1. Advanced Security
Solution for Trusted
IT
Gary Lau
Manager, Technology Consultant
Greater China
1

2. The Changing Landscape
2

3. Evolution of Attackers
Petty Organized
criminals crime
Organized, sophisticated
Criminals Unsophisticated supply chains (PII, financial
services, retail)
Nation state PII, government, defense industrial
actors base, IP rich organizations
Anti-establishment
Terrorists vigilantes
Non-state PII, Government, “Hacktivists”
actors critical infrastructure Targets of opportunity
3

4. Evolution of Attack Vectors
Significant impact
on business
bottom line
 Targeted malware  APTs
Damage/Sophisticati
 Hybrid Worms  Coordinated attacks
 Web-application
 Rootkits attacks
 Financial Backdoor
 Botnets
 DoS/DDoS Trojans
 Worms  Spyware
 Spam
 Viruses  Phishing
on
Minor Annoyance
Hobbiest / Script Kiddies Threat Actors Nation States
Petty Criminals Organize Crime
Non-State Actors / Cyber Terrorists
4

5. Anatomy of an Attack
Attacker
Surveillanc Attack
e Target Attack Begins Discovery/
Leap Frog
Analysis Set- Persistenc
Access up System Attacks
Cover-up e
Probe Intrusion Complete Cover-up
Starts
Complete
Maintain foothold
TIME
Source: NERC HILF Report, June 2010 (http://www.nerc.com/files/HILF.pdf)
5

6. Anatomy of a Response
TIME
Physical Monitoring & Containme
Security Controls nt &
Impact Respons
Eradication
Incident e
Threat Attack Analysi
Forecast Reportin Recover
Analysi s
g System y
s Defender
Damage Reactio
Discovery Attack n
Identificati
Identified
on
Source: NERC HILF Report, June 2010 (http://www.nerc.com/files/HILF.pdf)
6

7. Reducing Attacker Free Time
Attacker
Surveillanc Attack
e Target Attack Begins Discovery/
Leap Frog
Analysis Set- Persistenc
Access up System Attacks
Cover-up e
Probe Intrusion Complete Cover-up
Starts
Complete
Maintain foothold
TIME
ATTACKER FREE
TIME
TIME
Need to collapse free time
Physical Monitoring & Containme
Security Controls nt &
Impact Respons
Eradication
Incident e
Threat Attack Analysi
Analysi Forecast Reportin Recover
s
s g System y
Defender Reactio
Discovery Damage
Attack n
Identificati
Identified
on
Source: NERC HILF Report, June 2010 (http://www.nerc.com/files/HILF.pdf)
7

8. Then: Infrastructure-Centric Now: User/Identity-Centric
Public Cloud
Hybrid Cloud
Mobile Apps
SaaS
Static Static Static Dynamic Dynamic Dynamic
Attacks Infrastructure Defenses Attacks Infrastructure Defenses
Generic, Physical, IT- Signature-Based, Targeted Virtual, Analytics &
Code-Based Controlled, Perimeter-Centric Human- User-Centric Risk-Based
Hard Perimeter Centric & Connected
9

9. Advanced Threats
83%
of organizations believe they have
65%
of organizations don’t believe they have
been the victim of an Advanced sufficient resources to prevent
Threats Advanced Threats
91%
of breaches led to data compromise
79%
of breaches took “weeks”
within “days” or less or more to discover
Source: Ponemon Institute Survey Conducted “Growing Risk of Advanced Threats”
Source: Verizon 2011 Data Breach Investigations Report
10

10. Mean Time to Detect (MTTD)
Source: Ponemon Institute
11

11. The Changing Mindset
12

12. Must learn to live in a
state of compromise
Constant compromise does not mean constant loss
13

13. The New Security Model
14

14. Traditional Security is
Unreliable
Signature Perimeter Compliance
-based oriented Driven
15

15. As a result
Organizations are…
poorly unable to responding in a
prepared for detect attacks manner that is
advanced in a timely chaotic and
threats manner uncoordinated
16

16. Effective
Security Systems need to be:
agile contextual risk-
based
17

17. Security must Ensure…
Enterprise
…only the
Admins Users right people
Data Center
Applications
…access
ITaaS Management
CRM ERP BI *** critical
applications &
Information
information
Infrastructure …over an I/F
we trust.
18

18. Disruptive Forces
Enterprise
…only the Mobile
User Access
Admins Users right people Transformation
Data Center
Applications
…access
Advanced
ITaaS Management
CRM ERP BI *** critical Threat Landscape Threats
applications & Transformation
Information
information
Infrastructure …over an I/F Cloud
we trust. Back-end I/F
Transformation
19

19. The New IT Model
Enterprise Clouds
• Scenario Managed Unmanaged
Web
Devices Devices
Admins Users From the Cloud
To DC
Mobile Apps
Data Center
Direct to Apps Direct to Cloud
SaaS
Applications
VPN into DC
ITaaS Management
ITaaS Management
CRM ERP BI ***
PaaS
Information
Private
Cloud
IaaS
Infrastructure
Community
20

