SlideShare uma empresa Scribd logo
1 de 16
Baixar para ler offline
Surfacing Critical
Cyber Threats
Through Security
Intelligence
A Reference Model for
IT Security Practitioners
By:
Christopher Petersen
CTO & Co-Founder of LogRhythm
With a Foreword By:
Robert Lentz
Former CISO for the U.S. Department of Defense
Security - intelligence - maturity-model-ciso-whitepaper
Surfacing Critical Cyber Threats Through Security Intelligence	
1 LogRhythm
IN MY 10 years as the CISO for the largest information enterprise in the
world, the U.S. Department of Defense, we realized after numerous
cyber incidents that leadership commitment was severely lacking and that
victim organizations did not possess the tools, processes, staff, or mindset
necessary to detect and respond to advanced intruders. Accordingly,
we developed the Cyber Security Maturity Model to create a long term
strategic commitment and an ability to measure tactical performance
while institutionalizing a risk management culture.
The significant and successful cyber
events of 2014 might well prove to
be the cyber tipping point, where
businesses and governments together
finally acknowledge the fragility of
their enterprises, the grave threat to
national and economic security, and
the need for executive-level oversight.
The LogRhythm Security Intelligence
Maturity Model offers a compelling
framework to help organizations advance
in their journey to combat advanced
cyber attacks while simultaneously
restoring confidence in the Internet.
Robert Lentz
Former CISO for the U.S. Department of Defense
“Harnessing the intelligence
resident on your own network is
absolutely essential in detecting
today’s sophisticated threats.
Unfortunately, too many
organizations are leaving it on
the cutting room floor.”
COL John Burger USA (Ret)
Chief, USCENTCOM Joint Cyber Center
(2012-2014)
Surfacing Critical Cyber Threats Through Security Intelligence	
2 LogRhythm
Introduction
It’s almost quaint and more than a bit naive to
look back on the days when an enterprise felt it
could install a few firewalls and some anti-virus
software and feel confident that the organization
was well defended against cyber threats. Those
days weren’t so long ago, but much has changed
in a few short years.
IT environments have become much more
vulnerable as enterprise mobility, cloud services
and “bring-your-own-everything” have broken
down the defensible perimeter and added layers
of complexity to securing the enterprise. At
the same time, the nature of cyber threats has
changed dramatically. Threat actors are well
organized and well funded, and many of them
are known to be supported by nation states. They
have sophisticated technical skills which allow
these actors to create custom malware for very
specific targets, and they are relentless in pursuit
of their objectives. Moreover, almost anyone with
a malicious intent can purchase malware and
rent botnets on the Dark Web, lowering the bar
for criminal entities, nation states, and terrorists
to use cyber as a weapon of choice towards their
intended purpose.
The reality today is that for most
organizations, if a motivated
adversary wants to penetrate their
network, they will get in.
Many organizations continue to focus their at-
tention on identifying and blocking threats at the
perimeter—or at least what’s left of it. Unfortu-
nately, prevention-centric strategies are failing
and have failed in some of the largest attacks
that have made recent headlines. Attackers
are known to conduct reconnaissance to find a
weakness in the armor. Attempting to prevent
attacks is still important, but organizations must
acknowledge that attacks that are stealthy by
nature can be crafted to get past the preventive
measures.
Cyber attacks now take place on an industrial
scale. The 2015 Global State of Information
Security Survey shows that the compound
annual growth rate (CAGR) of detected security
incidents has increased 66 percent year-
over-year since 2009. (See Figure 1.) Survey
respondents acknowledge detecting a total
number of 42.8 million security incidents in
2014—an increase of 48 percent over incidents
detected in 2013. That’s the equivalent of 117,339
incoming attacks per day, every day, and that’s
only what has been detected and reported.1
One cyber security company recently estimated
that as many as 71 percent of compromises go
undetected.2
Figure 1: The number of detected incidents
keeps growing year after year
3.4
MILLION
2009
9.4
MILLION
2010
22.7
MILLION
2011
24.9
MILLION
2012
28.9
MILLION
2013
42.8
MILLION
2014
TOTAL NUMBER OF
DETECTED INCIDENTS
SECURITY INCIDENTS
GROW 66% CAGR
Source: PwC, The Global State of Information Security Survey 2015
In a relatively short time span, cyber security
has become a major concern for government
agencies, military branches, companies across
every industry, financial institutions, law
enforcement, and many regulators. The World
Economic Forum says the theft of information
and the intentional disruption of online or digital
	1
	PwC, The Global State of Information Security Survey 2015, www.pwc.com/gsiss2015
	2
	Trustwave Holdings, 2014 Trustwave Global Security Report, May 2014
Surfacing Critical Cyber Threats Through Security Intelligence	
3 LogRhythm
processes are among the leading business risks
that organizations face today. Research by BAE
Systems confirms that notion: more than half of
U.S. companies now regard the threat from cyber
attacks as one of their top three business risks.3
The reality today is that for most organizations,
if a motivated adversary wants to penetrate their
network, they will get in. Practically speaking,
organizations have to adopt the mindset of “If
we are not compromised right now, we could
be at any moment.” They must work under the
assumption that the network is untrusted and is
already or soon to be compromised.
A fundamental shift is beginning to take place
in terms of the overall approach enterprises
now have toward delivering cyber security to
the organization. Given the notion that the
computing environment might already be
compromised, CISOs are directing a shift of
processes and priorities toward detecting when
those compromises occur and responding to
them as quickly as possible. They know they can’t
spend all of their resources trying to build and
maintain a seemingly impenetrable fortress that
is now recognized as something that is painfully
impossible to have.
Analyst firms are strongly advocating a
