Evolved requirements A Business-Driven Security Strategy for Threat Detection & Response Laura MacDonald Field CTO Laura.MacDonald@rsa.com.

1 Evolved requirements: A Business-Driven Security Strategy for Threat Detection & Response. Laura MacDonald, Field CTO.

2 Is your SIEM finding the attacks that matter?
Ponder this for a moment...

3 A Logs-Only Approach to SIEM Isn't Working
99% of successful attacks went undiscovered by logs. Source: VDBIR.

In only 1% of cyber-espionage cases did victims learn about their breach from internal log review. In almost every major breach the victim had a log-centric SIEM approach. Most attacks are missed until a third party lets the victim know about it (not good), and it takes far too long to discover the attack. From the VDBIR: examining discovery timelines and methods for espionage incidents reveals ample room for improvement. While this information is often not known or provided (for various reasons, including the visibility and focus of our contributors), there is enough to discern the general state of affairs. It typically takes victims months or more to learn they've been breached, and it's usually an outside party notifying them. 67% took months or more to discover, with 5% lasting years.

Source: Verizon 2014 Data Breach Investigations Report.

4 Goals versus reality of SIEM 1.0
Goals: a single compliance & security interface; analyze & prioritize alerts across various sources; the cornerstone of security operations.
Reality: compliance solved, but breaches causing business damage are on the rise; limited detection due to reliance on logs from preventative controls & signatures; weak at investigation & incident response, and hard to find the full scope of an attack.

The original intent of SIEMs was good, but they have not delivered the security value that teams need for today's threat landscape. SIEMs have been around since the mid-1990s and have emerged to become a highly strategic element of the security team's monitoring function. They were designed primarily for two objectives:
1. Collect, analyze, report and store log data from hosts, applications and security devices to support security policy compliance management and regulatory compliance initiatives.
2. Process and correlate, in real time, event data from security devices, network devices and systems to identify the security issues that pose the biggest risk to an organization.
While most SIEM solutions have met objective 1, a large majority of them struggle to meet objective 2. These SIEM solutions do not have the scale and real-time analytics capabilities to identify issues that can compromise an organization before an attacker achieves their objective, and they have limited capabilities to prioritize the sea of alerts analysts are facing based on true business risk.

5 The challenge for security teams
First, let’s briefly discuss the challenges that security operations teams are facing today.

6 Attackers Quickly Turn Compromises into Breaches
Timeline labels (minutes, hours, days, weeks, months): Spear Phishing Attack; Malware Installed; Initial compromise; 3rd Party Detection; Communicate to External Server (C2); Breach; Lateral Movement; Discover Critical Assets; Data Exfiltration; Breach Detected.

It goes without saying that stories of cyber attacks and major breaches are all over the news today. As we look at what is happening in these breaches, a few trends become apparent. In short, attackers are gaining access faster, usually within minutes; nearly all attackers are extracting sensitive data within a matter of days; and they are staying longer, typically inflicting greater damage over this time. Most breaches take months to discover, and the overwhelming majority are not detected by internal systems but by external sources such as customers or authorities. Suffice to say, there is a direct correlation between "dwell time" (the amount of time that attackers have access to your network) and the impact that attacks will have on your business.

Statistics on the slide: compromised in MINUTES 82%; of exfiltration occurred in DAYS 99%; discovered in MONTHS 64%.

7 Logs Provide Only Limited Visibility
Diagram labels: Malware tool misses UNKNOWN, NEW threat; NGFW has no rule for/against threat traffic; IPS has no signature to stop the threat traffic; NetFlow analyzer sees lateral movement but from a known user; AV misses user downloading unknown malware; VMs further inhibit visibility into threats; visibility into threats in the cloud is an even bigger challenge. Components shown: IDS / IPS, NGFW, NGFW, Confidential Data.

Why are the attackers outpacing the defenders? One reason is that most organizations are still relying on logs for detection. But the truth is that logs can only provide a limited understanding of what is happening. For example, logs are very useful for identifying when a preventive control triggers an alert. But today, sophisticated adversaries are increasingly adept at navigating around those same preventive controls. In most cases, previously unseen malware (or a zero day, which is used most often in advanced attacks) will not trigger an alert on endpoint AV. The same is generally also the case for IDS/IPS. If a next-generation firewall has no rule to block or alert on certain threat traffic, security teams will have no way of knowing.

Compounding the problem of limited visibility: as organizations migrate applications, data, and everyday computing to the cloud, we may have varying (if any) visibility into events occurring outside our traditional network environments. Also, expanding use of virtualization may present additional blind spots. Are alerts and other data pertaining to virtualized network traffic being collected? Is there visibility of every newly spun-up virtual machine? Is endpoint visibility accounted for on all hypervisors and clusters? Relying on logs alone is not enough.

8 The Flood of Data from Other Sources Can Be Overwhelming
Diagram labels: NetFlow Collector / NBAD; Full PCAP / Network Forensics; Endpoint Security; Data Capture across Cloud; SIEM / Logs. The need for visibility drives organizations to add more data sources, but too much data from disparate sources can obfuscate real threats.

Today many organizations are starting to understand that they need greater visibility. They are collecting as much data as possible, frequently adding multiple point security solutions. This is to make sure that they have all their bases covered, with as few blind spots as possible. While they may have NetFlow, some type of packet capture, endpoint, and cloud data, it is all happening in silos with narrow fields of focus. This means organizations are being flooded with information from individual data sources, with absolutely no correlation across them.

Every new point solution that is introduced requires added expertise within the security team. And even when that expertise exists, those individuals are probably choking on data, unable to separate important alerts from false alarms and "noise", and they don't have the ability to recognize the connecting data between each function. In fact, adding point solutions may, in some cases, have an inverse effect on the effectiveness of security teams. Each new point product adds an additional set of variables that should be correlated with other data, making correlation orders of magnitude more difficult with each new dataset.

However, this is not to say that more data from more sources isn't good. In fact, the more information available relative to a particular event, the more effective both the analysis and the response can be. It's really a Catch-22: we need the data, but it's making us less effective because the computational requirements simply exceed human capabilities.

We cannot effectively sort through and react to the massive amount of enterprise security information, certainly not with the speed that is required to keep up with the threats we discussed in the previous slides. Manual correlation and analysis make it NEARLY IMPOSSIBLE to respond in time and prevent breaches.

9 Security Teams Struggle to Assess and Act
Questions on the slide:
- Is this a real incident? Did any new processes execute on the target? Were there any communications back to the attacker?
- What's the scope of the incident? Based on the initial incident, are there other systems affected?
- What's the impact of the incident? What data was exfiltrated?
- What actions are required to mitigate?

Meanwhile, as security and technical experts struggle to keep up with the flood of alerts, business leaders (who frequently are making the resourcing decisions that will ultimately determine how or if these issues are addressed) are demanding to understand the reason, scope, impact, and response to attacks, and how to better manage cyber-risk in the future. This phenomenon can be referred to as "The Gap of Grief". Security teams struggle to meet the needs of the business, while the business struggles to gain perspective on what is actually happening. Meanwhile both the direct cyber threat and the organization's paralysis in meeting the challenges can hamper progress, or even put the entire business at substantially greater risk.

How can we better function to adequately answer the questions on the right side of this screen? How do we effectively answer the question, "How bad is it?" How can we make sure the team doesn't have blind spots and can connect the dots of the attack?

10 Ensuring your SIEM Finds the Attacks that Matter Most

11 Gartner's priorities for SIEM are shifting
Use cases, 2013-2015: Threat Management; Compliance; General SIEM deployment.
Use cases, 2016: Advanced Threat Detection; Basic Security Monitoring; Forensics & Incident Response.

Capability weights shown on the slide (earlier period): Real-time Monitoring 10%; Data & User Monitoring; Application Monitoring; Threat Intelligence; Behavior Profiling; Analytics; Log Management & Reporting; Deployment & Support Simplicity 5%; Incident Response & Management 6%; Advanced Threat Detection 20%; Business Context & Security Intell 15%; User Monitoring 12%; Data & Application Monitoring; Advanced Analytics.
Capability weights shown on the slide (2016): Real-time Monitoring 18%; Data & User Monitoring 10%; Application Monitoring; Threat Intelligence 9%; Behavior Profiling; Analytics 23%; Log Management & Reporting; Deployment & Support Simplicity.

In 2016 Gartner indicated that the priorities for SIEMs were shifting. New use cases around advanced threat detection, coupled with forensics and incident response, were necessary.

Source: "Critical Capabilities for Security Information and Event Management", Gartner.

12 Requirements for SIEM have evolved
Slide labels: Evolved Threat Landscape; Modern IT Infrastructure; Noise in the System. Automated, targeted, persistent attacks; erosion of the perimeter; humans can't keep up, focus.

Now, there are many reasons that SIEMs, as the centerpiece of the security operations center, have to evolve. Security teams need to evolve to stay in front of attackers and the latest threats, but in recent years this has become much more difficult. Attackers continue to advance and use sophisticated techniques to infiltrate organizations which no longer have well-defined perimeters. Attackers spend significant resources performing reconnaissance to learn about organizations and develop techniques specifically designed to bypass the security tools being used. The sophistication of threat actors and the expanding attack surface make it nearly impossible for security teams to discover and understand compromises quickly enough to respond before they impact the business.

Why are attackers so successful? There are several reasons. Attackers are becoming more sophisticated and targeted; they have larger attack surfaces to exploit; existing security controls are failing; and there is a real shortage of skilled security staff. We are not playing on a level playing field.

13 Result: you can't keep all the bad guys out
Slide labels: THE LONGER THEY ARE IN, THE HIGHER THE RISK; Accelerate Detection & Response; axes: Risk versus Dwell Time.

In light of today's reality, a mind shift has to occur. We can no longer focus on preventative controls that promise to keep the bad guys out. If an adversary has a specific organization in its sights, there is nothing to be done to prevent them from getting into that organization's infrastructure. However, this reality does not mean the adversary will be able to leave that infrastructure with the data they targeted. If we shift our thinking from prevention to rapid detection and response, we can shorten the dwell time and prevent business damage.

In order to do this, the centerpiece of our security operations needs to be informed by the underlying business intelligence, which can ultimately provide critical context to an analyst when seconds matter. By tying critical asset and identity information into both the detection and response capabilities a security team is using, the team can focus its efforts on the threats that matter most. If a security team knows that both a server that stores source code and a server that hosts the café menu are being targeted, it knows which machine is more important to the business.

14 Requirements for an evolved SIEM
Optimized for Threat Detection & Response: visibility beyond logs; rapid ability to understand & respond to the full scope of an incident; ability to integrate detection & response with business risk; breadth of analytics methods to detect attack campaigns.

If this is our new reality, what are the new requirements? One is business-driven security: the ability of an organization to comprehensively and rapidly link security with business context to detect and respond effectively and protect what matters most. An evolved SIEM which is optimized for threat detection & response must provide:

Full visibility, across endpoints, networks, logs, VMs and the cloud, combined with threat intelligence and business context. We need to be able to consume and transform data into usable threat metadata. In other words, we need to transform the data into intelligence.

Deep analytics: processing large amounts of threat data together with our own data, and combining multiple analytic techniques, behavioral analysis and the latest data science modeling and machine learning.

An understanding of the full scope of attacks, to validate what happened, wherever it may have happened on our compute surface. Doing this requires a systematic, well-coordinated process that can orchestrate the function of our teams and all available data to produce understandable and actionable results.

And we must enable our teams to act: to mitigate and eradicate threats based on business context before they turn into breaches that will harm the business.

15 TRANSFORMATIONAL SECURITY STRATEGY
Transforming security strategy: two fundamental areas of focus. Make security teams more operationally impactful; more strategically manage cyber risk.

What's required to fix this? A transformational security strategy for managing business risk must link risk management with security events end-to-end. Organizations need the ability to link security strategy and activity with business priorities. To get there, organizations are embracing the need to transform their security strategy from a long-evolved series of point products with few unifying qualities to one that: more strategically manages business risk; makes security operations teams more impactful; delivers assurance around user access and behavior; and leverages intelligence from all corners of the business and from around the world. We can then better defend the business, protect business transactions and combat fraud.

16 An evolved SIEM is needed
Slide labels: BROADEST SOURCES OF VISIBILITY (packets, logs, endpoint, threat intelligence, NetFlow, cloud, business context); ANALYTICS ENGINE (deepest attack insight; feed business context and identity to minimize noise); PRIORITIZED RESPONSE (utilize asset criticality and identity information to prioritize the threats that matter most; capabilities aligned to requirements, focus on prioritization and speed of TD&R).

This is where an all-inclusive suite comes in. The RSA NetWitness Suite consumes multiple types of disparate data from across your environment. We then take that data and turn it into more useful information by enriching it in real time with threat intelligence (from industry experts, third-party providers and crowd-sourced from our customer base) as well as the critical business context which informs the suite so that prioritization can take place. We utilize a unified taxonomy across all this intelligent data that enables rapid detection of both known and unknown threats, processed through our analytics engine. Our analytics engine then enables organizations to rapidly identify the threats that really matter by providing the deepest attack insight with priority.

We also understand that even with the broadest visibility and the deepest analytics, NONE OF IT MATTERS UNLESS YOU ENABLE ACTION. The RSA NetWitness Suite enables control over how you want to respond to threats with orchestration across your security infrastructure; role-based, prioritized incident response workflows; and investigations that can fully reconstruct incidents.

17 Full Visibility and Context
Slide labels, by data source:
- LOGS: Intrusion attempts. What was targeted?
- PACKETS: Beaconing and suspicious communications; "Sticky-keys" backdoor; malicious proxy tools; WinRAR using encrypted RAR files; recreate entire exploit. How did the exploit occur?
- NETFLOW: Lateral movement via RDP. How did the attackers move around once inside?
- ENDPOINT: Time/date "stomping"; indicators about malicious files, code, and processes; scope of infection. Was the endpoint exploited? Were others infected?
Center: Enterprise Visibility.

Let's take a look at an example of how this all comes together. Logs are very good for identifying if an incident has occurred. For example, perhaps there has been an intrusion attempt where the attacker was attempting to exploit a known web vulnerability. Logs in the traditional SIEM use case can quickly identify that through standard rules. However, teams are then left struggling to identify what actually occurred, and how to identify the full scope of what's happening across the enterprise. Time is not on their side.

This is where packets come into play. Packets can help the organization understand what actually occurred. What specifically traversed the wire? This is where we can get into the details of the steps the attacker took, reconstruct the session, and replay the attack from all the relevant angles.

NetFlow is then very good at understanding lateral movement across the infrastructure: how did they move around once they were inside? For example, if an attacker first comes in through a phishing attack and establishes a foothold, NetFlow can help identify east/west communication, showing where else that attacker is looking or moving; perhaps he has moved across the environment to find a privileged account.

We can then bring in endpoint information, to understand the extent to which this threat has invaded our environment. How far has the attacker gone? Were other endpoints infected similarly? We can understand the full scope of the infection by going very deep into the endpoint layer.

The truth is that if you look at any one of these datasets as a silo, you are going to understand some level of risk. But without context, and a broader, well-correlated understanding of what occurred across the data, you are less likely to arrive at the right conclusions quickly and take the appropriate action, and probably not in time. Ultimately RSA NetWitness ingests all of this data, but it is also normalized on a taxonomy that is utilized across all datasets to identify the true risk of an entire attack campaign.
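The two ideas the deck keeps returning to, normalizing logs, NetFlow and endpoint events onto one schema so they can be correlated per asset (slide 17) and weighting the result by asset criticality so the source-code server outranks the café-menu server (slide 13), can be shown in a few dozen lines. This is an added illustration, not RSA NetWitness code; the asset criticality scale, the stage weights and the sample events are all constructed.

```python
from collections import defaultdict

# Constructed asset inventory (assumption): business criticality on a 1-5 scale.
ASSET_CRITICALITY = {
    "srv-sourcecode-01": 5,  # stores source code
    "srv-cafemenu-01": 1,    # hosts the cafe menu
}

# Assumed weight per attack stage: later stages of the slide 6 timeline carry
# more risk than an initial, possibly blocked, intrusion attempt.
STAGE_WEIGHT = {
    "intrusion_attempt": 1,
    "lateral_movement": 3,
    "execution": 4,
    "exfiltration": 5,
}

# Constructed events from three sources, already mapped onto one shared schema
# (source, host, stage, detail). Note both servers raise the identical log alert;
# only the cross-source picture and the asset context separate them.
EVENTS = [
    {"source": "log", "host": "srv-sourcecode-01", "stage": "intrusion_attempt",
     "detail": "web exploit attempt blocked by IPS"},
    {"source": "netflow", "host": "srv-sourcecode-01", "stage": "lateral_movement",
     "detail": "RDP session from workstation to server"},
    {"source": "endpoint", "host": "srv-sourcecode-01", "stage": "execution",
     "detail": "archiver writing encrypted archive"},
    {"source": "log", "host": "srv-cafemenu-01", "stage": "intrusion_attempt",
     "detail": "web exploit attempt blocked by IPS"},
    {"source": "netflow", "host": "srv-cafemenu-01", "stage": "lateral_movement",
     "detail": "RDP session from workstation to server"},
]


def correlate(events):
    """Group normalized events by host so each asset has one combined picture."""
    by_host = defaultdict(list)
    for event in events:
        by_host[event["host"]].append(event)
    return dict(by_host)


def score(host, host_events):
    """Risk = criticality x sum of distinct stage weights x number of sources."""
    criticality = ASSET_CRITICALITY.get(host, 3)  # unknown asset: medium (assumption)
    stages = {e["stage"] for e in host_events}
    sources = {e["source"] for e in host_events}
    stage_sum = sum(STAGE_WEIGHT.get(s, 1) for s in stages)
    return criticality * stage_sum * len(sources)


def prioritize(events):
    """Return per-host incidents ordered by business-weighted risk, highest first."""
    ranked = []
    for host, host_events in correlate(events).items():
        ranked.append({
            "host": host,
            "risk": score(host, host_events),
            "stages": sorted({e["stage"] for e in host_events}),
            "sources": sorted({e["source"] for e in host_events}),
        })
    ranked.sort(key=lambda r: r["risk"], reverse=True)
    return ranked


if __name__ == "__main__":
    for incident in prioritize(EVENTS):
        print(incident)
```

Run as a script it lists the source-code server first (risk 120) and the café-menu server last (risk 8), even though both produced the same IPS log alert.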

18 Detecting Threats Is Only the First Step
As we’ve discussed, detecting threats is only the first step. We also must have the capability to take action in response to threats, so we can prevent or mitigate damage.

19 To Eradicate Attacks and Mitigate Business Risk, You Need a Process-Oriented Response
Slide labels: Full Attack Understanding (understand attack ingress, lateral movement, and threat actor behavior; context, files for forensic analysis; locate assets, applications, and protocols leveraged for data exfiltration); Incidents Prioritized and Triaged; Rapid, Organized Response (mitigation of all associated threats; distinct ownership roles; clear, process-oriented escalations; security gaps addressed). ANALYTICS ENGINE fed by packets, logs, endpoints, threat intelligence.

To eradicate attacks and mitigate business risks, you can't rely on technology alone. People and processes are just as important as the right tools. With full visibility and advanced analytics, we can enable security teams to be far more efficient and effective at their jobs. They'll have a full understanding of what occurred, and their activities can be sequenced to address the highest-priority threats first, because wasting time on threats that aren't a priority is a massive mistake no one wants to make. You need an orchestration layer that organizes activity in role- and persona-based workflows that are well-coordinated and comprehensive in ensuring that threats are addressed completely: one that facilitates a strategic, organized response so the organization can fully respond and lessen the likelihood of similar events occurring in the future.

20 Connecting ALL the Dots is the ONLY Way to Stop Breaches
Timeline labels (minutes, hours, days, weeks, months): BREACH PREVENTED! RISK 96. Connect the dots faster, with enough context to detect and respond.

By combining the broadest and deepest visibility in the market with advanced, machine-learning behavior analytics and the ability to identify the full scope of an attack, the RSA NetWitness Suite enables security teams to connect the dots of an attack before it becomes a material breach.

21 BUSINESS-DRIVEN SECURITY
Slide labels: INCLUSION & EXCLUSION; SECURITY TECHNOLOGY; BUSINESS RISK MANAGEMENT. LINK SECURITY INCIDENTS WITH BUSINESS CONTEXT TO RESPOND FASTER AND PROTECT WHAT MATTERS MOST.

RSA's strategy fuses security insight with business context, creating an explicit linkage between what our security technology is telling us and what that means in terms of business risk. RSA's business-driven security solutions help customers comprehensively and rapidly link security incidents with business context to respond effectively and protect what matters most. With award-winning solutions for rapid detection and response, user access control, consumer fraud protection, and business risk management, RSA customers can thrive in an uncertain, high-risk world. It's time for Business-Driven Security.

22 Thank You
