This document discusses intelligence driven threat detection and response. The key points are:
1) Organizations must detect threats early before harm occurs by actively hunting for intruders rather than relying on passive detection tools. This requires new capabilities in data analysis and incident response.
2) Intelligence driven security enhances threat detection and response by providing visibility, advanced analytics, signature-less malware detection, and empowering security teams.
3) To achieve intelligence driven security, organizations should advance capabilities in network and endpoint monitoring, advanced analytics, malware analysis, and incident response practices.
PwC industry expert, Josh McKibben, helps us break down what a breach is truly comprised of, analyze key breaches as examples, and look for lessons you can bring back to your organization to avoid being the next headline.
Alien vault sans cyber threat intelligenceAlienVault
Â
Over the last several years, we have seen that attackers are innovating much faster than defenders are. This trend is steering many companies to look towards cyber threat intelligence (CTI) to help them navigate today’s threatening landscape. SANS conducted a survey this year to explore who is using cyber threat intelligence and how they are using it. The survey collected responses from 326 IT professionals working in a variety of industries, in all sizes and from many different regions. 69% of the respondents reported implementing CTI to some extent, with only 16% planning not to pursue CTI in their environments. Which side of this percentage do you fall into? The infographic below provides some of the key questions to ask when getting started with threat intelligence, along with data from the SANS survey to show you how others are using threat intelligence.
The Incident Response Playbook for Android and iOSPriyanka Aash
Â
What is your mobile device incident response plan? If you cannot answer that question, you should attend this session. The session will cover the challenges in mobile, how and why it is different from traditional incident response, and the building blocks you can use to craft your own mobile incident response plan.
(Source: RSA USA 2016-San Francisco)
EC-Council, a globally recognized cybersecurity credentialing body, offers the Certified Ethical Hacker (CEH) and Certified Penetration Testing Professional (CPENT) certifications to help you acquire the skills you need to be a part of Red and Blue Teams. CEH is the most desired cybersecurity training program, upping your ethical hacking skills to the next level. CPENT takes off from where CEH leaves off, giving you a real-world, hands-on penetration testing experience.
PwC industry expert, Josh McKibben, helps us break down what a breach is truly comprised of, analyze key breaches as examples, and look for lessons you can bring back to your organization to avoid being the next headline.
Alien vault sans cyber threat intelligenceAlienVault
Â
Over the last several years, we have seen that attackers are innovating much faster than defenders are. This trend is steering many companies to look towards cyber threat intelligence (CTI) to help them navigate today’s threatening landscape. SANS conducted a survey this year to explore who is using cyber threat intelligence and how they are using it. The survey collected responses from 326 IT professionals working in a variety of industries, in all sizes and from many different regions. 69% of the respondents reported implementing CTI to some extent, with only 16% planning not to pursue CTI in their environments. Which side of this percentage do you fall into? The infographic below provides some of the key questions to ask when getting started with threat intelligence, along with data from the SANS survey to show you how others are using threat intelligence.
The Incident Response Playbook for Android and iOSPriyanka Aash
Â
What is your mobile device incident response plan? If you cannot answer that question, you should attend this session. The session will cover the challenges in mobile, how and why it is different from traditional incident response, and the building blocks you can use to craft your own mobile incident response plan.
(Source: RSA USA 2016-San Francisco)
EC-Council, a globally recognized cybersecurity credentialing body, offers the Certified Ethical Hacker (CEH) and Certified Penetration Testing Professional (CPENT) certifications to help you acquire the skills you need to be a part of Red and Blue Teams. CEH is the most desired cybersecurity training program, upping your ethical hacking skills to the next level. CPENT takes off from where CEH leaves off, giving you a real-world, hands-on penetration testing experience.
Security operations center 5 security controlsAlienVault
Â
An effective Security Operation Center provides the information necessary for organizations to efficiently detect threats and subsequently contain them. While eliminating the threats we face is an impossible goal, reducing the time it takes to respond and contain them is certainly achievable. Learn 5 security controls for an effective security operations center.
Ponemon Report: Cyber Security Incident Response: Are we as prepared as we th...Lancope, Inc.
Â
Learn about the key mistakes organizations are making when it comes to incident response, presented by the chairman and founder of the Ponemon Institute, Dr. Larry Ponemon, and Lancope’s director of security research, Tom Cross. Then learn about how the right mix of people, processes and technology can dramatically improve your incident response efforts and elevate the importance of the CSIRT within your organization.
Some organizations have the resources and skills to secure their IT infrastructure against security threats; however, many organizations cannot do so. Organizations have a state-of-the-art security software solution or pay thousands of dollars for security tools. Even after that, no organization is entirely secure. Certified Threat Intelligence Analyst (C|TIA) allows cybersecurity professionals to enhance their skills in building sufficient organizational cyber threat intelligence. It is a specialist-level program. CTIA is an examination that tests the individuals’ skills and prepares them to make useful threat intelligence in the organization.
Read more: https://www.infosectrain.com/blog/ctia-course-outline/
SOC 3.0: strategic threat intelligence May 2016Sarah Bark
Â
A next generation SOC service which is capable of analysing metadata from dynamic data sources (social media, the dark web, etc) in real-time, when combined with business-centric data, enables the organisation to forecast threats, steer future security spend and direct business decisions. SOC 3.0 services are now becoming available that put next generation threat intelligence within the reach of the SME. Jamal Elmellas, Technical Director, Auriga, outlines how threat intelligence via an and outsourced SOC can be used by the enterprise to anticipate and mitigate cyber attacks.
Mapping the Enterprise Threat, Risk, and Security Control Landscape with SplunkAndrew Gerber
Â
As threats evolve, it is essential to move beyond looking at events toward developing behavioral analysis capabilities. Knowing not only the components but also the rhythms of your environment becomes crucial to enable earlier detection of attackers. This session will review the threat and risk landscape today, recommend approaches to bolster your security control monitoring, apply situational awareness and kill chain techniques, and walk through the construction of two specific use cases. They are 1) detecting compromised accounts via remote access behavior analysis and 2) detecting malicious activity (attacker or insider) by detecting and tracing network jumpers from corporate to guest networks. The session will discuss the design approach and searches used in these two use cases so that you can build other use cases to improve your security capability and posture.
Optimizing Security Operations: 5 Keys to SuccessSirius
Â
Organizations are suffering from cyber fatigue, with too many alerts, too many technologies, and not enough people. Many security operations center (SOC) teams are underskilled and overworked, making it extremely difficult to streamline operations and decrease the time it takes to detect and remediate security incidents.
Addressing these challenges requires a shift in the tactics and strategies deployed in SOCs. But building an effective SOC is hard; many companies struggle first with implementation and then with figuring out how to take their security operations to the next level.
Read to learn:
--Advantages and disadvantages of different SOC models
--Tips for leveraging advanced analytics tools
--Best practices for incorporating automation and orchestration
--How to boost incident response capabilities, and measure your efforts
--How the NIST Cybersecurity Framework and CIS Controls can help you establish a strong foundation
Start building your roadmap to a next-generation SOC.
