detect unknown threats, reduce dwell time, accelerate response
Post on 21-Mar-2017
RSA NetWitness® Suite
Detect Unknown Threats. Reduce Dwell Time. Accelerate Response.
Rohit Malhotra
email: rohit.malhotra@rsa.com
Organizations Face Difficult Security Challenges
GROWING SHORTAGE OF SKILLED SECURITY STAFF
A real scarcity of skilled security analysts forces enterprises to get creative to combat threats and protect the enterprise.
A GREATLY EXPANDING ATTACK SURFACE
More endpoints in the enterprise, in the field, and in the cloud mean more potential entry points for attacks.
MORE SOPHISTICATED ATTACK CAMPAIGNS
The days of simple malware or APTs are gone. Today's attacks are targeted, lengthy, and multifaceted.
“Organizations took weeks or more to discover that a breach even occurred.” - Verizon 2016 Data Breach Report
So They Take Preventive Steps to Protect Themselves
[Diagram: preventive controls (NGFW, IDS/IPS, SIEM, NGFW) placed in front of confidential data and endpoints]
80% of security staff, budget, and activity is generally dedicated to preventive action
But Breaches Still Occur. What's Happening?
[Diagram: the same preventive controls in front of confidential data and endpoints, each with a gap:]
• NGAV misses an UNKNOWN, NEW threat
• NGFW has no rule for/against the threat traffic
• IPS has no signature for the threat packets
• SIEM captures the logs, but will it trigger an alert?
Missing the Little Things Rapidly Adds Up to One Bigger Problem
How big is the compromise? How long has it been there?
Just how bad is this? What did the attacker do?
The security paradigm must change: from PREVENTION to DETECTION & RESPONSE
Shift priorities and capabilities
[Diagram: today's priorities weight prevention far above monitoring and response; the future state shifts weight toward monitoring and response]
Advanced Threats Are Different
[Timeline: attack begins, system intrusion, cover-up complete, attack identified, response; leap-frog attacks follow discovery. Dwell time runs from intrusion to the point the attack is identified; response time runs from identification to response.]
1. Decrease dwell time
2. Speed response time
Evolution of Threat Actors & Detection Implications
[Diagram: threat actors facing firewall, IDS/IPS and antivirus in front of corporate assets; successful hacks pass through the whitespace between those controls, which network visibility, endpoint visibility and logs/SIEM are meant to cover]
Complete visibility into every process and every network session is required to eradicate the attacker's opportunity.
Unified platform for advanced threat detection & investigations
[Diagram: RSA Security Analytics correlating blocked sessions, alerts, processes and network sessions]
RSA Security Analytics
Modular RSA Advanced SOC Solution
NETWORK FORENSICS | SIEM & BEYOND | ENDPOINT THREAT ANALYSIS
• Shows how an attacker got in
• Shows what the attacker did
• Helps to determine the source of the attack
• Shows suspicious communication: beaconing, data exfiltration, outbound encrypted communication, service communication over a non-standard port
• Detects advanced threats using behavior analytics
• Shows communication to and from the infected system
• See the complete attack picture
• Reconstruct the malicious payload or exploit
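Three of the suspicious-communication patterns listed above can be checked mechanically once per-session metadata exists. The Python below is an added example, not RSA NetWitness code: it runs a beaconing check (near-constant intervals between sessions to one external host), a non-standard-port check (the service identified from the payload does not match the port) and a bulk-outbound check (bytes sent to one external address over a threshold) across a constructed set of session records. The record layout, the thresholds, the definition of "external" and the sample sessions are all assumptions; the TEST-NET addresses stand in for internet hosts.

```python
# Added example (not RSA NetWitness code): beaconing, non-standard-port and
# bulk-outbound detections over constructed session metadata.
import statistics
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: anything outside these ranges counts as "external". The
# TEST-NET addresses in the sample below stand in for internet hosts.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Assumption: ports on which each payload-identified service is expected.
STANDARD_PORTS = {"http": {80, 8080}, "ssl": {443}, "dns": {53}, "smb": {445}}

# Constructed session records: (time_s, src, dst, dst_port, service, bytes_out)
SESSIONS = [
    # 10.0.0.5 talks to one host every ~300 s with near-constant size: a beacon
    (0,    "10.0.0.5",  "203.0.113.7",   443,  "ssl",  900),
    (301,  "10.0.0.5",  "203.0.113.7",   443,  "ssl",  880),
    (599,  "10.0.0.5",  "203.0.113.7",   443,  "ssl",  910),
    (902,  "10.0.0.5",  "203.0.113.7",   443,  "ssl",  890),
    (1200, "10.0.0.5",  "203.0.113.7",   443,  "ssl",  905),
    # ordinary browsing: irregular timing and sizes
    (12,   "10.0.0.9",  "198.51.100.20", 443,  "ssl",  4_000),
    (80,   "10.0.0.9",  "198.51.100.20", 443,  "ssl",  12_000),
    (95,   "10.0.0.9",  "198.51.100.20", 443,  "ssl",  1_500),
    (700,  "10.0.0.9",  "198.51.100.20", 443,  "ssl",  60_000),
    # payload is plain HTTP, but the port is 8443
    (400,  "10.0.0.9",  "192.0.2.44",    8443, "http", 3_000),
    # 65 MB pushed to one external address
    (1000, "10.0.0.12", "192.0.2.99",    443,  "ssl",  60_000_000),
    (1100, "10.0.0.12", "192.0.2.99",    443,  "ssl",  5_000_000),
    # large internal SMB copy: internal destination, so not exfiltration
    (1050, "10.0.0.12", "10.0.0.3",      445,  "smb",  200_000_000),
]


def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_beacons(sessions, min_sessions=5, max_cv=0.10):
    """Flag (src, dst) pairs whose gaps between sessions are nearly constant.
    Regularity is the coefficient of variation (stdev / mean) of the
    inter-session intervals. Returns {pair: mean_interval_seconds}."""
    times = defaultdict(list)
    for t, src, dst, *_ in sessions:
        if is_external(dst):
            times[(src, dst)].append(t)
    hits = {}
    for pair, ts in times.items():
        if len(ts) < min_sessions:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            hits[pair] = round(mean)
    return hits


def detect_nonstandard_ports(sessions, standard=STANDARD_PORTS):
    """Flag sessions whose payload-identified service is on an unexpected port
    (the service label, not the port number, says what the traffic is)."""
    return [(src, dst, port, svc)
            for _, src, dst, port, svc, _ in sessions
            if svc in standard and port not in standard[svc]]


def detect_bulk_outbound(sessions, threshold_bytes=50_000_000):
    """Sum bytes sent per (src, external dst) and flag totals over threshold."""
    totals = defaultdict(int)
    for _, src, dst, _, _, out in sessions:
        if is_external(dst):
            totals[(src, dst)] += out
    return {pair: n for pair, n in totals.items() if n >= threshold_bytes}


if __name__ == "__main__":
    print("beacons:", detect_beacons(SESSIONS))
    print("non-standard ports:", detect_nonstandard_ports(SESSIONS))
    print("bulk outbound:", detect_bulk_outbound(SESSIONS))
```

The beacon check deliberately keys on timing rather than destination reputation, which is what lets it catch a host that no blocklist knows about; the two thresholds (five sessions, 10% variation) are the knobs an analyst tunes against false positives from legitimate pollers such as update clients.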
RSA NetWitness® Packets
Providing real-time analysis and full visibility of everything going in and out of your network.
Deep Network Forensics: 225+ metadata fields, including
• Basic packet capture and session: IP Src/Dst, Port, Protocol, MAC Address, MAC Address Alias, Ethernet Connection, Country Src/Dst, Session Size, Session Characteristics, Client/Server Application, Access Criticality, Non Standard
• HTTP and web: HTTP Headers, URL, Hostname, Top Level Domain, Directory, Referrer, User Agent, Browser, Cookie, Content Type, Language, IP Alias Forwarded
• Files and content: Attachment, Embedded Objects, File Fingerprints, File Packers, PDF/Flash Version, Fingerprints
• Encryption: SSL CA/Subject, Crypto Type
• Application data: SQL Query, Database Name, User Name, Email Address, URL in Email, Credit Cards
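The fields listed above are what a packet decoder derives from each session. As an added example, not NetWitness code, the Python below pulls a handful of them (hostname, top-level domain, directory, file name, URL query, user agent, browser, referrer, language, content type, cookie presence, body size) out of a raw HTTP request as it appears on the wire, and records two things an analyst pivots on: a client that sends no User-Agent and a Host given as a bare IP. The two sample requests, the field names and the parsing rules are constructed assumptions.

```python
# Added example (not RSA NetWitness code): extracting session metadata fields
# from a raw HTTP request as it appears on the wire.
import re
from urllib.parse import urlsplit

# Constructed sample requests
REQUEST_BROWSER = (
    b"GET /updates/check.php?id=42 HTTP/1.1\r\n"
    b"Host: cdn.example.net\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:52.0) Firefox/52.0\r\n"
    b"Accept-Language: en-US,en;q=0.5\r\n"
    b"Referer: http://www.example.net/index.html\r\n"
    b"Cookie: sid=abc123\r\n"
    b"\r\n"
)
REQUEST_SUSPICIOUS = (
    b"POST /gate.php HTTP/1.1\r\n"
    b"Host: 192.0.2.44:8443\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 4\r\n"
    b"\r\n"
    b"\x01\x02\x03\x04"
)

IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
BROWSERS = re.compile(r"(Firefox|Chrome|Safari|MSIE|Edge|Opera)")


def extract_http_meta(raw: bytes) -> dict:
    """Parse the request line and headers of one HTTP request into metadata."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    host = headers.get("host", "")
    hostname = host.split(":")[0]          # drop an explicit port
    host_is_ip = bool(IPV4.fullmatch(hostname))
    url = urlsplit(target)
    directory, _, filename = url.path.rpartition("/")
    user_agent = headers.get("user-agent", "")
    browser = BROWSERS.search(user_agent)

    # Assumption: flags a hunter would pivot on; neither is a verdict on its own
    flags = []
    if not user_agent:
        flags.append("no_user_agent")
    if host_is_ip:
        flags.append("ip_host")

    return {
        "method": method,
        "version": version,
        "hostname": hostname,
        "host_is_ip": host_is_ip,
        "tld": "" if host_is_ip or "." not in hostname else hostname.rsplit(".", 1)[1],
        "url": host + target,
        "directory": directory + "/",
        "filename": filename,
        "query": url.query,
        "user_agent": user_agent,
        "browser": browser.group(1) if browser else "",
        "referrer": headers.get("referer", ""),
        "language": headers.get("accept-language", "").split(",")[0],
        "content_type": headers.get("content-type", ""),
        "has_cookie": "cookie" in headers,
        "body_size": len(body),
        "flags": flags,
    }


if __name__ == "__main__":
    for name, req in (("browser", REQUEST_BROWSER), ("suspicious", REQUEST_SUSPICIOUS)):
        print(name, extract_http_meta(req))
```

Headers are decoded as latin-1 so that a malformed or non-ASCII header never makes the parser throw away the whole session; the point of metadata extraction is that every session yields something queryable.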
“You can't hide a packet once it's traversed the wire, you can't unsend it”
A BALANCED APPROACH TO ENDPOINT SECURITY
[Diagram: Prevention, Detection, Remediation/Control]
EPP: for blocking and prevention
EDR: for rapid detection and response
Why RSA NetWitness Endpoint?
• Detect by threat behavior rather than by signature: more rapidly expose new, unknown, and non-malware threats on endpoints
• Intelligent risk-level scoring system: eliminate white noise; prioritize threats more efficiently and accurately
• Rapid response enabled by full-scope visibility: provide all data needed to confirm threats and quickly take action
[Risk score gauge: 73 RISK]
Rapidly and Accurately Analyze ALL Threats
• IP/Domain Information & Geo
• Threat Intelligence + RSA Community
• YARA Rules Engine
• Blacklisting (Multi-A/V)
• File/App Whitelisting & Reputation
• "Gold Image" Baselining
• Certificate Validation
• Live Memory Analysis
• Direct Physical Disk Inspection
• User-Initiated Suspicious Behavior
• Endpoint/Module Behavior Analytics
[Risk score gauges: 73, 85, 99, 21, 87]
RSA NetWitness Endpoint combines multiple detection methodologies to detect both KNOWN and UNKNOWN threats faster and more accurately.
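Gold-image baselining and file/app whitelisting from the list above are, at bottom, a comparison of what the agent sees on a host against what is known good, with the reasons rolled into a score. The Python below is an added example, not NetWitness code: it checks a constructed module inventory against a baseline hash set and a whitelist, flags modified baseline files, unknown modules (weighted by whether they are signed), binaries running from a temp directory and baseline files that have gone missing, and folds the reasons into a per-module score. The paths, hashes, weights and scoring cap are assumptions.

```python
# Added example (not RSA NetWitness code): gold-image baselining plus
# whitelisting over a constructed endpoint module inventory.
import hashlib


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed: hashes of the files in the approved gold image
GOLD_IMAGE = {
    r"C:\Windows\System32\svchost.exe": sha256_of(b"svchost-v1"),
    r"C:\Windows\System32\lsass.exe":   sha256_of(b"lsass-v1"),
    r"C:\Program Files\App\app.exe":    sha256_of(b"app-v1"),
}

# Constructed: known-good hashes from a reputation feed, here a vendor
# update newer than the image
WHITELIST = {sha256_of(b"app-v2")}

# Constructed: what the agent reports from one host, path -> (hash, signed)
LIVE_INVENTORY = {
    r"C:\Windows\System32\svchost.exe": (sha256_of(b"svchost-v1"), True),
    r"C:\Windows\System32\lsass.exe":   (sha256_of(b"lsass-PATCHED"), True),  # tampered
    r"C:\Program Files\App\app.exe":    (sha256_of(b"app-v2"), True),         # whitelisted update
    r"C:\Users\bob\AppData\Local\Temp\svch0st.exe": (sha256_of(b"dropper"), False),  # new, unsigned
}

# Assumption: contribution of each finding to the module's score, capped at 100
WEIGHTS = {
    "modified_baseline_file": 60,
    "unknown_unsigned": 40,
    "unknown_signed": 10,
    "runs_from_temp": 25,
    "missing_baseline_file": 30,
}


def assess_host(live, gold=GOLD_IMAGE, whitelist=WHITELIST):
    """Return {path: (score, reasons)} for every module that deviates from
    the gold image or whitelist; clean modules are omitted."""
    findings = {}
    for path, (digest, signed) in live.items():
        reasons = []
        if path in gold:
            # whitelist is consulted first so a legitimate update does not fire
            if digest != gold[path] and digest not in whitelist:
                reasons.append("modified_baseline_file")
        elif digest not in whitelist:
            reasons.append("unknown_unsigned" if not signed else "unknown_signed")
        if "\\Temp\\" in path:
            reasons.append("runs_from_temp")
        if reasons:
            findings[path] = (min(100, sum(WEIGHTS[r] for r in reasons)), reasons)
    for path in gold:
        if path not in live:
            findings[path] = (WEIGHTS["missing_baseline_file"], ["missing_baseline_file"])
    return findings


if __name__ == "__main__":
    ranked = sorted(assess_host(LIVE_INVENTORY).items(), key=lambda kv: -kv[1][0])
    for path, (score, reasons) in ranked:
        print(f"{score:3d}  {path}  {', '.join(reasons)}")
```

The reputation check sits in front of the baseline comparison on purpose: without it every vendor patch would surface as a tampered system file and drown the one genuinely modified binary.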
How Customers Use RSA NetWitness Endpoint
• Proactive Assessments of Key Assets: selectively deploy, monitor, and protect your most valuable, at-risk corporate assets
• Protective Endpoint Monitoring and Alerting: gain greater visibility, detect threats faster, and focus response more effectively
• Hunting Tool for Incident Response: investigate compromised systems to collect incident data for forensic analysis
• Deeper Understanding of the Full Scope of an Incident: fully eradicate a threat actor by leveraging both network and endpoint visibility and analysis
Detect Unknown Threats. Reduce Dwell Time. Accelerate Response – Gartner
“Traditional defense-in-depth components are still necessary, but are no longer sufficient in protecting against advanced targeted attacks and advanced malware” – Gartner
Source: Gartner's “Five Styles of Advanced Threat Defense”
[Diagram: the five styles laid out by where to look (network, payload, endpoint) against time: Network Traffic Analysis (RSA), Payload Analysis, Endpoint Behavior Analysis (RSA), Network Forensics (RSA), Endpoint Forensics (RSA); four of the five are marked as covered by RSA]
Detect Unknown Threats. Reduce Dwell Time. Accelerate Response – Frost & Sullivan
The network security team at Frost & Sullivan views Advanced Persistent Threat (APT) defense not as a singular technology, but rather as a collection of technologies used in concert. Network security forensics is the requisite technology used when a suspected security breach has occurred.
What Do Organizations Need to Be Successful?
Enterprises need accelerated detection, analysis, and response capabilities that go beyond preventive and “what’s known”.
Effective means to help overburdened and unfocused security teams investigate and respond rapidly to REAL threats.
Capabilities to accurately detect new, never-seen-before, targeted and even “file-less” threats on their endpoints
Deep visibility and insight into everything that is actually happening on their endpoints at any time
Must be ARMED to quickly identify and respond to attacks before they can damage the business
Constant compromise does not mean constant loss
Security Attacks are Inevitable
THANK YOU