Why we decided on RSA Security Analytics for network visibility
Post on 16-Apr-2017
Transcript
Yumiko Matsubara, Manager, Security Architecture Group
Cyber Security Consulting Department
Recruit Technologies Co., Ltd.
Bio
Yumiko Matsubara: planning, building and operating IT in Recruit Technologies’ Internal IT Department
As of 2013, planning and building security solutions
I like: golf, motorbikes and wine
Agenda
• Company Info
• Organization Structure for Security
• Turning Point: Issue and Related Incident
• Facing Challenges
• POC
• Security Analytics Usage to Speed Up Decisions
• Additional Benefits
• Facing Difficulty: Preparing for H/W Failure
• Voice from Engineer
• Summary and Wish List
BUSINESS MODEL
Delivering Value to Clients and Users by Making Life Easier and More Fulfilling through Optimized Matching
(Diagram: a matching platform connecting consumers, the USER side, with enterprises, the CLIENT side)
Clients compensate Recruit for linking them to customers.
BUSINESS MODEL
(Diagram: life event area and lifestyle area) Travel, IT/Trend, Lifestyle, Health & Beauty, Job Hunt, Marriage, Job Change, Home Purchase, Car Purchase, Child Birth, Education
Information services that support choice: Jobs, Housing, Travel, Dining, Beauty/Fashion, Used Cars, Bridal/Maternity/Baby, Education, Coupon/Daily Deals, Online Shopping
BUSINESS MODEL
Strategic IT Company
(Diagram: Recruit Technologies’ functions) Infrastructure/Security, Project Management, UXD/SEO, Internet Marketing, Big Data Solutions, Technology R&D, Systems Development
(Diagram: group structure) Recruit Holdings; Business/Service: Recruit Career, Recruit Sumai Company, Recruit Lifestyle, Recruit Jobs, Recruit Staffing, Recruit Marketing Partners, Staff Service Holdings; Function/Support: Recruit Technologies, Recruit Administration, Recruit Communications
Entire Security Org Structure
(Org chart) Recruit Holdings: Board and Security Management Office. Recruit Technologies: business security and system security, comprising the Security Architecture Group, Strategy Group, Consulting Group, SOC, IR and QM
Security Org Structure in Recruit Technologies
Strategy Group: implementation of overall rules governing security
Consulting Group: review of security measures for new Web development
Security Architecture Group: testing and introduction of advanced security solutions, systems operation
SOC: Security Operation Center
IRG: Incident Response
QM: Quality Management
(Insourced from Recruit-CSIRT)
Our Implementation in the Past
○ Commercial environment threat detection: mainly IDS and WAF
(Diagram: attacks from the Internet against the commercial environment, which runs on a private cloud basis)

Our Implementation in the Past
○ Office environment threat detection: Sandbox
(Diagram: office environment connected to the Internet)
In addition to the usual signature-type detection, a Sandbox appliance is used
Challenges on Commercial Environment
○ Commercial environment threat detection: IDS and WAF
・ Detected a huge number of password list attacks and other attacks that exploit vulnerabilities
・ Tons of application attack alerts (including false positives)
■ Needed to determine the severity level based on the response code
■ Needed to determine the impact after investigating the application log

Challenges on Office Environment
○ Office environment threat detection: Sandbox
・ Made C2 communication visible, with risks (including false positives)
■ Needed to check the malware detection log
■ Needed to test on Aguse and VirusTotal to identify malicious sites
■ Needed to analyze malware manually
■ Needed to do computer forensics in some cases
Needed to Accelerate Decision Speed
○ Commercial environment threat detection: IDS and WAF
○ Office environment threat detection: Sandbox
■ No way of checking the impact of the detected communication (data leak or not) or whether an attack was successful
■ Even if there was a way, investigations are time-consuming and expensive
■ To ascertain these impacts, we wanted to record all communications and use them in our investigations
Examination of network forensic products was launched
FY2014: POC Tests Run on Multiple Products
(POC matrix: RSA/SA and Product B, each tested in the commercial environment and the office environment; 4 POC tests run on two products in two environments)
SA selected for both environments for superior searchability, performance, and cost
Thanks for the good price, RSA!!
Easy Deep Investigations
■ Traffic comes through a TAP
■ SOC can determine whether escalation is necessary
■ Monitoring engineers can investigate deeply as part of the monitoring process
Easy Deep Investigations
■ IR: full packet capture investigation by an analyst
The sensor log starts only after the sensor has raised the alarm; SA traces back before that point, opening the way for full packet capture investigations
Easy Deep Investigations
• Once an SQL injection has been detected by the sensor, a deep investigation is conducted using SA
• SA also detects server-side backdoors inside POST data
API to Improve Searchability
■ Automatic acquisition of packet data using the API
■ Opens the way for more effective monitoring and incident analysis
■ Correlation analysis with other logs can be used to seek out new threats
Compromised Sites Detection
• Recruit Technologies was thanked for discovering compromises of other companies’ sites
Lack of Replacement Procedure
• DAC (HD) double failure in FY2015
• A long recovery time, during which no capture was possible, causes major damage
• Failures are unavoidable
• The key issue is being prepared to deal with them
Built Recovery Process
• Worked with EMC and maintenance service company TechMatrix to strengthen the maintenance framework
• Both sides gained more SA knowledge
• Fortunately, there have been no similar failures since
Voice from Engineer
・ Documentation is posted on a public site with no user restrictions.
・ There is a Japanese version of the documentation.
・ Being able to display communications data on the analyzer GUI makes it very operator-friendly → differs from FE-PX in this regard (FE-PX data must be downloaded and manually analyzed, so it is better suited to experts)
・ Metadata for the various types of field information can be easily overviewed (IP, PORT, URL, etc.)
・ Can be linked with other API functions
・ The portrait view is hard to work with, requiring a scroll-down each time
・ The parser is different and hard to customize. Could it be made easier to customize by, for example, using an SPL like Splunk’s?
・ The pcap output file name is always InvestigationExtraction.pcap, so each file has to be renamed for operation. Could the time and filter content be linked to the file name with an underscore to reduce the operating burden?
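As an added example that is not from the talk or from RSA, the Python below ties two points together: it derives a trace-back search window and filter from a sensor alert, in the spirit of the "Easy Deep Investigations" slides, and names the extracted pcap after the time and filter content joined by underscores, as the engineers asked for instead of the fixed InvestigationExtraction.pcap. The alert line format, the key=value filter syntax, the field names and the window sizes are all assumptions, and the sample alert is constructed.

```python
"""Added example, not from the talk or from RSA: turn a sensor alert into a
trace-back search window and filter, and name the extracted pcap after the
time and filter instead of the fixed InvestigationExtraction.pcap."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample IDS alert line (assumed format, not a real product log).
SAMPLE_ALERT = ("2015-06-12T09:41:07Z ALERT sig=SQLI "
                "src=203.0.113.5 dst=192.0.2.10 dport=443")

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) ALERT sig=(?P<sig>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

def trace_back_window(alert_line, before=timedelta(minutes=30),
                      after=timedelta(minutes=5)):
    """Return (start, end, filter) for the full-packet search around an alert.

    The window opens *before* the alarm: the sensor log begins only when the
    sensor fires, while the capture already holds the earlier packets.
    """
    m = ALERT_RE.match(alert_line)
    if not m:
        raise ValueError("unrecognised alert line")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ts = ts.replace(tzinfo=timezone.utc)
    # Assumed key=value && key=value filter syntax; adapt to the analyzer's
    # own query language and field names.
    flt = (f"ip.src={m['src']} && ip.dst={m['dst']} "
           f"&& tcp.dstport={m['dport']}")
    return ts - before, ts + after, flt

def pcap_name(start, flt, default="InvestigationExtraction.pcap", max_len=120):
    """Build '<stem>_<UTC time>_<filter>.pcap' so each extraction is distinct.

    Filter text is reduced to filename-safe characters and the whole name is
    capped at max_len so it never exceeds common filesystem limits.
    """
    stem = default[:-5] if default.endswith(".pcap") else default
    safe = re.sub(r"[^A-Za-z0-9.]+", "_", flt).strip("_")
    name = f"{stem}_{start.strftime('%Y%m%dT%H%M%SZ')}_{safe}"
    return name[:max_len - 5].rstrip("_") + ".pcap"

if __name__ == "__main__":
    s, e, f = trace_back_window(SAMPLE_ALERT)
    print(s.isoformat(), e.isoformat(), f)
    print(pcap_name(s, f))
```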
・ Lack of product maturity in the Customer Support team. We sometimes see immature responses from them. Improve with us!
・ Because Web GUI items cannot be copied and pasted, transferring settings, etc., requires writing them all out by hand, where it is easy to make mistakes.
・ There are many strange specs compared to other devices: snmp polling during the snmpd start-up process results in the loss of the MIB, etc.
・ There is no detailed specification/setting documentation… We hope to have it soon.
Summary
• Network forensics reduces the time needed to investigate advanced threats.
• Once a procedure is established, SA is not only for highly skilled people.
• It is also useful for analysts.
• As an invaluable tool, we would like to see greater device reliability and maintenance skills.
• Minor changes are also effective in boosting productivity.
Wish List
• Cloud, Cloud, Cloud!
• Please release a Cloud version as soon as possible
• I ask RSA to collaborate w/ AWS more!
Thank you
Contact Information:
Email: yumatsu@r.recruit.co.jp
Fb: https://www.facebook.com/yumiko.matsubara.58
Recruit Technologies