From SIEM to
Security Analytics
The Path Forward
Seth Geftic, Product Marketing Manager
Steve Garrett, Product Manager

© Copyright 2012 EMC Corporation. All rights reserved.

Agenda
• The Shift From SIEM
• What is RSA Security Analytics
• Beyond SIEM: Intelligence Driven Security
• Intelligence Driven Security In Action

The Shift Away From SIEM

The purpose of SIEM has evolved
• The original purchase drivers behind SIEMs were
– Satisfying compliance requirements more easily
▪ Collecting and retaining logs with less operational overhead
▪ Creating compliance reports more easily
– Troubleshooting operational problems
▪ Determining root cause of failures
• Making IDS work better was often a driver too
– The security team was deluged with IDS alerts
– Many of the IDS rules were crude and fired too often

Why hasn’t SIEM lived up to expectations?
• Things have become more complex
– IT environments have expanded
– Hackers have become more sophisticated
– IDS has become less and less relevant
• SIEMs’ response has been to add more log sources
– More diversity of sources (Security Device, OS, Application etc.)
– Greater volume of sources as the number of critical systems has expanded
• But this has not solved the problem
– SIEM has not been able to scale to the volume required
– It’s impractical to create correlation rules to detect every complex threat
– Many threats no longer even have a footprint in the logs

The result for organizations?
• Honeymoon period for customers post implementation
– Compliance reports run more smoothly
– Security teams get at least *some* visibility into activity
• Disillusionment follows for many pretty soon after
– As the team matures they start to try to extract more value from the data
– At this point, performance and correlation limitations come to the fore
Today’s tools need to adapt
• Today’s tools need to be able to detect and investigate
– Lateral movement of threats as they gain a foothold
– Covert characteristics of attack tools, techniques & procedures
– Exfiltration or sabotage of critical data
• Today’s tools need to be able to scale
– To collect and store the volume and diversity of data required
– To provide analytic tools to support security work streams
– Time to respond is critical in a breach situation – and SIEM often falls short
Security Analytics & The Security Maturity Voyage
[Diagram: a maturity curve labelled SECURITY ANALYTICS, plotting Visibility and Understanding (vertical axis) against Security Team Sophistication & Skillset (horizontal axis). Stages marked along the curve: Traditional SIEM (Compliance), Incident Detection, Network Monitoring & Investigation, Advanced Analysis.]
Use Case Needs Grow
• Compliance + Tier 1 Security (often met with traditional SIEM)
– Compliance requirements
– Incident detection
– Limited investigations
• Moving Beyond SIEM
– Increased visibility
– Deep forensics and investigations
– Supplement traditional SIEM
• Advanced Security Operations
– Find more sophisticated attacks
– Increased “hunting” ability
– Conduct complex data analysis for next gen SOC

Today’s Security Requirements
• Big Data Infrastructure: “Need a fast and scalable infrastructure to conduct real time and long term analysis”
• Comprehensive Visibility: “See everything happening in my environment and normalize it”
• High Powered Analytics: “Give me the speed and smarts to detect, investigate and prioritize potential threats”
• Integrated Intelligence: “Help me understand what to look for and what others have discovered”
What is RSA Security Analytics

RSA Security Analytics
Unified platform for incident detection, investigations, compliance reporting and advanced security analysis
[Diagram: RSA Security Analytics shown as the union of SIEM and Network Security Monitoring]
• SIEM: Log Parsing, Compliance Reports, Incident Alerts
• Network Security Monitoring: Full Packet Capture
• RSA Security Analytics: Big Data Infrastructure, Capture Time Data Enrichment, Comprehensive Visibility, High Powered Analysis, Deep Dive Investigations, Intelligence Driven Context
Big data security analytics: RSA Security Analytics architecture
[Architecture diagram. PACKETS and LOGS enter Distributed Data Collection, pass through PARSING & METADATA TAGGING with Capture Time Data Enrichment, and are stored as PACKET METADATA and LOG METADATA. Consumers of that metadata: Reporting & Alerting, Investigation & Forensics, Compliance, Malware Analysis, Incident Response, Endpoint Visibility & Analysis. RSA LIVE INTELLIGENCE supplies Intelligence Feeds and Additional Business & IT Context at the LIVE points of the pipeline.]
Threat Intelligence | Rules | Parsers | Alerts | Feeds | Apps | Directory Services | Reports & Custom Actions
RSA Security Analytics “SIEM-like” deployment
[Architecture diagram, same pipeline as the previous slide but fed with LOGS only: Distributed Data Collection, PARSING & METADATA TAGGING with Capture Time Data Enrichment, stored as LOG METADATA. Consumers: Reporting & Alerting, Investigation & Forensics, Compliance, Malware Analysis, Incident Response, Endpoint Visibility & Analysis. RSA LIVE INTELLIGENCE supplies Intelligence Feeds and Additional Business & IT Context.]
Threat Intelligence | Rules | Parsers | Alerts | Feeds | Apps | Directory Services | Reports & Custom Actions
RSA Security Analytics with a traditional SIEM
[Architecture diagram. PACKETS go to Security Analytics: Distributed Data Collection, PARSING & METADATA TAGGING with Capture Time Data Enrichment, stored as PACKET METADATA, with LIVE content applied; Security Analytics provides Alerting, Investigation & Forensics, Malware Analysis and Intel Feeds. LOGS go to 3rd Party SIEM Collection; the SIEM receives Alerts and handles Alert Triage, Investigations, and Compliance & Reporting.]
What Makes SA Different?
• Single platform for log & network security monitoring
• Capture time data enrichment
• Superior event stream & on-request analysis
• Incorporates business and IT data, incident response & endpoint visibility
• Operationalizes threat intelligence
• Security platform where compliance is an outcome, not the other way around
Beyond SIEM – Intelligence Driven Security

What is Intelligence Driven Security?
• The process of using all the security-related information available, both internally and externally, to detect hidden threats and even predict future ones.
• It is knowledge that enables an organization to make informed risk decisions and take action.
Meet the Adversary: Mr. X
Persona: Cyber Criminal, Government sponsored or non-state actor
Mission in Life: Exfiltrate any and all data available by creating a threat surface specialized for a given target.
Tactics: Malicious Code, Social Media, Phishing, Spear Phishing
Primary Data Source(s): Must Have: Facebook, LinkedIn, Malware

Note: Average price of a zero-day exploit generated by the criminal underground is $25.

Mr. X has been busy:
• Combination of Waterhole Attacks with Zero Day Exploits (non-profits and think tanks)
– Targeting users who visit very specific websites
– Latest IE 0-day attack focused on a specific non-profit site
– Downloaded and executed shellcode directly from memory, never hit disk
– Dropped non-persistent (Aurora) 9002 RAT
• Multiple attack groups on the same victim, steady evolution of adversary backdoors
• NO slowdown in attack operations, very specific targeting of intelligence based on attacker taskings (Lawsuits, Key Personnel, C-Suite, M/A activity)
• Email Exfiltration – MAPI tool, Theft of Lotus Notes Email
• Continued heavy use of Windows Service DLLs, some signed
Mr. X – How Does he do it?
[Diagram: the attack chain below drawn across Your Network, with an “Ability to Detect” grid rating IDS, SIEM and SA for each step. Legend: Yes; Possible; Yes – Full Visibility with Logs and Packets with Threat Intelligence; No. The per-step ratings are not recoverable from the slide text.]
A: Web App Vulnerability
B: Drop Webshells or Trojan Backdoor
C: Command and Control
D: Pass The Hash
E: Seize Domain Admin Credentials
F: Gain Access to Trade Secrets
G: Upload Stolen Data to Staging Server
H: Transmit Stolen Data
Intelligence Driven Security with Security Analytics
A: Web App Vulnerability
B: Drop Webshells or Trojan Backdoor
• RSA Live Threat Intelligence May Have Identified Risk of the Transfer as a Starting Point for Investigation
Intelligence Driven Security with Security Analytics
C: Command and Control
Traversing Your Infrastructure
D: Pass The Hash
E: Seize Domain Admin Credentials
F: Gain Access to Trade Secrets
G: Upload Stolen Data to Staging Server

• Mr. X uses a variety of techniques to communicate while traversing your infrastructure, which Security Analytics can detect and parse
– Named Pipes commonly abused (pipehello is NOT from Microsoft)
– Abuse of the Windows Task Scheduler over SMB connections via NET USE, allowing command shell capabilities with SYSTEM privileges
• Security Analytics combines Log Data with Packet Data for Deep Visibility
Intelligence Driven Security with Security Analytics
H: Transmit Stolen Data
Your Network
G: Upload Stolen Data to Staging Server

• RSA Live Threat Intelligence May Have Identified Risk of the Transfer based on Remote Host or Outbound Protocol Anomalies (such as self-signed certs)
– Security Analytics will flag these sessions as suspicious and identify where the data travelled
– Event reconstruction may be possible
Anyone see this Movie?

Event Stream Analysis:
Intelligence Driven Security in Action

Intelligence Driven Security with Security Analytics – Event Stream Analysis
[Diagram: Log Decoder → Concentrator and Packet Decoder → Concentrator paths feed ESA, with LIVE content applied at each decoder and Additional Context entering ESA. Throughput figures shown on the slide: 18k EPS, 24k EPS, 2 GB/s.]
• Full Visibility
– Log Data and Packet Data normalized into Meta Data
– Additional Context may be added into ESA from other business systems
Intelligence Driven Security with Security Analytics – Event Stream Analysis
• Leverage the power of ESA’s Correlation Engine to Create Dynamic Risk Categorization using Context Windows
[Diagram: three Context Windows, two DYNAMIC CONTEXT and one STATIC CONTEXT, as listed below]

Suspicious Internal IP (DYNAMIC CONTEXT): 10.221.32.12, 161.169.207.15, …
• Suspicious Internal Hosts IP List based on Packet Analysis and RSA Live Threat Intel
• As an example, any host running a named pipe such as “pipehello”
• Entries age out after preconfigured time (8 hours for instance)

Suspicious Host Alias (DYNAMIC CONTEXT): Ssl-irc.scumware.org, Mirror.wikileaks.info, Updatekernal.com, …
• Suspicious Host Alias List based on Packet Analysis and RSA Live Threat Intel
• Entries age out after preconfigured time (12 hours for instance)

Critical Asset List (STATIC CONTEXT): 10.100.32.10, 10.100.32.104
• Critical Asset List may come from Feed File or CSV file which provides Business Context
• Entries can be configured to be static and not age out
Intelligence Driven Security with Security Analytics – Event Stream Analysis
• When one of the Suspicious Hosts attempts to login on one of the Critical Assets, you may deem this as an elevation of Risk, and choose to add the IP address of the Host to a new list
[Diagram: the Suspicious Internal IP window (10.221.32.12, 161.169.207.15, …) feeds a new DYNAMIC CONTEXT window, Elevated Risk Internal IP]
• Elevated Risk Internal IP List based on Log Data from Domain Controller
• ESA determines that a host in the Suspicious Host IP list attempted to login to a host in the Critical Asset List
• ESA places this IP address into the Elevated Risk Internal IP list, which can be configured to age out after a preconfigured time
• Context Window can be referenced with the Incoming Event Streams and used to make a more intelligent decision to fire an Alert
“If A->B->C AND the Host IP address is included in the Elevated Risk Context Window, then tell me about it!”
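The context-window flow on the last two slides (suspicious list from packet metadata, elevation on a Domain Controller logon to a critical asset, alert only when the A->B->C sequence completes for an elevated host), as an added Python model; this is not RSA or EMC code. Assumed: the event field names, the use of the literal step kinds "A"/"B"/"C", and an 8-hour age-out for the Elevated Risk list, which the slide leaves configurable; the IPs are the slide's own sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


class ContextWindow:
    """A named list whose entries age out after ttl (ttl=None means static)."""

    def __init__(self, name: str, ttl: Optional[timedelta] = None) -> None:
        self.name = name
        self.ttl = ttl
        self._added: Dict[str, datetime] = {}  # value -> time it was (re)added

    def add(self, value: str, now: datetime) -> None:
        self._added[value] = now  # re-adding refreshes the entry's age

    def contains(self, value: str, now: datetime) -> bool:
        added = self._added.get(value)
        if added is None:
            return False
        if self.ttl is not None and now - added > self.ttl:
            del self._added[value]  # aged out: drop on first lookup past the TTL
            return False
        return True


@dataclass
class Event:
    ts: datetime
    kind: str          # "named_pipe" (packet meta), "dc_logon" (DC log) or a step "A"/"B"/"C"
    src_ip: str
    dst_ip: str = ""
    detail: str = ""   # e.g. the named-pipe name


class Esa:
    """Suspicious -> Elevated Risk -> alert when A->B->C completes for an elevated host."""

    def __init__(self, critical_assets: List[str], pattern=("A", "B", "C")) -> None:
        self.suspicious = ContextWindow("Suspicious Internal IP", timedelta(hours=8))
        self.elevated = ContextWindow("Elevated Risk Internal IP", timedelta(hours=8))  # TTL assumed
        self.critical = ContextWindow("Critical Asset List")  # static: never ages out
        for ip in critical_assets:
            self.critical.add(ip, datetime.min)
        self.pattern = pattern
        self.progress: Dict[str, int] = {}  # src_ip -> index of the next expected step
        self.alerts: List[str] = []

    def process(self, ev: Event) -> None:
        now = ev.ts
        if ev.kind == "named_pipe" and ev.detail == "pipehello":
            # Packet analysis: a named pipe that is not from Microsoft marks the host suspicious
            self.suspicious.add(ev.src_ip, now)
        elif ev.kind == "dc_logon":
            # Domain Controller log: a suspicious host logging on to a critical asset raises risk
            if self.suspicious.contains(ev.src_ip, now) and self.critical.contains(ev.dst_ip, now):
                self.elevated.add(ev.src_ip, now)
        elif ev.kind in self.pattern:
            idx = self.progress.get(ev.src_ip, 0)
            if ev.kind == self.pattern[idx]:
                idx += 1
            if idx == len(self.pattern):
                idx = 0
                # A->B->C seen: fire only if the host is in the Elevated Risk context window
                if self.elevated.contains(ev.src_ip, now):
                    self.alerts.append(f"{now.isoformat()} {ev.src_ip}: A->B->C from elevated-risk host")
            self.progress[ev.src_ip] = idx


def run(events: List[Event], critical_assets: List[str]) -> List[str]:
    """Replay an event stream in time order and return the alerts fired."""
    esa = Esa(critical_assets)
    for ev in sorted(events, key=lambda e: e.ts):
        esa.process(ev)
    return esa.alerts


def sample_events() -> List[Event]:
    """Constructed stream: one host completes the chain, one aged out, one was never suspicious."""
    t0 = datetime(2012, 10, 1, 9, 0)
    h = lambda n: t0 + timedelta(hours=n)
    return [
        Event(h(0), "named_pipe", "10.221.32.12", detail="pipehello"),
        Event(h(0), "named_pipe", "161.169.207.15", detail="pipehello"),
        Event(h(1), "dc_logon", "10.221.32.12", "10.100.32.10"),     # 1h later: still suspicious
        Event(h(9), "dc_logon", "161.169.207.15", "10.100.32.104"),  # 9h later: aged out, no elevation
        Event(h(2), "A", "10.221.32.12"), Event(h(3), "B", "10.221.32.12"), Event(h(4), "C", "10.221.32.12"),
        Event(h(10), "A", "161.169.207.15"), Event(h(11), "B", "161.169.207.15"), Event(h(12), "C", "161.169.207.15"),
        Event(h(2), "A", "10.50.1.7"), Event(h(3), "B", "10.50.1.7"), Event(h(4), "C", "10.50.1.7"),
    ]
```

Running `run(sample_events(), ["10.100.32.10", "10.100.32.104"])` yields a single alert for 10.221.32.12: the host whose pipehello sighting aged out before its logon, and the host that was never suspicious, complete the same A->B->C sequence without firing.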
RSA Security Analytics
• Cornerstone in the Security Operations journey
• Flexible platform that grows with your needs
– Compliance → incident detection → investigation and forensics → advanced analysis
– From logs → packets or packets → logs
• Security platform where compliance is a byproduct, not the other way around
RSA Advanced Cyber Defense Services
A portfolio of services to help you achieve security operations excellence
• Strategy & Roadmap
Current strategy review and
recommendations for desired
future state
• Incident Response
Rapid breach response service
and SLA-based retainer
• NextGen Security Operations
SOC/CIRC evolution and security
program transformations; moving
from reactive to proactive

www.rsa.im/ACDpractice
RSA Advanced Cyber Defense Training
A comprehensive learning path for security analysts
• Focus on proven
methodologies for
operating and
managing a
CIRC/SOC
• Hands-on labs
designed around
real-world use cases
and teamwork in a
CIRC/SOC
• Delivered by highly
experienced RSA
Security Practitioners

www.emc.com/rsa-training
Reimagining Security Analysis: Removing Hay vs. Digging For Needles
[Funnel diagram, narrowing at each stage:]
• All Network Traffic & Logs: Terabytes of data, 100% of total
• Downloads of executables: Thousands of data points, 5% of total
• Type does not match extension: Hundreds of data points, 0.2% of total
• Create alerts to/from critical assets: A few dozen alerts
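The funnel above, as an added Python example applied to constructed capture metadata; it is not RSA or EMC code. Assumed: the session field names, that "type" is decided from the file's leading bytes (PE and ELF magic) and "extension" from the claimed filename, and a critical-asset list matched on either endpoint; the 10.100.32.x addresses are the slide's own critical assets.

```python
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Leading bytes that identify an executable, and the extensions such a file should carry.
EXEC_MAGIC = {b"MZ": "pe", b"\x7fELF": "elf"}
EXPECTED_EXT = {"pe": {".exe", ".dll", ".sys", ".scr"}, "elf": {".so", ".elf", ".bin"}}


@dataclass
class Session:
    src_ip: str
    dst_ip: str
    filename: str   # name the server or URL claims for the transferred file
    head: bytes     # first bytes of the file as captured off the wire


def executable_type(head: bytes) -> Optional[str]:
    """Classify by content (what the bytes are), not by what the name claims."""
    for magic, kind in EXEC_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def type_matches_extension(s: Session) -> bool:
    kind = executable_type(s.head)
    ext = os.path.splitext(s.filename)[1].lower()
    return kind is None or ext in EXPECTED_EXT[kind]


def funnel(sessions: List[Session], critical_assets: List[str]) -> Tuple[Dict[str, int], List[Session]]:
    """Apply the slide's stages in order; return per-stage counts and the surviving sessions."""
    counts = {"all traffic": len(sessions)}
    executables = [s for s in sessions if executable_type(s.head)]
    counts["executable downloads"] = len(executables)
    mismatched = [s for s in executables if not type_matches_extension(s)]
    counts["type does not match extension"] = len(mismatched)
    alerts = [s for s in mismatched if s.src_ip in critical_assets or s.dst_ip in critical_assets]
    counts["to/from critical assets"] = len(alerts)
    return counts, alerts


def sample_sessions() -> List[Session]:
    """Constructed capture metadata: eight downloads, two of which should survive the funnel."""
    return [
        Session("10.100.32.10", "203.0.113.5", "index.html", b"<!DOCTYPE html>"),
        Session("10.100.32.10", "203.0.113.5", "update.exe", b"MZ\x90\x00\x03"),
        Session("10.100.32.10", "203.0.113.9", "photo.jpg", b"MZ\x90\x00\x03"),       # PE hiding as an image
        Session("10.50.1.7", "203.0.113.5", "report.pdf", b"%PDF-1.4"),
        Session("10.50.1.7", "203.0.113.9", "banner.gif", b"MZ\x90\x00\x03"),         # mismatch, not a critical asset
        Session("10.50.1.7", "203.0.113.5", "libfoo.so", b"\x7fELF\x02\x01"),
        Session("10.100.32.104", "203.0.113.5", "setup.scr", b"MZ\x90\x00\x03"),
        Session("10.100.32.104", "203.0.113.9", "invoice.pdf", b"\x7fELF\x02\x01"),  # ELF hiding as a PDF
    ]
```

`funnel(sample_sessions(), ["10.100.32.10", "10.100.32.104"])` narrows 8 sessions to 6 executables, 3 mismatches, and 2 alerts (photo.jpg and invoice.pdf), mirroring the slide's 100% → 5% → 0.2% → a few dozen progression on a small input.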
Integrated Intelligence
Know What To Look For
RSA LIVE INTELLIGENCE SYSTEM
Threat Intelligence – Rules – Parsers – Alerts – Feeds – Apps – Directory Services – Reports and Custom Actions
1. Gathers advanced threat intelligence and content
2. Aggregates & consolidates data
3. Automatically distributes correlation rules, blacklists, parsers, views, feeds
OPERATIONALIZE INTELLIGENCE: Take advantage of what others have already found and apply against your current and historical data
SA vs. SIEM

Attack Step                                                   Traditional SIEM   RSA Security Analytics
Alert for access over non-standard port                       No                 Yes
Recreate activity of suspect IP address across environment    No                 Yes
Show user activity across AD and VPN                          Yes                Yes
Alert for different credentials used for AD and VPN           Yes                Yes
Reconstruct exfiltrated data                                  No                 Yes