© Copyright 2011 EMC Corporation. All rights reserved.
Security Analytics Architecture for APT
Dale Long, Sr. Technology Consultant, RSA Security
Agenda
• APT: Defined
• Methodology
• APTs are Nasty Because
• Evolution
• Response
• The Challenge of Cleanup
• Needed Capabilities
• Lessons Learned
• Introduction to Security Analytics
You Down With APT?
Advanced Persistent Threats
• Operators behind the threat:
– Have a full spectrum of intelligence gathering techniques at their disposal. These may include computer intrusion technologies and techniques, but also extend to conventional intelligence gathering techniques such as telephone interception technologies and satellite imaging.
– Often combine multiple targeting methods, tools and techniques in order to reach and compromise their target and maintain access to it.
– Can use malware components generated from commonly available do-it-yourself malware construction kits, or easily procured exploit materials.
– Can typically access and develop more advanced tools as required.
Advanced Persistent Threats
• Operators give priority to a specific task, rather than opportunistically seeking information for financial or other gain. This implies that attackers are guided by external entities.
• Targeting is conducted through continuous monitoring and interaction in order to achieve the defined objectives. It does not mean a barrage of constant attacks and malware updates.
• In fact, a “low-and-slow” approach is usually more successful. If the operators lose access to their target they usually will reattempt access, and most often successfully.
Advanced Persistent Threats
• APTs are a threat because they have both capability and intent.
• There is a level of coordinated human involvement in the attack, rather than a mindless and automated piece of code.
• The operators have a specific objective and are skilled, motivated, organized and well funded.
APT Key Features
1. Highly targeted
• Tailored to an individual organization
2. Well-researched
• Reconnaissance on people and processes
3. Well-funded
• Financial backing for intensive, long-term attacks
4. Designed to evade detection
• “Low and slow”
5. Multiple vectors
• Social engineering, application-layer exploits, zero-day malware, data exfiltration techniques, etc.
APT: Methodology
Step One: C2 Communication
The malware contacts C2 servers for instructions, such as downloading and executing new malware or opening a reverse backdoor, which gives the attacker full access to the compromised system while bypassing firewall restrictions.
Step Two: Attack
The attacker (through the reverse backdoor) compromises multiple sources of interest, such as database servers, email servers, and file share servers.
Step Three: Data Staging
The attacker sends data to a staging server. Once the data is set, the attacker compresses it (using the rar.exe utility) and password protects it.
Step Four: Data Exfiltration
The attacker uses malware to send the data through an encrypted tunnel to a malicious external IP address.
• The use of “staging servers” to aggregate the data they intend to steal.
• Encryption and compression of the data they steal.
• Deleting the compressed files they exfiltrated from the “staging server”.
APTs are Nasty Because
• Little opportunity for correlation
– Focused, so no community-sourced warning based on correlation across victims
– Zero-day heavy, so behavioral pattern or footprint signature correlation is ineffective
– Complex and resilient CnC -> hard to correlate on attack source
– CnC operators change as botnets are transferred by section or by victim.
– Low and slow, so no temporal correlation. Signal to noise ratio is low. Touch to compromise ratio 1.4.
• APT malware avoids anomaly detection through:
– Outbound HTTP connections
– Process injection
– Service persistence
• APT malware analysis:
– Average file size: 121.85 KB
– Only 10% of APT backdoors were packed
– Packing is not as common in standard APT malware
– Packing is common in advanced APT malware and used by more advanced APT groups
• Most common APT filenames:
– svchost.exe (most common)
– iexplore.exe
– iprinp.dll
– winzf32.dll
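The file names and the staging behaviour on these two slides translate directly into endpoint checks. The script below is an added example, not code from the RSA deck or product: it sweeps constructed image-load records for the slide's indicators, that is, a listed name loaded from outside the directory where the genuine binary lives, the two listed DLL names anywhere, and rar.exe running on a host in a server role. The record format (timestamp, host, role, image path, parent process), the host names and the host roles are assumptions made for the example.

```python
"""Sweep constructed image-load telemetry for the slide's host indicators.

Added example, not code from the RSA deck or product. The record format
(timestamp host role image-path parent-process), the host names and the
host roles are assumptions constructed for this example.
"""
import re
from dataclasses import dataclass

# Constructed sample: one image-load record per line.
SAMPLE_LOG = """\
2011-06-01T09:01:12Z ws-0412 workstation C:\\Windows\\System32\\svchost.exe services.exe
2011-06-01T09:03:40Z ws-0412 workstation C:\\Users\\jdoe\\AppData\\Local\\Temp\\svchost.exe explorer.exe
2011-06-01T09:05:02Z fs-01 fileserver C:\\Windows\\System32\\svchost.exe services.exe
2011-06-01T22:14:55Z fs-01 fileserver C:\\Windows\\Temp\\rar.exe cmd.exe
2011-06-01T22:15:10Z ws-0777 workstation C:\\Program Files\\WinRAR\\rar.exe explorer.exe
2011-06-01T23:01:00Z db-02 dbserver C:\\Windows\\System32\\iexplore.exe services.exe
2011-06-02T01:10:30Z ws-0412 workstation C:\\Windows\\System32\\iprinp.dll svchost.exe
"""

# Names the slide lists as the most common APT file names.
SUSPECT_NAMES = {"svchost.exe", "iexplore.exe", "iprinp.dll", "winzf32.dll"}
# Where the genuine binaries live (assumption: default Windows paths);
# the same name anywhere else is treated as masquerading.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "iexplore.exe": {r"c:\program files\internet explorer",
                     r"c:\program files (x86)\internet explorer"},
}
# Roles on which an archiver run points at a staging server (constructed).
SERVER_ROLES = {"fileserver", "dbserver", "mailserver"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+?) (\S+)$")


@dataclass
class Finding:
    ts: str
    host: str
    reason: str
    image: str


def parse(line):
    """Split one record; the image path may contain spaces, the other fields may not."""
    m = LINE_RE.match(line)
    return m.groups() if m else None


def sweep(log_text):
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, host, role, image, _parent = rec
        directory, _, name = image.lower().rpartition("\\")
        if name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]:
            # 1. A well-known name loaded from outside its expected directory.
            findings.append(Finding(ts, host, "masquerading " + name, image))
        elif name in SUSPECT_NAMES and name not in EXPECTED_DIRS:
            # 2. The listed DLL names have no legitimate home; flag any load.
            findings.append(Finding(ts, host, "known APT file name " + name, image))
        if name == "rar.exe" and role in SERVER_ROLES:
            # 3. Compression utility running on a server: possible data staging.
            findings.append(Finding(ts, host, "archiver on server", image))
    return findings


if __name__ == "__main__":
    for f in sweep(SAMPLE_LOG):
        print(f"{f.ts} {f.host:8} {f.reason:32} {f.image}")
```

Run against the constructed sample, the legitimate svchost.exe loads and the WinRAR install on a workstation pass, while the Temp-directory svchost.exe, the iexplore.exe sitting in System32, the iprinp.dll load and the rar.exe run on the file server are reported.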
The APT Supply Chain: Choose Your Career Path
[Diagram: a chain running from Harvesting to Cash Out through the stages Tools, Hosting, Delivery, Mules, Drops and Monetizing. The actors are technical infrastructure specialists & organizations and operational infrastructure specialists & organizations, communicating via fraud forums / chat rooms and trading target data & user accounts.]
The “Community” of Attackers
[Diagram of attacker groups and their typical targets:]
• Criminals: petty criminals and organized crime; organized, sophisticated supply chains (PII, financial services, retail)
• Non-state actors: terrorists, anti-establishment vigilantes, “hacktivists”; PII, government, critical infrastructure
• Nation states: PII, government, defense industrial base, IP-rich organizations
The diagram also grades the groups from unsophisticated actors hitting targets of opportunity up to organized, sophisticated supply chains.
Advanced Threats 1.0 vs. Advanced Threats 2.0
[Diagram: Advanced Threats 1.0 C2 traffic used clear-text & custom protocols, clear-text & normal protocols, or custom encryption to endpoints such as abc.com, def.com and 1.2.3.4, and was caught by content inspection, protocol anomalies, network traffic anomalies and known bad endpoints. Advanced Threats 2.0 C2 traffic runs on port 80/443 with SSL or other standards-based encryption and custom malware with no signature, to endpoints such as abc.com, def.com, 1.2.3.4, 3.7.9.1 and 8.2.3.3.]
1% of attacks discovered by Anti-Virus, <1% by IDS. (Verizon 2011 DBIR)
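Once C2 moves to port 80/443 with standards-based encryption and unsigned custom malware, the 1.0 detections (content inspection, known bad endpoints) lose their grip and what remains is connection metadata. As an added example that is not from the RSA deck or product, the script below scores outbound connection records for timing regularity: a client that contacts the same destination at near-constant intervals stands out from ordinary browsing even when every payload is opaque. The record format, host names, destinations and the `max_cv` / `min_contacts` thresholds are constructed for the example.

```python
"""Beacon-interval analysis over constructed outbound connection metadata.

Added example, not code from the RSA deck or product. Records are
"timestamp source destination port"; hosts, destinations and thresholds
are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: ws-0412 checks in with abc.com every ~15 minutes with
# small jitter, mixed in with ordinary browsing and mail polling.
SAMPLE_CONNS = """\
2011-06-01T09:00:00Z ws-0412 abc.com 443
2011-06-01T09:00:03Z ws-0412 news.example 443
2011-06-01T09:00:09Z ws-0412 cdn.example 443
2011-06-01T09:15:01Z ws-0412 abc.com 443
2011-06-01T09:29:58Z ws-0412 abc.com 443
2011-06-01T09:45:02Z ws-0412 abc.com 443
2011-06-01T10:00:00Z ws-0412 abc.com 443
2011-06-01T09:01:00Z ws-0777 mail.example 443
2011-06-01T09:07:30Z ws-0777 mail.example 443
2011-06-01T09:40:00Z ws-0777 mail.example 443
2011-06-01T11:02:10Z ws-0777 mail.example 443
"""


def parse_conns(text):
    """Group connection timestamps by (source, destination, port)."""
    groups = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        groups[(src, dst, int(port))].append(
            datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return groups


def regularity(times):
    """Return (mean gap in seconds, coefficient of variation of the gaps).

    A coefficient of variation near 0 means the contacts are evenly spaced.
    Returns None when there are too few contacts to judge.
    """
    if len(times) < 4:
        return None
    ordered = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    m = mean(gaps)
    if m == 0:
        return None
    return m, pstdev(gaps) / m


def find_beacons(text, max_cv=0.1, min_contacts=4):
    """Report (key, mean interval, cv) for pairs whose timing is suspiciously regular."""
    hits = []
    for key, times in parse_conns(text).items():
        if len(times) < min_contacts:
            continue
        r = regularity(times)
        if r is None:
            continue
        m, cv = r
        if cv <= max_cv:
            hits.append((key, round(m), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for key, interval, cv in find_beacons(SAMPLE_CONNS):
        print(f"{key[0]} -> {key[1]}:{key[2]} every ~{interval}s (cv={cv})")
```

The mail client on ws-0777 polls at irregular intervals and is not reported; the abc.com contacts from ws-0412 come back with a mean gap of 900 seconds and a coefficient of variation near zero. In practice the output is a triage queue, not a verdict: legitimate software updaters also beacon, so a deployment would whitelist known services and weight the score by destination reputation and data volume.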
APT: Evolution
Intrusion Phase   | Non-APT (DoS)               | Obsolete                | Current
Reconnaissance    | None                        | Scanning, opportunistic | OSINT, targeted
Weaponization     | Blast, Stress               | Layer 4 payload         | Layer 7 payload
Delivery          | Opportunistic: non-targeted | Vulnerable protocol     | Standard Comm. Prot.
Exploit           | Client-side, Server-side    | Server-side (svc)       | Client-side (app)
Installation      | Rapid Sibling infection     | Plain sight             | ADS, anti-reversing
Command & Ctrl    | None                        | Custom protocol         | Protocol compliant
Actions on Intent | Propagate, Disrupt, Deface  | Propagate or PII        | Exfiltrate
APT: Response
Intrusion Phase | Detect        | Deny          | Disrupt    | Degrade            | Deceive      | Destroy
Reconnaissance  | Web Analytics | Firewall ACL  |            |                    |              |
Weaponization   | NIDS          | NIPS          |            |                    |              |
Delivery        | Vigilant User | Proxy Filter  | In-Line AV | Queuing            |              |
Exploit         | HIDS          | Patch         | DEP        |                    |              |
Installation    | HIDS          | “chroot” Jail | AV         |                    |              |
Command & Ctrl  | NIDS          | Firewall ACL  | NIPS       | Tarpit             | DNS Redirect |
Actions         | Audit Log     |               |            | Quality of Service | Honeypot     |
Advanced Cyber Defense Approach
[Diagram: the cyber cycle and breach exposure time (“BET”). The attack kill chain life cycle (“breach life cycle”) runs from the threat vector, undetected malware, through establishing a network foothold to data exfiltration and late detection. The goal is target threat visibility & mitigation earlier in the cyber kill chain.]
APT: The Challenge of Cleanup
• Did you get it all?
– Cleaning
• Do you adequately understand how it happened?
– Forensic
• Will the exploits work again?
– Remediation
• Is damage understood and contained?
– Risk Model and Reduction
APT: Needed Capabilities
• Network Visibility
• Critical Info Ident and Tracking
• IPS Active Blocking
• Continuous Monitoring
• Cyber Threat Awareness
• Attack Ident and Triage
• Collaboration
• Incident Response
• Network Traffic Analysis
• Host-Based Forensics
• Malware Forensics
• Sig and IOC Development
• Cyber Threat and Intelligence
• Security Infrastructure
APT: Lessons Learned
1. There are no trivial systems
2. Collect the right info
3. Have a plan
4. User Awareness
5. Be able to look back (forensics)
6. Know thyself (Crown Jewels)
7. Have the right people
8. It takes a village (or an ecosystem)
9. A holistic view is key
10. Get smart(er) with the data you collect
Introducing Security Analytics
Today’s Security Requirements
• Comprehensive Visibility: “Analyze everything happening in my infrastructure”
• Agile Analytics: “Enable me to analyze and investigate potential threats in near real time”
• Actionable Intelligence: “Help me identify targets, threats & incidents”
• Scalable Infrastructure: “Need a flexible infrastructure to conduct short term and long term analysis”
RSA Security Management Compliance Vision
Delivering Visibility, Intelligence and Governance
RSA Security Analytics: Changing The Security Management Status Quo
Unified platform for security monitoring, incident investigations and compliance reporting
[Diagram: SIEM (compliance reports, device XMLs, log parsing) and Network Security Monitoring converge with High Powered Analytics, Big Data Infrastructure and Integrated Intelligence into RSA Security Analytics: fast & powerful analytics, logs & packets, unified interface, analytics warehouse.]
SEE DATA YOU DIDN’T SEE BEFORE, UNDERSTAND DATA YOU DIDN’T EVEN CONSIDER BEFORE
RSA Security Analytics Architecture
• Real Time Investigations (hours to days): metadata, packets, correlation
• Long Term Analysis: metadata, raw logs, select payload
What Makes Security Analytics Different?
• Big Data Infrastructure
– Fast & scalable
– Logs & packets
– Security data warehouse plus proven NetWitness infrastructure
• High Powered Analytics
– The speed and smarts to detect, investigate & understand advanced threats
– Comprehensive visibility to see everything happening in an environment
– Short term & long term analytics plus compliance
– Removes the hay vs. digging for needles
• Integrated Intelligence
– Intelligence from the global security community and RSA FirstWatch fused with your organization’s data
– Understand what to look for and utilize what others have already found
The only security management solution that has both speed & smarts
Big Data Infrastructure
• Single platform for capturing and analyzing large amounts of network and log data
• Distributed, “scale-out” architecture
• Unique architecture to support both “speed” and “smarts” for threat analysis
• Security data warehouse for long term analytics & compliance
• Proven NetWitness infrastructure for short term analytics and investigations
High Powered Analytics
• Eliminates blind spots to achieve comprehensive visibility across the enterprise
• Real-time and “after-the-fact” investigations
• Uses the industry’s most comprehensive and easily understandable analytical workbench
• Proven, patented analytics applies business context to security investigations
• Automates the generation of compliance reports and supports long term forensic analysis
Full Network Visibility
[Diagram: network traffic and logs feeding the platform.]
• Gain full visibility into your network, including both logs and packets
• Discover advanced threats missed by traditional security approaches
• Completely reconstruct network sessions for real time analysis and investigation
• Capture all data from the network to the application layer
• Perform detailed session analysis, regardless of port or protocol
Single Platform for Network Packet and Log Data Collection
[Diagram: network traffic and logs feeding the platform.]
• Both network packet capture and log collection
• Patented methods of network capture, processing, data extraction and service/protocol identification
• Consolidates disparate sources
• Instantly analyzes massive data sets
Reimagining what SIEM can do: Removing hay vs. digging for needles
[Funnel diagram:]
1. All network traffic & logs: terabytes of data, 100% of total
2. Downloads of executables: thousands of data points, 5% of total
3. Type does not match extension: hundreds of data points, 0.2% of total
4. Create alerts to/from critical assets: a few dozen alerts
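The funnel on this slide is a sequence of filters over reconstructed sessions, and it can be written down as such. The script below is an added example, not the RSA deck's or product's code: it builds the four stages over constructed download records, keeping downloads whose body or URL indicates an executable, narrowing to those where the body's PE header contradicts a non-executable extension, and finally alerting only where a constructed critical-asset list is involved. The records, the asset list and the file-type check are assumptions made for the example; the type check uses only the leading MZ signature, where a production parser would examine more of the header.

```python
"""The slide's hay-removal funnel as successive filters over downloads.

Added example, not code from the RSA deck or product. Download records,
the critical-asset list and the executable check are constructed here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Download:
    src_ip: str
    dst_host: str
    path: str
    first_bytes: bytes   # leading bytes of the reconstructed response body


# Constructed sample of what a full-packet capture could reconstruct.
SAMPLE = [
    Download("10.0.1.15", "cdn.example", "/img/logo.png", b"\x89PNG\r\n\x1a\n"),
    Download("10.0.1.15", "updates.example", "/setup/agent.exe", b"MZ\x90\x00"),
    Download("10.0.1.22", "abc.com", "/gallery/photo.jpg", b"MZ\x90\x00"),
    Download("10.0.2.5", "def.com", "/docs/report.pdf", b"MZ\x90\x00"),
    Download("10.0.1.40", "news.example", "/story.html", b"<!DOCTYPE"),
    Download("10.0.2.5", "intranet.example", "/tools/util.dll", b"MZ\x90\x00"),
]

# Constructed: 10.0.2.5 stands in for a finance database server.
CRITICAL_ASSETS = {"10.0.2.5"}
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr"}


def is_executable_content(body):
    """Windows PE files begin with the 'MZ' DOS header signature."""
    return body.startswith(b"MZ")


def declared_ext(path):
    """Extension the URL claims, lower-cased; empty when there is none."""
    name = path.rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def stage_executables(records):
    """Stage 2: anything that is, or claims to be, an executable."""
    return [d for d in records
            if is_executable_content(d.first_bytes)
            or declared_ext(d.path) in EXECUTABLE_EXTS]


def stage_type_mismatch(records):
    """Stage 3: executable content behind a non-executable extension."""
    return [d for d in records
            if is_executable_content(d.first_bytes)
            and declared_ext(d.path) not in EXECUTABLE_EXTS]


def stage_critical(records, assets=CRITICAL_ASSETS):
    """Stage 4: only sessions touching a critical asset become alerts."""
    return [d for d in records if d.src_ip in assets or d.dst_host in assets]


def funnel(records, assets=CRITICAL_ASSETS):
    s1 = list(records)
    s2 = stage_executables(s1)
    s3 = stage_type_mismatch(s2)
    s4 = stage_critical(s3, assets)
    return {"all": len(s1), "executables": len(s2),
            "type_mismatch": len(s3), "alerts": len(s4),
            "alert_records": s4}


if __name__ == "__main__":
    result = funnel(SAMPLE)
    for stage in ("all", "executables", "type_mismatch", "alerts"):
        print(f"{stage:14} {result[stage]}")
    for d in result["alert_records"]:
        print(f"ALERT {d.src_ip} fetched {d.dst_host}{d.path} (PE body, non-PE extension)")
```

On the constructed sample the six records shrink to four executables, two type mismatches and one alert: the "PDF" pulled from def.com by the critical asset. The ordering matters for cost as much as for precision; the cheap extension and signature tests run over everything, and the asset lookup runs only over what survives.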
Integrated Intelligence
How Do I Know What To Look For?
• Gathers advanced threat intelligence and content from the global security community & RSA FirstWatch®
• Aggregates & consolidates the most pertinent information and fuses it with your organization's data
• Automatically distributes correlation rules, blacklists, parsers, views, feeds
Operationalize Intelligence: Take advantage of what others have already found and apply it against your current and historical data
Security Analytics Live Content
• Fuses open source, commercial, and confidential threat and fraud intelligence with an organization’s live and recorded network traffic
RSA FirstWatch®
• RSA’s elite, highly trained global threat research & intelligence team
– Heritage dating back to the late 1990s featuring a ‘who’s who’ of researchers
– Backgrounds in government, military, financial services and information technology
• Focused on threats unknown to the security community
– Malicious code & content analysis
– Threat research & ecosystem analysis
– Profiling threat actors
• Research operationalized automatically via RSA Live
Providing RSA Security Analytics customers covert tactical and strategic threat intelligence on advanced threats & actors
RSA Security Analytics Results
• Reduce risk by compressing attacker free time
– Continuous analysis of terabytes of security data through big data architecture, reducing the threat analysis time from days to minutes
• Level the playing field with adversaries
– Incorporate operationalized intelligence to defend with confidence
• Elevate the security team to another level of effectiveness
– Increase teams’ collective skill by gaining analytical firepower
– Investigate more rapidly, centralize information, automate alerts and reports
• Meet compliance requirements
Security and Linux Security
 
Open port vulnerability
Open port vulnerabilityOpen port vulnerability
Open port vulnerability
 
Managing security threats in today’s enterprise
Managing security threats in today’s enterpriseManaging security threats in today’s enterprise
Managing security threats in today’s enterprise
 
APT - Project
APT - Project APT - Project
APT - Project
 
Operational Security Intelligence
Operational Security IntelligenceOperational Security Intelligence
Operational Security Intelligence
 

Plus de Lee Wei Yeong

Plus de Lee Wei Yeong (6)

evandrix-SNCK2016
evandrix-SNCK2016evandrix-SNCK2016
evandrix-SNCK2016
 
CERTIFICATE-OF-COMPLETION
CERTIFICATE-OF-COMPLETIONCERTIFICATE-OF-COMPLETION
CERTIFICATE-OF-COMPLETION
 
Dive into ROP
Dive into ROPDive into ROP
Dive into ROP
 
Finding a Way Out
Finding a Way OutFinding a Way Out
Finding a Way Out
 
Simple made easy
Simple made easySimple made easy
Simple made easy
 
Splat
SplatSplat
Splat
 

Dernier

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024SynarionITSolutions
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024The Digital Insurer
 

Dernier (20)

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 

RSA: Security Analytics Architecture for APT

Slide 1: Security Analytics Architecture for APT
Dale Long, Sr. Technology Consultant, RSA Security
© Copyright 2011 EMC Corporation. All rights reserved.

Slide 2: Agenda
• APT: Defined
• Methodology
• APTs are Nasty Because
• Evolution
• Response
• The Challenge of Cleanup
• Needed Capabilities
• Lessons Learned
• Introduction to Security Analytics

Slide 3: You Down With APT?

Slide 4: Advanced Persistent Threats
Operators behind the threat have:
• a full spectrum of intelligence-gathering techniques at their disposal. These may include computer intrusion technologies and techniques, but also extend to conventional intelligence gathering such as telephone interception and satellite imaging.
• Often combine multiple targeting methods, tools and techniques in order to reach and compromise their target and maintain access to it.
• Can use malware components generated from commonly available do-it-yourself malware construction kits, or easily procured exploit materials.
• Can typically access and develop more advanced tools as required.

Slide 5: Advanced Persistent Threats
• Operators give priority to a specific task, rather than opportunistically seeking information for financial or other gain. This implies that the attackers are guided by external entities.
• Targeting is conducted through continuous monitoring and interaction in order to achieve the defined objectives. It does not mean a barrage of constant attacks and malware updates.
• In fact, a "low-and-slow" approach is usually more successful. If the operator loses access to their target they usually will reattempt access, and most often, successfully.

Slide 6: Advanced Persistent Threats
• APTs are a threat because they have both capability and intent.
• There is a level of coordinated human involvement in the attack, rather than a mindless, automated piece of code.
• The operators have a specific objective and are skilled, motivated, organized and well funded.

Slide 7: APT Key Features
1. Highly targeted: tailored to an individual organization
2. Well researched: reconnaissance on people and processes
3. Well funded: financial backing for intensive, long-term attacks
4. Designed to evade detection: "low and slow"
5. Multiple vectors: social engineering, application-layer exploits, zero-day malware, data exfiltration techniques, etc.

Slide 8: APT: Methodology
Step One: C2 Communication. The malware contacts C2 servers for instructions, such as downloading and executing new malware or opening a reverse backdoor, which gives the attacker full access to the compromised system while bypassing inbound firewall restrictions (the connection originates from inside).
Step Two: Attack. The attacker (through the reverse backdoor) compromises multiple sources of interest, such as database servers, email servers and file share servers.
Step Three: Data Staging. The attacker sends data to a staging server. Once the data is in place, the attacker compresses it (using the rar.exe utility) and password-protects the archive.
Step Four: Data Exfiltration. The attacker uses malware to send the data through an encrypted tunnel to a malicious external IP address.
Observed habits:
• Use of "staging servers" to aggregate the data they intend to steal.
• Encryption and compression of the data they steal.
• Deletion of the compressed files from the "staging server" after exfiltration.
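Steps three and four of the methodology above leave a pattern a defender can look for even when the payload itself is encrypted: an archiver run with a password switch on a host, followed shortly by a large outbound transfer from that same host to an external address, and then the archive disappearing. The following is an added example for this page, not code from the RSA deck. The event tuples, field order, two-hour window, 100 MB threshold and internal address ranges are assumptions; map them onto your own process-creation and flow telemetry.

```python
"""Correlate archive staging (slide 8, steps three and four) with a following
bulk transfer to an external address.

Added example for this page, not code from the RSA deck. The event tuples,
field order, thresholds and internal address ranges are assumptions; map them
onto your own process-creation and flow telemetry.
"""
from __future__ import annotations

import ipaddress
import re
import shlex
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data).
# Process event: (timestamp, host, user, command line)
PROCESS_EVENTS = [
    ("2011-03-01T02:14:05", "FS01", "svc_backup",
     r'C:\Windows\Temp\rar.exe a -hpP@ssw0rd -m5 C:\Windows\Temp\out.rar "D:\shares\finance\*"'),
    ("2011-03-01T09:00:12", "WS22", "alice",
     r'"C:\Program Files\WinRAR\Rar.exe" a C:\Users\alice\docs.rar C:\Users\alice\Documents\*'),
    ("2011-03-01T02:31:40", "FS01", "svc_backup", r"cmd.exe /c del C:\Windows\Temp\out.rar"),
]
# Flow event: (timestamp, source host, destination IP, destination port, bytes out)
FLOW_EVENTS = [
    ("2011-03-01T02:20:30", "FS01", "203.0.113.77", 443, 412_000_000),
    ("2011-03-01T02:21:00", "FS01", "10.0.0.5", 445, 90_000_000),
    ("2011-03-01T09:05:00", "WS22", "198.51.100.9", 443, 2_000_000),
]

RAR_RE = re.compile(r"(^|[\\/])(rar|winrar)\.exe$", re.IGNORECASE)
# Assumed internal ranges; the TEST-NET addresses in the sample count as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Staging:
    ts: datetime
    host: str
    user: str
    archive: str
    password_protected: bool


def parse_rar_command(cmdline: str) -> tuple[str, bool] | None:
    """Return (archive path, password switch present) for a rar.exe
    add/move/update command, or None for anything else."""
    toks = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if len(toks) < 2 or not RAR_RE.search(toks[0]) or toks[1].lower() not in ("a", "m", "u"):
        return None
    password, archive = False, None
    for tok in toks[2:]:
        if tok.startswith("-"):
            # -p<pwd> encrypts file data; -hp<pwd> also encrypts headers (file names).
            # "-p-" is the opposite: it suppresses the password prompt.
            if tok.lower().startswith(("-hp", "-p")) and tok != "-p-":
                password = True
        elif archive is None:
            archive = tok  # first non-switch argument is the archive name
    return (archive, password) if archive else None


def staged_archives(process_events) -> list[Staging]:
    found = []
    for ts, host, user, cmd in process_events:
        parsed = parse_rar_command(cmd)
        if parsed:
            found.append(Staging(datetime.fromisoformat(ts), host, user, *parsed))
    return found


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def exfil_alerts(process_events, flow_events, window=timedelta(hours=2), min_bytes=100_000_000):
    """Alert when a host stages a password-protected archive and, within
    `window`, sends at least `min_bytes` to an external address. The alert also
    records whether the archive was deleted afterwards (the deck's third habit)."""
    alerts = []
    for s in staged_archives(process_events):
        if not s.password_protected:
            continue
        for ts, host, dst, port, nbytes in flow_events:
            t = datetime.fromisoformat(ts)
            if host != s.host or not (s.ts <= t <= s.ts + window):
                continue
            if nbytes >= min_bytes and is_external(dst):
                deleted = any(
                    h == s.host and datetime.fromisoformat(pts) > t
                    and re.search(r"\bdel\b", c, re.IGNORECASE) and s.archive.lower() in c.lower()
                    for pts, h, _u, c in process_events
                )
                alerts.append({"host": s.host, "user": s.user, "archive": s.archive,
                               "dst": f"{dst}:{port}", "bytes": nbytes, "archive_deleted": deleted})
    return alerts


if __name__ == "__main__":
    for a in exfil_alerts(PROCESS_EVENTS, FLOW_EVENTS):
        print(a)
```

On the constructed sample only FS01 fires: alice's unencrypted docs.rar and the internal SMB transfer are dropped by the password and external-address checks. The correlation deliberately does not inspect the transfer contents, since step four says the tunnel is encrypted; what it keys on is the sequence of host-local and network events, which is the kind of cross-source correlation the rest of the deck argues for.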
Slide 9: APTs are Nasty Because
• Little opportunity for correlation:
  – Focused, so no community-sourced warning based on correlation across victims.
  – Zero-day heavy, so behavioral-pattern or footprint-signature correlation is ineffective.
  – Complex and resilient C2 infrastructure, so it is hard to correlate on attack source.
  – C2 operators change as botnets are transferred by section or by victim.
  – Low and slow, so no temporal correlation. The signal-to-noise ratio is low; the touch-to-compromise ratio is 1.4.
• APT malware avoids anomaly detection through:
  – Outbound HTTP connections (blends in with normal web traffic)
  – Process injection (runs inside a legitimate process)
  – Service persistence (survives reboot as an ordinary Windows service)
• APT malware analysis:
  – Average file size: 121.85 KB
  – Only 10% of APT backdoors were packed; packing is not common in standard APT malware
  – Packing is common in advanced APT malware and is used by the more advanced APT groups
• Most common APT filenames (several borrow the names of legitimate Windows binaries):
  – svchost.exe (most common)
  – iexplore.exe
  – iprinp.dll
  – winzf32.dll
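A file called svchost.exe is only suspicious in context: the genuine one lives under System32 and is spawned by services.exe, so a copy in a user-writable directory with explorer.exe as its parent is the masquerade the slide's filename list hints at. The following is an added example for this page, not code from the RSA deck. The snapshot layout and the expectation table are assumptions (the directories and parents are those of a default Windows install), and the DLL watchlist simply carries the two DLL names the slide lists.

```python
"""Check a process snapshot for binaries masquerading as Windows system
processes (slide 9: svchost.exe, iexplore.exe and friends).

Added example for this page, not code from the RSA deck. The snapshot
layout, expectation table and watchlist handling are assumptions; the
directories and parents are those of a default Windows install.
"""
from __future__ import annotations

import ntpath

# Where the genuine image lives and which process normally spawns it.
EXPECTED = {
    "svchost.exe": {"dirs": {r"c:\windows\system32", r"c:\windows\syswow64"},
                    "parents": {"services.exe"}},
    "iexplore.exe": {"dirs": {r"c:\program files\internet explorer",
                              r"c:\program files (x86)\internet explorer"},
                     "parents": {"explorer.exe", "iexplore.exe"}},
    "lsass.exe": {"dirs": {r"c:\windows\system32"}, "parents": {"wininit.exe"}},
}
# File names the deck lists as common APT artefacts. A name match is a lead to
# investigate, not proof: anyone can name a DLL anything.
WATCHLIST = {"iprinp.dll", "winzf32.dll"}

# Constructed snapshot (not real data): pid, parent pid, image path, loaded DLLs.
SNAPSHOT = [
    {"pid": 600, "ppid": 520, "image": r"C:\Windows\System32\services.exe", "dlls": []},
    {"pid": 800, "ppid": 600, "image": r"C:\Windows\System32\svchost.exe", "dlls": []},
    {"pid": 1800, "ppid": 1, "image": r"C:\Windows\explorer.exe", "dlls": []},
    {"pid": 2204, "ppid": 1800, "image": r"C:\Users\Public\svchost.exe", "dlls": []},
    {"pid": 3100, "ppid": 1800, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "dlls": [r"C:\Windows\Temp\winzf32.dll"]},
    {"pid": 3300, "ppid": 600, "image": r"C:\Windows\System32\svchost.exe",
     "dlls": [r"C:\Windows\System32\iprinp.dll"]},
]


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def masquerade_findings(snapshot, expected=EXPECTED, watchlist=WATCHLIST):
    """Return (pid, finding, detail) tuples for image-path, parent-process and
    watchlist-DLL anomalies."""
    by_pid = {p["pid"]: p for p in snapshot}
    findings = []
    for p in snapshot:
        rule = expected.get(_name(p["image"]))
        if rule:
            if _dir(p["image"]) not in rule["dirs"]:
                findings.append((p["pid"], "unexpected_path", p["image"]))
            parent = by_pid.get(p["ppid"])
            parent_name = _name(parent["image"]) if parent else "<unknown>"
            if parent_name not in rule["parents"]:
                findings.append((p["pid"], "unexpected_parent", parent_name))
        for dll in p["dlls"]:
            if _name(dll) in watchlist:
                findings.append((p["pid"], "watchlist_dll", dll))
    return findings


if __name__ == "__main__":
    for f in masquerade_findings(SNAPSHOT):
        print(*f)
```

The genuine svchost.exe (pid 800) produces nothing; the copy in C:\Users\Public produces two findings, and the two watchlist DLLs produce one each. Path and parent checks are cheap and survive the attacker renaming the binary, which a pure filename IOC does not; on real hosts, extend the table from your gold image rather than from memory.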
Slide 10: The APT Supply Chain: Choose Your Career Path
[Diagram. Labels: Technical Infrastructure Specialists & Organizations; Harvesting; Operational Infrastructure Specialists & Organizations; Cash Out; Communication (fraud forum / chat room); Target Data & User Accounts; Tools; Hosting; Delivery; Mules; Drops; Monetizing.]

Slide 11: The "Community" of Attackers
Criminals
• Petty criminals: unsophisticated; targets of opportunity
• Organized crime: organized, sophisticated supply chains; targets PII, financial services, retail
Non-state actors
• Terrorists, anti-establishment vigilantes, "hacktivists"; targets PII, government, critical infrastructure
Nation states
• Targets PII, government, the defense industrial base and IP-rich organizations

Slide 12: Advanced Threats 1.0 vs. 2.0
[Diagram.] Advanced Threats 1.0: C2 traffic to a handful of endpoints (abc.com, def.com, 1.2.3.4) as clear text over a custom protocol, clear text over a normal protocol, or with custom encryption. Detection layers shown against it: content inspection, protocol anomalies, network traffic anomalies, known bad endpoints.
Advanced Threats 2.0: C2 traffic on port 80/443 using SSL or other standards-based encryption; custom malware with no signature; C2 spread across more endpoints (abc.com, def.com, 1.2.3.4, 3.7.9.1, 8.2.3.3).
1% of attacks discovered by anti-virus, <1% by IDS (Verizon 2011 DBIR).
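Once C2 moves to SSL on 443 with signature-free malware, content inspection and protocol anomalies stop helping, and what is left of the slide's detection layers is the shape of the traffic. A malware implant that checks in on a timer produces inter-arrival times far more regular than a person browsing, even with the jitter operators add. The following is an added example for this page, not code from the RSA deck: a periodicity check over flow records, where the flow layout, thresholds and the constructed timestamps are assumptions.

```python
"""Find periodic ('beaconing') C2 check-ins inside ordinary port 443 traffic
(slide 12, Advanced Threats 2.0: encrypted and signature-free, so only the
traffic's timing remains).

Added example for this page, not code from the RSA deck. The flow layout,
thresholds and the constructed timestamps are assumptions.
"""
from __future__ import annotations

import random
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def make_sample_flows(seed: int = 7):
    """Constructed sample (not real data): host WS14 checks in roughly hourly
    (+/-5% jitter) with one external IP over 443, and also browses another
    external IP at random times during the same day."""
    rng = random.Random(seed)
    day = datetime(2011, 3, 1)
    flows = []
    t = day
    for _ in range(24):
        t += timedelta(seconds=3600 * rng.uniform(0.95, 1.05))
        flows.append((t, "WS14", "203.0.113.20", 443, 612))
    for _ in range(40):
        t_browse = day + timedelta(seconds=rng.uniform(0, 86400))
        flows.append((t_browse, "WS14", "198.51.100.8", 443, rng.randint(500, 90000)))
    return sorted(flows)


def beacon_scores(flows, min_connections: int = 8):
    """Per (src, dst, port) with at least `min_connections` flows, return
    (count, mean inter-arrival seconds, coefficient of variation). A CV near 0
    means every gap looks like every other gap: a timer, not a person."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, _nbytes in flows:
        by_pair[(src, dst, port)].append(ts)
    scores = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        scores[pair] = (len(times), mean, cv)
    return scores


def suspected_beacons(flows, max_cv: float = 0.15, min_connections: int = 8):
    """Pairs whose inter-arrival CV is at or below `max_cv`."""
    return sorted(pair for pair, (_n, _mean, cv) in beacon_scores(flows, min_connections).items()
                  if cv <= max_cv)


if __name__ == "__main__":
    flows = make_sample_flows()
    for pair, (n, mean, cv) in sorted(beacon_scores(flows).items()):
        print(pair, f"n={n} mean={mean:.0f}s cv={cv:.2f}")
    print("suspected beacons:", suspected_beacons(flows))
```

On the sample the hourly check-in scores a CV of a few hundredths while the random browsing scores near 1, so only the former is reported. Real operators randomize sleep intervals more aggressively than 5%, so the CV threshold has to be tuned against your own baseline and combined with destination rarity (how many other hosts talk to that IP) rather than used alone; legitimate software updaters and NTP also beacon, which is why the output is a lead for the investigation workflow the later slides describe, not a verdict.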
Slide 13: APT: Evolution

Intrusion Phase    | Non-APT (DoS)               | Obsolete                | Current
Reconnaissance     | None                        | Scanning, opportunistic | OSINT, targeted
Weaponization      | Blast, stress               | Layer 4 payload         | Layer 7 payload
Delivery           | Opportunistic: non-targeted | Vulnerable protocol     | Standard communication protocol
Exploit            | Client-side, server-side    | Server-side (service)   | Client-side (application)
Installation       | Rapid                       | Sibling infection       | Plain sight, ADS, anti-reversing
Command & Control  | None                        | Custom protocol         | Protocol compliant
Actions on Intent  | Propagate, disrupt, deface  | Propagate or PII        | Exfiltrate

Slide 14: APT: Response (courses of action per kill-chain phase)

Intrusion Phase    | Detect        | Deny          | Disrupt    | Degrade            | Deceive      | Destroy
Reconnaissance     | Web Analytics | Firewall ACL  |            |                    |              |
Weaponization      | NIDS          | NIPS          |            |                    |              |
Delivery           | Vigilant User | Proxy Filter  | In-Line AV | Queuing            |              |
Exploit            | HIDS          | Patch         | DEP        |                    |              |
Installation       | HIDS          | "chroot" Jail | AV         |                    |              |
Command & Control  | NIDS          | Firewall ACL  | NIPS       | Tarpit             | DNS Redirect |
Actions            | Audit Log     |               |            | Quality of Service | Honeypot     |
Slide 15: Advanced Cyber Defense Approach
[Diagram: the Cyber Kill Chain ("Breach Life Cycle") plotted against Breach Exposure Time ("BET"). Labels: Threat Vector "Malware" (Undetected); Establish Network Foothold; Target; Data Exfiltration; Late Detection; Threat Visibility & Mitigation Goal; Attack Kill Chain Life Cycle.]

Slide 16: APT: The Challenge of Cleanup
• Did you get it all? (Cleaning)
• Do you adequately understand how it happened? (Forensics)
• Will the exploits work again? (Remediation)
• Is the damage understood and contained? (Risk model and reduction)

Slide 17: APT: Needed Capabilities
• Network Visibility
• Critical Info Identification and Tracking
• IPS Active Blocking
• Continuous Monitoring
• Cyber Threat Awareness
• Attack Identification and Triage
• Collaboration
• Incident Response
• Network Traffic Analysis
• Host-Based Forensics
• Malware Forensics
• Signature and IOC Development
• Cyber Threat and Intelligence
• Security Infrastructure

Slide 18: APT: Lessons Learned
1. There are no trivial systems
2. Collect the right info
3. Have a plan
4. User awareness
5. Be able to look back (forensics)
6. Know thyself (crown jewels)
7. Have the right people
8. It takes a village (or an ecosystem)
9. A holistic view is key
10. Get smart(er) with the data you collect

Slide 19: Introducing Security Analytics

Slide 20: Today's Security Requirements
• Comprehensive Visibility: "Analyze everything happening in my infrastructure"
• Agile Analytics: "Enable me to analyze and investigate potential threats in near real time"
• Actionable Intelligence: "Help me identify targets, threats & incidents"
• Scalable Infrastructure: "Need a flexible infrastructure to conduct short term and long term analysis"

Slide 21: RSA Security Management Compliance Vision: Delivering Visibility, Intelligence and Governance
Slide 22: RSA Security Analytics: Changing the Security Management Status Quo
Unified platform for security monitoring, incident investigations and compliance reporting.
[Diagram: SIEM (compliance reports, device XMLs, log parsing) plus Network Security Monitoring feed into RSA Security Analytics, described as high-powered analytics, big data infrastructure and integrated intelligence: fast & powerful analytics, logs & packets, unified interface, analytics warehouse.]
"See data you didn't see before, understand data you didn't even consider before."

Slide 23: RSA Security Analytics Architecture
[Diagram.] Real-time investigations (hours to days): metadata, packets, correlation. Long-term analysis: metadata, raw logs, select payload.

Slide 24: What Makes Security Analytics Different?
• Big Data Infrastructure
  – Fast & scalable
  – Logs & packets
  – Security data warehouse plus proven NetWitness infrastructure
• High Powered Analytics
  – The speed and smarts to detect, investigate & understand advanced threats
  – Comprehensive visibility to see everything happening in an environment
  – Short term & long term analytics plus compliance
  – Removes the hay vs. digging for needles
• Integrated Intelligence
  – Intelligence from the global security community and RSA FirstWatch fused with your organization's data
  – Understand what to look for and utilize what others have already found
"The only security management solution that has both speed & smarts."

Slide 25: Big Data Infrastructure
• Single platform for capturing and analyzing large amounts of network and log data
• Distributed, "scale-out" architecture
• Unique architecture to support both "speed" and "smarts" for threat analysis
• Security data warehouse for long term analytics & compliance
• Proven NetWitness infrastructure for short term analytics and investigations

Slide 26: High Powered Analytics
• Eliminates blind spots to achieve comprehensive visibility across the enterprise
• Real-time and "after-the-fact" investigations
• Uses the industry's most comprehensive and easily understandable analytical workbench
• Proven, patented analytics applies business context to security investigations
• Automates the generation of compliance reports and supports long term forensic analysis

Slide 27: Full Network Visibility
[Diagram: network traffic and logs feeding the platform.]
• Gain full visibility into your network including both logs and packets
• Discover advanced threats missed by traditional security approaches
• Completely reconstruct network sessions for real time analysis and investigation
• Capture all data from the network to the application layer
• Perform detailed session analysis, regardless of port or protocol

Slide 28: Single Platform for Network Packet and Log Data Collection
[Diagram: network traffic and logs.]
• Both network packet capture and log collection
• Patented methods of network capture, processing, data extraction and service/protocol identification
• Consolidates disparate sources
• Instantly analyzes massive data sets

Slide 29: Reimagining what SIEM can do: Removing hay vs. digging for needles
Funnel, top to bottom:
1. All network traffic & logs: terabytes of data (100% of total)
2. Downloads of executables: thousands of data points (5% of total)
3. Type does not match extension: hundreds of data points (0.2% of total)
4. Create alerts to/from critical assets: a few dozen alerts
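The funnel on slide 29 is a chain of filters, each cheaper to review than the last, and the middle step is the one worth getting right: "type does not match extension" means identifying the file by its leading bytes, not by the name the server chose, so that a PE binary served as report.pdf is caught. The following is an added example for this page, not code from the RSA deck: the same funnel over a handful of reconstructed sessions. The session layout, magic-byte table, extension map and critical-asset list are assumptions, and the constructed sample does not reproduce the deck's percentages.

```python
"""The slide 29 funnel as a filter chain: start from every reconstructed
session, keep executable downloads, keep those whose content type does not
match the file extension, then keep those touching critical assets.

Added example for this page, not code from the RSA deck. The session layout,
magic-byte table, extension map and critical-asset list are assumptions; the
deck's percentages are its own and are not reproduced by this sample.
"""
from __future__ import annotations

import posixpath
from urllib.parse import urlsplit

# Leading bytes that identify a file type regardless of its name.
MAGIC = {
    b"MZ": "pe",                  # Windows PE (exe/dll/sys/scr)
    b"\x7fELF": "elf",
    b"\xcf\xfa\xed\xfe": "macho64",
    b"%PDF": "pdf",
    b"GIF8": "gif",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG": "png",
}
EXECUTABLE_TYPES = {"pe", "elf", "macho64"}
# Extensions under which each executable type may honestly appear.
HONEST_EXT = {
    "pe": {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl"},
    "elf": {"", ".so", ".bin"},
    "macho64": {"", ".dylib"},
}
CRITICAL_ASSETS = {"FIN-DB01", "HR-FS01"}  # assumed crown-jewel hosts

# Constructed sessions (not real traffic): source host, destination, URL, first bytes.
SESSIONS = [
    {"src": "WS01", "dst": "cdn.example", "url": "http://cdn.example/img/logo.gif", "body": b"GIF89a\x01\x00"},
    {"src": "WS01", "dst": "update.example", "url": "http://update.example/setup.exe", "body": b"MZ\x90\x00\x03"},
    {"src": "FIN-DB01", "dst": "203.0.113.50", "url": "http://203.0.113.50/q1/report.pdf", "body": b"MZ\x90\x00\x03"},
    {"src": "WS07", "dst": "198.51.100.3", "url": "http://198.51.100.3/x.jpg?id=4", "body": b"MZ\x90\x00\x03"},
    {"src": "WS02", "dst": "site.example", "url": "http://site.example/doc.pdf", "body": b"%PDF-1.4"},
    {"src": "HR-FS01", "dst": "site.example", "url": "http://site.example/file.png", "body": b"\x89PNG\r\n"},
    {"src": "WS09", "dst": "mirror.example", "url": "http://mirror.example/bin/tool", "body": b"\x7fELF\x02\x01"},
    {"src": "WS03", "dst": "pics.example", "url": "http://pics.example/photo.jpeg", "body": b"\xff\xd8\xff\xe0"},
]


def sniff(body: bytes) -> str:
    """Identify a file by its leading bytes; 'unknown' if no magic matches."""
    for magic, kind in MAGIC.items():
        if body.startswith(magic):
            return kind
    return "unknown"


def url_ext(url: str) -> str:
    # Take the extension from the URL path only, so a query string cannot hide it.
    return posixpath.splitext(urlsplit(url).path)[1].lower()


def funnel(sessions, critical_assets=CRITICAL_ASSETS):
    """Return (count per stage, sessions surviving the last stage)."""
    executables = [s for s in sessions if sniff(s["body"]) in EXECUTABLE_TYPES]
    mismatched = [s for s in executables if url_ext(s["url"]) not in HONEST_EXT[sniff(s["body"])]]
    critical = [s for s in mismatched if s["src"] in critical_assets or s["dst"] in critical_assets]
    counts = {"all": len(sessions), "executables": len(executables),
              "type_mismatch": len(mismatched), "critical_assets": len(critical)}
    return counts, critical


if __name__ == "__main__":
    counts, alerts = funnel(SESSIONS)
    print(counts)
    for a in alerts:
        print("ALERT", a["src"], "->", a["url"], "is", sniff(a["body"]))
```

Eight sessions become four executable downloads, two of which wear a document or image extension, one of which lands on a finance database server. The second stage depends on the capture having the session payload, not just logs: a proxy log shows report.pdf, only the reconstructed bytes show MZ, which is the deck's argument for collecting packets alongside logs.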
Slide 30: Integrated Intelligence: How Do I Know What To Look For?
• Gathers advanced threat intelligence and content from the global security community & RSA FirstWatch®
• Aggregates & consolidates the most pertinent information and fuses it with your organization's data
• Automatically distributes correlation rules, blacklists, parsers, views, feeds
Operationalize intelligence: take advantage of what others have already found and apply it against your current and historical data.

Slide 31: Security Analytics Live Content
• Fuses open source, commercial, and confidential threat and fraud intelligence with an organization's live and recorded network traffic

Slide 32: RSA FirstWatch®
• RSA's elite, highly trained global threat research & intelligence team
  – Heritage dating back to the late 1990s featuring a "who's who" of researchers
  – Backgrounds in government, military, financial services and information technology
• Focused on threats unknown to the security community
  – Malicious code & content analysis
  – Threat research & ecosystem analysis
  – Profiling threat actors
• Research operationalized automatically via RSA Live
Providing RSA Security Analytics customers covert tactical and strategic threat intelligence on advanced threats & actors.

Slide 33: RSA Security Analytics Results
• Reduce risk by compressing attacker free time
  – Continuous analysis of terabytes of security data through a big data architecture, reducing threat analysis time from days to minutes
• Level the playing field with adversaries
  – Incorporate operationalized intelligence to defend with confidence
• Elevate the security team to another level of effectiveness
  – Increase the team's collective skill by gaining analytical firepower
  – Investigate more rapidly, centralize information, automate alerts and reports
• Meet compliance requirements