Spo2 w23 a
- 2. The Information Arms Race 2 OLD ATTACKS NEW ATTACKS • Amateurs • Noisy • Curious/mischievous • Script driven • Untargeted • Professionals • Stealthy • For profit/intentional damage • Professionally developed • Targeted
- 5. Incident Response Lifecycle 5 Reduced Frequency Minimize Scope of Impact Faster Remediation ID the Root Attack
- 6. Security Management Chaos • Console hopping • Manual investigation • Waiting for answers • Waiting for updates • Missing what’s important February 25, 20136
- 7. Shortening the Process • Intelligent recognition of threats – Rich context, risk based analysis • Real-time active inspection of system state – Moving from spreadsheets and phone calls to real-time queries • Respond with precision – Automate key steps and surgically addressing threat February 25, 20137
- 8. 8 Security Connected Getting There CAN?How?
- 9. Security Maturity Model OPTIMIZED (~4% of IT Budget on Security) REACTIVE (~3% of IT Budget on Security) COMPLIANT/PROACTIVE (~8% of IT Budget on Security) TCO (CapEx + OpEx) SECURITY POSTURE SECURITY OPTIMIZATION Security Connected9
- 10. Connected, Intelligent, Real Time February 25, 2013 10 Bridge Silos Security Operations Security Analytics Endpoint Vulnerability Management Network Real Time Action Operations Analytics Threat Intelligence Data User Application Application
- 11. LEARN QUICKLY Turn billions of “so what” events into Actionable Information via context, content and advanced analytics MOVE FAST Performance in all areas – insertion, enrichment, queries, dashboards, analytics – is essential ACT DECISIVELY Understand common scenarios, automate steps, streamline processes Security Analytics Needs
- 12. External IP 1 External IP 2 HTTP File Download Missing Something? Verdict Misconfiguration Verdict: USER ERROR Access Denied February : File Share Access March: UDP ! Internal Services January : Email Sent
- 13. Quarantine File, add Tag—Investigate Laptop (ePO/DLP) System Owner in Dev. Mgrs. Access to Core IP IP File Downloaded— Name and Extension Changed ! Set Server and Laptop Security to High (ePO/Endpoin t) Run Scan (MVM) Quarantine Actor (NSP) Quarantine: Source and Destination External IP 1 External IP 2 HTTP File Download Bad Actor! Communication with North Korea ! Activity Outside the Norm ! Acting with Context UNUSUAL PACKET SIZE Access Denied Core IP Internal ServicesFebruary : File Share Access March: UDP ! January : Email Sent
- 14. Intelligent Integration Example Dynamic Enrichment GTI Endpoint & SIA Alerts & Policy Enforcement ePO Network Alerts & Quarantine NSP Asset Inventory & On-demand scan MVM ADM FW DLP MWG MEG MAM NTBA DAM ESM
- 15. Consolidating Operations Host IPS Agent Systems Management Agent Audit Agent Antivirus Agent Encryption NAC DLP Agent EVERY SOLUTION HAS AN AGENT EVERY AGENT HAS A CONSOLE EVERY CONSOLE REQUIRES A SERVER EVERY SERVER REQUIRES AN OS/DB EVERY OS/DB REQUIRES PEOPLE, MAINTENANCE, PATCHING WHERE DOES IT END? 15 Security Connected
- 16. Non-Optimized Optimized Unknown Threat Common Security Use Cases Non-Optimized Optimized Consumerization of IT Non-Optimized Optimized Advanced Persistent Threats Non-Optimized Optimized Continuous Compliance Non-Optimized Optimized Data Protection Non-Optimized Optimized Next Generation Network Security Manual Scans Log Analysis Managed Systems Analysis ! Un- managed Systems Exposed Risk Existing Counter- measures IPS FW AV Priority Next Steps Protection Status Vulnerable Systems IPS AV Patch/ Updates IPS FW AV Policy Config IPS FW AV Contact Vendor IPS FW AV Monitor Ops Team Ops Team Contact Vendor Policy Config Patch ! Recomm- endations Situational Awareness Monitor 16 Security Connected
- 17. Streamlining Security Management February 25, 201317 AUTOMATIC, INTELLIGENT, CONNECTED • Drastically shorten time to respond and improve visibility • Actionable intelligence through contextual SIEM • The answers you need….Now