FOCUS Recap 2015 - Sander

Page 1: FOCUS Recap 2015 - Sander

Golden Hour

“Time to react !”

Page 2: FOCUS Recap 2015 - Sander

The challenge…

Detect and remediate threats quickly to minimize the effect on your organization.

Source: Verizon DBIR 2015

Average time to resolution: 32 DAYS

Average cost per day: $32,469

Timeline (figure): Attack, Compromise, Discovery, Containment; the scale runs from hours to weeks to months.

Page 3: FOCUS Recap 2015 - Sander

Minimize loss by situational awareness

Timeline (figure): Attack initiated; irregularity undetected; breach impact (data, financial, reputation) grows with attack time.

Again, detect and remediate threats quickly before the costs explode over time.

Page 4: FOCUS Recap 2015 - Sander

Minimize loss by situational awareness

Timeline (figure): Attack initiated; detected in real time; irregularity verified; escalated; ✔ threat mitigated; breach impact: minimal or no loss.

Again, detect and remediate threats quickly before the costs explode over time. The managed security service detects threats designed to evade companies' defensive capabilities.

Page 5: FOCUS Recap 2015 - Sander

The value of stolen data

Credit cards and other payment information: the most common stolen data

+ date of birth, billing address and/or U/P

- login credentials for payment accounts

- logins for premium content (online/TV)

- access to companies

- personalised data (e-mail and/or zombie PC)

Source: https://blogs.mcafee.com/executive-perspectives/customer-data-worth/#sf15096012 (vision of Intel Security CTO Raj Samani)

Page 6: FOCUS Recap 2015 - Sander

Information and exploit trading

Page 7: FOCUS Recap 2015 - Sander

Page 8: FOCUS Recap 2015 - Sander

Page 9: FOCUS Recap 2015 - Sander

Page 10: FOCUS Recap 2015 - Sander

Minimize loss by situational awareness

“Situational awareness involves being aware of what is happening in the vicinity to understand how information, events, and one's own actions will impact goals and objectives, both immediately and in the near future.”

Page 11: FOCUS Recap 2015 - Sander

Minimize loss by situational awareness

Aware: being conscious of

Happening: what is going on

Vicinity: in, from and towards your surroundings

Understand: to grasp, to have knowledge

Impact: consequences

Immediately: now, real time, always

Near future: soon, real time, always

Page 12: FOCUS Recap 2015 - Sander

The ‘Kill Chain’

‘The steps of an attacker’

Attack Scenarios - understanding attacks in order to respond

Mitigation Scenarios - applying the right security measures

Detection scenarios – ‘connecting the dots’

Understanding the Kill Chain can lead to a better “Security Posture”

Start

Step 1: Reconnaissance

Step 2: Weaponization

Step 3: Delivery

Step 4: Exploitation

Step 5: Installation

Step 6: Command and Control

Step 7: Act on Objectives
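The ‘connecting the dots’ detection scenario above, as an added example that is not part of the presentation and not DearBytes' tooling: a toy SIEM-style correlator that tags each normalized log event with the kill-chain step it hints at and then raises one alert per host when several steps appear in chain order within a short window. The seven stage names come from the slide; the event format, the tagging rules and the sample events are constructed for this illustration.

```python
"""Connecting the dots across Kill Chain stages (added example).

A toy SIEM-style correlator: each normalized log event is tagged with the
kill-chain step it hints at, then events are grouped per host and an
alert is raised when several steps show up in chain order within a short
window. Stage names are the seven steps from the slide; the event format,
the tagging rules and the sample events are constructed for this example.
"""
from datetime import datetime, timedelta

KILL_CHAIN = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Act on Objectives",
]

# Constructed sample events from a hypothetical normalized log feed.
SAMPLE_EVENTS = [
    {"ts": "2015-10-05T09:00:00", "host": "ws-017", "type": "mail",
     "detail": "attachment invoice.doc.exe received"},
    {"ts": "2015-10-05T09:02:10", "host": "ws-017", "type": "process",
     "detail": "winword.exe spawned powershell.exe"},
    {"ts": "2015-10-05T09:02:40", "host": "ws-017", "type": "registry",
     "detail": "Run key added: updater"},
    {"ts": "2015-10-05T09:05:00", "host": "ws-017", "type": "dns",
     "detail": "beacon to unknown-domain.example every 60s"},
    {"ts": "2015-10-05T09:40:00", "host": "ws-042", "type": "dns",
     "detail": "beacon to unknown-domain.example every 60s"},
    {"ts": "2015-10-06T11:00:00", "host": "ws-042", "type": "mail",
     "detail": "attachment report.pdf received"},
]

# Tagging rules (constructed): (event type, substring in detail) -> stage.
STAGE_RULES = [
    ("mail", ".exe", "Delivery"),
    ("process", "winword.exe spawned", "Exploitation"),
    ("registry", "Run key added", "Installation"),
    ("dns", "beacon", "Command and Control"),
]


def tag_stage(event):
    """Return the kill-chain stage an event hints at, or None if no rule matches."""
    for etype, needle, stage in STAGE_RULES:
        if event["type"] == etype and needle in event["detail"]:
            return stage
    return None


def connect_the_dots(events, window=timedelta(hours=1), min_stages=3):
    """Return one alert per host on which at least `min_stages` distinct
    kill-chain stages appear, in chain order, within `window`.

    A lone beacon (one dot) stays below the threshold; the same beacon
    preceded by delivery, exploitation and installation on one host is
    the connected picture an analyst wants to see.
    """
    per_host = {}
    for ev in events:
        stage = tag_stage(ev)
        if stage is None:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        per_host.setdefault(ev["host"], []).append((ts, stage))

    alerts = []
    for host, hits in per_host.items():
        hits.sort()
        for start, (t0, _) in enumerate(hits):
            chain, last_idx = [], -1
            for t, stage in hits[start:]:
                if t - t0 > window:
                    break
                idx = KILL_CHAIN.index(stage)
                if idx > last_idx:      # only count forward progress along the chain
                    chain.append(stage)
                    last_idx = idx
            if len(chain) >= min_stages:
                alerts.append({"host": host, "first_seen": t0.isoformat(),
                               "stages": chain})
                break                   # one alert per host is enough
    return alerts


if __name__ == "__main__":
    for alert in connect_the_dots(SAMPLE_EVENTS):
        print(alert)
```

Run as-is, the correlator reports ws-017 (four stages within five minutes) and stays quiet about ws-042, whose single beacon is one dot rather than a chain; lowering `min_stages` or widening `window` trades fewer missed chains for more noise, which is the tuning decision a SOC makes per customer.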

Page 13: FOCUS Recap 2015 - Sander

Page 14: FOCUS Recap 2015 - Sander

DearBytes

Managed Security Services

Page 15: FOCUS Recap 2015 - Sander

Page 16: FOCUS Recap 2015 - Sander

Business drivers for security monitoring

“I don’t know what is going on within my infrastructure, but I should”

“Our customer data is highly confidential”

“Trust is of the utmost importance to our customers”

“We have been hacked / I don’t want to get hacked”

“…ICT business drivers….”

“We are working on our PCI compliance”

“We are working on our SOX compliance”

“We are working on our … compliance”

Page 17: FOCUS Recap 2015 - Sander

Key objectives of SIEM security monitoring

1. Identify threats and detect possible breaches

2. Collect audit logs for security and compliance

3. Conduct investigations and provide evidence

4. Hunt for the needles in the haystack

Page 18: FOCUS Recap 2015 - Sander

Eyes and ears on your infrastructure

Provides unprecedented insight into the infrastructure and user behavior within your company

What assets are within my organization, what is their status and what are they up against? In the past, present and future.

Dashboard available for the customer

Page 19: FOCUS Recap 2015 - Sander

‘Be in control’: stages of the SIEM maturity process

Anticipate

Prevent

Detect

Respond

Correct

Page 20: FOCUS Recap 2015 - Sander

Productivity gains

Stand-alone solution

Also supports cloud and/or BYOD

Users/administrators don’t experience production loss in their environment

Provides in-depth knowledge of (bandwidth) usage across the various network segments

Optimizes the protective measures, reducing the reactive tasks of system administrators

Able to handle actionable intelligence based on STIX/TAXII

Can generate input for ‘Active Response’

Page 21: FOCUS Recap 2015 - Sander

(Digital) fraud resilience

(Pro)actively interact with security administration

Involve MERT quickly and effectively

Forensic readiness through centralized data retention

Providing evidence in case of court proceedings

Connecting the dots and filling the gaps between core infrastructural components, security products/functionality, system data and actionable intel

Holistic approach combining policy-based verification with technology-driven detection

Page 22: FOCUS Recap 2015 - Sander

Key elements SOC (figure: R, P, E, M, I)

Routine

Products

Expertise

Manpower

Intelligence

Page 23: FOCUS Recap 2015 - Sander

Expert Security Analysts

Observing your infrastructure 24x7

Available daily, also evenings/nights/weekends

Four eyes on screen

Log, system and network forensics skill set

Latest cyber threat research

Neutral 3rd party

Regular meetings with your personal security analyst to discuss incidents, trends and security highlights

Page 24: FOCUS Recap 2015 - Sander

Page 25: FOCUS Recap 2015 - Sander

Building a more mature security posture

Optimizing preventive measures and/or spotting the gaps within them to take appropriate countermeasures

Defending current security budgets or creating new ones by analyzing tactical and strategic trends

Page 26: FOCUS Recap 2015 - Sander

Helps with compliance objectives

Having detection controls in place ticks a box in itself

Centralized tamper-proof log vault

Dashboard/reporting functionality is used by some customers for compliance
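The slide names a centralized tamper-proof log vault and, earlier, forensic readiness through centralized retention and providing evidence in court, without saying how tamper evidence is achieved. As an added example, not DearBytes' implementation, the block below shows one standard way: a keyed hash chain in which every stored record carries an HMAC over its index, the previous record's tag and the log line, so a rewritten, deleted or reordered line breaks every later link and the chain cannot be recomputed without the vault's key. The `LogVault` class, the key and the sample log lines are all constructed for this demonstration.

```python
"""Tamper-evident central log vault (added example).

The slide only states that the log vault is centralized and tamper-proof;
this is one way to obtain tamper evidence, not DearBytes' implementation.
Every appended record carries an HMAC over (index, previous record's tag,
log line), so rewriting, deleting or reordering a line breaks the chain
from that point on, and without the vault's key the chain cannot be
recomputed. The key and the log lines below are constructed for the demo.
"""
import hashlib
import hmac

GENESIS = "0" * 64   # tag assumed to precede the first record


class LogVault:
    def __init__(self, key: bytes):
        self._key = key       # held by the SOC, never on the log sources
        self.records = []     # list of (index, prev_tag, line, tag)

    def _tag(self, index, prev_tag, line):
        msg = f"{index}|{prev_tag}|{line}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def append(self, line):
        """Append one log line, linking it to the previous record's tag."""
        index = len(self.records)
        prev_tag = self.records[-1][3] if self.records else GENESIS
        tag = self._tag(index, prev_tag, line)
        self.records.append((index, prev_tag, line, tag))
        return tag

    def verify(self):
        """Walk the chain; return (True, None) or (False, first bad index)."""
        prev_tag = GENESIS
        for index, stored_prev, line, tag in self.records:
            if stored_prev != prev_tag:
                return False, index          # a link was removed or reordered
            if not hmac.compare_digest(tag, self._tag(index, prev_tag, line)):
                return False, index          # the line or its tag was altered
            prev_tag = tag
        return True, None


# Constructed sample log lines.
SAMPLE_LINES = [
    "sshd[4121]: Accepted password for admin from 203.0.113.7 port 51522",
    "sudo: admin : TTY=pts/0 ; COMMAND=/usr/bin/tar czf /tmp/db.tgz /var/lib/db",
    "sshd[4121]: Disconnected from 203.0.113.7",
]


def build_vault():
    """Constructed demo key; a real deployment keeps the key off the log sources."""
    vault = LogVault(key=b"constructed-demo-key-do-not-reuse")
    for line in SAMPLE_LINES:
        vault.append(line)
    return vault


def detect_rewrite():
    """Someone with write access to the store rewrites record 1 but cannot re-tag it."""
    vault = build_vault()
    ok_before, _ = vault.verify()
    index, prev_tag, _, tag = vault.records[1]
    vault.records[1] = (index, prev_tag, "sudo: admin : TTY=pts/0 ; COMMAND=/bin/ls", tag)
    ok_after, bad_index = vault.verify()
    return ok_before, ok_after, bad_index


def detect_deletion():
    """Dropping record 1 breaks the previous-tag link stored in record 2."""
    vault = build_vault()
    del vault.records[1]
    return vault.verify()


if __name__ == "__main__":
    print(detect_rewrite())    # (True, False, 1)
    print(detect_deletion())   # (False, 2)
```

For evidence purposes the verification walk is what an analyst repeats before handing records to a court: an intact chain shows the retained lines are the lines that were ingested, and a failing index pinpoints where the record set was changed.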

Page 27: FOCUS Recap 2015 - Sander

Incident reporting

Within 30 minutes you are alerted, 24x7

Mitigation tactics

Root cause analysis

Involved assets

Technical details

Page 28: FOCUS Recap 2015 - Sander

Reporting functionality

Summary and recommendations

Actionable reporting of true positives only

General indication of the security level

Incident and event statistics

Trend analysis of the most common attacks

Compliance reports (SOX, PCI, FISMA, GLBA, HIPAA)

Page 29: FOCUS Recap 2015 - Sander

Questions?