From SIEM to SA: The Path Forward
- 1. From SIEM to Security Analytics The Path Forward Seth Geftic, Product Marketing Manager Steve Garrett, Product Manager © Copyright 2012 EMC Corporation. All rights reserved. 1
- 2. Agenda The Shift From SIEM What is RSA Security Analytics Beyond SIEM: Intelligence Driven Security Intelligence Driven Security In Action © Copyright 2012 EMC Corporation. All rights reserved. 2
- 3. The Shift Away From SIEM © Copyright 2012 EMC Corporation. All rights reserved. 3
- 4. The purpose of SIEM has evolved The original purchase driver behind SIEMs were – Satisfying compliance requirements more easily ▪ Collecting and retaining logs with less operational overhead ▪ Creating compliance reports more easily – Troubleshooting operational problems ▪ Determining root cause of failures Making IDS work better was often a driver too – The security team was deluged with IDS alerts – Many of the IDS rules were crude and fired too often © Copyright 2012 EMC Corporation. All rights reserved. 4
- 5. Why hasn’t SIEM lived up to expectations? Things have become more complex – IT environments have expanded – Hackers have become more sophisticated – IDS has become less and less relevant SIEMs response has been to add more log sources – More diversity of sources (Security Device, OS, Application etc) – Greater volume of sources as the number of critical systems has expanded But this has not solved the problem – SIEM has not been able to scale to the volume required – Its impractical to create correlation rules to detect every complex threat – Many threats no longer even have a footprint in the logs © Copyright 2012 EMC Corporation. All rights reserved. 5
- 6. The result for organizations? Honeymoon period for customers post implementation – Compliance reports run more smoothly – Security teams get at least *some* visibility into activity Disillusionment follows for many pretty soon after – As team matures they start to try extract more value from the data – At this point, performance and correlation limitations come to the fore © Copyright 2012 EMC Corporation. All rights reserved. 6
- 7. Today’s tools need to adapt Today’s tools need to be able to detect and investigate – Lateral movement of threats as they gain foothold – Covert characteristics of attack tools, techniques & procedures – Exfiltration or sabotage of critical data Today’s tools need to be able to scale – To collect and store the volume and diversity of data required – To provide analytic tools to support security work streams – Time to respond is critical in a breach situations – and SIEM often falls short © Copyright 2012 EMC Corporation. All rights reserved. 7
- 8. Security Analytics & The Security Maturity Voyage Visibility and Understanding Network Monitoring & Investigation Traditional SIEM Compliance Advanced Analysis Incident Detection SECURITY ANALYTICS Security Team Sophistication & Skillset © Copyright 2012 EMC Corporation. All rights reserved. 8
- 9. Use Case Needs Grow Compliance + Tier 1 Security (often met with traditional SIEM) – Compliance requirements – Incident detection – Limited investigations Moving Beyond SIEM – Increased visibility – Deep forensics and investigations – Supplement traditional SIEM Advanced Security Operations – Find more sophisticated attacks – Increased “hunting” ability – Conduct complex data analysis for next gen SOC © Copyright 2012 EMC Corporation. All rights reserved. 9
- 10. Today’s Security Requirements Big Data Infrastructure “Need a fast and scalable infrastructure to conduct real time and long term analysis” Comprehensive Visibility “See everything happening in my environment and normalize it” High Powered Analytics Integrated Intelligence “Give me the speed and smarts to detect, investigate and prioritize potential threats” “Help me understand what to look for and what others have discovered” © Copyright 2012 EMC Corporation. All rights reserved. 10
- 11. What is RSA Security Analytics © Copyright 2012 EMC Corporation. All rights reserved. 11
- 12. RSA Security Analytics Unified platform for incident detection, investigations, compliance reporting and advanced security analysis SIEM Log Parsing Compliance Reports Incident Alerts © Copyright 2012 EMC Corporation. All rights reserved. RSA Security Analytics Network Security Monitoring Full Packet Capture Big Data Infrastructure Capture Time Data Comprehensive Visibility Enrichment High Powered Analysis Deep Dive Investigations Intelligence Driven Context 12
- 13. Big data security analytics: RSA Security Analytics architecture LIVE Distributed Data Collection Capture Time Data Enrichment PARSING & METADATA TAGGING PACKETS LIVE LIVE Reporting & Alerting PACKET METADATA LOGS Investigation & Forensics Compliance Malware Analysis Intelligence Feeds LOG METADATA RSA LIVE INTELLIGENCE Incident Response Endpoint Visibility & Analysis Additional Business & IT Context Threat Intelligence | Rules | Parsers | Alerts | Feeds | Apps | Directory Services | Reports & Custom Actions © Copyright 2012 EMC Corporation. All rights reserved. 13
