Uploaded by phungphuc, posted 01-May-2018

Slide 1: Advanced Threats: The New World Order

Gary Lau, Technology Consulting Manager, Greater China
[email protected]

© Copyright 2012 EMC Corporation. All rights reserved.

Slide 2: Agenda

• Change of Threat Landscape and Business Impact
• Case Sharing
  – Korean Incidents
  – EMC CIRC
• APTs Investigation
• Q&A

Slide 3: Traditional Security Is Not Working

Source: Verizon 2012 Data Breach Investigations Report

• 99% of breaches led to compromise within “days” or less, with 85% leading to data exfiltration in the same time
• 85% of breaches took “weeks” or more to discover

Slide 4: What is APT?

Slide 5: What is APT?

Gartner uses a simple definition for “APT”:

• Advanced: It gets through your existing defenses.
• Persistent: It will keep trying until it gets in, and once done, it succeeds in remaining hidden from your current level of detection until it attains its objective.
• Threat: It can cause harm.

Source: “Strategies for Dealing with Advanced Targeted Attacks”, Gartner, 6 Jun 2013

Slide 6: Aims of APT

• Information compromise: Stealing, destroying or modifying business-critical information.
• Theft of service: Obtaining use of the business product or service without paying for it.
• Denial of service: Disrupting business operations.

Slide 7: Known vs Unknown Threat Detection

Known threats (Detect):
• Firewall
• IDS/IPS
• AV
• DLP
• SIEM
• Others…

Unknown threats (Investigate):
• What
• Where
• How

Slide 8: Unknown Threat…

Targeted attacks often use custom-created malware that is undetectable by signature-based techniques. Such attacks generally require some means of communication back to an outside party (beaconing).

Slide 9: APT leaves clues!

• APT footprints
  – Payload (one or several)
  – Compromised host
  – Remote C2 server
  – Network communications
• Remote C2 server
  – A routable IP address, or a domain name pointing to it, registered as a fully qualified domain name
  – Or an account with a DDNS provider
• Payload
  – Binaries, strings & functions, etc., configured with the C2 address/domain
• Proactive Intelligence to detect these clues
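Slides 8 and 9 make the defender's point that custom malware may evade signatures but still has to beacon to its C2 server, and that the network communications are a footprint worth hunting. The script below is an added example (not from the slides, nor RSA or EMC code) of the simplest form of that hunt: group outbound connections by source and destination and flag pairs whose inter-connection gaps are unusually regular. The log lines, hosts and addresses are constructed for the example, and the thresholds MIN_CONNECTIONS and MAX_JITTER_RATIO are assumed starting values, not tuned numbers.

```python
"""
Beacon-detection sketch over constructed proxy/firewall connection records.

Custom malware may evade signatures, but it still talks to its C2 server,
and that traffic tends to be periodic ("beaconing"). Periodicity shows up
as low variance in the gaps between connections from one host to one
destination, even when the destination is new and the payload is unknown.

All hosts, addresses and records below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one "timestamp src dst bytes_out" record per line.
# 10.1.2.15 -> 203.0.113.7 connects every ~10 minutes (a beacon pattern);
# 10.1.2.15 -> 198.51.100.20 is irregular, user-driven traffic;
# 10.1.2.99 -> 203.0.113.7 has too few connections to judge.
SAMPLE_LOG = """\
2013-06-06T09:00:02 10.1.2.15 203.0.113.7 412
2013-06-06T09:10:03 10.1.2.15 203.0.113.7 410
2013-06-06T09:20:01 10.1.2.15 203.0.113.7 415
2013-06-06T09:30:04 10.1.2.15 203.0.113.7 409
2013-06-06T09:40:02 10.1.2.15 203.0.113.7 411
2013-06-06T09:50:03 10.1.2.15 203.0.113.7 413
2013-06-06T09:01:10 10.1.2.15 198.51.100.20 1500
2013-06-06T09:03:45 10.1.2.15 198.51.100.20 80321
2013-06-06T09:27:12 10.1.2.15 198.51.100.20 2201
2013-06-06T09:29:50 10.1.2.15 198.51.100.20 7700
2013-06-06T09:55:31 10.1.2.15 198.51.100.20 300
2013-06-06T09:58:00 10.1.2.15 198.51.100.20 1200
2013-06-06T09:05:00 10.1.2.99 203.0.113.7 500
2013-06-06T09:06:00 10.1.2.99 203.0.113.7 500
"""

MIN_CONNECTIONS = 5      # assumed: fewer samples than this cannot be called periodic
MAX_JITTER_RATIO = 0.15  # assumed: stdev/mean of the gaps; lower means more regular


def parse_log(text):
    """Parse lines into (timestamp, src, dst, bytes_out); malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            records.append((datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue
    return records


def interarrival_seconds(timestamps):
    """Gaps in seconds between consecutive timestamps, after sorting them."""
    ts = sorted(timestamps)
    return [(later - earlier).total_seconds() for earlier, later in zip(ts, ts[1:])]


def score_pairs(records):
    """Return {(src, dst): info} with connection count, period, jitter ratio and beacon flag."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in records:
        by_pair[(src, dst)].append(ts)
    scores = {}
    for pair, times in by_pair.items():
        if len(times) < MIN_CONNECTIONS:
            scores[pair] = {"count": len(times), "beacon": False, "reason": "too few connections"}
            continue
        gaps = interarrival_seconds(times)
        period = mean(gaps)
        jitter = pstdev(gaps) / period if period > 0 else float("inf")
        scores[pair] = {
            "count": len(times),
            "period_s": round(period, 1),
            "jitter_ratio": round(jitter, 3),
            "beacon": jitter <= MAX_JITTER_RATIO,
        }
    return scores


def find_beacons(text):
    """Parse a log and return the (src, dst) pairs flagged as beacon-like, sorted."""
    return sorted(pair for pair, info in score_pairs(parse_log(text)).items() if info["beacon"])


if __name__ == "__main__":
    for pair, info in score_pairs(parse_log(SAMPLE_LOG)).items():
        print(pair, info)
```

Two things a practitioner would add before relying on this: a list of known legitimate periodic talkers (software update checks, time sync, monitoring agents), since regularity alone is not evidence of compromise, and a wider time window, because the "low and slow" beacons the deck describes may call home hours apart.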

Slide 10: Advanced Threats Are Different

[Figure: attack timeline. Phases along the time axis: Attack Begins, System Intrusion, Cover-Up Complete, Attack Identified, Response. Dwell Time (attacker free time) runs from System Intrusion to Attack Identified; Response Time runs from Attack Identified to Response. Annotations on the timeline: Leap Frog Attacks, Cover-Up, Discovery. Goals: (1) decrease Dwell Time, (2) speed up Response Time.]

Three characteristics of advanced threats:
1. Targeted: specific objective
2. Stealthy: low and slow
3. Interactive: human involvement

Slide 11: Resource Shift: Budgets and People

Traditional Defense: Prevention 80%, Monitoring 15%, Response 5%

Increase the ability to detect and respond: Prevention 33%, Monitoring 33%, Response 33%

Slide 12: A New Security World

It will become increasingly difficult to secure infrastructure. We must focus on people, the flow of data and on transactions.

Slide 13: You need Visibility!!

Slide 14: SIEM has been a good start

SIEM can provide:
– Valuable reporting on device and application activity
– Basic alerting on known sequences (i.e. basic correlation)
– Proof of compliance for internal and external auditors
– Central view into disparate event sources being collected

In today’s world…
• Threats are multi-faceted, dynamic and stealthy
• The most dangerous attacks have never been seen before
• Threats often don’t leave a footprint in logs

Slide 15: Today’s tools need to adapt

Today’s tools need to be able to detect and investigate:
– Lateral movement of threats as they gain a foothold
– Covert characteristics of attack tools, techniques & procedures
– Exfiltration or sabotage of critical data

Today’s tools need to be able to scale:
– To collect and store the volume and diversity of data required
– To provide analytic tools to support security workstreams
– Time to respond is critical in a breach situation, and SIEM often falls short

Traditional SIEM will not meet these needs!

Slide 16: Control Coverage (attack the control ‘white space’)

[Figure: adversary on the left, assets on the right. Between them sit the “Defense in Depth” controls FW, IDS, AV, EndPoint and DLP, each sending a log to the SIEM. Emerging threats that pass through the white space between those controls: 0-day malware, trusted C2, valid credentials. Additional layers shown: threat intelligence (Live Intelligence & CCI), packet and log capture (full packet capture), governance, ECAT, DLP.]

Slide 17: Holistic Approach to Address APT

Critical questions against APTs:
• What matters?
• What is going on?
• How do I address it?

Capabilities that answer them: Comprehensive Visibility, Actionable Intelligence, Governance

Slide 19: Use a Strategic Security Approach to Implement Tactical Best-Practice Controls

Best practice strategies from Gartner:

• Use a comprehensive approach; no one single technology will stop advanced targeted attacks, even products specifically targeted at advanced forms of attacks.
• Acknowledge that technology alone won’t stop APT; your strategy must include the search for compromised systems, improvements in your forensics and incident response capabilities, and rapid response.

Slide 20: List of RSA offerings within Gartner control layers

Technologies                                Solution Offerings
Authentication Technology                   RSA SecurID
Advanced Threat Protection Appliances       RSA Security Analytics
Network Forensics                           RSA Security Analytics
Security Information and Event Management   RSA Security Analytics
Security Intelligence Services              RSA Security Analytics, RSA Cyber Crime Intelligence
Endpoint Threat Detection and Response      RSA ECAT
Incident Response Capabilities              RSA Archer
DLP                                         RSA DLP

Source: Gartner G00256438

Slide 21: Korean Incidents: The power of Detect and Investigate

Slide 22: Disruptive Attacks - 2011

Slide 23: Disruptive Attacks - 2013

Slide 24: Multi-Vector Co-ordinated Attack

What changed between 2011->20132011 2013

Target 1 Bank 3 Banks and a TV Station

Destruction Delete Bootfiles & Reboot

Delete MBR & Reboot

Delivery Single Vector Multi-Vector

SIEM No Mostly

Network Forensics No Partial

Investigative Capabilities

None Minimal

Downtime 2 Days 2 Hours

Slide 26: EMC CIRC

Slide 27: Functional Areas

Global Security Organization:
• Implement: Office of Information Security
• Investigate: Corporate Protective Services
• Enable: Business Security Enablement Group
• Detect: Critical Incident Response Group
• Risk Management

Slide 28: Sphere of Protection

• Fed by more than 2,000 security devices which generate 12 to 14 million security events per hour
• Protecting critical infrastructure of thousands of customers spanning more than 500 sites in over 100 countries
• Manages security incidents, investigates suspicious behavior, vulnerability analysis, malware analysis, and threat management
• Built on EMC proven technologies from RSA, including RSA Security Analytics and RSA Archer
• A specialized, cross-functional, highly skilled team focused just on monitoring for critical threats and incident response

Slide 29: EMC CIRC Statistics Reference

• After filtering, around 200 alerts need to be handled.
• Of those 200 alerts, ~30 need further investigation.
• 3 people are needed to handle the in-depth advanced investigation.

Slide 30: Investigating against APTs: a case study

Slide 31: Solutions Highlights

RSA Security Analytics (upgradable from RSA enVision)
– Provides enterprise-wide visibility into network traffic and log event data to reduce attacker free time from weeks to hours.

RSA ECAT (Enterprise Compromise Assessment Tool)
– Detects advanced malware and enables quick response, leveraging innovative live memory analysis.

RSA Archer
– Provides business context, hence incident prioritization, and manages remediation procedures.

Slide 60: Planning Your Journey

[Figure: maturity level progression from technology focused to business risk focused: IT Risk → Control → Compliance → Business Risk.]

Slide 61: RSA ACD Services Portfolio: Impacting the Attack “Cyber Kill Chain”

Attack phases: Establish Beachhead → Infiltration → Data Exfiltration

Services:
• Breach Readiness
• Incident Response/Discovery
• Cyber Threat Intelligence
• Breach Management
• Identity & Access Control
• NextGen SOC Design & Implementation