BUILDING AN INTELLIGENCE-DRIVEN SECURITY OPERATIONS CENTER
RSA Technical Brief
KEY POINTS
• Cyber attacks and intrusions are almost impossible to prevent, given the openness of today's networks and the growing sophistication of advanced threats. In response, the practice of cyber security should focus on ensuring that intrusion and compromise do not result in business damage or loss.
• Organizations need to shift more security resources from preventing intrusion toward rapid threat detection and remediation.
• Improving threat detection and response requires an intelligence-driven security approach, which helps organizations use all available security-related information from both internal and external sources to detect hidden threats and even predict future ones.
• Optimizing how security technologies, personnel and processes work together is pivotal to scaling security capabilities to the mounting risks posed by advanced cyber threats — all while delivering efficiency and value back to the organization.
• Technology automation can help analysts make the most of their time by slashing the workload for closing routine, lower-level incidents. Automation frees up analysts to focus on higher-priority risks affecting the organization's most critical assets.
• Configuring security processes to automate repetitive tasks and integrate related workflows is potentially the most beneficial step that security operations centers (SOCs) can take to boost productivity, enforce policies and implement best practices for threat detection and response.
• SOCs will need to build collaborative, cross-disciplinary teams with highly specialized skill sets to combat advanced cyber threats. The security industry, however, faces a serious shortage of skills and qualified personnel. Leveraging the latest technology for time-saving automation and supplementing in-house capabilities with outsourced expertise can help organizations manage skill and resource gaps.
• Results from best-in-class security operations teams illustrate the impact of optimizing the interplay of people, processes and technologies in security operations. By aligning behind an intelligence-driven security program, leading organizations can achieve results such as reducing the average time for resolving incidents by up to 60 percent.
February 2013
RSA Technical Brief, February 2013
Contents
Leveling the Threat Landscape with Big Data Analytics
Aligning People, Process and Technology to Scale Security to Threats
  Technology Alignment: Big Data and Automation
  Process Alignment: the Greatest Productivity Driver
  People Alignment: New Skills Needed
Intelligence-driven Security at Work
  Converged Organization for Managing Risk and Security
  Converged Infrastructure for Security Monitoring and Management
    Automating the Use of Intelligence and Incident Data
    Automating Big Data Collection
    Automating Host-based Analytics
  EMC Outcomes in Aligning Behind Intelligence-Driven Security
Appendix: Intelligence-driven Security Solutions from RSA
Perfection in security — the no-breach goal — is not only impossible but also impractical. That's because sophisticated adversaries have learned to craft their attack techniques to get around preventive security measures such as antivirus, firewalls and passwords. Adversaries also take great care to cover their tracks and stay hidden within IT environments, sometimes for weeks or even months after gaining entry. The complexity of most enterprise IT environments, combined with the prevalence of cloud and mobile services and the expanding accessibility of enterprise networks to outside parties, gives attackers many places to hide and even more points of potential intrusion.

Despite rising cyber risks and attacks, security teams face persistent budget and resource constraints in protecting the organization's prized information assets. Security spending as a percentage of IT spending has gone from 6.0% in 2008 to 5.6% in 2012, according to a Gartner report that benchmarks security expenditures and staffing.[1] In the same report, Gartner reported declines in security spending from $636 per employee in 2008 to $577 per employee in 2012. These trends indicate that security teams must learn to do more with less.

Most security spending is still invested in a multitude of perimeter-based, prevention-focused tools that advanced cyber attacks have made largely obsolete. Cyber security's most pressing goal, now and for the foreseeable future, should be to prevent business damage or loss, not to prevent intrusion and compromise.

The best way to prevent business damage is to detect and remediate cyber attacks quickly. To do this, organizations should allocate a greater share of their security investments to enhancing capabilities in threat detection and response. First, they must gain full visibility into what's happening in their IT environments. Then, they must expand their view to include outside threat intelligence. Organizations will have to learn to use new types of security data — and much more of it.

[1] Gartner Inc., "IT Key Metrics Data 2013: Key Information Security Measures: Multiyear" (14 Dec. 2012), pp. 7–10
LEVELING THE THREAT LANDSCAPE WITH BIG DATA ANALYTICS

A new generation of security tools uses innovative techniques to collect and analyze massive amounts of data: data from PCs, mobile devices and servers; data from internal networks, including the composition and content of network packets; and threat intelligence about attacks on other organizations and the tools and methods used. In addition to analyzing these traditional information sources, "big data" security tools also can ingest information from non-traditional sources such as building key card scanners, personnel records and even Microsoft Outlook® calendars. Such data may be used, for instance, to assess the legitimacy of remote log-ins by employees.

The heightened visibility provided by the big data capabilities of new security analytics platforms creates unprecedented opportunities to identify anomalies, uncover evidence of hidden threats or even predict specific, imminent attacks. More data creates a richer, more granular view: it presents the threat landscape in high definition, as opposed to grainy black-and-white. Security-related details can be seen in sharper focus and irregularities can be found faster. Also, because security analytics platforms integrate threat intelligence from outside sources, organizations see the threat landscape as a panorama, not just from the narrow aperture of their own internal IT environments.

Enhanced visibility will lead to enhanced security capabilities, vastly expanding options for how security operations centers (SOCs) act and respond to prospective threats. Technology advancements in big data and security analytics systems are beginning to deliver "imagine if" capabilities. The bounds of what's imaginable are now being explored by security operations professionals and business leaders together.

For organizations concerned about advanced cyber threats, these "imagine if" scenarios often focus on injecting better intelligence and context into security practices. For example, if we apply new analytic approaches to historical data, what could we learn? What do the cyber attacks we've encountered tell us about our business and operational risks? If we add new log sources or external intelligence feeds to our data warehouse, what patterns could we look for that we couldn't even imagine seeing before? What types of intelligence might help us hunt down threats faster?

The Security for Business Innovation Council, a group of top security executives from Global 1000 enterprises, advises organizations to take a data-intensive approach called "intelligence-driven security" to protecting critical information and business assets.[2] Intelligence-driven security practices help organizations use all the security-related information available to them, both internally and externally, to detect hidden threats and even predict future ones. Intelligence-driven security calls for organizations to reduce their reliance on perimeter defenses and signature-based scanning tools, which only identify modes of attack that have been encountered in the past. Instead, organizations should look for suspicious activities and patterns atypical for their environment — subtle indicators much harder to detect than matching a malware signature.

Implementing intelligence-driven security will require SOCs to examine their organizations as a holistic system and to bring security tools, processes and personnel into tight alignment. Aligning people, processes and technology in and around a SOC is essential to scaling security capabilities to the mounting risks posed by advanced cyber threats — and to do it within perennial time and budget limitations.
[2] For guidance on implementing intelligence-driven security programs, please read the Security for Business Innovation Council's report "Getting Ahead of Advanced Threats: Achieving Intelligence-driven Information Security" on EMC.com.
ALIGNING PEOPLE, PROCESS AND TECHNOLOGY TO SCALE SECURITY TO THREATS

The complex interplay among people, process and technology in security operations makes it challenging to adjust any one element without also adjusting the others. Harmonizing tools, skills and methodology in security operations is essential to providing defense-in-depth and to protecting the organization's critical information assets. Additionally, perfecting the people-process-technology triad can unlock operational efficiencies by automating routine tasks and streamlining workflows. The result is that security analysts will spend far less time tracking down information for an investigation or researching the status of an incident. Instead, they can focus their time on enriching intelligence sources, uncovering subtle irregularities in their IT environments that point to serious problems, or hunting down covert threats faster.

Putting the right mix of technologies in place that work well together as part of an intelligence-driven security program can be challenging. Nevertheless, the technologies now available to SOCs may be the most mature piece in the people-process-technology triad. While new tools such as security analytics platforms hold great promise, they're only as good as the people using them and the operational best practices put in place to help the larger organization work effectively and efficiently together.

From consulting with hundreds of customer organizations, RSA believes people and process are often harder to align behind an intelligence-driven security approach than the technology. That's because developing, testing and instituting new procedures for managing and responding to security incidents takes specialized expertise and time. It also takes time for security operations personnel to learn their organization's critical business processes well enough to defend them from attack.

Optimizing the interplay of people, process and technology will be different for every SOC, depending on the unique conditions and needs of their organizations. Regardless, common guidelines can apply to most SOCs striving to implement an intelligence-driven security approach.

Technology Alignment: Big Data and Automation

When aligning technology to an intelligence-driven security program, a good starting point is to take stock of the organization's existing security tools and information assets. Is the organization making the most of what it has? How effective are technical assets in serving their intended functions?

After an initial technology inventory comes an exploration of how security could be improved if new capabilities were added. Apart from acquiring new tools, new capabilities can sometimes be derived by using existing data in new ways. Capabilities expansion could also be a matter of extending the SOC's visibility into the organization's networks, both internal and external. What additional instrumentation is needed to monitor remote or outsourced environments? How could technologies be adjusted or added to expand visibility or to provide valuable context for assessing an incident?
In general, as SOCs consider enhancing their capabilities, they should prioritize investments fulfilling the following technology requirements of an intelligence-driven security program:
• Scalable analytics engines capable of querying vast volumes of fast-changing data in real time across vectors such as geography, network partitions and databases
• Consolidated warehouse for security data so all sources are made available for query through one place, either as a unified repository or, more likely, as a cross-indexed series of data stores
• Centralized management dashboard to conduct and coordinate incident investigations and to manage incident response (e.g., blocking network traffic, quarantining systems or requiring additional verification of user identity)
• Flexible data architecture that allows information from many sources in many different formats to be captured, indexed, normalized, analyzed and shared
• Automated data normalization so analytics engines can ingest and work with highly diverse data types with minimal human intervention
• Pattern-based monitoring techniques that continuously examine high-value systems and information assets to identify threats based on behavior and risk models, not on static threat signatures
• Rich correlation of incident information so that data relevant to incident investigations automatically populates security management consoles, minimizing the amount of time analysts must spend collecting information and assessing incidents
• Full network packet capture enabling security analysts to reconstruct sessions in sufficient detail to make sense of what happened and what corrective actions should be taken
• External threat intelligence services that aggregate information from many trustworthy, relevant sources and present them in machine-readable forms that can be correlated with and analyzed alongside internal data with minimal human intervention
• Active countermeasures and controls such as requiring additional user authentication, blocking data transmissions or facilitating analysts' decision-making when high-risk activity is detected
• Integrated compliance management process that archives long-term security data through a distributed computing architecture and provides built-in compliance reports for a multitude of regulatory regimes
Process Alignment: the Greatest Productivity Driver

Designing security operations processes to automate repetitive tasks and integrate related workflows is potentially the most beneficial thing that SOCs can do to boost productivity, enforce policies and implement best practices for threat detection and response. That's because, in RSA's experience, process is typically the most immature and inefficient part of most SOCs' people-process-technology triad.

RSA recommends tight integration of processes and workflows. For example, incident management should be directly linked to incident response, and data sources should all feed into an integrated analytics and security management platform so analysts can see everything through a "single pane of glass" and derive better intelligence and context for incident investigations.

Process integration eliminates many routine steps, such as copying-and-pasting incident information, that go along with manually joining disparate security operations workflows. Integration also reduces opportunities for error, because activities for complex processes such as incident response can be programmed to follow a deterministic sequence of actions based on best practices. Finally, process integration can facilitate cooperation among different parts of the business — among audit, information security and compliance, for example — and help organizations create a unified view of conditions and risks throughout the organization.

Process alignment is a closed-loop function. As SOCs redesign, test and implement processes, they take what they've learned to improve subsequent strategies and implementations. Because iterations breed improvement and best practices, many organizations enlist the help of outside consultants when embarking on major process changes in security operations. Inherent in the serial nature of consulting engagements is the continual refinement of best practices, and SOCs can benefit immediately from consultants' experience in designing and implementing security process improvements for other organizations.

In RSA's experience consulting to hundreds of enterprises, implementing an intelligence-driven security approach involves optimizing these processes:
• Breach readiness assessments to gauge the organization's current security state and increase operational maturity by designing, testing and practicing breach management and response
• Cyber threat intelligence processes to model threats and to develop best practices and procedures for proactively identifying threat vectors and anomalies in large volumes of data
• Incident response and discovery workflows to improve visibility into enterprise networks and to minimize the average time needed to detect a breach
• Breach management automation to refine processes and program procedures for a closed-loop incident handling process marked by continuous learning and improvement
• Identity, infrastructure and information controls focusing on privileged account management, secure communications, information rights/data classification and post-breach remediation and security
People Alignment: New Skills Needed

In a survey conducted by Enterprise Strategy Group, more than half (55%) of responding organizations said they planned to add security headcount in 2012, yet 83% said it was difficult to recruit and hire security professionals.[3] One of the ways to deal with the skills shortage in today's "do more with less" financial climate is to align process and technology to reduce analysts' routine workloads so analysts can focus on more advanced tasks. In RSA's experience, tools and process automation can slash the workload and time requirements for analysts sorting through routine, lower-level threats. In practice, RSA has seen SOCs with five analysts outperform SOCs with 25 analysts through tools and process optimization.

The techniques used in APTs and other advanced cyber attacks can be so complex that it takes cross-disciplinary teams with highly specialized security skills to detect, dissect and disable the threat. To address advanced cyber threats, SOCs will need to build collaborative teams comprising the following skills, either by cultivating the expertise in-house or by supplementing with outsourced experts:
• Forensics knowledge, especially in methodologies for collecting, maintaining, analyzing and reusing large repositories of data from networks and hosts/endpoints
• Proficiency in coding, scripting and protocols to help analyze vulnerabilities, debug systems and reverse malware
• Managing threat intelligence, especially cultivating and tracking multiple external intelligence sources and bringing relevant threat research back into the organization in a useful way
• Breach management, which includes coordinating the organization's response to crises and providing disclosures to outside parties
• Penetration testing to discover potential vulnerabilities in the IT environment resulting from poor system configuration, hardware or software flaws or operational deficiencies
• Data analysts who understand business risks and cyber-attack techniques in sufficient depth to develop analytical models that detect hidden threats and even predict cyber attacks

Security personnel will need to develop an investigative mindset: seeing the organization's assets and vulnerabilities as their adversaries do to anticipate attack techniques and devise countermeasures. Analysts will also have to hone hunting instincts: stalking adversaries within the IT environment, instrumenting tripwires to detect attackers' presence and setting traps such as honeypots to catch them.

In addition to building the SOC's technical and investigative capabilities, security operations teams should also cultivate communication skills within their ranks. Developing soft skills within the team can help the SOC build useful linkages to other organizations, whether it's informal information-sharing partnerships with other SOCs or fostering C-suite support for security operations programs.

[3] Enterprise Strategy Group, "Security Management and Operations: Changes on the Horizon" (July 2012), pp. 19–20
INTELLIGENCE-DRIVEN SECURITY AT WORK

EMC Corporation's Global Security Organization (GSO) illustrates the impact of optimizing the interplay of people, processes and technologies in security risk management. EMC practices continuous improvement of the tools, skills and processes comprising its security operations. The company aims to achieve a holistic view of the enterprise – both physical and digital – to gain a better understanding of risk trends and threats throughout the company.

Converged Organization for Managing Risk and Security

EMC has built a converged security organization characterized by close collaboration among its Information Security, Risk Management, Customer Security Management and Corporate Protection and Investigation groups. By combining these organizations under a single umbrella, EMC is able to analyze metrics and trends to achieve a view of risk throughout the whole organization. For instance, if the Corporate Protection and Investigation team identifies repeated instances of intellectual property (IP) theft, the Information Security group can study those instances to create controls preventing future IP loss.

Converged Infrastructure for Security Monitoring and Management

To support this converged risk and security strategy, EMC built a state-of-the-art Critical Incident Response Center (CIRC). The EMC CIRC combines workflow and data from across the global organization and creates a central point for monitoring and enforcing the safety and integrity of the company's information assets. EMC's CIRC aggregates logs from more than 1,400 security devices and 250,000 end nodes distributed globally across 500 physical sites.

Within the CIRC, a team of highly skilled analysts continuously monitors EMC's global IT and security environments, responding to everything from threats and vulnerabilities such as malware and data leakage to physical security incidents such as threats of violence and equipment theft. With this single integrated view of the global enterprise, security analysts can provide advice and guidance to EMC management – providing a critical feedback loop for continuously improving the company's security posture.

The EMC CIRC is built predominantly on technologies and best practices developed by RSA. While many technology tools are used within the CIRC, at the heart are the RSA Archer® GRC platform and the RSA® Security Analytics solution. These two systems integrate data from many other tools, providing CIRC personnel with a single big data repository and a central management console for security analytics. (See Figure 1.) The integration of the RSA Archer GRC platform with RSA Security Analytics streamlines many security operations workflows, helping the EMC CIRC accelerate investigations and reduce the time needed to close incidents.
Automating the Use of Intelligence and Incident Data

Hundreds of alerts are generated each day for review by the EMC CIRC. Before an alert is presented to security analysts for investigation, RSA Archer technology and RSA Security Analytics automatically collect and correlate a rich variety of data related to the incident. Several processes and technologies have been engineered to integrate contextual data and intelligence into threat detection and response processes.
Figure 1: Unified Platform for Data Analytics and Security Management (diagram; its labels are reproduced below)

RSA Security Analytics:
• Captures massive volumes of diverse, fast-changing data related to security
• Performs contextual analysis and correlations, pivoting on terabytes of data in real time
• Fuses external threat intelligence with internal data, reducing blind spots
• Archives huge volumes of data for compliance and for forensic analysis

RSA Archer:
• Presents alerts with enriched incident data
• Consolidates all incident data
• Manages the investigation process, creating and tracking incident-related requests
• Tracks incident resolution
• Maintains detailed incident history and audit trail
• Conducts impact/risk assessments of incidents

Flow shown in the diagram: alerts found through correlations and analyses → supplemental data from Archer sources related to the incident (Contacts from Active Directory, Facilities from IP Address Management, Devices from the Asset DB) → enriched incident data compiled and presented to the SOC analyst.

External intelligence feeds: External Threat Feeds; Threat Indicator Portal (for internal IoCs); RSA FraudAction™ Feed; RSA NetWitness® Live Feeds; RSA CCIS; IP Geo Data

Internal feeds: Firewalls; Intrusion Detection Sensors; Intrusion Prevention Systems; Proxies; Web Application Firewalls; Active Directory; Exchange; AAA Servers; Wireless LAN Controllers; Routers; Anti-virus; Data Loss Prevention (DLP); Full Network Packets; HR User Data; Logon Data (Active Directory); End Point IPS Data; Web Logs
EMC's CIRC has developed a threat indicator management system to assimilate advanced-threat intelligence artifacts derived from public and private intelligence sources, intelligence sharing partnerships, and the CIRC's own Advanced Analysis and Cyber Threat Intelligence functions. The indicators of compromise (IOCs) in this system run the spectrum from known hostile domains and IP addresses to communication characteristics such as strings and elements of hostile email messages, including email headers.

IOCs are classified by severity and automatically integrated into the RSA Security Analytics platform as a capture feed, generating specific metadata tags. For example, a known advanced-threat domain tagged in the threat management system will generate a "Severity 1" metadata tag (the highest priority rating) for any activity to that domain found by RSA Security Analytics. Alerts for these metadata tags are designed to channel through the RSA Archer security management console to facilitate a near real-time response by the CIRC.
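The following is an added illustration of the severity-tagged IOC matching described above; it is not code from the brief, from RSA Security Analytics or from EMC's threat indicator management system. The feed layout, the event field names, the sample indicators (documentation IP ranges and the figure's badsite.info domain) and the 1-to-3 severity scale with 1 highest are all assumptions made for the example. It indexes a small feed of domain, IP-range and mail-header indicators, tags each constructed event with every matching indicator, and assigns the event the highest-priority severity among its matches so a console can route Severity 1 hits first.

```python
"""Severity-tagged IOC matching over constructed network events (added example)."""
import ipaddress
import re

# Constructed indicator feed: hostile domains and IP ranges plus a message
# characteristic (a mail header string), as the text describes.
IOC_FEED = [
    {"type": "domain", "value": "badsite.info", "severity": 1, "source": "cti-team"},
    {"type": "ip", "value": "198.51.100.7", "severity": 1, "source": "partner-share"},
    {"type": "ip", "value": "203.0.113.0/24", "severity": 2, "source": "partner-share"},
    {"type": "email_header", "value": r"^X-Mailer: BulkSender/\d+", "severity": 3, "source": "phish-triage"},
]


class IndicatorIndex:
    """Indexes a feed so each event is checked without scanning the whole list."""

    def __init__(self, feed):
        self.domains = {}           # domain -> IOC record
        self.networks = []          # (ip_network, IOC record)
        self.header_patterns = []   # (compiled regex, IOC record)
        for ioc in feed:
            if ioc["type"] == "domain":
                self.domains[ioc["value"].lower().rstrip(".")] = ioc
            elif ioc["type"] == "ip":
                self.networks.append((ipaddress.ip_network(ioc["value"], strict=False), ioc))
            elif ioc["type"] == "email_header":
                self.header_patterns.append((re.compile(ioc["value"]), ioc))
            else:
                raise ValueError(f"unknown IOC type {ioc['type']!r}")

    def match_host(self, host):
        # Walk up the labels so "www.badsite.info" matches the "badsite.info"
        # indicator; the bare top-level label is never tried.
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels) - 1):
            hit = self.domains.get(".".join(labels[i:]))
            if hit:
                return hit
        return None

    def match_ip(self, ip):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return None
        for net, ioc in self.networks:
            if addr in net:
                return ioc
        return None

    def match_headers(self, headers):
        for line in headers:
            for pattern, ioc in self.header_patterns:
                if pattern.search(line):
                    return ioc
        return None


def tag_event(event, index):
    """Return a copy of the event with 'ioc_tags' and an overall 'severity'.

    Severity is the lowest number (highest priority) among matching IOCs,
    or None when nothing in the feed matched.
    """
    hits = []
    if event.get("dst_host"):
        hits.append(index.match_host(event["dst_host"]))
    if event.get("dst_ip"):
        hits.append(index.match_ip(event["dst_ip"]))
    if event.get("headers"):
        hits.append(index.match_headers(event["headers"]))
    tags = [{"type": h["type"], "value": h["value"], "severity": h["severity"], "source": h["source"]}
            for h in hits if h is not None]
    tagged = dict(event)
    tagged["ioc_tags"] = tags
    tagged["severity"] = min((t["severity"] for t in tags), default=None)
    return tagged


def tag_events(events, feed=IOC_FEED):
    index = IndicatorIndex(feed)
    return [tag_event(e, index) for e in events]


def severity_1_alerts(tagged_events):
    """The subset a console should raise for near real-time response."""
    return [e for e in tagged_events if e["severity"] == 1]


# Constructed sample events in the shape of proxy, firewall and mail-gateway records.
SAMPLE_EVENTS = [
    {"id": 1, "src_ip": "10.10.11.11", "dst_ip": "201.200.100.10", "dst_host": "www.badsite.info"},
    {"id": 2, "src_ip": "10.10.11.12", "dst_ip": "203.0.113.45", "dst_host": "cdn.example.net"},
    {"id": 3, "src_ip": "10.10.11.13", "dst_ip": "198.51.100.7"},
    {"id": 4, "src_ip": "10.10.11.14", "dst_ip": "192.0.2.9", "dst_host": "intranet.example.com"},
    {"id": 5, "src_ip": "10.10.11.15", "headers": ["From: payroll@example.com", "X-Mailer: BulkSender/42"]},
]

if __name__ == "__main__":
    for e in tag_events(SAMPLE_EVENTS):
        print(e["id"], e["severity"], [t["value"] for t in e["ioc_tags"]])
```

Parent-domain matching is deliberate: a feed entry for a registered domain should fire on any subdomain the adversary rotates through, while an IP indicator is matched as a network so a single /24 entry covers a hosting range. Keeping the source of each indicator on the tag preserves the provenance an analyst needs when deciding how much to trust the hit.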
But before the alert is even presented to security analysts, additional data elements that can provide valuable context about the threat are retrieved from the CIRC's centralized security database. This provides the analyst with all available artifacts related to the incident and to the source and destination endpoints. The example in Figure 2 illustrates how this data enrichment process and integrated approach to alerting provides the EMC CIRC with the details necessary to rapidly analyze and respond to critical incidents.
Figure 2: Automated Enrichment of Event Data (diagram; reconstructed from its labels)

Basic event info (data enrichment coordinated by RSA Security Analytics):
  Incident 12345
  Date: 01 February 2012
  Alert: Attempted SSL connection to suspicious IP range
  Source IP: 10.10.11.11
  Destination IP: 201.200.100.10
  Domain: badsite.info

Internal data enrichment (event generated for source IP 10.10.11.11):
  • Query DHCP* for hostname → Hostname: smithj_pc
  • Query for last user logged in to "smithj_pc" → Username: jsmith; Owner: John Smith; OS: Windows 7; Last log-in: 01 Feb 2013, 10:05:05
  • Query employee database for details for jsmith → Location: Atlanta; Functional Org: Finance
  * Other sources may also be applicable

External data enrichment (event generated for destination IP 201.200.100.10):
  • Query domain/IP lookup tools → Registrant: Mobel Sergei; Register Date: 12-Oct-2012; Location: Hac, Serbia
  • Query reputation services and malicious site lookups → Domain: www.badsite.info; site linked to previous malicious activities

Enriched event info (presented through RSA Archer console):
  Incident 12345
  Date: 01 February 2012
  Severity: 1 Known Hostile C2
  Alert: Attempted SSL connection to suspicious IP range
  Source IP: 10.10.11.11; Network Location: Atlanta; Log-in time: 01 February 2012 10:05:05; Hostname: smithj_pc; Owner: John Smith; Operating System: Windows 7; Critical Asset: YES; Functional Org: Finance
  Destination IP: 201.200.100.10; Location: Hac, Serbia; Domain: www.badsite.info; Domain registrant: Mobel Sergei; Register Date: 12-Oct-2012
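The enrichment chain in Figure 2, written out as an added example. This is not code from the brief or from RSA Archer or RSA Security Analytics; the dictionaries stand in for DHCP leases, Active Directory logon data, the employee database, the asset DB, IP address management and external WHOIS, geolocation and reputation services, and every value in them is the constructed sample data from the diagram, not a real record. The point a practitioner should take from it is the ordering of the internal lookups (address to hostname, hostname to last user, user to owner and organisation) and that each lookup tolerates a miss, so an unmanaged host or a stale lease never blocks the alert from reaching the analyst.

```python
"""Automated alert enrichment in the style of Figure 2 (added example)."""
import ipaddress

# --- constructed internal sources ----------------------------------------
DHCP_LEASES = {"10.10.11.11": "smithj_pc"}
LAST_LOGON = {"smithj_pc": {"username": "jsmith", "last_login": "01 Feb 2013 10:05:05"}}
EMPLOYEES = {"jsmith": {"owner": "John Smith", "functional_org": "Finance"}}
ASSET_DB = {"smithj_pc": {"os": "Windows 7", "critical_asset": True}}
IPAM = [(ipaddress.ip_network("10.10.0.0/16"), "Atlanta")]

# --- constructed external sources ----------------------------------------
WHOIS = {"badsite.info": {"registrant": "Mobel Sergei", "registered": "12-Oct-2012"}}
GEOIP = {"201.200.100.10": "Hac, Serbia"}
REPUTATION = {"badsite.info": "linked to previous malicious activities"}
SEVERITY_KNOWN_HOSTILE = 1   # assumption: 1 is the highest priority, as in the text


def _network_location(ip):
    addr = ipaddress.ip_address(ip)
    for net, site in IPAM:
        if addr in net:
            return site
    return "unknown"


def _base_domain(host):
    # "www.badsite.info" -> "badsite.info"; WHOIS and reputation are keyed on this.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def enrich_source(ip):
    """Internal enrichment: DHCP -> last logon -> employee DB -> asset DB -> IPAM."""
    out = {"source_ip": ip, "network_location": _network_location(ip)}
    hostname = DHCP_LEASES.get(ip)
    out["hostname"] = hostname or "unknown"
    logon = LAST_LOGON.get(hostname, {}) if hostname else {}
    out["username"] = logon.get("username", "unknown")
    out["last_login"] = logon.get("last_login", "unknown")
    emp = EMPLOYEES.get(out["username"], {})
    out["owner"] = emp.get("owner", "unknown")
    out["functional_org"] = emp.get("functional_org", "unknown")
    asset = ASSET_DB.get(hostname, {}) if hostname else {}
    out["os"] = asset.get("os", "unknown")
    out["critical_asset"] = asset.get("critical_asset", False)
    return out


def enrich_destination(ip, host):
    """External enrichment: registration data, geolocation, reputation."""
    base = _base_domain(host) if host else None
    who = WHOIS.get(base, {}) if base else {}
    return {
        "destination_ip": ip,
        "domain": host or "unknown",
        "registrant": who.get("registrant", "unknown"),
        "registered": who.get("registered", "unknown"),
        "geo_location": GEOIP.get(ip, "unknown"),
        "reputation": REPUTATION.get(base, "no prior record") if base else "no prior record",
    }


def enrich_alert(alert):
    """Build the enriched record an analyst console would present."""
    enriched = dict(alert)
    enriched.update(enrich_source(alert["source_ip"]))
    enriched.update(enrich_destination(alert["destination_ip"], alert.get("domain")))
    enriched["reputation_hit"] = enriched["reputation"] != "no prior record"
    # Escalate only when an external source confirms the destination is hostile;
    # otherwise keep whatever severity the detector assigned (None if it set none).
    enriched["severity"] = SEVERITY_KNOWN_HOSTILE if enriched["reputation_hit"] else alert.get("severity")
    return enriched


# The basic event from Figure 2 (the brief's own sample data).
BASIC_EVENT = {
    "incident": 12345,
    "alert": "Attempted SSL connection to suspicious IP range",
    "source_ip": "10.10.11.11",
    "destination_ip": "201.200.100.10",
    "domain": "www.badsite.info",
}

if __name__ == "__main__":
    for key, value in enrich_alert(BASIC_EVENT).items():
        print(f"{key}: {value}")
```

Because each stage only ever reads the output of the previous one, the same function serves an alert that carries a destination IP but no domain, or a source address the DHCP server has no lease for; the analyst then sees "unknown" fields rather than a missing alert.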
The EMC CIRC's data enrichment and intelligence integration capabilities help analysts focus their efforts on rapidly responding to threats, reducing exposure time to attacks and eliminating the manual collection of additional data elements correlated to incidents.
Automating Big Data Collection

Traditional SIEM and monitoring applications are limited in their ad hoc query and advanced analysis capabilities by architecture and performance concerns. EMC's CIRC addresses this challenge by streaming a mirror of all log events to a big data repository that collects approximately 1 billion records per day across 25 device types — more than 900 GB of data per day. Data in this centralized storehouse can be queried by analysts to correlate activities to threats. For example, the EMC CIRC uses its big data capabilities for basic behavioral analysis, such as detection of potential beaconing patterns within web proxy and firewall event logs. Also, as EMC's CIRC receives new security intelligence, historical activity potentially related to newly discovered threats can be analyzed to determine what damage, if any, was done. The processing power of EMC's big data platform has reduced the time to collect and make sense of security information related to a threat from several hours to minutes, shrinking exposure time significantly.
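The beaconing analysis mentioned above, as an added example that is not code from the brief or from EMC's CIRC. The proxy log line format, the thresholds (at least six requests, coefficient of variation of the request spacing at or below 0.15) and the sample traffic are all assumptions constructed for the example. The idea is the one a SOC would run over a day of proxy or firewall records: group requests by source and destination, measure the gaps between them, and flag pairs whose spacing is far more regular than a person browsing would produce, using identical response sizes as a supporting signal.

```python
"""Beacon detection over constructed web proxy log lines (added example)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) method=(?P<method>\S+) "
    r"status=(?P<status>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one constructed proxy record; return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["bytes"] = int(rec["bytes"])
    return rec


def find_beacons(lines, min_events=6, max_cv=0.15):
    """Flag (src, dst) pairs whose request spacing is suspiciously regular.

    cv = pstdev(gaps) / mean(gaps). Human browsing gives a large cv; a scheduled
    callback gives a small one even with a few seconds of jitter.
    """
    by_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_pair[(rec["src"], rec["dst"])].append(rec)

    findings = []
    for (src, dst), recs in by_pair.items():
        if len(recs) < min_events:
            continue
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append({
                "src": src, "dst": dst, "events": len(recs),
                "period_s": round(mean, 1), "cv": round(cv, 3),
                # Identical response sizes are a second sign of automated traffic.
                "constant_size": len({r["bytes"] for r in recs}) == 1,
            })
    return sorted(findings, key=lambda f: f["cv"])


# Constructed sample: one host calling back every ~5 minutes with small jitter,
# one host browsing a news site irregularly, one host with a short regular
# series that is below the event threshold, and one unparseable line.
SAMPLE_PROXY_LOG = """\
2013-02-01T10:00:00Z src=10.10.11.11 dst=www.badsite.info method=POST status=200 bytes=512
2013-02-01T10:00:12Z src=10.10.11.20 dst=news.example.com method=GET status=200 bytes=48213
2013-02-01T10:00:15Z src=10.10.11.20 dst=news.example.com method=GET status=200 bytes=1930
2013-02-01T10:01:40Z src=10.10.11.20 dst=news.example.com method=GET status=304 bytes=0
2013-02-01T10:02:02Z src=10.10.11.20 dst=news.example.com method=GET status=200 bytes=77201
2013-02-01T10:05:03Z src=10.10.11.11 dst=www.badsite.info method=POST status=200 bytes=512
2013-02-01T10:09:30Z src=10.10.11.20 dst=news.example.com method=GET status=200 bytes=5120
2013-02-01T10:09:31Z src=10.10.11.20 dst=news.example.com method=GET status=200 bytes=233
2013-02-01T10:10:01Z src=10.10.11.11 dst=www.badsite.info method=POST status=200 bytes=512
2013-02-01T10:15:04Z src=10.10.11.11 dst=www.badsite.info method=POST status=200 bytes=512
2013-02-01T10:20:00Z src=10.10.11.20 dst=news.example.com method=GET status=200 bytes=60110
2013-02-01T10:20:02Z src=10.10.11.11 dst=www.badsite.info method=POST status=200 bytes=512
2013-02-01T10:25:00Z src=10.10.11.11 dst=www.badsite.info method=POST status=200 bytes=512
2013-02-01T10:30:05Z src=10.10.11.11 dst=www.badsite.info method=POST status=200 bytes=512
2013-02-01T10:35:01Z src=10.10.11.11 dst=www.badsite.info method=POST status=200 bytes=512
2013-02-01T10:00:00Z src=10.10.11.30 dst=update.example.com method=GET status=200 bytes=48
2013-02-01T10:10:00Z src=10.10.11.30 dst=update.example.com method=GET status=200 bytes=48
2013-02-01T10:20:00Z src=10.10.11.30 dst=update.example.com method=GET status=200 bytes=48
this line is garbage and must be skipped
"""

if __name__ == "__main__":
    for f in find_beacons(SAMPLE_PROXY_LOG.splitlines()):
        print(f)
```

Lowering min_events makes the short update-check series show up as well, which is the usual false-positive class for this check: legitimate schedulers beacon too, so the finding is a lead to enrich and triage (is the destination known, is the response size constant, is the host a critical asset) rather than an alert on its own.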
Automating Host-based Analytics

Traditional antivirus and host-based IDS/IPS products primarily rely on signatures to identify malware. Yet signature-based techniques have been overwhelmed by the growth of malware and entirely bypassed by targeted attacks such as APTs and other advanced threats. While traditional malware scanning technologies will continue to have a routine role as a layer of defense in depth, they alone are simply not equal to combating today's more sophisticated threats.

Integrating behavior-based intelligence into host analysis and remediation helps fill the gaps left by signature-based tools such as AV and IDS/IPS. EMC's CIRC has deployed the RSA® Enterprise Compromise Assessment Tool (ECAT) to help monitor and protect endpoints that network monitoring or other intelligence resources have identified as potentially compromised.

RSA ECAT's approach to malware detection is highly distinctive. Malware often modifies internal operating system structures to hide its activity. By validating important internal kernel and application structures, RSA ECAT identifies anomalies that are typically generated by malware such as hooking, kernel object modification, file/process/registry/communication hiding, etc.
As deployed within EMC's CIRC, ECAT provides the threat detection capabilities seen in Figure 3, RSA ECAT at Work.

After compromised hosts and processes have been confirmed, EMC's analysts can define the scope of the threat with a single action and from behind a single pane of glass, as RSA ECAT identifies all other hosts harboring the same malicious file or process. Security analysts can quickly use the ECAT Machine Suspect Level score to evaluate the probability of compromise: a high score indicates problems, while a low score indicates a host is probably clean. While a low score does not guarantee a clean machine, the scoring system nevertheless helps prioritize investigative workflows, resulting in faster containment and remediation for larger-scale, more serious threats.

RSA ECAT has enabled EMC's CIRC to significantly reduce host analysis time and to contain much of the workload for malware analysis and validation to the earlier triage stage of EMC's threat detection process, which is handled by EMC's more junior security analysts. EMC estimates RSA ECAT saves its CIRC approximately 30 analyst hours per high-priority incident.
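To make the host triage workflow concrete, here is an added example of the shape of that process; it is not RSA ECAT's scoring algorithm and not code from the brief or from EMC. The per-host inventories, the short hash labels that stand in for SHA-256 digests, the clean baseline and known-good sets, and the score weights are all constructed for the example. It compares every host's binary inventory against the baseline and known-good sets, adds weight for kernel-level anomalies of the kind the text lists (hooks, hidden objects), ranks hosts by the resulting score, and then performs the "single action" scoping step: find every host carrying a file the analyst has confirmed malicious.

```python
"""Host inventory triage: suspect scoring and threat scoping (added example)."""
from collections import defaultdict

# Constructed hashes (short labels stand in for SHA-256 digests).
CLEAN_BASELINE = {"h_ntoskrnl", "h_kernel32", "h_explorer", "h_chrome"}
KNOWN_GOOD = CLEAN_BASELINE | {"h_7zip"}   # e.g. signature-validated or reputation-listed
CONFIRMED_MALICIOUS = {"h_dropper"}          # confirmed by an analyst after triage

# Weights are assumptions; they only need to rank hosts, not be calibrated.
W_UNSIGNED_UNKNOWN = 3       # unsigned binary nobody has vouched for
W_SIGNED_UNKNOWN = 1         # signed but in neither baseline nor known-good set
W_KERNEL_ANOMALY = 5         # hook, hidden object or tampered structure
W_CONFIRMED_MALICIOUS = 10

# Constructed per-host inventories: (hash, signed, path) plus anomaly flags
# reported by a structure-validation pass.
INVENTORIES = {
    "smithj_pc": {
        "files": [("h_ntoskrnl", True, r"C:\Windows\System32\ntoskrnl.exe"),
                  ("h_kernel32", True, r"C:\Windows\System32\kernel32.dll"),
                  ("h_dropper", False, r"C:\Users\jsmith\AppData\Local\Temp\svchost.exe"),
                  ("h_7zip", True, r"C:\Program Files\7-Zip\7z.exe")],
        "anomalies": ["ssdt_hook", "hidden_process"],
    },
    "finance-srv-02": {
        "files": [("h_ntoskrnl", True, r"C:\Windows\System32\ntoskrnl.exe"),
                  ("h_dropper", False, r"C:\ProgramData\update\svchost.exe")],
        "anomalies": [],
    },
    "hr-lt-07": {
        "files": [("h_ntoskrnl", True, r"C:\Windows\System32\ntoskrnl.exe"),
                  ("h_chrome", True, r"C:\Program Files\Google\Chrome\chrome.exe"),
                  ("h_internaltool", True, r"C:\Tools\inventory.exe")],
        "anomalies": [],
    },
    "clean-pc": {
        "files": [("h_ntoskrnl", True, r"C:\Windows\System32\ntoskrnl.exe"),
                  ("h_explorer", True, r"C:\Windows\explorer.exe")],
        "anomalies": [],
    },
}


def classify_file(h, signed):
    if h in CONFIRMED_MALICIOUS:
        return "malicious"
    if h in KNOWN_GOOD:
        return "known_good"
    return "unknown_signed" if signed else "unknown_unsigned"


def suspect_score(inventory):
    """Machine-level score: higher means more likely compromised.

    Zero means 'nothing unexplained', not 'clean', which is the caveat the
    text attaches to a low score.
    """
    weights = {"malicious": W_CONFIRMED_MALICIOUS, "unknown_unsigned": W_UNSIGNED_UNKNOWN,
               "unknown_signed": W_SIGNED_UNKNOWN, "known_good": 0}
    score = sum(weights[classify_file(h, signed)] for h, signed, _path in inventory["files"])
    return score + W_KERNEL_ANOMALY * len(inventory["anomalies"])


def rank_hosts(inventories):
    """Triage order: highest suspect score first."""
    return sorted(((suspect_score(inv), host) for host, inv in inventories.items()), reverse=True)


def scope_threat(inventories, malicious_hash):
    """The scoping step: every host (and path) carrying the confirmed file."""
    hits = defaultdict(list)
    for host, inv in inventories.items():
        for h, _signed, path in inv["files"]:
            if h == malicious_hash:
                hits[host].append(path)
    return dict(hits)


def unknown_files(inventories):
    """Files to send for further scanning: neither baseline, known good nor confirmed bad."""
    return sorted({h for inv in inventories.values()
                   for h, signed, _path in inv["files"]
                   if classify_file(h, signed).startswith("unknown")})


if __name__ == "__main__":
    for score, host in rank_hosts(INVENTORIES):
        print(f"{host:15s} suspect score {score}")
    print("scope of h_dropper:", scope_threat(INVENTORIES, "h_dropper"))
    print("unknown files to scan:", unknown_files(INVENTORIES))
```

Two details matter in practice and are built in here: a confirmed-malicious hash outranks the signature check (signed malware exists), and the scoping query is keyed on the file hash rather than the path, because the constructed dropper sits under a different directory on the second host.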
EMC Outcomes in Aligning Behind Intelligence-Driven Security

By aligning people, process and technology behind an intelligence-driven security program, the EMC CIRC estimates it has slashed the average time for closing incidents by up to 60 percent.

Technology and process integration accounts for much of the efficiency gain. It eliminates many time-consuming tasks for manually gathering incident-related information and has even automated aspects of threat detection, as seen in EMC's use of RSA Security Analytics and RSA ECAT.

The automation created by technology and process integration has helped scale up the CIRC's threat detection and response capabilities, freeing up analysts to devote more of their time to higher-priority incidents. Analysts can examine all data available on prospective threats through the centralized RSA Archer security management console, accelerating analysis and decision-making.

The integration of security technologies and workflows, combined with EMC's convergence of various risk- and security-related functions under a single organizational umbrella, has helped EMC mount a faster, more efficient and complete response to attacks. This, in turn, has greatly reduced EMC's exposure time to threats and empowers EMC — with its 53,500 employees — to operate with greater confidence in the digital world.
RSA thanks Mike Gagne, Chris Harrington, Jim Lugabihl, Jeff Hale, Jason Rader, Garrett
Schubert and Peter Tran for contributing their time and expertise to the development of
this technical brief.
Figure 3: RSA ECAT Automates Detection of Host-based Threats (diagram; reconstructed from its labels)

After a network alert fires, RSA ECAT is installed on suspicious hosts. The steps shown:
• Performs an inventory of every executable, DLL and driver in the machine
• Checks for internal structures and system anomalies indicating malware activity
• Sends the collected information to a central server for processing, comparing results with a clean baseline system
• Identifies known good files using digital signature validation and the Bit9 GSR
• Sends unknown files to a server for scanning using OPSWAT Metascan Antivirus
• Flags abnormal behaviors and correlates them across the entire environment
• Generates a Machine Suspect Level Score summarizing the probability of compromise for affected hosts
APPENDIX: INTELLIGENCE-DRIVEN SECURITY SOLUTIONS FROM RSA
RSA® Advanced Cyber Defense Practice provides a holistic range of solutions to help clients protect their organizational mission, drive operational efficiencies and evolve with a dynamic threat environment. Targeted attacks often focus on the theft of critical assets and data and utilize techniques that bypass traditional defenses. RSA helps organizations enhance their existing security capabilities and implement countermeasures designed to prevent cyber adversaries from achieving their objectives. Services offered by RSA include gap analysis, maturity modeling, cyber threat intelligence, infrastructure hardening and security operations development and automation. RSA's NextGen SOC solution is designed to help organizations converge their technical and operational capabilities into a unified security program that aligns with risk management priorities and business objectives. RSA emphasizes the preventive measures required to protect the organization while also providing incident response and remediation services to reduce breach exposure time and to mitigate attacks.
RSA Archer® GRC Suite is a market-leading solution for managing enterprise governance, risk and compliance (GRC). It provides a flexible, collaborative platform to manage enterprise risks, automate business processes, demonstrate compliance and gain visibility into exposures and gaps across the organization. The RSA Archer GRC platform is designed to draw data from a wide variety of systems to serve as a central repository for risk-, compliance- and security-related information. The RSA Archer Threat Management solution is an early-warning system for tracking threats. The RSA Archer Incident Management solution helps organizations escalate problems, track the progress of investigations and coordinate problem resolution. The platform's ability to integrate information on security alerts and threats, to gather and present metrics about the effectiveness of security controls and processes, and to analyze contextual information about the security and business environment helps create actionable, real-time intelligence across the enterprise.
RSA® Cybercrime Intelligence (CCI) is a service providing information about corporate assets compromised by malware, including corporate machines, network resources, access credentials, business data and email correspondence. CCI monitors underground cybercrime to uncover compromised corporate data that have leaked into the wild. The service reports to clients any data related to their organizations recovered directly from malware log files, including employee credentials, email accounts, IP addresses of infected machines and compromised domains. Going beyond malware, CCI scans open source intelligence (OSINT), reporting information back to clients on employee credentials, corporate email addresses and doxing data that have been traced in the wild and compromised by hackers or fraudsters. CCI also reports details on email content, IP addresses and compromised credit card numbers belonging to the corporation or its employees that are being shared and/or sold by cybercriminals in closed, deep-web communities. In addition, CCI offers organizations insight into malware-infected online resources via daily blacklist feeds. These feeds expose IP addresses and resources either presently hosting or likely to host malicious content, allowing information security staff to take preemptive measures to mitigate risks.
RSA® Data Loss Prevention (DLP) Suite is built to alert organizations of sensitive data activity that is suspicious or violates organizational policy. DLP also executes first-line remediation functions, such as blocking the transmission of sensitive data, or quarantining, deleting, moving or applying rights management to documents that contain private data. The RSA DLP Suite is easy to integrate with the RSA Archer security management console and the RSA Security Analytics platform, providing organizations with a valuable data feed for alerting and with improved layered defenses.
RSA® Education Services provide training courses on information security geared to IT staff, software developers, security professionals and an organization's general employees. Courses combine theory, technology and scenario-based exercises to engage participants in active learning. The current curriculum covers topics such as malware analysis and cyber threat intelligence. RSA Education Services also offers a workshop on addressing advanced threats such as APTs. Courses are designed to deliver the maximum amount of information in the shortest period to minimize staff downtime.
RSA® Enterprise Compromise Assessment Tool (ECAT) is an enterprise threat detection and response solution designed to monitor and protect IT environments from undesirable software and the most elusive malware, including deeply hidden rootkits, advanced persistent threats (APTs) and unidentified viruses. RSA ECAT automates the detection of anomalies within computer applications and memory without relying on virus signatures. Instead of analyzing malware samples to create signatures, RSA ECAT establishes a baseline of anomalies from "known good" applications, filtering out background noise to uncover malicious activity in compromised machines. The RSA ECAT console presents a centralized view of activities occurring within a computer's memory, which can be used to quickly identify malware, regardless of whether a signature exists or if the malware has been seen before. Once a single malicious anomaly is identified, RSA ECAT can scan across thousands of machines to identify other endpoints that have been compromised or are at risk.
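The host-triage pipeline sketched in Figure 3 and restated in the ECAT entry above, reduced to working code. This is an added example and not RSA ECAT's code or its scoring model; the module inventories, hashes, anomaly names, point weights and host names are all constructed for the illustration. It inventories the modules on each host, separates baseline files from known-good (signed or allowlisted) files from unknown ones, scores each host, and then correlates unknown files across the fleet so that one confirmed-bad hash can be swept across every endpoint.

```python
"""Baseline-and-allowlist endpoint triage: an added illustration, not RSA ECAT's
code or scoring model. Inventory modules per host, diff against a clean baseline,
clear signed/allowlisted files (standing in for signature validation and the
Bit9 GSR), score unknown files and runtime anomalies, correlate across the fleet.
Every hash, path, weight and host name below is constructed."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

# Constructed weights; a real deployment would calibrate these from its own data.
ANOMALY_WEIGHTS = {
    "hooked_import_table": 20,
    "unbacked_executable_memory": 30,
    "hidden_from_process_list": 40,
}
UNKNOWN_FILE_WEIGHT = 15   # unsigned file absent from both baseline and allowlist
MAX_SCORE = 100


@dataclass(frozen=True)
class Module:
    path: str
    sha256: str                      # digest of the file on disk (shortened, constructed)
    signed: bool = False             # code signature validated by the collector
    anomalies: tuple[str, ...] = ()  # memory/structure findings from the collector


@dataclass
class HostReport:
    host: str
    unknown: list[Module] = field(default_factory=list)
    anomalous: list[Module] = field(default_factory=list)
    score: int = 0                   # "Machine Suspect Level", 0..MAX_SCORE


def classify(m: Module, baseline: set[str], known_good: set[str]) -> str:
    """Baseline wins; else a valid signature or allowlist hit clears the file."""
    if m.sha256 in baseline:
        return "baseline"
    if m.signed or m.sha256 in known_good:
        return "known_good"
    return "unknown"          # goes on to AV scanning / analyst review


def triage_host(host, modules, baseline, known_good) -> HostReport:
    report, points = HostReport(host), 0
    for m in modules:
        if classify(m, baseline, known_good) == "unknown":
            report.unknown.append(m)
            points += UNKNOWN_FILE_WEIGHT
        if m.anomalies:  # counted even on baseline files: a hooked ntdll is still hooked
            report.anomalous.append(m)
            points += sum(ANOMALY_WEIGHTS.get(a, 5) for a in m.anomalies)
    report.score = min(points, MAX_SCORE)
    return report


def correlate_unknowns(inventories, baseline, known_good) -> dict[str, list[str]]:
    """Map each unknown hash to the hosts carrying it, so one confirmed-bad
    sample immediately shows which other endpoints need attention."""
    seen: dict[str, set[str]] = defaultdict(set)
    for host, modules in inventories.items():
        for m in modules:
            if classify(m, baseline, known_good) == "unknown":
                seen[m.sha256].add(host)
    return {h: sorted(hosts) for h, hosts in seen.items()}


def sweep(inventories, sha256: str) -> list[str]:
    """Fleet-wide search by hash (not path) once a file has been judged malicious."""
    return sorted(h for h, mods in inventories.items()
                  if any(m.sha256 == sha256 for m in mods))


# ---- constructed sample data: three workstations, one dropper --------------
BASELINE = {"0a11", "0a22", "0a33"}     # hashes taken from a freshly built gold image
KNOWN_GOOD = {"b7b7"}                   # approved but unsigned third-party tool
NTDLL = Module(r"C:\Windows\System32\ntdll.dll", "0a11")
KERNEL32 = Module(r"C:\Windows\System32\kernel32.dll", "0a22")
EXPLORER = Module(r"C:\Windows\explorer.exe", "0a33")
SEVENZIP = Module(r"C:\Program Files\7-Zip\7z.dll", "b7b7")
AGENT = Module(r"C:\Program Files\Vendor\agent.exe", "e5e5", signed=True)
DROPPER = "d3ad"                        # same unsigned binary under two different names
INVENTORIES = {
    "ws01": [NTDLL, KERNEL32, EXPLORER, SEVENZIP,
             Module(r"C:\Users\Public\svchost.exe", DROPPER,
                    anomalies=("hidden_from_process_list", "unbacked_executable_memory"))],
    "ws02": [Module(NTDLL.path, NTDLL.sha256, anomalies=("hooked_import_table",)),
             KERNEL32, EXPLORER, Module(r"C:\ProgramData\update.exe", DROPPER)],
    "ws03": [NTDLL, KERNEL32, EXPLORER, AGENT],
}


def run_example():
    reports = {h: triage_host(h, mods, BASELINE, KNOWN_GOOD) for h, mods in INVENTORIES.items()}
    return reports, correlate_unknowns(INVENTORIES, BASELINE, KNOWN_GOOD)


if __name__ == "__main__":
    reports, correlation = run_example()
    for r in sorted(reports.values(), key=lambda r: -r.score):
        print(f"{r.host}: score={r.score} unknown={[m.path for m in r.unknown]}")
    print("unknown-hash prevalence:", correlation, "| sweep:", sweep(INVENTORIES, DROPPER))
```

Two points worth keeping from this sketch: a valid code signature vouches for a file's origin, not its runtime state, so anomalies found on a baseline or signed module (the hooked ntdll on ws02) still raise the host's score; and correlation and sweeping are keyed on the file hash rather than the path, which is why the dropper is found on ws02 even though it was renamed there.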
RSA® Security Analytics is designed to provide security organizations with the situational awareness needed to deal with their most pressing security issues. By analyzing network traffic and log event data, the RSA Security Analytics system helps organizations gain a comprehensive view of their IT environment, enabling security analysts to detect threats quickly, investigate and prioritize them, make remediation decisions, take action and automatically generate reports. The RSA Security Analytics solution's distributed data architecture collects, analyzes and archives massive volumes of data, often hundreds of terabytes and beyond, at very high speed using multiple modes of analysis. The RSA Security Analytics platform also ingests threat intelligence about the latest tools, techniques and procedures in use by the attacker community to alert organizations to potential threats that are active in their enterprise.
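The mechanics behind the blacklist feeds in the CCI entry and the threat-intelligence ingestion in the Security Analytics entry above, as an added example that is not RSA's implementation: ingest a feed of IP addresses, CIDR ranges and domains, then evaluate proxy and DNS events against it. The feed format, event field names, log lines, sources and the 30-day staleness threshold are constructed assumptions for the illustration.

```python
"""Matching a daily blacklist / threat-intelligence feed against log events.
Added illustration, not RSA CCI's or RSA Security Analytics' code. The feed
line format, log format, sources and staleness window are all constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Indicator:
    value: str          # "203.0.113.7", "198.51.100.0/24" or "bad.example"
    kind: str           # "ip", "cidr" or "domain"
    first_seen: date
    source: str


def parse_feed(text: str) -> list[Indicator]:
    """Constructed feed format: value,YYYY-MM-DD,source; the type is inferred."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        value, seen, source = (f.strip() for f in line.split(","))
        try:
            ipaddress.ip_address(value)
            kind = "ip"
        except ValueError:
            try:
                ipaddress.ip_network(value, strict=False)
                kind = "cidr"
            except ValueError:
                kind, value = "domain", value.lower().rstrip(".")
        out.append(Indicator(value, kind, date.fromisoformat(seen), source))
    return out


class Blocklist:
    def __init__(self, indicators: list[Indicator], today: date, max_age_days: int = 30):
        self.today, self.max_age = today, max_age_days
        self.ips = {i.value: i for i in indicators if i.kind == "ip"}
        self.nets = [(ipaddress.ip_network(i.value, strict=False), i)
                     for i in indicators if i.kind == "cidr"]
        self.domains = {i.value: i for i in indicators if i.kind == "domain"}

    def match_ip(self, ip: str) -> Indicator | None:
        if ip in self.ips:
            return self.ips[ip]
        addr = ipaddress.ip_address(ip)
        return next((i for net, i in self.nets if addr in net), None)

    def match_domain(self, name: str) -> Indicator | None:
        labels = name.lower().rstrip(".").split(".")
        for n in range(len(labels)):   # a.b.bad.example -> b.bad.example -> bad.example
            hit = self.domains.get(".".join(labels[n:]))
            if hit:
                return hit
        return None

    def severity(self, ind: Indicator) -> str:
        """Stale entries are downgraded: shared hosting and re-assigned IPs make
        old blacklist entries a common false-positive source. CIDR hits are coarser."""
        if (self.today - ind.first_seen).days > self.max_age:
            return "low"
        return "high" if ind.kind in ("ip", "domain") else "medium"


def parse_event(line: str) -> dict:
    """Constructed event format: '<ts> <type> key=value key=value ...'."""
    ts, kind, *kvs = line.split()
    ev = {"ts": ts, "type": kind}
    ev.update(kv.split("=", 1) for kv in kvs if "=" in kv)
    return ev


def scan_events(bl: Blocklist, lines) -> list[dict]:
    alerts = []
    for line in lines:
        ev = parse_event(line)
        hits = [bl.match_ip(ev["dst"])] if "dst" in ev else []
        hits += [bl.match_domain(ev[f]) for f in ("host", "query") if f in ev]
        for ind in (h for h in hits if h):
            alerts.append({"ts": ev["ts"], "src": ev.get("src"), "ioc": ind.value,
                           "source": ind.source, "severity": bl.severity(ind)})
    return alerts


# ---- constructed sample feed and events ------------------------------------
FEED = """# constructed daily blacklist feed (value,first_seen,source)
203.0.113.7,2013-02-09,cci-malware-logs
198.51.100.0/24,2013-02-01,cci-hosting-blocklist
bad.example,2013-02-10,cci-osint
192.0.2.250,2012-12-01,legacy-feed
"""
TODAY = date(2013, 2, 11)
EVENTS = [
    "2013-02-11T10:02:11Z proxy src=10.1.2.3 dst=203.0.113.7 host=cdn.example path=/a.js",
    "2013-02-11T10:05:40Z proxy src=10.1.2.3 dst=198.51.100.77 host=files.example path=/x",
    "2013-02-11T10:06:02Z dns src=10.1.2.9 query=update.bad.example",
    "2013-02-11T10:07:15Z proxy src=10.1.2.9 dst=192.0.2.250 host=old.example path=/",
    "2013-02-11T10:08:00Z proxy src=10.1.2.4 dst=93.184.216.34 host=www.example.com path=/",
]


def run_example() -> list[dict]:
    return scan_events(Blocklist(parse_feed(FEED), TODAY), EVENTS)


if __name__ == "__main__":
    for a in run_example():
        print(a)
```

The domain match walks up the label hierarchy so a feed entry for a parent domain catches subdomains, and the staleness check is the caveat a SOC would add before acting "preemptively" on a feed: an IP that was hosting malicious content months ago is often somebody else's by now.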
EMC2, EMC, the EMC logo, RSA, Archer, FraudAction, NetWitness and the RSA logo are registered trademarks or
trademarks of EMC Corporation in the United States and other countries. Microsoft and Outlook are registered
trademarks of Microsoft. All other products or services mentioned are trademarks of their respective companies.
© Copyright 2013 EMC Corporation. All rights reserved.
179827-H11533-ASOC_BRF_0213
ABOUT RSA
RSA, The Security Division of EMC, is the premier provider of security, risk and
compliance management solutions for business acceleration. RSA helps the world’s
leading organizations solve their most complex and sensitive security challenges.
These challenges include managing organizational risk, safeguarding mobile access
and collaboration, proving compliance, and securing virtual and cloud environments.
Combining business-critical controls in identity assurance, encryption & key
management, SIEM, data loss prevention, continuous network monitoring, and fraud
protection with industry leading GRC capabilities and robust consulting services, RSA
brings visibility and trust to millions of user identities, the transactions that they
perform and the data that is generated. For more information, please visit www.RSA.com and www.EMC.com.
www.rsa.com