Key Technologies for Security Operations
Traditional Security Is Not Working

97% of breaches led to compromise within days or less, with 72% leading to data exfiltration in the same time.
78% of breaches took weeks or more to discover; 66% took months or more.
Source: Verizon 2013 Data Breach Investigations Report
Today's Security Requirements

Big Data Infrastructure: need a fast and scalable infrastructure to conduct real-time and long-term analysis
High Powered Analytics: give me the speed and smarts to detect, investigate and prioritize potential threats
Comprehensive Visibility: see everything happening in my environment and understand it
Integrated Intelligence: help me understand what to look for and what others have discovered
RSA Advanced Security Operations Center

[Architecture diagram] Components shown: RSA Security Operations for Archer (Security Operations Management, Incident Management, Vulnerability Risk Management); 3rd Party Tools; Asset Context; RSA Security Analytics; RSA ECAT (Windows clients/servers); RSA Live Intelligence (Threat Intelligence, Rules, Parsers, Alerts, Feeds, Apps, Directory Services, Reports and Custom Actions).
RSA Security Analytics

Unified platform for incident detection, investigations, compliance reporting and advanced security analysis.
SIEM: Log Parsing, Compliance Reports, Incident Alerts
Network Security Monitoring: Full Packet Capture, Capture Time Data Enrichment, Deep Dive Investigations
RSA Security Analytics: Big Data Infrastructure, Comprehensive Visibility, High Powered Analysis, Intelligence Driven Context
Security Analytics Architecture

[Architecture diagram] Distributed Data Collection (packets and logs) feeds Capture Time Data Enrichment (parsing and metadata tagging), producing packet metadata and log metadata. On top of that metadata sit Reporting & Alerting, Investigation & Forensics, Compliance, Malware Analysis, Incident Response and Endpoint Visibility & Analysis, with Additional Business & IT Context. RSA Live Intelligence (Threat Intelligence, Rules, Parsers, Alerts, Feeds, Apps, Directory Services, Reports & Custom Actions) content is applied at the collection, enrichment and analysis layers.
SA can coexist with a SIEM

[Architecture diagram] Packets go through Security Analytics' Distributed Data Collection and Capture Time Data Enrichment (parsing and metadata tagging) into packet metadata, which supports Alerting, Investigation & Forensics and Malware Analysis with LIVE intel feeds. Logs go to the 3rd party SIEM's collection, whose alerts feed Alert Triage, Compliance & Reporting and Investigations.
Integrated Intelligence: Know What To Look For

RSA Live Intelligence System: Threat Intelligence, Rules, Parsers, Alerts, Feeds, Apps, Directory Services, Reports and Custom Actions
1. Gathers advanced threat intelligence and content
2. Aggregates and consolidates data
3. Automatically distributes correlation rules, blacklists, parsers, views, feeds
Operationalize intelligence: take advantage of what others have already found and apply it against your current and historical data.
Reimagining Security Analysis: Removing Hay vs. Digging For Needles

All network traffic & logs: terabytes of data (100% of total)
Downloads of executables: thousands of data points (5% of total)
Type does not match extension!: hundreds of data points (0.2% of total)
Create alerts to/from critical assets: a few dozen alerts
Example Alert

Packing technology destined to host
FOLLOWED BY
Encrypted traffic to IP registered in blacklisted country
Could be an attacker compromising host and stealing data!
Logs AND packets

Non-RFC compliant traffic destined to host
FOLLOWED BY
Network interface put in promiscuous mode
Could be an attacker compromising a host and installing a sniffer!
Incident Detection: Data Ex-filtration

[Diagram] Stages shown: authorized user logged in to AD; different user from the same IP/host logged into the development test server, then the corporate file server; data ex-filtration; ALERT: suspect network traffic.
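The two FOLLOWED BY alerts and the chained login sequence above are sequence-correlation rules: stage N on a host must be followed by stage N+1 on the same host within a time window. As an added example that is not part of this deck or of RSA's product, here is a small Python correlator that applies such rules per host over constructed sample events; the event field names, the 30-minute window and the "XX" country code are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events (not from the deck): one observation per record, keyed by host.
EVENTS = [
    {"ts": "2013-06-01T10:00:00", "host": "ws-17", "type": "exe_download", "packed": True},
    {"ts": "2013-06-01T10:04:00", "host": "ws-17", "type": "net_flow", "encrypted": True, "dst_country": "XX"},
    {"ts": "2013-06-01T11:00:00", "host": "srv-3", "type": "net_flow", "rfc_compliant": False},
    {"ts": "2013-06-01T11:02:00", "host": "srv-3", "type": "nic_mode", "promiscuous": True},
    {"ts": "2013-06-01T12:00:00", "host": "ws-22", "type": "exe_download", "packed": True},
    {"ts": "2013-06-02T09:00:00", "host": "ws-22", "type": "net_flow", "encrypted": True, "dst_country": "XX"},
]
BLACKLISTED_COUNTRIES = {"XX"}  # placeholder code standing in for a "blacklisted country" feed
WINDOW = timedelta(minutes=30)  # assumed: all stages must occur within 30 minutes on one host
# A rule is an ordered list of predicates: each stage must be FOLLOWED BY the next on the same host.
RULES = {
    "packed_exe_then_encrypted_egress_to_blacklist": [
        lambda e: e["type"] == "exe_download" and e.get("packed"),
        lambda e: e["type"] == "net_flow" and e.get("encrypted") and e.get("dst_country") in BLACKLISTED_COUNTRIES,
    ],
    "non_rfc_traffic_then_promiscuous_nic": [
        lambda e: e["type"] == "net_flow" and e.get("rfc_compliant") is False,
        lambda e: e["type"] == "nic_mode" and e.get("promiscuous"),
    ],
}
def _t(e):
    return datetime.fromisoformat(e["ts"])

def match_chain(evs, start, stages, window):
    """Match every stage in order, beginning at evs[start]; return matched timestamps or None."""
    if not stages[0](evs[start]):
        return None
    t0, matched, idx = _t(evs[start]), [evs[start]["ts"]], start + 1
    for stage in stages[1:]:
        # skip non-matching events, but never look past the correlation window
        while idx < len(evs) and _t(evs[idx]) - t0 <= window and not stage(evs[idx]):
            idx += 1
        if idx >= len(evs) or _t(evs[idx]) - t0 > window:
            return None  # chain broken: next stage never arrived in time
        matched.append(evs[idx]["ts"])
        idx += 1
    return matched

def correlate(events, rules=RULES, window=WINDOW):
    """Return (rule_name, host, timestamps) for every FOLLOWED BY chain that completes."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_host[e["host"]].append(e)
    return [(name, host, chain) for name, stages in rules.items() for host, evs in by_host.items()
            for start in range(len(evs)) if (chain := match_chain(evs, start, stages, window))]
```

On the sample data the ws-22 download is not alerted because its encrypted egress falls outside the window, which is the kind of tuning decision the window value forces.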
RSA ECAT: Key Functionality & Benefits

File whitelisting; multi-engine AV scan; certificate validation; network traffic analysis; full system inventory; direct physical disk inspection; live memory analysis
X-ray view of what's happening on endpoints
Identify behavior related to malware
Highlight likely infections with Machine Suspect Level (MSL)
Quickly triage results to gain actionable intelligence
Find other infected machines and gauge scope of breach
Forensic data gathering
RSA Advanced Cyber Defense Training

Tier 1: Security Analyst I (Incident Analyst, Event Analyst)
Tier 2: Security Analyst II (Incident Handler, Forensic Analyst)
Tier 3: Security Analyst III (Malware Analyst, Threat Analyst)
Courses: RSA Intelligence Driven Event Analysis, RSA Incident Handling and Response, RSA Malware Analysis, RSA Threat Intelligence, RSA Cyber Defense Workshop
Prerequisites: knowledge of operating systems, fundamentals of networking, security concepts
RSA Malware Analysis and RSA Threat Intelligence available now. Complete curriculum will be available in Q4 2013.
Benefits

Identify suspicious events with superior incident detection and threat analysis
Investigate potential compromises with more speed, context and analytical firepower
Invest in a platform that will grow with you as you move towards a big data security analysis program
Demonstrate compliance without detracting from security