101 ab 1530-1600
Posted: 21-Oct-2014
Category: Documents
Transcript of 101 ab 1530-1600
1
Advanced Security Solution for Trusted IT
Gary Lau Manager, Technology Consultant Greater China
2
The Changing Landscape
3
Evolution of Attackers
• Nation state actors: PII, government, defense industrial base, IP-rich organizations
• Criminals
  – Petty criminals: unsophisticated
  – Organized crime: organized, sophisticated supply chains (PII, financial services, retail)
• Non-state actors (terrorists, anti-establishment vigilantes, “hacktivists”): targets of opportunity; PII, government, critical infrastructure
4
Evolution of Attack Vectors
[Chart: vertical axis Damage/Sophistication, from Minor Annoyance to Significant impact on business bottom line]
Threat Actors shown: Hobbyist / Script Kiddies; Petty Criminals; Organized Crime; Nation States; Non-State Actors / Cyber Terrorists
Attack types shown: Worms, Viruses, Botnets, Rootkits, DoS/DDoS, Spyware, Targeted malware, Hybrid Worms, Web-application attacks, Spam, Phishing, Financial Backdoor Trojans, Coordinated attacks, APTs
5
Anatomy of an Attack
[Timeline along a TIME axis. Phases shown: Target Analysis, Attack Set-up, Attack Begins, Access Probe, System Intrusion, Leap Frog Attacks, Discovery / Persistence, Maintain foothold, Attacker Surveillance, Cover-up Starts, Cover-up Complete, Complete]
Source: NERC HILF Report, June 2010 (http://www.nerc.com/files/HILF.pdf)
6
Anatomy of a Response
[Timeline along a TIME axis. Phases shown: Attack Forecast, Physical Security, Monitoring & Controls, Defender Discovery, Attack Identified, Incident Reporting, Threat Analysis, Impact Analysis, System Reaction, Damage Identification, Response, Containment & Eradication, Recovery]
Source: NERC HILF Report, June 2010 (http://www.nerc.com/files/HILF.pdf)
7
Reducing Attacker Free Time
[Overlay of the Anatomy of an Attack timeline (slide 5) and the Anatomy of a Response timeline (slide 6) on one TIME axis; the gap between the attacker's progress and the defender's discovery and response is labelled ATTACKER FREE TIME]
Source: NERC HILF Report, June 2010 (http://www.nerc.com/files/HILF.pdf)
Need to collapse free time
9
Then: Infrastructure-Centric
• Signature-Based, Perimeter-Centric
• Generic, Code-Based
• Static Attacks
• Static Infrastructure
• Static Defenses
• Physical, IT-Controlled, Hard Perimeter
Now: User/Identity-Centric
• Dynamic Attacks
• Analytics & Risk-Based
• Dynamic Infrastructure
• Dynamic Defenses
• Targeted, Human-Centric
• Virtual, User-Centric & Connected
• Public Cloud, SaaS, Mobile Apps, Hybrid Cloud
10
Advanced Threats
83% of organizations believe they have been the victim of an Advanced Threat
65% of organizations don’t believe they have sufficient resources to prevent Advanced Threats
Source: Ponemon Institute survey, “Growing Risk of Advanced Threats”
91% of breaches led to data compromise within “days” or less
79% of breaches took “weeks” or more to discover
Source: Verizon 2011 Data Breach Investigations Report
11
Mean Time to Detect (MTTD)
Source: Ponemon Institute
12
The Changing Mindset
13
Must learn to live in a state of compromise
Constant compromise does not mean constant loss
14
The New Security Model
15
Traditional Security is Unreliable
• Signature-based
• Compliance Driven
• Perimeter oriented
16
As a result, Organizations are…
• poorly prepared for advanced threats
• unable to detect attacks in a timely manner
• responding in a manner that is chaotic and uncoordinated
17
Effective Security Systems need to be:
• agile
• risk-based
• contextual
18
Security must Ensure…
…only the right people
…access critical applications & information
…over an I/F we trust.
[Diagram: ITaaS Management spanning the Enterprise Data Center (Infrastructure; Applications: CRM, ERP, BI, ...; Information), accessed by Admins and Users]
19
Disruptive Forces
…only the right people
…access critical applications & information
…over an I/F we trust.