As the threat landscape continues to accelerate and evolve, the security industry continues to respond with a variety of disparate new detection technologies. Unfortunately, this approach results in customers struggling to manage a patchwork of uncoordinated security tools, leaving a gap between detection and enforcement at the firewall. So why not consider a open based Next Generation Firewall that not only support proprietary reputation feeds, but highly diverse third party and custom feeds available on the market, within industry groups, or sourced directly by your customer?
TIG / Infocyte: Proactive Cybersecurity for State and Local GovernmentInfocyte
Â
This webinar and presentation outlines the Infocyte HUNT threat detection and incident response platform, and how it enables state and local government organizations:
- Reduce risk across local, off-network, and cloud IT assets
- Expose and eliminate hidden cyber threats and vulnerabilities
- Streamline your overall security operations
- Achieve and maintain compliance
Using Infocyte, TIG can provide their customers with cost-effective, easy-to-manage, and on-demand cybersecurity consulting services (e.g. compromise assessments, incident response) and managed security services (e.g. managed detection and response).
Visit https://www.infocyte.com/ to learn more and request a demo, or request a cybersecurity risk assessment (Compromise Assessment) using the link below:
https://www.infocyte.com/free-compromise-assessment/
You have spent a ton of money on your security infrastructure. But how do you string all those things together so you can achieve your goals of reducing time to response, and early detection and prevention of events. See a live demonstration that will showcase how to operationalize those resources so that your organization can reap the maximum benefit.
The Critical Security Controls and the StealthWatch SystemLancope, Inc.
Â
As today’s cyber-attackers become more sophisticated and nefarious, organizations must adopt the right mix of conventional and next-generation security tools to effectively defend their infrastructure from advanced threats. The Critical Security Controls effort is a growing movement that has been helping government agencies and large enterprises prioritize their cyber security spending accordingly.
By leveraging NetFlow and other types of flow data, Lancope’s StealthWatch System delivers continuous network visibility to fulfill a number of the highest priority controls, enhancing timely detection of targeted threats and improving incident response.
Learn the latest about the Critical Security Controls and hear how the StealthWatch System fits in.
AlienVault Threat Alerts are a simple yet powerful tool that comes built-in with Spiceworks. When a device on your network has been interacting with a known malicious host or suspicious IP, you’ll immediately get an alert in your feed and you’ll get an alert email.
You have spent a ton of money on your security infrastructure. But how do you string all those things together so you can achieve your goals of reducing time to response, detecting, preventing threats. And most importantly, having your security team serve your business and mission. Learn how to organize your security resources to get the best benefit. See a live demonstration of operationalizing those resources so your security teams can do more for your organization.
Insight Brief: Security Analytics to Identify the 12 Indicators of Compromise21CT Inc.
Â
In this security insight brief, 21CT researchers look at the malicious network behaviors that concern organizations the most, and how to use security analytics to find them before damage is done. Understanding these 12 indicators of compromise are critical to identifying a network breach.
Security operations center 5 security controlsAlienVault
Â
An effective Security Operation Center provides the information necessary for organizations to efficiently detect threats and subsequently contain them. While eliminating the threats we face is an impossible goal, reducing the time it takes to respond and contain them is certainly achievable. Learn 5 security controls for an effective security operations center.
Ponemon Report: Cyber Security Incident Response: Are we as prepared as we th...Lancope, Inc.
Â
Learn about the key mistakes organizations are making when it comes to incident response, presented by the chairman and founder of the Ponemon Institute, Dr. Larry Ponemon, and Lancope’s director of security research, Tom Cross. Then learn about how the right mix of people, processes and technology can dramatically improve your incident response efforts and elevate the importance of the CSIRT within your organization.
Some organizations have the resources and skills to secure their IT infrastructure against security threats; however, many organizations cannot do so. Organizations have a state-of-the-art security software solution or pay thousands of dollars for security tools. Even after that, no organization is entirely secure. Certified Threat Intelligence Analyst (C|TIA) allows cybersecurity professionals to enhance their skills in building sufficient organizational cyber threat intelligence. It is a specialist-level program. CTIA is an examination that tests the individuals’ skills and prepares them to make useful threat intelligence in the organization.
Read more: https://www.infosectrain.com/blog/ctia-course-outline/
SOC 3.0: strategic threat intelligence May 2016Sarah Bark
Â
A next generation SOC service which is capable of analysing metadata from dynamic data sources (social media, the dark web, etc) in real-time, when combined with business-centric data, enables the organisation to forecast threats, steer future security spend and direct business decisions. SOC 3.0 services are now becoming available that put next generation threat intelligence within the reach of the SME. Jamal Elmellas, Technical Director, Auriga, outlines how threat intelligence via an and outsourced SOC can be used by the enterprise to anticipate and mitigate cyber attacks.
Mapping the Enterprise Threat, Risk, and Security Control Landscape with SplunkAndrew Gerber
Â
As threats evolve, it is essential to move beyond looking at events toward developing behavioral analysis capabilities. Knowing not only the components but also the rhythms of your environment becomes crucial to enable earlier detection of attackers. This session will review the threat and risk landscape today, recommend approaches to bolster your security control monitoring, apply situational awareness and kill chain techniques, and walk through the construction of two specific use cases. They are 1) detecting compromised accounts via remote access behavior analysis and 2) detecting malicious activity (attacker or insider) by detecting and tracing network jumpers from corporate to guest networks. The session will discuss the design approach and searches used in these two use cases so that you can build other use cases to improve your security capability and posture.
Optimizing Security Operations: 5 Keys to SuccessSirius
Â
Organizations are suffering from cyber fatigue, with too many alerts, too many technologies, and not enough people. Many security operations center (SOC) teams are underskilled and overworked, making it extremely difficult to streamline operations and decrease the time it takes to detect and remediate security incidents.
Addressing these challenges requires a shift in the tactics and strategies deployed in SOCs. But building an effective SOC is hard; many companies struggle first with implementation and then with figuring out how to take their security operations to the next level.
Read to learn:
--Advantages and disadvantages of different SOC models
--Tips for leveraging advanced analytics tools
--Best practices for incorporating automation and orchestration
--How to boost incident response capabilities, and measure your efforts
--How the NIST Cybersecurity Framework and CIS Controls can help you establish a strong foundation
Start building your roadmap to a next-generation SOC.
As the threat landscape continues to accelerate and evolve, the security industry continues to respond with a variety of disparate new detection technologies. Unfortunately, this approach results in customers struggling to manage a patchwork of uncoordinated security tools, leaving a gap between detection and enforcement at the firewall. So why not consider a open based Next Generation Firewall that not only support proprietary reputation feeds, but highly diverse third party and custom feeds available on the market, within industry groups, or sourced directly by your customer?