20. The Security Stack
ENTERPRISE CONTROL LAYER MANAGEMENT LAYER
IDENTITY ADMIN &
PROVISIONING
IDENTITY
 DEFINE POLICY
Admins Users ACCESS CONTROLS
To DC
 MAP POLICY
GRC
IDENTITY & ACCESS GOVERNANCE
 MEASURE POLICY
Data Center
DLP CONTROLS
INFORMATI
Applications
ON
ENCRYPTION/TOKENIZATION I/F
ITaaS Management
CRM ERP BI ***
OPERATIONS (SOC)
INFORMATION RIGHTS
Information MANAGEMENT
SECURITY
 DETECT Potential Threats
ENDPOINT CONTROLS
INFRASTRU
 INVESTIGATE Attacks
CTURE
Infrastructure NETWORK/MESSAGING CONTROLS  RESPOND to Attacks
APPLICATION CONTROLS
21

21. THE CONTROL LAYER
ENTERPRISE CONTROL LAYER
CONTROL LAYER MANAGEMENT LAYER
IDENTITY ADMIN &
IDENTITY ADMIN &
PROVISIONING
PROVISIONING
IDENTITY
 DEFINE POLICY
Admins Users ACCESS CONTROLS
ACCESS CONTROLS
To DC
 MAP POLICY
GRC
IDENTITY & ACCESS GOVERNANCE
IDENTITY & ACCESS GOVERNANCE
 MEASURE POLICY
Data Center
ENCRYPTION/TOKENIZATION I/F
ENCRYPTION/TOKENIZATION I/F
INFORMATI
Applications
ON
DLP CONTROLS
DLP CONTROLS
ITaaS Management
CRM ERP BI ***
OPERATIONS (SOC)
INFORMATION RIGHTS
INFORMATION RIGHTS
Information MANAGEMENT
MANAGEMENT
SECURITY
 DETECT Potential Threats
ENDPOINT CONTROLS
ENDPOINT CONTROLS
INFRASTRU
 INVESTIGATE Attacks
CTURE
Infrastructure NETWORK/MESSAGING CONTROLS
NETWORK/MESSAGING CONTROLS  RESPOND to Attacks
APPLICATION CONTROLS
APPLICATION CONTROLS
22

22. The Management Layer
ENTERPRISE CONTROL LAYER MANAGEMENT LAYER
MANAGEMENT LAYER
IDENTITY ADMIN &
PROVISIONING
IDENTITY
 DEFINE POLICY
 DEFINE POLICY
Admins Users ACCESS CONTROLS
To DC
 MAP POLICY
 MAP POLICY
GRC
IDENTITY & ACCESS GOVERNANCE
 MEASURE POLICY
 MEASURE POLICY
Data Center
ENCRYPTION/TOKENIZATION I/F
INFORMATI
Applications
ON
DLP CONTROLS
ITaaS Management
CRM ERP BI ***
OPERATIONS (SOC)
INFORMATION RIGHTS
Information MANAGEMENT
SECURITY
 DETECT Potential Threats
 DETECT Potential Threats
ENDPOINT CONTROLS
INFRASTRU
 INVESTIGATE Attacks
 INVESTIGATE Attacks
CTURE
Infrastructure NETWORK/MESSAGING CONTROLS  RESPOND to Attacks
 RESPOND to Attacks
APPLICATION CONTROLS
23

23. Critical Questions
what what is how do I
matters? going on? address it?
Governance Comprehensive Visibility Actionable Intelligence
24

24. Traditional SIEM Is Not Enough
• How do you:
–quickly determine how an attack happened?
–reduce the “attacker free time” in your infrastructure?
–prevent similar future attacks?
...SIEM needs to evolve
Requires network and log data visibility
Requires the fusion of internal & external intelligence
Makes security a Big Data problem
Resisting all attacks is not realistic, reacting fast to mitigate damage is
© Copyright 2011 EMC Corporation. All rights reserved. 25

25. Full Packet Capture is a must
• Full packet capture is necessary to
– Identify malware entering the environment and prioritize actions related to it (a
very common source of advanced threat)
– Track the lateral movement of an attacker once inside the organization, and
– Prove exactly what happened and what data was exfiltrated, whether it was
encrypted or not
If SIEM is to address today's threats then it requires this
information
© Copyright 2011 EMC Corporation. All rights reserved. 26

26. The Next Gen SOC
Comprehensive Agile
Visibility Analytics
“Analyze everything that’s “Enable me to efficiently
happening in my analyze and investigate
infrastructure” potential threats”
Actionable Optimized Incident
Intelligence Management
“Help me identify targets, “Enable me to manage
threats & incidents” these incidents”
27

27. next gen security operations
28

28. Value of RSA Solutions
Traditional Approach RSA’s Approach
GOVERNANCE INTELLIGENCE
GOVERNANCE INTELLIGENCE
VISIBILITY
VISIBILITY
• Discrete products in silos • Transparent data flow between
• Multiple vendors for each products
product • Single vendor – tested integrations
• Manual process to transfer data • Very high operational efficiencies
• High TCO and low efficiency • Lower TCO and faster time to value
29

29. RSA Approach
Manage Business Risk,
GOVERNANCE Policies and Workflows
ADVANCED
Collect, Retain and Analyze Internal
VISIBILITY AND and External Intelligence
ANALYTICS
INTELLIGENT
Rapid Response and Containment
CONTROLS
Cloud Network Mobility
30

30. Meeting our Customers’ Challenges
with RSA Thought Leadership
Manage Risk Prove Secure Access Secure
and Threats Compliance for Increased Virtualization
Throughout Consistently & Mobility & & Cloud
Enterprise Affordably Collaboration Computing
31