DETECTE E INVESTIGUE LAS AMENAZAS AVANZADAS
0 likes•188 views
The document outlines the importance of managing digital risk and includes strategies for enhancing threat detection and response across various environments like cloud and endpoints. It emphasizes digital transformation trends such as mobile integration, cloud infrastructure, and big data, while highlighting the necessity for businesses to modernize compliance programs and manage risks associated with advanced cyber threats. RSA provides a unified solution for organizations to detect and respond to evolving threats through various products and services.
![30
ORCHESTRATION & AUTOMATION
Gartner defines security orchestration, automation and response, or SOAR, as
technologies that enable organizations
• ORCHESTATION [to collect security threats data and alerts from different sources, where
incident analysis and triage can be performed leveraging a combination of human and
machine power]
• AUTOMATION [to help define, prioritize and drive standardized incident response activities
according to a standard workflow.]
SOAR tools allow an organization to define incident analysis and response procedures (aka
plays in a security operations playbook) in a digital workflow format, such that a range of
machine-driven activities can be automated.](https://image.slidesharecdn.com/webinar-detecteeinvestiguelasamenazasavanzadas-200626175201/85/DETECTE-E-INVESTIGUE-LAS-AMENAZAS-AVANZADAS-28-320.jpg)
DETECTE E INVESTIGUE LAS AMENAZAS AVANZADAS
- 1. 1 YO SIGO TRABAJANDO EN CASA [email protected] Senior System Engineer Bolivia, Ecuador & Perú
- 2. 3 Internal Use - Confidential MANAGING DIGITAL RISK AMID DISRUPTION Accelerate threat detection and response from the endpoint to the cloud For Security Digital Transformation [email protected] [email protected] Territory Manager NOLA Sr SecurID Account Manager [email protected] [email protected] Channels Mexico, CA, Caribe & NOLA Senior System Engineer Bolivia, Ecuador & Perú
- 7. 8 TRANSFORMACIÓN DIGITAL S O S T E N I B I L I D A D. C R E C I M I E N TO. E F I C I E N C I A . 8 Objetivo: Agrega valor en cada componente del proceso de negocio, de manera coherente a la estrategia general. Tranformación Digital Las cuatro tendencias: “Los móviles no son una plataforma más, sino la primera” La Nube. “Vamos a ser capaces de definir todas nuestras infraestructuras por software” Lo Social. “El negocio quiere integrarse en la vida del usuario y nos afecta” Big data. “En la parte de IAM no sabemos qué hacer, porque definir los controles de acceso va a ser complicado. De ahí que deba haber algún tipo de gestión diferente”.
- 8. 9 Internal Use - Confidential 9 S U P P LY C H A I N S E C U R I T Y O P E R AT I O N S W O R K F O R C E DISRUPTIONDISRUPTIONIoT Robotics Vulnerabilities Phishing Privacy GDPR Cloud
- 9. 10 Internal Use - Confidential 10 S E C U R I T Y O P E R AT I O N S W O R K F O R C E DISRUPTIONDISRUPTION CONTAIN ADAPTASSESSSUSTAIN Address compliance changes Manage risk assessments Address heightened threats Address cloud threats Manage vendor ecosystem (who, what, where, why) Manage continuity efforts Manage vendor disruption (supply chain continuity) Manage identity threats Expand remote workforce securely Ensure proper data access MANAGE PROCESS AUTOMATION RISK MANAGE PROCESS AUTOMATION RISK MITIGATE CYBER ATTACK RISK MITIGATE CYBER ATTACK RISK BUILD BUSINESS RESILIENCY BUILD BUSINESS RESILIENCY SECURE YOUR CLOUD TRANSFORMATION SECURE YOUR CLOUD TRANSFORMATION EVOLVE DATA GOVERNANCE & PRIVACY EVOLVE DATA GOVERNANCE & PRIVACY MANAGE THIRD PARTY RISK MANAGE THIRD PARTY RISK MANAGE DYNAMIC WORKFORCE RISK MANAGE DYNAMIC WORKFORCE RISK MODERNIZE YOUR COMPLIANCE PROGRAM MODERNIZE YOUR COMPLIANCE PROGRAM S U P P LY C H A I N
