RSA IT Security Risk Management

Author: Alexia Austin
RSA IT Security Risk Management Adding Insight to Security RSA Security Summit Amsterdam, The Netherlands May 7, 2014 Alexander van Winden GRC Solutions Consultant

© Copyright 2013 EMC Corporation. All rights reserved.


Where is Security Today?

Companies have built layer upon layer of security, but is it helping? Complexity. Data breaches. Damage.

Lack of Insight [The Noise Factor]

We believe that doing the right thing should be obvious, but for today's IT security organizations it is too often hidden.

Defense in depth layers: Web Vulnerability, OS Configuration, Patch Management, Device Vulnerability, Anti-Virus/Malware, SIEM/Packets, Logical Access, IPS/IDS, VPNs, Firewalls, Physical Access.

A day of security events, with the questions the slide raises beside them:

- 8:02 AM – Malware infection on 10.1.2.30 (Do we have a compliance issue?)
- 8:30 AM – Voice mail from colleague re: new hacker group
- 9:00 AM – Meeting with QSA re: last week's vulnerability scan
- 11:15 AM – Vulnerability scan on DMZ completed
- 11:30 AM – Meeting with XYZ department on new application being installed next week (Is this a high risk business function?)
- 12:00 PM – Company just like us announced major breach
- 12:02 PM – CVE-2014-123 just released
- 1:45 PM – Meeting with audit committee re: security risks (What are the executive concerns?)
- 2:00 PM – System outage at Phoenix branch
- 2:15 PM – Weird(?) network traffic reported by network team
- 2:53 PM – Malware outbreak on multiple machines (Is this a coordinated advanced attack?)
- 3:00 PM – New contractor onboarding
- 3:20 PM – Present security awareness training to new employees
- 4:15 PM – Industry ISAC security conference call
- 4:32 PM – HR reports social engineering attempt
- 5:07 PM – Port scan on 192.168.3.45 (Inappropriate access attempt on top secret information?)
- 6:07 PM – Security policy meeting
- 8:02 PM – Malware infection on 10.10.2.32
- 8:30 PM – Multiple failed login attempts on 192.168.100.23
- 11:15 PM – Vulnerability scan found 142 critical vulnerabilities
- 12:00 AM – Malware infection on 10.2.3.45 (Meaningless virus infection?)
- 12:02 AM – Sun just released a new patch to JRE 5.4.3.2

Which of these are most important?

The New World of Security

It will become increasingly difficult to secure infrastructure. We must focus on people, the flow of data and on transactions.

We Need to Change our Approach…

Improve monitoring and response capabilities. The slide contrasts two balances of effort:

- Defense in Depth Security: Prevention, Monitoring, Response
- Intelligence-Driven Security: Monitoring, Response, Prevention (the emphasis shifts toward monitoring and response)

Signal Clarity and Amplification

We provide solutions that disrupt the noise and bring clarity to the signal, to amplify your decisions.

- Noise → Visibility
- Visibility + Analysis = Priority
- Priority + Action = Results
- Results + Metrics = Progress

IT Security Risk Management

…not a single answer but rather a solution leveraging people, process, and technology as a force multiplier. Enables organizations to:

- establish business context for security (Security Strategy)
- establish security policies and standards (Security Policies)
- detect and respond to attacks (Security Operations)
- identify and remediate security deficiencies (Threat & Vulnerability Management, Security Compliance)

…reducing the risk of today's security threats; poor, misaligned security practices; and operational security compliance failures.

Planning Your Journey

Maturity stages, from reactive to intelligent:

- Layered (Reactive): point solutions, multiple management consoles, basic reporting. Next step: integrate data sources.
- Managed (Proactive): integrated security, expanded visibility, improved analysis/metrics. Next step: manage known & unknown risks; gain insight & visibility.
- Advantaged (Intelligent): fully risk aware, identify opportunity. Next step: make risk-based decisions.

IT Security Risk Solutions

Solution map for IT Security Risk Management, built on RSA Archer eGRC:

- Preventative (Vulnerability Risk Management): Indicators and Metrics, Scan Results, Remediation Workflow, Threat Correlation, Gold Build Images, Measure Outcomes
- Responsive: Incidents & Investigations, Breach Management, Crisis Management, SOC Management
- Foundational (RSA Archer eGRC):
  - Foundation: Assets, IT Context, Biz Context, Regulatory Data
  - Catalogs: CVE/CVSS, CPE, CWE, CCE, UCF, Threat Intel
  - Identity: Login/Logout, Repositories, Integrations
  - Focused UIs: Persona Based UI, Interactive Charts, Searching and Filtering
  - Workflow: Ticketing, Exceptions
  - Reports, Notifications

Vulnerability Management Today

Trying to avoid the vulnerability pit…

1. Brian, IT Security Analyst, runs his vulnerability scanner.
2. The vulnerability scanner finds a number of issues on IT systems (devices and their vulnerabilities).
3. Pages of results are delivered to Alice, IT Administrator, to fix.
4. Patches are pushed out or configurations are updated to fix the vulnerabilities.
5. Some patches are missed, don't fix the problem, or there isn't enough time to get to them. The vulnerability will sit unaddressed, possibly forever…

Carlos, CISO, is left wondering: What does this mean for business risk? What about my most valuable assets? What happens if the threats change? Can I get protection quickly? Are we improving? Do we have the right coverage?

What is VRM?

Vulnerability Risk Management allows enterprises to proactively manage IT security risks through the combination of asset business context, actionable threat intelligence, vulnerability assessment results, and comprehensive workflow.


VRM In A Nutshell

Steps, the challenges each faces today, the required capabilities, and what VRM adds:

- Catalog Assets
  - Challenges: inaccurate and incomplete; lack of a single system of records
  - Required capabilities: create an accurate asset repository; track technical and business context; update with ease
- Discover Vulnerabilities
  - Required capabilities: scan all networks; identify all types of vulnerabilities; scan without affecting IT SLAs
  - Addressed by Qualys, McAfee and others
- Classify Issues
  - Challenges: no relation between technical and business data; lack of context and reliable prioritization
  - Required capabilities: identify real issues; assign reliable severity ratings; prioritize issues based on real risk
- Address Issues
  - Challenge: lack of flexible workflows and automation
  - Required capabilities: identify the right action; fix/except issues; manage through workflows
- Track and Report
  - Challenge: ineffective and time consuming reporting
  - Required capabilities: track the real status of issues; generate trend reports, etc.; create dashboards

VRM [solution]: Scan Results + Business Context + Threat Intel = Prioritized Issues; workflow, scalability, KPIs, speed, reports, accuracy.
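As an added example (not code from the deck or from RSA VRM), the "Classify Issues" step in Python: each scan finding starts from its CVSS score, is scaled by the asset's business context and by a threat-intel feed, and is checked against a remediation SLA. The asset table, the feed, the CVE ids, the weights and the SLA values are constructed placeholders; the device addresses are ones that appear in the slides.

```python
# Added example (not RSA VRM code): prioritize scan findings by combining scan
# results, asset business context and threat intel. All data is constructed.
from dataclasses import dataclass
from datetime import date
# Constructed asset repository (business context), keyed by device address.
ASSETS = {
    "10.1.2.30":    {"criticality": "high",   "internet_facing": True},
    "10.2.3.45":    {"criticality": "medium", "internet_facing": False},
    "192.168.3.45": {"criticality": "low",    "internet_facing": False},
}
ACTIVELY_EXPLOITED = {"CVE-0000-0001"}                   # constructed feed, placeholder ids
CRIT_WEIGHT = {"high": 3.0, "medium": 2.0, "low": 1.0}   # assumed weights
SLA_DAYS = {"high": 7, "medium": 30, "low": 90}          # assumed remediation SLAs

@dataclass
class Finding:
    device: str
    cve: str
    cvss: float
    first_seen: date

def asset_of(f: Finding) -> dict:
    # Unknown devices get the most conservative context rather than being dropped.
    return ASSETS.get(f.device, {"criticality": "low", "internet_facing": False})

def risk_score(f: Finding) -> float:
    """CVSS ranks technical severity only; scale it by asset context and threat intel."""
    score = f.cvss * CRIT_WEIGHT[asset_of(f)["criticality"]]
    if asset_of(f)["internet_facing"]:
        score *= 2.0
    if f.cve in ACTIVELY_EXPLOITED:
        score *= 2.0
    return round(score, 1)

def sla_breached(f: Finding, today: date) -> bool:
    """True when the finding is older than the SLA for the asset's criticality."""
    return (today - f.first_seen).days > SLA_DAYS[asset_of(f)["criticality"]]

# Constructed scan results, using device addresses that appear in the slides.
SAMPLE_FINDINGS = [
    Finding("192.168.3.45", "CVE-0000-0001", 9.8, date(2014, 4, 1)),
    Finding("10.1.2.30",    "CVE-0000-0002", 7.5, date(2014, 4, 25)),
    Finding("10.2.3.45",    "CVE-0000-0003", 5.3, date(2014, 4, 20)),
]

def prioritized_queue(findings=SAMPLE_FINDINGS, today: date = date(2014, 5, 7)):
    """(device, cve, score, sla_breached), SLA breaches first, then by risk score."""
    ordered = sorted(findings, key=lambda f: (sla_breached(f, today), risk_score(f)), reverse=True)
    return [(f.device, f.cve, risk_score(f), sla_breached(f, today)) for f in ordered]
```

Note that sorting by CVSS alone would put the lab host's 9.8 first; with business context the internet-facing, high-criticality host that is already past its SLA moves to the top of the queue.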

Vulnerability Risk Management (VRM) architecture

- Inputs (Data Collector): Vuln. Scan Results (Qualys, McAfee); Vuln. Data Pubs (NVD CVE); Threat Intelligence (US-CERT); Asset Taxonomies (NVD CPE); Other Asset Data (CSV, CMDB, etc.)
- RSA VRM Data Warehouse: raw data storage, normalization, indexing
- Vulnerability Analytics: analytics engine and investigative UI, used by the IT Security Analyst
- Archer Vulnerability Risk Management: Devices, Findings, Exceptions, KPIs; workflow (Administrator); integration with GRC reporting and dashboards (CISO)

The Value of VRM

- IT Security Analyst (know what you have): Asset Discovery and Management; Issue Prioritization
- IT Administrator (do the right thing): Issue Lifecycle Tracking; Exception and SLA Management
- CISO (measure and report): Dashboards and Reporting; KPIs

Measure effectiveness, not just activity.

IT Security Risk Solutions: Security Operations Management

The same solution map, now highlighting the Responsive side: Incidents & Investigations, Breach Management, Crisis Management and SOC Management, alongside the Preventative components (Indicators and Metrics, Scan Results, Remediation Workflow, Threat Correlation, Gold Build Images, Measure Outcomes) and the RSA Archer eGRC foundation (Assets, IT Context, Biz Context, Regulatory Data; Catalogs: CVE/CVSS, CPE, CWE, CCE, UCF, Threat Intel; Identity: Login/Logout, Repositories, Integrations; Focused UIs: Persona Based UI, Interactive Charts, Searching and Filtering; Workflow: Ticketing, Exceptions; Reports, Notifications).

Centralizing Incident Response Teams

Detect, investigate and respond. A specialized team reporting to the CSO/CISO or the CIO, consisting of people, process and technology. Roles: SOC Manager, Tier 1 Analyst, Tier 2 Analyst, Threat Analyst, Analysis & Tools Support Analyst.

SOC Challenges Today

Event focused and reactive, with no centralization of alerts or incident management… Lack of context, lack of best practices, lack of process.

Complexities of a SOC

- Tools and data sources: SIEM, Host Visibility, Network Visibility, DLP, eFraud
- Roles: L1 Analyst, L2 Analyst, Threat Analyst, SOC Manager 1, SOC Manager 2, Breach Coordinator, CISO
- Processes: Centralize Alerts, Threat Analysis, Incident Process, Breach Process, Shift Handoff, IT Handoff, Report KPIs, Measure Efficacy
- Other stakeholders: HR, Legal, Finance, IT

What is SecOps?

Security Operations Management sits within the IT Security Risk Management domain. It orchestrates and manages Incident Management, Breach Management and SOC Program Management across people, process and technology, as a consistent, predictable business process.

Security Operations Management (RSA SecOps)

- Capture & analyze packets, logs & threat feeds; these raise alerts
- Aggregate alerts to incidents
- Incident response, with context (launch to SA to collect data)
- Breach response (RSA Archer BCM, crisis events)
- Dashboard & report
- SOC Program Management, with business context from RSA Archer Enterprise Management

The Value of SecOps

- IT Security Analyst: enable SOC/IR analysts to be more effective: incident prioritization, visibility & business context, workflow to guide the IR process, threat intelligence, response procedures
- Incident Coordinator: optimize SOC investments: automation, monitor KPIs, identify gaps & improve, measure security controls, manage the SOC team
- CISO: manage IT security & business risk: data breach management, enterprise risk, vendor risk, compliance risk … and more

Backup slides: SecOps

Screenshots of the SecOps dashboards:

- Analyst Focused Dashboard: new and my incident queue; overall incident status
- Contextual Launch to Collect Data: launch to SA to collect additional data
- Link to Business Context: cross-reference alerts to asset details and business context
- Incident Coordinator Dashboard: shift handover, analyst workload, incident trends
- Breach Coordinator Dashboard: current breaches, impact and records affected
- IT Operations Dashboard: findings addressed by IT and help desk
- SOC Manager / CISO Dashboard: overall view of the Security Operation Center

Backup slides: VRM

VRM – Vulnerability Analytics

Brian's (IT Security Analyst) dashboard: track issues; Brian focuses on what is important. Are all my devices scanned? Is remediation time as per SLA? Are issues handled on time? A Facebook-style timeline to check overall operational health.

Devices, Vulnerabilities & Issues: single system of record

How many devices do I have? Which ones are business critical? How do I discover new devices? Brian now has the full information.

1. Assets have business context from Archer, CMDBs, etc.
2. Brian easily lists high severity active issues.
3. He investigates the vulnerability, impacted device & related issues.
4. He assigns a ticket.

VRM – Issue Workflow

1. Manage tickets
2. Assign workflows
3. Grant exception
4. Get approval

VRM – Management Dashboard

1. Assess security risk
2. Check KPIs
3. Compare operational efficiency

Key Performance Indicators (KPIs): assess operational efficiency

1. Does this group have more staff or better tools?
2. What changes can be applied to improve this group's performance?
