PREVENT MAJOR DATA BREACHES WITH THREAT LIFECYCLE MANAGEMENT

Seth Goldhammer, Senior Director of Product Management at LogRhythm

© 2017 ISACA. All Rights Reserved

WELCOME

• Audio is streamed over your computer

• Dial in numbers and codes are on the left

To receive your CPE credit:

1. Complete 3 checkpoints

- or -

2. Watch the recorded version from the beginning to the very end

• Don’t forget to take the survey!

Use the Papers tab to find the following:

• PDF copy of today’s presentation

• CPE job aid

• Have a question for the speaker? Access the Q&A tab

• Technical issues? Access the Help tab

• Questions or suggestions? Visit https://support.isaca.org

TODAY’S SPEAKER

Seth Goldhammer, Senior Director of Product Management at LogRhythm

AGENDA

1. Highlight the Current Threat Pandemic

2. Evaluate Market Approach and Offerings

3. KPIs: Mean Time to Detect and Respond

4. Cyber Attack Lifecycle

5. End to End Threat Lifecycle Management

6. Solution Requirements

THE MODERN CYBER THREAT PANDEMIC

321 Breaches in 2006

953 Breaches in 2010

3,930 Breaches in 2015

736 million records were exposed in 2015, compared to 96 million records in 2010

The security industry is facing serious talent and technology shortages

NO END IN SIGHT

• Motivated Threat Actors

• Cyber-crime

• Supply Chain

• Expanding Attack Surface

A NEW SECURITY APPROACH IS REQUIRED

Prevention-centric approaches can stop common threats

However, advanced threats:

• Require a broader view to recognize

• Only emerge over time

• Get lost in the noise

Big Data Analytics can best detect these threats:

• Big Data analytics to identify advanced threats

• Qualified and prioritized detection, reducing noise

• Incident response workflow orchestration and automation

• Capabilities to prevent high-impact breaches & damaging cyber incidents

STRATEGIC SHIFT TO DETECTION AND RESPONSE IS OCCURRING

By 2020, 60% of enterprise information security budgets will be allocated for rapid detection and response approaches, up from 20% in 2015. –Gartner, 2016

[Chart: IT security budgets for 2013, 2015 and 2020, each split between Prevention and Detection & Response]

Sources: Gartner, Shift Cybersecurity Investment to Detection and Response, January 2016; Gartner, Forecast: Information Security, Worldwide, 2014-2020, 1Q16 Update, April 2016. Note: Excludes security services from estimated overall market spend for enterprise information security.

FASTER DETECTION & RESPONSE REDUCES RISK

In 60% of cases, attackers are able to compromise an organization within minutes. –2015 Verizon Data Breach Report

205 median number of days that threat groups were present on a victim’s network before detection. –Mandiant M-Trends 2015

2,982 days was the longest time to detection observed. –Mandiant M-Trends 2015

[Chart: Risk & impact of breach, from Avoided to Devastating, plotted against MTTD & MTTR (mean time to detect and mean time to respond) on a scale of Minutes, Hours, Days, Weeks, Months and Years]

THE CYBER ATTACK LIFECYCLE

Modern threats take their time and leverage the holistic attack surface

1. Recon. & Planning

2. Initial Compromise

3. Command & Control

4. Lateral Movement

5. Target Attainment

6. Exfiltration, Corruption, Disruption

END-TO-END THREAT LIFECYCLE MANAGEMENT WORKFLOW

TIME TO DETECT / TIME TO RESPOND

Forensic Data Collection

• Security event data

• Log & machine data

• Forensic sensor data

Discover

• Search analytics

• Machine analytics

Qualify

• Assess threat

• Determine risk

• Is full investigation necessary?

Investigate

• Analyze threat

• Determine nature and extent of incident

Neutralize

• Implement counter-measures

• Mitigate threat & associated risk

Recover

• Clean up

• Report

• Review

• Adapt

PREPARING LOG DATA FOR ANALYSIS

Log sources: Wireless Access Management, Web Server, Virtualization, VPN, Switch, Storage, Router, Remote Access, Point of Sale, IAM, Firewall, File Integrity Monitor, Email Security, Database, Network Monitor Sensors, Endpoint Monitor Sensors

Data processing:

• Uniform Data Classification

• Uniform Data Structure

• Time Normalization

• User Persona

• Host Persona

• Geolocation

• Flow Direction

• …more

Benefits:

• Serves as IT environment abstraction layer

• Enables generic scenario representation

• Allows for high-efficacy packaged analytics modules
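The data-processing step above (uniform classification and structure, time normalization, user and host persona, geolocation, flow direction), as an added example that is not from the deck or from LogRhythm: two constructed log formats, a firewall syslog line and a VPN login line, are mapped onto one record schema and placed on a common UTC clock so that events from different sources can be ordered and compared. The line formats, the enrichment tables, the vpn01 time zone and the 10.0.0.1 concentrator address are all assumptions made for the example.

```python
import ipaddress
import re
from datetime import datetime, timezone, timedelta

# Constructed sample lines (not real logs): a firewall syslog line that carries
# a UTC offset, and a VPN appliance line stamped in local time with no zone.
SAMPLE_LINES = [
    "2017-03-01T08:15:02-05:00 fw01 DENY src=203.0.113.9 dst=10.0.0.5 dport=3389",
    "03/01/2017 13:20:45 vpn01 user=jsmith login ok from 198.51.100.23",
]

# Constructed enrichment tables standing in for asset, identity and geo data.
HOST_PERSONA = {"10.0.0.5": ("rdp-jump-01", "high")}   # ip -> (hostname, business value)
USER_PERSONA = {"jsmith": "finance"}                    # account -> department
GEO = {"203.0.113.0/24": "ZZ-A", "198.51.100.0/24": "ZZ-B"}  # prefix -> region code
VPN_LOCAL_TZ = timezone(timedelta(hours=1))   # assumption: vpn01 stamps events in UTC+1
VPN_CONCENTRATOR = "10.0.0.1"                  # assumption: internal address of vpn01
UTC_FMT = "%Y-%m-%dT%H:%M:%SZ"

FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
VPN_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"user=(?P<user>\S+) login (?P<result>ok|fail) from (?P<src>\S+)$")

# Explicit RFC 1918 list: ipaddress.is_private() would also treat the
# documentation ranges used in the sample lines as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def flow_direction(src, dst):
    """Flow direction derived from which side of the perimeter each endpoint is on."""
    s_int, d_int = is_internal(src), is_internal(dst)
    if s_int and d_int:
        return "lateral"
    if s_int:
        return "outbound"
    return "inbound" if d_int else "external"


def geolocate(ip):
    """Longest-prefix lookup is overkill here; the constructed table has no overlaps."""
    addr = ipaddress.ip_address(ip)
    for prefix, region in GEO.items():
        if addr in ipaddress.ip_network(prefix):
            return region
    return "unknown"


def uniform_record(time_utc, classification, host, src, dst, raw, user=None, dst_port=None):
    """The single schema every source is mapped onto, plus persona and geo context."""
    hostname, value = HOST_PERSONA.get(dst, (None, "unknown"))
    return {
        "time_utc": time_utc.strftime(UTC_FMT),
        "classification": classification,
        "origin_host": host,
        "src_ip": src, "src_geo": geolocate(src),
        "dst_ip": dst, "dst_port": dst_port,
        "dst_hostname": hostname, "dst_value": value,
        "user": user, "user_dept": USER_PERSONA.get(user),
        "direction": flow_direction(src, dst),
        "raw": raw,
    }


def normalize(line):
    """Map one raw line onto the uniform record; None when no parser matches."""
    m = FW_RE.match(line)
    if m:
        ts = datetime.fromisoformat(m["ts"]).astimezone(timezone.utc)  # offset is in the stamp
        cls = "Network Allow" if m["action"] == "ALLOW" else "Network Deny"
        return uniform_record(ts, cls, m["host"], m["src"], m["dst"], line,
                              dst_port=int(m["dport"]))
    m = VPN_RE.match(line)
    if m:
        # No zone in the stamp: attach the appliance's known local zone, then convert.
        local = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S").replace(tzinfo=VPN_LOCAL_TZ)
        ts = local.astimezone(timezone.utc)
        cls = "Authentication Success" if m["result"] == "ok" else "Authentication Failure"
        return uniform_record(ts, cls, m["host"], m["src"], VPN_CONCENTRATOR, line,
                              user=m["user"])
    return None


def normalize_all(lines):
    """Normalise every parsable line and order the result on the common UTC clock."""
    records = [r for r in map(normalize, lines) if r is not None]
    return sorted(records, key=lambda r: r["time_utc"])
```

On the sample input the VPN login (12:20:45Z) correctly sorts before the firewall deny (13:15:02Z) even though the raw firewall stamp reads 08:15, which is the point of normalising time before any cross-source analytics.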

KEY CHALLENGES IN BEHAVIORAL ANALYSIS

“Behavior” is not recognized by a single dimension, but the intersection of multiple dimensions each with multiple attributes

[Diagram: “Normal Behavior” at the intersection of six dimensions, each with its own attributes]

• User: Identity, Access, Privilege

• External Context: Threat Intelligence, IP Reputation, GeoLocation

• Application: Access, Transactions, Error

• Endpoint: Process, Access, File Activity, Resources

• Internal Context: Business Value, Asset Classification, Risk Rating, Vulnerability

• Network: Connection, Direction, Content, Volume

Manual discovery of what’s normal is impractical due to the sheer volume of data across multiple types of dimensions.

• An unmanageable volume of false positives based on benign anomalies

• Significant blind spots / false negatives

Need an automated technology to learn behavioral attributes across multiple dimensions

WHAT IS MACHINE LEARNING?

• Machine learning is a subfield of computer science that evolved from the study of pattern recognition and computational learning theory in artificial intelligence.

• Machine learning explores the study and construction of algorithms that can learn from and make predictions on data.

• Such algorithms operate by building a model from example inputs in order to make data-driven predictions or decisions, rather than following strictly static program instructions.

• A core component of learning is the ability to draw generalized conclusions from specific examples

• Supervised: Matching inputs and outputs are presented to the algorithm to “tune” its memory

• Unsupervised: Algorithm is left to its own devices to “tune” its memory

[Illustration: example images labelled “= fruit”]

THE CHALLENGE

The security analytics use case presents some unique challenges when applying machine learning

• Differentiation of anomaly detection vs. security threat detection

• Injection of domain knowledge required

• Cost of errors: false positives are expensive for security analytics; false negatives are a failure of security analytics

• Translation of algorithm output into actionable information

• Scale and heterogeneity of data

• Lack of training data makes supervised learning difficult at best

FUSION OF ANALYTICS METHODS

Behavioral Anomaly Detection (Behavioral Analytics)

• Machine learning techniques detecting anomalous activity unseen by pattern/scenario-based detection methods

• Baselining across months with near-real-time anomaly recognition

• Provides high-fidelity data to scenario-based analytics identifying and qualifying the highest priority threats

• Facilitates machine-assisted hunting

Scenario-Based Analytics (Enterprise Threat Qualification)

• Multi-dimensional scenario-based analytics

• Baselining across weeks with real-time recognition

• Machine learning via statistical and behavioral baselining

• Corroboration of anomalous behavior into a qualified threat alert, adding risk and threat context
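The fusion described above, as an added example that is not the deck's or LogRhythm's code: a per-user median/MAD baseline (the behavioral layer) flags anomalous outbound volume, and the scenario layer raises a qualified alert only when a second, independent dimension (a login geo never seen during the baseline window) corroborates it, with asset value adding risk context rather than evidence. The users, byte counts, geo codes, scoring weights and 14-day window are all constructed for the example.

```python
import statistics

ANOMALY_Z = 3.0       # robust z-score at which a single dimension counts as anomalous
BASELINE_DAYS = 14    # constructed window (the deck baselines across weeks or months)

# Constructed data (synthetic, not from any real environment): per-user daily
# outbound byte counts over the baseline window, the login geos seen in that
# window, and one evaluation day with the login geo and the value of the asset touched.
HISTORY = {
    "alice": [1_100_000 + 50_000 * (i % 3) for i in range(BASELINE_DAYS)],
    "bob":   [8_000_000 + 900_000 * (i % 4) for i in range(BASELINE_DAYS)],
    "carol": [2_000_000 + 10_000 * (i % 2) for i in range(BASELINE_DAYS)],
}
KNOWN_GEO = {"alice": {"ZZ-A"}, "bob": {"ZZ-A"}, "carol": {"ZZ-A"}}
TODAY = {  # user: (bytes_out, login_geo, asset_value)
    "alice": (9_500_000, "ZZ-B", "high"),   # volume spike + new geo + high-value asset
    "bob":   (9_800_000, "ZZ-A", "low"),    # large in absolute terms, normal for bob
    "carol": (2_400_000, "ZZ-A", "low"),    # volume spike only: anomalous, not a threat
}


def baseline(values):
    """Per-entity baseline as median and MAD, so a few unusual days inside the
    window do not drag the baseline along with them."""
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values) or 1.0  # guard constant history
    return med, mad


def anomaly_score(value, med, mad):
    """Robust z-score: scaled MADs above the entity's own baseline (the 1.4826
    factor makes MAD comparable to a standard deviation under normality)."""
    return (value - med) / (1.4826 * mad)


def qualify(user, bytes_out, geo, asset_value):
    """Scenario layer: an anomaly on one dimension is evidence, not an alert.
    Corroboration across independent dimensions yields a qualified alert."""
    med, mad = baseline(HISTORY[user])
    z = anomaly_score(bytes_out, med, mad)
    evidence, points = [], 0
    if z >= ANOMALY_Z:
        evidence.append("outbound volume %.1f scaled MADs above baseline" % z)
        points += 40
    if geo not in KNOWN_GEO[user]:
        evidence.append("login from geo %s not seen in baseline window" % geo)
        points += 30
    # Asset value is context: it raises the risk of real evidence, never creates it.
    if points and asset_value == "high":
        points += 30
    return {
        "user": user,
        "z": round(z, 1),
        "evidence": evidence,
        "risk": min(100, points),
        "qualified": len(evidence) >= 2,
    }


def qualify_all(today):
    """Qualify every entity for the evaluation day, highest risk first."""
    alerts = [qualify(u, *obs) for u, obs in today.items()]
    return sorted(alerts, key=lambda a: a["risk"], reverse=True)
```

Run on the constructed day, only alice produces a qualified alert: bob's 9.8 MB is ordinary against his own baseline, and carol's spike stays an unqualified anomaly because no second dimension corroborates it, which is the noise reduction the corroboration step is meant to deliver.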

EXPEDITING RESPONSE

Goal: Expedite forensic analysis by creating a work area that allows users to analyze multiple datasets related to a common ongoing investigation

Incident Detection: Begins with an alarm, event, or log.

Case Creation: Cases must be created instantly from any view. Access should be explicit and communication controlled.

Incident Response: Cases should always be accessible, enabling information from alarms, log or audit data, files, PCAPs, etc., to be quickly added and annotated.

Collaboration + Automation: Pre-identify escalation paths by incident type, employ smart “eyeballs”, automate mundane tasks, add quick approval processes for countermeasures.

Incident Resolution: Detailed history of the case, including relevant evidence and workflows for long-term IR management.

THIS APPROACH IS NOT EFFECTIVE

[Diagram: separate products]

• Log Management

• SIEM

• Endpoint Monitoring & Forensics

• Security Analytics

• Security Automation & Orchestration

• Network Behavioral Analytics

OBSTACLES TO FASTER DETECTION & RESPONSE

• Alarm Fatigue

• Swivel Chair Analysis

• Forensic Data Silos

• Fragmented Workflow

• Lack of Automation

SOLUTION REQUIREMENTS

Workflow (TIME TO DETECT / TIME TO RESPOND): Forensic Data Collection, Discover, Qualify, Investigate, Neutralize, Recover

• Unified Platform Supporting End-to-End Workflow

• Holistic Visibility

• Search and Machine-Based Analytics Enabled by Data Processing

• Scenario and Machine Learning Analytics

• Embedded Security Automation and Orchestration

THANK YOU

Questions?

THIS TRAINING CONTENT (“CONTENT”) IS PROVIDED TO YOU WITHOUT WARRANTY, “AS IS” AND “WITH ALL FAULTS.” ISACA MAKES NO REPRESENTATIONS OR WARRANTIES EXPRESS OR IMPLIED, INCLUDING THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR PERFORMANCE, AND NON-INFRINGEMENT, ALL OF WHICH ARE HEREBY EXPRESSLY DISCLAIMED. YOU ASSUME THE ENTIRE RISK FOR USE OF THE CONTENT AND ACKNOWLEDGE THAT: ISACA HAS DESIGNED THE CONTENT PRIMARILY AS AN EDUCATIONAL RESOURCE FOR IT PROFESSIONALS AND THEREFORE THE CONTENT SHOULD NOT BE DEEMED EITHER TO SET FORTH ALL APPROPRIATE PROCEDURES, TESTS, OR CONTROLS OR TO SUGGEST THAT OTHER PROCEDURES, TESTS, OR CONTROLS THAT ARE NOT INCLUDED MAY NOT BE APPROPRIATE; ISACA DOES NOT CLAIM THAT USE OF THE CONTENT WILL ASSURE A SUCCESSFUL OUTCOME AND YOU ARE RESPONSIBLE FOR APPLYING PROFESSIONAL JUDGMENT TO THE SPECIFIC CIRCUMSTANCES PRESENTED TO DETERMINING THE APPROPRIATE PROCEDURES, TESTS, OR CONTROLS.

Copyright © 2017 by the Information Systems Audit and Control Association, Inc. (ISACA). All rights reserved. This webinar may not be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise).

THANK YOU FOR ATTENDING THIS WEBINAR