rebalancing of the cyber security budget,
shifting some funds from pure prevention to
detection and response. Neil MacDonald, vice
president, distinguished analyst and Gartner
fellow emeritus at Gartner Inc., wrote, “In
2020, enterprise systems will be in a state of
continuous compromise. They will be unable to
prevent advanced targeted attacks from gaining
a foothold on their systems. Unfortunately, most
enterprise information security spending to
date has focused on prevention, in a misguided
attempt to prevent all attacks.” He adds, “We
believe the majority of information security
spending will shift to support rapid detection and
response capabilities, which are subsequently
linked to protection systems to block further
spread of the attack.” MacDonald’s report
includes a key recommendation: “Invest in your
incident response capabilities. Define and staff
a process to quickly understand the scope and
impact of a detected breach.”4
In 2020, enterprise systems will be in
a state of continuous compromise.
They will be unable to prevent
advanced targeted attacks from
gaining a foothold on their systems.
This is not to suggest that threat prevention
itself is obsolete. On the contrary, organizations
should continue to buttress the network
fortress to protect the IT infrastructure and
the assets within, but they should also accept
that those walls will eventually be scaled by the
cyber equivalent of a marauder. The sooner
the intruder can be detected and a response
initiated, the less likely it is that the mission
of the attack will be successful. Above all,
organizations don’t want the attacker to actually
get to the data and exfiltrate it before they even
know he is there.
	3
	BAE Systems, Business and the Cyber Threat: The Rise of Digital Criminality, February 2014
4	
Neil MacDonald, Gartner, Inc., Prevention is Futile in 2020: Protect Information Via Pervasive Monitoring and Collective Intelli-
gence, 30 May 2013
Surfacing Critical Cyber Threats Through Security Intelligence	
4 LogRhythm
A Time of Great Risk: The Time Between
Compromise and Mitigation
In most organizations today, threat detection is
based on various security sensors that attempt
to look for anomalous behavior or for known
signatures of malicious activity. These sensors
include firewalls, intrusion detection/prevention
systems (IDS/IPS), application gateways, anti-
virus/anti-malware, endpoint protection, and
more. They operate at and provide visibility into
all layers of the IT stack.
These security sensors provide a continuous
stream of threat-related events. In enterprise
organizations, the stream might be better
described as a fire hose that serves events at the
rate of thousands or tens of thousands per hour.
This intense stream of threat data effectively
blinds a security team in a fog of noise. The team
has so much to deal with that it can’t identify the
threats that really matter – let alone respond to
them – in a timely manner.
Two key metrics for measuring the effectiveness
of an organization’s security capabilities are its
Mean-Time-to-Detect™ (MTTD™) and its Mean-
Time-to-Respond™ (MTTR™). The MTTD is the
average amount of time it takes an organization
to identify those threats that could potentially
impact the organization—the ones that present
an actual risk and which require further analysis
and response efforts. The MTTR is the average
amount of time it takes an organization to
fully analyze the threat and mitigate any risk
presented.
Unfortunately, many organizations operate in a
mode where MTTD and MTTR would be measured
in weeks or months. Enterprises whose networks
have been compromised are at high risk during
this time. If they are seeking to reduce their
cyber security risk, they should minimally move
these metrics into hours and days, and ideally to
hours and minutes.
Figure 2: The impact of a breach is directly related to MTTD and MTTR
RISK OF BREACH
MTTDTM
*/MTTRTM
*
DEVASTATING AVOIDED
2015
YEARSMONTHSWEEKSDAYSMINUTESHOURS
The average time it takes to
recognize a threat requiring further
analysis and response efforts
The average time it takes to
respond and ultimately resolve
the incident
*MEAN-TIME-TO-DETECT (MTTD)
*MEAN-TIME-TO-RESPOND (MTTR)
The more time spent detecting and
responding to a threat, the greater
the risk of breach
Surfacing Critical Cyber Threats Through Security Intelligence	
5 LogRhythm
Research data from Trustwave illustrates the
problem. The company looked at evidence
gathered from 691 data breach investigations
spread across industries and the world.
Trustwave learned that 71 percent of compromise
victims did not detect the breach themselves.
Financial institutions, law enforcement agencies
and other third parties are often the first
to suspect that a company has experienced
a security incident. In the breaches in this
particular study, the MTTD was 87 days – nearly
three full months – and the MTTR was a week.
According to Trustwave, self-detection of a
threat can shorten the timeline from detection to
containment from 14 days down to one.5
The Security Intelligence Imperative
The way to bring visibility to the most important
threats while clearing the fog of noise is with
Security Intelligence (SI). Just as Business
Intelligence has helped numerous organizations
clear the fog of too many points of seemingly
extraneous business data to find previously
unknown business opportunities, Security
Intelligence does much the same thing with
threat information, enabling companies to
clearly see the threats that matter. The main
objective of Security Intelligence is to deliver
the right information, at the right time, with the
appropriate context, to significantly decrease the
amount of time it takes to detect and respond
to damaging cyber threats; in other words, to
significantly improve an organization’s MTTD
and MTTR.
The main objective of Security
Intelligence is to deliver the right
information, at the right time,
with the appropriate context, to
significantly decrease the amount of
time it takes
to detect and respond to damaging
cyber threats
There’s no standard definition for Security
Intelligence; it means different things to different
companies. This composite definition helps to get
us on the same page.
Security Intelligence is the ability to capture,
correlate, visualize, and analyze forensic data
in order to develop actionable insight to detect
and mitigate threats that pose real harm to
the organization, and to build a more proactive
