RSA ADVANCED SOC – Dell EMC Middle East
HALIM ABOUZEID – ASOC SYSTEMS ENGINEER
© Copyright 2016 EMC Corporation. All rights reserved.
Posted on 27-Jun-2018

TRANSCRIPT

AGENDA

• Threat Landscape
• Challenges in a SOC
• RSA’s Strategy
  – RSA ECAT
  – RSA Security Analytics
  – RSA SecOps
  – RSA Advanced Cyber Defense Services

EMC CONFIDENTIAL—INTERNAL USE ONLY

ATTACKERS ARE OUTPACING DEFENDERS

Source: Verizon 2014 Data Breach Investigations Report

[Chart: attacker capabilities vs. time to discovery. Percent of breaches where time to compromise (red) / time to discovery (blue) was days or less, plotted per year 2004–2013 on a 0–100% scale.]

© Copyright 2015 EMC Corporation. Confidential and Proprietary. NDA Required

A LOGS-ONLY APPROACH TO DETECTION ISN’T WORKING

Source: Verizon 2014 Data Breach Investigations Report

• 99% of successful attacks went undiscovered by logs
• 83% of incidents took weeks or more to discover

DEFENDER’S CHALLENGES

• Existing strategies & controls are failing
• Attackers are becoming more sophisticated
• The attack surface is expanding
• Tools & processes must adapt to today’s threats
• Teams need to increase experience & efficiency
• Security teams need comprehensive visibility from endpoint to cloud

RESOURCE SHIFT NEEDED: BUDGETS & PEOPLE

               Today’s Priorities   Future Requirements
Prevention     80%                  33%
Monitoring     15%                  33%
Response        5%                  33%

RSA ADVANCED SOC PLATFORM: ENABLING DEFENDERS

Detect and Respond across Network, Endpoint and Logs:

• RSA Live
• RSA Security Analytics
• RSA Advanced Cyber Defense
• RSA Incident Response
• RSA SecOps

EVOLUTION OF THREAT ACTORS & DETECTION IMPLICATIONS

1. At first, there were HACKS. Preventative controls filter known attack paths: malicious traffic from threat actors passes Firewall, IDS/IPS and AntiVirus on its way to Corporate Assets, and what gets through the whitespace between those controls becomes a successful HACK.

2. Then, ATTACKS. Despite increased investment in controls, including SIEM fed with more logs (Blocked Session, Blocked Session, Blocked Session, Alert), attacks still succeed through the remaining whitespace.

3. Now, successful ATTACK CAMPAIGNS target any and all whitespace. Complete visibility into every process and network session is required to eradicate the attacker opportunity: a unified platform for advanced threat detection & investigations (Security Analytics) combines Logs from Firewall, IDS/IPS and AntiVirus with Endpoint Visibility (every Process) and Network Visibility (every Network Session).


RSA ECAT

TOP ENDPOINT SECURITY CHALLENGES

Source: ESG & VBDIR 2015

Slow & Partial Analysis
• Lack tools & resources
• Manual and labor intensive
• Siloed views

Invisible Infected Endpoints
• Over-reliance on signatures
• Network alone not enough
• Lack deep endpoint visibility

Unknown Scope / Lack of Response
• Increased attacker dwell time
• Elevated risk of data loss
• Limited resources

SOLUTION

• Quickly expose endpoint threats – signature-less
• Analyze and confirm faster – prioritizes alerts
• Instantly determine scope and take action – answers scope
• Integrate endpoint with network data – complete visibility

RSA ECAT OVERVIEW

• Detect by behavior of malware rather than a signature
• Deep endpoint visibility & real-time alerting
• Intelligent risk level scoring system to prioritize threats
• Confirm infections quickly & block with precision in real time

ECAT workflow: Scan, Monitor & Alert, Analyze, Take Action

HOW RSA ECAT WORKS

RSA Live intelligence: Threat Intelligence | Feeds | RSA Research

Agent
• Endpoints, servers, VMs
• Windows, Linux & Mac OS
• Monitors for suspicious activity
• Scans for full system inventory
• Identifies all executables, DLLs, drivers, etc.
• Low system impact (2MB on disk, 10-20MB in memory)

ECAT Server
• Analyzes scan data & flags anomalies
• Maintains repository for global correlation
• Automatically downloads unknown files for additional analysis
• Easily scales: 50K agents per server

RSA Security Analytics

RSA SECURITY ANALYTICS ARCHITECTURE

OUT-OF-THE-BOX CONTENT EXAMPLES

Intelligence feeds: APT domains, suspicious proxies, malicious networks, threat blacklists, 0-day identifiers

275+ correlation rules: data exfiltration, identity & access anomalies, unusual connections, endpoint & network activity, reconnaissance detection

90+ reports: compliance templates, network activity, operations, suspicious behavior, user activity

375+ log & network parsers: abnormal .exe files, packers, instant messenger traffic, botnets, SQL injection

Advanced Analytics: Rapid Detection

EVENT STREAM ANALYSIS

• Benefits:
  – Automated incident detection
  – Automated alerting
  – Correlation and Complex Event Processing (CEP) across packets, logs, NetFlow and endpoint
  – Out-of-box rules (monthly updates); rule builder
  – Advanced behavioral analytics
• Real-time (streaming) detection
  – Example: detecting a PDF containing an executable, followed by encrypted traffic over a non-standard port to a blacklisted country from select hosts in the AD group “executives” and hooked code running in laptop memory

DATA SOURCES: SHELL CREW EXAMPLE

Logs – What was targeted?
• Intrusion attempts

Packets – How did the exploit occur?
• Beaconing & suspicious communications
• “Sticky-keys” backdoor
• Malicious proxy tools
• WinRAR using encrypted rar files
• Recreate entire exploit

NetFlow – How did the attackers move around once inside?
• Lateral movement via RDP

Endpoints – Was the endpoint exploited? Were others infected?
• Time/date “stomping”
• Indicators about malicious files and code
• Scope of infection

ADVANCED ANALYTICS ENGINE: LEADING INDICATORS OF A PLANNED C2 EXPLOIT

• Real-time analytics – data science algorithms
  – Scores on multiple C2 behavior indicators
  – Utilizes streaming HTTP activity
• Low false positives
  – Learns from ongoing and historical activity
  – Supervised whitelisting option

Indicators combined into an aggregate score for suspicious domains: beaconing behavior, rare domains, rare user agents, missing referrers, domain age (WhoIS).
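As an added illustration (not RSA's engine and not code from this deck), the Python below scores each destination domain on the five indicators the slide lists, beaconing regularity, rare domain, rare user agent, missing referrer and domain age, over a constructed set of HTTP proxy records; the WHOIS ages, weights and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample proxy records (not from the deck): (timestamp_s, src_host, domain, user_agent, referrer).
LOG = [(t, "ws-17", "upd-cdn-7.example", "Mozilla/4.0 (compatible; MSIE 6.0)", "")
       for t in range(0, 3600, 300)]  # one host, every 300 s, no referrer
LOG += [(t, h, "www.example-news.test", "Mozilla/5.0 Firefox", "https://www.example-news.test/")
        for h in ("ws-01", "ws-02", "ws-03", "ws-17") for t in (17, 900, 2222, 3500)]
# Assumed WHOIS-style registration age in days; a real deployment would look this up.
DOMAIN_AGE_DAYS = {"upd-cdn-7.example": 12, "www.example-news.test": 4000}
# Assumed per-indicator weights; the aggregate is their sum (max 100).
WEIGHTS = {"beaconing": 30, "rare_domain": 20, "rare_ua": 15, "no_referrer": 15, "young_domain": 20}

def score_domains(log, age_days, min_hits=6, max_cv=0.1):
    """Return {domain: {indicator: points, ..., 'aggregate': total}}, highest aggregate first."""
    hits = defaultdict(list)            # domain -> [(ts, referrer)]
    hosts_by_domain = defaultdict(set)  # domain -> source hosts seen contacting it
    hosts_by_ua = defaultdict(set)      # user agent -> source hosts using it
    uas_by_domain = defaultdict(set)    # domain -> user agents seen against it
    for ts, host, dom, ua, ref in log:
        hits[dom].append((ts, ref))
        hosts_by_domain[dom].add(host)
        hosts_by_ua[ua].add(host)
        uas_by_domain[dom].add(ua)
    result = {}
    for dom, evts in hits.items():
        ind = {}
        ts = sorted(t for t, _ in evts)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        # Beaconing: enough requests with near-constant spacing (low coefficient of variation).
        regular = len(evts) >= min_hits and gaps and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < max_cv
        ind["beaconing"] = WEIGHTS["beaconing"] if regular else 0
        # Rare domain: only a single internal host ever talks to it.
        ind["rare_domain"] = WEIGHTS["rare_domain"] if len(hosts_by_domain[dom]) == 1 else 0
        # Rare user agent: every UA used against this domain is unique to one host in the estate.
        ind["rare_ua"] = WEIGHTS["rare_ua"] if all(len(hosts_by_ua[u]) == 1 for u in uas_by_domain[dom]) else 0
        # Missing referrer: browsers normally send one; beaconing tools usually do not.
        no_ref = sum(1 for _, r in evts if not r) / len(evts)
        ind["no_referrer"] = WEIGHTS["no_referrer"] if no_ref > 0.9 else 0
        # Domain age: recently registered domains are weighted as suspicious.
        ind["young_domain"] = WEIGHTS["young_domain"] if age_days.get(dom, 10**6) < 30 else 0
        ind["aggregate"] = sum(ind.values())
        result[dom] = ind
    return dict(sorted(result.items(), key=lambda kv: -kv[1]["aggregate"]))

if __name__ == "__main__":
    for dom, ind in score_domains(LOG, DOMAIN_AGE_DAYS).items():
        print(f"{ind['aggregate']:3d}  {dom}  {ind}")
```

The beaconing domain scores on all five indicators while the widely visited news site scores zero; the supervised whitelisting the slide mentions would simply drop known-good domains before scoring.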

Rapid Response & Investigation

PRIORITIZED ACTION

Flow: RSA Live, Alerts, Investigation, Workflow, GRC
Data sources (on-prem and cloud): Logs, Packets, Endpoint, NetFlow

ASSET INFORMATION IN SECURITY ANALYTICS

• Helps analysts better understand risk
• Prioritize investigation & response
• Conduct the investigation

RSA Security Operations Management (SecOps)

SOC COMPLEXITIES

Multiple roles: L1 Analyst, L2 Analyst, Threat Analyst, Breach Coordinator, SOC Manager 1, SOC Manager 2, CISO, Finance, Legal, HR, IT

Multiple processes: Shift Handoff, IT Handoff, Incident Process, Breach Process, Threat Analysis, Centralize Alerts, Measure Efficacy, Report KPIs

Multiple technologies: SIEM, DLP, Network Visibility, Host Visibility, eFraud

SOC CHALLENGE - EVENT-FOCUSED, REACTIVE

• No centralization of alerts
• Lack of centralized incident management
• Lack of context
• Lack of process
• Lack of best practices

RSA SECURITY OPERATIONS MANAGEMENT

RSA SecOps domain: framework & alignment across People, Process and Technology, covering Incident Response, Breach Response and SOC Program Management.

RSA SECOPS

RSA SecOps functions: Aggregate Alerts to Incidents | Incident Response | Breach Response | SOC Program Management | Dashboard & Report

Built on RSA Archer Enterprise Management (context), with RSA Archer Enterprise Risk / BCM optional.

Integration points with 3rd party systems: alerts, context, launch for investigations.

SOC PERSONA DRIVEN DESIGN: CUSTOMIZED FOR THE SOC PERSONAS

L1/L2 Analyst
• Review incidents
• Collect data
• Investigate / escalate
• Forensic analysis

Incident Coordinator
• Analyst management
• Shift handover
• Incident trends

Breach Response Lead
• Review escalations
• Breach impact analysis
• Notification process

SOC Manager / CISO
• SOC visibility
• Access to dashboards
• Access to reports
• Measure effectiveness

ANALYST FOCUSED DASHBOARD

New and My Incident Queue

LINK TO BUSINESS CONTEXT

Cross-reference alerts to asset details and business context

INCIDENT COORDINATOR DASHBOARD

SOC MANAGER / CISO DASHBOARD

LEVERAGE BEST PRACTICES: ENGINEERED AS PER THE EXPERTISE OF INDUSTRY AND PRACTITIONERS

• Response process – 25+ CIRC practitioner view
• Naming & terminology – VERIS framework

Beyond Technology: Services

THE ADVANCED SOC

Roles: Tier 1 Analyst, Tier 2 Analyst, Threat Intelligence Analyst, Analysis & Tools Support Analyst, SOC Manager

RSA ADVANCED CYBER DEFENSE SERVICES: DEVELOP AND MATURE A PORTFOLIO FOR ONGOING COMPETITIVE ADVANTAGE

ASOC Design & Implementation
• ASOC Strategy, Design & Program Development | Technology & Operations Buildout | Residencies, Support & Training

Security Operations Management
• SecOps Strategy & Management | Use Case Development | Incident Response Procedures

Incident Response
• Retainer | Incident Discovery | Incident Response | IR Hunting Services | Breach Management

Cyber Readiness & Capability Roadmap
• Current State & Gap Analysis | Maturity Modeling | Breach Readiness Roadmap | Net Defender (Cyber Security Framework)

Cyber & Counter Threat Intelligence
• Program Development | Web & E-mail Threat Operations | Best Practices

RSA ADVANCED CYBER DEFENSE SERVICES & TRAINING

• Proven methodologies
• Hands-on labs
• Delivered by security practitioners

DEFENDER’S CHALLENGES (RECAP)

The six defender’s challenges from the opening are mapped to the portfolio: Security Analytics, ECAT, ACD Trainings, Incident Response, ACD Design, SecOps.