TIG / Infocyte: Proactive Cybersecurity for State and Local GovernmentInfocyte
Â
This webinar and presentation outlines the Infocyte HUNT threat detection and incident response platform, and how it enables state and local government organizations:
- Reduce risk across local, off-network, and cloud IT assets
- Expose and eliminate hidden cyber threats and vulnerabilities
- Streamline your overall security operations
- Achieve and maintain compliance
Using Infocyte, TIG can provide their customers with cost-effective, easy-to-manage, and on-demand cybersecurity consulting services (e.g. compromise assessments, incident response) and managed security services (e.g. managed detection and response).
Visit https://www.infocyte.com/ to learn more and request a demo, or request a cybersecurity risk assessment (Compromise Assessment) using the link below:
https://www.infocyte.com/free-compromise-assessment/
You have spent a ton of money on your security infrastructure. But how do you string all those things together so you can achieve your goals of reducing time to response, and early detection and prevention of events. See a live demonstration that will showcase how to operationalize those resources so that your organization can reap the maximum benefit.
The Critical Security Controls and the StealthWatch SystemLancope, Inc.
Â
As today’s cyber-attackers become more sophisticated and nefarious, organizations must adopt the right mix of conventional and next-generation security tools to effectively defend their infrastructure from advanced threats. The Critical Security Controls effort is a growing movement that has been helping government agencies and large enterprises prioritize their cyber security spending accordingly.
By leveraging NetFlow and other types of flow data, Lancope’s StealthWatch System delivers continuous network visibility to fulfill a number of the highest priority controls, enhancing timely detection of targeted threats and improving incident response.
Learn the latest about the Critical Security Controls and hear how the StealthWatch System fits in.
AlienVault Threat Alerts are a simple yet powerful tool that comes built-in with Spiceworks. When a device on your network has been interacting with a known malicious host or suspicious IP, you’ll immediately get an alert in your feed and you’ll get an alert email.
You have spent a ton of money on your security infrastructure. But how do you string all those things together so you can achieve your goals of reducing time to response, detecting, preventing threats. And most importantly, having your security team serve your business and mission. Learn how to organize your security resources to get the best benefit. See a live demonstration of operationalizing those resources so your security teams can do more for your organization.
Insight Brief: Security Analytics to Identify the 12 Indicators of Compromise21CT Inc.
Â
In this security insight brief, 21CT researchers look at the malicious network behaviors that concern organizations the most, and how to use security analytics to find them before damage is done. Understanding these 12 indicators of compromise are critical to identifying a network breach.
TechBook: Mainframe EMC Symmetrix Remote Data Facility (SRDF) Four-Site Migra...EMC
Â
This EMC Engineering TechBook describes best practices and a detailed example of using SRDF four-site migration (also known as dual-site migration) in a mainframe environment to migrate from existing local and remote Symmetrix arrays to replacement local and remote Symmetrix arrays, providing immediate remote protection of production data at migration cutover.
Dedupe-Centric Storage for General Applications EMC
Â
Proliferation and preservation of many versions and copies of data drives much of the tremendous data growth most companies are experiencing. IT administrators are left to deal with the consequences. Because deduplication addresses one of the key elements of data growth, it should be at the heart of any data management strategy. This paper demonstrates how storage systems can be built with a deduplication engine powerful enough to become a platform that general applications can leverage.
White Paper: EMC Greenplum Data Computing Appliance Enhances EMC IT's Global ...EMC
Â
This White Paper illustrates a synergistic model for deploying EMC's Greenplum Data Computing Appliance (DCA) with EMC IT's incumbent Global Data Warehouse infrastructure.
White Paper: Using VMware Storage APIs for Array Integration with EMC Symmetr...EMC
Â
This white paper discusses how VMware's vSphere Storage APIs for Array Integration, also known as VAAI, can be used to offload perform various virtual machine operations on the EMC Symmetrix.
"Wat maakt dat we consumeren op een manier die onverantwoord is, zowel sociaal als ecologisch gezien?
Houdt overconsumptie ons niet weg van de dingen die er echt toe doen? Kunnen we als samenleving kiezen
voor een duurzame manier van samen leven en hoe doen we dit dan?"
Consumenten worden tegenwoordig overspoeld met informatie over nieuwe producten en diensten. Neem
daarbij nog de vele reclame en het wordt quasi onmogelijk om de juiste keuzes te maken. In deze vorming
wordt uitgelegd hoe je door bewust te kiezen het milieu en je portemonnee spaart. Er worden handige tips en
tricks aangereikt om bewuster te leven.
Information Securityfind an article online discussing defense-in-d.pdfforladies
Â
Information Security
find an article online discussing defense-in-depth. List your source and provide a paragraph
summary of what the article stated.
Solution
Abstract
The exponential growth of the Internet interconnections has led to a significant growth of cyber
attack incidents often with disastrous and grievous consequences. Malware is the primary choice
of weapon to carry out malicious intents in the cyberspace, either by exploitation into existing
vulnerabilities or utilization of unique characteristics of emerging technologies. The
development of more innovative and effective malware defense mechanisms has been regarded
as an urgent requirement in the cybersecurity community. To assist in achieving this goal, we
first present an overview of the most exploited vulnerabilities in existing hardware, software, and
network layers. This is followed by critiques of existing state-of-the-art mitigation techniques as
why they do or don\'t work. We then discuss new attack patterns in emerging technologies such
as social media, cloud computing, smartphone technology, and critical infrastructure. Finally, we
describe our speculative observations on future research directions.
A multi-layered approach to cyber security utilising machine learning and advanced analytics is
essential to defend against sophisticated multi-stage attacks including:
Insider Threats | Advanced Human Attacks | Supply Chain Infection | Ransomware |
Compromised User Accounts | Data Loss
Prepare for a cyber security incident or attack and how to adequately manage the aftermath with
an organised approach to Incident Response – coordinating resources, people, information,
technology and complying with regulations.
INSIDER THREATS
Insider threat can originate from employees, contractors, third party services or anyone with
access rights to your network, corporate data or business premises.
The challenge is to identify attacks and understand how they develop in real-time by analysing
and correlating the subtle signs of compromise that an insider makes when they infiltrate the
network.
Traditional security measures are no longer sufficient to combat insider threat. A more
sophisticated, intelligence-based approach is required. Cyberseer uses machine-learning
technology to form a behavioural baseline for every user to determine normal activity and spot
new, previously unidentified threat behaviours. The move to a more proactive approach towards
security will enable companies to take action to thwart developing situations escalating into
exfiltrated information or damaging incidents.
ADVANCED HUMAN ATTACKS
Advanced threats use a set of stealthy and continuous processes to target an organisation, which
is often orchestrated for business or political motives by individuals (or groups). The “advanced”
process signifies sophisticated techniques using malware to exploit vulnerabilities in
organisations systems. They are considered persistent because an external command and control
system .