defense for the future. Users of Security
Intelligence will shorten their Mean-Time-to-
Detect and Mean-Time-to-Respond, extend the
value of current security tools, and discover
previously unseen threats through advanced
machine analytics.
When threats are identified, whether via an
enterprise’s vast array of sensors or through
machine analytics, the role of Security
Intelligence is to deliver actionable insight into
potentially damaging threats, with supporting
forensic data and contextually rich intelligence.
Security teams must be able to quickly evaluate
threats to determine the level of risk as well as
whether an incident has occurred. Ensuring that
analysts have as much information as possible
to make good decisions critically enables their
efficiency and decision support processes.
Let’s take a deeper dive into the key sub-
processes that support the full threat
detection and response process. An effective
Security Intelligence platform ideally enables
a streamlined workflow across each of the
processes, delivering automation wherever
possible. If an organization can optimize its
efficiency in performing these critical steps in
the detect/respond cycle, it can reduce its MTTD
and MTTR and, more importantly, reduce its
exposure to risk.
	5
	Trustwave Holdings, 2014 Trustwave Global Security Report, May 2014
Surfacing Critical Cyber Threats Through Security Intelligence	
6 LogRhythm
The End-to-End Threat Detection and Response Lifecycle™
Organizations that strive to seek reductions
in MTTD and MTTR must optimize the end-to-
end threat detection and response lifecycle.
At each stage of the process, and in between,
inefficiencies can exist that can dramatically
impede an organization’s overall effectiveness.
However, organizations that are able to optimize
the effectiveness of their security operations
processes across each stage can realize profound
improvements in MTTD and MTTR.
Threat detection typically begins the moment
a threat is evidenced in forensic data. While
it is true, threats can be identified before
they become active, few organizations have
the proactive threat intelligence and analysis
capabilities to detect threats before they have
begun to engage with the target environment.
When a threat engages with the target
environment, evidence will be left behind.
This evidence will exist in forensic data
that is collected or generated across the
environment. The threat also may be detected
by other security sensors. However, for most
organizations, evidence of these threats gets
lost in the noise. Separating the signal from the
noise is the first step of the end-to-end threat
detection and response process.
The response cycle begins the second a threat
has been qualified as one that could present
risk and requires further investigation. The
cycle ends after a full investigation has been
performed, and if the threat resulted in an
incident, any risk to the organization has been
mitigated. Organizations must collapse this
response cycle from months to minutes if
they are to avoid a damaging breach. Security
Intelligence is the single largest enabler of
collapsing this response cycle via:
•	Centralized, full spectrum visibility around the
threat and associated incident, delivered via
powerful analytic tools
•	Integrated workflows and collaboration
capabilities that expedite the analysis and
response process
•	Automation in support of incident
response processes and the deployment of
countermeasures
Let’s look at each of these process steps and
what they entail.
Figure 3: The end-to-end threat detection and response lifecycle
TIME TO DETECT TIME TO RESPOND
UNIFIED SECURITY INTELLIGENCE PLATFORM
RECOVER
Fully eradicate,
clean up,
report, review,
and adapt.
MITIGATE
Implement
countermeasures
and controls that
mitigate risk
presented by
the threat.
INVESTIGATE
Fully analyze
the threat and
associated risk,
determine if
an incident has
or is occurring.
FORENSIC
DATA
Captured Log &
Machine Data
Generated
Forensic Sensor
Data
Event Data
QUALIFY
Assess threat
and determine
if it may pose
risk and
whether a full
investigation
is required.
DISCOVER
User
Analytics
Machine
Analytics
Surfacing Critical Cyber Threats Through Security Intelligence	
7 LogRhythm
Discover
As the first step in detection, discovery is the
process of identifying those threats that could
present risk; for example, seeing web traffic
coming from a country the organization normally
doesn’t do business with. The traffic could
be communication from a new international
customer, or it could be attack traffic from a
hacker in another country. At this stage, it’s
unknown whether it represents a threat or not.
The discovery process requires extracting those
threats that require further analysis from the
mass of forensic data. There are two principal
types of analytics performed in support of
discovering threats: user analytics and machine
analytics.
User analytics are “person-based.” That is, it’s
the work of individuals who are monitoring
dashboards; manually evaluating trends, patterns
and behaviors; and actively hunting for threats
within the environment. This form of analytics
scales based on the number of trained security
staff an organization can afford to employ.
As the name implies, machine analytics are
“machine-based.” This form of analytics is
delivered via software where captured forensic
and event data is continuously monitored and
analyzed. The primary function of machine
analytics is twofold: first to detect threats that
can only be seen via sophisticated analytic
techniques, and second to prioritize threats
detected by other technologies.
Qualify
Still part of the detection process, qualification
is a critical step and involves further analyzing a
threat to determine if it could present risk. When
qualification is done well, threats representing
risk are quickly identified as requiring additional
analysis or response efforts. When qualification is
done poorly, actual threats are missed, or teams
spend the majority of their time chasing false
positives.
The outcome of the qualification step is
determining whether the discovered threat is a
false positive; doesn’t present risk and can be
ignored; or likely presents risk and should be
further investigated.
Investigate
If the outcome of the qualification process
determines that a threat likely presents risk, the
security team moves into the response process.
It begins with conducting a deep investigation to
understand the risk presented by the threat, and
