MCAFEE CONFIDENTIAL
The Evolve Your Security Operations
Toshi Iijima, Regional SIEM Specialist, McAfee
The Objective: Security Operations at 30,000 Feet... Simple, Right?
Organizations do this:
▪ Collect and parse relevant security data
▪ Discover evidence of missed attacks and determine what to pursue
▪ Investigate to disposition and coordinate response
...with the goal of reducing this:
▪ Time to Identify, Time to Investigate, Time to Contain
▪ Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR)
...to avoid this:
▪ Industry Average: 3-15 Months Dwell Time
The Reality: Most Organizations Are Spending Too Much and Getting Too Little
Source: 2017 Cost of Cyber Crime Study.
▪ Average annualized cost of cybersecurity (USD): $11.7M
▪ Percentage increase in cost of cybersecurity in a year: 22.7%
▪ Average number of security breaches each year: 130
▪ Percentage increase in average annual number of security breaches: 27.4%
The Problem: Why Is Reducing Mean Time To Respond So Difficult?
▪ High Cost for More Data: $$$$ to ingest more data & scale (77% add 1TB+ / mo.)
▪ Closed Architecture: not designed to ingest at scale, poor APIs (63% of SOCs spend 10hrs/mo. customizing)
▪ Poor Detection Efficacy: false positives, missed attacks, triage efficiency (100k+ alerts / week)
▪ Inefficient Manual Investigation: scarce expertise, time to investigate, inconsistent outcomes (66% need better training for hunting)
The Technology: Not just the SIEM anymore; complementary innovation & new capabilities
Last ~10-15 years: SIEM
▪ Data Ingestion
▪ Parsing / Normalization
▪ Data Mgmt
▪ Streaming Analytics
▪ Batch / Historical Analytics
▪ Log Mgmt, Compliance, & Forensics
▪ Security Monitoring
▪ Incident Response
▪ Incident Investigation
Present and Future: SIEM plus
▪ User & Entity Behavioral Analytics
▪ Network Analytics
▪ Deception
▪ Threat Intelligence Platform
▪ Endpoint Detection & Response
▪ Automation & Orchestration
▪ Big Data & Open Source
▪ ...
The Vision: Modular, Open, Integrated, Content-driven Sec Ops Architecture
Data Platform & Optimized Sources ("Senses and Memory"):
▪ Data Ingestion
▪ Parsing / Normalization
▪ Data Mgmt
▪ Log Mgmt, Compliance, & Forensics
▪ Other sources (Network, Deception)
▪ Threat Intel Platforms
Advanced Analytics ("Signal from Noise"):
▪ Streaming Analytics
▪ Batch / Historical Analytics
▪ Detection & Prioritization
Analyst Operations ("Insights & Actions"):
▪ Security Monitoring
▪ Incident Response
▪ Incident Investigation
▪ Investigation & Response
▪ Malware Analysis
▪ Case Management
Data Platform: Traditional Legacy SIEM Architecture. All data flows through the SIEM. Costly. Slow. Inefficient.
Data Source, Data Source, Data Source, Data Source, ... → Receiver, Receiver → SIEM (Big Database: Performance Bottleneck!!) → UI, API?, Analytics, Apps
Data Platform: ESM 11 = No Compromises. High Performance. Low Cost. Data flows to the apps that need it. Each app is fit for purpose and can scale independently.
Kafka Databus feeding fit-for-purpose stores:
▪ Correlation (ESM Cluster of ESM and EDB nodes): rule-based correlation. Real-time. Fast. Efficient. In memory (no data store).
▪ Events Log Retention & Compliance: compressed, signed, long-term retention for compliance. EDB data store.
▪ Analytics: periodic batch analytics, machine learning. Easy. Effective. Hadoop / EDB data store.
▪ Log Search & Threat Hunting: uncompressed, short-term storage, optimized for search and hunting. Elastic Search.
Advanced Analytics: MBA: Rapidly Turn Data into Insights
Range of analytic capabilities to fit diverse needs
Real-time analytics
▪ Onboard fast with preconfigured security use cases
▪ Continuous critical event and state change endpoint monitoring
Go deep with Big Data and Behavioral Analytics
▪ Empower the team with high quality leads and fewer false positives
▪ Unsupervised machine learning automatically creates a baseline of normal behavior without human intervention and detects near-invisible insider threats
▪ Broad data coverage covers the entire attack lifecycle and exposes threats other analytics offerings cannot see
▪ Risk scoring allows for proactive security response
Advanced Analytics: Aggregating Behaviors for Entity Risk
Activity attributes: User/Machine, Asset, Method. Behavioral Risk Score per User and per Machine.

$$R_{\text{entity}} = \text{importance}(t) \times \text{vulnerability}(t)$$

$$R_{\text{behavior}} = P(\text{event} \mid y) \times w_y \times \frac{w_u \sum_{u \in U} 2^{-i} R_u[i] + w_f \sum_{f \in F} 2^{-j} R_f[j] + w_m \sum_{m \in M} 2^{-k} R_m[k]}{w_u + w_f + w_m}$$

Example behaviors and their risk scores:
• Joshua Newman works at an unusual hour: 15
• ... and accesses repositories that he and his peers do not usually access: 65
• ... and takes from a folder on a repository an unusual number of times: 80
• ... and moves a significantly higher volume of data than normal: 96
• ... VPNs in from China: 46
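The aggregation formula above, worked through in code. This is an added example written for this page, not McAfee Behavioral Analytics code, and it makes two labelled assumptions the slide does not spell out: the index i/j/k is the rank of a behavior's anomaly score within its context (user, file, machine) after sorting descending, so the strongest signal dominates and each further signal contributes half as much; and P(event | y) and w_y are supplied per event type y. The assignment of the five example behaviors to contexts is likewise constructed.

```python
"""Behavioral risk aggregation (added example; assumptions labelled inline)."""
from typing import Iterable, List, Tuple


def decayed_sum(scores: Iterable[float]) -> float:
    """Sum over i of 2^-i * R[i], with R sorted descending.

    Assumption: i is the rank of the behavior within its context, so the
    total is bounded by twice the single strongest score.
    """
    ordered = sorted(scores, reverse=True)
    return sum(r / (2 ** i) for i, r in enumerate(ordered))


def contributions(scores: Iterable[float]) -> List[Tuple[int, float, float]]:
    """(rank, raw score, weighted contribution) per behavior.

    Useful when explaining to an analyst why an entity scored as it did.
    """
    ordered = sorted(scores, reverse=True)
    return [(i, r, r / (2 ** i)) for i, r in enumerate(ordered)]


def behavior_risk(p_event_given_y: float, w_y: float,
                  user_scores: Iterable[float], file_scores: Iterable[float],
                  machine_scores: Iterable[float],
                  w_u: float = 1.0, w_f: float = 1.0, w_m: float = 1.0) -> float:
    """R_behavior = P(event|y) * w_y * (w_u*S_u + w_f*S_f + w_m*S_m) / (w_u + w_f + w_m)."""
    if w_u + w_f + w_m <= 0:
        raise ValueError("context weights must sum to a positive value")
    weighted = (w_u * decayed_sum(user_scores)
                + w_f * decayed_sum(file_scores)
                + w_m * decayed_sum(machine_scores))
    return p_event_given_y * w_y * weighted / (w_u + w_f + w_m)


def entity_risk(importance: float, vulnerability: float) -> float:
    """R_entity = importance(t) * vulnerability(t) at one point in time."""
    return importance * vulnerability


# Constructed sample: the slide's five behaviors, assigned to contexts
# (an assumption; the slide does not say which context each belongs to).
SAMPLE_USER = [15, 46]        # unusual hour; VPN in from China
SAMPLE_FILE = [65, 80, 96]    # unusual repositories; unusual folder takes; high data volume
SAMPLE_MACHINE: List[float] = []   # no machine-context anomalies in this sample


def sample_behavior_risk() -> float:
    """Aggregate the sample with P(event|y) = 1, w_y = 1 and equal context weights."""
    return behavior_risk(1.0, 1.0, SAMPLE_USER, SAMPLE_FILE, SAMPLE_MACHINE)


if __name__ == "__main__":
    for rank, raw, part in contributions(SAMPLE_FILE):
        print(f"file context rank {rank}: score {raw} contributes {part}")
    print(f"aggregated behavior risk: {sample_behavior_risk():.2f}")
```

With equal weights the sample aggregates to 205.75 / 3, about 68.6: the 96-point data-volume behavior dominates the file context, and the two user-context behaviors add 53.5 before averaging across the three contexts.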
Analyst Operations: McAfee Investigator: Quickly Investigate and Act. Reduce incident response time.
Human-Machine Teaming:
▪ Artifacts selectively collected at machine speed
▪ Key findings summarized
▪ Expert-guided triage process
Multiple Indicators on Confirming Conviction: Automation, Bridging Analysts to Insights and Decisions
Components: ESM, MBA, Investigator, ePO, Analyst
1. MBA generates risk scores
2. ESM correlation detects { multiple threat indicators }
3. Trigger to Investigator initiates case generation
4. Investigator selectively gathers additional evidence; ePO dispatches real-time search
5. Case is ready for review by analyst: Decision, Respond
Video Demo
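The five-step flow above, as an added example written for this page rather than McAfee product code: a risk score above a threshold counts as one indicator, an ESM-style correlation rule convicts an entity when enough distinct indicators land inside a time window, the resulting case lists the evidence an Investigator-style step would collect (the endpoint search ePO would dispatch), and the case is marked ready for analyst review. The events, thresholds, window and indicator-to-evidence mapping are all constructed assumptions.

```python
"""Multi-indicator conviction to case generation (added example; constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

RISK_THRESHOLD = 70              # assumed: risk score that counts as an indicator
MIN_INDICATORS = 3               # assumed: distinct indicators needed to convict
WINDOW = timedelta(minutes=15)   # assumed correlation window

# Assumed mapping from indicator type to the artifacts to gather from the endpoint.
EVIDENCE_FOR: Dict[str, List[str]] = {
    "high_risk_score": ["recent logons", "recent file access"],
    "auth_failure_burst": ["authentication log slice"],
    "new_outbound_destination": ["active network connections", "process tree"],
    "suspicious_process": ["process tree", "loaded modules"],
}

# Constructed sample events (not real telemetry). "MBA" events carry a risk score.
EVENTS = [
    {"ts": "2018-03-01T09:00:00", "entity": "wkst-042", "source": "MBA", "indicator": "high_risk_score", "value": 96},
    {"ts": "2018-03-01T09:04:00", "entity": "wkst-042", "source": "ESM", "indicator": "auth_failure_burst"},
    {"ts": "2018-03-01T09:07:00", "entity": "wkst-042", "source": "ESM", "indicator": "new_outbound_destination"},
    {"ts": "2018-03-01T09:08:00", "entity": "wkst-042", "source": "ESM", "indicator": "auth_failure_burst"},
    {"ts": "2018-03-01T09:30:00", "entity": "srv-07", "source": "MBA", "indicator": "high_risk_score", "value": 40},
    {"ts": "2018-03-01T09:31:00", "entity": "srv-07", "source": "ESM", "indicator": "suspicious_process"},
]


def qualifies(ev: dict) -> bool:
    """Step 1: a risk score is an indicator only above the threshold; ESM indicators always count."""
    if ev["source"] == "MBA":
        return ev.get("value", 0) >= RISK_THRESHOLD
    return True


def open_case(entity: str, opened_at: datetime, indicators: Set[str]) -> dict:
    """Steps 3-5: create the case, list the evidence to collect, mark it for review."""
    evidence = sorted({artifact for ind in indicators for artifact in EVIDENCE_FOR.get(ind, [])})
    return {
        "entity": entity,
        "opened_at": opened_at.isoformat(),
        "indicators": sorted(indicators),
        "evidence_requests": evidence,      # what the endpoint search is asked to return
        "status": "ready_for_review",
    }


def correlate(events: List[dict]) -> List[dict]:
    """Step 2: per entity, convict when MIN_INDICATORS distinct indicators fall within WINDOW."""
    by_entity = defaultdict(list)
    for ev in events:
        if qualifies(ev):
            by_entity[ev["entity"]].append((datetime.fromisoformat(ev["ts"]), ev["indicator"]))
    cases = []
    for entity, items in by_entity.items():
        items.sort()
        for idx, (ts, _) in enumerate(items):
            in_window = {ind for t, ind in items[: idx + 1] if ts - t <= WINDOW}
            if len(in_window) >= MIN_INDICATORS:
                cases.append(open_case(entity, ts, in_window))
                break   # one case per entity in this example; later events would enrich it
    return cases


if __name__ == "__main__":
    for case in correlate(EVENTS):
        print(case)
```

On the constructed sample only wkst-042 is convicted, at 09:07 when the third distinct indicator arrives; srv-07's risk score of 40 falls below the threshold, leaving a single indicator and no case. Requiring distinct indicator types rather than a raw event count keeps a repeated authentication-failure alert from opening a case on its own.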
Call to Action: How Can We Help?
Connect with your local sales teams!!
▪ McAfee Security Operations Workshop
▪ Tech-checks for existing SIEM customers
▪ Technical product deep dives: Investigator, McAfee Behavioral Analytics
Follow McAfee on....
The McAfee Reality: Open, Integrated Security Operations. Collaboration across Security Operations enables faster response times and operational efficiencies.
Data Platform (Collect, Enrich, and Share Data at any Scale):
▪ SIEM: Broad data collection
▪ SIEM: Long-term compliance, archive & forensics
▪ SIEM: Short-term search & hunting
Advanced Analytics (Turn Data into Insight):
▪ Advanced Analytics: Risk scoring, anomaly detection
▪ SIEM: Real-time correlation & detection
▪ Sandboxing: Malware analysis
▪ EDR: Endpoint telemetry, process trace
Investigate and Act (Expert-guided investigation for confident action):
▪ SIEM: View all alerts, coordinate action
▪ Investigator: Automated analysis, guided investigation
▪ EDR: Response
Collaboration with 3rd party solutions: SIA Partner and Open Solutions