Enhancing IR Reducing Complexity & Designing for Scale. Sean Mason Director, Threat Management Mar 10,
2 Sean A. Mason: Florida resident; Developer for 10 years; Auditor for 2 years; IR for 10 years; 7 certifications; ISC2 SME; BS & MBA. Career Highlight: Briefing Jeff Immelt & The Board of GE at 30 Rock in NYC
3 Agenda: Integrated Threat Defense Foundation; Complexity; Integration, Consolidation, and Automation; Other Critical Aspects; Metrics; Closing
4 ITD Foundation
5 [Diagram: ITD foundation. Components: Knowledge Management (Wiki, Repo); Workflow Management (RT, IMS); Single Pane; inputs from HIPS, IDB (automated & manual), ESA, IPS (automated), Suspect (automated & manual), External SSH, SIEM, Internal SSH]
6 IR Evolution & Maturity
- Maturity Level: As Needed, Ad-hoc, Maturing, Strategic; Dedicated: Part-Time, Full-Time, SOC/IR+, Fusion
- CMM Equivalent: Initial, Repeatable, Defined, Managed, Optimized
- People: Specialization; 4+ Formal roles; 10+ (may include MSS); Shifts (possible 24x7); 15+ Intel, SOC, and IR Teams; Existing IR Capabilities
- Process: Chaotic and relying on individual heroics, reactive; General purpose runbook; Tribal knowledge; Situational run books, some consistency -based processes; Requirements and Workflows documented as standard business process; Some improvement over time; Process is measured via metrics; Some automation; Minimal Threat Sharing; Shift turnover; SLAs; Processes are constantly improved, automated, and optimized; Broad Threat sharing; Hunt teams
- Technology: AV, Firewalls, IDS/IPS; SIEM, Sandboxing, Continuous Monitoring; Endpoint Forensics, Tactical Intelligence, Malware Analysis; Additional Intelligence, Some Integration, Intel+IR Drives Security Program; Focus on Integrations, Strategic Intelligence, Coordination with Physical Security/Intelligence
Source: Threat Management Maturity, Sean Mason bit.ly/irmaturity
7 Dynamic Threats
- Nuisance: Objective: Access & Propagation; Example: Botnets & Spam; Skill: Low; Potential Data Targets: Sensitive Information, Vulnerable Data; Named Actors: General Malware
- Hacktivism: Objective: Defamation, Destruction, Press & Policy; Example: Website Defacements, DDOS; Skill: Low - Med; Potential Data Targets: Access to the Network, Compromising Information; Named Actors: Syrian Electronic Army, LizardSquad, Anonymous
- Insiders: Objective: Revenge, Destruction, Monetary Gain; Example: Destruction, Theft; Skill: Med; Potential Data Targets: Intellectual Property, Compromising Information; Named Actors: Jimmy, Suzy, Sally, Johnny
- Cyber Crime: Objective: Financial Gain; Example: Credit Card Theft; Skill: High; Potential Data Targets: Credit Card Data, Personal Identifiable Information, Health Records; Named Actors: Russian Business Network (RBN)
- State Sponsored/APT: Objective: Economic, Political Advantage, Destruction; Example: Intellectual Property Theft, DDOS; Skill: Very High; Potential Data Targets: Intellectual Property, Negotiation, National Intelligence; Named Actors: APT1, Energetic Bear
8 Attackers Are Easily Exploiting & Bypassing Point Solutions: VPN, Antivirus, NGFW, IAM, IDS, Firewall, Malware Sandbox, NGIPS, Data
9 Only an Integrated Threat Defense Can Keep Pace. Reduce Time to: Detection, Containment, Mitigation, Response. [Diagram: Systemic Response built on Visibility, Control, Intelligence, Context and Data]
10 Integrated Threat Defense Architecture: Visibility, Control, Intelligence, Context. Faster Time to Detection, Faster Time to Remediate
11 Complexity
12 Fragmented Security Market: Complexity and Fragmentation. [Chart: Security Vendors for Some Customers; Security Vendors at 2017 RSAC (450 : 373)]
13 Increase in Capabilities: over time, adding incremental solutions yields plateauing capabilities
14 Adding on Complexity: at the cost of additional complexity
15 Goal for Effective Security
16 Integration, Consolidation, & Automation
17 The Path to Effective IR Requires Integration Consolidation Automation
18 The Path to Effective IR Requires Integration Consolidation Automation
19 Starting with something like this:
- Third Party Solutions; Telemetry Sources: NGFW, NGIPS, Log Collector, NW DDoS Protections, Monitoring, Log Mgmt, Hosted WAF, SIEM, Enrichment Feeds
- Investigation: Linux Open Source Tools, Web Tools
- Service Management: Ticketing, CMDB, Training Platform
- Antimalware, Web Proxies, Vuln Scan, Collab Tool, Cloud Services, Sec Wiki
- Communications, Collaboration and other IT Systems: IM, Virtualized Infrastructure
20 Evolving to this:
- Telemetry and Other Data Sources: Third Party Solutions, Service Provider Solutions, Native Logs, Other Sources
- Intelligence Platforms: Threat Intelligence, Malware Analysis, Intel and Enrich (Threat Intel Providers, AV Intel Providers, Enrichment Providers*)
- Security Monitoring, Analytics and Response Suite: Log Management, Monitoring & Response, Investigation, Security Case Management, Digital Forensics Tools
- Service Management: Ticketing, Breach Remediation, Knowledge Base
- Cyber Security Controls; Other Infrastructure
- Communications and Collaboration Systems: Comm & Collab Apps, Wiki
- Infrastructure Under Investigation: Internal Infra, Cloud Infra
- Training Platform
21 Integrated Processes: Intel-driven risk mitigation. [Process diagram: Prevention; Tactical Intel Sources; Intel Analysis; Detection; Strategic Intel; Hunting; Triage; Response; Lessons Learned; Analysis; Other Functions; Containment; Collection] IR Process Today, Sean Mason bit.ly/irprocessimg
22 The Path to Effective IR Requires Integration Consolidation Automation
23 Consolidation. "Also, I've seen a looooooooooooong list of vendors that are a feature: an engine to match TI to logs/flows [SIEM does this, even if not yet at scale], UBA for one particular use case, web proxy log analyzer [because, dude, proxy logs are SO important! :-)], etc. Sorry, but these products are all destined to die, and maybe the lucky few are to be acquired by larger vendors missing exactly that one feature." - Dr. Anton Chuvakin, Gartner
24 Features?
25 Prevention & Detection Scenarios [Matrix: kill-chain phases (Recon, Weaponization, Deliver, Exploitation, Installation, C2, Act on Objectives) by indicator category (File, Behavior, Code/Binary), listing the indicator types each scenario produces: File, File - Name, File - Path, URI - Domain Name, URI - URL, HTTP - GET, HTTP - POST, HTTP UA String, Header - Subject, Header X-Mailer, Hash MD5, Hash SHA1, Address, Address ipv4-addr, Address cidr, Win Registry Key, Win Process, Win Service] Created by David Bianco, GE-CIRT
26 Platform Strengths (ex. IDS) [The same matrix, shaded for one platform. Notes: shaded cells are indicator types the security solution is able to investigate, analyze and monitor; unshaded cells are indicator types it is unable to track, and these areas represent gaps] Created by David Bianco, GE-CIRT
27 Aggregated View [The same matrix, shaded with the combined coverage of all platforms. Notes: shaded cells are indicator types security solutions are able to investigate, analyze and monitor; unshaded cells are indicator types no solution tracks, and these areas represent gaps] Created by David Bianco, GE-CIRT
28 Coverage Gaps [indicator types left untracked across the kill chain]: HTTP UA String, File, Header - Subject, Hash MD5, File - Path, Header X-Mailer, Hash SHA1, URI - URL. Created by David Bianco, GE-CIRT
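The three slides above describe a procedure: build one indicator-type matrix per platform, union them into the aggregated view, and read the gaps off what remains unshaded. The code below is an added example of that computation (not from the deck or from GE-CIRT); the scenario needs and the per-platform matrices are constructed sample data that reuse the slide's indicator-type names, not any product's real capabilities. It also goes one step beyond the slides by listing platforms whose needed coverage the other platforms already provide, which is the consolidation question the next section raises.

```python
"""Coverage-gap analysis over Bianco-style kill-chain x indicator-type matrices.

Added example, not from the deck. Phases, scenario needs and the per-platform
coverage matrices are constructed sample data, not any real product's
capabilities; the indicator-type names follow the slides."""
from collections import defaultdict

PHASES = ["Recon", "Weaponization", "Deliver", "Exploitation",
          "Installation", "C2", "Act on Objectives"]

# Constructed: indicator types the prevention & detection scenarios need per phase.
SCENARIO_NEEDS = {
    "Recon": {"URI - Domain Name", "URI - URL", "HTTP - GET",
              "HTTP UA String", "Address ipv4-addr"},
    "Weaponization": {"File - Path", "Hash MD5"},
    "Deliver": {"Header - Subject", "Header X-Mailer", "Hash MD5",
                "Hash SHA1", "URI - URL"},
    "Exploitation": {"File", "Win Registry Key"},
    "Installation": {"File - Path", "File - Name", "Win Registry Key",
                     "Win Service", "Hash SHA1"},
    "C2": {"URI - Domain Name", "URI - URL", "HTTP - POST",
           "HTTP UA String", "Address ipv4-addr"},
    "Act on Objectives": {"File - Name", "Win Process", "Address ipv4-addr"},
}

# Constructed: what each platform can investigate, analyze and monitor per phase
# (one "Platform Strengths" matrix per platform).
PLATFORM_COVERAGE = {
    "IDS": {
        "Recon": {"URI - Domain Name", "URI - URL", "HTTP - GET", "Address ipv4-addr"},
        "Deliver": {"URI - URL", "Address ipv4-addr"},
        "C2": {"URI - Domain Name", "URI - URL", "HTTP - POST", "Address ipv4-addr"},
    },
    "Web Proxy": {
        "Recon": {"URI - Domain Name", "URI - URL", "HTTP - GET"},
        "C2": {"URI - Domain Name", "URI - URL", "HTTP - POST"},
    },
    "EDR": {
        "Exploitation": {"Win Registry Key"},
        "Installation": {"File - Path", "File - Name", "Win Registry Key", "Win Service"},
        "Act on Objectives": {"File - Name", "Win Process"},
    },
    "Mail Gateway": {
        "Deliver": {"Header - Subject", "Hash MD5"},
    },
}


def aggregate(platforms=PLATFORM_COVERAGE):
    """Aggregated view: per phase, the union of every platform's coverage."""
    covered = defaultdict(set)
    for matrix in platforms.values():
        for phase, types in matrix.items():
            covered[phase] |= types
    return {phase: covered[phase] for phase in PHASES}


def coverage_gaps(needs=SCENARIO_NEEDS, platforms=PLATFORM_COVERAGE):
    """Per phase, the indicator types the scenarios need but no platform tracks."""
    covered = aggregate(platforms)
    return {phase: sorted(needs.get(phase, set()) - covered[phase])
            for phase in PHASES}


def uncovered_types(needs=SCENARIO_NEEDS, platforms=PLATFORM_COVERAGE):
    """The "Coverage Gaps" summary: every indicator type missing in some phase."""
    return sorted(set().union(*coverage_gaps(needs, platforms).values()))


def consolidation_candidates(needs=SCENARIO_NEEDS, platforms=PLATFORM_COVERAGE):
    """Platforms whose needed coverage is entirely provided by the other platforms.

    Only indicator coverage is considered; a platform may still earn its place
    on prevention, performance or cost grounds the matrix does not capture."""
    candidates = []
    for name, matrix in platforms.items():
        others = {k: v for k, v in platforms.items() if k != name}
        covered_by_others = aggregate(others)
        if all((types & needs.get(phase, set())) <= covered_by_others.get(phase, set())
               for phase, types in matrix.items()):
            candidates.append(name)
    return candidates


if __name__ == "__main__":
    for phase, missing in coverage_gaps().items():
        print(f"{phase:18} gaps: {', '.join(missing) or '-'}")
    print("Uncovered types:", ", ".join(uncovered_types()))
    print("Consolidation candidates:", ", ".join(consolidation_candidates()))
```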
29 The Path to Effective IR Requires Integration Consolidation Automation
30 [Diagram: Cisco AMP, Firepower (FP) and Lancope deployed across HQ, branches, off-net and roaming endpoints, with IR team and Internet connectivity] Automation: Intelligence collected & stored at the Talos level; Signatures created & pushed out globally; Maximum coverage across the environment quickly
31 Other Critical Aspects
32 Communication
- Communicate broadly, engage others
- Communication template, rhythm and formats
- Mobile technology and speed of information
Incident Severity / Communications Rhythm / Audience:
- Grave (KC7): Within 1hr Conf. Call, 2x Daily Conf. Call, COB Daily; Audience: COO, CSO, CIO, General Counsel, Director of PR, CISO, Director of IR, Chief Security Architect
- Significant (KC6): Within 1hr, COB Daily; Audience: CISO, Director of IR, Chief Security Architect
- Benign (KC1-5): As needed or upon escalation; Audience: Director of IR, Security Manager
Source: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains, Lockheed Martin bit.ly/killchain
33 Internal Communications
34 Containment Who can access compromised devices? How will you track down the devices? When do you contain? Who makes the containment call? What method(s) will you use? Focus on IR Fundamentals: Containment, Sean Mason bit.ly/ircontainment
35 Analysis Infrastructure
- Analysis Servers (CPU + RAM): Cisco UCS-C240, 2.3 GHz, 18 cores, 200 GB RAM
- Storage (TB/PBs)
- Responder Laptops: MBP & Custom Gaming, Origin PC (Miami, FL)
What's in Your IR Go-Bag?, Shelly Giesbrecht bit.ly/irgobag
36 Recurring Testing
- Paper Test: Ensure all documentation, templates, etc. are properly updated.
- Table Top Exercise: Verbally walking through a number of different IR scenarios.
- Simulated Incident: A more invasive test that leverages a Red Team to simulate an attack (or utilize existing malware samples). Allows for a more comprehensive test of IR.
Table Top Exercises for IR, Sean Mason bit.ly/irexercises
37 Metrics
38 IR Measured Cycle Times: Event (Event Time) -> Analysis/Triage (Detect Time) -> Report (Report Time) -> IR Actions/Contain (Contain Time) -> Remediation (Remediation Time)
- Event Dwell Time (Event Time to Detect Time): How fast did we find it?
- Report-to-Contain Time (Report Time to Contain Time): How fast did we respond to it?
- Business Impact Time (ending at Remediation Time): How fast did we fix it?
Incident Response Metrics, Sean Mason bit.ly/irmetrics
39 Dwell & Contain [Charts: Dwell Time in days per month; Avg Time to Contain in hours per month; Contain Time in hours per incident, with outliers called out] Incident Response Metrics, Sean Mason bit.ly/irmetrics
40 Intel & Detection [Charts: Detection Success by source (SIEM, IDS, DLP, Users, AV, MIR): False Positives, Incidents and Success Rate (0-100%); Intel Source Success (In-House, Talos, Vendor1, Vendor2): False Positives, Incidents and Success Rate (0-100%); Incident Detection: % of Incidents by source (SIEM, IDS, DLP, Users, AV, MIR)] Incident Response Metrics, Sean Mason bit.ly/irmetrics
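The three metrics slides name the intervals (dwell, report-to-contain, business impact), the monthly averages and outliers, and the per-source success rate, but not how to compute them from case data. The code below is an added example (not from the deck) that does so; the incident records and source tallies are constructed sample data, and treating Business Impact Time as the span from Event Time to Remediation Time is an assumption made here.

```python
"""IR cycle-time and detection-source metrics.

Added example, not from the deck. The stage names follow the "IR Measured
Cycle Times" slide; treating Business Impact Time as Event Time to Remediation
Time is an assumption. Incidents and source tallies are constructed sample data."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median

STAGES = ("event", "detect", "report", "contain", "remediate")

# Constructed sample incidents (ISO-8601 timestamps, one per cycle stage).
INCIDENTS = [
    {"id": "INC-1", "source": "SIEM", "event": "2017-01-02T08:00",
     "detect": "2017-01-05T08:00", "report": "2017-01-05T09:00",
     "contain": "2017-01-05T13:00", "remediate": "2017-01-08T08:00"},
    {"id": "INC-2", "source": "Users", "event": "2017-01-10T00:00",
     "detect": "2017-01-11T00:00", "report": "2017-01-11T02:00",
     "contain": "2017-01-11T08:00", "remediate": "2017-01-12T00:00"},
    {"id": "INC-3", "source": "IDS", "event": "2017-01-15T12:00",
     "detect": "2017-01-17T12:00", "report": "2017-01-17T12:00",
     "contain": "2017-01-20T12:00", "remediate": "2017-01-22T12:00"},
    {"id": "INC-4", "source": "SIEM", "event": "2017-02-01T09:00",
     "detect": "2017-02-01T15:00", "report": "2017-02-01T16:00",
     "contain": "2017-02-01T18:00", "remediate": "2017-02-02T09:00"},
]

# Constructed tallies per detection source: (confirmed incidents, false positives).
SOURCE_TALLIES = {"SIEM": (40, 10), "IDS": (15, 35), "DLP": (5, 20),
                  "Users": (30, 10), "AV": (10, 10)}


def _hours(start, end):
    return (end - start).total_seconds() / 3600


def cycle_times(incident):
    """Hours for the three intervals the slide asks about, for one incident."""
    ts = [datetime.fromisoformat(incident[s]) for s in STAGES]
    if any(a > b for a, b in zip(ts, ts[1:])):
        raise ValueError(f"{incident['id']}: stage timestamps out of order")
    event, detect, report, contain, remediate = ts
    return {
        "dwell_h": _hours(event, detect),                # How fast did we find it?
        "report_to_contain_h": _hours(report, contain),  # How fast did we respond to it?
        "business_impact_h": _hours(event, remediate),   # How fast did we fix it? (assumed span)
    }


def summarize(metric, incidents=INCIDENTS, outlier_factor=3.0):
    """Average and median of a metric, plus the incidents more than
    outlier_factor times the median (the "Outliers!" the slide calls out)."""
    values = [cycle_times(i)[metric] for i in incidents]
    med = median(values)
    outliers = [i["id"] for i, v in zip(incidents, values) if v > outlier_factor * med]
    return {"avg_h": mean(values), "median_h": med, "outliers": outliers}


def monthly_average(metric, incidents=INCIDENTS):
    """Average of a metric grouped by the month of the event (YYYY-MM)."""
    buckets = defaultdict(list)
    for inc in incidents:
        buckets[inc["event"][:7]].append(cycle_times(inc)[metric])
    return {month: mean(vals) for month, vals in sorted(buckets.items())}


def detection_success(tallies=SOURCE_TALLIES):
    """Success rate per source: incidents / (incidents + false positives)."""
    return {src: inc / (inc + fp) if inc + fp else 0.0
            for src, (inc, fp) in tallies.items()}


def detection_share(tallies=SOURCE_TALLIES):
    """Share of all confirmed incidents first detected by each source."""
    total = sum(inc for inc, _ in tallies.values())
    return {src: inc / total if total else 0.0 for src, (inc, _) in tallies.items()}


if __name__ == "__main__":
    for metric in ("dwell_h", "report_to_contain_h", "business_impact_h"):
        print(metric, summarize(metric), monthly_average(metric))
    print("success:", detection_success())
    print("share:", detection_share())
```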
41 Closing Thoughts
42 Lessons Learned (Kill Chain / Actor Action / Failure Mode / Mitigation Action)
- Reconnaissance: Used commercial web scanner / Potential gaps in threat tool & scanning capability / Establish detection capability
- Weaponization: (blank)
- Delivery: SQLI on vulnerable ASP page to gain admin access / Could not detect SSL traffic; vulnerable to SQLI / Explore Secure Development & Application Security Assessments
- Exploitation: (blank)
- Installation: IIS web service used to upload web shell / Failure to restrict file upload types or configure web server to not execute uploaded files / Explore Secure Development & Application Security Assessments
- C2: Used web shell on initially compromised host / Could not detect SSL traffic / (blank)
- Actions on Intent: Accessed info.txt which held admin account information / Management scripts failed to delete info.txt after running / Scripts retired and environment scanned
Source: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains, Lockheed Martin bit.ly/killchain
43 Organizational Sustainability & Elasticity
- There simply isn't enough talent
- Don't hire all Senior talent
- Quit complaining - go do something!
- Outsource
- Develop a pipeline of students & interns
- Don't be a school snob
- Help schools design their InfoSec programs!
- Provide opportunities both ways
- Give your mid-level folks opportunities
- Bring in talent outside of IR
44 Resources Cisco Security Services: Blogs: Cisco Incident Response Team If you are currently experiencing an incident, please contact us at: Or Sean
Services to Help You Prepare for and Quickly Respond to Security Incidents The Challenge The threat landscape is always evolving and adversaries are getting harder to detect; and with that, cyber risk
More informationBuilding Resilience in a Digital Enterprise
Building Resilience in a Digital Enterprise Top five steps to help reduce the risk of advanced targeted attacks To be successful in business today, an enterprise must operate securely in the cyberdomain.
More informationSecurity Monitoring Engineer / (NY or NC) Director, Information Security. New York, NY or Winston-Salem, NC. Location:
Position: Reports to: Location: Security Monitoring Engineer / (NY or NC) Director, Information Security New York, NY or Winston-Salem, NC Position Summary: The Clearing House (TCH) Information Security
More informationNovetta Cyber Analytics
Know your network. Arm your analysts. Introduction Novetta Cyber Analytics is an advanced network traffic analytics solution that empowers analysts with comprehensive, near real time cyber security visibility
More informationOne Hospital s Cybersecurity Journey
MAY 11 12, 2017 SAN FRANCISCO, CA One Hospital s Cybersecurity Journey SanFrancisco.HealthPrivacyForum.com #HITprivacy Introduction Senior Director Information Systems Technology, Children s Mercy Hospital
More informationFidelis Overview. ISC 2 DoD and Industry Forum. Rapid Detection and Automated Incident Response DoD & Commercial Active Defense Use Cases
Fidelis Overview ISC 2 DoD and Industry Forum Rapid Detection and Automated Incident Response DoD & Commercial Active Defense Use Cases Vince Holtmann-Cyber Subject Matter Expert Vincent.Holtmann@fidelissecurity.com
More informationBest Practices in Healthcare Risk Management. Balancing Frameworks/Compliance and Practical Security
Best Practices in Healthcare Risk Management Balancing Frameworks/Compliance and Practical Security Our industry is full of jargon terms that make it difficult to understand what we are buying To accelerate
More informationBuilding and Instrumenting the Next- Generation Security Operations Center. Sponsored by
Building and Instrumenting the Next- Generation Security Operations Center Sponsored by Webinar Logistics Optimize your experience today Enable pop-ups within your browser Turn on your system s sound to
More informationArbor Networks Spectrum. Wim De Niel Consulting Engineer EMEA
Arbor Networks Spectrum Wim De Niel Consulting Engineer EMEA wdeniel@arbor.net Arbor Spectrum for Advanced Threats Spectrum Finds Advanced Threats with Network Traffic Unlocks Efficiency to Detect, Investigate,
More informationCloudSOC and Security.cloud for Microsoft Office 365
Solution Brief CloudSOC and Email Security.cloud for Microsoft Office 365 DID YOU KNOW? Email is the #1 delivery mechanism for malware. 1 Over 40% of compliance related data in Office 365 is overexposed
More informationPULLING OUR SOCS UP VODAFONE GROUP AT RSAC Emma Smith. Andy Talbot. Group Technology Security Director Vodafone Group Plc
#RSAC SESSION ID: AIR-R04 PULLING OUR SOCS UP VODAFONE GROUP AT RSAC 2018 Emma Smith Group Technology Security Director Vodafone Group Plc Andy Talbot Global Head of Cyber Defence Vodafone Group Plc Pulling
More informationTRUSTED IT: REDEFINE SOCIAL, MOBILE & CLOUD INFRASTRUCTURE. Ralf Kaltenbach, Regional Director RSA Germany
TRUSTED IT: REDEFINE SOCIAL, MOBILE & CLOUD INFRASTRUCTURE Ralf Kaltenbach, Regional Director RSA Germany 1 TRUSTED IT Continuous Availability of Applications, Systems and Data Data Protection with Integrated
More informationAdvanced Endpoint Protection
Advanced Endpoint Protection Protecting Endpoints and Servers Nick Levay, Chief Security Officer, Bit9 @rattle1337 2014 Bit9. All Rights Reserved About Me Chief Security Officer, Bit9
More informationNot your Father s SIEM
Not your Father s SIEM Getting Better Insights & Results Bill Thorn Director, Security Operations Apollo Education Group Agenda Why use a SIEM? What is a SIEM? Benefits of Using a SIEM Considerations Before
More informationCisco Firepower NGFW. Anticipate, block, and respond to threats
Cisco Firepower NGFW Anticipate, block, and respond to threats Digital Transformation on a Massive Scale 15B Devices Today Attack Surface 500B Devices In 2030 Threat Actors $19T Opportunity Next 10 Years
More informationCylance Axiom Alliances Program
Alliances Program Cylance Axiom Alliances Program Program Overview The Cylance Axiom Alliances Program is a community of cybersecurity solution providers working together to deliver a prevention-first
More informationSentinelOne Technical Brief
SentinelOne Technical Brief SentinelOne unifies prevention, detection and response in a fundamentally new approach to endpoint protection, driven by behavior-based threat detection and intelligent automation.
More informationFIREWALL PROTECTION AND WHY DOES MY BUSINESS NEED IT?
WHAT IS FIREWALL PROTECTION AND WHY DOES MY BUSINESS NEED IT? While firewalls started life simply protecting networks from outside hacks and attacks, the role of the firewall has greatly evolved to take
More informationINCIDENT RESPONDER'S FIELD GUIDE INCIDENT RESPONDER'S INCIDENT RESPONSE PLAN FIELD GUIDE LESSONS FROM A FORTUNE 100 INCIDENT RESPONSE LEADER
INCIDENT RESPONDER'S FIELD GUIDE INCIDENT RESPONDER'S INCIDENT RESPONSE PLAN FIELD GUIDE LESSONS FROM A FORTUNE 100 INCIDENT RESPONSE LEADER 1 INCIDENT RESPONDER'S FIELD GUIDE TABLE OF CONTENTS 03 Introduction
More informationDesigning and Building a Cybersecurity Program
Designing and Building a Cybersecurity Program Based on the NIST Cybersecurity Framework (CSF) Larry Wilson lwilson@umassp.edu ISACA Breakfast Meeting January, 2016 Designing & Building a Cybersecurity
More information85% 89% 10/5/2018. Do You Have A Firewall Around Your Cloud? Conquering The Big Threats & Challenges
Do You Have A Firewall Around Your Cloud? California Cybersecurity Education Summit 2018 Tyson Moler Oracle Security, North America Public Sector Conquering The Big Threats & Challenges Real Life Threats
More informationCourse Outline Topic 1: Current State Assessment, Security Operations Centers, and Security Architecture
About this Course This course will best position your organization to analyse threats and detect anomalies that could indicate cybercriminal behaviour. The payoff for this new proactive approach would
More informationKey Technologies for Security Operations. Copyright 2014 EMC Corporation. All rights reserved.
Key Technologies for Security Operations 2 Traditional Security Is Not Working 97% of breaches led to compromise within days or less with 72% leading to data exfiltration in the same time Source: Verizon
More informationCisco Security Exposed Through the Cyber Kill Chain
Cisco Forschung & Lehre Forum für Mecklenburg Vorpommern Cisco Security Exposed Through the Cyber Kill Chain Rene Straube CSE, Cisco Advanced Threat Solutions January, 2017 The Cisco Security Model BEFORE
More informationSharing What Matters. Accelerating Incident Response and Threat Hunting by Sharing Behavioral Data
Sharing What Matters Accelerating Incident Response and Threat Hunting by Sharing Behavioral Data Dan Gunter, Principal Threat Analyst Marc Seitz, Threat Analyst Dragos, Inc. August 2018 Today s Talk at
More informationYou re Leaking: Incident Response in the World of DevOps Jerry Dixon & Levi Gundert
You re Leaking: Incident Response in the World of DevOps Jerry Dixon & Levi Gundert JERRY DIXON @jwdixonjr CROWDSTRIKE Chief Information Security Officer AMERICAN EXPRESS Vice President, Cyber Threat Intelligence
More informationFidelis Overview. 15 August 2016 ISC2 Cyber Defense Forum
Fidelis Overview 15 August 2016 ISC2 Cyber Defense Forum Fidelis Cybersecurity EST. 2002 T HE W O RLD S M O ST VAL U ABLE BR AND S USE FIDELIS* I N D U S T R I E S W E S E R V E Defense Contractors Financial
More informationIncident Response Agility: Leverage the Past and Present into the Future
SESSION ID: SPO1-W03 Incident Response Agility: Leverage the Past and Present into the Future Torry Campbell CTO, Endpoint and Management Technologies Intel Security The Reality we Face Reconnaissance
More informationWITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:
SOLUTION OVERVIEW: ALERT LOGIC THREAT MANAGER WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE Protecting your business assets and sensitive data requires regular vulnerability assessment,
More information