RSA ADVANCED SECURITY OPERATIONS CENTER
Denver Spitz – Security Consultant

© Copyright 2016 EMC Corporation. All rights reserved.

Upload: buikien

Post on 27-Jun-2018


TRANSCRIPT

Page 1: RSA ADVANCED SECURITY OPERATIONS CENTER

© Copyright 2016 EMC Corporation. All rights reserved.

RSA ADVANCED SECURITY OPERATIONS CENTER
Denver Spitz – Security Consultant

Page 2

AGENDA

• Threat Landscape
• Challenges in a SOC
• RSA’s Strategy
  – RSA ECAT
  – RSA Security Analytics
  – RSA SecOps
  – RSA Advanced Cyber Defense Consulting

Page 3

EVOLUTION OF THREAT ACTORS & DETECTION IMPLICATIONS

At first, there were HACKS. Preventative controls filter known attack paths.

[Diagram: Threat Actors → Malicious Traffic → Firewall → IDS/IPS → AntiVirus → Corporate Assets; the whitespace between the controls is where successful HACKS get through]

Page 4

EVOLUTION OF THREAT ACTORS & DETECTION IMPLICATIONS

At first, there were HACKS. Preventative controls filter known attack paths.

Then, ATTACKS, despite increased investment in controls, including SIEM.

[Diagram: Threat Actors → Malicious Traffic → Firewall → IDS/IPS → AntiVirus → Corporate Assets; each control reports Blocked Sessions and More Logs to a SIEM, which raises an Alert; the whitespace between the controls is where successful ATTACKS get through]

Page 5

EVOLUTION OF THREAT ACTORS & DETECTION IMPLICATIONS

Now, successful ATTACK CAMPAIGNS target any and all whitespace. Complete visibility into every process and every network session is required to eradicate the attacker’s opportunity.

Unified platform for advanced threat detection & investigations.

[Diagram: Threat Actors → Malicious Traffic → Firewall → IDS/IPS → AntiVirus → Corporate Assets; Blocked Sessions, Alerts, Logs, Endpoint Visibility (Process) and Network Visibility (Network Sessions) all feed Security Analytics]

Page 6

EMC CONFIDENTIAL—INTERNAL USE ONLY

ATTACKERS ARE OUTPACING DEFENDERS

Attacker Capabilities vs. Time to Discovery

[Chart: percent of breaches where time to compromise (red) / time to discovery (blue) was days or less, by year, 2004–2013. Source: Verizon Data Breach Investigations Report]

© Copyright 2015 EMC Corporation. Confidential and Proprietary. NDA Required

Page 7

A LOGS-ONLY APPROACH TO DETECTION ISN’T WORKING

99% – percent of successful attacks that went undiscovered by logs
83% – percent of incidents that took weeks or more to discover

Source: Verizon Data Breach Investigations Report

Page 8

DEFENDER’S CHALLENGES

• Existing strategies & controls are failing
• Attackers are becoming more sophisticated
• The attack surface is expanding
• Tools & processes must adapt to today’s threats
• Teams need to increase experience & efficiency
• Security teams need comprehensive visibility from endpoint to cloud

Page 9

RESOURCE SHIFT NEEDED: BUDGETS & PEOPLE

              Today’s Priorities    Future Requirements
Prevention    80%                   33%
Monitoring    15%                   33%
Response       5%                   33%

Page 10

RSA ADVANCED SOC PLATFORM: ENABLING DEFENDERS

[Diagram: Detect and Respond across Network, Endpoint and Logs, fed by RSA Live; components: RSA Security Analytics, RSA Advanced Cyber Defense, RSA Incident Response, RSA SecOps]

Page 11

RSA ECAT

Page 12

TOP ENDPOINT SECURITY CHALLENGES

Slow & Partial Analysis
• Lack tools & resources
• Manual and labor intensive
• Siloed views

Invisible Infected Endpoints
• Over-reliance on signatures
• Network alone not enough
• Lack deep endpoint visibility

Unknown Scope / Lack of Response
• Increased attacker dwell time
• Elevated risk of data loss
• Limited resources

Source: ESG & VBDIR 2015

Page 13

SOLUTION

• Quickly expose endpoint threats – Signature-less
• Analyze and confirm faster – Prioritizes alerts
• Instantly determine scope and take action – Answers scope
• Integrate endpoint with network data – Complete visibility

Page 14

RSA ECAT OVERVIEW

• Detect by behavior of malware rather than a signature
• Deep endpoint visibility & real-time alerting
• Intelligent risk level scoring system to prioritize threats
• Confirm infections quickly & block with precision in real time

ECAT workflow: Scan → Monitor & Alert → Analyze → Take Action

Page 15

HOW RSA ECAT WORKS

ECAT Server ← Threat Intelligence | Feeds | RSA Research (RSA LIVE INTELLIGENCE)

Agent
• Endpoints, Servers, VMs
• Windows, Linux & Mac OS
• Monitors for suspicious activity
• Scans for full system inventory
• Identifies all executables, DLLs, drivers, etc.
• Low system impact (2MB on disk, 10-20MB in memory)

Server
• Analyzes scan data & flags anomalies
• Maintains repository for global correlation
• Automatically downloads unknown files for additional analysis
• Easily scales: 50K agents per server
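The server-side "repository for global correlation" is the part of this design worth seeing in code: once every agent's inventory lands in one place, a module can be judged by how rare it is across the fleet, whether it is signed, and where it lives, with no signature for the file itself. The block below is an added example written for this page; it is not RSA ECAT code and does not reproduce ECAT's scoring. The hosts, paths, hashes, weights, the `USER_WRITABLE` path list and the 60-point threshold are all constructed or assumed.

```python
"""Added example, not RSA ECAT code: prevalence-based anomaly flagging over
endpoint inventory scans, i.e. the "repository for global correlation" idea.
Hosts, paths, hashes, weights and the threshold are all constructed/assumed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    """One executable/DLL/driver reported by an agent's full-system scan."""
    host: str
    path: str
    sha256: str   # shortened stand-in for a real SHA-256
    signed: bool  # valid code signature as seen by the agent


# Constructed scan data from four hosts (fake hashes).
SCANS = [
    *[Module(h, r"C:\Windows\System32\ntdll.dll", "aa11aa11", True)
      for h in ("ws01", "ws02", "ws03", "ws04")],
    Module("ws01", r"C:\Program Files\AdminTool\admintool.exe", "bb22bb22", True),
    Module("ws02", r"C:\Users\alice\AppData\Roaming\svchost.exe", "cc33cc33", False),
    Module("ws03", r"C:\ProgramData\upd\updater.exe", "dd44dd44", False),
    Module("ws04", r"C:\ProgramData\upd\updater.exe", "dd44dd44", False),
]

# Path segments an ordinary user can write to (assumed list, forward-slash form).
USER_WRITABLE = ("/users/", "/temp/", "/appdata/", "/programdata/")


def build_repository(scans):
    """Global repository: hash -> set of hosts on which that hash was seen."""
    repo = defaultdict(set)
    for m in scans:
        repo[m.sha256].add(m.host)
    return repo


def prevalence(repo, sha256, total_hosts):
    """Fraction of the fleet carrying this hash."""
    return len(repo.get(sha256, ())) / total_hosts


def risk_score(module, repo, total_hosts, known_good):
    """Signature-less score (assumed weights): rarity + unsigned + user-writable path."""
    if module.sha256 in known_good:          # e.g. hashes confirmed good by threat intel
        return 0
    score = 0
    p = prevalence(repo, module.sha256, total_hosts)
    if p <= 0.25:
        score += 50                          # rare across the fleet
    elif p <= 0.5:
        score += 20
    if not module.signed:
        score += 30
    norm = module.path.lower().replace("\\", "/")
    if any(seg in norm for seg in USER_WRITABLE):
        score += 20
    return score


def analyze(scans, known_good=frozenset(), threshold=60):
    """Return (flagged (score, module) pairs, highest first; unknown hashes to fetch)."""
    repo = build_repository(scans)
    total_hosts = len({m.host for m in scans})
    flagged = [(s, m) for m in scans
               if (s := risk_score(m, repo, total_hosts, known_good)) >= threshold]
    flagged.sort(key=lambda pair: -pair[0])
    # "Automatically download unknown files for additional analysis"
    to_download = sorted({m.sha256 for _, m in flagged})
    return flagged, to_download


if __name__ == "__main__":
    hits, fetch = analyze(SCANS)
    for score, m in hits:
        print(f"{score:3d} {m.host} {m.path} signed={m.signed}")
    print("download for analysis:", fetch)
```

Run as-is, the signed admin tool that is present on one host scores 50 (rare, but signed and in Program Files) and stays below the threshold; the unsigned `svchost.exe` under a user profile scores 100 and the unsigned updater seen on half the fleet scores 70, so both hashes are queued for download. Passing a hash in `known_good` is the analyst whitelisting step: it zeroes that module's score on every host at once.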

Page 16

RSA Security Analytics

Page 17

RSA SECURITY ANALYTICS ARCHITECTURE

[Architecture diagram]

Page 18

OUT-OF-THE-BOX CONTENT EXAMPLES

Intelligence feeds
• APT Domains
• Suspicious Proxies
• Malicious Networks
• Threat blacklists
• 0-day identifiers

275+ correlation rules
• Data exfiltration
• Identity & access anomalies
• Unusual connections
• Endpoint & network activity
• Reconnaissance detection

90+ reports
• Compliance templates
• Network activity
• Operations
• Suspicious behavior
• User activity

375+ log & network parsers
• Abnormal .exe files
• Packers
• Instant Messenger traffic
• Botnets
• SQL injection

Page 19

ADVANCED ANALYTICS ENGINE
LEADING INDICATORS OF A PLANNED C2 EXPLOIT

• Real-time Analytics
  – Data science algorithms
  – Scores on multiple C2 behavior indicators
  – Utilizes streaming HTTP activity
• Low False Positives
  – Learns from ongoing and historical activity
  – Supervised whitelisting option

Indicators combined into an aggregate score: Beaconing Behavior, Rare Domains, Rare User Agents, Missing Referrers, Domain Age (WhoIs), Suspicious Domains
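The slide names the indicators and says they are summed into an aggregate score, but not how each one is decided. The block below is an added example for this page, not RSA's analytics engine, showing one concrete way to evaluate all six indicators over a batch of HTTP proxy events and combine them, with the "supervised whitelisting" as an explicit parameter. The events, client addresses, domains, WhoIs creation dates, threat feed, weights, the 60-second beacon, the 20 % rarity cut-off, the 90-day domain-age cut-off and the 50-point alert threshold are all constructed or assumed; a real deployment would take the baseline from days of traffic rather than from the batch being scored.

```python
"""Added example, not RSA's analytics engine: scoring HTTP proxy events on the
C2 indicators listed on the slide and summing them into an aggregate score.
Events, domains, WhoIs dates, the threat feed, weights and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class HttpEvent:
    ts: datetime
    client: str
    domain: str
    user_agent: str
    referrer: str  # "" when the Referer header was absent


BASE = datetime(2016, 3, 1, 9, 0, 0)
NOW = datetime(2016, 3, 1, 10, 0, 0)
COMMON_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64) Gecko/20100101 Firefox/44.0"
BEACON_UA = "Updater/1.0"

# Constructed events: five clients browse example.com; 10.0.0.5 also beacons
# every ~60 s to a young, rarely seen domain with an odd UA and no referrer;
# 10.0.0.7 makes one ordinary request to a domain that is only on the threat feed.
EVENTS = [
    HttpEvent(BASE + timedelta(seconds=60 * i + (i % 2)), "10.0.0.5",
              "cdn-updates-x.example", BEACON_UA, "")
    for i in range(8)
]
for n, client in enumerate(f"10.0.0.{i}" for i in range(5, 10)):
    for k, offset in enumerate((0, 130, 400, 950)):
        EVENTS.append(HttpEvent(BASE + timedelta(seconds=offset + 7 * n), client,
                                "example.com", COMMON_UA,
                                "https://example.com/" if k else "https://search.example/"))
EVENTS.append(HttpEvent(BASE + timedelta(minutes=5), "10.0.0.7", "bad-proxy.example",
                        COMMON_UA, "https://example.com/"))

DOMAIN_CREATED = {  # constructed stand-in for a WhoIs creation-date lookup
    "example.com": datetime(1995, 8, 14),
    "cdn-updates-x.example": datetime(2016, 2, 20),
}
THREAT_FEED = {"bad-proxy.example"}  # constructed stand-in for an intelligence feed
WEIGHTS = {"beaconing": 30, "rare_domain": 20, "rare_user_agent": 15,   # assumed
           "missing_referrer": 10, "young_domain": 15, "suspicious_domain": 25}


def beaconing(timestamps, min_requests=5, max_cv=0.1):
    """True when inter-request gaps are regular (low coefficient of variation)."""
    if len(timestamps) < min_requests:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return m > 0 and pstdev(gaps) / m <= max_cv


def score_events(events, now=NOW, whitelist=frozenset(),
                 rare_fraction=0.2, young_days=90):
    """Per (client, domain): indicator booleans and their weighted aggregate score."""
    clients = {e.client for e in events}
    domain_clients, ua_clients, groups = defaultdict(set), defaultdict(set), defaultdict(list)
    for e in events:
        domain_clients[e.domain].add(e.client)   # population baseline for "rare"
        ua_clients[e.user_agent].add(e.client)
        groups[(e.client, e.domain)].append(e)
    scores = {}
    for (client, domain), evs in groups.items():
        if domain in whitelist:                  # supervised whitelisting
            continue
        created = DOMAIN_CREATED.get(domain)
        ind = {
            "beaconing": beaconing([e.ts for e in evs]),
            "rare_domain": len(domain_clients[domain]) / len(clients) <= rare_fraction,
            "rare_user_agent": any(len(ua_clients[e.user_agent]) / len(clients) <= rare_fraction
                                   for e in evs),
            "missing_referrer": all(e.referrer == "" for e in evs),
            "young_domain": created is not None and (now - created).days <= young_days,
            "suspicious_domain": domain in THREAT_FEED,
        }
        scores[(client, domain)] = (sum(WEIGHTS[k] for k, v in ind.items() if v), ind)
    return scores


def top_alerts(events, now=NOW, threshold=50, whitelist=frozenset()):
    """(score, client, domain) triples at or above threshold, highest first."""
    scores = score_events(events, now, whitelist)
    return sorted(((s, c, d) for (c, d), (s, _) in scores.items() if s >= threshold),
                  reverse=True)


if __name__ == "__main__":
    for score, client, domain in top_alerts(EVENTS):
        print(score, client, domain, score_events(EVENTS)[(client, domain)][1])
```

On this data the beaconing client scores 90 from five behavioural indicators with no feed hit at all, which is the point of the slide: the feed is one input, not the detector. The single request to the feed-listed domain scores 45 (feed match plus rarity) and stays below the threshold, so a lone blacklist hit is surfaced only when other indicators agree, which keeps false positives down. Whitelisting the beacon domain removes the alert entirely, which is also the failure mode to watch: a whitelist entry silences every indicator for that domain, so it should be reviewed, not set once.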

Page 20

PRIORITIZED ACTION

[Diagram: LOGS, PACKETS, ENDPOINT and NETFLOW collected from On Prem and Cloud, enriched by RSA LIVE; Alerts → Investigation → Workflow → GRC]

Page 21

RSA Security Operations Management (SecOps)

Page 22

SOC CHALLENGE - EVENT-FOCUSED, REACTIVE

• No centralization of alerts
• Lack of centralized incident management
• Lack of context
• Lack of process
• Lack of best practices

Page 23

RSA SECURITY OPERATIONS MANAGEMENT

[Diagram: RSA SecOps Domain: Framework & Alignment across People, Process and Technology; functions: Incident Response, Breach Response, SOC Program Management]

Page 24

RSA SECOPS

[Diagram: RSA SecOps (Aggregate Alerts to Incidents, Incident Response, Breach Response, SOC Program Management, Dashboard & Report); ALERTS arrive from RSA Security Analytics and 3rd party systems; CONTEXT comes from RSA Archer Enterprise Management, with RSA Archer Enterprise Risk / BCM optional; LAUNCH FOR INVESTIGATIONS pivots back into the source tools]

Page 25

SOC MANAGER / CISO DASHBOARD

Page 26

Beyond Technology: Consulting

Page 27

THE ADVANCED SOC

• SOC Manager
• Tier 1 Analyst
• Tier 2 Analyst
• Threat Intelligence Analyst
• Analysis & Tools Support Analyst

Page 28

RSA ADVANCED CYBER DEFENSE SERVICES
DEVELOP AND MATURE A PORTFOLIO FOR ONGOING COMPETITIVE ADVANTAGE

• ASOC Design & Implementation: ASOC Strategy, Design & Program Development | Technology & Operations Buildout | Residencies, Support & Training
• Security Operations Management: SecOps Strategy & Management | Use Case Development | Incident Response Procedures
• Incident Response: Retainer | Incident Discovery | Incident Response | IR Hunting Services | Breach Management
• Cyber Readiness & Capability Roadmap: Current State & Gap Analysis | Maturity Modeling | Breach Readiness Roadmap | Net Defender (Cyber Security Framework)
• Cyber & Counter Threat Intelligence: Program Development | Web & E-mail Threat Operations | Best Practices

Page 29

DEFENDER’S CHALLENGES

• Existing strategies & controls are failing
• Attackers are becoming more sophisticated
• The attack surface is expanding
• Tools & processes must adapt to today’s threats
• Teams need to increase experience & efficiency
• Security teams need comprehensive visibility from endpoint to cloud

RSA portfolio addressing these: Security Analytics | ECAT | Advanced Cyber Defence | SecOps

Page 30