from siem to sa: the path forward
Posted on 19-Oct-2014
DESCRIPTION
View this webcast to learn how you can accelerate your security transformation from traditional SIEM to a unified platform for incident detection, investigation and advanced security analysis. Understand why organizations are moving to a true big data security platform where compliance is a byproduct of security, not the other way around. More via http://bcove.me/d2e9wpd2
TRANSCRIPT
1 © Copyright 2012 EMC Corporation. All rights reserved.
From SIEM to Security Analytics
The Path Forward
Seth Geftic, Product Marketing Manager
Steve Garrett, Product Manager
Agenda
The Shift From SIEM
What is RSA Security Analytics
Beyond SIEM: Intelligence Driven Security
Intelligence Driven Security In Action
The Shift Away From SIEM
The purpose of SIEM has evolved
The original purchase drivers behind SIEMs were
– Satisfying compliance requirements more easily
  ▪ Collecting and retaining logs with less operational overhead
  ▪ Creating compliance reports more easily
– Troubleshooting operational problems
  ▪ Determining root cause of failures
Making IDS work better was often a driver too
– The security team was deluged with IDS alerts
– Many of the IDS rules were crude and fired too often
Why hasn’t SIEM lived up to expectations?
Things have become more complex
– IT environments have expanded
– Hackers have become more sophisticated
– IDS has become less and less relevant
SIEM’s response has been to add more log sources
– More diversity of sources (Security Device, OS, Application etc.)
– Greater volume of sources as the number of critical systems has expanded
But this has not solved the problem
– SIEM has not been able to scale to the volume required
– It’s impractical to create correlation rules to detect every complex threat
– Many threats no longer even have a footprint in the logs
The result for organizations?
Honeymoon period for customers post implementation
– Compliance reports run more smoothly
– Security teams get at least *some* visibility into activity
Disillusionment follows for many pretty soon after
– As the team matures, it starts to try to extract more value from the data
– At this point, performance and correlation limitations come to the fore
Today’s tools need to adapt
Today’s tools need to be able to detect and investigate
– Lateral movement of threats as they gain foothold
– Covert characteristics of attack tools, techniques & procedures
– Exfiltration or sabotage of critical data
Today’s tools need to be able to scale
– To collect and store the volume and diversity of data required
– To provide analytic tools to support security work streams
– Time to respond is critical in a breach situation – and SIEM often falls short
Security Analytics & The Security Maturity Voyage
[Chart: axes are “Security Team Sophistication & Skillset” and “Visibility and Understanding”; the maturity stages plotted are Compliance, Incident Detection, Network Monitoring & Investigation and Advanced Analysis, with “Traditional SIEM” and “SECURITY ANALYTICS” marked as the two coverage regions.]
Use Case Needs Grow
Compliance + Tier 1 Security (often met with traditional SIEM)
– Compliance requirements
– Incident detection
– Limited investigations
Moving Beyond SIEM
– Increased visibility
– Deep forensics and investigations
– Supplement traditional SIEM
Advanced Security Operations
– Find more sophisticated attacks
– Increased “hunting” ability
– Conduct complex data analysis for next gen SOC
Today’s Security Requirements
Comprehensive Visibility
“See everything happening in my environment and normalize it”
High Powered Analytics
“Give me the speed and smarts to detect, investigate and prioritize potential threats”
Big Data Infrastructure
“Need a fast and scalable infrastructure to conduct real time and long term analysis”
Integrated Intelligence
“Help me understand what to look for and what others have discovered”
What is RSA Security Analytics
RSA Security Analytics: Unified platform for incident detection, investigations, compliance reporting and advanced security analysis
[Diagram: SIEM capabilities (Log Parsing, Compliance Reports, Incident Alerts) and Network Security Monitoring capabilities (Full Packet Capture, Capture Time Data Enrichment, Deep Dive Investigations) combine into RSA Security Analytics, which rests on Big Data Infrastructure, Comprehensive Visibility, High Powered Analysis and Intelligence Driven Context.]
Big data security analytics: RSA Security Analytics architecture
[Diagram: Distributed Data Collection ingests PACKETS and LOGS; PARSING & METADATA TAGGING produces PACKET METADATA and LOG METADATA with Capture Time Data Enrichment; RSA LIVE INTELLIGENCE supplies Threat Intelligence | Rules | Parsers | Alerts | Feeds | Apps | Directory Services | Reports & Custom Actions (LIVE content flows into each collection tier). Outputs: Reporting & Alerting, Investigation & Forensics, Compliance, Malware Analysis, Intelligence Feeds. Surrounding inputs: Incident Response, Endpoint Visibility & Analysis, Additional Business & IT Context.]
RSA Security Analytics “SIEM-like” deployment
[Diagram: the same architecture with logs only. Distributed Data Collection ingests LOGS; PARSING & METADATA TAGGING produces LOG METADATA with Capture Time Data Enrichment; RSA LIVE INTELLIGENCE supplies Threat Intelligence | Rules | Parsers | Alerts | Feeds | Apps | Directory Services | Reports & Custom Actions. Outputs: Reporting & Alerting, Investigation & Forensics, Compliance, Malware Analysis, Intelligence Feeds. Surrounding inputs: Incident Response, Endpoint Visibility & Analysis, Additional Business & IT Context.]
RSA Security Analytics with a traditional SIEM
[Diagram: Distributed Data Collection ingests PACKETS and LOGS; PARSING & METADATA TAGGING with Capture Time Data Enrichment produces PACKET METADATA; LIVE content feeds the collection tiers. Security Analytics outputs: Alerting, Investigation & Forensics, Malware Analysis, Intel Feeds. The 3rd Party SIEM keeps Collection, Investigations, Alerts, Alert Triage and Compliance & Reporting, and receives Security Analytics alerts.]
What Makes SA Different?
Single platform for log & network security monitoring
Capture time data enrichment
Superior event stream & on-request analysis
Incorporates business and IT data, incident response & endpoint visibility
Operationalizes threat intelligence
Security platform where compliance is an outcome, not the other way around
Beyond SIEM – Intelligence Driven Security
What is Intelligence Driven Security?
The process of using all the security-related information available, both internally and externally, to detect hidden threats and even predict future ones.
It is knowledge that enables an organization to make informed risk decisions and take action.
Meet the Adversary: Mr. X
Persona: Cyber Criminal, Government sponsored or non-state actor
Mission in Life: Exfiltrate any and all data available by creating a threat surface specialized for a given target.
Tactics: Malicious Code, Social Media, Phishing, Spear Phishing
Primary Data Source(s): Must Have: Facebook, LinkedIn, Malware
Note: Average price of a zero-day exploit generated by the criminal underground is $25.
Mr. X has been busy:
– Combination of Waterhole Attacks with Zero Day Exploits (non-profits and think tanks)
  ▪ Targeting users who visit very specific websites
  ▪ Latest IE 0-day attack focused on a specific non-profit site
  ▪ Downloaded and executed shellcode directly from memory, never hit disk
  ▪ Dropped non-persistent (Aurora) 9002 RAT
– Multiple attack groups on the same victim, steady evolution of adversary backdoors
– NO slowdown in attack operations, very specific targeting of intelligence based on attacker taskings (Lawsuits, Key Personnel, C-Suite, M/A activity)
– Email Exfiltration – MAPI tool, Theft of Lotus Notes Email
– Continued heavy use of Windows Service DLLs, some signed
Mr. X – How Does he do it?
A: Web App Vulnerability
B: Drop Webshells or Trojan Backdoor
C: Command and Control
D: Pass The Hash
E: Seize Domain Admin Credentials
F: Gain Access to Trade Secrets
G: Upload Stolen Data to Staging Server
H: Transmit Stolen Data
[Diagram: steps A–H laid out across “Your Network”, with an “Ability to Detect” table giving a value of Yes, Possible or No for IDS, SIEM and SA at each step; the SA column is annotated “Yes – Full Visibility with Logs and Packets with Threat Intelligence”. The per-step cell values did not survive extraction.]
Intelligence Driven Security with Security Analytics
A: Web App Vulnerability
B: Drop Webshells or Trojan Backdoor
RSA Live Threat Intelligence May Have Identified Risk of the Transfer as a Starting Point for Investigation
Intelligence Driven Security with Security Analytics
Traversing Your Infrastructure
Mr. X uses a variety of techniques to communicate while traversing your infrastructure, which Security Analytics can detect and parse
– Named Pipes commonly abused (\pipe\hello is NOT from Microsoft)
– Abuse of the Windows Task Scheduler over SMB connections via NET USE, allowing command shell capabilities with SYSTEM privileges
C: Command and Control
D: Pass The Hash
E: Seize Domain Admin Credentials
F: Gain Access to Trade Secrets
G: Upload Stolen Data to Staging Server
Security Analytics combines Log Data with Packet Data for Deep Visibility
Intelligence Driven Security with Security Analytics
Your Network
G: Upload Stolen Data to Staging Server
H: Transmit Stolen Data
RSA Live Threat Intelligence May Have Identified Risk of the Transfer based on Remote Host or Outbound Protocol Anomalies (such as self-signed certs)
– Security Analytics will flag these sessions as suspicious and identify where the data travelled
– Event reconstruction may be possible
Anyone see this Movie?
Event Stream Analysis: Intelligence Driven Security in Action
Intelligence Driven Security with Security Analytics – Event Stream Analysis
• Full Visibility – Log Data and Packet Data normalized into Meta Data
– Additional Context may be added into ESA from other business systems
[Diagram: two Log Decoders and a Packet Decoder, each paired with a Concentrator, feed ESA; throughput figures shown are 18k EPS, 24k EPS and 2 GB/s; LIVE content feeds each decoder and Additional Context feeds ESA.]
Intelligence Driven Security with Security Analytics – Event Stream Analysis
• Leverage the power of ESA’s Correlation Engine to Create Dynamic Risk Categorization using Context Windows
• Suspicious Internal Hosts IP List based on Packet Analysis and RSA Live Threat Intel
  • As an example, any host running a named pipe such as “\pipe\hello”
  • Entries age out after preconfigured time (8 hours for instance)
• Critical Asset List may come from Feed File or CSV file which provides Business Context
  • Entries can be configured to be static and not age out
• Suspicious Host Alias List based on Packet Analysis and RSA Live Threat Intel
  • Entries age out after preconfigured time (12 hours for instance)
[Diagram: three context windows. DYNAMIC CONTEXT – Suspicious Internal IP: 10.221.32.12, 161.169.207.15, … DYNAMIC CONTEXT – Suspicious Host Alias: Ssl-irc.scumware.org, Mirror.wikileaks.info, Updatekernal.com, … STATIC CONTEXT – Critical Asset List: 10.100.32.10, 10.100.32.104]
Intelligence Driven Security with Security Analytics – Event Stream Analysis
• When one of the Suspicious Hosts attempts to login on one of the Critical Assets, you may deem this as an elevation of Risk, and choose to add the IP address of the Host to a new list
• Elevated Risk Internal IP List based on Log Data from Domain Controller
  • ESA determines that a host in the Suspicious Host IP list attempted to login to a host in the Critical Asset List
  • ESA places this IP address into the Elevated Risk Internal IP list, which can be configured to age out after a preconfigured time
  • Context Window can be referenced with the Incoming Event Streams and used to make a more intelligent decision to fire an Alert
[Diagram: DYNAMIC CONTEXT – an entry from Suspicious Internal IP (10.221.32.12, 161.169.207.15, …) is promoted into Elevated Risk Internal IP]
“If A->B->C AND the Host IP address is included in the Elevated Risk Context Window, then tell me about it!”
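The context-window logic of the last three slides (an ageing suspicious-host list fed by packet metadata, a static critical-asset list, promotion to an elevated-risk list on a domain-controller logon, and an alert only when the A->B->C pattern comes from an elevated-risk host), written out as an added example that is not RSA's or ESA's code; the TTLs, IP addresses and the event stream are constructed, and the elevated-risk TTL of 4 hours is an assumption the slides do not state.

```python
# Added example (not RSA/ESA code): ESA-style context windows; TTLs, IPs and events are constructed.
SUSPICIOUS_TTL = 8 * 3600                   # slide: suspicious IPs age out after e.g. 8 h
CRITICAL_ASSETS = {"10.100.32.10", "10.100.32.104"}   # static business context (feed/CSV)

class ContextWindow:
    """Keyed set with per-entry expiry; ttl=None is static and never ages out."""
    def __init__(self, ttl=None, keys=()):
        self.ttl, self.entries = ttl, {k: 0 for k in keys}   # key -> time (re)added
    def add(self, key, now):
        self.entries[key] = now
    def active(self, key, now):
        t = self.entries.get(key)
        if t is not None and (self.ttl is None or now - t <= self.ttl):
            return True
        self.entries.pop(key, None)              # unknown, or aged out of the window
        return False

class Correlator:
    def __init__(self):
        self.suspicious = ContextWindow(SUSPICIOUS_TTL)        # packet analysis / Live intel
        self.critical = ContextWindow(None, CRITICAL_ASSETS)   # feed/CSV, never ages out
        self.elevated = ContextWindow(4 * 3600)                # assumed 4 h TTL, promoted via DC logs
        self.chains, self.alerts = {}, []                      # src -> recent step letters
    def process(self, ev):
        now, src = ev["t"], ev["src"]
        if ev["kind"] == "named_pipe" and ev["pipe"] == r"\pipe\hello":
            self.suspicious.add(src, now)                      # non-Microsoft pipe name seen
        elif ev["kind"] == "logon" and self.suspicious.active(src, now) \
                and self.critical.active(ev["dst"], now):
            self.elevated.add(src, now)                        # suspicious host -> critical asset
        elif ev["kind"] == "step":                             # one step of the A->B->C pattern
            seq = self.chains.setdefault(src, [])
            seq.append(ev["step"])
            if seq[-3:] == ["A", "B", "C"] and self.elevated.active(src, now):
                self.alerts.append((src, now))                 # "tell me about it!"

def run(events):                                               # events must be time-ordered
    c = Correlator()
    for ev in events:
        c.process(ev)
    return c.alerts

EVENTS = [  # constructed stream, t in seconds: pipe seen, logon to a critical asset, then A->B->C
    {"t": 0, "kind": "named_pipe", "src": "10.221.32.12", "pipe": r"\pipe\hello"},
    {"t": 600, "kind": "logon", "src": "10.221.32.12", "dst": "10.100.32.10"},
    *({"t": 700 + i, "kind": "step", "src": "10.221.32.12", "step": s} for i, s in enumerate("ABC")),
]
```

A host whose suspicious entry has already aged out when it logs on to a critical asset is never promoted, so the same A->B->C sequence from it raises nothing.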
RSA Security Analytics
• Cornerstone in the Security Operations journey
• Flexible platform that grows with your needs
– Compliance to incident detection to investigation and forensics to advanced analysis
– From logs to packets, or packets to logs
• Security platform where compliance is a byproduct, not the other way around
RSA Advanced Cyber Defense Services
• Strategy & Roadmap
  Current strategy review and recommendations for desired future state
• Incident Response
  Rapid breach response service and SLA-based retainer
• NextGen Security Operations
  SOC/CIRC evolution and security program transformations; moving from reactive to proactive
A portfolio of services to help you achieve security operations excellence
www.rsa.im/ACDpractice
RSA Advanced Cyber Defense Training
• Focus on proven methodologies for operating and managing a CIRC/SOC
• Hands-on labs designed around real-world use cases and teamwork in a CIRC/SOC
• Delivered by highly experienced RSA Security Practitioners
A comprehensive learning path for security analysts
www.emc.com/rsa-training
Reimagining Security Analysis: Removing Hay vs. Digging For Needles
[Funnel diagram, top to bottom:]
All Network Traffic & Logs – Terabytes of data – 100% of total
Downloads of executables – Thousands of data points – 5% of total
Type does not match extension – Hundreds of data points – 0.2% of total
Create alerts to/from critical assets – A few dozen alerts
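The funnel above as a chain of filters over session metadata, added here as an example that is not RSA's code: each stage keeps only what the next stage needs, and the counts show how much hay each stage removes. The session records, file names, addresses and the critical-asset list are constructed; the MZ and ELF magic bytes are the real executable headers.

```python
# Added example (not RSA code): the slide's hay-removing funnel over constructed
# session metadata. Names, IPs and payload bytes are made up; MZ/ELF magic is real.
CRITICAL_ASSETS = {"10.100.32.10", "10.100.32.104"}   # static business-context feed
EXEC_MAGIC = {b"MZ": "pe", b"\x7fELF": "elf"}          # true file type from leading bytes
EXEC_EXTENSIONS = {"exe", "dll", "scr", "sys", "elf", "so", "bin"}

def true_type(payload):
    """Return the executable type implied by the file's first bytes, or None."""
    for magic, kind in EXEC_MAGIC.items():
        if payload.startswith(magic):
            return kind
    return None

def extension(filename):
    """Lower-cased extension, or '' when the name has none (treated as a mismatch)."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

def funnel(sessions):
    """Apply the slide's stages in order; return per-stage counts and the surviving sessions."""
    executables = [s for s in sessions if true_type(s["payload"])]        # downloads of executables
    mismatched = [s for s in executables
                  if extension(s["filename"]) not in EXEC_EXTENSIONS]      # type != extension
    alerts = [s for s in mismatched
              if s["src"] in CRITICAL_ASSETS or s["dst"] in CRITICAL_ASSETS]   # to/from critical assets
    counts = {"all": len(sessions), "executables": len(executables),
              "mismatched": len(mismatched), "alerts": len(alerts)}
    return counts, alerts

SESSIONS = [  # constructed: each record is one file transfer seen in session metadata
    {"src": "10.50.1.7", "dst": "203.0.113.5", "filename": "report.pdf", "payload": b"%PDF-1.4"},
    {"src": "10.50.1.7", "dst": "203.0.113.5", "filename": "setup.exe", "payload": b"MZ\x90\x00"},
    {"src": "10.50.1.8", "dst": "203.0.113.9", "filename": "photo.jpg", "payload": b"MZ\x90\x00"},
    {"src": "10.100.32.10", "dst": "198.51.100.2", "filename": "invoice.pdf", "payload": b"MZ\x90\x00"},
    {"src": "10.100.32.104", "dst": "198.51.100.2", "filename": "update.dll", "payload": b"MZ\x90\x00"},
]
```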
Integrated Intelligence: Know What To Look For
RSA LIVE INTELLIGENCE SYSTEM: Threat Intelligence – Rules – Parsers – Alerts – Feeds – Apps – Directory Services – Reports and Custom Actions
1. Gathers advanced threat intelligence and content
2. Aggregates & consolidates data
3. Automatically distributes correlation rules, blacklists, parsers, views, feeds
OPERATIONALIZE INTELLIGENCE: Take advantage of what others have already found and apply against your current and historical data
SA vs. SIEM
Attack Step | Traditional SIEM | RSA Security Analytics
Alert for access over non-standard port | No | Yes
Recreate activity of suspect IP address across environment | No | Yes
Show user activity across AD and VPN | Yes | Yes
Alert for different credentials used for AD and VPN | Yes | Yes
Reconstruct exfiltrated data | No | Yes