Threat Detection and Incident Response: What's New for 2014
DESCRIPTION
As any security practitioner can tell you, things change quickly in the world of IT security, particularly with respect to new and evolving threats. As a result, organizations need to continuously adapt their security strategies to defend against new threats and take advantage of the latest capabilities for responding quickly when there is a breach. In this session, Mike Rothman, President of the security analyst firm Securosis, and Jaime Blasco, Director of AlienVault Labs, give an overview of key changes in the information security world in 2013 and considerations for adapting your 2014 strategy to stay ahead of threats. Mike and Jaime cover:
* New attack methods and vulnerabilities exploited in 2013
* New options for defending against these and other threats, including use of crowd-sourced threat intelligence
* Best practices to ensure you can respond and recover quickly in the event of a breach
You'll come away with key insights to ensure your 2014 security strategy is up to date.
TRANSCRIPT
THREAT DETECTION AND INCIDENT RESPONSE: WHAT'S NEW FOR 2014?
INTRODUCTIONS
Mike Rothman, President, Securosis, @securityincite
Jaime Blasco, Director, AlienVault Labs, @jaimeblascob
Meet today’s speakers
AGENDA
• New attack methods and vulnerabilities exploited in 2013
• How to respond and recover quickly from a breach
• Security technologies to consider going into 2014
• Q&A
About Securosis
• Independent analysts with backgrounds on both the user and vendor side.
• Focused on deep technical and industry expertise.
• We like pragmatic.
• We are security guys - that's all we do.
The Pendulum Swings Back to Security
Advanced Malware is Advanced
• Attacks > Defenses
• Advanced Attackers > You
• Attack surface is (pretty much) infinite.
• This isn’t going to change…
Denial of Service hits the mainstream
• 300+ Gbps network attacks
• Availability attacks on the applications
• Favorite tactic of hacktivists
The Cloud - Not If, But WHEN
Technology Problems are easy…
Biggest emerging problem is the security skills gap
“Best Practices” Moving Forward
• Depends on the maturity of your security program…
• Determine:
  • Where you are
  • Where you want to be
• Do you understand what that really means?
• But the first job is to…
React Faster and Better
• You can’t stop all the attacks, so you had better detect them faster.
• And respond better.
• This involves monitoring, forensics, and incident response.
• Most enterprises don’t do this very well.
Less Mature Programs: Blocking and Tackling
• Malware/Attack Detection
• Evolving Network Security
• Endpoint/Server Hygiene
• Logging and Simple Alerting
More Mature Programs: Deeper Detection
• Network-based Malware Detection
• Incident Response Focus/Forensics
• Threat Intelligence
Shopping List 2014
Network Security
• Network-based Malware Detection
• Next Generation Firewall
• Perimeter Re-architecture
• Perimeter Security Gateway
Endpoint Security
• Advanced Malware Protection
• Application HIPS
• Isolation (browser & kernel)
• White Listing
• Endpoint Activity Monitoring
• Whither traditional AV?
Security Monitoring/Management
• Continued investment in monitoring technologies
• Aggregation of information across the entire technology stack
• Alerting, Visualization, Reporting
• Threat Intelligence Driven
ALIENVAULT OPEN THREAT EXCHANGE (OTX) COLLABORATIVE THREAT INTELLIGENCE
OTX IN ACTION
Continuous updates
Updates provided every 30 minutes
200,000-350,000 validated malicious IPs at any point
Active and open threat sharing
Since March 2012, OSSIM & USM users have flagged 196 million events as malicious
Average of ~11 million a month (365,000 a day)
Effective against targeted attacks
20% of ‘live’ APT1 domains were in OTX at time of Mandiant report
218 domains were ‘live’ at time of report (the rest were added later the same day), 44 IPs found in OTX
ALIENVAULT UNIFIED SECURITY MANAGEMENT (USM) WITH THREAT INTELLIGENCE POWERED BY OTX
ALIENVAULT IN ACTION
Step 1: Immediately identify known malicious IPs targeting your network.
Step 2: Dig deeper by clicking on bad IP to continue investigation.
DIG DEEPER ON BAD IP ADDRESSES
SHARE AND REVIEW COMMENTS ON ACTIVE THREATS
ALIENVAULT IN ACTION
Step 3: Follow step-by-step guidance in responding to the threat.
ALIENVAULT IN ACTION
Optional: Provide contextual feedback to OTX so others can avoid becoming targets of the same threat.
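The three-step flow above (spot a known-bad IP in your own events, dig deeper, respond) and the "Logging and Simple Alerting" item from the less-mature-program list both rest on one mechanism: matching the source and destination addresses in log events against an indicator feed. The script below is an added example written for this page, not AlienVault, OTX or Securosis code, and it does not use OTX's feed format. The indicator list and the firewall log lines are constructed for illustration, using RFC 5737 documentation address ranges so nothing real is implicated; the CIDR handling and the inbound/outbound split are the parts worth copying.

```python
"""Added example: match firewall log events against a threat-intel IP feed.

The feed and the log lines are constructed for illustration (RFC 5737
documentation addresses); they are not OTX data and not from the webcast.
"""
import ipaddress
import re
from collections import Counter

# Constructed indicator feed (hypothetical): indicator -> description.
# Real feeds also carry confidence, first/last-seen and source, which you
# would keep for the "dig deeper" step.
THREAT_FEED = {
    "203.0.113.10": "C2 beacon (constructed)",
    "198.51.100.0/24": "scanning range (constructed)",
}

# Constructed syslog-style firewall lines, including one that does not parse.
SAMPLE_LOGS = """\
Dec  3 10:01:02 fw1 kernel: ACCEPT IN=eth0 SRC=192.0.2.44 DST=10.0.0.5 PROTO=TCP DPT=443
Dec  3 10:01:05 fw1 kernel: ACCEPT IN=eth0 SRC=203.0.113.10 DST=10.0.0.5 PROTO=TCP DPT=443
Dec  3 10:01:09 fw1 kernel: DROP IN=eth0 SRC=198.51.100.77 DST=10.0.0.9 PROTO=TCP DPT=22
Dec  3 10:01:11 fw1 kernel: ACCEPT OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 PROTO=TCP DPT=8443
garbage line that does not parse
"""

LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+)")


def compile_feed(feed):
    """Turn raw indicators into (ip_network, description) pairs.

    Single IPs become /32 networks so one membership test covers both
    host and range indicators. Malformed indicators are skipped rather
    than taking the whole pipeline down.
    """
    compiled = []
    for indicator, desc in feed.items():
        try:
            compiled.append((ipaddress.ip_network(indicator, strict=False), desc))
        except ValueError:
            continue
    return compiled


def lookup(ip_str, compiled):
    """Return the description of the first indicator containing ip_str, else None."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    for net, desc in compiled:
        if ip in net:
            return desc
    return None


def match_logs(log_text, feed):
    """Return (line_no, direction, ip, description) for every log line whose
    SRC or DST is in the feed.

    'inbound' means a listed address is talking to you (Step 1 on the slide:
    a known-bad IP targeting your network); 'outbound' means one of your hosts
    is talking to a listed address, which is the stronger sign of compromise
    and the one to escalate first.
    """
    compiled = compile_feed(feed)
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.search(line)
        if not m:
            continue  # unparseable line: count these separately in production
        for direction, field in (("inbound", "src"), ("outbound", "dst")):
            desc = lookup(m.group(field), compiled)
            if desc:
                hits.append((n, direction, m.group(field), desc))
    return hits


def summarize(hits):
    """Hit count per indicator, the number an analyst triages on first."""
    return Counter(ip for _, _, ip, _ in hits)


if __name__ == "__main__":
    found = match_logs(SAMPLE_LOGS, THREAT_FEED)
    for line_no, direction, ip, desc in found:
        print(f"line {line_no}: {direction:8} {ip:16} {desc}")
    print(dict(summarize(found)))
```

Two design points: the feed is compiled to `ip_network` objects once, so a range indicator like a /24 costs nothing extra per event, and the same address is checked as both source and destination because the direction changes the response (an inbound scan from a listed range is noise to block; an outbound connection to a listed C2 address is an incident).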
UNIFIED MONITORING, PRESCRIPTIVE GUIDANCE, AND PREVENTATIVE RESPONSE
AlienVault USM delivers unified and coordinated security monitoring for incident response and compliance management.
AlienVault Labs provides coordinated intelligence and analysis of the latest threats, and prescriptive guidance on how to respond.
AlienVault Open Threat Exchange offers real-time insights on incidents affecting others that may impact you, so you can deploy a preventative response.
Critical Success Factor 2014: Invest in Your People
• You can’t find them, so you need to grow them
• Training, Internships
NOW FOR SOME Q&A
More from AlienVault…
Join OTX: http://www.alienvault.com/open-threat-exchange
AlienVault Labs blog: http://www.alienvault.com/open-threat-exchange/blog
Download a Free 30-Day Trial of USM: http://www.alienvault.com/free-trial
Join us for a LIVE Demo of USM: http://www.alienvault.com/marketing/alienvault-usm-live-demo
More from Securosis…
Follow Mike on Twitter: @securityincite
Securosis blog: http://securosis.com/blog
Securosis research: http://securosis.com/research
Securosis publishes (almost) everything for free. Contribute. Make it better.