SESSION ID: SDS2-R08
Operationalizing the Three Principles of Advanced Threat Detection
Zulfikar Ramzan, Ph.D., Chief Technology Officer, RSA (@zulfikar_ramzan)
Dealing with Traffic Congestion
Singapore had major traffic congestion pre-1975 and introduced fixed manual road pricing. It was an initial success, but a new variable electronic road pricing (ERP) program was introduced in 1998. The new ERP program was very successful in reducing traffic further. What explains its success?
Sunk cost fallacy (behavioral economics): we should make decisions based on future value; instead our reasoning is overly tainted by past investments. (Relevant to security!)
Why Organizations Struggle
Threat actors evolve
- Attacks only get better
- Groups are organized; attacks go unnoticed until it's too late
- Incidents have increasing financial impact
There's too much noise
- Incidents are hidden in a massive amount of normal activity
- Scattered data hurts efficient investigations and limits agility to assess the complete scope of an incident
Experts are hard to find
- The rate of attacks overwhelms analysts
- Expertise is limited
- Keeping abreast of the latest threats is challenging
Why Intrusions Are Successful
- Attacks are targeted (e.g., via repeated use of polymorphism and metamorphism); macro-distribution has been supplanted by micro-distribution.
- Powerful attack toolkits are available with tiered pricing and 24x7 customer support.
- An ecosystem for buying and selling tools and cybercriminal services democratizes advanced attacks.
Stages of an Attack
- Recon: scanning, social network analysis
- Initial Entry: spear phish, waterhole, web app vuln, removable media, CVEs, 0-days
- Persist: privilege escalation, finding run keys, modifying scripts
- Install Tools: web shells, dropped secondary malware
- Move Laterally: pass the hash, pass the ticket, RDP, CVEs, remote services
- Collect, Exfil, Exploit: one or more hops, drop zones, data destruction / manipulation
Today's Threats: Where to Focus
1. Targeted: specific objective
2. Stealthy: low and slow
3. Interactive: human involvement
Attack timeline: Attack Begins -> System Intrusion -> Cover-Up -> Leap Frog Attacks -> Cover-Up Complete -> Discovery -> Attack Identified -> Response
Dwell Time runs from the start of the attack until it is identified; Response Time runs from identification until response.
1. Decrease Dwell Time
2. Speed Response Time
Three Strategic Pillars
1. Analytics
2. Identity
3. Risk
Visibility is the foundation for mitigating the risk of today's threats
"If you really want to protect your network, you really have to know your network. You have to know the devices, the security technologies, and the things inside it."
- Rob Joyce, NSA TAO Chief, Usenix Enigma 2016
Key Visibility Points
Logs, Netflow, Packets, Endpoints, Cloud, Identities
Operationalize Visibility Through Analytics
Visibility alone leads to alert fatigue; analytics is necessary for operationalizing visibility.
1. Pre-process data: extract metadata and organize it into chunks
2. Group alerts, since the same campaign can generate multiple alerts
3. Pivot between different visibility points (e.g., from network to endpoint)
4. Surface important events through analytics to simplify analyst tasks
5. Prioritize alerts through asset categorization
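As an added illustration of the five steps on this slide (not code from the talk or from RSA), the following sketch parses constructed alert lines from two visibility points, groups them into campaigns by a shared destination, pivots endpoint alerts onto their host's campaign, and ranks campaigns by asset category. The asset inventory, category weights and alert lines are all constructed sample data.

```python
from collections import defaultdict

# Constructed asset inventory: the category drives prioritization (step 5).
ASSET_CATEGORY = {"db01": "crown-jewel", "hr-fs": "sensitive", "kiosk7": "low"}
CATEGORY_WEIGHT = {"crown-jewel": 3, "sensitive": 2, "low": 1}

# Constructed alerts from two visibility points (network and endpoint).
RAW_ALERTS = [
    "2024-01-05T10:00:01Z network host=db01 dst=203.0.113.9 rule=c2-beacon",
    "2024-01-05T10:00:07Z endpoint host=db01 proc=powershell.exe rule=encoded-cmd",
    "2024-01-05T10:02:13Z network host=kiosk7 dst=203.0.113.9 rule=c2-beacon",
    "2024-01-05T10:05:40Z endpoint host=hr-fs proc=unknown.exe rule=cred-dump",
]

def parse(line):
    """Step 1: turn one raw alert line into a metadata dict (key=value pairs)."""
    ts, source, *pairs = line.split()
    meta = {"ts": ts, "source": source}
    meta.update(pair.split("=", 1) for pair in pairs)
    return meta

def group_by_campaign(alerts):
    """Steps 2 and 3: network alerts sharing a destination form one campaign;
    endpoint alerts join the campaign already seen for their host (the pivot).
    Hosts with no network indicator get a campaign of their own."""
    host_to_campaign = {a["host"]: a["dst"] for a in alerts if "dst" in a}
    groups = defaultdict(list)
    for a in alerts:
        key = a.get("dst") or host_to_campaign.get(a["host"], "host:" + a["host"])
        groups[key].append(a)
    return groups

def pivot(alerts, host):
    """Step 3 on its own: every alert about a host, from any visibility point."""
    return [a for a in alerts if a["host"] == host]

def prioritize(groups):
    """Steps 4 and 5: score each campaign by its most critical asset times the
    number of visibility points that corroborate it, highest first."""
    scored = []
    for key, members in groups.items():
        weight = max(CATEGORY_WEIGHT[ASSET_CATEGORY[a["host"]]] for a in members)
        sources = len({a["source"] for a in members})
        scored.append((weight * sources, key, members))
    return sorted(scored, key=lambda s: s[0], reverse=True)

def triage(lines=RAW_ALERTS):
    """Run the pipeline end to end; returns (score, campaign key, alerts) tuples."""
    return prioritize(group_by_campaign([parse(line) for line in lines]))
```

With the sample data, the campaign against the crown-jewel host (corroborated by both network and endpoint) ranks first; the single endpoint alert on the sensitive file server ranks second.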
Identity as a Foundation of Security
Identity is foundational and will matter even more as the threat landscape evolves.
Security is about ensuring that only the right people have access to the right resources at the right times and use them in the right ways.
Enterprise Identity Crisis
As mobile devices and cloud services proliferate, identity becomes the new perimeter.
- 88% of organizations using cloud services, or planning to use cloud services in the near future, have a cloud-first strategy. (Gartner)
Organizations have legacy identity architectures and islands of identity.
- 25% of IT professionals said their orgs have multiple identity repositories, so it's difficult to get a complete understanding of user and access privileges. (ESG)
The security team neither designed nor owns the identity infrastructure.
- 23% of IT and cybersecurity professionals say their IAM infrastructure was really built for user convenience and not strong security. (ESG)
Malware Reality Check
- Advanced breaches don't have to involve malware: SQL Injection -> Web Shell -> RDP
- Advanced breaches can be very simple, e.g., credential theft
- Every breach involves co-opting of identity (authentication isn't the same as identity assurance)
Identity is More Than Authentication
Governance, Access / Auth, Lifecycle, Assurance
Embrace and own your risk
Financial risk, Physical risk, Operational risk, Currency fluctuation risk, IT Security risk, Regulatory risk, Supply chain risk
Tying the Pieces Together
Organizational layers, from business to technology: CEO / Board, CCO, CIO, CISO, CIRC / SOC / Identity Team, Individual.
BUSINESS
- At a business level, orgs want to mitigate risk; risk is multifaceted (financial risk, physical risk, operational risk, etc.). IT security risk is the most prominent and least understood aspect of organizational risk.
- Security is a CEO / Board discussion, and CISOs and CIOs must translate low-level concepts into the language of risk.
- Assessing IT security risk requires measuring your environment, which requires visibility and analytics (you can't measure what you can't see).
TECHNOLOGY
- Visibility is multifaceted; visibility plus analytics enables proactive hunting, attack scoping, establishing normal patterns, and identifying misuse. The most consequential attack vector, requiring the deepest visibility, is identity.
- There is no more perimeter, just islands of identity. Security is fundamentally about ensuring that only the right people can access the right resources at the right times and do the right things with them. Achieving that requires a robust notion of identity.
Shift Priorities and Capabilities
How we spend: Prevention 80%, Monitoring 15%, Response 5%
How we should spend: Prevention 33%, Monitoring 33%, Response 33%
The Revised Operational Roadmap
Security Operations / Governance, Risk, Compliance
Threat Intel
Visibility points: Logs, Netflow, Packets, Endpoint, Cloud, Identity
Application: Short Term
- Review your security budget allocation: are you overspending on prevention relative to detection and response?
- Identify what blind spots you have across your IT assets and whether those blind spots represent critical assets
Application: Medium Term
- Determine which identity-related use cases you control
- Identify, more thoroughly, which assets are the most critical (and develop a regular cadence for reviewing and prioritizing those assets)
Takeaways
1. Pervasive visibility is foundational for addressing today's threats; operationalizing visibility requires analytics
2. A comprehensive identity strategy must be part of your overall security strategy, with clear lines of ownership and responsibility
3. Security is becoming recognized as a business problem; addressing boards and executives requires the language of risk, which you must embrace and own