The Keys to a successful Security Operations Center

Transcription

The Keys to a successful Security Operations Center
The Keys to
a successful
Security
Operations
Center
Mohammad Alazab
System Engineer KSA
#RSAemeaSummit
© Copyright 2015 EMC Corporation. All rights reserved.
1
Why Security Defenses Are Failing – The
Strategic View
The attack surface
is expanding
Attackers are becoming
more sophisticated
Existing strategies &
controls are failing
Security teams are
missing attacks
Teams need to increase
experience & efficiency
Tools & processes must
adapt to today’s threats
© Copyright 2015 EMC Corporation. All rights reserved.
2
Defense in Depth
© Copyright 2015 EMC Corporation. All rights reserved.
3
Does it work?
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
© Copyright 2015 EMC Corporation. All rights reserved.
4
Why Security Defenses Are Failing – The
Tactical View
1
System
Intrusion
TARGETED
SPECIFIC OBJECTIVE
Attack
Begins
TIME
2
STEALTHY
LOW AND SLOW
Cover-Up Discovery
Leap Frog Attacks
3
INTERACTIVE
HUMAN INVOLVEMENT
Cover-Up
Complete
Dwell Time
Response Time
Attack Identified
1
© Copyright 2015 EMC Corporation. All rights reserved.
Decrease
Dwell Time
2
Response
Speed
Response Time
5
This New Reality Can Be Measured – Gap is
Increasing!
Attacker
Capabilities
Time To
Discovery
-  VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT
© Copyright 2015 EMC Corporation. All rights reserved.
6
Cyber-Espionage Detection
99%
Percent of successful attacks that went
undiscovered by logs
Percent of incidents that took weeks or more to
discover
83%
-  VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT
© Copyright 2014 EMC Corporation. All rights reserved.
7
Must learn to live in a
state of compromise
Constant compromise
© Copyright 2015 EMC Corporation. All rights reserved.
does not mean constant loss
8
Strategic Security Investment Shift Needed Now!
Monitoring
15%
Response
5%
Monitoring
33%
Response
33%
Prevention
80%
Prevention
33%
Today’s
Priorities
Intelligence-Driven
Security
© Copyright 2015 EMC Corporation. All rights reserved.
9
Shift from Prevention to Detection & Response
“By 2020, 60% of enterprise information
security budgets will be allocated to rapid
detection and response approaches — up from
less than 10% in 2014.”
--Neil Macdonald and Peter Firstbrook, Gartner,
Feb. 12, 2014, Designing an Adaptive Security Architecture
for Protection From Advanced Attacks
© Copyright 2015 EMC Corporation. All rights reserved.
10
SOC is Not A Tool
Tier 2 Analyst
Tier 1 Analyst
Analysis & Tools
Support Analyst
Threat Intelligence
Analyst
SOC Manager
© Copyright 2015 EMC Corporation. All rights reserved.
11
People, Process and Technology
SIEM
L2
Analyst
Incident
Process
Threat
Analysis
L1
Analyst
Threat
Analyst
SOC
Manager 1
Centralize
Alerts
Breach
Coordinator
SOC
Manager 2
Host
Visibility
CISO
Breach
Process
HR
Shift
Handoff
Report
KPIs
IT
Legal
Network
Visibility
Measure
Efficacy
Finance
IT
Handoff
External
Agencies
DLP
© Copyright 2014 EMC Corporation. All rights reserved.
12
RSA Advanced SOC - Technology
Process
People
© Copyright 2015 EMC Corporation. All rights reserved.
Framework &
Alignment
Technology
13
TRANSFORM
Visibility
Analysis
Intelligence-Driven Security
Action
© Copyright 2014 EMC Corporation. All rights reserved.
14
Focus of the RSA Solution Not Just a
Technology Challenge!
Ÿ  See and understand what is happening in your
environment
Ÿ  Detect and prioritize even the most advanced of
attacks before they impact the business
Ÿ  Analyze, investigate, & remediate incidents with
unprecedented precision and speed.
© Copyright 2015 EMC Corporation. All rights reserved.
15
Need a Incident Detection & Response Platform
“Firms are integrating endpoint, network packet,
and log data to broaden their security visibility and
analyzing this data with big data security analytics
techniques.”
-Jon Oltsik, ESG, February 2015, Rethinking Endpoint Security
© Copyright 2015 EMC Corporation. All rights reserved.
