Adaptive Security and Incident Response - A Business-Driven Approach
Transcript of Adaptive Security and Incident Response - A Business-Driven Approach
1
ADAPTIVE SECURITY & INCIDENT RESPONSE - A BUSINESS-DRIVEN APPROACH
Tony Sequino
Director of Sales, AlgoSec
2
Motivation Behind Attacks (February 2017)
Cyber Crime 64.5%
Cyber Espionage 22.4%
Hacktivism 7.9%
Cyber Warfare 5.3%
WE ARE UNDER ATTACK
“Data Breaches Increase 40 Percent in 2016” - Identity Theft Resource Center (ITRC) and CyberScout
“More than 4,000 ransomware attacks have occurred every day since the beginning of 2016 (300% increase compared to 2015)”- Computer Crime and Intellectual Property Section (CCIPS)
3
THREAT LANDSCAPE BACKGROUND
The attackers are already inside the network
• Advanced Persistent Threat (APT)
• Social engineering
• Malicious insiders
What can happen during an attack
• Data is being exfiltrated (theft, extortion, espionage)
• Critical services go down
• A compromised machine is part of a DDoS attack network
• …
4
ADAPTIVE SECURITY & ACTIVE POLICY MANAGEMENT
“… active, preventive, investigative and response capabilities.”
“… context-aware network, endpoint and application security protection platforms”
Neil MacDonald, Peter Firstbrook, Gartner 2016
“Leverage the Security Ecosystem from within the SIEM – Avoid Context Switching”
“Maintain context during investigations” - Splunk Partner Information, 2016
5
DIGITAL TRANSFORMATION & ADAPTIVE SECURITY CHALLENGES
• Far too much time spent reviewing, planning and approving change requests
• Skilled Resource Availability
• Expanding Architectures & Environments (Datacenter, Hybrid Cloud, Cloud)
• Distributed Data & Services
• Increasing Threat Landscape
• Changing Regulatory Environment
• Increasing Audit, Reporting & Management Requirements
6
DOES YOUR ENVIRONMENT LOOK LIKE THIS?
(Diagram components: Malware Tools, Log Collection & Analysis, SIEM Solution, Vulnerability Scanner, Applications, Audit & Compliance, Security Policies, Network Estate)
7
ENTERPRISE SECURITY MODEL
(Diagram components: Malware Tools, Log Collection & Analysis, SIEM Solution, Vulnerability Scanner, Applications, Audit & Compliance, Security Policies, Network Estate)
SPHERE OF INFLUENCE
Security strategy influences your company’s business strategy and operations
SPHERE OF OPERATION
Security solution integration improves your organization’s operational posture
SPHERE OF CONTROL
Creating and automating a single view of your network estate, traffic, governing policies and applications aids in aligning security with your business needs and reducing your threat surface
8
BROAD STAKEHOLDER LANDSCAPE
Networks
Network Operations
Network Engineering
DevOps
Information & App Security
Audit & Compliance
Risk
CISO
Business Units
Senior Management
9
DO YOU HAVE SOC (SECURITY OPERATIONS CENTER)?
• Yes
• No
• We are in the process of building one
• I don’t know
POLL
Please vote using the “votes from audience” tab in your BrightTALK panel
10
THE SECURITY POLICY MANAGEMENT MATURITY MODEL

| Capability | Level 1 | Level 2 | Level 3 | Level 4 |
|---|---|---|---|---|
| Network visibility and mapping | Static map (e.g. Visio) | Live map | Live map | Live map across on-premise, SDN and cloud |
| Application to security mapping | None | Static (CMDB) | Static (CMDB) | Live accurate mapping |
| Policy security posture (overly permissive/undocumented rules) | Poor | Fair | Good | Excellent |
| Security change management | Manual, error-prone | Mostly manual, some errors | Mostly automated, few errors | Automated policy push, virtually error-free |
| Risk reporting and assessment | Manual, costly | Some automation, costly | Automated and continuous | Automated and continuous |
| Network infrastructure auditing | Network level | Network level | Network level | Business application level |
| Alignment between security, network and service delivery teams | Poor | Fair | Good | DevSecOps |
11
FINDING THE BALANCE
Permissive Environment: introduces business risk
Restrictive Environment: slows response time to business requests & needs
Where is the sweet spot for your business?
12
BUSINESS-DRIVEN SECURITY MANAGEMENT
13
APPROACH FOR BUSINESS SECURITY ALIGNMENT
• Develop a plan which aligns your security strategy with company business strategy & operations
• Crack the Organizational Silos
• Open & connected request and communication environment for all stakeholder organizations
• Connected Networking, Security & Applications teams …
• Automate change & monitoring processes across your network estate
• Create an incident detection & rapid response environment
14
THE SECURITY POLICY MANAGEMENT LIFECYCLE
Decommission redundant firewall rules and
application connectivity
Automatically migrate firewall rules
Zero-touch change management
Automated policy push
Smart validation
Policy monitoring
Enforce security posture
Out-of-the box auditing and compliance reports
Link firewall rules to applications
Policy clean up and optimization
Firewall rule recertification
Translate application connectivity into firewall rules
Assess risk and compliance
Tie cyber attacks and vulnerabilities to business processes
Auto-discover and map application connectivity and security infrastructure
Enable developers to define connectivity programmatically
15
WHY HAVE ALGOSEC AT THE CORE?
Need to be more agile, efficient and aligned with the dynamic changes of the business
Clean up policies and reduce risk of misconfigurations
Dynamic view of your network estate
Infrastructure-independent for business agility
Applications run the business… Business-Driven Security needs application visibility
16
THE ALGOSEC ECOSYSTEM
Integrate
Business Process
For a complete list of supported devices visit www.algosec.com
Manage
17
THE ALGOSEC ECOSYSTEM
(Diagram: the ecosystem mapped onto the spheres of control, operation and influence; for a complete list of supported devices visit www.algosec.com)
18
THE ALGOSEC SECURITY MANAGEMENT SOLUTION
BusinessFlow, FireFlow and Firewall Analyzer
19
THE ALGOSEC ECOSYSTEM
Supports a broad set of devices and environments
20
Single pane of glass for managing and analyzing network security policies
ALGOSEC FIREWALL ANALYZER
Topology map and traffic simulation
Firewall rule optimization and cleanup
Network segmentation enforcement
Baseline configuration compliance
Audit-ready compliance reports
Risk assessment
21
FIREWALL ANALYZER REPORT
22
ALGOSEC FIREFLOW
Process firewall changes in minutes, not days.
Proactively mitigate risk and enforce compliance.
Security policy workflow automation
Topology analysis and optimal rule design
SLA tracking and complete audit trail
Integration with ticketing systems
Change validation and reconciliation
Proactive risk and compliance verification
Automated policy push & scheduling
23
THE ALGOSEC ECOSYSTEM
Robust API set for application integration
24
Discover and provision business application connectivity.
Manage risk from the business perspective.
ALGOSEC BUSINESSFLOW
Connectivity discovery and mapping
Request changes at the application level
Secure application decommissioning
Business-centric risk analysis
Impact assessment to avoid outages
Rapid datacenter and cloud migration
25
APPLICATION RULE ASSOCIATION
• Viewers of a device's policy can now justify the existence of traffic rules, within the context of the application they support
• The users will be able to see a list of supported applications per rule and to drill down directly from the policy view to the application’s dashboard in BusinessFlow
• Clear visibility into the impact of a rule removal/rule modification
• Easily find rules that do not support any application
Visibility into Supported Applications by Each Rule
26
ALGOSEC BUSINESS FLOW
27
BUSINESS FLOW RISK ANALYSIS
Vulnerability scanner data can be imported and combined with out-of-the-box & customer-defined risk definitions.
28
BUSINESS FLOW VULNERABILITIES
Drill down to individual servers and associated rules for the application to identify specific vulnerabilities & risks
29
SIEM/INCIDENT RESPONSE INTEGRATION
• Gain visibility into the severity of security events by showing the applications exposed to each attacked server
• Immediate threat path analysis by displaying the exposure of the attacked server to the Internet
• Isolate the attacked server with a click of a button
• Supports both QRadar and Splunk
Applications, Network Map and Automation
30
SIEM/INCIDENT RESPONSE: AN INTEGRATED APPROACH
31
DO YOU UNDERTAKE ACTIVE INCIDENT RESPONSE?
• Yes
• No
• I don’t know
POLL
Please vote using the “votes from audience” tab in your BrightTALK panel
32
AlgoSec Plugin
Allows the response to be done within a single context or container
33
Identify
34
AlgoSec Plugin adds an action menu for all IP address fields
Identify & analyze affected applications and paths
35
Identify affected application & contacts
Determine:
• Is it a critical business process?
• Priority for response
• Who to notify
• Next steps …
36
Initiate Query
A traffic simulation is generated for the impacted application and/or system(s)
Traffic is partially allowed. What is accessible?
Devices that are allowing traffic are identified
Dynamic representation of the path:
• Can it reach the internet? – Yes
• Can data be lost? – Yes
• Can other systems or regions be impacted? – ?
37
Check traffic from the impacted system (10.3.3.3 in the screenshot) to sensitive zone(s)
What can the impacted system reach?
• Is it a stepping stone?
• Can critical data be accessed?
• Can business operations be disrupted?
• What are the reporting requirements?
• What is the regulatory impact?
Some traffic allowed
Devices Allowing Traffic
38
Take Action
39
Initiate & track AlgoSec change request to isolate the impacted server
40
Execute change to isolate the compromised server from the network
AlgoSec Change Request: all devices allowing traffic are identified and change request(s) created
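The incident-response walk-through on the preceding slides (simulate traffic from the impacted system, list the devices that allow it, raise a change that isolates the host) and the earlier application rule association slide (find the rules that support no application) rest on the same mechanic: matching flows against ordered rule bases on a path. The Python below is an added example written for this page; it is not AlgoSec code and not its API. The two firewalls, their rules, the addresses (10.3.3.3 is taken from the screenshot and treated as hypothetical; 203.0.113.10 is a documentation address) and the application flows are all constructed, and the model assumes first-match, stateless, TCP-only rule bases with an implicit deny.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    device: str
    name: str
    src: str        # source CIDR
    dst: str        # destination CIDR
    ports: tuple    # inclusive (low, high) TCP destination port range
    action: str     # "allow" or "deny"

    def matches(self, src_ip, dst_ip, port):
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and self.ports[0] <= port <= self.ports[1])


# An application flow and the ordered devices it traverses (path is a tuple of device names).
Flow = namedtuple("Flow", "app src dst port path")

# Constructed sample data: hypothetical devices, addresses and applications.
TO_INTERNET = ("fw-dmz",)
TO_DB = ("fw-dmz", "fw-core")
POLICY = {
    "fw-dmz": [
        Rule("fw-dmz", "r1", "10.3.3.0/24", ANY, (443, 443), "allow"),
        Rule("fw-dmz", "r2", "10.3.3.0/24", "10.20.0.0/16", (1433, 1433), "allow"),
        Rule("fw-dmz", "r3", "10.3.3.0/24", "10.20.0.0/16", (22, 22), "allow"),  # leftover
        Rule("fw-dmz", "cleanup", ANY, ANY, (0, 65535), "deny"),
    ],
    "fw-core": [
        Rule("fw-core", "c1", "10.3.3.0/24", "10.20.5.0/24", (1433, 1433), "allow"),
        Rule("fw-core", "c2", "10.3.3.0/24", "10.20.5.0/24", (22, 22), "allow"),  # leftover
        Rule("fw-core", "cleanup", ANY, ANY, (0, 65535), "deny"),
    ],
}
FLOWS = [
    Flow("Storefront", "10.3.3.3", "10.20.5.10", 1433, TO_DB),
    Flow("Payments", "10.3.3.4", "203.0.113.10", 443, TO_INTERNET),
]
CHECKS = [  # what an analyst asks about the impacted host: (label, path, dst, port)
    ("internet:443", TO_INTERNET, "203.0.113.10", 443),
    ("db:1433", TO_DB, "10.20.5.10", 1433),
    ("db:22", TO_DB, "10.20.5.10", 22),
    ("db:3389", TO_DB, "10.20.5.10", 3389),
]


def first_match(policy, device, src, dst, port):
    """First-match rule base; no match means the device's implicit deny applies."""
    return next((r for r in policy[device] if r.matches(src, dst, port)), None)


def simulate(policy, path, src, dst, port):
    """Walk the path; traffic passes only if every device allows it. Returns (allowed, devices allowing, blocker)."""
    allowing = []
    for device in path:
        rule = first_match(policy, device, src, dst, port)
        if rule is None or rule.action == "deny":
            return False, allowing, device
        allowing.append(device)
    return True, allowing, None


def rules_to_apps(policy, flows):
    """Application rule association: which applications does each allow rule carry?"""
    support = {r: set() for rules in policy.values() for r in rules if r.action == "allow"}
    for f in flows:
        for device in f.path:
            rule = first_match(policy, device, f.src, f.dst, f.port)
            if rule is not None and rule.action == "allow":
                support[rule].add(f.app)
    return support


def unused_rules(policy, flows):
    """Allow rules that support no application: candidates for recertification or removal."""
    return sorted((r.device, r.name) for r, apps in rules_to_apps(policy, flows).items() if not apps)


def exposure(policy, host, checks):
    """Traffic simulation from the impacted host: {label: (allowed, devices allowing it)}."""
    return {label: simulate(policy, path, host, dst, port)[:2] for label, path, dst, port in checks}


def isolation_change(policy, host, checks):
    """Quarantine rule pair at the top of every device that passes the host's traffic, then re-simulate to verify."""
    devices = sorted({d for _, allowing in exposure(policy, host, checks).values() for d in allowing})
    new_rules = [r for d in devices for r in (
        Rule(d, f"quarantine-{host}-out", f"{host}/32", ANY, (0, 65535), "deny"),
        Rule(d, f"quarantine-{host}-in", ANY, f"{host}/32", (0, 65535), "deny"))]
    patched = {d: [r for r in new_rules if r.device == d] + rules for d, rules in policy.items()}
    still_open = [label for label, (allowed, _) in exposure(patched, host, checks).items() if allowed]
    return new_rules, still_open


if __name__ == "__main__":
    print("rules supporting no application:", unused_rules(POLICY, FLOWS))
    print("exposure of 10.3.3.3:", exposure(POLICY, "10.3.3.3", CHECKS))
    print("isolation change, still reachable after it:", isolation_change(POLICY, "10.3.3.3", CHECKS))
```

Two things to note when reading the output. The compromised host reaches the database on port 22 only because of the leftover rules r3 and c2, which carry no application; that is the kind of rule the recertification step exists to remove before an incident rather than during one. The quarantine pair also blocks the Storefront flow the host legitimately carried, which is why the slides put impact assessment and notification before the change; re-simulating against the patched policy is the check to run before the change is pushed. Real rule bases add zones, NAT, stateful inspection and vendor-specific match semantics that this model omits.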
41
INCIDENT RESPONSE IN CONTEXT
01 Identify
02 Analyze
03 Notify
04 Take Action
05 Remediate
06 Capture Actions for Reporting
07 Final Report
42
SUMMARY
• Stakeholder breadth requires open and rapid communications
• Build a plan that supports the needs of the business
• Dynamic traffic simulation streamlines responses to requests and aids in identification of problems and exposures
• Structured change automation eliminates errors and improves communication
• Regular monitoring and reporting ensures environment health
• Mapping applications to flows and ownership improves the change process, intragroup communications and issue response/resolution
• Application integration provides rapid identification and response to issues
43
MORE RESOURCES
www.algosec.com/resources
WHITEPAPERS
VIDEO
DATASHEET