
MT 117 Key Innovations in Cybersecurity


Cyber attackers are better funded, more focused, and more successful than ever. Making matters worse, defenders have more IT territory to protect, including public cloud, virtual infrastructure, mobile, Internet of Things, and an expanding list of users, applications, and data. An evolution in security strategies is underway; shifting from a preventive approach to one that is more balanced across prevention, monitoring, and response. In this session, we delve into key innovations that enable a more effective defense and how RSA’s NetWitness suite is delivering many of these innovations.


  1. Key Innovations in Cybersecurity: The Shift to Detection and Response. Session MT117. Ben Smith, CISSP, CRISC (@Ben_Smith)
  2. Dell - Internal Use - Confidential. Who here is an IT security professional?
  3. What you will NOT hear from me today…
     • “It’s not about if you get breached; it’s when you get breached.”
     • “Even large enterprises that have millions of dollars to spend on security got breached, so everyone is at risk.”
     • “The breaches we have seen so far are just the beginning – bigger breaches are coming.”
     • “Legacy security technologies are of limited value in the face of advanced persistent threats.”
     • “Security incidents can put you out of business.”
     Source: Gartner, “The Future of Security Sales Revolves Around Digital Risk” (May 2015) [G00278090]
  4. Material gaps in detecting, investigating cyber-attacks
     • 24%: organizations satisfied with their current ability to detect and investigate
     • 92%: organizations unable to detect attacks very quickly using their current data and toolsets
     • 89%: organizations unable to investigate attacks very quickly using their current data and toolsets
     Source: RSA, “Threat Detection Effectiveness Survey” (2016), https://www.rsa.com/en-us/perspectives/resources/threat-detection-effectiveness
  5. Material gaps in detecting, investigating cyber-attacks
     • < 5%: organizations who know their split of investment between prevention and detection/response
     • < 20%: cybersecurity budget allocation for rapid detection and response approaches [2015]
     • 60%: cybersecurity budget allocation for rapid detection and response approaches [2020 prediction]
     Source: Gartner, “Shift Cybersecurity Investment to Detection and Response” (Tirosh & Proctor, 2016) [G00292536]
  6. Agenda
     • On the Offense: Cybercrime = a modern business model!
     • On the Defense: Legacy tools and approaches
     • The mandatory shift from prevention ► detection & response
     • Innovation in cybersecurity: technology, processes, procedures
     • “Business-Driven Security” and the RSA NetWitness Suite
  7. The Scrap Value of a Hacked PC. Source: Brian Krebs, “The Scrap Value of a Hacked PC, Revisited” (2012), http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/
  8. Attack sophistication vs. intruder technical knowledge. Source: CERT Software Engineering Institute (SEI) at Carnegie Mellon University (2011) [via INSA report: http://www.oss-institute.org/storage/documents/Resources/studies/insa_cyber_intelligence_2011.pdf]
  9. Attack Surface
     • Individual computers (corporate, personal)
     • Mobile devices
     • Internet of Things (IoT)
     • Virtualization
     • Cloud computing
  10. Cybercrime market: not easy to size, but BIG!
     “The black market can be more profitable than the illegal drug trade: Links to end-users are more direct, and because worldwide distribution is accomplished electronically, the requirements are negligible. This is because a majority of players, goods, and services are online-based and can be accessed, harnessed, or controlled remotely, instantaneously. ‘Shipping’ digital goods may only require an email or download, or a username and password to a locked site. This enables greater profitability.”
     “The Internet of Things is a growing reality, introducing new efficiencies as well as new vulnerabilities and interconnected consequences. Recent technological advances have been beneficial in many respects, but have also opened the door to a growing wave of cyberattacks – including economic espionage, cybercrime, and even state-sponsored exploits – that are increasingly perpetrated against businesses.”
     In a six month study, RSA uncovered more than 500 fraud-dedicated social media groups around the world with an estimated total of more than 220,000 members. More than 60 percent, or approximately 133,000 members, were found on Facebook alone. The types of information openly shared in social media include live compromised financial information such as credit card numbers with PII and authorization codes, cybercrime tutorials, malware and hacking tools, and cash out and muling services.
     Sources: RAND, “Markets for Cybercrime Tools and Stolen Information: Hackers’ Bazaar” (2014), http://www.rand.org/pubs/research_reports/RR610.html; World Economic Forum, “The Global Risks Report” (2016), https://www.weforum.org/reports/the-global-risks-report-2016/; RSA, “Current State of Cybercrime” (2016), https://www.rsa.com/en-us/perspectives/resources/2016-current-state-of-cybercrime
  11. The industrialization of cybercrime: specialization, division of labor
  12. Cybercrime…is a business! Source: Sophos, “TeslaCrypt ransomware attacks gamers – ‘all your files are belong to us!’”, https://nakedsecurity.sophos.com/2015/03/16/teslacrypt-ransomware-attacks-gamers-all-your-files-are-belong-to-us/
  13. Different levels of participants in the underground market. Source: RAND, “Markets for Cybercrime Tools and Stolen Information: Hackers’ Bazaar” (2014), http://www.rand.org/pubs/research_reports/RR610.html
  14. Everything you might need is available “on the market”
     • Web infrastructure & core applications
     • Multi-lingual call centers ready to impersonate / support
     • Application development tools & technical services
     • Rentable cybercrime infrastructure (including ready-to-use botnets)
     • Anonymized payment systems (BTC)
     • Research & development (zero-day research)
  15. Organizations face difficult security challenges
     • GROWING SHORTAGE OF SKILLED SECURITY STAFF: A real scarcity of skilled security analysts forces enterprises to get creative to combat threats and protect the enterprise.
     • A GREATLY EXPANDING ATTACK SURFACE: More endpoints in the enterprise, in the field, and in the cloud means more potential entry points for attacks.
     • MORE SOPHISTICATED ATTACK CAMPAIGNS: The days of simple malware or APTs are gone. Today’s attacks are targeted, lengthy, and multifaceted.
  16. So they take preventive steps to protect themselves (diagram: Confidential Data, Endpoints, NGFW, IDS / IPS, SIEM, NGFW). 80% of security staff, budget, and activity is generally dedicated to preventive action.
  17. But breaches still occur…what’s happening? (diagram: Confidential Data, Endpoints, NGFW, IDS / IPS, SIEM, NGFW)
     • NGAV misses UNKNOWN, NEW threat
     • NGFW has no rule for / against threat traffic
     • IPS has no signature for the threat packets
     • SIEM captures logs, but will it trigger an alert?
     • NGFW has no rule for / against threat traffic
     How big is the compromise? How long has it been there? Just how bad is this? What did the attacker do? Missing the little things rapidly adds up to one bigger problem.
  18. SECURITY DETAIL: account lockouts, failed user access attempts, web shell deletions, buffer overflows, SQL injections, cross-site scripting, denial-of-service, IDS/IPS events, incident-level fixes.
     BUSINESS RISK: How bad is it? Who was it? How did they get in? What information was taken? What are the legal implications? Is it under control? What are the damages? What do we tell people?
  19. Why does the gap exist?
     • Lack of context & ability to prioritize
     • Alert fatigue
     • Multiple disconnected point solutions
     Diagram: SECURITY EXCLUSION (FW, A/V, IDS / IPS, SIEM, NGFW, SANDBOX, GW), SECURITY INCLUSION (2FA, ACCESS MGMT, PROV, SSO, PAM, FEDERATION), BUSINESS / IT RISK MANAGEMENT (GRC, SPREADSHEETS, VULN MGMT, CMDB)
  20. Moving from purely prevention ► monitoring & response
  21. A more balanced approach is needed! (charts: today’s investment mix vs. ideal mix across Prevention, Monitoring, and Response)
  22. Organizing the innovations: Preventive, Detective, Investigative, Response
  23. Multi-factor authentication & biometrics hits mainstream. Innovation: Preventive
  24. The coming maturation of the cyberinsurance industry. Innovation: Preventive
     • ~$3.25B annual premiums – dominated by AIG, ACE, Chubb, Zurich, and Beazley Group
     Sources: CIAB, “Cyber Insurance Market Watch Survey” (2016), https://www.ciab.com/uploadedFiles/Resources/Cyber_Survey/2ndCyberMarketWatch_ExecutiveSummary_FINAL.pdf; Insurance Journal, “Where Cyber Insurance Underwriting Stands Today” (2015), http://www.insurancejournal.com/news/national/2015/06/12/371591.htm. Figure: NIST’s Cybersecurity Framework (CSF)
  25. Increase visibility and situational awareness by leveraging more data – not just logs. Innovation: Detective
     • Primary sources: logs, full network traffic, endpoint/host
     • Secondary sources & context: events, IDS, asset information, threat intelligence
  26. Behavioral analytics (UBA / UEBA) versus static rules. Innovation: Detective
     LEADING INDICATORS OF A PLANNED C2 (COMMAND AND CONTROL) EXPLOIT: beaconing behavior, rare domains, rare user agents, missing referrers, domain age (Whois)
     • Real-time Analytics
       – Data Science algorithms
       – Scores on multiple C2 behavior indicators
       – Uses streaming HTTP activity
     • Low False Positives
       – Learns from ongoing and historical activity
       – Supervised whitelisting option
  27. Humans are great anomaly detectors…people catch people! Innovation: Detective
  28. Increasing visibility via public cloud security APIs. Innovation: Detective / Investigative
     • AWS CloudTrail
     • Microsoft Azure Management API
  29. Speed & scope of sharing of community-oriented threat intelligence. Innovation: Detective / Investigative
     • Information Sharing and Analysis Center (ISAC) model
  30. Security monitoring teams; virtual MSSP SOCs. Innovation: Response
     Roles: SOC Manager, Tier 1 Analyst, Tier 2 Analyst, Security Architect, Threat Intelligence Analyst
  31. RSA is very active innovating across all of these areas (Preventive, Detective, Investigative, Response)
     • Authentication capabilities incorporating software tokens & biometrics (more secure and more convenient)
     • Collaborating with cyber-insurance underwriters to mitigate risk
     • Behavior-based analytics for smarter detection
     • Tooling for human hunters
     • Creating & consuming community threat intelligence
     • Providing a set of products & services to build SOCs
     • Security monitoring technology = comprehensive visibility
       – Logs/event, network traffic, endpoint, threat intelligence, public cloud APIs…
  32. Under attack: your data, your endpoints, your network
  33. RSA NetWitness Suite [ packets + logs + endpoint ]
     • NetWitness Server: master console
     • NetWitness Endpoint: agent console
     • NetWitness Logs: ingestion & indexing
     • NetWitness Packets: ingestion & indexing
     • RSA Live: threat intelligence
     • NetWitness SecOps Manager: response workflow, orchestration
  34. Business-Driven Security (diagram: CONTEXTUAL INTELLIGENCE; SECURITY EXCLUSION; SECURITY INCLUSION; ANALYTICS; ORCHESTRATION & RESPONSE; POWER & SPEED OF INSIGHT; RIGHT PICTURE; RIGHT ACTIONS; BUSINESS CONTEXT; RSA SECURID SUITE; RSA CYBER ANALYTICS PLATFORM; RSA NETWITNESS SUITE; RSA ARCHER SUITE; RSA FRAUD & RISK INTELLIGENCE SUITE)
  35. PORTFOLIO
     • NETWITNESS SUITE: Respond in minutes, not months
     • SECURID SUITE: Reimagine your identity strategy
     • ARCHER SUITE: Take command of risk
     • RISK & CYBERSECURITY PRACTICE: Take command of your evolving security posture
     • FRAUD & RISK INTELLIGENCE SUITE: Expose cybercriminals, protect customers
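The multi-indicator C2 scoring that slide 26 outlines (beaconing, rare domains, rare user agents, missing referrers, domain age), as an added example that is not part of the deck or of RSA's products: a small Python scorer run over constructed HTTP proxy records that combines those indicators into one score per host/domain pair. The weights, thresholds and sample records are illustrative assumptions, not tuned values.

```python
import statistics
from collections import defaultdict

# Constructed sample records: (time_s, host, domain, user_agent, referrer, domain_age_days)
RECORDS = [
    # ws-07 polls a 4-day-old domain nobody else visits every ~60 s, odd UA, never a referrer
    (0, "ws-07", "upd-cache.example", "svc-agent/1.0", "", 4),
    (61, "ws-07", "upd-cache.example", "svc-agent/1.0", "", 4),
    (120, "ws-07", "upd-cache.example", "svc-agent/1.0", "", 4),
    (181, "ws-07", "upd-cache.example", "svc-agent/1.0", "", 4),
    # ordinary browsing from several hosts to a long-established site
    (5, "ws-01", "news.example", "Mozilla/5.0 (Win)", "", 3650),
    (300, "ws-01", "news.example", "Mozilla/5.0 (Win)", "https://news.example/", 3650),
    (9, "ws-02", "news.example", "Mozilla/5.0 (Win)", "https://search.example/", 3650),
    (700, "ws-03", "news.example", "Mozilla/5.0 (Win)", "https://news.example/", 3650),
]

# Indicator weights and thresholds are illustrative assumptions, not tuned values.
WEIGHTS = {"beaconing": 3, "rare_domain": 2, "rare_user_agent": 2,
           "missing_referrer": 1, "young_domain": 2}
MIN_BEACONS, MAX_JITTER, RARE_HOSTS, YOUNG_DAYS = 4, 0.1, 1, 30

def is_beaconing(times):
    """True when at least MIN_BEACONS requests arrive at near-constant intervals."""
    if len(times) < MIN_BEACONS:
        return False
    ts = sorted(times)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    return mean > 0 and statistics.pstdev(gaps) / mean <= MAX_JITTER

def score_c2(records):
    """Return {(host, domain): (score, indicators_hit)} for every host/domain pair seen."""
    hosts_per_domain, hosts_per_ua, pairs = defaultdict(set), defaultdict(set), defaultdict(list)
    for t, host, dom, ua, ref, age in records:
        hosts_per_domain[dom].add(host)
        hosts_per_ua[ua].add(host)
        pairs[(host, dom)].append((t, ua, ref, age))
    scored = {}
    for (host, dom), reqs in pairs.items():
        checks = [
            ("beaconing", is_beaconing([r[0] for r in reqs])),
            ("rare_domain", len(hosts_per_domain[dom]) <= RARE_HOSTS),   # only this host uses it
            ("rare_user_agent", any(len(hosts_per_ua[r[1]]) <= RARE_HOSTS for r in reqs)),
            ("missing_referrer", all(r[2] == "" for r in reqs)),        # never arrived via a link
            ("young_domain", reqs[0][3] < YOUNG_DAYS),
        ]
        hits = [name for name, hit in checks if hit]
        scored[(host, dom)] = (sum(WEIGHTS[h] for h in hits), hits)
    return scored
```

Pairs scoring above an alert threshold (say 5) are the ones worth an analyst's time; a single weak indicator such as one missing referrer stays below it, which is the point of scoring several indicators together rather than writing a static rule per indicator.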