- 10. 12 Internal Use - Confidential 12 DIGITAL TRANSFORMATION VISIBILITY ACTION INSIGHT D I G I TA L R IS K MA N A G EME NT RISK MANAGEMENT IT SECURITY
- 11. 13 Internal Use - Confidential 13 Understand & Respond to Cyber-Threats Evolve Security & Risk Manage Complex Regulatory Landscape MANAGE DYNAMIC WORKFORCE RISK MANAGE PROCESS AUTOMATION RISK SECURE YOUR CLOUD TRANSFORMATION MODERNIZE YOUR COMPLIANCE PROGRAM BUILD BUSINESS RESILIENCY MANAGE THIRD PARTY RISK EVOLVE DATA GOVERNANCE & PRIVACY MITIGATE CYBER ATTACK RISK DIGITAL RISK MANAGEMENT
- 12. 14 Internal Use - Confidential RSA PORTAFOLIO Single, Unified Solution To Detect And Respond To Evolving Threats Netwitness Logs Netwitness Network Netwitness Endpoint Netwitness Cyber Incident and Breach Response Netwitness User and Entity Behavior Analytics Netwitness Orchestrator Accelerate Business While You Mitigate Identity Risk SecurID – Authentication Manager SecurID Access – MFA Identity Governance & Lifecycle Centralized Cross Channel Fraud For Unified Detection And Mitigation Fraud Action Adaptive Authentication Adaptive Authentication for Ecommerce Proven Business Risk Management Suite To Confidently IT Security & Risk Enterprise & Operational Risk 3rd Party Governance Business Resiliency Public Sector Audit Management Regulatory & Corporate Compliance
- 13. 15 Internal Use - Confidential Fraud Prevention & Mitigation Identity Management Risk Management Identify, Monitor, Detection, Prevention, Respond, Restore? IT SECURITY JOURNEY
- 14. 16 Internal Use - Confidential WHAT IS YOUR MANTRA IN IT SECURITY?
- 15. 17 ATTACKERS TAKE ADVANTAGE OF CHALLENGES TO TURN COMPROMISES INTO BREACHES Minutes Hours Days Weeks Months Breach Detected Breach Detected 3rd Party Detection compromised in MINUTES82% of exfiltration occurred in DAYS99% discovered in MONTHS64% Spear Phishing Attack Malware Installed Initial Compromise Communicate to External Server (C2) Breach Lateral Movement Discover Critical Assets Data Exfiltration
- 16. 18 TRADITIONAL METHODS WON’T PROTECT YOU “Traditional defense-in-depth components are still necessary, but are no longer sufficient in protecting against advanced targeted attacks and advanced malware” – Gartner Source: Gartner’s “Five Styles of Advanced Threat Defense” Network Traffic Analysis Style 1 Payload Analysis Style 3 Endpoint Behavior Analysis Style 4 Network Forensics Style 2 Endpoint Forensics Style 5 Where to Look Network Payload Endpoint Time SIEM NBA – NTA - NFA EDR
- 17. 19 VPN
- 18. 20 EVOLUTION OF THREAT ACTORS & DETECTION IMPLICATIONS Firewall IDS/IPS Antivirus Antimalware Correlacionador SIEM CAPA DE SEGURIDAD TRADICIONAL Visibilidad delaRED Visibilidad delTERMINAL Tecnologías Operacionales Tecnologías de información INFORMACION OBJETIVO INFRAESTRUCTURA CAPA DE SEGURIDAD AVANZADA ESPACIOBLANCO NOVIGILADO ATACANTES
- 19. 21 Detect Respond Network RSA NetWitness Endpoint Logs Orchestration Endpoint Logs Network RSA Advanced Cyber Defense RSA Incident Response RSA Professional Services Threat Intelligence (Live) RSA ADVANCED SOC SOLUTIONS
- 20. 22 METADATA It’s the story behind the data x.x.x.x 10.0.0.1 TCP/80 10.0.0.1 y.y.y.y UDP/53 China Web Server Tor Node HTTP Post no Get Base64 Encoded Payload Encrypted Zip File Apache runs PowerShell Command line with Zip Password Payload is FTP Logs Threat Intel Network Endpoint In a single interface, at capture time
- 21. 23 RSA NETWITNESS UEBA BEHAVIOURAL ANALYTICS SMART Alerts around specific use cases- e.g. Data exfiltration Context around detected risks- which user, what time / activity? Investigation of each detected alert anomaly RSA NETWITNESS LOGS BEHAVIORAL ANALYTICS UNIQUE UNSUPERVISED 3 STAGE MACHINE LEARNING OUTCOME
