From SIEM to SA: The Path Forward

From SIEM to
Security Analytics
The Path Forward
Seth Geftic, Product Marketing Manager
Steve Garrett, Product Manager

© Copyright 2012 EMC Corporation. All rights reserved.

1

Agenda
 The Shift From SIEM
 What is RSA Security Analytics
 Beyond SIEM: Intelligence Driven Security

 Intelligence Driven Security In Action


2

The Shift Away From SIEM


3

The purpose of SIEM has evolved
 The original purchase driver behind SIEMs were
– Satisfying compliance requirements more easily
▪ Collecting and retaining logs with less operational overhead
▪ Creating compliance reports more easily

– Troubleshooting operational problems
▪ Determining root cause of failures

 Making IDS work better was often a driver too
– The security team was deluged with IDS alerts
– Many of the IDS rules were crude and fired too often


4

Why hasn’t SIEM lived up to
expectations?
 Things have become more complex

– IT environments have expanded
– Hackers have become more sophisticated
– IDS has become less and less relevant

 SIEMs response has been to add more log sources

– More diversity of sources (Security Device, OS, Application
etc)
– Greater volume of sources as the number of critical
systems has expanded

 But this has not solved the problem

– SIEM has not been able to scale to the volume required
– Its impractical to create correlation rules to detect every
complex threat
– Many threats no longer even have a footprint in the logs


5

The result for organizations?
 Honeymoon period for customers post
implementation
– Compliance reports run more smoothly
– Security teams get at least *some* visibility into
activity

 Disillusionment follows for many pretty soon
after
– As team matures they start to try extract more
value from the data
– At this point, performance and correlation
limitations come to the fore

6

Today’s tools need to adapt
 Today’s tools need to be able to detect and
investigate
– Lateral movement of threats as they gain foothold
– Covert characteristics of attack tools, techniques &
procedures
– Exfiltration or sabotage of critical data

 Today’s tools need to be able to scale
– To collect and store the volume and diversity of data
required
– To provide analytic tools to support security work
streams
– Time to respond is critical in a breach situations – and
SIEM often falls short

7

Security Analytics & The Security
Maturity Voyage
Visibility
and
Understanding

Network
Monitoring &
Investigation

Traditional
SIEM
Compliance

Advanced
Analysis

Incident
Detection
SECURITY
ANALYTICS
Security Team
Sophistication
& Skillset


8

Use Case Needs Grow
 Compliance + Tier 1 Security (often met with traditional
SIEM)
– Compliance requirements
– Incident detection
– Limited investigations
 Moving Beyond SIEM
– Increased visibility
– Deep forensics and investigations
– Supplement traditional SIEM
 Advanced Security Operations
– Find more sophisticated attacks
– Increased “hunting” ability
– Conduct complex data analysis for next gen SOC


9

Today’s Security Requirements
Big Data
Infrastructure
“Need a fast and
scalable infrastructure to
conduct real time and
long term analysis”

Comprehensive
Visibility
“See everything
happening in my
environment and
normalize it”

High Powered
Analytics

Integrated
Intelligence

“Give me the speed and
smarts to detect,
investigate and prioritize
potential threats”

“Help me understand
what to look for and
what others have
discovered”


10

What is RSA Security Analytics


11

RSA Security Analytics
Unified platform for incident detection, investigations, compliance
reporting and advanced security analysis

SIEM
Log Parsing
Compliance Reports
Incident Alerts


RSA Security
Analytics

Network Security
Monitoring

Full Packet Capture
Big Data Infrastructure
Capture Time Data
Comprehensive Visibility
Enrichment
High Powered Analysis
Deep Dive Investigations
Intelligence Driven Context

12

Big data security analytics:
RSA Security Analytics architecture
LIVE

Distributed
Data
Collection

Capture
Time Data
Enrichment
PARSING &
METADATA TAGGING

PACKETS

LIVE
LIVE
Reporting
& Alerting

PACKET
METADATA
LOGS

Investigation
& Forensics

Compliance
Malware
Analysis

Intelligence
Feeds
LOG
METADATA

RSA LIVE
INTELLIGENCE

Incident
Response

Endpoint
Visibility
& Analysis

Additional
Business &
IT Context

Threat Intelligence | Rules | Parsers | Alerts | Feeds | Apps | Directory Services | Reports & Custom Actions


