RSA ADVANCED SECURITY OPERATIONS CENTER: RSA Security Analytics

Post on 27-Jun-2018


  • 1 Copyright 2016 EMC Corporation. All rights reserved.

RSA ADVANCED SECURITY OPERATIONS CENTER

    Denver Spitz, Security Consultant

  • 2

    AGENDA

    Threat Landscape

    Challenges in a SOC

    RSA's Strategy

    RSA ECAT

    RSA Security Analytics

    RSA SecOps

    RSA Advanced Cyber Defense Consulting

  • 3

    EVOLUTION OF THREAT ACTORS & DETECTION IMPLICATIONS

    At first, there were HACKS: preventative controls filter known attack paths.

    [Diagram: Threat Actors send Malicious Traffic through Firewall, IDS/IPS and AntiVirus toward Corporate Assets; the whitespace between the controls is where successful HACKS land.]

  • 4

    EVOLUTION OF THREAT ACTORS & DETECTION IMPLICATIONS

    At first, there were HACKS: preventative controls filter known attack paths.

    Then, ATTACKS: despite increased investment in controls, including SIEM

    [Diagram: Threat Actors send Malicious Traffic through Firewall, IDS/IPS and AntiVirus toward Corporate Assets; More Logs feed a SIEM; three Blocked Sessions and one Alert are shown; the remaining whitespace is where successful ATTACKS land.]

  • 5

    EVOLUTION OF THREAT ACTORS & DETECTION IMPLICATIONS

    Now, successful ATTACK CAMPAIGNS target any and all whitespace.

    Complete visibility into every process and network session is required to eradicate the attacker opportunity.

    Unified platform for advanced threat detection & investigations

    [Diagram: Threat Actors send Malicious Traffic through Firewall, IDS/IPS and AntiVirus toward Corporate Assets; Logs, Endpoint Visibility (Process) and Network Visibility (Network Sessions) feed Security Analytics, alongside Blocked Sessions and Alerts.]

  • 6 EMC CONFIDENTIAL / INTERNAL USE ONLY

    ATTACKERS ARE OUTPACING DEFENDERS

    Source: Verizon Data Breach Investigations Report

    [Chart: percent of breaches where time to compromise (red) / time to discovery (blue) was days or less, by year 2004 through 2013, y-axis 0% to 100%; series labelled Attacker Capabilities (time to compromise) and Time to Discovery.]

    Copyright 2015 EMC Corporation. Confidential and Proprietary. NDA Required

  • 7

    A LOGS-ONLY APPROACH TO DETECTION ISN'T WORKING

    Source: Verizon Data Breach Investigations Report

    99%: percent of successful attacks that went undiscovered by logs

    83%: percent of incidents that took weeks or more to discover

  • 8

    DEFENDERS' CHALLENGES

    Existing strategies & controls are failing

    Attackers are becoming more sophisticated

    The attack surface is expanding

    Tools & processes must adapt to today's threats

    Teams need to increase experience & efficiency

    Security teams need comprehensive visibility from endpoint to cloud

  • 9

    RESOURCE SHIFT NEEDED: BUDGETS & PEOPLE

                  Today's Priorities   Future Requirements
    Prevention    80%                  33%
    Monitoring    15%                  33%
    Response       5%                  33%

  • 10

    RSA ADVANCED SOC PLATFORM: ENABLING DEFENDERS

    [Diagram: Detect and Respond across Network, Endpoint and Logs, built from RSA Live, RSA Security Analytics, RSA Advanced Cyber Defense, RSA Incident Response and RSA SecOps.]

  • 11

    RSA ECAT

  • 12

    TOP ENDPOINT SECURITY CHALLENGES

    Lack tools & resources

    Manual and labor intensive

    Siloed views

    Slow & partial analysis

    Over-reliance on signatures

    Network alone not enough

    Lack deep endpoint visibility

    Increased attacker dwell time

    Elevated risk of data loss

    Limited resources

    Unknown scope

    Lack of response

    Invisible infected endpoints

    Source: ESG & VBDIR 2015

  • 13

    SOLUTION

    Instantly determine scope and take action

    Quickly expose endpoint threats

    Analyze and confirm faster

    Integrate endpoint with network data

    Signature-less | Prioritizes alerts | Answers scope | Complete visibility

  • 14

    RSA ECAT OVERVIEW

    Detect by behavior of malware rather than a signature

    Deep endpoint visibility & real-time alerting

    Intelligent risk level scoring system to prioritize threats

    Confirm infections quickly & block with precision in real time

    [Diagram: ECAT cycle of Scan, Monitor & Alert, Analyze, Take Action.]

  • 15

    HOW RSA ECAT WORKS

    RSA Live Intelligence: Threat Intelligence | Feeds | RSA Research

    Agent (Endpoints, Servers, VMs; Windows, Linux & Mac OS):

    Monitors for suspicious activity

    Scans for full system inventory

    Identifies all executables, DLLs, drivers, etc.

    Low system impact (2MB on disk, 10-20MB in memory)

    ECAT Server:

    Analyzes scan data & flags anomalies

    Maintains repository for global correlation

    Automatically downloads unknown files for additional analysis

    Easily scales: 50K agents per server

  • 16

    RSA Security Analytics

  • 17

    RSA SECURITY ANALYTICS ARCHITECTURE

  • 18

    OUT-OF-THE-BOX CONTENT EXAMPLES

    Intelligence feeds: APT Domains, Suspicious Proxies, Malicious Networks, Threat blacklists, 0-day identifiers

    275+ correlation rules: Data exfiltration, Identity & access anomalies, Unusual connections, Endpoint & network activity, Reconnaissance detection

    90+ reports: Compliance templates, Network activity, Operations, Suspicious behavior, User activity

    375+ log & network parsers: Abnormal .exe files, Packers, Instant Messenger traffic, Botnets, SQL injection

  • 19

    ADVANCED ANALYTICS ENGINE

    LEADING INDICATORS OF A PLANNED C2 EXPLOIT

    Real-time Analytics: Data Science algorithms

    Scores on multiple C2 behavior indicators

    Utilizes streaming HTTP activity

    Low False Positives: learns from ongoing and historical activity

    Supervised whitelisting option

    Indicators combined into the Suspicious Domains aggregate score: Beaconing Behavior, Rare Domains, Rare User Agents, Missing Referrers, Domain Age (WhoIS)
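To make the scoring idea on this slide concrete, here is an added example that is not RSA's code and does not reproduce the product's algorithm: a small Python scorer that reads constructed web-proxy log lines, rates each destination host on the five indicators the slide names (beaconing regularity, rare domain, rare user agent, missing referrer, domain age) and combines them into one aggregate score, with an analyst whitelist that zeroes out approved hosts. The log format, the WHOIS creation-date table, the indicator thresholds and the weights are all assumptions made for the example.

```python
"""Toy C2-indicator scorer over constructed web-proxy log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample input (not from the slides). Fields:
# timestamp  client_ip  destination_host  user_agent  referrer ("-" = none)
SAMPLE_LOG = """\
2016-03-01T10:00:00 10.0.0.5 cdn.example.com Mozilla/5.0 http://www.example.com/
2016-03-01T10:00:07 10.0.0.6 cdn.example.com Mozilla/5.0 http://www.example.com/
2016-03-01T10:00:30 10.0.0.7 cdn.example.com Mozilla/5.0 http://www.example.com/
2016-03-01T10:01:00 10.0.0.5 www.example.com Mozilla/5.0 http://cdn.example.com/
2016-03-01T10:00:00 10.0.0.9 xk3j9.example.org Mozilla/4.0 -
2016-03-01T10:05:00 10.0.0.9 xk3j9.example.org Mozilla/4.0 -
2016-03-01T10:10:00 10.0.0.9 xk3j9.example.org Mozilla/4.0 -
2016-03-01T10:15:00 10.0.0.9 xk3j9.example.org Mozilla/4.0 -
2016-03-01T10:20:00 10.0.0.9 xk3j9.example.org Mozilla/4.0 -
"""

# Constructed stand-in for a WHOIS creation-date lookup (assumption, not real data).
DOMAIN_CREATED = {
    "cdn.example.com": datetime(2008, 1, 1),
    "www.example.com": datetime(2008, 1, 1),
    "xk3j9.example.org": datetime(2016, 2, 20),
}

# Indicator weights are an arbitrary choice for this example.
WEIGHTS = {"beaconing": 3, "rare_domain": 2, "rare_user_agent": 1,
           "missing_referrer": 1, "young_domain": 2}
MAX_SCORE = sum(WEIGHTS.values())

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than crashing."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, host, ua, ref = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "client": client,
                       "host": host, "ua": ua, "ref": None if ref == "-" else ref})
    return events


def beaconing_indicator(timestamps, min_events=4, max_cv=0.1):
    """1.0 when gaps between requests are nearly constant (low coefficient of variation)."""
    if len(timestamps) < min_events:
        return 0.0
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if mean(gaps) == 0:
        return 0.0
    return 1.0 if pstdev(gaps) / mean(gaps) <= max_cv else 0.0


def score_domains(events, whitelist=frozenset(), young_days=30):
    """Return {host: {indicator: value, ..., "score": 0-100}} for every host seen."""
    by_host = defaultdict(list)
    ua_clients = defaultdict(set)   # which clients use each user agent
    all_clients = set()
    for e in events:
        by_host[e["host"]].append(e)
        ua_clients[e["ua"]].add(e["client"])
        all_clients.add(e["client"])

    results = {}
    for host, evs in by_host.items():
        if host in whitelist:       # supervised whitelisting: analyst-approved hosts score 0
            results[host] = {"score": 0, "whitelisted": True}
            continue
        clients = {e["client"] for e in evs}
        # beaconing is judged on the single client that talked to this host most often
        busiest = max(clients, key=lambda c: sum(e["client"] == c for e in evs))
        ind = {
            "beaconing": beaconing_indicator([e["ts"] for e in evs if e["client"] == busiest]),
            "rare_domain": 1.0 if len(clients) <= 1 and len(all_clients) > 1 else 0.0,
            "rare_user_agent": 1.0 if any(len(ua_clients[e["ua"]]) <= 1 for e in evs) else 0.0,
            "missing_referrer": sum(e["ref"] is None for e in evs) / len(evs),
            "young_domain": 0.0,
        }
        created = DOMAIN_CREATED.get(host)
        first_seen = min(e["ts"] for e in evs)
        if created is not None and first_seen - created < timedelta(days=young_days):
            ind["young_domain"] = 1.0
        ind["score"] = round(100 * sum(WEIGHTS[k] * ind[k] for k in WEIGHTS) / MAX_SCORE)
        results[host] = ind
    return results


if __name__ == "__main__":
    ranked = sorted(score_domains(parse_log(SAMPLE_LOG)).items(),
                    key=lambda kv: -kv[1]["score"])
    for host, r in ranked:
        print(f"{r['score']:3d}  {host}  {r}")
```

On the constructed input the host contacted every five minutes by a single client, with a user agent nobody else uses, no referrer and a registration ten days old scores 100, while the shared CDN host scores 0 and the host that trips only the rarity indicator stays low; that single-indicator case is the kind the slide's "supervised whitelisting option" exists to tune away once an analyst has reviewed it.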

  • 20

    PRIORITIZED ACTION

    [Diagram: LOGS, PACKETS, ENDPOINT and NETFLOW from On-Prem and Cloud, enriched by LIVE, feed Alerts, Investigation, Workflow and GRC.]

  • 21

    RSA Security Operations Management (SecOps)

  • 22

    SOC CHALLENGE: EVENT-FOCUSED, REACTIVE

    No Centralization of Alerts

    Lack of Centralized Incident Management

    Lack of Context

    Lack of Process

    Lack of Best Practices

  • 23

    RSA SECURITY OPERATIONS MANAGEMENT

    RSA SecOps Domain

    Framework & Alignment: People, Process, Technology

    Incident Response

    Breach Response

    SOC Program Management

  • 24

    RSA SECOPS

    RSA SecOps: Aggregate Alerts to Incidents | Incident Response | Breach Response | SOC Program Management | Dashboard & Report

    RSA Archer Enterprise Management (Context)

    RSA Archer Enterprise Risk, BCM (Optional)

    [Diagram: ALERTS and CONTEXT flow into RSA SecOps, which provides LAUNCH FOR INVESTIGATIONS to 3rd Party Systems.]

  • 25

    SOC MANAGER / CISO DASHBOARD

  • 26

    Beyond Technology: Consulting

  • 27

    THE ADVANCED SOC

    Tier 2 Analyst

    Tier 1 Analyst

    Threat Intelligence Analyst

    SOC Manager

    Analysis & Tools Support Analyst

  • 28

    ASOC Design & Implementation: ASOC Strategy, Design & Program Development | Technology & Operations Buildout | Residencies, Support & Training

    Security Operations Management: SecOps Strategy & Management | Use Case Development | Incident Response Procedures

    Incident Response: Retainer | In
