Arrow ECS RSA presentation, 12 May 2016
RSA ASOC (Advanced Security Operations Center)
New strategies for protecting sensitive information and for better detection of security incidents
Holistic security
Photo: Volker Strecke, 8 November 2013
Cyber threats
Photos: Volker Strecke
State-sponsored and economically motivated attacks (critical infrastructures, defence sectors, financial institutions, industry, …)
• Designer malware targeted at end users (spear phishing attacks)
• Covert network attacks, beaconing and obfuscated network traffic
• Slow, step-by-step data exfiltration
• Modified encryption methods
Organised criminal groups
• Injecting malicious code into point-of-sale systems, payment transfer processes and ATMs
• Infiltrating data transfer systems in critical infrastructures
• Data theft at the application, database and middleware layers, including “personal information” and other “key” attributes
Critical infrastructures
Photos: Volker Strecke
Critical infrastructures
Sources:
http://www.kritis.bund.de/
http://www.upkritis.de/
https://www.bsi.bund.de/DE/Themen/Industrie_KRITIS/Strategie/KRITIS/kritischeinfrastrukturen_node.html
https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2015/Lage_der_IT-Sicherheit_in_Deutschland_2015_19112015.html
http://www.bmi.bund.de/DE/Themen/IT-Netzpolitik/IT-Cybersicherheit/it-cybersicherheit_node.html
BSI IT-Lagebericht 2015 (BSI report on the state of IT security in Germany, 2015)
Source:
https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2015/Lage_der_IT-Sicherheit_in_Deutschland_2015_19112015.html
The report makes clear that the number of weaknesses and vulnerabilities in IT systems remains at a high level and that the asymmetric threat situation in cyberspace continues to intensify.
…
The current IT security situation is shaped by the unbroken pace of innovation and the complexity of information technology, as well as by competitive pressure on the global IT market.
The complexity continues to expand
Mobile, Employees, BYOD, On Premise, Cloud, Third Parties, Customers, Partners, Shadow IT
Complex asymmetry
Threats: Fraud & Cybercrime, Identity & Access Management Issues, Compliance Issues
Photo: Volker Strecke
The threat landscape continues to evolve
Targets: Financial Information, Intellectual Property, Personally Identifiable Information
Threat Actors: Nation States, Hacktivists, Criminals
Evolution: HACKS → ATTACKS → ATTACK CAMPAIGNS
Attack Timeline
Sequence over TIME: Attack Begins → System Intrusion → Cover-Up Complete → Discovery (Attack Identified) → Response; Leap Frog Attacks along the way
Timeline segments: Dwell Time, followed by Response Time
Attack characteristics: 1 TARGETED (specific objective); 2 STEALTHY (low and slow); 3 INTERACTIVE (human involvement)
Goals: 1 Reduce Dwell Time; 2 React faster
VERIZON 2014, 2015 AND 2016 DATA BREACH INVESTIGATIONS REPORTS (one slide per edition, same chart)
The defender-detection deficit: an increasing gap between Attacker Capabilities and Defender Capabilities
Breach Readiness
55% do not have a formal incident response plan in place
40% do not have an active vulnerability management program in place
30% lack the capability to gather data from across their environment and provide centralized alerting of suspicious activity
Source: https://www.rsa.com/en-us/perspectives/industry/cyber-security-poverty-index
Cybersecurity Poverty Index
Organizations’ overall assessment of their risk / security capabilities: current security approaches are failing
75% Significant Cybersecurity Risk Exposure
20% Mature Security Strategies
5% Advantaged Capabilities
Source: https://www.rsa.com/en-us/perspectives/industry/cyber-security-poverty-index
The security paradigm must change: from PREVENTION to DETECTION & RESPONSE
The capabilities that matter most now
• Visibility & Analytics: establish the foundation / make responders faster & smarter
• Identity Assurance & Governance: address the most consequential attack vector
• Risk Intelligence: prioritize effectively
Evolution of Threat Actors & Detection Implications (1)
At first, there were HACKS: preventative controls filter known attack paths.
Diagram: Threat Actors send Malicious Traffic through Firewall, IDS/IPS and AntiVirus toward Corporate Assets; whatever passes through the whitespace between those controls becomes successful HACKS.
Evolution of Threat Actors & Detection Implications (2)
Then, ATTACKS: despite increased investment in controls, including SIEM.
Diagram: Firewall, IDS/IPS and AntiVirus each report a Blocked Session; More Logs feed the SIEM, which raises an Alert; traffic through the remaining whitespace becomes successful ATTACKS.
Evolution of Threat Actors & Detection Implications (3)
Now, successful ATTACK CAMPAIGNS target any and all whitespace. Complete visibility into every process and network session is required to eradicate the attacker opportunity: a unified platform for advanced threat detection & investigations.
Diagram: in addition to Firewall, IDS/IPS, AntiVirus and Logs, Endpoint Visibility (every Process) and Network Visibility (every Network Session) feed Security Analytics alongside the Blocked Sessions and the Alert.
Information security - tasks
• Advanced Security Operations: detecting and defending against cyber attacks
• Identity & Data Protection / Identity Trust Management: managing access rights and identities
• Fraud & Risk Intelligence: fighting online fraud and cybercrime
• Governance, Risk & Compliance (GRC): understanding and managing enterprise risks
Information security - solutions
• Advanced Security Operations: Security Analytics, ECAT, VRM, SecOps
• Identity & Data Protection / Identity Trust Management: SecurID, Adaptive Authentication, Via
• Fraud & Risk Intelligence: Web Threat Detection, Cyber Crime Intelligence, Anti Fraud Services
• Governance, Risk & Compliance (GRC): Archer
RSA in action
Data from Cloud and Enterprise (logs, packets, netflow, endpoint, identity, threat, vulnerability) feeds Security Analytics, Governance, Risk & Compliance and Identity.
RSA’s product and service portfolio
Data (Cloud and Enterprise): logs, packets, netflow, endpoint, id, vulns, threat (ext & int) → Security Analytics, Governance, Risk & Compliance, Identity & Access
• SECURITY OPERATIONS: Security Analytics, ECAT, Security Operations & Breach Management, Advanced Cyber Defense / Incident Response Services
• GOVERNANCE, RISK & COMPLIANCE: Archer GRC
• IDENTITY: Via Access, Via Lifecycle & Governance, SecurID
RSA Archer Security Operations Management: Applying Intelligence-Driven Security, Critical Incident Response
Domain Security Operations Management: Incident Management, Threat Intelligence Management, Breach Management, SOC Program Management, IT Security Risk Management
People, Process, Technology: Orchestration
SANS, Building a World-Class Security Operations Center, Alissa Torres, May 2015
Data Aggregation for Improved Incident Handling
Sources: Network Flows, Network Traffic, System Logs, Endpoint Data, Threat Intel Feeds, Security Events, Identity/Asset Context → SECURITY MONITORING & ANALYTICS SYSTEM
Visibility: by centralizing these various sources of data into a security monitoring system, the SOC gains actionable insight into possible anomalies indicative of threat activity. Definitions of IOC (Indicators of Compromise).
Analysis: security operations analysts can analyze data from various sources and further interrogate and triage devices of interest to scope an incident.
Action: based on findings, automated and manual interventions can be made, including patching, firewall modification, system quarantine or reimage, and credential revocation.
Network Traffic + Logs + Endpoint + … transforms Visibility
RSA SECURITY ANALYTICS + ECAT: Visibility, Analysis, Action
Be the hunter, not the hunted
RSA Security Analytics Architecture - Log-Centric (Visibility → Analysis → Action)
RSA LIVE INTELLIGENCE: Threat Intelligence | Rules | Parsers | Feeds | Reports | RSA Research
Inputs: NetFlow, Packets, Logs → Capture Time Data Enrichment (Metadata) → Security Operations and GRC, with LIVE content applied at capture and at analysis
RSA Security Analytics Architecture - Information-Centric: as above, with Endpoint added as a further input
RSA Security Analytics Architecture - Information-Centric with 3rd Party SIEM: as above, with a 3rd Party SIEM also connected
RSA ECAT (Enterprise Compromise Assessment Tool)
• Signature-less endpoint threat detection
• Deep endpoint visibility & real-time alerting
• Confirm infections quickly & respond with precision
Workflow: Scan → Monitor & Alert → Analyze → Respond (Visibility, Analysis, Action)
HOW RSA ECAT WORKS
Agent
• Endpoints, servers, VMs
• Windows & Mac OS
• Monitors for suspicious activity
• Scans for a full system inventory
• Identifies all executables, DLLs, drivers, etc.
• Low system impact (2 MB on disk, 10-20 MB in memory)
ECAT Server
• Analyzes scan data & flags anomalies
• Maintains a repository for global correlation
• Automatically downloads unknown files for additional analysis
Monitor Endpoint Behaviour: RSA ECAT Behavior Tracking
Example attack chain: user clicks on a malicious email attachment → .exe drops on the machine and exploits a vulnerability → malware opens a browser process & connects to C2 for instructions → attacker navigates to sensitive data → attacker uses FTP to exfiltrate data
• Monitor operations performed & look for suspicious activity
• Identify any new, unknown file that loads
• Behavior tracking both on and off the corporate network
• Low system impact (10-20 MB)
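As an added illustration of the behaviour tracking described on this slide (example code written for this page, not ECAT's own logic or output format), the following replays constructed endpoint events for the attack chain above and flags each step: an unknown file launched from a mail client, a browser spawned by that unknown process, its outbound connections, and a later FTP connection from the same host. Event tuples, hashes, host names and the syslog line format are all constructed assumptions.

```python
from collections import defaultdict

# Constructed endpoint telemetry following the attack chain on the slide above
# (not ECAT output): (host, event, process, parent, detail).
EVENTS = [
    ("ws-17", "proc_start",  "invoice.exe",  "outlook.exe",  "sha256=deadbeef01"),
    ("ws-17", "proc_start",  "iexplore.exe", "invoice.exe",  "sha256=1111111111"),
    ("ws-17", "net_connect", "iexplore.exe", "invoice.exe",  "203.0.113.9:443"),
    ("ws-17", "net_connect", "iexplore.exe", "invoice.exe",  "203.0.113.9:443"),
    ("ws-17", "net_connect", "ftp.exe",      "cmd.exe",      "203.0.113.9:21"),
    ("ws-02", "proc_start",  "iexplore.exe", "explorer.exe", "sha256=1111111111"),
    ("ws-02", "net_connect", "iexplore.exe", "explorer.exe", "198.51.100.7:443"),
]

# Constructed known-good inventory: hashes already scanned and validated fleet-wide.
KNOWN_GOOD = {"sha256=1111111111"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe"}


def analyze(events):
    """Replay events per host and record each step of the suspicious chain.

    Returns {host: [finding, ...]} containing only hosts where something was flagged."""
    findings = defaultdict(list)
    unknown = defaultdict(set)  # host -> processes whose hash is not in KNOWN_GOOD

    def flag(host, text):
        if text not in findings[host]:  # repeated beacons are reported once
            findings[host].append(text)

    for host, kind, proc, parent, detail in events:
        if kind == "proc_start":
            if detail not in KNOWN_GOOD:
                unknown[host].add(proc)  # "any new, unknown file that loads"
                if parent in MAIL_CLIENTS:
                    flag(host, f"unknown file {proc} launched by {parent}")
            if proc in BROWSERS and parent in unknown[host]:
                flag(host, f"browser {proc} spawned by unknown process {parent}")
        elif kind == "net_connect":
            if proc in BROWSERS and parent in unknown[host]:
                flag(host, f"possible C2: {proc} (child of {parent}) -> {detail}")
            if detail.endswith(":21") and findings[host]:
                flag(host, f"FTP after suspicious chain: {proc} -> {detail}")
    return dict(findings)


def to_syslog(host, host_findings):
    """Constructed syslog-style line (facility local0, severity warning) for a SIEM."""
    return (f"<132>endpoint-monitor host={host} n={len(host_findings)} "
            + "; ".join(host_findings))
```

Host ws-02 runs the same browser from the desktop and produces no finding, which is the point of tying the alert to the process lineage rather than to the browser alone.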
RSA ECAT SCAN TECHNIQUES: Live Memory Analysis, Disk Inspection, Network Traffic Analysis
• Detect & analyze suspicious traffic
• Full system inventory: executables, DLLs, drivers, etc.
• Find files on disk & inspect
• Validate integrity of system & files
• Identify hidden processes, modifications & tampering
Compare & Flag Anomalies
• Alert on suspicious activity in real time
• Syslog sent to RSA Security Analytics or other SIEM
• Early warning of potentially malicious activity
• Triage and prioritize investigations quickly
PIVOT BETWEEN ENDPOINT & NETWORK VIEWS
RSA ECAT sends a syslog alert of suspicious activity & critical endpoint data to RSA Security Analytics; right click to pivot between SA and ECAT.
Intelligence-Driven Identity & Access Management - Visibility
Intelligence-Driven Identity & Access Management - Compliance
Intelligence-Driven Identity & Access Management - Security
A secure identity is the key to a successful security program!
Intelligence-Driven Security Management
Processes, Tools, People
Business goals: Managing Threats, Managing Fraud, Managing Risks, Proving Compliance
Security functions: Governance, Visibility and Analytics, Controls
Photo: Volker Strecke
RSA ECAT EVALUATION: https://emcinformation.com/267502/REG/.ashx
Advanced Security Operations at Work: EMC CRITICAL INCIDENT RESPONSE CENTER
EMC Critical Incident Response Center, Bedford, MA
• Monitoring of approx. 500 subsidiaries worldwide, 1,400 security devices and 250,000 endpoints
• 5 data centers, 500 applications, 97% virtualized, 7 PB of storage
• RSA products in use: Archer eGRC Platform; Security Analytics; Enterprise Compromise Assessment Tool (ECAT); enVision SIEM; Data Loss Prevention, …
• Advanced analytics built on EMC Pivotal SA
Business Context, Visibility, Integrated Approach, Process Automation
Achieving Security and Privacy
1. Organization permits the personal use of communication systems
• Personally identifiable information should be removed or masked before security analysis.
2. Organization does not permit the personal use of communications systems.
• Legitimate use of personal data to secure the network and preserve intellectual property.
3. Only data traffic to internal network segments within an organization is monitored.
• Applications can limit exposure of personal information.
Source:
http://germany.emc.com/about/news/press/2013/20131014-01.htm
http://www.kpmg.de/bescheinigungen/RequestReportLaw.aspx?37823
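One way to implement case 1 above, masking personally identifiable information before it reaches security analysis while keeping events correlatable (added example for this page, not code from RSA or EMC): identities are replaced by keyed HMAC pseudonyms, so the same user always gets the same token but the token cannot be reversed without the key. The log records, field names and the assumption that the key is held outside the analytics platform are constructed for the example.

```python
import hashlib
import hmac
import re
from collections import Counter

# Constructed authentication log records (not from any real system); the "user"
# field and the free-text "msg" field may carry personally identifiable information.
RECORDS = [
    {"ts": "2016-05-12T09:01:00Z", "user": "alice@example.com", "src": "10.0.0.5",
     "msg": "login ok"},
    {"ts": "2016-05-12T09:02:10Z", "user": "Alice@Example.com", "src": "10.0.0.5",
     "msg": "vpn session started"},
    {"ts": "2016-05-12T09:03:30Z", "user": "bob@example.com", "src": "10.0.0.9",
     "msg": "password reset requested by alice@example.com"},
]
PII_FIELDS = ("user",)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def pseudonym(value, key):
    """Keyed one-way pseudonym (HMAC-SHA256, truncated): the same identity always
    maps to the same token, so analysts can still correlate events, but the mapping
    cannot be reversed without the key, which is assumed to stay outside the
    analytics platform (e.g. with the privacy officer)."""
    digest = hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()
    return "u_" + digest[:16]


def mask_record(rec, key):
    """Return a copy of rec with PII fields pseudonymised and e-mail addresses
    embedded in other string fields replaced by the same pseudonyms."""
    out = dict(rec)
    for field in PII_FIELDS:
        if field in out:
            out[field] = pseudonym(out[field], key)
    for field, value in out.items():
        if field not in PII_FIELDS and isinstance(value, str):
            out[field] = EMAIL_RE.sub(lambda m: pseudonym(m.group(0), key), value)
    return out


def events_per_user(records, key):
    """Analysis on masked data only: how many events each pseudonymous user produced."""
    return Counter(mask_record(r, key)["user"] for r in records)
```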
Cyber Security Trends 2016 and beyond
Source: script by Volker Strecke, RSA Conference 2016, San Francisco, February 29 - March 4
• Identity as a key security aspect (due to rising theft of non-resettable data: identities, personal data, sensitive data)
• Machine learning systems (artificial intelligence): behavior-based recognition, optimization and decision making
• Security orchestration and threat intelligence sharing (secure information exchange and collaboration)
• Advanced endpoint security (advanced malware prevention, advanced detection and response)
• Ubiquitous cloud data encryption (secure point-to-point data transactions)
• Increasing concern about cybersecurity/information security teams’ ability to detect and respond to incidents (increasing number of complex attack events aimed at information theft and data manipulation)
• Attackers vs. defenders - security gaps (due to the increasing complexity of systems and processes, and the skills gap)
• Increasing maturity around IoT and ICS security - how to defend devices, architectures, frameworks (mobile devices, sensors, medical devices, cars, cameras, monitors, …)
Activities: …
Holistic security
Photo: Volker Strecke, 8 November 2013
KNOW - DECIDE - ACT
• Identification and classification of your sensitive data
• User access rules
• Export / import
• Vulnerabilities
• Analyses, reports
Risk assessments
Awareness, communication
Action plans
Protect - detect threats - analyse - remediate
Activities: …
Proceed in a scalable way!
Start, for example, with RSA ECAT or SecurID!
RSA Communities:
https://community.emc.com/community/by-category/security
RSA / Arrow ECS - contribution to the Security-Insider compendium on the topic of endpoint security with RSA ECAT:
http://www.security-insider.de/it-sicherheit-fuer-den-mittelstand-v-34422-13274/
Questions: [email protected]
RSA / ArrowECS / partner cooperation: Know - Decide - Act
RSA / Arrow ECS - webcasts and workshops, information and registration:
http://www.arrowecs.de/events.html
RSA Eval / NFR: on request
RSA product information:
http://www.arrowecs.de/rsa.html
https://www.rsa.com/de-de/products-services
RSA / Arrow ECS - trainings:
http://education.arrowecs.de/portfolio/rsa_security.cfm
Questions: [email protected]
Volker Strecke
Tel. +49 89 93099 140
[email protected]
EMC, RSA, the EMC logo and the RSA logo are trademarks of EMC Corporation in the U.S. and other countries.
Good luck!
Photo: Volker Strecke