RSA SECURITY ANALYTICS
See Everything. Fear Nothing.

Valerio Coletti
RSA Account Manager, Partner Sales
17 February 2016
Evolution of Threat Actors & Detection Implications

At first, there were HACKS: preventative controls filter known attack paths.
[Diagram: malicious traffic from threat actors passes through Firewall, IDS/IPS and AntiVirus on its way to corporate assets; the whitespace left between those controls is where successful HACKS land.]
Evolution of Threat Actors & Detection Implications

At first, there were HACKS: preventative controls filter known attack paths.
Then, ATTACKS: despite increased investment in controls, including SIEM.
[Diagram: the same controls now send more logs into a SIEM, which records blocked sessions and raises alerts; the whitespace between the controls is where successful ATTACKS land.]
Evolution of Threat Actors & Detection Implications

Now, successful ATTACK CAMPAIGNS target any and all whitespace.
Complete visibility into every process and every network session is required to eradicate the attacker's opportunity.
Security Analytics: a unified platform for advanced threat detection & investigations.
[Diagram: Security Analytics adds endpoint visibility (every process) and network visibility (every network session) alongside logs, Firewall, IDS/IPS and AntiVirus in front of corporate assets.]
The Power Of A Modular Risk-Based Approach: Security Analytics

Data sources and the visibility each one provides:
• NetFlow (wide): how far the intrusion spread
• Endpoints (extended): where the infection is located
• Logs (basic): connection information
• Packets (deep): how you got infected and what the attacker did
RSA Security Analytics Solution: capture, enrich and analyze data from across your network

[Diagram: LOGS, PACKETS, ENDPOINT and NETFLOW data, on-prem and cloud, are captured with capture-time data enrichment and advanced analytics, giving Visibility, Analysis and Action: Investigation, Compliance Reporting, Endpoint Analysis, Session Reconstruction and Incident Management. RSA LIVE INTELLIGENCE enriches the data with Threat Intelligence, Rules, Parsers, Feeds, Reports and RSA Research.]
Integrated Intelligence with RSA Live

RSA LIVE: Threat Intel | Biz Context | Rules | Parsers | DS Models | Reports | Feeds
Powered by RSA Research, Incident Response & Engineering

OPERATIONALIZE INTELLIGENCE: take advantage of what others have already found and apply it against your current and historical data.
1. Gathers advanced threat intelligence and content
2. Aggregates & consolidates data
3. Automatically distributes correlation rules, blacklists, parsers, views, feeds
Exceeding SIEM Requirements: Out-of-the-Box content

Log & Network Mgmt.
• Logs, packets, NetFlow & endpoint together
• Visibility far beyond logs
• 375+ log & network parsers / event sources

Event Correlation
• 275+ out-of-the-box correlation rules

Incident Response
• Native, prioritized incident triage
• Wider SOC management capabilities

Compliance & Reporting
• 90+ report templates
• Integration with compliance management program
Incident Detection

Correlation across logs, packets, NetFlow and endpoint data, separately or together.
Discover attacks missed by other tools.
Real-time detection, e.g. detecting a PDF containing an executable, followed by encrypted traffic to a blacklisted country.
“Standard SIEM” Use Case with RSA Security Analytics
• Compliance
  User activity, login/logout, ..
• Security Alert
  Failed login followed by successful login, ..
“Advanced SIEM” Use Case with RSA Security Analytics
• Threat Intelligence
  Malware, Trojan, ..
• Botnet
  Internal infected workstation, ..
• GeoIP
  Source and destination country, suspicious country, ..
• Advanced Persistent Threat
  Command & Control, data exfiltration, ..
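The use cases above and the Incident Detection slide both describe the same detection pattern: event A followed by event B on the same entity within a time window (a failed login followed by a successful login for one user; a PDF carrying an executable followed by encrypted traffic from the same host to a blacklisted country). The Python below is an added illustration of that sequence-correlation logic, not code from RSA Security Analytics or from this presentation. Event types, field names, the time windows, the sample events and the blacklisted country code "ZZ" are all constructed for the example.

```python
"""Sequence correlation over constructed events (added illustration, not RSA code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str               # constructed: "log" or "packet"
    kind: str                 # constructed event type, e.g. "login_failed"
    fields: Dict[str, str]    # constructed attributes (user, host, dst_country, ...)


@dataclass(frozen=True)
class SequenceRule:
    """A 'first' event followed by a 'second' event on the same key within 'window'."""
    name: str
    first: Callable[[Event], bool]
    second: Callable[[Event], bool]
    key: Callable[[Event], Optional[str]]   # entity linking the two events (user, host)
    window: timedelta


def correlate(events: List[Event], rule: SequenceRule) -> List[dict]:
    """Return one alert per 'second' event that is preceded, on the same key, by a
    'first' event within the rule's window. The batch is sorted by time here; the
    same loop works unchanged over a time-ordered stream."""
    pending: Dict[str, datetime] = {}     # key -> time of the latest precursor
    alerts: List[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        k = rule.key(ev)
        if k is None:                     # event carries no linking entity for this rule
            continue
        if rule.second(ev):
            t0 = pending.get(k)
            if t0 is not None and ev.ts - t0 <= rule.window:
                alerts.append({"rule": rule.name, "key": k,
                               "gap_seconds": int((ev.ts - t0).total_seconds())})
                del pending[k]            # each precursor fires at most once
        if rule.first(ev):
            pending[k] = ev.ts            # a later precursor supersedes an earlier one
    return alerts


BLACKLISTED_COUNTRIES = {"ZZ"}            # constructed placeholder list

FAILED_THEN_SUCCESS = SequenceRule(
    name="failed login followed by successful login",
    first=lambda e: e.kind == "login_failed",
    second=lambda e: e.kind == "login_success",
    key=lambda e: e.fields.get("user"),
    window=timedelta(minutes=10),         # constructed window
)

PDF_EXE_THEN_ENCRYPTED = SequenceRule(
    name="PDF with embedded executable followed by encrypted traffic to blacklisted country",
    first=lambda e: e.kind == "file_seen" and e.fields.get("type") == "pdf"
    and e.fields.get("embedded") == "exe",
    second=lambda e: e.kind == "session" and e.fields.get("encrypted") == "yes"
    and e.fields.get("dst_country") in BLACKLISTED_COUNTRIES,
    key=lambda e: e.fields.get("host"),
    window=timedelta(minutes=30),         # constructed window
)

# Constructed sample events mixing log and packet sources.
T0 = datetime(2016, 2, 17, 9, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "log", "login_failed", {"user": "alice", "src": "10.0.0.5"}),
    Event(T0 + timedelta(minutes=1), "log", "login_failed", {"user": "alice", "src": "10.0.0.5"}),
    Event(T0 + timedelta(minutes=2), "log", "login_success", {"user": "alice", "src": "10.0.0.5"}),
    Event(T0 + timedelta(minutes=3), "log", "login_success", {"user": "bob", "src": "10.0.0.9"}),  # no failure before it
    Event(T0 + timedelta(minutes=5), "packet", "file_seen", {"host": "10.0.0.5", "type": "pdf", "embedded": "exe"}),
    Event(T0 + timedelta(minutes=6), "packet", "session", {"host": "10.0.0.5", "encrypted": "yes", "dst_country": "US"}),  # not blacklisted
    Event(T0 + timedelta(minutes=9), "packet", "session", {"host": "10.0.0.5", "encrypted": "yes", "dst_country": "ZZ"}),
    Event(T0 + timedelta(minutes=40), "packet", "session", {"host": "10.0.0.9", "encrypted": "yes", "dst_country": "ZZ"}),  # no PDF before it
    Event(T0 + timedelta(minutes=60), "log", "login_failed", {"user": "carol", "src": "10.0.0.7"}),
    Event(T0 + timedelta(minutes=80), "log", "login_success", {"user": "carol", "src": "10.0.0.7"}),  # outside the 10-minute window
]


def run_all(events: List[Event] = SAMPLE_EVENTS) -> List[dict]:
    """Apply every rule to the event set and return the combined alerts."""
    return [a for rule in (FAILED_THEN_SUCCESS, PDF_EXE_THEN_ENCRYPTED) for a in correlate(events, rule)]


if __name__ == "__main__":
    for alert in run_all():
        print(alert)
```

Run as a script, it raises exactly two alerts: one for alice (the success 60 seconds after her latest failure) and one for host 10.0.0.5 (the encrypted session to "ZZ" four minutes after the PDF). bob's success, carol's late success, the session to a non-blacklisted country and the session from a host that never saw the PDF all stay silent, which is the point of keying and windowing the correlation rather than alerting on each event alone.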
Native Incident Management: prioritized action

[Diagram: LOGS, PACKETS, ENDPOINT and NETFLOW data, on-prem and cloud, enriched by LIVE, flow into Alerts, Investigation, Workflow and GRC as unified incidents & workflow.]
Benefits
• Detect and analyze before attacks impact the business
• Investigate, prioritize, and remediate incidents
• Unleash the potential of your existing security team
• Evolve existing tools with better visibility & workflow
Security Attacks are Inevitable

Constant compromise does not mean constant loss.
You must be ARMED to quickly identify and respond to attacks before they can damage the business.
EMC, RSA, the EMC logo and the RSA logo are trademarks of EMC Corporation in the U.S. and other countries.
See Everything. Fear Nothing.