herzlich willkommen -...

1 © Copyright 2015 EMC Corporation. All rights reserved.

Herzlich Willkommen !


Security 2.0:

Sicherer Einsatz und

Überwachung von

Mobility und Cloud

Szenarien mit RSA

24. September 2015

Volker Strecke

Tel. 089 93099 140

[email protected]

[email protected]

mailto:[email protected]



Cyber Bedrohungen

Photos: Volker Strecke

Staatlich und wirtschaftlich motivierte Attacken (kritische Infrastrukturen, Verteidigungsbereiche, Finanz Institutionen, Industrie, …)

• Designer Malware gezielt auf End User (Spear Phishing Attacken)

• Verdeckte Netzwerk Angriffe, Beaconing und verschleierter Netzwerk Datenverkehr

• Langsame und schrittweise Daten Exfiltration • Veränderte Verschlüsselungsmethoden

Organisierte kriminelle Gruppen • Einbringen von bösartigen Code in

Verkaufssysteme, Überweisungsprozesse und Geldautomaten

• Infiltration von Datentransfer Systemen in kritischen Infrastrukturen

• Datendiebstahl auf Applikations-, Datenbank-, und Middleware-Ebenen inkl. “persönlicher Informationen” und anderen “Schlüssel-” Eigenschaften


Cyber Angriffe werden komplexer und häufiger

Quelle:

2014 Data-Breach Investigations Report Verizon Risk

Team US Secret Service Dutch High-Tech Crime Unit

Study April 2014

http://www.verizonenterprise.com/DBIR/2014/

83 % aller Unternehmen haben einen Einbruch (Espionage)

erst nach Wochen, Monaten, Jahren oder gar nicht bemerkt !





Cyber Angriffe werden komplexer und häufiger - Zeit

Quelle:

2015 Data-Breach Investigations Report Verizon Risk

Team US Secret Service Dutch High-Tech Crime Unit

Study April 2015





Visibility, Analysis, Action in Context of Business & IT Risk

The Solution: Security 2.0 - Intelligence Driven Security


Info

rma

tio

ns-S

ich

erh

eit -

Au

fga

be

n

Advanced Security

Operations Advanced Security

Operations

Aufspüren und Abwehren

von Cyber-Angriffen

Identity & Data

Protection Identity Trust

Management

Verwalten von Zugangs-

Berechtigungen und

Idenditäten

Fraud & Risk

Intelligence Fraud & Risk

Intelligence

Bekämpfen von

Online Fraud und

Cybercrime

Governance, Risk,

& Compliance Governance, Risk,

& Compliance (GRC)

Verstehen und Managen

von Unternehmens-

Risiken


Info

rma

tio

ns-S

ich

erh

eit -

Lö

su

ng

en

Advanced Security

Operations Advanced Security

Operations

• Security Analytics

• ECAT

• VRM

• SecOps

Identity & Data

Protection Identity Trust

Management

• SecurID • Adaptive Authentication

• Via

Fraud & Risk

Intelligence Fraud & Risk

Intelligence

• Web Threat Detection • Cyber Crime Intelligence

• Anti Fraud Services

Governance, Risk,

& Compliance Governance, Risk,

& Compliance (GRC)

• Archer


Cloud On Prem

ANALYTICS

IDENTITY & ACCESS

DATA

Threat Fraud Compliance Identity

GOVERNANCE, RISK, & COMPLIANCE

Intelligence Driven Security in Action

LOGS, PACKETS, NETFLOW, ENDPOINT, ID, VULNS, THREAT (INT & EXT)


RSA Solution Portfolio

IDENTITY & ACCESS

SecurID – Adaptive Authentication – Via (IMG)

MONITORING & ANALYTICS

Security Analytics – ECAT

Web Threat Detection – Fraud Action – Cyber Crime Intelligence

RSA Research


Archer GRC


Monitoring & Analytics Log Management (SIEM)

Network

Packet

Monitoring &

Analysis

Endpoint Threat

Detection Web Session Intelligence

Threat

Intelligence

Services

© Volker Strecke


RSA ECAT

• Signature-less endpoint threat detection

• Deep endpoint visibility & real-time alerting

• Confirm infections quickly & respond with precision

Enterprise Compromise Assessment Tool

Scan

Monitor & Alert

Analyze

Respond

Visibility

Analysis

Action


How RSA ECAT Works

Agent • Endpoints, Servers, VMs

• Windows & Mac OS

• Monitors for suspicious activity

• Scans for full system inventory

• Identify all executables, DLL’s,

drivers, etc.

