BUILDING AN INTELLIGENCE-DRIVEN SECURITY OPERATIONS CENTER

RSA Technical Brief

KEY POINTS

• Cyber attacks and intrusions are almost impossible to prevent, given the openness of today's networks and the growing sophistication of advanced threats. In response, the practice of cyber security should focus on ensuring that intrusion and compromise do not result in business damage or loss.

• Organizations need to shift more security resources from preventing intrusion toward rapid threat detection and remediation.

• Improving threat detection and response requires an intelligence-driven security approach, which helps organizations use all available security-related information from both internal and external sources to detect hidden threats and even predict future ones.

• Optimizing how security technologies, personnel and processes work together is pivotal to scaling security capabilities to the mounting risks posed by advanced cyber threats—all while delivering efficiency and value back to the organization.

• Technology automation can help analysts make the most of their time by slashing the workload for closing routine, lower-level incidents. Automation frees up analysts to focus on higher-priority risks affecting the organization's most critical assets.

• Configuring security processes to automate repetitive tasks and integrate related workflows is potentially the most beneficial step that security operations centers (SOCs) can take to boost productivity, enforce policies and implement best practices for threat detection and response.

• SOCs will need to build collaborative, cross-disciplinary teams with highly specialized skill sets to combat advanced cyber threats. The security industry, however, faces a serious shortage of skills and qualified personnel. Leveraging the latest technology for time-saving automation and supplementing in-house capabilities with outsourced expertise can help organizations manage skill and resource gaps.

• Results from best-in-class security operations teams illustrate the impact of optimizing the interplay of people, processes and technologies in security operations. By aligning behind an intelligence-driven security program, leading organizations can achieve results such as reducing the average time for resolving incidents by up to 60 percent.

February 2013


DESCRIPTION

This white paper describes how an intelligence-driven security operations center (SOC) improves threat detection and response by helping organizations use all available security-related information from both internal and external sources to detect hidden threats and even predict new ones.


Contents

Leveling the Threat Landscape with Big Data Analytics ............ 3
Aligning People, Process and Technology to Scale Security to Threats ............ 4
    Technology Alignment: Big Data and Automation ............ 4
    Process Alignment: the Greatest Productivity Driver ............ 6
    People Alignment: New Skills Needed ............ 7
Intelligence-driven Security at Work ............ 8
    Converged Organization for Managing Risk and Security ............ 8
    Converged Infrastructure for Security Monitoring and Management ............ 8
        Automating the Use of Intelligence and Incident Data ............ 9
        Automating Big Data Collection ............ 11
        Automating Host-based Analytics ............ 11
    EMC Outcomes in Aligning Behind Intelligence-Driven Security ............ 12
Appendix: Intelligence-driven Security Solutions from RSA ............ 13

Perfection in security—the no-breach goal—is not only impossible but also impractical. That's because sophisticated adversaries have learned to craft their attack techniques to get around preventive security measures such as antivirus, firewalls and passwords. Adversaries also take great care to cover their tracks and stay hidden within IT environments, sometimes for weeks or even months after gaining entry. The complexity of most enterprise IT environments, combined with the prevalence of cloud and mobile services and the expanding accessibility of enterprise networks to outside parties, gives attackers many places to hide and even more points of potential intrusion.

Despite rising cyber risks and attacks, security teams face persistent budget and resource constraints in protecting the organization's prized information assets. Security spending as a percentage of IT spending has gone from 6.0% in 2008 to 5.6% in 2012, according to a Gartner report that benchmarks security expenditures and staffing.¹ In the same report, Gartner reported declines in security spending from $636 per employee in 2008 to $577 per employee in 2012. These trends indicate that security teams must learn to do more with less.

Most security spending is still invested in a multitude of perimeter-based, prevention-focused tools that advanced cyber attacks have made largely obsolete. Cyber security's most pressing goal, now and for the foreseeable future, should be to prevent business damage or loss, not to prevent intrusion and compromise.

The best way to prevent business damage is to detect and remediate cyber attacks quickly. To do this, organizations should allocate a greater share of their security investments to enhancing capabilities in threat detection and response. First, they must gain full visibility into what's happening in their IT environments. Then, they must expand their view to include outside threat intelligence. Organizations will have to learn to use new types of security data—and much more of it.

¹ Gartner Inc., "IT Key Metrics Data 2013: Key Information Security Measures: Multiyear" (14 Dec. 2012), pp. 7–10


LEVELING THE THREAT LANDSCAPE WITH BIG DATA ANALYTICS

A new generation of security tools uses innovative techniques to collect and analyze massive amounts of data: data from PCs, mobile devices and servers; data from internal networks, including the composition and content of network packets; and threat intelligence about attacks on other organizations and the tools and methods used. In addition to analyzing these traditional information sources, "big data" security tools also can ingest information from non-traditional sources such as building key card scanners, personnel records and even Microsoft Outlook® calendars. Such data may be used, for instance, to assess the legitimacy of remote log-ins by employees.

The heightened visibility provided by the big data capabilities of new security analytics platforms creates unprecedented opportunities to identify anomalies, uncover evidence of hidden threats or even predict specific, imminent attacks. More data creates a richer, more granular view: it presents the threat landscape in high definition, as opposed to grainy black-and-white. Security-related details can be seen in sharper focus and irregularities can be found faster. Also, because security analytics platforms integrate threat intelligence from outside sources, organizations see the threat landscape as a panorama, not just from the narrow aperture of their own internal IT environments.

Enhanced visibility will lead to enhanced security capabilities, vastly expanding options for how security operations centers (SOCs) act and respond to prospective threats. Technology advancements in big data and security analytics systems are beginning to deliver "imagine if" capabilities. The bounds of what's imaginable are now being explored by security operations professionals and business leaders together.

For organizations concerned about advanced cyber threats, these "imagine if" scenarios often focus on injecting better intelligence and context into security practices. For example, if we apply new analytic approaches to historical data, what could we learn? What do the cyber attacks we've encountered tell us about our business and operational risks? If we add new log sources or external intelligence feeds to our data warehouse, what patterns could we look for that we couldn't even imagine seeing before? What types of intelligence might help us hunt down threats faster?

The Security for Business Innovation Council, a group of top security executives from Global 1000 enterprises, advises organizations to take a data-intensive approach called "intelligence-driven security" to protecting critical information and business assets.² Intelligence-driven security practices help organizations use all the security-related information available to them, both internally and externally, to detect hidden threats and even predict future ones. Intelligence-driven security calls for organizations to reduce their reliance on perimeter defenses and signature-based scanning tools, which only identify modes of attack that have been encountered in the past. Instead, organizations should look for suspicious activities and patterns atypical for their environment—subtle indicators much harder to detect than matching a malware signature.

Implementing intelligence-driven security will require SOCs to examine their organizations as a holistic system and to bring security tools, processes and personnel into tight alignment. Aligning people, processes and technology in and around a SOC is essential to scaling security capabilities to the mounting risks posed by advanced cyber threats—and to do it within perennial time and budget limitations.


² For guidance on implementing intelligence-driven security programs, please read the Security for Business Innovation Council's report "Getting Ahead of Advanced Threats: Achieving Intelligence-driven Information Security" on EMC.com.


ALIGNING PEOPLE, PROCESS AND TECHNOLOGY TO SCALE SECURITY TO THREATS

The complex interplay among people, process and technology in security operations makes it challenging to adjust any one element without also adjusting the others. Harmonizing tools, skills and methodology in security operations is essential to providing defense-in-depth and to protecting the organization's critical information assets. Additionally, perfecting the people-process-technology triad can unlock operational efficiencies by automating routine tasks and streamlining workflows. The result is that security analysts will spend far less time tracking down information for an investigation or researching the status of an incident. Instead, they can focus their time on enriching intelligence sources, uncovering subtle irregularities in their IT environments that point to serious problems, or hunting down covert threats faster.

Putting the right mix of technologies in place that work well together as part of an intelligence-driven security program can be challenging. Nevertheless, the technologies now available to SOCs may be the most mature piece in the people-process-technology triad. While new tools such as security analytics platforms hold great promise, they're only as good as the people using them and the operational best practices put in place to help the larger organization work effectively and efficiently together.

From consulting with hundreds of customer organizations, RSA believes people and process are often harder to align behind an intelligence-driven security approach than the technology. That's because developing, testing and instituting new procedures for managing and responding to security incidents takes specialized expertise and time. It also takes time for security operations personnel to learn their organization's critical business processes well enough to defend them from attack.

Optimizing the interplay of people, process and technology will be different for every SOC, depending on the unique conditions and needs of their organizations. Regardless, common guidelines can apply to most SOCs striving to implement an intelligence-driven security approach.

Technology Alignment: Big Data and Automation

When aligning technology to an intelligence-driven security program, a good starting point is to take stock of the organization's existing security tools and information assets. Is the organization making the most of what it has? How effective are technical assets in serving their intended functions?

After an initial technology inventory comes an exploration of how security could be improved if new capabilities were added. Apart from acquiring new tools, new capabilities can sometimes be derived by using existing data in new ways. Capabilities expansion could also be a matter of extending the SOC's visibility into the organization's networks, both internal and external. What additional instrumentation is needed to monitor remote or outsourced environments? How could technologies be adjusted or added to expand visibility or to provide valuable context for assessing an incident?


In general, as SOCs consider enhancing their capabilities, they should prioritize investments fulfilling the following technology requirements of an intelligence-driven security program:

• Scalable analytics engines capable of querying vast volumes of fast-changing data in real time across vectors such as geography, network partitions and databases

• Consolidated warehouse for security data so all sources are made available for query through one place, either as a unified repository or, more likely, as a cross-indexed series of data stores

• Centralized management dashboard to conduct and coordinate incident investigations and to manage incident response (e.g., blocking network traffic, quarantining systems or requiring additional verification of user identity)

• Flexible data architecture that allows information from many sources in many different formats to be captured, indexed, normalized, analyzed and shared

• Automated data normalization so analytics engines can ingest and work with highly diverse data types with minimal human intervention

• Pattern-based monitoring techniques that continuously examine high-value systems and information assets to identify threats based on behavior and risk models, not on static threat signatures

• Rich correlation of incident information so that data relevant to incident investigations automatically populate security management consoles, minimizing the amount of time analysts must spend collecting information and assessing incidents

• Full network packet capture enabling security analysts to reconstruct sessions in sufficient detail to make sense of what happened and what corrective actions should be taken

• External threat intelligence services that aggregate information from many trustworthy, relevant sources and present them in machine-readable forms that can be correlated with and analyzed alongside internal data with minimal human intervention

• Active countermeasures and controls such as requiring additional user authentication, blocking data transmissions or facilitating analysts' decision-making when high-risk activity is detected

• Integrated compliance management process that archives long-term security data through a distributed computing architecture and provides built-in compliance reports for a multitude of regulatory regimes


Process Alignment: the Greatest Productivity Driver

Designing security operations processes to automate repetitive tasks and integrate related workflows is potentially the most beneficial thing that SOCs can do to boost productivity, enforce policies and implement best practices for threat detection and response. That's because, in RSA's experience, process is typically the most immature and inefficient part of most SOCs' people-process-technology triad.

RSA recommends tight integration of processes and workflows. For example, incident management should be directly linked to incident response, and data sources should all feed into an integrated analytics and security management platform so analysts can see everything through a "single pane of glass" and derive better intelligence and context for incident investigations.

Process integration eliminates many routine steps, such as copying-and-pasting incident information, that go along with manually joining disparate security operations workflows. Integration also reduces opportunities for error, because activities for complex processes such as incident response can be programmed to follow a deterministic sequence of actions based on best practices. Finally, process integration can facilitate cooperation among different parts of the business—among audit, information security and compliance, for example—and help organizations create a unified view of conditions and risks throughout the organization.

Process alignment is a closed-loop function. As SOCs redesign, test and implement processes, they take what they've learned to improve subsequent strategies and implementations. Because iterations breed improvement and best practices, many organizations enlist the help of outside consultants when embarking on major process changes in security operations. Inherent in the serial nature of consulting engagements is the continual refinement of best practices, and SOCs can benefit immediately from consultants' experience in designing and implementing security process improvements for other organizations.

In RSA's experience consulting to hundreds of enterprises, implementing an intelligence-driven security approach involves optimizing these processes:

• Breach readiness assessments to gauge the organization's current security state and increase operational maturity by designing, testing and practicing breach management and response

• Cyber threat intelligence processes to model threats and to develop best practices and procedures for proactively identifying threat vectors and anomalies in large volumes of data

• Incident response and discovery workflows to improve visibility into enterprise networks and to minimize the average time needed to detect a breach

• Breach management automation to refine processes and program procedures for a closed-loop incident handling process marked by continuous learning and improvement

• Identity, infrastructure and information controls focusing on privileged account management, secure communications, information rights/data classification and post-breach remediation and security


People Alignment: New Skills Needed

In a survey conducted by Enterprise Strategy Group, more than half (55%) of responding organizations said they planned to add security headcount in 2012, yet 83% said it was difficult to recruit and hire security professionals.³ One of the ways to deal with the skills shortage in today's "do more with less" financial climate is to align process and technology to reduce analysts' routine workloads so analysts can focus on more advanced tasks. In RSA's experience, tools and process automation can slash the workload and time requirements for analysts sorting through routine, lower-level threats. In practice, RSA has seen SOCs with five analysts outperform SOCs with 25 analysts through tools and process optimization.

The techniques used in APTs and other advanced cyber attacks can be so complex that it takes cross-disciplinary teams with highly specialized security skills to detect, dissect and disable the threat. To address advanced cyber threats, SOCs will need to build collaborative teams comprising the following skills, either by cultivating the expertise in-house or by supplementing with outsourced experts:

• Forensics knowledge, especially in methodologies for collecting, maintaining, analyzing and reusing large repositories of data from networks and hosts/endpoints

• Proficiency in coding, scripting and protocols to help analyze vulnerabilities, debug systems and reverse malware

• Managing threat intelligence, especially cultivating and tracking multiple external intelligence sources and bringing relevant threat research back into the organization in a useful way

• Breach management, which includes coordinating the organization's response to crises and providing disclosures to outside parties

• Penetration testing to discover potential vulnerabilities in the IT environment resulting from poor system configuration, hardware or software flaws or operational deficiencies

• Data analysts who understand business risks and cyber-attack techniques in sufficient depth to develop analytical models that detect hidden threats and even predict cyber attacks

Security personnel will need to develop an investigative mindset: seeing the organization's assets and vulnerabilities as their adversaries do to anticipate attack techniques and devise countermeasures. Analysts will also have to hone hunting instincts: stalking adversaries within the IT environment, instrumenting tripwires to detect attackers' presence and setting traps such as honeypots to catch them.

In addition to building the SOC's technical and investigative capabilities, security operations teams should also cultivate communication skills within their ranks. Developing soft skills within the team can help the SOC build useful linkages to other organizations, whether it's informal information-sharing partnerships with other SOCs or fostering C-suite support for security operations programs.


³ Enterprise Strategy Group, "Security Management and Operations: Changes on the Horizon" (July 2012), pp. 19–20


INTELLIGENCE-DRIVEN SECURITY AT WORK

EMC Corporation's Global Security Organization (GSO) illustrates the impact of optimizing the interplay of people, processes and technologies in security risk management. EMC practices continuous improvement of the tools, skills and processes comprising its security operations. The company aims to achieve a holistic view of the enterprise – both physical and digital – to gain a better understanding of risk trends and threats throughout the company.

Converged Organization for Managing Risk and Security

EMC has built a converged security organization characterized by close collaboration among its Information Security, Risk Management, Customer Security Management and Corporate Protection and Investigation groups. By combining these organizations under a single umbrella, EMC is able to analyze metrics and trends to achieve a view of risk throughout the whole organization. For instance, if the Corporate Protection and Investigation team identifies repeated instances of intellectual property (IP) theft, the Information Security group can study those instances to create controls preventing future IP loss.

Converged Infrastructure for Security Monitoring and Management

To support this converged risk and security strategy, EMC built a state-of-the-art Critical Incident Response Center (CIRC). The EMC CIRC combines workflow and data from across the global organization and creates a central point for monitoring and enforcing the safety and integrity of the company's information assets. EMC's CIRC aggregates logs from more than 1,400 security devices and 250,000 end nodes distributed globally across 500 physical sites.

Within the CIRC, a team of highly skilled analysts continuously monitors EMC's global IT and security environments, responding to threats and vulnerabilities ranging from malware and data leakage to physical security incidents such as threats of violence and equipment theft. With this single integrated view of the global enterprise, security analysts can provide advice and guidance to EMC management – providing a critical feedback loop for continuously improving the company's security posture.

The EMC CIRC is built predominantly on technologies and best practices developed by RSA. While many technology tools are used within the CIRC, at the heart are the RSA Archer® GRC platform and the RSA® Security Analytics solution. These two systems integrate data from many other tools, providing CIRC personnel with a single big data repository and a central management console for security analytics. (See Figure 1.) The integration of the RSA Archer GRC platform with RSA Security Analytics streamlines many security operations workflows, helping the EMC CIRC accelerate investigations and reduce the time needed to close incidents.


Automating the Use of Intelligence and Incident Data

Hundreds of alerts are generated each day for review by the EMC CIRC. Before an alert is presented to security analysts for investigation, RSA Archer technology and RSA Security Analytics automatically collect and correlate a rich variety of data related to the incident. Several processes and technologies have been engineered to integrate contextual data and intelligence into threat detection and response processes.


Figure 1: Unified Platform for Data Analytics and Security Management

The figure shows the flow between RSA Security Analytics, RSA Archer and the SOC analyst: RSA Security Analytics generates alerts found through correlations and analyses; RSA Archer provides supplemental data from Archer sources related to the incident and compiles enriched incident data to present to the analyst.

RSA Security Analytics:
• Captures massive volumes of diverse, fast-changing data related to security
• Performs contextual analysis and correlations, pivoting on terabytes of data in real time
• Fuses external threat intelligence with internal data, reducing blind spots
• Archives huge volumes of data for compliance and for forensic analysis

RSA Archer:
• Presents alerts with enriched incident data
• Consolidates all incident data
• Manages the investigation process, creating and tracking incident-related requests
• Tracks incident resolution
• Maintains detailed incident history and audit trail
• Conducts impact/risk assessments of incidents

Data sources (Archer): Contacts (Active Directory); Facilities (IP Address Management); Devices (Asset DB)

External intelligence feeds: External Threat Feeds; Threat Indicator Portal (for internal IoCs); RSA FraudAction™ Feed; RSA NetWitness® Live Feeds; RSA CCIS; IP Geo Data

Internal feeds: Firewalls; Intrusion Detection Sensors; Intrusion Prevention Systems; Proxies; Web Application Firewalls; Active Directory; Exchange; AAA Servers; Wireless LAN Controllers; Routers; Anti-virus; Data Loss Prevention (DLP); Full Network Packets; HR User Data; Logon Data (Active Directory); End Point IPS Data; Web Logs


EMC's CIRC has developed a threat indicator management system to assimilate advanced-threat intelligence artifacts derived from public and private intelligence sources, intelligence sharing partnerships, and the CIRC's own Advanced Analysis and Cyber Threat Intelligence functions. The indicators of compromise (IOCs) in this system run the spectrum from known hostile domains and IP addresses to communication characteristics such as strings and elements of hostile email messages, including email headers.

IOCs are classified by severity and automatically integrated into the RSA Security Analytics platform as a capture feed, generating specific metadata tags. For example, a known advanced-threat domain tagged in the threat management system will generate a "Severity 1" metadata tag (the highest priority rating) for any activity to that domain found by RSA Security Analytics. Alerts for these metadata tags are designed to channel through the RSA Archer security management console to facilitate a near real-time response by the CIRC.

But before the alert is even presented to security analysts, additional data elements that can provide valuable context about the threat are retrieved from the CIRC's centralized security database. This provides the analyst with all available artifacts related to the incident and to the source and destination endpoints. The example in Figure 2 illustrates how this data enrichment process and integrated approach to alerting provides the EMC CIRC with the details necessary to rapidly analyze and respond to critical incidents.

Figure 2: Automated Enrichment of Event Data

Basic event info (data enrichment coordinated by RSA Security Analytics):
Incident 12345; Date: 01 February 2012; Alert: Attempted SSL Connection to suspicious IP range; Source IP: 10.10.11.11; Destination IP: 201.200.100.10; Domain: badsite.info

External data enrichment (event generated for destination IP 201.200.100.10):
• Query domain/IP lookup tools → Registrant: Mobel Sergei; Register Date: 12-Oct-2012; Location: Hac, Serbia
• Query reputation services and malicious site lookups → Domain: www.badsite.info; site linked to previous malicious activities
• Resulting event data: Destination IP: 201.200.100.10; Location: Hac, Serbia; Domain: www.badsite.info; Registrant: Mobel Sergei; Register Date: 12-Oct-2012

Internal data enrichment (event generated for source IP 10.10.11.11):
• Query DHCP* for hostname → Hostname equals "smithj_pc"
• Query for last user logged in to "smithj_pc"
• Query employee database for details for jsmith
• Resulting event data: Source IP: 10.10.11.11; Hostname: smithj_pc; Username: jsmith; Owner: John Smith; OS: Windows 7; Last log-in: 01 Feb 2013, 10:05:05; Location: Atlanta; Functional Org: Finance
* Other sources may also be applicable

Enriched event info (presented through RSA Archer console):
Incident 12345; Date: 01 February 2012; Severity: 1 Known Hostile C2; Alert: Attempted SSL Connection to Suspicious IP Range
Source IP: 10.10.11.11; Network Location: Atlanta; Log-in time: 01 February 2012 10:05:05; Hostname: smithj_pc; Owner: John Smith; Operating System: Windows 7; Critical Asset: YES; Functional Org: Finance
Destination IP: 201.200.100.10; Location: Hac, Serbia; Domain: www.badsite.info; Domain registrant: Mobel Sergei; Register Date: 12-Oct-2012
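As an added illustration of the enrichment flow in Figure 2 and the severity tagging described above (example code written for this page, not RSA's or EMC's), a sparse alert is joined against constructed indicator, WHOIS, geolocation, reputation, DHCP, logon, HR and asset tables to produce the record an analyst would see. Every lookup table, field name and the triage rule are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

# Indicator feed: indicator -> (severity, description); 1 is the highest
# priority, mirroring the "Severity 1" tag in the text. Constructed values.
INDICATOR_FEED = {
    "www.badsite.info": (1, "Known Hostile C2"),
    "201.200.100.10": (1, "Known Hostile C2"),
    "203.0.113.77": (3, "Scanner"),
}
# External sources (constructed): registration, geolocation, reputation.
DOMAIN_WHOIS = {"www.badsite.info": {"registrant": "Mobel Sergei",
                                     "registered": "12-Oct-2012"}}
IP_GEO = {"201.200.100.10": "Hac, Serbia"}
REPUTATION = {"www.badsite.info": "Site linked to previous malicious activities"}
# Internal sources (constructed): DHCP lease, last logon, HR and asset records.
DHCP_LEASES = {"10.10.11.11": "smithj_pc"}
LAST_LOGON = {"smithj_pc": ("jsmith", "01 February 2012 10:05:05")}
EMPLOYEE_DB = {"jsmith": {"owner": "John Smith", "location": "Atlanta",
                          "org": "Finance"}}
ASSET_DB = {"smithj_pc": {"os": "Windows 7", "critical": True}}


@dataclass
class BasicAlert:
    """The sparse alert as emitted by network monitoring (Figure 2, basic info)."""
    incident_id: str
    alert: str
    src_ip: str
    dst_ip: str
    domain: str


def enrich_alert(a: BasicAlert) -> Dict[str, object]:
    """Join the alert against every source and return one analyst-ready record."""
    rec: Dict[str, object] = {
        "incident": a.incident_id, "alert": a.alert,
        "src_ip": a.src_ip, "dst_ip": a.dst_ip, "domain": a.domain,
    }
    # Severity: worst (lowest-numbered) indicator hit on domain or destination
    # IP; anything unknown falls to a default low priority.
    hits = [INDICATOR_FEED[k] for k in (a.domain, a.dst_ip) if k in INDICATOR_FEED]
    rec["severity"], rec["threat"] = min(hits) if hits else (4, "Unclassified")
    # External enrichment for the destination side.
    rec.update(DOMAIN_WHOIS.get(a.domain, {}))
    rec["dst_location"] = IP_GEO.get(a.dst_ip, "unknown")
    rec["reputation"] = REPUTATION.get(a.domain, "no prior record")
    # Internal enrichment for the source side: IP -> host -> user -> HR/asset.
    host = DHCP_LEASES.get(a.src_ip)
    rec["hostname"] = host
    if host:
        user, when = LAST_LOGON.get(host, (None, None))
        rec["username"], rec["last_logon"] = user, when
        rec.update(EMPLOYEE_DB.get(user, {}))
        asset = ASSET_DB.get(host, {})
        rec["os"] = asset.get("os")
        rec["critical_asset"] = asset.get("critical", False)
    return rec


def triage_order(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Queue order for analysts: Severity 1 first, then critical assets
    ahead of non-critical ones within the same severity (assumed rule)."""
    return sorted(records,
                  key=lambda r: (r["severity"], not r.get("critical_asset", False)))


if __name__ == "__main__":
    demo = BasicAlert("12345", "Attempted SSL Connection to Suspicious IP Range",
                      "10.10.11.11", "201.200.100.10", "www.badsite.info")
    for k, v in enrich_alert(demo).items():
        print(f"{k}: {v}")
```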


The EMC CIRC's data enrichment and intelligence integration capabilities help analysts focus their efforts on rapidly responding to threats, reducing exposure time to attacks and eliminating the manual collection of additional data elements correlated to incidents.

Automating Big Data Collection

Traditional SIEM and monitoring applications are limited in their ad hoc query and advanced analysis capabilities by architecture and performance concerns. EMC's CIRC addresses this challenge by streaming a mirror of all log events to a big data repository that collects approximately 1 billion records per day across 25 device types—more than 900 GB of data per day. Data in this centralized storehouse can be queried by analysts to correlate activities to threats. For example, the EMC CIRC uses its big data capabilities for basic behavioral analysis, such as detection of potential beaconing patterns within web proxy and firewall event logs. Also, as EMC's CIRC receives new security intelligence, historical activity potentially related to newly discovered threats can be analyzed to determine what damage, if any, was done. The processing power of EMC's big data platform has reduced the time to collect and make sense of security information related to a threat from several hours to minutes, shrinking exposure time significantly.
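An added example (written for this page, not EMC's code) of the kind of beaconing check the text describes over web proxy logs: constructed proxy records are grouped by source and destination, and pairs whose inter-connection intervals show little jitter are flagged for review. The log format, thresholds and sample values are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed proxy records: ISO timestamp, source IP, destination host, bytes.
# The first host talks to one site every five minutes with seconds of jitter
# in the small hours; the second shows ordinary, irregular intranet browsing.
SAMPLE_LOG = """\
2013-02-01T02:00:00 10.10.11.11 www.badsite.info 512
2013-02-01T02:05:01 10.10.11.11 www.badsite.info 514
2013-02-01T02:10:00 10.10.11.11 www.badsite.info 512
2013-02-01T02:14:59 10.10.11.11 www.badsite.info 513
2013-02-01T02:20:02 10.10.11.11 www.badsite.info 512
2013-02-01T02:25:00 10.10.11.11 www.badsite.info 512
2013-02-01T09:01:10 10.10.11.12 intranet.example 20480
2013-02-01T09:01:52 10.10.11.12 intranet.example 1024
2013-02-01T09:15:03 10.10.11.12 intranet.example 88001
2013-02-01T10:42:30 10.10.11.12 intranet.example 3300
2013-02-01T11:03:07 10.10.11.12 intranet.example 950
2013-02-01T13:20:45 10.10.11.12 intranet.example 40200
"""

Record = Tuple[datetime, str, str, int]
Pair = Tuple[str, str]


def parse_proxy_log(text: str) -> List[Record]:
    """Parse the constructed whitespace-separated format into typed tuples."""
    records: List[Record] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return records


def beacon_candidates(records: List[Record], min_events: int = 5,
                      max_jitter: float = 0.10) -> Dict[Pair, Dict[str, float]]:
    """Flag (src, dst) pairs whose connection timing looks timer-driven.

    jitter = pstdev(intervals) / mean(intervals). A check-in loop with little
    sleep randomization scores close to 0; human browsing scores well above 1.
    Payload-size regularity (size_cv) is reported as a secondary signal but is
    not required, since request sizes may be padded or varied.
    """
    by_pair: Dict[Pair, List[Tuple[datetime, int]]] = defaultdict(list)
    for ts, src, dst, size in records:
        by_pair[(src, dst)].append((ts, size))

    hits: Dict[Pair, Dict[str, float]] = {}
    for pair, events in by_pair.items():
        if len(events) < min_events:
            continue  # too few observations to call a period
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        sizes = [s for _, s in events]
        avg_gap = mean(gaps)
        jitter = pstdev(gaps) / avg_gap if avg_gap else float("inf")
        size_cv = pstdev(sizes) / mean(sizes) if mean(sizes) else 0.0
        if jitter <= max_jitter:
            hits[pair] = {"events": len(events), "period_s": round(avg_gap, 1),
                          "jitter": round(jitter, 3), "size_cv": round(size_cv, 3)}
    return hits


if __name__ == "__main__":
    for (src, dst), stats in beacon_candidates(parse_proxy_log(SAMPLE_LOG)).items():
        print(f"possible beacon {src} -> {dst}: {stats}")
```

Against a real repository the same grouping would run over a day or more of records per pair, and candidates would be cross-checked against the indicator feed and asset data before an analyst is paged.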

Automating Host-based Analytics

Traditional antivirus and host-based IDS/IPS products primarily rely on signatures to identify malware. Yet, signature-based techniques have been overwhelmed by the growth of malware and entirely bypassed by targeted attacks such as APTs and other advanced threats. While traditional malware scanning technologies will continue to have a routine role as a layer of defense in depth, they alone are simply not equal to combating today's more sophisticated threats.

Integrating behavior-based intelligence into host analysis and remediation helps fill the gaps left by signature-based tools such as AV and IDS/IPS. EMC's CIRC has deployed the RSA® Enterprise Compromise Assessment Tool (ECAT) to help monitor and protect endpoints that network monitoring or other intelligence resources have identified as potentially compromised.

RSA ECAT's approach to malware detection is highly distinctive. Malware often modifies internal operating system structures to hide its activity. By validating important internal kernel and application structures, RSA ECAT identifies anomalies that are typically generated by malware, such as hooking, kernel object modification, file/process/registry/communication hiding, etc.


As deployed within EMC's CIRC, ECAT provides the threat detection capabilities seen in Figure 3, RSA ECAT at Work.

After compromised hosts and processes have been confirmed, EMC's analysts can define the scope of the threat with a single action and from behind a single pane of glass, as RSA ECAT identifies all other hosts harboring the same malicious file or process. Security analysts can quickly use the ECAT Machine Suspect Level score to evaluate the probability of compromise: a high score indicates problems, while a low score indicates a host is probably clean. While a low score does not guarantee a clean machine, the scoring system nevertheless helps prioritize investigative workflows, resulting in faster containment and remediation for larger-scale, more serious threats.

RSA ECAT has enabled EMC's CIRC to significantly reduce host analysis time and to contain much of the workload for malware analysis and validation to the earlier triage stage of EMC's threat detection process, which is handled by EMC's more junior security analysts. EMC estimates RSA ECAT saves its CIRC approximately 30 analyst hours per high-priority incident.

EMC Outcomes in Aligning Behind Intelligence-Driven Security

By aligning people, process and technology behind an intelligence-driven security program, the EMC CIRC estimates it has slashed the average time for closing incidents by up to 60 percent.

Technology and process integration accounts for much of the efficiency gain. It eliminates many time-consuming tasks for manually gathering incident-related information and has even automated aspects of threat detection, as seen in EMC's use of RSA Security Analytics and RSA ECAT.

The automation created by technology and process integration has helped scale up the CIRC's threat detection and response capabilities, freeing up analysts to devote more of their time to higher-priority incidents. Analysts can examine all data available on prospective threats through the centralized RSA Archer security management console, accelerating analysis and decision-making.

The integration of security technologies and workflows, combined with EMC's convergence of various risk- and security-related functions under a single organizational umbrella, has helped EMC mount a faster, more efficient and complete response to attacks. This, in turn, has greatly reduced EMC's exposure time to threats and empowers EMC—with its 53,500 employees—to operate with greater confidence in the digital world.

RSA thanks Mike Gagne, Chris Harrington, Jim Lugabihl, Jeff Hale, Jason Rader, Garrett Schubert and Peter Tran for contributing their time and expertise to the development of this technical brief.

Figure 3: RSA ECAT Automates Detection of Host-based Threats

After a network alert fires, RSA ECAT is installed on suspicious hosts.
• Performs an inventory of every executable, DLL and driver in the machine
• Checks for internal structures and system anomalies indicating malware activity
• Sends the collected information to a central server for processing, comparing results with a clean baseline system
• Flags abnormal behaviors and correlates them across the entire environment
• Sends unknown files to a server for scanning using OPSWAT Metascan Antivirus
• Identifies known good files using digital signature validation and the Bit9 GSR
• Generates a Machine Suspect Level Score summarizing the probability of compromise for affected hosts
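The Figure 3 workflow and the scoping step described in the text above (one confirmed malicious file used to find every other host harboring it), as an added example that is not RSA ECAT's code. The host inventories, hash placeholders and anomaly weights are constructed for the example.

```python
"""Host scoring and threat scoping modelled on Figure 3. Added example, not RSA ECAT
code; host inventories, hashes and weights below are constructed placeholders."""
# Constructed baseline of known-good hashes (placeholders, not real hashes).
KNOWN_GOOD = {"hash-explorer", "hash-svchost", "hash-ntdll"}

# Weight per anomaly class named in the brief; the values are this example's own.
ANOMALY_WEIGHTS = {
    "hooking": 30,
    "kernel_object_modification": 40,
    "process_hiding": 40,
    "file_hiding": 25,
    "registry_hiding": 20,
}
UNKNOWN_FILE_WEIGHT = 10  # per file absent from the baseline

# Constructed inventories reported by three hosts (names and paths are made up).
HOSTS = {
    "smithj_pc": {
        "files": {"C:/Windows/explorer.exe": "hash-explorer",
                  "C:/Windows/System32/svchost.exe": "hash-svchost",
                  "C:/Users/jsmith/AppData/Local/Temp/upd.exe": "hash-unknown-1"},
        "anomalies": ["hooking", "process_hiding"],
    },
    "fin-ws-02": {
        "files": {"C:/Windows/explorer.exe": "hash-explorer",
                  "C:/ProgramData/upd.exe": "hash-unknown-1"},
        "anomalies": [],  # dormant copy: no structural anomaly observed yet
    },
    "hr-ws-07": {"files": {"C:/Windows/explorer.exe": "hash-explorer"}, "anomalies": []},
}

def unknown_files(inventory):
    """Files whose hash is not in the clean baseline (candidates for AV scanning)."""
    return {p: h for p, h in inventory["files"].items() if h not in KNOWN_GOOD}

def suspect_level(inventory):
    """Machine Suspect Level: anomaly weights plus a weight per unknown file, capped at 100."""
    score = sum(ANOMALY_WEIGHTS.get(a, 0) for a in inventory["anomalies"])
    score += UNKNOWN_FILE_WEIGHT * len(unknown_files(inventory))
    return min(score, 100)

def rank_hosts(hosts):
    """Order hosts for investigation, highest suspect level first."""
    return sorted(((h, suspect_level(i)) for h, i in hosts.items()), key=lambda x: -x[1])

def scope_threat(hosts, malicious_hash):
    """After one hash is confirmed malicious, list every host harboring it."""
    return sorted(h for h, i in hosts.items() if malicious_hash in i["files"].values())
```

Note that fin-ws-02 scores low yet turns up in the scoping pass, which is the caveat in the text: a low score prioritizes, it does not certify a clean host.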


APPENDIX: INTELLIGENCE-DRIVEN SECURITY SOLUTIONS FROM RSA

RSA® Advanced Cyber Defense Practice provides a holistic range of solutions to help clients protect their organizational mission, drive operational efficiencies and evolve with a dynamic threat environment. Targeted attacks often focus on the theft of critical assets and data and utilize techniques that bypass traditional defenses. RSA helps organizations enhance their existing security capabilities and implement countermeasures designed to prevent cyber adversaries from achieving their objectives. Services offered by RSA include gap analysis, maturity modeling, cyber threat intelligence, infrastructure hardening and security operations development and automation. RSA's NextGen SOC solution is designed to help organizations converge their technical and operational capabilities into a unified security program that aligns with risk management priorities and business objectives. RSA emphasizes the preventive measures required to protect the organization while also providing incident response and remediation services to reduce breach exposure time and to mitigate attacks.

RSA Archer® GRC Suite is a market-leading solution for managing enterprise governance, risk and compliance (GRC). It provides a flexible, collaborative platform to manage enterprise risks, automate business processes, demonstrate compliance and gain visibility into exposures and gaps across the organization. The RSA Archer GRC platform is designed to draw data from a wide variety of systems to serve as a central repository for risk-, compliance- and security-related information. The RSA Archer Threat Management solution is an early-warning system for tracking threats. The RSA Archer Incident Management solution helps organizations escalate problems, track the progress of investigations and coordinate problem resolution. The platform's ability to integrate information on security alerts and threats, to gather and present metrics about the effectiveness of security controls and processes and to analyze contextual information about the security and business environment helps create actionable, real-time intelligence across the enterprise.

RSA® Cybercrime Intelligence (CCI) is a service providing information about corporate assets compromised by malware, including corporate machines, network resources, access credentials, business data and email correspondence. CCI monitors underground cybercrime to uncover compromised corporate data that have leaked into the wild. The service reports to clients any data related to their organizations recovered directly from malware log files, including employee credentials, email accounts, IP addresses of infected machines and compromised domains. Going beyond malware, CCI scans open source intelligence (OSINT), reporting information back to clients on employee credentials, corporate email addresses and d0xing data that have been traced in the wild and compromised by hackers or fraudsters. CCI also reports details on email content, IP addresses and compromised credit card numbers belonging to the corporation or its employees that are being shared and/or sold by cybercriminals in closed, deep-web communities. In addition, CCI offers organizations insight into malware-infected online resources via daily blacklist feeds. These feeds expose IP addresses and resources either presently hosting or likely to host malicious content, allowing information security staff to take preemptive measures to mitigate risks.


RSA® Data Loss Prevention (DLP) Suite is built to alert organizations of sensitive data activity that is suspicious or violates organizational policy. DLP also executes first-line remediation functions, such as blocking the transmission of sensitive data, or quarantining, deleting, moving or applying rights management to documents that contain private data. RSA DLP suite is easy to integrate with the RSA Archer security management console and the RSA Security Analytics platform, providing organizations with a valuable data feed for alerting and with improved layered defenses.

RSA® Education Services provide training courses on information security geared to IT staff, software developers, security professionals and an organization's general employees. Courses combine theory, technology and scenario-based exercises to engage participants in active learning. The current curriculum covers topics such as malware analysis and cyber threat intelligence. RSA Education Services also offers a workshop on addressing advanced threats such as APTs. Courses are designed to deliver the maximum amount of information in the shortest period to minimize staff downtime.

RSA® Enterprise Compromise Assessment Tool (ECAT) is an enterprise threat detection and response solution designed to monitor and protect IT environments from undesirable software and the most elusive malware—including deeply hidden rootkits, advanced persistent threats (APTs) and unidentified viruses. RSA ECAT automates the detection of anomalies within computer applications and memory without relying on virus signatures. Instead of analyzing malware samples to create signatures, RSA ECAT establishes a baseline of anomalies from "known good" applications, filtering out background noise to uncover malicious activity in compromised machines. The RSA ECAT console presents a centralized view of activities occurring within a computer's memory, which can be used to quickly identify malware, regardless of whether a signature exists or if the malware has been seen before. Once a single malicious anomaly is identified, RSA ECAT can scan across thousands of machines to identify other endpoints that have been compromised or are at risk.

RSA® Security Analytics is designed to provide security organizations with the situational awareness needed to deal with their most pressing security issues. By analyzing network traffic and log event data, the RSA Security Analytics system helps organizations gain a comprehensive view of their IT environment, enabling security analysts to detect threats quickly, investigate and prioritize them, make remediation decisions, take action and automatically generate reports. The RSA Security Analytics solution's distributed data architecture collects, analyzes, and archives massive volumes of data – often hundreds of terabytes and beyond – at very high speed using multiple modes of analysis. The RSA Security Analytics platform also ingests threat intelligence about the latest tools, techniques and procedures in use by the attacker community to alert organizations to potential threats that are active in their enterprise.


EMC2, EMC, the EMC logo, RSA, Archer, FraudAction, NetWitness and the RSA logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. Microsoft and Outlook are registered trademarks of Microsoft. All other products or services mentioned are trademarks of their respective companies.

© Copyright 2013 EMC Corporation. All rights reserved.

179827-H11533-ASOC_BRF_0213

ABOUT RSA

RSA, The Security Division of EMC, is the premier provider of security, risk and compliance management solutions for business acceleration. RSA helps the world's leading organizations solve their most complex and sensitive security challenges. These challenges include managing organizational risk, safeguarding mobile access and collaboration, proving compliance, and securing virtual and cloud environments. Combining business-critical controls in identity assurance, encryption & key management, SIEM, data loss prevention, continuous network monitoring, and fraud protection with industry leading GRC capabilities and robust consulting services, RSA brings visibility and trust to millions of user identities, the transactions that they perform and the data that is generated. For more information, please visit www.RSA.com and www.EMC.com.

www.rsa.com
