Welcome -...

Post on 27-Jun-2018


Transcript of Welcome -...

© Copyright 2015 EMC Corporation. All rights reserved.

Welcome!


Security 2.0: Secure Deployment and Monitoring of Mobility and Cloud Scenarios with RSA

24 September 2015

Volker Strecke

Tel. 089 93099 140

volker.strecke@arrow.com

rsa@arrowecs.de


Cyber Threats

Photos: Volker Strecke

State-sponsored and economically motivated attacks (critical infrastructure, defense, financial institutions, industry, ...)

• Designer malware aimed at end users (spear-phishing attacks)

• Covert network attacks, beaconing and obfuscated network traffic

• Slow, incremental data exfiltration

• Changing encryption methods

Organized criminal groups

• Planting malicious code in point-of-sale systems, payment-transfer processes and ATMs

• Infiltration of data-transfer systems in critical infrastructure

• Data theft at the application, database and middleware layers, including "personal information" and other "key" assets
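Two of the behaviours listed above, periodic beaconing and slow chunked exfiltration, can be surfaced from flow records alone, without signatures. The following is an added example written for this page, not RSA code and not part of the original slides: the flow records, the hosts and addresses (RFC 5737 documentation ranges) and every threshold are constructed for illustration. A beacon shows up as a near-constant inter-arrival time between one source and one destination; slow exfiltration shows up as many individually small outbound sessions that add up to a large volume inside one window.

```python
"""Detect beaconing and slow exfiltration in flow records.

Added example; not RSA code. The flow records, IPs and thresholds are
constructed for illustration (RFC 5737 documentation addresses).
"""
from collections import defaultdict
from random import Random
from statistics import mean, pstdev

BASE = 1_443_000_000  # epoch seconds, constructed start time


def constructed_flows():
    """Return (timestamp, src, dst, bytes_out) tuples for three behaviours."""
    flows = []
    # 1) Beacon: 10.1.2.17 calls 203.0.113.5 every ~300 s with a tiny payload.
    for i in range(12):
        flows.append((BASE + i * 300 + (i % 3), "10.1.2.17", "203.0.113.5", 180))
    # 2) Slow exfiltration: 10.1.2.22 pushes 48 chunks of 40 KB at irregular gaps.
    rng = Random(7)  # fixed seed so the example is reproducible
    t = BASE
    for _ in range(48):
        t += rng.randint(200, 2000)
        flows.append((t, "10.1.2.22", "198.51.100.9", 40_000))
    # 3) Ordinary browsing: bursty timing, varied sizes.
    for i, gap in enumerate([0, 3, 5, 70, 72, 900, 903, 4000, 4001, 4002]):
        flows.append((BASE + gap, "10.1.2.30", "192.0.2.44", 1_500 + 700 * i))
    return flows


def group_by_pair(flows):
    """Map (src, dst) -> time-sorted list of (timestamp, bytes_out)."""
    pairs = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        pairs[(src, dst)].append((ts, nbytes))
    for sessions in pairs.values():
        sessions.sort()
    return pairs


def beacon_score(sessions, min_sessions=8):
    """Coefficient of variation of inter-arrival gaps; None if too few sessions.

    A value near 0 means near-perfectly periodic connections, which is what a
    malware beacon looks like; human-driven traffic is bursty and scores high.
    """
    if len(sessions) < min_sessions:
        return None
    gaps = [b[0] - a[0] for a, b in zip(sessions, sessions[1:])]
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg > 0 else None


def find_beacons(flows, max_cv=0.1, min_sessions=8):
    """Return [((src, dst), cv)] for pairs whose timing is regular enough."""
    hits = []
    for pair, sessions in group_by_pair(flows).items():
        cv = beacon_score(sessions, min_sessions)
        if cv is not None and cv <= max_cv:
            hits.append((pair, round(cv, 3)))
    return hits


def find_slow_exfil(flows, window_s=86_400, min_total=1_000_000,
                    max_session=65_536, min_sessions=20):
    """Return [((src, dst), bytes)] for pairs that move a large total volume
    outbound in many small sessions inside one window: each session stays
    under max_session, so no single transfer trips a size alarm."""
    hits = []
    for pair, sessions in group_by_pair(flows).items():
        start = 0
        for end in range(len(sessions)):
            while sessions[end][0] - sessions[start][0] > window_s:
                start += 1
            window = sessions[start:end + 1]
            total = sum(b for _, b in window)
            if (len(window) >= min_sessions and total >= min_total
                    and max(b for _, b in window) <= max_session):
                hits.append((pair, total))
                break  # one finding per pair is enough
    return hits


if __name__ == "__main__":
    flows = constructed_flows()
    print("beacons:", find_beacons(flows))
    print("slow exfil:", find_slow_exfil(flows))
```

The two detectors deliberately look at different things: the beacon check ignores volume and looks only at timing, the exfiltration check ignores timing and looks only at volume per window. Real beacons add jitter, so `max_cv` has to be tuned per environment; tightening it cuts false positives from NTP, monitoring agents and similar legitimately periodic clients, which are better handled with an allow list of known destinations.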


Cyber attacks are becoming more complex and more frequent

Source: 2014 Data Breach Investigations Report, Verizon RISK Team with the US Secret Service and the Dutch High Tech Crime Unit, April 2014, http://www.verizonenterprise.com/DBIR/2014/

83% of all companies noticed an intrusion (espionage) only after weeks, months or years, or not at all!


Cyber attacks are becoming more complex and more frequent - time to discovery

Source: 2015 Data Breach Investigations Report, Verizon RISK Team with the US Secret Service and the Dutch High Tech Crime Unit, April 2015, http://www.verizonenterprise.com/DBIR/2015/


Visibility, Analysis, Action in Context of Business & IT Risk

The Solution: Security 2.0 - Intelligence Driven Security


Information Security - Tasks

Advanced Security Operations: detecting and defending against cyber attacks

Identity & Data Protection / Identity Trust Management: managing access rights and identities

Fraud & Risk Intelligence: fighting online fraud and cybercrime

Governance, Risk & Compliance (GRC): understanding and managing enterprise risk


Information Security - Solutions

Advanced Security Operations: Security Analytics, ECAT, VRM, SecOps

Identity & Data Protection / Identity Trust Management: SecurID, Adaptive Authentication, Via

Fraud & Risk Intelligence: Web Threat Detection, Cyber Crime Intelligence, Anti Fraud Services

Governance, Risk & Compliance (GRC): Archer


Intelligence Driven Security in Action

Deployment: Cloud or On Prem

Layers: ANALYTICS (Threat, Fraud, Compliance, Identity) | IDENTITY & ACCESS | DATA | GOVERNANCE, RISK, & COMPLIANCE

Inputs: LOGS, PACKETS, NETFLOW, ENDPOINT, ID, VULNS, THREAT (INT & EXT)


RSA Solution Portfolio

IDENTITY & ACCESS

SecurID – Adaptive Authentication – Via (IMG)

MONITORING & ANALYTICS

Security Analytics – ECAT

Web Threat Detection – Fraud Action – Cyber Crime Intelligence

RSA Research

GOVERNANCE, RISK, & COMPLIANCE

Archer GRC


Monitoring & Analytics: Log Management (SIEM) | Network Packet Monitoring & Analysis | Endpoint Threat Detection | Web Session Intelligence | Threat Intelligence Services

© Volker Strecke


RSA ECAT (Enterprise Compromise Assessment Tool)

• Signature-less endpoint threat detection

• Deep endpoint visibility & real-time alerting

• Confirm infections quickly & respond with precision

Workflow: Scan -> Monitor & Alert -> Analyze -> Respond (Visibility, Analysis, Action)


How RSA ECAT Works

Agent

• Endpoints, servers, VMs

• Windows & Mac OS

• Monitors for suspicious activity

• Scans for a full system inventory: identifies all executables, DLLs, drivers, etc.

• Low system impact (2 MB on disk, 10-20 MB in memory)

ECAT Server

• Analyzes scan data & flags anomalies

• Maintains a repository for global correlation

• Automatically downloads unknown files for additional analysis
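The server-side step above, comparing every endpoint's inventory against the whole fleet and pulling unknown files for analysis, is the part worth seeing concretely. What follows is an added example written for this page; it is not ECAT code and does not reproduce ECAT's internals. The inventory rows, host names, the placeholder hash strings and the known-good set are all constructed. The idea shown is frequency stacking: a binary present on almost every host is probably legitimate, a binary present on one host, unsigned, or carrying a well-known file name under an unexpected hash, is what an analyst wants to look at first.

```python
"""Fleet-wide inventory stacking: flag rare, unknown and masquerading binaries.

Added example, not ECAT code. The rows, hosts, hash placeholders and the
known-good set are constructed for illustration.
"""
from collections import defaultdict

# Constructed scan results: (hostname, path, sha256, signed)
INVENTORY = [
    ("ws-01", r"C:\Windows\System32\svchost.exe", "h-svchost-a", True),
    ("ws-02", r"C:\Windows\System32\svchost.exe", "h-svchost-a", True),
    ("ws-03", r"C:\Windows\System32\svchost.exe", "h-svchost-a", True),
    ("ws-04", r"C:\Windows\System32\svchost.exe", "h-svchost-a", True),
    ("ws-05", r"C:\Windows\System32\svchost.exe", "h-svchost-a", True),
    ("ws-05", r"C:\Users\Public\svchost.exe", "h-svchost-x", False),       # masquerade
    ("ws-01", r"C:\Program Files\Acme\acme.exe", "h-acme", True),
    ("ws-02", r"C:\Program Files\Acme\acme.exe", "h-acme", True),
    ("ws-03", r"C:\Program Files\Acme\acme.exe", "h-acme", True),
    ("ws-04", r"C:\Program Files\Acme\acme.exe", "h-acme", True),
    ("ws-05", r"C:\Program Files\Acme\acme.exe", "h-acme", True),
    ("ws-03", r"C:\Users\bob\AppData\Local\Temp\upd.exe", "h-upd", False),  # rare, unsigned
]
KNOWN_GOOD = {"h-svchost-a", "h-acme"}  # constructed whitelist repository


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def stack(inventory):
    """Index the fleet inventory three ways for correlation."""
    hosts_by_hash = defaultdict(set)    # hash -> hosts where it was seen
    hashes_by_name = defaultdict(set)   # file name -> distinct hashes
    rows_by_hash = defaultdict(list)    # hash -> (host, path, signed)
    for host, path, h, signed in inventory:
        hosts_by_hash[h].add(host)
        hashes_by_name[basename(path)].add(h)
        rows_by_hash[h].append((host, path, signed))
    return hosts_by_hash, hashes_by_name, rows_by_hash


def flag(inventory, known_good, fleet_size, rare_fraction=0.2):
    """Return findings, most suspicious first, for every hash that needs a look."""
    hosts_by_hash, hashes_by_name, rows_by_hash = stack(inventory)
    findings = []
    for h, hosts in hosts_by_hash.items():
        rows = rows_by_hash[h]
        name = basename(rows[0][1])
        reasons = []
        if h not in known_good:
            reasons.append("unknown")
        if len(hosts) / fleet_size <= rare_fraction:
            reasons.append(f"rare({len(hosts)}/{fleet_size})")
        if not all(signed for _, _, signed in rows):
            reasons.append("unsigned")
        # Same file name as a known binary but a different, unknown hash.
        if len(hashes_by_name[name]) > 1 and h not in known_good:
            reasons.append(f"name-collision({name})")
        if reasons:
            findings.append({
                "hash": h,
                "hosts": sorted(hosts),
                "paths": sorted({p for _, p, _ in rows}),
                "reasons": reasons,
            })
    findings.sort(key=lambda f: (-len(f["reasons"]), f["hash"]))
    return findings


def to_download(findings):
    """Hashes the server would fetch for deeper analysis: unknown binaries only."""
    return [f["hash"] for f in findings if "unknown" in f["reasons"]]


if __name__ == "__main__":
    for f in flag(INVENTORY, KNOWN_GOOD, fleet_size=5):
        print(f["hash"], f["hosts"], f["reasons"])
    print("download:", to_download(flag(INVENTORY, KNOWN_GOOD, fleet_size=5)))
```

`fleet_size` is passed in rather than derived from the inventory so that hosts that failed to report still count toward prevalence. The ordering puts the unsigned `svchost.exe` outside `System32` ahead of the lone temp-directory binary because it trips one more rule; in practice the name-collision check is the one that catches the masquerade, since a hash that is merely rare could just as well be a fresh patch.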


RSA ECAT Evaluation

https://emcinformation.com/267502/REG/.ashx


RSA Security Analytics: Visibility, Analysis, Action

Be the hunter, not the hunted


Modular RSA Advanced SOC Solution

As you grow, the product grows with you: NETWORK FORENSICS | SIEM & BEYOND | ENDPOINT THREAT ANALYSIS


RSA Security Analytics - New Version 10.5

• Expanded visibility

• Improvements in investigation

• Expanded SIEM capabilities

• Platform enhancements

• New packaging and pricing


RSA Security Analytics Architecture (Visibility - Analysis - Action)

Visibility: NetFlow, Packets, Logs, Endpoint are captured at the source.

Analysis: Capture Time Data Enrichment, fed by RSA LIVE intelligence (Threat Intelligence | Rules | Parsers | Feeds | Reports | RSA Research).

Action: Security Operations; an existing 3rd-party SIEM can be attached as a consumer alongside it.

20 © Copyright 2015 EMC Corporation. All rights reserved.

Capture Time Data Enrichment (LIVE)

• Inspect every network session & log event for threat indicators

• Most robust metadata

• Fastest retrieval & reconstruction

• Seconds to respond in a time of crisis

21 © Copyright 2015 EMC Corporation. All rights reserved.

Capture Time Data Enrichment: from Basic Packet Capture to Deep Network Forensics (175+ metadata fields)

Basic Packet Capture: IP Src/Dst, Port, Mac Address Alias, Ethernet Connection, Session Size, Session Characteristics, Protocol Fingerprints, Country Src/Dst, Client/Server Application

Deep Network Forensics metadata, for example: HTTP Headers, URL, Hostname, Directory, Top Level Domain, Referrer, User Agent, Browser, Cookie, Language, IP Alias Forwarded, Non Standard Content Type, PDF/Flash Version, Attachment, File Fingerprints, File Packers, Embedded Objects, Crypto Type, SSL CA/Subject, User Name, Email Address, URL in Email, Credit Cards, Access Criticality, Sql Query, Database Name
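The point of capture-time enrichment is that the metadata fields listed above are computed once, when the session is seen, so an analyst later queries small indexed values instead of re-parsing packets. The following is an added example written for this page, not RSA code: it extracts a handful of those fields (hostname, URL, directory, filename, TLD, user agent, referrer, declared content type, file fingerprint, session size) from one constructed HTTP session and adds the check a practitioner actually wants at this stage, whether the body's magic bytes agree with the declared content type. The request and response bytes, the addresses and the key names are all constructed; the key names only loosely echo the slide's field names and are not claimed to match RSA's own meta keys.

```python
"""Capture-time metadata extraction for one HTTP session.

Added example, not RSA code. The session bytes, addresses and key names are
constructed for illustration.
"""
import hashlib
import re

# Constructed session: client request and server response (CRLF line endings).
CLIENT = ("10.1.2.17", 51234)
SERVER = ("203.0.113.5", 80)
REQUEST = (
    b"GET /update/check.php?id=17 HTTP/1.1\r\n"
    b"Host: cdn-update.example.net\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n"
    b"Referer: http://intranet.example.com/\r\n"
    b"Cookie: session=abc123\r\n"
    b"\r\n"
)
RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/gif\r\n"
    b"Content-Length: 6\r\n"
    b"\r\n"
    b"MZ\x90\x00\x03\x00"   # a PE header where a GIF was declared
)

# Magic-byte table used to sniff the real file type of a body.
MAGIC = {
    b"MZ": "application/x-dosexec",
    b"\x7fELF": "application/x-elf",
    b"%PDF": "application/pdf",
    b"PK\x03\x04": "application/zip",
    b"GIF8": "image/gif",
}
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def split_message(raw):
    """Return (start line, {header: value}, body) for a request or response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower().decode()] = value.strip().decode(errors="replace")
    return lines[0].decode(), headers, body


def sniff(body):
    """Content type implied by the body's leading bytes, or None."""
    for magic, mime in MAGIC.items():
        if body.startswith(magic):
            return mime
    return None


def extract(request, response, client, server):
    """Derive session metadata once, at capture time."""
    req_line, req_h, _ = split_message(request)
    _, resp_h, body = split_message(response)
    method, path, _ = req_line.split(" ", 2)
    host = req_h.get("host", "")
    labels = host.split(".")
    declared = resp_h.get("content-type", "").split(";")[0].strip()
    sniffed = sniff(body)
    return {
        "ip.src": client[0], "ip.dst": server[0], "tcp.dstport": server[1],
        "action": method,
        "alias.host": host,
        "url": f"http://{host}{path}",
        "tld": labels[-1] if len(labels) > 1 else "",
        "directory": path.split("?")[0].rsplit("/", 1)[0] + "/",
        "filename": path.split("?")[0].rsplit("/", 1)[-1],
        "query": path.partition("?")[2],
        "client": req_h.get("user-agent", ""),
        "referer": req_h.get("referer", ""),
        "has.cookie": "cookie" in req_h,
        "content": declared,
        "sniffed.content": sniffed,
        # Declared type disagrees with the bytes: classic executable-as-image.
        "content.mismatch": bool(sniffed) and sniffed != declared,
        "session.size": len(request) + len(response),
        "file.hash": hashlib.sha256(body).hexdigest() if body else None,
        "emails": sorted(set(EMAIL.findall(body.decode(errors="ignore")))),
    }


if __name__ == "__main__":
    for key, value in extract(REQUEST, RESPONSE, CLIENT, SERVER).items():
        print(f"{key:18} {value}")
```

Everything an analyst would later pivot on (host, TLD, user agent, file hash, the mismatch flag) is now a small indexed value; the packet bytes are only needed again for reconstruction. A real implementation would also handle chunked and compressed bodies, pipelined requests and non-ASCII headers, none of which the constructed session contains.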

22 © Copyright 2015 EMC Corporation. All rights reserved.

SA Live Services (Capture Time Data Enrichment, LIVE)

1 new Event Stream Analysis (ESA) rule

- This addition to the ESA rule library helps analysts detect potential APT service installation

7 updates to Event Stream Analysis (ESA) rules

- These limit noise in customer ESA environments and keep the intelligence in the rule library targeted

3 new application rules

- These additions to the application rule set let analysts detect potential shadow IT in their environment

- A rule to detect rogue DHCP servers was also released

1 update to an RSA Security Analytics list

- Changes to the User Watchlist by IP list

11 new RSA Security Analytics rules

- Focused on shadow IT detection and Security Analytics administration reports

2 new RSA Security Analytics reports

- Focused on shadow IT detection and Security Analytics administration

3 new log parsers

- RSA Via Access

- Evidian

- IBM Mainframe (Top Secret)

60 updates to log parsers

- Improve parsing accuracy and support newer versions of event sources

For a full breakdown of new/updated content released to RSA Live, see the Content Announcement. The complete content library and the content request portals are available at RSA Live Content and Content Request Portals.

23 © Copyright 2015 EMC Corporation. All rights reserved.

New SA Throughput Licensing and Packaging - Version 10.5

• Use-case-driven packaging

• Metered by throughput or by endpoints (ECAT)

• Perpetual & subscription terms available

Packages: ECAT - Endpoint Analytics | SA - Network Monitoring & Forensics | SA - Log Monitoring & SIEM | Appliances and Storage

24 © Copyright 2015 EMC Corporation. All rights reserved.

RSA Security Analytics - Key Messages

Spot more attacks with complete visibility - from the endpoint to the cloud

Threat Detection & Investigation beyond just logs - This is what SIEM was meant to be

Choose the deployment that is right for you with flexible delivery models

25 © Copyright 2015 EMC Corporation. All rights reserved.

Governance, Risk & Compliance: Solving Your Risk and Compliance Challenges

http://www.emc.com/security/rsa-archer.htm

26 © Copyright 2015 EMC Corporation. All rights reserved.

RSA Archer Focus Solutions & Integrations

https://community.emc.com/docs/DOC-27403

Solutions:

• ISMS Foundation

• PCI Compliance

• Unified Compliance Framework (UCF)

• Key & Certificate Management

• Regulatory Change Management

• Legal Matters Management

• Model Risk Management

• Code of Federal Regulations

• Stakeholder Evaluations

• FCPA Solution

• Environmental Health & Safety

• Market Conduct Management

• Anti-Money Laundering

• Privacy Program Management

Integrations:

• WhiteHat Security Sentinel

• Skybox Security Risk Control

• Qualys Guard

• RedSeal Networks

• McAfee Vulnerability Manager

• Veracode Security Review

• Rapid7 Nexpose

• CloudPassage

27 © Copyright 2015 EMC Corporation. All rights reserved.

SOC Use Cases (Use Case 1, 2 and 3)

http://www.emc.com/security/rsa-advanced-security-operations-center/use-cases.htm



Benefits of the Intelligence Driven 2.0 Approach

• Risk-based - prioritize activity and resources appropriately

• Incremental and achievable - new capabilities improve your maturity over time

• Future proof - enables response to changes in the landscape that is not based on adding new products

• Agile - enables the business to take advantage of new technology and IT-driven opportunities


Advanced Security Operations at Work: EMC Critical Incident Response Center, Bedford, MA

• Monitors approx. 500 subsidiaries worldwide, 1,400 security devices and 250,000 endpoints

• 5 data centers, 500 applications, 97% virtualized, 7 PB of storage

• RSA products in use: Archer eGRC Platform, Security Analytics, Enterprise Compromise Assessment Tool (ECAT), enVision SIEM, Data Loss Prevention, ...

• Advanced analytics built on EMC Pivotal SA

Business Context | Visibility | Integrated Approach | Process Automation


RSA SecurWorld Partner Program 2015 - 2016: Partner Tiers

• Partners enter the program at this tier

• Primarily composed of VARs who manage the authentication business (more opportunistic)

• Drive RSA's high-growth solutions (ASOC, GRC, IMG)

• Greatest investment in training across the full portfolio, particularly in RSA's focus products

• Specialize in a smaller number of RSA products, but invest heavily in those products

• Significant RSA revenue

• Partners that are beginning to progress in the program, having invested in training and starting to see financial results


RSA SecurWorld Resources

RSA Partner Central http://www.RSAPartnerCentral.com/

RSA Partner Central is the central hub for all product and program materials. Here, partners have 24x7 access to a full range of sales tools, training, and marketing materials, including datasheets, whitepapers, demo videos, and campaign kits. This is also where partners can view details about their company's standing in SecurWorld, as well as submit and manage deal registration opportunities.

RSA Virtual Lab (vLab) http://portal.demoemc.com

The vLab is a hosted demonstration and use-case training system, allowing partners to demonstrate RSA products in complex real-world environments.

Not-for-Resale (NFR) Program

The NFR Program allows partners to purchase hardware or software at a deep discount to install within their labs, allowing them to demo the product internally or with prospects.

RSA SharedVue http://rsa.sharedvue.net/infocenter/en

RSA SharedVue enables partners to embed compelling RSA product and solution content on their websites, which is automatically updated. Content includes lead generators that send prospect information directly to designated recipients.

SecurCare Online (SCOL) https://knowledge.rsasecurity.com

SCOL is an online express route to technical information, solutions, and support, including patch downloads and product documentation. End of Sale and End of Support announcements are also made here.

Download Central (DLC) http://download.rsasecurity.com/

DLC is where you can download product software and licenses.

Submit a Case http://rsa.force.com/webtocase

Partners can submit a case using this form if experiencing any technical issues using RSA's systems.


Achieving Security and Privacy

1. The organization permits personal use of communication systems: personally identifiable information should be removed or masked before security analysis.

2. The organization does not permit personal use of communication systems: legitimate use of personal data to secure the network and preserve intellectual property.

3. Only data traffic to internal network segments within the organization is monitored: applications can limit the exposure of personal information.

Source: http://germany.emc.com/about/news/press/2013/20131014-01.htm and http://www.kpmg.de/bescheinigungen/RequestReportLaw.aspx?37823
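"Removed or masked before security analysis" is easy to state and easy to get wrong: plain redaction destroys the ability to correlate events belonging to the same person, which is exactly what an investigation needs. The following is an added example written for this page, not RSA code and not from the cited sources: it replaces e-mail addresses and user names in log lines with keyed HMAC pseudonyms, so the same person always maps to the same token and events still join, while only the holder of the key (or of the separately stored escrow table) can map a token back. The log lines, field names and key are constructed; whether IP addresses count as personal data depends on jurisdiction, so their masking is a switch.

```python
"""Keyed pseudonymization of personal data in log lines before analysis.

Added example, not RSA code. Log lines, field names and the key are
constructed for illustration.
"""
import hashlib
import hmac
import re

EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
USER = re.compile(r"\b(user|uid|account)=([^\s,;]+)", re.IGNORECASE)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


class Pseudonymizer:
    def __init__(self, key: bytes, mask_ips: bool = False):
        self.key = key
        self.mask_ips = mask_ips
        # token -> original value; to be stored apart from the logs, under
        # access control, for the cases where re-identification is lawful.
        self.escrow = {}

    def token(self, value: str, kind: str) -> str:
        # Keyed, so an attacker with the logs cannot brute-force tokens from a
        # list of employee names; truncated to 64 bits only for readability.
        mac = hmac.new(self.key, f"{kind}:{value.lower()}".encode(),
                       hashlib.sha256).hexdigest()[:16]
        tok = f"{kind}_{mac}"
        self.escrow[tok] = value
        return tok

    def mask(self, line: str) -> str:
        # user=... first, so a user field that holds an e-mail address gets
        # the same token as that address elsewhere in the logs.
        def user_field(m):
            value = m.group(2)
            kind = "email" if EMAIL.fullmatch(value) else "user"
            return f"{m.group(1)}={self.token(value, kind)}"
        line = USER.sub(user_field, line)
        line = EMAIL.sub(lambda m: self.token(m.group(0), "email"), line)
        if self.mask_ips:
            line = IPV4.sub(lambda m: self.token(m.group(0), "ip"), line)
        return line

    def mask_all(self, lines):
        return [self.mask(line) for line in lines]


# Constructed log lines.
LOGS = [
    "2015-09-24T10:00:01 vpn login ok user=J.Doe src=10.1.2.17",
    "2015-09-24T10:03:44 mail sent from j.doe@example.com to ext@partner.example size=48211",
    "2015-09-24T10:05:09 proxy allow user=j.doe@example.com url=http://cdn-update.example.net/ size=1802",
    "2015-09-24T10:07:30 ids alert beacon src=10.1.2.17 dst=203.0.113.5",
]

if __name__ == "__main__":
    p = Pseudonymizer(b"constructed-demo-key")
    for out in p.mask_all(LOGS):
        print(out)
```

With the default settings the analyst still sees that the VPN login, the outbound mail and the proxy request belong to one pseudonymous principal and that the same source address later beaconed, which is enough to run the detection; the escrow table is consulted only once an incident justifies naming the person. The key must be rotated on a schedule that matches the log retention period, otherwise tokens accumulate across years and the pseudonym becomes as identifying as the name.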


Cyber Threats Trends

http://www.rsaconference.com/

2015 Top Trends ("Word Cloud")


Cyber Threats Trends

http://www.rsaconference.com/

2015 Top Trends

Big Takeaway 1: “Internet of Things” gets the spotlight

Big Takeaway 2: “STIX” and “TAXII” get traction

Big Takeaway 3: “Compliance” getting run under the bus

Big Takeaway 4: “Human Element” becoming mature

Big Takeaway 5: “Cloud” and “Mobile” becoming ubiquitous

STIX = Structured Threat Information eXpression

TAXII = Trusted Automated eXchange of Indicator Information


Cyber Threats Trends - RSA Conference 2015

http://www.rsaconference.com/



Cyber Threats Trends - RSA Conference 2015 APAC, Singapore, 22 July 2015

"The Game Has Changed", Amit Yoran, President RSA

http://www.rsaconference.com/media/the-game-has-changed

"Based on the breaches of the past couple of years, it's obvious that the way our industry has been doing security isn't working. The adversary continues to get through even 'next generation' defenses and what's worse, too often they do so undetected for months or even years. As the perimeter continues to dissolve under the onslaught of mobile and cloud technologies, enterprises need to realize that the game has changed and that the only way to escape today's vicious cycle of prevention and remediation is to change our mindset toward security operations."


Know - Decide - Act

• Identification and classification of your sensitive data

• User access rules

• Export / import

• Vulnerabilities

• Analyses, reports

Risk assessments; awareness and communication; action plans

Protect - Detect threats - Analyze - Remediate

Activities: ....

Take a scalable approach!


Activities: ....

RSA / Arrow ECS webcasts and workshops - information and registration: http://www.arrowecs.de/events.html

RSA evaluations: on request

RSA product information: http://www.emc.com/security/index.htm

RSA / Arrow ECS trainings: http://education.arrowecs.de/portfolio/rsa_security.cfm

Questions: rsa@arrowecs.de


Activities: ....

Partner as trusted advisor - Customer

rsa@arrowecs.de

EMC, RSA, the EMC logo and the RSA logo are trademarks of EMC Corporation in the U.S. and other countries.

Volker Strecke

Tel. 089 93099 140

rsa@arrowecs.de

Good luck!