We have to acknowledge that in today’s modern enterprise, we cannot rely on prevention based on static rules or prior knowledge.
Instead, we must develop and improve our ability to detect compromises and rapidly take the right measures to respond in order to minimize damage or loss to the organization.
Despite many organizations acknowledging the need to change or improve, they continue to pursue the same failed strategies. Organizations must radically shift priorities, technologies, and resources.
The vast majority of the spend is still preventative and perimeter-based. RSA research indicates that 80% of security staff and budgets, activity and tools, today are focused on prevention. Monitoring and response lag, and even the monitoring spend is today heavily weighted toward ineffective, incomplete approaches.
Going forward, there needs to be a much more even split of resources across prevention, monitoring, and response. Without rebalancing these resources, it will become increasingly difficult to have the ability to detect a breach in a timely fashion and have the capability to respond fast enough to avoid loss.
How are today’s threats different? It’s not just that they are more sophisticated, but attack methods have fundamentally changed.
First, they are targeted, with a specific objective. Previously, we may have seen threats such as mass malware that can infect PCs, or random attacks on unnecessary services running on external-facing servers. Advanced threats typically use custom malware that targets an individual or group of employees at a specific organization. The attackers are seeking specific information: intellectual property or confidential documents. And their entry point to the organization is the compromise of an individual user’s credentials, which they can use to establish a non-suspicious initial foothold in their target organization.
Second, once their initial intrusion is successful, advanced attackers are much more stealthy. Unlike a “smash and grab” password theft or website defacement, advanced attackers seek to remain hidden inside the organization, establishing multiple footholds in case their initial access is shut down, and keeping suspicious activity that might alert security operations teams to a minimum as they seek their target. They cover their tracks by erasing logs and other evidence of their activity.
And they are much more interactive. They don’t follow set scripts. They react to being detected and having access shut down by coming in through another backdoor they established and using different tactics than the ones that led to their discovery.
Against these fundamentally different attacks, we need a fundamentally different response. We need to spend less time trying to keep attackers out, and focus instead on accelerating our ability to detect and respond to intrusions and on reducing the amount of time they are in the network (which we call “dwell time”). Our goal is to ensure that intrusion and compromise do not result in business damage or loss.
KEY TAKEAWAY: organizations don’t need to deploy everything; they can pick the part of the solution that is right for them. As they grow, everything is integrated and seamless, so the solution will grow with them.
Choose the full solution or augment existing tools with RSA’s flexible, modular approach:
• Enhance or replace your existing SIEM’s capabilities with better visibility, analysis and workflow.
• Evolve from a log-centric view with network packet capture to enable deep network forensics and detection.
• Augment traditional AV with advanced endpoint malware detection.
• Use out-of-the-box integrations and open APIs to integrate with existing systems and applications within your SOC.
RSA performs deep data enrichment right at the time of capture, making it much faster and more valuable for analysis in the midst of an investigation. This includes additional context such as asset criticality, vulnerability data, risk level, event type, event source, device information, IP information, configuration data, etc. Other packet capture solutions, such as those provided by IBM and Solera, perform only very basic enrichment around generic session information (source IP address, destination IP address, protocol) and don’t give the same depth of enrichment as SA. THIS MEANS that there are more clues for the system to detect and for the analyst to investigate, so they can quickly detect and investigate issues. An example is a PDF file with executable content; no other packet capture solution can spot and recreate it. The enrichment on capture also makes the data much faster to query for analysis and reporting.
NOTE: The metadata includes session-based details to lead the analyst to the right answer.
NOTE: SA maintains the link between the sessionized data and the raw data, which is how it’s so fast on retrieval and reconstruction. Faster than other packet capture tools.
Key takeaway: Others offer some simple characteristics seen with basic packet capture; we go way beyond that with deep network forensics, generating hundreds of metadata fields.
This detail, thanks to capture-time data enrichment, really sets us apart and gives analysts the ability to spot more attacks and investigate with incredible detail.
Here is a way that Gartner looks at the problem.
We know that traditional defense-in-depth components are still necessary, but they are no longer sufficient on their own when facing the sophistication of today’s targeted attacks. Instead, we need to look across data sets (network, packets, and endpoint) as well as across time. We must bring all the data together, analyze it, and react quickly. Each ‘style’ or category listed above is compulsory, but even the best technology, left alone in its own silo, cannot meet the needs of today’s security operations centers.
We believe that today’s organizations need to be able to look across multiple datasets with deep visibility to the endpoint, analyze that data in real-time, but also understand it with the perspective of time in order to portray the most accurate picture of what happened, how, and why. This enables teams to understand priority and the full scope of the attack.
Detect Unknown Threats, Reduce Dwell Time, Accelerate Response
Organizations Face Difficult Security Challenges
A real scarcity of skilled security analysts forces enterprises to get creative to combat threats and protect
GROWING SHORTAGE OF SKILLED SECURITY STAFF
More endpoints in the enterprise, in the field, and in the cloud means more potential entry points for attacks.
A GREATLY EXPANDING
The days of simple malware or APTs are gone. Today’s attacks are targeted, lengthy, and multifaceted.
“Organizations took weeks or more to discover that a breach even occurred.”
- Verizon 2016 Data Breach Report
So They Take Preventive Steps to Protect Themselves
[Diagram: NGFW, IDS / IPS, SIEM, NGFW]
80% of security staff, budget, and activity is generally dedicated to preventive action
But Breaches Still Occur. What’s Happening?
[Diagram: NGFW, IDS / IPS, SIEM, NGFW; callouts: “NEW threat”, “NGFW has no …”, “IPS has no …”, “… signature for the …”, “… logs, but will it trigger an alert?”]
Missing the Little Things Rapidly Adds Up to One Bigger Problem
How big is the compromise?
How long has it been there?
Just how bad is this?
What did the attacker do?
The security paradigm must change
Shift priorities and capabilities
Advanced Threats Are Different
[Timeline diagram: Attack, Identified, Response; Leap Frog Attacks; Dwell Time, Response Time]
Evolution of Threat Actors & Detection
[Diagram labels: Whitespace, Successful HACKS]
Complete visibility into every process and network session is required to eradicate the attacker
Unified platform for advanced threat detection & investigations
RSA Security Analytics
• Shows how an attacker got in
• Shows what the attacker did
• Helps to determine the source of the attack
• Shows suspicious communication
  • Data exfiltration
  • Outbound encrypted communication
  • Service communication over a non-standard port
• Detects advanced threats using Behavior Analytics
  • Communication to and from the infected system
• See the complete attack picture
• Reconstruct the malicious payload or exploit
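As an added example (not RSA’s or NetWitness’s code), the capture-time enrichment described in the speaker notes above and two of the suspicious-communication checks in this list, written in Python. The asset inventory, the expected-port table, the metadata field names and the session record shape are all assumptions; the sample sessions and the PDF body are constructed.

```python
# Added example (not RSA's code): enrich a captured session at capture time with
# asset context and flag findings named in the deck. All data below is constructed.
from dataclasses import dataclass, field

# Constructed asset inventory standing in for "asset criticality" and "vulnerability data".
ASSETS = {
    "10.0.1.5": {"name": "hr-fileshare", "criticality": "high", "open_cves": 2},
    "10.0.2.9": {"name": "dev-laptop-17", "criticality": "low", "open_cves": 0},
}
EXPECTED_PORTS = {"http": {80, 8080}, "tls": {443}, "ssh": {22}}
# PDF name objects that make a viewer run code or load a file when the document opens.
PDF_ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/EmbeddedFile", b"/OpenAction")


@dataclass
class Session:
    src: str
    dst: str
    dport: int
    service: str          # protocol as identified from the payload, not from the port
    direction: str        # "inbound" or "outbound"
    payload: bytes = b""  # reassembled application payload, if any
    meta: dict = field(default_factory=dict)  # enrichment fields land here


def pdf_active_keys(payload: bytes) -> list:
    """Return the active-content keys present in a PDF payload ([] if not a PDF)."""
    if not payload.startswith(b"%PDF-"):
        return []
    return [k.decode() for k in PDF_ACTIVE_KEYS if k in payload]


def enrich(s: Session) -> Session:
    """Attach context and findings so later queries need no joins against other systems."""
    for role, ip in (("src", s.src), ("dst", s.dst)):
        if ip in ASSETS:
            s.meta[f"{role}.asset"] = ASSETS[ip]["name"]
            s.meta[f"{role}.criticality"] = ASSETS[ip]["criticality"]
    flags = []
    if s.dport not in EXPECTED_PORTS.get(s.service, {s.dport}):
        flags.append("service-on-nonstandard-port")
    if s.direction == "outbound" and s.service == "tls":
        flags.append("outbound-encrypted")
    s.meta["pdf.active"] = pdf_active_keys(s.payload)
    if s.meta["pdf.active"]:
        flags.append("pdf-executable-content")
    # Risk combines the findings with the criticality of the internal asset involved.
    crit = s.meta.get("dst.criticality", s.meta.get("src.criticality", "unknown"))
    s.meta["risk.level"] = "high" if flags and crit == "high" else "medium" if flags else "low"
    s.meta["flags"] = flags
    return s
```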
RSA NetWitness® Packets
analysis and full
going in and out of
Example metadata fields: IP Alias Forwarded, Top Level Domain, Mac Address Alias, URL in Email
“You can't hide a packet once it's traversed the wire, you can't unsend it”
A BALANCED APPROACH TO ENDPOINT SECURITY SOLUTION
For Blocking and
Why RSA NetWitness Endpoint?
Detect by threat behavior rather than by signature
Rapid response enabled by full-scope visibility
More rapidly expose new, unknown, and non-malware threats on
Eliminate white noise; prioritize threats more efficiently & accurately
Provide all data needed to confirm threats and quickly take action
Rapidly and Accurately Analyze ALL Threats
IP/Domain Information & Geo
Threat Intelligence + RSA Community
YARA Rules Engine
File / App Whitelisting & Reputation
“Gold Image” Baselining
Live Memory Analysis
Direct Physical Disk Inspection
User-Initiated Suspicious Behavior
Endpoint/Module Behavior Analytics
RSA NetWitness Endpoint combines multiple detection methodologies to detect both KNOWN and UNKNOWN threats faster and more accurately.
How Customers Use RSA NetWitness Endpoint
Proactive Assessments of Key Assets
Selectively deploy, monitor, and protect your most valuable, at-risk corporate assets
Protective Endpoint Monitoring and Alerting
Gain greater visibility, detect threats faster, and focus response more effectively
Hunting Tool for Incident Response
Investigate compromised systems to collect incident data for forensic analysis
Deeper Understanding of the Full Scope of an Incident
Fully eradicate a threat actor by leveraging both network and endpoint visibility and analysis
“Traditional defense-in-depth components are still necessary, but are no longer sufficient in protecting against advanced targeted attacks and advanced malware” – Gartner
Source: Gartner’s “Five Styles of Advanced Threat Defense”
Network Traffic Analysis
Endpoint Behavior Analysis
Frost & Sullivan
The network security team at Frost and Sullivan views Advanced Persistent Threat (APT) defense as not a singular technology, but rather as a collection of technologies used in
forensics is the
used when a breach has occurred.
What Do Organizations Need to Be Successful?
Effective means to help overburdened and unfocused security teams investigate and respond rapidly to REAL threats.
Capabilities to accurately detect new, never-seen-before, targeted and even “file-less” threats on their endpoints.
Deep visibility and insight into everything that is actually happening on their endpoints at any time.
Must be ARMED to quickly identify and respond to attacks before they can damage the business.
Constant compromise does not mean constant loss