Continuous Incident Response: The Need for Efficiency
Uploaded by mcafee (category: Technology)
Transcript of Continuous Incident Response: The Need for Efficiency
Paul Zimski, Intel Security
Continuous Incident Response
The Need for Efficiency
Security’s Perfect Storm
Fragmented Security Market
Industrialization of Cybercrime
Exponential Attack Surface Growth
There will be 26 smart objects and over 5TB of data for every person on Earth in 2020 – all 7.6 billion of us (Intel / IDC)
Up to 50 offerings to assess and secure an environment (Intel Security)
Business Realities
Linear Budgets
Skillset Shortages
Compliancy & Regulatory
Competitive Pressures
Breaches up 55% year over year
70-90% of malware is unique to a single organization
(Verizon DBIR 2015 / Intel Security Golden Hour Survey 2015)
State of Continuous Attack
On average, organizations conducted 78 security investigations last year
28% were the result of targeted attacks
(Intel Security: Tackling Attack Detection and Incident Response, 2015)
Incident Response – Cyber Resilience
Attack phases: Prepare, Compromise, Execute, Maneuver
(diagram: Protect, Detect, Correct laid out across “Pre-Breach” and “Post-Breach”; cost indicator from $ to $$$$)
Security Complexity is Not Scaling
(diagram: Protect, Detect, Correct plotted against duration and scope, from “pre-breach” to “post-breach”)
Compromise Within Minutes
Unacceptable “Dwell Time” – Days, Weeks, Months
Minimal Adversarial Effort
Overwhelmed Security Teams
$$$ Catastrophic Impact $$$
Continuous Incident Response: Applied integration, automation, and intelligence
Detect - Advanced monitoring identifies anomalous, outlier behavior to perceive low-threshold attacks that would otherwise go unnoticed
Protect - Comprehensive prevention stops the most pervasive attack vectors while also disrupting never-before-seen techniques and payloads
Adapt - Apply insights immediately throughout a collaborative infrastructure
Correct - Facilitated triage and response provides prioritization and fluid investigation
Protect
Comprehensive coverage against the most pervasive threat vectors
Global, organizational, and 3rd-party applied intelligence
Collaborative infrastructure acts as a single adaptive system
Connected Architecture
Efficient, thorough, automated communications between disparate sensors
Sensor classes: 3rd Party, Network, Data, Identity, Endpoint
Real-Time Messaging, Standardized Content, Adaptive Workflows
Efficiency in Communication
Detect
Deep, continuous, and automated visibility
Deviation and correlation-based analytics to isolate low-threshold signals
Threat Intelligence Orchestration to proactively hunt for attack footholds
Automated, Proactive Hunting
Historic - Detect if the organization has already been impacted by a newly discovered threat
Ongoing - Adapt current monitoring and analysis to identify advancing threats
(diagram: Intelligence feeds, IOC Consumption and Discovery, Countermeasures)
Correct
Prioritization to pinpoint the most critical incidents and apply limited resources accordingly
Fluid investigation with advanced pivot, drilldown and real-time detection & response
Automated and real-time response for immediate actions without operational friction
Workflow Automation: A Series of Un-integrated Events
Indicators: IOC 1, IOC 2, IOC 3, IOC 4
Components: Network & Gateway (Web Gateway, Email Gateway, NGFW, NIPS), Sandbox, SIEM, Endpoints
Steps handled separately by each component: analyze payload; hunt historic events; isolate and remediate previously compromised systems
Adaptive Learning and Response: Compressing Incident Duration
DXL Ecosystem
Network & Gateway (Web Gateway, Email Gateway, NGFW, NSP): Network and endpoints adapt
Sandbox: Payload is analyzed
SIEM (ESM): Continuous monitoring and proactive hunting for C2 communication, beaconing, exfiltration, access violations, lateral movement
New IOC intelligence (IOC 1, IOC 2, IOC 3, IOC 4) pinpoints historic breaches
Endpoints: Previously breached systems are isolated and remediated
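The hunting slide (Historic / Ongoing) and the two workflow slides above describe one loop: a sandbox publishes newly discovered IOCs, gateways and endpoints consume them so repeat attempts are blocked, the SIEM sweeps retained events to find hosts that were already touched, and the highest-severity hosts are isolated first. The Python below is an added example and is not code from the presentation or from Intel Security/McAfee. It assumes an in-process publish/subscribe bus as a stand-in for DXL (no DXL API is modelled), a constructed IOC set, and constructed SIEM event rows; all hosts, hashes, domains and timestamps are made up (the IP is from the documentation range).

```python
"""Simulated IOC-driven workflow: publish IOCs, block at the gateway, hunt
historic SIEM events, triage, isolate.  All data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class IOC:
    kind: str       # "sha256", "domain" or "ip"
    value: str
    severity: int   # 1 (low) .. 5 (critical), assigned by the discovering sensor


class Bus:
    """In-process publish/subscribe bus; stands in for a real message fabric
    such as DXL (assumption: DXL's actual API is not modelled here)."""

    def __init__(self):
        self._subs = defaultdict(list)

    def subscribe(self, topic, handler):
        self._subs[topic].append(handler)

    def publish(self, topic, msg):
        for handler in self._subs[topic]:
            handler(msg)


class Gateway:
    """Web/email/network gateway: every IOC it consumes becomes a block-list
    entry, so the 'ongoing' side of hunting stops repeat attempts."""

    def __init__(self, name):
        self.name = name
        self.blocklist = set()

    def on_ioc(self, ioc):
        self.blocklist.add((ioc.kind, ioc.value))

    def allows(self, kind, value):
        return (kind, value) not in self.blocklist


class SIEM:
    """Historic hunt: sweep retained events for an IOC discovered after the fact."""

    def __init__(self, events):
        self.events = events   # rows: ts, host, kind, value
        self.hits = []         # (ioc, event) pairs

    def on_ioc(self, ioc):
        for ev in self.events:
            if ev["kind"] == ioc.kind and ev["value"] == ioc.value:
                self.hits.append((ioc, ev))


def triage(hits):
    """Rank hosts by worst IOC severity, then by number of distinct IOCs seen,
    so limited responders start with the most critical incidents."""
    by_host = defaultdict(list)
    for ioc, ev in hits:
        by_host[ev["host"]].append(ioc)
    rows = [(host, max(i.severity for i in iocs), len({i.value for i in iocs}))
            for host, iocs in by_host.items()]
    return sorted(rows, key=lambda r: (r[1], r[2]), reverse=True)


def run_workflow(iocs, events, isolate_at=4):
    """Wire the components to the bus, publish the IOCs, triage the historic
    hits and isolate hosts whose worst hit reaches `isolate_at`."""
    bus, gw, siem = Bus(), Gateway("web-gateway"), SIEM(events)
    bus.subscribe("ioc", gw.on_ioc)
    bus.subscribe("ioc", siem.on_ioc)
    for ioc in iocs:
        bus.publish("ioc", ioc)
    ranked = triage(siem.hits)
    isolated = {host for host, sev, _ in ranked if sev >= isolate_at}
    return {"gateway": gw, "ranked": ranked, "isolated": isolated}


# Constructed IOCs, as a sandbox would publish after detonating a sample.
# 203.0.113.7 is from the documentation range; the hash is a placeholder.
SANDBOX_IOCS = [
    IOC("sha256", "deadbeef" * 8, 3),
    IOC("domain", "update-check.invalid", 4),
    IOC("ip", "203.0.113.7", 5),
]

# Constructed SIEM event rows (proxy/DNS/AV telemetry reduced to one indicator each).
EVENTS = [
    {"ts": "2015-06-01T09:12:00Z", "host": "ws-017", "kind": "domain", "value": "update-check.invalid"},
    {"ts": "2015-06-01T09:12:05Z", "host": "ws-017", "kind": "ip", "value": "203.0.113.7"},
    {"ts": "2015-06-03T14:40:00Z", "host": "ws-042", "kind": "domain", "value": "update-check.invalid"},
    {"ts": "2015-06-03T15:02:00Z", "host": "srv-db01", "kind": "domain", "value": "cdn.example.com"},
    {"ts": "2015-06-04T02:11:00Z", "host": "ws-088", "kind": "sha256", "value": "deadbeef" * 8},
]

if __name__ == "__main__":
    result = run_workflow(SANDBOX_IOCS, EVENTS)
    for host, sev, n in result["ranked"]:
        print(f"{host}: worst severity {sev}, {n} distinct IOC(s)")
    print("isolated:", sorted(result["isolated"]))
    print("gateway still allows update-check.invalid?",
          result["gateway"].allows("domain", "update-check.invalid"))
```

The point of the single bus is the one the slides make: each sensor subscribes once and reacts to the same message, so the historic sweep, the block-list update and the isolation decision happen in one pass instead of as separate, manually chained events. The `isolate_at` threshold is where a team encodes its own risk tolerance; lowering it trades more automatic containment for more false isolations.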
Business and Security Outcomes
(diagram: Protect, Detect, Correct plotted against duration and scope, from “pre-breach” to “post-breach”)
Minimized Dwell Time
Delayed Progression
Improved Disruption
Significant Adversarial Effort
Optimized Security Teams
$ Minimized Impact $