Achieving High-Fidelity
Security
Combining Network and Endpoint Monitoring
with RSA Security Analytics and RSA ECAT
An ENTERPRISE MANAGEMENT ASSOCIATES® (EMA™) White Paper
Prepared for RSA
February 2016
©2016 Enterprise Management Associates, Inc. All Rights Reserved. | www.enterprisemanagement.com
Achieving High-Fidelity Security: Combining Network and
Endpoint Monitoring with RSA Security Analytics and RSA ECAT

Table of Contents
Executive Summary
    Achieving High-Fidelity Security
Visibility Provided by Endpoint Monitoring
    Visibility Gaps in Endpoint Monitoring
Visibility Provided by Network Data
    Visibility Gaps in Network Data
Issues with Current Programs
    Overconfidence
    High-Fidelity Challenges
Combining Network and Endpoint Data Creates High-Fidelity Security
    The Right Data for the Right Job
Obtaining High-Fidelity Security with RSA Security Analytics and RSA ECAT
    RSA Security Analytics
    RSA ECAT
Customer Perspective
EMA Perspective
About RSA
Executive Summary
Achieving High-Fidelity Security
The term “hi-fi” (high fidelity) was popularized by the audio industry in the 1950s to describe
equipment that gave the listener a richer, “just like being there” experience. In the security context,
“high fidelity” means giving the security analyst a richer, better-contextualized picture in order to
deliver better security outcomes.
High-fidelity security systems provide more comprehensive and timelier information from multiple
internal and external sources, in the right volume and of the right types, so that decisions are made
with the best available context and priority and so that detection and incident response activity is
driven by that context.
This paper discusses the benefits of using both network and endpoint data with a strong analysis toolset
to create high-fidelity security.
Visibility Provided by Endpoint Monitoring
Quite simply, the endpoint is where the attacker’s actions ultimately take place. Each device on an
organization’s network that stores or processes information, especially a device people work on directly,
is a potential point for a threat to enter and exploit the enterprise. In today’s environments,
endpoints are no longer just desktop or laptop computers. The definition of an endpoint has expanded
to include everything from servers to smartphones and tablets to special function and embedded
Internet of Things (IoT) devices.
However, IT professionals have been somewhat slow to acknowledge these newer endpoints. While over
90% of IT professionals use smartphones themselves, only 64% of respondents identified smartphones
as endpoints in EMA’s 2016 “Achieving High-Fidelity Security” research. Servers scored even lower,
with only 57% considering those as endpoints. While the shift to a more mobile workforce has been
taking place, the shift in understanding of what a potentially vulnerable endpoint is has lagged behind.
To make matters worse, the threats targeting these endpoints are many and varied and go well beyond
malware: misuse of user credentials, rogue services, unapproved applications used to share company
data, apps that leak confidential data, and many others. Whatever the mode, the detailed record of
an attack’s execution that exists on the endpoint (processes, files, registry and memory changes) is
far richer than anything that can be gained from the network level alone or from activity logs. Since
every threat at some point in its lifecycle operates directly on an endpoint, monitoring systems should
have a strong capability for monitoring endpoints directly.
Visibility Gaps in Endpoint Monitoring
Security data from the endpoint is extremely important when it comes to an overall security monitoring
program. But it only goes so far. Endpoint data by definition covers the last mile of an attack, but on
its own does not provide a 360-degree view of the security posture of an organization.
Endpoint data is also compartmentalized: the endpoint monitoring system only knows about activity on
the endpoints where its agent runs. Attacks that hit unmonitored endpoints, or devices that cannot run
an agent at all (many embedded and IoT devices), will not be picked up unless additional security
monitoring is in place. This brings us to the importance of network-level visibility.
Visibility Provided by Network Data
The two most popular network security monitoring data sources used by organizations today are
network flows and deep packet inspection (DPI). Network flows are used by 42% of respondents and
DPI by 36%. (The survey grouped DPI with “full packet capture”; strictly, capture stores the packets
and DPI inspects their payloads, but in practice the two are deployed together.) When trying to get a
full picture of security threats, DPI provides a far more complete view than network flows, but flows
also have their place.
Flow-record tools (NetFlow, J-Flow, sFlow, etc.) summarize each conversation as endpoints, ports,
protocol, timing, and byte counts. That is enough to spot odd protocols, unusual peers, and abnormal
traffic volumes at an overview level, but a flow record carries no payload, so it cannot say what data
or files were passed. DPI-based monitoring can. A best practice is to use DPI at Internet egress points
and on very sensitive network segments, and to use flow data to cover the remaining internal segments,
in particular to watch for attackers’ lateral movement.
Organizations need visibility to prevent and detect breaches. Most attacks traverse the perimeter of
the network, meaning network-based tools have the opportunity to identify an attack at an early stage
and to alert on and address it before a significant incursion occurs. Maximally effective network tools
can identify many types of activity, from reconnaissance and initial malware payload drops to the
use of malformed protocols, protocol tunneling, abnormal encrypted traffic, and unusual/abnormal
communication between hosts. Any of these can be indicative of not only compromise but also lateral
movement, data collection, and data exfiltration.
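A worked illustration of what flow records can and cannot answer, added here as an example and not taken from the paper or from any RSA product. It runs three checks over constructed NetFlow-style records (the record shape, the internal address ranges, the administrative-port watch list and the thresholds are all assumptions of this example): fan-out from one internal host to many peers on administrative ports, admin-port connections that were never answered, and bulk egress to external addresses. Nothing in it can say which file crossed the wire, because the flow record does not contain it.

```python
"""Flow-record analytics: what NetFlow-style data can and cannot answer.

Added example, not code from the EMA paper or any RSA product. Records are
constructed inline in the shape a flow exporter summarizes a conversation
(5-tuple plus byte counts each way). The address ranges, admin-port list and
thresholds are assumptions of this example. Flow data carries no payload, so
these checks answer "who talked to whom, how much, how often"; "which file was
transferred" needs DPI or endpoint telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
ADMIN_PORTS = {22: "SSH", 135: "RPC", 445: "SMB", 3389: "RDP", 5985: "WinRM"}  # assumed watch-list


@dataclass(frozen=True)
class Flow:
    ts: datetime      # flow start time
    src: str
    dst: str
    dport: int
    bytes_out: int    # src -> dst
    bytes_in: int     # dst -> src; 0 means the peer never answered


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL)


def lateral_fanout(flows, window=timedelta(minutes=10), min_peers=5):
    """Internal hosts that reached >= min_peers distinct internal peers on admin
    ports inside any sliding `window`. Returns {src: set(peers)}."""
    per_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        if f.src != f.dst and is_internal(f.src) and is_internal(f.dst) and f.dport in ADMIN_PORTS:
            per_src[f.src].append(f)
    hits = {}
    for src, fl in per_src.items():
        start = 0
        for end in range(len(fl)):
            while fl[end].ts - fl[start].ts > window:   # slide the window forward
                start += 1
            peers = {f.dst for f in fl[start:end + 1]}
            if len(peers) >= min_peers:
                hits.setdefault(src, set()).update(peers)
    return hits


def unanswered_admin_flows(flows):
    """Per source, admin-port flows to internal peers that returned no bytes:
    the signature of a sweep across hosts that are absent or filtering the port."""
    counts = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and is_internal(f.dst) and f.dport in ADMIN_PORTS and f.bytes_in == 0:
            counts[f.src] += 1
    return dict(counts)


def egress_outliers(flows, threshold_bytes=100 * 1024 * 1024):
    """Internal sources that pushed >= threshold_bytes to external peers: {src: total}."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            totals[f.src] += f.bytes_out
    return {s: t for s, t in totals.items() if t >= threshold_bytes}


# Constructed sample: one workstation sweeps SMB/RDP across seven peers in four
# minutes (three never answer) and later pushes 300 MB out; a second workstation
# behaves normally.
T0 = datetime(2016, 2, 1, 9, 0, 0)


def _f(minute, src, dst, dport, out, inn):
    return Flow(T0 + timedelta(minutes=minute), src, dst, dport, out, inn)


SAMPLE_FLOWS = [
    _f(0.0, "10.0.5.20", "10.0.5.30", 445, 1200, 900),
    _f(0.5, "10.0.5.20", "10.0.5.31", 445, 1200, 0),
    _f(1.0, "10.0.5.20", "10.0.5.32", 445, 1200, 880),
    _f(1.5, "10.0.5.20", "10.0.5.33", 445, 1200, 0),
    _f(2.0, "10.0.5.20", "10.0.5.34", 445, 1200, 0),
    _f(3.0, "10.0.5.20", "10.0.5.35", 3389, 3000, 4100),
    _f(4.0, "10.0.5.20", "10.0.5.36", 445, 1200, 950),
    _f(95.0, "10.0.5.20", "203.0.113.10", 443, 300 * 1024 * 1024, 4000),
    _f(5.0, "10.0.5.50", "10.0.5.1", 445, 8000, 120000),
    _f(6.0, "10.0.5.50", "198.51.100.7", 443, 2000, 50000),
]

if __name__ == "__main__":
    print("lateral fan-out:", {s: sorted(p) for s, p in lateral_fanout(SAMPLE_FLOWS).items()})
    print("unanswered admin flows:", unanswered_admin_flows(SAMPLE_FLOWS))
    print("egress outliers (bytes):", egress_outliers(SAMPLE_FLOWS))
```

The fan-out check is the internal-segment use the text describes for flow data; the unanswered-flow count separates a sweep from ordinary file-server use, and the egress total is the coarse exfiltration signal available at a perimeter without DPI. All three stay blind to content, which is the gap the next section and the endpoint data address.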
Visibility Gaps in Network Data
Unfortunately, there are also gaps in network data. First, for practical purposes network monitoring
systems are generally deployed only at the perimeter and on select internal segments, so traffic within
or between the other local segments goes unobserved. This produces false negatives, and with them a
false sense of security, in the uncovered parts of the network. Second, network tools cannot detect, at
least initially, attacks that occur off the corporate network: payloads that arrive on removable media or
over home, hotel, or coffee-shop networks. These vectors are common, and a compromised mobile device
plugged into a workstation for charging is another. Combined with the coverage gaps above, this means
several internal hosts can be compromised before the enterprise sees the first network communication
to or from them. Third, there is the problem of unconfirmed alerts. When an inbound session or payload
is detected but no outbound response or follow-up traffic is observed, the network tool cannot tell
whether the incursion succeeded, failed, or is simply lying dormant; treating every such hit as an incident
produces false positives, and dismissing them produces false negatives.
Confirming the scope of an attack is also difficult when the communications are encrypted. There are
ways to inspect encrypted traffic, but they require deploying TLS interception (decryption) infrastructure,
which adds cost and still cannot cover every session (clients that pin certificates, for example). In each
of these cases the network tool alone may return a false positive or a false negative. The point of this
paper is that many of these gaps can be filled by using endpoint and network monitoring tools together.
Issues with Current Programs
Overconfidence
When asked about the maturity of their endpoint and network security program in terms of prevention,
detection, and response, over 60% of the respondents identified all three aspects of network and
endpoint as having “strong” or “very strong” maturity. (See Table 1 below.)
Function            Network Maturity: Strong or Very Strong   Endpoint Maturity: Strong or Very Strong
Prevention          66%                                        63%
Detection           71%                                        67%
Incident Response   65%                                        62%
Table 1. Endpoint and Network Program Self-Reported Maturity
However, other information collected in the survey suggests these results reflect overconfidence: it is
likely that organizations do not yet understand the level and type of network and endpoint monitoring
needed against today’s threats. While the self-assessments leaned toward strong or very strong maturity
in both areas, other parts of the research indicated that these programs were actually underdeveloped.
For example, when EMA asked about confidence in and use of network and endpoint tools, only 15% of
respondents were confident in the accuracy of those tools. Figures 1 through 3, shown in the following
section, depict other inconsistencies.
High-Fidelity Challenges
Clearly a high-fidelity security approach that combines network and endpoint level monitoring would
solve many of these security monitoring challenges. So what’s preventing companies from going down
this path? Largely, it’s because the security systems they have in place lack key capabilities.
When respondents were asked to indicate the top challenges inhibiting the combined use of network
and endpoint security data, the top response was lack of analysis capabilities in their existing solutions
(59%), as shown in Figure 1.
Figure 2 illustrates perhaps the most glaring challenge organizations have in achieving high-fidelity
security: Over 60% of organizations do not have any network analysis tools (packet capture, netflow,
etc.) deployed.
Figure 3 shows another major challenge: lack of historical data for analysis. Forty-two percent (42%) of
respondents do not store the data they do collect for any length of time, which means it is not available
for historical detective analysis or post-event investigation and forensics.

Figure 1. Lack of Analysis Capabilities: 59% lack analysis capabilities in their existing solutions
Figure 2. Lack of Network Analysis Tools: 60% do not have network analysis capabilities
Figure 3. Lack of Historical Data: 42% do not maintain historical data for analysis
Combining Network and Endpoint Data
Creates High-Fidelity Security
The Right Data for the Right Job
Due in part to these fundamental issues, organizations often rely on the wrong data when it comes to
their security monitoring programs. Figure 4 shows responses concerning the types of data respondents
used most often for providing an early warning of a breach. Though each of the data types listed has its
place in detection and investigations, some are better than others.
Access logs                                                    22%
Network Security Logs (Firewall, IDS, DNS, etc.)               21%
Systems Log Monitoring (Application, Server, User chg, etc.)   17%
Network Data (Packets, Flows, etc.)                            16%
Endpoint Change Data                                           13%
Performance Logs                                                7%
Other                                                           4%
Figure 4. Data Used for Early Breach Detection
These responses strongly suggest that many respondents either did not understand the value of the
data or lacked the tools to use it. Access logs record access attempts, but in most environments a
successful login is not investigated unless it was preceded by a significant number of failures; that
approach will not surface an exploited vulnerability, a malware-based attack, or a legitimate credential
that was phished earlier and is now used correctly on the first try. Network security logs and system logs
are similar: both identify attempts to access resources in violation of policy, but a successful attempt
that was not preceded by numerous failures does not tend to be investigated promptly. In EMA’s opinion,
network packet data (flows and DPI) provides the best data for early threat warning and, combined with
endpoint monitoring data, is generally superior for threat detection and response.
When asked how important it was to integrate their endpoint security system with network security,
less than 20% of organizations thought this was “very important,” “extremely important,” or “critical.”
Clearly organizations have a long way to go to understand the critical and complementary value of
network and endpoint monitoring data.
The role of metadata here is also crucial. In this context metadata means the attributes a monitoring
system extracts from traffic and files rather than the raw bytes: for an attempted attack this can include
the author and creation time embedded in a delivered document, the protocol and service of a session,
and the geographic location of the connecting address. It is encouraging that over 80% of organizations
that use network data in security investigations employ systems that create metadata, and almost 85% of
those found it extremely valuable to their investigations. However, 60% of organizations keep this
metadata for two weeks or less, a short window given that incidents often persist for over six months
before being detected; an investigation that begins at discovery then has no record of how the intrusion
started.
Obtaining High-Fidelity Security with RSA Security
Analytics and RSA ECAT
RSA Security Analytics
RSA Security Analytics (SA) enables organizations to collect, manage, and analyze their security activity,
leveraging logs, events, netflow, DPI, endpoint data (provided by RSA ECAT), and other data. It does
this through two core elements: its capture infrastructure and its analysis and retention infrastructure.
The capture infrastructure features a highly configurable Decoder that works with packet capture data
(as well as a version that works with netflow, logs, and events). The Concentrator portion, which
sits behind the Decoder, aggregates the metadata and enables query scalability, letting organizations
deploy the solution across diverse network topologies and geographies. Finally, the Broker and Security
Analytics server allows for queries to be distributed across enterprise-level deployments.
The analysis and retention infrastructure is made up of an Archiver, which manages long-term data
storage as well as an Event Stream Analysis (ESA) service which processes high volumes of disparate
event data, including correlating logs, packets, netflow, and endpoint-sourced information as well as
executing real-time machine learning and data science models. The metadata can also be fed into
Hadoop infrastructures for more historical analysis.
Security Analytics’ interface presents incident data, investigations, and reports in multiple formats that
can be customized by role/function to match incident management and investigative workflow needs.
Dashboards are also customizable by the user.
RSA ECAT
RSA® ECAT is designed to enable active endpoint defense against advanced threats by rapidly detecting
and blocking or quarantining suspicious files and processes without the need for signatures.
Through its behavior-based detection, RSA ECAT lets organizations discover attacks that might
otherwise be hidden. It accomplishes this with kernel- and user-level system monitoring, enabling
real-time alerting, using unique scan techniques, full device inventorying, profiling, risk scoring, and
automatically scanning the system when unknown files or processes are loaded.
If a possible threat is detected, ECAT analyzes the endpoint to confirm whether it is infected, then
scores and flags suspicious endpoints and the associated activity for further investigation. ECAT also
maintains a global inventory of the files present on, and the IP addresses contacted by, monitored
endpoints, which shortens investigation time. It performs a wide range of file checks to decide whether
a file is malicious and to add context, incorporating YARA rules, STIX-delivered threat intelligence, and
the verdicts of multiple AV engines to complement its behavior-based analytics.
If an endpoint has been compromised, ECAT enables security teams to act quickly. It helps the analyst
determine the scope of an attack: right-clicking a malicious file, for example, lists every other endpoint
on which the same file is present. ECAT automatically gathers key forensic information so that teams
can see all modified and deleted files at a glance. Finally, because ECAT reports the exact location of
malicious files, teams can quarantine and block them precisely and quickly.
In addition, RSA has integrated Security Analytics and the RSA ECAT endpoint monitoring tools
together to provide a unified data source, analytics, reporting, and a single console for security detection
and investigations.
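Two situations described earlier are ambiguous from one data source alone: a network alert with no observed follow-up traffic (the unconfirmed-incursion case in “Visibility Gaps in Network Data”) and the question ECAT answers with its “which other endpoints have this file” pivot. The routine below, added here as an example and not code from the paper or from RSA Security Analytics or ECAT, shows how endpoint telemetry turns the first into a confidence rating and how a file-hash scope query answers the second even for a host the network never alerted on. The alert and event schemas, the scoring weights and the parent/child process lists are assumptions of this example, and every record is constructed inline.

```python
"""Rating a network alert by the endpoint evidence behind it.

Added example; not code from the EMA paper, RSA Security Analytics or ECAT.
The alert/event records are constructed inline in the shape a DPI sensor and
an endpoint agent might export. Field names, scoring weights and the
parent/child process lists are assumptions of this example, not any product's
schema.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class NetAlert:
    ts: datetime
    src: str                      # external peer that delivered the payload
    dst: str                      # internal host it was delivered to
    signature: str
    file_sha256: Optional[str]    # hash of a file the sensor carved from the session, if any
    outbound_followup: bool       # did dst open any further session to src afterwards?


@dataclass(frozen=True)
class EndpointEvent:
    ts: datetime
    host: str
    kind: str                     # "file_write" | "process_start" | "net_connect"
    path: str = ""
    sha256: str = ""              # hash of the written file or started image
    parent: str = ""              # parent process image name (process_start only)
    dst: str = ""                 # remote address (net_connect only)


@dataclass
class Verdict:
    host: str
    score: int
    tier: str
    evidence: List[str] = field(default_factory=list)


DOC_AND_BROWSER_APPS = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe", "iexplore.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe", "rundll32.exe"}


def _tier(score: int) -> str:
    return "confirmed" if score >= 70 else "probable" if score >= 40 else "unconfirmed"


def rate_alert(alert: NetAlert, events, window=timedelta(minutes=15)) -> Verdict:
    """Start from the network hit as a lead and add points only for evidence
    that the payload actually did something on the host."""
    score, ev = 30, ["network: " + alert.signature]
    if alert.outbound_followup:
        score += 15; ev.append("network: host talked back to the sender")
    on_host = [e for e in events if e.host == alert.dst and alert.ts <= e.ts <= alert.ts + window]
    if alert.file_sha256 and any(e.kind == "file_write" and e.sha256 == alert.file_sha256 for e in on_host):
        score += 35; ev.append("endpoint: carved file landed on disk (hash match)")
    for e in on_host:   # document/browser app spawning a script host is the classic exploit tell
        if e.kind == "process_start" and e.parent in DOC_AND_BROWSER_APPS \
                and e.path.rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS:
            score += 25; ev.append(f"endpoint: {e.parent} spawned {e.path}")
            break
    if any(e.kind == "net_connect" and e.dst == alert.src for e in on_host):
        score += 15; ev.append("endpoint: process connected back to the sender")
    score = min(score, 100)
    return Verdict(alert.dst, score, _tier(score), ev)


def scope_by_hash(sha256: str, events) -> List[str]:
    """Every host that wrote or executed the file: the 'which other endpoints
    have this file' pivot, independent of whether the network ever saw it."""
    return sorted({e.host for e in events if e.sha256 == sha256})


# Constructed sample. Hashes are placeholders, not real file hashes.
T0 = datetime(2016, 2, 1, 10, 0, 0)
H_DOC = "3b1c" * 16          # the malicious document
H_PS = "aa00" * 16           # powershell.exe image
ALERTS = [
    NetAlert(T0, "198.51.100.7", "10.0.5.20", "Exploit document download", H_DOC, True),
    # same payload served to a second host, but nothing is ever seen leaving it
    NetAlert(T0 + timedelta(minutes=3), "198.51.100.7", "10.0.5.60", "Exploit document download", H_DOC, False),
]
EVENTS = [
    EndpointEvent(T0 + timedelta(seconds=20), "10.0.5.20", "file_write",
                  path=r"C:\Users\a\Downloads\invoice.doc", sha256=H_DOC),
    EndpointEvent(T0 + timedelta(seconds=45), "10.0.5.20", "process_start",
                  path=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", sha256=H_PS, parent="winword.exe"),
    EndpointEvent(T0 + timedelta(seconds=50), "10.0.5.20", "net_connect", dst="198.51.100.7"),
    # ordinary activity on the second host, nothing tied to the payload
    EndpointEvent(T0 + timedelta(minutes=5), "10.0.5.60", "process_start",
                  path=r"C:\Windows\explorer.exe", sha256="ee11" * 16, parent="userinit.exe"),
    # a third host got the same document from a USB stick: no network alert exists for it
    EndpointEvent(T0 + timedelta(hours=2), "10.0.5.77", "file_write", path=r"E:\invoice.doc", sha256=H_DOC),
]

if __name__ == "__main__":
    for a in ALERTS:
        v = rate_alert(a, EVENTS)
        print(f"{v.host}: {v.score} ({v.tier})", *("  - " + e for e in v.evidence), sep="\n")
    print("hosts holding the document:", scope_by_hash(H_DOC, EVENTS))
```

The weights are arbitrary; the design point is that the network hit alone never clears the “confirmed” bar, the same signature on the second host stays an unconfirmed lead rather than an incident, and the hash scope surfaces a third host whose infection arrived off-network and so has no network alert at all.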
Customer Perspective
Perhaps the easiest way to understand the benefits of high-fidelity security and how it can be achieved
using RSA Security Analytics and ECAT is to discuss how a real customer is using these solutions. This
customer perspective was drawn from an interview with cyber security personnel at a large healthcare
services provider.
Any healthcare services company is responsible for safeguarding a tremendous amount of extremely
confidential data—security cannot be an afterthought. The systems processing, storing, and transmitting
this data represent a wide variety of device platforms that combine to deliver the data in diverse forms.
Before introducing RSA Security Analytics and ECAT into its environment, the company had several
issues. Though the security team relied heavily on packet capture and endpoint information, this data
was maintained by separate teams with separate systems. These teams had little operational integration
and no mid-level management in common, so coordination between them was cumbersome at best.
The security team in charge of investigations did not have direct access to certain types of data, and
making formal requests for delivery of copies was required to pursue investigations. To top it off, the
security team would receive the data raw and unparsed, with no metadata. Reporting was a manual
process that required cobbling data together from several different tools.
After implementing RSA Security Analytics and ECAT, the situation improved significantly.
Now, the security group has much greater visibility into its security data because it is piped directly into
Security Analytics from the respective network points and systems. Using the now-unified data, Security
Analytics creates confidence ratings for alerts, which has led to both higher accuracy when determining
security threats and vastly improved work prioritization, thus reducing risk to the environment.
When responding to incidents, the security team values the network and endpoint visibility they get
from Security Analytics and ECAT. For example, once an alert against an internal host is presented
in Security Analytics, the security team can pivot on the IP address to determine what other alerts
have been presented against that host, or they can pivot on the alert to determine what other hosts in
the environment have been exposed to the same threat. Using the IP address (or DNS information), the
analyst can pivot into ECAT to get more details about the host in question and perform further
investigation or remediation activities remotely.
Before the deployment, the healthcare provider had also been plagued by false-positive alerts that
wasted the time of its limited staff. The Security Analytics–ECAT combination has dramatically reduced
the false positives by providing better context with its metadata. Not only has the metadata improved
accuracy, the Security Analytics alert filtering has also significantly improved the security team’s
ability to retrieve data and focus only on information that is relevant to the current situation. They
were using a top-five antivirus provider that was creating a huge number of false infection alerts, but
by using Security Analytics and ECAT together they were able to isolate and remove these false positives
from the investigation queue.
The benefits the company has gained from combining deep packet inspection and endpoint data,
augmented with unified metadata, have been tremendous for accelerating investigations and closing
incidents. Investigations have been reduced from hours or days to minutes or hours, a 10X reduction
in resolution time.
EMA Perspective
Organizations today face a high level of complexity when trying to secure their systems and data and
must address a stunning number of issues, such as the ever-expanding number and types of endpoints,
the sophistication of threats being used against them, and the sheer amount of security data being
produced and captured, to name a few.
To deal with these issues, organizations need better information, analysis, and prioritization to identify
and act on the most important security threats.
Generally, organizations have relied on either endpoint- or network-sourced security data to make
decisions. But for optimal situational awareness they really need both, together with the ability to
enrich that data with metadata and to use it for both detection and response. Only through this
combination can organizations have all the information they need to identify and respond to security
threats effectively.
RSA Security Analytics and ECAT provide an opportunity for security organizations to propel their
security operations and analysts forward. Using a single interface with all the relevant data for both
detection and investigation, combined with the drill-down and pivoting capability between the two
products, allows a high degree of flexibility for the investigation of events and incidents.
When used together, RSA ECAT and RSA Security Analytics provide visibility and agility at levels
unparalleled by other tools that use more limited data feeds. Together they provide a comprehensive
security monitoring solution, accelerating incident detection and investigation and significantly
reducing the time to resolve. This provides a high return on investment for both security and IT
operations teams.
About RSA
RSA provides more than 30,000 customers around the world with the essential security capabilities to
protect their most valuable assets from cyber threats. With RSA’s award-winning products, organizations
effectively detect, investigate, and respond to advanced attacks; confirm and manage identities; and
ultimately, reduce IP theft, fraud, and cybercrime.
About Enterprise Management Associates, Inc.
Founded in 1996, Enterprise Management Associates (EMA) is a leading industry analyst firm that provides deep insight across the full spectrum
of IT and data management technologies. EMA analysts leverage a unique combination of practical experience, insight into industry best practices,
and in-depth knowledge of current and planned vendor solutions to help EMA’s clients achieve their goals. Learn more about EMA research,
analysis, and consulting services for enterprise line of business users, IT professionals and IT vendors at www.enterprisemanagement.com or
blogs.enterprisemanagement.com. You can also follow EMA on Twitter, Facebook or LinkedIn.
Evaluation of DDoS attacks generated on mobile devices and their effect on th...Evaluation of DDoS attacks generated on mobile devices and their effect on th...
Evaluation of DDoS attacks generated on mobile devices and their effect on th...Andres Almeida
 
Rsa
RsaRsa
Rsayaya
 
Sql injection
Sql injectionSql injection
Sql injectionMinoxx
 
Extending Network Visibility: Down to the Endpoint
Extending Network Visibility: Down to the EndpointExtending Network Visibility: Down to the Endpoint
Extending Network Visibility: Down to the EndpointLancope, Inc.
 
Seguridad sql injection
Seguridad   sql injectionSeguridad   sql injection
Seguridad sql injectionGary Briceño
 
Exploiting Web applications SQL Injection
Exploiting Web applications SQL InjectionExploiting Web applications SQL Injection
Exploiting Web applications SQL InjectionConferencias FIST
 
Viii congreso isaca 2015 grc
Viii congreso isaca 2015 grcViii congreso isaca 2015 grc
Viii congreso isaca 2015 grcbalejandre
 
Panda Security - Adaptive Defense
Panda Security - Adaptive DefensePanda Security - Adaptive Defense
Panda Security - Adaptive DefensePanda Security
 
Panda Security - Endpoint Protection
Panda Security - Endpoint ProtectionPanda Security - Endpoint Protection
Panda Security - Endpoint ProtectionPanda Security
 
Panda Security - Adaptive Defense 360
Panda Security - Adaptive Defense 360Panda Security - Adaptive Defense 360
Panda Security - Adaptive Defense 360Panda Security
 
CIFRADO RSA
CIFRADO RSACIFRADO RSA
CIFRADO RSArul05
 
Data Loss Prevention de RSA
Data Loss Prevention de RSAData Loss Prevention de RSA
Data Loss Prevention de RSAAEC Networks
 

Viewers also liked (20)

Targeted Attacks: Have you found yours?
Targeted Attacks: Have you found yours?Targeted Attacks: Have you found yours?
Targeted Attacks: Have you found yours?
 
Trend micro real time threat management press presentation
Trend micro real time threat management press presentationTrend micro real time threat management press presentation
Trend micro real time threat management press presentation
 
DEEPSEC 2013: Malware Datamining And Attribution
DEEPSEC 2013: Malware Datamining And AttributionDEEPSEC 2013: Malware Datamining And Attribution
DEEPSEC 2013: Malware Datamining And Attribution
 
Evaluation of DDoS attacks generated on mobile devices and their effect on th...
Evaluation of DDoS attacks generated on mobile devices and their effect on th...Evaluation of DDoS attacks generated on mobile devices and their effect on th...
Evaluation of DDoS attacks generated on mobile devices and their effect on th...
 
114986362 ddos
114986362 ddos114986362 ddos
114986362 ddos
 
Malware_Popayan-securinf.com
Malware_Popayan-securinf.comMalware_Popayan-securinf.com
Malware_Popayan-securinf.com
 
Rsa
RsaRsa
Rsa
 
Sql injection
Sql injectionSql injection
Sql injection
 
RSA
RSARSA
RSA
 
Extending Network Visibility: Down to the Endpoint
Extending Network Visibility: Down to the EndpointExtending Network Visibility: Down to the Endpoint
Extending Network Visibility: Down to the Endpoint
 
Seguridad sql injection
Seguridad   sql injectionSeguridad   sql injection
Seguridad sql injection
 
Sql Injection
Sql InjectionSql Injection
Sql Injection
 
Exploiting Web applications SQL Injection
Exploiting Web applications SQL InjectionExploiting Web applications SQL Injection
Exploiting Web applications SQL Injection
 
Viii congreso isaca 2015 grc
Viii congreso isaca 2015 grcViii congreso isaca 2015 grc
Viii congreso isaca 2015 grc
 
Panda Security - Adaptive Defense
Panda Security - Adaptive DefensePanda Security - Adaptive Defense
Panda Security - Adaptive Defense
 
Panda Security - Endpoint Protection
Panda Security - Endpoint ProtectionPanda Security - Endpoint Protection
Panda Security - Endpoint Protection
 
Ransomware
RansomwareRansomware
Ransomware
 
Panda Security - Adaptive Defense 360
Panda Security - Adaptive Defense 360Panda Security - Adaptive Defense 360
Panda Security - Adaptive Defense 360
 
CIFRADO RSA
CIFRADO RSACIFRADO RSA
CIFRADO RSA
 
Data Loss Prevention de RSA
Data Loss Prevention de RSAData Loss Prevention de RSA
Data Loss Prevention de RSA
 

Similar to Achieving high-fidelity security

UNCONSTRAINED ENDPOINT SECURITY SYSTEM: UEPTSS
UNCONSTRAINED ENDPOINT SECURITY SYSTEM: UEPTSSUNCONSTRAINED ENDPOINT SECURITY SYSTEM: UEPTSS
UNCONSTRAINED ENDPOINT SECURITY SYSTEM: UEPTSSIJNSA Journal
 
Toward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network AutomationToward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network AutomationE.S.G. JR. Consulting, Inc.
 
Toward Continuous Cybersecurity With Network Automation
Toward Continuous Cybersecurity With Network AutomationToward Continuous Cybersecurity With Network Automation
Toward Continuous Cybersecurity With Network AutomationKen Flott
 
IRJET- Local Security Enhancement and Intrusion Prevention in Android Dev...
IRJET-  	  Local Security Enhancement and Intrusion Prevention in Android Dev...IRJET-  	  Local Security Enhancement and Intrusion Prevention in Android Dev...
IRJET- Local Security Enhancement and Intrusion Prevention in Android Dev...IRJET Journal
 
Improve network safety through better visibility – Netmagic
Improve network safety through better visibility – NetmagicImprove network safety through better visibility – Netmagic
Improve network safety through better visibility – NetmagicNetmagic Solutions Pvt. Ltd.
 
Ethical hacking-guide-infosec
Ethical hacking-guide-infosecEthical hacking-guide-infosec
Ethical hacking-guide-infosecCMR WORLD TECH
 
Network Security of Data Protection
Network Security of Data ProtectionNetwork Security of Data Protection
Network Security of Data ProtectionUthsoNandy
 
Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...Tiffany Sandoval
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
ethical-hacking-guide
ethical-hacking-guideethical-hacking-guide
ethical-hacking-guideMatt Ford
 
GBS - 8 ways to knockout network headaches
GBS - 8 ways to knockout network headachesGBS - 8 ways to knockout network headaches
GBS - 8 ways to knockout network headachesKristin Helgeson
 
supply chain management.pptx
supply chain management.pptxsupply chain management.pptx
supply chain management.pptxMinnySkyy
 
Intelligence Driven Threat Detection and Response
Intelligence Driven Threat Detection and ResponseIntelligence Driven Threat Detection and Response
Intelligence Driven Threat Detection and ResponseEMC
 
Gigamon - Network Visibility Solutions
Gigamon - Network Visibility SolutionsGigamon - Network Visibility Solutions
Gigamon - Network Visibility SolutionsTom Kopko
 
TACTiCS_WP Security_Addressing Security in SDN Environment
TACTiCS_WP Security_Addressing Security in SDN EnvironmentTACTiCS_WP Security_Addressing Security in SDN Environment
TACTiCS_WP Security_Addressing Security in SDN EnvironmentSaikat Chaudhuri
 
Personam Solution - How it Works Brief
Personam Solution - How it Works BriefPersonam Solution - How it Works Brief
Personam Solution - How it Works BriefSunny Geo
 
Personam Solution - How it Works Brief
Personam Solution - How it Works BriefPersonam Solution - How it Works Brief
Personam Solution - How it Works BriefSunny Geo
 

Similar to Achieving high-fidelity security (20)

UNCONSTRAINED ENDPOINT SECURITY SYSTEM: UEPTSS
UNCONSTRAINED ENDPOINT SECURITY SYSTEM: UEPTSSUNCONSTRAINED ENDPOINT SECURITY SYSTEM: UEPTSS
UNCONSTRAINED ENDPOINT SECURITY SYSTEM: UEPTSS
 
Toward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network AutomationToward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network Automation
 
Toward Continuous Cybersecurity With Network Automation
Toward Continuous Cybersecurity With Network AutomationToward Continuous Cybersecurity With Network Automation
Toward Continuous Cybersecurity With Network Automation
 
IRJET- Local Security Enhancement and Intrusion Prevention in Android Dev...
IRJET-  	  Local Security Enhancement and Intrusion Prevention in Android Dev...IRJET-  	  Local Security Enhancement and Intrusion Prevention in Android Dev...
IRJET- Local Security Enhancement and Intrusion Prevention in Android Dev...
 
Improve network safety through better visibility – Netmagic
Improve network safety through better visibility – NetmagicImprove network safety through better visibility – Netmagic
Improve network safety through better visibility – Netmagic
 
Ethical hacking-guide-infosec
Ethical hacking-guide-infosecEthical hacking-guide-infosec
Ethical hacking-guide-infosec
 
Network Security of Data Protection
Network Security of Data ProtectionNetwork Security of Data Protection
Network Security of Data Protection
 
Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...
 
4777.team c.final
4777.team c.final4777.team c.final
4777.team c.final
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
ethical-hacking-guide
ethical-hacking-guideethical-hacking-guide
ethical-hacking-guide
 
GBS - 8 ways to knockout network headaches
GBS - 8 ways to knockout network headachesGBS - 8 ways to knockout network headaches
GBS - 8 ways to knockout network headaches
 
supply chain management.pptx
supply chain management.pptxsupply chain management.pptx
supply chain management.pptx
 
Intelligence Driven Threat Detection and Response
Intelligence Driven Threat Detection and ResponseIntelligence Driven Threat Detection and Response
Intelligence Driven Threat Detection and Response
 
Gigamon - Network Visibility Solutions
Gigamon - Network Visibility SolutionsGigamon - Network Visibility Solutions
Gigamon - Network Visibility Solutions
 
Wfh remote access tips
Wfh   remote access tipsWfh   remote access tips
Wfh remote access tips
 
TACTiCS_WP Security_Addressing Security in SDN Environment
TACTiCS_WP Security_Addressing Security in SDN EnvironmentTACTiCS_WP Security_Addressing Security in SDN Environment
TACTiCS_WP Security_Addressing Security in SDN Environment
 
Personam Solution - How it Works Brief
Personam Solution - How it Works BriefPersonam Solution - How it Works Brief
Personam Solution - How it Works Brief
 
Personam Solution - How it Works Brief
Personam Solution - How it Works BriefPersonam Solution - How it Works Brief
Personam Solution - How it Works Brief
 
Big security for big data
Big security for big dataBig security for big data
Big security for big data
 

More from balejandre

A Data-driven Maturity Model for Modernized, Automated, and Transformed IT
A Data-driven Maturity Model for Modernized, Automated, and Transformed ITA Data-driven Maturity Model for Modernized, Automated, and Transformed IT
A Data-driven Maturity Model for Modernized, Automated, and Transformed ITbalejandre
 
Ataques de seguridad y GRC
Ataques de seguridad y GRCAtaques de seguridad y GRC
Ataques de seguridad y GRCbalejandre
 
White paper cyber risk appetite defining and understanding risk in the moder...
White paper cyber risk appetite  defining and understanding risk in the moder...White paper cyber risk appetite  defining and understanding risk in the moder...
White paper cyber risk appetite defining and understanding risk in the moder...balejandre
 
Nuevo Enfoque de la Auditoría Empresarial a través de GRC
Nuevo Enfoque de la Auditoría Empresarial a través de GRCNuevo Enfoque de la Auditoría Empresarial a través de GRC
Nuevo Enfoque de la Auditoría Empresarial a través de GRCbalejandre
 
Itss bc my grc 2013 v1
Itss bc my grc 2013 v1Itss bc my grc 2013 v1
Itss bc my grc 2013 v1balejandre
 
Grc y seguridad
Grc y seguridadGrc y seguridad
Grc y seguridadbalejandre
 
11479 Ponemon Report Egrc Ar
11479 Ponemon Report Egrc Ar11479 Ponemon Report Egrc Ar
11479 Ponemon Report Egrc Arbalejandre
 

More from balejandre (7)

A Data-driven Maturity Model for Modernized, Automated, and Transformed IT
A Data-driven Maturity Model for Modernized, Automated, and Transformed ITA Data-driven Maturity Model for Modernized, Automated, and Transformed IT
A Data-driven Maturity Model for Modernized, Automated, and Transformed IT
 
Ataques de seguridad y GRC
Ataques de seguridad y GRCAtaques de seguridad y GRC
Ataques de seguridad y GRC
 
White paper cyber risk appetite defining and understanding risk in the moder...
White paper cyber risk appetite  defining and understanding risk in the moder...White paper cyber risk appetite  defining and understanding risk in the moder...
White paper cyber risk appetite defining and understanding risk in the moder...
 
Nuevo Enfoque de la Auditoría Empresarial a través de GRC
Nuevo Enfoque de la Auditoría Empresarial a través de GRCNuevo Enfoque de la Auditoría Empresarial a través de GRC
Nuevo Enfoque de la Auditoría Empresarial a través de GRC
 
Itss bc my grc 2013 v1
Itss bc my grc 2013 v1Itss bc my grc 2013 v1
Itss bc my grc 2013 v1
 
Grc y seguridad
Grc y seguridadGrc y seguridad
Grc y seguridad
 
11479 Ponemon Report Egrc Ar
11479 Ponemon Report Egrc Ar11479 Ponemon Report Egrc Ar
11479 Ponemon Report Egrc Ar
 

Recently uploaded

"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 

Recently uploaded (20)

"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 

Achieving high-fidelity security

  • 1. IT & DATA MANAGEMENT RESEARCH, INDUSTRY ANALYSIS & CONSULTING
    Achieving High-Fidelity Security
    Combining Network and Endpoint Monitoring with RSA Security Analytics and RSA ECAT
    An ENTERPRISE MANAGEMENT ASSOCIATES® (EMA™) White Paper
    Prepared for RSA
    February 2016
  • 2. Table of Contents
    ©2016 Enterprise Management Associates, Inc. All Rights Reserved. | www.enterprisemanagement.com
    Achieving High-Fidelity Security: Combining Network and Endpoint Monitoring with RSA Security Analytics and RSA ECAT
    Executive Summary ........ 1
      Achieving High-Fidelity Security ........ 1
    Visibility Provided by Endpoint Monitoring ........ 1
      Visibility Gaps in Endpoint Monitoring ........ 1
    Visibility Provided by Network Data ........ 2
      Visibility Gaps in Network Data ........ 2
    Issues with Current Programs ........ 3
      Overconfidence ........ 3
      High-Fidelity Challenges ........ 3
    Combining Network and Endpoint Data Creates High-Fidelity Security ........ 4
      The Right Data for the Right Job ........ 4
    Obtaining High-Fidelity Security with RSA Security Analytics and RSA ECAT ........ 5
      RSA Security Analytics ........ 5
      RSA ECAT ........ 5
    Customer Perspective ........ 6
    EMA Perspective ........ 7
    About RSA ........ 7
  • 3. Executive Summary
    Achieving High-Fidelity Security
    The term “hi-fidelity” was first coined in the entertainment industry in the 1950s to indicate advances in audio technology that provided the listener with a richer “just like being there” experience. In the security context, “high fidelity” communicates the ability to provide a richer experience to the security analyst in order to deliver better security outcomes. High-fidelity security systems provide more comprehensive and timelier information from multiple sources, both internal and external, in the appropriate volume and with the appropriate types of data, to give the best context and priority for decision making and to drive appropriate detection and incident response activities. This paper discusses the benefits of using both network and endpoint data with a strong analysis toolset to create high-fidelity security.
    Visibility Provided by Endpoint Monitoring
    Quite simply, the endpoint is where the bad action takes place. Each device connected to an organization’s network where information resides or is processed, especially if it is a device people work on directly, is a potential point for security threats to enter and exploit an enterprise. In today’s environments, endpoints are no longer just desktop or laptop computers. The definition of an endpoint has expanded to include everything from servers to smartphones and tablets to special-function and embedded Internet of Things (IoT) devices. However, IT professionals have been somewhat slow to acknowledge these newer endpoints. While over 90% of IT professionals use smartphones themselves, only 64% of respondents identified smartphones as endpoints in EMA’s 2016 “Achieving High-Fidelity Security” research. Servers scored even lower, with only 57% considering those as endpoints. While the shift to a more mobile workforce has been taking place, the shift in understanding of what a potentially vulnerable endpoint is has lagged behind.
    To make matters worse, the security threats targeting these endpoints are many and varied and go well beyond malware. Attack modes also include misusing user credentials, running rogue services, using unapproved applications and sharing company data, running apps that leak confidential data, and many others. Whatever the mode, the detailed data about the execution of the attack that is contained within the endpoint is far richer than anything that can be gained at the network level alone or by merely looking at activity logs. Given that threats at some point in their lifecycle operate directly on endpoints, it is only common sense that monitoring systems should have a strong capability for monitoring the endpoints directly.
    Visibility Gaps in Endpoint Monitoring
    Security data from the endpoint is extremely important to an overall security monitoring program. But it only goes so far. Endpoint data by definition covers the last mile of an attack, but on its own it does not provide a 360-degree view of the security posture of an organization. Endpoint data can be compartmentalized, since the endpoint monitoring system only knows about the activities happening within the monitored and impacted endpoints. Attacks that hit unmonitored endpoints obviously will not be picked up unless additional security monitoring is being used. This brings us to the importance of network-level visibility.
  • 4. Page 2 ©2016 Enterprise Management Associates, Inc. All Rights Reserved. | www.enterprisemanagement.comPage 2 Achieving High-Fidelity Security: Combining Network and Endpoint Monitoring with RSA Security Analytics and RSA ECAT Visibility Provided by Network Data The two most popular network security monitoring data sources used by organizations today are network flows and deep packet inspection (DPI). Network flows are used by 42% of respondents, and DPI (which is sometimes referred to as “full packet capture”) is used by 36%. Of course, when trying to get a full picture of security threats, DPI provides a much more complete view than network flows, but for practical purposes using network flows also has its place. Network flow (netflow) tools, such as NetFlow, J-Flow, sFlow, etc., are great at identifying the usage of odd protocols and abnormal traffic patterns at an overview level. But they can’t provide information on the details of a network conversation, such as details on the data and files that were passed. DPI- based monitoring systems can provide those details. A best practice is to use DPI to monitor Internet egress points and very sensitive network segments and to use netflow to cover other internal network segments, in particular to monitor for attackers’ lateral movement. Organizations need visibility to prevent and detect breaches. Most attacks traverse the perimeter of the network, meaning network-based tools have the opportunity to identify an attack at an early stage and to alert on and address it before a significant incursion occurs. Maximally effective network tools can identify many types of activity, from reconnaissance and initial malware payload drops to the use of malformed protocols, protocol tunneling, abnormal encrypted traffic, and unusual/abnormal communication between hosts. Any of these can be indicative of not only compromise but also lateral movement, data collection, and data exfiltration. 
Visibility Gaps in Network Data

Unfortunately, there are also gaps in network data. First, network monitoring systems for practical purposes are generally only deployed at the perimeters and at select internal network segments. When this is the case, data gaps can occur within or between local segments where the network is not being as closely monitored. This can lead to a false sense of security via false negatives in those missing areas of network coverage.

Second, network solutions can’t detect, at least initially, attacks that occur off network (for example, attacks that come in the form of removable media or come across home, hotel, or coffee shop networks). Not only are these attack vectors common, but compromising mobile devices that are connected to other endpoint systems for charging can also be an attack technique. This threat, combined with the potential gaps in network data, means an organization could be compromised on multiple internal hosts before the enterprise even sees the first network communication to or from those hosts.

Third, there is a problem with false positives. In cases where the inbound communication and/or data payload is detected but no outbound response is observed, there is no way for the network detection tool to be certain whether the incursion was successful or is simply lying dormant. Confirmation of the scope of an attack is also difficult to discern if the communications are encrypted. While there are ways to peer into encrypted network traffic, this requires the deployment of specialized decryption devices. In each of these cases, a false positive (or false negative) response may occur. The obvious point of this paper is that many of these gaps can be filled with the complementary use of endpoint and network monitoring tools.
Issues with Current Programs

Overconfidence

When asked about the maturity of their endpoint and network security program in terms of prevention, detection, and response, over 60% of the respondents identified all three aspects of network and endpoint as having “strong” or “very strong” maturity. (See Table 1 below.)

Table 1. Endpoint and Network Program Self-Reported Maturity

Function            Network Maturity: Strong or Very Strong   Endpoint Maturity: Strong or Very Strong
Prevention          66%                                       63%
Detection           71%                                       67%
Incident Response   65%                                       62%

However, based upon other information collected in the survey, these results seem to be a sign of overconfidence. It is very likely organizations don’t yet understand the level and type of network and endpoint monitoring needed to protect against today’s threats. Surprisingly, the answers given leaned more towards strong or very strong maturity in both areas, whereas the results of other parts of our research indicated these security programs were actually very underdeveloped. For example, EMA asked about confidence in and use of network and endpoint tools. Only 15% of respondents were confident in the accuracy of their network and endpoint tools. Figures 1 through 3, shown in the following section, depict other inconsistencies.

High-Fidelity Challenges

Clearly a high-fidelity security approach that combines network and endpoint level monitoring would solve many of these security monitoring challenges. So what’s preventing companies from going down this path? Largely, it’s because the security systems they have in place lack key capabilities.
When respondents were asked to indicate the top challenges inhibiting the combined use of network and endpoint security data, the top response was lack of analysis capabilities in their existing solutions (59%), as shown in Figure 1. Figure 2 illustrates perhaps the most glaring challenge organizations have in achieving high-fidelity security: over 60% of organizations do not have any network analysis tools (packet capture, netflow, etc.) deployed. Figure 3 shows another major challenge: lack of historical data for analysis. Forty-two percent (42%) of respondents do not store the data they do collect for any length of time, which means it is not available for historical detective analysis or post-event investigation and forensics.

Figure 1. Lack of Analysis Capabilities: 59% lack analysis capabilities
Figure 2. Lack of Network Analysis Tools: 60% do not have network analysis capabilities
Figure 3. Lack of Historical Data: 42% do not maintain historical data for analysis
Combining Network and Endpoint Data Creates High-Fidelity Security

The Right Data for the Right Job

Due in part to these fundamental issues, organizations often rely on the wrong data when it comes to their security monitoring programs. Figure 4 shows responses concerning the types of data respondents used most often for providing an early warning of a breach. Though each of the data types listed has its place in detection and investigations, some are better than others.

Figure 4. Data Used for Early Breach Detection
  22%  Access logs
  21%  Network Security Logs (Firewall, IDS, DNS, etc.)
  17%  Systems Log Monitoring (Application, Server, User chg, etc.)
  16%  Network Data (Packets, Flows, etc.)
  13%  Endpoint Change Data
   7%  Performance Logs
   4%  Other

These results strongly indicate that many of the respondents either did not understand the value of the data or did not have the tools to leverage the data, regardless of their understanding. Access logs can indicate access attempts, but in most environments successful logins either are not logged or are not investigated unless they are preceded by a significant number of failed logins. This approach will not show an exploited vulnerability, a malware-based attack, or even a previously phished, legitimate credential. Network security logs and systems logs are similar in nature, as they will both identify attempts to access resources that violate policy, but unless a successful attempt has been preceded by numerous failed attempts, it doesn’t tend to be investigated in a timely manner. In the opinion of EMA, network packet data (flows and DPI) provides the best data for early threat warning, and, when combined with endpoint monitoring data, is generally superior for threat detection and response.
When asked how important it was to integrate their endpoint security system with network security, less than 20% of organizations thought this was “very important,” “extremely important,” or “critical.” Clearly organizations have a long way to go to understand the critical and complementary value of network and endpoint monitoring data. The role of metadata in this area is also crucial. Metadata, or data about data, can provide valuable information about the characteristics of an attempted attack, such as the creator, the time and date of creation, and even the geographical location it came from. It is encouraging that over 80% of organizations that use network data in security investigations employ systems that create metadata. And, of these organizations, almost 85% found metadata to be extremely valuable to their investigations. However, 60% of organizations only keep this metadata for two weeks or less, which is a short time window given that incidents often persist for over six months before being detected.
Obtaining High-Fidelity Security with RSA Security Analytics and RSA ECAT

RSA Security Analytics

RSA Security Analytics (SA) enables organizations to collect, manage, and analyze their security activity, leveraging logs, events, netflow, DPI, endpoint data (provided by RSA ECAT), and other data. It does this through two core elements: its capture infrastructure and its analysis and retention infrastructure.

The capture infrastructure features a highly configurable Decoder that works with packet capture data (as well as a version that works with netflow, logs, and events). The Concentrator portion, which sits behind the Decoder, aggregates the metadata and enables query scalability, letting organizations deploy the solution across diverse network topologies and geographies. Finally, the Broker and Security Analytics server allow for queries to be distributed across enterprise-level deployments.

The analysis and retention infrastructure is made up of an Archiver, which manages long-term data storage, and an Event Stream Analysis (ESA) service, which processes high volumes of disparate event data, including correlating logs, packets, netflow, and endpoint-sourced information, as well as executing real-time machine learning and data science models. The metadata can also be fed into Hadoop infrastructures for more historical analysis. Security Analytics’ interface presents incident data, investigations, and reports in multiple formats that can be customized by role/function to match incident management and investigative workflow needs. Dashboards are also customizable by the user.
RSA ECAT

RSA® ECAT is designed to enable active endpoint defense against advanced threats by rapidly detecting and blocking or quarantining suspicious files and processes without the need for signatures. Through its behavior-based detection, RSA ECAT lets organizations discover attacks that might otherwise be hidden. It accomplishes this with kernel- and user-level system monitoring, enabling real-time alerting, using unique scan techniques, full device inventorying, profiling, risk scoring, and automatically scanning the system when unknown files or processes are loaded. If a possible threat is detected, ECAT quickly analyzes the endpoint to confirm an infection. The system then scores and flags suspicious endpoints and the associated activity for further investigation. ECAT also maintains a global repository of all existing files and IP addresses connected to the network to help reduce investigation time. It also performs a wide range of file checks to determine if a file is malicious and to provide more context—incorporating YARA rules, STIX-delivered threat intelligence, and the results of multiple AV engines to complement its behavior-based analytics.

If an endpoint compromise has occurred, ECAT enables security teams to take quick action. ECAT helps the analyst to determine the scope of an attack instantly—for example, by simply right-clicking on a malicious file, the system will show all other endpoints with that same file. ECAT automatically gathers critical forensic information that allows teams to see all modified and deleted files at a glance. Finally, ECAT allows teams to conduct precise blocking. By providing the exact location of malicious files, ECAT lets teams quarantine and block malicious files quickly.

In addition, RSA has integrated Security Analytics and the RSA ECAT endpoint monitoring tools together to provide a unified data source, analytics, reporting, and a single console for security detection and investigations.
Customer Perspective

Perhaps the easiest way to understand the benefits of high-fidelity security and how it can be achieved using RSA Security Analytics and ECAT is to discuss how a real customer is using these solutions. This customer perspective was drawn from an interview with cyber security personnel at a large healthcare services provider. Any healthcare services company is responsible for safeguarding a tremendous amount of extremely confidential data—security cannot be an afterthought. The systems processing, storing, and transmitting this data represent a wide variety of device platforms that combine to deliver the data in diverse forms.

Before introducing RSA Security Analytics and ECAT into its environment, the company had several issues. Though the security team relied heavily on packet capture and endpoint information, this data was maintained by separate teams with separate systems. These teams had little operational integration and no mid-level management in common, so coordination between them was cumbersome at best. The security team in charge of investigations did not have direct access to certain types of data, and making formal requests for delivery of copies was required to pursue investigations. To top it off, the security team would receive the data raw and unparsed, with no metadata. Reporting was a manual process that required cobbling data together from several different tools.

After implementing RSA Security Analytics and ECAT, the situation improved significantly. Now, the security group has much greater visibility into its security data because it is piped directly into Security Analytics from the respective network points and systems.
Using the now-unified data, Security Analytics creates confidence ratings for alerts, which has led to both higher accuracy when determining security threats and vastly improved work prioritization, thus reducing risk to the environment.

When responding to incidents, the security team values the network and endpoint visibility they get from Security Analytics and ECAT. For example, once an alert against an internal host is presented in Security Analytics, the security team can pivot on the IP address to determine what other alerts have been presented against that host, or they can pivot on the alert to determine what other hosts in the environment have been exposed to the same threat. Using the IP address (or DNS information), the analyst can pivot into ECAT to get more details about the host in question and perform further investigation or remediation activities remotely.

Before the deployment, the healthcare provider had also been plagued by false-positive alerts that wasted the time of its limited staff. The Security Analytics–ECAT combination has dramatically reduced the false positives by providing better context with its metadata. Not only has the metadata improved accuracy, the Security Analytics alert filtering has also significantly improved the security team’s ability to retrieve data and focus only on information that is relevant to the current situation. They were using a top five antivirus provider that was creating a huge number of false infection alerts, but by using Security Analytics and ECAT together they were able to isolate and remove these false positives from the investigation queue.

The benefits the company has gained by being able to combine deep packet inspection and endpoint data and augment them with unified metadata have been tremendous for accelerating investigations and closing incidents. Investigations have been reduced from hours or days to just minutes or hours, leading to a 10X reduction in resolution time!
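The following is an added illustration, not code from the paper or from RSA's products, of the two ideas above: the network-only false-positive gap described under "Visibility Gaps in Network Data" (an inbound payload is seen but nothing confirms it ran) and the host/alert pivoting described in the customer perspective. It keys network alerts to endpoint observations by host IP and assigns an illustrative confidence level; all records, host IPs and hashes are constructed sample data, and the scoring rules are an assumption for the example.

```python
# Added example: correlate network-side alerts with endpoint-side evidence,
# keyed on host IP, and pivot between the two. The data and the scoring
# rules are constructed for illustration and are not RSA's algorithm.

# Constructed network alerts, as a DPI/netflow-style sensor might emit them.
NETWORK_ALERTS = [
    {"id": "n1", "host": "10.0.0.5", "sha256": "HASH_A",
     "direction": "inbound", "outbound_seen": False},
    {"id": "n2", "host": "10.0.0.5", "sha256": None,
     "direction": "outbound", "outbound_seen": True},   # later outbound traffic
    {"id": "n3", "host": "10.0.0.9", "sha256": "HASH_A",
     "direction": "inbound", "outbound_seen": False},
]

# Constructed endpoint inventory, as an endpoint agent might report it:
# which files exist on each host and whether they have executed.
ENDPOINT_INVENTORY = {
    "10.0.0.5": {"HASH_A": {"executed": True}},
    "10.0.0.9": {},                                   # file never landed
    "10.0.0.7": {"HASH_A": {"executed": False}},      # present but dormant
}


def confidence(alert, inventory):
    """Score one network alert by what the endpoint confirms about it.

    Illustrative rules (an assumption of this example):
      high   - endpoint shows the indicated file executed on the host
      medium - endpoint shows the file present, or network saw outbound activity
      low    - network-only evidence, no outbound response, no endpoint hit
    """
    host_files = inventory.get(alert["host"], {})
    file_info = host_files.get(alert["sha256"]) if alert["sha256"] else None
    if file_info and file_info["executed"]:
        return "high"
    if file_info or alert["outbound_seen"]:
        return "medium"
    return "low"


def score_alerts(alerts, inventory):
    """Return {alert_id: confidence} for every network alert."""
    return {a["id"]: confidence(a, inventory) for a in alerts}


def pivot_by_host(alerts, host):
    """Pivot on an IP: ids of all network alerts raised against that host."""
    return sorted(a["id"] for a in alerts if a["host"] == host)


def pivot_by_file(inventory, sha256):
    """Pivot on a file: every host whose endpoint inventory contains it.

    This can surface hosts (10.0.0.7 here) that produced no network alert,
    which is exactly the coverage gap endpoint data fills.
    """
    return sorted(h for h, files in inventory.items() if sha256 in files)


if __name__ == "__main__":
    print(score_alerts(NETWORK_ALERTS, ENDPOINT_INVENTORY))
    print(pivot_by_host(NETWORK_ALERTS, "10.0.0.5"))
    print(pivot_by_file(ENDPOINT_INVENTORY, "HASH_A"))
```

Alert n3 stays "low" because neither an outbound response nor endpoint evidence confirms it, which is the case a network sensor alone cannot resolve; the file pivot finds 10.0.0.7, a host no network alert mentioned.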
EMA Perspective

Organizations today face a high level of complexity when trying to secure their systems and data and must address a stunning number of issues, such as the ever-expanding number and types of endpoints, the sophistication of threats being used against them, and the sheer amount of security data being produced and captured, to name a few. To deal with these issues, organizations need better information, analysis, and prioritization to identify and act on the most important security threats. Generally, organizations have relied on either endpoint- or network-sourced security data to make decisions. But in order to have optimal situational awareness they really need the combination of network and endpoint security data and the ability to enrich that data with metadata and use it for both detection and response. Only through this combination can organizations have all the information they need to effectively identify and respond to security threats.

RSA Security Analytics and ECAT provide an opportunity for security organizations to propel their security operations and analysts forward. Using a single interface with all the relevant data for both detection and investigation, combined with the drill-down and pivoting capability between the two products, allows a high degree of flexibility for the investigation of events and incidents.
When used together, RSA ECAT and RSA Security Analytics provide visibility and agility at levels unparalleled by other tools that use more limited data feeds. Together they provide a comprehensive security monitoring solution, accelerating incident detection and investigation and significantly reducing the time to resolve. This provides a high return on investment for both security and IT operations teams.

About RSA

RSA provides more than 30,000 customers around the world with the essential security capabilities to protect their most valuable assets from cyber threats. With RSA’s award-winning products, organizations effectively detect, investigate, and respond to advanced attacks; confirm and manage identities; and ultimately, reduce IP theft, fraud, and cybercrime.
About Enterprise Management Associates, Inc.

Founded in 1996, Enterprise Management Associates (EMA) is a leading industry analyst firm that provides deep insight across the full spectrum of IT and data management technologies. EMA analysts leverage a unique combination of practical experience, insight into industry best practices, and in-depth knowledge of current and planned vendor solutions to help EMA’s clients achieve their goals. Learn more about EMA research, analysis, and consulting services for enterprise line of business users, IT professionals and IT vendors at www.enterprisemanagement.com or blogs.enterprisemanagement.com. You can also follow EMA on Twitter, Facebook or LinkedIn.

This report in whole or in part may not be duplicated, reproduced, stored in a retrieval system or retransmitted without prior written permission of Enterprise Management Associates, Inc. All opinions and estimates herein constitute our judgement as of this date and are subject to change without notice. Product names mentioned herein may be trademarks and/or registered trademarks of their respective companies. “EMA” and “Enterprise Management Associates” are trademarks of Enterprise Management Associates, Inc. in the United States and other countries.

©2016 Enterprise Management Associates, Inc. All Rights Reserved. EMA™, ENTERPRISE MANAGEMENT ASSOCIATES®, and the mobius symbol are registered trademarks or common-law trademarks of Enterprise Management Associates, Inc.

Corporate Headquarters: 1995 North 57th Court, Suite 120, Boulder, CO 80301
Phone: +1 303.543.9500
Fax: +1 303.543.7687
www.enterprisemanagement.com
3334.021916