TRANSCRIPT
Slide 1: RSA ADVANCED SECURITY OPERATIONS CENTER
DENVER SPITZ – SECURITY CONSULTANT
© Copyright 2016 EMC Corporation. All rights reserved.
Slide 2: AGENDA
• Threat Landscape
• Challenges in a SOC
• RSA’s Strategy
  – RSA ECAT
  – RSA Security Analytics
  – RSA SecOps
  – RSA Advanced Cyber Defense Consulting
Slide 3: EVOLUTION OF THREAT ACTORS & DETECTION IMPLICATIONS
At first, there were HACKS. Preventative controls filter known attack paths.
[Diagram: Malicious Traffic from Threat Actors passes the preventative controls (Firewall, IDS/IPS, AntiVirus) on its way to Corporate Assets; labels: Whitespace, Successful HACKS.]
4© Copyright 2016 EMC Corporation. All rights reserved.
At first, there were HACKS Preventative controls filter known attack paths
Then, ATTACKSDespite increased investment in controls, including
SIEM
EVOLUTION OF THREAT ACTORS & DETECTION IMPLICATIONS
MaliciousTraffic
Firewall
Threat Actors
IDS/IPS
AntiVirus
More Logs
Corporate Assets
SIE
M
Blocked Session
Blocked Session
Blocked Session
Alert
Whitespace Successful ATTACKS
Slide 5: EVOLUTION OF THREAT ACTORS & DETECTION IMPLICATIONS
Now, successful ATTACK CAMPAIGNS target any and all whitespace.
Complete visibility into every process and network session is required to eradicate the attacker opportunity.
Unified platform for advanced threat detection & investigations.
[Diagram: Firewall, IDS/IPS and AntiVirus (Blocked Session, Alert) plus Logs, Endpoint Visibility (Process) and Network Visibility (Network Sessions) all feed Security Analytics, which sits between Threat Actors / Malicious Traffic and Corporate Assets.]
Slide 6: ATTACKERS ARE OUTPACING DEFENDERS
EMC CONFIDENTIAL—INTERNAL USE ONLY
Source: VERIZON DATA BREACH INVESTIGATIONS REPORT
[Chart: percent of breaches where time to compromise (red) / time to discovery (blue) was days or less, by year 2004–2013; y-axis 25%–100%. Labels: Attacker Capabilities, Time to Discovery.]
© Copyright 2015 EMC Corporation. Confidential and Proprietary. NDA Required
Slide 7: A LOGS-ONLY APPROACH TO DETECTION ISN’T WORKING
Source: VERIZON DATA BREACH INVESTIGATIONS REPORT
• Percent of successful attacks that went undiscovered by logs: 99%
• Percent of incidents that took weeks or more to discover: 83%
Slide 8: DEFENDER’S CHALLENGES
• Existing strategies & controls are failing
• Attackers are becoming more sophisticated
• The attack surface is expanding
• Tools & processes must adapt to today’s threats
• Teams need to increase experience & efficiency
• Security teams need comprehensive visibility from endpoint to cloud
Slide 9: RESOURCE SHIFT NEEDED: BUDGETS & PEOPLE

                Today’s Priorities    Future Requirements
  Prevention    80%                   33%
  Monitoring    15%                   33%
  Response       5%                   33%
Slide 10: RSA ADVANCED SOC PLATFORM: ENABLING DEFENDERS
[Diagram: data sources Network, Endpoint and Logs, enriched by RSA Live, feed RSA Security Analytics (Detect); RSA Advanced Cyber Defense, RSA Incident Response and RSA SecOps cover Respond.]
Slide 11: RSA ECAT
Slide 12: TOP ENDPOINT SECURITY CHALLENGES
Source: ESG & VBDIR 2015
Challenge areas: Slow & Partial Analysis | Invisible Infected Endpoints | Unknown Scope | Lack of Response
• Lack tools & resources
• Manual and labor intensive
• Siloed views
• Over-reliance on signatures
• Network alone not enough
• Lack deep endpoint visibility
• Increased attacker dwell time
• Elevated risk of data loss
• Limited resources
Slide 13: SOLUTION
• Quickly expose endpoint threats (Signature-less)
• Analyze and confirm faster (Prioritizes alerts)
• Instantly determine scope and take action (Answers scope)
• Integrate endpoint with network data (Complete visibility)
Slide 14: RSA ECAT OVERVIEW
• Detect by behavior of malware rather than a signature
• Deep endpoint visibility & real-time alerting
• Intelligent risk level scoring system to prioritize threats
• Confirm infections quickly & block with precision in real time
[Diagram: ECAT cycle – Scan, Monitor & Alert, Analyze, Take Action]
Slide 15: HOW RSA ECAT WORKS
[Diagram: Agents report to the ECAT Server, which is fed by RSA LIVE INTELLIGENCE (Threat Intelligence | Feeds | RSA Research)]
Agent
• Endpoints, servers, VMs
• Windows, Linux & Mac OS
• Monitors for suspicious activity
• Scans for full system inventory
• Identifies all executables, DLLs, drivers, etc.
• Low system impact (2MB on disk, 10-20MB in memory)
Server
• Analyzes scan data & flags anomalies
• Maintains a repository for global correlation
• Automatically downloads unknown files for additional analysis
• Easily scales: 50K agents per server
Slide 16: RSA Security Analytics
Slide 17: RSA SECURITY ANALYTICS ARCHITECTURE
[Architecture diagram; no text on this slide]
Slide 18: OUT-OF-THE-BOX CONTENT EXAMPLES
Intelligence feeds
• APT domains
• Suspicious proxies
• Malicious networks
• Threat blacklists
• 0-day identifiers
275+ correlation rules
• Data exfiltration
• Identity & access anomalies
• Unusual connections
• Endpoint & network activity
• Reconnaissance detection
90+ reports
• Compliance templates
• Network activity
• Operations
• Suspicious behavior
• User activity
375+ log & network parsers
• Abnormal .exe files
• Packers
• Instant Messenger traffic
• Botnets
• SQL injection
Slide 19: ADVANCED ANALYTICS ENGINE – LEADING INDICATORS OF A PLANNED C2 EXPLOIT
• Real-time Analytics – Data Science algorithms
  – Scores on multiple C2 behavior indicators
  – Utilizes streaming HTTP activity
• Low False Positives – Learns from ongoing and historical activity
  – Supervised whitelisting option
[Diagram: the indicators Beaconing Behavior, Rare Domains, Rare User Agents, Missing Referrers and Domain Age (WhoIS) combine into an aggregate score for Suspicious Domains.]
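The indicator scoring sketched on this slide, as an added example run over constructed HTTP proxy records; this is not RSA's engine or code, and the WHOIS age lookup, the rarity and age thresholds and the equal weighting are assumptions:

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of HTTP proxy records: (timestamp_s, src_host, domain, user_agent, referrer)
RECORDS = [
    (0, "h1", "cdn.example-news.test", "Mozilla/5.0", "https://example-news.test/"),
    (5, "h2", "cdn.example-news.test", "Mozilla/5.0", "https://example-news.test/"),
    (9, "h3", "cdn.example-news.test", "Mozilla/5.0", "https://example-news.test/"),
    (0, "h1", "qx7-update.test", "Updater/1.0", ""),
    (60, "h1", "qx7-update.test", "Updater/1.0", ""),
    (120, "h1", "qx7-update.test", "Updater/1.0", ""),
    (180, "h1", "qx7-update.test", "Updater/1.0", ""),
    (240, "h1", "qx7-update.test", "Updater/1.0", ""),
]
# Constructed stand-in for a WHOIS domain-age lookup (days since registration); an assumption.
DOMAIN_AGE_DAYS = {"cdn.example-news.test": 3650, "qx7-update.test": 4}


def beaconing_score(times):
    """Regular check-in intervals give a low coefficient of variation, hence a high score."""
    if len(times) < 4:
        return 0.0
    gaps = [b - a for a, b in zip(times, times[1:])]
    cv = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else 1.0
    return max(0.0, 1.0 - cv)


def score_c2_indicators(records, domain_age=DOMAIN_AGE_DAYS, whitelist=frozenset()):
    """Score each (host, domain) pair on the slide's indicators; whitelisted domains are skipped."""
    by_pair, hosts_per_domain, hosts_per_ua = defaultdict(list), defaultdict(set), defaultdict(set)
    for ts, host, dom, ua, ref in records:
        by_pair[(host, dom)].append((ts, ua, ref))
        hosts_per_domain[dom].add(host)
        hosts_per_ua[ua].add(host)
    total_hosts = len({r[1] for r in records})
    rare_cutoff = max(1, total_hosts // 10)  # "rare" = seen on at most 10% of hosts (assumed threshold)
    results = {}
    for (host, dom), evts in by_pair.items():
        if dom in whitelist:  # supervised whitelisting: analyst-approved domains are not scored
            continue
        s = {
            "beaconing": beaconing_score(sorted(t for t, _, _ in evts)),
            "rare_domain": 1.0 if len(hosts_per_domain[dom]) <= rare_cutoff else 0.0,
            "rare_user_agent": 1.0 if all(len(hosts_per_ua[ua]) <= rare_cutoff for _, ua, _ in evts) else 0.0,
            "missing_referrer": sum(1 for _, _, ref in evts if not ref) / len(evts),
            "young_domain": 1.0 if domain_age.get(dom, 10**6) < 30 else 0.0,  # assumed 30-day cutoff
        }
        s["aggregate"] = round(sum(s.values()), 2)  # equal weights; a real engine would tune these
        results[(host, dom)] = s
    return results
```

The once-a-minute, referrer-less, single-host traffic to the days-old domain scores on every indicator, while the shared CDN domain scores zero; the aggregate is what an analyst would triage first.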
Slide 20: PRIORITIZED ACTION
[Diagram: LOGS, PACKETS, ENDPOINT and NETFLOW data from OnPrem and Cloud sources, enriched by LIVE, flow through Alerts, Investigation and Workflow into GRC.]
Slide 21: RSA Security Operations Management (SecOps)
Slide 22: SOC CHALLENGE - EVENT-FOCUSED, REACTIVE
• No centralization of alerts
• Lack of centralized incident management
• Lack of context
• Lack of process
• Lack of best practices
23© Copyright 2016 EMC Corporation. All rights reserved.
Dom
ain
RSA S
ecO
ps
Framework & Alignment
People
Process
Technology
Incident Response
Breach Response
SOC ProgramManagement
RSA SECURITY OPERATIONS MANAGEMENT
Slide 24: RSA SECOPS
[Diagram: RSA SecOps aggregates Alerts to Incidents and supports Incident Response, Breach Response, SOC Program Management and Dashboard & Report; RSA Archer Enterprise Management supplies Context, with RSA Archer Enterprise Risk / BCM (Optional) alongside; flows to and from 3rd Party Systems are labelled ALERTS, CONTEXT and LAUNCH FOR INVESTIGATIONS.]
Slide 25: SOC MANAGER / CISO DASHBOARD
[Dashboard screenshot; no text on this slide]
Slide 26: Beyond Technology: Consulting
Slide 27: THE ADVANCED SOC
Roles:
• SOC Manager
• Tier 1 Analyst
• Tier 2 Analyst
• Threat Intelligence Analyst
• Analysis & Tools Support Analyst
Slide 28: RSA ADVANCED CYBER DEFENSE SERVICES – DEVELOP AND MATURE A PORTFOLIO FOR ONGOING COMPETITIVE ADVANTAGE
• ASOC Design & Implementation: ASOC Strategy, Design & Program Development | Technology & Operations Buildout | Residencies, Support & Training
• Security Operations Management: SecOps Strategy & Management | Use Case Development | Incident Response Procedures
• Incident Response: Retainer | Incident Discovery | Incident Response | IR Hunting Services | Breach Management
• Cyber Readiness & Capability Roadmap: Current State & Gap Analysis | Maturity Modeling | Breach Readiness Roadmap | Net Defender (Cyber Security Framework)
• Cyber & Counter Threat Intelligence: Program Development | Web & E-mail Threat Operations | Best Practices
Slide 29: DEFENDER’S CHALLENGES
• Existing strategies & controls are failing
• Attackers are becoming more sophisticated
• The attack surface is expanding
• Tools & processes must adapt to today’s threats
• Teams need to increase experience & efficiency
• Security teams need comprehensive visibility from endpoint to cloud
[Diagram: the challenges are mapped to Security Analytics, ECAT, Advanced Cyber Defence and SecOps.]