Prevention vs Detection - Come ribilanciare gli investimenti sulla sicurezza IT. Manuel Minzoni Business developer Itway

Transcription

1 Prevention vs Detection - Come ribilanciare gli investimenti sulla sicurezza IT Manuel Minzoni Business developer Itway

2 NASDAQ: RPD Delivering Security Data & Analytics that revolutionize the practice of cyber security 5,100+ Customers 37% Fortune Countries 800+ Employees Confidential and Proprietary 2

3 5,100+ Customers in More Than 90 Countries Technology/ Communication Retail/ Wholesale Energy Financial Services Healthcare Manufacturing Education Media & Entertainment Government Public Sector Others Confidential and Proprietary 3

4 New Explosion Of High-Impact Cyber Attacks IT CONTROL & VISIBILITY Vastly expanding attack surface ATTACKER SOPHISTICATION & REACH Weaponization of cyber attacks TIME Confidential and Proprietary 4

5 Massive Shift to Risk-Based Approach to Security OLD MODEL: Prevention-Based Security Block and Protect Prevention Detection Correction Detection NEW MODEL: Risk-Based Security Correction Data & Analytics Prevention By 2020, 60% of enterprise information security budgets will be allocated for rapid detection and response approaches up from less than 20% in Gartner: Shift Cybersecurity Investment to Detection, dated 7 January 2016 Confidential and Proprietary 5

6 Security Advisory Services Accelerate Security Improvement Threat Exposure Management Reduce Your Risk of a Breach Incident Detection & Response Find The Attacks You re Missing Security Assessment Security Program Development Incident Response Program Development Nexpose Metasploit AppSpider UserInsight Incident Response Services 6

7 Rapid7 Solves Key Customer Questions AM I VULNERABLE? AM I COMPROMISED? AM I OPTIMIZED? THREAT EXPOSURE MANAGEMENT INCIDENT DETECTION & RESPONSE SECURITY ADVISORY SERVICES compliance reporting SECURITY ANALYTICS compliance reporting SECURITY ANALYTICS compliance reporting SECURITY ANALYTICS Legacy Vulnerability Management ATTACKER INSIGHTS REMEDIATION Log Aggregation BEHAVIORAL ANALYTICS CONTEXT SEARCH Traditional Testing SECURITY ASSESSMENT PROGRAM STRATEGY with technology-based differentiation to provide analytics-driven answers Confidential and Proprietary 7

8 Closing The Gap DAY 1 DAY 2 DAY 3 DAY 206 attacker threat threat gains entry detected malware contained 1. Detect compromise the same day threat detected 2. Scope the complete incident fast 3. Quickly hand off to remediation team DAY 234 threat contained??? Confidential and Proprietary 8

9 Cut Through the Noise Speed Investigations End Data Drudgery 9

10 Context Empowers Refinement Raw Events Relevant Activity Enriched, Attributed Events User & Asset Behaviors Notable Behaviors Suspicious Behaviors Alert Explore Search 10

11 Search - It s All About The Context Would you like to search through this? :10:54 R7-BOS-5545 : %ASA : Teardown TCP connection for outside: /443 to INSIDE: /57672 duration 0:00:14 bytes 4510 TCP FINs Or THIS? { "timestamp": " T21:10:54.000Z", "asset": kx acme.com, "user": Ronald Serpico, "source_address": " , "source_port": "443", "destination_address": " ", "destination_port": "57672", "direction": "INBOUND", "incoming_bytes": "4510", "outgoing_bytes": "0", "geoip_organization": "Amazon.com", "geoip_country_code": "US", "geoip_country_name": "United States", "geoip_city": "Ashburn", "geoip_region": "VA } 11

12 Alert not just Rules or just Anomalies How Attackers Work: Posing as a Legitimate User Incident Alerts Flag Suspicious Activity Compromised Credentials Streamline with Low Volume, High-Quality Alerts Network scans Lateral movement Phishing attempts 12

13 Investigate incident faster Focus the Scope Understand User Context Perform Fast Search 13

14 End Data Drudgery Active Directory LDAP DHCP DNS VPN IDS / IPS Web Proxy Firewall Servers Security Console Enterprise Cloud Applications Intruder Traps Single, Integrated Experience 14

15 Insight Platform Driving Innovation Threat Exposure Management Incident Detection & Response Managed Services Third-Party Applications PRE-PACKAGED ANALYTICS SEARCH VISUALIZE REPORT CONTEXTUAL DATA COLLECTION Asset Data User Data Behavioral Data Mobile Info Cloud Activity Controls Info 3rd Party Data Confidential and Proprietary 1 5

16 InsightIDR Solution Architecture Network Events Remote Endpoints Real-Time Endpoint Events Intruder Traps On-Premise Insight Collectors SSL SSL InsightIDR Attacker Analytics Platform Security Team Applications User Behavior Analytics Machine Learning Fully Searchable Data Set Existing Security Solutions, Alerts, and Events Enterprise Cloud Apps Mobile Devices 19

17 InsightIDR Event Sources FOUNDATIONAL EVENT SOURCES LDAP Microsoft Active Directory LDAP Active Directory Microsoft Active Directory Domain Controllers DHCP Cisco ios Infoblox Trinzic ISC dhcpd Microsoft DHCP VALUE-ADD EVENT SOURCES DNS VPN IDS / IPS Web Proxy Firewall Servers Security Console Enterprise Cloud Applications Intruder Traps 17

