RSA NETWITNESS PLATFORM - Networks Unlimited

Transcription

Slide 1: RSA NETWITNESS PLATFORM
Andy Waterhouse, EMEA Presales Director
Twitter: @AndyJW

Slide 2: ORGANIZATIONS FACE DIFFICULT SECURITY CHALLENGES
- A SHIFTING LANDSCAPE: Difficult to see any and all threats, wherever they reside in a modern IT infrastructure.
- RESOURCE SHORTAGES: Skilled analysts are in short supply, and teams struggle to effectively combat threats.
- BUSINESS RISK INSIGHTS: Difficulty linking security alerts with business context and risk, resulting in a lack of focus on the most important threats.

Slide 3: ATTACKERS TAKE ADVANTAGE OF CHALLENGES TO TURN COMPROMISES INTO BREACHES
Attack chain shown: Initial Compromise (Spear Phishing Attack) -> Malware Installed -> Communicate to External Server (C2) -> Lateral Movement -> Discover Critical Assets -> Data Exfiltration -> Breach Detected (3rd Party Detection).
- 82% compromised in MINUTES
- 99% of exfiltration occurred in DAYS
- 64% discovered in MONTHS

Slide 4: LOGS PROVIDE ONLY LIMITED VISIBILITY
Diagram callouts:
- NetFlow Analyzer sees lateral movement, but from a known user
- NGFW has no rule for/against threat traffic
- AV/NGAV misses user downloading unknown malware
- IDS / IPS: NGIPS has no signature to stop the threat traffic
- Malware Tool misses UNKNOWN, NEW threat
- Confidential Data: NGFW has no rule for/against threat traffic
- VMs further inhibit visibility into threats
- Visibility into threats in the Cloud is an even bigger challenge

Slide 5: AND THE FLOOD OF DATA CAN BE OVERWHELMING
The need for visibility drives organizations to add more data sources:
- SIEM / Logs
- NetFlow Collector / NBAD
- Full PCAP / Network Forensics
- Endpoint Security
- Data Capture across Cloud
But too much data from disparate sources can obfuscate real threats. Manual correlation and analysis make it NEARLY IMPOSSIBLE to respond in time and prevent breaches.

Slide 6: SECURITY TEAMS STRUGGLE TO ASSESS & ACT
- Is this a real incident? Did any new processes execute on the target? Were there any communications back to the attacker?
- What's the scope of the incident? Based on the initial incident, are there other systems affected?
- What's the impact of the incident? What data was exfiltrated?
- What actions are required to mitigate?

Slide 7: AN EVOLVED SIEM PLATFORM THAT PROVIDES
- Complete Visibility: Visibility across Endpoints (OS-level), Logs, Networks (Packets), VMs and the Cloud, combined with threat intelligence and business context. Consumption and transformation of data into usable threat metadata.
- Detection of Advanced Attacks: Multiple sets of analytic techniques: data science modeling and machine learning; user & entity behavior analytics (UEBA). Processing of large volumes of threat data for complete threat detection.
- Insight into the Full Attack Scope: Validation of incidents with Endpoint and Cloud visibility and analysis. Orchestration across your entire security arsenal to accelerate incident response and automation.
- Eradication of Threats: Enable security teams to act and mitigate the full attack before it can impact the business. Automated response. Orchestration across the entire SOC.

Slide 8: SPEED OF DETECTION & RESPONSE IS CRITICAL
THE LONGER THEY ARE IN, THE HIGHER THE RISK
[Chart: Risk and Analyst Time & Skills Required plotted against Time. Caption: Detect Incidents Earlier, Before Impact.]

Slide 9: THE RSA NETWITNESS PLATFORM
[Architecture diagram; labels recovered from the extraction: data sources PACKETS, LOGS, NETFLOW, ENDPOINT; Intelligence & Context; capabilities Investigation, Compliance Reporting, Endpoint Analysis, Session Reconstruction, Incident Management; ACTION: Orchestration and Automation.]
RSA LIVE: Threat Intel, Business Rules, Parsers, Reports, Feeds, Context. Powered by RSA Research, Incident Response, and Engineering, plus RSA Community.

Slide 10: RSA NETWITNESS PLATFORM: INTELLIGENCE-DRIVEN SOC
- Accelerated threat detection from the endpoint to the cloud
- Force multiplier for security analysts & incident responders
- A business-driven security approach, providing business context

Slide 11: RSA NETWITNESS UEBA: DETECT THE UNKNOWN WITH MACHINE LEARNING ANALYTICS

Slide 12: RSA NETWITNESS UEBA: DETECT THE UNKNOWN
RSA NetWitness UEBA is a purpose-built, big-data ready, user and entity behavior analytics solution integrated as a central part of the RSA NetWitness Platform.
By leveraging unsupervised statistical anomaly detection and machine learning, RSA NetWitness UEBA provides comprehensive detection for unknown threats based on behaviors at every step of the attack lifecycle, without the need for analyst tuning.
- FEWER ALERTS, HIGHER QUALITY
- WINNING STRATEGY: Powerful machine-learning engine and breadth of use cases

Slide 13: RSA NETWITNESS UEBA
Pipeline: DATA INGEST -> UNIFIED METADATA TAXONOMY -> INVESTIGATION -> ALERT CORRELATION -> RISK SCORE & PRIORITY
Labels: NATIVE DATA COLLECTION. ENRICHED [remainder illegible]. UNSUPERVISED [remainder illegible]. INVESTIGATION READY. USE CASE FOCUSED.

Slide 14: WHY RSA NETWITNESS UEBA: DETECT IDENTITY-BASED ANOMALIES FOR MORE COMPLETE INCIDENT RESPONSE
- MULTI-TIERED UNSUPERVISED MACHINE LEARNING
- AUTONOMOUS TUNING
- RECURSIVE PATTERN RECOGNITION
- STANDARD DEVIATIONS
- STATISTICAL ANALYSIS
- NEW OCCURRENCES
- BEHAVIORAL OUTLIERS
- ADVANCED CORRELATION
- DATA AGGREGATION FRAMEWORK
- MULTIVARIATE ANALYSIS
- SEAMLESS ANOMALY EXPLORATION
- ROBUST AND COMPREHENSIVE
- ADAPTIVE ALERT PRIORITIZATION
- STREAMLINED INVESTIGATION

Slide 15: WHY RSA NETWITNESS UEBA: UNDER THE HOOD
- TIME BASED MODEL. Example features: unix timestamp 1491988104; iso 8601 2017-04-12T09:08:24+00:00; rfc 2822 Wednesday, 12-Apr-17 09:08:24 UTC. Indicators: AUTHENTICATION TIME ANOMALY, FILE ACCESS TIME ANOMALY, AD CHANGE TIME ANOMALY.
- CONTINUOUS MODEL. Example features: computers accessed 23; failed logons 144; files copied 6544. Indicators: HIGH NUMBER OF FILES ACCESSED, HIGH NUMBER OF AD CHANGES, HIGH NUMBER OF FAILED LOGONS.
- CATEGORICAL MODEL. Example features: application outlook.exe; computer name pc1; country nz. Indicators: SOURCE COMPUTER ANOMALY, FOLDER ACCESS ANOMALY, SERVER ACCESS ANOMALY.
- GLOBAL MODEL. Example features: computer name pc1; failed logons 144; files copied 6544. Functions: NOISY FEATURE REDUCTION, RARITY REDUCTION, CERTAINTY REDUCERS.

Slide 16: JUMPSTART INCIDENT INVESTIGATION: FALSE POSITIVES ARE A THING OF THE PAST
- Natural language indicators (aligned with MITRE ATT&CK framework)
- Nondeterministic detection approach
- Innovative Risk Scoring: dynamic statistical risk scoring mechanism based on indicator clustering and synergy
BEFORE SCENARIO: Siloed (and FIFO); Point in time (alert fatigue); Complex; Not-actionable alerts; Open-ended questions.
AFTER SCENARIO: OUTPUT -> ALERT CORRELATION -> RISK SCORE & PRIORITY
- Aggregated & Adaptive: stitching hundreds of point anomalous indicators
- Higher fidelity: enable instant pivot and full attack scope view
- Out-of-the-box: no predefinitions, no thresholds required
- Context Rich
*HANDS OFF* INNOVATIVE MACHINE LEARNING POWERED ENGINE

Slide 17: WHY RSA NETWITNESS UEBA: BECAUSE. USE CASES.
- command and control (C2) activity
- compromised account
- lateral movement
- shared user credentials
- active directory attack
- suspicious access
- advanced malware
- brute-force attempts
- time-related anomalies
- snooping and reconnaissance
- geographical location and speed
- password spray
- data-transfer-volume and event-source related anomalies
- data theft/exfiltration or data staging
- privileged user account abuse
- privilege elevation
- geolocation and remote access anomalies
- abnormal system access

Slide 18: WHY RSA NETWITNESS UEBA: BECAUSE. USE CASES. AD ATTACK TOP INDICATORS
ATTACKER (steps, in order):
- Brute force attack to compromise user credentials
- Attacker obtains elevated privileges
- Horizontal movement across Active Directory to gain more wide-spread access
- Backdoor account created in AD, granted privileged rights
- Crown jewel theft: all passwords harvested, user PII data exfiltrated, etc.
RSA NETWITNESS UEBA DETECTS (indicators, in order shown):
- Unusual number of failed logons
- Logon from a suspicious system
- Logon at unusual time
- Logons to multiple accounts from the same IP address
- AD account added to privileged group
- New AD user account created
- AD account added to privileged group
- Abnormal machine accessed
- Extraordinary number of files accessed
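The time based, continuous and categorical model types from the "under the hood" slide, and the way slide 16 describes stitching point indicators into a risk score, can be illustrated with a small per-user baselining script. This is an added example written for this transcription, not RSA NetWitness code; the user's 30-day baseline, the day under test, the 3-sigma threshold, the 2% hour-rarity cutoff, the indicator weights and the synergy bonus are all constructed assumptions, and the indicator names are taken from the AD attack slide above.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone
from statistics import mean, pstdev


def logon_hour(ts):
    """Normalise the three timestamp forms from the slide (unix, ISO 8601,
    RFC 2822-style) to an hour of day in UTC, so the time-based model can
    compare logons regardless of which source they came from."""
    if isinstance(ts, int):
        return datetime.fromtimestamp(ts, tz=timezone.utc).hour
    try:
        dt = datetime.fromisoformat(ts)
    except ValueError:
        # e.g. "Wednesday, 12-Apr-17 09:08:24 UTC"; strptime returns naive, so pin to UTC
        dt = datetime.strptime(ts, "%A, %d-%b-%y %H:%M:%S %Z").replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).hour


@dataclass
class DayRecord:
    """One day of activity for a single user (constructed, hypothetical data)."""
    day: str
    logons: list = field(default_factory=list)  # timestamps in any of the three forms
    src_computer: str = "pc1"
    failed_logons: int = 0
    files_copied: int = 0


# Constructed baseline: 30 days of office-hours logons from pc1, 2 failed logons a day
BASELINE = [
    DayRecord(f"2017-03-{d:02d}", [f"2017-03-{d:02d}T{h:02d}:00:00+00:00" for h in (8, 9, 13, 17)],
              "pc1", 2, 40 + d)
    for d in range(1, 31)
]
# Constructed day under test: a 03:12 logon from a never-seen machine, 144 failed logons, 6544 files
TEST_DAY = DayRecord("2017-04-12", [1491988104, "2017-04-12T03:12:40+00:00"], "pc7", 144, 6544)
# Constructed ordinary day, which should produce no indicators
NORMAL_DAY = DayRecord("2017-04-13", ["2017-04-13T08:05:00+00:00", "2017-04-13T13:30:00+00:00"], "pc1", 2, 50)


def time_anomaly(baseline, rec, rarity=0.02):
    """TIME BASED MODEL: hours of day that hold less than `rarity` of the user's baseline logons."""
    hist = Counter(logon_hour(t) for r in baseline for t in r.logons)
    total = sum(hist.values())
    return [h for h in (logon_hour(t) for t in rec.logons) if hist[h] / total < rarity]


def continuous_anomaly(baseline, rec, attr, sigmas=3.0):
    """CONTINUOUS MODEL: z-score of a daily count against the user's own history (standard deviations).
    Returns the z-score when it exceeds `sigmas`, else None. A constant baseline (sd == 0) treats any
    deviation as infinitely unusual."""
    values = [getattr(r, attr) for r in baseline]
    mu, sd = mean(values), pstdev(values)
    x = getattr(rec, attr)
    z = (x - mu) / sd if sd > 0 else (float("inf") if x != mu else 0.0)
    return z if z > sigmas else None


def categorical_anomaly(baseline, rec, attr):
    """CATEGORICAL MODEL: a value never observed for this user before (new occurrence)."""
    seen = {getattr(r, attr) for r in baseline}
    value = getattr(rec, attr)
    return value if value not in seen else None


# Indicator name -> (model check, weight). Weights are assumptions for the example.
INDICATORS = [
    ("logon at unusual time", lambda b, r: bool(time_anomaly(b, r)), 20),
    ("logon from a suspicious system", lambda b, r: categorical_anomaly(b, r, "src_computer") is not None, 20),
    ("unusual number of failed logons", lambda b, r: continuous_anomaly(b, r, "failed_logons") is not None, 25),
    ("extraordinary number of files accessed", lambda b, r: continuous_anomaly(b, r, "files_copied") is not None, 30),
]


def score_day(baseline, rec):
    """Stitch the point indicators into one per-user risk score (0-100): the sum of the weights
    of fired indicators plus a synergy bonus of 10 for each additional indicator beyond the first."""
    fired = [(name, w) for name, check, w in INDICATORS if check(baseline, rec)]
    base = sum(w for _, w in fired)
    synergy = 10 * max(0, len(fired) - 1)
    return min(100, base + synergy), [name for name, _ in fired]


if __name__ == "__main__":
    for rec in (TEST_DAY, NORMAL_DAY):
        print(rec.day, score_day(BASELINE, rec))
```

Each model contributes only the indicator it is suited for: the time-based model catches the 03:12 logon, the categorical model the unseen source computer, and the continuous model the spikes in failed logons and files copied; none of them needs an analyst-defined threshold on the raw counts, only a baseline of the user's own history, which is the "no predefinitions, no thresholds" point the slides make. The normal day scores zero, so the score separates the two days rather than alerting on every deviation.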

Slide 19: READY TO GO! RSA NETWITNESS USER INTERFACE

Slide 20: READY TO GO! RSA NETWITNESS USER INTERFACE

Slide 21: RSA NETWITNESS ORCHESTRATOR: UPLEVEL YOUR SOC

Slide 22: WHAT IS ORCHESTRATION AND AUTOMATION?
Gartner defines security orchestration, automation and response, or SOAR, as technologies that enable organizations:
- ORCHESTRATION: to collect security threat data and alerts from different sources, where incident analysis and triage can be performed leveraging a combination of human and machine power;
- AUTOMATION: to help define, prioritize and drive standardized incident response activities according to a standard workflow.
SOAR tools allow an organization to define incident analysis and response procedures (aka plays in a security operations playbook) in a digital workflow format, such that a range of machine-driven activities can be automated.

Slide 23: RSA NETWITNESS ORCHESTRATOR: AUTOMATE THE KNOWN. DETECT THE UNKNOWN.
Comprehensive security operation and automation technology that combines full case management, intelligent automation and orchestration, and collaborative investigations, leveraging playbook-driven automated response actions and machine-learning-powered insights for quicker resolution and better SOC efficiency.
RSA NetWitness Orchestrator acts as the connective tissue not only for the RSA NetWitness Platform, but extends across a SOC's entire security arsenal.

Slide 24: WHY RSA NETWITNESS ORCHESTRATOR: ORCHESTRATION. LEVERAGE EXISTING INVESTMENTS.
[Diagram labels, partly illegible: CASE MANAGEMENT; SIEM; INTEGRATION (OOTB); NETWORK & [illegible] FORENSICS.]
- 160 technology partner interoperabilities with more than 1000 bi-directional (push, pull) action types
- Open and extensible platform
- Apps built in Python and JavaScript
- Connectors: SQL, SSH, WMI, RESTful API, HTTPS, SOAP

Slide 25: WHY RSA NETWITNESS ORCHESTRATOR: CASE MANAGEMENT. BREAKING DOWN MANAGEMENT.
- ADVANCED SEARCH: IP. USER. DOMAIN. HASH. ENDPOINT.
- CUSTOMIZED VIEWS PER INCIDENT TYPE
- RELATED INCIDENTS
- EVIDENCE BOARD: LOG. PCAP. MFT. MEMORY. AUDIT.
- DASHBOARD & REPORTS
- AUTO-DOCUMENTATION

Slide 26: WHY RSA NETWITNESS ORCHESTRATOR: PLAYBOOK-DRIVEN
[Diagram labels: RELATION "BACKCOLORING"; THREAT INTEL MATCH.]
- Visual playbook representation, with context outputs and errors
- Review live playbook runs
- Avoid scripting for parsing, filtering and much more
- Ability to customize and create new technology integrations & playbooks
- Aggregate playbook findings for quick review

Slide 27: WHY RSA NETWITNESS ORCHESTRATOR: MACHINE LEARNING
[Diagram labels, partly illegible: SECURITY COMMANDS & ARGUMENTS; FREQUENCY; ANALYST ACTIONS; ANALYST LOAD; MANUAL [illegible]; OWNERSHIP; AUTOMATED PLAYBOOK RECOMMENDATIONS; EXTRACTING DUPLICATE INCIDENTS.]

Slide 28: RSA NETWITNESS PLATFORM 11.1

Slide 29: WHAT'S NEW IN RSA NETWITNESS 11.1
1. Introduction of RSA NetWitness Endpoint Insights: Free endpoint context to accelerate threat detection & response. Delivers timely insights into endpoint hosts via scans. Simplifies Microsoft Windows Logs collection. Available free to RSA NetWitness customers.
2. Dynamic Log Visibility: Log visibility from new applications and systems. New innovative "dynamic parsing" technology enables organizations to instantly parse new log data sources and immediately access critical security data.
3. High Confidence Detection of Threats with New UEBA Content: Enables the high fidelity detection of user- and entity-based threats through a set of bundled UEBA content packs. Correlate multiple data sources and identify anomalous or suspicious user behavior.
4. Streamlined Security Management and Reduced Process Complexity: Continued innovation and improvements to help drive greater efficiencies for analysts of all skill and experience levels.

Slide 30: QUESTIONS?

Slide 31: THANK YOU!
Andy Waterhouse, EMEA Presales Director
Twitter: @AndyJW
