Advanced Threats: The New World Order
Gary Lau, Technology Consulting Manager, Greater China
© Copyright 2012 EMC Corporation. All rights reserved.
Agenda
• Change of Threat Landscape and Business Impact
• Case Sharing
  – Korean Incidents
  – EMC CIRC
• APTs Investigation
• Q&A
Traditional Security Is Not Working
Source: Verizon 2012 Data Breach Investigations Report
• 99% of breaches led to compromise within “days” or less, with 85% leading to data exfiltration in the same time
• 85% of breaches took “weeks” or more to discover
What is APT?
Gartner uses a simple definition for “APT”:
• Advanced: It gets through your existing defenses.
• Persistent: It will keep trying until it gets in, and once done, it succeeds in remaining hidden from your current level of detection until it attains its objective.
• Threat: It can cause harm.
Source: “Strategies for Dealing with Advanced Targeted Attacks”, Gartner, 6 Jun 2013
Aims of APT
• Information compromise: Stealing, destroying or modifying business-critical information.
• Theft of service: Obtaining use of the business product or service without paying for it.
• Denial of service: Disrupting business operations.
Known vs Unknown Threat Detection
• Known threats – Detect with: Firewall, IDS/IPS, AV, DLP, SIEM, others…
• Unknown threats – Investigate: What, Where, How
Unknown Threat…
• Targeted attacks often use custom-created malware that is undetectable by signature-based techniques.
• Such attacks generally require some means of communication back to an outside party (beaconing).
APT leaves clues!
• APT footprints
  – Payload (one or several)
  – Compromised host
  – Remote C2 server
  – Network communications
• Remote C2 server
  – Routable IP address, or a domain name pointing to it, registered as a fully qualified domain name
  – Or an account with a DDNS provider
• Payload
  – Binaries, strings & functions, etc., configured with the C2 address/domain
• Proactive intelligence to detect these clues
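The slides make the point that custom malware evades signatures but still has to beacon to its C2 server, which leaves a network footprint. The following is an added example (not from the presentation or from RSA) showing one way to surface that footprint: it groups outbound connections by source and destination and flags pairs that call home at a near-constant interval. The log format, the hosts and the DDNS name are constructed placeholders.

```python
"""Periodic-beacon detection over constructed connection records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

START = datetime(2013, 6, 1, 9, 0, 0)


def _make_sample_log():
    """Constructed sample: 10.0.0.7 beacons to a placeholder DDNS name every
    ~300 s with a few seconds of jitter; 10.0.0.9 browses at irregular intervals."""
    lines = []
    beacon_offsets = [0, 4, -3, 6, -5, 2, 7, -4]          # seconds of jitter per hit
    for i, off in enumerate(beacon_offsets):
        ts = START + timedelta(seconds=300 * i + off)
        lines.append(f"{ts.isoformat()} 10.0.0.7 -> c2-placeholder.ddns.example")
    ts = START
    for gap in [20, 900, 45, 3000, 130, 61, 2200]:        # human-driven browsing
        lines.append(f"{ts.isoformat()} 10.0.0.9 -> news.example")
        ts += timedelta(seconds=gap)
    lines.append(f"{ts.isoformat()} 10.0.0.9 -> news.example")
    return lines


SAMPLE_LOG = _make_sample_log()


def parse_line(line):
    """Record format (constructed for this example): '<ISO timestamp> <src> -> <dst>'."""
    ts, src, _, dst = line.split()
    return datetime.fromisoformat(ts), src, dst


def find_beacons(lines, min_hits=6, max_jitter=0.15):
    """Flag (src, dst) pairs with many connections at a near-constant interval.
    jitter = stdev/mean of the gaps between connections; a timer-driven
    beacon stays well under max_jitter, interactive traffic does not."""
    conns = defaultdict(list)
    for line in lines:
        ts, src, dst = parse_line(line)
        conns[(src, dst)].append(ts)
    findings = []
    for (src, dst), times in conns.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        jitter = pstdev(gaps) / period if period > 0 else float("inf")
        if jitter <= max_jitter:
            findings.append({"src": src, "dst": dst, "hits": len(times),
                             "period_s": round(period, 1), "jitter": round(jitter, 3)})
    return findings
```

Real beacons add deliberate jitter and may use the same destination as legitimate traffic, so thresholds need tuning against your own baseline and the findings are leads for investigation rather than verdicts.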
Advanced Threats Are Different
[Figure: attack timeline – Attack Begins → System Intrusion → Cover-Up Complete → Attack Identified → Response. The span from intrusion to identification is the Dwell Time (Attacker Free Time); the span from identification to response is the Response Time. Goals: (1) decrease dwell time, (2) speed response time. Cover-up, discovery and leap-frog attacks are marked along the timeline.]
1. TARGETED – specific objective
2. STEALTHY – low and slow
3. INTERACTIVE – human involvement
Resource Shift: Budgets and People
• Traditional Defense: Prevention 80%, Monitoring 15%, Response 5%
• Increase the ability to detect and respond: Prevention 33%, Monitoring 33%, Response 33%
A New Security World
• It will become increasingly difficult to secure infrastructure
• We must focus on people, the flow of data and on transactions
SIEM has been a good start
SIEM can provide:
– Valuable reporting on device and application activity
– Basic alerting on known sequences (i.e. basic correlation)
– Proof of compliance for internal and external auditors
– Central view into disparate event sources being collected
In today’s world…
• Threats are multi-faceted, dynamic and stealthy
• The most dangerous attacks have never been seen before
• Threats often don’t leave a footprint in logs
Today’s tools need to adapt
Today’s tools need to be able to detect and investigate:
– Lateral movement of threats as they gain a foothold
– Covert characteristics of attack tools, techniques & procedures
– Exfiltration or sabotage of critical data
Today’s tools need to be able to scale:
– To collect and store the volume and diversity of data required
– To provide analytic tools to support security workstreams
– Time to respond is critical in a breach situation – and SIEM often falls short
Traditional SIEM will not meet these needs!
Control Coverage: Attack the control ‘white space’
[Figure: the adversary reaches the assets through the “Defense in Depth” layers – FW, IDS, AV, Endpoint, DLP – each of which only sends logs to the SIEM. Emerging threats (0-day malware, trusted C2, valid credentials) pass through the white space between these controls. The proposed coverage adds full packet capture alongside logs, threat intelligence (Live Intelligence & CCI), ECAT on the endpoint, DLP, and governance.]
Critical Questions against APTs
• Comprehensive Visibility – What is going on?
• Actionable Intelligence – What matters?
• Governance – How do I address it?
Use a Strategic Security Approach to Implement Tactical Best-Practice Controls
Best Practice Strategies from Gartner:
• Use a comprehensive approach; no one single technology will stop advanced targeted attacks, even products specifically targeted at advanced forms of attacks.
• Acknowledge that technology alone won’t stop APT; your strategy must include the search for compromised systems, improvements in your forensics and incident response capabilities, and rapid response.
List of RSA offerings within Gartner control layers
Technologies                                Solution Offerings
Authentication Technology                   RSA SecurID
Advanced Threat Protection Appliances       RSA Security Analytics
Network forensics                           RSA Security Analytics
Security information and event management   RSA Security Analytics
Security Intelligence Services              RSA Security Analytics, RSA Cyber Crime Intelligence
Endpoint Threat Detection and Response      RSA ECAT
Incident Response Capabilities              RSA Archer
DLP                                         RSA DLP
Source: Gartner G00256438
Korean Incidents: The power of Detect and Investigate
What changed between 2011 and 2013
                             2011                        2013
Target                       1 Bank                      3 Banks and a TV Station
Destruction                  Delete Bootfiles & Reboot   Delete MBR & Reboot
Delivery                     Single Vector               Multi-Vector
SIEM                         No                          Mostly
Network Forensics            No                          Partial
Investigative Capabilities   None                        Minimal
Downtime                     2 Days                      2 Hours
Functional Areas – Global Security Organization
• Implement: Office of Information Security
• Investigate: Corporate Protective Services
• Enable: Business Security Enablement Group
• Detect: Critical Incident Response Group
• Risk Management
Sphere of Protection
• Fed by more than 2,000 security devices which generate 12 to 14 million security events per hour
• Protecting critical infrastructure of thousands of customers spanning more than 500 sites in over 100 countries
• Manages security incidents, investigates suspicious behavior, vulnerability analysis, malware analysis, and threat management
• Built on EMC proven technologies from RSA, including RSA Security Analytics and RSA Archer
• A specialized, cross-functional, highly skilled team focused just on monitoring for critical threats and incident response
EMC CIRC Statistics Reference
• After filtering, around 200 alerts per day need to be handled.
• Out of those 200 alerts, ~30 need further investigation.
• 3 people are needed to handle the in-depth advanced investigation.
Solutions Highlights
• RSA Security Analytics (upgradable from RSA enVision) – Provides enterprise-wide visibility into network traffic and log event data to reduce attacker free time from weeks to hours.
• RSA ECAT (Enterprise Compromise Assessment Tool) – Detects advanced malware and enables quick response, leveraging innovative live memory analysis.
• RSA Archer – Provides business context for incident prioritization and manages remediation procedures.
Planning Your Journey
[Figure: maturity levels from Technology Focused to Business Risk Focus – IT Risk → Control → Compliance → Business Risk.]
Impacting the Attack “Cyber Kill Chain”
[Figure: attack stages – Establish Beach Head → Infiltration → Data Exfiltration – with the RSA ACD Services Portfolio mapped against them.]
RSA ACD Services Portfolio
• Breach Readiness
• Incident Response/Discovery
• Cyber Threat Intelligence
• Breach Management
• Identity & Access Control
• NextGen SOC Design & Implementation