Threat Containment and Operations. Yong Kwang Kek, Director of Presales SE, APJ


Threat Containment and Operations
Yong Kwang Kek, Director of Presales SE, APJ
2018-07-19
2017 Infoblox Inc. All Rights Reserved. 2013 Infoblox Inc. All Rights Reserved.

Three Aspects of Security
- #1 Infrastructure Protection: Better Application and Service Availability
- #2 Data Protection and Malware Mitigation: Protect Users and Data
- #3 Threat Containment and Operations: Efficiency & Optimization of Security Operations

Agenda
- The Big Disconnect in IT
- Infoblox Solution for Threat Containment and Operations
- Why Infoblox
- Next Steps
(Sidebar: #1 Infrastructure Protection / #2 Data Protection and Malware Mitigation / #3 Threat Containment and Operations)

Today's Security Landscape: 400+ VENDORS

And Yet There is a Disconnect: Security You Want vs. Security You Often Get

Silos Exist Between Teams and Technologies
Network and Security: Separate Teams with Different Priorities
- Network Team: High Availability. Network Infrastructure: routers, APs, switches, etc. Network Logging and Monitoring
- Security Team: Risk Mitigation. Security Infrastructure: firewalls, endpoints, sandboxing, etc. Security Logging and Monitoring (SIEM)
"Silos between network, edge, endpoint and data security systems and processes can restrict an organization's ability to prevent, detect and respond to advanced attacks." (Best Practices for Detecting and Mitigating Advanced Threats, 2016 Update, 29 March 2016)

Ineffective Threat Intelligence: Poor Incident Response and Manual Processes
- 70% of survey respondents felt threat intel is not timely [1]
- 46% of survey respondents were unable to prioritize the threat by category [1]
- 45% of survey respondents lacked context for threat intel to make it actionable [1]
- Siloed threat intelligence impacts effectiveness and trust
- Lack of prioritization and context slows remediation
1. Source: Ponemon Institute, 2016 Second Annual Study on Exchanging Cyber Threat Intelligence: There Has to Be a Better Way

No Knowledge of Threat Context
Context: the environmental information required to take the right action
- WHO (identity)
- WHAT (what network device)
- WHERE (where and what part of the network)
- WHEN (time of day, how often)
Today's security teams:
- Face too many alerts with no way to prioritize based on actual risk
- Lack easy access to network data for context

Lack of Automation
Security tools can't take action automatically based on network activities:
- When new network elements join the network
- When malicious activities are detected by DNS security tools
Today's security teams use difficult, manual processes to assemble data from disparate sources.

Solution: Threat Containment and Operations
Ease Security Operations with Better Context, Automation and Consolidated Threat Intel
Threat Intelligence Optimization
- Enforce policy using timely, consolidated and high-quality threat intelligence
- Improve incident response with consolidated threat intelligence from multiple sources
- Eliminate silos and accelerate remediation by centralizing threat intelligence
Security Orchestration
- Automatically share DNS IoCs with the security ecosystem for more efficient incident response
- Share network context and actionable intelligence (IP address, DHCP fingerprint, lease history, etc.) to help assess risk and prioritize alerts
Rapid Triage / Resource Optimization
- Investigate threats faster to free up security personnel
- Timely access to context for threat indicators
(Sidebar: #1 Infrastructure Protection / #2 Data Protection and Malware Mitigation / #3 Threat Containment and Operations)

Solution Components

Consolidated Threat Intelligence
A single vendor relationship enables organizations to:
- Leverage specialized feeds from different vendors (no one source knows it all) across the entire infrastructure
- Eliminate conflicts between sources
- Get a higher rate of accuracy as all systems use the same source of truth
- Make efficient use of resources
(Diagram: NGEP, NGFW and SIEM consuming the same threat intelligence)

Timely, Consolidated & High Quality Threat Intelligence
- Out-of-the-box integration of native threat intelligence with DDI for policy enforcement
- Verified and curated threat intelligence with <0.01% historic rate of false positives
- Easily acquire, aggregate and distribute threat intelligence data
- Easily deploy threat intelligence data to mitigate threats
- Operationalize threat intelligence data
- Distribution of threat intelligence to existing security infrastructure to prevent future attacks

Leveraging Threat Intel Across the Entire Security Infrastructure
- Sources: Infoblox C&C IP List, SURBL, Marketplace, Custom TI
- TIDE: define data policy, governance & translation
- Indicator types: phishing & malware URLs, spambot IPs, C&C & malware host/domain
- Output: various file formats
- Dossier: investigate threats
RESULT: single source of TI management, faster triage, threat prioritization

Security Orchestration: Accelerating Incident Handling and Response with Automation
Context to Prioritize Remediation
- DHCP: device audit trail and fingerprinting (device info, MAC, lease history)
- IPAM: application and business context. Metadata via Extended Attributes: owner, app, security level, location, ticket number. Context for accurate risk assessment and event prioritization
- DNS: malicious activity inside the security perimeter; includes BYOD and IoT devices; profile device & user activity
Ecosystem: SIEM, Vulnerability Management, Threat Intelligence Platform, Network Access Control, Advanced Threat Detection, Next-gen Endpoint Security

Visualize Your Network Clearly and Automatically Inform the Ecosystem
- See every network asset, every IP address and switch port, with unmatched clarity.
- Consolidate core network infrastructure into a single, comprehensive, authoritative database.
- Automatically notify the ecosystem of changes in the network
- Manage diverse devices intelligently as you grow
- Identify new or unmanaged network elements quickly to enforce security
- Notify security tools of network changes in real time
Components: Discovery and Visibility, IPAM Sync, Ecosystem Integrations with security vendors, Reporting

Mine Valuable Historical DNS Data for Security & Troubleshooting
- Forensic data mining for security operations
- Determine the scope of a security incident by searching for systems that visited a malware control site
- Automate correlation of network context and data with security events
- Unified reporting of security events for on-premises and cloud
- Help reduce Splunk Enterprise license costs by optimizing DNS data transfer through filtering

Rapid Threat Investigation and Triage
- Single view for multiple sources
- Provides timely access to contextual information on threat actor, threat campaign and associated breaches in other organizations
- Allows rapid threat investigation and automation to free up security personnel

Why Infoblox
1. Easy to apply threat intelligence not just in the DNS infrastructure but across the entire security infrastructure
2. In-house advanced threat research team
3. Proven integrations with leading security technologies using STIX/TAXII, REST APIs, pxGrid and syslog for automating response to threats
4. Track record: market leader in DNS, DHCP and IPAM, 50% market share, over 8000 customers

Next Steps: Path to Engagement
- Free trials/software: ActiveTrust (on-premises) eval
- Security (PCAP) assessment
- Engage with Infoblox to find out if we integrate with your security tools
- Follow up with sales teams for a deep dive on products

Q&A

Technical Section
(Note to presenter: include technical slides if needed based on audience)

How Does Infoblox Threat Intel Provide the Most Value?
- High accuracy and wide coverage
- Provides context enabling security to focus on the most crucial indicators
- Deletion of outdated intelligence utilizing TTL (time to live)
- Single source of truth: streamlines policy enforcement, incident response and threat analyst activities (blacklisted domains are easy to find in Dossier)
- Wide set of threat intel partners integrated into platform, business model and common API

Leveraging Threat Intel Across the Entire Security Infrastructure
- Sources: Infoblox C&C IP List, SURBL, Marketplace, Custom TI
- TIDE: define data policy, governance & translation
- Indicator types: phishing & malware URLs, spambot IPs, C&C & malware host/domain
- Output formats: CSV file, JSON, STIX, RBL zone file, RPZ
- Dossier: investigate threats
RESULT: single source of TI management, faster triage, threat prioritization
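The two "Leveraging Threat Intel" slides and the "How Does Infoblox Threat Intel Provide the Most Value?" slide describe the same pipeline: indicators arrive from several feeds in different formats, conflicting or duplicate entries are collapsed to one source of truth, outdated entries are dropped by TTL, and the result is pushed to enforcement points as, among other formats, an RPZ zone. The script below is an added example written for this page, not Infoblox or TIDE code; the two feeds, their column names, the `ttl_hours` semantics and the fixed clock `NOW` are constructed assumptions. It shows the consolidation and TTL logic, and why a URL indicator cannot be expressed in RPZ (DNS only sees the hostname) and therefore needs a different output format.

```python
import csv
import io
import json
from datetime import datetime, timedelta, timezone

# Constructed feed A (CSV). Columns and TTL semantics are this example's
# assumptions, not a vendor's feed format.
FEED_CSV = """\
type,value,first_seen,ttl_hours,source
host,cnc.bad-domain.example,2018-07-18T09:00:00Z,72,feedA
host,old.stale.example,2018-07-01T00:00:00Z,24,feedA
ip,203.0.113.10,2018-07-19T01:00:00Z,48,feedA
"""

# Constructed feed B (JSON) publishing an overlapping indicator in a different case.
FEED_JSON = json.dumps({"indicators": [
    {"type": "host", "value": "CNC.Bad-Domain.example.", "first_seen": "2018-07-19T02:00:00Z",
     "ttl_hours": 24, "source": "feedB"},
    {"type": "url", "value": "http://phish.example/login", "first_seen": "2018-07-19T03:00:00Z",
     "ttl_hours": 12, "source": "feedB"},
    {"type": "ip", "value": "198.51.100.7", "first_seen": "2018-07-19T03:30:00Z",
     "ttl_hours": 6, "source": "feedB"},
]})

NOW = datetime(2018, 7, 19, 12, 0, tzinfo=timezone.utc)  # fixed clock for the example


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(ind_type, value):
    """Canonical form so the same indicator from two feeds collapses to one."""
    value = value.strip()
    if ind_type == "host":
        value = value.rstrip(".").lower()
    return value


def consolidate(now=NOW):
    """Merge both feeds, drop indicators whose TTL has elapsed, dedupe across sources."""
    records = list(csv.DictReader(io.StringIO(FEED_CSV)))
    records += json.loads(FEED_JSON)["indicators"]
    merged = {}
    for r in records:
        key = (r["type"], normalize(r["type"], r["value"]))
        expires = parse_ts(r["first_seen"]) + timedelta(hours=int(r["ttl_hours"]))
        if expires <= now:
            continue  # outdated intelligence: not pushed to enforcement points
        entry = merged.setdefault(key, {"expires": expires, "sources": set()})
        entry["expires"] = max(entry["expires"], expires)  # longest remaining TTL wins
        entry["sources"].add(r["source"])
    return merged


def rpz_ip_trigger(ip):
    """RPZ IP trigger: <prefix>.<reversed octets>.rpz-ip (here always /32)."""
    return "32." + ".".join(reversed(ip.split("."))) + ".rpz-ip"


def to_rpz(merged, zone="rpz.example"):
    """Emit an RPZ zone; 'CNAME .' is the NXDOMAIN action. URL indicators are
    skipped because DNS only sees the hostname; they belong on a proxy/NGFW feed."""
    lines = [
        f"$ORIGIN {zone}.",
        "$TTL 300",
        "@ IN SOA localhost. root.localhost. 1 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    for (ind_type, value), entry in sorted(merged.items()):
        src = ",".join(sorted(entry["sources"]))
        if ind_type == "host":
            lines.append(f"{value} CNAME . ; sources={src}")
            lines.append(f"*.{value} CNAME . ; sources={src}")
        elif ind_type == "ip":
            lines.append(f"{rpz_ip_trigger(value)} CNAME . ; sources={src}")
    return "\n".join(lines) + "\n"


def unsupported_by_rpz(merged):
    """Indicators that need a different enforcement format (e.g. URLs)."""
    return sorted(v for (t, v) in merged if t not in ("host", "ip"))


if __name__ == "__main__":
    m = consolidate()
    print(to_rpz(m))
    print("not in RPZ:", unsupported_by_rpz(m))
```

With the constructed clock, `old.stale.example` and `198.51.100.7` are already past their TTL and never reach the zone, while the C&C host published by both feeds becomes a single record that records both sources and keeps the later expiry. Re-running `consolidate()` with a later clock empties the set, which is the "deletion of outdated intelligence" behaviour the slide describes.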

The DNS, DHCP and IPAM Data Gold Mine
DHCP: Device Audit Trail and Fingerprinting
- A DHCP assignment signals the insertion of a device onto the network
- Includes context: device info, MAC, lease history
- DHCP is an audit trail of devices on the network
IPAM: Application and Business Context
- Fixed IP addresses are typically assigned to high-value devices: data center servers, network devices, etc.
- IPAM provides metadata via Extended Attributes: owner, app, security level, location, ticket number
- Context for accurate risk assessment and event prioritization
DNS: Activity Audit Trail
- DNS query data provides a client-centric record of activity
- Includes internal activity inside the security perimeter
- Includes BYOD and IoT devices
- This provides an excellent basis to profile device & user activity
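The "Mine Valuable Historical DNS Data" slide and the "Data Gold Mine" slide above together describe one investigation: search historical DNS query logs for every client that resolved a malware control domain, then attach DHCP lease history (MAC, hostname, fingerprint) and IPAM extended attributes (owner, security level) to each hit. The script below is an added example written for this page, not Infoblox code; the BIND-style query log lines, the DHCP leases and the IPAM attributes are all constructed sample data. It also handles the point that makes lease history essential: the same IP address was leased to two different devices on the same day, so a hit must be matched to the lease that was active at the time of the query, not simply to the IP.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone


def utc(s):
    """Parse a constructed 'YYYY-MM-DD HH:MM' timestamp as UTC."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Constructed BIND-style query log lines; an assumption, not real Infoblox output.
DNS_LOG = """\
19-Jul-2018 09:01:12.004 client 10.20.1.15#53211: query: www.example.com IN A + (10.20.0.2)
19-Jul-2018 09:02:45.118 client 10.20.1.15#53212: query: cnc.bad-domain.example IN A + (10.20.0.2)
19-Jul-2018 09:03:10.551 client 10.20.1.77#40101: query: update.bad-domain.example IN A + (10.20.0.2)
19-Jul-2018 12:30:02.009 client 10.20.1.15#53300: query: cnc.bad-domain.example IN A + (10.20.0.2)
19-Jul-2018 13:15:40.777 client 10.20.2.9#61002: query: mail.example.com IN MX + (10.20.0.2)
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client (?P<ip>[\d.]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    hostname: str
    fingerprint: str
    start: datetime
    end: datetime


# Constructed DHCP lease history. 10.20.1.15 was handed to two different
# devices on the same day, so a lease must be matched by time, not just IP.
LEASES = [
    Lease("10.20.1.15", "00:11:22:33:44:01", "laptop-alice", "Windows 10",
          utc("2018-07-19 08:00"), utc("2018-07-19 11:00")),
    Lease("10.20.1.15", "00:11:22:33:44:02", "tablet-guest", "Android",
          utc("2018-07-19 11:30"), utc("2018-07-19 19:30")),
    Lease("10.20.1.77", "00:11:22:33:44:03", "printer-3f", "HP printer",
          utc("2018-07-19 00:00"), utc("2018-07-20 00:00")),
]

# Constructed IPAM extended attributes for fixed addresses, keyed by IP.
IPAM_EA = {"10.20.1.77": {"owner": "facilities", "security_level": "low"}}


def parse_line(line):
    """Return (timestamp, client_ip, qname) for a query log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S").replace(tzinfo=timezone.utc)
    return when, m["ip"], m["qname"].rstrip(".").lower()


def matches_indicator(qname, indicators):
    """True if qname equals an indicator domain or is a subdomain of one."""
    return any(qname == d or qname.endswith("." + d) for d in indicators)


def lease_at(ip, when):
    """DHCP lease that was active for `ip` at time `when`, if any."""
    for lease in LEASES:
        if lease.ip == ip and lease.start <= when < lease.end:
            return lease
    return None


def scope_incident(log_text, indicators):
    """List every device (keyed by MAC when the lease is known) that resolved an
    indicator domain, with DHCP and IPAM context attached, ordered by first sighting."""
    indicators = {d.rstrip(".").lower() for d in indicators}
    hits = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        when, ip, qname = parsed
        if not matches_indicator(qname, indicators):
            continue
        lease = lease_at(ip, when)
        key = lease.mac if lease else ip  # no lease on record: fall back to the IP
        entry = hits.get(key)
        if entry is None:
            entry = hits[key] = {
                "ip": ip,
                "mac": lease.mac if lease else None,
                "hostname": lease.hostname if lease else None,
                "fingerprint": lease.fingerprint if lease else None,
                "first_seen": when,
                "queries": 0,
                "domains": set(),
                **IPAM_EA.get(ip, {"owner": None, "security_level": None}),
            }
        entry["queries"] += 1
        entry["domains"].add(qname)
    return sorted(hits.values(), key=lambda h: h["first_seen"])


if __name__ == "__main__":
    for h in scope_incident(DNS_LOG, ["bad-domain.example"]):
        print(h["first_seen"].isoformat(), h["ip"], h["mac"], h["hostname"],
              h["owner"], sorted(h["domains"]))
```

Searching for `bad-domain.example` returns three devices, not two IPs: the morning and afternoon queries from 10.20.1.15 resolve to different leases and therefore different MACs, and the printer's fixed address picks up its IPAM owner and security level for prioritization.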

Ecosystem API Integration Options: Automated Action and Remediation
Infoblox and third-party system interfaces: STIX/TAXII, third-party proprietary REST API
- Mitigation / Course of Action: enable a 3rd party to block an IP and domain
- Indicator of Compromise: DNS Firewall (DNSFW) or data exfiltration event notification to trigger automated action or to provide to the monitoring platform
- Data Enrichment: a 3rd party requests data (IP address, DNS records, location)
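The slide names STIX/TAXII as the interface for sharing a DNS firewall hit as an indicator of compromise together with a course of action that a third party can enforce. The script below is an added example written for this page, not Infoblox code or a TAXII client; the DNS firewall event dict is a constructed sample with an assumed shape. The producer side builds a STIX 2.1 bundle (indicator, course-of-action, a `mitigates` relationship, and a sighting carrying the hit count and times); the consumer side shows what a receiving firewall would do with it, accepting only indicators that a course of action explicitly mitigates and that carry a plain `domain-name` pattern.

```python
import json
import re
import uuid
from datetime import datetime, timezone


def stix_ts(dt):
    """STIX 2.1 timestamp: UTC with millisecond precision and a trailing Z."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def new_id(stix_type):
    return f"{stix_type}--{uuid.uuid4()}"


def stix_literal(value):
    """Escape a string for use inside a STIX pattern string literal."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


# Constructed DNS firewall hit as a generic event dict (assumed shape, not a
# vendor log format): an internal client resolved a blocked domain twice.
SAMPLE_EVENT = {
    "qname": "cnc.bad-domain.example",
    "client_ip": "10.20.1.15",
    "first_seen": datetime(2018, 7, 19, 9, 2, 45, tzinfo=timezone.utc),
    "last_seen": datetime(2018, 7, 19, 12, 30, 2, tzinfo=timezone.utc),
    "count": 2,
}


def dnsfw_event_to_stix(event, now=None):
    """Producer side: wrap the hit as a STIX 2.1 bundle with an indicator,
    a course of action that mitigates it, and a sighting recording the hits."""
    created = stix_ts(now or datetime.now(timezone.utc))
    common = {"spec_version": "2.1", "created": created, "modified": created}
    indicator = {
        "type": "indicator", "id": new_id("indicator"), **common,
        "name": f"Blocked C2 domain {event['qname']}",
        "indicator_types": ["malicious-activity"],
        "pattern": f"[domain-name:value = '{stix_literal(event['qname'])}']",
        "pattern_type": "stix",
        "valid_from": stix_ts(event["first_seen"]),
    }
    coa = {
        "type": "course-of-action", "id": new_id("course-of-action"), **common,
        "name": "Block domain at DNS and perimeter",
        "description": "Answer NXDOMAIN via RPZ; deny the domain on web proxy/NGFW.",
    }
    mitigates = {
        "type": "relationship", "id": new_id("relationship"), **common,
        "relationship_type": "mitigates",
        "source_ref": coa["id"], "target_ref": indicator["id"],
    }
    sighting = {
        "type": "sighting", "id": new_id("sighting"), **common,
        "sighting_of_ref": indicator["id"],
        "count": event["count"],
        "first_seen": stix_ts(event["first_seen"]),
        "last_seen": stix_ts(event["last_seen"]),
        "description": f"Queried by internal client {event['client_ip']}",
    }
    return {"type": "bundle", "id": new_id("bundle"),
            "objects": [indicator, coa, mitigates, sighting]}


DOMAIN_PATTERN = re.compile(r"^\[domain-name:value = '((?:[^'\\]|\\.)*)'\]$")


def blocklist_from_bundle(bundle):
    """Consumer side (e.g. a firewall): take only indicators that a course of
    action 'mitigates' and that carry a plain domain-name pattern."""
    objs = {o["id"]: o for o in bundle["objects"]}
    mitigated = {
        o["target_ref"] for o in bundle["objects"]
        if o["type"] == "relationship" and o["relationship_type"] == "mitigates"
        and objs.get(o["source_ref"], {}).get("type") == "course-of-action"
    }
    domains = []
    for ref in sorted(mitigated):
        ind = objs.get(ref)
        if not ind or ind["type"] != "indicator" or ind.get("pattern_type") != "stix":
            continue
        m = DOMAIN_PATTERN.match(ind["pattern"])
        if m:
            domains.append(m.group(1).replace("\\'", "'").replace("\\\\", "\\"))
    return domains


if __name__ == "__main__":
    bundle = dnsfw_event_to_stix(SAMPLE_EVENT)
    print(json.dumps(bundle, indent=2))
    print("domains to block:", blocklist_from_bundle(bundle))
```

Delivering the bundle is the TAXII part (an HTTP POST of the JSON to a collection endpoint), which is left out here. The consumer deliberately ignores an indicator that arrives without a mitigating course of action, so a feed that only reports a sighting does not silently turn into a block rule.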

Quarantining Endpoints and Containment: Infoblox and Carbon Black
- Infected endpoint attempts data exfiltration
- Infoblox identifies the domain associated with data exfiltration and blocks the connection
- Infoblox sends an alert to Carbon Black
- Carbon Black correlates endpoint and network data and remediates the infected endpoint automatically: kills the endpoint process, preserves evidence
- Updates security policy [kill process] on all endpoints

Improving Operational Efficiency through Information Exchange: Cisco ISE pxGrid Integration
The Challenge: Security and Network Operation Center tools are isolated, leading to inefficiency
Infoblox Solution:
- Infoblox will publish critical data that will enrich the ISE database and 3rd-party partners
- Infoblox will subscribe to user identity data available via ISE to enhance IPAM
- Infoblox will publish Secure DNS events (infected devices) for further analysis and remediation by ecosystem partners
(Diagram: Infoblox publishes events to, and subscribes to data from, the Cisco ISE pxGrid ecosystem; mitigation is applied on the Cisco network)
Customer Benefits:
- Easier troubleshooting with additional identity and network data
- Security operations efficiency by sharing data

Easing Compliance & Audit: Infoblox & Vulnerability Scanners
Opportunity: Lack of complete and up-to-date information about network devices and non-compliant hosts limits the effectiveness of vulnerability scanning
Solution: Infoblox acts as the single source of truth for the network and devices
- Network & device discovery with metadata
- Notifies Qualys/Rapid7 of new networks and devices as they are identified
- Triggers on-demand vulnerability scan
(Flow: vulnerability scans, policy enforcement, remediation)
Benefits:
- Efficient vulnerability management & compliance processes
- Faster response to potential risks associated with new devices or virtual workloads on the network

SIEM Integration: Infoblox and LogRhythm
Infoblox DNS security and DHCP services provide visibility into DNS security events and IP address changes, which can be used by the SIEM for analysis.

SIEM Integration: Infoblox and Splunk
Components: Infoblox Grid Master, Infoblox Grid Members, Infoblox Data Connector VM (CSV), Splunk Universal Forwarder, Splunk Enterprise
- Helps reduce Splunk Enterprise license costs by optimizing DNS data transfer through filtering
- Saves time and human resources by automating the collection, transfer and conversion of DNS data from Infoblox Grid members

Gain Insights with Reporting and Analytics: Unlock the Value of Core Network Services Data
- Harness rich network data to gain actionable insights
- Visibility into infected endpoints with contextual info (can include DHCP fingerprinting info, username, MAC address, device type, lease history, etc.)
- Ensure compliance with historical visibility
- Identify security risks and impacted devices at the present time
- Plan future requirements with predictive reports
Features: integrated data collection engine, historical tracking of DDI, unique algorithm and predictive reports, pre-built reports and customization, cost-effective deployment

Backup

Industry Recommendations: SANS Critical Security Controls
1) Inventory of Authorized and Unauthorized Devices
2) Inventory of Authorized and Unauthorized Software
3) Secure Configurations for Hardware and Software
8) Malware Defenses
11) Secure Configurations for Network Devices
12) Boundary Defense
13) Data Protection
Source: https://www.sans.org/critical-security-controls

Additional Challenges
- Companies view their defense against cyber attacks as ineffective
- Companies view their processes for using internal and external actionable threat intelligence data as ineffective
- Information overload for users who are monitoring and responding to incidents
- Research and context gathering requires multiple tools, leading to slow response
- Cannot share data internally in a controlled manner
Source: Second Annual Study on Exchanging Cyber Threat Intelligence: There Has to Be a Better Way

38-21 Digital-ro 31-gil, Room 609 (Guro-dong, E&C Venture Dream Tower 3), Guro-gu, Seoul 08376
Tel. 02)3282-2300 / Fax. 02)6330-1505 / http://www.expernet.co.kr
Copyright Expernet Co., Ltd. All rights reserved.