Joining Forces: Bringing Big Data to your Security Team

Transcription of the slide deck.

Slide 1: Joining Forces: Bringing Big Data to your Security Team
Alaa Abdulnabi, CISSP, RSA Regional Pre-Sales Manager, Turkey, Middle East & Africa, @AlaaAbdulnabi
© Copyright 2013 EMC Corporation. All rights reserved.

Slide 2: Market change drivers
- Infrastructure transformation: extended workforce, mobile devices, cloud, big data. Result: less control over access devices and over the back-end infrastructure.
- Business transformation: interconnected value chains. Result: the enterprise is even more hyper-extended and digital.
- Threat landscape transformation: advanced persistent threats, sophisticated fraud techniques. Result: fundamentally different tactics, more formidable than ever.

Slide 3: Old World Threats
- Attack focus: intrusion.
- Defense focus: prevention.

Slide 4: New World Advanced Threats
- 85% of breaches take weeks or more to discover.
- Breach response under 2 hours: 60% reduced risk.
Source: Verizon 2012 Data Breach Investigations Report.

Slide 5: Radically different advanced threats
1. Targeted: a precise objective.
2. Stealthy: low and slow.
3. Interactive: human intervention.
Timeline: intrusion, start of concealment in the system, discovery of the attack, end of concealment. Pivoting attacks take place inside the attack window, which spans from intrusion to discovery; response time runs from discovery to the end of concealment.
1. Identify the attack: shrink the attack window.
2. Response: accelerate the response time.

Slide 6: Profile of Attack: Data Exfiltration
1. Unusual network traffic: multiple connections tunneled over a non-standard port.
2. Authentication check: directory logs show authorized credentials used from an unknown IP.
3. Authorization checks: VPN and host logs show multiple credentials used on multiple servers.
4. Exfiltration: an encrypted ZIP is transmitted out of the corporate network.

Slide 7: Reallocating budget and staff
- Current priorities: prevention 80%, monitoring 15%, response 5%.
- Intelligence-driven security: prevention 33%, monitoring 33%, response 33%.

Slide 8: To improve detection, investigation and response, organizations need:
- Comprehensive visibility: "Analyze everything that's happening in my infrastructure."
- Agile analytics: "Enable me to efficiently analyze and investigate potential threats."
- Actionable intelligence: "Help me identify targets, threats & incidents."
- Optimized incident management: "Enable me to manage the incidents."

Slide 9: [RSA Security Analytics] is where security meets big data.

Slide 10: Security Analytics
- Traditional: collect and report on existing data to monitor and manage risk.
- Advanced: advanced analytics and algorithms generate predictive insights and active controls as a direct result of the data.
Source: EMC Study, "Data Science Revealed: A Data-Driven Glimpse into the Burgeoning New Field," December 5, 2011.

Slide 11: Security Analytics Platform
- Inputs: systems, network, public and private threat intelligence.
- Big data analytics: store, visualize, respond, investigate and analyze, alert and report.
- Governance, compliance and applications: RSA Archer GRC, incident management, remediation.
Slide 12: RSA FirstWatch
RSA's elite, highly trained global threat research and intelligence team, providing covert and strategic threat intelligence on advanced threats and actors.
- Focused on threats unknown to the security community: malicious code and content analysis, threat research and ecosystem analysis, profiling threat actors.
- Research is operationalized automatically via RSA Live.

Slide 13: Prioritize Security Analyst Efforts: Finding the Right Needle in a Stack of Needles
- All network traffic and logs: terabytes of data, 100% of total.
- Downloads of executables: thousands of data points, 5% of total.
- Type does not match extension: hundreds of data points, 0.2% of total.
- Create critical asset alerts: a few dozen alerts.

Slide 14: Asset Criticality Intelligence
- Asset intelligence sources (CMDBs, DLP, scans, etc.): asset list; IT info (device type, IP/MAC); business context (device owner, business unit, content, process category).
- RSA ACI record: IP address, criticality rating, business unit, facility, business owner, device IDs (DLP), RPO/RTO.
- Fed into RSA Security Analytics: security analysts now have asset intelligence and business context to better analyze and prioritize alerts.

Slide 15: Asset Criticality Intelligence in Security Analytics
- Helps the analyst better understand risk.
- Used to prioritize investigation and response.
- Asset criticality is represented as metadata.

Slide 16: Advanced Incident Management
- Offloads response from the security analyst.
- Enhances management visibility.
- Accelerates remediation.
- Manages the entire incident lifecycle.
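The funnel on the "Prioritize Security Analyst Efforts" slide, combined with the criticality metadata from the asset criticality slides, as an added example that is not part of the deck: each stage is a filter over constructed download records, and only executables whose content type contradicts their extension on a high-criticality asset become alerts. The magic-byte table, the extension lists and the asset table are assumptions made for the example.

```python
from dataclasses import dataclass

# Magic bytes that identify executable payloads regardless of the claimed filename (assumed).
EXEC_MAGIC = {b"MZ": "pe", b"\x7fELF": "elf"}
# Extensions under which each executable type is legitimately served (assumed).
EXEC_EXTENSIONS = {"pe": {".exe", ".dll", ".scr", ".msi"}, "elf": {".so", ".bin", ""}}
# Constructed stand-in for the asset criticality feed: client IP -> business context.
ASSETS = {
    "10.0.1.5": {"owner": "Finance", "criticality": "high"},
    "10.0.2.9": {"owner": "Guest WiFi", "criticality": "low"},
}


@dataclass
class Download:
    client_ip: str  # internal host that fetched the file
    url: str        # requested URL as seen on the wire
    head: bytes     # first bytes of the response body


def detect_type(head: bytes):
    """Return 'pe', 'elf' or None from the payload's magic bytes."""
    for magic, kind in EXEC_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def extension(url: str) -> str:
    """Lower-cased extension of the URL path, '' when there is none."""
    name = url.split("?", 1)[0].rsplit("/", 1)[-1]
    return "." + name.rsplit(".", 1)[1].lower() if "." in name else ""


def type_mismatch(d: Download) -> bool:
    kind = detect_type(d.head)
    return kind is not None and extension(d.url) not in EXEC_EXTENSIONS[kind]


def funnel(downloads: list, assets=ASSETS) -> dict:
    """Apply the three filters in order; return stage counts and the final alerts."""
    executables = [d for d in downloads if detect_type(d.head)]      # stage 2
    mismatched = [d for d in executables if type_mismatch(d)]         # stage 3
    alerts = [{"client_ip": d.client_ip, "url": d.url, "type": detect_type(d.head),
               "owner": assets[d.client_ip]["owner"]}
              for d in mismatched
              if assets.get(d.client_ip, {}).get("criticality") == "high"]  # stage 4
    return {"all": len(downloads), "executables": len(executables),
            "mismatched": len(mismatched), "alerts": alerts}


# Constructed sample traffic: six downloads, one of which survives every stage.
SAMPLE = [
    Download("10.0.1.5", "http://cdn.example/q3-report.pdf", b"MZ\x90\x00\x03"),
    Download("10.0.1.5", "http://vendor.example/setup.exe", b"MZ\x90\x00\x03"),
    Download("10.0.2.9", "http://img.example/photo.jpg?x=1", b"\x7fELF\x02\x01"),
    Download("10.0.2.9", "http://site.example/index.html", b"<html>"),
    Download("10.0.1.5", "http://lib.example/libssl.so", b"\x7fELF\x02\x01"),
    Download("10.0.1.7", "http://x.example/update.png", b"MZ\x90\x00\x03"),
]
```

A host missing from the asset table (10.0.1.7 above) still reaches the mismatch stage but produces no alert, which is the deck's point that context, not just content, decides what an analyst sees first.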
Slide 17: RSA Data Discovery for Security Analytics
Discover sensitive data and improve investigations with DLP.
- Sources scanned by RSA Data Discovery: SharePoint, file servers, databases, NAS/SAN, endpoints.
- The Data Discovery feed delivers content-level intelligence into RSA Security Analytics for the security analyst.

Slide 18: RSA Data Discovery for Security Analytics: Investigative Interface
Data Discovery attributes available in the SA Investigation UI help security analysts identify high-risk assets and prioritize investigations.

Slide 19: RSA ECAT Key Functionality & Benefits
- Functionality: file whitelisting, multi-engine AV scan, certificate validation, network traffic analysis, full system inventory, direct physical disk inspection, live memory analysis.
- Benefits: an X-ray view of what's happening on endpoints; identify behavior related to malware; highlight likely infections with the Machine Suspect Level (MSL); quickly triage results to gain actionable intelligence; find other infected machines and gauge the scope of a breach; forensic data gathering.

Slide 20: Advanced Threat Detection & Incident Management with the RSA SMC Portfolio
- RSA Security Analytics: capture and analyze network packets, logs and threat feeds; raise alerts based on rules.
- RSA ECAT: detect suspicious endpoint activity; send syslog alerts of high Machine Suspect Levels to Security Analytics.
- RSA Advanced Incident Management for Security (AIMS): group alerts, manage workflows, provide visibility to business and security users.

Slide 21: (closing slide)