
Slide 1 (© Copyright 2013 EMC Corporation. All rights reserved.)

RSA IT Security Risk Management
Adding Insight to Security

RSA Security Summit, Amsterdam, The Netherlands, May 7, 2014
Alexander van Winden, GRC Solutions Consultant

Slide 2: Where is Security Today?

Complexity, Data, Breaches, Damage

Companies have built layer upon layer of security, but is it helping?

Slide 3: Defense in Depth

Which of these are most important?
Web Vulnerability, OS Configuration, Patch Management, Device Vulnerability, Anti-Virus/Malware, Logical Access, IPS/IDS, Physical Access, Firewalls, VPNs, SIEM/Packets

We believe that doing the right thing should be obvious, but for today's IT security organizations it is too often hidden.

Lack of Insight [The Noise Factor]: one day in the security team's calendar
8:02 AM – Malware infection on 10.1.2.30
8:30 AM – Voice mail from colleague re: new hacker group
9:00 AM – Meeting with QSA re: last week's vulnerability scan
11:15 AM – Vulnerability scan on DMZ completed
11:30 AM – Meeting with XYZ department on new application being installed next week
12:00 PM – Company just like us announced major breach
12:02 PM – CVE-2014-123 just released
1:45 PM – Meeting with audit committee re: security risks
2:00 PM – System outage at Phoenix branch
2:15 PM – Weird(?) network traffic reported by network team
2:53 PM – Malware outbreak on multiple machines
3:00 PM – New contractor onboarding
3:20 PM – Present security awareness training to new employees
4:15 PM – Industry ISAC security conference call
4:32 PM – HR reports social engineering attempt
5:07 PM – Port scan on 192.168.3.45
6:07 PM – Security policy meeting
8:02 PM – Malware infection on 10.10.2.32
8:30 PM – Multiple failed login attempts on 192.168.100.23
11:15 PM – Vulnerability scan found 142 critical vulnerabilities
12:00 AM – Malware infection on 10.2.3.45
12:02 AM – Sun just released a new patch to JRE 5.4.3.2

The questions buried in that noise:
- Inappropriate access attempt on top secret information?
- Do we have a compliance issue?
- Is this a high risk business function?
- What are the executive concerns?
- Meaningless virus infection?
- Is this a coordinated advanced attack?

Slide 4: The New World of Security

It will become increasingly difficult to secure infrastructure.

We must focus on people, the flow of data and on transactions.

Slide 5: We Need to Change our Approach…

Defense in Depth Security: Prevention, Monitoring, Response
Intelligence-Driven Security: Prevention, Monitoring, Response

Improve monitoring and response capabilities.

Slide 6: Signal Clarity and Amplification

We provide solutions that cut through the noise and bring clarity to the signal, to amplify your decisions.

Noise → Visibility → Analysis → Action → Metrics
Visibility + Analysis = Priority
Priority + Action = Results
Results + Metrics = Progress

Slide 7: IT Security Risk Management

Enables organizations to:
- establish business context for security
- establish security policies and standards
- detect and respond to attacks
- identify and remediate security deficiencies
reducing the risk of today's security threats; poor, misaligned security practices; and operational security compliance failures.

…not a single answer but rather a solution leveraging people, process, and technology as a force multiplier.

Domains: Security Strategy, Security Compliance, Threat & Vulnerability Management, Security Policies, Security Operations

Slide 8: Planning Your Journey

Maturity axis: Reactive, Proactive, Intelligent
- Layered: point solutions, multiple management consoles, basic reporting
- Managed: integrated security, expanded visibility, improved analysis/metrics
- Advantaged: fully risk aware, identify opportunity

Along the way: gain insight & visibility; manage known & unknown risks; integrate data sources; make risk-based decisions.

Slide 9: IT Security Risk Solutions (section: Vulnerability Risk Management)

Foundation: IT Security Risk Management
- Assets: IT context, business context, regulatory, data
- Scan Results
- Indicators and Metrics
- Catalogs: CVE/CVSS, CWE, CPE, CCE, Threat Intel, UCF
- Identity: login/logout, repositories, integrations
- Workflow: ticketing, reports, exceptions, notifications

Preventative: Remediation Workflow, Threat Correlation, Gold Build Images
Responsive: Incidents & Investigations, Breach Management, Crisis Management, SOC Management
Focused UIs: persona-based UI, interactive charts, searching and filtering
Measure Outcomes

Platform: RSA Archer eGRC

Slide 10: Vulnerability Management Today

Trying to avoid the vulnerability pit…

Objects in the diagram: Devices, Vulnerability Scanner, Vulnerability, Issue, Patch

1. Brian, IT Security Analyst, runs his vulnerability scanner.
2. The vulnerability scanner finds a number of issues on IT systems.
3. Pages of results are delivered to Alice, IT Administrator, to fix.
4. Patches are pushed out or configurations are updated to fix the vulnerabilities.
5. Some patches are missed, don't fix the problem, or there isn't enough time to get to them. The vulnerability will sit unaddressed, possibly forever…

Carlos, CISO, is left wondering:
- What does this mean for business risk? What about my most valuable assets?
- Are we improving? Do we have the right coverage?
- What happens if the threats change? Can I get more protection quickly?

Slide 11: What is VRM?

Vulnerability Risk Management allows enterprises to proactively manage IT security risks through the combination of asset business context, actionable threat intelligence, vulnerability assessment results, and comprehensive workflow.

Slide 12: VRM In A Nutshell

Steps, required capabilities and challenges:

Catalog Assets
- Required capabilities: create an accurate asset repository; track technical and business context; update with ease
- Challenges: inaccurate and incomplete; lack of a single system of record

Discover Vulnerabilities
- Required capabilities: scan all networks; identify all types of vulnerabilities; scan without affecting IT SLAs
- Challenges: scalability, speed, accuracy (addressed by Qualys, McAfee and others)

Classify Issues
- Required capabilities: identify real issues; assign reliable severity ratings; prioritize issues based on real risk
- Challenges: no relation between technical and business data; lack of context and reliable prioritization

Address Issues
- Required capabilities: identify the right action; fix/except issues; manage through workflows
- Challenges: lack of flexible workflows and automation

Track and Report
- Required capabilities: track the real status of issues; generate trend reports, etc.; create dashboards
- Challenges: ineffective and time-consuming reporting

VRM [solution]: Scan Results + Business Context + Threat Intel = Prioritized Issues, Workflow, KPIs, Reports
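The "Scan Results + Business Context + Threat Intel = Prioritized Issues" formula above, worked through as an added example; this is not RSA or scanner-vendor code. The weights, the tier thresholds, the asset fields and every finding, asset and threat-intel entry are constructed assumptions; the CVE strings are used only as labels and the CVSS values are not NVD scores.

```python
"""Risk-based prioritization of vulnerability findings (added example).

Constructed scanner output, asset context and threat intelligence are
combined into one ranked issue list. No real product data is used."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One scanner result line (constructed; stands in for a Qualys/McAfee export)."""
    device: str
    cve: str
    cvss: float          # base score as reported by the scanner (constructed values)
    scanner: str


@dataclass(frozen=True)
class Asset:
    """Business context for a device (constructed; stands in for a CMDB export)."""
    criticality: int     # 1 = low .. 4 = mission critical
    internet_facing: bool
    regulated_data: bool  # e.g. cardholder or personal data


# Asset repository keyed by device. Devices the repository does not know fall
# back to DEFAULT_ASSET and are flagged: an incomplete catalog is itself a gap.
ASSETS = {
    "web01": Asset(criticality=4, internet_facing=True, regulated_data=True),
    "db02": Asset(criticality=4, internet_facing=False, regulated_data=True),
    "lab07": Asset(criticality=1, internet_facing=False, regulated_data=False),
}
DEFAULT_ASSET = Asset(criticality=2, internet_facing=False, regulated_data=False)

# Threat intelligence: CVEs with exploitation observed in the wild.
# Constructed set standing in for an advisory feed such as US-CERT.
KNOWN_EXPLOITED = {"CVE-2014-0160"}

CRITICALITY_WEIGHT = {1: 0.5, 2: 0.8, 3: 1.0, 4: 1.3}   # assumed weights


def priority_score(cvss, asset, exploited):
    """Scale technical severity by business exposure and threat activity."""
    score = cvss * CRITICALITY_WEIGHT[asset.criticality]
    if asset.internet_facing:
        score *= 1.4
    if asset.regulated_data:
        score *= 1.2
    if exploited:
        score *= 1.5
    return round(score, 2)


def tier(score):
    """Map the continuous score onto tiers a remediation workflow can act on."""
    if score >= 15:
        return "P1"
    if score >= 8:
        return "P2"
    if score >= 4:
        return "P3"
    return "P4"


def build_issues(findings, assets, threat_intel):
    """Collapse raw findings into one issue per (device, CVE), then rank by risk."""
    issues = {}
    for f in findings:
        key = (f.device, f.cve)
        if key in issues:
            issues[key]["sources"].add(f.scanner)   # same issue seen by a second scanner
            continue
        asset = assets.get(f.device)
        exploited = f.cve in threat_intel
        score = priority_score(f.cvss, asset or DEFAULT_ASSET, exploited)
        issues[key] = {"device": f.device, "cve": f.cve, "cvss": f.cvss,
                       "score": score, "tier": tier(score), "exploited": exploited,
                       "asset_known": asset is not None, "sources": {f.scanner}}
    return sorted(issues.values(), key=lambda i: i["score"], reverse=True)


# Constructed findings: the raw CVSS order is lab07 > 10.9.9.9 > db02 > web01.
SAMPLE_FINDINGS = [
    Finding("lab07", "CVE-2013-2251", 9.3, "qualys"),
    Finding("web01", "CVE-2014-0160", 5.0, "qualys"),
    Finding("web01", "CVE-2014-0160", 5.0, "mcafee"),
    Finding("db02", "CVE-2012-2122", 7.5, "qualys"),
    Finding("10.9.9.9", "CVE-2013-2251", 9.3, "qualys"),   # not in the asset repository
]

if __name__ == "__main__":
    for i in build_issues(SAMPLE_FINDINGS, ASSETS, KNOWN_EXPLOITED):
        flag = "" if i["asset_known"] else "  [device not in asset repository]"
        print(f'{i["tier"]} {i["score"]:6.2f} {i["device"]:10} {i["cve"]} cvss={i["cvss"]}{flag}')
```

The output makes the slide's point: the highest raw CVSS (9.3 on lab07) lands at the bottom of the queue, while a 5.0 on an exposed, regulated, actively exploited host is the only P1, the duplicate finding from the second scanner is merged rather than double-counted, and a device missing from the asset repository is flagged instead of being silently scored on default context.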

Slide 13: Vulnerability Risk Management (architecture)

Inputs to the data collector:
- Vulnerability scan results (Qualys, McAfee)
- Vulnerability data publications (NVD CVE)
- Threat intelligence (US-CERT)
- Asset taxonomies (NVD CPE)
- Other asset data (CSV, CMDB, etc.)

RSA VRM data warehouse: data collector → raw data storage → indexing → normalization → analytics engine
Vulnerability analytics: investigative UI for the IT Security Analyst and the CISO
Objects exchanged with Archer: Devices, Findings, Exceptions, KPIs
Archer Vulnerability Risk Management: integration with GRC, reporting and dashboards, workflow (Administrator)

Slide 14: The Value of VRM

IT Security Analyst: Asset Discovery and Management (know what you have); Issue Prioritization
IT Administrator: Issue Lifecycle Tracking (do the right thing); Exception and SLA Management
CISO: Dashboards and Reporting (measure effectiveness, not just activity); Measure and Report KPIs

Slide 15: IT Security Risk Solutions (section: Security Operations Management)

Same RSA Archer eGRC architecture diagram as slide 9 (Foundation, Preventative, Responsive, Focused UIs, Measure Outcomes), now introducing the Security Operations Management section.

Slide 16: Centralizing Incident Response Teams

Specialized team reporting to the CSO/CISO or the CIO, consisting of people, process and technology, to detect, investigate and respond.

Roles: SOC Manager, Tier 1 Analyst, Tier 2 Analyst, Threat Analyst, Analysis & Tools Support Analyst

Slide 17: SOC Challenges Today

Lack of context, lack of process, lack of best practices.
Event focused and reactive, with no centralization of alerts or incident management…

Slide 18: Complexities of a SOC

People: L1 Analyst, L2 Analyst, Threat Analyst, SOC Manager 1, SOC Manager 2, Breach Coordinator, CISO, Finance, Legal, HR, IT
Processes: Centralize Alerts, Incident Process, Threat Analysis, Shift Handoff, IT Handoff, Breach Process, Report KPIs, Measure Efficacy
Technology: SIEM, DLP, Network Visibility, Host Visibility, eFraud

Slide 19: What is SecOps?

Domain: Security Operations Management
- Incident Management
- Breach Management
- SOC Program Management
- IT Security Risk Management

People, Process, Technology: orchestrate & manage

Consistent, predictable business process

Slide 20: Security Operations Management

RSA SecOps: Aggregate Alerts to Incidents → Incident Response → Breach Response; SOC Program Management; Dashboard & Report
Context from RSA Archer Enterprise Management; crisis events handed to RSA Archer BCM
Alerts arrive from the capture and analysis layer (packets, logs & threat feeds); analysts launch back into SA (RSA Security Analytics) for investigation
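The "Aggregate Alerts to Incidents" step above, worked through as an added example; this is not RSA SecOps code. The two-hour grouping window, the asset criticality table, the priority formula and every alert are constructed assumptions.

```python
"""Aggregating tool alerts into incidents (added example).

Constructed alerts from several sources (SIEM, DLP, network and host
visibility) are grouped per asset and time window, then ranked with
business context into the analyst queue."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    ts: datetime
    source: str      # tool that raised it
    asset: str       # host the alert concerns
    kind: str        # short indicator label
    severity: int    # 1 (info) .. 5 (critical), as the tool reports it


@dataclass
class Incident:
    asset: str
    alerts: list = field(default_factory=list)

    @property
    def first_seen(self):
        return min(a.ts for a in self.alerts)

    @property
    def last_seen(self):
        return max(a.ts for a in self.alerts)

    @property
    def sources(self):
        return sorted({a.source for a in self.alerts})


# Business context (constructed), as the GRC asset register would supply it.
ASSET_CRITICALITY = {"fin-db01": 4, "hr-ws12": 2, "kiosk-03": 1}

WINDOW = timedelta(hours=2)   # assumed: alerts on one asset within 2h belong together


def aggregate(alerts, window=WINDOW):
    """Group alerts on the same asset that arrive within `window` of the
    incident's most recent alert. Processing in time order lets an incident
    keep growing for as long as activity on that asset continues."""
    incidents = []
    open_by_asset = {}
    for a in sorted(alerts, key=lambda x: x.ts):
        inc = open_by_asset.get(a.asset)
        if inc is None or a.ts - inc.last_seen > window:
            inc = Incident(asset=a.asset)
            incidents.append(inc)
            open_by_asset[a.asset] = inc
        inc.alerts.append(a)
    return incidents


def incident_priority(inc, criticality=ASSET_CRITICALITY):
    """Priority = highest alert severity, raised one step for a critical asset
    and one step when independent tools corroborate each other; clipped to 5."""
    sev = max(a.severity for a in inc.alerts)
    crit = criticality.get(inc.asset, 2)          # unknown assets get a middle value
    boost = (1 if crit >= 4 else 0) + (1 if len(inc.sources) >= 2 else 0)
    return min(5, sev + boost)


def incident_queue(alerts):
    """The analyst queue: highest priority first, oldest first within a priority."""
    return sorted(aggregate(alerts), key=lambda i: (-incident_priority(i), i.first_seen))


# Constructed alerts for one day; the two hr-ws12 detections are hours apart.
T = datetime(2014, 5, 7)
SAMPLE_ALERTS = [
    Alert(T.replace(hour=8, minute=2), "siem", "fin-db01", "malware-detected", 3),
    Alert(T.replace(hour=8, minute=5), "siem", "kiosk-03", "failed-logins", 1),
    Alert(T.replace(hour=8, minute=10), "host", "hr-ws12", "malware-detected", 3),
    Alert(T.replace(hour=8, minute=40), "network", "fin-db01", "unusual-outbound", 2),
    Alert(T.replace(hour=9, minute=15), "dlp", "fin-db01", "bulk-download", 4),
    Alert(T.replace(hour=14, minute=0), "host", "hr-ws12", "malware-detected", 3),
]

if __name__ == "__main__":
    for inc in incident_queue(SAMPLE_ALERTS):
        print(f"P{incident_priority(inc)} {inc.asset:9} {len(inc.alerts)} alert(s) "
              f"from {','.join(inc.sources)} {inc.first_seen:%H:%M}-{inc.last_seen:%H:%M}")
```

Six alerts become four incidents: the three fin-db01 alerts (malware, unusual outbound traffic, bulk download) collapse into one P5 incident because they sit on a critical asset and three tools agree, the two hr-ws12 detections stay separate because they fall outside the window, and the kiosk login noise sinks to the bottom of the queue.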

Slide 21: The Value of SecOps

IT Security Analyst: enable SOC/IR analysts to be more effective: incident prioritization, visibility & business context, workflow to guide the IR process, threat intelligence, response procedures
Incident Coordinator: optimize SOC investments: automation, monitor KPIs, identify gaps & improve, measure security controls, manage the SOC team
CISO: manage IT security & business risk: data breach management, enterprise risk, vendor risk, compliance risk… and more

Slide 23: Backup slides: SecOps

Slide 24: Analyst Focused Dashboard

New and My Incident Queue; Overall Incident Status

Slide 25: Contextual Launch to Collect Data

Launch to SA to collect additional data

Slide 26: Link to Business Context

From the New and My Incident Queue, cross-reference alerts to asset details and business context

Slide 27: Incident Coordinator Dashboard

Shift Handover; Analyst Workload; Incident Trends

Slide 28: Breach Coordinator Dashboard

Current Breaches, Impact and Records Affected

Slide 29: IT Operations Dashboard

Current Breaches, Impact and Records Affected; Findings Addressed by IT Help Desk

Slide 30: SOC Manager / CISO Dashboard

Overall view of the Security Operations Center

Slide 31: Backup slides: VRM

Slide 32: VRM – Vulnerability Analytics: Brian's (IT Security Analyst) dashboard

- Are all my devices scanned?
- Is remediation time as per SLA?
- Are issues handled on time?
- Track issues
- Facebook-style timeline to check overall operational health

Brian focuses on what is important.

Slide 33: Devices, Vulnerabilities & Issues: single system of record

1. Assets have business context from Archer, CMDBs, etc. How many devices do I have? Which ones are business critical? How do I discover new devices? Brian now has the full information.
2. Brian easily lists high-severity active issues.
3. Investigates the vulnerability, the impacted device and related issues.
4. Assigns a ticket.

Slide 34: VRM – Issue Workflow

1. Manage tickets
2. Assign workflows
3. Grant exception
4. Get approval

Slide 35: VRM – Management Dashboard

1. Assess security risk
2. Check KPIs
3. Compare operational efficiency

Slide 36: Key Performance Indicators (KPIs): assess operational efficiency

1. Does this group have more staff or better tools?
2. What changes can be applied to improve this group's performance?
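An added example tying together the questions on slides 32, 34 and 36: scan coverage, remediation time against SLA, the exception approval gate and its expiry, and per-group comparison of the resulting KPIs. It is not RSA Archer code; the SLA days per tier, the field names and every device, issue and exception record are constructed assumptions.

```python
"""Remediation SLA tracking, risk exceptions and per-group KPIs (added example).

All records below are constructed; the SLA policy is an assumption."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}   # assumed remediation deadline per tier


@dataclass(frozen=True)
class Issue:
    id: str
    device: str
    group: str                  # team responsible for the fix
    tier: str
    opened: date
    closed: Optional[date] = None


@dataclass(frozen=True)
class RiskException:
    issue_id: str
    approved: bool              # granted by the owner, but only approval stops the SLA clock
    expires: date


def due_date(issue):
    return issue.opened + timedelta(days=SLA_DAYS[issue.tier])


def exception_state(issue, exceptions, today):
    """An exception protects an issue only while it is approved and unexpired."""
    for e in exceptions:
        if e.issue_id == issue.id:
            if not e.approved:
                return "pending"
            return "active" if e.expires >= today else "expired"
    return "none"


def issue_status(issue, exceptions, today):
    if issue.closed is not None:
        return "closed_in_sla" if issue.closed <= due_date(issue) else "closed_late"
    if exception_state(issue, exceptions, today) == "active":
        return "excepted"
    return "open_overdue" if today > due_date(issue) else "open"


def group_kpis(issues, exceptions, devices, scanned, today):
    """KPIs per responsible group: coverage, SLA compliance, backlog, exceptions."""
    kpis = {}
    for g in sorted(set(devices.values()) | {i.group for i in issues}):
        g_devices = [d for d, grp in devices.items() if grp == g]
        g_issues = [i for i in issues if i.group == g]
        statuses = [issue_status(i, exceptions, today) for i in g_issues]
        closed = [i for i in g_issues if i.closed is not None]
        kpis[g] = {
            "devices": len(g_devices),
            "scan_coverage_pct": (round(100 * sum(d in scanned for d in g_devices) / len(g_devices), 1)
                                  if g_devices else None),
            "closed": len(closed),
            "closed_in_sla_pct": (round(100 * statuses.count("closed_in_sla") / len(closed), 1)
                                  if closed else None),
            "mttr_days": (round(sum((i.closed - i.opened).days for i in closed) / len(closed), 1)
                          if closed else None),
            "open": statuses.count("open") + statuses.count("open_overdue"),
            "overdue": statuses.count("open_overdue"),
            "excepted": statuses.count("excepted"),
            "pending_exceptions": sum(exception_state(i, exceptions, today) == "pending"
                                      for i in g_issues),
        }
    return kpis


# ---- constructed sample data ------------------------------------------------
TODAY = date(2014, 5, 7)
DEVICES = {"web01": "platform", "db02": "platform", "app03": "platform",
           "hr-ws12": "desktop", "hr-ws13": "desktop"}
SCANNED_LAST_30D = {"web01", "db02", "hr-ws12", "hr-ws13"}          # app03 was never scanned
ISSUES = [
    Issue("I-1", "web01", "platform", "P1", date(2014, 4, 1), closed=date(2014, 4, 5)),
    Issue("I-2", "db02", "platform", "P2", date(2014, 3, 1), closed=date(2014, 4, 20)),
    Issue("I-3", "db02", "platform", "P1", date(2014, 4, 20)),
    Issue("I-4", "web01", "platform", "P3", date(2014, 4, 10)),
    Issue("I-5", "hr-ws12", "desktop", "P2", date(2014, 3, 15)),
    Issue("I-6", "hr-ws13", "desktop", "P2", date(2014, 3, 10)),
    Issue("I-7", "hr-ws13", "desktop", "P1", date(2014, 4, 25), closed=date(2014, 5, 1)),
]
EXCEPTIONS = [
    RiskException("I-5", approved=True, expires=date(2014, 6, 30)),    # protects I-5
    RiskException("I-6", approved=True, expires=date(2014, 4, 30)),    # expired: I-6 is overdue again
    RiskException("I-3", approved=False, expires=date(2014, 7, 1)),    # awaiting approval: clock runs
]

if __name__ == "__main__":
    for g, k in group_kpis(ISSUES, EXCEPTIONS, DEVICES, SCANNED_LAST_30D, TODAY).items():
        print(g, k)
```

Two details carry the security point. An exception that was granted but not yet approved (I-3) does not stop the SLA clock, so the issue still shows as overdue; and an approved exception that has expired (I-6) drops back to overdue instead of hiding the issue indefinitely. Comparing the two groups also shows why the slide asks about staffing and tooling: the platform team has a device that was never scanned and a 50% in-SLA rate, while the desktop team has full coverage but carries the stale exception.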