Slide 1 © Copyright 2013 EMC Corporation. All rights reserved.
RSA IT Security Risk Management
Adding Insight to Security
RSA Security Summit, Amsterdam, The Netherlands, May 7, 2014
Alexander van Winden, GRC Solutions Consultant
Slide 2
Where is Security Today?
Complexity
Data
Breaches
Damage
Companies have built layer upon layer of security, but is it helping?
Slide 3
Which of these are most important?
We believe that doing the right thing should be obvious, but for today's IT security organizations it is too often hidden.
Lack of Insight [The Noise Factor]
Web Vulnerability
OS Configuration
Patch Management
Device Vulnerability
Anti-Virus/Malware
Logical Access
IPS/IDS
Physical Access
Firewalls
VPNs
SEIM/Packets
8:02 AM – Malware infection on 10.1.2.30
8:30 AM – Voice mail from colleague re: new hacker group
9:00 AM – Meeting with QSA re: last week’s vulnerability scan
11:15 AM – Vulnerability scan on DMZ completed
11:30 AM – Meeting with XYZ department on new application being installed next week
12:00 PM – Company just like us announced major breach
12:02 PM – CVE-2014-123 just released
1:45 PM – Meeting with audit committee re: security risks
2:00 PM – System outage at Phoenix branch
2:15 PM – Weird(?) network traffic reported by network team
2:53 PM – Malware outbreak on multiple machines
3:00 PM – New contractor onboarding
3:20 PM – Present security awareness training to new employees
4:15 PM – Industry ISAC security conference call
4:32 PM – HR reports social engineering attempt
5:07 PM – Port scan on 192.168.3.45
6:07 PM – Security policy meeting
8:02 PM – Malware infection on 10.10.2.32
8:30 PM – Multiple failed login attempts on 192.168.100.23
11:15 PM – Vulnerability scan found 142 critical vulnerabilities
12:00 AM – Malware infection on 10.2.3.45
12:02 AM – Sun just released a new patch to JRE 5.4.3.2
Inappropriate access attempt on top secret information?
Do we have a compliance issue?
Is this a high risk business function?
What are the executive concerns?
Meaningless virus infection?
Is this a coordinated advanced attack?
Defense in Depth
Slide 4
The New World of Security
It will become increasingly difficult to secure infrastructure.
We must focus on people, the flow of data, and on transactions.
Slide 5 © Copyright 2012 EMC Corporation. All rights reserved.
We Need to Change our Approach…
Improve monitoring and response capabilities.
Defense in Depth Security: Prevention, Monitoring, Response
Intelligence-Driven Security: Prevention, Monitoring, Response
Slide 6
Signal Clarity and Amplification
We provide solutions that disrupt the noise and bring clarity to the signal, to amplify your decisions.
Noise
Visibility + Analysis = Priority
Priority + Action = Results
Results + Metrics = Progress
Slide 7
IT Security Risk Management
Enables organizations to:
establish business context for security
establish security policies and standards
detect and respond to attacks
identify and remediate security deficiencies
reducing the risk of today’s security threats; poor, misaligned security practices; and operational security compliance failures.
…not a single answer but rather a solution leveraging people, process, and technology as a force multiplier.
Security Strategy
Security Compliance
Threat & Vulnerability Management
Security Policies
Security Operations
Slide 8
Planning Your Journey
Maturity: Reactive, Intelligent, Proactive
Gain insight & visibility
Integrate data sources
Make risk-based decisions
Manage known & unknown risks
Layered: point solutions, multiple management consoles, basic reporting
Managed: integrated security, expanded visibility, improved analysis/metrics
Advantaged: fully risk aware, identify opportunity
Slide 9
IT Security Risk Solutions
Foundational: IT Security Risk Management
Scan Results, Indicators and Metrics
Assets: IT Context, Regulatory, Biz Context, Data
Catalogs: CVE/CVSS, CWE, CPE, CCE, Threat Intel, UCF
Identity: Login/Logout, Repositories, Integrations
Workflow: Ticketing, Reports, Exceptions, Notifications
Preventative: Remediation Workflow, Threat Correlation, Gold Build Images
Responsive: Incidents & Investigations, Breach Management, Crisis Management, SOC Management
Focused UIs: Persona Based UI, Interactive Charts, Searching and Filtering
RSA Archer eGRC
Measure Outcomes
Vulnerability Risk Management
Slide 10
Vulnerability Management Today
Trying to avoid the vulnerability pit…
(Diagram: Vulnerability Scanner, Devices, Vulnerability, Issue, Patch, with the numbered steps below)
1. Brian, IT Security Analyst, runs his vulnerability scanner.
2. The vulnerability scanner finds a number of issues on IT systems.
3. Pages of results are delivered to Alice, IT Administrator, to fix.
4. Patches are pushed out or configurations are updated to fix the vulnerabilities.
5. Some patches are missed, don’t fix the problem, or there isn’t enough time to get to them. The vulnerability will sit unaddressed, possibly forever…
Carlos, CISO, is left wondering:
What does this mean for business risk? What about my most valuable assets?
Are we improving? Do we have the right coverage?
What happens if the threats change? Can I get more protection quickly?
Slide 11
What is VRM?
Vulnerability Risk Management allows enterprises to proactively manage IT security risks through the combination of asset business context, actionable threat intelligence, vulnerability assessment results, and comprehensive workflow.
Slide 12
VRM In A Nutshell
Steps: Discover Vulnerabilities; Classify Issues; Address Issues; Track and Report; Catalog Assets
Required capabilities:
Discover Vulnerabilities: Scan all networks; Identify all types of vulnerabilities; Scan without affecting IT SLAs
Classify Issues: Identify real issues; Assign reliable severity ratings; Prioritize issues based on real risk
Address Issues: Identify the right action; Fix/except issues; Manage through workflows
Track and Report: Track the real status of issues; Generate trend reports, etc.; Create dashboards
Catalog Assets: Create an accurate asset repository; Track technical and business context; Update with ease
Challenges:
No relation between technical and business data; Lack of context and reliable prioritization
Lack of flexible workflows and automation; Ineffective and time-consuming reporting
Scalability, speed, accuracy: addressed by Qualys, McAfee and others
Inaccurate and incomplete asset data; Lack of a single system of record
VRM [solution]: Scan Results + Business Context + Threat Intel = Prioritized Issues, Workflow, KPIs, Reports
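The slide's formula (Scan Results + Business Context + Threat Intel = Prioritized Issues) in working form, as an added example that is not RSA's code. The scan rows, the asset repository, the threat feed, the CVE ids and the scoring weights are all constructed assumptions; the point is to show how the same CVSS 9.8 finding lands at the top of the list on an internet-facing, business-critical host and at the bottom on a low-value lab box, and how a device missing from the asset repository is scored and flagged rather than silently dropped.

```python
"""Turn raw scan results into prioritized issues.

Added example, not RSA's code. Field names, weights and CVE ids are constructed
assumptions used to illustrate the slide's formula.
"""
from dataclasses import dataclass, field

# Constructed scan results: one row per (device, CVE), as a scanner export might list them.
SCAN_RESULTS = [
    {"device": "web-01",   "cve": "CVE-2014-0001", "cvss": 9.8},
    {"device": "web-01",   "cve": "CVE-2014-0002", "cvss": 5.0},
    {"device": "dev-07",   "cve": "CVE-2014-0001", "cvss": 9.8},
    {"device": "hr-db-02", "cve": "CVE-2014-0003", "cvss": 6.5},
    {"device": "hr-db-02", "cve": "CVE-2014-0002", "cvss": 5.0},
    {"device": "lab-99",   "cve": "CVE-2014-0002", "cvss": 5.0},  # not in the asset repository
]

# Constructed business context, as a GRC asset repository or CMDB might hold it.
ASSET_CONTEXT = {
    "web-01":   {"criticality": "high", "internet_facing": True,  "data": "pci"},
    "hr-db-02": {"criticality": "high", "internet_facing": False, "data": "pii"},
    "dev-07":   {"criticality": "low",  "internet_facing": False, "data": "none"},
}

# Constructed threat intelligence: CVEs with reported in-the-wild exploitation.
THREAT_INTEL = {"CVE-2014-0003": {"exploited_in_wild": True}}

# Assumed weights: CVSS is scaled by asset criticality, exposure and threat activity.
CRITICALITY_WEIGHT = {"high": 1.0, "medium": 0.6, "low": 0.3}
EXPOSURE_FACTOR = 1.5   # internet-facing asset
THREAT_FACTOR = 2.0     # exploited in the wild


@dataclass
class PrioritizedIssue:
    device: str
    cve: str
    score: float
    reasons: list = field(default_factory=list)


def score_finding(finding, asset_context, threat_intel):
    """Score one scanner finding: CVSS x criticality x exposure x threat, with the reasons kept."""
    reasons = []
    ctx = asset_context.get(finding["device"])
    if ctx is None:
        # Unknown device: score it as medium and flag the coverage gap instead of dropping it.
        ctx = {"criticality": "medium", "internet_facing": False, "data": "unknown"}
        reasons.append("no asset context: add device to repository")
    score = finding["cvss"] * CRITICALITY_WEIGHT[ctx["criticality"]]
    reasons.append(f"criticality={ctx['criticality']}")
    if ctx["internet_facing"]:
        score *= EXPOSURE_FACTOR
        reasons.append("internet-facing")
    if threat_intel.get(finding["cve"], {}).get("exploited_in_wild"):
        score *= THREAT_FACTOR
        reasons.append("exploited in the wild")
    if ctx["data"] in ("pci", "pii"):
        reasons.append(f"regulated data: {ctx['data']}")
    return PrioritizedIssue(finding["device"], finding["cve"], round(score, 2), reasons)


def prioritize(scan_results, asset_context, threat_intel):
    """Return the issues ordered by risk score, highest first (stable for ties)."""
    issues = [score_finding(f, asset_context, threat_intel) for f in scan_results]
    return sorted(issues, key=lambda i: i.score, reverse=True)


if __name__ == "__main__":
    for issue in prioritize(SCAN_RESULTS, ASSET_CONTEXT, THREAT_INTEL):
        print(f"{issue.score:5.2f}  {issue.device:9} {issue.cve}  {', '.join(issue.reasons)}")
```

On the constructed data, sorting by CVSS alone would put the two 9.8 findings first and the 6.5 finding fourth; with context and threat intel applied, the 9.8 on the lab box drops to last and the actively exploited 6.5 on the HR database rises to second. Keeping the `reasons` list on each issue is what makes the ranking explainable to the administrator who receives the ticket.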
Slide 13
Vulnerability Risk Management
Inputs: Vuln. Scan Results (Qualys, McAfee); Vuln. Data Pubs (NVD CVE); Threat Intelligence (US-CERT); Asset Taxonomies (NVD CPE); Other Asset Data (CSV, CMDB, etc.)
RSA VRM Data Warehouse: Data Collector; Raw Data Storage; Normalization; Indexing; Analytics Engine; Vulnerability Analytics; Investigative UI
Archer Vulnerability Risk Management: Integration with GRC; Reporting and Dashboards; Workflow
VRM objects: Devices, Findings, Exceptions, KPIs
Users: IT Security Analyst, CISO, Administrator
Slide 14
The Value of VRM
Asset Discovery and Management: Know what you have
Issue Prioritization
Issue Lifecycle Tracking: Do the right thing
Exception and SLA Management
Dashboards and Reporting: Measure effectiveness, not just activity
Measure and Report KPIs
Personas: IT Security Analyst, IT Administrator, CISO
Slide 15
IT Security Risk Solutions (same overview diagram as slide 9)
Security Operations Management
Slide 16
Centralizing Incident Response Teams
Specialized team reporting to: CSO/CISO, CIO
Consisting of: People, Process, Technology
Detect, Investigate and Respond
Roles: SOC Manager, Tier 1 Analyst, Tier 2 Analyst, Threat Analyst, Analysis & Tools Support Analyst
Slide 17
SOC Challenges Today
Lack of Context, Lack of Process, Lack of Best Practices
Event focused and reactive, with no centralization of alerts or incident management…
Slide 18
Complexities of a SOC
People: SOC Manager 1, SOC Manager 2, CISO, L1 Analyst, L2 Analyst, Threat Analyst, Breach Coordinator, Finance, Legal, HR, IT
Process: Shift Handoff, Incident Process, Threat Analysis, Report KPIs, Breach Process, IT Handoff, Centralize Alerts, Measure Efficacy
Technology: SIEM, DLP, Network Visibility, Host Visibility, eFraud
Slide 19
What is SecOps?
Domain: Security Operations Management
Incident Management, Breach Management, SOC Program Management, IT Security Risk Management
People, Process, Technology: Orchestrate & Manage
Consistent, predictable business process
Slide 20
Security Operations Management
RSA SecOps: Aggregate Alerts to Incidents; Incident Response; Breach Response; SOC Program Management; Dashboard & Report
Context: RSA Archer Enterprise Management (Context); RSA Archer BCM (Crisis Events)
Alerts: Capture & Analyze – Packets, Logs & Threat Feeds; Launch to SA
Slide 21
The Value of SecOps
Enable SOC/IR Analysts to Be More Effective: Incident Prioritization; Visibility & Biz Context; Workflow to guide IR process; Threat Intelligence; Response Procedures
Optimize SOC Investments: Automation; Monitor KPIs; Identify gaps & improve; Measure Security Controls; Manage SOC Team
Manage IT Security & Business Risk: Data Breach Management; Enterprise Risk; Vendor Risk; Compliance Risk; … and more
Personas: IT Security Analyst, Incident Coordinator, CISO
Slide 24
Analyst Focused Dashboard
New and My Incident Queue
Overall Incident Status
Slide 25
Contextual Launch to Collect Data
Launch to SA to collect additional data
Slide 26
Cross-Reference Alerts to Asset Details and Business Context
New and My Incident Queue
Link to Business Context
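What "Aggregate Alerts to Incidents" plus "Link to Business Context" looks like in code, as an added example that is not RSA's code. It takes a handful of alerts of the kind listed on the noise-factor slide (malware infections, failed logins, a port scan on a few hosts), merges alerts on the same asset that fall within a time window into one incident, and ranks incidents by the worst alert severity scaled by the asset's business criticality. The alert lines, the asset table, the severity and criticality weights and the six-hour window are constructed assumptions.

```python
"""Aggregate raw alerts into incidents and rank them with asset business context.

Added example, not RSA's code. Alerts, asset details, weights and the window are
constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=6)   # alerts on one asset within this gap belong to the same incident

# Constructed alerts: (timestamp, alert type, affected host).
ALERTS = [
    ("2014-05-07 08:02", "malware",       "10.1.2.30"),
    ("2014-05-07 12:02", "malware",       "10.1.2.30"),
    ("2014-05-07 17:07", "port_scan",     "192.168.3.45"),
    ("2014-05-07 20:30", "failed_logins", "192.168.100.23"),
    ("2014-05-07 20:35", "failed_logins", "192.168.100.23"),
    ("2014-05-07 20:40", "malware",       "192.168.100.23"),
    ("2014-05-08 00:00", "malware",       "10.2.3.45"),
]

# Constructed asset details, as a GRC asset repository or CMDB might provide them.
ASSETS = {
    "10.1.2.30":      {"name": "dev-07",   "owner": "Engineering", "criticality": "low"},
    "192.168.3.45":   {"name": "web-01",   "owner": "E-commerce",  "criticality": "high"},
    "192.168.100.23": {"name": "hr-db-02", "owner": "HR",          "criticality": "high"},
}

# Assumed weights: incident priority = worst alert severity x asset criticality.
ALERT_SEVERITY = {"malware": 3, "failed_logins": 2, "port_scan": 1}
CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1, "unknown": 2}


def aggregate_alerts(alerts, assets, window=WINDOW):
    """Group alerts per host into incidents and return them highest priority first."""
    by_host = defaultdict(list)
    for ts, kind, host in alerts:
        by_host[host].append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), kind))

    incidents = []
    for host, events in by_host.items():
        events.sort()
        # A host missing from the repository is still tracked, at medium weight, and flagged.
        asset = assets.get(host, {"name": host, "owner": "unknown", "criticality": "unknown"})
        current = None
        for when, kind in events:
            # Open a new incident when the gap since the last alert on this host exceeds the window.
            if current is None or when - current["last_seen"] > window:
                current = {"host": host, "asset": asset["name"], "owner": asset["owner"],
                           "criticality": asset["criticality"], "first_seen": when,
                           "last_seen": when, "alerts": []}
                incidents.append(current)
            current["alerts"].append(kind)
            current["last_seen"] = when

    for inc in incidents:
        worst = max(ALERT_SEVERITY[k] for k in inc["alerts"])
        inc["priority"] = worst * CRITICALITY_WEIGHT[inc["criticality"]]
        if inc["criticality"] == "unknown":
            inc["note"] = "asset not in repository: confirm owner and criticality"

    return sorted(incidents, key=lambda i: (-i["priority"], i["first_seen"]))


if __name__ == "__main__":
    for inc in aggregate_alerts(ALERTS, ASSETS):
        print(f"P{inc['priority']:<2} {inc['asset']:15} {inc['owner']:12} alerts={inc['alerts']}")
```

Seven alerts become four incidents. The three alerts on the HR database collapse into one incident that ranks first because the asset is business-critical, while the two malware hits on the low-criticality developer box share one incident near the bottom of the queue; the unknown host is ranked between them and carries a note that the asset record needs completing, which is the "Link to Business Context" gap an analyst would otherwise have to discover by hand.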
Slide 27
Incident Coordinator Dashboard
Shift Handover, Analyst Workload
Incident Trends
Slide 28
Breach Coordinator Dashboard
Current Breaches, Impact and Records Affected
Slide 29
IT Operations Dashboard
Current Breaches, Impact and Records Affected
Findings Addressed by IT Help Desk
Slide 30
SOC Manager / CISO Dashboard
Overall View of Security Operation Center
Slide 32
VRM – Vulnerability Analytics: Brian’s (IT Security Analyst) dashboard
Are all my devices scanned?
Is remediation time as per SLA?
Are issues handled on time?
Track Issues
Facebook-style timeline to check overall operational health
Brian focuses on what is important
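The three dashboard questions above computed from issue and scan records, as an added example that is not RSA's code. Scan coverage answers "Are all my devices scanned?", SLA compliance answers "Is remediation time as per SLA?", and the overdue list answers "Are issues handled on time?"; approved exceptions are reported separately rather than counted as breaches, which is how the slide's "Exception and SLA Management" keeps the KPI honest. The issue records, SLA targets, device list, scan dates and the as-of date are constructed assumptions.

```python
"""Answer the analyst's dashboard questions from issue and scan records.

Added example, not RSA's code. Issue records, SLA targets, device list, scan
dates and the as-of date are constructed assumptions.
"""
from datetime import date, timedelta

# Constructed remediation SLA targets, in days from the date an issue is opened.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}
SCAN_MAX_AGE_DAYS = 30          # a device counts as covered if scanned within this window
AS_OF = date(2014, 5, 7)        # constructed reporting date

# Constructed asset repository: every device we are responsible for.
DEVICES = ["web-01", "hr-db-02", "dev-07", "lab-99"]

# Constructed date of the last completed scan per device (lab-99 has never been scanned).
LAST_SCAN = {"web-01": date(2014, 5, 1), "hr-db-02": date(2014, 5, 1), "dev-07": date(2014, 3, 15)}

# Constructed issue lifecycle records; closed is None while the issue is still open.
ISSUES = [
    {"id": 1, "device": "web-01",   "severity": "critical", "opened": date(2014, 4, 1),  "closed": date(2014, 4, 10), "exception": False},
    {"id": 2, "device": "hr-db-02", "severity": "high",     "opened": date(2014, 3, 1),  "closed": date(2014, 4, 15), "exception": False},
    {"id": 3, "device": "hr-db-02", "severity": "critical", "opened": date(2014, 4, 30), "closed": None,              "exception": False},
    {"id": 4, "device": "dev-07",   "severity": "high",     "opened": date(2014, 3, 15), "closed": None,              "exception": True},
    {"id": 5, "device": "web-01",   "severity": "medium",   "opened": date(2014, 1, 1),  "closed": None,              "exception": False},
    {"id": 6, "device": "lab-99",   "severity": "high",     "opened": date(2014, 4, 20), "closed": None,              "exception": False},
]


def scan_coverage(devices, last_scan, as_of, max_age_days=SCAN_MAX_AGE_DAYS):
    """Fraction of devices scanned within the window ('Are all my devices scanned?')."""
    cutoff = as_of - timedelta(days=max_age_days)
    covered = [d for d in devices if d in last_scan and last_scan[d] >= cutoff]
    return len(covered) / len(devices)


def within_sla(issue, as_of):
    """True if the issue was closed, or is still open, inside its SLA window."""
    deadline = issue["opened"] + timedelta(days=SLA_DAYS[issue["severity"]])
    end = issue["closed"] or as_of
    return end <= deadline


def issue_kpis(issues, as_of):
    """Remediation KPIs over non-excepted issues; approved exceptions are listed, not counted."""
    tracked = [i for i in issues if not i["exception"]]
    closed = [i for i in tracked if i["closed"] is not None]
    open_overdue = [i["id"] for i in tracked if i["closed"] is None and not within_sla(i, as_of)]
    closed_late = [i["id"] for i in closed if not within_sla(i, as_of)]
    compliant = sum(1 for i in tracked if within_sla(i, as_of))
    mttr = sum((i["closed"] - i["opened"]).days for i in closed) / len(closed) if closed else None
    return {
        "sla_compliance": compliant / len(tracked) if tracked else None,  # 'Is remediation time as per SLA?'
        "open_overdue": open_overdue,                                      # 'Are issues handled on time?'
        "closed_late": closed_late,
        "mttr_days": mttr,
        "excepted": [i["id"] for i in issues if i["exception"]],
    }


def dashboard(as_of=AS_OF):
    """All KPIs for one reporting date, in one dict."""
    kpis = issue_kpis(ISSUES, as_of)
    kpis["scan_coverage"] = scan_coverage(DEVICES, LAST_SCAN, as_of)
    return kpis


if __name__ == "__main__":
    for name, value in dashboard().items():
        print(f"{name:15} {value}")
```

Two points the numbers make on the constructed data: the device that has never been scanned (lab-99) counts against coverage even though it has an open issue, because coverage is measured against the asset repository rather than against scan output; and an issue with an approved exception (id 4) is neither overdue nor compliant, it is simply visible, so a rising exception count is its own signal for the CISO rather than a hidden way of improving the SLA figure.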
Slide 33
Devices, Vulnerabilities & Issues: Single system of record
1. Assets have business context from Archer, CMDBs, etc. How many devices do I have? Which ones are business critical? How do I discover new devices? Brian now has the full information.
2. Brian easily lists high severity active issues
3. Investigates vulnerability, impacted device & related issues
4. Assigns ticket
Slide 34
VRM – Issue Workflow
1. Manage Tickets
2. Assign Workflows
3. Grant Exception
4. Get Approval
Slide 35
VRM – Management Dashboard
1. Assess Security Risk
2. Check KPIs
3. Compare operational efficiency