RSA Advanced Security Operations
Richard Nichols, Director EMEA

What is the problem we need to solve?
Attackers Are Outpacing Defenders... and the Gap is Widening
[Chart: attacker capabilities vs. defender capabilities over time; the growing distance between the two curves is labelled "the defender-detection deficit". Source: Verizon 2015 Data Breach Investigations Report.]
Why Security Defenses Are Failing: The Strategic View
- The attack surface is expanding
- Attackers are becoming more sophisticated
- Existing strategies and controls are failing
- Security teams are missing attacks
- Teams need to increase experience and efficiency
- Tools and processes must adapt to today's threats
Evolution of Threat Actors and Detection Implications
[Diagram, built up over three slides: malicious traffic from threat actors passes through preventative controls (Firewall, IDS/IPS, AntiVirus, later SIEM) toward corporate assets; blocked sessions, alerts and logs are shown at the controls, and the uncovered "whitespace" between them is where successful intrusions reach the assets.]
- At first, there were HACKS: preventative controls filter known attack paths. Successful hacks pass through the whitespace to corporate assets.
- Then, ATTACKS: despite increased investment in controls, including SIEM (more logs, blocked sessions, alerts), successful attacks still pass through the whitespace.
- Now, successful ATTACK CAMPAIGNS target any and all whitespace. Complete visibility into every process and network session is required to eradicate the attacker opportunity.
[Diagram additions for the third stage: Endpoint Visibility (processes) and Network Visibility (network sessions) feeding Security Analytics, a unified platform for advanced threat detection and investigations.]
How can we address the problem?

Shift from Prevention to Detection and Response
"By 2020, 60% of enterprise information security budgets will be allocated to rapid detection and response approaches, up from less than 10% in 2014."
-- Neil MacDonald and Peter Firstbrook, Gartner, Feb. 12, 2014, "Designing an Adaptive Security Architecture for Protection From Advanced Attacks"
Security Monitoring Must Evolve
- ENDPOINT TO CLOUD VISIBILITY: fuse together network, endpoint and system data and threat intelligence for Complete Visibility
- ADVANCED THREAT DETECTION: utilize intelligence, context and Advanced Analytics to highlight potential incidents from normal activity
- RAPID INVESTIGATIONS: leverage Visibility to Investigate Incidents rapidly and completely, such that Prioritized Actions can be taken to mitigate Incidents
- EFFICIENT OPERATIONS: incident response, investigations and systems management need to be Easy to Use
See More: Visibility
- P, L, E, N: Packets, Logs, Endpoints, NetFlow
- Capture-Time Data Enrichment
- Business and Compliance Context

Understand Everything: Analysis
- Correlate Multiple Data Sources
- Endpoint Threat Detection
- Out-of-the-box Content
- Big Data and Data Science

Investigate and Remediate Faster: Action
- Prioritized and Unified Analyst Workflow
- Investigate down to the finest details
- Integrate SOC Best Practices
Enabling Better Detection with Content
- Monthly Reports and Analytics content to deliver more value to customers
- Over 195 application rules, 75 correlation rules
- Several high-profile, threat-specific updates: Heartbleed, IE9 Zero Day, GameOver Zeus, Shell Crew, Boleto Fraud Ring
- Many more in the pipeline; future focus on Identity, Cloud and Expanded Threat Indicators
Customer quote: "SA Nailed it! RSA Security Analytics provided us the best view of attempts and issues on our network, better than any other product."
RSA Advanced SOC
[Diagram: RSA SecOps receives CONTEXT and ALERTS; alerts from RSA Security Analytics and 3rd-party systems are aggregated into incidents, which launch investigations; Incident Response and Breach Response workflows, SOC Program Management, and Dashboard and Report sit on top; RSA Archer Enterprise Management supplies context, with RSA Archer Enterprise Risk and BCM optional.]
Resource Shift Needed: Budgets and People
[Two pie charts]
- Today's Priorities: Prevention 80%, Monitoring 15%, Response 5%
- Intelligence-Driven Security: Prevention 33%, Monitoring 33%, Response 33%
Beyond Technology

RSA Advanced Cyber Defense Services
- Incident Response: rapid breach response and SLA-based retainer
- Strategy and Roadmap: review and recommendations
- NextGen Security Operations: technical consulting to transform from reactive to proactive
See Everything. Fear Nothing.
EMC, RSA, the EMC logo and the RSA logo are trademarks of EMC Corporation in the U.S. and other countries.