Operationalizing the Three Principles of Advanced Threat Detection


Transcription:

SESSION ID: SDS2-R08
Operationalizing the Three Principles of Advanced Threat Detection
Zulfikar Ramzan, Ph.D., Chief Technology Officer, RSA, @zulfikar_ramzan

Dealing with Traffic Congestion
- Singapore: major traffic congestion pre-1975; introduced fixed manual road pricing
- Initial success, but a new variable electronic road pricing (ERP) program was introduced in 1998
- The new ERP program was very successful in reducing traffic further. What explains its success?
- Sunk cost fallacy (behavioral economics): we should make decisions based on future value; instead our reasoning is overly tainted by past investments. (Relevant to security!)

Why Organizations Struggle
Threat actors evolve:
- Attacks only get better
- Groups are organized; attacks go unnoticed until it's too late
- Incidents have increasing financial impact
There's too much noise:
- Incidents are hidden in a massive amount of normal activity
- Scattered data hurts efficient investigation and limits the agility to assess the complete scope of an incident
Experts are hard to find:
- The rate of attacks overwhelms analysts
- Expertise is limited
- Keeping abreast of the latest threats is challenging

Why Intrusions Are Successful
- Attacks are targeted (e.g., via repeated use of polymorphism and metamorphism); macro-distribution has been supplanted by micro-distribution
- Powerful attack toolkits are available with tiered pricing and 24x7 customer support
- An ecosystem for buying and selling tools and cybercriminal services democratizes advanced attacks

Stages of an Attack (stage: typical techniques)
- Recon: scanning, social network analysis
- Initial entry: spear phish, waterhole, web app vuln, removable media, CVEs, 0-days
- Persist: privilege escalation, finding run keys, modifying scripts
- Install tools: web shells, dropped secondary malware
- Move laterally: pass the hash, pass the ticket, RDP, CVEs, remote services
- Collect, exfil, exploit: one or more hops, drop zones, data destruction / manipulation

Today's Threats: Where to Focus
Characteristics of today's threats:
1. Targeted: specific objective
2. Stealthy: low and slow
3. Interactive: human involvement
(Figure: attack timeline. System intrusion, attack begins, cover-up discovery, leap-frog attacks, cover-up complete. Dwell time runs from the start of the attack until the attack is identified; response time runs from identification until the response.)
Where to focus:
1. Decrease dwell time
2. Speed response time

Three Strategic Pillars
1. Analytics
2. Identity
3. Risk

Visibility is the foundation for mitigating the risk of today's threats.
"If you really want to protect your network, you really have to know your network. You have to know the devices, the security technologies, and the things inside it." - Rob Joyce, NSA TAO Chief, Usenix Enigma 2016

Key Visibility Points
- Logs
- Netflow
- Packets
- Endpoints
- Cloud
- Identities

Operationalize Visibility Through Analytics
Visibility alone leads to alert fatigue; analytics is necessary for operationalizing visibility.
1. Pre-process data: extract metadata and organize it into chunks
2. Group alerts, since the same campaign can generate multiple alerts
3. Pivot between different visibility points (e.g., from network to endpoint)
4. Surface important events through analytics to simplify analyst tasks
5. Prioritize alerts through asset categorization
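The five steps above, worked through as an added Python example (not code from the talk or from any RSA product): raw netflow and endpoint events are normalized, collapsed into campaigns on a shared indicator, pivoted across visibility points on the same host, and ranked by corroboration and asset criticality. All events, hostnames, indicators and the criticality table are constructed sample data.

```python
from collections import defaultdict

# Constructed sample events from two visibility points (not from the talk).
RAW_EVENTS = [
    {"source": "netflow", "host": "ws-17", "ioc": "203.0.113.9", "sig": "periodic-beacon"},
    {"source": "endpoint", "host": "ws-17", "ioc": "rundll32.exe", "sig": "unsigned-dll-load"},
    {"source": "netflow", "host": "db-01", "ioc": "203.0.113.9", "sig": "periodic-beacon"},
    {"source": "endpoint", "host": "ws-22", "ioc": "outlook.exe", "sig": "macro-spawned-shell"},
    {"source": "netflow", "host": "ws-22", "ioc": "198.51.100.7", "sig": "dns-tunnel-pattern"},
]
# Constructed asset categorization for step 5: higher number = more critical asset.
ASSET_CRITICALITY = {"db-01": 3, "ws-17": 1, "ws-22": 1}

def preprocess(events):
    """Step 1: reduce heterogeneous raw events to a uniform metadata record."""
    return [{"host": e["host"], "source": e["source"], "sig": e["sig"], "ioc": e["ioc"]}
            for e in events]

def group_alerts(alerts):
    """Step 2: one campaign yields many alerts; collapse them on the shared indicator."""
    campaigns = defaultdict(list)
    for a in alerts:
        campaigns[(a["sig"], a["ioc"])].append(a)
    return campaigns

def pivot(alerts, host, exclude_source):
    """Step 3: from one visibility point, fetch what the other points saw on the same host."""
    return [a for a in alerts if a["host"] == host and a["source"] != exclude_source]

def triage(events):
    """Steps 4 and 5: surface campaigns by cross-source corroboration and asset criticality."""
    alerts = preprocess(events)
    ranked = []
    for key, members in group_alerts(alerts).items():
        hosts = sorted({a["host"] for a in members})
        corroborated = sum(1 for h in hosts if pivot(alerts, h, members[0]["source"]))
        criticality = max(ASSET_CRITICALITY.get(h, 0) for h in hosts)
        # Weighting (an assumption of this example): asset criticality dominates,
        # then corroboration from a second visibility point, then number of hosts.
        score = criticality * 10 + corroborated * 5 + len(hosts)
        ranked.append({"campaign": key, "hosts": hosts, "corroborated": corroborated,
                       "criticality": criticality, "score": score})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)

if __name__ == "__main__":
    for r in triage(RAW_EVENTS):
        print(r["score"], r["campaign"], r["hosts"])
```

The beacon campaign rises to the top because it touches the most critical asset and is corroborated by an endpoint alert on one of its hosts, even though no single alert about it is more severe than the others.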

Identity as a Foundation of Security
Identity is foundational and will matter even more as the threat landscape evolves.
Security is about ensuring that only the right people have access to the right resources at the right times and use them in the right ways.

Enterprise Identity Crisis
- As mobile devices and cloud services proliferate, identity becomes the new perimeter. 88% of organizations using cloud services, or planning to use cloud services in the near future, have a cloud-first strategy. (Gartner)
- Organizations have legacy identity architectures and islands of identity. 25% of IT professionals said their orgs have multiple identity repositories, so it's difficult to get a complete understanding of user & access privileges. (ESG)
- The security team neither designed nor owns the identity infrastructure. 23% of IT and cybersecurity professionals say their IAM infrastructure was really built for user convenience and not strong security. (ESG)

Malware Reality Check
- Advanced breaches don't have to involve malware: SQL injection -> web shell -> RDP
- Advanced breaches can be very simple, e.g., credential theft
- Every breach involves co-opting of identity (authentication isn't the same as identity assurance)

Identity is More Than Authentication
- Governance
- Access / Auth
- Lifecycle
- Assurance

Embrace and own your risk
Risk is multifaceted: financial risk, physical risk, operational risk, currency fluctuation risk, IT security risk, regulatory risk, supply chain risk.

Tying the Pieces Together
(Figure: organizational ladder from CEO / Board, CCO, CIO, CISO, and CIRC / SOC / identity team down to the individual, spanning the business and technology layers below.)
Business:
- At a business level, orgs want to mitigate risk; risk is multifaceted (financial risk, physical risk, operational risk, etc.). IT security risk is the most prominent and least understood aspect of organizational risk.
- Security is a CEO / Board discussion, and CISOs & CIOs must translate low-level concepts into the language of risk.
- Assessing IT security risk requires measuring your environment, which requires visibility & analytics (you can't measure if you can't see).
Technology:
- Visibility is multifaceted; visibility + analytics enables proactive hunting, attack scoping, establishing normal patterns, and identifying misuse.
- The most consequential attack vector, requiring the deepest visibility, is identity.
- There is no more perimeter, just islands of identity. Security is fundamentally about ensuring that only the right people can access the right resources at the right times and do the right things with them. Achieving that requires a robust notion of identity.

Shift Priorities and Capabilities
Budget split        How we spend    How we should spend
Prevention          80%             33%
Monitoring          15%             33%
Response            5%              33%

The Revised Operational Roadmap
(Figure: Security Operations / Governance, Risk, Compliance and Threat Intel layered over the visibility sources: logs, netflow, packets, endpoint, cloud, identity.)

Application: Short Term
- Review your security budget allocation: are you overspending on prevention relative to detection and response?
- Identify what blind spots you have across your IT assets and whether those blind spots represent critical assets

Application: Medium Term
- Determine which identity-related use cases you control
- Identify, more thoroughly, which assets are the most critical (and develop a regular cadence for reviewing and prioritizing those assets)

Takeaways
1. Pervasive visibility is foundational for addressing today's threats; operationalizing visibility requires analytics
2. A comprehensive identity strategy must be part of your overall security strategy, with clear lines of ownership and responsibility
3. Security is becoming recognized as a business problem; addressing boards and executives requires the language of risk, which you must embrace and own