
Page 1: Be the Hunter

BE THE HUNTER

Page 2: Be the Hunter

EVOLUTION OF THREAT ACTORS & DETECTION IMPLICATIONS

At first, there were HACKS: preventative controls filter known attack paths.

[Diagram: Malicious Traffic from Threat Actors passes through Firewall, IDS/IPS and AntiVirus toward Corporate Assets; the whitespace between these controls is labelled Successful HACKS.]

Page 3: Be the Hunter

EVOLUTION OF THREAT ACTORS & DETECTION IMPLICATIONS

At first, there were HACKS: preventative controls filter known attack paths.

Then, ATTACKS: despite increased investment in controls, including SIEM

[Diagram: Malicious Traffic from Threat Actors passes through Firewall, IDS/IPS and AntiVirus toward Corporate Assets; the controls send More Logs (Blocked Session, Blocked Session, Blocked Session, Alert) to the SIEM; the whitespace between them is labelled Successful ATTACKS.]

Page 4: Be the Hunter

A new approach is needed

Page 5: Be the Hunter

Current security approaches are failing

Cybersecurity Poverty Index: organizations’ overall assessment of their risk / security capabilities:

• Significant Cybersecurity Risk Exposure: 75%
• Advantaged Capabilities: 5%
• Mature Security Strategies: 20%

Page 6: Be the Hunter

Shift priorities and capabilities

[Diagram: Today’s Priorities (Prevention, Response, Monitoring) versus Future State (Monitoring, Prevention, Response).]

Page 7: Be the Hunter

EVOLUTION OF THREAT ACTORS & DETECTION IMPLICATIONS

Now, successful ATTACK CAMPAIGNS target any and all whitespace. Complete visibility into every process and network session is required to eradicate the attacker opportunity.

Unified platform for advanced threat detection & investigations

[Diagram: Malicious Traffic from Threat Actors passes through Firewall, IDS/IPS and AntiVirus toward Corporate Assets; Logs (Blocked Session, Blocked Session, Blocked Session, Alert), Endpoint Visibility (Process) and Network Visibility (Network Sessions) all feed Security Analytics.]

Page 8: Be the Hunter

RSA Security Analytics Platform: capture, enrich and analyze data from across your network (On Prem and Cloud)

[Diagram. Visibility: LOGS, PACKETS, ENDPOINT, NETFLOW. Analysis: Capture Time Data Enrichment, Advanced Analytics. Action: Investigation, Compliance, Reporting, Endpoint Analysis, Session Reconstruction, Incident Management. RSA LIVE supplies Threat Intel | Biz Context; ENRICH supplies Rules | Parsers | DS Models | Reports | Feeds. Powered by RSA Research, Incident Response & Engineering.]

Page 9: Be the Hunter

Network Threat Detection and Forensics

Basic Packet Capture versus Deep Network Forensics (175+ metadata fields)

Metadata fields:

• HTTP Headers
• Attachment
• File Fingerprints
• Session Size
• Country Src/Dst
• URL
• Hostname
• IP Alias Forwarded
• Directory
• File Packers
• Non Standard Content Type
• Ethernet Connection
• Embedded Objects
• Top Level Domain
• Access Criticality
• Sql Query
• Mac Address Alias
• Email Address
• Cookie
• Browser
• Credit Cards
• Protocol Fingerprints
• Database Name
• SSL CA/Subject
• URL in Email
• Referrer
• Language
• Crypto Type
• PDF/Flash Version
• Client/Server Application
• User Name
• Port
• User Agent
• IP Src/Dst

Protocols: Ethernet, Modbus, DNP3, PROFIBUS, ControlNet

Page 10: Be the Hunter

RSA ECAT Scan Techniques

Live Memory Analysis | Disk Inspection | Network Traffic Analysis

• Detect & analyze suspicious traffic
• Full system inventory
• Executables, DLLs, Drivers, etc.
• Find files on disk & inspect
• Validate integrity of system & files
• Identify hidden processes, modifications & tampering

Compare & Flag Anomalies

Page 11: Be the Hunter

Evolved Security Requirements

EFFICIENT RESPONSE
Incident response, investigations and systems management need to be integrated and easy to use.

ENDPOINT TO CLOUD VISIBILITY
Fuse together network, endpoint and system data & threat intelligence for complete visibility.

RAPID INVESTIGATIONS
Leverage visibility to investigate incidents rapidly and completely, such that prioritized actions can be taken to mitigate incidents.

