Security. Risk Management. Compliance.

Transcription

1 Richard Nichols Netwitness Operations Director, RSA Security. Risk Management. Compliance. 1

2 Old World: Static Security Static Attacks Generic, Code-Based Static Infrastructure Physical, IT Controlled Static (Bolt-On) Defenses Signature-Based, At Perimeter 2

3 New World: Advanced Security Hybrid Cloud Public Clouds Advanced Attacks Targeted, Human-Based Dynamic Infrastructure Virtual, User-Centric Dynamic (Built-In) Defenses Analytics & Risk-Based 3

4 IN THE WORLD OF CLOUD AND BIG DATA TRUST AND SECURITY ARE ESSENTIAL 4

5 Building Trust In The Cloud Hybrid Cloud Infrastructure Private Public Tenets Of Cloud Security Governance Visibility Controls TRUST 5

6 RSA Approach GOVERNANCE Manage Business Risk, Policies and Workflows ADVANCED VISIBILITY AND ANALYTICS Collect, Retain and Analyze Internal and External Intelligence INTELLIGENT CONTROLS Rapid Response and Containment Cloud Network Mobility 6

7 RSA Approach GOVERNANCE RSA Archer egrc Suite ADVANCED VISIBILITY AND ANALYTICS INTELLIGENT CONTROLS RSA NetWitness RSA NetWitness Spectrum RSA envision RSA DLP Suite RSA Adaptive Authentication RSA Access Manager RSA SecurID RSA Transaction Monitoring RSA FraudAction RSA CCI RSA efraud Network RSA NetWitness Live RSA Federated Identity Manager RSA Data Protection RSA DLP Suite RSA BSAFE Cloud Network Mobility 7

8 Anatomy of an Attack 8

9 Attack Scenario Phishing s John received a phishing that was customized for him. Drive-by Download John clicked on the link and got infected by Trojan from drive-by download. 1 2 Attacker gain access to a critical server Trojan installed backdoor which allows reverse connection to infected machine. Hacker dump password hash and gain access to a critical server via RDP. 3 4 PASSWORD Data ex-filtration Attacker encrypted sensitive files found on the critical server and transfer out via FTP 9

10 DLP detected file transfer activity MENU DLP Network detects a transfer of encrypted file over FTP protocol 10

11 Correlation alert triggered from envision MENU EnVision generates alert from two correlated events 1. Successful RDP connection to critical server 2. DLP activity on the same server 11

12 Incident escalation to Archer Dashboard MENU EnVision alerts sent to RSA Archer via RCF RSA Archer links this incident with business context and prioritize it as HIGH priority 12

13 Seamless integration to NetWitness MENU Instant integration from Archer Console to NetWitness with two clicks SIEMLink transparently retrieves full session detail from NextGen 13

14 Spectrum Automated Malware Analysis MENU Spectrum instantly provides detailed analysis of the executable file in question 14

15 Interactive Analysis with Investigator MENU Context of all network activities to/from critical server Confirm John s machine ( ) as source of RDP session 15

16 Interactive Analysis with Investigator MENU Drill into all network sessions from John s machine Small executable file Transfer over HTTP Suspicious filename & extension Malware?!? Suspicious domain name 16

17 DLP Network detect a transfer of encrypted file over FTP protocol Lessons Learned Continuous Monitoring Network Segregation Server access restriction Strong Authentication of users and admin PASSWORD 5 Firewall blocking of FTP transmitting to external unauthorized servers 4 Data encryption or tokenization for sensitive data on server 17

18 RSA NetWitness what is it and why do I need it? 18

19 Threats are Evolving Rapidly Criminals Petty criminals Unsophisticated Organized crime Organized, sophisticated supply chains (PII, financial services, retail) Nation state actors PII, government, defense industrial base, IP rich organizations Non-state actors Terrorists PII, Government, critical infrastructure Anti-establishment vigilantes Hacktivists Targets of opportunity 19

