Detect Unknown Threats, Reduce Dwell Time, Accelerate Response
•Download as PPTX, PDF•
3 likes•909 views
Rohit Mehrotra, RSA
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (19)
Similar to Detect Unknown Threats, Reduce Dwell Time, Accelerate Response
Similar to Detect Unknown Threats, Reduce Dwell Time, Accelerate Response (20)
More from Rahul Neel Mani
More from Rahul Neel Mani (15)
Recently uploaded
Recently uploaded (20)
Detect Unknown Threats, Reduce Dwell Time, Accelerate Response
- 1. RSΛ NetWitness® Suite Detect Unknown Threats. Reduce Dwell Time. Accelerate Response. Rohit Malhotra email: rohit.malhotra@rsa.com
- 2. Organizations Face Difficult Security Challenges A real scarcity of skilled security analysts forces enterprises to get creative to combat threats and protect the enterprise. GROWING SHORTAGE OF SKILLED SECURITY STAFF More Endpoints in the enterprise, in the field, and in the cloud means more potential entry points for attacks. A GREATLY EXPANDING ATTACK SURFACE The days of simple malware or APTs are gone. Today’s attacks are targeted, lengthy, and multifaceted. MORE SOPHISTICATED ATTACK CAMPAIGNS “Organizations took weeks or more to discover that a breach even occurred.” - Verizon 2016 Data Breach Report
- 3. So They Take Preventive Steps to Protect Themselves Confidential Data Endpoints NGFW IDS / IPS SIEM NGFW 80% of security staff, budget, and activity is generally dedicated to preventive action
- 4. But Breaches Still Occur. What’s Happening? Confidential Data Endpoints NGFW IDS / IPS SIEM NGFW NGAV misses UNKNOWN, NEW threat NGFW has no rule for/against threat traffic IPS has no signature for the threat packets SIEM captures logs, but will it trigger an alert? NGFW has no rule for/against threat traffic Missing the Little Things Rapidly Adds Up to One Bigger Problem How big is the compromise? How long has it been there? Just how bad is this? What did the attacker do?
- 5. 5 The security paradigm must change PREVENTION DETECTION & RESPONSE
- 6. Shift priorities and capabilities Today’s Priorities Prevention Response Monitoring Monitoring Prevention Response Future State 6
- 7. Advanced Threats Are Different Speed Response Time2Decrease Dwell Time1 TIME Attack Identified Response System Intrusion Attack Begins Cover-Up Complete Cover-Up Discovery Leap Frog Attacks Dwell Time Response Time
- 8. Evolution of Threat Actors & Detection Implications Firewall Threat Actors IDS/IPS AntiVirus Corporate Assets Whitespace Successful HACKS Network Visibility Endpoint Visibility Logs/SIEM Complete visibility into every process and network sessions is required to eradicate the attacker opportunity. Unified platform for advanced threat detection & investigations Blocked Session Blocked Session Blocked Session Alert Process Network Session SecurityAnalytics RSA Security Analytics
- 9. ModularRSA Advanced SOC Solution NETWORK FORENSICS SIEM & BEYOND ENDPOINT THREAT ANALYSIS
- 10. • Shows how an attacker got in • Shows what the attacker did • Helps to determine the source of the attack • Shows suspicious communication • Beaconing • Data Exfiltration • Outbound encrypted communication • Service communication over a non-standard port • Detect advanced threats using Behavior Analytics • Communication to and from the infected system • See the complete attack picture • Reconstruct the malicious payload or exploit RSA NetWitness® Packets Providing real-time analysis and full visibility of everything going in and out of your network.
