RSA Security Analytics

Transcription:

RSA Security Analytics: This is what SIEM was Meant to Be

The Original Intent of SIEM
- Single compliance & security interface
- Analyze & prioritize alerts across various sources
- The cornerstone of security operations
Compliance yes, but security?
- Limited detection due to reliance on logs & signatures
- Weak at investigation & incident response

A new approach is needed

SIEM Baseline Requirements
[Chart: "How important is each of the following in your firm's decision to adopt security information management (SIM) within your organization" - bars for Incident response, Compliance and reporting, Event correlation and Log management, with values of 90%, 87%, 80% and 77%; % of respondents who answered "important" or "very important", n=580. Source: Forrester ForrSights Security Survey Q2 2013]
Critics give SIEM 2.5 out of 4 stars

Evolution of Threat Actors & Detection Implications
[Diagram: Threat Actors -> Firewall, IDS/IPS, AntiVirus -> Corporate Assets; malicious traffic is filtered, but successful HACKS pass through the whitespace between the controls]
At first, there were HACKS: preventative controls filter known attack paths.

Evolution of Threat Actors & Detection Implications
[Diagram: the same controls plus a SIEM fed by more logs (blocked sessions, alerts); successful ATTACKS still reach Corporate Assets through the whitespace]
Then, ATTACKS: despite increased investment in controls, including SIEM.

Evolution of Threat Actors & Detection Implications
[Diagram: Security Analytics adds endpoint visibility (processes) and network visibility (network sessions) alongside the logs and the existing controls]
Now, successful ATTACK CAMPAIGNS target any and all whitespace. Complete visibility into every process and network session is required to eradicate the attacker opportunity. Security Analytics: a unified platform for advanced threat detection & investigations.

Exceeding SIEM Requirements
Log Mgmt.: Collect & parse 250+ event sources; visibility far beyond logs (logs, packets, NetFlow & endpoint together)
Event Correlation: 275+ out-of-the-box correlation rules
Incident Response: Native, prioritized incident triage; wider SOC management capabilities
Compliance & Reporting: 90+ report templates; integration with compliance management program

RSA Security Analytics: Log-Centric
[Architecture diagram: Visibility (Logs, collected from Cloud and On Prem sources) -> Analysis (Capture Time Data Enrichment) -> Action (Security Operations); RSA LIVE Intelligence supplies Threat Intelligence, Rules, Parsers, Feeds, Reports and RSA Research content to each stage]

RSA Security Analytics Architecture
[Architecture diagram: the same Visibility -> Analysis -> Action flow, now with Packets, Logs, NetFlow and Endpoint data collected from Cloud and On Prem sources and enriched with RSA LIVE Intelligence]

VISIBILITY: From the ENDPOINT to the CLOUD

Move From Log-Centric Approach
"organizations need to collect, process, and store a plethora of data sources including asset data, identity information, network traffic (via full packet capture), NetFlow, endpoint forensic information, etc. This data volume is in part what transforms yesterday's security analysis into today's big data security analytics."
-- Jon Oltsik, ESG, September 2014, Information-Driven Security and RSA Security Analytics and RSA ECAT

The Power Of A Risk-Based Approach
- Logs: basic connection information
- Endpoints: where the infection is located
- NetFlow: how far the intrusion spread
- Packets: how you got infected and what the attacker did

Add Compliance & Business Context
IT Info: Asset List; Device Type; Device Content; CMDBs; Vulnerability data
Business Context: Asset Intelligence; Device Owner; Business Owner, Unit, Process; RPO / RTO; Data Class; Risk Level; IP Address; Asset Criticality Rating; Facility

ANALYSIS: Detect and analyze attacks before they can impact your organization

Incident Detection
- Correlation across logs, packets, NetFlow and endpoint data - separately or together
- Discover attacks missed by other tools
- Real-time detection - e.g. detecting a PDF containing an executable, followed by encrypted traffic to a blacklisted country

Data Sources: Shell Crew Example
- Logs: What was targeted?
- Packets: How did the exploit occur?
- NetFlow: How did the attackers move around once inside?
- Endpoints: Was the endpoint exploited? Were others infected?
Evidence across these sources: intrusion attempts; beaconing & suspicious communications; Sticky Keys backdoor; malicious proxy tools; WinRAR using encrypted RAR files; recreate entire exploit; lateral movement via RDP; time/date stomping; indicators about malicious files and code; scope of infection

Content Enables Security Teams
62%: percent who felt security management was more difficult than it was 24 months ago (ESG, The Big Data Security Analytics Era Is Here, April 2013)
400+: RSA provides over 400 out-of-the-box rules, alerts, feeds & reports
Unleash the potential of your security team

Out-of-the-box Content Examples
Intelligence feeds: APT domains; suspicious proxies; malicious networks; threat blacklists; 0-day identifiers
275+ correlation rules: data exfiltration; identity & access anomalies; unusual connections; endpoint & network activity; reconnaissance detection
90+ reports: compliance templates; network activity; operations; suspicious behavior; user activity
375+ log & network parsers: abnormal .exe files; packers; Instant Messenger traffic; botnets; SQL injection

ACTION: Take targeted action on the most important incidents

Native Incident Management
Packets, logs, endpoint & malware data feed unified incidents & workflow: the analyst starting point

Prioritize & Streamline Workflow
- Unified, risk-score driven alerts
- Assign & track
- Integrate with RSA Security Operations Management (SecOps) and 3rd party ticketing systems

RSA SecOps Domain
RSA Security Operations Management covers Process, People and Technology: Framework & Alignment; Incident Response; Breach Response; SOC Program Management

Security Analytics vs. SecOps
Security Analytics (SA): Alert Aggregation; Dashboards; Incident Triage
SecOps: Incident Response Workflow (IR procedure & content); Breach Response (workflow, tasks, content; risk assessment questionnaire; tracking; notification); SOC Program Management (GRC integration: Risk, Policy, BC)

Benefits
- Detect and analyze before attacks impact the business
- Investigate, prioritize, and remediate incidents
- Unleash the potential of your existing security team
- Evolve existing tools with better visibility & workflow


Beverage Manufacturer - RSA Security Analytics
"I really like the vision of where Security Analytics is going, which isn't seen anywhere else in the industry, it offers true value and intelligence"
Before: security siloes, isolated incident response; visibility limited to the perimeter; blind to signs of compromise
After: full visibility and context into attacks that were unachievable in a traditional SIEM; quick and easy log collection & analysis; discovered massive amounts of IOCs; deployed globally without scaling issues

Security Attacks are Inevitable
Must be ARMED to quickly identify and respond to attacks before they can damage the business. Constant compromise does not mean constant loss.

See Everything. Fear Nothing.

EMC, RSA, the EMC logo and the RSA logo are trademarks of EMC Corporation in the U.S. and other countries.

Common SIEM Use Cases in Security Analytics (use case: alert/report)
- Unauthorized privilege access: admin commands from a username not in a list of admins; unusual commands being executed
- Unusual protocol use: unexpected protocol hitting a firewall/gateway; port scans; large network transfers
- Virus outbreak: high # of alerts from a given set of AV systems
- Trojan/backdoor use: specific event class from an IDS
- Abnormal system access: high # of failed logons
- Unauthorized account administration: account enable from list of locked accounts
- Access policies: access from an unauthorized location
Each can be run as a real-time alert, or a regular report for review.

SIEM and Account Takeover
How a SIEM tries to detect it: alert for failed logons followed by successful logon
Why that doesn't work: lots of noise; low and slow approach evades detection; can't take
Security Analytics approach: tag the session as high # of failed logons; tag the session as going to/from a critical asset; monitor the entire session for signs of bot activity; tag the source IP address if coming from unexpected source geography; tag the session if using nonstandard user agent

SIEM and Known Attack Sequences
How a SIEM tries to detect it: create a correlation rule for a precise sequence, e.g. failed logons, followed by successful logon, followed by DB connect, followed by connection to Romania
Why that doesn't work: any variation on the attack will fool the SIEM rule; can only rely on indicators in logs from critical systems; cannot scale beyond a small set of rules
Security Analytics approach: tag the session with known attack indicators (e.g. high # of failed logons, use of weird protocols, use of weird tools, etc.); tag the session as going to/from a critical asset; monitor the entire session to give investigative context

SIEM and Deviation from Normal Activity
How a SIEM tries to detect it: define rules for known good, alert for any nonstandard activity
Why that doesn't work: impossible to keep up with all normal activities; cannot scale beyond only a small rule set
Security Analytics approach: tag the session for unexpected attributes: nonstandard tools being used, unexpected source address, protocol misuse, unexpected scripting, strange encoding
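The three slides above contrast a fixed SIEM sequence rule with tagging every session on its attributes and scoring the result. The following Python is an added example written for this page, not RSA code or the product's rule syntax; the policy sets, tag weights and sample sessions are assumed and constructed, and they show a low-and-slow logon that evades the sequence rule but still surfaces through tags and a risk score.

```python
# Assumed policy values (not stated on the page): what counts as "expected".
EXPECTED_COUNTRIES = {"US", "DE"}
CRITICAL_ASSETS = {"db-01", "dc-01"}
STANDARD_AGENTS = {"Mozilla/5.0", "Outlook"}
STANDARD_PROTOCOLS = {"HTTPS", "LDAP", "SMB"}
FAILED_LOGON_THRESHOLD = 5

# Assumed weights for the unified risk score the slides mention.
TAG_WEIGHTS = {"high_failed_logons": 2, "critical_asset": 3, "unexpected_source_geo": 2,
               "nonstandard_user_agent": 1, "weird_protocol": 2}

def siem_sequence_rule(session: dict) -> bool:
    """Traditional SIEM rule: many failed logons followed by a successful one."""
    return session["failed_logons"] >= FAILED_LOGON_THRESHOLD and session["logon_success"]

def tag_session(session: dict) -> list:
    """Security Analytics style: attach every indicator that applies to the session."""
    tags = []
    if session["failed_logons"] >= FAILED_LOGON_THRESHOLD:
        tags.append("high_failed_logons")
    if session["dst_asset"] in CRITICAL_ASSETS:
        tags.append("critical_asset")
    if session["src_country"] not in EXPECTED_COUNTRIES:
        tags.append("unexpected_source_geo")
    if session["user_agent"] not in STANDARD_AGENTS:
        tags.append("nonstandard_user_agent")
    if session["protocol"] not in STANDARD_PROTOCOLS:
        tags.append("weird_protocol")
    return tags

def risk_score(tags: list) -> int:
    """Sum the tag weights so sessions can be prioritized, not just alerted on."""
    return sum(TAG_WEIGHTS[t] for t in tags)

# Constructed sessions: a noisy brute force, and a "low and slow" takeover that never trips the threshold.
SESSIONS = {
    "brute_force": dict(failed_logons=40, logon_success=True, dst_asset="web-03",
                        src_country="US", user_agent="Mozilla/5.0", protocol="HTTPS"),
    "low_and_slow": dict(failed_logons=2, logon_success=True, dst_asset="dc-01",
                         src_country="RO", user_agent="python-requests", protocol="LDAP"),
}

def triage() -> dict:
    """What each approach concludes about every constructed session."""
    result = {}
    for name, s in SESSIONS.items():
        tags = tag_session(s)
        result[name] = {"siem_alert": siem_sequence_rule(s), "tags": tags,
                        "score": risk_score(tags)}
    return result
```

The brute force trips both approaches; the low-and-slow session never hits the failed-logon threshold, so the sequence rule is silent, while the tags (critical asset, unexpected geography, nonstandard user agent) still rank it as the higher-risk session.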

Incident Detection (attack step: Traditional SIEM / RSA Security Analytics)
- Alert for access over non-standard port: No / Yes
- Recreate activity of suspect IP address across environment: No / Yes
- Show user activity across AD and VPN: Yes / Yes
- Alert for different credentials used for AD and VPN: Yes / Yes
- Reconstruct exfiltrated data: No / Yes

Only RSA Security Analytics Can Tell If This Is A Targeted Attack (attack step: Traditional SIEM / RSA Security Analytics)
- Alert for suspected SPAM host: Yes / Yes
- Show all WWW requests where executable downloaded: No / Yes
- Recreate email with suspect link: No / Yes
- Analyze malware and incorporate community intelligence: No / Yes
- Determine whether attack is part of a targeted campaign: No / Yes
