The Keys to a successful Security Operations Center
Transcription
Slide 1: The Keys to a successful Security Operations Center
Mohammad Alazab, System Engineer, KSA
#RSAemeaSummit
© Copyright 2015 EMC Corporation. All rights reserved.

Slide 2: Why Security Defenses Are Failing – The Strategic View
• The attack surface is expanding
• Attackers are becoming more sophisticated
• Existing strategies & controls are failing
• Security teams are missing attacks
• Teams need to increase experience & efficiency
• Tools & processes must adapt to today’s threats

Slide 3: Defense in Depth (diagram)

Slide 4: Does it work?
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Slide 5: Why Security Defenses Are Failing – The Tactical View
Attack timeline (diagram):
1. System intrusion: targeted, specific objective (Attack Begins)
2. Stealthy, low and slow: cover-up, discovery, leap-frog attacks
3. Interactive, human involvement: Cover-Up Complete
Dwell Time runs from Attack Begins to Attack Identified; Response Time runs from Attack Identified onward.
Two goals: 1. Decrease dwell time; 2. Response speed (shorten response time)

Slide 6: This New Reality Can Be Measured – Gap is Increasing!
Attacker capabilities vs. time to discovery (chart)
Source: Verizon 2014 Data Breach Investigations Report

Slide 7: Cyber-Espionage Detection
• 99%: percent of successful attacks that went undiscovered by logs
• 83%: percent of incidents that took weeks or more to discover
Source: Verizon 2014 Data Breach Investigations Report

Slide 8: Must learn to live in a state of compromise
Constant compromise does not mean constant loss.

Slide 9: Strategic Security Investment Shift Needed Now!
Today’s priorities: Prevention 80%, Monitoring 15%, Response 5%
Intelligence-Driven Security: Prevention 33%, Monitoring 33%, Response 33%
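Slides 5 to 7 name the two clocks the deck wants a SOC to shorten, dwell time (Attack Begins to Attack Identified) and response time, and say the gap can be measured. The Python below is an added example, not part of the deck or of RSA's products: it computes those KPIs over constructed incident records and assumes the response clock ends at containment and that "weeks or more to discover" means a dwell time of seven days or longer.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample incidents (not taken from the deck). Each record holds
# when the intrusion began (earliest evidence), when the SOC identified it,
# and when remediation was complete (assumed end of the response clock).
INCIDENTS = [
    {"id": "INC-1", "begins": "2015-01-03T00:00", "identified": "2015-01-05T00:00", "contained": "2015-01-06T00:00"},
    {"id": "INC-2", "begins": "2015-02-01T00:00", "identified": "2015-02-15T00:00", "contained": "2015-02-18T00:00"},
    {"id": "INC-3", "begins": "2015-03-10T06:00", "identified": "2015-03-10T18:00", "contained": "2015-03-11T06:00"},
    {"id": "INC-4", "begins": "2015-04-01T00:00", "identified": "2015-05-01T00:00", "contained": "2015-05-05T00:00"},
    {"id": "INC-5", "begins": "2015-06-20T00:00", "identified": "2015-06-24T00:00", "contained": "2015-06-25T12:00"},
]

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M")

def dwell_time(incident):
    """Attack Begins -> Attack Identified (slide 5's dwell time)."""
    begins, identified = _ts(incident["begins"]), _ts(incident["identified"])
    if identified < begins:  # inconsistent timeline is a data-quality bug, not a KPI
        raise ValueError(f"{incident['id']}: identified before the attack began")
    return identified - begins

def response_time(incident):
    """Attack Identified -> contained (assumed end of the response clock)."""
    identified, contained = _ts(incident["identified"]), _ts(incident["contained"])
    if contained < identified:
        raise ValueError(f"{incident['id']}: contained before it was identified")
    return contained - identified

def _hours(delta):
    return delta.total_seconds() / 3600

def soc_kpis(incidents, slow_discovery=timedelta(weeks=1)):
    """KPIs a SOC manager can report per shift or per quarter to track the gap."""
    dwell = [dwell_time(i) for i in incidents]
    response = [response_time(i) for i in incidents]
    slow = [i["id"] for i, d in zip(incidents, dwell) if d >= slow_discovery]
    return {
        "incidents": len(incidents),
        "median_dwell_hours": median(_hours(d) for d in dwell),
        "max_dwell_hours": _hours(max(dwell)),
        "median_response_hours": median(_hours(r) for r in response),
        # Same ratio the deck quotes from the DBIR (83% took weeks or more).
        "pct_discovered_after_weeks": 100.0 * len(slow) / len(incidents),
        "slow_discoveries": slow,
    }
```

Tracking the median rather than the mean keeps one long-running espionage case from hiding an improving trend in the routine incidents.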
Slide 10: Shift from Prevention to Detection & Response
“By 2020, 60% of enterprise information security budgets will be allocated to rapid detection and response approaches — up from less than 10% in 2014.”
-- Neil MacDonald and Peter Firstbrook, Gartner, Feb. 12, 2014, Designing an Adaptive Security Architecture for Protection From Advanced Attacks

Slide 11: SOC is Not A Tool
Roles: Tier 1 Analyst, Tier 2 Analyst, Analysis & Tools Support Analyst, Threat Intelligence Analyst, SOC Manager

Slide 12: People, Process and Technology (diagram)
People: L1 Analyst, L2 Analyst, Threat Analyst, SOC Manager, Breach Coordinator, CISO, HR, IT, Legal, Finance, External Agencies
Process: Incident Process, Threat Analysis, Centralize Alerts, Breach Process, Shift Handoff Report, KPIs, Measure Efficacy, IT Handoff
Technology: SIEM, Host Visibility, Network Visibility, DLP

Slide 13: RSA Advanced SOC – Technology
Framework & Alignment: Technology, Process, People

Slide 14: TRANSFORM – Intelligence-Driven Security
Visibility, Analysis, Action

Slide 15: Focus of the RSA Solution – Not Just a Technology Challenge!
• See and understand what is happening in your environment
• Detect and prioritize even the most advanced of attacks before they impact the business
• Analyze, investigate, & remediate incidents with unprecedented precision and speed

Slide 16: Need an Incident Detection & Response Platform
“Firms are integrating endpoint, network packet, and log data to broaden their security visibility and analyzing this data with big data security analytics techniques.”
-- Jon Oltsik, ESG, February 2015, Rethinking Endpoint Security

Slide 17: The Power Of A Risk-Based Approach (Security Analytics)
• Logs: basic connection information
• NetFlow: lateral movement
• Packets: how you got infected and what the attacker did
• Endpoints: where the infection is located

Slide 18: ASOC Strategy & Priorities – Visibility, Analysis, Action
• Visibility from the Cloud to the Endpoint
• Advanced Analytics through Data Sciences
• Risk & Impact-based Prioritization of Threats
• Enterprise Class Speed & Scale
• Endpoint Advanced Detection and Validation
• Endpoint & Network Active Defense
• Flexible Collection & Incident-triggered investigations
• Identity and Access Profiling and Monitoring
• Expanded Community-based Intelligence
Enterprise Readiness & Usability

Slide 19: RSA ASOC Portfolio – Core Products
• RSA Security Analytics: logs, packets, NetFlow, & endpoint
• RSA ECAT: malware on endpoints
• RSA Security Operations Management: incident management & CIRC orchestration

Slide 20: RSA Advanced SOC – Process
Framework & Alignment: Technology, Process, People

Slide 21: RSA SecOps Best Practices
• Naming & terminology: VERIS
• Response process: practitioner view, 25+ CIRC Framework
• Engineered as per the expertise of industry and practitioners

Slide 22: Advanced Cyber Defense Services Program for NextGen SOC
• Identity Infrastructure Information (I3)
• Breach Management
• Cyber Threat Intelligence
• Incident Response/Discovery & Retainer
• Breach Readiness
• START for Incident Handling
• Readiness, Response and Resiliency
• Residencies, Project Management, Education Services & Customer Support

Slide 23: RSA Advanced SOC – People
Framework & Alignment: Technology, Process, People

Slide 24: RSA Advanced Cyber Defense Education
Tier 3: RSA Malware Analysis, RSA Cyber Defense Workshop, RSA Incident Handling and Response, RSA Threat Intelligence (roles: Security Analyst III, Malware Analyst, Threat Analyst)
Tier 2: Security Analyst II, Incident Handler, Forensic Analyst
Tier 1: RSA Intelligence Driven Event Analysis (roles: Security Analyst I, Incident Analyst, Event Analyst)
Prerequisites: knowledge of operating systems, fundamentals of networking, security concepts

Slide 25: RSA Advanced SOC – Attacker Kill Chain
Kill chain: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, CC (command and control), Action
SOC/CIRC Program (SOC Director / CISO): personas, capabilities
DISCOVER (Analysts):
• Aggregate Alerts
• Triage
• Filter False Positives
• Confirm Incident
INVESTIGATE (Analysts, IT, HR):
• Forensics
• Business Impact
• Remediation Plan
• Declare a Breach
RESPOND (IT, Legal/Privacy, 3rd party…):
• Initiate Plan
• Notify
• Remediation Tasks
• RCA
MANAGE: Policies | Readiness | KPIs | Reports | Staff

Slide 26: Advanced SOC: Critical Success Factors
• Get executive sponsorship
• 1-part Technology, 2-parts People, Policy & Process
• “It’s a journey!”: select focus areas for early wins
• Preparation: don’t forego “Strategy”
• Consider staff augmentation to reach steady-state
• Visibility to see as much as possible
• Tools and process to conduct analysis quickly and accurately
• Ability to take early action before attackers do damage

Slide 27: Be the hunter, not the hunted

EMC, RSA, the EMC logo and the RSA logo are trademarks of EMC Corporation in the U.S. and other countries.