Cybersecurity is harder than it should be…

SIEM can be harder than it should be…
• If you think this is expensive, look twice, because it really is so.
• So many options that it can be bewildering.
• Implementation tedious, support often overlooks known bugs, interface clunky, non-intuitive.
• Starting to show its age. Not keeping up with current requirements.
• Great out of the box for meeting compliance requirements, but does not scale well.
• Needs technical training to take advantage of its capabilities and reporting.
Common Pitfalls (1)
• Failure to Perform Detailed Planning Before Buying
• Failure to Define Scope
• Overly Simplistic Scoping
• Monitoring Noise
• Lack of Sufficient Context
• Insufficient Resources
1 Overcoming Common Causes for SIEM Solution Deployment Failures, G00328573, 30 May 2017
A Real-World Example
• Tool selection (# tools x 5): 1/3 of project time
• Integration effort & maintenance: 7 business units, 40 offices, 4500 employees
• Local log storage (server and storage requirements)
• Agent deployments: disparate platforms and versions
• Kickoff / design / roll out (three quarters just for log data!)
• Configuration – noise / tuning, staffing; finally got to 2x/day manual review of alerts
• Staffing
  • 2 FTE to plan, execute, and manage roll out
  • 1 FTE to manage tooling, 2 FTE for monitoring and ops
  • 1 FTE for patching and change management; so, so much time spent convincing people to patch…
  • 4x the effort to hire a security analyst compared with an infrastructure engineer/admin; highest turnover rate (external opportunities, boredom of alert watching) = permanent state of hiring
Never delivered on promise after 2 years of best effort
Threat Landscape Maturity
• Industry and size no predictor of risk
• Attack automation and ‘spray and pray’
• Web applications still top target

1. Pro-active research: become aware of a vulnerability in the community, disclosed by the vendor, or from customer data analysis
2. Research and Intel teams work to understand the scope of the threat and investigate customer data
3. Exploit proof-of-concept code published on the dark web or other sites (e.g. ExploitDB)
4. Customer data manually investigated by research; exploit attempts seen based on the POC code
5. Vulnerability scan data used to identify customers at risk; pro-active outreach takes place
6. Telemetry detection content produced; research and content teams brief the SOC
7. Manual incidents raised by the SOC to customers affected by the emerging threat
8. Fully automated, false-positive-tuned incident content published
Recent Emerging Threats
• Drupal REST API Remote Code Execution
  • February 2019: critical remote code execution vulnerability against the Drupal API
• Jenkins Plugins Remote Code Execution
  • Remote code execution allows web shell deployment
• Blueimp jQuery-File-Upload
  • Arbitrary file upload vulnerability allows unauthenticated attackers to upload any file to the victim server
• Authentication Bypass in libssh Leaves Servers Vulnerable
  • Exploited to gain complete control over vulnerable servers, enabling attackers to steal encryption keys and user data, install rootkits and erase logs
• Oracle WebLogic JSP File Upload Vulnerability
  • Successful exploitation of this vulnerability provides attackers with shell access to the web server, which is a significant risk of compromise.
Attack Surface Penetration (attack phases and the controls that address each)
• IDENTIFY & RECON: manage exposures; ensure coding best practices
• INITIAL ATTACK: coding best practices; application monitoring; network monitoring; vulnerability management
• COMMAND & CONTROL: least privilege access; role-based access; network monitoring; log correlation
• DISCOVER & SPREAD: vulnerability management; user lifecycle management; network monitoring; log correlation
• EXTRACT & EXFILTRATE: file integrity monitoring; application response monitoring; network monitoring; least privilege access; role-based access
Introducing a Better Way
A Solution That SIEMlessly Works Across Environments

ASSESS
• Vulnerability scanning: software CVEs; network config; remediation workloads
• Auditing: AWS configuration exposures; auto-discovery, topology
DETECT
• Data inspection: web (HTTP) requests & responses; system logs (agent); network packets (IDS)
• Analytics: signatures & rules; anomaly detection; machine learning
• Live experts (ActiveWatch™): 24/7 monitoring; validation & enrichment; remediation advice
DEFEND
• In-line Web Application Firewall (WAF); active defense
COMPLY
• PCI-DSS, GDPR, HIPAA, SOX, SOC2, ISO, NIST, and COBIT
• Attestation reporting; log review & archiving

Diagram labels: Connected Devices; Incident Reports; Priority Alerts (15 minute SLA); Alerts; App Owners; Dev/Ops; Cloud; Security

A Better Way for Your Peace of Mind: SIEMless Threat Management™
We SIEMlessly Connect the Right Coverage for the Right Resources
Platform | Intelligence | Experts
Providing you: SIEMless by Design | Lower Total Cost | Always Advancing | Across Any Environment

Platform
• Asset discovery
• Vulnerability scanning
• Cloud configuration checks
• Compliance
• Threat Risk Index
• Remediation guidance
• Prioritization and next steps
• Comprehensive vulnerability library
• 24/7 email and phone support
• PCI Scanning and ASV support
• Service health monitoring
• Threat monitoring and visibility
• Intrusion detection
• Security analytics
• Log collection and monitoring
• Extensive log search capabilities to support investigations
• Event insights and analysis
• Threat frequency, severity, and status intelligence
• Attack prevention capabilities

ActiveWatch Professional
• 24/7 SOC with incident management, escalation, and response support
• Always-on WAF defense against web attacks (e.g. OWASP Top 10, emerging threats, zero-day vulnerabilities)
• Protection from SQL injection, DoS attacks, URL tampering, cross-site scripting attacks and more
• Verified testing against more than 2.1 million web application attacks
• Advanced detection capabilities to spot and block malicious activity

ActiveWatch Enterprise
• Security Posture Review
• Incident response assistance
• Threat hunting
• Help with tuning strategies, customized policies, and best practices

Deployment: ON-PREMISES | PUBLIC CLOUD | PRIVATE CLOUD
SIEMless Threat Management in Action: “Headline Risk Avoidance”
1. THREAT INTEL: In 2013, research of the Apache Struts vulnerability and development of a signature
2. SECURITY PLATFORM: Addition of signature (blocking) starting 2013
3. EXPERT DEFENDERS: Able to alert and raise incidents for customers
4. THREAT INTEL: Research of new variants, new defenses developed
5. SECURITY PLATFORM: Hardened defenses deployed in March 2017
6. EXPERT DEFENDERS: March 6, Alert Logic proactively notifies customers

Timeline
• 2013: Apache Struts vulnerability; Alert Logic attack blocking in place
• March 2017: Alert Logic hardens defenses and proactively notifies customers
• May 2017: A major credit rating agency discovers breach
• September 2017: The major credit rating agency publicly discloses breach; total cost is $439M
ALERT LOGIC CUSTOMERS ALREADY PROTECTED!