RSA Security Analytics: This is what SIEM was Meant to Be
The Original Intent of SIEM
- Single compliance & security interface
- Analyze & prioritize alerts across various sources
- The cornerstone of security operations
Compliance yes, but security?
- Limited detection due to reliance on logs & signatures
- Weak at investigation & incident response
A new approach is needed
SIEM Baseline Requirements
"How important is each of the following in your firm's decision to adopt security information management (SIM) within your organization?" (% of respondents who answered "important" or "very important", n=580; Forrester ForrSights Security Survey, Q2 2013)
- Incident response: 90%
- Compliance and reporting: 87%
- Event correlation: 80%
- Log management: 77%
Critics give SIEM 2.5 out of 4 stars.
Evolution of Threat Actors & Detection Implications
- At first, there were HACKS. Preventative controls (firewall, IDS/IPS, antivirus) filter known attack paths; malicious traffic that matches nothing passes through the whitespace as successful hacks against corporate assets.
- Then, ATTACKS. Despite increased investment in controls, including a SIEM fed with more logs (blocked sessions and alerts from the same controls), attacks through the whitespace still succeed against corporate assets.
- Now, successful ATTACK CAMPAIGNS target any and all whitespace. Complete visibility into every process and network session is required to eradicate the attacker opportunity. Security Analytics adds endpoint visibility (processes) and network visibility (network sessions) to the logs: a unified platform for advanced threat detection & investigations.
Exceeding SIEM Requirements
- Log Mgmt.: collect & parse 250+ event sources; visibility far beyond logs
- Event Correlation: 275+ out-of-the-box correlation rules; logs, packets, NetFlow & endpoint together
- Incident Response: native, prioritized incident triage; wider SOC management capabilities
- Compliance & Reporting: 90+ report templates; integration with compliance management program
RSA Security Analytics Architecture
Visibility -> Analysis -> Action
- Visibility: packets, logs, NetFlow and endpoint data, captured on prem or in the cloud, with capture-time data enrichment (the log-centric deployment uses the same pipeline with logs as the only source)
- Analysis and Action: security operations, driven by RSA LIVE intelligence
- RSA LIVE intelligence (from RSA Research): threat intelligence, rules, parsers, feeds, reports
VISIBILITY: From the ENDPOINT to the CLOUD
Move From a Log-Centric Approach
"organizations need to collect, process, and store a plethora of data sources including asset data, identity information, network traffic (via full packet capture), NetFlow, endpoint forensic information, etc. This data volume is in part what transforms yesterday's security analysis into today's big data security analytics."
-- Jon Oltsik, ESG, September 2014, "Information-Driven Security and RSA Security Analytics and RSA ECAT"
The Power Of A Risk-Based Approach
Security Analytics combines four views of the same intrusion:
- Logs: basic connection information
- Endpoints: where the infection is located
- NetFlow: how far the intrusion spread
- Packets: how you got infected and what the attacker did
Add Compliance & Business Context
- IT Info: asset list, device type, device content, CMDBs, vulnerability data
- Business Context: device owner, business owner, unit, process, RPO / RTO, data class, risk level
- Asset Intelligence: IP address, asset criticality rating, facility
ANALYSIS: Detect and analyze attacks before they can impact your organization
Incident Detection
- Correlation across logs, packets, NetFlow and endpoint data, separately or together
- Discover attacks missed by other tools
- Real-time detection. Example: detecting a PDF containing an executable, followed by encrypted traffic to a blacklisted country
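The real-time example above is a correlation of two different data sources: the packet decoder identifies a PDF that carries an embedded executable, and NetFlow (GeoIP-enriched) shows the same host opening an encrypted session to a blacklisted country shortly afterwards. The following is an added illustration of that correlation in Python, not RSA Security Analytics code: the event schema, the host addresses, the country code "XX" used as the blacklisted country and the five-minute window are all constructed assumptions.

```python
"""Correlate packet-derived file metadata with flow metadata.

Added illustration (not RSA code): alert when a host receives a PDF with an
embedded executable and, within a short window, opens an encrypted session
to a blacklisted country. Schema, hosts and country codes are constructed.
"""
from datetime import datetime, timedelta

# Assumed policy inputs: "XX" stands in for a blacklisted country.
BLACKLISTED_COUNTRIES = {"XX"}
ENCRYPTED_PROTOS = {"tls", "ssh"}
EXECUTABLE_MIME = "application/x-dosexec"

# Constructed sample events. "file" events come from the packet decoder
# (file type plus embedded object types); "flow" events from NetFlow with a
# GeoIP-enriched destination country.
EVENTS = [
    # Suspicious PDF, then TLS abroad 38 seconds later: should alert.
    {"time": "2014-09-10T10:00:02", "src": "10.1.1.20", "type": "file",
     "name": "invoice.pdf", "mime": "application/pdf",
     "embedded": [EXECUTABLE_MIME]},
    {"time": "2014-09-10T10:00:40", "src": "10.1.1.20", "type": "flow",
     "dst": "203.0.113.7", "dst_country": "XX", "proto": "tls"},
    # Clean PDF, then TLS abroad: no file indicator, no alert.
    {"time": "2014-09-10T10:05:00", "src": "10.1.1.30", "type": "file",
     "name": "report.pdf", "mime": "application/pdf", "embedded": []},
    {"time": "2014-09-10T10:05:30", "src": "10.1.1.30", "type": "flow",
     "dst": "198.51.100.9", "dst_country": "XX", "proto": "tls"},
    # Suspicious PDF, but the outbound session comes 70 minutes later.
    {"time": "2014-09-10T09:00:00", "src": "10.1.1.40", "type": "file",
     "name": "cv.pdf", "mime": "application/pdf",
     "embedded": [EXECUTABLE_MIME]},
    {"time": "2014-09-10T10:10:00", "src": "10.1.1.40", "type": "flow",
     "dst": "203.0.113.9", "dst_country": "XX", "proto": "tls"},
    # Suspicious PDF, then plain HTTP abroad: not encrypted, no alert.
    {"time": "2014-09-10T10:20:00", "src": "10.1.1.50", "type": "file",
     "name": "memo.pdf", "mime": "application/pdf",
     "embedded": [EXECUTABLE_MIME]},
    {"time": "2014-09-10T10:20:30", "src": "10.1.1.50", "type": "flow",
     "dst": "203.0.113.9", "dst_country": "XX", "proto": "http"},
]


def pdf_with_executable(ev):
    return (ev["type"] == "file" and ev["mime"] == "application/pdf"
            and EXECUTABLE_MIME in ev["embedded"])


def encrypted_to_blacklisted(ev):
    return (ev["type"] == "flow" and ev["proto"] in ENCRYPTED_PROTOS
            and ev["dst_country"] in BLACKLISTED_COUNTRIES)


def correlate(events, window_seconds=300):
    """Return one alert per host whose encrypted session to a blacklisted
    country follows a PDF-with-executable download within the window."""
    window = timedelta(seconds=window_seconds)
    pending = {}   # src host -> (time, filename) of the latest suspicious PDF
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):   # ISO timestamps sort as text
        t = datetime.fromisoformat(ev["time"])
        if pdf_with_executable(ev):
            pending[ev["src"]] = (t, ev["name"])
        elif encrypted_to_blacklisted(ev):
            hit = pending.get(ev["src"])
            if hit and t - hit[0] <= window:
                alerts.append({"src": ev["src"], "file": hit[1],
                               "dst": ev["dst"], "dst_country": ev["dst_country"],
                               "seconds_between": int((t - hit[0]).total_seconds())})
                del pending[ev["src"]]   # one alert per download
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Only the first host alerts with the default window; widening the window to two hours also catches the host whose callback came 70 minutes after the download, which is the trade-off a real deployment tunes. A clean PDF or an unencrypted session never fires, no matter the timing.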
Data Sources: Shell Crew Example
What each source answers:
- Logs: What was targeted?
- Packets: How did the exploit occur?
- NetFlow: How did the attackers move around once inside?
- Endpoints: Was the endpoint exploited? Were others infected?
What was found:
- Intrusion attempts
- Beaconing & suspicious communications
- Sticky-keys backdoor
- Malicious proxy tools
- WinRAR using encrypted rar files
- Recreate entire exploit
- Lateral movement via RDP
- Time/date stomping
- Indicators about malicious files and code
- Scope of infection
Content Enables Security Teams
- 62% of respondents felt security management was more difficult than it was 24 months ago (ESG, "The Big Data Security Analytics Era Is Here", April 2013)
- RSA provides over 400 out-of-the-box rules, alerts, feeds & reports
- Unleash the potential of your security team
Out-of-the-box Content Examples
- Intelligence feeds: APT domains, suspicious proxies, malicious networks, threat blacklists, 0-day identifiers
- 275+ correlation rules: data exfiltration, identity & access anomalies, unusual connections, endpoint & network activity, reconnaissance detection
- 90+ reports: compliance templates, network activity, operations, suspicious behavior, user activity
- 375+ log & network parsers: abnormal .exe files, packers, instant messenger traffic, botnets, SQL injection
ACTION: Take targeted action on the most important incidents
Native Incident Management
Packets, logs, and endpoint & malware data feed unified incidents & workflow: the analyst starting point.
Prioritize & Streamline Workflow
- Unified, risk-score driven alerts
- Assign & track
- Integrate with RSA Security Operations Management (SecOps) and 3rd party ticketing systems
RSA SecOps Domain
RSA Security Operations Management aligns people, process and technology under one framework, covering Incident Response, Breach Response and SOC Program Management.
Security Analytics vs. SecOps
- Security Analytics (SA): alert aggregation, dashboards, incident triage
- SecOps: incident response workflow (IR procedure & content); breach response (workflow, tasks, content; risk assessment questionnaire; tracking; notification); SOC program management; GRC integration (Risk, Policy, BC)
Benefits
- Detect and analyze before attacks impact the business
- Investigate, prioritize, and remediate incidents
- Unleash the potential of your existing security team
- Evolve existing tools with better visibility & workflow
Beverage Manufacturer: RSA Security Analytics
"I really like the vision of where Security Analytics is going, which isn't seen anywhere else in the industry, it offers true value and intelligence"
Before:
- Security silos, isolated incident response
- Visibility limited to the perimeter
- Blind to signs of compromise
After:
- Full visibility and context into attacks that were unachievable in a traditional SIEM
- Quick and easy log collection & analysis
- Discovered massive amounts of IOCs
- Deployed globally without scaling issues
Security Attacks are Inevitable
- Must be ARMED to quickly identify and respond to attacks before they can damage the business
- Constant compromise does not mean constant loss
See Everything. Fear Nothing. EMC, RSA, the EMC logo and the RSA logo are trademarks of EMC Corporation in the U.S. and other countries.
Common SIEM Use Cases in Security Analytics
Use cases:
- Unauthorized privilege access
- Unusual protocol use
- Virus outbreak
- Trojan
- Backdoor use
- Abnormal system access
- Unauthorized account administration
- Access policies
Alerts/Reports:
- Admin commands from a username not in a list of admins
- Unusual commands being executed
- Unexpected protocol hitting a firewall/gateway
- Port scans
- Large network transfers
- High # of alerts from a given set of AV systems
- Specific event class from an IDS
- High # of failed logons
- Account enable from list of locked accounts
- Access from an unauthorized location
Each can be run as a real-time alert, or as a regular report for review.
SIEM and Account Takeover
How a SIEM tries to detect it:
- Alert for failed logons followed by a successful logon
Why that doesn't work:
- Lots of noise
- Low and slow approach evades detection
- Can't take
Security Analytics approach:
- Tag the session as high # of failed logons
- Tag the session as going to/from a critical asset
- Monitor the entire session for signs of bot activity
- Tag the source IP address if coming from an unexpected source geography
- Tag the session if using a nonstandard user agent
SIEM and Known Attack Sequences
How a SIEM tries to detect it:
- Create a correlation rule for the precise sequence, e.g. failed logons, followed by a successful logon, followed by DB connect, followed by a connection to Romania
Why that doesn't work:
- Any variation on the attack will fool the SIEM rule
- Can only rely on indicators in logs from critical systems
- Cannot scale beyond a small set of rules
Security Analytics approach:
- Tag the session with known attack indicators (e.g. high # of failed logons, use of weird protocols, use of weird tools, etc.)
- Tag the session as going to/from a critical asset
- Monitor the entire session to give investigative context
SIEM and Deviation from Normal Activity
How a SIEM tries to detect it:
- Define rules for known good; alert for any nonstandard activity
Why that doesn't work:
- Impossible to keep up with all normal activities
- Cannot scale beyond only a small rule set
Security Analytics approach:
- Tag the session for unexpected attributes: nonstandard tools being used, unexpected source address, protocol misuse, unexpected scripting, strange encoding
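The three slides above, and the "high # of failed logons" use case before them, contrast a fixed correlation rule with tagging every suspicious attribute of a session and prioritizing on the accumulated risk. The Python below is an added illustration of that contrast, not RSA code: the session schema, the critical-asset and expected-geography lists, the tag weights, the triage threshold and the sessions themselves are constructed assumptions. It shows a per-session threshold rule, the session tagger, a per-user accumulation of failures across sessions (so a low-and-slow guesser becomes visible), and a triage order driven by the risk score.

```python
"""Session tagging versus a fixed SIEM rule for account takeover.

Added illustration, not RSA code. The traditional rule fires only when a
burst of failed logons precedes a success; tagging records every suspicious
attribute of a session and lets a risk score, plus per-user accumulation
across sessions, surface the low-and-slow case. Schema, asset lists,
weights and the sessions are constructed assumptions.
"""
from collections import defaultdict

# Assumed environment context.
CRITICAL_ASSETS = {"db-prod-01", "dc01"}
EXPECTED_COUNTRIES = {"US"}
STANDARD_AGENTS = ("Mozilla/", "Microsoft Office")
SUSPECT_TOOLS = {"psexec", "mimikatz", "winrar"}
FAILED_LOGON_THRESHOLD = 5

# Constructed session summaries (one record per logon session).
SESSIONS = [
    # Noisy brute force from the office range: fires the SIEM rule.
    {"id": 1, "user": "jdoe", "src_ip": "10.1.1.5", "src_country": "US",
     "dst": "fileserver01", "failed_logons": 12, "success": True,
     "user_agent": "Mozilla/5.0", "tools": []},
    # Low and slow: three failures, no success, against a critical asset,
    # from unexpected geography with a scripted client.
    {"id": 2, "user": "admin", "src_ip": "203.0.113.7", "src_country": "XX",
     "dst": "db-prod-01", "failed_logons": 3, "success": False,
     "user_agent": "python-requests/2.4", "tools": []},
    # ...then two more failures, a success, and a remote-execution tool.
    {"id": 3, "user": "admin", "src_ip": "203.0.113.7", "src_country": "XX",
     "dst": "db-prod-01", "failed_logons": 2, "success": True,
     "user_agent": "python-requests/2.4", "tools": ["psexec"]},
    # Ordinary user with one typo.
    {"id": 4, "user": "asmith", "src_ip": "10.1.1.9", "src_country": "US",
     "dst": "wiki01", "failed_logons": 1, "success": True,
     "user_agent": "Mozilla/5.0", "tools": []},
]


def siem_rule(session):
    """Traditional correlation rule: N failed logons then a successful one."""
    return session["failed_logons"] >= FAILED_LOGON_THRESHOLD and session["success"]


TAG_WEIGHTS = {   # assumed weights; tuned per environment
    "high_failed_logons": 30,
    "critical_asset": 25,
    "unexpected_geo": 25,
    "nonstandard_agent": 15,
    "suspect_tool": 30,
}


def tag_session(session):
    """Attach every matching indicator instead of deciding on one sequence."""
    tags = set()
    if session["failed_logons"] >= FAILED_LOGON_THRESHOLD:
        tags.add("high_failed_logons")
    if session["dst"] in CRITICAL_ASSETS:
        tags.add("critical_asset")
    if session["src_country"] not in EXPECTED_COUNTRIES:
        tags.add("unexpected_geo")
    if not session["user_agent"].startswith(STANDARD_AGENTS):
        tags.add("nonstandard_agent")
    if {t.lower() for t in session["tools"]} & SUSPECT_TOOLS:
        tags.add("suspect_tool")
    return tags


def risk_score(tags):
    return sum(TAG_WEIGHTS[t] for t in tags)


def slow_failed_logons(sessions, threshold=FAILED_LOGON_THRESHOLD):
    """Sum failures per user across sessions, so a guesser who never trips
    the per-session threshold still crosses it over time."""
    totals = defaultdict(int)
    for s in sessions:
        totals[s["user"]] += s["failed_logons"]
    return {user: n for user, n in totals.items() if n >= threshold}


def prioritized(sessions, min_score=50):
    """Session ids with score >= min_score, highest risk first."""
    scored = [(risk_score(tag_session(s)), s["id"]) for s in sessions]
    return [sid for score, sid in sorted(scored, reverse=True) if score >= min_score]


if __name__ == "__main__":
    for s in SESSIONS:
        tags = tag_session(s)
        print(s["id"], "SIEM alert:", siem_rule(s), "score:", risk_score(tags), sorted(tags))
    print("low-and-slow users:", slow_failed_logons(SESSIONS))
    print("triage order:", prioritized(SESSIONS))
```

The threshold rule fires on the noisy office brute force (session 1) and misses both attacker sessions; the tagger gives the attacker sessions the highest scores because critical asset, unexpected geography, scripted client and remote-execution tool all stack, and the per-user accumulation shows that "admin" absorbed five failures across two sessions. The same approach extends directly to the "deviation from normal" slide: each unexpected attribute becomes one more tag with a weight rather than one more rule that must be kept current.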
Incident Detection
Attack step                                                  | Traditional SIEM | RSA Security Analytics
Alert for access over non-standard port                      | No               | Yes
Recreate activity of suspect IP address across environment   | No               | Yes
Show user activity across AD and VPN                         | Yes              | Yes
Alert for different credentials used for AD and VPN          | Yes              | Yes
Reconstruct exfiltrated data                                 | No               | Yes
Only RSA Security Analytics Can Tell If This Is A Targeted Attack
Attack step                                                  | Traditional SIEM | RSA Security Analytics
Alert for suspected SPAM host                                | Yes              | Yes
Show all WWW requests where executable downloaded            | No               | Yes
Recreate email with suspect link                             | No               | Yes
Analyze malware and incorporate community intelligence       | No               | Yes
Determine whether attack is part of a targeted campaign      | No               | Yes