RSA Security Analytics

(1)

RSA Security Analytics

This is what SIEM was Meant to Be

(2)

The Original Intent of SIEM

• The cornerstone of security operations
• Single compliance & security interface
• Analyze & prioritize alerts across various sources

• Weak at investigation & incident response
• Compliance …yes, but security…?
• Limited detection due to reliance on logs & signatures

(3)

A new approach is needed

(4)

SIEM Baseline Requirements

Forrester ForrSights Security Survey Q2 2013: "How important is each of the following in your firm's decision to adopt security information management (SIM) within your organization?" (% of respondents who answered "important" or "very important", n=580)

Incident response | 90%
Compliance and reporting | 87%
Event correlation | 80%
Log management | 77%

“Critics give SIEM 2.5 out of 4 stars”

(5)

Evolution of Threat Actors & Detection Implications

At first, there were HACKS: preventative controls filter known attack paths.

[Diagram labels: Threat Actors, Malicious Traffic, Firewall, IDS/IPS, AntiVirus, Corporate Assets, Whitespace, Successful HACKS]

(6)

Evolution of Threat Actors & Detection Implications

At first, there were HACKS: preventative controls filter known attack paths.

Then, ATTACKS, despite increased investment in controls, including SIEM.

[Diagram labels: Threat Actors, Malicious Traffic, Firewall, IDS/IPS, AntiVirus, More Logs, SIEM, Blocked Session, Alert, Corporate Assets, Whitespace, Successful ATTACKS]

(7)

Evolution of Threat Actors & Detection Implications

Now, successful ATTACK CAMPAIGNS target any and all whitespace. Complete visibility into every process and network session is required to eradicate the attacker opportunity.

Unified platform for advanced threat detection & investigations.

[Diagram labels: Threat Actors, Malicious Traffic, Firewall, IDS/IPS, AntiVirus, Logs, Endpoint Visibility (Process), Network Visibility (Sessions), Blocked Session, Alert, Corporate Assets, Network Security Analytics]

(8)

Exceeding SIEM Requirements

Log Mgmt.: Collect & parse 250+ event sources; Visibility far beyond logs; Logs, packets, NetFlow & endpoint together

Event Correlation: 275+ out-of-the-box correlation rules

Incident Response: Native, prioritized incident triage; Wider SOC management capabilities

Compliance & Reporting: 90+ report templates; Integration with compliance management program

(9)

RSA Security Analytics: Log-Centric

[Architecture diagram labels: Security Operations: Visibility (Logs; On Prem, Cloud) -> Analysis -> Action; Capture Time Data Enrichment; RSA LIVE INTELLIGENCE: Threat Intelligence | Rules | Parsers | Feeds | Reports | RSA Research]

(10)

RSA SECURITY ANALYTICS SOLUTION

CAPTURE, ENRICH AND ANALYZE DATA FROM ACROSS YOUR NETWORK

[Architecture diagram labels: Visibility | Analysis | Action; data sources LOGS, PACKETS, ENDPOINT, NETFLOW (On Prem, Cloud); Capture Time Data Enrichment; ENRICH; Advanced Analytics; Investigation, Compliance Reporting, Endpoint Analysis, Session Reconstruction, Incident Management; RSA LIVE INTELLIGENCE: Threat Intelligence | Rules | Parsers | Feeds | Reports | RSA Research]

(11)

VISIBILITY

From the ENDPOINT to the CLOUD

Visibility | Analysis | Action

(12)

Move From Log-Centric Approach

“organizations need to collect, process, and store a plethora of data sources including asset data, identity information, network traffic (via full packet capture), NetFlow, endpoint forensic information, etc. This data volume is in part what transforms yesterday’s security analysis into today’s big data security analytics.”

-- Jon Oltsik, ESG, September 2014, “Information-Driven Security and RSA Security Analytics and RSA ECAT”

(13)

The Power Of A Risk-Based Approach

Security Analytics brings four data sources together:

• Logs: Basic connection information
• Packets: How you got infected and what the attacker did
• NetFlow: How far the intrusion spread
• Endpoints: Where the infection is located

(14)

Add Compliance & Business Context

IT Info:
• Asset List
• Device Type, Device Content
• CMDBs
• Vulnerability data

Business Context:
• Device Owner
• Business Owner, Unit, Process
• RPO / RTO
• Data Class

Asset Intelligence:
• Risk Level
• IP Address
• Asset Criticality Rating
• Facility

(15)

ANALYSIS

Detect and analyze attacks before they can impact your organization

Visibility | Analysis | Action

(16)

Incident Detection

• Correlation across logs, packets, NetFlow and endpoint data - separately or together
• Discover attacks missed by other tools
• Real-time detection
  - Ex. detecting a PDF containing an executable, followed by encrypted traffic to a blacklisted country

(17)

Data Sources: Shell Crew Example

Logs: What was targeted?
• Intrusion attempts

Packets: How did the exploit occur?
• Beaconing & suspicious communications
• “Sticky-keys” backdoor
• Malicious proxy tools
• WinRAR using encrypted rar files
• Recreate entire exploit

NetFlow: How did the attackers move around once inside?
• Lateral movement via RDP

Endpoints: Was the endpoint exploited? Were others infected?
• Time/date “stomping”
• Indicators about malicious files and code
• Scope of infection

(18)

Content Enables Security Teams

62%: Percent who felt security management was more difficult than it was 24 months ago
- ESG, “The Big Data Security Analytics Era Is Here”, April 2013

400+: RSA provides over 400 out-of-the-box rules, alerts, feeds & reports

Unleash the potential of your security team

(19)

Out-of-the-box Content Examples

Intelligence feeds: APT Domains; Suspicious Proxies; Malicious Networks; Threat blacklists; 0-day identifiers

275+ correlation rules: Data exfiltration; Identity & access anomalies; Unusual connections; Endpoint & network activity; Reconnaissance detection

90+ reports: Compliance templates; Network activity; Operations; Suspicious behavior; User activity

375+ log & network parsers: Abnormal .exe files; Packers; Instant Messenger traffic; Botnets; SQL injection

(20)

ACTION

Take targeted action on the most important incidents

Visibility | Analysis | Action

(21)

Native Incident Management

• Unified incidents & workflow
• Analyst starting point
• Sources: Endpoint & Malware, Packets, Logs

(22)

Prioritize & Streamline Workflow

• Unified, risk-score driven alerts
• Assign & track
• Integrate: RSA Security Operations Management (SecOps); 3rd party ticketing systems

(23)

RSA Security Operations Management

Domains: Incident Response; Breach Response; SOC Program Management

RSA SecOps Framework & Alignment: People; Process; Technology

(24)

Security Analytics vs. SecOps

SA: Incident Triage

SecOps:
• Alert Aggregation
• Dashboards
• Incident Response Workflow
• IR Procedure & Content
• Breach Response Workflow, tasks, content
• Risk Assessment Questionnaire
• Tracking
• Notification
• SOC Program Management
• GRC Integration (Risk, Policy, BC)

(25)

Benefits

• Detect and analyze before attacks impact the business
• Investigate, prioritize, and remediate incidents
• Unleash the potential of your existing security team
• Evolve existing tools with better visibility & workflow

(26)

(27)

Beverage Manufacturer

RSA Security Analytics

“I really like the vision of where Security Analytics is going, which isn’t seen anywhere else in the industry, it offers true value and intelligence”

Before:
• Security silos, isolated incident response
• Visibility limited to the perimeter
• Blind to signs of compromise

After:
• Full visibility and context into attacks that were unachievable in a traditional SIEM
• Quick and easy log collection & analysis
• Discovered massive amounts of IOCs
• Deployed globally without scaling issues

(28)

Security Attacks are Inevitable

Must be ARMED to quickly identify and respond to attacks before they can damage the business

Constant compromise does not mean constant loss

(29)

See Everything. Fear Nothing.

(30)

Common SIEM Use Cases in Security Analytics

Can be run as a real-time alert, or a regular report for review

Use case | Alert/Report
Unauthorized privilege access | Admin commands from a username not in a list of admins; Unusual commands being executed
Unusual protocol use | Unexpected protocol hitting a firewall/gateway; Port scans; Large network transfers
Virus outbreak | High # of alerts from a given set of AV systems
Trojan Backdoor use | Specific event class from an IDS
Abnormal system access | High # of failed logons
Unauthorized account administration | Account enable from list of locked accounts
Access policies | Access from an unauthorized location

(31)

SIEM and Account Takeover

How a SIEM tries to detect it: Alert for failed logons followed by successful logon

Why that doesn’t work:
• Lots of noise
• Low and slow approach evades detection
• Can’t take

Security Analytics approach: Tag the session as high # of failed logons, tag the session as going to/from a critical asset, monitor the entire session for signs of bot activity, tag the source IP address if coming from unexpected source geography, tag the session if using non-standard user agent

(32)

SIEM and Known Attack Sequences

How a SIEM tries to detect it: Create correlation rule for precise sequence, e.g. failed logons, followed by successful logon, followed by DB Connect, followed by connection to Romania

Why that doesn’t work:
• Any variation on the attack will fool the SIEM rule
• Can only rely on indicators in logs from critical systems
• Cannot scale beyond small set of rules

Security Analytics approach:
• Tag session with known attack indicators (e.g. high # of failed logons, use of weird protocols, use of weird tools etc.)
• Tag session as going to/from critical asset
• Monitor the entire session to give investigative context

(33)

SIEM and Deviation from Normal Activity

How a SIEM tries to detect it: Define rules for known good – alert for any nonstandard activity

Why that doesn’t work:
• Impossible to keep up with all normal activities
• Cannot scale beyond only a small rule set

Security Analytics approach: Tag session for unexpected attributes – nonstandard tools being used, unexpected source address, protocol misuse, unexpected scripting, strange encoding
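Slides 31 to 33 contrast a precise SIEM correlation rule with tagging a whole session on several indicators and judging the combination. The Python below is an added illustration, not RSA's code: it runs a strict failed-then-successful-logon rule and a session tagger over two constructed sessions, one "low and slow" and one ordinary mistyped password. The critical-asset list, expected geographies, known user agents, thresholds and the even-spacing check used as a sign of bot activity are all assumptions.

```python
# Added illustration, not RSA's code; lists, thresholds and events are constructed assumptions.
CRITICAL_ASSETS = {"10.0.0.5"}                  # assumed critical-asset list
EXPECTED_GEOS = {"US", "DE"}                    # assumed normal source geographies
STANDARD_AGENTS = {"Mozilla/5.0", "curl/8.0"}   # assumed known user agents

def ev(t, event, dst, geo, ua):
    return {"t": t, "event": event, "dst": dst, "geo": geo, "ua": ua}

# Constructed sessions keyed by source IP (RFC 5737 documentation ranges).
SESSIONS = {
    # Low and slow: three failures an hour apart, then success, against a critical asset.
    "203.0.113.9": [ev(h * 3600, "logon_fail", "10.0.0.5", "XX", "python-requests/2.31")
                    for h in range(3)]
                   + [ev(10800, "logon_ok", "10.0.0.5", "XX", "python-requests/2.31")],
    # A user mistyping a password once, from a normal location and browser.
    "198.51.100.4": [ev(0, "logon_fail", "10.0.0.8", "US", "Mozilla/5.0"),
                     ev(12, "logon_ok", "10.0.0.8", "US", "Mozilla/5.0")],
}

def siem_rule(events, threshold=5, window=600):
    """Precise sequence rule: >= threshold failures inside `window` seconds, then a success."""
    fails = []
    for e in events:
        if e["event"] == "logon_fail":
            fails.append(e["t"])
        elif e["event"] == "logon_ok":
            if sum(1 for t in fails if e["t"] - t <= window) >= threshold:
                return True
    return False

def tag_session(events):
    """Attach every indicator that applies to the whole session (slides 31-33)."""
    fails = [e["t"] for e in events if e["event"] == "logon_fail"]
    gaps = {b - a for a, b in zip(fails, fails[1:])}
    checks = {
        "high_failed_logons": len(fails) >= 3,
        "regular_timing": len(fails) >= 3 and len(gaps) == 1,  # evenly spaced, bot-like (assumed)
        "critical_asset": any(e["dst"] in CRITICAL_ASSETS for e in events),
        "unexpected_geo": any(e["geo"] not in EXPECTED_GEOS for e in events),
        "nonstandard_user_agent": any(e["ua"] not in STANDARD_AGENTS for e in events),
    }
    return {tag for tag, hit in checks.items() if hit}

def triage(sessions=SESSIONS, min_tags=3):
    """Per source IP: (SIEM rule fired?, sorted tags, escalate when >= min_tags apply)."""
    out = {}
    for ip, events in sessions.items():
        tags = tag_session(events)
        out[ip] = (siem_rule(events), sorted(tags), len(tags) >= min_tags)
    return out
```

The spaced-out session never trips the windowed rule, yet it collects five tags and is escalated, while the mistyped password collects none.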

(34)

Incident Detection

Attack Step | Traditional SIEM | RSA Security Analytics
Alert for access over non-standard port | No | Yes
Recreate activity of suspect IP address across environment | No | Yes
Show user activity across AD and VPN | Yes | Yes
Alert for different credentials used for AD and VPN | Yes | Yes
Reconstruct exfiltrated data | No | Yes

(35)

Only RSA Security Analytics Can Tell If This Is A Targeted Attack

Attack Step | Traditional SIEM | RSA Security Analytics
Alert for suspected SPAM host | Yes | Yes
Show all WWW requests where executable downloaded | No | Yes
Recreate email with suspect link | No | Yes
Analyze malware and incorporate community intelligence | No | Yes
Determine whether attack is part of a targeted campaign | No | Yes

(36)

References
