RSA ECAT DETECT, ANALYZE, RESPOND!


Cyber Threat Landscape
- Attack surface (and attackers) expanding: web apps, laptops, EHR systems, firewalls, DNS, IP
- Existing strategies and controls are failing
- Attack sophistication on the rise: tactics, techniques, procedures (TTPs)

- 49% of enterprises know they were compromised by a malware-based attack in the last 2 years
- 70-90% of malware samples are unique to an organization
- 83% of incidents took weeks or more to discover
Sources: ESG, September 2014; Verizon 2014 DBIR; Verizon 2015 DBIR; http://www.informationisbeautiful.net/

How Attackers Work: TTP your way in
Stage #1: Establish Foothold
- Probe servers/apps for vulnerabilities
- Develop exploits
- Install webshells/remote access
- Spear-phish users
- Obtain credentials
- Deliver malware
- Gain remote access
Stage #2: Entrench, Expand, Explore
- Dump local credentials
- Install malware
- Download cracking tools
- Move laterally
- Identify privileged accounts (IT admin), domain controllers, Exchange servers
- Expand access methods (VPN, RDP, proxy)
- Map the network
Stage #3: Exfiltrate, Maintain
- Aggregate and stage data
- Obfuscate to avoid detection
- Exfiltrate data over HTTP, SSH, FTP, email
- Leverage dynamic DNS to rotate drop zones
Chart: damage/cost rising over time (seconds, minutes, hours, days, weeks, months)

Why do endpoints matter?
- Where evil starts: the weakest link in the (kill) chain
- Lack of deep endpoint visibility, and of visibility into lateral movement across the organization, leads to increased attack dwell time
- Access paths: partner access, employee access, end-user access
- Example: reallybadfile.exe, detection 0/48
- Network alone is not enough: siloed, partial views
- Enable analysts to instantly determine the full attack scope and gather critical forensic data

Old vs. New
- Old-gen tools (good, but not enough): A/V; wrong data overflows, right data is missing
- Next-gen attacks call for contextual visibility and behavioral analytics (signature vs. behavior)
- Example: lssas.exe, MD5 64ef07ce3e4b420c334227eecb3b3f4c
- Behavioral indicators: suspicious SVCHOST running; autorun unsigned hidden module; invalid kernel object type; floating module in OS process; unsigned module writes executable to UNC path
- Diagram elements: threat intel, module, machine, malware/RAT

What is RSA ECAT? Leader of the UNKNOWN
- Continuous endpoint monitoring solution providing contextual visibility, seeing beyond a single alert across endpoints deployed on- and off-premises
- Provides incident responders and security analysts a full attack investigation platform
ECAT reveals targeted threats by:
- Automatic whitebox analysis of abnormal behavior patterns (beyond known signatures)
- Machine-learning risk scoring
- STIX and RSA Live threat intelligence

Enterprise-Ready ECAT: From Silicium Security to RSA ECAT Endpoint Security
Timeline, 2007-2015 (chart also plots number of customers):
- Sep 2007: Silicium Security is silently being built in a basement in Montreal
- v3.x: inventory and anomaly detection, Windows only
- 2009: first production customer, a large Canadian government agency
- Stuxnet APT (and Flamer) detected: ECAT detected these targeted attacks out-of-the-box
- 2011: government-only to commercial
- Sep 2012: tip from EMC CIRC led to RSA acquiring Silicium Security
- ECAT 4.0 @RSA: Instant IOC (IIOC), Windows and Mac OS, re-skin of the ECAT UI, integration with SA and RSA Live
- ECAT v4.1 (3rd major release post RSA acquisition): blocking, STIX CTI, remote relay, machine-learning risk score

How does it work? (architecture diagram)
- Endpoint agent, user space: process inventory, network data, response action (blocking, quarantine)
- Endpoint agent, kernel space: physical data, status, security config, process tracking; all on top of the operating system
- Server-side analysis: behavioral profiling (module behavior, machine behavior, malware/RAT behavior, network information, automatic listing), Yara engine, OPSWAT A/V engine, optional 3rd-party sandbox solution
- Intelligence inputs: RSA Research, RSA Live, threat intel
- Outputs: risk score, priority, root cause, full attack scope (organization-side)
- Integrations: RSA Security Analytics (and other 3rd-party applications) via syslog, JSON, SMTP (ticketing system)

ECAT Endpoint Client
- Figures shown: 100%, 20m, 5%, 500k, 2m for agent uptime, per-endpoint CPU consumption, network bandwidth consumption, client disk footprint (configurable) and memory usage
- Agent components: process inventory, network data (user space); physical data, status, security config, process tracking (kernel space); operating system
- Tested and verified with major AV, DLP and disk encryption products
- Servers, laptops, desktops, VMs, VDIs
- Windows (XP to Win10) and Mac OS X (10.6-10.11)
- On- and off-premises endpoint monitoring
- Automatic and on-demand scanning
- Automatically downloads unknown files for additional analysis
- Disconnected or formatted machine? The risk is still there!

ECAT Endpoint Client (cont.): Always and Everywhere Visibility
- Full system inventory: executables, DLLs, drivers, etc.
- Disk inspection: find files on disk and inspect them
- Live memory analysis: compare and flag anomalies; identify hidden processes, modifications and tampering
- Network traffic analysis: detect and analyze suspicious traffic
- Validate integrity of system and files

ECAT Console, Primary and Secondary
- Analyzes scan data and flags anomalies
- SQL Server maintains the repository for global correlation and both on- and off-line investigation
- Know the exact location and persistence of a malicious file for removal
- Scales up to 50k agents per Console Server
- Topology: primary console server (x1), secondary console server(s) (x2 ... xn)
- Inputs: RSA Live, RSA Research, threat intel
- Engines: behavioral profiling (module behavior, machine behavior, malware/RAT behavior, network information, automatic listing), Yara engine, OPSWAT A/V engine
- Outputs: risk score, priority, root cause, full attack scope (organization-side)

Behavior Analytics Detection: Instant IOC (IIOC)
- ECAT IIOCs (Instant Indicators of Compromise) determine the threat attack vector(s) and identify abnormal behavior indicative of malware.
- ECAT provides ~300 IIOCs out-of-the-box that are executed server-side as data is processed, causing zero performance load on the client.
- ECAT IIOCs enhance detection and prioritization capabilities, so that analysts can instantly pinpoint the full attack scope, root cause and attacker TTPs.
- They are NOT known signature-based malicious IOCs (MD5, IP, domain, etc.).
- Customers can create their own customized IIOCs.
- Diagram elements: RSA Pedia, RSA Live, geo location, IP information, Yara engine, behavioral profiling, OPSWAT A/V engine, module behavior, threat intelligence, machine(s) behavior, malware/RAT behavior

Real-Time Response Action
- Find commodity malware and prioritize accordingly
- Enables the SOC analyst to take real-time action against modules being written to disk or loaded in memory
- Block: the file is blocked but remains at its location
- Quarantine: the file is blocked and quarantined to a separate directory (a subdirectory of the deleted-files folder) that is accessible only to system administrators
- Blacklist and block based on hash value for: .EXE, .COM, .SYS, .DLL, .SCR, .OCX, .JAR, .BAT, .PS1, .VBS, .SF, .VBE, .PYC, .WSF, .WAR, .VB, .PY, .CLASS
Example flow:
- t=0: malware drops or already exists on a machine
- The ECAT agent identifies a new module, suspicoiusfiledonotopen.exe (MD5: bd33f0f22b8038489e4542b8a08d75c4; SHA-1: 49de968090ad7fe0bf22b6f9f60b65c05c077cfa; SHA-2: 2e94fee2094ff92c807b067ad86c17ce903db0f72ad767b)
- t=0+: the hash is matched against the STIX threat-intel list (ed0f027320c419f71730546f7b2fa171, bd33f0f22b8038489e4542b8a08d75c4, 406dff23418df9083979dfbff12488d8, 18ada35e0e9137f1177ab4d32a24a971, ..., 0df525e5c0d6f6fa17c58b102390171f)

ECAT Threat Intelligence Data Enrichment: RSA Live, RSA Research and External Threat Intel
- Gathers advanced, high-quality threat intelligence content
- Aggregates and consolidates data
- Operationalizes known-unknown community intelligence
- STIX package support (<stix:STIX_Package>)
- Where content and context meet!
Feeds: RSA Live, RSA Research, threat intel, malware IP/domain lists, RSA Research APT IP/domains, RSA Research C2/exploit IP/domains, suspicious proxies, malicious networks, 0-day identifiers

ECAT Threat Intelligence Data Enrichment (cont.): results from a previous Incident Response engagement, live data
- During a recent Incident Response engagement at a global financial institution, using RSA Live data ALONE, the RSA IR team was able to:
  - Immediately identify infected machines communicating with a suspicious high-target APT domain
  - Identify machines exfiltrating data (and which data)
- When used in connection with ECAT's behavioral analytics and contextual visibility, the customer was able to instantly pinpoint infected machines across the environment and initiate a cross-organization block

RSA Advanced SOC Platform
- Data sources: packets, logs, endpoint, NetFlow
- Pipeline: visibility, capture-time data enrichment, analysis, incident management, action, compliance reporting
- Capabilities: investigation, session reconstruction, advanced analytics, endpoint analysis
- RSA Live intelligence: threat intelligence, rules, parsers, feeds, reports, RSA Research

Integrate your ECAT: layering endpoint data on top of packets and logs
Use Case #1: Pivot from Security Analytics to ECAT
- TCP network traffic to a suspicious location was recorded (SourceIP: 10.100.161.2, DestinationIP: 127.0.0.1)
- Before: the analyst explores DHCP logs to identify and match the username and its assigned IP for a specific timeframe
- After: right-click from SA to ECAT; instantly identify ALL machines that communicated with the suspicious IP; infected endpoint identified (a server)
Use Case #2: Pivot from ECAT to Security Analytics
- Recorded network traffic to a suspicious location; the abnormal bytes-received vs. bytes-sent ratio IIOC triggered (MachineID: LT-US-HWashington, DestinationIP: 8.8.8.8)
- Before: pivoting to a SIEM would provide more context about the process and the action
- After: 1) right-click from ECAT to SA directs to the exact SA investigation filter; 2) reconstructing the session enables identifying the exact content exfiltrated
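The "Behavior Analytics Detection" slide describes IIOCs evaluated server-side over agent scan data, the "Real-Time Response Action" slide describes block/quarantine of modules by hash and file type, and Use Case #2 above relies on a bytes-ratio IIOC. The following toy Python evaluator is an added illustration, not RSA's code: it runs a few of the indicators named on the slides over constructed scan records; the indicator weights, the exfiltration thresholds, the hash list and the block-vs-quarantine policy are assumptions of the example.

```python
"""Toy IIOC-style evaluator (added illustration, not RSA ECAT code): constructed scan
records are scored server-side against a few slide-named indicators and a hash list."""
import os
from collections import namedtuple
from dataclasses import dataclass

# Blockable file types from the slide (subset); the threat-intel hash is a constructed placeholder.
BLOCKABLE_EXT = {".exe", ".dll", ".sys", ".scr", ".ocx", ".jar", ".bat", ".ps1", ".vbs"}
THREAT_INTEL_MD5 = {"deadbeef" * 4}
OS_PROCESSES = {"svchost.exe", "lsass.exe", "explorer.exe"}

@dataclass
class Module:                      # one entry of the endpoint's module inventory
    path: str
    md5: str
    signed: bool
    hidden: bool = False
    autorun: bool = False
    floating: bool = False         # lives in memory with no backing file on disk
    host_process: str = ""         # process the module is loaded into

Connection = namedtuple("Connection", "dest_ip bytes_sent bytes_received")  # one flow

# Behavioral indicators as (name, weight, predicate); the weights are assumed values.
MODULE_IIOCS = [
    ("Autorun unsigned hidden module", 400,
     lambda m: m.autorun and m.hidden and not m.signed),
    ("Floating module in OS process", 300,
     lambda m: m.floating and m.host_process.lower() in OS_PROCESSES),
]

def network_iiocs(conns):
    """Flag flows whose bytes-sent vs. bytes-received ratio looks like exfiltration."""
    return [("Abnormal bytes sent vs. received ratio", 200, c.dest_ip) for c in conns
            if c.bytes_sent > 1_000_000 and c.bytes_sent > 10 * max(c.bytes_received, 1)]

def module_action(m):
    """Response policy of this example: known-bad hash -> quarantine, behavior -> block."""
    if os.path.splitext(m.path)[1].lower() not in BLOCKABLE_EXT:
        return "none"                          # file type the agent does not block
    if m.md5 in THREAT_INTEL_MD5:
        return "quarantine"
    return "block" if any(pred(m) for _, _, pred in MODULE_IIOCS) else "allow"

def score_machine(modules, conns):
    """Sum indicator weights into one machine risk score; also return the hits."""
    hits = [(n, w, m.path) for m in modules for n, w, pred in MODULE_IIOCS if pred(m)]
    hits += [("Threat-intel hash match", 500, m.path) for m in modules if m.md5 in THREAT_INTEL_MD5]
    hits += network_iiocs(conns)
    return sum(w for _, w, _ in hits), hits
```

The returned hit list is what an analyst would pivot on: each entry names the indicator, its weight and the module path or destination IP that triggered it.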

Integrate your ECAT (cont.): layering endpoint data on top of packets and logs
Use Case #3: Ingest the endpoint data feed into Security Analytics
- Network forensics (packets): destinationip, sourceip, useragentstring, HTTP Referer
- Log management: AV_Login_attempt_Time, AV_Login_success/failure, FW_entry_src_ip
- Endpoint data (ECAT): Machine name: LT-US-FWashington; Machine score: 1007; Username: FWashington; Machine OS: Win8.1 (VMware VDI); MAC address: 01-23-45-67-89-ab
- Combined for investigation, reporting and alerting
Use Case #4: REST API and protocol integration options: RESTful API, syslog, SMTP, RabbitMQ

Proven and Widely Deployed Solution
- 1,600+ customers worldwide
- Top 20 U.S. financials
- 90+ countries worldwide
- 70+ U.S. federal/government agencies

EMC, RSA, the EMC logo and the RSA logo are trademarks of EMC Corporation in the U.S. and other countries.