Noam Ikar R&DVP. Complex Event Processing and Situational Awareness in the Digital Age


"We need to correlate events from inside and outside the organization by a smart layer." Cyberint CEO, Dec 2017.

Wikipedia: Event processing is a method of tracking and analyzing (processing) streams of information (data) about things that happen (events), and deriving a conclusion from them. Complex event processing, or CEP, is event processing that combines data from multiple sources to infer events or patterns that suggest more complicated circumstances. The goal of complex event processing is to identify meaningful events (such as opportunities or threats) and respond to them as quickly as possible.

Gartner: Complex-event processing (CEP) is a kind of computing in which incoming data about events is distilled into more useful, higher-level complex event data that provides insight into what is happening. CEP is event-driven because the computation is triggered by the receipt of event data. CEP is used for highly demanding, continuous-intelligence applications that enhance situation awareness and support real-time decisions.

So, What is CEP?
[Diagram: Multiple Data Sources (Data Source A, Data Source B, Data Source C) feed a CEP Engine that applies Complex Business Rules and emits Inbound/Outbound Actions (Action A, Action B, Action C).]

Data Sources and Events
- Data can be collected from outside the perimeter, such as OSINT, IOCs, feeds, social media, etc.
- Data can be collected from inside the perimeter, such as SIEM events, EDR, controls, system logs, etc.
- Data can be structured (e.g. IOCs, SIEM events), unstructured (e.g. posts on forums) or semi-structured (e.g. data with free-text fields).
- Each record should be enriched and timestamped, and potentially carry other metadata as well.
- For each event there is a corresponding event processor, batch or stream (ETL).
- Event accumulation should be backed by a distributed storage repository, creating a data lake.
- The event processor can transform, enrich, aggregate, or apply other rules to the data.
- DevOps related: it is important to support auto-scaling (and more).

CEP Engine
- The CEP engine executes the rules according to the business logic.
- The engine can consume new rules in real time with no deployment: an Event Processor Consumer defines new rules, e.g. fork logic.
- The engine can support new types of rules, e.g. for a new data source type.
- The engine must support Big Data query and analysis.
- Rule types: contextual patterns, sequences (order of events), trends and anomalies.
- Apply machine learning and deep learning models.
- DevOps related: monitor and maintain processes.

Actions
- You control the structure of the action.
- Each action includes a timestamp, and possibly other metadata, and is persisted (contributing to the data lake).
- The action can trigger an inbound activity, e.g. a discovery process, or an outbound activity, e.g. integration with a third party (firewalls).
- The action can be direct (synchronous) or indirect, e.g. scheduling future actions (asynchronous).
- The action can be initiated automatically by the system (CEP engine) or manually by an admin/back-office team.
- DevOps related: it is important to support auto-scaling (and more).

But it is not that simple
- Large number of data sources:
  - Social Media: Facebook, Twitter, VK, YouTube, Instagram, WhatsApp, etc.
  - OSINT: open web and dark net
  - External sources: Whois, PassiveDNS, etc.
  - SIEM: Security Information and Event Management
  - EDR: Endpoint Detection and Response
  - System and event logs: network, operating systems, applications, IDM, cloud, etc.
- The amount of data to process is increasing, from terabytes to zettabytes.
- Deep learning and machine learning are progressing.

Runtime vs. Research and Build
- Research environment: data available for analytics, e.g. enabling threat hunting.
  - Search engines over the data lake, including the follow-up actions
  - Big Data tools
  - Knowledge base
  - Enhanced user interface
- Programming environment: development and testing of the models (data sources, processes, actions).
- Runtime environment: the production platform and services, including the proper monitoring tools and administrative interfaces.

CEP Checklist
- Event channels (data source and ETL)
- Modeling events (enrichment and metadata)
- Processing elements and expressions
- Event augmentation
- Stateful processing and management
- Platform capabilities
- Development environment
- Business interface
- Project considerations
Source: https://www.tibco.com/blog/2010/03/04/complex-event-processing-a-technology-evaluation-check-list/

CEP as part of the architecture
[Architecture diagram. Layers shown: Collector (Crawlers, Avatar Management, Server/Network Log, SIEM Platform, Cloud, EDR Integration, Application, Deception); Data Layer (Big Data, IOC, SIEM Events, Intelligence, OLP); Analysis (Complex Event Processing, Orchestration, ML Correlation, ML Forensics Correlation, Research Lab, Query Mng, Response Box); UI (Argos UI, Account Intelligence, Online Protection, Dashboard, Situational Awareness).]

Example - Asset Discovery & Vulnerability Assessment
[Diagram, same layout as the CEP overview: Multiple Data Sources (Main Domain, Leaked Credential, Active Directory, Sub Domain) feed the CEP Engine with Complex Business Rules, which emits Inbound/Outbound Actions (Hijacking Removal, Close Open Ports).]
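The three building blocks described above (timestamped, enriched events from several sources; an engine that applies sequence, threshold and contextual rules and keeps state; inbound and outbound actions that are persisted) and the asset-discovery example can be shown in one small stateful CEP engine. This is an added example, not Cyberint's Argos code or any code from the deck; the event stream, the asset inventory used for enrichment, the rule names and the action names are all constructed for illustration.

```python
"""Minimal stateful complex event processing (CEP) engine.

Added example, not Cyberint's Argos code. Sources, rules, actions and the
event stream are constructed for illustration (hypothetical values).
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List

# Constructed asset inventory used for enrichment (hypothetical values).
ASSET_OWNERS = {"vpn.example.test": "it-ops", "shop.example.test": "web-team"}


@dataclass
class Event:
    source: str                 # where it came from: SIEM, OSINT, DISCOVERY, ...
    kind: str                   # normalised event type
    ts: datetime                # every record carries a timestamp
    attrs: Dict[str, str] = field(default_factory=dict)
    meta: Dict[str, str] = field(default_factory=dict)   # enrichment metadata


@dataclass
class Action:
    name: str
    direction: str              # "inbound" (discovery/investigation) or "outbound" (3rd party)
    ts: datetime
    attrs: Dict[str, str]


def enrich(ev: Event) -> Event:
    """Modeling step: attach metadata to the record before any rule runs."""
    host = ev.attrs.get("host")
    if host in ASSET_OWNERS:
        ev.meta["owner"] = ASSET_OWNERS[host]
    ev.meta["structured"] = "yes" if ev.source in ("SIEM", "IOC") else "no"
    return ev


class CEPEngine:
    """Rules are plain callables (engine, event) -> [Action]; they can be
    registered at runtime, which is the 'new rules with no deployment' idea."""

    def __init__(self, window: timedelta = timedelta(hours=24)):
        self.window = window
        self.rules: List[Callable] = []
        self.state: Dict[str, deque] = defaultdict(deque)  # stateful memory per key
        self.actions: List[Action] = []                    # persisted: feeds the data lake

    def add_rule(self, rule: Callable) -> None:
        self.rules.append(rule)

    def remember(self, key: str, ev: Event) -> None:
        q = self.state[key]
        q.append(ev)
        while q and ev.ts - q[0].ts > self.window:   # expire state outside the window
            q.popleft()

    def recall(self, key: str, now: datetime) -> List[Event]:
        return [e for e in self.state[key] if now - e.ts <= self.window]

    def process(self, ev: Event) -> List[Action]:
        ev = enrich(ev)
        fired = [a for rule in self.rules for a in rule(self, ev)]
        self.actions.extend(fired)
        return fired


# Rule 1 (sequence): credential leaked on OSINT, then a successful login for that user.
def leaked_cred_then_login(engine: CEPEngine, ev: Event) -> List[Action]:
    if ev.kind == "credential_leak":
        engine.remember("leak:" + ev.attrs["user"], ev)
        return []
    if ev.kind == "login_success" and engine.recall("leak:" + ev.attrs["user"], ev.ts):
        return [Action("force_password_reset", "outbound", ev.ts,
                       {"user": ev.attrs["user"], "owner": ev.meta.get("owner", "")}),
                Action("open_investigation", "inbound", ev.ts, {"user": ev.attrs["user"]})]
    return []


# Rule 2 (trend/threshold): N failed logins from one source IP inside the window.
def brute_force(engine: CEPEngine, ev: Event, threshold: int = 3) -> List[Action]:
    if ev.kind != "login_failure":
        return []
    engine.remember("fail:" + ev.attrs["src_ip"], ev)
    if len(engine.recall("fail:" + ev.attrs["src_ip"], ev.ts)) >= threshold:
        return [Action("block_ip_on_firewall", "outbound", ev.ts, {"src_ip": ev.attrs["src_ip"]})]
    return []


# Rule 3 (contextual): asset discovery found a sub-domain whose CNAME target is unclaimed.
def dangling_subdomain(engine: CEPEngine, ev: Event) -> List[Action]:
    if ev.kind == "subdomain_discovered" and ev.attrs.get("cname_claimed") == "false":
        return [Action("remove_dangling_dns_record", "inbound", ev.ts, {"host": ev.attrs["host"]})]
    return []


def run_sample() -> List[Action]:
    """Feed a constructed event stream through the engine; return every action fired."""
    t0 = datetime(2018, 1, 1, tzinfo=timezone.utc)
    stream = [
        Event("OSINT", "credential_leak", t0, {"user": "alice"}),
        Event("SIEM", "login_failure", t0 + timedelta(minutes=1), {"src_ip": "203.0.113.9"}),
        Event("SIEM", "login_failure", t0 + timedelta(minutes=2), {"src_ip": "203.0.113.9"}),
        Event("SIEM", "login_failure", t0 + timedelta(minutes=3), {"src_ip": "203.0.113.9"}),
        Event("SIEM", "login_success", t0 + timedelta(hours=2), {"user": "alice", "host": "vpn.example.test"}),
        Event("DISCOVERY", "subdomain_discovered", t0 + timedelta(hours=3),
              {"host": "old.example.test", "cname_claimed": "false"}),
        # Same user logs in two days later: the leak is outside the window, so rule 1 stays quiet.
        Event("SIEM", "login_success", t0 + timedelta(days=2), {"user": "alice", "host": "vpn.example.test"}),
    ]
    engine = CEPEngine()
    for rule in (leaked_cred_then_login, brute_force, dangling_subdomain):
        engine.add_rule(rule)
    for ev in stream:
        engine.process(ev)
    return engine.actions
```

Running `run_sample()` yields four actions in order: `block_ip_on_firewall` after the third failed login, `force_password_reset` and `open_investigation` when the leaked user logs in within the window (the enrichment step has already attached the asset owner, so the action carries it), and `remove_dangling_dns_record` for the discovered sub-domain. The login two days later fires nothing, which is the point of keeping state with an explicit time window rather than matching on a single event.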


Thank You
Noam Ikar, VP R&D

Open positions, R&D:
1. Data Scientist
2. Front-End Team Leader
3. Front-End Developer
4. Back-End Python Team Leader
5. Back-End Python Developer
6. R&D Support Team Leader
7. R&D Ops
8. Senior Product Manager

Open positions, Cyber Security Services:
1. Cyber Intelligence Analysts Team Leader
2. Cyber Intelligence Analyst
3. SOC Expert
4. Cyber Blue Team Expert (travel to London)

www.cyberint.com/careers jobs@cyberint.com

One Platform, All Solutions: CyberInt's solutions are provided from one central platform, covering asset discovery, threat intelligence, social media protection, email and mobile app protection and 3rd-party vendor risk. They benefit from fully integrated data, providing unmatched detection and real-time response.

Digital Managed Detection and Response
[Diagram with four stages: Map, Detect, Monitor, Respond. Items shown across the stages: Digital Footprint, Asset Discovery, Social Media Presence, Online Asset Vulnerabilities, Fraudulent Activities, Targeted Campaigns, Risk Materialization, Real-time Mitigation, Investigations, Identifying Weaknesses, Take Downs, Exposure, Threat Landscape (actors, forums, tools), Brand Infringement, New and Emerging Threats, Top Tools & Threat Actors, On-site Incident Response, Attack Vectors, Threat Materialization.]

A Solution for Every Need, Beyond the Perimeter: Our capabilities beyond the perimeter provide you with a variety of solutions, from protecting your digital brand to identifying fraudulent activities, to protecting your business from cyber attacks.

Our Technology Stack
- Argos
- CyberScore
- CybeReadiness
- Threat Intelligence
- Vendor Risk Management
- Red Team Automation
- Argos Digital Asset Protection

What Retail Customers are Saying About CyberInt's Digital MDR

"Over the last couple of years, CyberInt has reinforced our defenses, reduced our fraud rates and protected the Asos brand with their detection and response capabilities, in both the technology that they offer and their experienced services teams." Cliff Cohen, CIO

"For me, CyberInt is a true partner to the process of enhancing and improving CASINO group IT security operations policy and resiliency." Cyrille Elsen, CISO, Groupe Casino

Industry Recognition

"Whether it's to spot a major data leak, prevent a brand impersonation, or monitor a closed conversation threatening physical harm of key personnel, digital risk monitoring solutions are increasingly valuable for S&R pros who need to scour countless digital (i.e., social, mobile, web) channels and rapidly remediate these burgeoning crises before severe, long-lasting damage occurs."

"CyberInt's solution does not only identify intentions or bad actors but is useful in pre-empting attacks by proactively searching social media posts and activities. By identifying malicious links ahead of time, attacks can be subverted."

Our Intelligence-Led SOC
- 24x7 continuous monitoring and incident management
- Advanced threat detection and intelligence-based attribution
- Log management and retention
- Ongoing tuning and improvements on detection
- Out-of-the-box knowledge base and incident response procedures

Intelligence-Led Managed SOC
- 24x7 Managed SOC: incident investigations and response, log retention and threat hunting
- Strategy & Governance: cyber strategy and cyber risk profile consulting, workshops, risk assessments
- Threat Intelligence: investigations, threat landscape mapping, reconnaissance
- Detect & Response Services: IRT maturity assessment, SIEM enhancements, response team and take downs
- IRT: our incident response team is ready to support you both on and off site
- Intelligence-led Penetration Testing: threat intelligence driven penetration testing

Today's threat landscape has evolved, presenting security practitioners with greater challenges than ever before. Together with the understanding that prevention alone is not enough to fend off threat actors, this has led us to develop a new breed of cyber security platform that enhances the detection and response capabilities of businesses. Our session focuses on the use of cutting-edge technology to detect cyber attacks and respond to them based on complex event processing.