
Page 1: 101 ab 1530-1600

Advanced Security Solution for Trusted IT

Gary Lau, Manager, Technology Consultant, Greater China

Page 2

The Changing Landscape

Page 3

Evolution of Attackers

[Figure: attacker categories arranged from unsophisticated to organized, with their typical targets]

• Nation state actors: PII, government, defense industrial base, IP-rich organizations
• Criminals: ranging from unsophisticated petty criminals to organized crime with organized, sophisticated supply chains (PII, financial services, retail)
• Non-state actors: terrorists, anti-establishment vigilantes and “hacktivists”; targets of opportunity, PII, government, critical infrastructure

Page 4

Evolution of Attack Vectors

[Chart: damage/sophistication plotted against threat actor, rising from “minor annoyance” to “significant impact on business bottom line”]

Threat actors on the horizontal axis: hobbyist / script kiddies, petty criminals, organized crime, nation states, non-state actors / cyber terrorists

Attack vectors shown on the chart: worms, viruses, botnets, rootkits, DoS/DDoS, spyware, targeted malware, hybrid worms, web-application attacks, spam, phishing, financial backdoor Trojans, coordinated attacks, APTs

Page 5

Anatomy of an Attack

[Timeline, left to right over TIME: attacker surveillance, target analysis, access probe, attack set-up, attack begins (system intrusion), discovery/persistence, leap frog attacks, maintain foothold, cover-up starts, cover-up complete, complete]

Source: NERC HILF Report, June 2010 (http://www.nerc.com/files/HILF.pdf)

Page 6

Anatomy of a Response

[Timeline, left to right over TIME: attack forecast, physical security, monitoring & controls, defender discovery, attack identified, incident reporting, threat analysis, impact analysis, system reaction, damage identification, response, containment & eradication, recovery]

Source: NERC HILF Report, June 2010 (http://www.nerc.com/files/HILF.pdf)

Page 7

Reducing Attacker Free Time

[Figure: the attack timeline of page 5 laid over the response timeline of page 6 on a common TIME axis; the lag between the attacker’s progress and the defender’s is labelled ATTACKER FREE TIME]

Source: NERC HILF Report, June 2010 (http://www.nerc.com/files/HILF.pdf)

Need to collapse free time

Page 8

Then: Infrastructure-Centric

• Static Attacks: generic, code-based
• Static Infrastructure: physical, IT-controlled, hard perimeter
• Static Defenses: signature-based, perimeter-centric

Now: User/Identity-Centric

• Dynamic Attacks: targeted, human-centric
• Dynamic Infrastructure: virtual, user-centric & connected (public cloud, SaaS, mobile apps, hybrid cloud)
• Dynamic Defenses: analytics & risk-based

Page 9

Advanced Threats

65% of organizations believe they have been the victim of an Advanced Threat

83% of organizations don’t believe they have sufficient resources to prevent Advanced Threats

Source: Ponemon Institute survey “Growing Risk of Advanced Threats”

79% of breaches led to data compromise within “days” or less

91% of breaches took “weeks” or more to discover

Source: Verizon 2011 Data Breach Investigations Report

Page 10

Mean Time to Detect (MTTD)

Source: Ponemon Institute

Page 11

The Changing Mindset

Page 12

Must learn to live in a state of compromise

Constant compromise does not mean constant loss

Page 13

The New Security Model

Page 14

Traditional Security is Unreliable

• Signature-based
• Compliance driven
• Perimeter oriented

Page 15

As a result, organizations are…

• poorly prepared for advanced threats
• unable to detect attacks in a timely manner
• responding in a manner that is chaotic and uncoordinated

Page 16

Effective Security Systems need to be:

• agile
• risk-based
• contextual

Page 17

Security must Ensure…

…only the right people
…access critical applications & information
…over an I/F we trust.

[Diagram: Admins and Users accessing the Enterprise Data Center under ITaaS Management, layered as Infrastructure, Applications (CRM, ERP, BI, ***) and Information]

Page 18

Disruptive Forces

…only the right people
…access critical applications & information
…over an I/F we trust.