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...Kaspersky
Â
A key business goal of any organization is to maintain the constant availability of data and systems that can be trusted for decision-making purposes. The evolving threat landscape has resulted in increasing focus, right to board level, on cybersecurity. IT operational and security teams should demonstrate a comprehensive, cohesive approach in their response to security incidents and data breaches.
In this presentation we will look at the cause and effect of the problem, analyze preparedness and learn how you can better prepare, detect, respond and recover from cyber-attacks.
The Pros and Cons of Different Security Detection Technologies.pdfSecurityDetectionSol
Â
we provide an overview of leading Security Detection Solutions and technologies and discuss their relative advantages to help inform organizations’ decisions.
Why the DoD Uses Advanced Network-traffic Analytics to Secure its NetworkNovetta
Â
Advanced network-traffic analytics changed the way many of the largest agencies within the Department of Defense handle their cyber security efforts, and we've just published a whitepaper describing why and how. The paper provides important information about how an enterprise can significantly reduce damages caused by sophisticated attackers, including:[clear]
A description of the limitations of today’s security solutions and how advanced network-traffic analytics can help improve enterprise security.
Two case studies about how the Department of Defense benefits today from advanced analytics.
A high-level review of the technical architecture of an advanced network analytics solution and how it can be used to thwart attacks.
A discussion of how enterprises and their security teams will benefit from a network-traffic analytics approach to enterprise security.
Cyber-Espionage: Understanding the Advanced Threat LandscapeAaron White
Â
Cutting through the APT hype to help businesses prevent, detect and mitigate advanced threats.
Sophisticated cyber-espionage operations aimed at pilfering
trade secrets and other sensitive data from corporate networks currently present the biggest threat to businesses. Advanced threat actors ranging from nation-state adversaries to organized cyber-crime gangs are using zero-day exploits, customized malware toolkits and clever social engineering tricks to break into corporate networks, avoid detection,
and steal valuable information over an extended period
of time.
In this presentation, we will cut through some of the hype
surrounding Advanced Persistent Threats (APTs), explain the
intricacies of these attacks and present recommendations to
help you improve your security posture through prevention,
detection and mitigation.
Cyber Threat Intelligence is a process in which information from different sources is collected, then analyzed to identify and detect threats against any environment. The information collected could be evidence-based knowledge that could support the context, mechanism, indicators, or implications about an already existing threat against an environment, and/or the knowledge about an upcoming threat that could potentially affect the environment. Credit: Marlabs Inc
Internet, Cyber-attacks and threats are becoming more prevalent. This Infographic explains the current state, and things to consider for yourself and your business.
The intelligence lifecycle entails transforming raw data into final intelligence for decision-making. Deconstruct this domain to boost your organization's cyber defenses.
Network security is a dynamic art, with dangers appearing as fast as black hats can exploit vulnerabilities. While there are basic “golden rules” which can make life difficult for the bad guys, it remains a challenge to keep networks secure. John Chambers, Executive Chairman of Cisco, famously said “there are two types of companies: those that have been hacked, and those who don’t know they have been hacked”. The question for most organizations isn’t if they’re going to be breached, but how quickly they can isolate and mitigate the threat. In this paper, we’ll examine best practices for effective cybersecurity – from both a proactive (access hardening) and reactive (threat isolation and mitigation) perspective. We’ll address how network automation can help minimize cyberattacks by closing vulnerability gaps and how it can improve incident response times in the event of a cyberthreat. Finally, we’ll lay a vision for continuous network security, to explore how machine-to-machine automation may deliver an auto-securing and self-healing network.
Go to www.esgjrconsultinginc.com
Toward Continuous Cybersecurity With Network AutomationKen Flott
Â
Network security is a dynamic art, with dangers appearing as
fast as black hats can exploit vulnerabilities. While there are
basic “golden rules” which can make life difficult for the bad
guys, it remains a challenge to keep networks secure. John
Chambers, Executive Chairman of Cisco, famously said “there
are two types of companies: those that have been hacked, and
those who don’t know they have been hacked”. The question
for most organizations isn’t if they’re going to be breached, but
how quickly they can isolate and mitigate the threat.
In this paper, we’ll examine best practices for effective
cybersecurity – from both a proactive (access hardening)
and reactive (threat isolation and mitigation) perspective.
We’ll address how network automation can help minimize
cyberattacks by closing vulnerability gaps and how it can
improve incident response times in the event of a cyberthreat.
Finally, we’ll lay a vision for continuous network security, to
explore how machine-to-machine automation may deliver an
auto-securing and self-healing network.
Digitalization has transformed the way business’s function. With the evolution of technologies, attackers are also evolving. They are finding innovative and more invasive ways to attack organizations. Due to this, the organization's security operations center (SOC) is expected to be
more agile and dynamic in detecting and responding to attacks. Most organizations' security operations and incident response teams are overworked due to high volumes of security threats and alerts that they need to manage every day.
Threat intelligence provides information across a wide range of sources to assist associations with safeguarding their resources by working with a designated network safety procedure. Call Us: +1 (978)-923-0040
Similar to Intelligence Driven Threat Detection and Response (20)
INDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUDEMC
Â
CloudBoost is a cloud-enabling solution from EMC
Facilitates secure, automatic, efficient data transfer to private and public clouds for Long-Term Retention (LTR) of backups. Seamlessly extends existing data protection solutions to elastic, resilient, scale-out cloud storage
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIOEMC
Â
With EMC XtremIO all-flash array, improve
1) your competitive agility with real-time analytics & development
2) your infrastructure agility with elastic provisioning for performance & capacity
3) your TCO with 50% lower capex and opex and double the storage lifecycle.
• Citrix & EMC XtremIO: Better Together
• XtremIO Design Fundamentals for VDI
• Citrix XenDesktop & XtremIO
-- Image Management & Storage
-- Demonstrations
-- XtremIO XenDesktop Integration
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES EMC
Â
Explore findings from the EMC Forum IT Study and learn how cloud computing, social, mobile, and big data megatrends are shaping IT as a business driver globally.
Reference architecture with MIRANTIS OPENSTACK PLATFORM.The changes that are going on in IT with disruptions from technology, business and culture and so IT to solve the issues has to change from moving from traditional models to broker provider model.
Force Cyber Criminals to Shop Elsewhere
Learn the value of having an Identity Management and Governance solution and how retailers today are benefiting by strengthening their defenses and bolstering their Identity Management capabilities.
Container-based technology has experienced a recent revival and is becoming adopted at an explosive rate. For those that are new to the conversation, containers offer a way to virtualize an operating system. This virtualization isolates processes, providing limited visibility and resource utilization to each, such that the processes appear to be running on separate machines. In short, allowing more applications to run on a single machine. Here is a brief timeline of key moments in container history.
This white paper provides an overview of EMC's data protection solutions for the data lake - an active repository to manage varied and complex Big Data workloads
This infographic highlights key stats and messages from the analyst report from J.Gold Associates that addresses the growing economic impact of mobile cybercrime and fraud.