- 11. HTTP Headers Basic Packet Capture Attachment File Fingerprints Session Size Country Src/Dst URL Hostname IP Alias Forwarded Directory File Packers Non Standard Content Type Ethernet Connection Embedded Objects Top Level Domain Access Criticality Sql Query Mac Address Alias Email Address Cookie Browser Credit Cards Protocol Fingerprints Database Name SSL CA/Subject URL in Email Referrer Language Crypto Type PDF/ Flash Version Client/Server Application User Name Port User Agent IP Src/Dst Session Characteristics Deep Network Forensics 225+ metadata fields “You can't hide a packet once it's traversed the wire, you can't unsend it”
- 12. Prevention Detection Remediation /Control A BALANCED APPROACH TO ENDPOINT SECURITY SOLUTION EPP: For Blocking and Prevention EDR: For Rapid detection and Response
- 13. Why RSA NetWitness Endpoint? Detect by threat behavior rather than by signature Rapid Response Enabled by Full Scope Visibility Intelligent Risk-Level Scoring System More rapidly expose new, unknown, and non-malware threats on endpoints Eliminate white noise; prioritize threats more efficiently & accurately Provide all data needed to confirm threats and quickly take action 73 RISK ! ! ! ! ! ! ! ! ! ! ! !
- 14. Rapidly and Accurately Analyze ALL Threats IP/Domain Information & Geo Threat Intelligence + RSA Community YARA Rules Engine Blacklisting (Multi-A/V) File / App Whitelisting & Reputation “Gold Image” Baselining Certificate Validation Live Memory Analysis Direct Physical Disk Inspection User-Initiated Suspicious Behavior Endpoint/Module Behavior Analytics 73 85 99 21 87 RSA NetWitness Endpoint combines multiple detection methodologies to detect both KNOWN and UNKNOWN threats faster and more accurately.
- 15. How Customers Use RSA NetWitness Endpoint Proactive Assessments of Key Assets Selectively deploy, monitor, and protect your most valuable, at-risk corporate assets Protective Endpoint Monitoring and Alerting Gain greater visibility, detect threats faster, and focus response more effectively Hunting Tool for Incident Response Investigate compromised systems to collect incident data for forensic analysis Deeper Understanding of the Full Scope of an Incident Fully eradicate a threat actor by leveraging both network and endpoint visibility and analysis
- 16. Detect Unknown Threats. Reduce Dwell Time. Accelerate Response – Gartner “Traditional defense-in-depth components are still necessary, but are no longer sufficient in protecting against advanced targeted attacks and advanced malware” – Gartner Source: Gartner’s “Five Styles of Advanced Threat Defense” Network Traffic Analysis RSA Payload Analysis Endpoint Behavior Analysis RSA Network Forensics RSA Endpoint Forensics RSA Where to Look Network Payload Endpoint Time
- 17. Detect Unknown Threats. Reduce Dwell Time. Accelerate Response - Frost & Sullivan The network security team at Frost and Sullivan views Advanced Persistent Threat (APT) defense as not a singular technology, but rather as a collection of technologies used in concert. Network security forensics is the requisite technology used when a suspected security breach has occurred.
- 18. What Do Organizations Need to Be Successful? Effective means to help overburdened and unfocused security teams investigate and respond rapidly to REAL threats. Capabilities to accurately detect new, never-seen-before, targeted and even “file-less” threats on their endpoints Deep visibility and insight into everything that is actually happening on their endpoints at any time
- 19. Must be ARMED to quickly identify and respond to attacks before they can damage the business Constant compromise does not mean constant loss Security Attacks are Inevitable
- 20. THANK YOU
Editor's Notes
- We need to fundamentally change our approach. We have to acknowledge that in today’s modern enterprise, we cannot rely on prevention based on static rules or prior knowledge. Instead, we must develop and improve our ability to detect compromises and rapidly take the right measures to respond in order to minimize damage or loss to the organization.
- Despite many organizations acknowledging the need to change or improve, they continue to pursue the same failed strategies. Organizations must radically shift priorities, technologies, and resources. The vast majority of the spend is still preventative and perimeter-based. RSA research indicates that 80% of security staff and budgets, activity and tools, today are focused on prevention. Monitoring and response lag, and even the monitoring spend is today heavily weighted toward ineffective, incomplete approaches. Going forward, there needs to be a much more even split of resources across prevention, monitoring, and response. Without rebalancing these resources, it will become increasingly difficult to have the ability to detect a breach in a timely fashion and have the capability to respond fast enough to avoid loss.
