To Catch A Thief. Sam Curry Chief Technology Officer RSA, The Security Division of EMC

2 Security is about...
"Security isn't about security. It is about managing risk at some cost. In the absence of metrics, we tend to overcompensate and focus on risks that are either familiar or recent."
Hugh Thompson, Chief Security Strategist, People Security

3 Disruptors to IT (and the world)
Keep in mind today and in the coming days that there are three concurrent disruptors in IT:
1. Cloud (private, public, hybrid et al.)
2. User-driven IT / consumer computing
3. Proliferation and maturation of cybercrime

4 The Criminal Reality today

5 Context: The Dark Cloud

6 There is an underground economy
Sample data from research on the underground digital economy in 2007:

Asset                                                      Going rate
Pay-out for each unique adware installation                30 cents in the United States, 20 cents in Canada, 10 cents in the UK, 2 cents elsewhere
Malware package, basic version                             $1,000 - $2,000
Malware package with add-on services                       Varying prices starting at $20
Exploit kit rental, 1 hour                                 $0.99 to $1
Exploit kit rental, 2.5 hours                              $1.60 to $2
Exploit kit rental, 5 hours                                $4, may vary
Undetected copy of a certain information-stealing Trojan   $80, may vary
Distributed Denial of Service attack                       $100 per day
10,000 compromised PCs                                     $1,000
Stolen bank account credentials                            Varying prices starting at $50
1 million freshly-harvested emails (unverified)            $8 and up, depending on quality

7 Commercial Motivations: you don't have to be faster than the bear
When you are dealing with an intelligent opponent and quantifiable gains (reward) and losses (risks), you can apply game theory. You can determine, to some level of accuracy, the relative probability of a set of attack types with respect to one another:

    Probability ∝ Total Reward / Total Risk

or, written per attack vector V:

    P_V ∝ A_V / (D_V * R_V)

You can use this information to implement stronger controls against a dynamic and increasingly hostile threat environment. You can use the same outlook to examine the effects of world events, of small changes in the state of the art, or even of the introduction of disruptive technologies.

8 Content Races, Decision Loops and Operational Efficiency
Products and systems always end up in a content race. Who wins in this picture? It's all about decision loops: OODA on the defender's side, command-and-control on the attacker's side. We have an intelligent opponent: they adapt and change, we improve, they improve.
(Figure: two opposing loops, labelled GRC and APT.)

9 What does the risk curve look like?
(Figure: a timeline running R&D/Beta -> 1st infection (zero-time) -> 1st signature -> solution signature, with the risk level drawn above it. The gap between first infection and signature is labelled "The. Long. Wait.")

10 How do we reduce the risk window?
(Same timeline as slide 9; the interval between zero-time and the first signature is the window to shorten.)

11 The APT Challenge: you do have to be faster than the bear
GREATER COMPLEXITY
- Architecture of the virtual data center and cloud environments
- Consumerization of IT: the growing demand for more unmanaged machines, applications, and information-sharing tools
- Increase in information to analyze and correlate
BIGGER THREATS
- Prevalence and sophistication of security threats will increase
- Advanced Persistent Threats (APT) will become more predominant
- Attack vectors continue to make use of infrastructure vulnerabilities and to exploit human vulnerabilities
RESPONSE TIME
- Responding to an attack can slow down as the volume of data (and noise) increases
- It is important to be able to stay ahead of the attackers and to remain in front of them

12 Advanced Persistent Threats: The Ultimate Problem
- Low and slow
- Multiple attack methodologies
- Specific objective
- Well organized and funded
- Human involvement
- Can leverage automated techniques

13 The Future Solution: Intelligent SOC, A Holistic Approach
1. Risk Planning
- First and foremost requirement for building a focused, effective security operations program
- Information-centric approach to security risk planning
- Knowledge determines how fast and how well the SOC can react to a problem
2. Attack Modeling
- Determine which systems, people and processes have access to valuable, protected information
- Model the threat surface: normal traffic patterns and potential attack vectors for this information
- Determine potential attack vectors, examine all defensive steps, devise the optimal defense
3. Virtualized Environments
- Virtualization will be a core capability of the Intelligent SOC
- Sandboxing: a suspicious file can be launched in an isolated hypervisor and VM cut off from the rest of the system
- Isolation in depth for the most sensitive information and virtual nodes
4. Self-Learning Predictive Analytics
- Continually monitor and learn typical states to identify problematic patterns early
- Configuration data, events, contextual information and risk profiles connect unrelated events to detect high-risk activities instantaneously
- Integrated feedback loops use confirmed alerts to help the system improve threat detection
5. Automated, Risk-based Decision Systems
- Automated topography: remap the entire network infrastructure to disrupt an attacker's reconnaissance efforts
- Assess risks almost instantly and vary responses accordingly
6. Improvement with Forensic Analysis and Community Learning
- Virtualized environments provide snapshots of the IT environment at the time of the security event; this provides useful information if detection of the attack was delayed
- Information collected centrally and shared among partnering organizations to analyze and help defend against similar security threats

14 Modeling an Attack (RSA Labs in collaboration with Ron Rivest)
Attack graph (figure):
  Exploit FTP server -> INFECT FTP SERVER VM
  Social engineering attack -> EMAIL DELIVERED -> user opens email
    -> user opens PDF in time < t -> INFECT CLIENT / COMPROMISE CLIENT MACHINE (machine with Zeus) -> log into document store -> access document store -> STEAL SENSITIVE INFORMATION
    -> user opens PDF in time > t -> NO COMPROMISE
Countermeasures overlaid on the graph: Log Analysis, Time Correlation, Deployment Dynamics, Behavior Analytics, Adaptive Authentication.

Three notes on the figure:
- Within time t the FTP server is re-provisioned from a clean VM image.
- The attacker uses a social engineering attack, but the attack is revealed by an external triggering mechanism.
- Through stolen credentials the attacker manages to get to the target: a Zeus variant installed on a compromised internal machine is used to log into the document store.

How the defenses bite:
- Opportunity for attack is the time interval t. The probability that the attacker accesses the document store in the expected context is low. Attack blocked with high probability.
- Can detect the time correlation between the FTP server exploit and the opening of the malformed PDF file. Assume tamper-resistant logs.
- By monitoring file and network access patterns at the hypervisor layer, behavior analytics can detect compromise. Log analysis can be used to backtrack the attack path and remove that attack vector.

15 The APT Challenge in simple terms
The Game: Attacker versus Target.
The Goals:
- The attacker must gain access to the target
- The defender must defend access to the target
- The defender must know which controls cover the attack vectors
- Both must stay within their financial means

16 Modeling an Attack (RSA Labs in collaboration with Ron Rivest)
The same attack graph as slide 14 (FTP server exploit and social-engineering email converging on a Zeus-infected client that logs into the document store; PDF opened in time < t leads to compromise, in time > t to no compromise), now annotated with the countermeasure at each step: Log Analysis, Deployment Dynamics, Risk Analytics, Behavior Analytics, Log Analysis.

17 The Right Measures: simulate an APT-like attack on an Intelligent SOC
The attack graph of slide 14 once more, with the Intelligent SOC technique applied at each stage: Risk Model, Dynamics (at the FTP server), Adaptive (at the document store login), Analytics, Behavioral Assessment.

18 Deployment Dynamics: Defensive Approach
How it works:
1. The Deployment Dynamics Server (DDS) instantiates a clean FTP server from the FTP VM image and moves it to the production area.
2. DDS instructs the load balancer to add the FTP server to the pool of available servers providing FTP service.
3. After time t, DDS instructs the load balancer to remove the FTP server from the pool of servers providing FTP service.
4. DDS destroys the FTP server, and begins the process again.
The attacker's foothold on any one FTP instance therefore lasts at most until that instance is destroyed (the interval t of slide 14).
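The rotation loop above, and the "user opens PDF in time < t" branch of the attack model on slide 14, can be put into a small simulation. This is an added example, not RSA's DDS code: the DDS/load-balancer cycle is modelled as a fixed-period rotation, and the instance lifetimes and victim delays are constructed assumptions. It shows why the rotation period is the knob that bounds the attacker's window.

```python
"""Deployment Dynamics (slide 18) as a moving-target defence, simulated.

Added example, not RSA's code. The DDS/load-balancer loop is modelled as a
fixed-period rotation: an FTP instance lives for `period` seconds, then is
destroyed and replaced from a clean image. Anything an attacker planted on
that instance dies with it, so a poisoned download only works if the victim
fetches it before the rotation (the 'time < t' branch in slide 14).
Periods and victim delays below are constructed assumptions.
"""
import random


def instance_id(at: float, period: float) -> int:
    """Which rotation generation is serving at absolute time `at`."""
    return int(at // period)


def implant_survives_until(plant_at: float, fetch_at: float, period: float) -> bool:
    """True if the instance poisoned at `plant_at` is still in the load-balancer
    pool when the victim fetches the malicious file at `fetch_at`."""
    if fetch_at < plant_at:
        return False
    return instance_id(plant_at, period) == instance_id(fetch_at, period)


def max_dwell(plant_at: float, period: float) -> float:
    """Upper bound on how long an implant planted at `plant_at` can live:
    the remainder of the current rotation, never more than `period`."""
    return period - (plant_at % period)


def compromise_probability(period: float, victim_delay: float,
                           trials: int = 20000, seed: int = 1) -> float:
    """Monte Carlo estimate: the attacker plants at a uniformly random moment
    within a rotation, the victim opens the PDF `victim_delay` seconds later.
    Returns the fraction of trials in which the poisoned file was still served
    (analytically max(0, 1 - victim_delay / period))."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        plant = rng.uniform(0, period)
        hits += implant_survives_until(plant, plant + victim_delay, period)
    return hits / trials


if __name__ == "__main__":
    # Shorter rotation => smaller attacker window; delay >= period => never.
    for period in (86400, 3600, 600):
        p = compromise_probability(period, victim_delay=900)
        print(f"period={period:>6}s  P(compromise | victim opens after 900s) = {p:.3f}")
```

The simulation assumes the attacker cannot re-exploit each fresh instance instantly; if they can, rotation only buys the time-correlation signal of slide 14 (exploit and PDF open landing in the same generation), not a smaller window.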

19 Adaptive Authentication: Preventive Approach
(Figure: the attacker submits Username: wolfd, Password: 0ct0rulz; verdict HIGH RISK: require stronger authentication.)
How it works:
1. The attacker tries to log into the internal restricted document store, which leverages adaptive authentication functionality.
2. The document store passes the authentication credentials and the observed network data (IP, device fingerprint) to AMx.
3. AMx calculates a high risk score, because these credentials had not previously been used from the observed device.
4. The document store prompts the attacker for secondary authentication: a one-time password (OTP), which is sent via SMS to the user, not to the attacker.
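The decision in step 3 can be made concrete with a small risk engine. This is an added example and not RSA's AMx: the scoring model is a hypothetical additive one over the signals the slide names (IP address, device fingerprint) plus the user's login history, and the users, fingerprints, addresses and weights are constructed.

```python
"""Adaptive authentication step-up decision, after slide 19.

Added example, not RSA AMx code. The scorer is a hypothetical additive model
over the signals the slide names (IP address, device fingerprint) and the
user's login history; users, fingerprints, IPs and weights are constructed.
"""
from dataclasses import dataclass, field

HIGH_RISK = 70          # at or above this score, require secondary authentication


@dataclass
class LoginAttempt:
    user: str
    password_ok: bool   # result of the primary credential check
    device_fp: str      # e.g. hash of browser, OS, fonts, plugins
    ip: str


@dataclass
class UserHistory:
    known_devices: set = field(default_factory=set)
    known_networks: set = field(default_factory=set)  # /24 prefixes seen before


def network_of(ip: str) -> str:
    """Crude 'same network' key: the first three octets of an IPv4 address."""
    return ".".join(ip.split(".")[:3])


def risk_score(attempt: LoginAttempt, history: UserHistory):
    """Return (score, reasons). The dominant signal is the one the slide
    describes: the credentials have never been used from this device."""
    score, reasons = 0, []
    if attempt.device_fp not in history.known_devices:
        score += 60
        reasons.append("device fingerprint never seen for this user")
    if network_of(attempt.ip) not in history.known_networks:
        score += 25
        reasons.append("source network never seen for this user")
    if not history.known_devices:
        score += 15
        reasons.append("no device enrolled yet (first login)")
    return score, reasons


def decide(attempt: LoginAttempt, history: UserHistory):
    """Primary auth must still pass; adaptive scoring only chooses between
    ALLOW and STEP_UP (an OTP sent to the user's phone, as on the slide)."""
    if not attempt.password_ok:
        return "DENY", 0, ["primary credential check failed"]
    score, reasons = risk_score(attempt, history)
    if score >= HIGH_RISK:
        return "STEP_UP", score, reasons
    return "ALLOW", score, reasons


def on_step_up_success(attempt: LoginAttempt, history: UserHistory) -> None:
    """Only a completed OTP challenge promotes the device to 'known'."""
    history.known_devices.add(attempt.device_fp)
    history.known_networks.add(network_of(attempt.ip))


def demo():
    """Constructed scenario: wolfd's laptop is known; the attacker holds the
    password (0ct0rulz on the slide) but logs in from an unseen device and network."""
    wolfd = UserHistory({"fp-laptop-wolfd"}, {"10.1.2"})
    legit = LoginAttempt("wolfd", True, "fp-laptop-wolfd", "10.1.2.7")
    thief = LoginAttempt("wolfd", True, "fp-unknown-4f2a", "203.0.113.5")
    return decide(legit, wolfd), decide(thief, wolfd)


if __name__ == "__main__":
    for verdict, score, why in demo():
        print(verdict, score, "; ".join(why))
```

Note that a known device from a new network scores only 25 and is allowed; that is a tuning choice for roaming users, and the weights would be learned from confirmed alerts in the feedback loop slide 13 describes rather than fixed by hand.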

20 Analytics: Responsive Approach
(Figure: Data Center -> Security Management -> Data Warehouse holding contextual data, watch lists, logs and risk profiles.)
How it works:
1. Logs from endpoints and servers, and VM snapshot data from the Deployment Dynamics service, are stored in Greenplum.
2. Given knowledge of a document leak from external sources, the system backtracks through the log data to identify the past network activity of all endpoints which accessed the leaked document.
3. The intermediate results are further correlated with the VM re-provisioning snapshot metadata to narrow down suspicious points of server infection and sources of the document leak.
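Steps 2 and 3 are a join across three record types. The following is an added example, not RSA's Greenplum pipeline: the warehouse is three in-memory lists of constructed log records, and the join is a hypothetical implementation of the slide's logic (leaked document -> endpoints that read it -> their earlier FTP traffic -> which DDS server generation served them at that moment).

```python
"""Backtracking a document leak through stored logs (slide 20), as an added
example. Not RSA's Greenplum pipeline: the 'warehouse' is three in-memory
lists of constructed records, and the join logic is hypothetical but follows
the slide: leaked document -> endpoints that read it -> their earlier FTP
traffic -> which Deployment Dynamics server generation served them.
"""
from collections import Counter
from datetime import datetime


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample data -----------------------------------------------------
DOC_ACCESS = [   # document store audit log: time, user, endpoint, document
    ("2011-03-01T09:05:00", "wolfd", "ws-17", "DOC-4471"),
    ("2011-03-01T09:40:00", "alice", "ws-03", "DOC-1020"),
    ("2011-03-01T11:12:00", "wolfd", "ws-22", "DOC-4471"),   # same creds, other endpoint
    ("2011-03-02T08:30:00", "bob",   "ws-09", "DOC-4471"),
]
NET_FLOWS = [    # endpoint egress log: time, endpoint, destination, service
    ("2011-03-01T08:50:00", "ws-17", "10.9.9.9", "ftp"),
    ("2011-03-01T08:55:00", "ws-03", "10.9.9.9", "ftp"),
    ("2011-03-01T10:58:00", "ws-22", "10.9.9.9", "ftp"),
    ("2011-03-01T13:30:00", "ws-09", "10.9.9.9", "ftp"),
    ("2011-03-02T08:00:00", "ws-09", "10.9.9.9", "ftp"),
]
DDS_SNAPSHOTS = [  # Deployment Dynamics metadata: generation, VIP, in pool from, destroyed at
    ("ftp-gen-41", "10.9.9.9", "2011-03-01T06:00:00", "2011-03-01T12:00:00"),
    ("ftp-gen-42", "10.9.9.9", "2011-03-01T12:00:00", "2011-03-01T18:00:00"),
    ("ftp-gen-43", "10.9.9.9", "2011-03-02T06:00:00", "2011-03-02T12:00:00"),
]


def endpoints_that_read(doc_id: str):
    """Step 2: who touched the leaked document, from which endpoint, and when."""
    return [(ts(t), user, ep) for t, user, ep, d in DOC_ACCESS if d == doc_id]


def generation_serving(ip: str, at: datetime):
    """Step 3: which DDS generation stood behind `ip` at time `at` (None if none)."""
    for gen, vip, start, end in DDS_SNAPSHOTS:
        if vip == ip and ts(start) <= at < ts(end):
            return gen
    return None


def backtrack(doc_id: str, service: str = "ftp"):
    """Rank server generations by how many readers of the leaked document had
    fetched from them *before* reading it; also return the evidence rows."""
    suspects = Counter()
    evidence = []
    for read_at, user, ep in endpoints_that_read(doc_id):
        for t, flow_ep, dst, svc in NET_FLOWS:
            if flow_ep == ep and svc == service and ts(t) < read_at:
                gen = generation_serving(dst, ts(t))
                if gen is not None:
                    suspects[gen] += 1
                    evidence.append((ep, user, gen))
    return suspects.most_common(), evidence


if __name__ == "__main__":
    ranked, rows = backtrack("DOC-4471")
    print("suspect generations:", ranked)      # ftp-gen-41 leads with two readers
    for ep, user, gen in rows:
        print(f"  {ep} ({user}) fetched from {gen} before reading the document")
```

The snapshot metadata is what turns a single VIP into distinct suspects: without it every flow to 10.9.9.9 looks identical, and the generation that was actually compromised (the one most readers touched just before the leak) cannot be separated from its clean successors.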

21 Behavior Analytics: Learning Approach
(Figure: read/write activity, network activity and dynamic reputation (blacklist) feed an analytics engine with payload analysis; example events are "user opens email", "Zeus infects VMs", file creation, folder creation.)
How it works:
1. Data flows from multiple VMs, mirrored by the hypervisor, and is sent to the analytics engine.
2. The engine analyzes the individual inputs and their relationships.
3. The engine ties multiple events together and, if they look suspicious, an alert is generated.
4. Every alert arrives with a severity score and the reason why the alert was generated.
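Steps 2 to 4, as an added example rather than RSA's engine: a per-VM sliding window that weights single events (attachment opened, executable dropped in Temp, Startup folder created, connection to a blacklisted host) and raises one alert per VM once the related events in the window add up, returning the score and the reasons. The event stream, reputation list, weights and window are constructed assumptions.

```python
"""Behavior Analytics (slide 21): tying single events into a scored alert.

Added example, not RSA's analytics engine. The event stream, reputation feed
and weights are constructed assumptions; the shape follows the slide: each
alert carries a severity score and the reasons it was generated.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BLACKLIST = {"198.51.100.23"}          # 'dynamic reputation' feed (constructed)
WINDOW = timedelta(minutes=15)         # how long related events stay linked
ALERT_AT = 60                          # summed weight that triggers an alert

# Constructed events mirrored from two VMs: (time, vm, event type, detail)
EVENTS = [
    ("2011-03-01T09:00:00", "vm-ws-17", "email_open",  "invoice.pdf"),
    ("2011-03-01T09:00:20", "vm-ws-17", "file_create", r"C:\Users\wolfd\AppData\Local\Temp\svch0st.exe"),
    ("2011-03-01T09:00:25", "vm-ws-17", "dir_create",  r"C:\Users\wolfd\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd"),
    ("2011-03-01T09:01:10", "vm-ws-17", "net_connect", "198.51.100.23:443"),
    ("2011-03-01T09:05:00", "vm-ws-03", "email_open",  "agenda.pdf"),
    ("2011-03-01T09:06:00", "vm-ws-03", "net_connect", "10.0.0.5:443"),
    ("2011-03-01T10:30:00", "vm-ws-03", "file_create", r"C:\Users\alice\Documents\notes.txt"),
]


def score_event(kind: str, detail: str):
    """Weight of one event on its own, plus a human-readable reason.
    Benign events weigh 0 and never enter the window."""
    d = detail.lower()
    if kind == "email_open":
        return 10, "email attachment opened"
    if kind == "file_create" and d.endswith(".exe") and "\\temp\\" in d:
        return 30, "executable dropped in Temp"
    if kind == "dir_create" and "\\startup\\" in d:
        return 20, "persistence folder created under Startup"
    if kind == "net_connect" and detail.split(":")[0] in BLACKLIST:
        return 50, f"connection to blacklisted host {detail}"
    return 0, ""


def correlate(events):
    """Slide a per-VM window over the event stream. An alert is raised when the
    summed weight of the linked events reaches ALERT_AT and is updated if later
    events in the same window push the score higher. Returns {vm: (score, reasons)}."""
    window = defaultdict(list)     # vm -> [(time, weight, reason)]
    alerts = {}
    for t, vm, kind, detail in sorted(events):
        now = datetime.fromisoformat(t)
        weight, why = score_event(kind, detail)
        if weight == 0:
            continue
        window[vm] = [e for e in window[vm] if now - e[0] <= WINDOW]   # expire old events
        window[vm].append((now, weight, why))
        total = sum(w for _, w, _ in window[vm])
        if total >= ALERT_AT and (vm not in alerts or total > alerts[vm][0]):
            alerts[vm] = (total, [r for _, _, r in window[vm]])
    return alerts


if __name__ == "__main__":
    for vm, (severity, reasons) in correlate(EVENTS).items():
        print(f"ALERT {vm} severity={severity}")
        for r in reasons:
            print("   -", r)
```

Run on the constructed stream, only vm-ws-17 alerts: its chain (attachment, dropped executable, Startup folder, blacklisted outbound) scores 110 with four reasons, while vm-ws-03's attachment open followed by ordinary activity never crosses the threshold.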

22 Techniques used in an Intelligent SOC
Risk Model; Deployment Dynamics; Adaptive Authentication; Behavioral Analytics; Assessment

23 The Future Solution: Intelligent SOC, A Holistic Approach
Identify what is important
- Assets and asset relationships
- Services and service dependencies
- User credentials
- Sensitive data
Protect what is important
- Efficiently, aggressively and thoroughly secure and comply according to best practices
- Make advanced exploits harder: dynamics, sandboxing, isolation in depth, stack integrity monitoring
Minimize damage
- Leverage comprehensive visibility
- Focus using analytics
- Respond quickly
- Adapt by improving response efficiency and addressing discovered weaknesses
Disrupt the objective
- Interrupt the transaction
- Discover the leaked information
- Share cyber intelligence (collaborate)
- Prosecute aggressively (increase the attacker's cost)

24 Summary: core elements of the Intelligent SOC model
- Risk-based security strategy
- Predictive modeling and analysis
- Leverage techniques in virtualized environments
- Self-learning predictive analytics
- Automated, adaptive systems
- Continual improvement through forensic analysis and community learning

25 The Future
The bad guys will keep getting worse: we have an intelligent opponent!
- E.g. expect a "bleed vs. butcher" approach in malware
- E.g. expect benefits built into malware
- E.g. expect APTs to converge vectors and get faster and more directed at IP
Expect cybercrime to continue to flourish.
Expect a resurgence in non-financially motivated, sophisticated APTs.
Move to a progressively more intelligent SOC.
GRC gives security management a chance:
- To be about risk mitigation (2011+)
- To become more transparent
- To get close to the business
- To be more efficient and reduce the focus on tools

27 Thank you!