TRANSCRIPT · 2020-04-29
© 2017 ISACA. All Rights Reserved
PREVENT MAJOR DATA BREACHES WITH THREAT LIFECYCLE MANAGEMENT
Seth Goldhammer, Senior Director of Product Management at LogRhythm
WELCOME
• Audio is streamed over your computer
• Dial in numbers and codes are on the left
To receive your CPE credit:
1. Complete 3 checkpoints
- or -
2. Watch the recorded version from the beginning to the very end
• Don’t forget to take the survey!
Use the Papers tab to find the following:
• PDF Copy of today’s presentation
• CPE job aid
• Have a question for the speaker? Access the Q&A tab
• Technical issues? Access the Help tab
• Questions or suggestions? Visit https://support.isaca.org
AGENDA
1. Highlight the Current Threat Pandemic
2. Evaluate Market Approach and Offerings
3. KPIs: Mean Time to Detect and Respond
4. Cyber Attack Lifecycle
5. End to End Threat Lifecycle Management
6. Solution Requirements
THE MODERN CYBER THREAT PANDEMIC
321 Breaches in 2006
953 Breaches in 2010
3,930 Breaches in 2015
736 million records were exposed in 2015, compared to 96 million records in 2010
The security industry is facing serious talent and technology shortages
NO END IN SIGHT
• Motivated Threat Actors
• Cyber-crime
• Supply Chain
• Expanding Attack Surface
A NEW SECURITY APPROACH IS REQUIRED
Prevention-centric approaches can stop common threats
However, advanced threats:
• Require a broader view to recognize
• Only emerge over time
• Get lost in the noise
Big Data Analytics can best detect these threats:
• Big Data analytics to identify advanced threats
• Qualified and prioritized detection, reducing noise
• Incident response workflow orchestration and automation
• Capabilities to prevent high-impact breaches & damaging cyber incidents
STRATEGIC SHIFT TO DETECTION AND RESPONSE IS OCCURRING
By 2020, 60% of enterprise information security budgets will be allocated for rapid detection and response approaches, up from 20% in 2015. – Gartner, 2016
[Chart: share of IT security budgets going to Prevention versus Detection & Response, shown for 2013, 2015 and 2020]
Sources: Gartner, Shift Cybersecurity Investment to Detection and Response, January 2016; Gartner, Forecast: Information Security, Worldwide, 2014-2020, 1Q16 Update, April 2016. Note: Excludes security services from estimated overall market spend for enterprise information security
FASTER DETECTION & RESPONSE REDUCES RISK
[Chart: risk & impact of breach, from Avoided to Devastating, plotted against MTTD & MTTR (mean time to detect and mean time to respond) on a scale of Minutes, Hours, Days, Weeks, Months, Years]
In 60% of cases, attackers are able to compromise an organization within minutes. – 2015 Verizon Data Breach Report
205 median number of days that threat groups were present on a victim’s network before detection. – Mandiant M-Trends 2015
2,982 days was the longest time to detection observed. – Mandiant M-Trends 2015
THE CYBER ATTACK LIFECYCLE
Modern threats take their time and leverage the holistic attack surface
1. Recon. & Planning
2. Initial Compromise
3. Command & Control
4. Lateral Movement
5. Target Attainment
6. Exfiltration, Corruption, Disruption
END-TO-END THREAT LIFECYCLE MANAGEMENT WORKFLOW
TIME TO DETECT: Forensic Data Collection, Discover, Qualify
TIME TO RESPOND: Investigate, Neutralize, Recover
Forensic Data Collection
• Security event data
• Log & machine data
• Forensic sensor data
Discover
• Search analytics
• Machine analytics
Qualify
• Assess threat
• Determine risk
• Is full investigation necessary?
Investigate
• Analyze threat
• Determine nature and extent of incident
Neutralize
• Implement counter-measures
• Mitigate threat & associated risk
Recover
• Clean up
• Report
• Review
• Adapt
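The KPI slide and the workflow above give the two clocks but not how to compute them. The following is an added example, not code from the ISACA deck or from LogRhythm: it stores the phase timestamps of each case, derives time to detect (first evidence to end of Qualify) and time to respond (end of Qualify to end of Recover), reports mean and median, and maps a duration onto the Minutes-to-Years bands of the risk chart. The case ids, timestamps and the band boundaries are constructed assumptions.

```python
"""Added example, not code from the ISACA/LogRhythm deck: computing the
Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) KPIs from the
phase timestamps of the Threat Lifecycle Management workflow, and mapping
a duration onto the Minutes..Years bands of the risk chart.
All incident records below are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import mean, median


@dataclass(frozen=True)
class Incident:
    case_id: str
    first_evidence: datetime  # earliest attacker activity present in collected forensic data
    qualified: datetime       # end of Qualify: confirmed as a real threat, so the detect clock stops
    recovered: datetime       # end of Recover: environment restored, so the respond clock stops

    def time_to_detect(self) -> timedelta:
        # Forensic Data Collection -> Discover -> Qualify
        return self.qualified - self.first_evidence

    def time_to_respond(self) -> timedelta:
        # Investigate -> Neutralize -> Recover
        return self.recovered - self.qualified


def _utc(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)


# Constructed sample incidents (hypothetical case ids and timestamps)
INCIDENTS = [
    Incident("C-1001", _utc("2017-03-01T08:00"), _utc("2017-03-01T09:30"), _utc("2017-03-01T15:30")),
    Incident("C-1002", _utc("2017-02-10T02:00"), _utc("2017-03-12T02:00"), _utc("2017-03-19T02:00")),
    Incident("C-1003", _utc("2017-03-20T10:00"), _utc("2017-03-20T10:20"), _utc("2017-03-20T12:20")),
]


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600


def kpis(incidents) -> dict:
    """Mean and median time to detect and respond, in hours.
    The median is reported next to the mean because a single long-dwell
    incident (C-1002 here) dominates the mean."""
    ttd = [_hours(i.time_to_detect()) for i in incidents]
    ttr = [_hours(i.time_to_respond()) for i in incidents]
    return {
        "mttd_hours": mean(ttd), "median_ttd_hours": median(ttd),
        "mttr_hours": mean(ttr), "median_ttr_hours": median(ttr),
    }


def longest_dwell(incidents) -> tuple:
    """Case id and dwell time in days of the slowest detection."""
    worst = max(incidents, key=lambda i: i.time_to_detect())
    return worst.case_id, worst.time_to_detect().total_seconds() / 86400


# Constructed upper bounds (hours) for the bands on the chart's time axis
BANDS = [("Minutes", 1), ("Hours", 24), ("Days", 7 * 24), ("Weeks", 30 * 24), ("Months", 365 * 24)]


def band(hours: float) -> str:
    for name, upper in BANDS:
        if hours < upper:
            return name
    return "Years"


if __name__ == "__main__":
    k = kpis(INCIDENTS)
    for name, value in k.items():
        print(f"{name:18s} {value:9.2f} h  ({band(value)})")
    print("longest dwell:", longest_dwell(INCIDENTS))
```

Tracking the median as well as the mean matters in practice: one incident with a month of dwell pushes the mean MTTD into the Weeks band while the typical case is still detected within hours, which is exactly the distribution the M-Trends figures describe.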
PREPARING LOG DATA FOR ANALYSIS
Log sources: Wireless Access Management, Web Server, Virtualization, VPN, Switch, Storage, Router, Remote Access, Point of Sale, IAM, Firewall, File Integrity Monitor, Email Security, Database, Network Monitor Sensors, Endpoint Monitor Sensors
Data processing:
• Uniform Data Classification
• Uniform Data Structure
• Time Normalization
• User Persona
• Host Persona
• Geolocation
• Flow Direction
• …more
Benefits:
• Serves as IT environment abstraction layer
• Enables generic scenario representation
• Allows for high-efficacy packaged analytics modules
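As an added example of the processing steps just listed (not code from the deck or from LogRhythm), the block below takes a raw line from two differently formatted sources and emits one uniform record: a common classification, one field set, timestamps converted to UTC from each source's local offset, user and host identities folded onto persona keys, and flow direction derived from internal address ranges. The log formats, hostnames, time offsets, networks and persona tables are constructed; geolocation is left out because it needs an external IP database.

```python
"""Added example, not the deck's or LogRhythm's code: normalizing raw log
lines from two different sources into one uniform structure (uniform
classification and structure, time normalization, user and host persona,
flow direction). All formats and environment tables are constructed."""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed environment knowledge used for enrichment
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
HOST_PERSONA = {"fw-edge-01": "H-100", "vpn-gw-02": "H-200"}   # hostname -> unified host id
SOURCE_TZ_OFFSET = {"fw-edge-01": -7, "vpn-gw-02": 0}          # hours; the firewall logs local time

# Constructed log formats: a key=value firewall line and a VPN gateway line
FW_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
                   r"action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
VPN_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) event=login result=(?P<result>\w+) "
                    r"user=(?P<user>\S+) client=(?P<client>\S+) assigned=(?P<assigned>\S+)$")

SAMPLE_LINES = [  # constructed
    "Mar 14 2017 09:15:02 fw-edge-01 action=allow src=10.1.2.3 dst=203.0.113.7 dport=443",
    "2017-03-14T16:15:30Z vpn-gw-02 event=login result=success user=CORP\\jdoe client=198.51.100.9 assigned=10.8.0.12",
]


def to_utc(stamp: str, fmt: str, offset_hours: int) -> str:
    """Time normalization: interpret the source's local timestamp and emit ISO 8601 UTC."""
    local = datetime.strptime(stamp, fmt).replace(tzinfo=timezone(timedelta(hours=offset_hours)))
    return local.astimezone(timezone.utc).isoformat()


def user_persona(raw: str) -> str:
    """User persona: fold CORP\\jdoe, jdoe@corp.example and jdoe onto one identity key."""
    name = raw.strip().lower()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return f"U:{name}"


def flow_direction(src: str, dst: str) -> str:
    """Flow direction derived from which side of the connection is on an internal network."""
    s = any(ipaddress.ip_address(src) in n for n in INTERNAL_NETS)
    d = any(ipaddress.ip_address(dst) in n for n in INTERNAL_NETS)
    return {(True, True): "internal", (True, False): "outbound", (False, True): "inbound"}.get((s, d), "external")


def normalize(line: str) -> dict:
    """Uniform data structure: every source ends up with the same field set."""
    m = FW_RE.match(line)
    if m:
        host = m["host"]
        return {
            "ts_utc": to_utc(m["ts"], "%b %d %Y %H:%M:%S", SOURCE_TZ_OFFSET[host]),
            "host": HOST_PERSONA.get(host, host),
            "classification": {"allow": "Network Allow", "deny": "Network Deny"}[m["action"]],
            "user": None,
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
            "direction": flow_direction(m["src"], m["dst"]),
        }
    m = VPN_RE.match(line)
    if m:
        host = m["host"]
        return {
            "ts_utc": to_utc(m["ts"], "%Y-%m-%dT%H:%M:%SZ", SOURCE_TZ_OFFSET[host]),
            "host": HOST_PERSONA.get(host, host),
            "classification": "Authentication Success" if m["result"] == "success" else "Authentication Failure",
            "user": user_persona(m["user"]),
            "src": m["client"], "dst": m["assigned"], "dport": None,
            "direction": flow_direction(m["client"], m["assigned"]),
        }
    raise ValueError(f"unrecognized log format: {line!r}")


if __name__ == "__main__":
    for rec in map(normalize, SAMPLE_LINES):
        print(rec)
```

Once both records share the same field names, UTC clock and identity keys, a scenario such as "authentication from an external address followed by outbound traffic from the same user" can be written once against the abstraction layer rather than once per log source, which is the benefit the slide claims.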
KEY CHALLENGES IN BEHAVIORAL ANALYSIS
“Behavior” is not recognized by a single dimension, but the intersection of multiple dimensions each with multiple attributes
Dimensions and attributes surrounding normal behavior:
• User: Identity, Access, Privilege
• External Context: Threat Intelligence, IP Reputation, GeoLocation
• Application: Access, Transactions, Error
• Endpoint: Process, Access, File Activity, Resources
• Internal Context: Business Value, Asset Classification, Risk Rating, Vulnerability
• Network: Connection, Direction, Content, Volume
Manual discovery of what’s normal is impractical due to the sheer volume of data across multiple types of dimensions:
• An unmanageable volume of false positives based on benign anomalies
• Significant blind spots / false negatives
Need an automated technology to learn behavioral attributes across multiple dimensions
WHAT IS MACHINE LEARNING?
• Machine learning is a subfield of computer science that evolved from the study of pattern recognition and computational learning theory in artificial intelligence.
• Machine learning explores the study and construction of algorithms that can learn from and make predictions on data.
• Such algorithms operate by building a model from example inputs in order to make data-driven predictions or decisions, rather than following strictly static program instructions.
• A core component of learning is the ability to draw generalized conclusions from specific examples
• Supervised: Matching inputs and outputs are presented to the algorithm to “tune” its memory
• Unsupervised: Algorithm is left to its own devices to “tune” its memory
[Figure: example images labelled “= fruit”]
THE CHALLENGE
The security analytics use case presents some unique challenges when applying machine learning:
• Differentiation of anomaly detection vs. security threat detection
• Injection of domain knowledge required
• Cost of errors: false positives are expensive for security analytics; false negatives are a failure of security analytics
• Translation of algorithm output into actionable information
• Scale and heterogeneity of data
• Lack of training data makes supervised learning difficult at best
FUSION OF ANALYTICS METHODS
Behavioral Analytics (Behavioral Anomaly Detection)
• Machine learning techniques detecting anomalous activity unseen by pattern/scenario-based detection methods
• Baselining across months with near-real-time anomaly recognition
• Provides high-fidelity data to scenario-based analytics identifying and qualifying the highest priority threats
• Facilitates machine-assisted hunting
Enterprise Threat Qualification (Scenario-Based Analytics)
• Multi-dimensional scenario-based analytics
• Baselining across weeks with real-time recognition
• Machine learning via statistical and behavioral baselining
• Corroboration of anomalous behavior into a qualified threat alert, adding risk and threat context
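The two layers above, and the false-positive problem raised under KEY CHALLENGES IN BEHAVIORAL ANALYSIS, are easier to see in code. The following is an added example, not code from the deck or from LogRhythm: the behavioral layer baselines each user's daily outbound volume over several weeks and flags the latest day by z-score, and the scenario layer corroborates each anomaly with context from the other dimensions (threat intelligence on the destination, asset risk rating, privilege) before raising a qualified alert, so a benign anomaly stays below the alert threshold. The users, volumes, context values and scoring weights are constructed assumptions.

```python
"""Added example, not code from the deck or from LogRhythm: behavioral
baselining per user plus scenario-based corroboration into a qualified alert.
Users, volumes, context and scoring weights are constructed."""
from statistics import mean, pstdev

# Constructed: 27 days of history plus today's value, outbound MB per user
DAILY_OUTBOUND_MB = {
    "jdoe":       [200, 240] * 13 + [220, 900],   # normally 200-240, today 900
    "asmith":     [100, 110] * 13 + [105, 400],   # anomalous day, but benign context below
    "svc-backup": [480, 520] * 13 + [500, 505],   # within its usual range
}

# Constructed context for corroboration (would come from threat intel and asset inventory feeds)
CONTEXT = {
    "jdoe":       {"dst_ip_on_threat_list": True,  "asset_risk_rating": 2, "privileged": False},
    "asmith":     {"dst_ip_on_threat_list": False, "asset_risk_rating": 1, "privileged": False},
    "svc-backup": {"dst_ip_on_threat_list": False, "asset_risk_rating": 3, "privileged": True},
}


def baseline(history):
    """Mean and standard deviation of the history window. A perfectly flat history
    gives sigma 0 and would make any tiny change look infinite, so sigma is floored
    at 1% of the mean (a constructed choice)."""
    mu = mean(history)
    sigma = max(pstdev(history), 0.01 * mu)
    return mu, sigma


def behavioral_anomalies(series_by_user, threshold=3.0):
    """Behavioral Analytics layer: users whose latest day sits more than `threshold`
    standard deviations above their own multi-week baseline."""
    found = {}
    for user, series in series_by_user.items():
        history, today = series[:-1], series[-1]
        mu, sigma = baseline(history)
        z = (today - mu) / sigma
        if z > threshold:
            found[user] = {"z": round(z, 2), "today": today, "baseline_mean": round(mu, 1)}
    return found


def qualify(anomalies, context, alert_threshold=70):
    """Enterprise Threat Qualification layer: an anomaly alone is not a threat; it
    becomes a qualified alert only when corroborating risk and threat context pushes
    the score over the threshold. Weights are constructed for illustration."""
    alerts = []
    for user, anomaly in anomalies.items():
        ctx = context[user]
        score = 30
        reasons = [f"outbound volume z={anomaly['z']} vs baseline {anomaly['baseline_mean']} MB"]
        if ctx["dst_ip_on_threat_list"]:
            score += 40
            reasons.append("destination on threat intelligence list")
        score += 10 * ctx["asset_risk_rating"]      # 0..3 from asset classification
        if ctx["privileged"]:
            score += 10
            reasons.append("privileged account")
        if score >= alert_threshold:
            alerts.append({"user": user, "risk_score": score, "reasons": reasons})
    return sorted(alerts, key=lambda a: -a["risk_score"])


if __name__ == "__main__":
    anomalies = behavioral_anomalies(DAILY_OUTBOUND_MB)
    print("behavioral anomalies:", anomalies)
    print("qualified alerts:", qualify(anomalies, CONTEXT))
```

Both jdoe and asmith are statistical outliers on the volume dimension alone; only jdoe becomes an alert, because the destination's reputation and the asset's risk rating corroborate the anomaly. That split is the difference the deck draws between anomaly detection and security threat detection.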
EXPEDITING RESPONSE
Goal: Expedite forensic analysis by creating a work area that allows users to analyze multiple datasets related to a common ongoing investigation
Incident Detection: Begins with an alarm, event, or log
Case Creation: Cases must be created instantly from any view. Access should be explicit and communication controlled.
Incident Response: Cases should always be accessible, enabling information from alarms, log or audit data, files, PCAPs, etc., to be quickly added and annotated.
Collaboration + Automation: Pre-identify escalation paths by incident type, employ smart “eyeballs”, automate mundane tasks, add quick approval processes for countermeasures.
Incident Resolution: Detailed history of the case, including relevant evidence and workflows for long-term IR management.
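As an added example of the case properties listed above (not the deck's or LogRhythm's code), the block below implements a minimal case object: access is explicit, so only listed collaborators can read or change the case; evidence is hashed and annotated as it is attached; escalation paths are pre-identified per incident type; a countermeasure needs approval from someone holding a role on that path; and every action lands in an append-only history. The incident types, roles, users and evidence bytes are constructed.

```python
"""Added example, not the deck's or LogRhythm's code: a minimal incident case
with explicit access, hashed and annotated evidence, pre-identified escalation
paths, an approval gate for countermeasures and an append-only history.
Roles, incident types and data are constructed."""
import hashlib
from datetime import datetime, timezone

# Constructed: pre-identified escalation paths, incident type -> roles that may approve countermeasures
ESCALATION_PATHS = {
    "malware": ("soc_lead", "ir_manager"),
    "data_exfiltration": ("ir_manager", "ciso"),
}
# Constructed directory of analysts and their roles
ROLES = {"ana": "analyst", "lee": "soc_lead", "mia": "ir_manager", "raj": "ciso"}


class AccessDenied(PermissionError):
    pass


class Case:
    def __init__(self, case_id, incident_type, owner, source):
        if incident_type not in ESCALATION_PATHS:
            raise ValueError(f"no escalation path defined for {incident_type!r}")
        self.case_id = case_id
        self.incident_type = incident_type
        self.collaborators = {owner}       # explicit access list; nobody else can touch the case
        self.evidence = []
        self.history = []                  # append-only detailed history for long-term IR management
        self.approvals = {}                # countermeasure -> approving user
        self._record(owner, "created", f"opened from {source}")

    def has_access(self, user):
        return user in self.collaborators

    def _require(self, user):
        if not self.has_access(user):
            raise AccessDenied(f"{user} is not a collaborator on {self.case_id}")

    def _record(self, user, action, detail):
        self.history.append((datetime.now(timezone.utc).isoformat(), user, action, detail))

    def grant(self, by, user):
        """Collaboration: access is extended explicitly by an existing collaborator."""
        self._require(by)
        self.collaborators.add(user)
        self._record(by, "grant", f"added {user}")

    def add_evidence(self, user, kind, payload, note):
        """Attach an artifact (alarm, log extract, file, PCAP ...) with its hash and an annotation."""
        self._require(user)
        digest = hashlib.sha256(payload).hexdigest()
        self.evidence.append({"kind": kind, "sha256": digest, "note": note, "added_by": user})
        self._record(user, "evidence", f"{kind} sha256={digest[:12]}")
        return digest

    def approve_countermeasure(self, approver, action):
        """Quick approval gate: the approver must be on the case and hold a role on the
        incident type's escalation path. Returns the outcome instead of acting."""
        self._require(approver)
        role = ROLES.get(approver)
        if role not in ESCALATION_PATHS[self.incident_type]:
            self._record(approver, "approval_rejected", f"{action}: role {role} not on escalation path")
            return "rejected"
        self.approvals[action] = approver
        self._record(approver, "approval", action)
        return "approved"

    def can_execute(self, action):
        """Automation hook: mundane tasks may run freely, countermeasures only once approved."""
        return action in self.approvals


if __name__ == "__main__":
    case = Case("C-2001", "data_exfiltration", "ana", "alarm: outbound volume anomaly")
    case.add_evidence("ana", "pcap", b"constructed capture bytes", "suspect session to external host")
    case.grant("ana", "mia")
    print(case.approve_countermeasure("mia", "block destination at firewall"))
    for entry in case.history:
        print(entry)
```

Keeping the approval decision separate from the action that executes it is what lets automation run the mundane steps while a human on the escalation path still signs off on anything that changes production.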
THIS APPROACH IS NOT EFFECTIVE
[Figure: separate tools for Log Management, SIEM, Endpoint Monitoring & Forensics, Security Analytics, Security Automation & Orchestration, and Network Behavioral Analytics]
OBSTACLES TO FASTER DETECTION & RESPONSE
• Alarm Fatigue
• Swivel Chair Analysis
• Forensic Data Silos
• Fragmented Workflow
• Lack of Automation
SOLUTION REQUIREMENTS
TIME TO DETECT: Forensic Data Collection, Discover, Qualify
TIME TO RESPOND: Investigate, Neutralize, Recover
• Unified Platform Supporting End-to-End Workflow
• Holistic Visibility
• Search and Machine-Based Analytics Enabled by Data Processing
• Scenario and Machine Learning Analytics
• Embedded Security Automation and Orchestration
THANK YOU
Questions?
THIS TRAINING CONTENT (“CONTENT”) IS PROVIDED TO YOU WITHOUT WARRANTY, “AS IS” AND “WITH ALL FAULTS.” ISACA MAKES NO REPRESENTATIONS OR WARRANTIES EXPRESS OR IMPLIED, INCLUDING THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR PERFORMANCE, AND NON-INFRINGEMENT, ALL OF WHICH ARE HEREBY EXPRESSLY DISCLAIMED. YOU ASSUME THE ENTIRE RISK FOR USE OF THE CONTENT AND ACKNOWLEDGE THAT: ISACA HAS DESIGNED THE CONTENT PRIMARILY AS AN EDUCATIONAL RESOURCE FOR IT PROFESSIONALS AND THEREFORE THE CONTENT SHOULD NOT BE DEEMED EITHER TO SET FORTH ALL APPROPRIATE PROCEDURES, TESTS, OR CONTROLS OR TO SUGGEST THAT OTHER PROCEDURES, TESTS, OR CONTROLS THAT ARE NOT INCLUDED MAY NOT BE APPROPRIATE; ISACA DOES NOT CLAIM THAT USE OF THE CONTENT WILL ASSURE A SUCCESSFUL OUTCOME AND YOU ARE RESPONSIBLE FOR APPLYING PROFESSIONAL JUDGMENT TO THE SPECIFIC CIRCUMSTANCES PRESENTED TO DETERMINE THE APPROPRIATE PROCEDURES, TESTS, OR CONTROLS.
Copyright © 2017 by the Information Systems Audit and Control Association, Inc. (ISACA). All rights reserved. This webinar may not be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise).
THANK YOU FOR ATTENDING THIS WEBINAR