- How are today’s threats different? It’s not just that they are more sophisticated, but attack methods have fundamentally changed. First they are targeted, with a specific objective. Previously, we may have seen threats such as mass malware that can infect PCs or random attacks on unnecessary services running on external-facing servers. Advanced threats typically use custom malware that targets an individual or group of employees at a specific organization. The attackers are seeking specific information – intellectual property or confidential documents. And their entry point to the organization is the compromise of an individual user’s credentials that they can use to establish an non-suspicious initial foothold in their target organization. Second, once their initial intrusion is successful, advanced attackers are much more stealthy. Unlike a “smash and grab” password theft or website defacement, advanced attackers seek to remain hidden inside the organization, establishing multiple footholds in case their initial access is shut down, and keeping suspicious activity that might alert security operations teams to a minimum as they seek their target. They cover their tracks by erasing logs and other evidence of their activity. And they are much more interactive. They don’t follow set scripts. They react to being detected and having access shut down by coming in through another backdoor they established and using different tactics than the ones that led to their discovery. Against these fundamentally different attacks, we need a fundamentally different response. We need to spend less time trying to keep attackers out, but focus instead on accelerating our ability to detect and respond to intrusions, and reducing the amount of time they are in the network (which we call “dwell time”). Our goal is to ensure that intrusion and compromise do not result in business damage or loss.
- KEY TAKEWAY: organizations don’t need to deploy everything, they can pick the part of the solution that is right for them. As they grow, everything is integrated and seamless so the solution will grow with them. Choose the full solution or augment existing tools with RSA’s flexible, modular approach Enhance or replace your existing SIEM’s capabilities with better visibility, analysis and workflow. Evolve from a log-centric view with network packet capture to enable deep network forensics and detection Augment traditional AV with advanced endpoint malware detection Use out-of-the-box-integrations and open APIs to integrate with existing systems and applications within your SOC
- RSA performs deep data enrichment right at the time of capture making it much faster and more valuable for analysis in the midst of an investigation. This includes additional context, such as asset criticality, vulnerability data, risk level, event type, event source, device information, IP information, configuration data, etc Unlike other packet capture solutions provided by IBM and Solera who perform only very basic enrichment around generic session information (like source IP address, destination IP address, protocol) but don’t give the same depth of enrichment as SA THIS MEANS that there are more clues for the system to detect and the analyst to investigate so they can quickly detect and investigate issues. An example is a PDF file with executable content – no other packet capture solution can spot and recreate it. The enrichment on capture also makes the data much faster to query for analysis and reporting. NOTE: The metadata includes session based details to lead the analyst to the right answer NOTE: SA Maintains the link between the sessionized data and the raw data which is how its so fast on retrieval and reconstruction. Faster than other packet capture tools.
- Key takeaway: Others offer some simple characteristics seen with basic packet capture….we go way beyond with deep network forensics generating hundreds of metadata fields. This detail, thanks to capture time data enrichment, really sets us apart and gives analysts the ability to spot more attacks and investigate with incredible detail.
- Here is a way that Gartner looks at the problem. We know that traditional defense-in-depth components are still necessary, but are no longer sufficient on their own when facing the sophistication of today’s targeted attacks. Instead, we need to look across data sets (network, packets, and endpoint) – as well as across time. We must bring all the data together, analyze it, and react quickly. Each ‘style’ or category listed above is compulsory – but even the best technology, left alone in its own silo – cannot meet the needs of today’s security operations centers. We believe that today’s organizations need to be able to look across multiple datasets with deep visibility to the endpoint, analyze that data in real-time, but also understand it with the perspective of time in order to portray the most accurate picture of what happened, how, and why. This enables teams to understand priority and the full scope of the attack.