ADVANCED THREAT DETECTION
Utilize intelligence, context and advanced analytics to distinguish potential incidents from normal activity.

Page 12: Be the Hunter

Prioritized Action

[Diagram: LOGS, PACKETS, ENDPOINT and NETFLOW data (On Prem and Cloud) plus LIVE intelligence, leading to Alerts, Investigation, Workflow and GRC.]

Page 13: Be the Hunter

RSA SECURITY OPERATIONS MANAGEMENT

RSA SecOps Domain: Framework & Alignment

People | Process | Technology

• Incident Response
• Breach Response
• SOC Program Management

Page 14: Be the Hunter

Thank You

[email protected]

Page 15: Be the Hunter

LOS ANGELES WORLD AIRPORTS: Achieving Control & Visibility with RSA Security Analytics, RSA SecOps & RSA ECAT

Challenges

• Los Angeles World Airports needs to track everything that happens within its environment
• Working frequently with the FBI and the Secret Service, it has to be accountable for its cyber security
• Its goal is to have real-time detection of security events in order to ensure public safety
• Its SIEM did not give the IR team deep visibility into endpoint devices when responding to malware or APTs

Results

• RSA Security Analytics has enabled LAWA to greatly improve the speed of its response to immediate threats
• The solution enables deep-dive into payloads before and after a security event and delivers more information about each device than was previously possible
• The RSA Archer solution has also helped shorten incident response time, as analysts can see all the information they need in one place rather than spending time searching for it

“My favorite thing about Security Analytics is the great forensics capability, that it can deep dive into payloads before and after a security event. In addition, you get more information from the same device. For example, if you receive firewall logging information, you actually get more from Security Analytics than any other SIEM that I have.”

- BOB CHEONG, CISO, LOS ANGELES WORLD AIRPORTS

Page 16: Be the Hunter

KMD: Boosting Attack Defenses and Cutting Response Times with RSA

Challenges

• As the IT service provider to the Danish government, KMD handles personal data about almost all Danish citizens. It is imperative that it protects this information.
• As the rate, volume and complexity of cyber attacks have grown in recent years, KMD needed a more in-depth approach to monitoring and combating threats.

Results

• A combination of RSA Security Analytics, ECAT and Security Operations Management enables the KMD team to identify and address potential breaches rapidly.
• RSA Archer collates all alerts and feeds to provide clear visibility of the organization’s security posture.

“With RSA… we don't have any missing pieces anymore. We can detect advanced malware and security incidents on the perimeter, and use RSA Archer to register and handle them all. It's the backbone of our security analytics center.”

- RASMUS THEEDE, CORPORATE VP GROUP SECURITY, KMD

Page 17: Be the Hunter

PARTNERS HEALTHCARE: Boosting Visibility and Insights with RSA Security Analytics

Challenges

• Partners HealthCare holds patient data, intellectual property and employee personal information, all of which must be protected
• Security is an increasingly important priority for the board, so clear visibility and reporting on security status is essential
• The organization needed to boost automation and standardize processes to enhance its security posture and compliance

Results

• RSA Security Analytics provides clear visibility across all network traffic, allowing the team to identify correlations across the business
• RSA Archer provides enterprise-wide GRC support, integrating input from the SOC and other feeds, and enabling the team to create standard processes and workflows

“Analytics are critical. [RSA Security Analytics] can help us determine standard behavior, and what’s one standard deviation away, or two standard deviations away, so that we have better visibility into what potential attackers are doing.”

- JIGAR KADAKIA, CHIEF INFORMATION SECURITY AND PRIVACY OFFICER, PARTNERS HEALTHCARE

Page 18: Be the Hunter

ADP: Keeping Personal Data Private with RSA Security Analytics

Challenges

• As a global provider of HR and payroll services, ADP handles more social security data than any other company. It is imperative that it protects this information.
• ADP needed to understand cyberthreats and fraud attempts, inside and outside its environment.

Results

• RSA Security Analytics enables the ADP team to see attacks across the entire infrastructure.
• RSA Archer® collates all security information and business processes to provide clear visibility of the organization’s security posture.

“RSA Security Analytics is used to defend ADP every single day. It gives us the ability to see attacks across our entire infrastructure.”

- ROLAND CLOUTIER, GLOBAL CHIEF SECURITY OFFICER, ADP