At first, there were HACKS
Preventative controls filter known attack paths
[Diagram, "Evolution of threat actors & detection implications": malicious traffic from threat actors passes through firewall, IDS/IPS and antivirus toward corporate assets; the whitespace those controls leave open is where successful hacks occur.]
At first, there were HACKS
Preventative controls filter known attack paths
Then, ATTACKS
Despite increased investment in controls, including SIEM
[Diagram, "Evolution of threat actors & detection implications": firewall, IDS/IPS and antivirus each send blocked-session logs to a SIEM, which raises alerts; there are more logs, but the whitespace between the controls still lets successful attacks through to corporate assets.]
Cybersecurity Poverty Index
Organizations’ overall assessment of their risk / security capabilities:
Current security approaches are failing
[Chart: 75% report significant cybersecurity risk exposure; 20% have mature security strategies; 5% have advantaged capabilities.]
Shift priorities and capabilities
[Chart comparing today’s priorities (prevention, response, monitoring) with the future state (monitoring, prevention, response).]
Now, successful ATTACK CAMPAIGNS target any and all whitespace.
Complete visibility into every process and network session is required to eradicate the attacker opportunity.
Unified platform for advanced threat detection & investigations
[Diagram, "Evolution of threat actors & detection implications": alongside the blocked-session logs and alerts from firewall, IDS/IPS and antivirus, endpoint visibility (processes) and network visibility (network sessions) feed a security analytics platform covering the corporate assets.]
RSA Security Analytics Platform
Capture, enrich and analyze data from across your network
[Diagram: logs, packets, endpoint and NetFlow data, on prem or cloud, are enriched at capture time with RSA Live content (threat intel and business context: rules, parsers, DS models, reports, feeds, powered by RSA Research, Incident Response & Engineering), feed advanced analytics, and support investigation, compliance, reporting, endpoint analysis, session reconstruction and incident management: visibility, analysis, action.]
Network Threat Detection and Forensics
From basic packet capture to deep network forensics, 175+ metadata fields, including: HTTP headers, attachment, file fingerprints, session size, country src/dst, URL, hostname, IP alias forwarded, directory, file packers, non-standard content type, Ethernet connection, embedded objects, top level domain, access criticality, SQL query, MAC address alias, email address, cookie, browser, credit cards, protocol fingerprints, database name, SSL CA/subject, URL in email, referrer, language, crypto type, PDF/Flash version, client/server application, user name, port, user agent, IP src/dst.
Protocols: Ethernet, Modbus, DNP3, PROFIBUS, ControlNet
RSA ECAT Scan Techniques
Live Memory Analysis
• Full system inventory
• Executables, DLLs, drivers, etc.
• Identify hidden processes, modifications & tampering
Disk Inspection
• Find files on disk & inspect
• Validate integrity of system & files
Network Traffic Analysis
• Detect & analyze suspicious traffic
Compare & Flag Anomalies
Evolved Security Requirements
EFFICIENT RESPONSE: incident response, investigations and systems management need to be integrated and easy to use.
ENDPOINT TO CLOUD VISIBILITY: fuse together network, endpoint and system data & threat intelligence for complete visibility.
RAPID INVESTIGATIONS: leverage visibility to investigate incidents rapidly and completely, such that prioritized actions can be taken to mitigate incidents.
ADVANCED THREAT DETECTION: utilize intelligence, context and advanced analytics to highlight potential incidents from normal activity.
LOS ANGELES WORLD AIRPORTS
Achieving Control & Visibility with RSA Security Analytics, RSA SecOps & RSA ECAT
Challenges
• Los Angeles World Airports needs to track everything that happens within its environment
• Working frequently with the FBI and the Secret Service, it has to be accountable for its cyber security
• Its goal is to have real-time detection of security events in order to ensure public safety
• Its SIEM did not give the IR team deep visibility into endpoint devices when responding to malware or APTs
Results
• RSA Security Analytics has enabled LAWA to greatly improve the speed of its response to immediate threats
• The solution enables deep-dive into payloads before and after a security event and delivers more information about each device than was previously possible
• The RSA Archer solution has also helped shorten incident response time, as analysts can see all the information they need in one place rather than spending time searching for it
“My favorite thing about Security Analytics is the great forensics capability, that it can deep dive into payloads before and after a security event. In addition, you get more information from the same device. For example, if you receive firewall logging information, you actually get more from Security Analytics than any other SIEM that I have.”
- BOB CHEONG, CISO, LOS ANGELES WORLD AIRPORTS
KMD
Boosting Attack Defenses and Cutting Response Times with RSA
Challenges
• As the IT service provider to the Danish government, KMD handles personal data about almost all Danish citizens. It is imperative that it protects this information.
• The rate, volume and complexity of cyber attacks have increased in recent years, so KMD needed a more in-depth approach to monitoring and combating threats.
Results
• A combination of RSA Security Analytics, ECAT and Security Operations Management enables the KMD team to identify and address potential breaches rapidly.
• RSA Archer collates all alerts and feeds to provide clear visibility of the organization’s security posture.
“With RSA… we don't have any missing pieces anymore. We can detect advanced malware and security incidents on the perimeter, and use RSA Archer to register and handle them all. It's the backbone of our security analytics center.”
- RASMUS THEEDE, CORPORATE VP GROUP SECURITY, KMD
PARTNERS HEALTHCARE
Boosting Visibility and Insights with RSA Security Analytics
Challenges
• Partners HealthCare holds patient data, intellectual property and employee personal information, all of which must be protected
• Security is an increasingly important priority for the board, so clear visibility and reporting on security status is essential
• The organization needed to boost automation and standardize processes to enhance its security posture and compliance
Results
• RSA Security Analytics provides clear visibility across all network traffic, allowing the team to identify correlations across the business
• RSA Archer provides enterprise-wide GRC support, integrating input from the SOC and other feeds, and enabling the team to create standard processes and workflows
“Analytics are critical. [RSA Security Analytics] can help us determine standard behavior, and what’s one standard deviation away, or two standard deviations away, so that we have better visibility into what potential attackers are doing.”
- JIGAR KADAKIA, CHIEF INFORMATION SECURITY AND PRIVACY OFFICER, PARTNERS HEALTHCARE
ADP
Keeping Personal Data Private with RSA Security Analytics
Challenges
• As a global provider of HR and payroll services, ADP handles more social security data than any other company. It is imperative that it protects this information.
• ADP needed to understand cyberthreats and fraud attempts, inside and outside its environment.
Results
• RSA Security Analytics enables the ADP team to see attacks across the entire infrastructure.
• RSA Archer® collates all security information and business processes to provide clear visibility of the organization’s security posture.
“RSA Security Analytics is used to defend ADP every single day. It gives us the ability to see attacks across our entire infrastructure.”
- ROLAND CLOUTIER, GLOBAL CHIEF SECURITY OFFICER, ADP
Editor's notes
Let’s take a deeper look at the evolution of threat actors and the way we have tried to defend against them. At first, there were hacks. These were not that advanced or targeted, perhaps a young script kiddie looking for a quick smash and grab of data for bragging rights. We in turn introduced firewalls, intrusion prevention and detection systems and anti-virus. These preventative controls were effective at blocking some attacks because those attacks were utilizing known attack vectors. Of course, we were still seeing successful hacks occur, because, by definition, organizations need to let traffic flow through their preventative controls to remain in business. That traffic that flows through is whitespace – or opportunity – for hackers to exploit.
We then started to see more sophisticated attacks that were bypassing each layer of preventative controls that were put into place because the attacks often used valid user credentials, trusted access paths, and new exploits. This is where we saw the rise of SIEM – which did a good job of ingesting logs from preventative controls across an organization. The good news was that we were blocking more attacks, but the bad news was that despite this investment, reported breaches continued to increase year over year. Why? Because logs only report on preventative controls – which are good for known attack vectors – but not the new attack patterns introduced at this time. And, attackers easily hide themselves by simply deleting the logs they trigger.
In 2015, in the opening keynote of the RSA Conference, we made a bold statement: the Security industry is failing.
Mid-year, we conducted a survey of more than 500 companies world-wide. We asked them to self-assess against the NIST Cybersecurity Framework, a set of baseline best practices required of critical infrastructure operators in the US which is gaining popularity world-wide.
We summarized the results in what we call the RSA Cybersecurity Poverty Index.
Overall, we found that 3 out of 4 organizations reported significant cybersecurity risk exposure. And of the remainder, only 5% have truly “advantaged” capabilities that make them resilient to cyber risk and threats.
This is what a failed approach looks like.
Despite many organizations acknowledging the need to change or improve, they continue to pursue the same failed strategies. Organizations must radically shift priorities, technologies, and resources.
The vast majority of the spend is still preventative and perimeter-based. RSA research indicates that 80% of security staff and budgets, activity and tools, today are focused on prevention. Monitoring and response lag, and even the monitoring spend is today heavily weighted toward ineffective, incomplete approaches.
Going forward, there needs to be a much more even split of resources across prevention, monitoring, and response. Without rebalancing these resources, it will become increasingly difficult to have the ability to detect a breach in a timely fashion and have the capability to respond fast enough to avoid loss.
Today, there are attack campaigns. These are the targeted, well-resourced and advanced attacks that target the whitespace that preventative controls and SIEM leave open for attackers. We believe that only a unified platform designed for advanced threat detection and investigations, with complete visibility from the endpoint and across the entire network, will shut out the opportunity the whitespace offers today’s attackers. Preventative controls, and the logs collected from them, are not enough.
RSA has unparalleled data collection capabilities that provide the ability to capture data from across your network and enrich it live with intelligence metadata that speeds analysis.
That feeds into both a real-time and a historic analytics platform. Our real-time analysis is able to detect and alert on attacks and compromises.
Historic analytics in the Pivotal Hadoop-based security warehouse enable us to deliver ongoing detection of covert channels.
And finally, we provide cost-effective compliance archiving.
All of which gives you the end-to-end, enterprise visibility you need to detect and take action against the attackers in your network.
API flexibility allows RSA Security Analytics to form the heart of the security ecosystem
Integrates with other security tools such as SIEM, IDS/IPS, firewalls, Splunk, FireEye, etc.
Integrate asset criticality and business context data from RSA Archer, data discovery from RSA DLP and endpoint visibility from RSA ECAT
Open interface for access and transformation of collected data
Gain an x-ray view of what’s happening on the endpoint with unique scan techniques
Go deep into the inner workings of the endpoint to thoroughly check the integrity of the system, provide a complete view of what’s happening, and identify anomalous activity.
Through per-process live memory analysis, direct physical disk inspection, and network traffic analysis, RSA ECAT identifies suspicious activity and flags it for further review.
Automatically download a copy of unknown files to the server for further analysis
Inventory & profile endpoints in a matter of minutes to efficiently confirm infections
RSA ECAT collects a full inventory of everything running on the endpoint and provides all of the information needed to analyze and confirm infections.
Endpoint scans complete in a matter of minutes, which means analysts receive all of the data they need quickly, making them more productive.
The inventory covers processes, drivers, DLLs, services, autoruns, scheduled tasks, network connections and the hosts file, both visible and hidden.
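The "compare & flag anomalies" step described above, as an added example that is not RSA ECAT code: a cross-view comparison over constructed scan inventories that flags processes present in the memory scan but absent from the OS API view, loaded modules whose in-memory hash differs from the file on disk, and autorun entries pointing at files that no longer exist, then searches the whole fleet for a confirmed file hash. All hosts, paths, hashes and the inventory layout are assumptions.

```python
"""Added example (not RSA ECAT code): cross-view comparison of endpoint scan
results to flag hidden processes, in-memory module tampering and dangling
autoruns, then search the fleet for hosts carrying the same file hash."""
import hashlib
from typing import Dict, List, Tuple


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed per-host scan results (hypothetical hosts, paths and contents).
# api_processes:    what the OS process-listing API reports
# memory_processes: process structures found by scanning physical memory
# loaded_modules:   path -> hash of the module image as loaded in memory
# disk_files:       path -> hash of the file as read from disk
# autoruns:         persistence entry -> file it launches
SCAN = {
    "ws-017": {
        "api_processes": {"explorer.exe", "svchost.exe", "outlook.exe"},
        "memory_processes": {"explorer.exe", "svchost.exe", "outlook.exe", "updater.exe"},
        "loaded_modules": {
            r"C:\Windows\System32\kernel32.dll": sha256(b"kernel32 image"),
            r"C:\Users\a\updater.dll": sha256(b"patched in memory"),
        },
        "disk_files": {
            r"C:\Windows\System32\kernel32.dll": sha256(b"kernel32 image"),
            r"C:\Users\a\updater.dll": sha256(b"updater.dll on disk"),
            r"C:\Users\a\updater.exe": sha256(b"updater.exe payload"),
        },
        "autoruns": {
            r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater": r"C:\Users\a\updater.exe",
            r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Svc": r"C:\Temp\svc.exe",
        },
    },
    "ws-042": {
        "api_processes": {"explorer.exe", "svchost.exe"},
        "memory_processes": {"explorer.exe", "svchost.exe"},
        "loaded_modules": {r"C:\Windows\System32\kernel32.dll": sha256(b"kernel32 image")},
        "disk_files": {
            r"C:\Windows\System32\kernel32.dll": sha256(b"kernel32 image"),
            r"C:\Users\b\updater.exe": sha256(b"updater.exe payload"),  # same file as on ws-017
        },
        "autoruns": {},
    },
    "db-prod-1": {
        "api_processes": {"sqlservr.exe"},
        "memory_processes": {"sqlservr.exe"},
        "loaded_modules": {r"C:\Windows\System32\kernel32.dll": sha256(b"kernel32 image")},
        "disk_files": {r"C:\Windows\System32\kernel32.dll": sha256(b"kernel32 image")},
        "autoruns": {},
    },
}


def flag_anomalies(scan: dict) -> Dict[str, List[str]]:
    """Compare the high-level (API) view against the low-level (memory/disk) view."""
    # A process the memory scan sees but the API does not is being hidden from the OS view.
    hidden = sorted(scan["memory_processes"] - scan["api_processes"])
    # A module whose in-memory image no longer matches its file on disk has been modified.
    tampered = sorted(path for path, mem_hash in scan["loaded_modules"].items()
                      if path in scan["disk_files"] and scan["disk_files"][path] != mem_hash)
    # A persistence entry whose target is missing on disk deserves a look at what launched it.
    dangling = sorted(key for key, target in scan["autoruns"].items()
                      if target not in scan["disk_files"])
    return {"hidden_processes": hidden, "tampered_modules": tampered,
            "dangling_autoruns": dangling}


def search_fleet(fleet: dict, file_hash: str) -> List[Tuple[str, str]]:
    """Once a file is confirmed malicious, list every host and path carrying the same hash."""
    return sorted((host, path) for host, scan in fleet.items()
                  for path, h in scan["disk_files"].items() if h == file_hash)
```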
In order to evolve from a purely preventative approach, we believe there are requirements that must be fulfilled. An organization needs complete visibility across its entire network, with capabilities for advanced threat detection via advanced analytics. It then needs to be able to perform rapid investigations to take prioritized action for an efficient and effective response.
Now, with advanced analytics taking your visibility and providing detection, you need to drive the correct response to the threat. By combining alerts into incidents, you can provide analysts with a prioritized queue and drive the right action efficiently. That action may be further investigation to identify the true scope of an incident, an out-of-the-box workflow to respond to a specific threat or potential breach, or reporting compliance status to your GRC platform. Efficient and effective reaction is key to response for any security team.
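The pipeline described in these notes, capture-time enrichment with threat intelligence and asset criticality followed by combining alerts into a prioritized incident queue, as an added example in Python that is not RSA's code. The egress log format, the threat intel entry, the 1 to 5 criticality scale, the 30-minute merge window and the scoring formula are all assumptions, and the log lines are constructed.

```python
"""Added example (not RSA code): enrich egress connection logs with a threat
intel feed and asset criticality, fold alerts into per-host incidents, and
rank the resulting queue for analysts."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample egress log lines (hypothetical format, RFC 5737 test addresses).
EGRESS_LOGS = [
    "2016-03-01T09:00:05Z host=ws-017 src=10.1.4.17 dst=203.0.113.10 dport=443 bytes=1200",
    "2016-03-01T09:00:40Z host=ws-017 src=10.1.4.17 dst=203.0.113.10 dport=443 bytes=900",
    "2016-03-01T09:02:10Z host=db-prod-1 src=10.1.9.5 dst=198.51.100.7 dport=4444 bytes=52000000",
    "2016-03-01T09:30:00Z host=ws-042 src=10.1.4.42 dst=192.0.2.55 dport=80 bytes=300",
    "2016-03-01T11:45:00Z host=ws-017 src=10.1.4.17 dst=203.0.113.10 dport=443 bytes=700",
]
# Constructed threat intel feed and business-context criticality (1 = low, 5 = crown jewel).
THREAT_INTEL: Dict[str, str] = {"203.0.113.10": "listed as C2 infrastructure"}
ASSET_CRITICALITY: Dict[str, int] = {"db-prod-1": 5, "ws-017": 2, "ws-042": 1}
HIGH_VOLUME_BYTES = 10_000_000  # assumed threshold for one large outbound transfer
COMMON_PORTS = {80, 443}
WINDOW = timedelta(minutes=30)  # alerts on one host closer than this merge into one incident


@dataclass
class Alert:
    ts: datetime
    host: str
    dst: str
    reason: str
    severity: int


@dataclass
class Incident:
    host: str
    first_seen: datetime
    last_seen: datetime
    alerts: List[Alert] = field(default_factory=list)

    def score(self) -> int:
        """Assumed ranking: worst severity weighted by asset criticality, plus alert count."""
        worst = max(a.severity for a in self.alerts)
        return worst * ASSET_CRITICALITY.get(self.host, 1) + len(self.alerts)


def parse_line(line: str) -> dict:
    """Parse 'timestamp key=value ...' into a record with typed fields."""
    ts_text, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    rec["dport"] = int(rec["dport"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def enrich(rec: dict) -> List[Alert]:
    """Turn one egress record into zero or more alerts using intel and volume context."""
    alerts = []
    if rec["dst"] in THREAT_INTEL:  # destination matches the threat intel feed
        alerts.append(Alert(rec["ts"], rec["host"], rec["dst"],
                            "destination " + THREAT_INTEL[rec["dst"]], 3))
    if rec["bytes"] >= HIGH_VOLUME_BYTES and rec["dport"] not in COMMON_PORTS:
        alerts.append(Alert(rec["ts"], rec["host"], rec["dst"],
                            f"{rec['bytes']} bytes out to non-standard port {rec['dport']}", 4))
    return alerts


def build_incidents(alerts: List[Alert]) -> List[Incident]:
    """Group alerts by host; an alert within WINDOW of the host's open incident joins it."""
    open_by_host: Dict[str, Incident] = {}
    incidents: List[Incident] = []
    for a in sorted(alerts, key=lambda x: x.ts):
        cur = open_by_host.get(a.host)
        if cur is None or a.ts - cur.last_seen > WINDOW:
            cur = Incident(a.host, a.ts, a.ts)
            incidents.append(cur)
            open_by_host[a.host] = cur
        cur.alerts.append(a)
        cur.last_seen = a.ts
    return incidents


def prioritized_queue(lines: List[str]) -> List[Incident]:
    """Full pipeline: parse -> enrich -> incidents -> queue sorted highest score first."""
    alerts = [a for line in lines for a in enrich(parse_line(line))]
    return sorted(build_incidents(alerts), key=lambda i: i.score(), reverse=True)
```

With the constructed data the database server's single large transfer outranks the workstation's repeated contacts with the intel-listed address, because asset criticality multiplies severity; the workstation's two contacts at 09:00 and the one at 11:45 land in separate incidents because they fall outside the merge window.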
Key Takeaway: The RSA Security Operations Management (SecOps) solution orchestrates and manages a SOC. Its core functions include incident management, breach management and SOC program management. When all functions of the SecOps solution are implemented, the overall SOC deployment will be a consistent and predictable business process.
RSA offers technologies such as SecOps (for SOC orchestration & management) and services such as Advanced Cyber Defense (ACD) consulting and Education Services (training) to give organizations the process and tools they need to operate with an incredible level of precision.
Unlike any other vendor: none can compete with our breadth and depth of technology, knowledge, and services offered to get the most out of a SOC.
Unlike SIEM vendors (like HP, McAfee) that include some basic workflow capabilities for issues detected by the SIEM but can’t help manage the broader SOC processes or alerts raised by other security tools (e.g. breach response, persona-based workflows, comprehensive reporting)
Unlike Splunk, which is a multi-purpose tool with very few “off-the-shelf” capabilities to use the product in a security context
Most other competitors only sell classes and professional services to deploy and operate their tools and do not provide broader analyst and SOC best-practice training
THIS MEANS that SOC teams can leverage best practices to get the most out of their people and process, and not just throw more technology at the problem. It also gives SOC managers the ability to get more value out of the tools they have already purchased by using them to the best of their ability.
BEFORE
• Visibility limited to logs and NetFlow
• Relied on prevention tools to block and alert on malware activity
• IR team lacked endpoint visibility, which impacted response
• Unable to see where malware resided
AFTER
• Detect both external and insider threats
• Correlate logs with egress traffic and threat intelligence
• Deep dive into payloads for analysis before & after events
• Analyze device master file table and perform memory dumps
• Search other devices to see if malware spread
• Immediate access to vulnerability data, risk info, threat info, policy management, and business continuity information all from the same platform
• Greatly improved incident handling and response process
About the Customer
LAX International Airport, Ontario International Airport and Van Nuys Airport. LAX International Airport is the world’s busiest airport in terms of origin and destination of travel. Van Nuys Airport is the world’s busiest airport in terms of small planes. Considered critical infrastructure by DHS.
Describe your “before” scenario. What challenge(s) was your company facing that compelled you to consider an RSA solution? Describe in detail the RSA solution you used to resolve these challenges.
Before the RSA Security Analytics solution, our SIEM relied on logging events to find any threats. But there are not many security related events from most of these logs. We relied on our malware tracking system to block and alert on any C&C callback. As we get these alerts, we are not sure whether the same malicious code exists in other devices. As our SIEM's logging events correlate with NetFlow information, it was difficult to build the use cases to extract security events from this combination alone.
With this challenge, I have selected the RSA Security Analytics solution to correlate logging events with egress traffic and match it with the security intelligence feeds. This is a powerful correlation to detect both external and insider threats. RSA Security Analytics has a great forensic capability that allows us to do a deep dive into the actual payloads for analysis before and after a security event. For example, we investigated a recent spear phishing attack on several of our executives and found that there were several variations of the same attack using Security Analytics. Security Analytics has greatly improved our security detection capability.
Another challenge we faced was that our IR team did not have visibility down to the endpoint device whenever they respond to a malware or APT threat. We don't know whether the same malicious code exists in other devices in my network. To gain this visibility, I selected the ECAT solution because it has a combination of BIT-9, Yara Rules Engine and the OPSWAT Metascan. It allows us to view the device master file table or perform a memory dump for further analysis. Once we determine a malicious process in the device memory, we can search other devices for the same malicious code.
We are using the Archer Security Operations module in conjunction with Security Analytics. SECOPS allows your incident handler to have immediate access to your vulnerability data, risk info, threat info, policy management, and business continuity information all from the same platform. Security Analytics will send its alerts to Archer SECOPS and automatically generate an incident ticket for the SOC personnel to work on. With this workflow, it has greatly improved our incident handling and response process. In addition, the SECOPS Manager can use this information to quality check his incident handler approach to each incident and refine the response process.