This white paper describes how an intelligence-driven governance, risk management, and compliance (GRC) model can create an efficient, collaborative enterprise GRC strategy across IT, Finance, Operations, and Legal areas.
The Trust Paradox: Access Management and Trust in an Insecure AgeEMC
Â
This white paper discusses the results of a CIO UK survey on a“Trust Paradox,” defined as employees and business partners being both the weakest link in an organization’s security as well as trusted agents in achieving the company’s goals.
DevOps and Testing slides at DASA ConnectKari Kakkonen
Â
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Â
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Â
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
Â
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
Â
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
Â
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
Â
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Â
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Â
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Â
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Â
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
Â
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Â
Intelligence Driven Threat Detection and Response
1. INTELLIGENCE DRIVEN THREAT DETECTION
& RESPONSE
RSA Whitepaper
OVERVIEW
Organizations today must learn to cope with constant infiltration. Keeping cyber
attackers out of enterprise IT environments has become extremely difficult and, in some
cases, impossible because custom-crafted attacks can easily circumvent traditional
threat detection tools and exploit inherent weaknesses in modern networks. Infiltration,
however, does not need to result in data theft and other forms of business damage,
especially if organizations become adept at detecting and responding to attacks early.
Detecting attacks before they result in harm requires security teams to reduce their
reliance on passive forms of threat detection, such as alerts from signature-based
scanning tools. Instead, organizations must actively hunt for intruders by constantly
scouring their IT environment for subtle signs of malicious or suspicious activity.
Finding these early signs of problems requires organizations to cultivate new
capabilities in data analysis and incident response.
Cultivating new capabilities, however, can be prohibitively difficult for security teams
pinched by staffing shortages and overwhelmed by the scope of ever-expanding
applications, infrastructures, and threats. The challenge most security teams face is
how to prioritize which problems to address, given the constraints they have—
distinguishing the most serious threats from the myriad of nuisance threats.
The challenge is addressed by Intelligence Driven Security, an information security
strategy that delivers the visibility, analytical insights, and corrective actions needed to
help organizations mitigate the risk of operating in a digital world. Intelligence Driven
Security enhances the speed and effectiveness of cyber threat detection and response by:
• Providing visibility into digital activity within logs, the network and at end points
• Using advanced analytics from diverse data sources to uncover hidden threats and to
guide decisions on how best to mount a targeted, effective response
• Utilizing signature-less malware detection on networks and endpoints
• Empowering security teams to be more effective through efficient processes, workflow
automation, threat intelligence, and education
To achieve Intelligence Driven Security in threat detection and response, organizations
should advance their capabilities in four areas:
1. Network and endpoint monitoring that is constant and comprehensive, including
capabilities such as full-packet capture and behavior-based threat detection on
hosts
2. Advanced analytics techniques that can sift through massive amounts of
information, such as network traffic, in near-real time to spot suspicious behaviors
and accelerate investigations
3. Malware analysis using methods that don’t rely on file signatures and go straight to
the actual behavior of executables, whether collected on the network or endpoints,
to detect hostile activity
4. Incident detection and response practices that align security personnel, processes,
and technologies to streamline and accelerate workflows so security operations
teams can spend less time on routine tasks and more time defending high-priority
assets and addressing the riskiest threats
2. Intelligence Driven Threat Detection & Response
CONTENTS
Overview..................................................................................................................... 1
A Constant State of Compromise.................................................................................. 3
Intelligence Driven Threat Detection and Response................................................ 3
Network and Endpoint Monitoring: See Everything........................................................ 4
Comprehensive visibility on networks and endpoints............................................. 4
Real-time data collection and parsing................................................................... 5
Deployment wherever monitoring is needed.......................................................... 5
Advanced Analytics: Uncovering Hidden Threats........................................................... 5
Single, integrated platform for security monitoring and analytics........................... 5
Timely analysis of Big Data...................................................................................6
Detection based on behaviors, not signatures....................................................... 7
Scalable without performance penalties............................................................... 7
Malware Analysis: Trust Nothing.................................................................................. 7
Risk-aware malware detection..............................................................................8
Centralized correlation of suspicious endpoint activity..........................................8
Prioritized alerts to accelerate malware investigation and remediation...................8
Incident Response: Fast, Focused Action......................................................................9
Practice and planning for effective breach readiness.............................................9
Data-driven incident response for faster, better results..........................................9
Consolidated context to speed investigations...................................................... 10
Conclusion................................................................................................................ 10
Intelligence Driven Threat Detection and Response Solutions from RSA........................11
page 2
3. Intelligence Driven Threat Detection & Response
A CONSTANT STATE OF COMPROMISE
Most organizations’ IT environments have been infiltrated by outside parties. In many
cases, attackers have established a persistent presence. That’s not alarmist; it’s a
reality created by a different breed of attacker taking advantage of today’s
hyperconnected networks.
Today’s most dangerous attackers aren’t part-time activists or moonlighters looking to
make mischief or a statement. They’re professionals looking to make money. They’re
nation-states looking to advance their strategic agenda. And they enjoy many
advantages.
Increasing interconnection among IT systems and applications has brought new
efficiency and opportunities for organizations. Networks are open to more partners and
supply chains to facilitate ever-more collaborative business processes. But attackers
also exploit that openness by targeting vulnerabilities in the value chain, making the
weaknesses of less secure participants a collective weakness. Meanwhile, the
virtualization and outsourcing of IT infrastructure and applications offers efficiency
advantages that have become impossible to ignore. But moving to the cloud also
moves critical IT functions off-premises, often in a range of locations with varying
policies and procedures for information security.
Today’s interconnected IT environments are harder to defend and offer many more
places for intruders to conceal their activities. Combined with the fact that many
attackers modify malware to escape detection by traditional signature-based scanning
tools such as anti-virus software, firewalls and intrusion detection systems, and it’s
clear to see that infiltration has become the new norm. The question is how well
organizations can adapt to this constant state of breach.
Stretched security teams can no longer focus exclusively on preventing infiltration.
They must balance attack prevention—an impossible goal—with complementary
competencies in attack detection and remediation. Today’s organizations may be
vulnerable to infiltration, but that doesn’t mean that data theft or business damage is
inevitable. Organizations must proactively identify and neutralize the threats inside
their IT environment before attackers achieve their objectives. The best way to do this is
by leveraging Intelligence Driven Security, a strategy for solving today’s most serious
and sensitive security challenges.
Intelligence Driven Threat Detection and Response
Intelligence Driven Security helps organizations neutralize cyber threats before they
cause significant problems. The strategy delivers the following capabilities:
• Unprecedented visibility into networks and their end points, capturing and parsing
enormous amounts of security relevant data.