determining if an incident exists; in other words,
if something bad has actually happened or is in
the process of happening. The outcome of the
investigation step is to conclusively determine
whether the threat presents risk, if an incident
has occurred, and if so, to initiate mitigation
efforts.
Mitigate
By now it has been determined that there is a
threat that presents real risk to the organization,
and something must be done to reduce or
eliminate that risk. The mitigation step is highly
dependent on having sufficient knowledge about
the root cause and impact of the threat as well
as the knowledge and skills to do something
about it. It is a time-sensitive step where security
practitioners will benefit greatly by having
an integrated and centralized view into all
threat related activities, as well as streamlined
cross-organizational collaboration capabilities,
knowledge bases, and automated responses.
Recover
This final step could be considered “cleaning up
the mess.” Recovery involves performing post-
mitigation efforts such as fully eradicating the
threat from the environment, cleaning up any
damage done, performing any required incident/
breach notifications, and performing root cause
analysis to learn from the incident in order to
prevent it from happening again.
How MTTD and MTTR are Calculated
Looking at the five process steps – Discover,
Qualify, Investigate, Mitigate, and Recover – it’s
easy to calculate the critical metrics of MTTD and
MTTR.
MTTD is calculated as the time from when
the threat was first evidenced (collected) in
the environment to when it’s discovered, plus
the time between discovering the threat to
determining its efficacy or dismissing it.
Surfacing Critical Cyber Threats Through Security Intelligence	
8 LogRhythm
MTTR is calculated as the time from when a
threat was qualified to when it was conclusively
determined to present risk or it was dismissed,
plus the time it took to mitigate the risk
presented by the threat to an acceptable level.
The recovery stage, as defined above, isn’t
included in the MTTR metric. The critical
measurement of response is considered to
be the time it takes to determine risk exists
and implement mitigations. The time required
to implement full recovery procedures, while
important, is a less critical metric in terms of
understanding the overall effectiveness of the
security operation towards achieving the most
meaningful risk reduction.
The LogRhythm Security Intelligence Maturity Model™ (SIMM™)
Cyber security is a journey, not a destination.
It takes time and resources to mature any
significant organizational capability, and
achieving significant reductions in MTTD and
MTTR is no different. However, for organizations
determined to reduce their cyber security
risk posture, it is a capability that must be
invested in.
Security Intelligence is the single
most effective investment toward
achieving reduced MTTD and MTTR.
Security Intelligence is the single most effective
investment toward achieving reduced MTTD and
MTTR. The LogRhythm Security Intelligence
Maturity Model (SIMM) is designed to help
organizations assess their current Security
Intelligence capability and associated risk
posture. This model also provides organizations
a roadmap forward as they seek to continue
improving their posture over time.
The model is focused on building and maturing
an organization’s detection and response
capabilities as opposed to simply implementing
more individual security products. However,
technology-based solutions play a critical role
in supporting and enabling the various stages
of the process outlined above. Ideally the
capabilities are delivered via an integrated and
unified platform that supports the end-to-end
threat detection and response process.
The critical capabilities that a Security
Intelligence platform must deliver toward
the goal of becoming impervious to cyber
threats are:
•	Provide centralized, real-time acquisition of
all forensic log and machine data generated
across the complete IT environment
•	Provide sensors that constantly, or on
demand, acquire additional forensic data from
endpoints, servers, and networks, holistically
or targeted to areas of highest risk
•	Uniformly process all acquired data into a
highly classified and contextualized form,
unlocking the intelligence contained in
machine data and optimally preparing for
downstream analytics
•	Deliver state-of-the art machine-based
analytics that can continuously and
automatically surface risks and advanced
threats via:
	–	Access to 100 percent of acquired forensic
data
	–	Application of hybrid analytics techniques
from correlation to behavioral modeling to
machine learning
	–	Intelligent prioritization of threats via
contextual, risk based corroboration
•	Deliver real-time visibility into highest risk
incidents requiring further investigation and
ongoing management by incident responders
•	Deliver powerful search-based analytic tools
that provide responders a 360-degree view
around incidents via centralized access
to forensic data in both raw and a fully
contextualized form
Surfacing Critical Cyber Threats Through Security Intelligence	
9 LogRhythm
•	Deliver optimally orchestrated and automated
incident response capabilities via intelligence
driven, highly integrated workflows
•	Deliver dashboards and reports that provide
upper management key indicators of risk and
active incidents within the environment
The LogRhythm Security Intelligence Maturity
Model, fully detailed in the upcoming table, is
comprised of multiple levels, beginning with
Level 0 where there are essentially no SI
capabilities and the organization is quite exposed
to risk, and progressing to Level 4, with full SI
capabilities that support an extremely resilient
and highly efficient security posture.
As an organization progresses up the maturity
model, its MTTD and MTTR and the associated
timeframe of greatest risk grow smaller as
illustrated in Figure 4.
Figure 4: MTTD and MTTD shrink as Security Intelligence capabilities grow more mature
LEVEL OF SECURITY INTELLIGENCE MATURITY
LENGTHOFTIMETODETECT&
RESPONDTOSECURITYBREACH
LEVEL 0 LEVEL 1 LEVEL 2 LEVEL 3 LEVEL 4
2015
YEARSMONTHSWEEKSDAYSMINUTES
EXPOSED
TO THREATS
RESILIENT
TO THREATS
Greater threat resiliency
is achieved at higher
levels of security
intelligence maturity
MTTDTM
MTTRTM
HOURS
Surfacing Critical Cyber Threats Through Security Intelligence	
10 LogRhythm
