© Copyright 2011 EMC Corporation. All rights reserved.
Security. Risk Management. Compliance.
Richard Nichols, NetWitness Operations Director, RSA
Old World: Static Security
Static (Bolt-On) Defenses: Signature-Based, At Perimeter
Static Infrastructure: Physical, IT Controlled
Static Attacks: Generic, Code-Based
New World: Advanced Security
Dynamic (Built-In) Defenses: Analytics & Risk-Based
Dynamic Infrastructure: Virtual, User-Centric (Public Clouds, Hybrid Cloud)
Advanced Attacks: Targeted, Human-Based
In the world of cloud and big data, trust and security are essential.
Building Trust In The Cloud
Hybrid Cloud Infrastructure: Private and Public
Tenets of Cloud Security (Trust): Governance, Visibility, Controls
RSA Approach (across Cloud, Mobility and Network)
Governance: Manage Business Risk, Policies and Workflows
Intelligent Controls: Rapid Response and Containment
Advanced Visibility and Analytics: Collect, Retain and Analyze Internal and External Intelligence
RSA Approach: Product Mapping (across Cloud, Mobility and Network)
Governance: RSA Archer eGRC Suite
Advanced Visibility and Analytics: RSA NetWitness, RSA NetWitness Spectrum, RSA NetWitness Live, RSA enVision, RSA DLP Suite, RSA FraudAction, RSA CCI, RSA eFraud Network
Intelligent Controls: RSA Adaptive Authentication, RSA Access Manager, RSA SecurID, RSA Transaction Monitoring, RSA Federated Identity Manager, RSA Data Protection, RSA DLP Suite, RSA BSAFE
Anatomy of an Attack
Attack Scenario
1. Phishing email: John received a phishing email that was customized for him.
2. Drive-by download: John clicked on the link and was infected by a Trojan from a drive-by download.
3. Attacker gains access to a critical server: the Trojan installed a backdoor that allows a reverse connection to the infected machine. The attacker dumped password hashes and gained access to a critical server via RDP.
4. Data exfiltration: the attacker encrypted sensitive files found on the critical server and transferred them out via FTP.
DLP detected file transfer activity
DLP Network detects a transfer of an encrypted file over the FTP protocol.
Correlation alert triggered from enVision
enVision generates an alert from two correlated events:
1. Successful RDP connection to the critical server
2. DLP activity on the same server
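The two-event correlation this slide describes, written out as an added example (not enVision or Archer code): a successful RDP logon to a critical server followed within a time window by DLP activity on that same server yields one incident, with the priority taken from an asset list that stands in for Archer's business context. The key=value log format, the asset list and every address except John's 192.168.100.142 are constructed for the example.

```python
"""Correlate RDP access with DLP activity on a critical server.

Added example, not RSA enVision/Archer code. Log lines use a constructed,
simplified key=value syslog style; only 192.168.100.142 comes from the slides.
"""
from datetime import datetime, timedelta

# Constructed asset inventory standing in for Archer's business context.
CRITICAL_SERVERS = {"10.10.5.20": {"name": "fin-db-01", "criticality": "HIGH"}}

# Constructed sample events: RDP logon to the critical server from John's
# machine, a failed logon elsewhere, then DLP alerts for encrypted FTP uploads.
SAMPLE_LOGS = [
    "2011-09-14T09:02:11 dev=winsec event=rdp_logon result=success src=192.168.100.142 dst=10.10.5.20 user=svc_backup",
    "2011-09-14T09:05:40 dev=winsec event=rdp_logon result=failure src=192.168.100.142 dst=10.10.5.21 user=admin",
    "2011-09-14T09:31:02 dev=dlp event=file_transfer proto=ftp encrypted=true src=10.10.5.20 dst=203.0.113.77 bytes=48230441",
    "2011-09-14T11:15:00 dev=dlp event=file_transfer proto=ftp encrypted=true src=10.10.5.30 dst=203.0.113.77 bytes=1200",
]


def parse(line):
    """Split 'timestamp k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.fromisoformat(ts)
    return event


def correlate(lines, window=timedelta(hours=1)):
    """Return one incident per DLP event on a critical server that had a
    successful RDP logon no more than `window` earlier. Non-critical servers
    (not in the inventory) and failed logons never produce incidents."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    rdp_by_server = {}  # server address -> successful RDP logons seen so far
    incidents = []
    for ev in events:
        if ev["event"] == "rdp_logon" and ev["result"] == "success":
            rdp_by_server.setdefault(ev["dst"], []).append(ev)
        elif ev["dev"] == "dlp" and ev["src"] in CRITICAL_SERVERS:
            asset = CRITICAL_SERVERS[ev["src"]]
            for rdp in rdp_by_server.get(ev["src"], []):
                if timedelta(0) <= ev["ts"] - rdp["ts"] <= window:
                    incidents.append({
                        "server": asset["name"],
                        "priority": asset["criticality"],   # business context
                        "rdp_source": rdp["src"],
                        "rdp_user": rdp["user"],
                        "dlp_destination": ev["dst"],
                        # Time span an analyst would pivot into full session detail.
                        "pivot_window": (rdp["ts"].isoformat(), ev["ts"].isoformat()),
                    })
    return incidents
```

Running `correlate(SAMPLE_LOGS)` yields a single HIGH incident on fin-db-01 whose RDP source is 192.168.100.142; the second DLP alert is dropped because 10.10.5.30 is not a critical asset.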
Incident escalation to Archer Dashboard
• enVision alerts are sent to RSA Archer via RCF
• RSA Archer links this incident with business context and prioritizes it as HIGH priority
Seamless integration with NetWitness
• Instant integration from the Archer Console to NetWitness with two clicks
• SIEMLink transparently retrieves full session detail from NextGen
Spectrum Automated Malware Analysis
Spectrum instantly provides detailed analysis of the executable file in question
Interactive Analysis with Investigator
Context of all network activities to/from critical server
Confirm John's machine (192.168.100.142) as the source of the RDP session
Interactive Analysis with Investigator
Drill into all network sessions from John's machine:
• Small executable file
• Transferred over HTTP
• Suspicious filename & extension
• Suspicious domain name
• Malware?!?
Lessons Learned
• Continuous Monitoring
• Network Segregation
• Firewall blocking of FTP transmitting to external unauthorized servers
• Data encryption or tokenization for sensitive data on the server
• Server access restriction
• Strong Authentication of users and admins
DLP Network detects a transfer of an encrypted file over the FTP protocol.
RSA NetWitness – what is it and why do I need it?
Threats are Evolving Rapidly
Nation state actors: PII, government, defense industrial base, IP-rich organizations
Criminals, from petty criminals to organized crime: organized, sophisticated supply chains (PII, financial services, retail)
Non-state actors, terrorists, anti-establishment vigilantes and "hacktivists": PII, government, critical infrastructure
The spectrum runs from unsophisticated actors hitting targets of opportunity to organized, sophisticated operations.
Advanced Threats
83% of organizations believe they have been the victim of an Advanced Threat
65% of organizations don't believe they have sufficient resources to prevent Advanced Threats
Source: Ponemon Institute survey, "Growing Risk of Advanced Threats"
99% of breaches led to data compromise within "days" or less
85% of breaches took "weeks" or more to discover
Source: Verizon 2012 Data Breach Investigations Report
Attacker Free Time (timeline figure; phase labels recovered from the slide)
Attacker timeline: Target Analysis, Attack Set-up, Access Probe, Attack Begins, System Intrusion, Attacker Surveillance, Leap Frog Attacks Complete, Discovery / Persistence, Maintain foothold, Cover-up Starts, Cover-up Complete
Defender timeline: Attack Forecast, Physical Security, Monitoring & Controls, Defender discovery, System Reaction, Damage Identification, Attack Identified, Incident Reporting, Threat Analysis, Impact Analysis, Response, Containment & eradication, Recovery
Need to collapse attacker free time (the gap between intrusion and defender discovery)
Source: NERC HILF Report, June 2010 (http://www.nerc.com/files/HILF.pdf)
New Security Concept: "OFFENSE IN DEPTH"
RSA NetWitness Is…
• A revolutionary approach to enterprise network monitoring
• A platform for pervasive visibility into content and behavior
• Providing precise and actionable intelligence
Know Everything. Answer Anything.
Know Everything…Answer Anything
» Why are packed or obfuscated executables being used on our systems?
» What critical threats are my Anti-Virus and IPS missing?
» I am worried about targeted malware and APTs: how can I fingerprint and analyze these activities in my environment?
» We need to better understand and manage the risks associated with insider threats: I want visibility into end-user activity and to be alerted on certain types of behavior.
» On our high value assets, how can we have certainty that our security controls are functioning exactly as implemented?
» How can I detect new variants of Zeus or other 0day malware on my network?
» We need to examine critical incidents as if we had an HD video camera recording it all…
Invest in Certainty. Invest in Agility.
Enabling A Revolution in Network Monitoring: NetWitness Product Tour
Understanding the NetWitness Network Monitoring Platform
Network traffic
Logs
Fusion of Threat Intelligence
Normalized Data, Application Layer Context
NetWitness Components
Appliances
• Decoder - Real-time, distributed, highly configurable network recording appliance (full packet)
• Concentrator and Broker - Aggregate and analyze data across multiple capture locations; Request-brokering across entire infrastructure
• Eagle - Portable hybrid appliance combining elements of Decoder, Concentrator and Investigator in a field-deployable solution
Applications
• Informer – Visualization, reporting, alerting and live charting server
• Investigator Enterprise – Interactive analysis with NetWitness appliances
• Live - Real-time integration of the collective intelligence of the world with your data.
• Spectrum – Automated malware prioritization and analysis
• SIEMLink - Provides immediate access to NetWitness analytics from within your IDS or SIEM console
• SDK/API - Free for rapid development of any conceivable network analysis application
Automated Analysis, Reporting and Alerting
Informer
• Flexible dashboard, chart and summary displays for a unified view of threat vectors
• Automated answers to any question: Network Security, Security / HR, Legal / R&D / Compliance, IT Operations
• HTML, CSV and PDF report formats included
• Supports CEF, SNMP, syslog and SMTP data push for full integration in a SIEM
Getting Answers to the Toughest New Questions
Investigator
• Interactive data-driven session analysis of layer 2-7 content
• Award-winning, patented, port agnostic session analysis
• Infinite freeform analysis paths and content / context investigation points
• Data presented as the user experienced it (Web, Voice, Files, Emails, Chats, etc.)
• Supports massive data-sets: instantly navigate terabytes of data; analysis that once took days now takes minutes
• Freeware version used by over 50,000 security experts worldwide
Signature-Free, Automated Malware Analysis, Prioritization, and Workflow
Spectrum
• Mimics the techniques of leading malware analysts
• Leverages NetWitness Live by fusing information from leading threat intelligence and reputation services
• Utilizes NetWitness' pervasive network monitoring capability for full network visibility
• Provides transparency and efficiency to malware analytic processes by delivering complete answers
Threat Intelligence Delivery System
Live
• Automates insight into advanced threats
• Leverages the global security community to correlate and illuminate the most pertinent information
• Fuses intelligence with your network data in real-time
• Solutions to problem-sets: Advanced threats, Malware, BOTNets, Policy/Audit, Enterprise Monitoring, Fraud, User Attribution, Risk prioritization
• Prioritized and detailed reporting
Thank you!