An advanced SOC for an effective response to cybercrime
Identifying and confirming an incident
@RSAEMEA #RSAEMEASummit @masiste75
Mauro Costantini - Presales Consultant
Agenda
- A look into the threat landscape
- Facing the problem, taking the bull by the horns:
  - RSA Security Analytics: be the hunter or be hunted
  - RSA ECAT: expose, analyze, respond
  - SecOps: orchestrating the Security Operation Center
- The benefits of the RSA ASOC approach and solutions
A look into the threat landscape
Attackers getting (even more) smart and focused
Source: Verizon's Data Breach Investigations Report 2015
...while we are still moving at a different pace
Source: Verizon's Data Breach Investigations Report 2015
Facing the problem: taking the bull by the horns
Defense in Depth
[Diagram: threat actors and malicious traffic hitting layered preventative controls (firewall, IDS/IPS, antivirus, DLP, strong authentication) in front of corporate assets; a "whitespace" gap between the controls lets successful attacks through]
GOOD: we are blocking attacks. Preventative controls filter known attack paths.
BAD: reported breaches are on the rise, despite increased investment in controls.
Successful attacks bypass our preventative controls by using:
- Valid user accounts
- Trusted command and control
- New exploits
- Low and slow activity
Current Visibility is Limited
[Diagram: the same control stack (firewall, IDS/IPS, antivirus, DLP, strong authentication) feeding blocked sessions and alerts into a SIEM, while successful attacks reach corporate assets through the whitespace unnoticed]
Difficult to identify successful attacks:
- Most visibility is log based
- Logs only tell you what your preventative controls detect
- Adding more preventative controls creates more alerts
- Significant issues are drowned out by the noise
Pervasive Visibility is Crucial
[Diagram: the control stack, now complemented by full packet capture and endpoint behavior monitoring in front of corporate assets, in addition to blocked sessions and alerts]
- RSA Security Analytics: unified platform for incident detection, investigations, compliance reporting and advanced security analysis
- RSA ECAT: signature-less endpoint threat detection to confirm infections in real time and respond with precision
RSA Security Analytics: be the hunter or be hunted
Security Analytics: how it works
[Diagram: for the same activity, the firewall log, the authentication log and the full network session captured by full packet capture are collected and fused into one enriched record, alongside the blocked sessions and alerts from the preventative controls]
Example of an enriched session:
- IP: 192.173.1.21
- Username: JSmith
- Country: Brazil
- Risk: High
- Asset: SQL Server
- Action: GET
- Agent: Firefox
- Session data: HTTP/1.1 200 OK...
Integrated Intelligence: Know What to Look For
RSA Live Intelligence System (threat intelligence, rules, parsers, alerts, feeds, apps, directory services, reports and custom actions):
1. Gathers advanced threat intelligence and content
2. Aggregates and consolidates data
3. Automatically distributes intelligence, correlation rules, parsers, reports and feeds
Operationalize intelligence: take advantage of what others have already found and apply it against your current and historical data.
Integrated Business Context
Asset intelligence combines IT information with business context:
- IT info: asset list, device type, device content, CMDBs, vulnerability data, device owner, IP address, facility
- Business context: business owner, unit, process, RPO / RTO, data class, risk level, asset criticality rating
Automation & Investigations
Funnel from raw data to actionable alerts:
- All network traffic & logs: terabytes of data (100% of total)
- Downloads of executables: thousands of data points (5% of total)
- Downloaded by Java: hundreds of data points (0.2% of total)
- Unified, risk-score driven, correlated alerts: a few dozen alerts
Incident management:
- Integrated workflows with RSA Security Operations Management (SecOps) and 3rd party ticketing systems
- Create alerts to/from critical assets
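The two slides above describe enriching alerts with asset and business context and then correlating them into a few risk-ranked incidents. The following is an added example written for this page, not RSA Security Analytics code: the asset inventory, alert types, severity weights and alerts are all constructed, and the scoring rule (alert severity multiplied by asset criticality) is an assumption chosen to show the funnel, not RSA's algorithm.

```python
"""Enrich raw alerts with asset/business context and correlate them
into risk-ranked incidents. Added example; all data is constructed."""
from dataclasses import dataclass, field

# Constructed asset inventory: IT info (name, type, IP) joined with
# business context (data class, criticality rating, business owner).
ASSETS = {
    "10.0.5.20": {"name": "SQL-PROD-01", "type": "server",
                  "data_class": "confidential", "criticality": 5, "owner": "finance"},
    "10.0.9.77": {"name": "WS-JSMITH", "type": "workstation",
                  "data_class": "internal", "criticality": 2, "owner": "sales"},
    "10.0.9.80": {"name": "WS-KIOSK", "type": "workstation",
                  "data_class": "public", "criticality": 1, "owner": "reception"},
}
UNKNOWN_ASSET = {"name": "unknown", "type": "unknown",
                 "data_class": "unknown", "criticality": 1, "owner": "unknown"}

# Constructed per-alert-type severity (1 = low, 5 = high).
SEVERITY = {"exe_download": 2, "java_dropper": 4, "c2_beacon": 5, "auth_failure": 1}


@dataclass
class Alert:
    ts: int
    kind: str
    src_ip: str
    detail: str


@dataclass
class Incident:
    asset: str
    ip: str
    alerts: list = field(default_factory=list)
    risk: int = 0


def enrich(alert):
    """Attach asset and business context to a raw alert."""
    return {"alert": alert, "asset": ASSETS.get(alert.src_ip, UNKNOWN_ASSET)}


def score(enriched):
    """Assumed risk rule: alert severity weighted by asset criticality."""
    return SEVERITY.get(enriched["alert"].kind, 1) * enriched["asset"]["criticality"]


def correlate(alerts):
    """Group alerts by asset into incidents and rank them by total risk."""
    incidents = {}
    for a in sorted(alerts, key=lambda x: x.ts):
        e = enrich(a)
        inc = incidents.setdefault(
            a.src_ip, Incident(asset=e["asset"]["name"], ip=a.src_ip))
        inc.alerts.append(a)
        inc.risk += score(e)
    return sorted(incidents.values(), key=lambda i: i.risk, reverse=True)


def triage(alerts, threshold=10):
    """Keep only incidents above a risk threshold: the 'few dozen alerts'
    an analyst actually looks at."""
    return [i for i in correlate(alerts) if i.risk >= threshold]


# Constructed alert stream (the raw output of the funnel's earlier stages).
ALERTS = [
    Alert(1, "exe_download", "10.0.9.80", "kiosk fetched setup.exe"),
    Alert(2, "exe_download", "10.0.9.77", "invoice.exe via HTTP"),
    Alert(3, "java_dropper", "10.0.9.77", "executable downloaded by Java"),
    Alert(4, "c2_beacon", "10.0.9.77", "periodic POST to rare host"),
    Alert(5, "auth_failure", "10.0.5.20", "failed login for svc_backup"),
    Alert(6, "c2_beacon", "10.0.5.20", "periodic POST to rare host"),
]

if __name__ == "__main__":
    for inc in correlate(ALERTS):
        print(f"{inc.asset:12} {inc.ip:10} risk={inc.risk:3} alerts={len(inc.alerts)}")
```

With these constructed inputs the database server ranks first even though it raised fewer alerts than the sales workstation, which is the point of weighting by business context; the kiosk's single download drops below the triage threshold.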
RSA Security Analytics Demonstration
Use Case: from Spear Phishing to Drive-by Download
A daily report highlighted several users receiving spear phishing emails and command and control traffic:
- Is it a false positive?
- How many people clicked?
- How did it occur?
- What is the impact to our business?
- How do we respond?
Break
An advanced SOC for an effective response to cybercrime
From the root-cause analysis of an incident to its management
@RSAEMEA @daveveneziano #RSAEMEASummit
Davide Veneziano - ASOC Senior Presales Consultant
RSA ECAT: expose, analyze, respond
Endpoint analysis: today's requirements
- Quickly expose endpoint threats
- Analyze and confirm faster
- Instantly determine scope and take action
RSA CONFIDENTIAL INTERNAL USE ONLY
How RSA ECAT Works
Agent (endpoints, servers, VMs; Windows & Mac OS):
- Monitors for suspicious activity
- Scans for a full system inventory: identifies all executables, DLLs, drivers, etc.
- Low system impact (2 MB on disk, 10-20 MB in memory)
Server:
- Analyzes scan data and flags anomalies
- Maintains a repository for global correlation
- Automatically downloads unknown files for additional analysis
A deeper look into ECAT
- Live memory analysis: full inventory of everything in running memory
- Disk inspection: the in-memory inventory is compared with the files on disk to ensure no modification or tampering
- Compare & flag anomalies: conduct behavior analysis and apply a suspect level (signature-less approach); reduce the noise by leveraging a baseline, certificate validation, whitelists and blacklists
- Network traffic analysis: detect and analyze suspicious network traffic
- Visibility even off the corporate network
Monitor Endpoint Behavior
Attack sequence:
1. User clicks on a malicious email attachment
2. An .exe drops on the machine and exploits a vulnerability
3. Malware opens a browser process and connects to C2 for instructions
4. Attacker navigates to sensitive data
5. Attacker uses FTP to exfiltrate data
RSA ECAT behavior tracking:
- Monitor operations performed and look for suspicious activity
- Identify any new, unknown file that loads
- Alert on suspicious activity
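The previous two slides describe the two halves of signature-less endpoint detection: noise reduction through a baseline, certificate validation and whitelists/blacklists, and behavior tracking that flags unknown files that load and suspicious operations along the attack sequence. The following is an added example for this page, not RSA ECAT code: the event stream, the hash values (written as labels such as "h_outlook" rather than real digests), the baseline and blacklist, the "signed" flag standing in for certificate validation, and the suspect-level weights are all constructed assumptions.

```python
"""Behavior tracking over a constructed endpoint event stream.
Added example, not ECAT code; hashes, paths and weights are made up."""

# Constructed baseline: hashes of binaries from a clean gold image (whitelist).
BASELINE = {"h_outlook", "h_firefox", "h_ftp_exe", "h_explorer"}
BLACKLIST = {"h_known_bad"}                          # constructed
MAIL_OFFICE = {"outlook.exe", "winword.exe", "excel.exe"}
BROWSERS = {"firefox.exe", "chrome.exe", "iexplore.exe"}


def is_trusted(ev):
    """Noise reduction: known baseline hash or validly signed binary."""
    return ev["hash"] in BASELINE or ev["signed"]


def tainted(proc, parent_of, untrusted):
    """True if the process or any ancestor was flagged as untrusted."""
    seen = set()
    while proc and proc not in seen:
        if proc in untrusted:
            return True
        seen.add(proc)
        proc = parent_of.get(proc)
    return False


def analyze(events):
    """Return (findings, suspect_level) for one endpoint's event stream.
    Each finding is (ts, weight, reason); weights are assumed values."""
    findings, parent_of, untrusted = [], {}, set()
    for ev in events:
        if ev["type"] == "start":
            proc = ev["proc"]
            parent_of[proc] = ev["parent"]
            if ev["hash"] in BLACKLIST:
                untrusted.add(proc)
                findings.append((ev["ts"], 5, f"blacklisted file started: {proc}"))
            elif not is_trusted(ev):
                # "identify any new, unknown file that loads"
                untrusted.add(proc)
                findings.append((ev["ts"], 2, f"unknown unsigned file loaded: {proc}"))
            if ev["parent"] in MAIL_OFFICE:
                findings.append((ev["ts"], 3, f"{ev['parent']} spawned {proc}"))
            if proc in BROWSERS and tainted(ev["parent"], parent_of, untrusted):
                findings.append((ev["ts"], 3, f"browser launched by untrusted {ev['parent']}"))
        elif ev["type"] == "write":
            if ev["proc"] in MAIL_OFFICE and ev["path"].lower().endswith(".exe"):
                findings.append((ev["ts"], 2, f"{ev['proc']} dropped {ev['path']}"))
        elif ev["type"] == "connect":
            if tainted(ev["proc"], parent_of, untrusted):
                if ev["port"] == 21:
                    findings.append((ev["ts"], 4, f"FTP from untrusted chain: {ev['proc']}"))
                elif ev["proc"] in BROWSERS:
                    findings.append((ev["ts"], 3, f"browser C2 candidate: {ev['dst']}"))
    return findings, sum(w for _, w, _ in findings)


# Constructed stream following the slide's attack sequence on one workstation.
EVENTS = [
    {"ts": 1, "type": "start", "proc": "outlook.exe", "parent": "explorer.exe",
     "hash": "h_outlook", "signed": True},
    {"ts": 2, "type": "write", "proc": "outlook.exe",
     "path": r"C:\Users\j\AppData\Local\Temp\invoice.exe"},
    {"ts": 3, "type": "start", "proc": "invoice.exe", "parent": "outlook.exe",
     "hash": "h_unknown_1", "signed": False},
    {"ts": 4, "type": "start", "proc": "firefox.exe", "parent": "invoice.exe",
     "hash": "h_firefox", "signed": True},
    {"ts": 5, "type": "connect", "proc": "firefox.exe", "dst": "198.51.100.7", "port": 443},
    {"ts": 6, "type": "start", "proc": "ftp.exe", "parent": "invoice.exe",
     "hash": "h_ftp_exe", "signed": True},
    {"ts": 7, "type": "connect", "proc": "ftp.exe", "dst": "198.51.100.7", "port": 21},
]

# Constructed benign stream: a signed, baselined browser started normally.
CLEAN_EVENTS = [
    {"ts": 1, "type": "start", "proc": "firefox.exe", "parent": "explorer.exe",
     "hash": "h_firefox", "signed": True},
    {"ts": 2, "type": "connect", "proc": "firefox.exe", "dst": "203.0.113.5", "port": 443},
]

if __name__ == "__main__":
    found, level = analyze(EVENTS)
    for ts, w, why in found:
        print(f"t={ts} +{w} {why}")
    print("suspect level:", level, "| clean stream:", analyze(CLEAN_EVENTS)[1])
```

The same browser and FTP client produce no findings in the clean stream and several in the attack stream: the baseline and signature check suppress the binaries themselves, and it is the parent chain back to an unknown, unsigned file that raises the suspect level.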
Pivot between Endpoint, Network and Logs
Integration between RSA Security Analytics and RSA ECAT:
- Right click and pivot from ECAT into Security Analytics
- Send alerts for suspicious activities
- Data enrichment with risk and username
- Right click and pivot from Security Analytics into ECAT
- Aggregate alerts into a single incident
RSA ECAT Demonstration
Use Case: root cause analysis on an infected machine
An anomalous behavior has been reported for a critical workstation:
- Is it a false positive?
- How did it occur?
- How many people got infected?
RSA SecOps: Orchestrating the Security Operation Center
Why a Framework and Alignment?
- Improve response readiness and be prepared
- Collaborate internally and externally
- Repeatable, ongoing business process
- Learn and refine
- Measure the effectiveness of the program
- Prioritize against business context
Security Operations Management (SecOps)
A framework to prepare, investigate and respond to threats by aligning people, process and technology.
SecOps: how it works
Incident Response:
- Aggregate alerts
- Provide business context
- Prioritize incidents
- Manage investigations
- Track remediation
Breach Response:
- Develop breach response plans
- Identify and report data breaches
- Assess breach impact
- Manage notifications and call trees
SOC Program Management:
- Manage the SOC team
- Measure security control effectiveness
- Document response policies and procedures
- Link with business GRC applications
RSA SecOps Demonstration
Copyright 2014 EMC Corporation. All rights reserved.
Use Case: an incident management workflow
An incident has been reported involving a critical server:
- What is the technical context?
- What is the business impact?
- What are the next steps and remediation tasks?
- Is the SOC program efficient?
- Are the security controls effective?
The overall RSA ASOC Portfolio
[Diagram of the portfolio layers]
- RSA Security Operations Management: incident response, breach response, SOC program management
- RSA Security Analytics and RSA ECAT: visibility over hosts and servers
- RSA Live threat intelligence: threat intelligence, rules, parsers, alerts, feeds, apps, directory services, reports and custom actions
- Context sources feeding the platform: CMDB/assets, data discovery/DLP, vulnerability, identity
The benefits of the RSA ASOC approach and solutions
- Detect and analyze before attacks impact the business
- Investigate, prioritize, and remediate incidents
- Unleash the potential of your existing security team
- Evolve existing tools with better visibility and workflow
EMC, RSA, the EMC logo and the RSA logo are trademarks of EMC Corporation in the U.S. and other countries.