Talk from Amit Yoran of EMC/RSA.
Where SOC in the title refers to Security Operations Centre.
Everything is evolving;
– Organisations are evolving and changing rapidly – cloud, BYOD, new systems, new devices, new operating systems, new regulations
– Data is evolving rapidly – explosive data growth, big data
– Threats are evolving rapidly, with actors ranging from petty criminals to organised crime to terrorists to anti-establishment vigilantes (think Anonymous – hacktivists) to nation states.
Existing security systems are ineffective;
– Signature based – from AV to anti-spam to firewalls to IPS tends to look for known things and behaviours (signatures)
– Perimeter orientated – Firewalls, IDS / IPS, router security etc. still make up much of the focus, yet organisations are becoming more and more porous or boundary-less.
– Compliance driven – often at the expense of ‘real’ security and risk management.
Detection time is poor – many attacks go undetected for far too long. How do we reduce this attacker free time, or dwell time?
Focus needs to shift from ‘I will stop breaches’ to ‘I will be breached, so how do I manage this and prevent / minimise the damage?’
He identified four impediments to changing the current situation;
– Information deluge – too much information
– Budget dilemma – so much hype and marketing, what do I spend limited budget on?
– Cyber security talent – what talent do I have in my organisation, how do I leverage it, and how do I scale the reach of the limited number of very talented people so they work for the whole organisation?
– Macro situational awareness – how aware am I of my organisation, and of its wider operating environment?
So what can we do?
SIEM (Security Information and Event Management) has been a good start, but has limited ability to deal with the complex, multi-faceted attacks of today. Separating bad from good has become an increasingly difficult problem.
How do we understand what ‘good’ looks like? This is much more complex than asking whether a login is valid: ‘bad’ may be a complex set of apparently authorised transactions that look very similar to ‘good’ activity.
Traditional SIEM is not enough –
– Cannot detect lateral movement of attacks, or covert characteristics of advanced attack tools
– Cannot fully investigate exfiltration or sabotage of critical data
– Issues with scaling to collect, sort, and analyse large enough data volumes
Need better security analytics!
Incident response lessons learned;
– Stop doing things that provide little value
– Focus on securing the most important material assets to the enterprise and understand their risk exposure from people to processes to systems to data
– Obtain a deeper visibility into what is happening on the network and what is known about the organisation and its users
– Collaborate in real time with others more effectively and gain actionable intelligence
– Measure performance across some established methodology or continuum (success, failure, compliance etc.) – but make them valid and don’t tune behaviour just to do well on the ‘test’!
Security operations require;
– Comprehensive visibility
– Agile analytics
– Actionable intelligence
– Optimised incident management
How do we improve understanding and analytics?
– Security Analytics Warehouse
Scalable, centralised data warehouse for long-term data retention and deep intense analysis.
Visibility of – Logs, network data, raw content, reassembled content, enterprise events, enterprise data, flow, structured and unstructured data, host telemetry…
This must be backed with a powerful analytics engine to enable complex searches and analysis on these varied and large data sets.
This is a step beyond traditional logging / SIEM platforms.
This allows a move to ‘active defence’, giving the user the ability to take action or to automatically remediate common cases. It turns a passive system into an active one, largely using existing infrastructure, and in turn fuels actionable and effective workflows for the SOC.
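As an added illustration (not from the talk, and not RSA’s code) of the kind of analytic such a warehouse enables but a per-event SIEM rule does not: every logon in the constructed sample below is individually valid and successful, and only the number of distinct hosts one user reaches within a short window stands out. Field names, hosts and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon records (not real data): time, user, source and destination host.
# Each line on its own is a valid, successful logon; only alice's burst is unusual.
SAMPLE_LOG = """\
2013-04-08T09:00:05 user=alice src=ws-041 dst=fileserver-1 result=success
2013-04-08T09:01:10 user=bob src=ws-112 dst=mail-1 result=success
2013-04-08T09:02:30 user=alice src=ws-041 dst=hr-db result=success
2013-04-08T09:03:15 user=alice src=ws-041 dst=fin-app result=success
2013-04-08T09:04:50 user=alice src=ws-041 dst=backup-2 result=success
2013-04-08T09:05:20 user=alice src=ws-041 dst=dc-01 result=success
2013-04-08T13:30:00 user=bob src=ws-112 dst=fileserver-1 result=success
2013-04-08T16:45:00 user=bob src=ws-112 dst=print-1 result=success
"""

def parse_logon(line):
    """Parse one record into (timestamp, user, src, dst); None for non-successes."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    if kv.get("result") != "success":
        return None
    return datetime.fromisoformat(ts_text), kv["user"], kv["src"], kv["dst"]

def find_fanout(log_text, window=timedelta(minutes=10), min_hosts=4):
    """Flag users who reach at least min_hosts distinct destinations inside one
    window. Returns {user: sorted destination hosts} for each flagged user."""
    per_user = defaultdict(list)          # user -> [(timestamp, dst), ...]
    for line in log_text.splitlines():
        rec = parse_logon(line)
        if rec:
            ts, user, _src, dst = rec
            per_user[user].append((ts, dst))
    findings = {}
    for user, events in per_user.items():
        events.sort()                     # chronological, so windows are contiguous
        for i, (start, _) in enumerate(events):
            hosts = {d for t, d in events[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                findings[user] = sorted(hosts)
                break                     # one finding per user is enough
    return findings

if __name__ == "__main__":
    for user, hosts in find_fanout(SAMPLE_LOG).items():
        print(f"{user}: {len(hosts)} hosts within 10 min -> {hosts}")
```

The same query is only possible when logons from every host are retained centrally for the whole window, which is the point of the warehouse over per-device logging.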
Interestingly this talk links back to those on SOA and big data from the service technology symposium, as both identify the need to manage and analyse big data in real time, or as near to real time as possible. These points highlight how entirely disparate areas, in this case SOA / development and security, can have similar needs and come to the same conclusions. Being able to meet the needs of your systems and application teams as well as your security team may help get your log correlation and analysis project approved. Another reason for understanding your wider business teams and environment!
Also, kudos to the presenter for remaining very vendor neutral despite working for RSA / EMC: there were hints of their products, but none were named and there was no sales pitch.