Arrow ECS RSA-Präsentation 12. Mai 2016

RSA ASOC (Advanced

Security Operations Center)

Neue Strategien zum Schutz sensibler

Informationen und zur besseren

Erkennung von Sicherheitsvorfällen

2

Foto: Volker Strecke 8. November 2013

Ganzheitliche Sicherheit

3

Cyber Bedrohungen

Photos: Volker Strecke

Staatlich und wirtschaftlich motivierte Attacken

(kritische Infrastrukturen, Verteidigungsbereiche,

Finanz Institutionen, Industrie, …)

• Designer Malware gezielt auf End User (Spear

Phishing Attacken)

• Verdeckte Netzwerk Angriffe, Beaconing und

verschleierter Netzwerk Datenverkehr

• Langsame und schrittweise Daten Exfiltration

• Veränderte Verschlüsselungsmethoden

Organisierte kriminelle Gruppen

• Einbringen von bösartigen Code in Verkaufssysteme,

Überweisungsprozesse und Geldautomaten

• Infiltration von Datentransfer Systemen in kritischen

Infrastrukturen

• Datendiebstahl auf Applikations-, Datenbank-, und

Middleware-Ebenen inkl. “persönlicher

Informationen” und anderen “Schlüssel-”

Eigenschaften

4

Kritische Infrastrukturen

Photos: Volker Strecke

5

Kritische Infrastrukturen

Quellen:

http://www.kritis.bund.de/

http://www.upkritis.de/

https://www.bsi.bund.de/DE/Themen/Industrie_KRITIS/Strategie/KRITIS/kritischeinfrastrukturen_node.html

https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2015/Lage_der_IT-Sicherheit_in_Deutschland_2015_19112015.html

http://www.bmi.bund.de/DE/Themen/IT-Netzpolitik/IT-Cybersicherheit/it-cybersicherheit_node.html

6

BSI IT Lagebericht 2015

Quelle:

https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2015/Lage_der_IT-Sicherheit_in_Deutschland_2015_19112015.html

Der Lagebericht verdeutlicht, dass die Anzahl der Schwachstellen und Verwundbarkeiten in IT-Systemen weiterhin auf

einem hohen Niveau liegt und sich die asymmetrische Bedrohungslage im Cyber-Raum weiter zuspitzt.

….

Die aktuelle IT-Sicherheitslage ist beeinflusst durch die ungebrochen hohe Innovationsgeschwindigkeit und Komplexität

der Informationstechnik sowie den Wettbewerbsdruck auf dem globalen IT-Markt.

7

The Complexity continues to expand

Mobile

Employees BYOD

On Premise

Cloud

Third

Parties Customers

Partners

Shadow IT

7

8

Komplexe Asymmetrie

9

Komplexe Asymmetrie

Threats

Fraud &

Cybercrime

Identity & Access

Management Issues

Compliance Issues

Photo: Volker Strecke

10

The threat landscape continues to evolve

Targets Threat Actors

Nation

States

Hacktivists Criminals Financial

Information

Intellectual

Property

Personally

Identifiable

Information

HACKS

ATTACKS

ATTACK

CAMPAIGNS

11

Attack Timeline

React faster 2 Reduce Dwell Time

1

TIME

Attack Identified Response

System Intrusion

Attack Begins

Cover-Up Complete

Cover-Up Discovery Leap Frog Attacks

1 TARGETED SPECIFIC OBJECTIVE

STEALTHY LOW AND SLOW 2 3 INTERACTIVE

HUMAN INVOLVEMENT

Dwell Time Response Time

12 VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT

Attacker

Capabilities

Defender

Capabilities

The defender-detection deficit

Increasing gap between attacker and defender capabilities

13 VERIZON 2015 DATA BREACH INVESTIGATIONS REPORT

Attacker

Capabilities

Defender

Capabilities

The defender-detection deficit

Increasing gap between attacker and defender capabilities

14 VERIZON 2016 DATA BREACH INVESTIGATIONS REPORT

Attacker

Capabilities

Defender

Capabilities

The defender-detection deficit

Increasing gap between attacker and defender capabilities

15

55%

15

Breach Readiness

do not have a formal incident

response plan in place

do not have an active

vulnerability management

program in place

lack capability to gather data

from across their environment

and provide centralized

alerting of suspicious activity

40% 30%

https://www.rsa.com/en-us/perspectives/industry/cyber-security-poverty-index

Cybersecurity Poverty Index

16 16

Organizations’ overall assessment of their risk / security capabilities:

