Integrated ActiveCyber Defense
Reducing Your Risk of Compromise Through Integrated & Automated Active Cyber Defense
“We think it [the future of Cybersecurity] lies in leveraging automation and integration to be able to detect and mitigate Cybersecurity risk in real time.”
Our Moderators Today
– Pat Arvidson, Director for Defending DoD Networks and Mission Assurance, OSD, Office of the Principal Cyber Advisor (Moderator)
– Russell Glenn, Director, Cybersecurity ACD Integration, KEYW Corp. (Moderator)
Our Panelists Today
– Travis Rosiek, Federal CTO, FireEye (Panelist)
– Chris Fedde, President, Hexis Cyber Solutions (Panelist)
– Ryan Gillis, Vice President, Cybersecurity Strategy and Global Policy, Palo Alto Networks (Panelist)
– John Stoner, Federal Security Strategist, Splunk (Panelist)
State of Cyber Defense
Cyber Network Defenders Overwhelmed
– Burdened under the “fog of alerts”
– Unable to focus on APT/Nation State attacks
Cyber Network Defenders Need
– Tools/processes that automatically handle basic threats (80%)
– Tools that enable operators to hunt advanced threats with enriched threat intel
– Policy driven automation is not a new idea (ex: automated system lock out, anti-virus)
SHORTSTOP Architecture
Layered architecture diagram (labels recovered from the figure):
– L1: NGFW, Heuristic/Sandbox, ERD, Compliance
– L2: Integration
– L3: Mission Threads
– L4: Analytics
Incident Response Story
Current Incident Response
– Threat incident occurs
– Incident response team responds
– Incident analysis occurs from logs and existing data
– Threat is identified; damage assessment and cleanup occur
So what if we created Automated Incident Response? What would it look like?
Integrated Approach + Logical Architecture
The SHORTSTOP layered approach to cyber security leverages the traditional military strategy of the decision cycle – Observe, Orient, Decide, and Act (OODA) – applying it to all major threat vectors.
Logical architecture diagram (labels recovered from the figure): each layer runs its own Observe / Orient / Decide / Act cycle.
– Sensor Threat Feeds: Next Generation Firewall, Heuristic / Sandbox, Endpoint Remediation, Device Compliance
– Sensor Analytics (one per sensor)
– Integration, Data Enrichment / Splunk
– Mission Threads, Mission Effects
– SHORTSTOP System Analytics
SHORTSTOP Reference Architecture
SHORTSTOP is provided as a turn-key system, or reference design, to deploy best-in-class cyber defense:
– Central management/threat aggregation layer for threat correlation
– Course Of Action development based on enterprise environment and threat posture
– Commercial security technologies to address all major threat vectors
– Detection and Heuristics at the perimeter, internal/external networks, and the endpoint
– Continuous, automated, policy-driven response to confirmed threats
Architecture Components
Perimeter
– Inbound network IOC detection. On-demand threat blocking.
Network
– Internal network IOC detection, primarily sandboxing or threat replay technology, detecting advanced IOCs.
Endpoint
– Detect malicious activity and outbound threats emanating from the host. Verify that threats seen on the network actually exist on the endpoint.
– Apply policy driven countermeasures to remove the threat.
Command/Control/Orchestration/Integration
– Correlate sensors and IOCs from Endpoint and Network. Provide common visibility of the threat. Automate response to the threat at the endpoint and network layers.
Initial Deployment
SHORTSTOP Benefits to Enterprise Security
Reduce incident response times through policy driven automation:
– Confirm host infections, increase detection effectiveness and reduce false positives.
– Automate response actions with HawkEye G's policy based response capabilities to more rapidly and efficiently contain and remove threats at machine speed.
– Coordinate threat identification and tool integration with Splunk as the integration layer to automatically respond to threats.
Cyber Situational Awareness:
– Improve visibility through a unified solution architecture that combines detection at all layers of the enterprise into a common visual representation with Splunk and HawkEye G.
Increase Blue/Hunt capabilities:
– Provide additional analytic and hunting capabilities by leveraging Splunk to collect, synthesize, and enrich all threat indicators from HawkEye G, Palo Alto Networks, and FireEye.
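The Architecture Components slide describes the core rule of the design: a network IOC is correlated with endpoint telemetry, the integration layer confirms the infection, and only confirmed threats get an automated, policy-driven countermeasure. The benefits slide above restates this as "confirm host infections ... reduce false positives" and "automate response actions ... at machine speed". The following is an added example of that Observe / Orient / Decide / Act loop written as an orchestration rule; it is not KEYW, HawkEye G, Splunk, Palo Alto Networks or FireEye code. The sensor names, event fields, scoring policy, thresholds, the "critical mission host" list and every sample alert are constructed assumptions. It shows three outcomes the slides only name: a network alert corroborated on the endpoint is acted on automatically, an uncorroborated one goes to the hunt queue with its enrichment, and a confirmed infection on a host tied to a critical mission thread is blocked at the perimeter but isolation waits for analyst approval.

```python
"""Policy-driven correlation and response loop (Observe / Orient / Decide / Act).

Added example modelled on the layered approach in the slides; not vendor code.
Event fields, scoring policy, thresholds and all sample data are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Observe: constructed, normalised sensor events as an integration layer
# might index them. Hashes are placeholders, not real samples.
NETWORK_ALERTS = [
    {"sensor": "ngfw", "host": "10.1.4.22", "ioc": "203.0.113.9", "ioc_type": "ip", "severity": 6},
    {"sensor": "sandbox", "host": "10.1.4.22", "ioc": "sha256:aaaa1111", "ioc_type": "hash", "severity": 8},
    {"sensor": "ngfw", "host": "10.1.7.5", "ioc": "198.51.100.4", "ioc_type": "ip", "severity": 6},
    {"sensor": "ngfw", "host": "10.1.9.1", "ioc": "203.0.113.9", "ioc_type": "ip", "severity": 6},
    {"sensor": "sandbox", "host": "10.1.2.8", "ioc": "sha256:bbbb2222", "ioc_type": "hash", "severity": 3},
]
ENDPOINT_EVENTS = [  # what the endpoint sensor actually saw on each host (constructed)
    {"host": "10.1.4.22", "observed": {"sha256:aaaa1111", "203.0.113.9"}},
    {"host": "10.1.7.5", "observed": set()},  # nothing on the host backs the NGFW alert
    {"host": "10.1.9.1", "observed": {"203.0.113.9"}},
    {"host": "10.1.2.8", "observed": {"sha256:bbbb2222"}},
]

# Orient: enrichment sources (constructed).
THREAT_INTEL = {"203.0.113.9": "known C2", "sha256:aaaa1111": "known dropper"}
CRITICAL_MISSION_HOSTS = {"10.1.9.1"}  # mission-thread context: never auto-isolate

# Decide: policy knobs (assumed values).
VERIFIED_BONUS = 5      # network IOC also seen by the endpoint sensor
INTEL_BONUS = 3         # IOC matches threat intel
AUTO_ACT_THRESHOLD = 12 # below this, a confirmed host still gets a human look


@dataclass
class CourseOfAction:
    host: str
    status: str                      # "confirmed" or "unverified"
    score: int
    actions: list = field(default_factory=list)
    evidence: list = field(default_factory=list)


def orient(network_alerts, endpoint_events):
    """Group network alerts by host, check which IOCs the endpoint corroborates,
    and look each IOC up in threat intel. Returns {host: (alerts, verified, intel_hits)}."""
    seen_on_host = {e["host"]: set(e["observed"]) for e in endpoint_events}
    by_host = defaultdict(list)
    for alert in network_alerts:
        by_host[alert["host"]].append(alert)
    oriented = {}
    for host, alerts in by_host.items():
        verified = [a for a in alerts if a["ioc"] in seen_on_host.get(host, set())]
        intel_hits = {a["ioc"]: THREAT_INTEL[a["ioc"]] for a in alerts if a["ioc"] in THREAT_INTEL}
        oriented[host] = (alerts, verified, intel_hits)
    return oriented


def decide(host, alerts, verified, intel_hits):
    """Apply the response policy and return a CourseOfAction; no side effects here."""
    score = sum(a["severity"] for a in alerts)
    score += VERIFIED_BONUS * len(verified) + INTEL_BONUS * len(intel_hits)
    evidence = [f'{a["sensor"]}:{a["ioc"]}' for a in alerts]
    if not verified:
        # Single-sensor signal: do not act automatically, hand to hunters with enrichment.
        return CourseOfAction(host, "unverified", score, [f"hunt_queue:{host}"], evidence)
    coa = CourseOfAction(host, "confirmed", score, [], evidence)
    for a in verified:  # countermeasure per IOC type, at the layer that owns it
        if a["ioc_type"] == "ip":
            coa.actions.append(f"ngfw_block_ip:{a['ioc']}")
        else:
            coa.actions.append(f"endpoint_quarantine_file:{a['ioc']}")
    if score < AUTO_ACT_THRESHOLD:
        coa.actions.append(f"analyst_review:{host}")
    elif host in CRITICAL_MISSION_HOSTS:
        coa.actions.append(f"analyst_approval:isolate_host:{host}")
    else:
        coa.actions.append(f"isolate_host:{host}")
    return coa


def run_loop(network_alerts, endpoint_events):
    """Observe -> Orient -> Decide. Act (dispatching actions to tools) is the caller's job."""
    return {host: decide(host, *parts) for host, parts in orient(network_alerts, endpoint_events).items()}


if __name__ == "__main__":
    for coa in run_loop(NETWORK_ALERTS, ENDPOINT_EVENTS).values():
        print(coa.host, coa.status, coa.score, coa.actions)
```

The Act step is deliberately left as returned action strings rather than tool calls, so the policy can be unit-tested offline; in a deployment each string would map to the firewall or endpoint agent API. The important property a practitioner should keep when adapting this is the first branch of `decide`: nothing is auto-remediated on a single sensor's word, which is what turns "fog of alerts" into a short list of confirmed hosts.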
SHORTSTOP Benefits to Operations
Operators:
– Increase capability of the existing work force by leveraging automated technology
– Improve efficiency of incident response (decrease onsite hunting, automate common threat response, correlate threats to prioritize alerts)
Tools:
– Integrate with existing tools and investments
– Ease of integration of new tools and capabilities
– Coordination of sensor data improves threat identification, incident response, and hunting
– Custom development for analytics and COAs still enabled
Processes:
– Simplify operational processes for operators
– Lower barrier to entry for trained forces