Security Analytics - New Technology For Emerging Threats

intelligent information security ANITIAN 2014.10


The proliferation of aggressive new forms of malware has IT security teams scrambling to protect vital assets. High-profile breaches, such as Target, P.F. Chang's, and Home Depot, have IT security leaders deeply concerned. Are breaches inevitable? Are we all destined to become a headline on Brian Krebs's blog?

Transcript of Security Analytics - New Technology For Emerging Threats

1. Security Analytics - New Technology For Emerging Threats (title slide: intelligent information security, ANITIAN, 2014.10)

2. Overview
Intent:
• Describe the origins of the security analytics market
• Define security analytics and its elements
• Provide insight into how to adopt, implement and use security analytics
Outline:
• The Game is On: Introducing Security Analytics
• Elementary: Inside Security Analytics
• I Will Burn You: Deploying Security Analytics

3. Speaker: Andrew Plato
• President / CEO of Anitian
• 20 years of experience in IT & security
• Completed thousands of security assessments & projects
• Discovered SQL injection attack tactic in 1995
• Helped develop first in-line IPS engine (BlackICE)
• Co-developed RiskNow - Rapid Risk Assessment approach
• Championed movement toward practical, pragmatic information security solutions

4. Anitian
• Mission: Build great security leaders.
• Vision: Security makes the world a better place.
• Security is necessary for innovation and growth
• We practice scientific methods of analysis
Services we offer:
• Compliance (PCI, HIPAA, etc.)
• Penetration testing
• Risk Assessment
• Technology integration
• Staffing & recruiting
• Research & analysis

5. Premises & Assumptions
• This is a very new market
• We do not sell these products; no financial stake here
• Our data comes from 6 months of research and interviews with SA companies conducted in Q1-Q2 2014: RSA, BlueCoat, Cylance, CounterTack, ThreatStream, CrowdStrike, Symantec, ThreatMetrics, Fortinet, Palo Alto Networks, FireEye, Damballa

6. NGFW VS UTM / THE GAME IS ON: INTRODUCING SECURITY ANALYTICS (section divider)

7. "The world is full of obvious things which nobody by any chance ever observes." - Sherlock Holmes
8. We Know the Problem
• It is easy to hack systems
• It is extremely difficult to detect attacks
• The data are gigantic
• No human can ever expect to stay on top of this
• Security technologies are failing to keep up

9. The Failure of AV
• Current AV is profoundly bad at detecting emerging threats
• Most AVs can only manage about 95% effective
• That 5% remaining is huge
• Symantec's own VP admitted that AV is dead!

10. The Failure of SIEM
• Big data
• Big complexity
• Most SIEM deployments are strictly to satisfy compliance requirements
• Immense barriers to operationalization

11. Failure of Incident Response (chart from the Verizon Data Breach Report - 2014)

12. Failure of Incident Response
• Third parties are increasingly notifying organizations of their breach
• Nobody is watching the data, because there is too much of it
• Alerts go ignored, because there are too many of them
• Data is unavailable when there is a breach, because systems were never configured correctly

13. We Need a Digital Sherlock Holmes
• Threat intelligence that tells us about the latest attacks
• Data analysis that can differentiate an attack from noise
• Big data cruncher that finds the needle in the haystack
• Incident handler that can piece together the crime
• Force multiplier that empowers security teams with intelligence (derived from data)
"Aren't they all that way? Their SIEM; it's so placid, straightforward, barely used."

14. ELEMENTARY: INSIDE SECURITY ANALYTICS (section divider)

15. What is Security Analytics?
Threat Intelligence + SIEM/Log Data + Network Protection + Endpoint Protection + Incident Tools = SECURITY ANALYTICS (well, sort of)
16. Threat Intelligence (TI)
• All SA products have some kind of threat intelligence
• Catalog of known bad actors: host / IP reputation, system behavior, file combinations, statistical computations
• Source is diverse: honeypots, install-base, crowd-sourced
• Must be able to update itself rapidly
• TI contextualizes security data
• Threat intelligence itself is not security analytics

17. Threat Intelligence Players
• Dedicated TI products: Threat Stream, CrowdStrike, Cyveillance, iSIGHT
• In a sense, almost everybody is in this business

18. Behavior Analyzers / Breach Detection (BA)
• Analyze the behavior of systems, files, or a network to determine if there is malicious activity
• Uses threat intelligence to be more accurate
• Network- or host-based
• Sandboxing is the most common core technology
• Behavior heuristics is growing in popularity
• Access to data is the constraining factor
• BA is not DLP, and DLP is not BA

19. Sandboxing Example (diagram; source: Palo Alto Networks)

20. Network-Based Breach Detection Players
• Market Leaders: FireEye, SourceFire / Cisco, Damballa
• Innovative Challengers: Palo Alto Networks, Fidelis, Fortinet, Trend Micro, Blue Coat, Hexis, CrowdStrike
• Uncompetitive: Ahn Labs, Web Root, McAfee

21. Host-Based Breach Detection Players
• Market Leaders: SourceFire / Cisco, Bit9
• Innovative Challengers: Palo Alto Networks, Cylance, CounterTack, CrowdStrike, Blue Coat
• Questionable: Ahn Labs, McAfee, Symantec

22. Data Analyzers
• Crunch data to find evidence of an attack
• Evolution of SIEM correlations
• Log + network + vulnerability data
• Use threat intelligence to correlate events
• Needs a lot of data to work
• Storage and processing power are the constraining factors here
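Slide 16 says threat intelligence (host / IP reputation) contextualizes security data, and slide 22 says data analyzers use that intelligence to correlate events across log data. The Python below is an added example, not code from the deck or from any vendor it names: a minimal analyzer that enriches constructed firewall log lines with a constructed reputation feed and turns repeated contact between one internal host and a listed network into a finding. The log layout, the feed format, the field names and the scoring rule are all assumptions made for the example.

```python
"""Added example, not from the Anitian deck or any vendor it names.

A toy "data analyzer": firewall events are enriched with a threat-intelligence
reputation feed (the TI slide's "host / IP reputation"), then correlated per
internal host (the data-analyzer slide's "use threat intelligence to correlate
events"). Feed entries, log lines, field names and the scoring rule are all
constructed assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed reputation feed: network -> (category, confidence 0-100).
# The address blocks are RFC 5737 documentation ranges, not real actors.
THREAT_FEED = {
    "203.0.113.0/24": ("c2", 90),
    "198.51.100.7/32": ("scanner", 60),
}

# Assumed firewall log layout (one event per line).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

# Constructed sample events: one internal host repeatedly reaching the listed
# block, one benign connection, one inbound probe from the listed scanner.
SAMPLE_LOGS = """\
2014-10-01T09:00:01Z src=10.0.0.5 dst=203.0.113.44 dport=443 action=allow
2014-10-01T09:00:05Z src=10.0.0.5 dst=203.0.113.44 dport=443 action=allow
2014-10-01T09:00:09Z src=10.0.0.5 dst=203.0.113.45 dport=8080 action=allow
2014-10-01T09:01:00Z src=10.0.0.9 dst=192.0.2.80 dport=80 action=allow
2014-10-01T09:02:00Z src=198.51.100.7 dst=10.0.0.2 dport=22 action=deny
"""


@dataclass(frozen=True)
class Finding:
    host: str          # internal host the finding is about
    category: str      # feed category of the peer(s)
    direction: str     # "outbound" (host -> listed peer) or "inbound"
    hits: int          # number of correlated events
    score: int         # 0-100, feed confidence boosted by repetition
    indicators: tuple  # listed peer addresses seen


def lookup(ip):
    """Return (category, confidence) for the most specific feed entry containing ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, (category, confidence) in THREAT_FEED.items():
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0]):
            best = (network.prefixlen, category, confidence)
    return None if best is None else (best[1], best[2])


def parse(text):
    """Yield parsed events; lines that do not match the layout are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def correlate(text, min_hits=2):
    """Enrich every event, then group hits by (internal host, category, direction).

    A single contact is kept as context for an analyst; only min_hits or more
    events against the same host become a Finding. Score = feed confidence
    plus 10 per additional hit, capped at 100 (an assumed rule).
    """
    tally = defaultdict(lambda: {"hits": 0, "conf": 0, "peers": set()})
    for ev in parse(text):
        # Outbound: internal src talking to a listed dst. Inbound: listed src hitting internal dst.
        for direction, internal, peer in (("outbound", ev["src"], ev["dst"]),
                                          ("inbound", ev["dst"], ev["src"])):
            hit = lookup(peer)
            if hit is None:
                continue
            category, confidence = hit
            entry = tally[(internal, category, direction)]
            entry["hits"] += 1
            entry["conf"] = max(entry["conf"], confidence)
            entry["peers"].add(peer)

    findings = []
    for (host, category, direction), e in sorted(tally.items()):
        if e["hits"] < min_hits:
            continue
        score = min(100, e["conf"] + 10 * (e["hits"] - 1))
        findings.append(Finding(host, category, direction, e["hits"], score,
                                tuple(sorted(e["peers"]))))
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOGS):
        print(f)
```

Run stand-alone, it reports one finding: 10.0.0.5 made three allowed connections into the listed block, so the feed's confidence is boosted to the cap, while the single denied probe from the scanner address stays enrichment only. That split is the deck's point about TI versus analytics: the feed supplies context, the correlation across many events is what an analyst can act on, and a real analyzer would also pull in the vulnerability and endpoint data the slides list rather than firewall events alone.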
23. Data Analyzers: Players
• Market Leaders: RSA, IBM Q1 Labs, Blue Coat (Solera)
• Innovative Challengers: RazorThreat, Arbor Networks, Tripwire
• Questionable: Juniper, Splunk, McAfee

24. Convergence?
• True Security Analytics will happen when these technologies fully converge into a common platform / framework
• BlueCoat, IBM and RSA are all close
• PAN and Splunk could also get there (they should merge)
• Seriously, what is wrong with McAfee and Symantec?
• Others rely on SIEMs to do the data analysis side

25. Positive Impressions
• BlueCoat: Innovative, converged platform
• IBM / QRadar: Close to fully converged platform
• Palo Alto Networks: On the verge of a converged platform
• CounterTack: Very cool technology, but small company
• Cylance: Amazingly simple and effective
• Cisco / Sourcefire: Strong platform, and Cisco has not screwed it up (yet)

26. Negative Impressions
• RSA: EMC is hard-shopping the company; products are good, but cumbersome and expensive; inconsistent performance and execution; marketing is non-stop FUD, fear, and fanaticism
• FireEye: So arrogant, much froth, NSS Labs pwned; Mandiant acquisition was brilliant, execution was dumb; malware is specifically written to avoid FireEye detection

27. Watch for Acquisitions
• Watch for these companies to get acquired: RSA, Cylance, Damballa, FireEye, CrowdStrike
• Potential acquirers? IBM, Palo Alto Networks, Splunk, Cisco, Fortinet

28. Incident Response Tools
• Many of these products can feed an incident response program (IRP)
• None of them can stand alone
• Data is extremely valuable in an incident
Prerequisites:
• Solid incident response plan / program
• Storage of data long enough to actually respond
• Real, live humans looking at the data
• Organizational ability to handle incidents
29. I WILL BURN YOU: DEPLOYING SECURITY ANALYTICS (section divider)

30. Do You Need Security Analytics?
• "We need it for regulatory compliance." No, you don't.
• "We don't know what we don't know." Security analytics may just deepen that hole.
• "We are worried about APT, state-sponsored attacks." You need a lot of other technologies first; focus on behavior-based products.
• "Our SIEM/IPS/DLP/AV can't protect us." Neither can security analytics, really.
• "We must stop the hackers!" Security analytics cannot always stop things; many organizations refuse to configure for autoblocking.

31. Are You Mature Enough to Handle Security Analytics?
If you want SA to work, you must already have mastered:
• Firewalls / UTM / NGFW
• IDS/IPS
• Web filtering
• Application control
• Endpoint AV
• Vulnerability management
• Patching
• SIEM
• Data loss prevention (maybe)

32. Where Does the Threat Intelligence Come From?
• Research team: Variable
• Crowd sourced: Good idea but usually weak
• Honeypots: Meh
• Install-base: Good
• Experience: Best
• Third party: Fine
• Insane monk in Vanuatu: Could know the future?
No black-box arguments here; make the vendor explain it.

33. Do You Have the Resources?
• Security Analytics is at least as complex (if not more so) than SIEM
• You need analysts:
  0-500 hosts: 1 half-time analyst
  500-2500 hosts: 1 full-time analyst
  2500-7500 hosts: 2 full-time analysts
  7500-15000 hosts: 3 full-time analysts
  15000+ hosts: analysis team
• Outsourcing SA is very difficult
• Very few talented analysts can do this work
• If you cannot invest in the people, do not purchase the technology

34. Do I Need a SIEM?
• Do you already have a SIEM? Do you need one?
• Will the technology integrate with it?
• What is the long-term support?
• Hate your SIEM now? SA will make you hate it even more.
• How do you get data out of the platform?
35. Hardware Requirements?
• You will need boxes everywhere you want to capture data. That's a lot of boxes!
• Virtual platforms help, but these are CPU- and network-intensive devices
• SA is very expensive to implement
• Minimum investment is $150K and up

36. Storage Requirements?
• How much storage does it need? Triple whatever number the VAR/vendor tells you
• Log data uses up about 1/10th of what network captures do
• Store at least 30 days' worth
• You need way more storage than you think:
  Log + network captures: 1 gig network, 1 month of storage = 500TB (minimum); 10 gig, 1 month = 5 petabytes (5000 TB)
  Log data only: 1TB per 500 hosts, per month

37. Use Cases You Need to See
Vendor should be able to show you these use cases:
Behavior Analyzer / Breach Detection:
• Malware identification and blocking
• Reporting and alerting
• Integration with network / hosts
• False positive tuning
• Updating
Data Analyzers:
• Querying and analysis
• Walk through attack data
• Incident response
• Reporting & alerting

38. Acquiring Security Analytics
1. Make sure you have the resources
2. Master your SIEM
3. Build an Incident Response Plan (IRP)
4. Strengthen your mobile / BYOD platform
5. Implement network-based breach detection capabilities
6. Augment outbound web filtering / proxy
7. Integrate threat intelligence into your SIEM
8. Upgrade / augment endpoint detection capabilities
9. Start storing full-packet captures (consider a converged platform)
10. Update your IRP for the new technologies
39. Final Thoughts
• Security Analytics is a messy, formative market
• It is only for high-maturity organizations
• It is expensive, really, really expensive
• It will not replace UTM/NGFW, IPS, endpoint AV
• Make sure you have really solid requirements
• You must make these operational to get value out of them
• Don't buy them if you can't invest in the personnel to manage them
• Remember, the VARs and vendors lie about performance and accuracy

40. Questions?

41. Thank You
EMAIL: [email protected]
WEB: anitian.com
TWITTER: @andrewplato @AnitianSecurity
BLOG: blog.anitian.com
SLIDES: http://bit.ly/anitian
CALL: 888-ANITIAN