Published by Felicia Sims. Modified over 6 years ago.
1
Evolved Requirements: A Business-Driven Security Strategy for Threat Detection & Response
Laura MacDonald, Field CTO
2
The Challenge for Security Teams
First, let’s briefly discuss the problem as RSA sees it. What are the challenges that security operations teams are facing today?
3
Attackers Quickly Turn Compromises into Breaches
Slide graphic (timeline): Minutes, Hours, Days, Weeks, Months. Stages: Spear Phishing Attack; Malware Installed (Initial compromise); Communicate to External Server (C2); Lateral Movement; Discover Critical Assets; Data Exfiltration (Breach); 3rd Party Detection (Breach Detected).

Speaker notes: It goes without saying that stories of cyber attacks and major breaches are all over the news today. As we look at what is happening in these breaches, a few trends become apparent. In short, attackers are gaining access faster – usually within minutes; nearly all attackers are extracting sensitive data within a matter of days; and they are staying longer, typically inflicting greater damage over this time. Most breaches take months to discover. And the overwhelming majority are not detected by internal systems, but rather by external sources such as customers or authorities. Suffice to say, there is a direct correlation between “dwell time” (the amount of time that attackers have access to your network) and the impact that attacks will have on your business.

Slide statistics: 82% compromised in minutes; 99% of exfiltration occurred in days; 64% discovered in months.
4
Logs Provide Only Limited Visibility
Slide graphic: Malware tool misses unknown, new threat. NGFW has no rule for/against threat traffic. IPS has no signature to stop the threat traffic. NetFlow analyzer sees lateral movement, but from a known user. AV misses user downloading unknown malware. VMs further inhibit visibility into threats. Visibility into threats in the cloud is an even bigger challenge. (Labels: IDS/IPS, NGFW, Confidential Data.)

Speaker notes: So why are the attackers outpacing the defenders? Well, one reason is that most organizations are still relying on logs for detection. But the truth is that logs can only provide a limited understanding of what is happening. For example, logs are very useful for identifying when a preventive control triggers an alert. But today, sophisticated adversaries are increasingly adept at navigating around those same preventive controls. For example, in most cases, previously unseen malware (or a zero day, which is used most often in advanced attacks) will not trigger an alert on endpoint AV. The same is generally also the case for IDS/IPS. If a next-gen firewall has no rule to block or alert on certain threat traffic, security teams will have no way of knowing. Compounding the problem of limited visibility, as organizations migrate applications, data, and everyday computing to the cloud, we may have varying (if any) visibility into events occurring outside our traditional network environments. Also, expanding use of virtualization may present additional blind spots. Are alerts and other data pertaining to virtualized network traffic being collected? Is there visibility of every newly spun-up virtual machine? Is endpoint visibility accounted for across all hypervisors and clusters? Relying on logs alone is not enough.
5
The Flood of Data from Other Sources Can Be Overwhelming
Slide graphic: NetFlow Collector / NBAD; Full PCAP / Network Forensics; Endpoint Security; Data Capture across Cloud; SIEM / Logs. The need for visibility drives organizations to add more data sources, but too much data from disparate sources can obfuscate real threats.

Speaker notes: Today many organizations are starting to understand that they need greater visibility. So they are collecting as much data as possible, frequently adding multiple point security solutions. This is to make sure that they have all their bases covered – as few blind spots as possible. So while they may have NetFlow, some type of packet capture, endpoint, and cloud data, it’s all happening in silos, each with a narrow field of focus. This means organizations are being flooded with information from individual data sources, with absolutely no correlation across them. Every new point solution that is introduced requires added expertise within the security team. And even when that expertise exists, those individuals are probably choking on data, unable to separate important alerts from false alarms and ‘noise’, and they don’t have the ability to recognize the connecting data between each function. In fact, adding additional point solutions may, in some cases, have an inverse effect on the effectiveness of security teams. Each new point product adds an additional set of variables that should be correlated with other data – making correlation orders of magnitude more difficult with each new dataset. However, this is not to say that more data from more sources isn’t good. In fact, the more information available relative to a particular event, the more effective both the analysis and response can be. It’s really a Catch-22. We need the data, but it’s making us less effective because the computational requirements simply exceed human capabilities.

We cannot effectively sort through and react to the massive amount of enterprise security information; certainly not with the speed that is required to keep up with the threats we discussed in the previous slides.

Slide takeaway: Manual correlation and analysis make it nearly impossible to respond in time and prevent breaches.
6
Security Teams Struggle to Assess and Act
Slide questions: Is this a real incident? Did any new processes execute on the target? Were there any communications back to the attacker? What’s the scope of the incident? Based on the initial incident, are there other systems affected? What’s the impact of the incident? What data was exfiltrated? What actions are required to mitigate?

Speaker notes: Meanwhile, as security and technical experts struggle to keep up with the flood of alerts, business leaders (who frequently are making the resourcing decisions that will ultimately determine how or if these issues are addressed) are demanding to understand the reason, scope, impact, and response to attacks, and how to better manage cyber-risk in the future. We frequently refer to this phenomenon as “The Gap of Grief”. Security teams struggle to meet the needs of the business, while the business struggles to gain perspective on what is actually happening – meanwhile both the direct cyber threat and the organization’s paralysis in meeting the challenges can hamper progress, or even put the entire business at substantially greater risk. So how can we better function to adequately answer these questions on the right side of this screen? How do we effectively answer the question, “How bad is it?” How can we make sure the team doesn’t have blind spots and can connect the dots of the attack?
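Slides 4 to 6 argue that silos of endpoint, NetFlow and log data cannot answer the incident questions above unless they are correlated by a common key. The script below is an added example (not the presentation's or RSA NetWitness's code) of the pivot an analyst or an evolved SIEM performs: three constructed feeds with different schemas are normalized onto one shape, then, starting from a single seed alert (host plus time), the code follows internal flows to expand scope and reports new processes, external communications, lateral movement and data touched. Every host name, user, IP address and event is constructed sample data.

```python
"""Cross-source correlation for the incident questions on slides 4 to 6.

Added example; it is not the presentation's or RSA NetWitness's code.
Every host, user, IP address and event below is constructed sample data.
"""
from datetime import datetime, timedelta

# Constructed endpoint telemetry (process starts): one silo with its own schema.
ENDPOINT_EVENTS = [
    {"ts": "2023-03-01T09:00:05", "host": "ws-042", "user": "jdoe", "parent": "explorer.exe", "process": "outlook.exe"},
    {"ts": "2023-03-01T09:01:10", "host": "ws-042", "user": "jdoe", "parent": "outlook.exe", "process": "invoice.pdf.exe"},
    {"ts": "2023-03-01T09:02:00", "host": "ws-042", "user": "jdoe", "parent": "invoice.pdf.exe", "process": "powershell.exe"},
    {"ts": "2023-03-01T09:30:00", "host": "ws-017", "user": "asmith", "parent": "explorer.exe", "process": "chrome.exe"},
]
# Constructed NetFlow records: a second silo (source host, destination, port, bytes out).
NETFLOW_EVENTS = [
    {"ts": "2023-03-01T09:02:30", "src": "ws-042", "dst": "203.0.113.7", "dport": 443, "bytes_out": 1200},
    {"ts": "2023-03-01T09:05:00", "src": "ws-042", "dst": "fs-01", "dport": 445, "bytes_out": 900},
    {"ts": "2023-03-01T09:31:00", "src": "ws-017", "dst": "198.51.100.9", "dport": 443, "bytes_out": 500},
]
# Constructed SIEM log events from the file server: a third silo.
LOG_EVENTS = [
    {"ts": "2023-03-01T09:05:01", "host": "fs-01", "user": "jdoe", "source": "winlogon", "msg": "Logon type 3 from ws-042"},
    {"ts": "2023-03-01T09:06:00", "host": "fs-01", "user": "jdoe", "source": "file-audit", "msg": "Read src/repo.zip"},
]
# Constructed inventory: any destination not listed here is treated as external.
INTERNAL_HOSTS = {"ws-042", "ws-017", "fs-01"}


def normalize():
    """Map the three schemas onto one (ts, host, kind, detail) shape, sorted by time."""
    events = []
    for e in ENDPOINT_EVENTS:
        events.append({"ts": datetime.fromisoformat(e["ts"]), "host": e["host"], "kind": "process",
                       "detail": f'{e["parent"]} -> {e["process"]}'})
    for e in NETFLOW_EVENTS:
        events.append({"ts": datetime.fromisoformat(e["ts"]), "host": e["src"], "kind": "flow",
                       "dst": e["dst"], "detail": f'{e["dst"]}:{e["dport"]}', "bytes_out": e["bytes_out"]})
    for e in LOG_EVENTS:
        events.append({"ts": datetime.fromisoformat(e["ts"]), "host": e["host"], "kind": "log",
                       "source": e["source"], "detail": f'{e["source"]}: {e["msg"]}'})
    return sorted(events, key=lambda ev: ev["ts"])


def scope_incident(seed_host, seed_ts, window_minutes=30):
    """Pivot outward from one alert (host + time) and collect the evidence slide 6 asks for."""
    start = datetime.fromisoformat(seed_ts)
    end = start + timedelta(minutes=window_minutes)
    in_window = [e for e in normalize() if start <= e["ts"] <= end]

    # Scope: follow internal flows from any affected host until no new host is added.
    affected = {seed_host}
    grew = True
    while grew:
        grew = False
        for e in in_window:
            if (e["kind"] == "flow" and e["host"] in affected
                    and e["dst"] in INTERNAL_HOSTS and e["dst"] not in affected):
                affected.add(e["dst"])
                grew = True

    # Only events on scoped hosts count; unrelated hosts in the same window are noise.
    on_scope = [e for e in in_window if e["host"] in affected]
    return {
        "new_processes": [e["detail"] for e in on_scope if e["kind"] == "process"],
        "external_comms": [(e["host"], e["detail"], e["bytes_out"])
                           for e in on_scope if e["kind"] == "flow" and e["dst"] not in INTERNAL_HOSTS],
        "lateral_movement": [(e["host"], e["dst"])
                             for e in on_scope if e["kind"] == "flow" and e["dst"] in INTERNAL_HOSTS],
        "affected_hosts": sorted(affected),
        "data_touched": [e["detail"] for e in on_scope if e["kind"] == "log" and e["source"] == "file-audit"],
    }


if __name__ == "__main__":
    # Seed: a third-party report that ws-042 opened a suspicious attachment at 09:01 (constructed).
    for key, value in scope_incident("ws-042", "2023-03-01T09:01:10").items():
        print(f"{key}: {value}")
```

Seeding on ws-042 pulls in the file server through the SMB flow and the matching logon, so the answer to "are other systems affected?" comes from NetFlow and Windows logs together, which neither silo could give alone; the unrelated ws-017 activity in the same window is left out of the incident rather than adding to the noise.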
7
Ensuring your SIEM Finds the Attacks that Matter most
SIEM solutions have been around for many years, and they were designed primarily for two objectives:
1. Collect, analyze, report and store log data from hosts, applications and security devices to support security policy compliance management and regulatory compliance initiatives.
2. Process and correlate in real time event data from security devices, network devices and systems to identify security issues that pose the biggest risk to an organization.
While most SIEM solutions have met objective 1, a large majority of them struggle to meet objective 2. These SIEM solutions do not have the scale and real-time analytics capabilities to identify issues that can compromise an organization before an attacker achieves their objective, and have limited capabilities to prioritize the sea of alerts analysts are facing based on true business risk.
8
Requirements for SIEM Have Evolved
Slide graphic: Evolved Threat Landscape (automated, targeted, persistent attacks); Modern IT Infrastructure (erosion of the perimeter); Noise in the System (humans can’t keep up, focus).

Speaker notes: Now, there are many reasons that SIEMs, as the centerpiece of the security operations center, have to evolve. Security teams need to evolve to stay in front of attackers and the latest threats, but in recent years this has become much more difficult. Attackers continue to advance and use sophisticated techniques to infiltrate organizations which no longer have well-defined perimeters. Attackers spend significant resources performing reconnaissance to learn about organizations and develop techniques specifically designed to bypass the security tools being used. The sophistication of threat actors and the expanding attack surface make it nearly impossible for security teams to discover and understand compromises quickly enough to respond before they impact the business. Why are attackers so successful? There are several reasons. Attackers are becoming more sophisticated and targeted; they have larger attack surfaces to exploit; existing security controls are failing; and there is a real shortage of skilled security staff. We are not playing on a level playing field.
9
Result: You Can’t Keep All the Bad Guys Out
Slide graphic: The longer they are in, the higher the risk (risk plotted against dwell time; accelerate detection & response).

Speaker notes: In light of today’s reality, a mind shift has to occur. We can no longer focus on preventative controls that promise to keep the bad guys out. If an adversary has a specific organization in its sights, there is nothing to be done to prevent them from getting into that organization’s infrastructure. However, we should not feel that this reality means the adversary will be able to leave that infrastructure with the data they targeted. If we shift our thinking from prevention to rapid detection and response, we can shorten the dwell time and prevent business damage. In order to do this, the centerpiece of our security operations needs to be informed by the underlying business intelligence, which can ultimately provide critical context to an analyst when seconds matter. By tying critical asset and identity information into both the detection and response capabilities a security team is using, it can focus its efforts on the threats that matter most. If a security team knows that both a server that stores source code and a server that hosts the café menu are being targeted, it knows which machine is more important to the business.
10
Requirements for an Evolved SIEM
Slide graphic: Optimized for Threat Detection & Response; Visibility Beyond Logs; Rapid Ability to Understand & Respond to Full Scope of Incident; Ability to Integrate Detection & Response with Business Risk; Breadth of Analytics Methods to Detect Attack Campaigns.

Speaker notes: So if this is our new reality, what are the new requirements? One is business-driven security: the ability of an organization to comprehensively and rapidly link security with business context to detect and respond effectively and protect what matters most. RSA believes an evolved SIEM which is optimized for threat detection and response must provide: full visibility – across endpoints, networks, logs, VMs and the cloud – combined with threat intelligence and business context. We need to be able to consume and transform data into usable threat metadata; in other words, we need to transform the data into intelligence. We need deep analytics – processing large amounts of threat data together with our own data, and combining multiple analytic techniques: behavioral analysis and the latest data science modeling and machine learning. We need to understand the full scope of attacks, to validate what happened, wherever it may have happened on our compute surface. Doing this requires a systematic, well-coordinated process that can orchestrate the function of our teams and all available data to produce understandable and actionable results. And we must enable our teams to act: to mitigate and eradicate threats based on business context before they turn into breaches that will harm the business.
11
TRANSFORMATIONAL SECURITY STRATEGY
Slide graphic: Transforming security strategy – two fundamental areas of focus: make security teams more operationally impactful; more strategically manage cyber risk.

Speaker notes: So what’s required to fix this? A transformational security strategy for managing business risk must link risk management with security events end-to-end. Organizations need the ability to link security strategy and activity with business priorities. To get there, organizations are embracing the need to transform their security strategy from a long-evolved series of point products with few unifying qualities to one that: more strategically manages business risk; makes security operations teams more impactful; delivers assurance around user access and behavior; and leverages intelligence from all corners of the business and from around the world. In this way we can better defend the business, protect business transactions and combat fraud.
12
An Evolved SIEM Is Needed
Slide graphic: Broadest sources of visibility (packets, logs, endpoint, threat intelligence, NetFlow, cloud, business context) feed an analytics engine that delivers the deepest attack insight and prioritized response. Utilize asset criticality and identity information to prioritize the threats that matter most; capabilities aligned to requirements – focus on prioritization and speed of TD&R; feed business context and identity to minimize noise.

Speaker notes: This is where the RSA NetWitness Suite comes in. The RSA NetWitness Suite consumes multiple types of disparate data from across your environment. We then take that data and turn it into more useful information by enriching it in real time with threat intelligence – from industry experts, third-party providers and crowdsourced from our customer base – as well as the critical business context which informs the suite so that prioritization can take place. We utilize a unified taxonomy across all this intelligent data that enables rapid detection of both known and unknown threats, processed through our analytics engine. Our analytics engine then enables organizations to rapidly identify the threats that really matter by providing the deepest attack insight with priority. We also understand that even with the broadest visibility and the deepest analytics, none of it matters unless you enable action. So the RSA NetWitness Suite enables control over how you want to respond to threats, with orchestration across your security infrastructure; role-based, prioritized incident response workflows; and investigations that can fully reconstruct incidents.
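Slides 9, 10 and 12 all make the same point: the same tool alert should rank differently depending on the asset it hits (the source-code server versus the café menu server) and the identity involved, and feeding that context into the ranking is what cuts the noise. The script below is an added example of that scoring, not the presentation's or RSA NetWitness's code; the asset inventory, identity attributes, alerts and weights (privileged multiplier, watchlist bump, default criticality for unknown assets, triage threshold) are all constructed for illustration.

```python
"""Risk-based alert prioritization with asset criticality and identity context (slides 9, 10, 12).

Added example; it is not the presentation's or RSA NetWitness's code. The asset
inventory, identity attributes, alerts and scoring weights are all constructed.
"""

# Constructed asset inventory: criticality 1 (public, low value) to 5 (crown jewel).
ASSETS = {
    "src-git-01": {"criticality": 5, "owner": "engineering", "holds": "source code"},
    "hr-db-02": {"criticality": 4, "owner": "hr", "holds": "employee records"},
    "cafe-menu-web": {"criticality": 1, "owner": "facilities", "holds": "public menu"},
}
DEFAULT_CRITICALITY = 2  # an asset missing from inventory is a gap, not a reason to ignore the alert

# Constructed identity context as a directory / IAM system would provide it.
IDENTITIES = {
    "svc-backup": {"privileged": True, "watchlist": False},
    "jdoe": {"privileged": False, "watchlist": False},
    "contractor-x": {"privileged": False, "watchlist": True},  # e.g. access being offboarded
}

# Constructed alerts as point products emit them: a 1..5 severity with no business context.
ALERTS = [
    {"id": "A1", "severity": 3, "asset": "src-git-01", "user": "svc-backup", "detection": "unknown binary executed"},
    {"id": "A2", "severity": 3, "asset": "cafe-menu-web", "user": "jdoe", "detection": "unknown binary executed"},
    {"id": "A3", "severity": 5, "asset": "cafe-menu-web", "user": "contractor-x", "detection": "IPS signature hit"},
    {"id": "A4", "severity": 2, "asset": "hr-db-02", "user": "jdoe", "detection": "failed logon burst"},
    {"id": "A5", "severity": 3, "asset": "unknown-host", "user": "jdoe", "detection": "beaconing pattern"},
]


def risk_score(alert):
    """Tool severity weighted by what the asset is worth and who is involved (constructed weights)."""
    criticality = ASSETS.get(alert["asset"], {}).get("criticality", DEFAULT_CRITICALITY)
    identity = IDENTITIES.get(alert["user"], {"privileged": False, "watchlist": False})
    score = alert["severity"] * criticality
    if identity["privileged"]:
        score *= 1.5  # a privileged account turns the same foothold into more damage
    if identity["watchlist"]:
        score += 5    # flagged identities get a fixed bump regardless of the asset
    return score


def by_tool_severity(alerts):
    """The queue as a point product presents it: tool severity only."""
    return [a["id"] for a in sorted(alerts, key=lambda a: a["severity"], reverse=True)]


def by_business_risk(alerts):
    """The queue after asset criticality and identity are fed into the ranking."""
    return [a["id"] for a in sorted(alerts, key=risk_score, reverse=True)]


def triage_queue(alerts, threshold=5):
    """Split alerts into the analyst queue and a low-priority backlog to cut noise."""
    work = [a["id"] for a in alerts if risk_score(a) >= threshold]
    backlog = [a["id"] for a in alerts if risk_score(a) < threshold]
    return work, backlog


if __name__ == "__main__":
    print("tool order:     ", by_tool_severity(ALERTS))
    print("business order: ", by_business_risk(ALERTS))
    print("queue / backlog:", triage_queue(ALERTS))
```

A1 and A2 are the identical detection at the same tool severity; only the business context separates them, sending the source-code server to the top of the queue and the café menu server to the backlog. The unknown host (A5) is scored with a deliberate default rather than dropped, so an inventory gap surfaces as a medium-priority item instead of silence.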
13
Business-Driven Security
Slide graphic: Business-Driven Security – Inclusion & Exclusion; Security Technology; Business Risk Management. Link security incidents with business context to respond faster and protect what matters most.

Speaker notes: RSA’s strategy fuses security insight with business context, creating an explicit linkage between what our security technology is telling us and what that means in terms of business risk. RSA’s business-driven security solutions help customers comprehensively and rapidly link security incidents with business context to respond effectively and protect what matters most. With award-winning solutions for rapid detection and response, user access control, consumer fraud protection, and business risk management, RSA customers can thrive in an uncertain, high-risk world. It’s time for Business-Driven Security.
14
Thank You