RSA: Security Analytics Architecture for APT
Lee Wei Yeong
1.
Security Analytics Architecture for APT
Dale Long, Sr. Technology Consultant, RSA Security
© Copyright 2011 EMC Corporation. All rights reserved.
2.
Agenda
• APT: Defined
• Methodology
• APTs are Nasty Because
• Evolution
• Response
• The Challenge of Cleanup
• Needed Capabilities
• Lessons Learned
• Introduction to Security Analytics
3.
You Down With APT?
4.
Advanced Persistent Threats
• Operators behind the threat:
  – Have a full spectrum of intelligence gathering techniques at their disposal.
  – May use computer intrusion technologies and techniques, but also extend to conventional intelligence gathering techniques such as telephone interception and satellite imaging.
  – Often combine multiple targeting methods, tools and techniques in order to reach and compromise their target and maintain access to it.
  – Can use malware components generated from commonly available do-it-yourself malware construction kits, or easily procured exploit materials.
  – Can typically access and develop more advanced tools as required.
5.
Advanced Persistent Threats
• Operators give priority to a specific task, rather than opportunistically seeking information for financial or other gain.
  – This implies that attackers are guided by external entities.
• Targeting is conducted through continuous monitoring and interaction in order to achieve the defined objectives. It does not mean a barrage of constant attacks and malware updates.
• In fact, a “low-and-slow” approach is usually more successful. If the operator loses access to their target they usually will reattempt access, and most often, successfully.
6.
Advanced Persistent Threats
• APTs are a threat because they have both capability and intent.
• A level of coordinated human involvement in the attack, rather than a mindless and automated piece of code.
• The operators have a specific objective and are skilled, motivated, organized and well funded.
7.
APTs Key Features
1. Highly-targeted
  • Tailored to an individual organization
2. Well-researched
  • Reconnaissance on people and processes
3. Well-funded
  • Financial backing for intensive, long-term attacks
4. Designed to evade detection
  • “Low and slow”
5. Multiple vectors
  • Social engineering, application-layer exploits, zero-day malware, data exfiltration techniques, etc.
8.
APT: Methodology
Step One: C2 Communication
The malware contacts C2 servers for instructions, such as downloading and executing new malware or opening a reverse backdoor, allowing the attacker full access to the compromised system while bypassing firewall restrictions.
Step Two: Attack
The attacker (through the reverse backdoor) compromises multiple sources of interest, such as database servers, email servers, and file share servers.
Step Three: Data Staging
The attacker sends data to a staging server. Once the data is set, the attacker compresses the data (using the rar.exe utility) and password protects it.
Step Four: Data Exfiltration
The attacker uses malware to send the data through an encrypted tunnel to a malicious external IP address.
• The use of “staging servers” to aggregate the data they intend to steal.
• Encryption and compression of the data they steal.
• Deleting the compressed files they exfiltrated from the “staging server”.
9.
APTs are Nasty Because
• Little opportunity for correlation
  – Focused, so no community-sourced warning based on correlation across victims
  – Zero-day heavy, so ineffective behavioral pattern or footprint signature correlation
  – Complex and resilient CnC, so hard to correlate on attack source
  – CnC operators change as botnets are transferred by section or by victim
  – Low and slow, so no temporal correlation. Signal-to-noise ratio is low. Touch-to-compromise ratio 1.4.
• APT malware avoids anomaly detection through:
  – Outbound HTTP connections
  – Process injection
  – Service persistence
• APT malware analysis:
  – Average file size: 121.85 KB
  – Only 10% of APT backdoors were packed
  – Packing is not as common in standard APT malware
  – Packing is common in advanced APT malware and used by more advanced APT groups
• Most common APT filenames:
  – svchost.exe (most common)
  – iexplore.exe
  – iprinp.dll
  – winzf32.dll
10.
The APT Supply Chain: Choose Your Career Path
[Diagram labels: Harvesting (Target Data & User Accounts); Communication (Fraud forum / chat room); Cash Out (Monetizing); Technical Infrastructure Specialists & Organizations (Tools, Hosting, Delivery); Operational Infrastructure Specialists & Organizations (Mules, Drops)]
11.
The “Community” of Attackers
[Diagram, ordered from unsophisticated to sophisticated]
• Criminals: petty criminals; organized crime; organized, sophisticated supply chains (PII, financial services, retail)
• Non-state actors: terrorists; anti-establishment vigilantes; “hacktivists” (targets of opportunity: PII, government, critical infrastructure)
• Nation states: PII, government, defense industrial base, IP-rich organizations
12.
Advanced Threats 1.0 vs. 2.0
[Diagram]
• Advanced Threats 1.0: C2 traffic using clear-text & custom protocol, clear-text & normal protocol, or custom encryption. Detected by content inspection, protocol anomalies, network traffic anomalies, and known bad endpoints.
• Advanced Threats 2.0: C2 traffic (port 80/443) over SSL or other standards-based encryption; custom malware with no signature.
• 1% of attacks discovered by anti-virus, <1% by IDS. (Verizon 2011 DBIR)
13.
APT: Evolution
Intrusion Phase | Non-APT (DoS) | Obsolete | Current
Reconnaissance | None | Scanning, opportunistic | OSINT, targeted
Weaponization | Blast, Stress | Layer 4 payload | Layer 7 payload
Delivery | Opportunistic: non-targeted | Vulnerable protocol | Standard Comm. Prot.
Exploit | Client-side, Server-side | Server-side (svc) | Client-side (app)
Installation | Rapid | Sibling infection | Plain sight ADS, anti-reversing
Command & Ctrl | None | Custom protocol | Protocol compliant
Actions on Intent | Propagate, Disrupt, Deface | Propagate or PII | Exfiltrate
14.
APT: Response
Intrusion Phase | Detect | Deny | Disrupt | Degrade | Deceive | Destroy
Reconnaissance | Web Analytics | Firewall ACL | | | |
Weaponization | NIDS | NIPS | | | |
Delivery | Vigilant User | Proxy Filter | In-Line AV | Queuing | |
Exploit | HIDS | Patch | DEP | | |
Installation | HIDS | “chroot” Jail | AV | | |
Command & Ctrl | NIDS | Firewall ACL | NIPS | Tarpit | DNS Redirect |
Actions | Audit Log | | | Quality of Service | Honeypot |
15.
Advanced Cyber Defense Approach
[Diagram: Cyber Cycle / Attack Kill Chain Life Cycle. Stages: Threat Vector “Malware” (Undetected) → Establish Network Foothold → Target → Data Exfiltration → Late Detection. The span from foothold to detection is the Breach Exposure Time (“BET”), also labelled Cyber Kill Chain “Breach Life Cycle”. Goal: Threat Visibility & Mitigation.]
16.
APT: The Challenge of Cleanup
• Did you get it all? – Cleaning
• Do you adequately understand how it happened? – Forensics
• Will the exploits work again? – Remediation
• Is damage understood and contained? – Risk Model and Reduction
17.
APT: Needed Capabilities
• Network Visibility
• Critical Info Ident and Tracking
• IPS Active Blocking
• Continuous Monitoring
• Cyber Threat Awareness
• Attack Ident and Triage
• Collaboration
• Incident Response
• Network Traffic Analysis
• Host-Based Forensics
• Malware Forensics
• Sig and IOC Development
• Cyber Threat and Intelligence
• Security Infrastructure
18.
APT: Lessons Learned
1. There are no trivial systems
2. Collect the right info
3. Have a plan
4. User awareness
5. Be able to look back (forensics)
6. Know thyself (Crown Jewels)
7. Have the right people
8. It takes a village (or an ecosystem)
9. A holistic view is key
10. Get smart(er) with the data you collect
19.
Introducing Security Analytics
20.
Today’s Security Requirements
• Comprehensive Visibility: “Analyze everything happening in my infrastructure”
• Agile Analytics: “Enable me to analyze and investigate potential threats in near real time”
• Actionable Intelligence: “Help me identify targets, threats & incidents”
• Scalable Infrastructure: “Need a flexible infrastructure to conduct short term and long term analysis”
21.
RSA Security Management Compliance Vision
Delivering Visibility, Intelligence and Governance
22.
RSA Security Analytics: Changing The Security Management Status Quo
Unified platform for security monitoring, incident investigations and compliance reporting
[Diagram labels: SIEM (Compliance Reports, Device XMLs, Log Parsing); Network Security Monitoring; RSA Security Analytics (High Powered Analytics, Big Data Infrastructure, Integrated Intelligence, Fast & Powerful Analytics, Logs & Packets, Unified Interface, Analytics Warehouse)]
SEE DATA YOU DIDN’T SEE BEFORE, UNDERSTAND DATA YOU DIDN’T EVEN CONSIDER BEFORE
23.
RSA Security Analytics Architecture
[Diagram]
• Real Time Investigations (hours to days): Metadata, Packets, Correlation
• Long Term Analysis: Metadata, Raw Logs, Select Payload
24.
What Makes Security Analytics Different?
• Big Data Infrastructure
  – Fast & scalable
  – Logs & packets
  – Security data warehouse plus proven NetWitness infrastructure
• High Powered Analytics
  – The speed and smarts to detect, investigate & understand advanced threats
  – Comprehensive visibility to see everything happening in an environment
  – Short term & long term analytics plus compliance
  – Removes the hay vs. digging for needles
• Integrated Intelligence
  – Intelligence from the global security community and RSA FirstWatch fused with your organization’s data
  – Understand what to look for and utilize what others have already found
The only security management solution that has both speed & smarts
25.
Big Data Infrastructure
• Single platform for capturing and analyzing large amounts of network and log data
• Distributed, “scale-out” architecture
• Unique architecture to support both “speed” and “smarts” for threat analysis
• Security data warehouse for long term analytics & compliance
• Proven NetWitness infrastructure for short term analytics and investigations
26.
High Powered Analytics
• Eliminates blind spots to achieve comprehensive visibility across the enterprise
• Real-time and “after-the-fact” investigations
• Uses the industry’s most comprehensive and easily understandable analytical workbench
• Proven, patented analytics applies business context to security investigations
• Automates the generation of compliance reports and supports long term forensic analysis
27.
Full Network Visibility
Diagram labels: Network traffic; Logs
• Gain full visibility into your network including both logs and packets
• Discover advanced threats missed by traditional security approaches
• Completely reconstruct network sessions for real time analysis and investigation
• Capture all data from the network to the application layer
• Perform detailed session analysis – regardless of port or protocol
28.
Single Platform for Network Packet and Log Data Collection
Diagram labels: Network traffic; Logs
• Both network packet capture and log collection
• Patented methods of network capture, processing, data extraction and service/protocol identification
• Consolidates disparate sources
• Instantly analyzes massive data sets
29.
Reimagining what SIEM can do: Removing hay vs. digging for needles
Funnel shown on the slide:
• All Network Traffic & Logs – Terabytes of data – 100% of total
• Downloads of executables – Thousands of data points – 5% of total
• Type does not match extension – Hundreds of data points – 0.2% of total
• Create alerts to/from critical assets – A few dozen alerts
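The funnel on this slide, and the "regardless of port or protocol" session analysis claimed two slides earlier, can be shown concretely in a few dozen lines. The following is an added illustration written for this page, not RSA's or NetWitness's code: it identifies the service from the first bytes on the wire rather than from the port, types the transferred object by its magic number, keeps only executables whose declared file extension disagrees with that type, and raises alerts only where a critical asset is the client or the server. The session records, the critical-asset list and the signature tables are all constructed for the example; a real deployment would extract the same fields from packet capture and use far larger signature sets.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Session:
    """One captured network session, reduced to the fields the funnel needs."""
    src: str            # client address
    dst: str            # server address
    dst_port: int       # transport port; deliberately NOT used to decide the protocol
    client_head: bytes  # first bytes the client sent
    filename: str       # name declared for the transferred object ("" if none)
    obj: bytes          # first bytes of the transferred object (b"" if none)


# Content-based service identification: the first bytes on the wire decide,
# so HTTP on port 53 is still classified as HTTP. (Constructed, minimal table.)
SERVICE_SIGNATURES = (
    (b"SSH-", "ssh"),
    (b"GET ", "http"),
    (b"POST ", "http"),
    (b"\x16\x03", "tls"),
)

# Magic numbers of the transferred object, and which extensions legitimately
# carry each type. A PE file arriving as "update.jpg" is the classic mismatch.
FILE_SIGNATURES = (
    (b"MZ", "exe"),
    (b"\x7fELF", "elf"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),
)
EXECUTABLE_TYPES = {"exe", "elf"}
EXPECTED_EXTENSIONS = {"exe": {"exe", "dll", "scr"}, "elf": {"", "so", "elf", "bin"}}


def identify_service(client_head: bytes) -> str:
    """Stage 1 helper: classify the session by payload, never by port."""
    for magic, name in SERVICE_SIGNATURES:
        if client_head.startswith(magic):
            return name
    return "unknown"


def file_type(obj: bytes) -> str:
    """Type the transferred object by its leading bytes."""
    for magic, name in FILE_SIGNATURES:
        if obj.startswith(magic):
            return name
    return "unknown"


def extension(filename: str) -> str:
    """Lower-cased final extension, or "" when the name has none."""
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""


def funnel(sessions: List[Session], critical_assets: Set[str]) -> Dict[str, object]:
    """Apply the four funnel stages and report how much survives each one."""
    execs = [s for s in sessions if file_type(s.obj) in EXECUTABLE_TYPES]
    mismatched = [s for s in execs
                  if extension(s.filename) not in EXPECTED_EXTENSIONS[file_type(s.obj)]]
    alerts = [s for s in mismatched if s.src in critical_assets or s.dst in critical_assets]
    return {
        "all_sessions": len(sessions),
        "executable_downloads": len(execs),
        "type_extension_mismatch": len(mismatched),
        "alerts": alerts,
    }


# Constructed sample capture (documentation address ranges, not real hosts).
CRITICAL_ASSETS = {"10.0.0.5", "10.0.0.9"}
SESSIONS = [
    Session("10.0.0.5", "203.0.113.10", 8080, b"GET /img/update.jpg HTTP/1.1\r\n", "update.jpg", b"MZ\x90\x00\x03"),
    Session("10.0.0.7", "203.0.113.10", 443, b"GET /dl/setup.exe HTTP/1.1\r\n", "setup.exe", b"MZ\x90\x00\x03"),
    Session("10.0.0.8", "198.51.100.4", 80, b"GET /report.pdf HTTP/1.1\r\n", "report.pdf", b"%PDF-1.7"),
    Session("10.0.0.8", "198.51.100.4", 22, b"SSH-2.0-OpenSSH_8.9\r\n", "", b""),
    Session("10.0.0.12", "203.0.113.20", 80, b"GET /img/logo.png HTTP/1.1\r\n", "logo.png", b"\x7fELF\x02\x01"),
    Session("10.0.0.9", "203.0.113.30", 53, b"GET /cdn/lib.so HTTP/1.1\r\n", "lib.so", b"\x7fELF\x02\x01"),
    Session("10.0.0.3", "203.0.113.40", 443, b"\x16\x03\x01\x02\x00", "", b""),
    Session("10.0.0.5", "198.51.100.9", 80, b"GET /docs/invoice.pdf HTTP/1.1\r\n", "invoice.pdf", b"MZ\x90\x00\x03"),
]


if __name__ == "__main__":
    for s in SESSIONS:
        print(f"{s.src} -> {s.dst}:{s.dst_port:<5} service={identify_service(s.client_head)}")
    result = funnel(SESSIONS, CRITICAL_ASSETS)
    for stage in ("all_sessions", "executable_downloads", "type_extension_mismatch"):
        print(f"{stage:<24} {result[stage]}")
    for s in result["alerts"]:
        print(f"ALERT {s.src} -> {s.dst}:{s.dst_port} {s.filename} is really {file_type(s.obj)}")
```

On the eight constructed sessions the stages shrink from 8 to 5 (executables), to 3 (extension disagrees with content), to 2 alerts (a critical asset involved). The session to port 53 is still recognised as HTTP because classification reads the payload, which is the point of protocol identification that ignores the port; and the ELF served as a `.png` survives the mismatch stage but is not alerted on because neither endpoint is in the critical-asset set, so tuning that set is what turns "hundreds of data points" into "a few dozen alerts".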
30.
Integrated Intelligence
How Do I Know What To Look For?
• Gathers advanced threat intelligence and content from the global security community & RSA FirstWatch®
• Aggregates & consolidates the most pertinent information and fuses it with your organization's data
• Automatically distributes correlation rules, blacklists, parsers, views, feeds
• Operationalize Intelligence: take advantage of what others have already found and apply it against your current and historical data
31.
Security Analytics Live Content
• Fuses open source, commercial, and confidential threat and fraud intelligence with an organization’s live and recorded network traffic
32.
RSA FirstWatch®
• RSA’s elite, highly trained global threat research & intelligence team
  – Heritage dating back to the late 1990s featuring a ‘who’s who’ of researchers
  – Backgrounds in government, military, financial services and information technology
• Focused on threats unknown to the security community
  – Malicious code & content analysis
  – Threat research & ecosystem analysis
  – Profiling threat actors
• Research operationalized automatically via RSA Live
Providing RSA Security Analytics customers covert tactical and strategic threat intelligence on advanced threats & actors
33.
RSA Security Analytics Results
• Reduce risk by compressing attacker free time
  – Continuous analysis of terabytes of security data through big data architecture, reducing the threat analysis time from days to minutes
• Level the playing field with adversaries
  – Incorporate operationalized intelligence to defend with confidence
• Elevate the security team to another level of effectiveness
  – Increase teams’ collective skill by gaining analytical firepower
  – Investigate more rapidly, centralize information, automate alerts and reports
• Meet compliance requirements