Incident Response Agility: Leverage the Past and Present into the Future

Similar documents
SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

RSA NetWitness Suite Respond in Minutes, Not Months

EFFECTIVELY TARGETING ADVANCED THREATS. Terry Sangha Sales Engineer at Trustwave

INTRODUCTION. We would like to thank HelpSystems for supporting this unique research. We hope you will enjoy the report.

Transforming Security from Defense in Depth to Comprehensive Security Assurance

esendpoint Next-gen endpoint threat detection and response

THE RSA SUITE NETWITNESS REINVENT YOUR SIEM. Presented by: Walter Abeson

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Not your Father s SIEM

GDPR: An Opportunity to Transform Your Security Operations

SOLUTION BRIEF RSA NETWITNESS EVOLVED SIEM

CloudSOC and Security.cloud for Microsoft Office 365

Security Automation Best Practices

Building a Threat-Based Cyber Team

Eliminating the Blind Spot: Rapidly Detect and Respond to the Advanced and Evasive Threat

Key Technologies for Security Operations. Copyright 2014 EMC Corporation. All rights reserved.

BUILDING AND MAINTAINING SOC

Automated Threat Management - in Real Time. Vectra Networks

Integrated, Intelligence driven Cyber Threat Hunting

Cognito Detect is the most powerful way to find and stop cyberattackers in real time

Vectra Cognito. Brochure HIGHLIGHTS. Security analyst in software

The Cognito automated threat detection and response platform

Agile Security Solutions

TRUSTED IT: REDEFINE SOCIAL, MOBILE & CLOUD INFRASTRUCTURE. Ralf Kaltenbach, Regional Director RSA Germany

THE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM

TRUSTED IT: REDEFINE SOCIAL, MOBILE & CLOUD INFRASTRUCTURE. John McDonald

SECURITY AUTOMATION BEST PRACTICES. A Guide to Making Your Security Team Successful with Automation

ARTIFICIAL INTELLIGENCE POWERED AUTOMATED THREAT HUNTING AND NETWORK SELF-DEFENSE

Digital Forensics Readiness PREPARE BEFORE AN INCIDENT HAPPENS

McAfee Endpoint Threat Defense and Response Family

RSA Security Analytics

Security analytics: From data to action Visual and analytical approaches to detecting modern adversaries

ForeScout Extended Module for Splunk

Cloud and Cyber Security Expo 2019

SECURITY AUTOMATION BEST PRACTICES. A Guide on Making Your Security Team Successful with Automation SECURITY AUTOMATION BEST PRACTICES - 1

Speed Up Incident Response with Actionable Forensic Analytics

OPERATIONS CENTER. Keep your client s data safe and business going & growing with SOC continuous protection

The Art and Science of Deception Empowering Response Actions and Threat Intelligence

SOLUTION BRIEF RSA NETWITNESS NETWORK VISIBILITY-DRIVEN THREAT DEFENSE

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

National Cyber Security Operations Center (N-CSOC) Stakeholders' Conference

Delivering Integrated Cyber Defense for the Cloud Generation Darren Thomson

CyberArk Privileged Threat Analytics

WHITEPAPER. Enterprise Cyber Risk Management Protecting IT Assets that Matter

Qualys Indication of Compromise

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

Sustainable Security Operations

NEXT GENERATION SECURITY OPERATIONS CENTER

Whitepaper. Advanced Threat Hunting with Carbon Black Enterprise Response

Threat Containment and Operations. Yong Kwang Kek, Director of Presales SE, APJ

Advanced Endpoint Protection

Un SOC avanzato per una efficace risposta al cybercrime

Mastering The Endpoint

OUTSMART ADVANCED CYBER ATTACKS WITH AN INTELLIGENCE-DRIVEN SECURITY OPERATIONS CENTER

FOUR WAYS TO IMPROVE ENDPOINT SECURITY: MOVING BEYOND TRADITIONAL APPROACHES

External Supplier Control Obligations. Cyber Security

Securing Dynamic Data Centers. Muhammad Wajahat Rajab, Pre-Sales Consultant Trend Micro, Pakistan &

Application Whitelisting and Active Analysis Nick Levay, Chief Security Officer, Bit9

Reducing the Cost of Incident Response

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

Agenda. Why we need a new approach to endpoint security. Introducing Sophos Intercept X. Demonstration / Feature Walk Through. Deployment Options

Building and Instrumenting the Next- Generation Security Operations Center. Sponsored by

SIEM Solutions from McAfee

GDPR: Get Prepared! A Checklist for Implementing a Security and Event Management Tool. Contact. Ashley House, Ashley Road London N17 9LZ

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

BOLSTERING DETECTION ABILITIES KENT KNUDSEN JUNE 23, 2016

How to Predict, Detect & Stop threats at the Edge and Behind the Perimeter even in encrypted traffic without decryption

