RSA IT Security Risk Management: Adding Insight to Security
RSA Security Summit, Amsterdam, The Netherlands, May 7, 2014
Alexander van Winden, GRC Solutions Consultant
© Copyright 2013 EMC Corporation. All rights reserved.
Where is Security Today?
Companies have built layer upon layer of security, but is it helping? Complexity. Data breaches. Damage.
Lack of Insight [The Noise Factor]
We believe that doing the right thing should be obvious, but for today's IT security organizations it is too often hidden.
Defense in Depth: Web Vulnerability, OS Configuration, Patch Management, Device Vulnerability, Anti-Virus/Malware, SIEM/Packets, Logical Access, IPS/IDS, VPNs, Firewalls, Physical Access
A day in the security organization:
8:02 AM – Malware infection on 10.1.2.30
8:30 AM – Voice mail from colleague re: new hacker group
9:00 AM – Meeting with QSA re: last week's vulnerability scan
11:15 AM – Vulnerability scan on DMZ completed
11:30 AM – Meeting with XYZ department on new application being installed next week
12:00 PM – Company just like us announced major breach
12:02 PM – CVE-2014-123 just released
1:45 PM – Meeting with audit committee re: security risks
2:00 PM – System outage at Phoenix branch
2:15 PM – Weird(?) network traffic reported by network team
2:53 PM – Malware outbreak on multiple machines
3:00 PM – New contractor onboarding
3:20 PM – Present security awareness training to new employees
4:15 PM – Industry ISAC security conference call
4:32 PM – HR reports social engineering attempt
5:07 PM – Port scan on 192.168.3.45
6:07 PM – Security policy meeting
8:02 PM – Malware infection on 10.10.2.32
8:30 PM – Multiple failed login attempts on 192.168.100.23
11:15 PM – Vulnerability scan found 142 critical vulnerabilities
12:00 AM – Malware infection on 10.2.3.45
12:02 AM – Sun just released a new patch to JRE 5.4.3.2
The questions hidden in that noise: Do we have a compliance issue? Is this a high risk business function? What are the executive concerns? Is this a coordinated advanced attack? Inappropriate access attempt on top secret information? Meaningless virus infection?
Which of these are most important?
The New World of Security It will become increasingly difficult to secure infrastructure
We must focus on people, the flow of data and on transactions
We Need to Change our Approach…
Improve monitoring and response capabilities.
[Figure: Defense in Depth Security versus Intelligence-Driven Security, each drawn as a mix of Prevention, Monitoring and Response; the intelligence-driven model shifts weight from prevention toward monitoring and response.]
Signal Clarity and Amplification
We provide solutions that disrupt the noise and bring clarity to the signal to amplify your decisions.
Noise becomes Visibility
Visibility + Analysis = Priority
Priority + Action = Results
Results + Metrics = Progress
IT Security Risk Management
…not a single answer but rather a solution leveraging people, process, and technology as a force multiplier. Enables organizations to:
Security Strategy (Security Policies): establish business context for security; establish security policies and standards
Security Operations (Threat & Vulnerability Management, Security Compliance): detect and respond to attacks; identify and remediate security deficiencies
…reducing the risk of today's security threats; poor, misaligned security practices; and operational security compliance failures.
Planning Your Journey
Maturity stages:
Layered (Reactive): point solutions, multiple management consoles, basic reporting
Managed (Proactive): integrated security, expanded visibility, improved analysis/metrics
Advantaged (Intelligent): fully risk aware, identify opportunity
Steps between the stages: integrate data sources; gain insight & visibility; manage known & unknown risks; make risk-based decisions
IT Security Risk Solutions
IT Security Risk Management on RSA Archer eGRC:
Preventative: Scan Results, Remediation Workflow, Gold Build Images
Responsive: Incidents & Investigations, Threat Correlation, Breach Management, Crisis Management, SOC Management
Indicators and Metrics: Measure Outcomes
Foundation: Assets (IT Context, Biz Context); Regulatory Data; Catalogs (CVE/CVSS, CPE, CWE, CCE, UCF, Threat Intel); Identity (Login/Logout, Repositories, Integrations); Focused UIs (Persona Based UI, Interactive Charts, Searching and Filtering); Workflow (Ticketing, Exceptions); Reports (Notifications)
Vulnerability Management Today
Trying to avoid the vulnerability pit…
1. Brian, IT Security Analyst, runs his vulnerability scanner.
2. The vulnerability scanner finds a number of issues on IT systems (devices, vulnerabilities).
3. Pages of results are delivered to Alice, IT Administrator, to fix.
4. Patches are pushed out or configurations are updated to fix the vulnerabilities (patch, issue).
5. Some patches are missed, don't fix the problem, or there isn't enough time to get to them. The vulnerability will sit unaddressed, possibly forever…
Carlos, CISO, is left wondering: What does this mean for business risk? What about my most valuable assets? What happens if the threats change? Can I get protection quickly? Are we improving? Do we have the right coverage?
What is VRM?
Vulnerability Risk Management allows enterprises to proactively manage IT security risks through the combination of asset business context, actionable threat intelligence, vulnerability assessment results, and comprehensive workflow.
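As an added example of the combination this definition describes (not RSA's or Archer's own code), the Python below joins constructed scan results with a constructed asset repository and a constructed threat-intel list to produce a risk-ranked issue list. The criticality weights, exploit and exposure bonuses, priority bands and SLA days are assumptions chosen for illustration, not a published scoring method.

```python
"""Vulnerability Risk Management prioritization: scan results + business
context + threat intel -> a risk-ranked issue list.

Added example, not RSA/Archer code. The weights, bands and SLA days are
illustrative assumptions; the sample data is constructed."""
from typing import Dict, List, Set

# Constructed scan results, as a scanner export would provide them
# (device, CVE, CVSS base score).
SCAN_RESULTS = [
    {"device": "web-dmz-01",  "cve": "CVE-2014-0160", "cvss": 5.0},
    {"device": "web-dmz-01",  "cve": "CVE-2013-2465", "cvss": 10.0},
    {"device": "hr-db-01",    "cve": "CVE-2013-2465", "cvss": 10.0},
    {"device": "dev-test-07", "cve": "CVE-2013-2465", "cvss": 10.0},
    {"device": "hr-db-01",    "cve": "CVE-2014-0224", "cvss": 6.8},
    {"device": "kiosk-22",    "cve": "CVE-2012-0002", "cvss": 9.3},
]

# Constructed asset repository: the business context a CMDB/GRC tool adds.
ASSETS = {
    "web-dmz-01":  {"criticality": "high",     "internet_facing": True},
    "hr-db-01":    {"criticality": "critical", "internet_facing": False},
    "dev-test-07": {"criticality": "low",      "internet_facing": False},
    # "kiosk-22" is deliberately absent: a scanned host nobody catalogued.
}

# Constructed threat intel: CVEs with public exploits / active exploitation.
EXPLOITED = {"CVE-2013-2465", "CVE-2014-0160"}

# Assumed weights: how much of the CVSS score the asset's value "keeps".
CRIT_WEIGHT = {"critical": 1.0, "high": 0.8, "medium": 0.6, "low": 0.4}
UNKNOWN_WEIGHT = 0.7      # assumed: uncatalogued assets are not presumed low value
EXPLOIT_BONUS = 2.0       # assumed: threat intel says attackers are using it
EXPOSURE_BONUS = 1.0      # assumed: reachable from the internet
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}   # assumed remediation SLAs


def band(score: float) -> str:
    """Map a risk score to a priority band (assumed thresholds)."""
    if score >= 10.0:
        return "P1"
    if score >= 7.0:
        return "P2"
    if score >= 4.0:
        return "P3"
    return "P4"


def score_finding(finding: dict, assets: Dict[str, dict], exploited: Set[str]) -> dict:
    """Combine one scan finding with asset context and threat intel."""
    asset = assets.get(finding["device"])
    if asset is None:
        weight, exposed, known = UNKNOWN_WEIGHT, False, False
    else:
        weight = CRIT_WEIGHT[asset["criticality"]]
        exposed, known = asset["internet_facing"], True
    score = finding["cvss"] * weight
    if finding["cve"] in exploited:
        score += EXPLOIT_BONUS
    if exposed:
        score += EXPOSURE_BONUS
    score = round(score, 2)
    return {
        **finding,
        "asset_known": known,
        "exploited": finding["cve"] in exploited,
        "score": score,
        "priority": band(score),
        "sla_days": SLA_DAYS[band(score)],
    }


def prioritize(findings, assets, exploited) -> List[dict]:
    """Rank all findings, highest risk first (ties broken by raw CVSS)."""
    scored = [score_finding(f, assets, exploited) for f in findings]
    return sorted(scored, key=lambda r: (-r["score"], -r["cvss"]))


def uncatalogued_devices(findings, assets) -> Set[str]:
    """Devices the scanner saw but the asset repository does not know."""
    return {f["device"] for f in findings if f["device"] not in assets}


if __name__ == "__main__":
    for r in prioritize(SCAN_RESULTS, ASSETS, EXPLOITED):
        print(f'{r["priority"]} {r["score"]:5.2f} {r["device"]:<12} {r["cve"]} '
              f'cvss={r["cvss"]} exploited={r["exploited"]} sla={r["sla_days"]}d')
    print("uncatalogued:", sorted(uncatalogued_devices(SCAN_RESULTS, ASSETS)))
```

Three things the scanner output alone cannot show fall out of the ranking: the same CVSS 10.0 finding lands in P1 on the HR database but only P3 on the dev box; a CVSS 5.0 finding that is both exploited and internet-facing outranks a CVSS 6.8 finding that is neither; and a host the scanner found but the repository does not know is surfaced as a cataloguing gap rather than silently scored as unimportant.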
VRM In A Nutshell
Steps, challenges and required capabilities:
Catalog Assets
  Challenges: inaccurate and incomplete; lack of a single system of record
  Required capabilities: create an accurate asset repository; track technical and business context; update with ease
Discover Vulnerabilities (addressed by Qualys, McAfee and others)
  Required capabilities: scan all networks; identify all types of vulnerabilities; scan without affecting IT SLAs
Classify Issues
  Challenges: no relation between technical and business data; lack of context and reliable prioritization
  Required capabilities: identify real issues; assign reliable severity ratings; prioritize issues based on real risk
Address Issues
  Challenges: lack of flexible workflows and automation
  Required capabilities: identify the right action; fix/except issues; manage through workflows
Track and Report
  Challenges: ineffective and time-consuming reporting
  Required capabilities: track the real status of issues; generate trend reports, etc.; create dashboards
VRM [solution]: Scan Results + Business Context + Threat Intel = Prioritized Issues, delivered with workflow, scalability, KPIs, speed, reports and accuracy.
Vulnerability Risk Management (VRM)
Data sources: vulnerability scan results (Qualys, McAfee); vulnerability data publications (NVD CVE); threat intelligence (US-CERT); asset taxonomies (NVD CPE); other asset data (CSV, CMDB, etc.)
Data Collector feeds the RSA VRM Data Warehouse (raw data storage, normalization, indexing)
Vulnerability Analytics: analytics engine and investigative UI, used by the IT Security Analyst
Archer Vulnerability Risk Management: devices, findings, exceptions, KPIs; workflow (Administrator); integration with GRC reporting and dashboards (CISO)
The Value of VRM
IT Security Analyst: Asset Discovery and Management, Issue Prioritization (know what you have)
IT Administrator: Issue Lifecycle Tracking, Exception and SLA Management (do the right thing)
CISO: Dashboards and Reporting, KPIs (measure and report)
Measure effectiveness, not just activity
IT Security Risk Solutions
The IT Security Risk Management diagram above (Preventative and Responsive solutions on RSA Archer eGRC over the Assets, Regulatory Data, Catalogs, Identity, Focused UIs, Workflow and Reports foundation), now highlighting the Responsive half: Security Operations Management, covering Incidents & Investigations, Threat Correlation, Breach Management, Crisis Management and SOC Management, with Indicators and Metrics to measure outcomes.
Centralizing Incident Response Teams
Detect, Investigate and Respond
Specialized team reporting to the CSO/CISO or CIO, consisting of people, process and technology.
Roles: SOC Manager; Tier 1 Analyst; Tier 2 Analyst; Threat Analyst; Analysis & Tools Support Analyst
SOC Challenges Today
Event focused and reactive, with no centralization of alerts or incident management…
Lack of Context. Lack of Best Practices. Lack of Process.
Complexities of a SOC
[Figure: the roles, stakeholders and functions a SOC has to tie together]
Roles: L1 Analyst, L2 Analyst, Threat Analyst, SOC Manager 1, SOC Manager 2, Breach Coordinator, CISO
Stakeholders: HR, Legal, Finance, IT
Functions: SIEM, Centralize Alerts, Incident Process, Threat Analysis, Host Visibility, Network Visibility, Breach Process, Shift Handoff, IT Handoff, Report KPIs, Measure Efficacy, eFraud, DLP
What is SecOps?
Security Operations Management is a domain of IT Security Risk Management: a consistent, predictable business process spanning people, process and technology. It orchestrates and manages Incident Management, Breach Management and SOC Program Management.
Security Operations Management
RSA SecOps:
Capture & analyze packets, logs & threat feeds (SA, RSA Security Analytics), which raises alerts
Aggregate alerts to incidents
Incident Response, with context from RSA Archer Enterprise Management and a launch to SA to collect additional data
Breach Response, with crisis events handled in RSA Archer BCM
SOC Program Management
Dashboard & Report
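The "aggregate alerts to incidents" step above, as an added example that is not RSA SecOps or Security Analytics code: alerts are linked into one incident when they share a host within a time window, and each incident is then enriched with asset business context, which raises its severity when a critical asset is involved. The linking rule, the 8-hour window, the severity bump and the alert and asset records (modelled on the timeline slide earlier in the deck) are all constructed assumptions.

```python
"""Aggregate alerts to incidents: link alerts that share a host within a time
window, then enrich each incident with asset business context.

Added example, not RSA SecOps/Security Analytics code. The linking rule,
the window and the severity bump for critical assets are assumptions; the
alerts and asset records are constructed (modelled on the timeline slide)."""
from datetime import datetime, timedelta
from typing import Dict, List

ALERTS = [
    {"id": "A1", "time": "2014-05-07 08:02", "type": "malware_infection",
     "hosts": ["10.1.2.30"], "severity": 3},
    {"id": "A2", "time": "2014-05-07 14:15", "type": "anomalous_traffic",
     "hosts": ["10.1.2.30", "10.2.3.45"], "severity": 2},
    {"id": "A3", "time": "2014-05-07 14:53", "type": "malware_outbreak",
     "hosts": ["10.2.3.45", "10.1.2.31"], "severity": 3},
    {"id": "A4", "time": "2014-05-07 17:07", "type": "port_scan",
     "hosts": ["192.168.3.45"], "severity": 1},
    {"id": "A5", "time": "2014-05-07 20:30", "type": "failed_logins",
     "hosts": ["192.168.100.23"], "severity": 2},
    {"id": "A6", "time": "2014-05-08 00:00", "type": "malware_infection",
     "hosts": ["10.2.3.45"], "severity": 3},
]

# Constructed asset context (what a GRC/CMDB lookup would return).
ASSETS = {
    "10.1.2.30":      {"name": "ws-finance-12", "criticality": "medium"},
    "10.1.2.31":      {"name": "ws-finance-13", "criticality": "medium"},
    "10.2.3.45":      {"name": "hr-db-01",      "criticality": "critical"},
    "192.168.100.23": {"name": "dc-01",         "criticality": "critical"},
}
MAX_SEVERITY = 4


def _ts(alert: dict) -> datetime:
    return datetime.strptime(alert["time"], "%Y-%m-%d %H:%M")


def aggregate(alerts: List[dict], assets: Dict[str, dict],
              window_hours: int = 8) -> List[dict]:
    """Group alerts into incidents and rank them by severity."""
    alerts = sorted(alerts, key=_ts)
    n, window = len(alerts), timedelta(hours=window_hours)
    parent = list(range(n))          # union-find over alert indices

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i in range(n):
        for j in range(i + 1, n):
            if _ts(alerts[j]) - _ts(alerts[i]) > window:
                break                # time-ordered: no later j fits the window
            if set(alerts[i]["hosts"]) & set(alerts[j]["hosts"]):
                parent[find(j)] = find(i)   # same host in the window: same incident

    groups: Dict[int, List[dict]] = {}
    for i, a in enumerate(alerts):
        groups.setdefault(find(i), []).append(a)

    incidents = []
    for members in groups.values():  # members are already time-ordered
        hosts = sorted({h for a in members for h in a["hosts"]})
        context = {h: assets[h] for h in hosts if h in assets}
        severity = max(a["severity"] for a in members)
        if any(c["criticality"] == "critical" for c in context.values()):
            severity = min(severity + 1, MAX_SEVERITY)   # business context raises priority
        incidents.append({
            "alerts": [a["id"] for a in members],
            "hosts": hosts,
            "first_seen": members[0]["time"],
            "severity": severity,
            "assets": {h: c["name"] for h, c in context.items()},
            "unknown_hosts": [h for h in hosts if h not in assets],
        })
    incidents.sort(key=lambda inc: (-inc["severity"], inc["first_seen"]))
    for k, inc in enumerate(incidents, 1):
        inc["id"] = f"INC-{k}"
    return incidents


if __name__ == "__main__":
    for inc in aggregate(ALERTS, ASSETS):
        print(inc["id"], "sev", inc["severity"], inc["alerts"], inc["hosts"],
              "assets:", inc["assets"], "unknown:", inc["unknown_hosts"])
```

With the 8-hour window the morning infection, the afternoon anomalous traffic and the outbreak collapse into one incident touching the HR database, which lifts it to the top of the queue; the port scan on an uncatalogued host stays a single low-severity incident with the missing context flagged. Widening the window to 12 hours also pulls the midnight re-infection of the same database into that incident, so the window is a tuning decision the analyst should be able to see.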
The Value of SecOps
IT Security Analyst: enable SOC/IR analysts to be more effective (incident prioritization, visibility & business context, workflow to guide the IR process, threat intelligence, response procedures)
Incident Coordinator: optimize SOC investments (automation, monitor KPIs, identify gaps & improve, measure security controls, manage the SOC team)
CISO: manage IT security & business risk (data breach management, enterprise risk, vendor risk, compliance risk… and more)
Backup slides: SecOps
Analyst Focused Dashboard: New and My Incident Queue; Overall Incident Status
Contextual Launch to Collect Data: launch to SA to collect additional data
Link to Business Context: New and My Incident Queue; cross-reference alerts to asset details and business context
Incident Coordinator Dashboard: Shift Handover; Analyst Workload; Incident Trends
Breach Coordinator Dashboard: Current Breaches, Impact and Records Affected
IT Operations Dashboard: Findings Addressed by IT and Help Desk
SOC Manager / CISO Dashboard: Overall View of the Security Operations Center
Backup slides: VRM
VRM – Vulnerability Analytics
Brian's (IT Security Analyst) dashboard: track issues; Brian focuses on what is important.
Are all my devices scanned? Is remediation time as per SLA? Are issues handled on time?
Facebook-style timeline to check overall operational health.
Devices, Vulnerabilities & Issues
Single system of record: How many devices do I have? Which ones are business critical? How do I discover new devices? Brian now has the full information.
1. Assets have business context from Archer, CMDBs, etc.
2. Brian easily lists high severity active issues.
3. Investigates the vulnerability, impacted device & related issues.
4. Assigns a ticket.
VRM – Issue Workflow
1. Manage Tickets
2. Assign Workflows
3. Grant Exception
4. Get Approval
VRM – Management Dashboard
1. Assess Security Risk
2. Check KPIs
3. Compare operational efficiency
Key Performance Indicators (KPIs)
Assess operational efficiency:
1. Does this group have more staff or better tools?
2. What changes can be applied to improve this group's performance?
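The questions on Brian's analytics dashboard (are all my devices scanned? is remediation time as per SLA? are issues handled on time?) and on this KPI slide (how does one group's performance compare with another's?) are all answerable from the same issue records. The Python below, an added example that is not RSA/Archer code, computes scan coverage, the SLA status of each issue (including an approved exception that stops the clock), an SLA compliance rate, and mean time-to-remediate per group. The SLA days, the 30-day stale-scan threshold and every record are constructed assumptions.

```python
"""KPIs for a vulnerability programme: scan coverage, SLA status of issues
and per-group time-to-remediate.

Added example, not RSA/Archer code. The SLA days, the 30-day 'stale scan'
threshold and all records are constructed assumptions."""
from collections import Counter
from datetime import date, timedelta
from typing import Dict, List

AS_OF = date(2014, 5, 7)                  # reporting date (assumed)
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90}  # assumed remediation SLA per priority
MAX_SCAN_AGE_DAYS = 30                    # assumed: older scans count as stale

# Constructed device inventory (device -> owning group) and last scan dates.
DEVICES = {"web-dmz-01": "ecommerce", "hr-db-01": "hr",
           "dev-test-07": "dev", "kiosk-22": "retail"}
LAST_SCAN = {"web-dmz-01": date(2014, 5, 5),
             "hr-db-01": date(2014, 4, 1),
             "dev-test-07": date(2014, 5, 6)}     # kiosk-22 never scanned

# Constructed issue records as a VRM system would hold them.
ISSUES = [
    {"id": 1, "group": "hr",        "priority": "P1", "opened": date(2014, 4, 1),  "closed": date(2014, 4, 5)},
    {"id": 2, "group": "ecommerce", "priority": "P1", "opened": date(2014, 4, 10), "closed": date(2014, 4, 25)},
    {"id": 3, "group": "ecommerce", "priority": "P2", "opened": date(2014, 4, 20), "closed": None},
    {"id": 4, "group": "hr",        "priority": "P2", "opened": date(2014, 3, 1),  "closed": None},
    {"id": 5, "group": "dev",       "priority": "P3", "opened": date(2014, 2, 1),  "closed": date(2014, 4, 1)},
    {"id": 6, "group": "retail",    "priority": "P1", "opened": date(2014, 5, 1),  "closed": None,
     "exception_until": date(2014, 6, 1)},   # approved risk exception
]


def scan_coverage(devices, last_scan, as_of=AS_OF, max_age=MAX_SCAN_AGE_DAYS) -> dict:
    """Answer 'are all my devices scanned?': current, stale and never-scanned."""
    current, stale, never = [], [], []
    for dev in sorted(devices):
        scanned = last_scan.get(dev)
        if scanned is None:
            never.append(dev)
        elif (as_of - scanned).days > max_age:
            stale.append(dev)
        else:
            current.append(dev)
    pct = round(100.0 * len(current) / len(devices), 1) if devices else 0.0
    return {"current": current, "stale": stale, "never": never, "coverage_pct": pct}


def issue_status(issue: dict, as_of=AS_OF) -> str:
    """Classify one issue against its SLA; an active exception stops the clock."""
    exc = issue.get("exception_until")
    if issue["closed"] is None and exc is not None and exc >= as_of:
        return "excepted"
    due = issue["opened"] + timedelta(days=SLA_DAYS[issue["priority"]])
    if issue["closed"] is not None:
        return "closed_in_sla" if issue["closed"] <= due else "closed_late"
    return "open_in_sla" if as_of <= due else "open_overdue"


def sla_summary(issues, as_of=AS_OF) -> dict:
    """Counts per status plus SLA compliance of what was actually closed."""
    counts = Counter(issue_status(i, as_of) for i in issues)
    closed = counts["closed_in_sla"] + counts["closed_late"]
    pct = round(100.0 * counts["closed_in_sla"] / closed, 1) if closed else 0.0
    return {**counts, "sla_compliance_pct": pct}


def group_mttr(issues) -> Dict[str, float]:
    """Mean days from open to close per group, for comparing groups' efficiency."""
    days: Dict[str, List[int]] = {}
    for i in issues:
        if i["closed"] is not None:
            days.setdefault(i["group"], []).append((i["closed"] - i["opened"]).days)
    return {g: round(sum(d) / len(d), 1) for g, d in sorted(days.items())}


if __name__ == "__main__":
    print(scan_coverage(DEVICES, LAST_SCAN))
    for i in ISSUES:
        print(i["id"], i["group"], i["priority"], issue_status(i))
    print(sla_summary(ISSUES))
    print(group_mttr(ISSUES))
```

Two caveats a practitioner would want before presenting these numbers: compliance is computed only over issues that were closed, so a backlog of open overdue issues is reported separately rather than hidden inside the percentage, and an issue under an approved exception is excluded from both the overdue count and the compliance rate, which is exactly why exceptions need the approval step shown in the issue workflow above.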