Threat Lifecycle Management

1 Threat Lifecycle Management
Scott Renegar, Director, Sales Engineering

Hello and good morning everyone, I hope you are enjoying your breakfast. My name is Scott Renegar, I am the Director of Sales Engineering for LogRhythm, and I am based here in Dallas, TX. Today I am going to give you a short introduction to Threat Lifecycle Management, and discuss LogRhythm's approach to helping reduce your MTTD and MTTR.

2 The Modern Cyber Threat Pandemic
Selected data breaches (source: World's Biggest Data Breaches, Information is Beautiful):
- 321 breaches in 2006
- 953 breaches in 2010
- 3,930 breaches in 2015
- 736 million records were exposed in 2015, compared to 96 million records in 2010
- 2,000,000,000 records exposed in one breach at Yahoo!
- The security industry is facing serious talent and technology shortages

Is there anyone here who is not aware that we are smack dab in the middle of a cyber threat pandemic? Seriously, do any of you not know about this? I know that you do, because you are here, learning from others, sharing best practices, and exploring ways to improve your security posture. Victims of damaging cyber breaches are making the news almost every week. I'd like to help you not become one of them. This slide illustrates how much damage is being done, and the number of records exposed (bigger circles were breaches with more exposed records).

3 Can you see the threat?
Take a look at this landscape. What do you see? At first glance it seems like a benign landscape of rock, snow and ice. However, there is an intruder lurking in plain sight. An attacker is skilled in the art of blending in and not being seen. Now imagine all this visual detail of snow and rock is analogous to events, alerts and data. Everything looks normal. But can you, as a SOC analyst, identify the threat? Can you look past the noise and see the threat?

4 There it is. A Himalayan Snow Leopard
There it is! A Himalayan snow leopard, an expert in using its environment to hide in plain sight. Similar to a "bad actor", the snow leopard will use surveillance, stealth and patience. It will get close to its victim, understand the best vantage point to launch its attack and then wait patiently to maximize its chances of success. Think about Target, just one of many large breaches, but one that made the news for several reasons, and shifted the thoughts of many from protection to detection and response. For 279 days their attackers lay dormant on the network before an attack was launched. Other examples: Michaels (8 months), Home Depot (5 months), Sony, OPM, and Trump Hotels (1 year).

5 No End In Sight
Motivated threat actors; cyber-crime supply chain; expanding attack surface

Notes: Due to a combination of motivated threat actors, an active cyber-crime supply chain and organizations' constantly expanding attack surface, the risk of breaches continues to grow.

6 The Cyber Attack Lifecycle
Recon. & Planning -> Initial Compromise -> Command & Control -> Lateral Movement -> Target Attainment -> Exfiltration, Corruption, Disruption

Modern threats take their time and leverage the holistic attack surface.

The lifecycle of a threat begins with reconnaissance. Attackers find their way in by manipulating users, dropping USB keys in the parking lot, compromising the physical environment, etc. At some point, they will begin to engage with the environment and eventually compromise a system. If that compromise isn't detected, they will take increasing control over the environment and move laterally toward their target, taking over accounts and systems until they attain their target, where the biggest damage is done: exfiltration, corruption, disruption, etc. This is how threats work. If we can stop the attacker after the initial compromise, we can prevent the damaging breach.

7 Modern threats take their time and leverage the holistic attack surface
[Chart: MTTD & MTTR on a scale from months, weeks and days down to hours and minutes; organizations move from "exposed to threats / high vulnerability" to "resilient to threats / low vulnerability" as both shrink.]

MEAN TIME TO DETECT (MTTD): the average time it takes to recognize a threat requiring further analysis and response efforts.
MEAN TIME TO RESPOND (MTTR): the average time it takes to respond to and ultimately resolve the incident.

As organizations improve their ability to quickly detect and respond to threats, the risk of experiencing a damaging breach is greatly reduced.

Like spotting the snow leopard, it has become increasingly challenging to detect threats in our environment. Inevitably, hackers will get in. The key is to identify threats as early as possible in the attack lifecycle. Per Verizon's Data Breach Investigations Report, it takes 5 to 7 months to detect breaches, but the damage is done within the first 3 days. Reducing MTTD and MTTR is critical and the gap is huge. It's a simple concept, but many struggle to accomplish this. What's the solution? Faster detection and faster response. We've developed a model to assess your current maturity and ability to detect and respond to threats, to help customers measure their overall security posture. Many studies show that MTTD and MTTR are measured in weeks and months, and companies that want to improve need the types of solutions we provide.

8 Obstacles To Faster Detection & Response
Alarm Fatigue | Swivel Chair Analysis | Forensic Data Silos | Fragmented Workflow | Lack of Automation

Effective Threat Lifecycle Management addresses these obstacles and enables faster detection and response to threats.

Notes:
- Alarm Fatigue: hundreds or thousands of sensors generating events and alarms, leaving security teams struggling to know which to pay attention to.
- Swivel Chair Analysis: absent a trusted, centralized place for risk-based monitoring, analysts have to spend time in a variety of different product UIs investigating alarms, trying to manually piece everything together.
- Forensic Data Silos: absent a consolidated collection of the most commonly needed forensic data, analysts have to work within a variety of different data repositories; the time to investigate increases, and often analysts can't get to the information they need.
- Fragmented Workflow: teams don't have formal processes or tools that ensure high-priority threats are tracked to resolution, and spreadsheets become inefficient substitutes. Threats slip through the cracks when early indicators that were caught are forgotten about because they weren't tracked to full resolution.
- Lack of Automation: organizations haven't found ways to effectively automate routine IR actions, requiring teams to perform all activities manually. This means few investigations can be conducted, and a single incident could become all-consuming while other threats and incidents don't get the attention they deserve.

9 Threat Lifecycle Management (TLM)
- A series of aligned security operations capabilities
- Begins with the ability to "see" broadly and deeply across the IT environment
- Ends with the ability to quickly mitigate and recover from security incidents
- Goal is to reduce mean time to detect (MTTD) and mean time to respond (MTTR), while keeping staffing levels flat

Notes: At LogRhythm, we call this process Threat Lifecycle Management. It's built upon a series of aligned security operations capabilities which begins with the ability to "see" broadly and deeply across the IT environment and ends with the ability to quickly mitigate and recover from security incidents. Technology is the key enabler; its use helps bridge people and process, making process possible and making people highly effective and highly efficient, with the goal of reducing MTTD and MTTR while keeping staffing levels flat.

10 End-to-End Threat Lifecycle Management Workflow
Time to detect:
- Forensic Data Collection: security event data; log & machine data; forensic sensor data
- Discover: search analytics; machine analytics
- Qualify: assess threat; determine risk; is full investigation necessary?
Time to respond:
- Investigate: analyze threat; determine nature and extent of incident
- Neutralize: implement counter-measures; mitigate threat & associated risk
- Recover: clean up; report; review; adapt

Let's take a deeper dive into TLM: what is the workflow really comprised of? The ability to detect and respond to the threat early in the Cyber Attack Lifecycle is the key to protecting your company from large-scale impact, because the earlier an attack is detected and mitigated, the less the ultimate cost to your business. There are six phases to Threat Lifecycle Management.

Phase 1: Forensic Data Collection. Before any threat can be detected, you must be able to see evidence of it within the IT environment. To do this, you need to focus on three principal types of data, broadly and deeply: security event and alarm data, log and machine data, and forensic sensor data. Once visibility has been established, you stand a chance at detecting and responding to threats.

Discovery of potential threats is accomplished through a blend of search and machine analytics; in a more modern approach it's machine analytics, being able to look through the data in real time.

Discovered threats must then be quickly qualified to assess the potential impact to your business and to determine the urgency of additional investigation and response efforts. The qualification process is manual and time intensive, while also being very time sensitive. An efficient process will allow you to analyze a greater number of alarms with less staff, while also positively affecting overall MTTD and MTTR.

Once threats have been qualified, they need to be fully investigated to determine whether a security incident has occurred or is in progress. And what do you need to do that? You need rapid access to forensic data and intelligence on the threat. Automation of routine investigatory tasks, and tools that facilitate cross-organizational collaboration, are ideal at this stage especially for optimally reducing MTTR.

Next, you must implement mitigations to reduce and eventually eliminate risk to the business. For some threats, such as ransomware or compromised privileged users, every second counts. Easily accessible and updated incident response processes and playbooks, coupled with automation, are critically important.

Once the incident has been neutralized and risk to the business is under control, you can start recovery efforts. To recover effectively, it's important you have access to all forensic information surrounding the investigation and incident response process. This includes ensuring that any changes made during incident response are tracked, audit trail information is captured, and the affected systems are updated and brought back online. In addition, the recovery process should ideally include putting measures in place that leverage the gathered threat intelligence to detect if the threat returns or has left behind a back door.
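The workflow phases above, together with the MTTD and MTTR definitions from slide 7, as an added Python example that is neither LogRhythm's code nor part of the presenter's deck. It parses a handful of constructed sshd log lines (forensic data collection), raises an alarm when a burst of failed logins is followed by a success from the same source (discover, by machine analytics rather than manual search), scores the alarm by account privilege and a hypothetical threat-intel hit (qualify, so analysts triage by risk instead of drowning in alarms), either auto-blocks the source or queues the block for human approval (neutralize, with the approval tier acting as the control gate), and computes MTTD and MTTR from the resulting case timeline. The log format of the sample lines, the failure threshold and window, the score weights, the 90-point auto-block cut-off, the BAD_IPS and PRIVILEGED lists and the 30-second response latency are all assumptions made for the example.

```python
"""Toy Threat Lifecycle Management pass over constructed sshd log lines (added
example, not LogRhythm's or the presenter's code): collect -> discover ->
qualify -> neutralize, then MTTD and MTTR from the resulting case timeline."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample lines in OpenSSH sshd format; not from any real host.
SAMPLE_LOGS = """\
2023-03-01T08:00:01Z sshd[1201]: Failed password for admin from 203.0.113.5 port 51000 ssh2
2023-03-01T08:00:03Z sshd[1201]: Failed password for admin from 203.0.113.5 port 51001 ssh2
2023-03-01T08:00:05Z sshd[1201]: Failed password for admin from 203.0.113.5 port 51002 ssh2
2023-03-01T08:00:12Z sshd[1201]: Accepted password for admin from 203.0.113.5 port 51003 ssh2
2023-03-01T08:10:00Z sshd[1340]: Failed password for bob from 198.51.100.9 port 40001 ssh2
2023-03-01T08:10:02Z sshd[1340]: Accepted password for bob from 198.51.100.9 port 40002 ssh2
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
                    r"password for (?P<user>\S+) from (?P<src>\S+) port \d+")
BAD_IPS = {"203.0.113.5"}       # hypothetical threat-intel list (assumption)
PRIVILEGED = {"admin", "root"}  # hypothetical privileged accounts (assumption)
FAIL_THRESHOLD = 3              # failures inside WINDOW, then a success = alarm
WINDOW = timedelta(minutes=5)

@dataclass
class Alarm:
    user: str
    src: str
    first_evidence: datetime           # earliest log line tied to the threat
    detected_at: datetime              # when analytics raised the alarm
    failures: int
    score: int = 0
    action: str = ""
    resolved_at: Optional[datetime] = None

def parse(text):
    """Forensic data collection: raw lines -> (ts, result, user, src) tuples."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events

def discover(events):
    """Machine analytics: FAIL_THRESHOLD failures inside WINDOW, then a success,
    from the same (user, source) pair raises one alarm."""
    alarms, recent = [], {}
    for ts, result, user, src in sorted(events):
        fails = [t for t in recent.get((user, src), []) if ts - t <= WINDOW]
        if result == "Failed":
            fails.append(ts)
        elif len(fails) >= FAIL_THRESHOLD:
            alarms.append(Alarm(user, src, fails[0], ts, len(fails)))
            fails = []
        recent[(user, src)] = fails
    return alarms

def qualify(alarm):
    """Risk-based scoring so analysts triage by impact, not by arrival order."""
    score = 60                              # password guessing that succeeded
    score += 30 if alarm.user in PRIVILEGED else 0
    score += 20 if alarm.src in BAD_IPS else 0
    alarm.score = min(score, 100)
    return alarm.score

def neutralize(alarm, now, auto_block_at=90):
    """Automated response; alarms below auto_block_at wait for human approval."""
    if alarm.score >= auto_block_at:
        alarm.action = f"auto-blocked {alarm.src}"  # firewall API call would go here
        alarm.resolved_at = now
    elif alarm.score >= 50:
        alarm.action = "queued-for-approval"        # second tier: a human decides
    else:
        alarm.action = "closed-low-risk"
        alarm.resolved_at = now
    return alarm.action

def _mean_seconds(cases, start, end):
    vals = [(getattr(c, end) - getattr(c, start)).total_seconds()
            for c in cases if getattr(c, end) is not None]
    return sum(vals) / len(vals) if vals else None

def mttd(cases):
    """Mean time to detect: first evidence -> alarm raised."""
    return _mean_seconds(cases, "first_evidence", "detected_at")

def mttr(cases):
    """Mean time to respond: alarm raised -> threat neutralised (open cases excluded)."""
    return _mean_seconds(cases, "detected_at", "resolved_at")

def run(text):
    alarms = discover(parse(text))
    for a in alarms:
        qualify(a)
        neutralize(a, now=a.detected_at + timedelta(seconds=30))  # assumed latency
    return alarms
```

Running `run(SAMPLE_LOGS)` yields one alarm (the admin burst from the listed IP, score 100, auto-blocked) and none for bob, whose single failure never crosses the threshold; MTTD is 11 seconds and MTTR 30 seconds for that case. The numbers are toy values; the design point is the gate in `neutralize`: only alarms the scoring step rates highly enough are actioned without a human, which is what keeps automation from becoming a new source of outages.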

11 This Approach Is Not Effective
Network Monitoring & Forensics; Log Management; SIEM; User & Entity Behavioral Analytics (UEBA); Endpoint Monitoring & Forensics; Security Analytics; Security Automation & Orchestration (SAO); Network Behavioral Analytics

So here is one approach you could take. The problem is multi-faceted. It's not just the threat landscape you have to worry about; it's the tool set. Some are working with limited tools and resources, resulting in limited visibility and capacity. This leads to flying blind. Some have too many tools that are siloed and not working together. This leads to fragmented workflow, alarm fatigue, swivel chair analysis, and ineffective automation. Both of these approaches are ineffective. Both result in greater time to detect and respond to threats.

12 A Consolidated Workflow Approach
Forensic Data Collection -> Discover -> Qualify -> Investigate -> Neutralize -> Recover

This, rather, is our approach. We offer all of these solutions within a single UI, so your full Threat Lifecycle Management is covered, including an end-to-end workflow with case management. Rather than realizing TLM via a collection of different products, use a single platform that is designed to realize TLM as a whole, via products designed to work together and help you realize an optimally efficient and effective workflow. This will undoubtedly help you reduce your MTTD and MTTR.

13 Single Platform
Advanced Correlation; Log Management; UEBA; Security Automation & Orchestration; Network Monitoring & Forensics; Endpoint Behavior Analytics; Network Behavior Analytics

We are a single, end-to-end security platform that gives you visibility into your entire environment. You will see other vendors attempting to offer these same capabilities, but we are the only vendor that has built these in from the very beginning. With our embedded applications, you minimize the number of security experts needed to implement our solution, and your team will extract almost immediate value. With seamless integration and an optimized workflow we help your teams work productively and ultimately reduce the time it takes them to detect and respond to threats.

We started as a log management company over 13 years ago, so our solution makes it easy for you to analyze and parse log data. Because we support north of 700 different applications, we are able to quickly pull in the logs from your environment, without worrying about custom APIs or collectors. We also leverage File Integrity Monitoring and Network Monitor (both native to our solution) to minimize your blind spots. These both give you deep visibility into your endpoint and network data, allowing you to detect things that otherwise would have been missed.

Another major differentiator you are going to have is that within our Security Automation and Orchestration feature set there is built-in Case Management and SmartResponse. This gives admins and analysts a workflow that allows them to collaborate not just among themselves but with other groups within the organization. This allows your teams to find the root cause and mitigate the breach in minutes and hours. Not only does this lead to efficiency by reducing swivel chair analysis, but it will help your team figure out what actually happened so you don't have to deal with it again. Native to our system, our case management is available out of the box.

Wouldn't it be nice if you could take case management one step further by taking tasks off your analysts' plates with automation? Our built-in SmartResponse capability allows LogRhythm to respond as quickly as possible on your behalf, so you can be sure serious threats are blocked even if your team does not have the capacity to block manually. We also give you the flexibility to implement a multi-tier approval if it's important for you to have control. As you dig into other solutions, I would ask them how they approach these obstacles.
