RSA Archer Security Operations Management...
Slide 1 (© Copyright 2013 EMC Corporation. All rights reserved.)
RSA Archer Security Operations Management (SecOps) RSA, The Security Division of EMC
Slide 2
Security Incidents are Going Unnoticed
• Lack of Staff
• Too Many False Positive Responses
• Too Many Manual Processes
• Too Many Non-Integrated Tools
• Security Attacks are Sophisticated
* ESG White Paper – “The Big Data Security Analytics is Here”, January 2013
Slide 3
Security Incidents → Data Breach
* Ponemon Institute – “2013 Cost of Data Breach Study: Global Analysis”, Cost of a Data Breach in US
• 70% Company’s Value is IP
• 78% Weeks to Discover
• 56% Staff Shortage
Average Cost of a Data Breach (chart; bar values as shown, country labels not recoverable): $5,403,644; $4,104,932; $3,143,048; $2,275,404; $4,823,583; $3,763,299; $2,282,095; $1,321,903
Impact to an Enterprise: Financial + Reputational Damage
Slide 4
Centralizing Incident Response Teams
Specialized Team
• Reporting to: CSO/CISO → CIO
• Consisting of: People – Process – Technology
Detect, Investigate and Respond
• SOC Manager
• Tier 2 Analyst
• Analysis & Tools Support Analyst
• Tier 1 Analyst
• Threat Analyst
Slide 5
Current Challenges: SOCs are Event Focused and Reactive
• No Centralization of Alerts
• Lack of Centralized Incident Management
• Lack of Context
• Lack of Process
• Lack of Best Practices
Slide 6
Complexities of a SOC (diagram; roles, processes and tools shown as connected nodes)
Roles: SOC Manager 1, SOC Manager 2, CISO, Finance, Legal, HR, IT, L1 Analyst, L2 Analyst, Threat Analyst, Breach Coordinator
Processes: Shift Handoff, Incident Process, Threat Analysis, Report KPIs, Breach Process, IT Handoff, Centralize Alerts, Measure Efficacy
Tools: SIEM, DLP, Network Visibility, eFraud, Host Visibility
Slide 7
Detect & Respond to Security Incidents: RSA Reference Architecture (diagram)
RSA Live Intelligence: Threat Intelligence – Rules – Parsers – Alerts – Feeds – Apps – Directory Services – Reports and Custom Actions
Data sources: SharePoint, File Servers, Databases, NAS/SAN, Endpoints, Enterprise Mgmt., Windows Clients/Servers
RSA ECAT
RSA Security Operations Management (NEW): Incident Management, Breach Management, SOC Program Management, IT Risk Management
Slide 8
RSA Security Operations Management
Domain: Security Operations Management
• Incident Management
• Breach Management
• SOC Program Management
• IT Security Risk Management
People – Process – Technology: Orchestrate & Manage
Consistent / Predictable Business Process
Slide 9
RSA SecOps
SecOps Marketecture: Orchestration / Management of the SOC (diagram)
• Aggregate Alerts to Incidents
• Incident Response
• Breach Response
• SOC Program Management
• Dashboard & Report
RSA Archer Enterprise Management (Context)
RSA Archer BCM (Crisis Events)
ALERTS / CONTEXT
Capture & Analyze – Packets, Logs & Threat Feeds
LAUNCH TO SA
Slide 10
Persona Driven Design: Customized for the SOC Personas
L1/L2 Analyst
• Review Incidents
• Collect Data
• Investigate / Escalate
• Forensic Analysis
Incident Coordinator
• Analyst Mgmt.
• Shift Handover
• Incident Trends
Breach Response Lead
• Review Escalations
• Breach Impact Analysis
• Notification Process
SOC Manager / CISO
• SOC Visibility
• Access to Dashboards
• Access to Reports
• Measure Effectiveness
Slide 11
Analyst Focused Dashboard (screenshot)
• New and My Incident Queue
• Overall Incident Status
Slide 12
Contextual Launch to Collect Data (screenshot)
• Launch to SA to Collect Additional Data
Slide 13
Link to Business Context (screenshot)
• New and My Incident Queue
• Cross-Reference Alerts to Asset Details and Business Context
Slide 14
Incident Coordinator Dashboard (screenshot)
• Shift Handover
• Analyst Workload
• Incident Trends
Slide 15
Breach Coordinator Dashboard (screenshot)
• Current Breaches, Impact and Records Affected
Slide 16
IT Operations Dashboard (screenshot)
• Current Breaches, Impact and Records Affected
• Findings Addressed by IT Help Desk
Slide 17
SOC Manager / CISO Dashboard (screenshot)
• Overall View of Security Operation Center
Slide 18
The Value of SecOps: Orchestration and Framework for the SOC
Enable SOC Team to Be More Effective
• Incident Prioritization
• Workflow to Guide IR Process
• Response Procedures
Optimize SOC Investments
• Automation
• Monitor KPIs
• Measure Security Controls
• Manage SOC Team
Better Manage IT Security & Business Risk
• Visibility & Business Context
• Data Breach Management
• Enterprise Risk
Slide 19
Security Operations Management Deployment Maturity Model
Stage 1: Alerts & Context
• Business Context
• Define Alerting Rules for Security Monitoring Systems
Stage 2: Incident Response
• Alert Aggregation
• Investigation / Incident Management Process
• Breach Management Process
Stage 3: Program Management
• Team / Shift Management
• SOC Readiness, Security Control Efficacy
• KPI Monitoring
Stage 4: Business Risk Management
• IT Security Risk Management
• Enterprise Risk & BCM
Slide 20
Professional Services Offerings: SecOps Program Offerings
• Early Stage Deployment of SOC
− Strategy, Design, Implement & Operate
− Custom SOW Based on Customer Requirements
• Mature SOC Customer
− Technical Implementation: Install, Integrate & Functional Overview
Holistic Solution Portfolio: Incident Response, Breach Response, Reports & Dashboards, GRC Integrations, SOC Program Management