Cybersecurity Poverty Index

Current security approaches are failing

Significant Cybersecurity

Risk Exposure

75% Advantaged

Capabilities

5% Mature Security

Strategies

20%

16 https://www.rsa.com/en-us/perspectives/industry/cyber-security-poverty-index

17 17

The security paradigm must change

PREVENTION

DETECTION &

RESPONSE

18 18

The capabilities that matter most now

Visibility

& Analytics

establish foundation /

make responders

faster & smarter

Identity

Assurance

& Governance

address the

most consequential

attack vector

Risk

Intelligence

prioritize

effectively

19

At first, there were HACKS Preventative controls filter known attack paths

Evolution of Threat Actors &

Detection Implications

Malicious

Traffic

Firewall

Threat Actors

IDS/IPS

AntiVirus

Corporate Assets

Whitespace Successful

HACKS

20

At first, there were HACKS Preventative controls filter known attack paths

Then, ATTACKS Despite increased investment in controls, including

SIEM

Evolution of Threat Actors &

Detection Implications

Malicious

Traffic

Firewall

Threat Actors

IDS/IPS

AntiVirus

More Logs

Corporate Assets

S

I

E

M

Blocked

Session

Blocked

Session

Blocked

Session

Alert

Whitespace Successful

ATTACKS

21

Now, successful ATTACK CAMPAIGNS

target any and all whitespace.

Complete visibility into every process and network

sessions is required to eradicate the attacker

opportunity.

Unified platform for advanced threat

detection & investigations,

Evolution of Threat Actors &

Detection Implications

Malicious

Traffic

Firewall

Threat Actors

IDS/IPS

AntiVirus

Logs

Endpoint VIsibility

Corporate Assets

Blocked

Session

Blocked

Session

Blocked

Session

Alert

Process

Network VIsibility Network

Sessions

Security

Analy

tics

22

Info

rma

tio

ns-S

ich

erh

eit -

Au

fga

be

n

Advanced Security

Operations Advanced Security

Operations

Aufspüren und Abwehren

von Cyber-Angriffen

Identity & Data

Protection Identity Trust

Management

Verwalten von Zugangs-

Berechtigungen und

Idenditäten

Fraud & Risk

Intelligence Fraud & Risk

Intelligence

Bekämpfen von

Online Fraud und

Cybercrime

Governance, Risk,

& Compliance Governance, Risk,

& Compliance (GRC)

Verstehen und Managen

von Unternehmens-

Risiken

23

Info

rma

tio

ns-S

ich

erh

eit -

Lö

su

ng

en

Advanced Security

Operations Advanced Security

Operations

• Security Analytics

• ECAT

• VRM

• SecOps

Identity & Data

Protection Identity Trust

Management

• SecurID • Adaptive Authentication

• Via

Fraud & Risk

Intelligence Fraud & Risk

Intelligence

• Web Threat Detection • Cyber Crime Intelligence

• Anti Fraud Services

Governance, Risk,

& Compliance Governance, Risk,

& Compliance (GRC)

• Archer

24

RSA in action

Cloud

Security Analytics

Governance, Risk, & Compliance

Identity

logs, packets, netflow,

endpoint, identity,

threat, vulernability

Data Enterprise

25

RSA’s product and service portfolio

Logs, packets, netflow,

Endpoint, id, vulns,

Threat (ext & int)

Data

Security Analytics

Governance, Risk, & Compliance

Identity & Access

SECURITY OPERATIONS Security Analytics

ECAT

Security Operations & Breach Management

Advanced Cyber Defense / Incident Response Services

GOVERNANCE, RISK & COMPLIANCE Archer GRC

IDENTITY Via Access – Via Lifecycle & Governance

SecurID

Cloud Enterprise

26

Incident

Management

Threat

Intelligence

Management

Breach

Management

SOC

Program

Management

IT Security

Risk

Management

Do

ma

in

Se

cu

rity

Op

era

tio

ns

Ma

na

ge

me

nt

People

Process

Technology Orchestration

RSA Archer Security Operations Management Applying Intelligence-Driven Security Critical Incident Response

27

SANS, Building a World-Class Security Operations

Center, Alissa Torres, May 2015

Network

Flows

Network

Traffic

System

Logs

Endpoint

Data Threat

Intel

Feeds

Security

Events

Identity/

Asset

Context

Visibility

By centralizing these various source of

Data into a security monitoring system,

The SOC gains actionable insight into

Possible anomalies indicative of threat

Activity.

