RSA IT Security Risk: Adding Insight to Security
March 18, 2014
Wael Jaroudi, GRC Sales Specialist
Where is Security Today?
Companies have built layer upon layer of security, but is it helping? Complexity, data breaches, damage.
Lack of Insight [The Noise Factor]
We believe that doing the right thing should be obvious, but for today's IT security organizations it is too often hidden.
Defense in Depth layers: Web Vulnerability, OS Configuration, Patch, Device Vulnerability, Anti-Virus/Malware, SIEM/Packets, Logical Access, IPS/IDS, VPNs, Firewalls, Physical Access.
A day of security events:
8:02 AM Malware infection on 10.1.2.30
8:30 AM Voice mail from colleague re: new hacker group
9:00 AM Meeting with QSA re: last week's vulnerability scan
11:15 AM Vulnerability scan on DMZ completed
11:30 AM Meeting with XYZ department on new application being installed next week
12:00 PM Company just like us announced major breach
12:02 PM CVE-2014-123 just released
1:45 PM Meeting with audit committee re: security risks
2:00 PM System outage at Phoenix branch
2:15 PM Weird(?) network traffic reported by network team
2:53 PM Malware outbreak on multiple machines
3:00 PM New contractor onboarding
3:20 PM Present security awareness training to new employees
4:15 PM Industry ISAC security conference call
4:32 PM HR reports social engineering attempt
5:07 PM Port scan on 192.168.3.45
6:07 PM Security policy meeting
8:02 PM Malware infection on 10.10.2.32
8:30 PM Multiple failed login attempts on 192.168.100.23
11:15 PM Vulnerability scan found 142 critical vulnerabilities
12:00 AM Malware infection on 10.2.3.45
12:02 AM Sun just released a new patch to JRE 5.4.3.2
The questions this raises: Do we have a compliance issue? Is this a high-risk business function? Which of these are most important? What are the executive concerns? Is this a coordinated advanced attack? An inappropriate access attempt on top secret information? A meaningless virus infection?
The New World of Security
It will become increasingly difficult to secure infrastructure. We must focus on people, the flow of data and on transactions.
We Need to Change our Approach
Improve monitoring and response capabilities.
Defense in Depth: Prevention, Monitoring, Response.
Intelligence-Driven Security: Prevention, Monitoring, Response, with the emphasis shifted toward monitoring and response.
Copyright 2012 EMC Corporation. All rights reserved.
Signal Clarity and Amplification
We provide solutions that disrupt the noise and bring clarity to the signal to amplify your decisions.
Noise -> Visibility
Visibility + Analysis = Priority
Priority + Action = Results
Results + Metrics = Progress
IT Security Risk
Not a single answer but rather a solution leveraging people, process, and technology as a force multiplier.
Enables organizations to: establish business context for security; establish security policies and standards; detect and respond to attacks; identify and remediate security deficiencies. This reduces the risk of today's security threats, of poor or misaligned security practices, and of operational security compliance failures.
Domains: Security Policies, Security Compliance, Threat & Vulnerability, Security Strategy, Security Operations.
Preventative IT Security Risk Solutions
Preventative: Vulnerability Risk (Scan Results, IT Security Risk Indicators and Metrics, Remediation Workflow, Threat Correlation, Gold Build Images). Measure Outcomes.
Responsive: SOC (Incidents & Investigations, Breach, Crisis). Measure Outcomes.
RSA Archer eGRC Foundation: Assets (IT Context, Biz Context), Regulatory, Data Catalogs (CVE/CVSS, CPE, CWE, CCE, UCF, Threat Intel), Identity (Login/Logout, Repositories).
Platform services: Integrations, Focused UIs (Persona Based UI, Interactive Charts, Searching and Filtering), Workflow, Ticketing, Reports, Exceptions, Notifications.
Vulnerability Today: Trying to avoid the vulnerability pit
1. Vulnerability Scanner: Brian, IT Security Analyst, runs his vulnerability scanner against the devices.
2. Issue: The vulnerability scanner finds a number of issues on IT systems.
3. Patch: Pages of results are delivered to Alice, IT Administrator, to fix.
4. Patches are pushed out or configurations are updated to fix the vulnerabilities. Some patches are missed, don't fix the problem, or there isn't enough time to get to them. The vulnerability will sit unaddressed, possibly forever.
5. Carlos, CISO, is left wondering: What does this mean for business risk? What about my most valuable assets? What happens if the threats change? Can I get more protection quickly? Are we improving? Do we have the right coverage?
What is VRM?
Vulnerability Risk Management (VRM) allows enterprises to proactively manage IT security risks through the combination of asset business context, actionable threat intelligence, vulnerability assessment results, and comprehensive workflow.
Vulnerability Risk Management (VRM)
Data sources: Vuln. Scan Results (Qualys, McAfee); Vuln. Data Pubs (NVD CVE); Threat Intelligence (US-CERT); Asset Taxonomies (NVD CPE); Other Asset Data (CSV, CMDB, etc.).
Data Collector (operated by the Administrator) feeds the RSA VRM Data Warehouse: Raw Data Storage, Normalization, Indexing.
Vulnerability Analytics: Analytics Engine and Investigative UI, used by the IT Security Analyst.
Archer Vulnerability Risk Management: Devices, Findings, Exceptions, KPIs; Workflow; Reporting and Dashboards for the CISO; Integration with GRC.
The Value of VRM
IT Security Analyst: Asset Discovery and Issue Prioritization. Know what you have.
IT Administrator: Issue Lifecycle Tracking, Exception and SLA. Do the right thing.
CISO: Dashboards and Reporting, Measure and Report KPIs. Measure effectiveness, not just activity.
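The combination VRM describes (scan findings joined with asset business context and threat intelligence, then tracked against SLAs and rolled into KPIs) is shown below as an added illustration; it is not RSA's code, and the findings, asset criticalities, threat feed, scoring weights and SLA policy are all constructed for the example.

```python
# Added illustration, not RSA's code: a VRM-style prioritizer that joins scanner
# findings with asset business context and threat intelligence, then derives
# SLA-driven KPIs. Every record and threshold below is constructed/assumed.
from datetime import date, timedelta

# Constructed, normalized scan findings (what the data collector would emit).
FINDINGS = [
    {"host": "10.1.2.30", "cve": "CVE-2014-0001", "cvss": 9.3, "found": date(2014, 3, 1)},
    {"host": "10.1.2.30", "cve": "CVE-2014-0002", "cvss": 4.0, "found": date(2014, 3, 10)},
    {"host": "192.168.3.45", "cve": "CVE-2014-0001", "cvss": 9.3, "found": date(2014, 3, 12)},
    {"host": "10.2.3.45", "cve": "CVE-2014-0003", "cvss": 7.5, "found": date(2014, 2, 1)},
]
# Constructed asset context from the GRC side: criticality 1 (low) to 3 (high).
ASSETS = {"10.1.2.30": {"name": "payments-db", "criticality": 3},
          "192.168.3.45": {"name": "lab-box", "criticality": 1},
          "10.2.3.45": {"name": "hr-portal", "criticality": 2}}
# Constructed threat intel feed: CVE ids reported as exploited in the wild.
ACTIVELY_EXPLOITED = {"CVE-2014-0001"}
# Assumed remediation policy: days allowed per priority band.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}
TODAY = date(2014, 3, 18)  # reference date used for SLA checks

def score(finding):
    """Priority = CVSS x asset criticality, doubled when the CVE is actively exploited."""
    crit = ASSETS.get(finding["host"], {"criticality": 1})["criticality"]
    s = finding["cvss"] * crit
    if finding["cve"] in ACTIVELY_EXPLOITED:
        s *= 2
    return round(s, 1)

def band(s):
    return "critical" if s >= 20 else "high" if s >= 10 else "medium"

def prioritize(findings, today=TODAY):
    """Rank findings by score and attach band, SLA due date and overdue flag."""
    ranked = []
    for f in findings:
        s = score(f)
        b = band(s)
        due = f["found"] + timedelta(days=SLA_DAYS[b])
        ranked.append({**f, "score": s, "band": b, "due": due, "overdue": today > due})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)

def kpis(ranked):
    """Dashboard KPIs: share of findings past SLA, and exploited CVEs on top-tier assets."""
    overdue = sum(r["overdue"] for r in ranked)
    exposed = sum(1 for r in ranked if r["cve"] in ACTIVELY_EXPLOITED
                  and ASSETS.get(r["host"], {}).get("criticality") == 3)
    return {"total": len(ranked), "overdue_pct": round(100 * overdue / len(ranked)),
            "exploited_on_critical": exposed}
```

Note how the same CVE lands in different bands on different hosts: business context, not the scanner's CVSS alone, decides what Alice fixes first and what Carlos sees as overdue.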
Preventative IT Security Risk Solutions (overview repeated, now highlighting Security Operations)
Preventative: IT Security Risk (Scan Results, Remediation Workflow, Threat Correlation, Gold Build Images, Indicators and Metrics). Measure Outcomes.
Responsive: Security Operations (Incidents & Investigations, Breach, Crisis, SOC). Measure Outcomes.
RSA Archer eGRC Foundation: Assets (IT Context, Biz Context), Regulatory, Data Catalogs (CVE/CVSS, CWE, CPE, CCE, Threat Intel, UCF), Identity (Login/Logout, Repositories).
Platform services: Integrations, Focused UIs (Persona Based UI, Interactive Charts, Searching and Filtering), Workflow, Ticketing, Reports, Exceptions, Notifications.
SOC Challenges Today
Event focused and reactive, with no centralization of alerts or incident management: lack of context, lack of best practices, lack of process.
Security Operations Domain
What is SecOps? A consistent, predictable business process that orchestrates and manages people, process and technology across Incident, Breach, SOC Program and IT Security Risk.
Security Operations: RSA SecOps
Context: RSA Archer Enterprise (business context) and RSA Archer BCM (Crisis Events).
Alerts: Capture & Analyze Packets, Logs & Threat Feeds; Launch to SA.
Flow: Aggregate Alerts to Incidents -> Incident Response -> Breach Response.
SOC Program: Dashboard & Report.
The Value of SecOps
Personas: CISO, IT Security Analyst, Incident Coordinator.
Enable SOC/IR Analysts to Be More Effective: Incident Prioritization, Visibility & Biz Context, Workflow to guide IR process, Threat Intelligence, Response Procedures, Automation.
Optimize SOC Investments: Monitor KPIs, Identify gaps & improve, Measure Security Controls, Manage SOC Team.
Manage IT Security & Business Risk: Data Breach, Enterprise Risk, Vendor Risk, Compliance Risk and more.
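The "Aggregate Alerts to Incidents" step with business context attached, and the "Malware outbreak on multiple machines" case from the noise-factor slide, as an added illustration that is not RSA SecOps code; the alert feed format, asset criticalities, severities and two-hour correlation window are all constructed for the example.

```python
# Added illustration, not RSA's code: how a SecOps workflow turns raw alerts into
# context-ranked incidents and flags multi-host outbreaks. All data is constructed.
from datetime import datetime, timedelta

# Constructed alert feed: "<timestamp>|<source>|<host>|<type>|<detail>"
ALERTS = """\
2014-03-18 08:02|av|10.1.2.30|malware|Trojan.Generic detected
2014-03-18 08:30|ids|192.168.100.23|auth_fail|30 failed SSH logins
2014-03-18 08:55|ids|192.168.100.23|auth_success|admin login after failures
2014-03-18 14:53|av|10.10.2.32|malware|Trojan.Generic detected
2014-03-18 17:07|ids|192.168.3.45|portscan|inbound port scan
2014-03-18 20:02|av|10.2.3.45|malware|Trojan.Generic detected
"""
# Constructed business context from the GRC side: asset criticality 1 (low) to 3 (high).
CRITICALITY = {"10.1.2.30": 3, "192.168.100.23": 3, "10.10.2.32": 1, "192.168.3.45": 1, "10.2.3.45": 2}
BASE_SEVERITY = {"malware": 3, "auth_fail": 1, "auth_success": 2, "portscan": 1}
WINDOW = timedelta(hours=2)  # assumed per-host correlation window

def parse(text):
    alerts = []
    for line in text.strip().splitlines():
        ts, src, host, kind, detail = line.split("|")
        alerts.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M"), "src": src,
                       "host": host, "kind": kind, "detail": detail})
    return alerts

def aggregate(alerts):
    """Group alerts per host within WINDOW into incidents ranked by severity x criticality."""
    incidents = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        cur = next((i for i in incidents
                    if i["host"] == a["host"] and a["ts"] - i["last"] <= WINDOW), None)
        if cur is None:
            cur = {"host": a["host"], "criticality": CRITICALITY.get(a["host"], 1),
                   "first": a["ts"], "last": a["ts"], "alerts": []}
            incidents.append(cur)
        cur["alerts"].append(a)
        cur["last"] = a["ts"]
    for i in incidents:
        i["priority"] = max(BASE_SEVERITY[a["kind"]] for a in i["alerts"]) * i["criticality"]
    return sorted(incidents, key=lambda i: i["priority"], reverse=True)

def outbreaks(incidents):
    """The same malware detail on several hosts is one outbreak, not N separate tickets."""
    hosts_by_detail = {}
    for i in incidents:
        for a in i["alerts"]:
            if a["kind"] == "malware":
                hosts_by_detail.setdefault(a["detail"], set()).add(i["host"])
    return {d: h for d, h in hosts_by_detail.items() if len(h) > 1}
```

The failed logins followed by a successful admin login collapse into one incident on a high-criticality host, which ranks above a malware hit on a low-value kiosk; that ordering is the context the "SOC Challenges Today" slide says is missing.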