Published by Agatha Fowler. Modified over 6 years ago.
5 Obstacles to Faster Cyber Threat Detection and Response
Reasons Why Your Current Approach to Cybersecurity isn’t Working—and How to Fix Them
The problem is clear. Threat actors are becoming more advanced— and therefore more successful.
The modern cyber threat pandemic is growing.
Selected data breaches: 321 breaches in 2006, 953 breaches in 2010, and 3,930 breaches in 2015. 736 million records were exposed in 2015, compared to 96 million records in 2010. The security industry is facing serious talent and technology shortages.
Source: World’s Biggest Data Breaches, Information is Beautiful
It’s a perfect storm
It’s a perfect storm. Cyber attackers are becoming more sophisticated. The attack surface is expanding with the IoT and the cloud. And the cyber crime supply chain is becoming more organized and better funded.
(Slide graphic: Motivated Threat Actors; Expanding Attack Surface; Cyber-Crime Supply Chain)
It’s become apparent that prevention is not enough
It’s become apparent that prevention is not enough. A strategic shift is occurring—from prevention-centric strategies to detection and response.
“By 2020, 60% of enterprise information security budgets will be allocated for rapid detection and response approaches, up from 20% in” –Gartner, 2016
Sources: Gartner, Shift Cybersecurity Investment to Detection and Response, January 2016; Gartner, Forecast: Information Security, Worldwide, , 1Q16 Update, April 2016
Note: Excludes security services from estimated overall market spend for enterprise information security
Improving your mean time to detect (MTTD) and mean time to respond (MTTR) is the best solution to keeping modern threats at bay.
(Chart: MTTD & MTTR scale from months, weeks, days and hours down to minutes; the organization moves from high vulnerability and exposed to threats toward low vulnerability and resilient to threats.)
But there are obstacles holding you back from reducing your MTTD and MTTR
Obstacle 1: Alarm Fatigue
Your team is struggling to keep up with thousands of alarms every day. They’re being bombarded and they have no idea where to spend their time. The worst part is they can’t discern real events from false ones.
Obstacle 2: Swivel-Chair Analysis
Your team is using a multitude of technologies and attempting to tie data together manually. They’re constantly going from one screen to the next—creating a maze of confusion around your current state of security.
(Slide graphic: Network Monitoring & Forensics; User & Entity Behavioral Analytics; Log Management; SIEM; Endpoint Monitoring & Forensics; Security Automation & Orchestration; Network Behavioral Analytics; Security Analytics)
Obstacle 3: Forensic Data Silos
Your team is operating with multiple data sets. They’re struggling to somehow manually consolidate and correlate intelligence, but this process is error-prone, ineffective, and inefficient.
Obstacle 4: Fragmented Workflow
To investigate an incident, your team may be using informal processes and tools such as spreadsheets, Google Docs, and more to collaborate. Threats that could be detected slip through the cracks and are forgotten because your team lacks a centralized workflow and case management system.
Obstacle 5: Lack of Automation
Your team is struggling due to a lack of resources, and without automation, they are doing everything manually. You either don’t have budget for more employees, can’t find trained security personnel, or a combination of the two. As a result, your team is barely keeping their heads above water.
But don’t worry. You can overcome these obstacles without hiring a 24x7 SOC.
Challenge accepted. Enter Threat Lifecycle Management™—a framework that combines technology, process, and people so that your team can detect and respond to threats faster—without adding staff to do so.
Threat Lifecycle Management (TLM)
A series of aligned security operations capabilities. It begins with the ability to “see” broadly and deeply across the IT environment and ends with the ability to quickly mitigate and recover from security incidents. The goal is to reduce mean time to detect (MTTD) and mean time to respond (MTTR), while keeping staffing levels flat.
Speaker Notes: What is Threat Lifecycle Management? It’s a series of aligned capabilities that begins with the ability to see very broadly and deeply across the environment, and ends with the ability to quickly respond to and neutralize a threat. Technology is the key enabler of bridging people and process: making process possible, making people highly effective and highly efficient. The goal of Threat Lifecycle Management is to reduce mean time to detect and mean time to respond without having to add more headcount.
End-to-End Threat Lifecycle Management Workflow
Time to Detect: Forensic Data Collection (security event data; log & machine data; forensic sensor data), Discover (search analytics; machine analytics), Qualify (assess threat; determine risk; is a full investigation necessary?).
Time to Respond: Investigate (analyze threat; determine nature and extent of incident), Neutralize (implement counter-measures; mitigate threat & associated risk), Recover (clean up; report; review; adapt).
Speaker Notes: Let’s take a deeper dive into Threat Lifecycle Management. What is the workflow comprised of?
It starts with Forensic Data Collection: pulling in security data from the products you’ve already invested in, log and machine data, and also data from forensic sensors such as endpoint and network forensic sensors for deeper visibility. The first part of this workflow is being able to see deeply and broadly across the environment.
Next is to Discover threats through two different techniques. Search analytics is good for the hunting-type workflow, where we’re searching through the data to discover threats or using search to qualify or investigate threats. But most important in a modern approach is machine analytics. This means moving the analytics to the software, leveraging AI and machine learning to automatically sort through all the data in real time and surface those threats that can only be seen through an analytics-driven approach. This ensures that the right threats are exposed to your team for rapid Qualification, the final phase of detection. Qualification teams need to be able to quickly go from an alarm back to the forensic data, pulling in context and intelligence to make very fast decisions around: is this a possible threat, or can I move on to the next alarm? This needs to happen within minutes.
On the response side, we need to focus on analyzing the threat, and here solutions like case management are critical. Tracking a threat requires further Investigation: the ability to go back to forensic log data with a click, pull in PCAPs, and collaborate across the investigation process and across the team to very quickly determine whether there is an incident. If there is, we move on to the next part of Threat Lifecycle Management, which is Neutralization. Neutralization removes the risk to the environment through countermeasures and controls. This is where we need heavy automation; in fact, we need automation across both Investigation and Neutralization. Automation lets us automate investigatory tasks that are common, and also automate the implementation of countermeasures. Say a user account gets compromised: we need to get it off the network, killing communications that are exfiltrating data. With one click those countermeasures can be implemented, and time to respond can be moved from days down to minutes.
Lastly is Recovery. Once the threat is gone, it means cleaning up afterwards and making sure the organization has learned and adapted to do better next time. That is the Threat Lifecycle Management workflow at a high level.
LogRhythm TLM Platform Top 5 Differentiators
Across the workflow (Time to Detect: Forensic Data Collection, Discover, Qualify; Time to Respond: Investigate, Neutralize, Recover), the five differentiators are: 1. Machine Data Intelligence Fabric (MDIF); 2. Precision Search; 3. Holistic Threat Detection; 4. Risk-Based Monitoring; 5. Embedded Security Automation and Orchestration.
Speaker Notes: Let’s focus for a bit on how LogRhythm sets itself apart from the competition. Here we have what we consider our five key differentiators, specifically around the delivery of Threat Lifecycle Management. It starts with our Machine Data Intelligence Fabric, our ability to broadly see and understand across the environment. Second is our search capabilities. Third is our ability to holistically detect threats across the entire attack surface. Fourth is our Risk-Based Monitoring approach. Fifth is our embedded SAO capabilities. I’m going to dig a bit deeper into each of these now.
Machine Data Intelligence Fabric
Machine Data Intelligence (MDI) Fabric sits between data generation and data collection and provides: uniform data classification; uniform data structure; time normalization; risk score; user persona; host persona; geolocation; flow direction; and more.
Benefits: serves as an IT environment abstraction layer; enables generic scenario representation; allows for high-efficacy packaged analytics modules.
Speaker Notes: Machine Data Intelligence is our ability to bring in data from everything you’re going to find in your environment. We support over 800 different types of logging devices. But on top of all that unstructured data is our Machine Data Intelligence, which provides a deep structuring of that data, contextualizing all of it in a uniform fashion. The goal and benefit is that we provide a uniform view of all of this data that is now optimized for downstream analytics. It makes sure that our analytics are uniquely accurate and also unlocks analytics that you can only realize when you have this level of intelligence around the underlying data.
Our Machine Data Intelligence also serves as an abstraction layer from the IT environment. One of the challenges with analytics is that the IT environment is constantly changing. You might go from a Check Point firewall to a Palo Alto firewall. When that change occurs, will all of your analytics break, or will they keep working? With LogRhythm, through our MDI, those analytics keep on working. It doesn’t matter what kind of firewall you have: our analytics are built on top of this Machine Data Intelligence fabric that abstracts away the details of the underlying technical environment. This allows you to describe scenarios in the data generically and ensures that the analytics keep working even as your underlying IT infrastructure changes. This is critically important to cost of ownership and efficacy of analytics. On top of that, it also enables our Labs team to give you out-of-the-box analytics modules so you can quickly adopt and get value from the platform.
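The abstraction-layer idea above (vendor-specific logs parsed into one uniform schema with normalized time, classification, action and direction, so a generic analytic survives a firewall swap) is illustrated here with a small normalizer written for this page. This is added example code, not LogRhythm's MDI implementation; the two log formats, field names and sample records are constructed for illustration and are not real vendor formats.

```python
from collections import Counter
from datetime import datetime, timezone
import re

# Constructed sample logs (not real vendor formats): one firewall emits key=value
# records with a local-time offset, the other emits CSV records already in UTC.
KV_LINES = [
    'time="2024-03-01 09:15:02 +0100" action=drop src=10.0.0.5 dst=203.0.113.9 dir=outbound',
    'time="2024-03-01 09:15:07 +0100" action=accept src=10.0.0.5 dst=203.0.113.9 dir=outbound',
]
CSV_LINES = [
    "2024-03-01T08:15:10Z,deny,10.0.0.5,198.51.100.4,out",
    "2024-03-01T08:16:00Z,deny,10.0.0.7,198.51.100.4,in",
]

# Uniform vocabulary: every source's values are mapped onto the same classification.
ACTIONS = {"drop": "deny", "deny": "deny", "accept": "allow", "allow": "allow"}
DIRECTIONS = {"outbound": "outbound", "out": "outbound", "inbound": "inbound", "in": "inbound"}

def uniform(ts, action, src, dst, direction):
    """Build one record in the uniform schema, with the timestamp normalized to UTC."""
    return {"ts": ts.astimezone(timezone.utc), "class": "network.firewall.connection",
            "action": ACTIONS[action], "src": src, "dst": dst, "direction": DIRECTIONS[direction]}

def parse_kv(line):
    """Source-specific parser for the key=value format (hypothetical vendor A)."""
    f = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    ts = datetime.strptime(f["time"], "%Y-%m-%d %H:%M:%S %z")
    return uniform(ts, f["action"], f["src"], f["dst"], f["dir"])

def parse_csv(line):
    """Source-specific parser for the CSV format (hypothetical vendor B)."""
    ts, action, src, dst, direction = line.split(",")
    ts = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return uniform(ts, action, src, dst, direction)

def normalize(kv_lines=KV_LINES, csv_lines=CSV_LINES):
    """The fabric: parsers differ per source, the output schema is the same for all."""
    return sorted([parse_kv(l) for l in kv_lines] + [parse_csv(l) for l in csv_lines],
                  key=lambda e: e["ts"])

def denied_outbound_per_host(events):
    """A generic analytic written only against the uniform schema. It never sees
    vendor field names, so replacing one firewall with another leaves it untouched."""
    return Counter(e["src"] for e in events
                   if e["class"] == "network.firewall.connection"
                   and e["action"] == "deny" and e["direction"] == "outbound")

if __name__ == "__main__":
    print(denied_outbound_per_host(normalize()))
```

Both sources contribute to the same count for 10.0.0.5 even though one wrote "drop"/"outbound" in local time and the other "deny"/"out" in UTC; adding a third firewall only means adding a parser, not rewriting the rule.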