- 14. RSA Security Analytics “SIEM-like” deployment LIVE Distributed Data Collection Capture Time Data Enrichment PARSING & METADATA TAGGING LOGS LOGS LOG METADATA LIVE LIVE Reporting & Alerting Investigation & Forensics Compliance Malware Analysis Intelligence Feeds RSA LIVE INTELLIGENCE Incident Response Endpoint Visibility & Analysis Additional Business & IT Context Threat Intelligence | Rules | Parsers | Alerts | Feeds | Apps | Directory Services | Reports & Custom Actions © Copyright 2012 EMC Corporation. All rights reserved. 14
- 15. RSA Security Analytics with a traditional SIEM LIVE LIVE Distributed Data Collection LIVE PARSING & Capture METADATA TAGGING Time Data Enrichment Alerting PACKETS PACKET METADATA 3rd Party SIEM Collection LOGS © Copyright 2012 EMC Corporation. All rights reserved. Investigation & Forensics Malware Analysis Intel Feeds Alerts Alert Triage Investigations Compliance & Reporting 15
- 16. What Makes SA Different? Single platform for log & network security monitoring Capture time data enrichment Superior event stream & on-request analysis Incorporates business and IT data, incident response & endpoint visibility Operationalizes threat intelligence Security platform where compliance is an outcome, not the other way around © Copyright 2012 EMC Corporation. All rights reserved. 16
- 17. Beyond SIEM – Intelligence Driven Security © Copyright 2012 EMC Corporation. All rights reserved. 17
- 18. What is Intelligence Driven Security? The process of using all the security-related information available, both internally and externally, to detect hidden threats and even predict future ones. It is knowledge that enables an organization to make informed risk decisions and take action. © Copyright 2012 EMC Corporation. All rights reserved. 18
- 19. Meet the Adversary: Mr. X Persona Mission in Life Tactics Primary Data Source(s) Cyber Criminal, Government sponsored or non-state actor Exfiltrate any and all data available by creating threat surface specialized for a given target. Malicious Code, Social Media, Phishing, Spear Phishing Must Have: Facebook, LinkedIn, Malware Mr. X Note: Average price of a zeroday exploit generated by the criminal underground is $25. Mr. X has been busy: Combination of Waterhole Attacks with Zero Day Exploits (non-profits and think tanks) – – – – Targeting users who visit very specific websites Latest IE 0-day attack focused on a specific non-profit site Downloaded and executed shellcode directly from memory, never hit disk Dropped non-persistent (Aurora) 9002 RAT Multiple attack groups on the same victim, steady evolution of adversary backdoors NO slowdown in attack operations, very specific targeting of intelligence based on attacker taskings (Lawsuits, Key Personnel, C-Suite, M/A activity) Email Exfiltration – MAPI tool, Theft of Lotus Notes Email Continued heavy use of Windows Service DLLs, some signed © Copyright 2012 EMC Corporation. All rights reserved. 19
- 20. Mr. X – How Does he do it? Ability to Detect Your Network A: Web App Vulnerability B: Drop Webshells or Trojan Backdoor D: Pass The Hash C: Command and Control IDS SIEM SA A B C D E: Seize Domain Admin Credentials E F G H: Transmit Stolen Data F: Gain Access to Trade Secrets G: Upload Stolen Data to Staging Server © Copyright 2012 EMC Corporation. All rights reserved. H Yes Possible Yes – Full Visibility with Logs and Packets with Threat Intelligence No 20
- 21. Intelligence Driven Security with Security Analytics A: Web App Vulnerability B: Drop Webshells or Trojan Backdoor RSA Live Threat Intelligence May Have Identified Risk of the Transfer as a Starting Point for Investigation © Copyright 2012 EMC Corporation. All rights reserved. 21
- 22. Intelligence Driven Security with Security Analytics C: Command and Control Traversing Your Infrastructure D: Pass The Hash E: Seize Domain Admin Credentials F: Gain Access to Trade Secrets G: Upload Stolen Data to Staging Server Mr. X use a variety of techniques to communicate while traversing your infrastructure which Security Analytics can detect and parse – Named Pipes commonly abused (pipehello is NOT from Microsoft) – Abuse of the Windows Task Scheduler over SMB connections via NET USE, allowing command shell capabilities with SYSTEM privelidges Security Analytics combines Log Data with Packet Data for Deep Visibility © Copyright 2012 EMC Corporation. All rights reserved. 22
- 23. Intelligence Driven Security with Security Analytics H: Transmit Stolen Data Your Network G: Upload Stolen Data to Staging Server RSA Live Threat Intelligence May Have Identified Risk of the Transfer based on Remote Host or Outbound Protocol Anomalies ( such as self-signed certs) – – Security Analytics will flag these sessions as suspicious and identify where the data travelled Event reconstruction may be possible © Copyright 2012 EMC Corporation. All rights reserved. 23
- 24. Anyone see this Movie? © Copyright 2011 EMC Corporation. All rights reserved. 24
