
From SIEM to SA: The Path Forward

Oct 19, 2014

View this webcast to learn how you can accelerate your security transformation from traditional SIEM to a unified platform for incident detection, investigation and advanced security analysis. Understand why organizations are moving to a true big data security platform where compliance is a byproduct of security, not the other way around. More via http://bcove.me/d2e9wpd2
Transcript
Page 1: From SIEM to SA: The Path Forward

1 © Copyright 2012 EMC Corporation. All rights reserved.

From SIEM to Security Analytics

The Path Forward

Seth Geftic, Product Marketing Manager

Steve Garrett, Product Manager

Page 2: From SIEM to SA: The Path Forward

Agenda

The Shift From SIEM

What is RSA Security Analytics

Beyond SIEM: Intelligence Driven Security

Intelligence Driven Security In Action

Page 3: From SIEM to SA: The Path Forward

The Shift Away From SIEM

Page 4: From SIEM to SA: The Path Forward

The purpose of SIEM has evolved

The original purchase drivers behind SIEMs were
– Satisfying compliance requirements more easily
  ▪ Collecting and retaining logs with less operational overhead
  ▪ Creating compliance reports more easily
– Troubleshooting operational problems
  ▪ Determining root cause of failures

Making IDS work better was often a driver too
– The security team was deluged with IDS alerts
– Many of the IDS rules were crude and fired too often

Page 5: From SIEM to SA: The Path Forward

Why hasn’t SIEM lived up to expectations?

Things have become more complex
– IT environments have expanded
– Hackers have become more sophisticated
– IDS has become less and less relevant

SIEM's response has been to add more log sources
– More diversity of sources (security device, OS, application, etc.)
– Greater volume of sources as the number of critical systems has expanded

But this has not solved the problem
– SIEM has not been able to scale to the volume required
– It's impractical to create correlation rules to detect every complex threat
– Many threats no longer even have a footprint in the logs

Page 6: From SIEM to SA: The Path Forward

The result for organizations?

Honeymoon period for customers post implementation

– Compliance reports run more smoothly

– Security teams get at least *some* visibility into activity

Disillusionment follows for many pretty soon after

– As the team matures they start trying to extract more value from the data

– At this point, performance and correlation limitations come to the fore

Page 7: From SIEM to SA: The Path Forward

Today’s tools need to adapt

Today’s tools need to be able to detect and investigate

– Lateral movement of threats as they gain foothold

– Covert characteristics of attack tools, techniques & procedures

– Exfiltration or sabotage of critical data

Today’s tools need to be able to scale
– To collect and store the volume and diversity of data required
– To provide analytic tools to support security work streams
– Time to respond is critical in a breach situation, and SIEM often falls short

Page 8: From SIEM to SA: The Path Forward

Security Analytics & The Security Maturity Voyage

[Figure: maturity curve plotted against Security Team Sophistication & Skillset and Visibility and Understanding. Stages along the curve: Compliance, Incident Detection, Network Monitoring & Investigation, Advanced Analysis. Traditional SIEM is placed at the early stages; SECURITY ANALYTICS spans the curve.]

Page 9: From SIEM to SA: The Path Forward

Use Case Needs Grow

Compliance + Tier 1 Security (often met with traditional SIEM)

– Compliance requirements

– Incident detection

– Limited investigations

Moving Beyond SIEM

– Increased visibility

– Deep forensics and investigations

– Supplement traditional SIEM

Advanced Security Operations

– Find more sophisticated attacks

– Increased “hunting” ability

– Conduct complex data analysis for next gen SOC

Page 10: From SIEM to SA: The Path Forward

Today’s Security Requirements

Comprehensive Visibility: “See everything happening in my environment and normalize it”

High Powered Analytics: “Give me the speed and smarts to detect, investigate and prioritize potential threats”

Big Data Infrastructure: “Need a fast and scalable infrastructure to conduct real time and long term analysis”

Integrated Intelligence: “Help me understand what to look for and what others have discovered”

Page 11: From SIEM to SA: The Path Forward

What is RSA Security Analytics

Page 12: From SIEM to SA: The Path Forward

RSA Security Analytics
Unified platform for incident detection, investigations, compliance reporting and advanced security analysis

[Diagram: RSA Security Analytics brings together SIEM (Log Parsing, Compliance Reports, Incident Alerts) and Network Security Monitoring (Full Packet Capture, Capture Time Data Enrichment, Deep Dive Investigations) on a foundation of Big Data Infrastructure, Comprehensive Visibility, High Powered Analysis and Intelligence Driven Context.]

Page 13: From SIEM to SA: The Path Forward

Big data security analytics: RSA Security Analytics architecture

[Architecture diagram. Distributed Data Collection ingests PACKETS and LOGS; Parsing & Metadata Tagging and Capture Time Data Enrichment turn them into PACKET METADATA and LOG METADATA, with LIVE content applied at each stage. RSA LIVE INTELLIGENCE supplies Threat Intelligence | Rules | Parsers | Alerts | Feeds | Apps | Directory Services | Reports & Custom Actions; further inputs are Incident Response, Endpoint Visibility & Analysis and Additional Business & IT Context. Outputs: Reporting & Alerting, Investigation & Forensics, Compliance, Malware Analysis, Intelligence Feeds.]

Page 14: From SIEM to SA: The Path Forward

RSA Security Analytics “SIEM-like” deployment

[Architecture diagram, as on the previous slide but with Distributed Data Collection ingesting LOGS only: Parsing & Metadata Tagging and Capture Time Data Enrichment produce LOG METADATA, with LIVE content applied at each stage. RSA LIVE INTELLIGENCE supplies Threat Intelligence | Rules | Parsers | Alerts | Feeds | Apps | Directory Services | Reports & Custom Actions; further inputs are Incident Response, Endpoint Visibility & Analysis and Additional Business & IT Context. Outputs: Reporting & Alerting, Investigation & Forensics, Compliance, Malware Analysis, Intelligence Feeds.]

Page 15: From SIEM to SA: The Path Forward

RSA Security Analytics with a traditional SIEM

[Diagram. Security Analytics side: Distributed Data Collection of PACKETS and LOGS, Parsing & Metadata Tagging and Capture Time Data Enrichment producing PACKET METADATA, with LIVE content applied; outputs Alerting, Investigation & Forensics, Malware Analysis and Intel Feeds. 3rd Party SIEM side: Collection, Investigations, Alerts, Alert Triage, Compliance & Reporting.]

Page 16: From SIEM to SA: The Path Forward

What Makes SA Different?

Single platform for log & network security monitoring

Capture time data enrichment

Superior event stream & on-request analysis

Incorporates business and IT data, incident response & endpoint visibility

Operationalizes threat intelligence

Security platform where compliance is an outcome, not the other way around

Page 17: From SIEM to SA: The Path Forward

Beyond SIEM – Intelligence Driven Security

Page 18: From SIEM to SA: The Path Forward

What is Intelligence Driven Security?

The process of using all the security-related information available, both internally and externally, to detect hidden threats and even predict future ones.

It is knowledge that enables an organization to make informed risk decisions and take action.

Page 19: From SIEM to SA: The Path Forward

Meet the Adversary: Mr. X

Persona: Cyber Criminal, Government sponsored or non-state actor
Mission in Life: Exfiltrate any and all data available by creating a threat surface specialized for a given target.
Tactics: Malicious Code, Social Media, Phishing, Spear Phishing
Primary Data Source(s): Must Have: Facebook, LinkedIn, Malware. Note: Average price of a zero-day exploit generated by the criminal underground is $25.

Mr. X has been busy:
– Combination of Waterhole Attacks with Zero Day Exploits (non-profits and think tanks)
  ▪ Targeting users who visit very specific websites
  ▪ Latest IE 0-day attack focused on a specific non-profit site
  ▪ Downloaded and executed shellcode directly from memory, never hit disk
  ▪ Dropped non-persistent (Aurora) 9002 RAT
– Multiple attack groups on the same victim, steady evolution of adversary backdoors
– NO slowdown in attack operations, very specific targeting of intelligence based on attacker taskings (Lawsuits, Key Personnel, C-Suite, M/A activity)
– Email Exfiltration – MAPI tool, Theft of Lotus Notes Email
– Continued heavy use of Windows Service DLLs, some signed

Page 20: From SIEM to SA: The Path Forward

Mr. X – How Does he do it?

[Diagram of the attack chain across Your Network:
A: Web App Vulnerability
B: Drop Webshells or Trojan Backdoor
C: Command and Control
D: Pass The Hash
E: Seize Domain Admin Credentials
F: Gain Access to Trade Secrets
G: Upload Stolen Data to Staging Server
H: Transmit Stolen Data

An “Ability to Detect” matrix rates each step A to H for IDS, SIEM and SA using the values Yes; Yes – Full Visibility with Logs and Packets with Threat Intelligence; Possible; No.]

Page 21: From SIEM to SA: The Path Forward

Intelligence Driven Security with Security Analytics

A: Web App Vulnerability
B: Drop Webshells or Trojan Backdoor

RSA Live Threat Intelligence may have identified risk of the transfer as a starting point for investigation

Page 22: From SIEM to SA: The Path Forward

Intelligence Driven Security with Security Analytics

Traversing Your Infrastructure

Mr. X uses a variety of techniques to communicate while traversing your infrastructure, which Security Analytics can detect and parse:
– Named Pipes commonly abused (\pipe\hello is NOT from Microsoft)
– Abuse of the Windows Task Scheduler over SMB connections via NET USE, allowing command shell capabilities with SYSTEM privileges

C: Command and Control
D: Pass The Hash
E: Seize Domain Admin Credentials
F: Gain Access to Trade Secrets
G: Upload Stolen Data to Staging Server

Security Analytics combines Log Data with Packet Data for Deep Visibility

Page 23: From SIEM to SA: The Path Forward

Intelligence Driven Security with Security Analytics

Your Network

G: Upload Stolen Data to Staging Server
H: Transmit Stolen Data

RSA Live Threat Intelligence may have identified risk of the transfer based on remote host or outbound protocol anomalies (such as self-signed certs)
– Security Analytics will flag these sessions as suspicious and identify where the data travelled
– Event reconstruction may be possible

Page 24: From SIEM to SA: The Path Forward

Anyone see this Movie?

Page 25: From SIEM to SA: The Path Forward

Event Stream Analysis: Intelligence Driven Security in Action

Page 26: From SIEM to SA: The Path Forward

Intelligence Driven Security with Security Analytics – Event Stream Analysis

• Full Visibility – Log Data and Packet Data normalized into Meta Data
– Additional Context may be added into ESA from other business systems

[Diagram: two Log Decoders (18k EPS and 24k EPS) and a Packet Decoder (2 GB/s), each with LIVE content and a Concentrator in front of it, feed ESA together with Additional Context.]

Page 27: From SIEM to SA: The Path Forward

Intelligence Driven Security with Security Analytics – Event Stream Analysis

• Leverage the power of ESA’s Correlation Engine to create Dynamic Risk Categorization using Context Windows

• Suspicious Internal IP list (DYNAMIC CONTEXT) based on Packet Analysis and RSA Live Threat Intel
  ▪ As an example, any host running a named pipe such as “\pipe\hello”
  ▪ Entries age out after a preconfigured time (8 hours for instance)
  ▪ Example entries: 10.221.32.12, 161.169.207.15, ..

• Critical Asset List (STATIC CONTEXT) may come from a Feed File or CSV file which provides Business Context
  ▪ Entries can be configured to be static and not age out
  ▪ Example entries: 10.100.32.10, 10.100.32.104

• Suspicious Host Alias list (DYNAMIC CONTEXT) based on Packet Analysis and RSA Live Threat Intel
  ▪ Entries age out after a preconfigured time (12 hours for instance)
  ▪ Example entries: Ssl-irc.scumware.org, Mirror.wikileaks.info, Updatekernal.com, …

Page 28: From SIEM to SA: The Path Forward

Intelligence Driven Security with Security Analytics – Event Stream Analysis

• When one of the Suspicious Hosts attempts to login on one of the Critical Assets, you may deem this an elevation of Risk, and choose to add the IP address of the Host to a new list

• Elevated Risk Internal IP list based on Log Data from the Domain Controller
  ▪ ESA determines that a host in the Suspicious Host IP list attempted to login to a host in the Critical Asset List
  ▪ ESA places this IP address into the Elevated Risk Internal IP list, which can be configured to age out after a preconfigured time

• The Context Window can be referenced against the Incoming Event Streams and used to make a more intelligent decision to fire an Alert

[Diagram: Suspicious Internal IP (DYNAMIC CONTEXT: 10.221.32.12, 161.169.207.15, ..) feeding the Elevated Risk Internal IP list (DYNAMIC CONTEXT).]

“If A->B->C AND the Host IP address is included in the Elevated Risk Context Window, then tell me about it!”
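The context-window logic of the last two slides, together with the "\pipe\hello" named-pipe indicator from the Traversing Your Infrastructure slide, as an added Python example (not RSA's code and not the ESA rule language): a suspicious-IP list fed by packet analysis that ages out, a static critical-asset list, an elevated-risk list filled when a suspicious host logs on to a critical asset, and an alert that fires only when the A->B->C pattern comes from an elevated-risk host. The event tuple shape, the field names and the 8-hour TTL on both dynamic lists are assumptions.

```python
# Added example, not RSA's code: a toy event-stream correlator mimicking the ESA
# context windows on these slides. Events are tuples (ts, kind, src_ip, detail).
CRITICAL_ASSETS = ("10.100.32.10", "10.100.32.104")  # static context from the slide
TTL = 8 * 3600                                       # dynamic entries age out after 8h
SEQUENCE = ("A", "B", "C")                           # the "A->B->C" pattern to match

class ContextWindow:
    """Set of IPs; with a ttl, entries older than ttl seconds drop out on lookup."""
    def __init__(self, ttl=None, seed=()):
        self.ttl, self.entries = ttl, {ip: 0 for ip in seed}   # ip -> time added
    def add(self, ip, now):
        self.entries[ip] = now
    def contains(self, ip, now):
        added = self.entries.get(ip)
        if added is not None and self.ttl is not None and now - added > self.ttl:
            del self.entries[ip]                      # aged out of the window
            return False
        return added is not None

class Correlator:
    def __init__(self):
        self.suspicious = ContextWindow(TTL)          # Suspicious Internal IP (dynamic)
        self.elevated = ContextWindow(TTL)            # Elevated Risk Internal IP (dynamic)
        self.critical = ContextWindow(None, CRITICAL_ASSETS)  # Critical Asset List (static)
        self.progress, self.alerts = {}, []           # src -> steps matched; alerts fired
    def process(self, ts, kind, src, detail):
        if kind == "named_pipe" and detail.lower() == r"\pipe\hello":
            self.suspicious.add(src, ts)              # packet analysis: odd named pipe seen
        elif kind == "dc_logon" and self.suspicious.contains(src, ts) \
                and self.critical.contains(detail, ts):
            self.elevated.add(src, ts)                # suspicious host logged on to a critical asset
        elif kind == "step":                          # track A->B->C per host, restart on mismatch
            n = self.progress.get(src, 0)
            n = n + 1 if detail == SEQUENCE[n] else int(detail == SEQUENCE[0])
            self.progress[src] = n % len(SEQUENCE)
            if n == len(SEQUENCE) and self.elevated.contains(src, ts):
                self.alerts.append((src, ts))         # pattern completed by an elevated-risk host

def run(events):
    c = Correlator()
    for ev in sorted(events):                         # replay the stream in time order
        c.process(*ev)
    return c.alerts

# Constructed stream: host .12 completes the chain; host .99 runs A->B->C but was
# never suspicious; host .50 was suspicious but aged out before its logon.
SAMPLE_EVENTS = [
    (0, "named_pipe", "10.221.32.12", r"\pipe\hello"),
    (60, "dc_logon", "10.221.32.12", "10.100.32.10"),
    (0, "named_pipe", "10.221.32.50", r"\pipe\hello"),
    (9 * 3600, "dc_logon", "10.221.32.50", "10.100.32.104"),
] + [(120 + i, "step", "10.221.32.12", s) for i, s in enumerate(SEQUENCE)] \
  + [(200 + i, "step", "10.221.32.99", s) for i, s in enumerate(SEQUENCE)]
```

Only the first host ends up in the alert list; the second never entered a context window and the third's suspicious entry had expired by the time it logged on.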

Page 29: From SIEM to SA: The Path Forward

RSA Security Analytics

• Cornerstone in the Security Operations journey
• Flexible platform that grows with your needs
  – Compliance → incident detection → investigation and forensics → advanced analysis
  – From logs → packets, or packets → logs
• Security platform where compliance is a byproduct, not the other way around

Page 30: From SIEM to SA: The Path Forward

RSA Advanced Cyber Defense Services

A portfolio of services to help you achieve security operations excellence

• Strategy & Roadmap: Current strategy review and recommendations for desired future state
• Incident Response: Rapid breach response service and SLA-based retainer
• NextGen Security Operations: SOC/CIRC evolution and security program transformations; moving from reactive to proactive

www.rsa.im/ACDpractice

Page 31: From SIEM to SA: The Path Forward

RSA Advanced Cyber Defense Training

A comprehensive learning path for security analysts

• Focus on proven methodologies for operating and managing a CIRC/SOC
• Hands-on labs designed around real-world use cases and teamwork in a CIRC/SOC
• Delivered by highly experienced RSA Security Practitioners

www.emc.com/rsa-training

Page 32: From SIEM to SA: The Path Forward
Page 33: From SIEM to SA: The Path Forward

Reimagining Security Analysis: Removing Hay vs. Digging For Needles

[Funnel diagram]
All Network Traffic & Logs: Terabytes of data (100% of total)
Downloads of executables: Thousands of data points (5% of total)
Type does not match extension: Hundreds of data points (0.2% of total)
Create alerts to/from critical assets: A few dozen alerts
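The four funnel stages above, applied to constructed download records as an added Python example (not RSA's code): content is classified by its leading bytes rather than by the extension the sender declared, so a renamed executable falls through to the "type does not match extension" stage, and only records touching a critical asset reach the alert stage. The record fields, the signature table and the reuse of the critical-asset addresses from the ESA slides are assumptions.

```python
# Added example, not RSA's code: the "removing hay" funnel from this slide as a
# staged filter over constructed download records. Record fields are assumptions.
CRITICAL_ASSETS = {"10.100.32.10", "10.100.32.104"}   # static context from the ESA slides
MAGIC = {b"MZ": "exe", b"\x7fELF": "elf", b"%PDF": "pdf", b"\x89PNG": "png", b"\xff\xd8": "jpg"}
EXECUTABLE_TYPES = {"exe", "elf"}
FUNNEL_STAGES = ("All Network Traffic & Logs", "Downloads of executables",
                 "Type does not match extension", "Create alerts to/from critical assets")


def sniff_type(head):
    """Classify content by its leading bytes, ignoring what the file name claims."""
    for signature, kind in MAGIC.items():
        if head.startswith(signature):
            return kind
    return "unknown"


def declared_ext(filename):
    """Extension the sender declared, lower-cased; '' when there is none."""
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""


def funnel(records):
    """Apply the four stages in turn; returns [(stage name, surviving records), ...]."""
    executables = [r for r in records if sniff_type(r["head"]) in EXECUTABLE_TYPES]
    mismatched = [r for r in executables if declared_ext(r["name"]) != sniff_type(r["head"])]
    critical = [r for r in mismatched if r["src"] in CRITICAL_ASSETS or r["dst"] in CRITICAL_ASSETS]
    return list(zip(FUNNEL_STAGES, (records, executables, mismatched, critical)))


def stage_counts(records):
    """Number of records surviving each stage, in funnel order."""
    return [len(survivors) for _, survivors in funnel(records)]


# Constructed sample: each record is one download session with the first bytes of the payload.
SAMPLE_RECORDS = [
    {"src": "10.221.32.12", "dst": "10.100.32.10", "name": "invoice.pdf", "head": b"MZ\x90\x00"},
    {"src": "10.221.32.13", "dst": "10.0.5.7", "name": "setup.exe", "head": b"MZ\x90\x00"},
    {"src": "10.221.32.14", "dst": "10.0.5.8", "name": "logo.png", "head": b"\x89PNG\r\n"},
    {"src": "10.221.32.15", "dst": "10.0.5.9", "name": "photo.jpg", "head": b"MZ\x90\x00"},
    {"src": "10.100.32.104", "dst": "10.0.5.10", "name": "report.docx", "head": b"MZ\x90\x00"},
    {"src": "10.221.32.16", "dst": "10.0.5.11", "name": "doc.pdf", "head": b"%PDF-1.7"},
]
```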

Page 34: From SIEM to SA: The Path Forward

Integrated Intelligence: Know What To Look For

OPERATIONALIZE INTELLIGENCE: Take advantage of what others have already found and apply it against your current and historical data

RSA LIVE INTELLIGENCE SYSTEM: Threat Intelligence – Rules – Parsers – Alerts – Feeds – Apps – Directory Services – Reports and Custom Actions
1. Gathers advanced threat intelligence and content
2. Aggregates & consolidates data
3. Automatically distributes correlation rules, blacklists, parsers, views, feeds

Page 35: From SIEM to SA: The Path Forward

SA vs. SIEM

Attack Step                                                 | Traditional SIEM | RSA Security Analytics
Alert for access over non-standard port                     | No               | Yes
Recreate activity of suspect IP address across environment  | No               | Yes
Show user activity across AD and VPN                        | Yes              | Yes
Alert for different credentials used for AD and VPN         | Yes              | Yes
Reconstruct exfiltrated data                                | No               | Yes