Definitions of IOC (Indicators of Compromise)

Analysis

Security operations analysts can analyze

data from various sources and further

interrogate and triage devices of

interest to scope an incident.

Action

Based on finding, automated and manual

interventions can be made to include patching,

firewall modification, system quarantine or

reimage, and credential revocation.

Data Aggregation

for Improved

Incident Handling

SECURITY

MONITORING & ANALYTICS

SYSTEM

Network Traffic + Logs + Endpoint + … transforms Visibility

28

RSA SECURITY ANALYTICS + ECAT

Visibility

Analysis

Action

Be the hunter,

not the hunted

29

RSA Security Analytics Architecture - Log-Centric Action Analysis Visibility

Security Operations

LIVE GRC

Security

Operations

Threat Intelligence | Rules | Parsers | Feeds | Reports | RSA Research RSA LIVE

INTELLIGENCE

NetFlow

Packets

Logs

LIVE

LIVE

Capture Time

Data

Enrichment

(Metadata)

30

RSA Security Analytics Architecture - Information-Centric Action Analysis Visibility

Security Operations

LIVE GRC

Security

Operations

Threat Intelligence | Rules | Parsers | Feeds | Reports | RSA Research RSA LIVE

INTELLIGENCE

Capture Time

Data

Enrichment

(Metadata)

NetFlow

Packets

Logs

Endpoint

LIVE

LIVE

31

RSA Security Analytics Architecture - Information-Centric Action Analysis Visibility

Security Operations

LIVE GRC

Security

Operations

Threat Intelligence | Rules | Parsers | Feeds | Reports | RSA Research RSA LIVE

INTELLIGENCE

NetFlow

Packets

Logs

Endpoint

LIVE

LIVE

3rd Party SIEM

Capture Time

Data

Enrichment

(Metadata)

32

RSA ECAT

• Signature-less endpoint threat detection

• Deep endpoint visibility & real-time alerting

• Confirm infections quickly & respond with precision

Enterprise Compromise Assessment Tool

Scan

Monitor & Alert

Analyze

Respond

Visibility

Analysis

Action

33

HOW RSA ECAT WORKS

Agent • Endpoints, Servers, VMs

• Windows & Mac OS

• Monitors for suspicious activity

• Scans for full system inventory

• Identify all executables, DLL’s,

drivers, etc.

• Low system impact (2MB on

disk, 10-20MB in memory)

Server

• Analyzes scan data &

flags anomalies

• Maintain repository for

global correlation

• Automatically download

unknown files for

additional analysis

ECAT Server

34

User clicks on malicious

email attachment .exe drops on

machine, exploits a

vulnerability

Malware opens a

browser process &

connects to C2 for

instructions

Attacker navigates to

sensitive data Attacker uses FTP to

exfiltrate data

RSA ECAT Behavior Tracking

• Monitor operations performed & look for suspicious activity

• Identify any new, unknown file that loads

• Behavior tracking both on and off corporate network

• Low system impact (10-20MB)

Monitor Endpoint Behaviour

35

RSA ECAT SCAN TECHNIQUES

Live Memory

Analysis

Disk Inspection Network Traffic Analysis

• Detect & analyze suspicious traffic

• Full system inventory

• Executables, DLLs, Drivers, etc.

• Find files on disk & inspect

• Validate integrity of system & files

• Identify hidden processes,

modifications & tampering

• Alert on suspicious activity in real-time

• Syslog sent to RSA Security Analytics

or other SIEM

• Early warning of potentially malicious

activity

• Triage and prioritize investigations

quickly

Compare & Flag Anomalies

36

PIVOT BETWEEN ENDPOINT & NETWORK VIEWS

Syslog alert of suspicious activity

& critical endpoint data

RSA Security Analytics

RSA ECAT

Right click

to pivot

between

SA/ECAT

37 37

Intelligence-Driven Identity & Access Management - Sichtbarkeit

38 38

Intelligence-Driven Identity & Access Management - Compliance

39 39

Eine sichere Identität

ist der Schlüssel zu

einem erfolgreichen

Security-Programm !

