Cyber attackers are better funded, more focused, and more successful than ever. Making matters worse, defenders have more IT territory to protect, including public cloud, virtual infrastructure, mobile, Internet of Things, and an expanding list of users, applications, and data. An evolution in security strategies is underway, shifting from a purely preventive approach to one that is more balanced across prevention, monitoring, and response. In this session, we delve into key innovations that enable a more effective defense and how RSA’s NetWitness suite is delivering many of these innovations.
MT 117 Key Innovations in Cybersecurity
1. Key Innovations in Cybersecurity
THE SHIFT TO DETECTION AND RESPONSE
SESSION MT117
BEN SMITH CISSP CRISC @BEN_SMITH
2. Dell - Internal Use - Confidential
Who here is an IT security professional?
3. What you will NOT hear from me today…
• “It’s not about if you get breached; it's when you get breached.”
• “Even large enterprises that have millions of dollars to spend on
security got breached, so everyone is at risk.”
• “The breaches we have seen so far are just the beginning – bigger
breaches are coming.”
• “Legacy security technologies are of limited value in the face of
advanced persistent threats.”
• “Security incidents can put you out of business.”
Gartner, “The Future of Security Sales Revolves Around Digital Risk” (May 2015) [G00278090]
4. Material gaps in detecting, investigating cyber-attacks
24%
Organizations satisfied with their current ability to detect and investigate
Organizations unable to investigate attacks very quickly using their current data & toolsets
92%
Organizations unable to detect attacks very quickly using their current data and toolsets
89%
RSA, “Threat Detection Effectiveness Survey” (2016), https://www.rsa.com/en-us/perspectives/resources/threat-detection-effectiveness
5. Material gaps in detecting, investigating cyber-attacks (continued)
< 5%
Organizations who know their split of investment between prevention and detection/response
Cybersecurity budget allocation for rapid detection and response approaches [2015]
60%
Cybersecurity budget allocation for rapid detection and response approaches [2020 prediction]
< 20%
Gartner, “Shift Cybersecurity Investment to Detection and Response” (Tirosh & Proctor, 2016) [G00292536]
6. Agenda
• On the Offense: Cybercrime = a modern business model!
• On the Defense: Legacy tools and approaches
• The mandatory shift from prevention ► detection & response
• Innovation in cybersecurity: technology, processes, procedures
• “Business-Driven Security” and the RSA NetWitness Suite
7. The Scrap Value of a Hacked PC
Brian Krebs, “The Scrap Value of a Hacked PC, Revisited” (2012), http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/
8. Attack sophistication vs. intruder technical knowledge
CERT Software Engineering Institute (SEI) at Carnegie Mellon University (2011) [via INSA report: http://www.oss-institute.org/storage/documents/Resources/studies/insa_cyber_intelligence_2011.pdf]
9. Attack Surface
• Individual computers (corporate, personal)
• Mobile devices
• Internet of Things (IoT)
• Virtualization
• Cloud computing
10. Cybercrime market: not easy to size, but BIG!
“The black market can be more profitable than the illegal drug trade: links to end-users are more direct, and because worldwide distribution is accomplished electronically, the requirements are negligible. This is because a majority of players, goods, and services are online-based and can be accessed, harnessed, or controlled remotely, instantaneously. ‘Shipping’ digital goods may only require an email or download, or a username and password to a locked site. This enables greater profitability.”
RAND, “Markets for Cybercrime Tools and Stolen Information: Hackers’ Bazaar” (2014), http://www.rand.org/pubs/research_reports/RR610.html; World Economic Forum, “The Global Risks Report” (2016), https://www.weforum.org/reports/the-global-risks-report-2016/;
RSA, “Current State of Cybercrime” (2016), https://www.rsa.com/en-us/perspectives/resources/2016-current-state-of-cybercrime
"The Internet of Things is a growing reality, introducing new efficiencies as well as new vulnerabilities and interconnected consequences. Recent technological advances have been beneficial in many respects, but have also opened the door to a growing wave of cyberattacks – including economic espionage, cybercrime, and even state-sponsored exploits – that are increasingly perpetrated against businesses."
In a six month study, RSA uncovered more than 500 fraud-dedicated social media groups around the world with an estimated total of more than 220,000 members. More than 60 percent, or approximately 133,000 members, were found on Facebook alone. The types of information openly shared in social media include live compromised financial information such as credit card numbers with PII and authorization codes, cybercrime tutorials, malware and hacking tools, and cash out and muling services.
11. The industrialization of cybercrime
Specialization
Division of Labor
12. Cybercrime…is a business!
Sophos, “TeslaCrypt ransomware attacks gamers – ‘all your files are belong to us!’” https://nakedsecurity.sophos.com/2015/03/16/teslacrypt-ransomware-attacks-gamers-all-your-files-are-belong-to-us/
13. Different levels of participants in the underground market
RAND, “Markets for Cybercrime Tools and Stolen Information: Hackers’ Bazaar” (2014), http://www.rand.org/pubs/research_reports/RR610.html
14. Everything you might need is available “on the market”
• Web infrastructure & core applications
• Multi-lingual call centers ready to impersonate / support
• Application development tools & technical services
• Rentable cybercrime infrastructure (including ready-to-use botnets)
• Anonymized payment systems (BTC)
• Research & development (zero-day research)
15. Organizations face difficult security challenges
GROWING SHORTAGE OF SKILLED SECURITY STAFF
A real scarcity of skilled security analysts forces enterprises to get creative to combat threats and protect the enterprise.
A GREATLY EXPANDING ATTACK SURFACE
More endpoints in the enterprise, in the field, and in the cloud means more potential entry points for attacks.
MORE SOPHISTICATED ATTACK CAMPAIGNS
The days of simple malware or APTs are gone. Today’s attacks are targeted, lengthy, and multifaceted.
16. So they take preventive steps to protect themselves
[Figure: layered preventive controls (NGFW, IDS / IPS, SIEM, NGFW) placed in front of endpoints and confidential data]
80% of security staff, budget, and activity is generally dedicated to preventive action
17. But breaches still occur…what’s happening?
[Figure: the same preventive layers (NGFW, IDS / IPS, SIEM, NGFW) in front of endpoints and confidential data, each annotated with what it misses]
• NGAV misses the UNKNOWN, NEW threat
• NGFW has no rule for / against the threat traffic
• IPS has no signature for the threat packets
• SIEM captures logs, but will it trigger an alert?
How big is the compromise?
How long has it been there?
Just how bad is this?
What did the attacker do?
Missing the little things rapidly adds up to one bigger problem
18.
SECURITY DETAIL
• Account lockouts
• Failed user access attempts
• Web shell deletions
• Buffer overflows
• SQL injections
• Cross-site scripting
• Denial-of-service
• IDS/IPS events
• Incident-level fixes
BUSINESS RISK
• How bad is it?
• Who was it?
• How did they get in?
• What information was taken?
• What are the legal implications?
• Is it under control?
• What are the damages?
• What do we tell people?
19. Why does the gap exist?
• Lack of context & ability to prioritize
• Alert fatigue
• Multiple disconnected point solutions
[Figure: three disconnected tool families]
SECURITY EXCLUSION: FW, A/V, IDS / IPS, SIEM, NGFW, SANDBOX, GW
SECURITY INCLUSION: 2FA, ACCESS MGMT, PROV, SSO, PAM, FEDERATION
BUSINESS / IT RISK MANAGEMENT: GRC, SPREADSHEETS, VULN MGMT, CMDB
20. Moving from purely prevention ► monitoring & response
21. A more balanced approach is needed!
[Figure: two pie charts – “Today’s investment mix” (Prevention, Response, Monitoring) versus “Ideal mix” (Prevention, Response, Monitoring)]
22. Organizing the innovations
Preventive Detective Investigative Response
24. The coming maturation of the cyberinsurance industry
Innovation: Preventive
• ~$3.25B annual premiums
– Dominated by AIG, ACE, Chubb, Zurich, and Beazley Group
CIAB, “Cyber Insurance Market Watch Survey” (2016), https://www.ciab.com/uploadedFiles/Resources/Cyber_Survey/2ndCyberMarketWatch_ExecutiveSummary_FINAL.pdf;
Insurance Journal, “Where Cyber Insurance Underwriting Stands Today” (2015), http://www.insurancejournal.com/news/national/2015/06/12/371591.htm
NIST’s Cybersecurity Framework (CSF)
25. Increase visibility and situational awareness by leveraging more data – not just logs
Innovation: Detective
[Figure: data sources for visibility – Logs, Full Network Traffic, Endpoint/Host; Secondary Sources versus Primary Sources & Context; Events, IDS, Asset Information, Threat Intelligence]
26. Behavioral analytics (UBA / UEBA) versus static rules
Innovation: Detective
LEADING INDICATORS OF A PLANNED C2 (COMMAND AND CONTROL) EXPLOIT
• Beaconing behavior
• Rare domains
• Rare user agents
• Missing referrers
• Domain age (Whois)
• Real-time Analytics
– Data Science algorithms
– Scores on multiple C2 behavior indicators
– Uses streaming HTTP activity
• Low False Positives
– Learns from ongoing and historical activity
– Supervised whitelisting option
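As an added illustration (not code from the deck or from RSA NetWitness), the following Python scores streaming HTTP proxy records on the five C2 leading indicators above and honours a supervised allowlist. The record layout, the thresholds, and the stand-in domain-age table are assumptions; the log lines are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

ALLOWLIST = {"cdn.example.com"}  # supervised whitelisting: analyst-approved hosts are skipped
# Stand-in for Whois registration age lookups (assumed values, not real data).
DOMAIN_AGE_DAYS = {"cdn.example.com": 3000, "news.example.org": 4000, "upd-7k3.example.net": 5}


def build_records():
    """Constructed proxy log: (epoch_seconds, src_ip, host, user_agent, referrer)."""
    ua = "Mozilla/5.0 (Windows NT 10.0)"
    recs = []
    # Ordinary browsing: many sources, irregular timing, common UA, referrer present.
    for src, t in (("10.0.0.5", 0), ("10.0.0.6", 7), ("10.0.0.7", 130), ("10.0.0.5", 311)):
        recs.append((t, src, "cdn.example.com", ua, "https://www.example.com/"))
    for src, t in (("10.0.0.5", 15), ("10.0.0.6", 95), ("10.0.0.5", 400), ("10.0.0.5", 404)):
        recs.append((t, src, "news.example.org", ua, "https://www.example.com/"))
    # Beacon: one host seen from one source, unique UA, no referrer, fixed 60 s cadence.
    for i in range(5):
        recs.append((i * 60, "10.0.0.9", "upd-7k3.example.net", "Updater/1.0", ""))
    return recs


def score_pairs(records, cv_max=0.2, young_days=30):
    """Return {(src, host): (score, [indicators])}; one point per indicator present."""
    by_pair, host_srcs, ua_srcs = defaultdict(list), defaultdict(set), defaultdict(set)
    for t, src, host, ua, ref in records:
        by_pair[(src, host)].append((t, ua, ref))
        host_srcs[host].add(src)   # how many distinct sources talk to this host
        ua_srcs[ua].add(src)       # how many distinct sources present this user agent
    results = {}
    for (src, host), hits in by_pair.items():
        if host in ALLOWLIST:
            continue
        hits.sort()
        flags = []
        gaps = [b[0] - a[0] for a, b in zip(hits, hits[1:])]
        # Beaconing: at least four requests whose inter-request intervals barely vary.
        if len(gaps) >= 3 and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < cv_max:
            flags.append("beaconing")
        if len(host_srcs[host]) == 1:
            flags.append("rare_domain")
        if all(len(ua_srcs[ua]) == 1 for _, ua, _ in hits):
            flags.append("rare_user_agent")
        if all(ref == "" for _, _, ref in hits):
            flags.append("missing_referrer")
        if DOMAIN_AGE_DAYS.get(host, 10**6) < young_days:
            flags.append("young_domain")
        results[(src, host)] = (len(flags), flags)
    return results
```

Scoring several indicators together, rather than alerting on any single static rule, is what keeps the false-positive rate low: the ordinary browsing pairs score zero while the beaconing pair trips all five.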
27. Humans are great anomaly detectors…people catch people!
Innovation: Detective
28. Increasing visibility via public cloud security APIs
Innovation: Detective / Investigative
• AWS CloudTrail
• Microsoft Azure Management API
29. Speed & scope of sharing of community-oriented threat intelligence
Innovation: Detective / Investigative
• Information Sharing and Analysis Center (ISAC) model
31. RSA is very active innovating across all of these areas
Preventive Detective Investigative Response
• Authentication capabilities incorporating software tokens &
biometrics (more secure and more convenient)
• Collaborating with cyber-insurance underwriters to mitigate risk
• Behavior-based analytics for smarter detection
• Tooling for human hunters
• Creating & consuming community threat intelligence
• Providing a set of products & services to build SOCs
• Security monitoring technology = comprehensive visibility
– Logs/event, network traffic, endpoint, threat intelligence,
public cloud APIs…
32. Under attack: your data, your endpoints, your network
34. Business-Driven Security
[Figure: CONTEXTUAL INTELLIGENCE spanning SECURITY EXCLUSION, SECURITY INCLUSION, ANALYTICS and ORCHESTRATION & RESPONSE; outcomes: POWER & SPEED OF INSIGHT, RIGHT PICTURE, RIGHT ACTIONS, BUSINESS CONTEXT; products: RSA SECURID SUITE, RSA CYBER ANALYTICS PLATFORM, RSA NETWITNESS SUITE, RSA ARCHER SUITE, RSA FRAUD & RISK INTELLIGENCE SUITE]
35. PORTFOLIO
• NETWITNESS SUITE: Respond in minutes, not months
• SECURID SUITE: Reimagine your identity strategy
• ARCHER SUITE: Take command of risk
• RISK & CYBERSECURITY PRACTICE: Take command of your evolving security posture
• FRAUD & RISK INTELLIGENCE SUITE: Expose cybercriminals, protect customers