Advanced Visibility. Moving Beyond a Log Centric View. Matthew Gardiner, RSA & Richard Nichols, RSA



Slide 2: Security is getting measurably worse
Chart (Verizon 2014 Data Breach Investigations Report): percent of breaches where time to compromise (red) and time to discovery (blue) was days or less, by year from 2004 to 2013, y-axis 0 to 100%, labelled "Attacker Capabilities". The gap between the two lines is the slide's point: in most breaches the attacker is in within days, while far fewer breaches are discovered within days.
Copyright 2015 EMC Corporation. All rights reserved. Confidential and Proprietary. NDA Required.

Slide 3: A Logs-Only Approach to Detection Isn't Working
99%: percent of successful attacks that went undiscovered by logs (Verizon 2014 Data Breach Investigations Report).

Slide 4: Security Strategies Leave Much White Space
Diagram: threat actors on the left, corporate assets on the right, and a row of preventive controls in between (firewall, IDS/IPS, antivirus, more logs). At first there were hacks, and preventive controls filter the known attack paths. The white space between those controls is where successful attacks pass through to corporate assets.

Slide 5: Recent Investments, Much White Space Still
Same diagram with a SIEM added: the firewall, IDS/IPS and antivirus each report blocked sessions and alerts into the SIEM. At first there were hacks, filtered by preventive controls; then came attacks, and despite increased investment in controls, including SIEM, the white space remains and successful attacks still reach corporate assets.

Slide 6: Lack of Visibility Is a Core Problem

Slide 7: How to Detect This With Logs Only?
A packed file is delivered to a host, FOLLOWED BY encrypted traffic from that host to an IP address registered in a blacklisted country. An attacker could be compromising the host and stealing data. The question the slide poses is how a log-only SIEM would even express either event, let alone the ordering between them on the same host.
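The sequence on slide 7 as a streaming "A followed by B" correlation over per-session network metadata. This is an added example, not code from the deck or from RSA Security Analytics; the record layout (host, peer, peer_cc, file_packed, encrypted), the addresses, the blacklist and the time window are all constructed for the demonstration.

```python
# Added example (not from the RSA deck): a single-pass "A followed by B" correlation
# over per-session network metadata, the detection slide 7 says a logs-only view
# cannot express. Records, hosts, addresses and the blacklist are all constructed.
from datetime import datetime, timedelta

# Constructed metadata records, one per network session, as a packet-inspection
# sensor might emit them. Field names are assumptions for this example, not any
# product's schema: host = internal endpoint, peer = external address,
# peer_cc = country the peer address is registered in, file_packed = a transferred
# file matched a packer signature, encrypted = the session payload was encrypted.
SESSIONS = [
    {"ts": "2015-06-01T09:00:05", "host": "10.1.1.5", "peer": "203.0.113.10",
     "peer_cc": "US", "file_packed": True, "encrypted": False},
    {"ts": "2015-06-01T09:04:30", "host": "10.1.1.5", "peer": "198.51.100.7",
     "peer_cc": "ZZ", "file_packed": False, "encrypted": True},
    # Encrypted traffic to the same peer, but no packed file arrived at this host.
    {"ts": "2015-06-01T09:10:00", "host": "10.1.1.9", "peer": "198.51.100.7",
     "peer_cc": "ZZ", "file_packed": False, "encrypted": True},
    # Same host as the first pair, but three hours later: outside the window.
    {"ts": "2015-06-01T12:00:00", "host": "10.1.1.5", "peer": "198.51.100.8",
     "peer_cc": "ZZ", "file_packed": False, "encrypted": True},
]

# "ZZ" is a user-assigned ISO 3166 code, used here only as a placeholder for
# whichever countries the organisation has decided to blacklist.
BLACKLISTED_CC = {"ZZ"}
WINDOW = timedelta(minutes=30)


def correlate(sessions, blacklist=BLACKLISTED_CC, window=WINDOW):
    """Return one alert per encrypted session to a blacklisted country where a
    packed file was delivered to the same host no more than `window` earlier.

    State is one timestamp per host, so this is a single pass over time-ordered
    records and cheap enough to run inline on the sensor."""
    last_packed = {}   # host -> time the most recent packed file arrived
    alerts = []
    for s in sorted(sessions, key=lambda r: r["ts"]):
        t = datetime.fromisoformat(s["ts"])
        if s["file_packed"]:
            last_packed[s["host"]] = t
        if s["encrypted"] and s["peer_cc"] in blacklist:
            t0 = last_packed.get(s["host"])
            if t0 is not None and t - t0 <= window:
                alerts.append({"host": s["host"], "staged_at": t0.isoformat(),
                               "exfil_peer": s["peer"], "exfil_at": t.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SESSIONS):
        print(alert)
```

Only the first host trips the rule: the second has the encrypted session but no staging event, and the third pair is the right sequence but too far apart. Each attribute on its own is noisy (packed binaries arrive with every installer, TLS to unusual countries is routine), so the per-host ordering within a window is what carries the signal; legitimate software that fetches an update over TLS right after installing will still match, which is why the asset and identity context of slide 11 belongs on the resulting alert.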

Slide 8: Many Data Streams Contribute to Visibility
Common visibility gaps: not collecting all necessary logs; lack of PCAP (network) data; not able to monitor endpoints.
Diagram, collection, processing and mining layer: log capture, full packet capture and endpoint inspection, alongside the existing AV, IPS, web and firewall sensors.
Context feeding the analyst: asset data, VMS data, identity, risk (HVA), data classification, data discovery, cloud apps, business intelligence and strategic insight.
Intelligence inputs: previous incidents, attacker profiles, target knowledge, campaign history and counter-intel.
Analyst of the future: analytics, visualization and machine learning across all of the above.

Slide 9: Logs Alone Don't Cut It? Shell Crew Example
Each data source answers a different question:
Logs: what was targeted?
Packets: how did the exploit occur?
NetFlow: how did the attackers move around once inside?
Endpoints: was the endpoint exploited? Were others infected?
Findings from the Shell Crew investigation that the combined sources surfaced: intrusion attempts; beaconing and suspicious communications; a sticky-keys backdoor; malicious proxy tools; WinRAR used to build encrypted .rar files; recreation of the entire exploit; lateral movement via RDP; time/date stomping; indicators about malicious files and code; the scope of infection.

Slide 10: Threat Intel Is Also Key for Detection/Investigation
Workflow: the sensor grid raises alerts; middleware (CEF) normalizes them; alert records are enriched with intelligence and become an incident record handled in incident management by the SOC analyst(s). A threat intel analyst processes and categorizes indicators from OSINT, paid and cleared sources into the threat intelligence portal that the enrichment step draws on.
Indicator types, from the Pyramid of Pain (David Bianco, 2013), bottom to top: hash values, IP addresses, domain names, network/host artifacts, tools, TTPs.

Slide 11: Context: Asset, Identity, Vulnerability, Business Value
Enrich the incident data before the analyst starts to investigate, so that the analyst's first contact is with an enriched, prioritized incident record. Pipeline from the sensor grid: alert data is correlated; automated host interrogation gives host insight; network profiling gives network insight; intelligence fusion adds threat context.
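The enrichment step of slide 11, with threat-intel hits weighted by their Pyramid of Pain level from slide 10, as an added example. It is not the deck's or RSA's code: the context stores (assets, identities, vulnerability counts, intel indicators), the pain weights, the additive scoring and the P1/P2/P3 thresholds are all constructed for the demonstration.

```python
# Added example (not from the RSA deck): enriching an alert with asset, identity,
# vulnerability and business context before an analyst sees it (slide 11), with
# threat-intel hits weighted by their Pyramid of Pain level (slide 10).
# Every lookup table, weight and threshold below is constructed for the demo.

# Pyramid of Pain levels (Bianco, 2013), bottom to top. The weights are an
# assumption: a hit on a TTP says more about who is in the network than a hit
# on a file hash the attacker can change by recompiling.
PAIN_WEIGHT = {"hash": 1, "ip": 2, "domain": 3, "artifact": 4, "tool": 5, "ttp": 6}

# Constructed context stores. In a SOC these come from the CMDB, the directory,
# the vulnerability scanner and the threat-intelligence portal.
ASSETS = {
    "10.1.1.5": {"name": "fin-db-01", "criticality": "high", "business_unit": "finance"},
    "10.1.1.9": {"name": "print-srv-02", "criticality": "low", "business_unit": "facilities"},
}
IDENTITIES = {
    "jdoe": {"title": "database administrator", "privileged": True},
    "svc-print": {"title": "service account", "privileged": False},
}
# Open findings per host from the last scan, as counts by severity.
VULNS = {"10.1.1.5": {"critical": 1, "high": 3}, "10.1.1.9": {"critical": 0, "high": 0}}
# Indicator value -> pyramid level and intel source (OSINT, paid, cleared).
INTEL = {
    "198.51.100.7": {"level": "ip", "source": "paid"},
    "encrypted rar archive staged in %TEMP%": {"level": "artifact", "source": "cleared"},
    "hash:0000demo": {"level": "hash", "source": "osint"},   # placeholder value
}

# Constructed raw alerts as the sensor grid would hand them over.
ALERTS = [
    {"id": 1, "host": "10.1.1.5", "user": "jdoe",
     "indicators": ["198.51.100.7", "encrypted rar archive staged in %TEMP%"]},
    {"id": 2, "host": "10.1.1.9", "user": "svc-print", "indicators": ["hash:0000demo"]},
    {"id": 3, "host": "10.1.1.9", "user": "jdoe", "indicators": ["198.51.100.7"]},
]


def enrich(alert, assets=ASSETS, identities=IDENTITIES, vulns=VULNS, intel=INTEL):
    """Attach context to a raw alert and compute a priority the analyst can sort by.

    Scoring is additive so every reason stays visible in the record; the
    thresholds are constructed and would be tuned against the SOC's own volume."""
    host, user = alert.get("host"), alert.get("user")
    asset = assets.get(host, {"name": "unknown", "criticality": "unknown"})
    identity = identities.get(user, {"title": "unknown", "privileged": False})
    exposure = vulns.get(host, {"critical": 0, "high": 0})
    hits = [dict(value=v, **intel[v]) for v in alert.get("indicators", []) if v in intel]

    score, reasons = 0, []
    if asset["criticality"] == "high":
        score += 3
        reasons.append(f"high-value asset {asset['name']}")
    if identity["privileged"]:
        score += 2
        reasons.append(f"privileged user {user}")
    if exposure["critical"] > 0:
        score += 2
        reasons.append(f"{exposure['critical']} critical vuln(s) open on host")
    if hits:
        top = max(hits, key=lambda h: PAIN_WEIGHT[h["level"]])
        score += PAIN_WEIGHT[top["level"]]
        reasons.append(f"intel match at {top['level']} level ({top['source']} source)")
    priority = "P1" if score >= 8 else "P2" if score >= 4 else "P3"
    return {**alert, "asset": asset, "identity": identity, "exposure": exposure,
            "intel_hits": hits, "score": score, "priority": priority, "reasons": reasons}


if __name__ == "__main__":
    for a in sorted((enrich(a) for a in ALERTS), key=lambda r: -r["score"]):
        print(a["priority"], a["id"], "; ".join(a["reasons"]))
```

Alerts 1 and 3 share an indicator, yet one is a P1 and the other a P2 purely because of where it landed and who was logged on; alert 2, a bare hash match on a low-value printer, drops to the bottom of the queue. That difference is what enriching before first contact buys the analyst.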

Slide 12: Visibility Also Needs to Include the Public Cloud

Slide 13: Network Traffic, Endpoint Data and More Transform Visibility
Data aggregation for improved incident handling: network flows, network traffic, system logs, endpoint data, security events, threat intel feeds and identity/asset context are centralized in a security monitoring system.
Three stages, quoted from SANS, Building a World-Class Security Operations Center, Alissa Torres, May 2015:
Visibility: "By centralizing these various sources of data into a security monitoring system, the SOC gains actionable insight into possible anomalies indicative of threat activity."
Analysis: "Security operations analysts can analyze data from various sources and further interrogate and triage devices of interest to scope an incident."
Action: "Based on findings, automated and manual interventions can be made, to include patching, firewall modification, system quarantine or reimage, and credential revocation."

Slide 14: Security Monitoring vs. Data Privacy?

Slide 15: Tokenizing IP Addresses to Preserve Privacy

Slide 16: Tokenizing Usernames to Preserve Privacy
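One way to do the tokenization of slides 15 and 16 so that the monitoring data still correlates: a keyed, deterministic pseudonym per identifier, with the mapping back to the original held in a separate vault. This is an added example and not how the deck or RSA Security Analytics implements it; the HMAC-SHA256 scheme, the key, the canonicalization rules and the log records are assumptions made for the demonstration. It also shows why an unkeyed hash does not count as tokenization.

```python
# Added example (not from the RSA deck): keyed, consistent tokenization of IP
# addresses and usernames (slides 15 and 16) so monitoring data still correlates
# by token while the raw identifiers are withheld from most analysts. The scheme
# (HMAC-SHA256), the key and the records are constructed; the slides do not say
# how the product does it.
import hashlib
import hmac
import ipaddress

# Assumption: in production this key lives in a vault or HSM, is rotated on a
# schedule, and is never stored alongside the tokenized data.
KEY = b"constructed-demo-key-do-not-reuse"


def tokenize(value, kind, key=KEY):
    """Deterministic pseudonym: equal inputs give equal tokens, so joins across
    logs, flows and endpoint data still work on the tokenized copy. A keyed MAC
    rather than a bare hash, because the input space is tiny (IPv4 has 2^32
    values, usernames are guessable) and an unkeyed hash is just a lookup table."""
    mac = hmac.new(key, f"{kind}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"{kind}-{mac[:16]}"


def tokenize_ip(ip, key=KEY):
    # Canonicalize first so "2001:db8::1" and "2001:DB8:0:0:0:0:0:1" share a token.
    return tokenize(str(ipaddress.ip_address(ip)), "ip", key)


def tokenize_user(user, key=KEY):
    # Case-fold and drop a DOMAIN\ prefix so CORP\JDoe and jdoe share a token.
    return tokenize(user.rsplit("\\", 1)[-1].lower(), "user", key)


def pseudonymize(record, vault, key=KEY):
    """Return a copy of `record` with identifier fields replaced by tokens.
    `vault` (token -> original) is the only path back; it is kept separately,
    under access control, for authorized re-identification during an incident."""
    out = dict(record)
    for field in ("src_ip", "dst_ip"):
        if field in out:
            tok = tokenize_ip(out[field], key)
            vault[tok] = out[field]
            out[field] = tok
    if "user" in out:
        tok = tokenize_user(out["user"], key)
        vault[tok] = out["user"]
        out["user"] = tok
    return out


def unkeyed_ip_hash(ip):
    """The tempting shortcut: sha256(ip). Looks opaque, is not."""
    return hashlib.sha256(ip.encode()).hexdigest()


def recover_unkeyed(target, network="10.1.1.0/24"):
    """Why a bare hash is not pseudonymization: enumerate the address space and
    compare. A /24 takes 256 guesses; all of IPv4 is still only 2^32."""
    for addr in ipaddress.ip_network(network):
        if unkeyed_ip_hash(str(addr)) == target:
            return str(addr)
    return None


# Constructed log records; the same user appears in two spellings.
RECORDS = [
    {"ts": "2015-06-01T09:04:30", "src_ip": "10.1.1.5", "dst_ip": "198.51.100.7",
     "user": "CORP\\JDoe"},
    {"ts": "2015-06-01T09:05:02", "src_ip": "10.1.1.5", "dst_ip": "198.51.100.7",
     "user": "jdoe"},
]

if __name__ == "__main__":
    vault = {}
    for r in RECORDS:
        print(pseudonymize(r, vault))
    print("vault:", vault)
    print("unkeyed hash recovered:", recover_unkeyed(unkeyed_ip_hash("10.1.1.5")))
```

Two properties matter for the SOC: the token is stable, so the analyst can still pivot on "this source talked to that destination" without seeing either address, and the token is useless without the key or the vault. The caveat is that determinism also preserves frequency: whoever sees enough tokenized data can guess that the most common source token is the proxy, so access to the tokenized copy still needs control, and rotating the key breaks joins across the rotation boundary.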

Slide 17: Customer Success: Global Financial Services, Moving Beyond Logs
RSA was engaged to manage an identified incident. The bank had been a target for 7 years, and lack of full visibility had allowed the campaign to continue. RSA Incident Response handled the incident; RSA was then engaged to improve the ongoing SOC program, with RSA Security Analytics deployed for full visibility and context as well as live threat feeds.

Slide 18: Around-the-clock monitoring, advanced security technologies and integrated incident response
Cybersecurity is about business imperatives and how to embed security into the value chain. Elements of the global posture: governance, risks and compliance; cyber threat intelligence; critical incident response team; cyber fusion center; advanced tools and tactics; advanced data and content analytics.

Slide 19: Is Greater Visibility Key to Mitigating Advanced Attacks?
Diagram: the same threat actors, preventive controls (firewall, IDS/IPS, antivirus, logs) and corporate assets, now with endpoint visibility and network visibility added. Blocked sessions and alerts still flow from the controls, but every process and every network session also flows into security analytics. Now, successful attack campaigns target any and all white space; complete visibility into every process and network session is required to eradicate the attacker's opportunity. A unified platform for advanced threat detection and investigations.

Slide 20: Move From a Log-Centric Approach
"Organizations need to collect, process, and store a plethora of data sources including asset data, identity information, network traffic (via full packet capture), NetFlow, endpoint forensic information, etc. This data volume is in part what transforms yesterday's security analysis into today's big data security analytics." Jon Oltsik, ESG, September 2014, Information-Driven Security and RSA Security Analytics and RSA ECAT.

Slide 21: RSA ASOC Portfolio
Products: RSA Security Analytics, centralized threat detection and investigation; RSA ECAT, endpoint threat detection and investigation; RSA Security Operations Management, incident management and SOC orchestration; RSA Web Threat Detection, web session intelligence.
Services: RSA Advanced Cyber Defense Practice: breach readiness, SOC design, incident response, hunting services, analyst education.

EMC, RSA, the EMC logo and the RSA logo are trademarks of EMC Corporation in the U.S. and other countries.