Vectra Cognito Automating Security Operations with AI

From Managed Security Services to the next evolution of CyberSoc Services

Privileged Account Security: A Balanced Approach to Securing Unix Environments

empow s Security Platform The SIEM that Gives SIEM a Good Name

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

Analytics Driven, Simple, Accurate and Actionable Cyber Security Solution CYBER ANALYTICS

Building Resilience in a Digital Enterprise

Incident Response Lessons From the Front Lines. Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles

Operationalizing the Three Principles of Advanced Threat Detection

AppDefense Cb Defense Configuration Guide. AppDefense Appendix Cb Defense Integration Configuration Guide

CYBER RESILIENCE & INCIDENT RESPONSE

CYBER SECURITY EFFECTIVENESS FOR THE RESOURCE-CONSTRAINED ORGANIZATION

RSA IT Security Risk Management

A Risk Management Platform

align security instill confidence

Discover threats quickly, remediate immediately, and mitigate the impact of malware and breaches

SIEM: Five Requirements that Solve the Bigger Business Issues

THREAT HUNTING REPORT

Traditional Security Solutions Have Reached Their Limit

WHY SIEMS WITH ADVANCED NETWORK- TRAFFIC ANALYTICS IS A POWERFUL COMBINATION. A Novetta Cyber Analytics Brief

MITIGATE CYBER ATTACK RISK

Managed Security Services - Endpoint Managed Security on Cloud

Managed Endpoint Defense

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Malware Outbreak

The McGill University Health Centre (MUHC)

Aligning with the Critical Security Controls to Achieve Quick Security Wins

Behavioral Analytics A Closer Look

CYBER RISK MANAGEMENT: ADDRESSING THE CHALLENGE SIMON CRUMPLIN, FOUNDER & CEO

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

EU GENERAL DATA PROTECTION: TIME TO ACT. Laurent Vanderschrick Channel Manager Belgium & Luxembourg Stefaan Van Hoornick Technical Manager BeNeLux

DATA SHEET RSA NETWITNESS ENDPOINT DETECT UNKNOWN THREATS. REDUCE DWELL TIME. ACCELERATE RESPONSE.

4/13/2018. Certified Analyst Program Infosheet

THE EVOLUTION OF SIEM

Transcription:

SESSION ID: SPO1-W03 Incident Response Agility: Leverage the Past and Present into the Future Torry Campbell CTO, Endpoint and Management Technologies Intel Security

The Reality we Face Reconnaissance 30+ days Compromise Web Server(s) 1 hour Distribute Malware via Cloud 15 min Social Engineering 7 min Data Exfiltration > 5 min TIME 2

Incident Response Survey Released April 13, 2015 http://mcaf.ee/r7ei8 3

Why Agility Average number of incidents investigated in 2014 Total (n= 700) 500 to 999 employees 1,000 to 4999 employees More than 5,000 employees 78 31 41 150 Intel Security Data via Vanson Bourne, March 2015. http://www.mcafee.com/us/resources/reports/rp-esg-tackling-attack-detection-incident-response.pdf 4

High Proportion of Targeted Attacks Average percentage of investigations in 2014 associated with targeted attacks Total (n= 700) 500 to 999 employees 1,000 to 4999 employees More than 5,000 employees 28% 24% 30% 28% Intel Security Data via Vanson Bourne, March 2015. http://www.mcafee.com/us/resources/reports/rp-esg-tackling-attack-detection-incident-response.pdf 5

Where Incident Responders Spend Their Time 47% 42% 41% 39% 38% Determining the impact and/or scope of a security incident Taking action to minimise the impact of an attack Analysing security intelligence to detect security incidents Determining which assets, if any, remain vulnerable Performing forensic analysis Intel Security Data via Vanson Bourne, March 2015. http://www.mcafee.com/us/resources/reports/rp-esg-tackling-attack-detection-incident-response.pdf 6

Best Boost for Efficiency and Effectiveness Detection, analytics, training Better detection tools (i.e. static and dynamic analysis tools ) 58% Better analysis tools 53% More training on how to deal with incident response issues More training on how to manage incident response issues across multiple networks 37% 41% Employ more IT security staff 24% Automation of processes to free up staff 15% Intel Security Data via Vanson Bourne, March 2015. http://www.mcafee.com/us/resources/reports/rp-esg-tackling-attack-detection-incident-response.pdf 7

