ADVANCED KILL CHAIN DISRUPTION. Enabling deception networks

(1)

ADVANCED KILL CHAIN DISRUPTION

(2)

#RSAsummit

Agenda

Enabling Deception Networks

Introduction

Overview of Active Defense

Process Orchestration in Active Defense

Introducing Deception Networks

Software-defined Networking as an enabler

Taking Action on Insights

(3)


Taking action quickly…

Active Defense

Orchestrating infrastructure changes to automate well-defined and understood processes to mitigate

“In cyber we think of [The OODA loop] as Sensing, Sense-making, Decision-making (with a dial-able level of automated decision-making), and Acting”

Source: CyberWire Interview Philip Quade, COO of Information Assurance National Security Agency

Applying capabilities to contain and understand threats

Applying analytics to identify key insights from threat activity

(4)


Attaining an Agile Security Posture

[Figure: security postures plotted by External Orientation (Submissive to Aggressive) against Internal Orientation (Resilient)]

• Turtle: Strong security hygiene, and able to absorb attacks often, but with no ability to keep from getting hit they’ll eventually be breached

• Cuttlefish: Strong security hygiene, with capabilities to have a more agile/adaptive attack surface internally; does not counter-attack threats but will actively disrupt threats inside the organization

• Leopard: Strong security hygiene, able to dodge or absorb attacks as needed, willing to counter-attack threats if enabled to under policy or law

• Rhino: Strong security hygiene and able to absorb attacks, willing to counter-attack threats aggressively regardless of the legality of the actions

• Chihuahua: Minimal security hygiene, often will counter-attack threats aggressively regardless of legality or ability to withstand retribution

• Goldfish: Minimal or no security hygiene, often abused by attackers as a proxy host in attacking stronger targets so as to avoid attribution

(5)


Evolving Active Defense

Building blocks towards agility in security

Getting Started: Strengthen the Core

Orchestrating Incident Response and Threat Management

• Response Orchestration • Course of Action Automation • Asset Identification

Evolving the Core: Tackling challenges in Incident Response and Threat Management with new and evolving capabilities

Engaging the Adversary

Incorporating Advanced Active Defense capabilities like Deception Networks

• Deceptive Networks • Decoy Resources • Anti-Reconnaissance • Resource Shifting

Beyond Security

Integrating security into an Intelligent Infrastructure and leveraging Software-defined Networking

• Software Defined Infrastructure • Enterprise Resiliency

Intelligent Security: Leveraging an agile and adaptive infrastructure to change the game in security.

(6)


Automating Processes

Orchestrating an Agile Organization

• Identifying processes that benefit from automation

• Instrumenting human incident response and threat management workflows

• Defining courses of action to automate in the infrastructure

• Coordinating between automated actions and human workflows for approval

(7)


Phishing Attacks

Orchestration Use Case

• E-mail monitoring tool picks up a URL in an e-mail

• Orchestration receives the URL and sends it to a Threat Protection service to verify if it’s malicious or benign

• Threat Protection service reports back it is malicious

• Orchestration updates web proxy to block the domain/IP used by the e-mail

• Orchestration generates a workflow request to remove the malicious e-mail from the recipient’s mailbox

[Diagram, Technology Overlay: Detection of potential threat activity, Threat Protection, Security Orchestration, Infrastructure Orchestration, Web Proxy, Incident Response Runbook; step 1) Email monitoring tool detects a URL in an email]
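The five orchestration steps above, carried out end to end by a small Python simulation. This is an added example, not code from the deck or from any EMC product: the Threat Protection lookup is a constructed verdict table, the proxy blocklist and workflow queue are in-memory stand-ins for the real proxy and ticketing integrations, and the hostnames are made up. The point it adds to the slide is where the runbook stops short of acting: a benign, unknown or malformed URL produces no infrastructure change, only a record for a human to look at.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed verdict table standing in for the Threat Protection service.
# A real deployment queries the vendor API here; these hostnames are made up.
THREAT_PROTECTION_VERDICTS = {
    "account-verify.invalid": "malicious",
    "docs.example.com": "benign",
}


def threat_protection_verdict(url: str) -> str:
    """Steps 2 and 3: submit the URL and get back 'malicious', 'benign' or 'unknown'."""
    host = urlparse(url).hostname or ""
    return THREAT_PROTECTION_VERDICTS.get(host, "unknown")


@dataclass
class Orchestrator:
    """Holds the infrastructure state the runbook changes: the web proxy's
    blocklist and the queue of workflow requests handed to the mailbox team."""
    proxy_blocklist: set = field(default_factory=set)
    workflow_requests: list = field(default_factory=list)

    def handle_detected_url(self, url: str, message_id: str, recipients: list) -> dict:
        """Step 1 is the monitoring tool's detection; this method runs steps 2 to 5."""
        host = urlparse(url).hostname
        if not host:
            # Malformed URL: nothing to look up or block, but the result is kept for review.
            return {"url": url, "verdict": "invalid", "blocked": False, "workflow": None}
        verdict = threat_protection_verdict(url)
        if verdict != "malicious":
            # Benign or unknown: no automated infrastructure change. An 'unknown'
            # verdict would be routed to analyst review in a real runbook.
            return {"url": url, "verdict": verdict, "blocked": False, "workflow": None}
        # Step 4: block the domain at the web proxy (stand-in for the proxy API call).
        self.proxy_blocklist.add(host)
        # Step 5: open a workflow request to pull the e-mail from each recipient's mailbox.
        request = {
            "action": "remove_email",
            "message_id": message_id,
            "recipients": list(recipients),
            "reason": f"malicious URL {url}",
        }
        self.workflow_requests.append(request)
        return {"url": url, "verdict": verdict, "blocked": True, "workflow": request}


if __name__ == "__main__":
    orch = Orchestrator()
    print(orch.handle_detected_url("http://account-verify.invalid/reset", "msg-1", ["alice@example.com"]))
    print(orch.handle_detected_url("https://docs.example.com/guide", "msg-2", ["bob@example.com"]))
    print(sorted(orch.proxy_blocklist))
```

The approval point the deck asks for on the previous slide ("Coordinating between automated actions and human workflows for approval") sits naturally at the workflow request: the proxy block is automatic because it is reversible and low-impact, while mailbox deletion goes through a ticket.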

(8)


Threat Management with Active Defense

[Diagram: Threat Intelligence Service, SIEM & Advanced Analytics, and Active Defense exchanging Global Insights, Internal Intelligence, Threat Indicators, Actionable Insights, Targets to Monitor, and Responses; inputs from Government Feeds, Peer Exchange and Commercial Feeds; outputs to Infrastructure Orchestration, Security Orchestration, Physical Controls and Information]

Threat Intelligence Service: This service ingests from, as well as shares with, external and internal threat intelligence. It identifies the key indicators and observables within those intelligence feeds. It helps users contextualize and better understand events in their environment. It pushes awareness out to monitoring and response capabilities.

SIEM & Advanced Analytics: Supported by SIEM, Analytics, and Visualization capabilities, the solution ingests IT, OT, and Physical data sources, and provides monitoring of patterns and anomalies indicative of threat activity within an organization, as informed by Threat Intelligence.

Active Defense: Supported by Security and Infrastructure Orchestration capabilities, the solution takes insights and findings from Threat Intelligence, SIEM, and Analytics, and provides automated or semi-automated infrastructure changes and service management ticketing to mitigate the impact of identified threats.

(9)


Introducing Deception Networks

Enable an organization to protect against threats by automating and orchestrating the process of understanding and mitigating threat activity

Understanding Threats

• Use Honeypots, decoys, and deep packet inspection to target investigation of threat activity

Mitigating Threats

(10)


Deception Networks

• Apply network agility, deep packet inspection, and honeypots to track threat activity

• Apply analytics to identify high value indicators of compromise

• Normalize and contextualize internal threat intelligence, with external feeds

• Apply mitigations automatically using infrastructure

(11)


Software-defined Networking in Deception Networks

Software-defined Networking provides an opportunity for security to engage the adversary

Passive Engagement

• Enable efficient re-use of Honeypots

• Deploy targeted Deep Packet Inspection

• Spoof network topology

Active Engagement

• Generate White Noise

• Manipulate Data

• Prevent Network Intrusion

• Deploy IP Blackholes

(12)


Understanding the noise…

Threat Indicator Analytics

Need to generate threat intelligence

Drivers

• Harvest indicators of compromise generated internally

• Understand high value indicators to address

• Apply indicators to the infrastructure for mitigation

Solution

• A data analytics application to address identifying key insights in threat activity

• Aggregates threat activity generated internally

• Applies analytics to understand high value insights to operationalize

• Leverages big data analytics platform and data visualization tools

Benefits

• Operationalize indicators of compromise to prevent spread of the threat internally

• Improve profiling of threat actors and motivations against the organization

• Enable an organization to participate in threat exchanges amongst peers

(13)


Taking action…

Operationalizing the Insights

• Apply Infrastructure Orchestration to push indicators of compromise

  • To endpoint systems for increased inspection and blocking

  • To SIEM and Network Analytics for increased monitoring

• Use Software-defined Networking capabilities to block or re-direct network based observables

• Share insights with peer organizations through Threat exchanges
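The analytics and operationalization steps from the two preceding slides (Threat Indicator Analytics: harvest, rank, apply; and Operationalizing the Insights: push to endpoints and SIEM, block or re-direct via SDN, share with peers), worked through in Python. This is an added example, not the deck's or any product's code. Everything in it is a constructed assumption: the honeypot and IDS events use documentation address ranges, the external feed and the internal address space are made up, the scoring weights are one illustrative choice, and the action names (sdn_blackhole, sdn_redirect_to_honeypot, proxy_block, endpoint_block, siem_watch) stand in for whatever calls the orchestration layer actually exposes.

```python
import ipaddress
from collections import defaultdict

# Constructed honeypot and IDS sightings. 'indicator' is the source address
# observed, 'target' the internal system it touched.
INTERNAL_EVENTS = [
    {"sensor": "honeypot", "indicator": "203.0.113.9",  "target": "10.0.5.21"},
    {"sensor": "honeypot", "indicator": "203.0.113.9",  "target": "10.0.5.22"},
    {"sensor": "ids",      "indicator": "203.0.113.9",  "target": "10.0.7.3"},
    {"sensor": "ids",      "indicator": "198.51.100.4", "target": "10.0.5.21"},
    {"sensor": "honeypot", "indicator": "10.0.9.17",    "target": "10.0.5.21"},  # internal host probing decoys
    {"sensor": "honeypot", "indicator": "10.0.9.17",    "target": "10.0.5.22"},
]
# Constructed external feed (peer exchange / commercial feed) used for context.
EXTERNAL_FEED = {"198.51.100.4"}
# Constructed definition of the organization's own address space.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def aggregate(events):
    """Harvest: group raw sensor hits by indicator, keeping corroborating detail."""
    agg = defaultdict(lambda: {"hits": 0, "sensors": set(), "targets": set()})
    for ev in events:
        entry = agg[ev["indicator"]]
        entry["hits"] += 1
        entry["sensors"].add(ev["sensor"])
        entry["targets"].add(ev["target"])
    return dict(agg)


def score(entry, indicator, external_feed):
    """Assumed weighting (not from the deck): breadth of targets and independent
    sensor corroboration count more than raw volume; an external-feed match adds context."""
    return (entry["hits"] + 2 * len(entry["sensors"]) + 3 * len(entry["targets"])
            + (2 if indicator in external_feed else 0))


def rank_indicators(events, external_feed=EXTERNAL_FEED):
    """Return (indicator, score) pairs, highest value first."""
    agg = aggregate(events)
    ranked = [(ind, score(entry, ind, external_feed)) for ind, entry in agg.items()]
    return sorted(ranked, key=lambda pair: (-pair[1], pair[0]))


def is_internal(indicator):
    """True when the indicator falls inside the constructed internal address space."""
    addr = ipaddress.ip_address(indicator)
    return any(addr in net for net in INTERNAL_NETS)


def plan_mitigations(events, threshold=10, external_feed=EXTERNAL_FEED):
    """Operationalize: decide which placeholder infrastructure actions to push for
    each high-value indicator, and which indicators are worth sharing with peers."""
    actions, share = [], []
    for indicator, value in rank_indicators(events, external_feed):
        if value < threshold:
            continue
        if is_internal(indicator):
            # An internal host touching decoys is likely compromised or misconfigured:
            # shift its traffic onto the deception network and raise monitoring,
            # rather than blackholing a production system outright.
            actions.append({"indicator": indicator, "action": "sdn_redirect_to_honeypot"})
            actions.append({"indicator": indicator, "action": "siem_watch"})
        else:
            # External source: block on the network, at the proxy and on endpoints.
            actions.append({"indicator": indicator, "action": "sdn_blackhole"})
            actions.append({"indicator": indicator, "action": "proxy_block"})
            actions.append({"indicator": indicator, "action": "endpoint_block"})
        if indicator not in external_feed:
            share.append(indicator)  # generated internally, so peers do not have it yet
    return {"actions": actions, "share": share}


if __name__ == "__main__":
    for indicator, value in rank_indicators(INTERNAL_EVENTS):
        print(f"{indicator:15} score={value}")
    print(plan_mitigations(INTERNAL_EVENTS))
```

Two design choices worth noting. The internal/external split decides the mitigation, not just the score: the deck's "re-direct" option is what keeps a compromised internal host observable instead of simply cut off. And the share list is the complement of the external feed, which is exactly the internally generated intelligence the "participate in threat exchanges" benefit refers to.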

(14)


The Building Blocks

Getting Started

Get a handle on your Threat Intelligence

• Utilize Analytics to get actionable intelligence

• Understand how to generate internal threat intelligence

Orchestrate incident response and threat management run-books

• Establish well defined processes

• Instrument the run-books for consistent human workflows

• Automate processes to address security challenges

Explore Network Virtualization

• Test environments for Software-defined Networking

• Options to virtualize at a datacenter level

Re-introduce honeypots to security

• Not just external facing systems

• How to mimic production

(15)

(16)

© Copyright 2014 EMC Corporation. All rights reserved.

Detailed View

[Diagram: Threat Intelligence Sharing (TIS), SDN Controller, SDN Switches, Agent, Infrastructure Orchestrator, SIEM, IDS/IPS, Endpoint Protection]
(17)

Technology Overlay

[Diagram: Threat Intelligence Sharing (TIS); SDN || NFV || VMware NSX; Agent; Internet; SDN Switches; Security Orchestrator; TippingPoint; Sentinel (redirecting malicious traffic or known hostile IP); Sandboxed; Threat Intelligence Policy Enforcement; Threat Indicator Analytics; Production; Threat Data]
