Adaptive Security and Incident Response - A Business-Driven Approach


Transcript of Adaptive Security and Incident Response - A Business-Driven Approach

Page 1: Adaptive Security and Incident Response - A Business-Driven Approach

ADAPTIVE SECURITY & INCIDENT RESPONSE - A BUSINESS DRIVEN APPROACH

Tony Sequino

Director of Sales, AlgoSec

Page 2

Motivation Behind Attacks

• Cyber Crime: 64.5%
• Cyber Espionage: 22.4%
• Hacktivism: 7.9%
• Cyber Warfare: 5.3%

February 2017

WE ARE UNDER ATTACK

“Data Breaches Increase 40 Percent in 2016” - Identity Theft Resource Center (ITRC) and CyberScout

“More than 4,000 ransomware attacks have occurred every day since the beginning of 2016 (300% increase compared to 2015)” - Computer Crime and Intellectual Property Section (CCIPS)

Page 3

THREAT LANDSCAPE BACKGROUND

• Advanced Persistent Threat (APT)
• Social engineering
• Malicious insiders

The attackers are already inside the network

What can happen during an attack

• Data is being exfiltrated (theft, extortion, espionage)
• Critical services go down
• A compromised machine is part of a DDoS attack network
• …

Page 4

ADAPTIVE SECURITY & ACTIVE POLICY MANAGEMENT

“… active, preventive, investigative and response capabilities.”

“… context-aware network, endpoint and application security protection platforms”

- Neil MacDonald, Peter Firstbrook, Gartner 2016

“Leverage the Security Ecosystem from within the SIEM – Avoid Context Switching”

“Maintain context during investigations”

- Splunk Partner Information, 2016

Page 5

DIGITAL TRANSFORMATION & ADAPTIVE SECURITY CHALLENGES

• Far too much time spent reviewing, planning and approving change requests
• Skilled Resource Availability
• Expanding Architectures & Environments
  • Datacenter, Hybrid Cloud, Cloud
• Distributed Data & Services
• Increasing Threat Landscape
• Changing Regulatory Environment
• Increasing Audit, Reporting & Management Requirements

Page 6

DOES YOUR ENVIRONMENT LOOK LIKE THIS?

Diagram components (disconnected point tools): Malware Tools, Log Collection & Analysis, SIEM Solution, Vulnerability Scanner, Applications, Audit & Compliance, Security Policies, Network Estate

Page 7

ENTERPRISE SECURITY MODEL

(Same diagram components as the previous slide: Malware Tools, Log Collection & Analysis, SIEM Solution, Vulnerability Scanner, Applications, Audit & Compliance, Security Policies, Network Estate)

SPHERE OF INFLUENCE

Security strategy influences your company’s business strategy and operations

SPHERE OF OPERATION

Security solution integration improves your organization’s operational posture

SPHERE OF CONTROL

Creating and automating a single view of your network estate, traffic, governing policies and applications aids in aligning security with your business needs and reducing your threat surface

Page 8

BROAD STAKEHOLDER LANDSCAPE

Networks, Network Operations, Network Engineering, Dev Ops, Information & App Security, Audit & Compliance, Risk, CISO, Business Units, Senior Management

Page 9

DO YOU HAVE A SOC (SECURITY OPERATIONS CENTER)?

• Yes
• No
• We are in the process of building one
• I don’t know

POLL

Please vote using the “votes from audience” tab in your BrightTALK panel

Page 10

THE SECURITY POLICY MANAGEMENT MATURITY MODEL

| Capability | Level 1 | Level 2 | Level 3 | Level 4 |
|---|---|---|---|---|
| Network visibility and mapping | Static map (e.g. Visio) | Live map | Live map | Live map across on-premise, SDN and cloud |
| Application to security mapping | None | Static (CMDB) | Static (CMDB) | Live accurate mapping |
| Policy security posture (overly permissive/undocumented rules) | Poor | Fair | Good | Excellent |
| Security change management | Manual. Error-prone | Mostly manual. Some errors | Mostly automated. Few errors | Automated policy push. Virtually error-free |
| Risk reporting and assessment | Manual. Costly | Some automation. Costly | Automated and continuous | Automated and continuous |
| Network infrastructure auditing | Network level | Network level | Network level | Business application level |
| Alignment between security, network and service delivery teams | Poor | Fair | Good | DevSecOps |

Page 11

Permissive Environment: Introduces business risk

Restrictive Environment: Slows response time to business requests & needs

FINDING THE BALANCE

Where is the sweet spot for your business?

Page 12

BUSINESS-DRIVEN SECURITY MANAGEMENT

Page 13

APPROACH FOR BUSINESS SECURITY ALIGNMENT

• Develop a plan which aligns your security strategy with company business strategy & operations
• Crack the Organizational Silos
  • Open & connected request and communication environment for all stakeholder organizations
  • Connected Networking, Security & Applications teams …
• Automate change & monitoring processes across your network estate
• Create an incident detection & rapid response environment

Page 14

THE SECURITY POLICY MANAGEMENT LIFECYCLE

Decommission redundant firewall rules and application connectivity

Automatically migrate firewall rules

Zero-touch change management

Automated policy push

Smart validation

Policy monitoring

Enforce security posture

Out-of-the box auditing and compliance reports

Link firewall rules to applications

Policy clean up and optimization

Firewall rule recertification

Translate application connectivity into firewall rules

Assess risk and compliance

Tie cyber attacks and vulnerabilities to business processes

Auto-discover and map application connectivity and security infrastructure

Enable developers to define connectivity programmatically

Page 15

WHY HAVE ALGOSEC AT THE CORE?

Need to be more agile, efficient and aligned with the dynamic changes of the business

Clean up policies and reduce the risk of misconfigurations

Dynamic view of your network estate

Infrastructure-independent for business agility

Applications run the business… Business-Driven Security needs application visibility

Page 16

THE ALGOSEC ECOSYSTEM

Diagram labels: Integrate, Business Process, Manage

For a complete list of supported devices visit www.algosec.com

Page 17

THE ALGOSEC ECOSYSTEM

Diagram labels: CONTROL, OPERATION, INFLUENCE

For a complete list of supported devices visit www.algosec.com

Page 18

THE ALGOSEC SECURITY MANAGEMENT SOLUTION

BusinessFlow, FireFlow, Firewall Analyzer

Page 19

THE ALGOSEC ECOSYSTEM

Diagram labels: Integrate, Business Process, Manage

Supports a broad set of devices and environments

For a complete list of supported devices visit www.algosec.com

Page 20

ALGOSEC FIREWALL ANALYZER

Single pane of glass for managing and analyzing network security policies

Topology map and traffic simulation

Firewall rule optimization and cleanup

Network segmentation enforcement

Baseline configuration compliance

Audit-ready compliance reports

Risk assessment

Page 21

FIREWALL ANALYZER REPORT

Page 22

ALGOSEC FIREFLOW

Process firewall changes in minutes, not days.

Proactively mitigate risk and enforce compliance.

Security policy workflow automation

Topology analysis and optimal rule design

SLA tracking and complete audit trail

Integration with ticketing systems

Change validation and reconciliation

Proactive risk and compliance verification

Automated policy push & scheduling

Page 23

THE ALGOSEC ECOSYSTEM

Diagram labels: Integrate, Business Process, Manage

Robust API set for application integration

For a complete list of supported devices visit www.algosec.com

Page 24

ALGOSEC BUSINESSFLOW

Discover and provision business application connectivity.

Manage risk from the business perspective.

Connectivity discovery and mapping

Request changes at the application level

Secure application decommissioning

Business-centric risk analysis

Impact assessment to avoid outages

Rapid datacenter and cloud migration

Page 25

APPLICATION RULE ASSOCIATION

• Viewers of a device's policy can now justify the existence of traffic rules, within the context of the application they support

• The users will be able to see a list of supported applications per rule and to drill down directly from the policy view to the application’s dashboard in BusinessFlow

• Clear visibility into the impact of a rule removal/rule modification

• Easily find rules that do not support any application

Visibility into Supported Applications by Each Rule
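The rule-to-application association on this slide, as an added Python example; it is not AlgoSec's product code and uses none of its APIs. The policy and the application inventory are constructed sample data, and a flow is matched to a rule by its exact (src, dst, service) tuple. The impact check is the one a reviewer wants before deleting a rule: a flow that another rule still permits does not break, a flow this rule alone carries does.

```python
"""Added example, not AlgoSec code: associate firewall rules with the business
applications whose connectivity they carry, list rules that support no application,
and assess which application flows would break if a rule were removed (a flow that
another rule still permits is not affected). Rules and flows are constructed data."""

# Constructed policy of one device: rule name -> flows (src, dst, service) it permits
RULES = {
    "r10": {("10.3.3.0/24", "10.9.0.0/16", "tcp/1433")},
    "r11": {("10.5.0.0/16", "10.3.3.0/24", "tcp/443"), ("10.5.0.0/16", "10.3.3.0/24", "tcp/80")},
    "r12": {("10.5.0.0/16", "10.3.3.0/24", "tcp/443")},          # overlaps with r11
    "r13": {("192.168.50.0/24", "10.200.0.0/16", "tcp/22")},      # legacy, undocumented
}
# Constructed application inventory: application -> flows it needs
APPLICATIONS = {
    "Payroll": {("10.3.3.0/24", "10.9.0.0/16", "tcp/1433")},
    "Intranet": {("10.5.0.0/16", "10.3.3.0/24", "tcp/443"), ("10.5.0.0/16", "10.3.3.0/24", "tcp/80")},
}


def rules_for_flow(flow):
    """Every rule that permits the flow; more than one means it is redundantly covered."""
    return sorted(name for name, flows in RULES.items() if flow in flows)


def rule_to_apps():
    """The justification view: for each rule, the applications it supports."""
    return {name: sorted(app for app, flows in APPLICATIONS.items() if flows & rule_flows)
            for name, rule_flows in RULES.items()}


def orphan_rules():
    """Rules that support no application: recertification or cleanup candidates."""
    return sorted(name for name, apps in rule_to_apps().items() if not apps)


def removal_impact(rule):
    """Application flows that lose their only permitting rule if `rule` is removed."""
    broken = {}
    for app, flows in APPLICATIONS.items():
        lost = sorted(f for f in flows & RULES[rule] if rules_for_flow(f) == [rule])
        if lost:
            broken[app] = lost
    return broken


if __name__ == "__main__":
    print("rule -> applications:", rule_to_apps())
    print("orphan rules:", orphan_rules())
    for r in RULES:
        print(f"removing {r} breaks:", removal_impact(r) or "nothing")
```

Removing r12 is harmless because r11 still carries the same flow; removing r11 breaks Intranet's tcp/80 flow even though its tcp/443 flow survives, which is exactly the visibility into rule removal the slide calls for.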

Page 26

ALGOSEC BUSINESS FLOW

Page 27

BUSINESS FLOW RISK ANALYSIS

Vulnerability scanner data can be imported and combined with out-of-the-box & customer-defined risk definitions.

Page 28

BUSINESS FLOW VULNERABILITIES

Drill down to individual servers and associated rules for the application to identify specific vulnerabilities & risks

Page 29

SIEM/INCIDENT RESPONSE INTEGRATION

• Gain visibility into the severity of security events by showing the applications exposed to each attacked server

• Immediate threat path analysis by displaying the exposure of the attacked server to the Internet

• Isolate the attacked server with a click of a button

• Supports both QRadar and Splunk

Applications, Network Map and Automation

Page 30

SIEM/INCIDENT RESPONSE: AN INTEGRATED APPROACH

Page 31

DO YOU UNDERTAKE ACTIVE INCIDENT RESPONSE?

• Yes
• No
• I don’t know

POLL

Please vote using the “votes from audience” tab in your BrightTALK panel

Page 32

Algosec Plugin

Allows the response to be done within a single context or container

Page 33

Identify

Page 34

AlgoSec Plugin adds an action menu for all IP address fields

Identify & analyze affected applications and paths

Page 35

Identify affected application & contacts

Determine if:
• It is a critical business process
• Set priority for response
• Who to notify
• Next steps …

Page 36

A traffic simulation is generated for the impacted application and/or system(s)

Traffic is partially allowed. What is accessible?

Devices that are allowing traffic are identified

Dynamic representation of the path:
• Can it reach the internet? – Yes
• Can data be lost? – Yes
• Can other systems or regions be impacted? – ?

Initiate Query

Page 37

Impacted system shown in the screenshot: 10.3.3.3

Check traffic from impacted system to sensitive zone(s)

What can the impacted system reach?
• Is it a stepping stone?
• Can critical data be accessed?
• Can business operations be disrupted?
• What are the reporting requirements?
• What is the regulatory impact?

Some traffic allowed

Devices Allowing Traffic

Page 38

Take Action

Page 39

Initiate & track Algosec change request to isolate impacted server

Page 40

Execute change to isolate the compromised server from the network

Algosec Change Request

All devices allowing traffic are identified and change request(s) created
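The response workflow of the preceding slides (identify affected applications and contacts, simulate traffic from the impacted system to sensitive zones and the Internet, identify the devices allowing it, create change requests to isolate the server), as an added, self-contained Python example. It is not AlgoSec's code and uses none of its APIs: the two firewalls, their rules, the zone paths, the application inventory and the host address 10.3.3.3 are constructed sample data, and the change request is a constructed ticket format, where a real integration would read policy from the devices and open the ticket in the change system.

```python
"""Added example, not AlgoSec code: for a compromised host, list the affected
applications and owners, simulate which sensitive zones the host can still reach
through a chain of firewalls (ordered first-match rules, implicit deny), record the
device and rule that allow each path, and draft isolation change requests.
All devices, rules, applications and addresses below are constructed sample data."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    src: str       # CIDR
    dst: str       # CIDR
    service: str   # "tcp/443", ... or "any"
    action: str    # "allow" or "deny"

    def matches(self, src_ip, dst_ip, service):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.service in ("any", service))


@dataclass
class Device:
    name: str
    rules: list    # ordered; first match wins, no match means deny

    def decide(self, src_ip, dst_ip, service):
        return next((r for r in self.rules if r.matches(src_ip, dst_ip, service)), None)


# Constructed environment: the server segment reaches the finance zone through
# DC-FW alone and the Internet through DC-FW and then EDGE-FW.
DC_FW = Device("DC-FW", [
    Rule("r1", "10.3.3.0/24", "10.9.0.0/16", "tcp/1433", "allow"),  # app servers -> finance DB
    Rule("r2", "10.3.3.0/24", "0.0.0.0/0", "tcp/443", "allow"),     # outbound HTTPS
    Rule("r3", "10.0.0.0/8", "10.0.0.0/8", "any", "deny"),
])
EDGE_FW = Device("EDGE-FW", [
    Rule("e1", "10.0.0.0/8", "0.0.0.0/0", "tcp/443", "allow"),
    Rule("e2", "10.0.0.0/8", "0.0.0.0/0", "tcp/80", "allow"),
])
# zone -> (devices on the path, in order; a representative address inside the zone)
PATHS = {"finance": ([DC_FW], "10.9.1.10"), "internet": ([DC_FW, EDGE_FW], "203.0.113.10")}

# Constructed application inventory: flows (src, dst, service), owner, criticality.
APPLICATIONS = {
    "Payroll":  {"flows": [("10.3.3.0/24", "10.9.0.0/16", "tcp/1433")], "owner": "finance-apps", "critical": True},
    "Intranet": {"flows": [("10.5.0.0/16", "10.3.3.0/24", "tcp/443")], "owner": "web-team", "critical": False},
    "CRM":      {"flows": [("10.7.0.0/16", "10.7.5.0/24", "tcp/443")], "owner": "crm-team", "critical": True},
}


def affected_applications(ip):
    """Applications with a flow touching the host, critical ones first (who to notify)."""
    addr = ipaddress.ip_address(ip)
    hit = [name for name, app in APPLICATIONS.items()
           if any(addr in ipaddress.ip_network(s) or addr in ipaddress.ip_network(d)
                  for s, d, _ in app["flows"])]
    return sorted(hit, key=lambda n: (not APPLICATIONS[n]["critical"], n))


def simulate(src_ip, zone, service):
    """Traffic reaches the zone only if every device on the path allows it.
    Returns (allowed, [(device, rule)]) for the devices that let it through."""
    devices, dst_ip = PATHS[zone]
    hops = []
    for dev in devices:
        rule = dev.decide(src_ip, dst_ip, service)
        if rule is None or rule.action == "deny":
            return False, hops
        hops.append((dev.name, rule.name))
    return True, hops


def exposure(src_ip, services=("tcp/443", "tcp/1433", "tcp/80")):
    """What can the impacted system still reach, and through which devices and rules?"""
    return {(zone, svc): hops
            for zone in PATHS for svc in services
            for ok, hops in [simulate(src_ip, zone, svc)] if ok}


def isolation_requests(src_ip, report):
    """One draft change request per device that allows traffic from the host: a deny
    for the host placed above the rules that currently permit it (constructed format)."""
    per_device = {}
    for hops in report.values():
        for dev, rule in hops:
            per_device.setdefault(dev, set()).add(rule)
    return [{"device": dev, "action": "insert-deny", "src": f"{src_ip}/32",
             "dst": "0.0.0.0/0", "service": "any", "above_rules": sorted(rules)}
            for dev, rules in sorted(per_device.items())]


if __name__ == "__main__":
    host = "10.3.3.3"
    print("affected applications:", affected_applications(host))
    report = exposure(host)
    for (zone, svc), hops in report.items():
        print(f"{host} -> {zone} {svc}: allowed via {hops}")
    for req in isolation_requests(host, report):
        print("change request:", req)
```

For 10.3.3.3 the simulation answers the slide's questions: the host can still reach the Internet on tcp/443 (so data can be lost) through DC-FW r2 and EDGE-FW e1, and the finance zone on tcp/1433 and tcp/443, and it is tied to the critical Payroll application, whose owner is the first contact. The isolation requests name the two devices and the rules the deny must sit above, which is the list a change ticket needs before anyone touches a firewall.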

Page 41

INCIDENT RESPONSE IN CONTEXT

01 Identify
02 Analyze
03 Notify
04 Take Action
05 Remediate
06 Capture Actions for Reporting
07 Final Report

Page 42

SUMMARY

• Stakeholder breadth requires open and rapid communications

• Build a plan that supports the needs of the business

• Dynamic traffic simulation streamlines responses to requests and aids in identification of problems and exposures

• Structured change automation eliminates errors and improves communication

• Regular monitoring and reporting ensure environment health

• Mapping applications to flows and ownership improves the change process, intragroup communications and issue response/resolution

• Application integration provides rapid identification and response to issues

Page 43

MORE RESOURCES

www.algosec.com/resources

WHITEPAPERS

VIDEO

DATASHEET