• Low system impact (2MB on

disk, 10-20MB in memory)

Server

• Analyzes scan data &

flags anomalies

• Maintain repository for

global correlation

• Automatically download

unknown files for

additional analysis

ECAT Server


RSA ECAT Evaluation

https://emcinformation.com/267502/REG/.ashx





RSA Security Analytics

Visibility

Analysis

Action

Be the hunter,

not the hunted


Modular RSA Advanced SOC Solution

As You Grow, The Product Grows With You

NETWORK FORENSICS

SIEM & BEYOND

ENDPOINT THREAT

ANALYSIS


RSA Security Analytics - New Version 10.5.

Expanded Visibility

Improvements in

Investigation

Expanded SIEM

capabilities

Platform Enhancements

New Packaging and Pricing


RSA Security Analytics Architecture Action Analysis Visibility

Security Operations

LIVE Security Operations

Threat Intelligence | Rules | Parsers | Feeds | Reports | RSA Research RSA LIVE

INTELLIGENCE

Capture Time Data

Enrichment

NetFlow

Packets

Logs

Endpoint

LIVE

LIVE


RSA Security Analytics Architecture Action Analysis Visibility

Security Operations

LIVE Security Operations

Threat Intelligence | Rules | Parsers | Feeds | Reports | RSA Research RSA LIVE

INTELLIGENCE

Capture Time Data

Enrichment

NetFlow

Packets

Logs

Endpoint

LIVE

LIVE

3rd Party SIEM


Capture Time Data Enrichment

Inspect every network session & log event for

threat indicators

Most robust metadata

Fastest retrieval & reconstruction

Seconds to respond in a time of crisis

Capture Time Data

Enrichment

LIVE


HTTP Headers

Basic Packet Capture

Attachment

File Fingerprints

Session Size

Country Src/Dst

URL

Hostname

IP Alias Forwarded

Directory

File Packers

Non Standard

Content Type

Ethernet Connection

Embedded Objects

Top Level Domain

Access Criticality

Sql Query

Mac Address Alias

Email Address

Cookie

Browser

Credit Cards

Protocol Fingerprints

Database Name

SSL CA/Subject

URL in Email

Referrer

Language

Crypto Type

PDF/ Flash

Version

Client/Server

Application

User Name

Port

User Agent

IP Src/Dst

Session Characteristics

Deep Network

Forensics

175+ metadata

fields

Capture Time Data Enrichment


SA Live Services

Capture Time Data

Enrichment

LIVE

1 New Event Steaming Analysis (ESA) rules

- This addition to our ESA rule library will help analysts detect potential APT service installation

7 Updates to Event Streaming (ESA) rules

- This will limit noise in customer ESA environments and ensure the most targeted intelligence in our rule library

3 New Application rules

- These additions to our Application rule set allows analysts to detect potential ShadowIT within their environment.

- We also released a rule to detect rogue DHCP servers

1 Update to RSA Security Analytics List

- This made changes to our User Watchlist by IP list

11 New RSA Security Analytics Rules

- These rules are focused on ShadowIT detection and Security Analytics Administration reports

2 New RSA Security Analytics Reports

- These reports are focused on ShadowIT detection and Security Analytics Administration reports

3 New Log parsers

- RSA Via Access

- Evidian

- IBM Mainframe (Top Secret)

60 Updates to Log parsers

- Improves parsing accuracy and supports newer versions of event sources

For a full breakdown of new/updated content released to RSA Live, go here:

Content Announcement

Also, you can view our holistic content library and content request portals here:

RSA Live Content

Content Request Portals

http://sadocs.emc.com/0_en-us/300_RSA_ContentAndResources/RSA_Content_Resources

http://sadocs.emc.com/0_en-us/300_RSA_ContentAndResources/RSA_Content_Resources

https://sadocs.emc.com/0_en-us/300_RSA_ContentAndResources

https://sadocs.emc.com/0_en-us/300_RSA_ContentAndResources/RSA_Content_Resources/40_Request_Portals


New SA Throughput Licensing and Packaging - Vers. 10.5

• Use Case Driven Packaging

• Metered by Throughput or Endpoints

(ECAT)

