RSA Cyber Security Intelligence
Anusorn Oopkum, RSA
GAP

SECURITY TECHNOLOGY: where most security vendors are focusing
BUSINESS RISK: where business leaders are focusing

Security technology view: WannaCry, account lockouts, web shell deletions, buffer overflows, SQL injections, cross-site scripting, DDoS, IDS/IPS events
Business risk view: How bad is it? Can we detect it? Who was it? How did they get in? What information was taken? What are the legal implications? Is it under control? What are the damages?

GRIEF OF
MODERN SOC DEFINED
• "A security operations center provides centralized and consolidated cyber security incident prevention, detection and response capabilities"
• Security operation functions are often performed by a SOC
• Security monitoring << KEY FOCUS!!!
• SOC = People, Process and Technology
LEVELS OF ASOC MATURITY
Organizations' overall assessment of their security incident capabilities:
• Ad hoc incident response: 65%
• Incident response as a key force: 5%
• Incident response as an emerging capability: 25%
ASOC MATURITY FRAMEWORK: PEOPLE

Ad hoc incident response
• Incident responders are not specialists
• Limited formalized training
• Work as needed

Incident response as an emerging capability
• Full-time incident responders
• Regular training and IR community
• Specialized into areas of focus
• Participate directly in hacker forums/social media

Incident response as a key force
• Follow-the-sun coverage
• Report in business impact terms
• Staff rotation
• Advanced threat analysis
ASOC MATURITY FRAMEWORK: PROCESS

Ad hoc incident response
• Unclear how to respond
• Most investigations initiated as a result of an "alert" from 3rd parties or employees
• No prioritization

Incident response as an emerging capability
• Prioritizes response by IT asset together with other context factors
• Often fixes/reimages the system without understanding the root cause
• Subscribes to threat intelligence

Incident response as a key force
• Threat intelligence operationalized directly into tools
• Aims to understand the full scope of an attacker's campaign, not just clean malware
• Focuses on responding to the highest-priority alerts with other context factors
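The two process steps above, prioritizing by asset context and operationalizing threat intelligence directly into tooling, are easiest to see in code. The following is an added illustration, not RSA's code or part of the original deck: a small scoring routine that ranks alerts by severity multiplied by asset criticality and boosts the score when an alert's indicators match a threat-intel feed. The asset inventory, the indicator list (documentation-range IP and reserved domain) and the alerts are all constructed sample data.

```python
"""Risk-based alert prioritization with asset context and threat intel.

Added example for the "prioritize by asset with other context factors" and
"threat intelligence operationalized directly into tools" maturity steps.
Not vendor code; every asset, indicator and alert below is constructed.
"""
from dataclasses import dataclass, field

# Constructed asset inventory: hostname -> (criticality 1-5, business owner)
ASSETS = {
    "db-prod-01": (5, "Finance"),
    "web-dmz-02": (4, "E-commerce"),
    "wks-0457": (1, "Staff laptop"),
}

# Constructed threat-intel feed (not real IoCs): indicator -> confidence 0..1
THREAT_INTEL = {
    "203.0.113.45": 0.9,        # TEST-NET-3 documentation address
    "bad-update.example": 0.6,  # RFC 2606 reserved domain
}

SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Alert:
    alert_id: str
    host: str
    severity: str
    indicators: list = field(default_factory=list)


def score_alert(alert, assets=ASSETS, intel=THREAT_INTEL):
    """Return (score, reasons).

    score = severity weight x asset criticality, multiplied by (1 + best TI
    confidence) when any indicator on the alert is in the feed. Hosts missing
    from the inventory get criticality 3 so an unmanaged asset is never
    silently ranked lowest.
    """
    sev = SEVERITY_WEIGHT.get(alert.severity.lower(), 1)
    crit, owner = assets.get(alert.host, (3, "unknown"))
    reasons = [f"severity={alert.severity}", f"asset_criticality={crit} ({owner})"]
    best_ti = max((intel.get(i, 0.0) for i in alert.indicators), default=0.0)
    if best_ti:
        reasons.append(f"threat_intel_match confidence={best_ti}")
    score = round(sev * crit * (1 + best_ti), 2)
    return score, reasons


def prioritize(alerts):
    """Ranked list of (alert_id, score, reasons), highest score first."""
    ranked = [(a.alert_id, *score_alert(a)) for a in alerts]
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


# Constructed alert queue
SAMPLE_ALERTS = [
    Alert("A-1", "wks-0457", "critical", ["203.0.113.45"]),     # laptop, TI-listed IP
    Alert("A-2", "db-prod-01", "medium", []),                   # medium alert, crown-jewel DB
    Alert("A-3", "web-dmz-02", "high", ["bad-update.example"]),
    Alert("A-4", "unknown-host", "low", []),                    # host not in inventory
]

if __name__ == "__main__":
    for alert_id, score, reasons in prioritize(SAMPLE_ALERTS):
        print(f"{alert_id}: {score:6.2f}  {'; '.join(reasons)}")
```

With this data the "critical" alert on a staff laptop (A-1) ranks below a "medium" alert on the production database (A-2), which is exactly the shift from severity-only triage to asset-aware prioritization that the maturity model describes; the TI boost lifts A-3 to the top of the queue.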
ASOC MATURITY FRAMEWORK: TECHNOLOGY

Ad hoc incident response
• Perimeter-based and signature-based
• SIEM
• No malware analysis
• Typically uses Excel, email or a general-purpose IT help desk

Incident response as an emerging capability
• SIEM + network monitoring tools
• Threat intel provided by external sources
• Basic compliance/governance reports generated from the monitoring system

Incident response as a key force
• Incident management system with response procedures
• Signature-less detection of malware and anomalies on the endpoint
• Big data security analytics for detecting/hunting security anomalies
WHAT MAKES YOUR SOC A "MODERN SOC"
• PROCESS
  • Not just alert triage
  • Hunting and proactive
• PEOPLE
  • Expansion of the L1/L2/L3 model
  • Skills: malware analysis, data analysis
• TECHNOLOGY
  • SIEM, network visibility, NetFlow and endpoint
  • Incident management
  • Behavior analytics
  • Threat intelligence
  • Work-flow
Even advanced protections fail
Does this really help?
GARTNER'S "SOC NUCLEAR TRIAD" OF VISIBILITY
• SIEM
• Network forensics
• Endpoint detection & response
"Significantly reduce the chance that the attacker will operate on your network long enough to accomplish their goals"
Dr. Anton Chuvakin, Gartner Research VP
Source: http://blogs.gartner.com/anton-chuvakin/2015/08/04/your-soc-nuclear-triad/
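The value of the triad is that the three sources corroborate each other around one host in a short time window, which is what shortens attacker dwell time. The following added example (not Gartner's or RSA's code, and not from the deck) correlates constructed SIEM, NetFlow and endpoint records per host and flags only hosts where all three sources report activity inside a configurable window; hosts, users, timestamps and addresses are placeholders made up for the example.

```python
"""Correlating SIEM, network and endpoint telemetry around a single host.

Added example for the "SOC nuclear triad" idea. All records are constructed
and use documentation-range addresses; nothing here is real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: (source, timestamp, host, detail)
SIEM_LOG = [
    ("siem", "2017-06-01T09:02:10", "wks-0457", "failed_logon user=jdoe count=25"),
    ("siem", "2017-06-01T09:03:40", "wks-0457", "logon_success user=jdoe"),
    ("siem", "2017-06-01T11:15:00", "db-prod-01", "logon_success user=svc_backup"),
]
NETFLOW_LOG = [
    ("network", "2017-06-01T09:04:05", "wks-0457", "outbound dst=203.0.113.45:443 bytes=5242880"),
    ("network", "2017-06-01T11:16:30", "db-prod-01", "outbound dst=198.51.100.7:22 bytes=1024"),
]
ENDPOINT_LOG = [
    ("endpoint", "2017-06-01T09:03:55", "wks-0457", "process powershell.exe parent=winword.exe"),
]
ALL_EVENTS = SIEM_LOG + NETFLOW_LOG + ENDPOINT_LOG

TRIAD = {"siem", "network", "endpoint"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def correlate(events, window=timedelta(minutes=10)):
    """Return {host: [(time, source, detail), ...]} for every host whose events
    from all three triad sources fall within `window` of each other.

    For each host the events are sorted and a sliding window is opened at each
    event; the first window that contains all three sources is returned as the
    incident cluster. Hosts with evidence from only one or two sources are not
    reported, so a single-source alert on its own never becomes an incident.
    """
    by_host = defaultdict(list)
    for src, ts, host, detail in events:
        by_host[host].append((parse_ts(ts), src, detail))

    incidents = {}
    for host, evs in by_host.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):
            cluster = [e for e in evs[i:] if e[0] - t0 <= window]
            if {src for _, src, _ in cluster} == TRIAD:
                incidents[host] = cluster
                break
    return incidents


def timeline(cluster):
    """Human-readable incident timeline for an analyst hand-off."""
    return [f"{t.isoformat()} [{src}] {detail}" for t, src, detail in cluster]


if __name__ == "__main__":
    for host, cluster in correlate(ALL_EVENTS).items():
        print(f"Triad hit on {host}:")
        for line in timeline(cluster):
            print("  " + line)
```

On the sample data only wks-0457 is reported: a burst of failed logons in the SIEM, an Office-spawned PowerShell process on the endpoint and a large outbound transfer in NetFlow all land within two minutes. db-prod-01 has SIEM and network records but no endpoint evidence and is left for normal triage. Narrowing the window below the gap between the events makes the hit disappear, which is the usual tuning trade-off between false positives and missed correlations.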
AFTER SIEM, STILL NEED MORE VISIBILITY
• Network
• Endpoint
• Analytics and BA (behavior analytics)
• Threat intelligence
• Orchestration
Roadmap Recommendations
Current position: Security infrastructure / perimeter implementation
• Phase 1: SOC infrastructure (impossible to develop security operation without SOC infrastructure)
• Phase 2: Expand into packet & log monitoring
• Phase 3: SOC operation/procedures - high level of maturity in incident response operation
• Phase 4: SOC infrastructure operation - incident response with predictive detection
• Phase 5 (goal): Business alignment - risk-based view and alignment of security operations
Readiness is tracked on two axes, SOC infra. and security operation, each marked not ready / ready.
Thank You