Building the Story Requires Comprehension 8

Inhibitors to Real-time Awareness Understanding behavior, operational integration, analytics Need a better understanding of user behaviour 41% Need tighter integration between security intelligence and IT operations tools (NPM, APM, etc.) Need a better understanding of network behaviour 37% 37% Need better tools to baseline normal behaviour so we can detect anomalies Need a better understanding of server virtualisation technology behaviour Need better automated analytics from our security intelligence tools 27% 30% 33% Intel Security Data via Vanson Bourne, March 2015. http://www.mcafee.com/us/resources/reports/rp-esg-tackling-attack-detection-incident-response.pdf 9

A Series of Unintegrated Events Network & Gateway Sandbox SIEM NGFW NIPS Web Gateway Email Gateway IOC 1 IOC 2 IOC 3 IOC 4 analyze payload hunt historic events Endpoints Isolate and remediate previously compromised systems 10

Agile Incident Response Pre-breach Post-breach Number of events Protect Detect Correct Prolonged Dwell Time Minimized Dwell Time Time 11

SESSION ID: SPO1-W03 Protecting the Future by Studying the Past and Present Josh Thurston Manager, WW Technical Operations 12

Omaha 13

Peyton Manning The Perfectionist Past Study Film of his team Study Film of his opponent Present Study images of plays during game Analyze formations at the line Reflect on data OMAHA http://goingdeep.reblog.hu/peyton-manning-a-z-vilaghaboruban

Agenda 1. Pursuit of Perfection 2. Time is Against You 3. Data Collection 4. Analysis 5. Insight Through Integration 15

Pursuit of Perfection The Setup Integrated Security Architecture Ability detect and provide alerts to potential threats in as they occur Adapt and improve security Complete coverage: Endpoint, Network, Identity, and Data Mature Incident Response Ability to Collect Meaningful Data Ability to Analyze the Data Quickly Ability to Act Very Fast Minimize Impact Ability to Protect the Future http://www.gq.com/blogs/the-feed/2013/12/peyton-manning-breaks-touchdown-record-and-other-news-aman-needs-to-know-today.html

Time is Against You Attackers Have the Upper Hand Attacks take a lot of time to plan. Time To Detect You don t detect pre attack activities 24% 6% 7% Attacks are executed quickly 14% 53% of the Time it Takes More Than 1 Day to Detect a Breach 29% 20% Difficult Months Weeks Days Hours Minutes When Minutes Count: http://www.mcafee.com/us/resources/reports/rp-when-minutes-count.pdf 17

You Can Be Effective Toolkit Things to Know: Use the Tools You Have and Trust You Have The Right People Only 17% feel they need better analysis/ forensics skills. You Have the Data, just not integration Only 26% say they have a hard time gathering the right data for accurate situational awareness A Whopping 47% say they spend most of their time determining impact. i.e. putting the pieces together Things To Do: Integrate 37% feel they need tighter integration Understanding and Visibility 41% Need to understand user behavior 37% Need to understand network behavior 27% Need to understand application behavior 21% Need to understand host behavior Intel Security Data via Vanson Bourne, March 2015. http://www.mcafee.com/us/resources/reports/rp-esg-tackling-attack-detection-incident-response.pdf 18

Data Collection Past and Present No Blind Spots Endpoint Network Identity Data 19 19

Analysis How Fast are You Analyze What is Normal What is Abnormal Filter our the white noise Correlate Data between sources 20

Insight Through Integration Maximize Incident Response Management Insight: Event and Alert Correlation Context and IOC Visibility Breach Analysis Threat Protection Understand the Infrastructure Network Insight: Traffic Visibility Lateral Movement Network Connections Compliance Analytics Endpoint Insight: Context and Posture Malicious Activity Protect every Endpoint Mobile Protection Content Insight: Who is using your Data What is accessing your Data Suspicious Data Usage Learn Data Trends 21

Omaha in Action Live Analysis and Data Collection File Attributes An Executable Launches File Attributes are Compared and Stored Notify the Entire Environment Call Audible Unknown File 22 File Name File Path Signed Certificate MD5 Hash SHA 1 Age Prevalence

Clarity to Drive Better, Faster Decisions Current state vs. integrated and agile CURRENT STATE Limited scope. Point in time context. AGILE APPROACH Continuous monitoring and contextual analytics Product 1 Product 2 Product 3 Result Limited, reactive visibility and threat protection Result Faster, more proactive awareness of threats and anomalous events 23

Confidence to Act Boost confidence with risk scoring, automation, watch lists and alerting Gain confidence to act: Distillation and prioritization Risk scoring and customizable tuning Increased automation Focus on what matters most TRIAGE AND PRIORITIZE CLARITY FROM CONTEXT STATES / EVENTS 24

IR and Forensics Enable Your Team 1. Integrated Architecture 2. Agile Framework 3. Shared Intelligence 4. Effective SIEM Analytics Implementation 5. Clarity to Drive Better, Faster Decisions 6. Confidence to Act 25

Closing Call Omaha Download report from http://mcaf.ee/r7ei8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback