SECURITY ANALYTICS: WHAT NOW?


Slide 1: SECURITY ANALYTICS: WHAT NOW? (or How To Cut Through The Noise)
Ross Sonnabend, VP Operations
2015 Interset Software Inc.

Slide 2: Hi. I'm Ross.
VP, Product & Operations, focused on customer success
Previously: Accenture, Sony, Warner Bros., Disney, Fox, Paramount
Experience:
- Large System Deployment
- Program Management
- Project Management
- Product Management
- Sales Engineering
- Business to Technology Translation

Slide 3: RSA 2016: Everyone's SCREAMING the Same Thing

Slide 4: Security Analytics: What Is It?
Security Analytics / UEBA / Network
Security Analytics: Connecting data sources, adding automation & intelligence
- Reduce white noise & false positives
- Find real threats with greater accuracy
- Overcomes incomplete data sets, disconnected technologies
"By 2016, 40% of enterprises will actively analyze at least 10 terabytes of data for information security intelligence, up from less than 3% in 2011." Neil McDonald, Gartner

Slide 5: Do I Need Security Analytics?
Incident/Threat Detection -> The Event Noise Barrier -> Security Orchestration
Structured Data: AD/LDAP Connectors, Endpoints, SIEM, IP Repository Connectors
The Event Noise Barrier: False positives, Unmanaged accounts, Security gaps, Event overload, Control failures, Resource constraints, Missed clues, Weak policies, Complexity, Blind spots
Identify and mitigate threats and risk in a coordinated, timely and effective manner.
Security Orchestration:
- Security Operations: Investigation, Remediation
- IT Operations: System impact, Operational risk
- Investigators: Data theft, Root cause analysis
- Human Resources: Employee involved, Leaver theft, Watch list
- Legal: Corporate risk, Legal actions

Slide 6: Before You Buy: Who Are We?
Customer Profile A: Very Large Enterprise, Well Resourced
- Large security organization
- Embrace security orchestration
- Cyber hunters
- Invested in big data
- Data Scientists
- Broad set of use cases
- Prefers custom/semi-custom solution
Customer Profile B: Large Enterprise, Fair Resources
- Typical security organization
- Some stovepipes remain in security
- Want to be cyber hunters, can't
- Planning for big data in future
- MSSP embraced in some cases
- Broad set of use cases
- Prefer more off the shelf solution, some customization
Customer Profile C: Mid-Size Enterprise, Scarce Resources
- Small security organization
- Limited security investment
- Automation is key, not hunting
- Big data is not an option
- MSSP is reality
- Limited Use Cases
- Plug and Play is the only way

Slide 7: Before You Buy: What Path Is Right For You?
Customer Profile A / Customer Profile B / Customer Profile C
Option 1: On Premise Data Lake
- Leverage off the shelf analytics
- Custom data sources and models
- Investigate threats, automate control response
- Write custom apps on top of data lake
- Broad partnership ecosystem
- Ability to process 1TB+ data per day
Option 3: Cloud Data Lake
- Leverage off the shelf analytics
- Investigate threats, automate response
- Ability to process 1TB+ data per month

Slide 8: What Features Should I Be Looking For?
Proactively identify threats from both insiders and outsiders
Cutting-edge:
- Multi-dimensional entities
- Wizard based cyber-hunting
- Automated workflow enablement
Advanced:
- Multiple data set correlations, single threat views
- Hybrid batch and real-time processing
- Leverages unsupervised & semi-supervised machine learning
- Plain language UI & reporting
Basic:
- Support for multiple data sets: directories, repositories, security tools
- Prioritizes threats
- Integrates with your security environment
- Does not require some rules/thresholds

Slide 9: How Do I PoC/Pilot a Security Analytics Solution?
POC Focus: Analytics Validation -> Pilot Deployment
Identify Use Case -> Have Data Set Ready -> Measure Time To Value -> Validate Results -> Operationalize
Operationalize:
- Environment
- Process

Slide 10: Case Study: Successful POC/Pilot in Healthcare
POC Focus: Analytics Validation -> Pilot Deployment
Identify Use Case -> Have Data Set Ready -> Measure Time To Value -> Validate Results -> Operationalize
Operationalize:
- Environment
- Process
Use Case: Insider Threat (Employee Data Theft)
Data Set: Endpoint
- 6 Hours to deploy
- 12 days to baseline normalcy
- Day 18 found first threat
- POC lasted 6 weeks
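Slides 8 and 10 describe the behaviour a buyer should expect from the analytics (unsupervised learning that prioritizes threats without hand-written rules or thresholds, a baselining period, then a first detection) but not how such a loop works. The following is an added illustration, not Interset's code and not a description of its product: a toy UEBA-style scorer that learns each user's normal daily volume of files copied to removable media, stays silent for a baseline period, and then ranks user-days by a robust (median/MAD) deviation from that user's own history. The 12-day baseline comes from the slide; MIN_HISTORY, ALERT_SCORE, the user names and all event counts are constructed assumptions.

```python
"""Toy UEBA-style baseline-then-score loop. Added illustration, not Interset's code.

Each user's own history becomes their baseline; a day is scored by how far it
falls outside that history using a median/MAD robust z-score, so no per-user
rule or count threshold has to be written by hand.
"""
from collections import defaultdict
from statistics import median

BASELINE_DAYS = 12   # learning period before any alert fires (the slide's "12 days to baseline normalcy")
MIN_HISTORY = 5      # assumption: users with fewer own observations are scored against everyone's history
ALERT_SCORE = 6.0    # assumption: robust z-score at or above which a user-day is reported


def constructed_events():
    """Constructed sample data: (day, user, files copied to removable media that day)."""
    events = []
    for day in range(1, 21):
        events.append((day, "alice", 3 + day % 3))        # steady 3..5 files per day
        events.append((day, "bob", 8 + 2 * (day % 2)))    # steady 8 or 10 files per day
    overrides = {(18, "alice"): 60,   # large jump on day 18, far outside alice's own baseline
                 (15, "bob"): 14}     # a modest bump that should stay below the alert line
    events = [(d, u, overrides.get((d, u), c)) for d, u, c in events]
    # carol joins on day 16 with no history of her own (cold-start case)
    events += [(16, "carol", 5), (17, "carol", 6), (18, "carol", 7),
               (19, "carol", 80), (20, "carol", 6)]
    return events


def robust_z(value, history):
    """Median/MAD z-score. MAD is scaled by 1.4826 so it estimates sigma for normal data,
    and unlike mean/stdev it is not dragged around by the very outliers we want to catch."""
    med = median(history)
    mad = 1.4826 * median(abs(h - med) for h in history)
    if mad == 0:
        # degenerate history (constant counts): use a small floor so an identical value
        # still scores 0 while a real jump still scores high
        mad = max(0.1 * med, 1.0)
    return (value - med) / mad


def score_events(events, baseline_days=BASELINE_DAYS):
    """Replay events in day order; learn silently for baseline_days, then score each
    user-day against the user's own history (or the population's when the user is new).
    Returns alerts ranked by score, highest first."""
    history = defaultdict(list)
    alerts = []
    for day, user, count in sorted(events):
        own = history[user]
        reference = own if len(own) >= MIN_HISTORY else [c for h in history.values() for c in h]
        if day > baseline_days and reference:
            z = robust_z(count, reference)
            if z >= ALERT_SCORE:
                alerts.append({"day": day, "user": user, "count": count, "score": round(z, 1)})
        own.append(count)    # today's value becomes part of tomorrow's baseline
    alerts.sort(key=lambda a: a["score"], reverse=True)
    return alerts


if __name__ == "__main__":
    for alert in score_events(constructed_events()):
        print(f"day {alert['day']:>2}  {alert['user']:<6} count={alert['count']:<3} score={alert['score']}")
```

Run stand-alone it reports two user-days, alice on day 18 and carol on day 19, in that order, while bob's day-15 bump stays under the alert line. Three points the slide does not spell out are visible here: the only fixed constant is one score cut-off, because every user's count threshold is implied by their own history; a new joiner with no history is scored against the population until enough of their own days accumulate, which is where most false positives come from in a real deployment; and once an alerted day is appended to the baseline it dampens later detections for that user, which is exactly the kind of decision slide 11's "System Tuning" step has to make (for example, excluding confirmed incidents from the baseline).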

Slide 11: What Does A Successful Implementation Look Like?
Infrastructure Deployment -> Data Ingestion -> Analytical Results -> System Tuning -> Expand Deployment -> Feedback

Slide 12: Case Study: Implementation
Timeline: 4 Days / 2 Days / 30 Days / + 8 Months
Phases: Hybrid Cloud Model / Initial Data Class / Machine Learning / Next Steps
- Data Gateway onsite
- AWS Cloud Backend
- Integration Points: SIEM, Ticketing System
- Endpoint via SIEM
- Active Directory
- Models converged in 12 days
- Tuning analytics: IT Admins, Certain knowledge workers
- Analytics: Average 11 high risk events/week
- Application Repositories: EHR monitoring
- Most negligence (remediation training)
- Leaving employee
- Fraud case

Slide 13: How Do We Measure Success?
- Time to Value
- Trust In Results
- TCO
- Operational Integration

Slide 14: How Do We Measure Success?
Deployment to actionable results: 42 Days
First Threat Detected: 32 Days
- Leaving employee
Process Improvement:
- Incident response
- HIPAA compliance
- Employee remediation training

Slide 15: Wrap Up
- Have a perspective on what the solution should be
- Assess what your company can really accomplish
- Select specific Use Case
- Measure Time to Value and TCO
- Start small, then go big

Slide 16: THANK YOU