RSΛ NetWitness®
Suite
Detect Unknown Threats.
Reduce Dwell Time.
Accelerate Response.
Rohit Malhotra
email: rohit.malhotra@rsa.com
Organizations Face Difficult Security Challenges
GROWING SHORTAGE OF SKILLED SECURITY STAFF
A real scarcity of skilled security analysts forces enterprises to get creative to combat threats and protect the enterprise.
A GREATLY EXPANDING ATTACK SURFACE
More endpoints in the enterprise, in the field, and in the cloud mean more potential entry points for attacks.
MORE SOPHISTICATED ATTACK CAMPAIGNS
The days of simple, one-off malware are gone. Today's attacks are targeted, lengthy, and multifaceted.
“Organizations took weeks or more to discover that a breach even occurred.”
- Verizon 2016 Data Breach Report
So They Take Preventive Steps to Protect Themselves
[Diagram: confidential data and endpoints sit behind layered preventive controls: NGFW, IDS/IPS, SIEM, NGFW]
80% of security staff, budget, and activity is generally dedicated to preventive action.
But Breaches Still Occur. What's Happening?
[Diagram: the same layered controls (NGFW, IDS/IPS, SIEM, NGFW) in front of confidential data and endpoints, each annotated with why it misses the threat]
• NGAV misses the UNKNOWN, NEW threat
• Neither NGFW has a rule for or against the threat traffic
• IPS has no signature for the threat packets
• SIEM captures the logs, but will it trigger an alert?
Missing the Little Things Rapidly Adds Up to One Bigger Problem
How big is the compromise?
How long has it been there?
Just how bad is this?
What did the attacker do?
The security paradigm must change: from PREVENTION to DETECTION & RESPONSE
Shift priorities and capabilities
Today's priorities: Prevention, Response, Monitoring
Future state: Monitoring, Prevention, Response
Advanced Threats Are Different
[Timeline diagram: System Intrusion → Attack Begins → Cover-Up Complete → Discovery → Attack Identified → Response. Dwell Time spans intrusion to discovery; Response Time spans discovery to response. Two goals are marked: (1) decrease dwell time, (2) speed response time. "Leap Frog Attacks" is drawn inside the dwell-time window.]
Evolution of Threat Actors & Detection Implications
[Diagram: threat actors pass through the gaps ("whitespace") between Firewall, IDS/IPS, AntiVirus and Logs/SIEM to reach corporate assets; that whitespace is where successful hacks occur. Network Visibility and Endpoint Visibility are the labels placed over that whitespace.]
Complete visibility into every process and network session is required to eradicate the attacker's opportunity.
Unified platform for advanced threat detection & investigations: RSA Security Analytics
[Diagram: blocked sessions, an alert, a process and a network session all feed the Security Analytics platform]
Modular RSA Advanced SOC Solution
NETWORK FORENSICS
SIEM & BEYOND
ENDPOINT THREAT ANALYSIS
RSA NetWitness® Packets
Providing real-time analysis and full visibility of everything going in and out of your network.
• Shows how an attacker got in
• Shows what the attacker did
• Helps to determine the source of the attack
• Shows suspicious communication:
  • Beaconing
  • Data exfiltration
  • Outbound encrypted communication
  • Service communication over a non-standard port
• Detects advanced threats using behavior analytics
• Shows communication to and from the infected system
• See the complete attack picture
• Reconstruct the malicious payload or exploit
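Two of the "suspicious communication" checks above, beaconing and a service on a non-standard port, written out as detection logic. This is an added example, not RSA NetWitness code: it runs over constructed Zeek-style connection records embedded below, and the record layout, the EXPECTED_PORTS table and the 0.15 regularity threshold are assumptions chosen for illustration.

```python
"""Added example (not RSA code): beaconing and non-standard-port detection
over constructed Zeek conn.log-style records."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample, not real traffic:
# (ts_seconds, src_ip, dst_ip, dst_port, service, orig_bytes)
SAMPLE_CONNS = [
    # 10.0.0.5 calls 203.0.113.10:443 about every 60 s with ~1 s jitter,
    # sending a near-constant payload: the shape of a C2 check-in
    *[(t, "10.0.0.5", "203.0.113.10", 443, "ssl", 512 + (i % 2) * 8)
      for i, t in enumerate([0, 60, 121, 180, 241, 300, 359, 420, 480, 541])],
    # 10.0.0.7 browsing the same site: irregular timing, varying sizes
    (5, "10.0.0.7", "198.51.100.5", 443, "ssl", 1400),
    (12, "10.0.0.7", "198.51.100.5", 443, "ssl", 3200),
    (300, "10.0.0.7", "198.51.100.5", 443, "ssl", 900),
    (302, "10.0.0.7", "198.51.100.5", 443, "ssl", 15000),
    (900, "10.0.0.7", "198.51.100.5", 443, "ssl", 2100),
    (1500, "10.0.0.7", "198.51.100.5", 443, "ssl", 700),
    (1505, "10.0.0.7", "198.51.100.5", 443, "ssl", 4400),
    # SSH negotiated on a port a port-based firewall rule treats as HTTPS
    (700, "10.0.0.9", "198.51.100.20", 8443, "ssh", 2600),
    (710, "10.0.0.9", "198.51.100.20", 443, "ssl", 1200),
]

# Assumed mapping of parser-identified service to the ports it is expected on.
EXPECTED_PORTS = {
    "ssh": {22},
    "http": {80, 8080, 8000},
    "ssl": {443, 8443},
    "dns": {53},
}


def detect_beacons(conns, min_conns=6, max_cv=0.15):
    """Flag (src, dst, port) tuples whose inter-connection gaps are nearly
    constant. Regularity is measured as the coefficient of variation
    (stdev / mean) of the gaps, so a jittered beacon still scores low while
    human browsing scores high."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, _service, nbytes in conns:
        by_pair[(src, dst, port)].append((ts, nbytes))
    findings = []
    for (src, dst, port), events in by_pair.items():
        if len(events) < min_conns:
            continue  # too few samples to say anything about periodicity
        events.sort()
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue
        cv = pstdev(gaps) / avg_gap
        if cv <= max_cv:
            sizes = [n for _, n in events]
            findings.append({
                "src": src, "dst": dst, "port": port, "count": len(events),
                "interval_s": round(avg_gap, 1), "cv": round(cv, 3),
                # near-constant payload size is a second beacon indicator
                "size_cv": round(pstdev(sizes) / mean(sizes), 3),
            })
    return findings


def detect_nonstandard_ports(conns):
    """Flag sessions where the protocol identified from the payload does not
    match the destination port, which a port-based NGFW rule cannot see."""
    findings = []
    for ts, src, dst, port, service, _nbytes in conns:
        expected = EXPECTED_PORTS.get(service)
        if expected is not None and port not in expected:
            findings.append({"ts": ts, "src": src, "dst": dst,
                             "port": port, "service": service})
    return findings


if __name__ == "__main__":
    for f in detect_beacons(SAMPLE_CONNS):
        print("beacon:", f)
    for f in detect_nonstandard_ports(SAMPLE_CONNS):
        print("non-standard port:", f)
```

On the sample, only the 10.0.0.5 pair is reported as a beacon (ten connections, mean gap about 60 s, CV near 0.01) and only the SSH session on 8443 is reported as a non-standard port; the browsing traffic has a gap CV well above the threshold. Real deployments would key the beacon check on a sliding time window and whitelist known periodic clients (NTP, update agents) before alerting.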
Deep Network Forensics: 225+ metadata fields, including HTTP headers, basic packet capture, attachment, file fingerprints, session size, country src/dst, URL, hostname, IP alias, forwarded, directory, file packers, non-standard content type, Ethernet connection, embedded objects, top level domain, access criticality, SQL query, MAC address alias, email address, cookie, browser, credit cards, protocol fingerprints, database name, SSL CA/subject, URL in email, referrer, language, crypto type, PDF/Flash version, client/server application, user name, port, user agent, IP src/dst, session characteristics.
“You can't hide
a packet once
it's traversed the wire,
you can't unsend it”
A BALANCED APPROACH TO ENDPOINT SECURITY SOLUTION
[Diagram: Prevention → Detection → Remediation/Control]
EPP: for blocking and prevention
EDR: for rapid detection and response
Why RSA NetWitness Endpoint?
Detect by threat behavior rather than by signature: more rapidly expose new, unknown, and non-malware threats on endpoints.
Intelligent risk-level scoring system: eliminate white noise; prioritize threats more efficiently and accurately.
Rapid response enabled by full-scope visibility: provide all data needed to confirm threats and quickly take action.
Rapidly and Accurately Analyze ALL Threats
IP/Domain Information & Geo
Threat Intelligence + RSA Community
YARA Rules Engine
Blacklisting (Multi-A/V)
File / App Whitelisting & Reputation
“Gold Image” Baselining
Certificate Validation
Live Memory Analysis
Direct Physical Disk Inspection
User-Initiated Suspicious Behavior
Endpoint/Module Behavior Analytics
RSA NetWitness Endpoint combines multiple detection methodologies to
detect both KNOWN and UNKNOWN threats faster and more accurately.
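How several of the methodologies listed above combine in practice: "gold image" baselining (hash every module against the build the endpoint was deployed from), multi-A/V blacklisting hits and certificate status feeding one risk score per module. This is an added example, not RSA's scoring model or agent code: the gold image, the endpoint inventory, the user-writable path markers and the weights are constructed assumptions.

```python
"""Added example (not RSA NetWitness code): gold-image baselining plus an
additive per-module risk score over a constructed endpoint inventory."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed gold image: path -> file bytes (toy contents stand in for binaries).
GOLD_IMAGE_FILES = {
    r"C:\Windows\System32\svchost.exe": b"svchost build 1",
    r"C:\Windows\System32\lsass.exe": b"lsass build 1",
    r"C:\Program Files\App\app.exe": b"app build 1",
}
GOLD_HASHES = {path: sha256_hex(content) for path, content in GOLD_IMAGE_FILES.items()}

# Constructed inventory as an agent might report it: one record per loaded module.
ENDPOINT_MODULES = [
    {"path": r"C:\Windows\System32\svchost.exe", "sha256": sha256_hex(b"svchost build 1"),
     "signed": True, "av_hits": 0},
    # same path as the gold image, different bytes: a modified system binary
    {"path": r"C:\Windows\System32\lsass.exe", "sha256": sha256_hex(b"lsass build 1 + implant"),
     "signed": False, "av_hits": 0},
    # absent from the gold image, unsigned, flagged by 3 of the multi-A/V engines
    {"path": r"C:\Users\alice\AppData\Local\Temp\update.exe", "sha256": sha256_hex(b"dropper"),
     "signed": False, "av_hits": 3},
    {"path": r"C:\Program Files\App\app.exe", "sha256": sha256_hex(b"app build 1"),
     "signed": True, "av_hits": 0},
]

# Assumed markers for locations an ordinary user can write to.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\")


def classify_against_gold(module, gold_hashes):
    """'baseline' if path and hash match the gold image, 'modified' if the
    path is known but the hash differs, 'new' if the path is not in the image."""
    expected = gold_hashes.get(module["path"])
    if expected is None:
        return "new"
    return "baseline" if expected == module["sha256"] else "modified"


def score_module(module, gold_hashes):
    """Additive risk score capped at 100, with the contributing reasons.
    Weights are illustrative assumptions, not RSA's scoring model."""
    reasons = []
    status = classify_against_gold(module, gold_hashes)
    if status == "modified":
        reasons.append(("modified vs gold image", 40))
    elif status == "new":
        reasons.append(("not in gold image", 15))
    if not module["signed"]:
        reasons.append(("unsigned", 20))
    if module["av_hits"] > 0:
        reasons.append((f"{module['av_hits']} A/V engine hits", 25))
    if any(marker in module["path"].lower() for marker in USER_WRITABLE_MARKERS):
        reasons.append(("runs from user-writable path", 15))
    score = min(100, sum(weight for _, weight in reasons))
    return score, [reason for reason, _ in reasons]


def rank_endpoint(modules, gold_hashes):
    """Modules with a non-zero score, highest risk first, so the analyst
    sees the two suspicious modules and not the two clean ones."""
    scored = []
    for module in modules:
        score, reasons = score_module(module, gold_hashes)
        if score:
            scored.append({"path": module["path"], "score": score, "reasons": reasons})
    return sorted(scored, key=lambda entry: entry["score"], reverse=True)


if __name__ == "__main__":
    for entry in rank_endpoint(ENDPOINT_MODULES, GOLD_HASHES):
        print(entry["score"], entry["path"], "; ".join(entry["reasons"]))
```

With this inventory the dropper in the user's Temp directory scores 75 and the altered lsass.exe scores 60; the two modules that still match the gold image score 0 and are not shown. The modified-system-binary case is the one signature-based tools miss entirely: nothing about the file is "known bad", it simply is not the file the image shipped with.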
How Customers Use RSA NetWitness Endpoint
Proactive Assessments of Key Assets
Selectively deploy, monitor, and protect your most valuable, at-risk corporate assets
Protective Endpoint Monitoring and Alerting
Gain greater visibility, detect threats faster, and focus response more effectively
Hunting Tool for Incident Response
Investigate compromised systems to collect incident data for forensic analysis
Deeper Understanding of the Full Scope of an Incident
Fully eradicate a threat actor by leveraging both network and endpoint visibility and analysis
Detect Unknown Threats. Reduce Dwell Time. Accelerate Response: Gartner
"Traditional defense-in-depth components are still necessary, but are no longer sufficient in protecting against advanced targeted attacks and advanced malware" – Gartner
Source: Gartner's "Five Styles of Advanced Threat Defense"
[Diagram: the five styles placed on a grid of "Where to Look" (Network / Payload / Endpoint) against Time; the deck tags four of them as covered by RSA]
• Network: Network Traffic Analysis (RSA), Network Forensics (RSA)
• Payload: Payload Analysis
• Endpoint: Endpoint Behavior Analysis (RSA), Endpoint Forensics (RSA)
Detect Unknown Threats. Reduce Dwell Time. Accelerate Response: Frost & Sullivan
The network security team at Frost and Sullivan views Advanced Persistent Threat (APT) defense as not a singular technology, but rather as a collection of technologies used in concert.
Network security forensics is the requisite technology used when a suspected security breach has occurred.
What Do Organizations Need to Be Successful?
• Effective means to help overburdened and unfocused security teams investigate and respond rapidly to REAL threats.
• Capabilities to accurately detect new, never-seen-before, targeted and even "file-less" threats on their endpoints.
• Deep visibility and insight into everything that is actually happening on their endpoints at any time.
Must be ARMED to quickly identify and respond to attacks before they can damage the business.
Constant compromise does not mean constant loss. Security attacks are inevitable.
THANK YOU

More Related Content

What's hot

ION-E Defense In Depth Presentation for The Institiute of Internal Auditors
ION-E Defense In Depth Presentation for The Institiute of Internal AuditorsION-E Defense In Depth Presentation for The Institiute of Internal Auditors
ION-E Defense In Depth Presentation for The Institiute of Internal Auditors
mdagrossa
 

What's hot (20)

Game Changing Cyber Defensive Strategies for 2019
Game Changing Cyber Defensive Strategies for 2019Game Changing Cyber Defensive Strategies for 2019
Game Changing Cyber Defensive Strategies for 2019
 
Addressing the cyber kill chain
Addressing the cyber kill chainAddressing the cyber kill chain
Addressing the cyber kill chain
 
ION-E Defense In Depth Presentation for The Institiute of Internal Auditors
ION-E Defense In Depth Presentation for The Institiute of Internal AuditorsION-E Defense In Depth Presentation for The Institiute of Internal Auditors
ION-E Defense In Depth Presentation for The Institiute of Internal Auditors
 
Journey to the Center of Security Operations
Journey to the Center of Security OperationsJourney to the Center of Security Operations
Journey to the Center of Security Operations
 
The Cost of Doing Nothing: A Ransomware Backup Story
The Cost of Doing Nothing: A Ransomware Backup StoryThe Cost of Doing Nothing: A Ransomware Backup Story
The Cost of Doing Nothing: A Ransomware Backup Story
 
Cyber Kill Chain Deck for General Audience
Cyber Kill Chain Deck for General AudienceCyber Kill Chain Deck for General Audience
Cyber Kill Chain Deck for General Audience
 
You can't detect what you can't see illuminating the entire kill chain
You can't detect what you can't see   illuminating the entire kill chainYou can't detect what you can't see   illuminating the entire kill chain
You can't detect what you can't see illuminating the entire kill chain
 
Understanding Cyber Kill Chain and OODA loop
Understanding Cyber Kill Chain and OODA loopUnderstanding Cyber Kill Chain and OODA loop
Understanding Cyber Kill Chain and OODA loop
 
Cyber Kill Chain vs. Cyber Criminals
Cyber Kill Chain vs. Cyber CriminalsCyber Kill Chain vs. Cyber Criminals
Cyber Kill Chain vs. Cyber Criminals
 
Introduction to Advanced Persistent Threats (APT) for Non-Security Engineers
Introduction to Advanced Persistent Threats (APT) for Non-Security EngineersIntroduction to Advanced Persistent Threats (APT) for Non-Security Engineers
Introduction to Advanced Persistent Threats (APT) for Non-Security Engineers
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
 
Critical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You BuyCritical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You Buy
 
Security Analytics for Data Discovery - Closing the SIEM Gap
Security Analytics for Data Discovery - Closing the SIEM GapSecurity Analytics for Data Discovery - Closing the SIEM Gap
Security Analytics for Data Discovery - Closing the SIEM Gap
 
Defense In Depth Using NIST 800-30
Defense In Depth Using NIST 800-30Defense In Depth Using NIST 800-30
Defense In Depth Using NIST 800-30
 
Ransomware Detection: Don’t Pay Up. Backup.
Ransomware Detection:  Don’t Pay Up. Backup.Ransomware Detection:  Don’t Pay Up. Backup.
Ransomware Detection: Don’t Pay Up. Backup.
 
Extending Your Network Cloud Security to AWS
Extending Your Network Cloud Security to AWSExtending Your Network Cloud Security to AWS
Extending Your Network Cloud Security to AWS
 
Practical Enterprise Security Architecture
Practical Enterprise Security Architecture  Practical Enterprise Security Architecture
Practical Enterprise Security Architecture
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat Modelling
 
Corporate threat vector and landscape
Corporate threat vector and landscapeCorporate threat vector and landscape
Corporate threat vector and landscape
 
Shah Sheikh / ISACA UAE - Deep Dive on Evasive Malware
Shah Sheikh / ISACA UAE - Deep Dive on Evasive MalwareShah Sheikh / ISACA UAE - Deep Dive on Evasive Malware
Shah Sheikh / ISACA UAE - Deep Dive on Evasive Malware
 

Viewers also liked

Viewers also liked (19)

ABC of Infosec
ABC of InfosecABC of Infosec
ABC of Infosec
 
Cyber Crime Management
Cyber Crime ManagementCyber Crime Management
Cyber Crime Management
 
State of the Internet: Mirai, IOT and History of Botnets
State of the Internet: Mirai, IOT and History of BotnetsState of the Internet: Mirai, IOT and History of Botnets
State of the Internet: Mirai, IOT and History of Botnets
 
Is Cyber Security the Elephant in the Boardroom?
Is Cyber Security the Elephant in the Boardroom? Is Cyber Security the Elephant in the Boardroom?
Is Cyber Security the Elephant in the Boardroom?
 
Get the Basics Right
Get the Basics RightGet the Basics Right
Get the Basics Right
 
Security Incident Response Readiness Survey
Security Incident Response Readiness Survey  Security Incident Response Readiness Survey
Security Incident Response Readiness Survey
 
Cybersecurity: Mock Cyberwar Game
Cybersecurity: Mock Cyberwar Game   Cybersecurity: Mock Cyberwar Game
Cybersecurity: Mock Cyberwar Game
 
Upgrading Your Firewall? Its Time for an Inline Security Fabric
Upgrading Your Firewall? Its Time for an Inline Security FabricUpgrading Your Firewall? Its Time for an Inline Security Fabric
Upgrading Your Firewall? Its Time for an Inline Security Fabric
 
Sumit dhar
Sumit dharSumit dhar
Sumit dhar
 
SMAC in Healthcare: Arvind Sivaramakrishnan, CIO Apollo Hospitals
SMAC in Healthcare:   Arvind Sivaramakrishnan, CIO Apollo HospitalsSMAC in Healthcare:   Arvind Sivaramakrishnan, CIO Apollo Hospitals
SMAC in Healthcare: Arvind Sivaramakrishnan, CIO Apollo Hospitals
 
Preparing for the Future Innovation in Digital Healthcare: Manas Tripathi
Preparing for the Future Innovation in Digital Healthcare: Manas TripathiPreparing for the Future Innovation in Digital Healthcare: Manas Tripathi
Preparing for the Future Innovation in Digital Healthcare: Manas Tripathi
 
Be the Hunter
Be the Hunter Be the Hunter
Be the Hunter
 
ciso-platform-annual-summit-2013-Fgont-ipv6-myths-dynamic
ciso-platform-annual-summit-2013-Fgont-ipv6-myths-dynamicciso-platform-annual-summit-2013-Fgont-ipv6-myths-dynamic
ciso-platform-annual-summit-2013-Fgont-ipv6-myths-dynamic
 
Don’t Just Trust Cloud Providers - How To Audit Cloud Providers
Don’t Just Trust Cloud Providers - How To Audit Cloud ProvidersDon’t Just Trust Cloud Providers - How To Audit Cloud Providers
Don’t Just Trust Cloud Providers - How To Audit Cloud Providers
 
EWD 3トレーニングコース#3 EWD 3 モジュールの概要
EWD 3トレーニングコース#3 EWD 3 モジュールの概要EWD 3トレーニングコース#3 EWD 3 モジュールの概要
EWD 3トレーニングコース#3 EWD 3 モジュールの概要
 
Take Control of Your Imaging and Printing: Siva Kumar
Take Control of Your Imaging and Printing: Siva KumarTake Control of Your Imaging and Printing: Siva Kumar
Take Control of Your Imaging and Printing: Siva Kumar
 
CIO Productivity Conclave 2016
CIO Productivity Conclave 2016CIO Productivity Conclave 2016
CIO Productivity Conclave 2016
 
Enabling the Future of Healthcare Through Integration and Interoperability: V...
Enabling the Future of Healthcare Through Integration and Interoperability: V...Enabling the Future of Healthcare Through Integration and Interoperability: V...
Enabling the Future of Healthcare Through Integration and Interoperability: V...
 
IT to IoT: The Journey to Nextgen - By Rajesh Batra
IT to IoT: The Journey to Nextgen - By Rajesh BatraIT to IoT: The Journey to Nextgen - By Rajesh Batra
IT to IoT: The Journey to Nextgen - By Rajesh Batra
 

Similar to Detect Unknown Threats, Reduce Dwell Time, Accelerate Response

Revolutionizing Advanced Threat Protection
Revolutionizing Advanced Threat ProtectionRevolutionizing Advanced Threat Protection
Revolutionizing Advanced Threat Protection
Blue Coat
 
NetSecurity_ThreatResponder(r)_Capability_Brief_021116_Rev0
NetSecurity_ThreatResponder(r)_Capability_Brief_021116_Rev0NetSecurity_ThreatResponder(r)_Capability_Brief_021116_Rev0
NetSecurity_ThreatResponder(r)_Capability_Brief_021116_Rev0
James Perry, Jr.
 
CYBER SECURITY CAREER GUIDE CHEAT SHEET
CYBER SECURITY CAREER GUIDE CHEAT SHEETCYBER SECURITY CAREER GUIDE CHEAT SHEET
CYBER SECURITY CAREER GUIDE CHEAT SHEET
TravarsaPrivateLimit
 
Honeypots for Cloud Providers - SDN World Congress
Honeypots for Cloud Providers - SDN World CongressHoneypots for Cloud Providers - SDN World Congress
Honeypots for Cloud Providers - SDN World Congress
Vallie Joseph
 

Similar to Detect Unknown Threats, Reduce Dwell Time, Accelerate Response (20)

Prezentare_RSA.pptx
Prezentare_RSA.pptxPrezentare_RSA.pptx
Prezentare_RSA.pptx
 
Applied cognitive security complementing the security analyst
Applied cognitive security complementing the security analyst Applied cognitive security complementing the security analyst
Applied cognitive security complementing the security analyst
 
Revolutionizing Advanced Threat Protection
Revolutionizing Advanced Threat ProtectionRevolutionizing Advanced Threat Protection
Revolutionizing Advanced Threat Protection
 
NetSecurity_ThreatResponder(r)_Capability_Brief_021116_Rev0
NetSecurity_ThreatResponder(r)_Capability_Brief_021116_Rev0NetSecurity_ThreatResponder(r)_Capability_Brief_021116_Rev0
NetSecurity_ThreatResponder(r)_Capability_Brief_021116_Rev0
 
Security and-visibility
Security and-visibilitySecurity and-visibility
Security and-visibility
 
CYBER SECURITY CAREER GUIDE CHEAT SHEET
CYBER SECURITY CAREER GUIDE CHEAT SHEETCYBER SECURITY CAREER GUIDE CHEAT SHEET
CYBER SECURITY CAREER GUIDE CHEAT SHEET
 
CSF18 - Incident Response in the Cloud - Yuri Diogenes
CSF18 - Incident Response in the Cloud - Yuri DiogenesCSF18 - Incident Response in the Cloud - Yuri Diogenes
CSF18 - Incident Response in the Cloud - Yuri Diogenes
 
NetWitness
NetWitnessNetWitness
NetWitness
 
How to protect your corporate from advanced attacks
How to protect your corporate from advanced attacksHow to protect your corporate from advanced attacks
How to protect your corporate from advanced attacks
 
Eximbank security presentation
Eximbank security presentationEximbank security presentation
Eximbank security presentation
 
Honeypots for Cloud Providers - SDN World Congress
Honeypots for Cloud Providers - SDN World CongressHoneypots for Cloud Providers - SDN World Congress
Honeypots for Cloud Providers - SDN World Congress
 
LIFT OFF 2017: Transforming Security
LIFT OFF 2017: Transforming SecurityLIFT OFF 2017: Transforming Security
LIFT OFF 2017: Transforming Security
 
A Vision for Shared, Central Intelligence to Ebb a Growing Flood of Alerts
A Vision for Shared, Central Intelligence  to Ebb a Growing Flood of AlertsA Vision for Shared, Central Intelligence  to Ebb a Growing Flood of Alerts
A Vision for Shared, Central Intelligence to Ebb a Growing Flood of Alerts
 
Cybersecurity - Jim Butterworth
Cybersecurity - Jim ButterworthCybersecurity - Jim Butterworth
Cybersecurity - Jim Butterworth
 
Managing Cyber Security Risks
Managing Cyber Security RisksManaging Cyber Security Risks
Managing Cyber Security Risks
 
2° Ciclo Microsoft Fondazione CRUI 7° Seminario: Proteggersi dai Cyber Attack...
2° Ciclo Microsoft Fondazione CRUI 7° Seminario: Proteggersi dai Cyber Attack...2° Ciclo Microsoft Fondazione CRUI 7° Seminario: Proteggersi dai Cyber Attack...
2° Ciclo Microsoft Fondazione CRUI 7° Seminario: Proteggersi dai Cyber Attack...
 
Why Penetration Testing Services Cyber51
Why Penetration Testing Services Cyber51Why Penetration Testing Services Cyber51
Why Penetration Testing Services Cyber51
 
Anton Chuvakin on Threat and Vulnerability Intelligence
Anton Chuvakin on Threat and Vulnerability IntelligenceAnton Chuvakin on Threat and Vulnerability Intelligence
Anton Chuvakin on Threat and Vulnerability Intelligence
 
Asegurarme de la Seguridad?, Un Vistazo al Penetration Testing
Asegurarme de la Seguridad?, Un Vistazo al Penetration TestingAsegurarme de la Seguridad?, Un Vistazo al Penetration Testing
Asegurarme de la Seguridad?, Un Vistazo al Penetration Testing
 
AlienVault MSSP Overview - A Different Approach to Security for MSSP's
AlienVault MSSP Overview - A Different Approach to Security for MSSP'sAlienVault MSSP Overview - A Different Approach to Security for MSSP's
AlienVault MSSP Overview - A Different Approach to Security for MSSP's
 

More from Rahul Neel Mani

More from Rahul Neel Mani (15)

7th Annual DynamicCISO Summit & Excellence Awards 2020 Report
7th Annual DynamicCISO Summit & Excellence Awards 2020 Report7th Annual DynamicCISO Summit & Excellence Awards 2020 Report
7th Annual DynamicCISO Summit & Excellence Awards 2020 Report
 
TweetChat - A Grey Head Digital Initiative
TweetChat - A Grey Head Digital InitiativeTweetChat - A Grey Head Digital Initiative
TweetChat - A Grey Head Digital Initiative
 
Cybersecurity: Glimpses from the 2017
Cybersecurity: Glimpses from the 2017Cybersecurity: Glimpses from the 2017
Cybersecurity: Glimpses from the 2017
 
5th Annual DynamicCISO Summit 9-10 March 2018, Mumbai
5th Annual DynamicCISO Summit 9-10 March 2018, Mumbai5th Annual DynamicCISO Summit 9-10 March 2018, Mumbai
5th Annual DynamicCISO Summit 9-10 March 2018, Mumbai
 
CIO Productivity Conclave 2017
CIO Productivity Conclave 2017 CIO Productivity Conclave 2017
CIO Productivity Conclave 2017
 
Being a Digital Industrial By Anthony Thomas, Group Chief Information Officer...
Being a Digital Industrial By Anthony Thomas, Group Chief Information Officer...Being a Digital Industrial By Anthony Thomas, Group Chief Information Officer...
Being a Digital Industrial By Anthony Thomas, Group Chief Information Officer...
 
Key Imperatives for the CIO in Digital Age By Lalatendu Das Digital VP, Assoc...
Key Imperatives for the CIO in Digital Age By Lalatendu Das Digital VP, Assoc...Key Imperatives for the CIO in Digital Age By Lalatendu Das Digital VP, Assoc...
Key Imperatives for the CIO in Digital Age By Lalatendu Das Digital VP, Assoc...
 
Traversing the Digital Vortex, Lux Rao, Director & Leader, Digital Transforma...
Traversing the Digital Vortex, Lux Rao, Director & Leader, Digital Transforma...Traversing the Digital Vortex, Lux Rao, Director & Leader, Digital Transforma...
Traversing the Digital Vortex, Lux Rao, Director & Leader, Digital Transforma...
 
Mobile First Healthcare: Chris Kozup Aruba (HPE)
Mobile First Healthcare: Chris Kozup Aruba (HPE)Mobile First Healthcare: Chris Kozup Aruba (HPE)
Mobile First Healthcare: Chris Kozup Aruba (HPE)
 
Can India Really Achieve the Stiff Target of Digital Healthcare?
Can India Really Achieve the Stiff Target of Digital Healthcare?Can India Really Achieve the Stiff Target of Digital Healthcare?
Can India Really Achieve the Stiff Target of Digital Healthcare?
 
Becoming Future Ready: Building New Capabilities to Thrive
Becoming Future Ready: Building New Capabilities to ThriveBecoming Future Ready: Building New Capabilities to Thrive
Becoming Future Ready: Building New Capabilities to Thrive
 
Who Will Manage the Growing Web: Growing Internet and Shortfall of Cybersecur...
Who Will Manage the Growing Web: Growing Internet and Shortfall of Cybersecur...Who Will Manage the Growing Web: Growing Internet and Shortfall of Cybersecur...
Who Will Manage the Growing Web: Growing Internet and Shortfall of Cybersecur...
 
Preventing Social Engineering Attacks: The Critical Elements
Preventing Social Engineering Attacks: The Critical ElementsPreventing Social Engineering Attacks: The Critical Elements
Preventing Social Engineering Attacks: The Critical Elements
 
Threat Exposure Management - Reduce your Risk of a Breach
Threat Exposure Management - Reduce your Risk of a BreachThreat Exposure Management - Reduce your Risk of a Breach
Threat Exposure Management - Reduce your Risk of a Breach
 
Challenges of Vulnerability Management
 Challenges of Vulnerability Management Challenges of Vulnerability Management
Challenges of Vulnerability Management
 

Recently uploaded

Breaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdfBreaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
UK Journal
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
FIDO Alliance
 

Recently uploaded (20)

WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM Performance
 
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - Questionnaire
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform Engineering
 
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdfBreaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
 
Your enemies use GenAI too - staying ahead of fraud with Neo4j
Your enemies use GenAI too - staying ahead of fraud with Neo4jYour enemies use GenAI too - staying ahead of fraud with Neo4j
Your enemies use GenAI too - staying ahead of fraud with Neo4j
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptx
 
Intro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераIntro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджера
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentation
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
 
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The InsideCollecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch Tuesday
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptx
 
Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream Processing
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024
 

Detect Unknown Threats, Reduce Dwell Time, Accelerate Response

  • 1. RSΛ NetWitness® Suite Detect Unknown Threats. Reduce Dwell Time. Accelerate Response. Rohit Malhotra email: rohit.malhotra@rsa.com
  • 2. Organizations Face Difficult Security Challenges A real scarcity of skilled security analysts forces enterprises to get creative to combat threats and protect the enterprise. GROWING SHORTAGE OF SKILLED SECURITY STAFF More Endpoints in the enterprise, in the field, and in the cloud means more potential entry points for attacks. A GREATLY EXPANDING ATTACK SURFACE The days of simple malware or APTs are gone. Today’s attacks are targeted, lengthy, and multifaceted. MORE SOPHISTICATED ATTACK CAMPAIGNS “Organizations took weeks or more to discover that a breach even occurred.” - Verizon 2016 Data Breach Report
  • 3. So They Take Preventive Steps to Protect Themselves Confidential Data Endpoints NGFW IDS / IPS SIEM NGFW 80% of security staff, budget, and activity is generally dedicated to preventive action
  • 4. But Breaches Still Occur. What’s Happening? Confidential Data Endpoints NGFW IDS / IPS SIEM NGFW NGAV misses UNKNOWN, NEW threat NGFW has no rule for/against threat traffic IPS has no signature for the threat packets SIEM captures logs, but will it trigger an alert? NGFW has no rule for/against threat traffic Missing the Little Things Rapidly Adds Up to One Bigger Problem How big is the compromise? How long has it been there? Just how bad is this? What did the attacker do?
  • 5. 5 The security paradigm must change PREVENTION DETECTION & RESPONSE
  • 6. Shift priorities and capabilities Today’s Priorities Prevention Response Monitoring Monitoring Prevention Response Future State 6
  • 7. Advanced Threats Are Different Speed Response Time2Decrease Dwell Time1 TIME Attack Identified Response System Intrusion Attack Begins Cover-Up Complete Cover-Up Discovery Leap Frog Attacks Dwell Time Response Time
  • 8. Evolution of Threat Actors & Detection Implications Firewall Threat Actors IDS/IPS AntiVirus Corporate Assets Whitespace Successful HACKS Network Visibility Endpoint Visibility Logs/SIEM Complete visibility into every process and network sessions is required to eradicate the attacker opportunity. Unified platform for advanced threat detection & investigations Blocked Session Blocked Session Blocked Session Alert Process Network Session SecurityAnalytics RSA Security Analytics
  • 9. ModularRSA Advanced SOC Solution NETWORK FORENSICS SIEM & BEYOND ENDPOINT THREAT ANALYSIS
  • 10. • Shows how an attacker got in • Shows what the attacker did • Helps to determine the source of the attack • Shows suspicious communication • Beaconing • Data Exfiltration • Outbound encrypted communication • Service communication over a non-standard port • Detect advanced threats using Behavior Analytics • Communication to and from the infected system • See the complete attack picture • Reconstruct the malicious payload or exploit RSA NetWitness® Packets Providing real-time analysis and full visibility of everything going in and out of your network.
  • 11. HTTP Headers Basic Packet Capture Attachment File Fingerprints Session Size Country Src/Dst URL Hostname IP Alias Forwarded Directory File Packers Non Standard Content Type Ethernet Connection Embedded Objects Top Level Domain Access Criticality Sql Query Mac Address Alias Email Address Cookie Browser Credit Cards Protocol Fingerprints Database Name SSL CA/Subject URL in Email Referrer Language Crypto Type PDF/ Flash Version Client/Server Application User Name Port User Agent IP Src/Dst Session Characteristics Deep Network Forensics 225+ metadata fields “You can't hide a packet once it's traversed the wire, you can't unsend it”
  • 12. A Balanced Approach to Endpoint Security Solution: Prevention, Detection, Remediation/Control. EPP: for blocking and prevention. EDR: for rapid detection and response.
  • 13. Why RSA NetWitness Endpoint?
    • Detect by threat behavior rather than by signature: more rapidly expose new, unknown, and non-malware threats on endpoints
    • Intelligent risk-level scoring system: eliminate white noise; prioritize threats more efficiently & accurately
    • Rapid response enabled by full-scope visibility: provide all data needed to confirm threats and quickly take action
    (risk score graphic)
  • 14. Rapidly and Accurately Analyze ALL Threats. RSA NetWitness Endpoint combines multiple detection methodologies to detect both KNOWN and UNKNOWN threats faster and more accurately: IP/domain information & geo; threat intelligence + RSA Community; YARA rules engine; blacklisting (multi-A/V); file/app whitelisting & reputation; “gold image” baselining; certificate validation; live memory analysis; direct physical disk inspection; user-initiated suspicious behavior; endpoint/module behavior analytics. (risk score graphic)
  • 15. How Customers Use RSA NetWitness Endpoint
    • Proactive assessments of key assets: selectively deploy, monitor, and protect your most valuable, at-risk corporate assets
    • Protective endpoint monitoring and alerting: gain greater visibility, detect threats faster, and focus response more effectively
    • Hunting tool for incident response: investigate compromised systems to collect incident data for forensic analysis
    • Deeper understanding of the full scope of an incident: fully eradicate a threat actor by leveraging both network and endpoint visibility and analysis
  • 16. Detect Unknown Threats. Reduce Dwell Time. Accelerate Response – Gartner. “Traditional defense-in-depth components are still necessary, but are no longer sufficient in protecting against advanced targeted attacks and advanced malware” – Gartner. Source: Gartner’s “Five Styles of Advanced Threat Defense”. The five styles are plotted by where to look (network, payload, endpoint) against time, with RSA marked against each: Network Traffic Analysis (RSA), Payload Analysis (RSA), Endpoint Behavior Analysis (RSA), Network Forensics (RSA), Endpoint Forensics (RSA).
  • 17. Detect Unknown Threats. Reduce Dwell Time. Accelerate Response - Frost & Sullivan. The network security team at Frost & Sullivan views Advanced Persistent Threat (APT) defense not as a singular technology, but rather as a collection of technologies used in concert. Network security forensics is the requisite technology used when a suspected security breach has occurred.
  • 18. What Do Organizations Need to Be Successful?
    • Effective means to help overburdened and unfocused security teams investigate and respond rapidly to REAL threats
    • Capabilities to accurately detect new, never-seen-before, targeted and even “file-less” threats on their endpoints
    • Deep visibility and insight into everything that is actually happening on their endpoints at any time
  • 19. Security Attacks Are Inevitable. Constant compromise does not mean constant loss. Organizations must be ARMED to quickly identify and respond to attacks before they can damage the business.

Editor's Notes

  1. We need to fundamentally change our approach. We have to acknowledge that in today’s modern enterprise, we cannot rely on prevention based on static rules or prior knowledge. Instead, we must develop and improve our ability to detect compromises and rapidly take the right measures to respond in order to minimize damage or loss to the organization.
  2. Despite many organizations acknowledging the need to change or improve, they continue to pursue the same failed strategies. Organizations must radically shift priorities, technologies, and resources. The vast majority of the spend is still preventative and perimeter-based. RSA research indicates that 80% of security staff, budget, activity and tools today are focused on prevention. Monitoring and response lag behind, and even the monitoring spend is today heavily weighted toward ineffective, incomplete approaches. Going forward, there needs to be a much more even split of resources across prevention, monitoring, and response. Without rebalancing these resources, it will become increasingly difficult to detect a breach in a timely fashion and to respond fast enough to avoid loss.
  3. How are today’s threats different? It’s not just that they are more sophisticated, but attack methods have fundamentally changed. First, they are targeted, with a specific objective. Previously, we may have seen threats such as mass malware that can infect PCs or random attacks on unnecessary services running on external-facing servers. Advanced threats typically use custom malware that targets an individual or group of employees at a specific organization. The attackers are seeking specific information – intellectual property or confidential documents. And their entry point to the organization is the compromise of an individual user’s credentials, which they can use to establish a non-suspicious initial foothold in their target organization. Second, once their initial intrusion is successful, advanced attackers are much stealthier. Unlike a “smash and grab” password theft or website defacement, advanced attackers seek to remain hidden inside the organization, establishing multiple footholds in case their initial access is shut down, and keeping suspicious activity that might alert security operations teams to a minimum as they seek their target. They cover their tracks by erasing logs and other evidence of their activity. And they are much more interactive. They don’t follow set scripts. They react to being detected and having access shut down by coming in through another backdoor they established and using different tactics than the ones that led to their discovery. Against these fundamentally different attacks, we need a fundamentally different response. We need to spend less time trying to keep attackers out and focus instead on accelerating our ability to detect and respond to intrusions, and on reducing the amount of time they are in the network (which we call “dwell time”). Our goal is to ensure that intrusion and compromise do not result in business damage or loss.
  4. KEY TAKEAWAY: organizations don’t need to deploy everything; they can pick the part of the solution that is right for them. As they grow, everything is integrated and seamless, so the solution will grow with them. Choose the full solution or augment existing tools with RSA’s flexible, modular approach:
    • Enhance or replace your existing SIEM’s capabilities with better visibility, analysis and workflow
    • Evolve from a log-centric view with network packet capture to enable deep network forensics and detection
    • Augment traditional AV with advanced endpoint malware detection
    • Use out-of-the-box integrations and open APIs to integrate with existing systems and applications within your SOC
  5. RSA performs deep data enrichment right at the time of capture, making it much faster and more valuable for analysis in the midst of an investigation. This includes additional context such as asset criticality, vulnerability data, risk level, event type, event source, device information, IP information, configuration data, etc. This is unlike other packet capture solutions, such as those provided by IBM and Solera, which perform only very basic enrichment around generic session information (like source IP address, destination IP address, protocol) but don’t give the same depth of enrichment as SA. THIS MEANS that there are more clues for the system to detect and the analyst to investigate, so they can quickly detect and investigate issues. An example is a PDF file with executable content – no other packet capture solution can spot and recreate it. The enrichment on capture also makes the data much faster to query for analysis and reporting. NOTE: The metadata includes session-based details to lead the analyst to the right answer. NOTE: SA maintains the link between the sessionized data and the raw data, which is how it is so fast on retrieval and reconstruction. Faster than other packet capture tools.
  6. Key takeaway: others offer some simple characteristics seen with basic packet capture; we go way beyond with deep network forensics generating hundreds of metadata fields. This detail, thanks to capture-time data enrichment, really sets us apart and gives analysts the ability to spot more attacks and investigate with incredible detail.
  7. Here is a way that Gartner looks at the problem. We know that traditional defense-in-depth components are still necessary, but are no longer sufficient on their own when facing the sophistication of today’s targeted attacks. Instead, we need to look across data sets (network, packets, and endpoint) – as well as across time. We must bring all the data together, analyze it, and react quickly. Each ‘style’ or category listed above is compulsory, but even the best technology, left alone in its own silo, cannot meet the needs of today’s security operations centers. We believe that today’s organizations need to be able to look across multiple datasets with deep visibility to the endpoint, analyze that data in real time, and also understand it with the perspective of time in order to portray the most accurate picture of what happened, how, and why. This enables teams to understand priority and the full scope of the attack.