This talk covered three agenda items, with an obvious focus on RSA Security Analytics.
1. Why / how security investments need to shift
2. Building a SoC
3. Demo of the tool
Obviously I won't be capturing the Demo here, but below are my notes from this presentation:
Advanced threats are different… Often following a similar set of steps;
- System intrusion – Attack begins – Cover-up discovery leap frog attacks – cover up complete, with the following characteristics;
How to defend;
- decrease dwell time (time from successful breach until discovery)
- speed response time (speed with which attacks are detected, and then remediated once discovered)
A relatively new attack discovered / named last year is ‘Waterholing’ – sit by the waterhole knowing prey will come to you. Malicious users take over a site, knowing their targets are likely to visit it and trust it, then wait for them to arrive; malware etc. is then delivered to users of the site.
A massive % of security spend is currently on prevention, not detection.
71% of organisations have some sort of SoC (wider survey 66%); most have plans to have one. The question covered everything from just some analysts who do investigations right through to full-on SoC capabilities.
SoC – level 1 adds, moves and changes, device health etc.
CIRC – manage security incidents, investigate suspicious behaviours, vulnerability analysis, threat management etc.
CIRC – even the specialists need to specialise!!
CIRCs can / should comprise the below 4 areas of responsibility. Note, a person can have multiple roles; it doesn’t need to be 4 people or more for smaller organisations.
1 – 4 suggested Tiers / areas of responsibility:
- Front line – initial investigations, containment, triage, 24*7 etc
- Advanced tools, tactics and analysis – reverse engineering, host and network forensics, Cause and origin determination
- Analysis and tools support – Optimising the CIRC tools and processes; Integration, Content development, Reporting, Alert and Rule creation
- Cyber Threat Intelligence – understand the wider environment, analyse threat feeds, awareness of criminal / activist organisations etc.
EMC example – 1046 employees received a clear phishing email about fake wire transfers, 17 clicked on the link, and 2 even clicked through the ‘are you sure’ warning from the EMC gateway! This sort of investigation should take minutes. Does it for your organisation?
The maturity Journey – Control – Compliance – IT Risk – Business Risk
- Your business needs to be moving from at least compliance to IT risk for levels 3 and 4 of the SoC to make sense.
- Business, then IT risk SHOULD drive your security program and strategy. Compliance is a byproduct of good security.
- MSSP (Managed Security Service Provider) - Make CIRC function more complete and affordable
- What does it make sense to outsource from the CIRC functions?
- Start with Tier 1, second most likely threat intelligence (as this can be somewhat stand alone, and an MSSP likely already has good contacts and threat intelligence they can share)
- Tiers 3 and 4 can be, but these are harder and likely require in depth expertise and knowledge about the internal operation of the organisation.
To assist this organisations need;
- Comprehensive visibility
- view, collect and analyse everything
- Agile analytics
- efficient analysis and investigation of potential issues
- Actionable intelligence
- understand ‘normal’ to aid identification and investigation of anomalies. Make data machine readable
- Optimised incident management
RSA Security Analytics is designed to meet these needs. Well there had to be some product focus as it’s an RSA presentation..
- However, where does this fit into the overall business?
- Can it be used by the wider business in order to offer a business wide solution to log management and analytics?
RSA response – Data is stored in Hadoop style storage so you can write tools to query it. But no, there are no plans for them to provide any ops style dashboards and functionality that could be used by the wider IT team and the business. For me this is a massive gap given the current market for log correlation and analysis type tools. There is no way a business should want two of these solutions in place with logs shipped to both and all the associated licensing and management that goes with it. Having two tools also leads to a potential situation where all logs may not get to the security tool and therefore you’ll miss potential threats.
So back to the talk;
RSA Security Analytics provides a combination of both real time and longer term analytical abilities:
- real time example – analysing data on the wire for attacks and suspicious behaviour
- longer term – log on from two different locations – analyse distance between locations and time between logons
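The longer term check described above (two logons, the distance between the locations and the time between the logons) can be sketched as follows. This is an added example, not code from the talk or from RSA Security Analytics; the event tuple layout, the 900 km/h speed threshold and the 100 km minimum distance are assumptions, and the logon records are constructed.

```python
import math
from datetime import datetime

# Constructed sample logons: (user, ISO timestamp, latitude, longitude).
# The layout is an assumption for illustration, not a product log format.
SAMPLE_LOGONS = [
    ("alice", "2024-05-01T08:00:00", 51.5074, -0.1278),   # London
    ("alice", "2024-05-01T09:30:00", 40.7128, -74.0060),  # New York, 90 min later
    ("bob",   "2024-05-01T08:00:00", 51.5074, -0.1278),   # London
    ("bob",   "2024-05-01T12:00:00", 48.8566, 2.3522),    # Paris, 4 h later
    ("carol", "2024-05-01T10:00:00", 52.5200, 13.4050),   # Berlin
    ("carol", "2024-05-01T10:00:00", 35.6762, 139.6503),  # Tokyo, same second
]

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0    # assumed threshold: roughly airliner cruising speed
MIN_DISTANCE_KM = 100.0  # assumed floor: ignore hops within GeoIP imprecision


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(events, max_speed=MAX_SPEED_KMH, min_dist=MIN_DISTANCE_KM):
    """Return (user, distance_km, implied_speed_kmh) for consecutive logons
    by the same user that would need travel faster than max_speed."""
    alerts, last_seen = [], {}
    for user, ts, lat, lon in sorted(events, key=lambda e: (e[0], e[1])):
        when = datetime.fromisoformat(ts)
        if user in last_seen:
            prev_when, prev_lat, prev_lon = last_seen[user]
            dist = haversine_km(prev_lat, prev_lon, lat, lon)
            hours = (when - prev_when).total_seconds() / 3600
            # Simultaneous logons from distant places imply infinite speed.
            speed = dist / hours if hours > 0 else float("inf")
            if dist >= min_dist and speed > max_speed:
                alerts.append((user, round(dist), speed))
        last_seen[user] = (when, lat, lon)
    return alerts


if __name__ == "__main__":
    for user, dist, speed in impossible_travel(SAMPLE_LOGONS):
        print(f"{user}: {dist} km between logons, implied {speed:.0f} km/h")
```

In practice the threshold needs tuning against VPN egress points and mobile carrier gateways, which routinely make a user appear to move between distant locations.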
Threat intelligence from feeds and incorporating business context.
- Look at all the data, use intelligence to narrow it down to provide a low number of real and useful alerts.
Security analytics demo;
- Has full data set, can drill down to specific IP addresses, and the behaviour between it and others, identifies hacker tools etc.
- Integrates with RSA threat feed etc.
- Identifies high risk file types, windows cli commands etc.
- Keeps suspicious IP address list from top suspicious IP list.
- Can turn network data back into the real data – e.g. can view emails as the email with cc etc., and can view text files and images. This looks a bit like man in the middle stuff – it recompiles the actual conversation / traffic.
- Currently a detective / investigative system.
5 takeaways – things you could do:
- Analyse current / goal security spend by prevention, detection and response.
- Honestly assess your organisation's security maturity.
- Expand / build-out SoC/CIRC via on-premise or MSSP (or on premise MSSP).
- Invest in breach readiness processes.
- Evaluate your security tooling – is it too perimeter / signature based? Does it align with your security strategy and desired posture?
Overall this was a useful talk with quite a few good points and outside of the demo relatively little product and marketing talk.
I am however very disappointed that RSA are intent on keeping Security Analytics 100% focussed on security only. It’s undoubtedly a good product in this space, but there are other products now that appear to offer similar levels of functionality in this space while also being genuinely good products across ops / application support / business users etc. and also being potentially more flexible and extensible. Take a look at both Splunk and LogRhythm.