RSA Advanced SOC - Dell EMC Middle-East · RSA Advanced SOC, Halim Abouzeid ... RSA Security...
TRANSCRIPT
© Copyright 2016 EMC Corporation. All rights reserved.
RSA ADVANCED SOC
HALIM ABOUZEID – ASOC SYSTEMS ENGINEER
AGENDA
• Threat Landscape
• Challenges in a SOC
• RSA’s Strategy
– RSA ECAT
– RSA Security Analytics
– RSA SecOps
– RSA Advanced Cyber Defense Services
EMC CONFIDENTIAL—INTERNAL USE ONLY
ATTACKERS ARE OUTPACING DEFENDERS
Source: VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT
[Chart: percent of breaches where time to compromise (red) / time to discovery (blue) was days or less, by year 2004-2013; panels "Attacker Capabilities" and "Time to Discovery"]
© Copyright 2015 EMC Corporation. Confidential and Proprietary. NDA Required
A LOGS-ONLY APPROACH TO DETECTION ISN’T WORKING
Source: VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT
• 99% of successful attacks went undiscovered by logs
• 83% of incidents took weeks or more to discover
DEFENDER’S CHALLENGES
• Existing strategies & controls are failing
• Attackers are becoming more sophisticated
• The attack surface is expanding
• Tools & processes must adapt to today’s threats
• Teams need to increase experience & efficiency
• Security teams need comprehensive visibility from endpoint to cloud
RESOURCE SHIFT NEEDED: BUDGETS & PEOPLE
Today’s Priorities: Prevention 80% | Monitoring 15% | Response 5%
Future Requirements: Prevention 33% | Monitoring 33% | Response 33%
RSA ADVANCED SOC PLATFORM: ENABLING DEFENDERS
Detect | Respond
Data sources: Network | Endpoint | Logs
Components: RSA Live | RSA Security Analytics | RSA Advanced Cyber Defense | RSA Incident Response | RSA SecOps
EVOLUTION OF THREAT ACTORS & DETECTION IMPLICATIONS
At first, there were HACKS: preventative controls filter known attack paths.
[Diagram: Threat Actors send Malicious Traffic through Firewall, IDS/IPS and AntiVirus toward Corporate Assets; the whitespace between the controls is where successful HACKS occur]
EVOLUTION OF THREAT ACTORS & DETECTION IMPLICATIONS
At first, there were HACKS: preventative controls filter known attack paths.
Then, ATTACKS: despite increased investment in controls, including SIEM.
[Diagram: Threat Actors send Malicious Traffic through Firewall, IDS/IPS and AntiVirus toward Corporate Assets; More Logs feed a SIEM, which records Blocked Sessions and raises an Alert; the remaining whitespace is where successful ATTACKS occur]
EVOLUTION OF THREAT ACTORS & DETECTION IMPLICATIONS
Now, successful ATTACK CAMPAIGNS target any and all whitespace. Complete visibility into every process and network session is required to eradicate the attacker opportunity.
Unified platform for advanced threat detection & investigations
[Diagram: Threat Actors send Malicious Traffic through Firewall, IDS/IPS and AntiVirus toward Corporate Assets (Blocked Sessions, Alert); Logs, Endpoint Visibility (Process) and Network Visibility (Network Sessions) all feed Security Analytics]
TOP ENDPOINT SECURITY CHALLENGES
Source: ESG & VBDIR 2015
Slow & Partial Analysis
• Lack tools & resources
• Manual and labor intensive
• Siloed Views
Invisible Infected Endpoints
• Over-Reliance on signatures
• Network alone not enough
• Lack deep endpoint visibility
Unknown Scope / Lack of Response
• Increased attacker dwell time
• Elevated risk of data loss
• Limited resources
SOLUTION
• Quickly expose endpoint threats (Signature-less)
• Analyze and confirm faster (Prioritizes alerts)
• Instantly determine scope and take action (Answers scope)
• Integrate endpoint with network data (Complete visibility)
RSA ECAT OVERVIEW
• Detect by behavior of malware rather than a signature
• Deep endpoint visibility & real-time alerting
• Intelligent risk level scoring system to prioritize threats
• Confirm infections quickly & block with precision in real time
ECAT workflow: Scan > Monitor & Alert > Analyze > Take Action
HOW RSA ECAT WORKS
RSA Live Intelligence: Threat Intelligence | Feeds | RSA Research
Agent
• Endpoints, Servers, VMs
• Windows, Linux & Mac OS
• Monitors for suspicious activity
• Scans for full system inventory
• Identifies all executables, DLLs, drivers, etc.
• Low system impact (2MB on disk, 10-20MB in memory)
ECAT Server
• Analyzes scan data & flags anomalies
• Maintains repository for global correlation
• Automatically downloads unknown files for additional analysis
• Easily scales: 50K agents per server
RSA SECURITY ANALYTICS ARCHITECTURE
OUT-OF-THE-BOX CONTENT EXAMPLES
Intelligence feeds
• APT Domains
• Suspicious Proxies
• Malicious Networks
• Threat blacklists
• 0-day identifiers
275+ correlation rules
• Data exfiltration
• Identity & access anomalies
• Unusual connections
• Endpoint & network activity
• Reconnaissance detection
90+ reports
• Compliance templates
• Network activity
• Operations
• Suspicious behavior
• User activity
375+ log & network parsers
• Abnormal .exe files
• Packers
• Instant Messenger traffic
• Botnets
• SQL injection
EVENT STREAM ANALYSIS
• Benefits:
– Automated incident detection
– Automated alerting
– Correlation and Complex Event Processing (CEP) across packets, logs, NetFlow and endpoint
– Out of box rules (monthly updates); rule builder
– Advanced Behavioral Analytics
• Real-time (streaming) detection
– Ex. detecting a PDF containing an executable, followed by encrypted traffic over a non-standard port to a blacklisted country from select hosts in the AD group “executives” and hooked code running in laptop memory
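The streaming detection example on this slide is a stateful, multi-source correlation: one rule has to see a packet-derived event, then a NetFlow event, then an endpoint event, all for the same host, in order and within a time window, and only for hosts in a particular AD group. The following Python is an added illustration of that pattern, not RSA Security Analytics rule syntax or code from the deck; the event shapes, the group membership, the blacklisted country code, the "standard" port list and the one-hour window are all constructed assumptions.

```python
"""Stateful correlation across packet, NetFlow and endpoint event streams.

Constructed example: event shapes, group names and thresholds are assumptions
for illustration, not RSA Security Analytics rule syntax.
"""
from collections import defaultdict
from dataclasses import dataclass, field

AD_GROUPS = {"executives": {"lt-ceo", "lt-cfo"}}   # constructed directory data
BLACKLISTED_COUNTRIES = {"XX"}                      # placeholder country code
STANDARD_TLS_PORTS = {443, 8443}                    # assumption: "standard" encrypted ports
WINDOW_SECONDS = 3600        # all stages must occur within one hour per host


@dataclass
class Event:
    ts: int              # epoch seconds
    source: str          # "packets", "netflow" or "endpoint"
    host: str            # endpoint hostname as seen by every source
    attrs: dict = field(default_factory=dict)


# Stage predicates, one per step of the detection story on the slide.
def stage_pdf_with_exe(e):
    return (e.source == "packets" and e.attrs.get("filetype") == "pdf"
            and e.attrs.get("embedded_exe") is True)


def stage_encrypted_nonstd_port(e):
    port = e.attrs.get("dst_port")
    return (e.source in ("netflow", "packets")
            and e.attrs.get("encrypted") is True
            and port is not None and port not in STANDARD_TLS_PORTS
            and e.attrs.get("dst_country") in BLACKLISTED_COUNTRIES)


def stage_hooked_code(e):
    return e.source == "endpoint" and e.attrs.get("alert") == "hooked_code_in_memory"


STAGES = [("pdf_with_exe", stage_pdf_with_exe),
          ("encrypted_nonstd_port", stage_encrypted_nonstd_port),
          ("hooked_code_in_memory", stage_hooked_code)]


class Correlator:
    """Advances each in-scope host through the ordered stages within the window."""

    def __init__(self, group="executives"):
        self.in_scope = AD_GROUPS[group]
        self.progress = defaultdict(list)    # host -> [(stage_name, ts), ...]
        self.alerts = []

    def feed(self, e):
        if e.host not in self.in_scope:      # rule only applies to the AD group
            return None
        chain = self.progress[e.host]
        if chain and e.ts - chain[0][1] > WINDOW_SECONDS:
            chain.clear()                    # partial chain expired, start over
        name, predicate = STAGES[len(chain)]
        if not predicate(e):                 # out-of-order stages do not advance
            return None
        chain.append((name, e.ts))
        if len(chain) < len(STAGES):
            return None
        alert = {"host": e.host, "severity": "critical",
                 "chain": [n for n, _ in chain]}
        self.alerts.append(alert)
        chain.clear()
        return alert


def run_demo():
    """Replays a constructed event stream and returns the alerts raised."""
    stream = [
        Event(0,    "packets",  "lt-ceo",    {"filetype": "pdf", "embedded_exe": True}),
        Event(600,  "netflow",  "lt-ceo",    {"encrypted": True, "dst_port": 4444, "dst_country": "XX"}),
        Event(1200, "endpoint", "lt-ceo",    {"alert": "hooked_code_in_memory"}),
        # same chain, but the second stage falls outside the window: no alert
        Event(0,    "packets",  "lt-cfo",    {"filetype": "pdf", "embedded_exe": True}),
        Event(5000, "netflow",  "lt-cfo",    {"encrypted": True, "dst_port": 4444, "dst_country": "XX"}),
        Event(5100, "endpoint", "lt-cfo",    {"alert": "hooked_code_in_memory"}),
        # full chain on a host outside the "executives" group: ignored by this rule
        Event(0,    "packets",  "ws-intern", {"filetype": "pdf", "embedded_exe": True}),
        Event(300,  "netflow",  "ws-intern", {"encrypted": True, "dst_port": 4444, "dst_country": "XX"}),
        Event(400,  "endpoint", "ws-intern", {"alert": "hooked_code_in_memory"}),
    ]
    c = Correlator()
    for e in sorted(stream, key=lambda ev: ev.ts):
        c.feed(e)
    return c.alerts


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

The point of the example is what a single-source rule cannot do: each stage alone (a PDF download, a flow to an odd port, an endpoint memory alert) would be noisy, but the ordered chain on one host inside a bounded window is specific enough to alert on, and the window keeps stale partial matches from accumulating.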
DATA SOURCES: SHELL CREW EXAMPLE
Logs: What was targeted?
• Intrusion attempts
Packets: How did the exploit occur?
• Beaconing & suspicious communications
• “Sticky-keys” backdoor
• Malicious proxy tools
• WinRAR using encrypted rar files
• Recreate entire exploit
NetFlow: How did the attackers move around once inside?
• Lateral movement via RDP
Endpoints: Was the endpoint exploited? Were others infected?
• Time/date “stomping”
• Indicators about malicious files and code
• Scope of infection
ADVANCED ANALYTICS ENGINE
LEADING INDICATORS OF A PLANNED C2 EXPLOIT
• Real-time Analytics – Data Science algorithms
– Scores on multiple C2 behavior indicators
– Utilizes streaming HTTP activity
• Low False Positives
– Learns from ongoing and historical activity
– Supervised whitelisting option
Indicators combined into an aggregate score: Beaconing Behavior | Rare Domains | Rare User Agents | Missing Referrers | Domain Age (WhoIS) | Suspicious Domains
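To make the "aggregate score" concrete, here is an added Python illustration of scoring HTTP proxy records on the indicators the slide lists: interval regularity (beaconing), how many hosts use a domain or user agent (rarity), the share of requests with no referrer, and domain registration age. It is not RSA's data-science model; the weights, thresholds, whitelist, hosts and domains are constructed assumptions, and the "supervised whitelisting" is modelled as a plain set of excluded domains.

```python
"""Aggregate C2 indicator scoring over HTTP proxy records.

Constructed example: indicator weights, thresholds, domains and hosts are
assumptions for illustration, not RSA's data-science model.
"""
from collections import defaultdict
from statistics import mean, pstdev

WHITELIST = {"updates.vendor-example.test"}      # supervised whitelist (constructed)
WEIGHTS = {"beaconing": 0.35, "rare_domain": 0.20, "rare_user_agent": 0.15,
           "missing_referrer": 0.15, "domain_age": 0.15}   # sums to 1.0


def beaconing_score(timestamps, min_requests=4):
    """1.0 for perfectly regular request intervals, approaching 0 as jitter grows."""
    if len(timestamps) < min_requests:
        return 0.0
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg == 0:
        return 0.0
    return max(0.0, 1.0 - pstdev(gaps) / avg)   # 1 - coefficient of variation


def domain_age_score(age_days):
    """Registered within 30 days scores 1.0, decaying linearly to 0 at one year."""
    if age_days is None:
        return 0.5                               # no WHOIS answer: neutral
    return max(0.0, min(1.0, (365 - age_days) / 335))


def rarity(hosts_seen, all_hosts):
    """1.0 when a single host uses the value, 0.0 when every host does."""
    return 1.0 - (len(hosts_seen) - 1) / max(1, len(all_hosts) - 1)


def score_http_activity(records):
    """records: dicts with ts, host, domain, user_agent, referrer, domain_age_days.
    Returns one scored entry per (host, domain) pair, highest aggregate first."""
    all_hosts = {r["host"] for r in records}
    domain_hosts, ua_hosts = defaultdict(set), defaultdict(set)
    for r in records:                            # population baselines for rarity
        domain_hosts[r["domain"]].add(r["host"])
        ua_hosts[r["user_agent"]].add(r["host"])
    pairs = defaultdict(list)
    for r in records:
        if r["domain"] not in WHITELIST:         # whitelisted domains never score
            pairs[(r["host"], r["domain"])].append(r)
    results = []
    for (host, domain), rs in pairs.items():
        ind = {
            "beaconing": beaconing_score([r["ts"] for r in rs]),
            "rare_domain": rarity(domain_hosts[domain], all_hosts),
            "rare_user_agent": mean(rarity(ua_hosts[r["user_agent"]], all_hosts) for r in rs),
            "missing_referrer": sum(1 for r in rs if not r["referrer"]) / len(rs),
            "domain_age": domain_age_score(rs[0]["domain_age_days"]),
        }
        score = sum(WEIGHTS[k] * v for k, v in ind.items())
        results.append({"host": host, "domain": domain, "indicators": ind,
                        "score": round(score, 4)})
    return sorted(results, key=lambda x: x["score"], reverse=True)


COMMON_UA = "Mozilla/5.0 (Windows NT 10.0) Chrome/50.0"
OLD_UA = "Mozilla/4.0 (compatible; MSIE 6.0)"


def constructed_records():
    """Sample proxy log, constructed for the demo."""
    recs = []
    # ws-01 checks in with a young, otherwise unseen domain every 300 s, no referrer
    for i in range(6):
        recs.append({"ts": 1000 + 300 * i, "host": "ws-01", "domain": "cdn-upd4te.test",
                     "user_agent": OLD_UA, "referrer": None, "domain_age_days": 5})
    # ordinary, irregular browsing of a long-established site by every host
    for host, stamps in [("ws-01", [10, 60]), ("ws-02", [0, 50, 700, 900]),
                         ("ws-03", [20, 400, 410, 2000])]:
        for t in stamps:
            recs.append({"ts": t, "host": host, "domain": "www.example-news.test",
                         "user_agent": COMMON_UA, "referrer": "https://www.example-news.test/",
                         "domain_age_days": 4000})
    recs.append({"ts": 5, "host": "ws-02", "domain": "updates.vendor-example.test",
                 "user_agent": COMMON_UA, "referrer": None, "domain_age_days": 3000})
    return recs


def run_demo():
    return score_http_activity(constructed_records())


if __name__ == "__main__":
    for r in run_demo():
        print(r["score"], r["host"], r["domain"], r["indicators"])
```

Each indicator is weak on its own (plenty of legitimate software beacons, and many sites are visited by one host), which is why the block weights them into one score rather than alerting on any single one; the rarity baselines are computed from the whole population in the window, which is the "learns from ongoing and historical activity" idea on the slide in its simplest form.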
PRIORITIZED ACTION
[Diagram: LOGS, PACKETS, ENDPOINT and NETFLOW data, on-prem and cloud, enriched by RSA LIVE, flow into Alerts, then Investigation, then Workflow, then GRC]
ASSET INFORMATION IN SECURITY ANALYTICS
• Helps analysts better understand risk
• Prioritizes investigation & response
• Supports conducting the investigation
RSA Security Operations Management (SecOps)
SOC COMPLEXITIES
• Multiple Roles: L1 Analyst, L2 Analyst, Threat Analyst, Breach Coordinator, SOC Manager 1, SOC Manager 2, CISO, Finance, Legal, HR, IT
• Multiple Processes: Shift Handoff, IT Handoff, Incident Process, Breach Process, Threat Analysis, Report KPIs, Centralize Alerts, Measure Efficacy
• Multiple Technologies: SIEM, DLP, Network Visibility, Host Visibility, eFraud
SOC CHALLENGE - EVENT-FOCUSED, REACTIVE
• No Centralization of Alerts
• Lack of Centralized Incident Management
• Lack of Context
• Lack of Process
• Lack of Best Practices
RSA SECURITY OPERATIONS MANAGEMENT
RSA SecOps domain: Framework & Alignment across People, Process and Technology
Areas: Incident Response | Breach Response | SOC Program Management
RSA SECOPS
RSA SecOps: Aggregate Alerts to Incidents | Incident Response | Breach Response | SOC Program Management | Dashboard & Report
Built on RSA Archer Enterprise Management (Context) and RSA Archer Enterprise Risk / BCM (Optional)
Inputs from 3rd Party Systems: ALERTS | CONTEXT | LAUNCH FOR INVESTIGATIONS
SOC PERSONA DRIVEN DESIGN: CUSTOMIZED FOR THE SOC PERSONAS
L1/L2 Analyst
• Review Incidents
• Collect Data
• Investigate / Escalate
• Forensic Analysis
Incident Coordinator
• Analyst Mgmt.
• Shift Handover
• Incident Trends
Breach Response Lead
• Review Escalations
• Breach Impact Analysis
• Notification Process
SOC Manager / CISO
• SOC Visibility
• Access to Dashboards
• Access to Reports
• Measure Effectiveness
LINK TO BUSINESS CONTEXT
New and My Incident Queue
Cross-Reference Alerts to Asset Details and Business Context
LEVERAGE BEST PRACTICES
ENGINEERED AS PER THE EXPERTISE OF INDUSTRY AND PRACTITIONERS
• Response Process: 25+ CIRC
• Practitioner View
• Naming & Terminology: VERIS Framework
THE ADVANCED SOC
Tier 2 Analyst
Tier 1 Analyst
Threat Intelligence Analyst
SOC Manager
Analysis & Tools Support Analyst
RSA ADVANCED CYBER DEFENSE SERVICES: DEVELOP AND MATURE A PORTFOLIO FOR ONGOING COMPETITIVE ADVANTAGE
• ASOC Design & Implementation: ASOC Strategy, Design & Program Development | Technology & Operations Buildout | Residencies, Support & Training
• Security Operations Management: SecOps Strategy & Management | Use Case Development | Incident Response Procedures
• Incident Response: Retainer | Incident Discovery | Incident Response | IR Hunting Services | Breach Management
• Cyber Readiness & Capability Roadmap: Current State & Gap Analysis | Maturity Modeling | Breach Readiness Roadmap | Net Defender (Cyber Security Framework)
• Cyber & Counter Threat Intelligence: Program Development | Web & E-mail Threat Operations | Best Practices
RSA ADVANCED CYBER DEFENSE SERVICES & TRAINING
• Proven methodologies
• Hands-on labs
• Delivered by security practitioners
DEFENDER’S CHALLENGES (SUMMARY)
The six challenges listed on the DEFENDER’S CHALLENGES slide above, mapped to the RSA offerings that address them: Security Analytics | ECAT | ACD Trainings | Incident Response | ACD Design | SecOps