ShyLock and SpyEye
- Reduce risk and costs associated with data breaches

SSL HIDES MALWARE
(Diagram: signature-based defense-in-depth tools - NGFW, IDS/IPS, host AV, web gateway, SIEM, email gateway, DLP, web application firewall - facing threat actors: nation states, cybercriminals, hacktivists, insider threats. Traditional threats are known malware, known attacks, known IPs/URLs and known files; advanced threats are novel malware, zero-days, targeted attacks, modern tactics & techniques, and the unknown. SSL traffic is opaque to the signature-based tools.)

GARTNER: SECURITY LEADERS MUST ADDRESS THREATS FROM RISING SSL TRAFFIC
On Rising SSL Traffic:
"An increasing share of enterprise network traffic is encrypted, creating gaps in defense-in-depth effectiveness that security leaders should not ignore."
"Complex sets of laws and regulations on privacy, along with a high risk of conflict with employees, kill most security leaders' outbound Web traffic decryption projects."
Source: http://www.gartner.com/technology/reprints.do?id=1-1t7qe3b&ct=140421&st=sg&src=&lg=&elqemailname=.

IMPORTANT PIECE TO THE PUZZLE - SSL VISIBILITY APPLIANCE
Advanced Threat Protection Lifecycle Defense, with Encrypted Traffic Management (the SSL Visibility Appliance) alongside the three stages:
- Ongoing Operations - Detect & Protect: block all known threats
- Incident Containment - Analyze & Mitigate: novel threat interpretation
- Incident Resolution - Investigate & Remediate: breach threat profiling & eradication

CONTINUOUS MONITORING
1. Build continuous monitoring, not just incident response.
2. Build adaptive security, not products; do not be blinded by false positives.
3. Encrypted traffic management: remove your security blindfold.

Matthias Yeo, Chief Technology Officer - APAC, CISSP, CISA, CISM, PMP, Matthias.Yeo@bluecoat.com