Continuous Incident Response: The Need for Efficiency


Transcript of Continuous Incident Response: The Need for Efficiency

Page 1: Continuous Incident Response: The Need for Efficiency


Paul Zimski, Intel Security

Continuous Incident Response: The Need for Efficiency

Page 2

Security’s Perfect Storm

Fragmented Security Market: Up to 50 offerings to assess and secure an environment (Intel Security)

Industrialization of Cybercrime: Breaches up 55% year over year; 70-90% of malware is unique to a single organization (Verizon DBIR 2015 / Intel Security Golden Hour Survey 2015)

Exponential Attack Surface Growth: There will be 26 smart objects and over 5TB of data for every person on Earth in 2020 – all 7.6 billion of us (Intel / IDC)

Business Realities: Linear Budgets, Skillset Shortages, Compliance & Regulatory, Competitive Pressures

Page 3

State of Continuous Attack

On average, organizations conducted 78 security investigations last year; 28% were the result of targeted attacks.

Source: Intel Security, Tackling Attack Detection and Incident Response, 2015

Page 4

Incident Response – Cyber Resilience

Attack phases: Prepare → Compromise → Maneuver → Execute

“Pre-Breach”: Protect

“Post-Breach”: Detect, Correct

Cost: $ pre-breach, rising to $$$$ post-breach

Page 5

Security Complexity is Not Scaling

Protect, Detect and Correct plotted against the duration and scope of an incident:

“Pre-breach”: Compromise Within Minutes – Minimal Adversarial Effort

“Post-breach”: Unacceptable “Dwell Time” – Days, Weeks, Months – Overwhelmed Security Teams – $$$ Catastrophic Impact $$$

Page 6

Continuous Incident Response: Applied integration, automation, and intelligence

Detect – Advanced monitoring identifies anomalous, outlier behavior to perceive low-threshold attacks that would otherwise go unnoticed

Protect – Comprehensive prevention stops the most pervasive attack vectors while also disrupting never-before-seen techniques and payloads

Adapt – Apply insights immediately throughout a collaborative infrastructure

Correct – Facilitated triage and response provides prioritization and fluid investigation

Page 7

Protect

Comprehensive coverage against the most pervasive threat vectors

Global, organizational, and 3rd-party applied intelligence

Collaborative infrastructure acts as a single adaptive system

Page 8

Connected Architecture: Efficient, thorough, automated communications between disparate sensors

Sensors: 3rd Party, Network, Data, Identity, Endpoint

Real-Time Messaging – Standardized Content – Adaptive Workflows

Efficiency in Communication

Page 9

Detect

Deep, continuous, and automated visibility

Deviation- and correlation-based analytics to isolate low-threshold signals

Threat intelligence orchestration to proactively hunt for attack footholds

Page 10

Automated, Proactive Hunting

Historic – Detect if the organization has already been impacted by a newly discovered threat

Ongoing – Adapt current monitoring and analysis to identify advancing threats

Intelligence feeds → IOC Consumption and Discovery → Countermeasures

Page 11

Correct

Prioritization to pinpoint the most critical incidents and apply limited resources accordingly

Fluid investigation with advanced pivot, drill-down and real-time detection & response

Automated and real-time response for immediate actions without operational friction

Page 12

Workflow Automation: A Series of Un-integrated Events

IOC 1, IOC 2, IOC 3, IOC 4

Network & Gateway (Web Gateway, Email Gateway, NGFW, NIPS)

Sandbox: Analyze payload

SIEM: Hunt historic events

Endpoints: Isolate and remediate previously compromised systems

Page 13

Adaptive Learning and Response: Compressing Incident Duration

DXL Ecosystem

Network & Gateway (Web Gateway, Email Gateway, NGFW, NSP): Network and endpoints adapt

Sandbox: Payload is analyzed

SIEM (ESM): Continuous monitoring and proactive hunting – C2 communication, beaconing, exfiltration, access violations, lateral movement

Endpoints: Previously breached systems are isolated and remediated

IOC 1, IOC 2, IOC 3, IOC 4: New IOC intelligence pinpoints historic breaches
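The two hunting modes from the "Automated, Proactive Hunting" slide (historic: has a newly published indicator already been seen; ongoing: fold the indicator into live monitoring) and the "new IOC intelligence pinpoints historic breaches" step above come down to one mechanism: index every consumed IOC and look each observed event up against it. The following is an added illustration of that loop in Python; it is not code from the deck or from Intel Security, and the feed format, the log line format, the host names and the indicator values are all constructed for the example.

```python
"""Added illustration (not from the slide deck): IOC consumption, a historic
hunt over stored telemetry, an ongoing matcher for live events, and a simple
prioritization of hosts for the correct/isolate step.

Every feed entry, log line, host name and indicator below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Ioc:
    kind: str      # observable type: "dns", "ip" or "sha256"
    value: str     # the indicator, normalised to lower case
    source: str    # which intelligence feed supplied it
    severity: int  # 1 (low) .. 5 (critical), as assigned by the feed


@dataclass(frozen=True)
class Hit:
    ts: datetime
    host: str
    ioc: Ioc


# Constructed feed, one indicator per line: kind,value,source,severity
FEED = """\
dns,updates.bad-cdn.test,partner-feed,4
ip,203.0.113.77,sandbox-verdict,5
sha256,9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08,sandbox-verdict,5
"""

# Constructed historic telemetry: "<ISO timestamp> <host> <kind>=<value>"
HISTORIC_LOGS = """\
2015-06-01T09:15:02Z ws-017 dns=intranet.corp.test
2015-06-01T09:16:40Z ws-017 dns=UPDATES.bad-cdn.test
2015-06-01T09:16:41Z ws-017 ip=203.0.113.77
2015-06-02T14:03:10Z srv-db-02 sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
2015-06-03T11:47:55Z ws-104 dns=www.example.test
"""


def parse_feed(text: str) -> List[Ioc]:
    """IOC consumption: turn feed lines into Ioc records, skipping blanks/comments."""
    iocs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        kind, value, source, sev = (p.strip() for p in line.split(",", 3))
        iocs.append(Ioc(kind, value.lower(), source, int(sev)))
    return iocs


def parse_log_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Parse one constructed-format log line; malformed lines yield None."""
    try:
        ts, host, kv = line.split(" ", 2)
        kind, value = kv.split("=", 1)
        return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, kind, value.lower()
    except ValueError:
        return None


class IocMatcher:
    """Index indicators by (kind, value) so each event costs a single lookup."""

    def __init__(self, iocs: Iterable[Ioc] = ()):
        self._index: Dict[Tuple[str, str], Ioc] = {}
        self.add(iocs)

    def add(self, iocs: Iterable[Ioc]) -> None:
        """Ongoing mode: newly discovered IOCs take effect for every later event."""
        for ioc in iocs:
            key = (ioc.kind, ioc.value)
            # If two feeds report the same indicator, keep the higher severity.
            if key not in self._index or ioc.severity > self._index[key].severity:
                self._index[key] = ioc

    def observe(self, line: str) -> Optional[Hit]:
        parsed = parse_log_line(line)
        if parsed is None:
            return None
        ts, host, kind, value = parsed
        ioc = self._index.get((kind, value))
        return Hit(ts, host, ioc) if ioc else None


def historic_hunt(matcher: IocMatcher, log_text: str) -> List[Hit]:
    """Historic mode: replay stored telemetry through the matcher."""
    return [h for h in (matcher.observe(l) for l in log_text.splitlines()) if h]


def prioritize(hits: Iterable[Hit]) -> List[Tuple[str, int, int]]:
    """Rank hosts by worst severity seen, then by number of distinct indicators."""
    per_host: Dict[str, Tuple[int, set]] = {}
    for h in hits:
        sev, seen = per_host.get(h.host, (0, set()))
        per_host[h.host] = (max(sev, h.ioc.severity), seen | {h.ioc})
    ranked = [(host, sev, len(seen)) for host, (sev, seen) in per_host.items()]
    ranked.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return ranked


if __name__ == "__main__":
    m = IocMatcher(parse_feed(FEED))
    for host, sev, n in prioritize(historic_hunt(m, HISTORIC_LOGS)):
        print(f"{host}: severity {sev}, {n} distinct IOC(s) -> candidate for isolation")
```

The ranked list is what the correct step consumes: the host with the most severe and most numerous matches is the first candidate for isolation and remediation, while the same `IocMatcher` keeps running over new events so a host that contacts the indicator tomorrow is caught without another full replay.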

Page 14

Business and Security Outcomes

Protect, Detect and Correct plotted against the duration and scope of an incident:

“Pre-breach”: Delayed Progression – Significant Adversarial Effort

“Post-breach”: Minimized Dwell Time – Improved Disruption – Optimized Security Teams – $ Minimized Impact $