• Perpetual & Subscription Terms

available

ECAT - Endpoint Analytics

SA - Network Monitoring & Forensics

SA - Log Monitoring & SIEM

Appliances Storage


RSA Security Analytics - Key Messages

Spot more attacks with complete visibility - from the endpoint to the cloud

Threat Detection & Investigation beyond just logs - This is what SIEM was meant to be

Choose the deployment that is right for you with flexible delivery models


Governance, Risk & Compliance

http://www.emc.com/security/rsa-archer.htm

Solving Your

Risk and

Compliance

Challenges






RSA Archer Fokus Solutions & Integrationen

https://community.emc.com/docs/DOC-27403

• ISMS Foundation

• PCI Compliance

• Unified Compliance Framework (UCF)

• Key & Certificate Management

• Regulatory Change Management

• Legal Matters Management

• Model Risk Management

• Code of Federal Regulations

• Stakeholder Evaluations

• FCPA Solution

• Environmental Health & Safety

• Market Conduct Management

• Anti-Money Laundering

• Privacy Program Management

• WhiteHat Security Sentinel

• Skybox Security Risk Control

• Qualys Guard

• RedSeal Networks

• McAfee Vulnerability Manager

• Veracode Security Review

• Rapid7 Nexpose

• CloudPassage

Solutions Integrations






SOC Use Cases

http://www.emc.com/security/rsa-advanced-security-operations-center/use-cases.htm



SOC Use Case 1



SOC Use Case 2


SOC Use Case 3



RSA Solution Portfolio

IDENTITY & ACCESS

SecurID – Adaptive Authentication – Via (IMG)

MONITORING & ANALYTICS

Security Analytics – ECAT

Web Threat Detection – Fraud Action – Cyber Crime Intelligence

RSA Research


Archer GRC


• Risk-based

– Prioritize activity and resources appropriately

• Incremental and achievable – New capabilities improve your maturity over

time

• Future proof – Enables response to changes in landscape not

based on adding new products

• Agile – Enables the business to take advantage of new

technology and IT-driven opportunities

Benefits of the Intelligence Driven 2.0 Approach


Advanced Security Operations at Work

EMC Critical Incident Response Center

EMC Critical Incident Response Center, Bedford, MA

• Surveillance of worldwide approx. 500 Subsidiaries, 1400 Security Devices and 250.000 Endpoints

• 5 Data Centers, 500 Applications, 97% virtualized, 7PB of Storage

• RSA Products in use:

• Archer eGRC Platform

• Security Analytics

• Enterprise Compromise Assessment Tool (ECAT)

• enVision SIEM

• Data Loss Prevention, …

• Advanced Analytics build on EMC Pivotal SA

Business Context Visibility Integrated Approach Process Automation


RSA SecurWorld Partner Program 2015 - 2016

• Partners enter the program at this Tier

• Primarily composed of VARs who manage the

Authentication business (more opportunistic)

• Drive RSA’s high growth solutions (ASOC, GRC, IMG)

• Greatest investment in training across full portfolio, particularly

in RSA’s focus products

• Specialize in a smaller number of RSA products, but invest

heavily in those products

• Significant RSA revenue

• Partners that are beginning to progress in the program, having

invested in training and starting to see financial results

Partner Tiers


RSA Partner Central http://www.RSAPartnerCentral.com/

RSA Partner Central is the central hub for all product and

program materials. Here, partners have 24X7 access to a

full range of sales tools, training, and marketing

materials, including datasheets, whitepapers, demo

videos, and campaign kits. This is also where partners can

view details about their company’s standing in

SecurWorld, as well as submit and manage deal

registration opportunities.

RSA Virtual Lab (vLab) http://portal.demoemc.com

The vLab is a hosted demonstration and use case training

system, allowing partners to demonstrate RSA products in

complex real world environments.

Not-for-Resale (NFR) Program

The NFR Program allows Partners to purchase hardware or

software at a deep discount to install within their labs,

allowing them to demo the product internally or with

prospects.

RSA SharedVue http://rsa.sharedvue.net/infocenter/en

RSA SharedVue enables partners to embed compelling RSA product

and solution content on their websites, which is automatically

updated. Content includes lead generators that send prospect

information directly to designated recipients.

SecurCare Online (SCOL) https://knowledge.rsasecurity.com

SCOL is an online express route to technical information, solutions,

and support, including patch downloads and product

documentation. End of Sale and End of Support announcements

are also made here.