18 InsightIDR Event Sources Cont. DNS ISC Bind9 Infoblox Trinzic Microsoft DNS MikroTik PowerDNS Data Exporters FireEye Threat Analytics Platform HP ArcSight & ArcSight Logger Splunk VPN Cisco ASA VPN F5 Networks FirePass Fortinet FortiGate Juniper SA Microsoft IAS (RADIUS) Microsoft Network Policy Server Microsoft Remote Web Access OpenVPN SonicWALL Firewall & VPN Web Proxy Barracuda Web Filter Blue Coat Proxy Cisco IronPort Fortinet FortiGate Intel Security (fka McAfee) Web Reporter Sophos Secure Web Gateway Squid Watchguard XTM WebSense Web Security Gateway Microsoft ActiveSync (mobile devices) Microsoft Exchange Outlook Web Access Firewall Check Point Firewall Cisco ASA Firewall & VPN Cisco Meraki Fortinet Fortigate Juniper Netscreen Palo Alto Networks Firewall SonicWALL Sophos Firewall Stonesoft Firewall Watchguard XTM IDS / IPS Cisco Sourcefire Dell isensor Dell SonicWall HP TippingPoint McAfee IDS Metaflows IDS Security Onion Snort Rapid7 Windows Agentless Endpoint Monitor Mac Agentless Endpoint Monitor Honeypot & Honey Users Metasploit Nexpose Sophos Enduser Protection Symantec Endpoint Protection Cloud Services AWS Cloud Trails Box.com Duo Security Google Apps Office 365 Okta Salesforce.com Advanced Malware FireEye NX Palo Alto Networks WildFire SIEMs/Log Aggregators HP ArcSight IBM QRadar Intel Security (fka McAfee) NitroSecurity LogRhythm Splunk Virus Scanners McAfee epo Sophos Enduser Protection Symantec Enduser Protection Application Monitoring Atlassian Confluence Microsoft SQL Server 18

19 Reduce Your Risk of a Breach Nexpose Awards

20 Most Flexible Deployment Model Easy to Deploy, Easy to Integrate, Fastest Time to Value Engine Options Console Options SW Software SW Appliance Software Appliance Virtual Machine Laptop Cloud Virtual Machine Laptop Cloud

21 Flexible and Scalable Architecture Management Console Scan Engine Scan Engine Firewall Open API and Pre-Built Connector Scan Engine SIEM Log Management GRC IDS/IPS Network Topology Network Performance Analysis Pen Testing & Exploit Analysis

22 Dynamic Asset Groups Specific Assets By Type By Compliance By Location Windows By Importance Corporate Network Mac Windows Satellite Office Mac Linux Specific Risk By Single Vulnerability By Vulnerability Type By Vulnerability Risk Mac Windows Windows Linux Windows Data Center Windows Linux

23 Rapid7 s Prioritized Risk Reduction TRADITIONAL VULNERABILITY MANAGEMENT thousands of alerts clear, digestible & actionable by IT ID Title Occurrences MS05-43 MS04-61 MS05-72 MS03-32 AP04-32 AW01-34 AP04-16 FT01 VZ02 HPJ01 HW08 MS04-47 RHL013 PP32-1 SMOSL1 Microsoft Windows DCOM RPCSS Service Vulnerabilities Microsoft Windows DCOM RPC Interface Buffer Overrun Vuln Microsoft Windows ASN.1 Library Integer Handling Windows TCP/IP Remote Code Execution Apache Tomcat Directory Traversal APR-util Library Integer Overflow Apache 1.3 and 2.0 Web Server ProFTPD 1.3 2xc2 and Prior_mod SQL Injection OpenVZ Multiple Vulnerabilities HP NonStop Servers and Java Huawei Multiple Device Bypass Microsoft Messenger Service Buffer Overrun Vulnerability Red Hat Linux Instance 1.3 Multiple Vulnerabilities Plug and Play Remote Access Vulnerability SQL_mod remote Once Single Access Confidential and Proprietary 23

24 Reduce Your Risk of a Breach Know your weak points Prioritize what matters most Improve Your Outcomes Uncover your hidden attack surface Validate vulnerabilities with Metasploit Contextualize assets using RealContext Focus on the highest risks using RealRisk Deliver impactful, actionable remediation plans Implement best practice security controls Drive decisions using powerful reporting Meet vulnerability management compliance requirements

25 Know Your Weak Points Uncover your hidden attack surface Physical Virtual Cloud Mobile Validate Vulnerabilities with Metasploit Closed-loop Integration Contextualize assets using RealContext Asset Owner Asset Location Asset Importance

26 Prioritize What Matters Most Focus on the highest risks with RealRisk Granular Scoring (0-1000) Exploit & Malware Kit (Increases risk) Weighted Scoring (using RealContext ) Deliver impactful, actionable remediation plans Owner Assignment (using RealContext ) Top remediation reports Clear steps to follow Implement best practice security controls Visualize deployment of controls Measure effectiveness of controls Prioritizes controls for implementation

27 Nexpose Differentiator: Exploit & Malware Exposure; RealRisk 27

28 Improve Your Outcomes Drive decisions using powerful reporting Pre-built Report Templates (fully customizable) Risk Trending Charts A Benchmark Departments (using Risk Scorecard) Meet vulnerability management compliance requirements Pass Customizable Audit Reporting Compliance Reports Exception Workflow

29 SIEM Ticketing IT GRC Topology Risk NGFW - IPS Credentials Patch Virtualization SaaS NAC WAF Technology Partner Ecosystem

30 Lascia il tuo feedback su Nella pagina Agenda clicca sul nostro intervento e poi su «Inserisci il tuo feedback»