Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Detect Unknown Threats, Reduce Dwell Time, Accelerate Response


Published on

Rohit Mehrotra, RSA

Published in: Technology
  • You have to choose carefully. ⇒ ⇐ offers a professional writing service. I highly recommend them. The papers are delivered on time and customers are their first priority. This is their website: ⇒ ⇐
    Are you sure you want to  Yes  No
    Your message goes here
  • If you’re struggling with your assignments like me, check out ⇒ ⇐. My friend sent me a link to to tis site. This awesome company. After I was continuously complaining to my family and friends about the ordeals of student life. They wrote my entire research paper for me, and it turned out brilliantly. I highly recommend this service to anyone in my shoes. ⇒ ⇐.
    Are you sure you want to  Yes  No
    Your message goes here

Detect Unknown Threats, Reduce Dwell Time, Accelerate Response

  1. 1. RSΛ NetWitness® Suite Detect Unknown Threats. Reduce Dwell Time. Accelerate Response. Rohit Malhotra email:
  2. 2. Organizations Face Difficult Security Challenges A real scarcity of skilled security analysts forces enterprises to get creative to combat threats and protect the enterprise. GROWING SHORTAGE OF SKILLED SECURITY STAFF More Endpoints in the enterprise, in the field, and in the cloud means more potential entry points for attacks. A GREATLY EXPANDING ATTACK SURFACE The days of simple malware or APTs are gone. Today’s attacks are targeted, lengthy, and multifaceted. MORE SOPHISTICATED ATTACK CAMPAIGNS “Organizations took weeks or more to discover that a breach even occurred.” - Verizon 2016 Data Breach Report
  3. 3. So They Take Preventive Steps to Protect Themselves Confidential Data Endpoints NGFW IDS / IPS SIEM NGFW 80% of security staff, budget, and activity is generally dedicated to preventive action
  4. 4. But Breaches Still Occur. What’s Happening? Confidential Data Endpoints NGFW IDS / IPS SIEM NGFW NGAV misses UNKNOWN, NEW threat NGFW has no rule for/against threat traffic IPS has no signature for the threat packets SIEM captures logs, but will it trigger an alert? NGFW has no rule for/against threat traffic Missing the Little Things Rapidly Adds Up to One Bigger Problem How big is the compromise? How long has it been there? Just how bad is this? What did the attacker do?
  5. 5. 5 The security paradigm must change PREVENTION DETECTION & RESPONSE
  6. 6. Shift priorities and capabilities Today’s Priorities Prevention Response Monitoring Monitoring Prevention Response Future State 6
  7. 7. Advanced Threats Are Different Speed Response Time2Decrease Dwell Time1 TIME Attack Identified Response System Intrusion Attack Begins Cover-Up Complete Cover-Up Discovery Leap Frog Attacks Dwell Time Response Time
  8. 8. Evolution of Threat Actors & Detection Implications Firewall Threat Actors IDS/IPS AntiVirus Corporate Assets Whitespace Successful HACKS Network Visibility Endpoint Visibility Logs/SIEM Complete visibility into every process and network sessions is required to eradicate the attacker opportunity. Unified platform for advanced threat detection & investigations Blocked Session Blocked Session Blocked Session Alert Process Network Session SecurityAnalytics RSA Security Analytics
  10. 10. • Shows how an attacker got in • Shows what the attacker did • Helps to determine the source of the attack • Shows suspicious communication • Beaconing • Data Exfiltration • Outbound encrypted communication • Service communication over a non-standard port • Detect advanced threats using Behavior Analytics • Communication to and from the infected system • See the complete attack picture • Reconstruct the malicious payload or exploit RSA NetWitness® Packets Providing real-time analysis and full visibility of everything going in and out of your network.
  11. 11. HTTP Headers Basic Packet Capture Attachment File Fingerprints Session Size Country Src/Dst URL Hostname IP Alias Forwarded Directory File Packers Non Standard Content Type Ethernet Connection Embedded Objects Top Level Domain Access Criticality Sql Query Mac Address Alias Email Address Cookie Browser Credit Cards Protocol Fingerprints Database Name SSL CA/Subject URL in Email Referrer Language Crypto Type PDF/ Flash Version Client/Server Application User Name Port User Agent IP Src/Dst Session Characteristics Deep Network Forensics 225+ metadata fields “You can't hide a packet once it's traversed the wire, you can't unsend it”
  12. 12. Prevention Detection Remediation /Control A BALANCED APPROACH TO ENDPOINT SECURITY SOLUTION EPP: For Blocking and Prevention EDR: For Rapid detection and Response
  13. 13. Why RSA NetWitness Endpoint? Detect by threat behavior rather than by signature Rapid Response Enabled by Full Scope Visibility Intelligent Risk-Level Scoring System More rapidly expose new, unknown, and non-malware threats on endpoints Eliminate white noise; prioritize threats more efficiently & accurately Provide all data needed to confirm threats and quickly take action 73 RISK ! ! ! ! ! ! ! ! ! ! ! !
  14. 14. Rapidly and Accurately Analyze ALL Threats IP/Domain Information & Geo Threat Intelligence + RSA Community YARA Rules Engine Blacklisting (Multi-A/V) File / App Whitelisting & Reputation “Gold Image” Baselining Certificate Validation Live Memory Analysis Direct Physical Disk Inspection User-Initiated Suspicious Behavior Endpoint/Module Behavior Analytics 73 85 99 21 87 RSA NetWitness Endpoint combines multiple detection methodologies to detect both KNOWN and UNKNOWN threats faster and more accurately.
  15. 15. How Customers Use RSA NetWitness Endpoint Proactive Assessments of Key Assets Selectively deploy, monitor, and protect your most valuable, at-risk corporate assets Protective Endpoint Monitoring and Alerting Gain greater visibility, detect threats faster, and focus response more effectively Hunting Tool for Incident Response Investigate compromised systems to collect incident data for forensic analysis Deeper Understanding of the Full Scope of an Incident Fully eradicate a threat actor by leveraging both network and endpoint visibility and analysis
  16. 16. Detect Unknown Threats. Reduce Dwell Time. Accelerate Response – Gartner “Traditional defense-in-depth components are still necessary, but are no longer sufficient in protecting against advanced targeted attacks and advanced malware” – Gartner Source: Gartner’s “Five Styles of Advanced Threat Defense” Network Traffic Analysis RSA Payload Analysis Endpoint Behavior Analysis RSA Network Forensics RSA Endpoint Forensics RSA Where to Look Network Payload Endpoint Time
  17. 17. Detect Unknown Threats. Reduce Dwell Time. Accelerate Response - Frost & Sullivan The network security team at Frost and Sullivan views Advanced Persistent Threat (APT) defense as not a singular technology, but rather as a collection of technologies used in concert. Network security forensics is the requisite technology used when a suspected security breach has occurred.
  18. 18. What Do Organizations Need to Be Successful? Effective means to help overburdened and unfocused security teams investigate and respond rapidly to REAL threats. Capabilities to accurately detect new, never-seen-before, targeted and even “file-less” threats on their endpoints Deep visibility and insight into everything that is actually happening on their endpoints at any time
  19. 19. Must be ARMED to quickly identify and respond to attacks before they can damage the business Constant compromise does not mean constant loss Security Attacks are Inevitable
  20. 20. THANK YOU