16
The Power Of A Risk-Based Approach
Logs
Basic connection
information
NetFlow
Lateral
Movement
Packets
How you got
infected and what
attacker did
Endpoints
Where is infection located
© Copyright 2015 EMC Corporation. All rights reserved.
Security
Analytics
17
ASOC Strategy & Priorities
Visibility
Analysis
Action
•  Visibility from the Cloud to the
Endpoint.
•  Advanced Analytics through Data
Sciences
•  Risk & Impact-based
Prioritization of Threats.
•  Enterprise Class Speed & Scale.
•  Endpoint Advanced Detection and
Validation
•  Endpoint & Network Active
Defense
•  Flexible Collection & Incident
triggered investigations
•  Identity and Access Profiling and
Monitoring
•  Expanded Community-based
Intelligence
Enterprise Readiness & Usability
© Copyright 2015 EMC Corporation. All rights reserved.
18
RSA ASOC Portfolio
Core Products
•  RSA Security Analytics
­  Logs, packets, NetFlow, & endpoint
•  RSA ECAT
­  Malware on endpoints
•  RSA Security Operations Management
­  Incident management & CIRC orchestration
© Copyright 2015 EMC Corporation. All rights reserved.
19
RSA Advanced SOC - Process
Process
People
© Copyright 2015 EMC Corporation. All rights reserved.
Framework &
Alignment
Technology
20
RSA SecOps Best Practices
NAMING &
TERMINOLOGY
VERIS
RESPONSE
PROCESS
PRACTITIONER
VIEW
25+
CIRC
Framework
ENGINEERED AS PER THE EXPERTISE OF INDUSTRY AND
PRACTITIONERS
© Copyright 2015 EMC Corporation. All rights reserved.
21
Advanced Cyber Defense Services
Program for NextGen SOC
Identity Infrastructure Information (I3)
Breach Management
Cyber Threat Intelligence
Incident Response/Discovery & Retainer
Breach Readiness
START for Incident
Handling
Readiness, Response and Resiliency
Residencies, Project Management, Education Services & Customer Support
© Copyright 2015 EMC Corporation. All rights reserved.
22
RSA Advanced SOC - People
Process
People
© Copyright 2015 EMC Corporation. All rights reserved.
Framework &
Alignment
Technology
23
RSA Advanced Cyber Defense Education
Tier
3
RSA Malware
Analysis
RSA Cyber
Defense
Workshop
RSA Incident
Handling and
Response
RSA Threat
Intelligence
Security Analyst III
Malware Analyst
Threat Analyst
Tier
2
Security Analyst II
Incident Handler
Forensic Analyst
Tier
1
People
RSA Intelligence Driven
Event Analysis
Security Analyst I
Incident Analyst
Event Analyst
Prerequisites: Knowledge of operating systems, fundamentals of networking, security concepts
© Copyright 2015 EMC Corporation. All rights reserved.
24
RSA Advanced SOC
Attacker Kill
Chain
Reconnaissance Weaponiza/on SOC Director / CISO SOC/CIRC
Program
DISCOVER
Personas
Capabilities
Analysts Delivery Exploita/on Installa/on MANAGE
INVESTIGATE
Analysts, IT, HR CC Ac/on Policies I Readiness I KPIs I Reports I Staff RESPOND
IT, Legal/Privacy, 3rd party… ü  Aggregate Alerts ü  Forensics ü  Ini/ate Plan ü  Triage ü  Business Impact ü  No/fy ü  Filter False Posi/ves ü  Remedia/on Plan ü  Remedia/on Tasks ü  Confirm Incident ü  Declare a Breach ü  RCA © Copyright 2015 EMC Corporation. All rights reserved.
25
Advanced SOC: Critical Success Factors
•  Get Executive sponsorship
•  1-part Technology, 2-parts People, Policy & Process
•  “It’s a journey!”: Select focus areas for early wins
•  Preparation: don’t forego “Strategy”
•  Consider Staff augmentation to reach steady-state
•  Visibility to see as much as possible
•  Tools and process to conduct analysis quickly and accurately
•  Ability to take Early Action before attackers do damage
© Copyright 2015 EMC Corporation. All rights reserved.
26
Be the hunter,
not the hunted
© Copyright 2015 EMC Corporation. All rights reserved.
27
EMC, RSA, the EMC logo and the RSA logo are trademarks of EMC Corporation in the U.S. and other countries.