The LogRhythm SIMM (see enclosed table) illustrates how increasing and maturing SI capabilities reduce
an organization’s risk posture.
Matrix Security Intelligence Maturity Model™
MTTD
MTTR
LEVEL
1
MINIMALLY
COMPLIANT
WEEKS MONTHS
WEEKS
• Often have a compliance
mandate driving investment or
alternatively have identified a
specific area of their environ-
ment to better protect
• Compliance risks identified via
report review, although risk
exists if reports not reviewed and
processes don’t exist for
managing compliance violations
• Improved visibility into threats
targeting the protected domain,
but still lack the people and
processes to effectively evaluate
and prioritize threats
• No formal incident response
process, still comes down to
individual “heroic” efforts.
However, better enabled to
respond to incidents affecting
the protected environment
• Significantly reduced
compliance risk, however,
depends on the depth of
audit
• Blind to most insider
threats
• Blind to most external
threats
• Blind to APTs
• If have IP of interest to
nation-states or cyber
criminals, likely stolen
• Targeted Log
Management and SIEM
• Targeted Server
Forensics (e.g., File
Integrity Monitoring)
• Minimal, mandated,
compliance oriented
monitoring & response.
MTTD
MTTR
LEVEL
2
SECURELY
COMPLIANT
• Want to move beyond the
minimal “check box” compliance
approach, seeking efficiencies
and improved assurance
• Have recognized are effectively
blind to most threats and want to
see a material improvement
towards detecting and respond-
ing to potential high impact
threats, focused on areas of
highest risk
• Have established formal
processes and assigned
responsibilities for monitoring
high risk alarms
• Have established basic, yet
formal processes for responding
to incidents
• Extremely resilient and
highly efficient
compliance posture
• Seeing insider threats
• Seeing external threats
• Still mostly blind to
APTs, but more likely to
detect indicators and
evidence of
• Much more resilient to
cyber criminals, but still
vulnerable to those
leveraging APT type
capabilities
• Still highly vulnerable to
nation-states
• Holistic Log Management
• Broader, Risk Aligned
Server Forensics
• Targeted environmental
risk characterization
• Targeted Vulnerability
Intelligence
• Targeted Threat
Intelligence
• Targeted Machine
Analytics
• Some monitoring and
response processes
established.
DAYSHOURS
OR
DAYSHOURS
OR
• Prevention oriented mindset.
Have firewalls, A/V, etc.
• Isolated logging based on
technology and functional silos,
but no central logging visibility
• Indicators of threat and
compromise exist, but nobody is
looking and/or they are lost in
the noise
• No formal incident response
process, comes down to
individual “heroic efforts"
• Compliance risk
• Blind to insider threats
• Blind to external threats
• Blind to APTs
• If have IP of interest to
nation-states or cyber
criminals, likely stolen"
• None
MTTD
MTTR
LEVEL
0
BLIND
MONTHS
WEEKS MONTHS
OR
OR
SECURITY INTELLIGENCE
CAPABILITIES
ORGANIZATIONAL
CHARACTERISTICS
RISK
CHARACTERISTICS
Continued on page 11
Surfacing Critical Cyber Threats Through Security Intelligence	
11 LogRhythm
Matrix Security Intelligence Maturity Model continued
• Have recognized are still blind to
many high impact threats that
could cause material harm to the
organization
• Have invested in the
organizational processes and
required people to significantly
improve ability to detect and
respond to all classes of threats
• Have invested in and established
a formal security operations and
incident response capability that
is running effectively with
trained staff
• Have begun to automate incident
response processes and
countermeasures
• Are actively hunting for risk in
the environment via dashboards
and search
• Extremely resilient and
highly efficient compliance
posture
• Seeing and quickly
responding to insider
threats
• Seeing and quickly
responding to external
threats
• Seeing evidence of APTs
early in their lifecycle but
may have trouble
attributing activity to an
actor/intent
• Very resilient to cyber
criminals, even those
leveraging APT type
capabilities
• Still vulnerable to
nation-states, but can
reactively defend against
• Holistic Server Forensics
• Targeted Network
Forensics
• Targeted Endpoint
Forensics
• Multi-vector, commercial
grade, Threat
Intelligence
• Holistic Vulnerability
Intelligence
• Targeted Behavioral
Analytics
• Fully established and
mature monitoring and
response processes
• Functional SOC
established
• Targeted IR
Orchestration and
Automated Response
MTTD
MTTR
HOURS
HOURS
LEVEL
3
VIGILANT
• Are a high value target for
nation-states, cyber terrorists,
and organized crime
• Are continuously being attacked
across all possible vectors:
physical, logical, social
• A disruption of service or breach
is intolerable and represents
organizational failure of the
highest level
• Take a proactive stance towards
threat management, and security
in general
• Invest in best-in-class people,
technology, and processes
• Have eyes on the data, eyes
towards emerging threats, 24/7
• Have automated response
processes and countermeasures
wherever possible
• Extremely resilient and
highly efficient
compliance posture
• Seeing and quickly
responding to all classes
of threats
• Seeing evidence of APTs
early in their lifecycle
and able to manage
their activities
• Can withstand and
defend against the most
extreme nation-state
level adversary
• Holistic Network, Server
and Endpoint Forensics
• Holistic environmental
risk characterization
• Holistic, Multi-Vector
Machine Analytics
• Proactive Threat
Intelligence
• Proactive Vulnerability
Intelligence
• Holistic IR Orchestration
and Automated
Response
• Functional 24 x 7 SOC
• Cyber Range Practice
MTTD
MTTR
LEVEL
4
RESILIENT
MINUTES
MINUTES
SECURITY INTELLIGENCE
CAPABILITIES
ORGANIZATIONAL
CHARACTERISTICS
RISK
CHARACTERISTICS
Surfacing Critical Cyber Threats Through Security Intelligence	
12 LogRhythm
The LogRhythm Unified Platform Approach
LogRhythm’s unified platform approach
(Figure 5) ensures that all the aforementioned
critical capabilities of Security Intelligence are
delivered via an integrated product suite, where
all components are designed to elegantly and
efficiently work as a whole. For organizations
seeking ideal MTTD and MTTR, this is critical.
While the full suite of capabilities will be
leveraged by organizations seeking to reach
higher levels of maturity, customers starting
their journey toward SI maturity can start with