- 22. 24 ANALYZING LOGON ACTIVITY - EXAMPLE 3,009 Indicators 56 Alerts 37 High Risk Users 1.6B~Logon Events 7 Indicators Abnormal Logon Time Abnormal Source Computer Abnormal Destination Computer Multiple Successful Authentication Multiple Failed Authentications Multiple Source Computers Multiple Destination Computers Windows Logons (4624) 2 Months 5,000 AD users 1 Input Source Interactive Logons 4 Alerts Brute Force Authentication Non-Standard Hours User Login to Abnormal Computer User Logins to Multiple Hosts
- 23. 25 CONNECTING THE DOTS. LITERALLY. EFFECTIVE ANOMALY DETECTION IN ACTION User: Randall S. Anderson Raw events Threat Indicators Correlated alert with scoring
- 24. 26 CONNECTING THE DOTS. LITERALLY. EFFECTIVE ANOMALY DETECTION IN ACTION User: Randall S. Anderson Raw events Threat Indicators Correlated alert with scoring
- 25. 27 CONNECTING THE DOTS. LITERALLY. EFFECTIVE ANOMALY DETECTION IN ACTION User: Randall S. Anderson Raw events Threat Indicators Correlated alerts with scoring Alert Score = 15
- 26. 28CONFIDENTIAL VISUALIZING HOW UEBA WORKS WITH EXISTING RSA NETWITNESS LOGS Data from Existing RSA NetWitness Deployment Creates baseline of normal behavior UEBA Monitors Indicators / Continues to Collect Data Indicator 1 Indicator 2 Indicator 3 Indicator 4 Anomalies DetectedAnomalies Grouped Together Uniqueness: High Severity: High
- 27. 29CONFIDENTIAL SUPERVISED VS. UNSUPERVISED MACHINE LEARNING Supervised Machine Learning Item Attribute 1 Attribute 2 Large Red Medium Red Small Red Large Green Medium Green Small Green Large Blue Medium Blue Small Blue Large Yellow Medium Yellow Small Yellow ? Administrator has to label data types The system tries to decide what to do based on learned labels when data comes in
- 28. 30 ORCHESTRATION & AUTOMATION Gartner defines security orchestration, automation and response, or SOAR, as technologies that enable organizations • ORCHESTATION [to collect security threats data and alerts from different sources, where incident analysis and triage can be performed leveraging a combination of human and machine power] • AUTOMATION [to help define, prioritize and drive standardized incident response activities according to a standard workflow.] SOAR tools allow an organization to define incident analysis and response procedures (aka plays in a security operations playbook) in a digital workflow format, such that a range of machine-driven activities can be automated.
- 29. 31 RSA NETWITNESS ORCHESTATOR AUTHENTICATION DATA ENRICHMENT VULNERABILITY SIEM THREAT INTEL NETWORK FORENSICS ANALYTICS BYOI CASE MANAGEMENT ALERTS /INCIDENTS COLLABORATIONUSER/ENTITY RESPONSE ACTION MACHINE LEARNING CASE MANAGEMENT AUTOMATED PLAYBOOKS
- 30. 32 EMPOWER ANALYSTS WITH RISK & AUTOMATIONRSA NetWitness v11 Respond enables Essential Incident Management actions for a SOC RSA NetWitness Orchestrator enables Advanced Incident Orchestration & Automation Needs RSA Archer Cyber Incident & Breach Response enables a Business response to declared Security Incidents
- 31. 45 Internal Use - Confidential 45 INNOVATION TRUST LEADERSHIP ECOSYSTEM IoT Robotics Vulnerabilities Corporate Governance Privacy GDPR Cloud Digital BusinessRegulatory Change Hackers & Malware Encryption Authentication Fraud Risk Engine SIEM/SOAR Integrated Risk Management 35+ years 12,500+ customers 50M+ identities 2B consumers 94% of the Fortune 500 Recognized leadership by analyst firms Industry leading events and thought leadership Expertise, guided by proven frameworks 700+ practitioners 400+ global partners 1100+ product integrations Robust customer community WHY RSA