Intelligence-Driven Identity & Access Management - Sicherheit

40

Processes

Tools

People

Business Ziele: - Managing Threats

- Managing Fraud

- Managing Risks

- Proving Compliance

Security Funktionen: - Governance

- Visibility and Analytics

- Controls

Intelligence-Driven Security Management

Photo: Volker Strecke

41

RSA ECAT EVALUATION

https://emcinformation.com/267502/REG/.ashx

42

Advanced Security Operations at Work

EMC CRITICAL INCIDENT RESPONSE CENTER

EMC Critical Incident Response Center, Bedford, MA

• Surveillance of worldwide approx. 500

Subsidiaries, 1400 Security Devices

and 250.000 Endpoints

• 5 Data Centers, 500 Applications, 97%

virtualized, 7PB of Storage

• RSA Products in use:

• Archer eGRC Platform

• Security Analytics

• Enterprise Compromise

Assessment Tool (ECAT)

• enVision SIEM

• Data Loss Prevention, …

• Advanced Analytics build on EMC

Pivotal SA

Business Context Visibility Integrated Approach Process Automation

43

Achieving Security and Privacy

1.Organization permits the personal use of communication systems

•Personally identifiable information should be removed or masked before security

analysis.

2. Organization does not permit the personal use of communications systems.

•Legitimate use of personal data to secure network and preserve intellectual

property.

3. Only data traffic to internal network segments within an organization is

monitored.

•Applications can limit exposure of personal information

Source:

http://germany.emc.com/about/news/press/2013/20131014-01.htm

http://www.kpmg.de/bescheinigungen/RequestReportLaw.aspx?37823

44

Cyber Security Trends 2016 and beyond

Source: Script Volker Strecke RSA Conference 2016 San Francisco February 29 - March 4

Identity as Key Security Aspect (due to a rising theft of non-resetable data (identities, personal data, sensible

data)

Machine Learning Systems (Artificial Intelligence) (Behavior-based recognition,optimization and decision

making)

Security Orchestration and Threat Intelligence Sharing (Secure Information Exchange and

Collaboration)

Advanced Endpoint Security (Advanced Malware Prevention, Advanced Detection and Response)

Ubiquitous Cloud Data Encryption (Secure Point-to-Point data transactions)

Increasing concern about Cybersecurity/Information Security team’s ability to detect and

respond to Incidents (increasing number of complex attack events on information theft and data manipulation)

Attackers vs. Defenders - Security Gaps (due to increasing complexity of systems, processes and skills

gap)

Increasing Maturity around IoT and ICS Security - how to defend devices, architectures,

frameworks (mobile devices, sensors, medical devices, cars, cameras, monitors, …)

45

Aktivitäten: ….

Ganzheitliche Sicherheit

Foto: Volker Strecke 8. November 2013

46

WISSEN - ENTSCHEIDEN - TUN

• Identifizierung, Klassifizierung Ihrer sensiblen Daten

• Userzugriffsregeln

• Export / Import

• Schwachstellen

• Analysen, Reports

Risikobetrachtungen

Sensibilisierung, Kommunikation

Handlungspläne

Schutz - Erkennen von Bedrohungen - Analysieren - Beheben

Aktivitäten: ….

Gehen Sie skalierbar vor !

Beginnen Sie z.B. mit RSA ECAT oder SecurID !

47

RSA Communities:

https://community.emc.com/community/by-category/security

48

RSA / Arrow ECS - Beitrag zum Security-Insider Kompendium:

zum Thema Endpoint Security

mit RSA ECAT :

http://www.security-insider.de/it-sicherheit-fuer-den-mittelstand-v-34422-13274/

Rückfragen: rsa@arrowecs.de

RSA / ArrowECS / Partner - Kooperation

Wissen - Entscheiden - Tun

49

RSA / Arrow ECS - Webcasts und Workshops:

Informationen und Registrierung:

http://www.arrowecs.de/events.html

RSA Eval / NFR: auf Anfrage

RSA Produkt Infos:

http://www.arrowecs.de/rsa.html

https://www.rsa.com/de-de/products-services

Rückfragen: rsa@arrowecs.de

http://education.arrowecs.de/portfolio/rsa_security.cfm

RSA / Arrow ECS - Trainings:

RSA / ArrowECS / Partner - Kooperation

Wissen - Entscheiden - Tun

EMC, RSA, the EMC logo and the RSA logo are trademarks of EMC Corporation in the U.S. and other countries.

Volker Strecke

Tel. +49 89 93099 140

volker.strecke@arrow.com EMC, RSA, the EMC logo and the RSA logo are trademarks of EMC Corporation in the U.S. and other countries.

Viel Erfolg !

Photo: Volker Strecke