Operationalizing the Three Principles of Advanced Threat Detection
SESSION ID: SDS2-R08
ZULFIKAR RAMZAN, PH.D
Chief Technology Officer
RSA
@zulfikar_ramzan
#RSAC
Dealing with Traffic Congestion
Singapore: major traffic congestion pre-1975; introduced fixed manual road pricing.
Initial success, but a new variable electronic road pricing (ERP) program was introduced in 1998.
The new ERP program was very successful in further reducing traffic. What explains its success?
Sunk cost fallacy (behavioral economics): We should make decisions based on future value; instead our reasoning is overly tainted by past investments. (Relevant to security!)
Why Organizations Struggle
Threat actors evolve: attacks only get better; groups are organized, and attacks go unnoticed until it's too late; incidents have increasing financial impact.
There's too much noise: incidents are hidden in a massive amount of normal activity; the rate of attacks overwhelms analysts; scattered data hurts efficient investigations and limits agility to assess the complete scope of an incident.
Experts are hard to find: expertise is limited; keeping abreast of the latest threats is challenging.
Why Intrusions Are Successful
Attacks are targeted (e.g., via repeated use of polymorphism and metamorphism); macro-distribution has been supplanted by micro-distribution.
Powerful attack toolkits are available with tiered pricing and 24x7 customer support. The ecosystem for buying and selling tools and cybercriminal services democratizes advanced attacks.
Stages of an Attack
Recon: scanning, social network analysis
Initial Entry: spear phish, waterhole, web app vuln, removable media, CVEs, 0-days
Persist: privilege escalation, finding run keys, modifying scripts
Install Tools: web shells, dropped secondary malware
Move Laterally: pass the hash, pass the ticket, RDP, CVEs, remote services
Collect, Exfil, Exploit: one or more hops, drop zones, data destruction / manipulation
Today's Threats: Where to Focus
1 TARGETED: specific objective
2 STEALTHY: low and slow
3 INTERACTIVE: human involvement
[Timeline figure: Attack Begins, System Intrusion, Leap Frog, Cover-Up, Discovery, Attack Identified, Cover-Up, Attacks Complete; the intervals labeled Dwell Time and Response Time]
Goals: 1 Decrease dwell time; 2 Speed response time.
Three Strategic Pillars
1 Analytics
2 Identity
3 Risk
Visibility is the foundation for mitigating the risk of today's threats
"If you really want to protect your network, you really have to know your network. You have to know the devices, the security technologies, and the things inside it."
-Rob Joyce, NSA TAO Chief, Usenix Enigma 2016
Key Visibility Points
Logs
Netflow
Packets
Endpoints
Cloud
Identities
Operationalize Visibility Through Analytics
Visibility alone leads to alert fatigue; analytics is necessary for operationalizing visibility.
1. Pre-process data: extract metadata and organize into chunks
2. Group alerts, since the same campaign can generate multiple alerts
3. Pivot between different visibility points (e.g., from network to endpoint)
4. Surface important events through analytics to simplify analyst tasks
5. Prioritize alerts through asset categorization
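The five analytics steps above, worked through as an added example that is not part of the original deck: constructed alerts from a network and an endpoint sensor are pre-processed, grouped into campaigns by shared identity and time window, annotated with the visibility points they span (the network-to-endpoint pivot), and prioritized by an assumed asset-criticality inventory. All field names, hosts, signatures and tiers are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample alerts from two visibility points (network, endpoint).
# Field names, hosts and signatures are assumptions made for this example.
ALERTS = [
    {"id": 1, "src": "network", "host": "web-01", "user": "svc_web",
     "ts": "2016-02-29T10:00:00", "sig": "SQLi pattern in URI"},
    {"id": 2, "src": "network", "host": "web-01", "user": "svc_web",
     "ts": "2016-02-29T10:02:00", "sig": "SQLi pattern in URI"},
    {"id": 3, "src": "endpoint", "host": "web-01", "user": "svc_web",
     "ts": "2016-02-29T10:05:00", "sig": "new file in webroot executed"},
    {"id": 4, "src": "network", "host": "kiosk-07", "user": "guest",
     "ts": "2016-02-29T10:06:00", "sig": "port scan"},
    {"id": 5, "src": "endpoint", "host": "dc-01", "user": "svc_web",
     "ts": "2016-02-29T10:20:00", "sig": "RDP logon from web-01"},
]
# Asset categorization from an assumed inventory: higher tier = more critical.
ASSET_TIER = {"dc-01": 3, "web-01": 2, "kiosk-07": 0}
UNKNOWN_TIER = 1  # hosts missing from inventory are a blind spot, not low risk

def preprocess(alerts):
    """Step 1: extract the metadata later steps key on (parsed, ordered timestamps)."""
    return sorted(({**a, "ts": datetime.fromisoformat(a["ts"])} for a in alerts),
                  key=lambda a: a["ts"])

def group_campaigns(alerts, window=timedelta(minutes=30)):
    """Step 2: one campaign generates many alerts. Alerts that share an identity
    and arrive within `window` of each other form one group, whatever the source."""
    groups, open_group = [], {}
    for a in preprocess(alerts):
        g = open_group.get(a["user"])
        if g is None or a["ts"] - g[-1]["ts"] > window:
            g = []
            groups.append(g)
            open_group[a["user"]] = g
        g.append(a)
    return groups

def summarize(group):
    """Steps 3-5: note which visibility points the group spans (the network-to-
    endpoint pivot), and score it by the most critical asset it touches."""
    hosts = sorted({a["host"] for a in group})
    return {"user": group[0]["user"], "alerts": [a["id"] for a in group],
            "sources": sorted({a["src"] for a in group}), "hosts": hosts,
            "priority": max(ASSET_TIER.get(h, UNKNOWN_TIER) for h in hosts)}

def triage(alerts):
    """Surface one line per campaign, most critical asset first."""
    return sorted((summarize(g) for g in group_campaigns(alerts)),
                  key=lambda s: s["priority"], reverse=True)
```

Calling triage(ALERTS) collapses the five alerts into two campaign lines: the svc_web activity spanning web-01 and dc-01 across both sensors ranks first because it reaches the tier-3 asset, while the isolated kiosk scan ranks last.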
Identity as a Foundation of Security
Identity is foundational and will matter even more as the threat landscape evolves.
Security is about ensuring that only the right people have access to the right resources at the right times and use them in the right ways.
Enterprise Identity Crisis
As mobile devices and cloud services proliferate, identity becomes the new perimeter.
88% of organizations using cloud services, or planning to use cloud services in the near future, have a cloud-first strategy. (Gartner)
Organizations have legacy identity architectures and islands of identity.
25% of IT professionals said their orgs have multiple identity repositories, so it's difficult to get a complete understanding of user & access privileges. (ESG)
The security team neither designed nor owns the identity infrastructure.
23% of IT and cybersecurity professionals say their IAM infrastructure was really built for user convenience and not strong security. (ESG)
Malware Reality Check
Advanced breaches don't have to involve malware: SQL Injection -> Web Shell -> RDP
Advanced breaches can be very simple, e.g., credential theft
Every breach involves co-opting of identity (authentication isn't the same as identity assurance)
Identity is More Than Authentication
Governance
Access / Auth
Lifecycle
Assurance
Embrace and own your risk
Physical risk
Financial risk
Operational risk
Currency fluctuation risk
IT Security risk
Regulatory risk
Supply chain risk
Tying the Pieces Together
◁ BUSINESS ... TECHNOLOGY ▷
CEO / BOARD • CCO • CIO • CISO • CIRC / SOC / IDENTITY TEAM • INDIVIDUAL
Risk: At a business level, orgs want to mitigate risk; risk is multifaceted (financial risk, physical risk, operational risk, etc.). IT security risk is the most prominent and least understood aspect of organizational risk. Security is a CEO / Board discussion, and CISOs & CIOs must translate low-level concepts into the language of risk. Assessing IT security risk requires measuring your environment, which requires visibility & analytics (you can't measure what you can't see).
Visibility & analytics: Visibility is multifaceted; visibility + analytics enables proactive hunting, attack scoping, establishing normal patterns, and identifying misuse. The most consequential attack vector, requiring the deepest visibility, is identity.
Identity: There is no more perimeter, just islands of identity. Security is fundamentally about ensuring that only the right people can access the right resources at the right times and do the right things with them. Achieving that requires a robust notion of identity.
Shift Priorities and Capabilities
How we spend: Prevention 80%, Monitoring 15%, Response 5%
How we should spend: Prevention 33%, Monitoring 33%, Response 33%
The Revised Operational Roadmap
Security Operations / Governance, Risk, Compliance
Threat Intel
Visibility points: Logs, Netflow, Packets, Endpoint, Cloud, Identity
Application: Short Term
Review your security budget allocation: are you overspending on prevention relative to detection and response?
Identify what blind spots you have across your IT assets and whether those blind spots represent critical assets.
Application: Medium Term
Determine which identity-related use cases you control.
Identify, more thoroughly, what assets are the most critical (and develop a regular cadence for reviewing and prioritizing those assets).
Takeaways
1. Pervasive visibility is foundational for addressing today's threats; operationalizing visibility requires analytics.
2. A comprehensive identity strategy must be part of your overall security strategy, with clear lines of ownership and responsibility.
3. Security is becoming recognized as a business problem; addressing boards and executives requires the language of risk, which you must embrace and own.