PREVENT MAJOR DATA BREACHES WITH THREAT LIFECYCLE MANAGEMENT
Seth Goldhammer, Senior Director of Product Management at LogRhythm
WELCOME
Audio is streamed over your computer; dial-in numbers and codes are on the left.
To receive your CPE credit: 1. complete 3 checkpoints, or 2. watch the recorded version from the beginning to the very end. Don't forget to take the survey!
Use the Papers tab to find a PDF copy of today's presentation and the CPE job aid.
Have a question for the speaker? Access the Q&A tab. Technical issues? Access the Help tab. Questions or suggestions? Visit https://support.isaca.org
TODAY'S SPEAKER: Seth Goldhammer, Senior Director of Product Management, LogRhythm
AGENDA
1. Highlight the Current Threat Pandemic
2. Evaluate Market Approach and Offerings
3. KPIs: Mean Time to Detect and Respond
4. Cyber Attack Lifecycle
5. End-to-End Threat Lifecycle Management
6. Solution Requirements
THE MODERN CYBER THREAT PANDEMIC
- 321 breaches in 2006
- 953 breaches in 2010
- 3,930 breaches in 2015
736 million records were exposed in 2015, compared to 96 million records in 2010.
The security industry is facing serious talent and technology shortages.
NO END IN SIGHT
- Motivated threat actors
- Expanding attack surface
- Cybercrime supply chain
A NEW SECURITY APPROACH IS REQUIRED
Prevention-centric approaches can stop common threats. However, advanced threats:
- Require a broader view to recognize
- Only emerge over time
- Get lost in the noise
Big Data analytics can best detect these threats:
- Big Data analytics to identify advanced threats
- Qualified and prioritized detection, reducing noise
- Incident response workflow orchestration and automation
- Capabilities to prevent high-impact breaches and damaging cyber incidents
STRATEGIC SHIFT TO DETECTION AND RESPONSE IS OCCURRING
[Chart: share of enterprise IT security budgets allocated to Prevention versus Detection & Response in 2013, 2015 and 2020]
"By 2020, 60% of enterprise information security budgets will be allocated for rapid detection and response approaches, up from 20% in 2015." Gartner, 2016
Sources: Gartner, Shift Cybersecurity Investment to Detection and Response, January 2016; Gartner, Forecast: Information Security, Worldwide, 2014-2020, 1Q16 Update, April 2016
Note: Excludes security services from estimated overall market spend for enterprise information security
FASTER DETECTION & RESPONSE REDUCES RISK
[Chart: as MTTD & MTTR shrink from years, months, weeks, days and hours down to minutes, the risk and impact of a breach falls from devastating to avoided]
- 2,982 days was the longest time to detection observed. Mandiant M-Trends 2015
- 205: median number of days that threat groups were present on a victim's network before detection. Mandiant M-Trends 2015
- In 60% of cases, attackers are able to compromise an organization within minutes. 2015 Verizon Data Breach Report
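The two KPIs on this slide, mean time to detect (MTTD) and mean time to respond (MTTR), are only as useful as the way they are computed: a handful of long-dwell intrusions drags the mean far above the median, which is why the cited statistics quote medians and maxima separately. The following is an added example (not code from the presentation or from LogRhythm) that computes both KPIs from a constructed set of incident records, each carrying compromise, detection and containment timestamps, and places the results on the slide's minutes-to-years scale; the incident data and the bucket boundaries are assumptions made for the example.

```python
from datetime import datetime, timezone
from statistics import mean, median

# Constructed incident records (not from the presentation). Each record holds
# the three timestamps the KPIs are built from: when the attacker first gained
# access, when the SOC detected the intrusion, and when it was contained.
INCIDENTS = [
    {"id": "INC-1", "compromised": "2016-01-03T08:00:00Z",
     "detected": "2016-01-03T08:25:00Z", "contained": "2016-01-03T11:00:00Z"},
    {"id": "INC-2", "compromised": "2015-11-01T00:00:00Z",
     "detected": "2016-05-24T00:00:00Z", "contained": "2016-06-01T00:00:00Z"},
    {"id": "INC-3", "compromised": "2016-02-10T09:00:00Z",
     "detected": "2016-02-17T09:00:00Z", "contained": "2016-02-19T09:00:00Z"},
    {"id": "INC-4", "compromised": "2016-03-01T12:00:00Z",
     "detected": "2016-03-01T12:05:00Z", "contained": "2016-03-01T12:45:00Z"},
    {"id": "INC-5", "compromised": "2016-04-05T00:00:00Z",
     "detected": "2016-04-26T00:00:00Z", "contained": "2016-04-27T00:00:00Z"},
]

# Upper bounds (in seconds) of the chart's scale; anything beyond is "years".
SCALE = [("minutes", 3600), ("hours", 86400), ("days", 7 * 86400),
         ("weeks", 30 * 86400), ("months", 365 * 86400)]


def parse_ts(value):
    """Parse an ISO 8601 timestamp with a trailing 'Z' into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def dwell_seconds(incident):
    """Time to detect for one incident: compromise -> detection (the dwell time)."""
    return (parse_ts(incident["detected"]) - parse_ts(incident["compromised"])).total_seconds()


def response_seconds(incident):
    """Time to respond for one incident: detection -> containment."""
    return (parse_ts(incident["contained"]) - parse_ts(incident["detected"])).total_seconds()


def scale_bucket(seconds):
    """Map a duration onto the chart's scale: minutes, hours, days, weeks, months or years."""
    for name, limit in SCALE:
        if seconds < limit:
            return name
    return "years"


def kpis(incidents):
    """Mean and median time to detect / respond across a set of incidents, in seconds."""
    dwell = [dwell_seconds(i) for i in incidents]
    resp = [response_seconds(i) for i in incidents]
    return {
        "mttd_mean": mean(dwell), "mttd_median": median(dwell),
        "mttr_mean": mean(resp), "mttr_median": median(resp),
    }


def outliers(incidents, bucket="months"):
    """Incidents whose dwell time sits at or beyond the given bucket; these dominate the mean."""
    order = [name for name, _ in SCALE] + ["years"]
    return [i["id"] for i in incidents
            if order.index(scale_bucket(dwell_seconds(i))) >= order.index(bucket)]


if __name__ == "__main__":
    k = kpis(INCIDENTS)
    for name, value in k.items():
        print(f"{name}: {value / 86400:.2f} days ({scale_bucket(value)})")
    print("long-dwell incidents:", outliers(INCIDENTS))
```

On the constructed data the median dwell is one week while the mean is about 47 days, pulled up by the single 205-day intrusion that `outliers` reports; tracking the median and listing the outliers separately is what makes the KPI actionable rather than a single number that one old intrusion can swamp.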
THE CYBER ATTACK LIFECYCLE
Modern threats take their time and leverage the holistic attack surface.
1. Recon. & Planning
2. Initial Compromise
3. Command & Control
4. Lateral Movement
5. Target Attainment
6. Exfiltration, Corruption, Disruption
END-TO-END THREAT LIFECYCLE MANAGEMENT WORKFLOW
TIME TO DETECT
- Forensic Data Collection: security event data; log & machine data; forensic sensor data
- Discover: search analytics; machine analytics
- Qualify: assess threat; determine risk; is full investigation necessary?
TIME TO RESPOND
- Investigate: analyze threat; determine nature and extent of incident
- Neutralize: implement countermeasures; mitigate threat & associated risk
- Recover: clean up; report; review; adapt
PREPARING LOG DATA FOR ANALYSIS
Log sources: Wireless Access Management, Web Server, Virtualization, VPN, Switch, Storage, Router, Remote Access, Point of Sale, IAM, Firewall, File Integrity Monitor, Email Security, Database
Sensors: Network Monitor sensors, Endpoint Monitor sensors
Data processing: Uniform Data Classification, Uniform Data Structure, Time Normalization, User Persona, Host Persona, Geolocation, Flow Direction, and more
Benefits:
- Serves as IT environment abstraction layer
- Enables generic scenario representation
- Allows for high-efficacy packaged analytics modules
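The processing steps listed above are what turn a pile of vendor-specific log lines into something a generic scenario can be written against. The following is an added example, not code from the presentation or from any LogRhythm product, that normalizes three constructed log lines (a netfilter-style firewall line in local time with no year, an Apache combined-format access line, and an sshd failure) into one uniform record with a shared UTC clock, a classification, flow direction relative to the internal address space, a geolocation lookup and a host persona from an asset inventory. The internal networks, asset table, geolocation table, collection year and the firewall's UTC-5 offset are all assumptions made for the example.

```python
import re
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed environment data (not from the presentation): internal address
# space, an asset inventory supplying the host persona, and a tiny geolocation
# table keyed by external prefix (203.0.113.0/24 is a documentation range).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
ASSETS = {
    "fw01": {"ip": "10.0.0.1", "classification": "perimeter-firewall", "risk": 9},
    "web01": {"ip": "10.0.0.80", "classification": "dmz-web-server", "risk": 7},
    "srv02": {"ip": "10.0.0.50", "classification": "file-server", "risk": 8},
}
GEO = {ipaddress.ip_network("203.0.113.0/24"): "XX"}   # constructed country code
COLLECTION_YEAR = 2016                        # assumed: syslog timestamps carry no year
FIREWALL_TZ = timezone(timedelta(hours=-5))   # assumed: fw01 logs local time, UTC-5

# Constructed raw events, tagged the way a collector would: (source type, origin host, line).
RAW_EVENTS = [
    ("firewall", "fw01",
     "Jan 12 14:03:22 fw01 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.45 DST=10.0.0.12 "
     "PROTO=TCP SPT=51234 DPT=443"),
    ("webserver", "web01",
     '10.0.0.12 - alice [12/Jan/2016:19:03:25 +0000] "GET /admin HTTP/1.1" 200 512'),
    ("auth", "srv02",
     "2016-01-12T19:03:30Z srv02 sshd[2211]: Failed password for bob from 10.0.0.12 port 40022 ssh2"),
]

FW_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<action>ACCEPT|DROP) "
                   r".*SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)")
WEB_RE = re.compile(r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) '
                    r'[^"]*" (?P<status>\d{3}) \d+')
AUTH_RE = re.compile(r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
                     r"(?P<user>\S+) from (?P<src>\S+) port \d+")


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flow_direction(src, dst):
    """Classify a flow relative to the internal address space."""
    if src is None or dst is None:
        return "unknown"
    return {(False, True): "inbound", (True, False): "outbound",
            (True, True): "internal", (False, False): "external"}[(is_internal(src), is_internal(dst))]


def geolocate(ip):
    """Country code for an external address from the constructed table; 'internal' for our own space."""
    if ip is None:
        return None
    if is_internal(ip):
        return "internal"
    addr = ipaddress.ip_address(ip)
    return next((country for net, country in GEO.items() if addr in net), "unknown")


def to_utc(source, ts):
    """Time normalization: every source's timestamp format becomes an aware UTC datetime."""
    if source == "firewall":      # "Jan 12 14:03:22": local time, no year, no offset
        local = datetime.strptime(f"{COLLECTION_YEAR} {ts}", "%Y %b %d %H:%M:%S")
        return local.replace(tzinfo=FIREWALL_TZ).astimezone(timezone.utc)
    if source == "webserver":     # "12/Jan/2016:19:03:25 +0000": offset present
        return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def _match(regex, line):
    m = regex.match(line)
    if m is None:
        raise ValueError(f"line does not match its source format: {line!r}")
    return m


def normalize(source, host, line):
    """Parse one raw line into the uniform record every analytics module consumes."""
    asset = ASSETS.get(host, {})
    rec = {"source": source, "host": host, "host_persona": asset.get("classification"),
           "host_risk": asset.get("risk"), "user": None, "src_ip": None, "dst_ip": asset.get("ip")}
    if source == "firewall":
        m = _match(FW_RE, line)
        rec.update(classification="network/allow" if m["action"] == "ACCEPT" else "network/deny",
                   src_ip=m["src"], dst_ip=m["dst"], dst_port=int(m["dpt"]))
    elif source == "webserver":
        m = _match(WEB_RE, line)
        rec.update(classification="web/access", src_ip=m["src"], path=m["path"],
                   user=None if m["user"] == "-" else m["user"], status=int(m["status"]))
    elif source == "auth":
        m = _match(AUTH_RE, line)
        rec.update(classification="auth/failure" if m["result"] == "Failed" else "auth/success",
                   user=m["user"], src_ip=m["src"])
    else:
        raise ValueError(f"unsupported source type: {source}")
    rec["time_utc"] = to_utc(source, m["ts"]).isoformat()
    rec["direction"] = flow_direction(rec["src_ip"], rec["dst_ip"])
    rec["src_geo"] = geolocate(rec["src_ip"])
    return rec


def normalize_all(events):
    """Normalize a batch and order it on the common UTC clock."""
    return sorted((normalize(*e) for e in events), key=lambda r: r["time_utc"])


if __name__ == "__main__":
    for r in normalize_all(RAW_EVENTS):
        print(r["time_utc"], r["classification"], r["direction"], r["src_ip"], "->",
              r["dst_ip"], r["user"], r["host_persona"], r["src_geo"])
```

Once normalized, the three lines line up eight seconds apart on one clock even though the firewall wrote them in local time: an inbound connection from an external address, followed by the same internal host requesting /admin and then failing an SSH login on a file server. A scenario written against the uniform fields (classification, direction, host persona, user) needs no knowledge of which vendor produced each line, which is the abstraction-layer benefit the slide describes.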
KEY CHALLENGES IN BEHAVIORAL ANALYSIS
Behavior is not recognized by a single dimension, but by the intersection of multiple dimensions, each with multiple attributes:
- Internal Context: Business Value, Asset Classification, Risk Rating, Vulnerability
- Network: Connection, Direction, Content, Volume
- Endpoint: Process, Access, File Activity, Resources, Normal
- User: Identity, Access, Privilege
- Application: Access, Transactions, Error Behavior
- External Context: Threat Intelligence, IP Reputation, GeoLocation
Manual discovery of what's normal is impractical due to the sheer volume of data across multiple types of dimensions:
- An unmanageable volume of false positives based on benign anomalies
- Significant blind spots / false negatives
Need an automated technology to learn behavioral attributes across multiple dimensions.
WHAT IS MACHINE LEARNING?
Machine learning is a subfield of computer science that evolved from the study of pattern recognition and computational learning theory in artificial intelligence. Machine learning explores the study and construction of algorithms that can learn from and make predictions on data. Such algorithms operate by building a model from example inputs in order to make data-driven predictions or decisions, rather than following strictly static program instructions.
A core component of learning is the ability to draw generalized conclusions from specific examples. [Figure: pictures of individual fruits, generalized to the concept "fruit"]
- Supervised: matching inputs and outputs are presented to the algorithm to tune its memory
- Unsupervised: the algorithm is left to its own devices to tune its memory
THE CHALLENGE
The security analytics use case presents some unique challenges when applying machine learning:
- Differentiation of anomaly detection vs. security threat detection
- Injection of domain knowledge required
- Cost of errors: false positives are expensive for security analytics; false negatives are a failure of security analytics
- Translation of algorithm output into actionable information
- Scale and heterogeneity of data
- Lack of training data makes supervised learning difficult at best
FUSION OF ANALYTICS METHODS
Behavioral Anomaly Detection (Behavioral Analytics)
- Machine learning techniques detecting anomalous activity unseen by pattern/scenario-based detection methods
- Baselining across months with near-real-time anomaly recognition
- Provides high-fidelity data to scenario-based analytics identifying and qualifying the highest priority threats
- Facilitates machine-assisted hunting
Scenario-Based Analytics (Enterprise Threat Qualification)
- Multi-dimensional scenario-based analytics
- Baselining across weeks with real-time recognition
- Machine learning via statistical and behavioral baselining
- Corroboration of anomalous behavior into a qualified threat alert, adding risk and threat context
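The two layers on this slide, and the false-positive problem raised under KEY CHALLENGES IN BEHAVIORAL ANALYSIS, fit together as follows: an unsupervised baseline flags deviations from each user's own history, and a scenario layer then asks whether other dimensions (user privilege, external context such as threat intelligence) corroborate the deviation before anything is raised as a qualified alert. The following is an added example, not code from the presentation or from any LogRhythm product, that implements that pipeline over constructed data: 28 days of per-user outbound byte counts as the baseline, a robust z-score (median and median absolute deviation) as the anomaly test, and a corroboration step that assigns a risk score. The history, threshold, user context, threat-intelligence list and risk weights are assumptions made for the example.

```python
from statistics import median

ANOMALY_THRESHOLD = 3.5   # robust z-score above which today's value counts as an anomaly

# Constructed data (not from the presentation): 28 days of bytes sent to external
# hosts per user (the behavioral baseline), today's value, the external destination
# each user talked to today, user context, and a threat-intelligence list.
HISTORY = {
    "alice": [120, 130, 125, 118, 140, 122, 128] * 4,
    "bob": [2000, 2100, 1950, 2050, 2000, 2200, 1900] * 4,
    "svc-backup": [50000] * 28,
}
TODAY = {"alice": 5200, "bob": 2150, "svc-backup": 49000}
TODAY_DEST = {"alice": "203.0.113.9", "bob": "198.51.100.7", "svc-backup": "198.51.100.20"}
USERS = {"alice": {"privileged": True}, "bob": {"privileged": False},
         "svc-backup": {"privileged": False}}
THREAT_INTEL = {"203.0.113.9"}   # constructed: destinations with a bad reputation


def robust_z(value, history):
    """Distance from the baseline median in units of scaled median absolute deviation.
    Median/MAD rather than mean/stddev, so a few past spikes do not inflate the baseline."""
    med = median(history)
    mad = median(abs(h - med) for h in history)
    if mad == 0:                      # perfectly flat history: any change at all stands out
        return 0.0 if value == med else float("inf")
    return (value - med) / (1.4826 * mad)


def detect_anomaly(user):
    """Layer one: behavioral anomaly detection against the user's own baseline."""
    z = robust_z(TODAY[user], HISTORY[user])
    return {"user": user, "z": z, "anomalous": z > ANOMALY_THRESHOLD}


def qualify(anomaly):
    """Layer two: scenario-based corroboration. An anomaly becomes a qualified alert
    only when other dimensions agree; an uncorroborated one is kept for hunting."""
    if not anomaly["anomalous"]:
        return None
    user = anomaly["user"]
    corroborations = []
    if USERS[user]["privileged"]:
        corroborations.append("privileged-user")
    if TODAY_DEST[user] in THREAT_INTEL:
        corroborations.append("threat-intel-destination")
    if not corroborations:
        return {"user": user, "status": "anomaly-only", "risk": 20, "context": []}
    return {"user": user, "status": "qualified",
            "risk": min(100, 40 + 30 * len(corroborations)), "context": corroborations}


def run_pipeline():
    """Run both layers over every user; maps user -> qualified alert, anomaly-only record, or None."""
    return {user: qualify(detect_anomaly(user)) for user in HISTORY}


if __name__ == "__main__":
    for user, result in run_pipeline().items():
        print(user, result)
```

On the constructed data all three users behave differently under the baseline alone: alice's volume is hundreds of deviations above her norm, bob is within noise, and svc-backup is flagged purely because its flat history makes a two-percent dip look abnormal. Only alice's anomaly is corroborated (privileged account, destination on the threat list) and becomes a qualified alert with risk 100; the svc-backup deviation stays an anomaly-only record with a low score, available for hunting but not paged to an analyst, which is the "benign anomaly" false positive the earlier slide warns about.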
EXPEDITING RESPONSE
Goal: Expedite forensic analysis by creating a work area that allows users to analyze multiple datasets related to a common ongoing investigation.
1. Incident Detection: begins with an alarm, event, or log.
2. Case Creation: cases must be created instantly from any view. Access should be explicit and communication controlled.
3. Incident Response: cases should always be accessible, enabling information from alarms, log or audit data, files, PCAPs, etc., to be quickly added and annotated.
4. Collaboration + Automation: pre-identify escalation paths by incident type, employ smart eyeballs, automate mundane tasks, add quick approval processes for countermeasures.
5. Incident Resolution: detailed history of the case, including relevant evidence and workflows for long-term IR management.
THIS APPROACH IS NOT EFFECTIVE
[Figure: separate products for each function: Log Management; SIEM; Endpoint Monitoring & Forensics; Security Analytics; Security Automation & Orchestration; Network Behavioral Analytics]
OBSTACLES TO FASTER DETECTION & RESPONSE
- Alarm Fatigue
- Swivel Chair Analysis
- Forensic Data Silos
- Fragmented Workflow
- Lack of Automation
SOLUTION REQUIREMENTS
Workflow: Forensic Data Collection, Discover, Qualify (time to detect); Investigate, Neutralize, Recover (time to respond)
- Unified Platform Supporting End-to-End Workflow
- Holistic Visibility
- Search and Machine-Based Analytics Enabled by Data Processing
- Scenario and Machine Learning Analytics
- Embedded Security Automation and Orchestration
THANK YOU
Questions?
THIS TRAINING CONTENT ("CONTENT") IS PROVIDED TO YOU WITHOUT WARRANTY, AS IS AND WITH ALL FAULTS. ISACA MAKES NO REPRESENTATIONS OR WARRANTIES EXPRESS OR IMPLIED, INCLUDING THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR PERFORMANCE, AND NON-INFRINGEMENT, ALL OF WHICH ARE HEREBY EXPRESSLY DISCLAIMED. YOU ASSUME THE ENTIRE RISK FOR USE OF THE CONTENT AND ACKNOWLEDGE THAT: ISACA HAS DESIGNED THE CONTENT PRIMARILY AS AN EDUCATIONAL RESOURCE FOR IT PROFESSIONALS AND THEREFORE THE CONTENT SHOULD NOT BE DEEMED EITHER TO SET FORTH ALL APPROPRIATE PROCEDURES, TESTS, OR CONTROLS OR TO SUGGEST THAT OTHER PROCEDURES, TESTS, OR CONTROLS THAT ARE NOT INCLUDED MAY NOT BE APPROPRIATE; ISACA DOES NOT CLAIM THAT USE OF THE CONTENT WILL ASSURE A SUCCESSFUL OUTCOME AND YOU ARE RESPONSIBLE FOR APPLYING PROFESSIONAL JUDGMENT TO THE SPECIFIC CIRCUMSTANCES PRESENTED TO DETERMINE THE APPROPRIATE PROCEDURES, TESTS, OR CONTROLS.
Copyright 2017 by the Information Systems Audit and Control Association, Inc. (ISACA). All rights reserved. This webinar may not be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise).
THANK YOU FOR ATTENDING THIS WEBINAR