Richard Nichols, NetWitness Operations Director, RSA
Security. Risk Management. Compliance.
Old World: Static Security
Static attacks: generic, code-based
Static infrastructure: physical, IT-controlled
Static (bolt-on) defenses: signature-based, at the perimeter
New World: Advanced Security
Hybrid cloud: public clouds
Advanced attacks: targeted, human-based
Dynamic infrastructure: virtual, user-centric
Dynamic (built-in) defenses: analytics and risk-based
In the World of Cloud and Big Data, Trust and Security Are Essential
Building Trust in the Cloud
Hybrid cloud infrastructure: private and public
Tenets of cloud security: governance, visibility, controls
Together these build TRUST.
RSA Approach
GOVERNANCE: manage business risk, policies and workflows
ADVANCED VISIBILITY AND ANALYTICS: collect, retain and analyze internal and external intelligence
INTELLIGENT CONTROLS: rapid response and containment
Applied across cloud, network and mobility
RSA Approach: Product Mapping
GOVERNANCE: RSA Archer eGRC Suite
ADVANCED VISIBILITY AND ANALYTICS and INTELLIGENT CONTROLS: RSA NetWitness, RSA NetWitness Spectrum, RSA enVision, RSA DLP Suite, RSA Adaptive Authentication, RSA Access Manager, RSA SecurID, RSA Transaction Monitoring, RSA FraudAction, RSA CCI, RSA eFraudNetwork, RSA NetWitness Live, RSA Federated Identity Manager, RSA Data Protection, RSA BSAFE
Applied across cloud, network and mobility
Anatomy of an Attack
Attack Scenario
1. Phishing email: John received a phishing email that was customized for him.
2. Drive-by download: John clicked on the link and was infected by a Trojan from a drive-by download.
3. Attacker gains access to a critical server: the Trojan installed a backdoor that allows a reverse connection to the infected machine. The attacker dumped password hashes and gained access to a critical server via RDP.
4. Data exfiltration: the attacker encrypted sensitive files found on the critical server and transferred them out via FTP.
DLP detected file transfer activity
DLP Network detects a transfer of an encrypted file over the FTP protocol.
Correlation alert triggered from enVision
enVision generates an alert from two correlated events:
1. A successful RDP connection to the critical server
2. DLP activity on the same server
Incident escalation to the Archer dashboard
enVision alerts are sent to RSA Archer via RCF. RSA Archer links this incident with business context and prioritizes it as HIGH priority.
Seamless integration to NetWitness
Instant integration from the Archer console to NetWitness with two clicks. SIEMLink transparently retrieves full session detail from NextGen.
Spectrum automated malware analysis
Spectrum instantly provides a detailed analysis of the executable file in question.
Interactive analysis with Investigator
Context of all network activity to and from the critical server confirms John's machine (192.168.100.142) as the source of the RDP session.
Interactive analysis with Investigator
Drill into all network sessions from John's machine: a small executable file transferred over HTTP, with a suspicious filename and extension (malware?!?) and a suspicious domain name.
Lessons Learned
1. Continuous monitoring
2. Network segregation
3. Server access restriction
4. Data encryption or tokenization for sensitive data on the server
5. Firewall blocking of FTP transmissions to external, unauthorized servers
6. Strong authentication of users and administrators
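The correlation rule in the scenario (a successful RDP logon to a critical server followed by DLP activity on the same server) can be expressed as a small detector. The Python below is an added example, not RSA code or enVision rule syntax; the key=value log format, hostnames, and the one-hour window are assumptions, and the log lines are constructed for the demo.

```python
"""Correlate a successful RDP logon with a later DLP alert on the same server.

Added example: the log format here is invented for the demo and is not
enVision's or DLP Network's real event schema.
"""
from datetime import datetime

# Constructed key=value log lines standing in for SIEM-normalized events.
SAMPLE_LOGS = """\
2012-03-14T08:00:00 host=fileserver01 type=rdp_logon result=failure user=john src=192.168.100.142
2012-03-14T10:02:11 host=fileserver01 type=rdp_logon result=success user=svc_admin src=192.168.100.142
2012-03-14T10:17:45 host=fileserver01 type=dlp_network proto=ftp dst=203.0.113.7 verdict=encrypted_file
2012-03-14T09:40:03 host=webserver02 type=dlp_network proto=ftp dst=198.51.100.9 verdict=encrypted_file
"""


def parse_line(line):
    """Turn one 'timestamp k=v k=v ...' line into a dict with a datetime 'ts'."""
    ts, _, rest = line.partition(" ")
    event = dict(field.split("=", 1) for field in rest.split())
    event["ts"] = datetime.fromisoformat(ts)
    return event


def correlate(log_text, window_minutes=60):
    """Return one alert per DLP event that follows a successful RDP logon
    to the same host within window_minutes (assumed window; tune per site).
    Failed logons and DLP events on other hosts produce nothing."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    rdp_ok = [e for e in events if e["type"] == "rdp_logon" and e["result"] == "success"]
    alerts = []
    for dlp in (e for e in events if e["type"] == "dlp_network"):
        for rdp in rdp_ok:
            gap = (dlp["ts"] - rdp["ts"]).total_seconds()
            if rdp["host"] == dlp["host"] and 0 <= gap <= window_minutes * 60:
                alerts.append({
                    "priority": "HIGH",            # business-context priority, as Archer assigned it
                    "host": dlp["host"],
                    "rdp_source": rdp["src"],      # pivot point for full-session analysis
                    "rdp_user": rdp["user"],
                    "dlp_dst": dlp["dst"],         # external FTP destination to block at the firewall
                    "seconds_between": int(gap),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

Only the fileserver01 pair fires: the failed logon is filtered out and webserver02 has no preceding RDP success, so the analyst receives one alert already carrying the RDP source address to pivot on.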
RSA NetWitness: what is it and why do I need it?
Threats Are Evolving Rapidly
Criminals: petty criminals, unsophisticated
Organized crime: organized, sophisticated supply chains (PII, financial services, retail)
Nation-state actors: PII, government, defense industrial base, IP-rich organizations
Non-state actors and terrorists: PII, government, critical infrastructure
Anti-establishment vigilantes and hacktivists: targets of opportunity
Advanced Threats: Growing Risk
83% of organizations believe they have been the victim of an advanced threat.
65% of organizations don't believe they have sufficient resources to prevent advanced threats.
(Source: Ponemon Institute survey)
99% of breaches led to data compromise within days or less.
85% of breaches took weeks or more to discover.
(Source: Verizon 2012 Data Breach Investigations Report)
New Security Concept: Offense in Depth
Attacker timeline: surveillance, target analysis, access probe, attack set-up, system intrusion, attack begins, cover-up starts, discovery/persistence, leap-frog attacks complete, cover-up complete, maintain foothold.
Defender timeline: physical security, threat analysis, attack forecast, defender discovery, monitoring and controls, attack identified, incident reporting, containment and eradication, damage identification, impact analysis, system reaction, response, recovery.
The interval between the start of the attack and its discovery is ATTACKER FREE TIME; the defender's goal is to collapse attacker free time.
Source: NERC HILF Report, June 2010 (http://www.nerc.com/files/hilf.pdf)
RSA NetWitness Is
A revolutionary approach to enterprise network monitoring
A platform for pervasive visibility into content and behavior
Providing precise and actionable intelligence
Know Everything. Answer Anything.
Know Everything. Answer Anything.
» Why are packed or obfuscated executables being used on our systems?
» What critical threats are my anti-virus and IPS missing?
» I am worried about targeted malware and APTs: how can I fingerprint and analyze these activities in my environment?
» We need to better understand and manage the risks associated with insider threats. I want visibility into end-user activity and to be alerted on certain types of behavior.
» On our high-value assets, how can we have certainty that our security controls are functioning exactly as implemented?
» How can I detect new variants of Zeus or other 0-day malware on my network?
» We need to examine critical incidents as if we had an HD video camera recording it all.
Invest in Certainty. Invest in Agility.
Enabling a Revolution in Network Monitoring: NetWitness Product Tour
Understanding the NetWitness Network Monitoring Platform
Inputs: network traffic and logs
Normalized data with application-layer context
Fusion of threat intelligence
NetWitness Components
Applications:
Informer: visualization, reporting, alerting and live charting server
Investigator Enterprise: interactive analysis with NetWitness appliances
Live: real-time integration of the collective intelligence of the world with your data
Spectrum: automated malware prioritization and analysis
SIEMLink: provides immediate access to NetWitness analytics from within your IDS or SIEM console
SDK/API: free, for rapid development of any conceivable network analysis application
Appliances:
Decoder: real-time, distributed, highly configurable network recording appliance (full packet)
Concentrator and Broker: aggregate and analyze data across multiple capture locations; request brokering across the entire infrastructure
Eagle: portable hybrid appliance combining elements of Decoder, Concentrator and Investigator in a field-deployable solution
Automated Analysis, Reporting and Alerting: Informer
Flexible dashboard, chart and summary displays for a unified view of threat vectors
Automated answers to any question for network security, security/HR, legal/R&D/compliance and IT operations
HTML, CSV and PDF report formats included
Supports CEF, SNMP, syslog and SMTP data push for full integration with a SIEM
Getting Answers to the Toughest New Questions: Investigator
Interactive, data-driven session analysis of layer 2-7 content
Award-winning, patented, port-agnostic session analysis
Infinite freeform analysis paths and content/context investigation points
Data presented as the user experienced it (web, voice, files, emails, chats, etc.)
Supports massive data sets: instantly navigate terabytes of data; analysis that once took days now takes minutes
Freeware version used by over 50,000 security experts worldwide
Signature-Free, Automated Malware Analysis, Prioritization and Workflow: Spectrum
Mimics the techniques of leading malware analysts
Leverages NetWitness Live by fusing information from leading threat intelligence and reputation services
Uses NetWitness pervasive network monitoring for full network visibility
Brings transparency and efficiency to malware analysis processes by delivering complete answers
Threat Intelligence Delivery System: Live
Automates insight into advanced threats
Leverages the global security community to correlate and illuminate the most pertinent information
Fuses intelligence with your network data in real time
Solutions to problem sets: advanced threats, malware, botnets, policy/audit, enterprise monitoring, fraud, user attribution, risk prioritization
Prioritized and detailed reporting
Thank you!