Download Central (DLC) http://download.rsasecurity.com/

DLC is where you can download product software and licenses.

Submit a Case http://rsa.force.com/webtocase

Partners can submit a case using this form if experiencing any

technical issues using RSA’s systems

RSA SecurWorld Resources

http://www.rsapartnercentral.com/

http://portal.demoemc.com/



http://rsa.sharedvue.net/infocenter/en



https://knowledge.rsasecurity.com/

https://knowledge.rsasecurity.com/

http://download.rsasecurity.com/

http://download.rsasecurity.com/


Achieving Security and Privacy

1.Organization permits the personal use of communication systems •Personally identifiable information should be removed or masked before security analysis. 2. Organization does not permit the personal use of communications systems. •Legitimate use of personal data to secure network and preserve intellectual property. 3. Only data traffic to internal network segments within an organization is monitored. •Applications can limit exposure of personal information Source: http://germany.emc.com/about/news/press/2013/20131014-01.htm http://www.kpmg.de/bescheinigungen/RequestReportLaw.aspx?37823

http://germany.emc.com/about/news/press/2013/20131014-01.htm




http://www.kpmg.de/bescheinigungen/RequestReportLaw.aspx?37823

http://www.kpmg.de/bescheinigungen/RequestReportLaw.aspx?37823


Cyber Threats Trends

http://www.rsaconference.com/

2015 Top Trends („Word Cloud“)



Cyber Threats Trends


2015 Top Trends

Big Takeaway 1: “Internet of Things” gets the spotlight

Big Takeaway 2: “STIX” and “TAXII” get traction

Big Takeaway 3: “Compliance” getting run under the bus

Big Takeaway 4: “Human Element” becoming mature

Big Takeaway 5: “Cloud” and “Mobile” becoming ubiquitous

STIX = Structured Threat Information eXpression

TAXII = Trusted Automated eXchange of Indicator Information



Cyber Threats Trends - RSA Conference 2015






http://www.rsaconference.com/media/escaping-securitys-dark-ages San Francisco 21. April 2015 Amit Yoran, President RSA


http://www.rsaconference.com/media/escaping-securitys-dark-ages









Based on the breaches of the past couple of years, it’s obvious that the way our industry has been doing security isn’t working. The

adversary continues to get through even “next generation" defenses and what’s worse, too often they do so undetected for months or even

years. As the perimeter continues to dissolve under the onslaught of mobile and cloud technologies, enterprises need to realize that the

game has changed and that the only way to escape today’s vicious cycle of prevention and remediation is to change our mindset toward

security operations.

Cyber Threats Trends - RSA Conference 2015 APAC


http://www.rsaconference.com/media/the-game-has-changed Singapore 22. July 2015

The Game has changed

Amit Yoran, President RSA


http://www.rsaconference.com/media/the-game-has-changed









Wissen - Entscheiden - Tun

• Identifizierung, Klassifizierung Ihrer sensiblen Daten

• Userzugriffsregeln

• Export / Import

• Schwachstellen

• Analysen, Reports

Risikobetrachtungen

Sensibilisierung, Kommunikation

Handlungspläne

Schutz - Erkennen von Bedrohungen - Analysieren - Beheben

Aktivitäten: ….

Gehen Sie skalierbar vor !


RSA - Webcasts and Online Demos:

Informationen und Registrierung:

http://www.emc.com/campaign/global/rsa/rsa-webcast.htm

https://emcinformation.com/347002/SI/.ashx

https://community.emc.com/community/connect/rsaxchange/netwitness

RSA - Community Events:















RSA - Communities:

https://community.emc.com/community/by-category/security






Aktivitäten: ….

RSA / Arrow ECS - Webcasts und

Workshops:

Informationen und Registrierung:

http://www.arrowecs.de/events.html

RSA Evaluierungen: auf Anfrage

RSA Produkt Infos:

http://www.emc.com/security/index.htm

Rückfragen: [email protected]

http://education.arrowecs.de/portfolio/rsa_security.cfm

RSA / Arrow ECS - Trainings:










Aktivitäten: ….

Partner as trusted advisor Customer

[email protected]


EMC, RSA, the EMC logo and the RSA logo are trademarks of EMC Corporation in the U.S. and other countries.

Volker Strecke

Tel. 089 93099 140

[email protected]

Viel Erfolg !

herzlich willkommen -...

Documents