An advanced SOC for an effective response to cybercrime


An advanced SOC for an effective response to cybercrime. Part 1: identifying and confirming an incident. @RSAEMEA #RSAEMEASummit @masiste75 Mauro Costantini, Presales Consultant

Agenda:
- A look into the threat landscape
- Facing the problem, taking the bull by the horns
- RSA Security Analytics: be the hunter or be hunted
- RSA ECAT: expose, analyze, respond
- SecOps: orchestrating the Security Operation Center
- The benefits of the RSA ASOC approach and solutions

A look into the threat landscape

Attackers are getting (even more) smart and focused. Source: Verizon's Data Breach Investigations Report 2015.

...while we are still moving at a different pace. Source: Verizon's Data Breach Investigations Report 2015.

Facing the problem: taking the bull by the horns

Defense in depth. Preventative controls (firewall, IDS/IPS, antivirus, DLP, strong authentication) sit between threat actors and corporate assets and filter malicious traffic. GOOD: we are blocking attacks; preventative controls filter known attack paths. BAD: reported breaches are on the rise, despite increased investment in controls. Successful attacks bypass the preventative controls through the whitespace between them: valid user accounts, trusted command-and-control channels, new exploits, and low-and-slow activity.

Current visibility is limited, so successful attacks are difficult to identify. The preventative controls report blocked sessions and raise alerts into the SIEM, but most visibility is log based: it only tells you what your preventative controls detected. Adding more preventative controls creates more alerts, and the significant issues are drowned out by the noise.

Pervasive visibility is crucial. Alongside the logs and alerts of the preventative controls, full packet capture and endpoint behavior cover the traffic and hosts those controls never see. RSA Security Analytics: a unified platform for incident detection, investigations, compliance reporting and advanced security analysis. RSA ECAT: signature-less endpoint threat detection to confirm infections in real time and respond with precision.

RSA Security Analytics: be the hunter or be hunted

Security Analytics: how it works. The diagram follows a single session through the platform: the firewall log and the authentication log for source IP 192.173.1.21, the alerts raised by the preventative controls, and the captured network session (Agent: Firefox, Session data: HTTP/1.1 200 OK ...) are brought together into one enriched view of the access to the corporate asset: Username: JSmith, Country: Brazil, Asset: SQL Server, Action: GET, Risk: High.

Integrated intelligence: know what to look for. RSA Live intelligence system (threat intelligence, rules, parsers, alerts, feeds, apps, directory services, reports and custom actions):
1. Gathers advanced threat intelligence and content.
2. Aggregates and consolidates the data.
3. Automatically distributes intelligence, correlation rules, parsers, reports and feeds.
Operationalize intelligence: take advantage of what others have already found and apply it against your current and historical data.

Integrated business context. IT information (asset intelligence): asset list, device type, device content, CMDBs, vulnerability data, device owner, IP address. Business context: business owner, unit, process, RPO/RTO, data class, risk level, asset criticality rating, facility.

Automation and investigations: the funnel.
- All network traffic and logs: terabytes of data, 100% of the total.
- Downloads of executables: thousands of data points, 5% of the total.
- Downloaded by Java: hundreds of data points, 0.2% of the total.
- Unified, risk-score driven, correlated alerts to and from critical assets: a few dozen alerts.
Incident management with integrated workflows: RSA Security Operations Management (SecOps) and third-party ticketing systems.
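The slides above describe the Security Analytics pipeline in pictures: join a firewall log and an authentication log with packet-capture session metadata on the source IP, enrich the result with threat intelligence and business context (asset criticality), and turn only the suspicious sessions into risk-scored alerts. The following script is an added example of that flow, written for this page; it is not RSA Security Analytics code. The log lines, the session records, the asset list, the geo lookup and the indicator feed are all constructed, and the key=value log format, the scoring weights and the criticality multiplier are assumptions chosen to reproduce the enriched record on the "how it works" slide (JSmith from Brazil hitting the SQL Server).

```python
"""Correlating logs and network-session metadata into a risk-scored alert.

Added example (not RSA Security Analytics code). It joins a firewall log, an
authentication log and HTTP session metadata on source IP, enriches the result
with a constructed asset list, geo lookup and indicator feed, and weights the
score by asset criticality. Every record below is constructed for this example.
"""
from collections import defaultdict

FW_LOG = [  # constructed firewall log, 'ts key=value ...' format (assumed)
    "2015-06-01T10:01:02 action=allow src=192.173.1.21 dst=10.0.0.5 dport=80",
    "2015-06-01T10:01:09 action=deny src=192.173.1.21 dst=10.0.0.5 dport=1433",
    "2015-06-01T10:03:00 action=allow src=10.0.0.9 dst=10.0.0.5 dport=80",
]
AUTH_LOG = [  # constructed authentication log
    "2015-06-01T10:00:58 user=JSmith src=192.173.1.21 result=success",
    "2015-06-01T10:02:55 user=BJones src=10.0.0.9 result=success",
]
SESSIONS = [  # constructed HTTP session metadata, as a packet parser would emit
    {"src": "192.173.1.21", "dst": "10.0.0.5", "agent": "Firefox", "method": "GET",
     "uri": "/admin/export.php", "status": "HTTP/1.1 200 OK"},
    {"src": "10.0.0.9", "dst": "10.0.0.5", "agent": "Firefox", "method": "GET",
     "uri": "/index.html", "status": "HTTP/1.1 200 OK"},
]
# Business context (asset list / CMDB) and intelligence, both constructed.
ASSETS = {"10.0.0.5": {"name": "SQL Server", "criticality": 5, "owner": "Finance"}}
GEO = {"192.173.1.21": "Brazil", "10.0.0.9": "Italy"}
INTEL_BAD_IPS = {"192.173.1.21"}
EXPECTED_COUNTRIES = {"Italy"}


def parse_kv(line):
    """Parse 'ts key=value key=value ...' into a dict; timestamp under 'ts'."""
    ts, *pairs = line.split()
    rec = {"ts": ts}
    for pair in pairs:
        key, value = pair.split("=", 1)
        rec[key] = value
    return rec


def risk_label(score):
    return "High" if score >= 200 else "Medium" if score >= 50 else "Low"


def build_alerts():
    """Return alerts sorted by score; sessions with no findings produce none."""
    users = {r["src"]: r["user"]
             for r in map(parse_kv, AUTH_LOG) if r["result"] == "success"}
    denies = defaultdict(int)
    for r in map(parse_kv, FW_LOG):
        if r["action"] == "deny":
            denies[r["src"]] += 1

    alerts = []
    for s in SESSIONS:
        asset = ASSETS.get(s["dst"], {"name": s["dst"], "criticality": 1, "owner": "unknown"})
        country = GEO.get(s["src"], "unknown")
        score, reasons = 0, []
        if s["src"] in INTEL_BAD_IPS:
            score += 40
            reasons.append("source IP on threat-intelligence feed")
        if country not in EXPECTED_COUNTRIES:
            score += 20
            reasons.append(f"session originates from {country}")
        if denies[s["src"]]:
            score += 10
            reasons.append(f"{denies[s['src']]} denied connection(s) from the same source")
        if s["uri"].startswith("/admin"):
            score += 10
            reasons.append("administrative resource requested")
        if not reasons:
            continue  # noise reduction: clean sessions never become alerts
        score *= asset["criticality"]  # business context weights the technical score
        alerts.append({
            "src": s["src"], "user": users.get(s["src"], "unknown"), "country": country,
            "asset": asset["name"], "owner": asset["owner"], "action": s["method"],
            "uri": s["uri"], "agent": s["agent"], "status": s["status"],
            "score": score, "risk": risk_label(score), "reasons": reasons,
        })
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for a in build_alerts():
        print(f"[{a['risk']}] {a['user']}@{a['src']} ({a['country']}) -> {a['asset']} "
              f"{a['action']} {a['uri']} score={a['score']}: {'; '.join(a['reasons'])}")
```

Two sessions go in, one alert comes out: the BJones session has no findings and is dropped, which is where the "terabytes to a few dozen alerts" reduction on the slide comes from. The multiplication by asset criticality is what makes the same technical findings against a throwaway test box a Low alert and against the Finance SQL Server a High one; in a real deployment the asset list would come from the CMDB rather than a dictionary, and the geo and indicator lookups from the intelligence feeds.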

RSA Security Analytics demonstration

Use case: from spear phishing to drive-by download. A daily report highlighted several users receiving spear-phishing emails, together with command-and-control traffic. Is it a false positive? How many people clicked? How did it occur? What is the impact on our business? How do we respond?


Break

An advanced SOC for an effective response to cybercrime. Part 2: from root-cause analysis of an incident to its management. @RSAEMEA @daveveneziano #RSAEMEASummit Davide Veneziano, ASOC Senior Presales Consultant

RSA ECAT: expose, analyze, respond


Endpoint analysis, today's requirements: quickly expose endpoint threats; analyze and confirm faster; instantly determine scope and take action.

How RSA ECAT works. Agent (endpoints, servers, VMs; Windows and Mac OS): monitors for suspicious activity; scans for a full system inventory, identifying all executables, DLLs, drivers, etc.; low system impact (2 MB on disk, 10-20 MB in memory). Server: analyzes scan data and flags anomalies; maintains a repository for global correlation; automatically downloads unknown files for additional analysis.

A deeper look into ECAT. Live memory analysis: a full inventory of everything in running memory. Disk inspection: the in-memory inventory is compared with the files on disk to ensure no modification or tampering. Compare and flag anomalies: conduct behavior analysis and apply a suspect level (signature-less approach); reduce the noise by leveraging a baseline, certificate validation, whitelists and blacklists. Network traffic analysis: detect and analyze suspicious network traffic, with visibility even off the corporate network.
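The slide lists the ingredients of a signature-less endpoint verdict (memory-versus-disk comparison, baseline, certificate validation, whitelists and blacklists, a suspect level) and the server-side global correlation that tells you scope. The script below is an added example of that scoring logic written for this page; it is not RSA ECAT code and does not read real process memory. The inventory records, the baseline, the blacklist and the trusted-publisher set are constructed; the `mem` field stands for the hash of a module image read back from process memory after relocations have been normalised, and the weights and thresholds are assumptions.

```python
"""Signature-less triage of an endpoint module inventory.

Added example (not RSA ECAT code). Each inventory record carries the hash of a
module on disk and the hash of the same module as seen in memory; the scorer
combines that comparison with a baseline, a blacklist, code-signing data and the
load path into a suspect level, and a second function answers "how many hosts
have this file?" across the fleet. All data below is constructed.
"""
import hashlib


def sha256(text):
    """Stand-in for hashing a real file or memory image (constructed data)."""
    return hashlib.sha256(text.encode()).hexdigest()


BASELINE = {sha256("ntdll-6.3"), sha256("kernel32-6.3"), sha256("firefox-38")}  # golden image
BLACKLIST = {sha256("known-dropper")}
TRUSTED_PUBLISHERS = {"Microsoft Corporation", "Mozilla Corporation"}
USER_PATHS = ("\\appdata\\", "\\temp\\", "\\downloads\\")  # user-writable locations

INVENTORY = [  # constructed scan results from two hypothetical workstations
    {"host": "WS-042", "path": r"C:\Windows\System32\ntdll.dll",
     "disk": sha256("ntdll-6.3"), "mem": sha256("ntdll-6.3"),
     "signed": True, "publisher": "Microsoft Corporation"},
    {"host": "WS-042", "path": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "disk": sha256("firefox-38"), "mem": sha256("firefox-38+hook"),  # patched in memory
     "signed": True, "publisher": "Mozilla Corporation"},
    {"host": "WS-042", "path": r"C:\Users\jsmith\AppData\Local\Temp\invoice.exe",
     "disk": sha256("dropper-v1"), "mem": sha256("dropper-v1"),
     "signed": False, "publisher": None},
    {"host": "WS-043", "path": r"C:\Users\bjones\AppData\Local\Temp\invoice.exe",
     "disk": sha256("dropper-v1"), "mem": sha256("dropper-v1"),
     "signed": False, "publisher": None},
    {"host": "WS-043", "path": r"C:\Windows\System32\kernel32.dll",
     "disk": sha256("kernel32-6.3"), "mem": sha256("kernel32-6.3"),
     "signed": True, "publisher": "Microsoft Corporation"},
]


def score_module(m):
    """Return (score, reasons) for one inventory record; weights are assumed."""
    score, reasons = 0, []
    if m["disk"] in BLACKLIST:
        score += 100
        reasons.append("hash on blacklist")
    if m["mem"] != m["disk"]:
        score += 60
        reasons.append("in-memory image differs from the file on disk")
    if m["disk"] not in BASELINE:
        if m["signed"] and m["publisher"] in TRUSTED_PUBLISHERS:
            score += 5
            reasons.append("not in baseline, but signed by a trusted publisher")
        else:
            score += 40
            reasons.append("unknown file, unsigned or untrusted signer")
    if any(p in m["path"].lower() for p in USER_PATHS):
        score += 20
        reasons.append("loaded from a user-writable path")
    return score, reasons


def suspect_level(score):
    if score >= 60:
        return "high"
    if score >= 30:
        return "medium"
    return "low" if score > 0 else "clean"


def triage(inventory):
    """Score every record and return them highest-suspect first."""
    out = []
    for m in inventory:
        score, reasons = score_module(m)
        out.append({"host": m["host"], "path": m["path"], "hash": m["disk"],
                    "score": score, "level": suspect_level(score), "reasons": reasons})
    return sorted(out, key=lambda r: r["score"], reverse=True)


def scope(inventory, file_hash):
    """Global correlation: every host on which the given hash was inventoried."""
    return sorted({m["host"] for m in inventory if m["disk"] == file_hash})


if __name__ == "__main__":
    for r in triage(INVENTORY):
        if r["level"] != "clean":
            print(f"{r['host']} {r['path']} [{r['level']}] {'; '.join(r['reasons'])}")
    print("hosts with invoice.exe:", scope(INVENTORY, sha256("dropper-v1")))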

Monitor endpoint behavior. The attack chain: the user clicks on a malicious email attachment; an .exe drops on the machine and exploits a vulnerability; the malware opens a browser process and connects to C2 for instructions; the attacker navigates to sensitive data; the attacker uses FTP to exfiltrate the data. RSA ECAT behavior tracking: monitor the operations performed and look for suspicious activity; identify any new, unknown file that loads; alert on suspicious activity.
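The chain on this slide (attachment, dropped .exe, browser used for C2, access to sensitive data, FTP exfiltration) is what endpoint behavior tracking has to reconstruct from individual process, file and network events. The script below is an added example of that reconstruction written for this page, not RSA ECAT code: it replays a constructed event stream that follows the slide's chain plus one benign browser session, builds the process tree, and attaches each finding to the root of the chain it belongs to. The event schema, the process names and the detection rules are assumptions.

```python
"""Endpoint behavior tracking over a process / file / network event stream.

Added example (not RSA ECAT code). Events are constructed to follow the chain
on the slide: mail client writes and launches an .exe, the .exe starts a browser
that connects out (C2), then reads sensitive data and opens an FTP connection.
Field names and detection rules are assumptions made for this example.
"""
from collections import defaultdict

MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}
FTP_CLIENTS = {"ftp.exe", "filezilla.exe", "winscp.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\")
SENSITIVE_PREFIX = "\\\\fileserver\\finance\\"

EVENTS = [  # constructed; pids 1-3 are the attack chain, 4-5 a benign browsing session
    {"t": 0, "type": "process_start", "pid": 1, "ppid": 0, "image": r"C:\Program Files\Microsoft Office\outlook.exe"},
    {"t": 0, "type": "process_start", "pid": 4, "ppid": 0, "image": r"C:\Windows\explorer.exe"},
    {"t": 1, "type": "file_write", "pid": 1, "path": r"C:\Users\jsmith\AppData\Local\Temp\invoice.pdf.exe"},
    {"t": 2, "type": "process_start", "pid": 2, "ppid": 1, "image": r"C:\Users\jsmith\AppData\Local\Temp\invoice.pdf.exe"},
    {"t": 3, "type": "process_start", "pid": 3, "ppid": 2, "image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"t": 4, "type": "net_connect", "pid": 3, "dst": "203.0.113.7", "dport": 443},
    {"t": 5, "type": "file_read", "pid": 2, "path": r"\\fileserver\finance\q2_payroll.xlsx"},
    {"t": 6, "type": "net_connect", "pid": 2, "dst": "203.0.113.7", "dport": 21},
    {"t": 7, "type": "process_start", "pid": 5, "ppid": 4, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"t": 8, "type": "net_connect", "pid": 5, "dst": "93.184.216.34", "dport": 443},
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Replay events in time order; return {root pid: [(t, pid, finding), ...]}."""
    procs = {}                    # pid -> {"image", "ppid", "flags"}
    written = {}                  # lower-cased path of a freshly written .exe -> writer pid
    reads = defaultdict(set)      # pid -> sensitive paths it read
    findings = defaultdict(list)  # root pid of the chain -> findings

    def root(pid):  # walk up the tree to the top-most known ancestor
        while pid in procs and procs[pid]["ppid"] in procs:
            pid = procs[pid]["ppid"]
        return pid

    def flag(t, pid, msg):
        procs[pid]["flags"].add(msg)
        findings[root(pid)].append((t, pid, msg))

    for e in sorted(events, key=lambda e: e["t"]):
        if e["type"] == "process_start":
            procs[e["pid"]] = {"image": e["image"], "ppid": e["ppid"], "flags": set()}
            name, parent = basename(e["image"]), procs.get(e["ppid"])
            pname = basename(parent["image"]) if parent else ""
            if pname in MAIL_CLIENTS and e["image"].lower() in written:
                flag(e["t"], e["pid"], "mail client launched an executable it had just written")
            if name in BROWSERS and parent and parent["flags"]:
                flag(e["t"], e["pid"], f"browser launched by suspect process {pname}")
        elif e["type"] == "file_write":
            path = e["path"].lower()
            if path.endswith(".exe") and any(d in path for d in USER_WRITABLE):
                written[path] = e["pid"]
        elif e["type"] == "file_read":
            if e["path"].lower().startswith(SENSITIVE_PREFIX):
                reads[e["pid"]].add(e["path"])
        elif e["type"] == "net_connect":
            p = procs.get(e["pid"])
            if not p:
                continue
            name = basename(p["image"])
            if name in BROWSERS and p["flags"]:
                flag(e["t"], e["pid"], "outbound connection from browser started by suspect process (possible C2)")
            if e["dport"] == 21 and name not in FTP_CLIENTS:
                msg = "FTP connection from a non-FTP client"
                if reads[e["pid"]]:
                    msg += f" after reading {len(reads[e['pid']])} sensitive file(s): likely exfiltration"
                flag(e["t"], e["pid"], msg)
    return dict(findings)


if __name__ == "__main__":
    for root_pid, items in analyze(EVENTS).items():
        print(f"chain rooted at pid {root_pid} ({basename(EVENTS[0]['image'])}):")
        for t, pid, msg in items:
            print(f"  t={t} pid={pid}: {msg}")
```

The point of keying findings by the root of the process tree rather than by the process that triggered each rule is scope: four individually weak signals (a dropped file, a browser with an odd parent, an outbound connection, an FTP session) become one incident once they are seen to share an ancestor, while the explorer.exe to firefox.exe session, which also makes an outbound HTTPS connection, stays silent because nothing in its ancestry was ever flagged.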

Pivot between endpoint, network and logs. From RSA Security Analytics: right-click and pivot into ECAT; aggregate alerts into a single incident. From RSA ECAT: right-click and pivot into Security Analytics; send alerts for suspicious activities; enrich the data with risk and username.

RSA ECAT demonstration

Use case: root-cause analysis on an infected machine. Anomalous behavior has been reported for a critical workstation: Is it a false positive? How did it occur? How many people got infected?


RSA SecOps: orchestrating the Security Operation Center

Why a framework and alignment? Improve response readiness and be prepared; collaborate internally and externally; make response a repeatable, ongoing business process; learn and refine; measure the effectiveness of the program; prioritize against business context.

Security Operations Management (SecOps): a framework to prepare for, investigate and respond to threats by aligning people, process and technology.

SecOps: how it works.
Incident response:
- Aggregate alerts
- Provide business context
- Prioritize incidents
- Manage investigations
- Track remediation
Breach response:
- Develop breach response plans
- Identify and report data breaches
- Assess breach impact
- Manage notifications and call trees
SOC program management:
- Manage the SOC team
- Measure security control effectiveness
- Document response policies and procedures
- Link with business GRC applications

RSA SecOps demonstration. Copyright 2014 EMC Corporation. All rights reserved.

Use case: an incident management workflow. An incident has been reported involving a critical server: What is the technical context? What is the business impact? What are the next steps and remediation tasks? Is the SOC program efficient? Are the security controls effective?


The overall RSA ASOC portfolio. RSA Security Operations Management: incident response, breach response, SOC program management. RSA Security Analytics and RSA ECAT, covering hosts and servers. Context sources shown alongside them: CMDB/assets, data discovery/DLP, vulnerability and identity data. RSA Live threat intelligence: threat intelligence, rules, parsers, alerts, feeds, apps, directory services, reports and custom actions.

The benefits of the RSA ASOC approach and solutions: detect and analyze before attacks impact the business; investigate, prioritize and remediate incidents; unleash the potential of your existing security team; evolve existing tools with better visibility and workflow.

EMC, RSA, the EMC logo and the RSA logo are trademarks of EMC Corporation in the U.S. and other countries.