
© Copyright 2013 EMC Corporation. All rights reserved.

Slide 1: RSA Archer Security Operations Management (SecOps)
RSA, The Security Division of EMC

Slide 2: Security Incidents are Going Unnoticed

• Lack of Staff
• Too Many False Positive Responses
• Too Many Manual Processes
• Too Many Non-Integrated Tools
• Security Attacks are Sophisticated

* ESG White Paper – “The Big Data Security Analytics is Here”, January 2013

Slide 3: Security Incidents → Data Breach

• 70%: Company’s Value is IP
• 78%: Weeks to Discover
• 56%: Staff Shortage

Average Cost of a Data Breach (chart values): $5,403,644; $4,104,932; $3,143,048; $2,275,404; $4,823,583; $3,763,299; $2,282,095; $1,321,903

Impact to an Enterprise: Financial + Reputational Damage

* Ponemon Institute – “2013 Cost of Data Breach Study: Global Analysis”, Cost of a Data Breach in US

Slide 4: Centralizing Incident Response Teams

Specialized Team
• Reporting to: CSO/CISO → CIO
• Consisting of: People, Process, Technology

Detect, Investigate and Respond

Team structure (org chart): SOC Manager; Tier 2 Analyst; Analysis & Tools Support Analyst; Tier 1 Analyst; Threat Analyst

Slide 5: Current Challenges

SOCs are Event Focused and Reactive
• No Centralization of Alerts
• Lack of Centralized Incident Management
• Lack of Context
• Lack of Process
• Lack of Best Practices

Slide 6: Complexities of a SOC

Diagram contents:
• Roles: SOC Manager 1, SOC Manager 2, CISO, Finance, Legal, HR, IT, L1 Analyst, L2 Analyst, Threat Analyst, Breach Coordinator
• Processes: Shift Handoff, Incident Process, Threat Analysis, Report KPIs, Breach Process, IT Handoff, Centralize Alerts, Measure Efficacy
• Tools and Data Sources: SIEM, DLP, Network Visibility, eFraud, Host Visibility

Slide 7: Detect & Respond to Security Incidents: RSA Reference Architecture

RSA Live Intelligence: Threat Intelligence – Rules – Parsers – Alerts – Feeds – Apps – Directory Services – Reports and Custom Actions

Monitored sources: SharePoint, File Servers, Databases, NAS/SAN, Endpoints, Enterprise Mgmt.

RSA ECAT: Windows Clients/Servers

RSA Security Operations Management (NEW): Incident Management, Breach Management, SOC Program Management, IT Risk Management

Slide 8: RSA Security Operations Management

Domain: Security Operations Management
• Incident Management
• Breach Management
• SOC Program Management
• IT Security Risk Management

People, Process, Technology: Orchestrate & Manage
Consistent / Predictable Business Process

Slide 9: RSA SecOps: SecOps Marketecture

Orchestration / Management of the SOC
• Aggregate Alerts to Incidents
• Incident Response
• Breach Response
• SOC Program Management
• Dashboard & Report

RSA Archer Enterprise Management (Context)
RSA Archer BCM (Crisis Events)

Inputs: ALERTS, CONTEXT
Capture & Analyze – Packets, Logs & Threat Feeds
LAUNCH TO SA

Slide 10: Persona Driven Design: Customized for the SOC Personas

L1/L2 Analyst
• Review Incidents
• Collect Data
• Investigate / Escalate
• Forensic Analysis

Incident Coordinator
• Analyst Mgmt.
• Shift Handover
• Incident Trends

Breach Response Lead
• Review Escalations
• Breach Impact Analysis
• Notification Process

SOC Manager/CISO
• SOC Visibility
• Access to Dashboards
• Access to Reports
• Measure Effectiveness

Slide 11: Analyst Focused Dashboard
• New and My Incident Queue
• Overall Incident Status

Slide 12: Contextual Launch to Collect Data
• Launch to SA to Collect Additional Data

Slide 13: Link to Business Context
• New and My Incident Queue
• Cross-Reference Alerts to Asset Details and Business Context

Slide 14: Incident Coordinator Dashboard
• Shift Handover
• Analyst Workload
• Incident Trends

Slide 15: Breach Coordinator Dashboard
• Current Breaches, Impact and Records Affected

Slide 16: IT Operations Dashboard
• Current Breaches, Impact and Records Affected
• Findings Addressed by IT Help Desk

Slide 17: SOC Manager / CISO Dashboard
• Overall View of the Security Operations Center

Slide 18: The Value of SecOps: Orchestration and Framework for the SOC

Enable SOC Team to Be More Effective
• Incident Prioritization
• Workflow to Guide IR Process
• Response Procedures

Optimize SOC Investments
• Automation
• Monitor KPIs
• Measure Security Controls
• Manage SOC Team

Better Manage IT Security & Business Risk
• Visibility & Biz Context
• Data Breach Management
• Enterprise Risk

Slide 19: Security Operations Management Deployment Maturity Model

Stage 1: Alerts & Context
• Business Context
• Define Alerting Rules for Security Monitoring Systems

Stage 2: Incident Response
• Alert Aggregation
• Investigation / Incident Management Process
• Breach Management Process

Stage 3: Program Management
• Team / Shift Management
• SOC Readiness, Security Control Efficacy
• KPI Monitoring

Stage 4: Business Risk Management
• IT Security Risk Management
• Enterprise Risk & BCM

Slide 20: Professional Services Offerings

SecOps Program Offerings
• Early Stage Deployment of SOC
  − Strategy, Design, Implement & Operate
  − Custom SOW Based on Customer Requirements
• Mature SOC Customer
  − Technical Implementation: Install, Integrate & Functional Overview

Holistic Solution Portfolio
• Incident Response
• Breach Response
• Reports & Dashboards
• GRC Integrations
• SOC Program Management