RSA Advanced Security Operations Center · RSA Security Analytics

Post on 27-Jun-2018


© Copyright 2016 EMC Corporation. All rights reserved.

RSA ADVANCED SECURITY OPERATIONS CENTER
DENVER SPITZ – SECURITY CONSULTANT


AGENDA

• Threat Landscape

• Challenges in a SOC

• RSA’s Strategy
  – RSA ECAT
  – RSA Security Analytics
  – RSA SecOps
  – RSA Advanced Cyber Defense Consulting


EVOLUTION OF THREAT ACTORS & DETECTION IMPLICATIONS

At first, there were HACKS: preventative controls filter known attack paths.

[Diagram: Threat Actors send Malicious Traffic through Firewall, IDS/IPS and AntiVirus toward Corporate Assets; the whitespace between those controls is where successful HACKS land.]


EVOLUTION OF THREAT ACTORS & DETECTION IMPLICATIONS

At first, there were HACKS: preventative controls filter known attack paths.

Then, ATTACKS: despite increased investment in controls, including SIEM.

[Diagram: Threat Actors send Malicious Traffic through Firewall, IDS/IPS and AntiVirus toward Corporate Assets; the controls produce Blocked Sessions, More Logs into a SIEM and an Alert; the whitespace between them is where successful ATTACKS land.]


EVOLUTION OF THREAT ACTORS & DETECTION IMPLICATIONS

Now, successful ATTACK CAMPAIGNS target any and all whitespace.

Complete visibility into every process and network session is required to eradicate the attacker’s opportunity.

Unified platform for advanced threat detection & investigations.

[Diagram: Threat Actors send Malicious Traffic through Firewall, IDS/IPS and AntiVirus toward Corporate Assets, producing Blocked Sessions and an Alert; Logs, Endpoint Visibility (Process) and Network Visibility (Network Sessions) all feed Security Analytics.]

EMC CONFIDENTIAL—INTERNAL USE ONLY

ATTACKERS ARE OUTPACING DEFENDERS

Source: Verizon Data Breach Investigations Report

[Chart: Attacker Capabilities vs. Time to Discovery. Percent of breaches where time to compromise (red) / time to discovery (blue) was days or less, plotted for 2004 through 2013 on a 0–100% axis.]

© Copyright 2015 EMC Corporation. Confidential and Proprietary. NDA Required


A LOGS-ONLY APPROACH TO DETECTION ISN’T WORKING

Source: Verizon Data Breach Investigations Report

99% – percent of successful attacks that went undiscovered by logs

83% – percent of incidents that took weeks or more to discover


DEFENDER’S CHALLENGES

Existing strategies & controls are failing

Attackers are becoming more sophisticated

The attack surface is expanding

Tools & processes must adapt to today’s threats

Teams need to increase experience & efficiency

Security teams need comprehensive visibility from endpoint to cloud


RESOURCE SHIFT NEEDED: BUDGETS & PEOPLE

Today’s Priorities:   Prevention 80% | Monitoring 15% | Response 5%

Future Requirements:  Prevention 33% | Monitoring 33% | Response 33%


RSA ADVANCED SOC PLATFORM: ENABLING DEFENDERS

[Diagram: Detect and Respond across Network, Endpoint and Logs, fed by RSA Live; products: RSA Security Analytics, RSA Advanced Cyber Defense, RSA Incident Response, RSA SecOps.]


RSA ECAT


TOP ENDPOINT SECURITY CHALLENGES

Slow & Partial Analysis

• Lack tools & resources

• Manual and labor intensive

• Siloed Views

Invisible Infected Endpoints

• Over-reliance on signatures

• Network alone not enough

• Lack deep endpoint visibility

Unknown Scope / Lack of Response

• Increased attacker dwell time

• Elevated risk of data loss

• Limited resources

Source: ESG & VDBIR 2015


SOLUTION

Quickly expose endpoint threats – Signature-less

Analyze and confirm faster – Prioritizes alerts

Instantly determine scope and take action – Answers scope

Integrate endpoint with network data – Complete visibility


RSA ECAT OVERVIEW

• Detect by behavior of malware rather than a signature

• Deep endpoint visibility & real-time alerting

• Intelligent risk level scoring system to prioritize threats

• Confirm infections quickly & block with precision in real time

ECAT workflow: Scan → Monitor & Alert → Analyze → Take Action


HOW RSA ECAT WORKS

RSA LIVE INTELLIGENCE: Threat Intelligence | Feeds | RSA Research

ECAT Server

Agent

• Endpoints, Servers, VMs

• Windows, Linux & Mac OS

• Monitors for suspicious activity

• Scans for full system inventory

• Identifies all executables, DLLs, drivers, etc.

• Low system impact (2MB on disk, 10-20MB in memory)

Server

• Analyzes scan data & flags anomalies

• Maintains repository for global correlation

• Automatically downloads unknown files for additional analysis

• Easily scales: 50K agents per server
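The server-side step the slide describes (inventory scans from many agents, a global repository, unknown files pulled for analysis) comes down to fleet-wide prevalence: a binary that exists on one host out of thousands, is unsigned and has never been seen before is worth a closer look regardless of signatures. The following is an added example, not RSA ECAT's code; the scan records, the placeholder hash strings and the known-good set are constructed, and the `max_hosts` rarity threshold is an assumed value.

```python
"""Fleet-wide prevalence check over endpoint scan inventories (added example)."""
from collections import defaultdict

# Constructed scan results from four endpoints: (host, path, file_hash, signed).
# The hash column holds placeholder labels, not real digests.
SCANS = [
    ("ws-017", r"C:\Windows\System32\svchost.exe", "HASH-svchost-v1", True),
    ("ws-017", r"C:\Users\jdoe\AppData\Local\Temp\upd.exe", "HASH-upd-unknown", False),
    ("ws-017", r"C:\Program Files\Corp\agent.exe", "HASH-agent-v3", True),
    ("ws-021", r"C:\Windows\System32\svchost.exe", "HASH-svchost-v1", True),
    ("ws-021", r"C:\Program Files\Corp\agent.exe", "HASH-agent-v3", True),
    ("ws-034", r"C:\Windows\System32\svchost.exe", "HASH-svchost-v1", True),
    ("ws-034", r"C:\Program Files\Corp\agent.exe", "HASH-agent-v3", True),
    ("ws-034", r"C:\Users\asmith\Downloads\setup.exe", "HASH-setup-known", True),
    ("ws-042", r"C:\Windows\System32\svchost.exe", "HASH-svchost-v1", True),
    ("ws-042", r"C:\Program Files\Corp\agent.exe", "HASH-agent-v3", True),
]

# Server-side repository of hashes that have already been analysed (constructed).
KNOWN_GOOD = {"HASH-svchost-v1", "HASH-agent-v3", "HASH-setup-known"}


def build_repository(scans):
    """Global correlation tables: which hosts and which paths each hash was seen at."""
    hosts_by_hash, paths_by_hash = defaultdict(set), defaultdict(set)
    for host, path, file_hash, _signed in scans:
        hosts_by_hash[file_hash].add(host)
        paths_by_hash[file_hash].add(path)
    return hosts_by_hash, paths_by_hash


def flag_anomalies(scans, known_good=KNOWN_GOOD, max_hosts=1):
    """Flag hashes that are unknown to the repository, rare across the fleet, or unsigned."""
    total_hosts = len({host for host, *_ in scans})
    hosts_by_hash, paths_by_hash = build_repository(scans)
    signed_by_hash = {file_hash: signed for _, _, file_hash, signed in scans}
    flagged = []
    for file_hash, hosts in hosts_by_hash.items():
        reasons = []
        if file_hash not in known_good:
            reasons.append("unknown hash")
        if len(hosts) <= max_hosts < total_hosts:
            reasons.append(f"rare: {len(hosts)}/{total_hosts} hosts")
        if not signed_by_hash[file_hash]:
            reasons.append("unsigned")
        if reasons:
            flagged.append({"hash": file_hash, "hosts": sorted(hosts),
                            "paths": sorted(paths_by_hash[file_hash]), "reasons": reasons})
    # Most reasons first: the analyst's triage order.
    return sorted(flagged, key=lambda f: -len(f["reasons"]))


def download_queue(scans, known_good=KNOWN_GOOD):
    """Hashes absent from the repository; these are the files pulled back for analysis."""
    return sorted({file_hash for _, _, file_hash, _ in scans} - known_good)


if __name__ == "__main__":
    for finding in flag_anomalies(SCANS):
        print(finding["hash"], finding["hosts"], finding["reasons"])
    print("queue for analysis:", download_queue(SCANS))
```

Note that the known but rare `setup.exe` is still surfaced, with one reason, while the unknown unsigned temp-directory binary collects three; ranking by reasons rather than by any single signal is what keeps a rare-but-legitimate installer from drowning out the real finding.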


RSA Security Analytics


RSA SECURITY ANALYTICS ARCHITECTURE


OUT-OF-THE-BOX CONTENT EXAMPLES

Intelligence feeds: APT Domains | Suspicious Proxies | Malicious Networks | Threat blacklists | 0-day identifiers

275+ correlation rules: Data exfiltration | Identity & access anomalies | Unusual connections | Endpoint & network activity | Reconnaissance detection

90+ reports: Compliance templates | Network activity | Operations | Suspicious behavior | User activity

375+ log & network parsers: Abnormal .exe files | Packers | Instant Messenger traffic | Botnets | SQL injection


ADVANCED ANALYTICS ENGINE

LEADING INDICATORS OF A PLANNED C2 EXPLOIT

• Real-time Analytics – Data Science algorithms
  – Scores on multiple C2 behavior indicators
  – Utilizes streaming HTTP activity

• Low False Positives
  – Learns from ongoing and historical activity
  – Supervised whitelisting option

Indicators combined into a Suspicious Domains aggregate score: Beaconing Behavior | Rare Domains | Rare User Agents | Missing Referrers | Domain Age (WhoIS)
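The five indicators above are individually weak (plenty of legitimate software beacons, and every new SaaS domain is young once) but become useful when scored together per host/domain pair and gated by an analyst whitelist. The block below is an added example, not RSA's analytics engine: it scores HTTP proxy records on beaconing regularity, domain and user-agent prevalence across hosts, missing referrers and domain age, sums them with weights and applies a supervised whitelist. The weights, thresholds, sample records, host names and the `domain_age_days` column (standing in for a WhoIS lookup) are all constructed assumptions.

```python
"""Aggregate C2 indicator scoring over HTTP proxy records (added example)."""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Relative weight of each indicator in the aggregate score (assumed values).
WEIGHTS = {"beaconing": 3, "rare_domain": 2, "rare_user_agent": 2,
           "missing_referrer": 1, "domain_age": 2}
ALERT_THRESHOLD = 6.0
# Supervised whitelist: domains an analyst has reviewed and approved.
WHITELIST = {"cdn.example-corp.com"}

UA_FF = "Mozilla/5.0 (Windows NT 6.1; rv:44.0) Gecko/20100101 Firefox/44.0"
UA_OLD = "Mozilla/4.0 (compatible; MSIE 6.0)"
UA_UPD = "CorpUpdater/2.1"
REF_SEARCH = "https://search.example.com/"

# Constructed sample proxy records: (timestamp, host, domain, user_agent,
# referrer, domain_age_days). "-" means the request carried no referrer.
SAMPLE_LOG = [
    ("2016-03-01 09:00:00", "ws-017", "upd-srv.example-bad.net", UA_OLD, "-", 12),
    ("2016-03-01 09:05:01", "ws-017", "upd-srv.example-bad.net", UA_OLD, "-", 12),
    ("2016-03-01 09:10:00", "ws-017", "upd-srv.example-bad.net", UA_OLD, "-", 12),
    ("2016-03-01 09:14:59", "ws-017", "upd-srv.example-bad.net", UA_OLD, "-", 12),
    ("2016-03-01 09:20:00", "ws-017", "upd-srv.example-bad.net", UA_OLD, "-", 12),
    ("2016-03-01 09:01:13", "ws-017", "news.example.com", UA_FF, REF_SEARCH, 5400),
    ("2016-03-01 09:02:40", "ws-021", "news.example.com", UA_FF, REF_SEARCH, 5400),
    ("2016-03-01 09:03:05", "ws-021", "mail.example.com", UA_FF, "-", 5400),
    ("2016-03-01 09:07:22", "ws-034", "news.example.com", UA_FF, REF_SEARCH, 5400),
    ("2016-03-01 09:00:00", "ws-034", "cdn.example-corp.com", UA_UPD, "-", 20),
    ("2016-03-01 09:30:00", "ws-034", "cdn.example-corp.com", UA_UPD, "-", 20),
    ("2016-03-01 10:00:00", "ws-034", "cdn.example-corp.com", UA_UPD, "-", 20),
    ("2016-03-01 10:30:00", "ws-034", "cdn.example-corp.com", UA_UPD, "-", 20),
    ("2016-03-01 09:09:51", "ws-042", "news.example.com", UA_FF, REF_SEARCH, 5400),
    ("2016-03-01 09:11:30", "ws-042", "mail.example.com", UA_FF, "https://news.example.com/", 5400),
    ("2016-03-01 09:12:08", "ws-055", "mail.example.com", UA_FF, "-", 5400),
]


def beaconing_score(timestamps):
    """1.0 when four or more requests arrive at near-constant intervals."""
    if len(timestamps) < 4:
        return 0.0
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return 0.0
    # Coefficient of variation of the inter-request gaps: low jitter means a beacon.
    return 1.0 if pstdev(gaps) / avg < 0.1 else 0.0


def prevalence_score(n_hosts, total_hosts):
    """1.0 when a domain or user agent is seen on at most 20% of hosts."""
    return 1.0 if n_hosts / total_hosts <= 0.2 else 0.0


def missing_referrer_score(referrers):
    """1.0 when at least 80% of the requests carry no referrer."""
    missing = sum(1 for r in referrers if r == "-")
    return 1.0 if missing / len(referrers) >= 0.8 else 0.0


def domain_age_score(age_days):
    """Young domains score high; anything registered over 90 days ago scores zero."""
    return 1.0 if age_days < 30 else 0.5 if age_days < 90 else 0.0


def score_sessions(records, whitelist=WHITELIST):
    """Return {(host, domain): {"score": float, "indicators": {...}}}."""
    rows = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), h, d, ua, ref, age)
            for ts, h, d, ua, ref, age in records]
    all_hosts = {r[1] for r in rows}
    hosts_by_domain, hosts_by_ua = defaultdict(set), defaultdict(set)
    by_pair = defaultdict(list)
    for ts, host, domain, ua, ref, age in rows:
        hosts_by_domain[domain].add(host)
        hosts_by_ua[ua].add(host)
        by_pair[(host, domain)].append((ts, ua, ref, age))
    results = {}
    for (host, domain), reqs in by_pair.items():
        if domain in whitelist:  # supervised whitelisting: analyst-approved, not scored
            results[(host, domain)] = {"score": 0.0, "indicators": {}}
            continue
        top_ua = Counter(ua for _, ua, _, _ in reqs).most_common(1)[0][0]
        indicators = {
            "beaconing": beaconing_score([ts for ts, *_ in reqs]),
            "rare_domain": prevalence_score(len(hosts_by_domain[domain]), len(all_hosts)),
            "rare_user_agent": prevalence_score(len(hosts_by_ua[top_ua]), len(all_hosts)),
            "missing_referrer": missing_referrer_score([ref for _, _, ref, _ in reqs]),
            "domain_age": domain_age_score(reqs[0][3]),
        }
        score = sum(WEIGHTS[k] * v for k, v in indicators.items())
        results[(host, domain)] = {"score": score, "indicators": indicators}
    return results


def alerts(records, threshold=ALERT_THRESHOLD):
    """(host, domain) pairs whose aggregate score reaches the threshold, highest first."""
    scored = score_sessions(records)
    hits = [(pair, v["score"]) for pair, v in scored.items() if v["score"] >= threshold]
    return sorted(hits, key=lambda item: -item[1])


if __name__ == "__main__":
    for pair, score in alerts(SAMPLE_LOG):
        print(pair, score, score_sessions(SAMPLE_LOG)[pair]["indicators"])
```

In the constructed sample only the ws-017 to upd-srv.example-bad.net pair crosses the threshold: it beacons every five minutes with a user agent no other host uses, never sends a referrer, and the domain is twelve days old. The corporate updater on ws-034 shows the same beaconing pattern, a rare user agent and a young domain, which is exactly the false positive the supervised whitelist exists to suppress; a single direct visit to the mail host with no referrer scores one point and stays well below the line.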


PRIORITIZED ACTION

[Diagram: LOGS, PACKETS, ENDPOINT and NETFLOW from OnPrem and Cloud sources, enriched by LIVE, feed Alerts, Investigation, Workflow and GRC.]


RSA Security Operations Management (SecOps)


SOC CHALLENGE - EVENT-FOCUSED, REACTIVE

No Centralization of Alerts | Lack of Centralized Incident Management | Lack of Context | Lack of Process | Lack of Best Practices


RSA SECURITY OPERATIONS MANAGEMENT

RSA SecOps domains: Framework & Alignment | People | Process | Technology | Incident Response | Breach Response | SOC Program Management


RSA SECOPS

RSA SecOps: Aggregate Alerts to Incidents | Incident Response | Breach Response | SOC Program Management | Dashboard & Report

RSA Archer Enterprise Management (Context) | RSA Archer Enterprise Risk | BCM (Optional)

Inputs from 3rd Party Systems: ALERTS | CONTEXT | LAUNCH FOR INVESTIGATIONS


SOC MANAGER / CISO DASHBOARD


Beyond Technology: Consulting


THE ADVANCED SOC

Tier 2 Analyst

Tier 1 Analyst

Threat Intelligence Analyst

SOC Manager

Analysis & Tools Support Analyst


RSA ADVANCED CYBER DEFENSE SERVICES: DEVELOP AND MATURE A PORTFOLIO FOR ONGOING COMPETITIVE ADVANTAGE

ASOC Design & Implementation: ASOC Strategy, Design & Program Development | Technology & Operations Buildout | Residencies, Support & Training

Security Operations Management: SecOps Strategy & Management | Use Case Development | Incident Response Procedures

Incident Response: Retainer | Incident Discovery | Incident Response | IR Hunting Services | Breach Management

Cyber Readiness & Capability Roadmap: Current State & Gap Analysis | Maturity Modeling | Breach Readiness Roadmap | Net Defender (Cyber Security Framework)

Cyber & Counter Threat Intelligence: Program Development | Web & E-mail Threat Operations | Best Practices


DEFENDER’S CHALLENGES

Existing strategies & controls are failing

Attackers are becoming more sophisticated

The attack surface is expanding

Tools & processes must adapt to today’s threats

Teams need to increase experience & efficiency

Security teams need comprehensive visibility from endpoint to cloud

Security Analytics | ECAT | Advanced Cyber Defence | SecOps