• User Access Transformation: Mobile
• Threat Landscape Transformation: Advanced Threats
• Back-end I/F Transformation: Cloud

[Diagram: the page 17 picture of Admins and Users accessing the Enterprise Data Center (ITaaS Management; Infrastructure, Applications (CRM, ERP, BI, ***), Information), with Mobile, Advanced Threats and Cloud acting on it]

Page 19

The New IT Model

[Diagram: access paths into the enterprise. Labels: Clouds (SaaS, PaaS, IaaS, Community), Mobile Apps, Scenario: Web, Direct to Cloud, Unmanaged Devices, Managed Devices, Direct to Apps, VPN into DC, From the Cloud, Private Cloud, To DC; Enterprise Data Center (ITaaS Management; Infrastructure, Applications (CRM, ERP, BI, ***), Information); Admins, Users]

Page 20

The Security Stack

MANAGEMENT LAYER
• GRC: DEFINE POLICY, MAP POLICY, MEASURE POLICY
• SECURITY OPERATIONS (SOC): DETECT potential threats, INVESTIGATE attacks, RESPOND to attacks

CONTROL LAYER
• IDENTITY: IDENTITY ADMIN & PROVISIONING, ACCESS CONTROLS, IDENTITY & ACCESS GOVERNANCE
• INFRASTRUCTURE: ENDPOINT CONTROLS, NETWORK/MESSAGING CONTROLS, APPLICATION CONTROLS
• INFORMATION: DLP CONTROLS, ENCRYPTION/TOKENIZATION I/F, INFORMATION RIGHTS MANAGEMENT

[Diagram: the two layers shown alongside the Enterprise Data Center (ITaaS Management; Infrastructure, Applications (CRM, ERP, BI, ***), Information) accessed by Admins and Users (“To DC”)]

Page 21

The Control Layer

CONTROL LAYER
• IDENTITY: IDENTITY ADMIN & PROVISIONING, ACCESS CONTROLS, IDENTITY & ACCESS GOVERNANCE
• INFRASTRUCTURE: ENDPOINT CONTROLS, NETWORK/MESSAGING CONTROLS, APPLICATION CONTROLS
• INFORMATION: ENCRYPTION/TOKENIZATION I/F, DLP CONTROLS, INFORMATION RIGHTS MANAGEMENT

[Diagram: the page 20 security stack (management layer: GRC and Security Operations (SOC); Enterprise Data Center accessed by Admins and Users) with the control layer in focus]

Page 22

The Management Layer

MANAGEMENT LAYER
• GRC: DEFINE POLICY, MAP POLICY, MEASURE POLICY
• SECURITY OPERATIONS (SOC): DETECT potential threats, INVESTIGATE attacks, RESPOND to attacks

[Diagram: the page 20 security stack (control layer: Identity, Infrastructure and Information controls; Enterprise Data Center accessed by Admins and Users) with the management layer in focus]

Page 23

Critical Questions

• Comprehensive Visibility: what is going on?
• Actionable Intelligence: what matters?
• Governance: how do I address it?

Page 24 © Copyright 2011 EMC Corporation. All rights reserved.

Traditional SIEM Is Not Enough

...SIEM needs to evolve

• How do you:
  – quickly determine how an attack happened?
  – reduce the “attacker free time” in your infrastructure?
  – prevent similar future attacks?

Requires network and log data visibility

Requires the fusion of internal & external intelligence

Makes security a Big Data problem

Resisting all attacks is not realistic; reacting fast to mitigate damage is

Page 25

Full Packet Capture is a must

• Full packet capture is necessary to
  – identify malware entering the environment (a very common source of advanced threats) and prioritize actions related to it,
  – track the lateral movement of an attacker once inside the organization, and
  – prove exactly what happened and what data was exfiltrated, whether it was encrypted or not

If SIEM is to address today's threats then it requires this information

Page 26

The Next Gen SOC

• Agile Analytics: “Enable me to efficiently analyze and investigate potential threats”
• Optimized Incident Management: “Enable me to manage these incidents”
• Actionable Intelligence: “Help me identify targets, threats & incidents”
• Comprehensive Visibility: “Analyze everything that’s happening in my infrastructure”

Page 27

next gen security operations

Page 28

Value of RSA Solutions

[Diagram: Governance, Visibility and Intelligence shown for each of the two approaches]

Traditional Approach
• Discrete products in silos
• Multiple vendors for each product
• Manual process to transfer data
• High TCO and low efficiency

RSA’s Approach
• Transparent data flow between products
• Single vendor – tested integrations
• Very high operational efficiencies
• Lower TCO and faster time to value

Page 29

RSA Approach

• GOVERNANCE: manage business risk, policies and workflows
• INTELLIGENT CONTROLS: rapid response and containment
• ADVANCED VISIBILITY AND ANALYTICS: collect, retain and analyze internal and external intelligence

Across cloud, mobility and network

Page 30

Meeting our Customers’ Challenges with RSA Thought Leadership

• Prove Compliance Consistently & Affordably
• Secure Virtualization & Cloud Computing
• Secure Access for Increased Mobility & Collaboration
• Manage Risk and Threats Throughout the Enterprise