• Sophisticated analytics to sift through the data, identify anomalies and then alert
organizations of potential problems tied to its information assets
• Activation of incident response processes to make threat investigation and
remediation much more efficient and effective
page 3
4. Intelligence Driven Threat Detection & Response
Intelligence Driven Security stops cyber attacks before damage is done
Free Lateral
Movement
Applying the Intelligence Driven Security strategy to incident detection and response
means organizations should cultivate capabilities in four interrelated areas that are
critical to discovering, investigating and responding to advanced attacks:
1. Network and endpoint monitoring
2. Advanced analysis of security-related data
3. Malware identification and analysis
4. Incident response and breach remediation
NETWORK AND ENDPOINT MONITORING: SEE EVERYTHING
Faced with constant streams of data moving over the network, the temptation—and
until recently, the only option—has been to focus data collection and analytics on select
problem areas. Security teams often collect and analyze logs from critical systems, but
this log-oriented approach to threat detection leaves many blind spots that
sophisticated adversaries can exploit.
Intelligence Driven Security aims to eliminate blind spots by providing comprehensive
visibility both on the network and on endpoints such as servers and employees’
computers.
Comprehensive visibility on networks and endpoints
Intelligence Driven Security solutions use logs as one of many data sources, but they
achieve far greater visibility by also incorporating network packet-capture capabilities.
Full network packet-capture means recording, parsing, normalizing, analyzing, and
reassembling all data traffic at every layer of the network stack. As network traffic is
captured, it’s analyzed and tagged to facilitate subsequent threat analysis and
investigation. Capturing and tagging network data enables security analysts to
reconstruct users’ sessions and activities to understand not just basic details such as
what time or to which IP address specific data packets were transmitted, but exactly
what information was sent in and out and the resulting damage. Full packet collection
and session reconstruction help organizations detect security anomalies and
reconstruct security incidents with certainty and detail so they can investigate their
losses and remediate problems faster and more effectively.
page 4
?
Kill Chain
Initial
Targeting Compromise
Establish
Network
Foothold
Domain
Compromise
Staging and
Exfiltration
Persistence
Intelligence
Driven Security
Needed to
Detect Here
Typical Point
of Discovery
or Notification
Late
Detection
5. Intelligence Driven Threat Detection & Response
Intelligence Driven Security solutions also provide deep visibility into activities on
endpoints, including servers and laptops. To detect suspicious endpoint activity that
could indicate malware and other threats, solutions must analyze both what is
happening in a computer’s memory and what is stored on the physical disk. By
comparing running processes to files on disk—without relying on intervening operating
systems and hypervisors, which may themselves be manipulated by malware—
organizations gain insight into whether endpoint executables and processes are
legitimate or have been maliciously injected. A deep, x-ray view of endpoints and
automated detection of suspicious activity is crucial for identifying and investigating
threats faster.
Real-time data collection and parsing
Security data such as logs, network packets, and endpoint activities are collected from
diverse sources, parsed, and stored in a way that makes the information easy to
centrally search and analyze. For example, effective network packet collection systems
parse and tag data traffic as it’s getting collected for subsequent indexing, storage, and
analysis. Internal security data and visibility are further enriched with threat intelligence
from external sources. External threat data enables organizations to learn from others’
experiences to enhance their own threat detection capabilities.
Deployment wherever monitoring is needed
When visibility is urgently needed, such as when an organization is in the middle of an
actual incident investigation, ease and speed of deployment are critical. Network and
endpoint monitoring tools can often be up-and-running wherever they’re needed within
a few days. This would include installing equipment with full packet capture capabilities
at the organization’s main network ingress and egress points, as well as capturing data
traffic to and from IT systems handling intellectual property and other high-value
information. Software agents that scan for malware activity on endpoints can usually be
pushed out to them within hours, depending on the size and scale of the
implementation.
ADVANCED ANALYTICS: UNCOVERING HIDDEN THREATS
The unprecedented visibility created by an Intelligence Driven Security strategy does
much more than capture the forensic data needed to re-create cybercrime scenes. It
creates new opportunities to be far more proactive and predictive in threat detection, so
organizations can prevent serious breaches and business damage. Intelligence Driven
Security systems enable novel approaches to analyzing and reporting on user, machine,
and resource behaviors—learning what behaviors are normal for a particular system,
user, or resource and then finding and alerting on subtle signs when something is amiss.
Intelligence Driven Security systems incorporate the following principles:
Single, integrated platform for security monitoring and analytics
Intelligence Driven Security operations centralize the monitoring, detection, analysis,
investigation and reporting of anomalies and incidents. Analysts can pivot through
terabytes of log data, metadata and re-created network sessions with just a few clicks.
Because details on both networks and endpoints are available through a centralized
system and single console, analysts don’t need to toggle among different security tools
and applications. Queries leverage this integration, saving analysts considerable time
and effort. This means investigations that once took days can now be handled in mere
minutes.
page 5
6. Intelligence Driven Threat Detection & Response
Technology integration is what makes this high degree of efficiency possible. The
analytics platform must work with a variety of tools generating security-related
information about servers, networks, endpoints and other vital IT systems. Metadata
parsing and management consolidate events, logs and network data from many
sources so they are all accessible for centralized analysis, alerting and reporting.
This integration extends beyond internal systems to the consumption of external threat
intelligence. Intelligence feeds that can be ingested directly by the analytics platform,
including open-source community intelligence, APT-tagged domains, blacklists, and
suspicious proxies, are critical to providing timely detection of security issues.
Timely analysis of Big Data
Intelligence Driven Security systems capture and analyze massive amounts of rapidly
changing data from multiple sources, pivoting on terabytes of data in real time.
Security-related analysis is stratified to enable different types of detection. For example,
data can be captured and analyzed as it traverses the network. This type of “capture
time” analysis identifies suspicious activities by looking for the tools, services,
communications and techniques often used by attackers without depending on logs,
events, or signatures from other security systems. Examples of this capture time
analysis includes the detection of non-browser software programs running HTTP,
protocols over non-traditional ports, and executables embedded in PDF files.
Additionally, these sophisticated tools can detect subtle signs of attack by correlating
events that seem innocuous in isolation but that are problematic when strung together.
Analytical techniques fuse internal inputs from various sources using metadata. These
advanced detection mechanisms also act as trip-wires that can provide early warning of
potential infiltration. Processing of these information flows happens as they occur,
meaning suspicious activities are spotted while there’s still time for security teams to
stop attacks in progress.
With Intelligence Driven Security systems, security operations teams can also perform
batch analysis on huge volumes of historical security data. Such data are needed not
only to fulfill most companies’ data retention and audit requirements but they are also
invaluable in uncovering adversarial tactics that may have taken many months to
execute and may even be ongoing. For instance, batch analysis of security data archives
can help uncover previously overlooked cyber-attacks in which illicit data was
transmitted only sporadically in small, stealthy streams over weeks or months. These
types “low and slow” attack techniques are hard to spot when they are occurring,
because they are designed to seem innocuous by taking cover under existing processes
and communication streams. These techniques usually become suspicious only when
executed in a particular pattern over a specific window of time. Detailed, automated
analyses of security data archives can discover attackers in the midst of establishing a
foothold, as well as reveal information losses those organizations may not even realize
they sustained. Oftentimes, batch analyses of security data can uncover treasure troves
of information about attacker techniques and indicators of compromise that security
teams can use in the future to detect similar attacks. Perhaps more importantly, batch
analysis techniques help organizations learn what is “typical” within an IT environment
so that future deviations from normal—which often indicate problems—can be
identified and investigated as they arise.
page 2
7. Intelligence Driven Threat Detection & Response
Detection based on behaviors, not signatures
Intelligence Driven Security systems monitor the IT environment for signs of unusual
behaviors—of people, applications, infrastructure, and communications—not just for
explicit indicators such as previously identified malware signatures or blacklisted IP
addresses or domains. Sophisticated attackers can circumvent such telltale, static
monitoring approaches by modifying lines of code, by provisioning a new virtual
machine in a public cloud, or by registering a new Internet domain as a command-and-control
or drop site. It’s much harder, though for attackers to circumvent security
monitoring systems that are watching for unusual patterns and behaviors. Sooner or
later, hostile malware or users must do something unusual that breaks with system
norms, and that is when Intelligence Driven analytic systems will find them.
For example, when it comes to detecting malware, endpoint threat detection solutions
don’t look for “known bad” files; look for suspicious behaviors. By comparing what’s
actually running in memory with what should be running based on the files residing on
the local disk, malware detection tools are better able to identify discrepancies and get
a direct, more reliable view of whether illicit code is present.
Intelligence Driven Security systems establish what “good” behavior looks like within
an IT environment by monitoring and learning a variety of machine and human
activities, from what ports on servers are typically used for outside communications to
employees’ individual log-in locations and habits. Activities observed to be outside the
norm are flagged for investigation by security analysts. If analysts dismiss an event as a
false positive, security tools can “learn” from that experience and are less likely to flag
future recurrences.
Scalable without performance penalties
Data collection and analysis are handled by a distributed computing architecture, not a
monolithic, centralized, database. By spreading the workload among many computing
nodes, organizations get faster results and a highly modular, scalable system. To
enable data gathering and analysis in a new network segment or at a branch office,
organizations simply add a new node. This modular, distributed system can scale
linearly as an organization’s data analytics requirements increase, without a
performance penalty or a big jump in cost.
MALWARE ANALYSIS: TRUST NOTHING
Hostile software that anti-virus researchers have already flagged as malicious isn’t
generally the malware used in targeted cyber-attacks. Nevertheless, some security tools
still purport to protect organizations by scanning their IT environments using the
signatures of easily altered malware.
Intelligence Driven Security systems forego signature-based scanning because of its
obvious ineffectiveness. Instead, it uses the “trust nothing” approach to malware
detection that assumes all programs are hostile, all communications are suspect, every
machine is polluted, and every operating system is corrupt.
page 3
INTELLIGENCE DRIVEN THREAT DETECTION
IN ACTION
When infiltrations go undetected, cyber
attackers typically escalate privileges, move
laterally through IT systems and
masquerade as legitimate users after
gaining domain-level access. Once attackers
reach this state, they cannot be detected
and eradicated with conventional security
tools. Instead, security teams must contain
the threat through persistent, proactive
hunting.
These principles are illustrated in a
RSA threat research report on the rising use
of Web shells in cyber attacks. A poisoned
Web shell can be a stand-alone file that only
contains Web shell code or it can inject
malicious code directly into legitimate Web
pages. Because Web shells defy traditional
definitions of malware, they are practically
undetectable by antivirus software and
other traditional security tools. Web shell
exploits confer several advantages over
Trojans and other conventional forms of
malware:
• Low detection rates because of the variety
and customization of code and because
attackers can mask their illicit activities as
normal traffic and files on Web servers
• Enables attackers to maintain low-level
persistence in the IT environment through
various methods to update and replace
malicious backdoors
• Achieves initial entry through Web
application framework exploits instead of
through spear-phishing attacks, which are
more readily identifiable
• Connectivity can be initiated from any
source address, rendering IP address
blocking ineffective
• No need for telltale beaconing activity
Please read RSA’s blog for details of how
Intelligence Driven threat detection helped
many companies identify and remediate
Web shell exploits.
8. Intelligence Driven Threat Detection & Response
Risk-aware malware detection
Advanced threat detection tools examine the behavior of machines, networks, and
processes to determine whether they are or have been compromised by malware.
Such tools do more than detect incidents; they assess risk and prioritize alerts for
remediation. Files determined to be malicious may warrant a lower prioritization score if
they’re determined to be “garden variety” malware that causes more of a nuisance than
a true threat. Conversely, files that bear no outward signs of tampering may contain a
custom-compiled executable designed to run only when it reaches certain systems or
when a covert command is given. To uncover this type of dangerous, customized
malware, advanced threat detection systems use a series of analytical techniques to
rate the risk levels of suspicious files.
For example, an organization may set a rule requiring the security system to analyze
every new executable coming into its networks. The malware detection system would
then “sandbox” new executables, running them in a quarantined environment,
recording everything they do, and elevating their risk score if suspicious behaviors are
observed, such as changing registry settings or replacing operating system DLLs. Of
course, legitimate software could also perform these actions: to integrate functions
with existing software or to install a patch, for instance. But if the new executable
demonstrates one of these behaviors along with initiating unusual network
connections, then its overall risk score skyrockets.
Intelligence Driven malware detection correlates multiple factors to make probabilistic
decisions about risk and presents prioritized alerts to human security analysts. It is
ultimately up to these analysts to decide the severity of a threat, but their decisions are
greatly accelerated and more accurate because of the background work done by their
Intelligence Driven Security tools.
Centralized correlation of suspicious endpoint activity
Scan results from endpoints are sent to a central server where known and unknown
files are identified and suspicious activity is flagged. Files (including processes, drivers,
DLLs, etc.) are analyzed and suspect levels are assigned based on the behavior
observed. File behavior can be correlated at a global level across the enterprise to
show if the potential malware is active on one machine and dormant on another.
Organizations also gain insight into how prevalent a particular file is across the
environment. For example, if a particular file is found on thousands of machines across
the enterprise, then it may be a standard IT application that can be filtered out of
security analysts’ view during an investigation. On the other hand, if a malicious file is
identified, organizations can quickly gauge the scope of the infection by instantly
showing all other machines with that same malicious file.
Prioritized alerts to accelerate malware investigation and remediation
To minimize the burden on security analysts, an Intelligence Driven approach to
malware detection learns from previous scan results and a baseline of the environment
to automatically flag unknown, suspicious files. Before scan results are presented to
analysts, they’re checked against a global repository of items that analysts have
previously investigated and whitelisted, meaning the files can be trusted. Trusted files
are removed from scan results to quickly eliminate clutter for security analysts.
page 4
9. Intelligence Driven Threat Detection & Response
Endpoint threat detection consoles do not just present a list of scan results; they also
prioritize prospective problems so analysts can identify which should be investigated
first. To speed investigations, the endpoint threat detection console provides rich
details about prospective problems. For instance, it correlates suspicious behaviors
about a file (e.g., a driver, a process, a DLL), and then reveals what’s known about the
file (e.g., file size, file attributes, MD5 file hash) through static and heuristic analysis.
Security analysts use the tools and information in the console to determine if the file is
malicious, and should be blacklisted, or non-malicious, and should be whitelisted. If an
item is deemed malicious, all occurrences of the problem across the entire IT
environment can be instantly identified. Then, once a remedy is determined, the
security operations team can perform any necessary forensics investigations and/or
clean all the affected endpoints.
INCIDENT RESPONSE: FAST, FOCUSED ACTION
The growing size and complexity of IT environments have increased the scope of
vulnerabilities, but that doesn’t mean all potential entry points present an equal risk.
When a true attack or incident is suspected, security teams must act fast to cut off
attackers within their IT environment and mitigate the damage. Doing that requires
planning, staff training and, sometimes, outside assistance.
Practice and planning for effective breach readiness
Well-prepared security teams know what the organization’s valuable information assets
are and which systems, applications and users have access to them. Awareness of
these parameters help security analysts narrow their field of investigation during a
breach so they can address problems faster and with greater confidence.
Security operations teams should conduct breach readiness assessments and
remediation drills to improve the speed and efficacy of their reactions to cyber attacks.
As part of these assessments, security teams take inventory of the high-value IT assets
that must be protected, review workflows for investigating and remediating incidents and
evaluate areas for improvement. Proactive planning and practice compels organizations
to map their security policies to their business priorities and regulatory requirements. It
enables organizations to progressively improve their capabilities in threat detection,
management and response. It optimizes staffing and skills on the security operations
team so that scarce resources are deployed to maximum effect. It also provides targeted
training to improve the incident response skills of security personnel.
Data-driven incident response for faster, better results
Security operations teams often find potential evidence of an infiltration or breach, but
must initiate an investigation to understand the cause. Often organizations explore
potential causes without success for weeks or even months. When that happens, it
helps to bring in people with specialized expertise and tools in incident response (IR).
IR specialists can deploy technologies that capture activity on networks and endpoints
in key segments of the IT environment. Based on the scans, analyses and supplemental
information these technologies generate, experienced IR professionals can usually
pinpoint where and how security breaches are occurring and shut down ongoing cyber
attacks much faster than organizations can do on their own.
page 5
10. Intelligence Driven Threat Detection & Response
Consolidated context to speed investigations
Intelligence Driven Security solutions collect a rich assortment of background and
supporting detail to aid in incident investigations. Alerts from multiple security
monitoring systems are aggregated into a single security management console, from
which analysts can drill down to see data sources, affected machines, and other
incident-related information with a few clicks of the mouse. The security management
console also integrates with enterprise risk management software to provide contextual
information on the business criticality of identified incidents and affected systems.
Priority ratings are assigned to each incident based on the information assets at stake,
the risks posed to the organization, and the seriousness of the security issue. Taken
together, this supplemental information helps analysts investigate incidents more
thoroughly, accurately, and quickly.
Additionally, Intelligence Driven Security systems ingest information from external
sources to enrich the organization’s internal security data. The security analytics
platform and management dashboard identifies, aggregates, and operationalizes the
best sources of intelligence and context from inside and outside the organization to
accelerate the analysts’ decision making and workflows.
CONCLUSION
Intelligence Driven threat detection and response helps organizations achieve
predictably high standards of security despite today’s rapidly escalating and
unpredictable threat environment. Intelligence Driven threat detection relies on gaining
full visibility into networks and endpoints and applying advanced data analytics
techniques to uncover malware without using hashes or signatures exclusively.
Intelligence Driven threat response is led by experienced security personnel who are
aided in their work by advanced security analytics and management tools. These tools
greatly improve the speed and accuracy of security investigations by providing complete
context around incidents from within a single management console and by prioritizing
potential problems for further evaluation.
Intelligence Driven Security enables unprecedented efficiencies in threat detection and
response, because it optimizes how an organization’s security personnel, processes
and technologies work together as a whole. Tools are integrated to enhance security
analysts’ visibility and understanding and to enable centralized analysis and reporting.
Tools also guide investigative workflows and remediation processes based on proven
procedures and the organization’s policies. By supporting security teams with a
harmonized set of tools and processes, organizations can minimize the time that
security analysts must spend on routine processes and free them up to focus on
neutralizing high-priority threats. The end result is stronger, more agile security that not
only helps organizations overcome their top security threats but also operate in the
digital world with greater confidence.
page 4
11. Intelligence Driven Threat Detection & Response
INTELLIGENCE DRIVEN THREAT DETECTION AND RESPONSE
SOLUTIONS FROM RSA
RSA® Advanced Cyber Defense Practice provides a holistic range of solutions to help
clients protect their organizational mission, drive operational efficiencies and evolve
with a dynamic threat environment. Targeted attacks often focus on the theft of critical
assets and data and utilize techniques that bypass traditional defenses. RSA helps
organizations enhance their existing security capabilities and implement
countermeasures designed to prevent cyber adversaries from achieving their objectives.
Services offered by RSA include gap analysis, maturity modeling, cyber threat
intelligence, infrastructure hardening and security operations development and
automation. Services are designed to help organizations converge their technical and
operational capabilities into a unified security program that aligns with risk
management priorities and business objectives. RSA emphasizes the preventive
measures required to protect the organization while also providing incident response
and remediation services to reduce breach exposure time and to mitigate attacks.
RSA® Education Services provide training courses on information security geared to IT
staff, software developers, security professionals and an organization’s general
employees. Courses are taught by security experts from RSA’s Advanced Cyber Defense
Practice and combine theory, technology, and scenario-based exercises to engage
participants in active learning. The current curriculum covers topics such as malware
analysis and cyber threat intelligence. RSA Education Services also offers a workshop
on addressing advanced threats such as APTs. Courses are designed to deliver the
maximum amount of information in the shortest period to minimize staff downtime.
RSA® Enterprise Compromise Assessment Tool (ECAT) is an enterprise threat detection
and response solution designed to monitor and protect IT environments from
undesirable software and the most elusive malware—including deeply hidden rootkits,
advanced persistent threats (APTs) and unidentified viruses. RSA ECAT automates the
detection of anomalies within computer applications and memory without relying on
virus signatures. Instead of analyzing malware samples to create signatures, RSA ECAT
establishes a baseline of anomalies from “known good” applications, filtering out
background noise to uncover malicious activity in compromised machines. The RSA
ECAT console presents a centralized view of activities occurring within a computer’s
memory, which can be used to quickly identify malware, regardless of whether a
signature exists or if the malware has been seen before. Once a single malicious
anomaly is identified, RSA ECAT can scan across thousands of machines to identify
other endpoints that have been compromised or are at risk.
page 5