- 25. Event Stream Analysis: Intelligence Driven Security in Action © Copyright 2011 EMC Corporation. All rights reserved. 25
- 26. Intelligence Driven Security with Security Analytics – Event Stream Analysis Log Decoder Concentrator 18k EPS • Full Visibility LIVE Log Decoder Concentrator ESA 24k EPS – Log Data and Packet Data normalized into Meta Data – Additional Context may be added into ESA from other business systems LIVE Packet Decoder Concentrator 2 GB/s Additional Context LIVE © Copyright 2011 EMC Corporation. All rights reserved. 26
- 27. Intelligence Driven Security with Security Analytics – Event Stream Analysis STATIC CONTEXT DYNAMIC CONTEXT DYNAMIC CONTEXT • Leverage the power of ESA’s Correlation Engine to Create Dynamic Risk Categorization using Context Windows Suspicious Internal IP Suspicious Internal IP 10.221.32.12 161.169.207.15 .. .. Suspicious Host Alias Ssl-irc.scumware.org Mirror.wikileaks.info Updatekernal.com … Critical Asset List 10.100.32.10 10.100.32.104 © Copyright 2011 EMC Corporation. All rights reserved. • Suspicious Internal Hosts IP List based on Packet Analysis and RSA Live Threat Intel • As an example, any host running a named pipe such as “pipehello” • Entries age out after preconfigured time (8 hours for instance) • Suspicious Host Alias List based on Packet Analysis and RSA Live Threat Intel • Entries age out after preconfigured time (12 hours for instance) • Critical Asset List may come from Feed File or CSV file which provides Business Context • Entries can be configured to be static and not age out 27
- 28. Intelligence Driven Security with Security Analytics – Event Stream Analysis • When one of the Suspicious Hosts attempts to login on one of the Critical Assets, you may deem this as an elevation of Risk, and choose to add the IP address of the Host to a new list DYNAMIC CONTEXT • Elevated Risk Internal IP List based on Log Data from Domain Controller Suspicious Internal IP Elevated Risk Internal IP 10.221.32.12 161.169.207.15 .. .. If A->B->C AND the Host IP address is included in the Elevated Risk Context Window, then tell me about it!” © Copyright 2011 EMC Corporation. All rights reserved. • ESA determines that a host in the Suspicious Host IP list attempted to login to a host in the Critical Asset List • ESA places this IP address into the Elevated Risk Internal IP list, which can be configured to age out after a preconfigured time • Context Window can be referenced with the Incoming Event Streams and used to make a more intelligent decision to fire an Alert 28
- 29. RSA Security Analytics • Cornerstone in the Security Operations journey • Flexible platform that grows with your needs – Compliance incident detection investigation and forensics advanced analysis – From logs packets or packets logs • Security platform where compliance is a byproduct, not the other way around © Copyright 2011 EMC Corporation. All rights reserved. 29
- 30. RSA Advanced Cyber Defense Services A portfolio of services to help you achieve security operations excellence • Strategy & Roadmap Current strategy review and recommendations for desired future state • Incident Response Rapid breach response service and SLA-based retainer • NextGen Security Operations SOC/CIRC evolution and security program transformations; moving from reactive to proactive www.rsa.im/ACDpractice © Copyright 2013 EMC Corporation. All rights reserved. 30
- 31. RSA Advanced Cyber Defense Training A comprehensive learning path for security analysts • Focus on proven methodologies for operating and managing a CIRC/SOC • Hands-on labs designed around real-world use cases and teamwork in a CIRC/SOC • Delivered by highly experienced RSA Security Practitioners www.emc.com/rsa-training © Copyright 2013 EMC Corporation. All rights reserved. 31
- 33. Reimagining Security Analysis: Removing Hay vs. Digging For Needles All Network Traffic & Logs Terabytes of data 100% of total Downloads of executables Thousands of data points 5% of total Type does not match extension Hundreds of data points 0.2% of total ! © Copyright 2011 EMC Corporation. All rights reserved. Create alerts to/from critical assets A few dozen alerts 33
- 34. Integrated Intelligence Know What To Look For RSA LIVE INTELLIGENCE SYSTEM Threat Intelligence – Rules – Parsers – Alerts – Feeds – Apps – Directory Services – Reports and Custom Actions 1 2 Gathers advanced threat intelligence and content 3 Aggregates & consolidates data Automatically distributes correlation rules, blacklists, parsers, views, feeds OPERATIONALIZE INTELLIGENCE: Take advantage of what others have already found and apply against your current and historical data © Copyright 2011 EMC Corporation. All rights reserved. 34
- 35. SA vs. SIEM Attack Step Traditional SIEM RSA Security Analytics Alert for access over non-standard port No Yes Recreate activity of suspect IP address across environment No Yes Show user activity across AD and VPN Yes Yes Alert for different credentials used for AD and VP Yes Yes Reconstruct exfiltrated data No Yes © Copyright 2011 EMC Corporation. All rights reserved. 35