2. Organizations Face Difficult Security Challenges
GROWING SHORTAGE OF SKILLED SECURITY STAFF: A real scarcity of skilled security analysts forces enterprises to get creative to combat threats and protect the enterprise.
A GREATLY EXPANDING ATTACK SURFACE: More endpoints in the enterprise, in the field, and in the cloud mean more potential entry points for attacks.
MORE SOPHISTICATED ATTACK CAMPAIGNS: The days of simple malware or APTs are gone. Today’s attacks are targeted, lengthy, and multifaceted.
“Organizations took weeks or more to discover that a breach even occurred.” - Verizon 2016 Data Breach Report
3. So They Take Preventive Steps to Protect Themselves
(Diagram: NGFW, IDS/IPS, SIEM, and NGFW layers placed in front of Confidential Data and Endpoints)
80% of security staff, budget, and activity is generally dedicated to preventive action.
4. But Breaches Still Occur. What’s Happening?
(Diagram: the same NGFW, IDS/IPS, SIEM, and NGFW layers in front of Confidential Data and Endpoints, each annotated with what it misses)
NGAV misses the UNKNOWN, NEW threat.
NGFW has no rule for/against the threat traffic.
IPS has no signature for the threat packets.
SIEM captures logs, but will it trigger an alert?
Missing the Little Things Rapidly Adds Up to One Bigger Problem
How big is the compromise?
How long has it been there?
Just how bad is this?
What did the attacker do?
6. Shift priorities and capabilities
(Diagram: Today’s Priorities: Prevention, Response, Monitoring. Future State: Monitoring, Prevention, Response.)
7. Advanced Threats Are Different
(Timeline diagram: Attack Begins -> System Intrusion -> Cover-Up Complete -> Attack Identified / Discovery -> Response. Dwell Time (1) spans intrusion to discovery; Response Time (2) spans discovery to response. Leap Frog Attacks are marked along the timeline.)
Speed: decrease Dwell Time and Response Time.
8. Evolution of Threat Actors & Detection Implications
(Diagram: Threat Actors face Firewall, IDS/IPS, AntiVirus, and Logs/SIEM in front of Corporate Assets; the whitespace between those controls is where successful HACKS occur, and Network Visibility and Endpoint Visibility are placed to cover it.)
Complete visibility into every process and network session is required to eradicate the attacker’s opportunity.
Unified platform for advanced threat detection & investigations
(Diagram: blocked sessions, alerts, processes, and network sessions feeding into RSA Security Analytics)
10. RSA NetWitness® Packets: providing real-time analysis and full visibility of everything going in and out of your network.
• Shows how an attacker got in
• Shows what the attacker did
• Helps to determine the source of the attack
• Shows suspicious communication
  • Beaconing
  • Data Exfiltration
  • Outbound encrypted communication
  • Service communication over a non-standard port
• Detect advanced threats using Behavior Analytics
• Communication to and from the infected system
• See the complete attack picture
• Reconstruct the malicious payload or exploit
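As an added example (not code from the deck or from RSA), two of the suspicious-communication checks listed above run as simple analytics over session metadata: beaconing (near-constant intervals between sessions to one destination) and a service seen on a non-standard port. The session layout, the sample sessions and the service/port table are constructed assumptions, not NetWitness field names.

```python
"""Added example (not from the RSA deck): two analytics over session metadata
illustrating the "suspicious communication" bullets above, beaconing and a
service on a non-standard port. Field layout and port table are assumptions."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sessions: (epoch seconds, ip.src, ip.dst, dst port, service identified from payload)
SESSIONS = [
    # 10.0.0.5 reaches the same host every ~300 s with little jitter
    (0, "10.0.0.5", "203.0.113.7", 443, "HTTPS"),
    (305, "10.0.0.5", "203.0.113.7", 443, "HTTPS"),
    (598, "10.0.0.5", "203.0.113.7", 443, "HTTPS"),
    (903, "10.0.0.5", "203.0.113.7", 443, "HTTPS"),
    (1200, "10.0.0.5", "203.0.113.7", 443, "HTTPS"),
    # 10.0.0.8 browses one site at irregular, human-looking times
    (10, "10.0.0.8", "198.51.100.3", 443, "HTTPS"),
    (15, "10.0.0.8", "198.51.100.3", 443, "HTTPS"),
    (400, "10.0.0.8", "198.51.100.3", 443, "HTTPS"),
    (2100, "10.0.0.8", "198.51.100.3", 443, "HTTPS"),
    (2130, "10.0.0.8", "198.51.100.3", 443, "HTTPS"),
    # payload says SSH, but the session was carried on 443; 8080 is a usual HTTP port
    (700, "10.0.0.9", "192.0.2.44", 443, "SSH"),
    (720, "10.0.0.9", "192.0.2.44", 8080, "HTTP"),
]

SERVICE_PORTS = {"HTTP": {80, 8080}, "HTTPS": {443}, "SSH": {22}}  # usual ports per service

def beaconing_candidates(sessions, min_count=5, max_cv=0.15):
    """Return {(src, dst, port): mean gap} for pairs with at least min_count
    sessions whose gaps vary little (stdev / mean of the gaps <= max_cv)."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, _service in sessions:
        by_pair[(src, dst, port)].append(ts)
    hits = {}
    for key, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits[key] = round(avg)
    return hits

def nonstandard_port_services(sessions, table=SERVICE_PORTS):
    """Return (src, dst, port, service) for sessions whose payload-identified
    service is not on one of its usual ports, e.g. SSH tunnelled over 443."""
    return [(src, dst, port, svc) for _ts, src, dst, port, svc in sessions
            if svc in table and port not in table[svc]]
```

The beacon check deliberately ignores pairs with few sessions, and the port check only fires when the service was identified from the payload, which is what distinguishes it from guessing the service by port.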
11. Deep Network Forensics: 225+ metadata fields
(Diagram: metadata fields arranged from Basic Packet Capture to Deep Network Forensics)
HTTP Headers, Attachment, File Fingerprints, Session Size, Country Src/Dst, URL, Hostname, IP Alias Forwarded, Directory, File Packers, Non Standard Content Type, Ethernet, Connection, Embedded Objects, Top Level Domain, Access Criticality, Sql Query, Mac Address Alias, Email Address, Cookie, Browser, Credit Cards, Protocol Fingerprints, Database Name, SSL CA/Subject, URL in Email, Referrer, Language, Crypto Type, PDF/Flash Version, Client/Server Application, User Name, Port, User Agent, IP Src/Dst, Session Characteristics
“You can't hide a packet once it's traversed the wire, you can't unsend it”
13. Why RSA NetWitness Endpoint?
Detect by threat behavior rather than by signature: more rapidly expose new, unknown, and non-malware threats on endpoints.
Rapid Response Enabled by Full Scope Visibility: provide all data needed to confirm threats and quickly take action.
Intelligent Risk-Level Scoring System: eliminate white noise; prioritize threats more efficiently & accurately.
(Graphic: a risk score of 73 shown alongside alert markers)
14. Rapidly and Accurately Analyze ALL Threats
IP/Domain Information & Geo
Threat Intelligence + RSA Community
YARA Rules Engine
Blacklisting (Multi-A/V)
File / App Whitelisting & Reputation
“Gold Image” Baselining
Certificate Validation
Live Memory Analysis
Direct Physical Disk Inspection
User-Initiated Suspicious Behavior
Endpoint/Module Behavior Analytics
(Graphic: sample risk scores 73, 85, 99, 21, 87)
RSA NetWitness Endpoint combines multiple detection methodologies to detect both KNOWN and UNKNOWN threats faster and more accurately.
15. How Customers Use RSA NetWitness Endpoint
Proactive Assessments of Key Assets
Selectively deploy, monitor, and protect your most valuable, at-risk corporate assets
Protective Endpoint Monitoring and Alerting
Gain greater visibility, detect threats faster, and focus response more effectively
Hunting Tool for Incident Response
Investigate compromised systems to collect incident data for forensic analysis
Deeper Understanding of the Full Scope of an Incident
Fully eradicate a threat actor by leveraging both network and endpoint visibility and analysis
16. Detect Unknown Threats. Reduce Dwell Time. Accelerate Response – Gartner
“Traditional defense-in-depth components are still necessary, but are no longer sufficient in protecting against advanced targeted attacks and advanced malware” – Gartner
Source: Gartner’s “Five Styles of Advanced Threat Defense”
(Diagram: the five styles plotted by Where to Look (Network, Payload, Endpoint) against Time: Network Traffic Analysis (RSA), Payload Analysis, Endpoint Behavior Analysis (RSA), Network Forensics (RSA), Endpoint Forensics (RSA))
17. Detect Unknown Threats. Reduce Dwell Time. Accelerate Response - Frost & Sullivan
The network security team at Frost and Sullivan views Advanced Persistent Threat (APT) defense as not a singular technology, but rather as a collection of technologies used in concert.
Network security forensics is the requisite technology used when a suspected security breach has occurred.
18. What Do Organizations Need to Be Successful?
Effective means to help overburdened and unfocused security
teams investigate and respond rapidly to REAL threats.
Capabilities to accurately detect new, never-seen-before,
targeted and even “file-less” threats on their endpoints
Deep visibility and insight into everything that is actually
happening on their endpoints at any time
19. Security Attacks are Inevitable
Must be ARMED to quickly identify and respond to attacks before they can damage the business.
Constant compromise does not mean constant loss.
We need to fundamentally change our approach.
We have to acknowledge that in today’s modern enterprise, we cannot rely on prevention based on static rules or prior knowledge.
Instead, we must develop and improve our ability to detect compromises and rapidly take the right measures to respond in order to minimize damage or loss to the organization.
Despite many organizations acknowledging the need to change or improve, they continue to pursue the same failed strategies. Organizations must radically shift priorities, technologies, and resources.
The vast majority of the spend is still preventative and perimeter-based. RSA research indicates that 80% of security staff and budgets, activity and tools, today are focused on prevention. Monitoring and response lag, and even the monitoring spend is today heavily weighted toward ineffective, incomplete approaches.
Going forward, there needs to be a much more even split of resources across prevention, monitoring, and response. Without rebalancing these resources, it will become increasingly difficult to have the ability to detect a breach in a timely fashion and have the capability to respond fast enough to avoid loss.
How are today’s threats different? It’s not just that they are more sophisticated, but attack methods have fundamentally changed.
First, they are targeted, with a specific objective. Previously, we may have seen threats such as mass malware that can infect PCs or random attacks on unnecessary services running on external-facing servers. Advanced threats typically use custom malware that targets an individual or group of employees at a specific organization. The attackers are seeking specific information – intellectual property or confidential documents. And their entry point to the organization is the compromise of an individual user’s credentials, which they can use to establish a non-suspicious initial foothold in their target organization.
Second, once their initial intrusion is successful, advanced attackers are much more stealthy. Unlike a “smash and grab” password theft or website defacement, advanced attackers seek to remain hidden inside the organization, establishing multiple footholds in case their initial access is shut down, and keeping suspicious activity that might alert security operations teams to a minimum as they seek their target. They cover their tracks by erasing logs and other evidence of their activity.
And they are much more interactive. They don’t follow set scripts. They react to being detected and having access shut down by coming in through another backdoor they established and using different tactics than the ones that led to their discovery.
Against these fundamentally different attacks, we need a fundamentally different response. We need to spend less time trying to keep attackers out, and focus instead on accelerating our ability to detect and respond to intrusions, reducing the amount of time they are in the network (which we call “dwell time”). Our goal is to ensure that intrusion and compromise do not result in business damage or loss.
KEY TAKEAWAY: organizations don’t need to deploy everything; they can pick the part of the solution that is right for them. As they grow, everything is integrated and seamless, so the solution will grow with them.
Choose the full solution or augment existing tools with RSA’s flexible, modular approach
Enhance or replace your existing SIEM’s capabilities with better visibility, analysis and workflow.
Evolve from a log-centric view with network packet capture to enable deep network forensics and detection
Augment traditional AV with advanced endpoint malware detection
Use out-of-the-box-integrations and open APIs to integrate with existing systems and applications within your SOC
RSA performs deep data enrichment right at the time of capture, making it much faster and more valuable for analysis in the midst of an investigation. This includes additional context such as asset criticality, vulnerability data, risk level, event type, event source, device information, IP information, configuration data, etc.
Other packet capture solutions, such as those provided by IBM and Solera, perform only very basic enrichment around generic session information (like source IP address, destination IP address, protocol) and don’t give the same depth of enrichment as SA.
THIS MEANS that there are more clues for the system to detect and the analyst to investigate, so they can quickly detect and investigate issues. An example is a PDF file with executable content – no other packet capture solution can spot and recreate it. The enrichment on capture also makes the data much faster to query for analysis and reporting.
NOTE: The metadata includes session-based details to lead the analyst to the right answer.
NOTE: SA maintains the link between the sessionized data and the raw data, which is how it’s so fast on retrieval and reconstruction. Faster than other packet capture tools.
Key takeaway: Others offer some simple characteristics seen with basic packet capture; we go way beyond with deep network forensics generating hundreds of metadata fields.
This detail, thanks to capture-time data enrichment, really sets us apart and gives analysts the ability to spot more attacks and investigate with incredible detail.
Here is a way that Gartner looks at the problem.
We know that traditional defense-in-depth components are still necessary, but are no longer sufficient on their own when facing the sophistication of today’s targeted attacks. Instead, we need to look across data sets (network, packets, and endpoint) – as well as across time. We must bring all the data together, analyze it, and react quickly. Each ‘style’ or category listed above is compulsory, but even the best technology, left alone in its own silo, cannot meet the needs of today’s security operations centers.
We believe that today’s organizations need to be able to look across multiple datasets with deep visibility to the endpoint, analyze that data in real-time, but also understand it with the perspective of time in order to portray the most accurate picture of what happened, how, and why. This enables teams to understand priority and the full scope of the attack.