Three transformations: User Access Transformation (Mobile); Threat Landscape Transformation (Advanced Threats); Back-end I/F Transformation (Cloud)
[Diagram: ITaaS Management spanning the Enterprise Data Center (Infrastructure; Applications: CRM, ERP, BI, ...; Information), accessed by Admins and Users]
20
The New IT Model
[Diagram: ITaaS Management spanning Clouds (SaaS, PaaS, IaaS, Community, Mobile Apps, Private Cloud) and the Enterprise Data Center (Infrastructure; Applications: CRM, ERP, BI, ...; Information), with Admins and Users reaching the DC]
• Scenario: Web
Access paths shown: Direct to Cloud; Direct to Apps; VPN into DC; From the Cloud
Device types shown: Unmanaged Devices; Managed Devices
21
The Security Stack
[Diagram: ITaaS Management spanning the ENTERPRISE Data Center (Infrastructure; Applications: CRM, ERP, BI, ...; Information), with Admins and Users connecting to the DC]
CONTROL LAYER
• IDENTITY: IDENTITY ADMIN & PROVISIONING; ACCESS CONTROLS; IDENTITY & ACCESS GOVERNANCE
• INFRASTRUCTURE: ENDPOINT CONTROLS; NETWORK/MESSAGING CONTROLS; APPLICATION CONTROLS
• INFORMATION: DLP CONTROLS; ENCRYPTION/TOKENIZATION I/F; INFORMATION RIGHTS MANAGEMENT
MANAGEMENT LAYER
• GRC: DEFINE POLICY; MAP POLICY; MEASURE POLICY
• SECURITY OPERATIONS (SOC): DETECT Potential Threats; INVESTIGATE Attacks; RESPOND to Attacks
22
The Control Layer
[Same Security Stack diagram, highlighting the CONTROL LAYER: IDENTITY, INFRASTRUCTURE and INFORMATION controls listed above]
23
The Management Layer
[Same Security Stack diagram, highlighting the MANAGEMENT LAYER: GRC and SECURITY OPERATIONS (SOC) listed above]
Critical Questions
Comprehensive Visibility Actionable Intelligence Governance
what matters?
what is going on?
how do I address it?
25 © Copyright 2011 EMC Corporation. All rights reserved.
Traditional SIEM Is Not Enough
...SIEM needs to evolve
• How do you:
  – quickly determine how an attack happened?
  – reduce the “attacker free time” in your infrastructure?
  – prevent similar future attacks?
Requires network and log data visibility
Requires the fusion of internal & external intelligence
Makes security a Big Data problem
Resisting all attacks is not realistic; reacting fast to mitigate damage is
26
Full Packet Capture is a must
• Full packet capture is necessary to
  – Identify malware entering the environment and prioritize actions related to it (a very common source of advanced threat)
  – Track the lateral movement of an attacker once inside the organization, and
  – Prove exactly what happened and what data was exfiltrated, whether it was encrypted or not
If SIEM is to address today's threats then it requires this information
27
The Next Gen SOC
Agile Analytics
“Enable me to efficiently analyze and investigate potential threats”
Optimized Incident Management
“Enable me to manage these incidents”
Actionable Intelligence
“Help me identify targets, threats & incidents”
Comprehensive Visibility
“Analyze everything that’s happening in my infrastructure”
28
next gen security operations
29
Value of RSA Solutions
[Diagram: GOVERNANCE, VISIBILITY and INTELLIGENCE shown as separate silos under the Traditional Approach and as connected components under RSA’s Approach]
Traditional Approach
• Discrete products in silos
• Multiple vendors for each product
• Manual process to transfer data
• High TCO and low efficiency
RSA’s Approach
• Transparent data flow between products
• Single vendor – tested integrations
• Very high operational efficiencies
• Lower TCO and faster time to value
30
RSA Approach
GOVERNANCE
INTELLIGENT CONTROLS
ADVANCED VISIBILITY AND ANALYTICS
Cloud Mobility Network
Rapid Response and Containment
Collect, Retain and Analyze Internal and External Intelligence
Manage Business Risk, Policies and Workflows
31
Meeting our Customers’ Challenges with RSA Thought Leadership
• Prove Compliance Consistently & Affordably
• Secure Virtualization & Cloud Computing
• Secure Access for Increased Mobility & Collaboration
• Manage Risk and Threats Throughout Enterprise