specific products and build on their investment
over time.
Figure 5: The LogRhythm Security Intelligence
Product Suite
LOG MANAGEMENT
SECURITY ANALYTICS
SIEM
NETWORK
FORENSICS
SERVER
FORENSICS
ENDPOINT
FORENSICS
The Principal Benefits of LogRhythm’s Unified Approach
The Principal Benefits of LogRhythm’s
Unified Approach
LogRhythm’s unified SI approach delivers
organizations the technology foundation to
realize a highly efficient security operation
across all stages of the detection and response
process. Only a unified approach ensures that
information, people, and processes are ideally
aligned toward the objective of reducing MTTD
and MTTR. Following are some of the key
principal benefits realized via this approach:
Comprehensive Big Data Analytics
When deployed, LogRhythm has incredible
visibility across the IT environment from a
data acquisition standpoint. This visibility is
leveraged via Security Analytics capabilities to
conclusively detect threats via big data analytics
approaches. Security Analytics delivered
outside an integrated architecture approach
introduces complexity, latency and increased
cost of ownership. These issues often result in
data gaps. LogRhythm has taken an integrated
approach to ensure the Security Analytics
capability has optimal access to all acquired
forensic data, in real-time, with lowest cost of
ownership possible.
Holistic Contextual Analytics
Context is critical in support of effective
analytics and incident response efforts.
Security Information and Event Management
(SIEM) traditionally provides a rich store of
environmental context such as host and network
risk ratings, lists of privileged user accounts,
known vulnerabilities, etc. This context is critical
when trying to effectively surface and qualify
threats requiring highest attention. LogRhythm’s
integrated approach ensures context is
configured once and maintained everywhere.
This greatly helps ensure more accurate
analytics and swifter incident response efforts,
while reducing ongoing total cost of ownership.
Globally Prioritized Threat Management
Detecting threats is the easy part; discovering
those that matter is the hard part. Security
teams need a consolidated view of threats across
their global landscape. Additionally, threats must
be intelligently prioritized so end-user analysis
cycles are spent effectively. LogRhythm’s
comprehensive big data analytics, combined with
holistic context, allows the system to not only
detect a unique class of threats, but to prioritize
those that are detected by LogRhythm and
other technologies, all in a consolidated global
view. This is imperative to achieving low MTTD
and is critically enabled via LogRhythm’s unified
platform approach.
Surfacing Critical Cyber Threats Through Security Intelligence	
13 LogRhythm
Streamlined Incident Response
When threats are discovered, the clock begins
ticking. How fast incident responders can
access relevant forensic data and context
critically impacts the amount of time required
to investigate each threat. As threats are
investigated, a subset will be identified as
incidents requiring a full response. LogRhythm’s
unified approach ensures that forensic data
associated with an incident is readily and
immediately available to responders and
automatic response capabilities.
When forensic data is tightly coupled with
the system responsible for orchestrating and
automating incident response, response times
are exponentially more efficient—especially when
cross organizational workflow is required. To
the contrary, when forensic data is decoupled,
automatic responses become constrained, and
incident responders have to scramble and hunt
through disjointed disparate systems. Cross-
organizational collaboration becomes manual
and slow. All the while, the clock continues to
tick.
Conclusion
As organizations evolve their Security
Intelligence maturity, the realized reduction in
MTTD and MTTR significantly reduces the risk
of experiencing a damaging cyber incident. Of
course, each organization needs to assess for
itself the appropriate level of maturity based on
its own risk tolerances.
As organizations evolve their Security
Intelligence maturity, the realized
reduction in MTTD and MTTR signifi-
cantly reduces the risk of experienc-
ing a damaging cyber incident.
Fortunately, organizations with limited budget
and higher risk tolerances can achieve significant
improvements in capability by moving towards
a Level 2 posture. For organizations with more
cyber security resources and much lower risk
tolerances, moving towards Level 3 or even Level
4 might be appropriate.
LogRhythm’s unified platform approach
and flexible product architecture allow an
organization to adopt and mature capabilities
over time, comfortable in the fact that
subsequent investments will build on previous
steps along the maturity model. LogRhthym’s
goal is to ensure that enterprises have a partner
able to provide the integrated technology
building blocks, and associated services, to most
effectively and efficiently realize their Security
Intelligence objectives so they can best protect
themselves from damaging cyber threats.
About LogRhythm
LogRhythm, the leader in security intelligence
and analytics, empowers organizations around
the globe to rapidly detect, respond to and
neutralize damaging cyber threats. The
company’s patented and award-winning platform
uniquely unifies next-generation SIEM, log
management, network and endpoint forensics,
and advanced security analytics. In addition to
protecting customers from the risks associated
with cyber threats, LogRhythm provides
unparalleled compliance automation and
assurance, and enhanced IT intelligence.
LogRhythm is consistently recognized as a
market leader. The company has been positioned
as a Leader in Gartner’s SIEM Magic Quadrant
report for three consecutive years, named a
“Champion” in Info-Tech Research Group’s 2014-
15 SIEM Vendor Landscape report and ranked
Best-in-Class (No. 1) in DCIG’s 2014-15 SIEM
Appliance Buyer’s Guide. In addition, LogRhythm
has received Frost & Sullivan’s SIEM Global
Market Penetration Leadership Award and been
named a Top Workplace by the Denver Post.
To download or forward the complement to this
paper, The Cyber Threat Risk – Oversight
Guidance for CEOs and Boards, go to:
www.logrhythm.comSIMM-CEO.
LR_SIMM_CISO_01.15
© 2015 LogRhythm, Inc. All trademarks, service marks and trade names
referenced in this material are the property of their respective owners.