13

RSA Security Analytics “SIEM-like”
deployment
LIVE

Distributed
Data
Collection

Capture
Time Data
Enrichment

PARSING &
METADATA TAGGING

LOGS
LOGS

LOG
METADATA

LIVE
LIVE
Reporting
& Alerting
Investigation
& Forensics

Compliance
Malware
Analysis

Intelligence
Feeds

RSA LIVE
INTELLIGENCE

Incident
Response

Endpoint
Visibility
& Analysis

Additional
Business &
IT Context

Threat Intelligence | Rules | Parsers | Alerts | Feeds | Apps | Directory Services | Reports & Custom Actions


14

RSA Security Analytics with a traditional
SIEM
LIVE

LIVE

Distributed
Data
Collection

LIVE

PARSING &
Capture
METADATA TAGGING

Time Data
Enrichment

Alerting
PACKETS

PACKET
METADATA

3rd Party
SIEM
Collection
LOGS


Investigation
& Forensics

Malware
Analysis
Intel
Feeds

Alerts
Alert Triage

Investigations

Compliance
& Reporting

15

What Makes SA Different?
 Single platform for log & network security
monitoring
 Capture time data enrichment
 Superior event stream & on-request analysis
 Incorporates business and IT data, incident
response & endpoint visibility

 Operationalizes threat intelligence
 Security platform where compliance is an
outcome, not the other way around


16

Beyond SIEM – Intelligence Driven Security


17

What is Intelligence Driven Security?
 The process of using all the security-related
information available, both internally and
externally, to detect hidden threats and even
predict future ones.
 It is knowledge that enables an organization to
make informed risk decisions and take action.


18

Meet the Adversary: Mr. X
Persona

Mission in Life

Tactics

Primary Data
Source(s)

Cyber Criminal,
Government
sponsored or
non-state actor

Exfiltrate any and all data available by
creating threat surface specialized for
a given target.

Malicious
Code, Social
Media,
Phishing,
Spear
Phishing

Must Have: Facebook,
LinkedIn, Malware

Mr. X

Note: Average price of a zeroday exploit generated by the
criminal underground is $25.

Mr. X has been busy:
 Combination of Waterhole Attacks with Zero Day Exploits (non-profits and think tanks)
–
–
–
–

Targeting users who visit very specific websites
Latest IE 0-day attack focused on a specific non-profit site
Downloaded and executed shellcode directly from memory, never hit disk
Dropped non-persistent (Aurora) 9002 RAT

 Multiple attack groups on the same victim, steady evolution of adversary backdoors
 NO slowdown in attack operations, very specific targeting of intelligence based on attacker
taskings (Lawsuits, Key Personnel, C-Suite, M/A activity)
 Email Exfiltration – MAPI tool, Theft of Lotus Notes Email
 Continued heavy use of Windows Service DLLs, some signed


19

Mr. X – How Does he do it?

Ability to Detect

Your Network
A: Web App
Vulnerability

B: Drop Webshells or
Trojan Backdoor
D: Pass The Hash

C: Command
and Control

IDS

SIEM

SA

A
B
C
D

E: Seize Domain
Admin Credentials

E
F
G

H: Transmit
Stolen Data

F: Gain Access to
Trade Secrets
G: Upload
Stolen Data to
Staging Server


H

Yes
Possible

Yes – Full Visibility
with Logs and
Packets with
Threat Intelligence

No

20

Intelligence Driven Security with
Security Analytics
A: Web App
Vulnerability

B: Drop Webshells or
Trojan Backdoor

 RSA Live Threat Intelligence May Have Identified Risk of the
Transfer as a Starting Point for Investigation


21

Security Analytics
C: Command
and Control

Traversing Your Infrastructure
D: Pass The Hash
E: Seize Domain Admin Credentials
F: Gain Access to Trade Secrets
G: Upload Stolen Data to Staging Server

 Mr. X use a variety of techniques to communicate while traversing your
infrastructure which Security Analytics can detect and parse

– Named Pipes commonly abused (pipehello is NOT from Microsoft)
– Abuse of the Windows Task Scheduler over SMB connections via NET USE, allowing
command shell capabilities with SYSTEM privelidges

 Security Analytics combines Log Data with Packet Data for Deep Visibility


22

Security Analytics
H: Transmit
Stolen Data

Your Network
G: Upload Stolen Data to Staging Server

 RSA Live Threat Intelligence May Have Identified Risk of the Transfer based on
Remote Host or Outbound Protocol Anomalies ( such as self-signed certs)
–
–

Security Analytics will flag these sessions as suspicious and identify where the data travelled
Event reconstruction may be possible


23

Anyone see this Movie?


