Advanced SOC Design: Next Generation Security Operations. Shane Harsch, Senior Solutions Principal, MBA GCED CISSP, RSA


Slide 1: Advanced SOC Design: Next Generation Security Operations. Shane Harsch, Senior Solutions Principal, MBA GCED CISSP, RSA

Slide 2: Agenda
- Why/how security investments need to shift
- Key functions of a Security Operations Center
- Intersection of visibility, intelligence, and management

Slide 3: Traditional Security Is Not Working
- 99% of breaches led to compromise within days or less, with 85% leading to data exfiltration in the same time
- 85% of breaches took weeks or more to discover
Source: Verizon 2012 Data Breach Investigations Report

Slide 4: Advanced Threats Are Different
1. Targeted: specific objective
2. Stealthy: low and slow
3. Interactive: human involvement
Timeline (diagram): Attack Begins, System Intrusion, Cover-Up, Leap Frog Attacks, Cover-Up Complete, Discovery, Attack Identified, Response. The span up to discovery is labelled Dwell Time; the span from discovery to response is labelled Response Time.
Goals: 1. Decrease dwell time. 2. Speed response time.

Slide 5: Present Reality
"The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him." - Sun Tzu, The Art of War

Slide 6: The Adversary
- Nation state actors: nation states. Targets: government, defense contractors, IP-rich organizations, watering holes.
- Criminals: petty criminals (unsophisticated, but noisy); organized crime (organized, sophisticated supply chains: PII, PCI, financial services, retail).
- Non-state actors: insiders (various reasons, including collaboration with the enemy); cyber-terrorists / hacktivists (political targets of opportunity, mass disruption, mercenary).

Slide 7: Online Trust Alliance Guide to Data Protection and Breach Readiness (2013)
- 2,644 breaches
- 267 million records
- $5.5M cost per breach
- $194 cost per record
- 99% of records lost due to external hacking
- 97% of data breach incidents were avoidable

Slide 8: Verizon Breach Report (2013) Highlights
- Victims: 37% financial; 24% retail & restaurants; 20% manufacturing
- Perpetrators: 92% outsiders; 19% state-affiliated actors
- Mode: 76% exploit weak/stolen credentials; 75% financially motivated
- Discovery: 69% by external parties; 66% took months or more to discover

Slide 9: Verizon Report Recommendations
- Eliminate unnecessary data
- Collect, analyze, and share incident data and threat intelligence
- Focus on better and faster detection
- Evaluate the threat landscape

Slide 10: The Environment
- ~2,000 security devices
- ~55M security events per hour
- ~60K employees
- 350 sites
- 85 countries
- Core intellectual property

Slide 11: Security Is Becoming a Big Data Problem
- A more determined adversary means more data is needed to identify attacks
- A more complex IT environment means even simple attacks can hide in plain sight
- Security professionals are struggling to keep up [1]: 40% of all survey respondents are overwhelmed with the security data they already collect; 35% have insufficient time or expertise to analyze what they collect
[1] EMA, The Rise of Data-Driven Security, Crawford, Aug 2012. Sample size = 200.

Slide 12: Today's Security Requirements
- Big Data Infrastructure: need a fast and scalable infrastructure to conduct short-term and long-term analysis
- High-Powered Analytics: give me the speed and smarts to discover and investigate potential threats in near real time
- Comprehensive Visibility: see everything happening in my environment and normalize it
- Integrated Intelligence: help me understand what to look for and what others have discovered

Slide 13: Basic Security Operations vs. Incident Response
- Security Operations: adds, moves and changes, security questions, password changes, device health, etc.
- Critical Incident Response: respond to security incidents, investigate suspicious behavior, conduct vulnerability analysis, malware analysis, threat management, etc.

Slide 14: Desired State (People, Process, Technology)
- Protect the organizational mission
- Evolve with the threat environment
- Operational efficiencies & best practices

Slide 15: What SOC/CIRCs Need
- Broad visibility & detection: fusing together massive amounts of telemetry data & threat intelligence to detect even the most advanced attacks
- Context: knowing which IT assets are important and where sensitive data is located drives investigative efficiency and prioritization
- Fast investigations: complete investigations in minutes versus hours
- Remediation & operations management: workflow-driven incident response and SOC/CIRC operations management

Slide 16: Critical SOC/CIRC Elements
- Breach readiness/response services
- SOC design/optimization services
- Anomaly detection
- Sensitive data discovery
- IT asset information
- Threat intelligence
- Fast investigations
- Malware analytics
- Incident management
- SOC operations management
- Compliance reporting

Slide 17: Introducing the RSA Solution: an integrated yet modular solution for improving cyber defenses
- Services of the RSA ACD Practice
- RSA Security Analytics
- RSA Live / RSA FirstWatch
- RSA ECAT
- RSA Data Discovery (DLP)
- RSA Archer for security operations

Slide 18: Security Operations Management Domain (People, Process, Technology, Orchestration)
- Incident Management
- Threat Intelligence Management
- Breach Management
- SOC Program Management
- Business-driven SOC Management
- IT Security Risk Management

Slide 19: Integration and Context are Essential: People, Process and Technology in a single operational model (diagram)
- Controls feeding alerts: A/V, IDS/IPS, logs, firewall/VPN, SIEM platform, proxy, packets, host, file, DLP
- Visibility & management: RSA SecOps (incident, breach & SOC management)
- Business context: line-of-business owner, policy
- Risk context: assessments, criticality, vulnerability
- Threat context: subscriptions, community, open source
- Roles: device administrators, Tier 1 triage, Tier 2 forensics, Tier 3 malware/threat analysis, system administration, IT expertise
- Supporting technology: workflow automation, rules, alerts & reports; data warehouse; ticketing; content intelligence, analytic intelligence, threat intelligence

Slide 20: Should be a 2-minute investigation for a SOC!
- Received by 1,046 EMC employees
- 17 employees clicked on the link
- Two people clicked through our security warning

Slide 21: RSA Security Analytics: "If you remove the hay, only needles remain"
- All network traffic & logs: terabytes of data, 100% of total
- Downloads of executables: thousands of data points, 5% of total
- Type does not match extension: hundreds of data points, 0.2% of total
- Create alerts to/from critical assets: a few dozen alerts

Slide 22: Security Visibility Architecture (diagram)
- Inputs: enrichment data, logs, packets
- Distributed collection: Europe, North America, Asia
- Storage: real-time warehouse and long-term warehouse
- The analytics: reporting and alerting, investigation, malware analytics, administration, complex event processing, correlation, metadata tagging, incident management, asset and data criticality, endpoint visibility
- RSA Live intelligence: threat intelligence, rules, parsers, alerts, feeds, apps, directory services, reports and custom actions

Slide 23: Integrated Intelligence: Know What To Look For
RSA Live Intelligence System (threat intelligence, rules, parsers, alerts, feeds, apps, directory services, reports and custom actions):
1. Gathers advanced threat intelligence and content
2. Aggregates & consolidates data
3. Automatically distributes correlation rules, blacklists, parsers, views, feeds
Operationalize intelligence: take advantage of what others have already found and apply it against your current and historical data.

Slide 24: Endpoint Forensics (ECAT server and agent)
- Agent supports Windows, 32/64-bit
- Full system inventory: identify all executables, DLLs and drivers
- Agent status via UDP, full report via SSL
- Unknown files sent to the repository, scanned and analyzed
- Global repository of scan results

Slide 25: Complete Endpoint & Network Visibility: RSA ECAT & RSA Security Analytics
- RSA Security Analytics: capture & analyze packets, logs & threat feeds
- RSA ECAT: detect suspicious endpoint activity; syslog alert of high Machine Suspect Levels to Security Analytics; directly query SA from ECAT
- Advanced threat detection on endpoints
- Complete network and endpoint visibility
- Faster investigations to shorten attacker dwell time

Slide 26: Data Discovery: discover sensitive data & improve investigations with DLP
- RSA Data Discovery scans SharePoint, file servers, databases, NAS/SAN and endpoints
- The Data Discovery feed supplies content-level intelligence to RSA Security Analytics for the security analyst

Slide 27: Data Discovery for Visibility
Data Discovery provides context: Data Discovery attributes available in the SA Investigation UI help security analysts identify high-risk assets and prioritize investigations.

Slide 28: People & Process: technology requires talent and discipline

Slide 29: Security Operations Management User Personas (persona-driven design)
- SOC analysts: Threat Intel Analyst, L1 Analyst, L2 Analyst (Incident Management, Threat Intelligence Management)
- SOC management: SOC Manager, CISO/CSO (Breach Management, SOC Program Management, Business-driven SOC Management)
- Cross-functional teams: CIO, Business Manager, Privacy Officer, Compliance, Legal, HR (IT Security Risk Management)

Slide 30: Roles and tooling (diagram)
Technology: RSA Security Analytics; RSA ECAT; RSA Live Intelligence for RSA Security Analytics; RSA Archer for Security Operations; RSA Data Discovery / RSA DLP.
- SOC Manager: team & shift management; KPI monitoring; incident queue management; reporting & business impact; 24x7 coverage
- Threat Intelligence Analyst: open/all-source actor attribution; attack sensing & warning; social media; high value target (HVT) analysis
- Tier 1 Analyst: eyes-on-glass; event triage; preliminary investigation; incident containment
- Tier 2 Analyst: reverse malware engineering; host & network forensics; cause & origin determination; data exfiltration evaluation
- Analysis & Tools Support Analyst: integration & development; content; reporting; alert rule creation

Slide 31: Critical Results
- The ability to measure: event time to assignment, to escalation, to resolution; average time to closure
- Scan every image file for .exe content
- 55M events per hour become 2-3K incidents per month; 90 incidents for 94 person-hours per day
- Time to closure is now about 1 day
- Program can scale
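The four-stage funnel of slide 21, with slide 31's "scan every image file for .exe content" as its third stage, written out as a runnable example; this is added illustration, not RSA's code, and the record fields, hosts, URLs and critical-asset list are constructed assumptions.

```python
# Slide 21's funnel as a runnable example (added here; not RSA's code).
# Stage 2 keys on magic bytes, not the URL, so a .jpg carrying an MZ header
# (slide 31's image-file check) surfaces at stage 3. All data is constructed.
from dataclasses import dataclass

SIGNATURES = {b"MZ": "exe", b"\x7fELF": "elf", b"\x89PNG": "png",
              b"\xff\xd8\xff": "jpeg", b"GIF8": "gif", b"%PDF": "pdf"}
EXT_TYPE = {"exe": "exe", "dll": "exe", "scr": "exe", "jpg": "jpeg",
            "jpeg": "jpeg", "png": "png", "gif": "gif", "pdf": "pdf"}
EXECUTABLE = {"exe", "elf"}

@dataclass
class Download:
    src: str     # client host
    dst: str     # server host
    url: str     # request path as seen by the proxy
    head: bytes  # first bytes of the response body
def content_type(head: bytes) -> str:
    """Classify a body by its leading magic bytes, not by its name."""
    for magic, kind in SIGNATURES.items():
        if head.startswith(magic):
            return kind
    return "unknown"

def extension(url: str) -> str:
    name = url.rsplit("/", 1)[-1].split("?", 1)[0]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def funnel(records, critical_assets):
    """Apply the four stages; return stage counts and the final alerts."""
    executables = [r for r in records if content_type(r.head) in EXECUTABLE]
    mismatched = [r for r in executables
                  if EXT_TYPE.get(extension(r.url)) != content_type(r.head)]
    alerts = [r for r in mismatched
              if r.src in critical_assets or r.dst in critical_assets]
    return {"all": len(records), "executables": len(executables),
            "mismatched": len(mismatched), "alerts": alerts}

SAMPLE = [  # constructed proxy records
    Download("ws-101", "cdn.example", "/img/logo.png", b"\x89PNG\r\n"),
    Download("ws-102", "dl.example", "/setup.exe", b"MZ\x90\x00"),
    Download("ws-103", "dl.example", "/photo.jpg?id=7", b"MZ\x90\x00"),
    Download("fin-db-01", "cdn.example", "/banner.gif", b"\x7fELF\x02"),
    Download("ws-104", "docs.example", "/report.pdf", b"%PDF-1.7"),
]
CRITICAL = {"fin-db-01", "hr-files-01"}  # constructed critical-asset list

if __name__ == "__main__":
    for r in funnel(SAMPLE, CRITICAL)["alerts"]:
        print(f"ALERT {r.src} -> {r.dst}{r.url}: {content_type(r.head)}"
              f" served as .{extension(r.url)}")
```

On the sample, five records narrow to three executables, two extension mismatches and one alert, the ELF body served as banner.gif to a critical host.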

Slide 32: CIRC Dashboard
- Multiple metrics
- Live data
- Tracked by analyst
- One-click access to incidents

Slide 33: CIRC Dashboard
- Average time to close: low, medium, high
- Incident totals by month: Dec 2012: 3,521; Jan 2013: 2,053; Feb 2013: 1,579; Mar 2013: 2,308; Apr 2013: 2,819

Slide 34: CIRC Dashboard: common threats

Slide 35: CIRC Dashboard: events per day

Slide 36: Advanced Cyber Defense Program
- NextGen SOC design & implementation
- Security operations management
- Vulnerability risk management
- Cyber threat intelligence
- Incident response
- Strategy & roadmap
- Readiness, response & resilience

Slide 37: A journey with many intersections: networking, policy, analytics, log data, intelligence, alerting, staffing, cloud, facilities, big data, baselining, access controls, reporting, workflow

Thank you!