Mais conteúdo relacionado

Mais procurados

Cybersecurity: How to Use What We Already Know
Cybersecurity: How to Use What We Already KnowCybersecurity: How to Use What We Already Know
Cybersecurity: How to Use What We Already Knowjxyz
 
ISACA State of Cyber Security 2017
ISACA State of Cyber Security 2017ISACA State of Cyber Security 2017
ISACA State of Cyber Security 2017ISACA
 
RSA大会2009-2010分析
RSA大会2009-2010分析RSA大会2009-2010分析
RSA大会2009-2010分析Jordan Pan
 
Cybersecurity 2020 the biggest threats to watch out for
Cybersecurity 2020 the biggest threats to watch out forCybersecurity 2020 the biggest threats to watch out for
Cybersecurity 2020 the biggest threats to watch out forCigniti Technologies Ltd
 
Smarter Security - A Practical Guide to Doing More with Less
Smarter Security - A Practical Guide to Doing More with LessSmarter Security - A Practical Guide to Doing More with Less
Smarter Security - A Practical Guide to Doing More with LessOmar Khawaja
 
Security in Web 2.0, Social Web and Cloud
Security in Web 2.0, Social Web and CloudSecurity in Web 2.0, Social Web and Cloud
Security in Web 2.0, Social Web and CloudITDogadjaji.com
 
Netpluz | Protecting your Business with eSentinel | 360° Cyber Security Simpl...
Netpluz | Protecting your Business with eSentinel | 360° Cyber Security Simpl...Netpluz | Protecting your Business with eSentinel | 360° Cyber Security Simpl...
Netpluz | Protecting your Business with eSentinel | 360° Cyber Security Simpl...Netpluz Asia Pte Ltd
 
The Future of Cyber Security
The Future of Cyber SecurityThe Future of Cyber Security
The Future of Cyber SecurityStephen Lahanas
 
Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016Imperva
 
Top 10 cybersecurity predictions for 2016 by Matthew Rosenquist
Top 10 cybersecurity predictions for 2016 by Matthew RosenquistTop 10 cybersecurity predictions for 2016 by Matthew Rosenquist
Top 10 cybersecurity predictions for 2016 by Matthew RosenquistMatthew Rosenquist
 
[4YFN]Cyber Security Innovation, an urgent call to cyber heroes SM
[4YFN]Cyber Security Innovation, an urgent call to cyber heroes SM[4YFN]Cyber Security Innovation, an urgent call to cyber heroes SM
[4YFN]Cyber Security Innovation, an urgent call to cyber heroes SMCarlos Valderrama
 
Top Cyber Threat Predictions for 2019
Top Cyber Threat Predictions for 2019Top Cyber Threat Predictions for 2019
Top Cyber Threat Predictions for 2019PECB
 
Top 5 Cybersecurity Trends in 2021 and Beyond
Top 5 Cybersecurity Trends in 2021 and BeyondTop 5 Cybersecurity Trends in 2021 and Beyond
Top 5 Cybersecurity Trends in 2021 and BeyondNandita Nityanandam
 
Intelligent Application Security
Intelligent Application SecurityIntelligent Application Security
Intelligent Application SecurityPriyanka Aash
 
Rise of Ransomware
Rise of Ransomware Rise of Ransomware
Rise of Ransomware Imperva
 
Network Access Control Market Trends, Technological Analysis and Forecast Rep...
Network Access Control Market Trends, Technological Analysis and Forecast Rep...Network Access Control Market Trends, Technological Analysis and Forecast Rep...
Network Access Control Market Trends, Technological Analysis and Forecast Rep...natjordan6
 

Mais procurados (20)

Cybersecurity: How to Use What We Already Know
Cybersecurity: How to Use What We Already KnowCybersecurity: How to Use What We Already Know
Cybersecurity: How to Use What We Already Know
 
ISACA State of Cyber Security 2017
ISACA State of Cyber Security 2017ISACA State of Cyber Security 2017
ISACA State of Cyber Security 2017
 
