Why SIEM – Why Security Intelligence??

Presentation transcript:

Why SIEM – Why Security Intelligence??
Presented by: Curtis Johnson, LogRhythm Sales Engineer
Sponsored by:

The Expanding Cyber Threat
Motives: Political, Ideological, Criminal

Examples:
- Political: Allegedly, North Korea is responsible for the mass data theft from Sony Entertainment as payback for releasing the movie “The Interview”.
- Ideological: The Syrian Electronic Army is responsible for a number of website defacements; in Jan 2015 SEA hackers managed to infiltrate Le Monde’s publishing tool before launching a denial of service.
- Criminal: A cyberattack exposed the data of 11 million Premera Blue Cross members, to sell the identities on the black market and enable identity theft.

Damaging Data Breaches

Examples:
- Anthem: 80 Million Accounts Stolen. Criminals accessed names, birthdays, email addresses, Social Security numbers, addresses, and employment data (including income). This is highly valuable data that can be sold on the black market to enable identity theft.
- Home Depot: 56 Million Credit Cards Stolen. Credit/debit cards and email addresses that can be sold on the black market for credit card abuse.
- JP Morgan: 83 Million Accounts Exposed. Theft of email addresses, home addresses, and phone numbers, which can be sold on the black market to enable fraud.
- eBay: 145 Million Accounts Compromised. Theft of names, email addresses, home addresses, phone numbers, and dates of birth.
- Target: 40 Million Credit Cards Stolen. Credit card data to be sold on the black market.

Most Companies Compromised
“71% of organizations were compromised by a successful cyber attack in 2014.”
Source: 2015 Cyberthreat Defense Report from CyberEdge Group, as reported by SC Magazine, 3/12/2015
IT’S WHEN, NOT IF…!

Notes: Most companies have had some form of compromise in the past year; it is not just big companies. Almost 3 out of 4 companies were compromised by a successful attack. Some avoided a data breach by detecting the compromise, but some didn’t.

Prevention is Futile
“Advanced targeted attacks make prevention-centric strategies obsolete. Securing enterprises in 2020 will require a shift to information and people-centric security strategies, combined with pervasive internal monitoring and sharing of security intelligence.”
“By 2020, 60% of enterprise information security budgets will be allocated for rapid detection and response approaches, up from less than 10% in 2013.”
- Neil MacDonald

Faster Detection & Response Reduces Risk
- 229: median number of days that threat groups were present on a victim’s network before detection (Mandiant 2014 Threat Report)
- 2,287 days was the longest time to detection observed (Mandiant 2014 Threat Report)
- In 60% of cases, attackers are able to compromise an organization within minutes (2015 Verizon Data Breach Report)

As organizations improve their ability to quickly detect and respond to threats, the risk of experiencing a high-impact breach is greatly reduced.

Sources:
http://www.verizonenterprise.com/DBIR/2015/
https://dl.mandiant.com/EE/library/WP_M-Trends2014_140409.pdf

(Chart label: RISK & IMPACT OF BREACH)

Ever Increasing Cyber Risk
Advanced threat / APT detection, data exfiltration, compromised hosts, inappropriate network use, fraud, insider threats, compromised accounts, compromised credentials, network misuse, compliance violations, state-sponsored attacks.
Source: PwC, The Global State of Information Security Survey 2015

Today’s Threat Environment
Some threats are conclusively recognized at run-time and prevented at the endpoint and perimeter. However, many threats:
- require a broader view to recognize
- will only emerge over time
- get lost in the noise

Only advanced analytics can detect these threats:
- detecting a class of threats only a Big Data approach can realize
- effectively prioritizing threats, separating the signal from the noise
- providing the intelligence required to deliver optimally orchestrated and enabled incident response

A Security Intelligence Driven Approach is Required
The cost of mitigating a threat, and the risk to the business, rise exponentially across the lifecycle of a threat from inception to mission attainment.

Attack lifecycle: Reconnaissance → Initial Compromise → Command & Control → Lateral Movement → Target Attainment (Exfiltration, Corruption, Disruption)

Organizations that want to reduce their risk of experiencing a high-impact cyber breach or incident must kill the threat early in its lifecycle, across the holistic attack surface.

Holistic Attack Surface
Network, User, Endpoint (the slide repeats the three surfaces as a word cloud)

Threat Lifecycle Management™: End-to-End Detection & Response Workflow
Unified Security Intelligence Platform

Forensic data feeding the workflow: security event data captured; log & machine data generated; forensic sensor data

Time to detect:
- DISCOVER: user analytics, machine analytics
- QUALIFY: assess the threat and determine whether it may pose risk and whether a full investigation is required.

Time to respond:
- INVESTIGATE: fully analyze the threat and the associated risk; determine whether an incident has occurred or is occurring.
- MITIGATE: implement countermeasures and controls that mitigate the risk presented by the threat.
- RECOVER: eradicate, clean up, report, review, adapt

Creating a Security Eco System
Businesses have been buying these solutions for years… SIEM makes these pieces work as a single security eco system:
- Security: Firewall, IPS, Malware, WAF, End Point
- Network: Routers, Switches, Wireless
- Directory Services: Active Directory, Users, Groups
- Data Management: Data Loss, Data in Motion, Data at Rest
- Email: Spam, Phishing
- Physical: Alarms, Surveillance, Access Control

LogRhythm Security Intelligence Maturity Model

Level   Progression           Description
0       BLIND                 No visibility
1       MINIMALLY COMPLIANT   Check box
2       SECURELY COMPLIANT    Holistic view; breaking log silos; machine analytics
3       VIGILANT              Host data collection; 3rd-party feeds; packet captures; automated response
4       RESILIENT             Forward looking; 24x7 SOC
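The two preceding slides (the SIEM "eco system" of separate log sources, and the Level 2 step of "breaking log silos" with "machine analytics") are easier to grasp with a concrete, minimal instance. The following is example code written for this transcript; it is not LogRhythm's product, not code from the presentation, and not a real SIEM. It takes three constructed log silos (Windows AD logon events, a firewall, an endpoint agent), normalizes them into one time-ordered schema, runs one cross-source correlation rule, and reports the slide's "time to detect" for each alert. Windows event IDs 4625/4624 are the real failed/successful-logon IDs; the users, hosts, addresses, log formats and the assumed syslog year (2024) are all made up for the example.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log lines for this example (not from the slides). Three silos,
# three formats: Windows AD security events, a firewall, an endpoint agent.
# 4625/4624 are the real Windows failed/successful logon event IDs; the users, hosts
# and addresses are invented (203.0.113.0/24 is a documentation range).
AD_LOG = """\
2024-03-01T09:00:01Z EventID=4625 user=jdoe src=10.0.0.8
2024-03-01T09:00:04Z EventID=4625 user=jdoe src=10.0.0.8
2024-03-01T09:00:09Z EventID=4625 user=jdoe src=10.0.0.8
2024-03-01T09:00:15Z EventID=4624 user=jdoe src=10.0.0.8
2024-03-01T09:10:00Z EventID=4624 user=asmith src=10.0.0.21
"""
FW_LOG = """\
Mar  1 09:02:30 fw1 ALLOW TCP 10.0.0.8:51234 -> 203.0.113.9:443 bytes=48210000
Mar  1 09:05:00 fw1 ALLOW TCP 10.0.0.21:51300 -> 10.0.0.5:445 bytes=1200
"""
EP_LOG = """\
2024-03-01T09:01:10Z host=ws-08 ip=10.0.0.8 alert=suspicious_process severity=high
"""

UTC = timezone.utc
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _iso(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)


def parse_ad(line):
    m = re.match(r"(\S+) EventID=(\d+) user=(\S+) src=(\S+)", line)
    kind = {"4625": "logon_fail", "4624": "logon_ok"}[m.group(2)]
    return {"ts": _iso(m.group(1)), "source": "ad", "kind": kind, "user": m.group(3), "ip": m.group(4)}


def parse_fw(line, year=2024):
    # Syslog timestamps carry no year; the year is an assumption of this example.
    m = re.match(r"(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (\w+) \w+ (\S+):\d+ -> (\S+):\d+ bytes=(\d+)", line)
    ts = datetime.strptime(" ".join(m.group(1).split()), "%b %d %H:%M:%S").replace(year=year, tzinfo=UTC)
    return {"ts": ts, "source": "firewall", "kind": "net_out", "action": m.group(2),
            "ip": m.group(3), "dst": m.group(4), "bytes": int(m.group(5))}


def parse_ep(line):
    m = re.match(r"(\S+) host=(\S+) ip=(\S+) alert=(\S+) severity=(\S+)", line)
    return {"ts": _iso(m.group(1)), "source": "endpoint", "kind": "ep_alert",
            "host": m.group(2), "ip": m.group(3), "alert": m.group(4)}


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def normalize(ad_log=AD_LOG, fw_log=FW_LOG, ep_log=EP_LOG):
    """Break the silos: one time-ordered stream with a shared schema."""
    events = [parse_ad(l) for l in ad_log.splitlines() if l.strip()]
    events += [parse_fw(l) for l in fw_log.splitlines() if l.strip()]
    events += [parse_ep(l) for l in ep_log.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, fail_threshold=3, window=timedelta(minutes=5)):
    """Cross-silo rule. Stage 1 (AD only): N failed logons for a user followed by a
    success from the same source IP. Stage 2 (AD + firewall, with endpoint alerts on
    the same IP attached as corroboration): a later outbound connection from that IP
    to a non-RFC1918 destination."""
    alerts, fails, suspect, corroboration = [], {}, {}, {}
    for e in events:
        if e["kind"] == "logon_fail":
            fails.setdefault(e["user"], []).append(e["ts"])
        elif e["kind"] == "logon_ok":
            recent = [t for t in fails.get(e["user"], []) if e["ts"] - t <= window]
            if len(recent) >= fail_threshold:
                suspect[e["ip"]] = (e["user"], recent[0])
                alerts.append({"rule": "brute_force_then_success", "user": e["user"], "ip": e["ip"],
                               "first_seen": recent[0], "detected": e["ts"], "sources": ["ad"]})
        elif e["kind"] == "ep_alert" and e["ip"] in suspect:
            corroboration.setdefault(e["ip"], []).append(e["alert"])
        elif e["kind"] == "net_out" and e["ip"] in suspect and is_external(e["dst"]):
            user, first = suspect[e["ip"]]
            alerts.append({"rule": "external_transfer_after_compromise", "user": user, "ip": e["ip"],
                           "dst": e["dst"], "bytes": e["bytes"], "first_seen": first, "detected": e["ts"],
                           "sources": ["ad", "firewall"] + (["endpoint"] if e["ip"] in corroboration else []),
                           "corroboration": corroboration.get(e["ip"], [])})
    return alerts


def time_to_detect(alert):
    """The slide's 'time to detect': first malicious event to the moment the rule fired."""
    return alert["detected"] - alert["first_seen"]


if __name__ == "__main__":
    for a in correlate(normalize()):
        print(f"{a['rule']:35} user={a['user']} ip={a['ip']} ttd={time_to_detect(a)} sources={a['sources']}")
```

Run on its own, the script raises two alerts for the constructed data: the AD-only stage fires 14 seconds after the first failed logon, and the cross-silo stage fires at the 48 MB outbound connection 149 seconds in, carrying the endpoint alert as corroboration. The point of the slide is visible in the second alert: the firewall line on its own is an ordinary allowed HTTPS session and the endpoint alert on its own is one of many; only after the three sources share a schema and a timeline does the combination become a qualified threat. Each level of the maturity model above adds another source (host data, third-party feeds, packet captures) to exactly this kind of joined stream, and the "time to detect" it reports is the metric the earlier Mandiant and Verizon numbers are measured in.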

Thank You! Any questions? Download the Security Intelligence Maturity Model whitepapers at: www.logrhythm.com/simm Sponsored by: