Page 1

Security. Risk Management. Compliance.

Richard Nichols, NetWitness Operations Director, RSA

© Copyright 2011 EMC Corporation. All rights reserved.

Transcript

Page 2

Old World: Static Security

• Static (Bolt-On) Defenses: signature-based, at the perimeter
• Static Infrastructure: physical, IT-controlled
• Static Attacks: generic, code-based

Page 3

New World: Advanced Security

• Dynamic (Built-In) Defenses: analytics and risk-based
• Dynamic Infrastructure: virtual, user-centric (public clouds, hybrid cloud)
• Advanced Attacks: targeted, human-based

Page 4

IN THE WORLD OF CLOUD AND BIG DATA, TRUST AND SECURITY ARE ESSENTIAL

Page 5

Building Trust In The Cloud

Hybrid Cloud Infrastructure: private and public

Tenets of Cloud Security, built around trust: governance, visibility, controls

Page 6

RSA Approach (across Cloud, Mobility and Network)

• Governance: manage business risk, policies and workflows
• Intelligent Controls: rapid response and containment
• Advanced Visibility and Analytics: collect, retain and analyze internal and external intelligence

Page 7

RSA Approach: product mapping (across Cloud, Mobility and Network)

• Governance: RSA Archer eGRC Suite
• Advanced Visibility and Analytics: RSA NetWitness, RSA NetWitness Spectrum, RSA enVision, RSA DLP Suite, RSA FraudAction, RSA CCI, RSA eFraud Network, RSA NetWitness Live
• Intelligent Controls: RSA Adaptive Authentication, RSA Access Manager, RSA SecurID, RSA Transaction Monitoring, RSA Federated Identity Manager, RSA Data Protection, RSA DLP Suite, RSA BSAFE

Page 8

Anatomy of an Attack

Page 9

Attack Scenario

1. Phishing email: John received a phishing email that was customized for him.
2. Drive-by download: John clicked the link and was infected by a Trojan from a drive-by download.
3. Attacker gains access to a critical server: the Trojan installed a backdoor that allows a reverse connection to the infected machine. The attacker dumped password hashes and gained access to a critical server via RDP.
4. Data exfiltration: the attacker encrypted the sensitive files found on the critical server and transferred them out via FTP.

Page 10

DLP detected file transfer activity

DLP Network detects the transfer of an encrypted file over the FTP protocol.

Page 11

Correlation alert triggered from enVision

enVision generates an alert from two correlated events:
1. Successful RDP connection to the critical server
2. DLP activity on the same server

Page 12

Incident escalation to Archer Dashboard

• enVision alerts are sent to RSA Archer via RCF
• RSA Archer links this incident with business context and prioritizes it as HIGH priority

Page 13

Seamless integration to NetWitness

• Instant integration from the Archer console to NetWitness with two clicks
• SIEMLink transparently retrieves full session detail from NextGen

Page 14

Spectrum Automated Malware Analysis

Spectrum instantly provides a detailed analysis of the executable file in question.

Page 15

Interactive Analysis with Investigator

Context of all network activity to and from the critical server

Confirm John's machine (192.168.100.142) as the source of the RDP session

Page 16

Interactive Analysis with Investigator

Drill into all network sessions from John's machine:

• Suspicious domain name
• Small executable file
• Transferred over HTTP
• Suspicious filename and extension
• Malware?!?
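The correlation rule from page 11, the business-context prioritization from page 12 and the Investigator pivot from pages 15 and 16, as an added worked example that is not part of the deck and not RSA code. Everything in it is constructed for illustration: the key=value log format, the log lines, the host names, the RFC 5737 destination 203.0.113.45 and the cdn-updat3.example domain are assumptions, and the small asset table stands in for the business context that Archer supplies. The rule fires only when a successful RDP logon to a server is followed, within a time window, by DLP activity on that same server; the pivot then lists the RDP source host's HTTP sessions that fetched a small executable, which is exactly the pair of tells the slide calls out.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical "TS key=value ..." format
# (not enVision, DLP or NetWitness output): two web sessions from John's
# workstation, an RDP logon to the critical server, a DLP event on that
# server and an unrelated RDP logon to a lab box.
SAMPLE_LOGS = """\
2011-09-14T09:40:58Z src=web host=WS-JOHN src_ip=192.168.100.142 proto=http domain=www.example.org url=/index.html size=183321
2011-09-14T09:41:05Z src=web host=WS-JOHN src_ip=192.168.100.142 proto=http domain=cdn-updat3.example url=/dl/flash_update.exe size=48214
2011-09-14T10:02:11Z src=rdp host=FS-CRIT-01 src_ip=192.168.100.142 user=john result=success
2011-09-14T10:04:30Z src=dlp host=FS-CRIT-01 proto=ftp dst_ip=203.0.113.45 file=q3_accounts.zip.enc content=encrypted
2011-09-14T11:15:00Z src=rdp host=FS-LAB-07 src_ip=192.168.100.17 user=alice result=success
"""

# Constructed asset register standing in for the business context Archer adds.
ASSETS = {"FS-CRIT-01": "critical", "FS-LAB-07": "low", "WS-JOHN": "low"}

WINDOW = timedelta(minutes=30)                      # assumed correlation window
EXEC_EXTENSIONS = (".exe", ".dll", ".scr", ".com", ".pif")


def parse_line(line):
    """Turn 'TS k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for token in rest.split():
        key, _, value = token.partition("=")
        event[key] = value
    return event


def parse_logs(text):
    """Parse all non-empty lines and order them by timestamp."""
    return sorted((parse_line(l) for l in text.splitlines() if l.strip()),
                  key=lambda e: e["ts"])


def prioritize(host):
    """Archer step: the same alert is HIGH on a critical asset, MEDIUM elsewhere."""
    return "HIGH" if ASSETS.get(host) == "critical" else "MEDIUM"


def correlate(events, window=WINDOW):
    """enVision rule from the deck: a successful RDP logon to a server
    followed, within `window`, by DLP activity on that same server."""
    rdp_logons = defaultdict(list)
    alerts = []
    for event in events:            # time-ordered, so a logon precedes its DLP event
        if event.get("src") == "rdp" and event.get("result") == "success":
            rdp_logons[event["host"]].append(event)
        elif event.get("src") == "dlp":
            for logon in rdp_logons[event["host"]]:
                if event["ts"] - logon["ts"] <= window:
                    alerts.append({
                        "host": event["host"],
                        "rdp_src": logon["src_ip"],
                        "user": logon["user"],
                        "exfil": f'{event.get("proto")} {event.get("file")} -> {event.get("dst_ip")}',
                        "priority": prioritize(event["host"]),
                    })
    return alerts


def pivot_http_executables(events, src_ip, max_size=1_000_000):
    """Investigator step: every HTTP session from the RDP source host that
    fetched a small executable (extension and size are the slide's tells)."""
    hits = []
    for event in events:
        if event.get("src") != "web" or event.get("src_ip") != src_ip:
            continue
        if event.get("proto") != "http":
            continue
        url = event.get("url", "")
        size = int(event.get("size", 0))
        if url.lower().endswith(EXEC_EXTENSIONS) and size <= max_size:
            hits.append((event["domain"], url, size))
    return hits


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    for alert in correlate(evs):
        print(alert)
        for domain, url, size in pivot_http_executables(evs, alert["rdp_src"]):
            print(f"  {alert['rdp_src']} fetched {url} ({size} bytes) from {domain}")
```

Run stand-alone, the script raises one HIGH alert for FS-CRIT-01 attributed to 192.168.100.142 and then surfaces the 48 KB flash_update.exe download from the suspicious domain; the lab-server logon produces nothing because no DLP event follows it. In a real deployment the window, the asset register and the executable heuristics would come from the SIEM, the GRC tool and the capture platform respectively.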

Page 17

Lessons Learned

• Continuous monitoring
• Network segregation
• Firewall blocking of FTP transmissions to unauthorized external servers
• Data encryption or tokenization for sensitive data on the server
• Server access restriction
• Strong authentication of users and admins

(In the scenario, DLP Network detected the transfer of an encrypted file over the FTP protocol.)

Page 18

RSA NetWitness – what is it and why do I need it?

Page 19

Threats are Evolving Rapidly

• Nation state actors: PII, government, defense industrial base, IP-rich organizations
• Criminals, from petty criminals to organized crime: organized, sophisticated supply chains (PII, financial services, retail)
• Non-state actors (terrorists, anti-establishment vigilantes, "hacktivists"): PII, government, critical infrastructure
• Actors range from unsophisticated, hitting targets of opportunity, to highly organized

Page 20

Advanced Threats

• 83% of organizations believe they have been the victim of an advanced threat
• 65% of organizations don't believe they have sufficient resources to prevent advanced threats

Source: Ponemon Institute survey, "Growing Risk of Advanced Threats"

• 99% of breaches led to data compromise within "days" or less
• 85% of breaches took "weeks" or more to discover

Source: Verizon 2012 Data Breach Investigations Report

Page 21

ATTACKER FREE TIME (timeline chart)

Attacker timeline: attack set-up, target analysis, attack forecast, access probe, attack begins, system intrusion, attacker surveillance, discovery / persistence, maintain foothold, leap-frog attacks, cover-up starts, cover-up complete.

Defender timeline: physical security, monitoring & controls, defender discovery, attack identified, incident reporting, threat analysis, impact analysis, response, identification, containment & eradication, recovery; system reaction damage accumulates until the incident is complete.

Attacker free time is the interval between system intrusion and defender discovery.

Need to collapse attacker free time.

Source: NERC HILF Report, June 2010 (http://www.nerc.com/files/HILF.pdf)

New Security Concept: "OFFENSE IN DEPTH"

Page 22

RSA NetWitness Is…

• A revolutionary approach to enterprise network monitoring
• A platform for pervasive visibility into content and behavior
• Providing precise and actionable intelligence

Know Everything. Answer Anything.

Page 23

Know Everything…Answer Anything

» Why are packed or obfuscated executables being used on our systems?
» What critical threats are my anti-virus and IPS missing?
» I am worried about targeted malware and APTs: how can I fingerprint and analyze these activities in my environment?
» We need to better understand and manage the risks associated with insider threats: I want visibility into end-user activity and to be alerted on certain types of behavior.
» On our high-value assets, how can we have certainty that our security controls are functioning exactly as implemented?
» How can I detect new variants of Zeus or other 0-day malware on my network?
» We need to examine critical incidents as if we had an HD video camera recording it all…

Invest in Certainty. Invest in Agility.

Page 24

Enabling A Revolution in Network Monitoring: NetWitness Product Tour

Page 25

Understanding the NetWitness Network Monitoring Platform

Network traffic and logs are captured, fused with threat intelligence, and presented as normalized data with application-layer context.

Page 26

NetWitness Components

Appliances

• Decoder – Real-time, distributed, highly configurable network recording appliance (full packet capture)
• Concentrator and Broker – Aggregate and analyze data across multiple capture locations; request brokering across the entire infrastructure
• Eagle – Portable hybrid appliance combining elements of Decoder, Concentrator and Investigator in a field-deployable solution

Applications

• Informer – Visualization, reporting, alerting and live charting server
• Investigator Enterprise – Interactive analysis with NetWitness appliances
• Live – Real-time integration of the collective intelligence of the world with your data
• Spectrum – Automated malware prioritization and analysis
• SIEMLink – Provides immediate access to NetWitness analytics from within your IDS or SIEM console
• SDK/API – Free, for rapid development of any conceivable network analysis application

Page 27

Automated Analysis, Reporting and Alerting: Informer

• Flexible dashboard, chart and summary displays for a unified view of threat vectors
• Automated answers to any question: network security; security / HR; legal / R&D / compliance; IT operations
• HTML, CSV and PDF report formats included
• Supports CEF, SNMP, syslog and SMTP data push for full integration with a SIEM
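Pushing an alert to a SIEM in CEF, the first of the formats the slide lists, as an added example that is not Informer's own code: the vendor, product and version strings, the signature ID and the alert fields are placeholders. The part that bites in practice is escaping. A pipe in the event name, or an equals sign or backslash in an extension value (a Windows path, for instance), breaks the receiver's parser unless it is escaped per the CEF:0 rules, which differ between the header (escape backslash and pipe) and the extension (escape backslash, equals and line breaks). The formatter applies both sets of rules and the parser shows how a SIEM recovers the original values.

```python
import re


def _escape_header(value):
    """CEF header fields: backslash and pipe must be escaped."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _escape_extension(value):
    """CEF extension values: backslash, equals and line breaks must be escaped."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(vendor, product, version, signature_id, name, severity, extension):
    """Build one line: CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|k=v k=v."""
    severity = int(severity)
    if not 0 <= severity <= 10:
        raise ValueError("CEF severity must be 0..10")
    header = "|".join(_escape_header(v) for v in
                      (vendor, product, version, signature_id, name, severity))
    ext = " ".join(f"{k}={_escape_extension(v)}" for k, v in extension.items())
    return f"CEF:0|{header}|{ext}"


def _split_header(line):
    """Split on unescaped pipes, consuming escape pairs as we go; returns the
    seven header fields (including the leading 'CEF:0') and the raw extension."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):       # escaped char: keep it literally
            cur.append(line[i + 1])
            i += 2
        elif ch == "|":                            # unescaped field separator
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    return fields, line[i:]


def _unescape_extension(value):
    """Undo _escape_extension: \\n and \\r become line breaks, \\X becomes X."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line):
    """Inverse of to_cef, as a SIEM receiver needs it."""
    fields, ext = _split_header(line)
    if len(fields) != 7 or fields[0] != "CEF:0":
        raise ValueError("not a CEF:0 line")
    extension = {}
    # A new key starts only after whitespace at a token that looks like key=;
    # an escaped \= inside a value does not match the lookahead.
    for part in (re.split(r"\s+(?=[^\s=\\]+=)", ext) if ext else []):
        key, _, value = part.partition("=")
        extension[key] = _unescape_extension(value)
    return {"vendor": fields[1], "product": fields[2], "version": fields[3],
            "signature_id": fields[4], "name": fields[5],
            "severity": int(fields[6]), "extension": extension}


if __name__ == "__main__":
    # Placeholder alert modelled on the deck's scenario (constructed values).
    line = to_cef("RSA", "NetWitness Informer", "9.x", "rdp-dlp-corr",
                  "RDP logon | DLP event on critical server", 9,
                  {"src": "192.168.100.142", "dhost": "FS-CRIT-01",
                   "fname": "C:\\Users\\john\\flash_update.exe", "msg": "size=48214"})
    print(line)
    print(parse_cef(line))
```

The header pipe in the event name and the backslashes and equals sign in the extension survive the round trip only because of the escaping; drop either escape function and the receiver either mis-counts header fields or splits a value in the wrong place. Severity is range-checked because CEF defines it as 0 to 10 and many receivers reject anything else.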

Page 28

Getting Answers to the Toughest New Questions: Investigator

• Interactive data-driven session analysis of layer 2-7 content
• Award-winning, patented, port-agnostic session analysis
• Infinite freeform analysis paths and content/context investigation points
• Data presented as the user experienced it (web, voice, files, emails, chats, etc.)
• Supports massive data sets: instantly navigate terabytes of data; analysis that once took days now takes minutes
• Freeware version used by over 50,000 security experts worldwide

Page 29

Signature-Free, Automated Malware Analysis, Prioritization, and Workflow: Spectrum

• Mimics the techniques of leading malware analysts
• Leverages NetWitness Live by fusing information from leading threat intelligence and reputation services
• Utilizes NetWitness' pervasive network monitoring capability for full network visibility
• Provides transparency and efficiency to malware analytic processes by delivering complete answers

Page 30

Threat Intelligence Delivery System: Live

• Automates insight into advanced threats
• Leverages the global security community to correlate and illuminate the most pertinent information
• Fuses intelligence with your network data in real time
• Solutions to problem sets: advanced threats, malware, botnets, policy/audit, enterprise monitoring, fraud, user attribution, risk prioritization
• Prioritized and detailed reporting

Page 31

Thank you!