Advanced Cyber Defense - Dell EMC Germany
Post on 24-Jun-2018
1 © Copyright 2013 EMC Corporation. All rights reserved.
Advanced Cyber Defense: A Readiness, Response & Resilience (R3) Strategy for Targeted Attacks
Azeem Aleem, Manager Advanced Cyber Defense, EMEA
Slide 2: ACD Service Portfolio (Readiness, Response & Resilience)
• Strategy & Roadmap
• Incident Response
• Cyber Threat Intelligence
• Vulnerability Risk Management
• Security Operations Management
• NextGen SOC Design & Implementation
Slide 3: Cyber attacks are real and growing. The internet enables remote attacks with lower risk of detection.
[Timeline figure, 2003 to 2013, of publicly reported attacks and targets: Titan Rain, Aurora, PLA Unit 61398 recruitment scholarships, Night Dragon, Shady RAT, Grey Goose, Stuxnet, Australian Mining, RBA, Taidoor, Safe, Duqu, Comodo, Black Tulip, Nitro, IMF, RSA, Lockheed Martin, Ghost Net, Nortel, State Dept., US Naval War College, Oak Ridge, Los Alamos, Commerce Secretary, Estonia, Red October]
Slide 4: Challenge: Organizations are not ready
[Chart: Security Market Sizing (excl. Services), in $000,000, scale $0 to $40,000, years 2013 to 2017; series: Hardware & Software (Gartner, 2013) and Specialized Threat Analysis & Protection (IDC, 2013)]
Source: 2013 VDB Investigations Report
• In 84% of cases, the initial compromise took hours – or even less.
• In 66% of cases, the breach wasn’t discovered for months – or even years.
• In 22% of cases, it took months to contain the breach.
Slide 6: Incident Response? Implementation of Proactive Cyber Compliance and Regulation?
Understand the Threat: Learning from our mistakes, the DIY syndrome?
A Case for Intelligence Driven Security?
Slide 7: What we see: why organizations are not ready
[Diagram: signature-based tools (firewall, virus scanner, proxy, IDS/IPS) feed log alerts into a SIEM platform; the SIEM generates an alert; the security team reviews signature-based alerts; desktop support team]
• No formal processes
• No incident management system, no metrics
• Ad-hoc (email) communication
• Flat team structure
• Tool break/fix competes with analysis & response
• No / minimal analysis
• No closure step on reported incidents
Slide 8: There's no such thing as an isolated incident
Behind every major safety incident, there are 29 minor incidents, 300 near misses and thousands of bad practices.
See and manage the whole incident space, not just the exceptions.
Slide 9: Applying ACD to the Breach Cycle
[Diagram of the cyber cycle, the Cyber Kill Chain or "Breach Life Cycle": a threat vector ("malware", undetected) establishes a network foothold, leading to data exfiltration and late detection; the interval in between is the Breach Exposure Time ("BET"). The Advanced Cyber Defense approach targets threat visibility & mitigation goal.]
Slide 10: RSA ACD Services Portfolio: control mapping for Readiness, Response & Resilience (R3)
[Chart: security controls plotted by Intelligence Value (low to high) against Defense Effectiveness (low to high), overlaid with the Readiness, Response and Resilience phases. Controls shown: Packet Analysis, Strong Authentication, SIEM, DLP, SSO, Change Control, Firewalls, IDS/IPS, Training & Awareness, Policy Standards & Guidelines, Host Analysis, Physical Security, Network Encryption, Vulnerability Management, File Encryption, Disk Encryption, Patch Management, Vendor / MSSP Governance, File Analysis, Workflow Automation, Threat Intelligence, Anti Virus, Background Checks, SOC Procedures, Risk Assessment. Annotations: "Large investments here!" and "Not enough being invested here!"]
ACD Approach (R3): Enhance Readiness, Accelerate Response, Sustain Resilience
Slide 11: What We Need: an intelligence driven model for Readiness, Response & Resilience
[Diagram: a single UI for incident management & reporting and visibility, backed by a data warehouse & ticketing system, the security architecture team, device administration and the IT team. Expertise: Level 1, Level 2 and Level 3 triage; threat triage; workflow & automation, rules, alerts & reports; analytic intelligence and content intelligence; threat intelligence from subscriptions, community and open source. Controls: A/V, IDS/IPS, firewall/VPN, proxy, packets, host, file and DLP, producing SIEM log alerts, DLP alerts and signature-less alerts. Context: business, risk and threat context (line of business owner, policy, assessments, criticality, vulnerability).]
Slide 12: Advanced Security Operations (After)
[Diagram of the NextGen SOC: alerts and threats from AV, IPS, WEB and FW feed log capture & analysis, together with VMS data, config data and asset data; security monitoring & analytics with full packet capture & analysis; DLP data & incidents; intel flows (community intel, custom threat intel portal, tier 2&3 intel, context and new intel) into an incident management dashboard with metrics & reporting; modules for business continuity management, threat management, risk management and incident management]
Slide 13: Benefits of "Intelligence-Driven" SOC
• Formally documented processes and procedures
• Specific roles and responsibilities
- Team structure with specialization
- Formal workflow supported by process
• Threat monitoring improved
- Formal development of monitoring use cases
- Higher-value assets monitored more closely
- Threat intelligence feeds detection processes
• Incident management system maintains records
• Metrics to show threat trends and team performance
Slide 14: Operations & Reporting: Operations Effectiveness Trending
Slide 15: Operations Effectiveness Trending
[Radar chart, scale 0 to 5, of maturity per dimension: Business Alignment, Risk Alignment, Content Intelligence, Analytic Intelligence, Threat Intelligence, Incident Response, Defense-in-depth, Key Performance Indicators. Organizations plotted: Global Telecommunications Company (>100k employees), Global Financial Services (>25k employees), Global Financial Services (>40k employees), Global Banking (>80k employees), Global Medical Device Mfr (>25k employees)]
Slide 16: Phased Maturity Requirement: Low Risk Gap, Medium Risk Gap, High Risk Gap
Slide 17: Service Delivery Framework: RSA Program for NextGen SOC
[Framework diagram with the phases Strategy, Design, Implement and Operate. Activities: Assess Current State & Gaps; Design Technical Architecture; Design & Plan Operations; Implement & Automate Operations; Upgrades & HealthChecks; Network Monitoring & Packet Capture; Host Monitoring; Threat Intelligence; Data Loss Prevention; Fraud Intelligence; Add Context (Other Asset, Risk & Security Data); Optimize Infrastructure (Incl. Cloud & Big Data); Enhance Maturity. Supporting services: Program & Project Management, Residencies, Support & Education Services; Customer Transition & Knowledge Transfer]
Slide 18: Operations Effectiveness Trending
[Heat map of capability maturity rated LOW, MEDIUM or HIGH: High Value Asset Register, Content Intelligence, Threat Intelligence, Business Continuity, Data Correlation, Infected Media Handling, "Big Data" Analysis Capabilities, RoE with Press & Media, SIEM Maturity, Triage Documentation, Backup, SOC Analyst Training, Security Policy, RoE with State and other Agencies, GRC Maturity, DLP Maturity, Quarantine Capabilities, End User Awareness Training, Analytic Intelligence]
Slide 19: Intel Driven Incident Response Workflow
[Workflow diagram with the elements Intel, Reactive and Predictive]
Slide 20: Aligned Roles & Responsibilities
Tier 1 Analysts: event intake, analysis & triage; SOPs & analysis; SLA to resolution/escalation
Tier 2 Analysts: incident intake, analysis & triage; additional free-form analysis; SLA to resolution/escalation
SOC Manager: reporting & metrics; personnel & ops management; strategy & planning
Tier 3 Analysts: advanced & malware analysis; host & network forensics; attribution, cause & origin; web & e-mail operations
Content Analysts: workflow automation; alert & rule creation; correlation & integration; report development; contextual enrichment
Threat Analyst: tracking of TTPs; open source research; subscription feeds; threat validation; impact analysis & attribution
Slide 21: Key Performance Indicators
• Establish metrics leveraging existing tools, such as:
- Breach exposure time
- Time to resolution
• Establish reporting templates, such as:
- Advisory template
- Weekly status updates template
- Cyber Threat Alert template
- Cyber Threat Spot Report template
[Example charts: "% of Incidents Closed" (0 to 100) by severity 1 to 4 against a baseline, and "Closure Time (Hours)" (0 to 15) by severity 1 to 4; captioned "Mean time to Resolution" and "Incidents Closed by Severity Example"]
Slide 22: CIRC Dashboard
Average Time to Close: Low / Medium / High
Incident Totals by Month: 3521 (Dec 2012), 2053 (Jan 2013), 1579 (Feb 2013), 2308 (Mar 2013), 2819 (Apr 2013)
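The breach exposure time and time-to-resolution metrics from slide 21, and the per-severity closure figures a dashboard like the one on slide 22 reports, computed over a constructed set of incident records. This is an added example, not code from the deck or from RSA/EMC; the incident records, their field names and the severity labels are assumptions.

```python
from datetime import datetime
from statistics import mean

# Constructed sample incident records (not taken from the deck). Each stage of the
# breach life cycle is an ISO-8601 timestamp, or None if that stage has not happened.
INCIDENTS = [
    {"id": "INC-1", "severity": "High", "compromised": "2013-03-01T02:00",
     "detected": "2013-03-04T10:00", "closed": "2013-03-05T12:00"},
    {"id": "INC-2", "severity": "Medium", "compromised": "2013-03-02T09:00",
     "detected": "2013-03-02T11:00", "closed": "2013-03-02T17:00"},
    {"id": "INC-3", "severity": "Low", "compromised": "2013-03-03T08:00",
     "detected": "2013-03-03T08:30", "closed": None},
    {"id": "INC-4", "severity": "High", "compromised": "2013-02-20T00:00",
     "detected": "2013-03-06T00:00", "closed": None},
]

def _hours(start, end):
    """Elapsed hours between two stages, or None if either has not happened yet."""
    if start is None or end is None:
        return None
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600

def breach_exposure_time(inc):
    """BET: hours the attacker had a foothold before detection (compromise to detection)."""
    return _hours(inc["compromised"], inc["detected"])

def time_to_resolution(inc):
    """Hours from detection to closure; None while the incident is still open."""
    return _hours(inc["detected"], inc["closed"])

def mean_time_to_resolution(incidents, severity=None):
    """Mean closure time over closed incidents, optionally restricted to one severity."""
    times = [time_to_resolution(i) for i in incidents
             if i["closed"] is not None and (severity is None or i["severity"] == severity)]
    return mean(times) if times else None

def closed_by_severity(incidents):
    """Percentage of incidents closed per severity, as in the 'incidents closed by severity' chart."""
    out = {}
    for sev in sorted({i["severity"] for i in incidents}):
        group = [i for i in incidents if i["severity"] == sev]
        out[sev] = round(100.0 * sum(i["closed"] is not None for i in group) / len(group), 1)
    return out

def open_incidents(incidents):
    """Incidents that never reached a closure step, the gap the 'what we see' slide lists."""
    return [i["id"] for i in incidents if i["closed"] is None]

if __name__ == "__main__":
    print({i["id"]: (breach_exposure_time(i), time_to_resolution(i)) for i in INCIDENTS})
    print(mean_time_to_resolution(INCIDENTS), closed_by_severity(INCIDENTS), open_incidents(INCIDENTS))
```

Incidents with no closure timestamp are excluded from the mean but surface in `open_incidents`, so a shrinking MTTR cannot hide a growing backlog of never-closed tickets.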
Slide 25: Intelligence Driven Security as Competitive Advantage
Demo
危機 (crisis)
[Chart: Value Reaction™ (%), scale -20 to +20, against event trading day 0 to 240, for a winner portfolio and a loser portfolio. Source: Oxford Metrica]
Slide 26: Summary
• Start with the basics (i.e., Top 10 Gaps)
• Formalize your Security Operations Program: roles & responsibilities; documented processes; etc.
• Automate where possible. Goal: a single pane of glass for analysts
• Provide analysts with both Threat Intelligence and Context
• Data analytics