24

Event Stream Analysis:
Intelligence Driven Security in Action


25

Intelligence Driven Security with Security
Analytics – Event Stream Analysis
Log Decoder

Concentrator
18k EPS

• Full Visibility
LIVE

Log Decoder

Concentrator

ESA
24k EPS

– Log Data and Packet
Data normalized into
Meta Data
– Additional Context may
be added into ESA from
other business systems

LIVE

Packet Decoder

Concentrator
2 GB/s
Additional
Context

LIVE


26


STATIC
CONTEXT

DYNAMIC
CONTEXT

DYNAMIC
CONTEXT

• Leverage the power of ESA’s Correlation Engine to Create Dynamic Risk
Categorization using Context Windows

Suspicious Internal IP
10.221.32.12
161.169.207.15
..
..
Suspicious Host Alias
Ssl-irc.scumware.org
Mirror.wikileaks.info
Updatekernal.com
…

Critical Asset List
10.100.32.10
10.100.32.104


• Suspicious Internal Hosts IP List based on Packet Analysis and RSA
Live Threat Intel
•

As an example, any host running a named pipe such as “pipehello”

•

Entries age out after preconfigured time (8 hours for instance)

• Suspicious Host Alias List based on Packet Analysis and
RSA Live Threat Intel
• Entries age out after preconfigured time (12 hours
for instance)

• Critical Asset List may come from Feed File or CSV file
which provides Business Context
• Entries can be configured to be static and not
age out

27

• When one of the Suspicious Hosts attempts to login on one of the Critical Assets, you
may deem this as an elevation of Risk, and choose to add the IP address of the Host
to a new list

DYNAMIC
CONTEXT

• Elevated Risk Internal IP List based on Log Data from
Domain Controller
Elevated Risk Internal IP
10.221.32.12
161.169.207.15
..
..

If A->B->C AND the Host IP
address is included in the
Elevated Risk Context Window,
then tell me about it!”


• ESA determines that a host in the Suspicious Host IP list
attempted to login to a host in the Critical Asset List
• ESA places this IP address into the Elevated Risk Internal IP
list, which can be configured to age out after a
preconfigured time

• Context Window can be referenced with the Incoming
Event Streams and used to make a more intelligent
decision to fire an Alert

28

RSA Security Analytics
• Cornerstone in the Security Operations
journey

• Flexible platform that grows with your needs
– Compliance  incident detection investigation
and forensics  advanced analysis
– From logs  packets or packets  logs

• Security platform where compliance is a
byproduct, not the other way around


29

RSA Advanced Cyber Defense Services
A portfolio of services to help you achieve security operations excellence
• Strategy & Roadmap
Current strategy review and
recommendations for desired
future state
• Incident Response
Rapid breach response service
and SLA-based retainer
• NextGen Security Operations
SOC/CIRC evolution and security
program transformations; moving
from reactive to proactive

www.rsa.im/ACDpractice

30

RSA Advanced Cyber Defense Training
A comprehensive learning path for security analysts
• Focus on proven
methodologies for
operating and
managing a
CIRC/SOC
• Hands-on labs
designed around
real-world use cases
and teamwork in a
CIRC/SOC
• Delivered by highly
experienced RSA
Security Practitioners

www.emc.com/rsa-training

31

Reimagining Security Analysis:
Removing Hay vs. Digging For Needles
All Network
Traffic & Logs

Terabytes of data
100% of total

Downloads
of executables

Thousands of data points
5% of total

Type does
not match
extension

Hundreds of data points
0.2% of total

!

Create alerts to/from
critical assets
A few dozen alerts

33

Integrated Intelligence
Know What To Look For
RSA LIVE INTELLIGENCE SYSTEM

Threat Intelligence – Rules – Parsers – Alerts – Feeds – Apps – Directory Services – Reports and Custom Actions

1

2
Gathers advanced
threat intelligence
and content

3
Aggregates &
consolidates data

Automatically
distributes
correlation rules,
blacklists, parsers,
views, feeds

OPERATIONALIZE INTELLIGENCE:
Take advantage of what others have already found and apply
against your current and historical data


34

SA vs. SIEM
Attack Step

Traditional
SIEM

RSA Security
Analytics

Alert for access over non-standard port

No

Yes

Recreate activity of suspect IP address across
environment

No

Yes

Show user activity across AD and VPN

Yes

Yes

Alert for different credentials used for AD and
VP

Yes

Yes

Reconstruct exfiltrated data

No

Yes


35

From SIEM to SA: The Path Forward

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Destacado

Destacado (20)

Similar a From SIEM to SA: The Path Forward

Similar a From SIEM to SA: The Path Forward (20)

Más de EMC

Más de EMC (20)

Último

Último (20)

From SIEM to SA: The Path Forward