20 Advanced Threats 83% of organizations believe they have been the victim of an Advanced Threats 65% of organizations don t believe they have sufficient resources to prevent Advanced Threats 99% of breaches led to data compromise within days or less 85% of breaches took weeks or more to discover Source: Ponemon Institute Survey Conducted Growing Risk of Advanced Threats Source: Verizon 2012 Data Breach Investigations Report 20

21 New Security Concept: OFFENSE IN DEPTH Attacker Surveillance Target Analysis Access Probe Attack Set-up System Intrusion Attack Begins Cover-up Starts Discovery / Persistence Leap Frog Attacks Complete Cover-up Complete Maintain foothold Time ATTACKER FREE TIME Need to collapse attacker free time Physical Security Threat Analysis Attack Forecast Defender discovery Monitoring & Controls Attack Identified Incident Reporting Containment & eradication Damage Identification Impact Analysis System Reaction Response Recovery Source: NERC HILF Report, June 2010 ( 21

22 RSA NetWitness Is A revolutionary approach to enterprise network monitoring A platform for pervasive visibility into content and behavior Providing precise and actionable intelligence Know Everything. Answer Anything. 22

23 Know Everything Answer Anything» Why are packed or obfuscated executables being used on our systems?» What critical threats are my Anti-Virus and IPS missing?» I am worried about targeted malware and APTs -- how can I fingerprint and analyze these activities in my environment?» We need to better understand and manage the risks associated with insider threats I want visibility into end-user activity and to be alerted on certain types of behavior?» On our high value assets, how can we have certainty that our security controls are functioning exactly as implemented?» How can I detect new variants of Zeus or other 0day malware on my network?» We need to examine critical incidents as if we had an HD video camera recording it all Invest in Certainty. Invest in Agility. 23

24 Enabling A Revolution in Network Monitoring NetWitness Product Tour 24

25 Understanding the NetWitness Network Monitoring Platform Normalized Data, Application Layer Context Network traffic Logs Fusion of Threat Intelligence 25

26 NetWitness Components APPLICATIONS Informer Visualization, reporting, alerting and live charting server Investigator Enterprise Interactive analysis with NetWitness appliances Live - Real-time integration of the collective intelligence of the world with your data. Spectrum Automated malware prioritization and analysis SIEMLink - Provides immediate access to NetWitness analytics from within your IDS or SIEM console SDK/API - Free for rapid development of any conceivable network analysis application Appliances Decoder - Real-time, distributed, highly configurable network recording appliance (full packet) Concentrator and Broker - Aggregate and analyze data across multiple capture locations; Request-brokering across entire infrastructure Eagle - Portable hybrid appliance combining elements of Decoder, Concentrator and Investigator in a fielddeployable solution 26

27 Automated Analysis, Reporting and Alerting Informer Flexible dashboard, chart and summary displays for unified view of threat vectors Automated answers to any question: Network Security Security / HR Legal / R&D / Compliance I/T Operations HTML, CSV and PDF report formats included Supports CEF, SNMP, syslog, SMTP data push for full integration in SIEM 27

28 Getting Answers to the Toughest New Questions Investigator Interactive data-driven session analysis of layer 2-7 content Award-winning, patented, port agnostic session analysis Infinite freeform analysis paths and content /context investigation points Data presented as the user experienced (Web, Voice, Files, s, Chats, etc.) Supports massive data-sets Instantly navigate terabytes of data - analysis that once took days, now takes minutes Freeware Version used by over 50,000 security experts worldwide 28

29 Signature-Free, Automated Malware Analysis, Prioritization, and Workflow Spectrum Mimics the techniques of leading malware analysts Leverages NetWitness Live by fusing information from leading threat intelligence and reputation services Utilizes NetWitness pervasive network monitoring capability for full network visibility Provides transparency and efficiency to malware analytic processes by delivering complete answers 29

30 Threat Intelligence Delivery System Live Automate insight into advanced threats Leverages global security community to correlate and illuminate the most pertinent information Fuses intelligence with your network data in real-time Solutions to problem-sets: Advanced threats Malware BOTNets Policy/Audit Enterprise Monitoring Fraud User Attribution Risk prioritization Prioritized and detailed reporting 30

31 Thank you! 31