RSA大会2009-2010分析
RSA大会2009-2010分析RSA大会2009-2010分析
RSA大会2009-2010分析
 
Cybersecurity 2020 the biggest threats to watch out for
Cybersecurity 2020 the biggest threats to watch out forCybersecurity 2020 the biggest threats to watch out for
Cybersecurity 2020 the biggest threats to watch out for
 
Smarter Security - A Practical Guide to Doing More with Less
Smarter Security - A Practical Guide to Doing More with LessSmarter Security - A Practical Guide to Doing More with Less
Smarter Security - A Practical Guide to Doing More with Less
 
2019 Cyber Security Trends
2019 Cyber Security Trends2019 Cyber Security Trends
2019 Cyber Security Trends
 
Security in Web 2.0, Social Web and Cloud
Security in Web 2.0, Social Web and CloudSecurity in Web 2.0, Social Web and Cloud
Security in Web 2.0, Social Web and Cloud
 
Netpluz | Protecting your Business with eSentinel | 360° Cyber Security Simpl...
Netpluz | Protecting your Business with eSentinel | 360° Cyber Security Simpl...Netpluz | Protecting your Business with eSentinel | 360° Cyber Security Simpl...
Netpluz | Protecting your Business with eSentinel | 360° Cyber Security Simpl...
 
The Future of Cyber Security
The Future of Cyber SecurityThe Future of Cyber Security
The Future of Cyber Security
 
Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016
 
Top 10 cybersecurity predictions for 2016 by Matthew Rosenquist
Top 10 cybersecurity predictions for 2016 by Matthew RosenquistTop 10 cybersecurity predictions for 2016 by Matthew Rosenquist
Top 10 cybersecurity predictions for 2016 by Matthew Rosenquist
 
IE_ERS_CyberAnalysisReport
IE_ERS_CyberAnalysisReportIE_ERS_CyberAnalysisReport
IE_ERS_CyberAnalysisReport
 
[4YFN]Cyber Security Innovation, an urgent call to cyber heroes SM
[4YFN]Cyber Security Innovation, an urgent call to cyber heroes SM[4YFN]Cyber Security Innovation, an urgent call to cyber heroes SM
[4YFN]Cyber Security Innovation, an urgent call to cyber heroes SM
 
Top Cyber Threat Predictions for 2019
Top Cyber Threat Predictions for 2019Top Cyber Threat Predictions for 2019
Top Cyber Threat Predictions for 2019
 
The State of Ransomware 2020
The State of Ransomware 2020The State of Ransomware 2020
The State of Ransomware 2020
 
Top 5 Cybersecurity Trends in 2021 and Beyond
Top 5 Cybersecurity Trends in 2021 and BeyondTop 5 Cybersecurity Trends in 2021 and Beyond
Top 5 Cybersecurity Trends in 2021 and Beyond
 
Intelligent Application Security
Intelligent Application SecurityIntelligent Application Security
Intelligent Application Security
 
Rise of Ransomware
Rise of Ransomware Rise of Ransomware
Rise of Ransomware
 
Digital Threat Landscape
Digital Threat LandscapeDigital Threat Landscape
Digital Threat Landscape
 
Network Access Control Market Trends, Technological Analysis and Forecast Rep...
Network Access Control Market Trends, Technological Analysis and Forecast Rep...Network Access Control Market Trends, Technological Analysis and Forecast Rep...
Network Access Control Market Trends, Technological Analysis and Forecast Rep...
 

Semelhante a Security - intelligence - maturity-model-ciso-whitepaper

PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018
PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018
PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018Panda Security
 
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeCyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeErnst & Young
 
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeCyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeNishantSisodiya
 
Shifting Risks and IT Complexities Create Demands for New Enterprise Security...
Shifting Risks and IT Complexities Create Demands for New Enterprise Security...Shifting Risks and IT Complexities Create Demands for New Enterprise Security...
Shifting Risks and IT Complexities Create Demands for New Enterprise Security...Booz Allen Hamilton
 
A1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for CybersecurityA1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for CybersecuritySpark Security
 
Guide to high volume data sources for SIEM
Guide to high volume data sources for SIEMGuide to high volume data sources for SIEM
Guide to high volume data sources for SIEMJoseph DeFever
 
AI-Cyber-Security-White-Papers-06-15-LR
AI-Cyber-Security-White-Papers-06-15-LRAI-Cyber-Security-White-Papers-06-15-LR
AI-Cyber-Security-White-Papers-06-15-LRBill Besse
 
1. security 20 20 - ebook-vol2
1. security 20 20 - ebook-vol21. security 20 20 - ebook-vol2
1. security 20 20 - ebook-vol2Adela Cocic
 
European Cyber Security Perspectives 2016
European Cyber Security Perspectives 2016European Cyber Security Perspectives 2016
European Cyber Security Perspectives 2016Omer Coskun
 
Managed security services for financial services firms
Managed security services for financial services firmsManaged security services for financial services firms
Managed security services for financial services firmsJake Weaver
 
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)Sarah Jarvis
 
The Protocol Of Operations Of Bank Solutions Essay
The Protocol Of Operations Of Bank Solutions EssayThe Protocol Of Operations Of Bank Solutions Essay
The Protocol Of Operations Of Bank Solutions EssayVeronica Garcia
 
Before the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracksBefore the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracks- Mark - Fullbright
 
Five Network Security Threats And How To Protect Your Business Wp101112
Five Network Security Threats And How To Protect Your Business Wp101112Five Network Security Threats And How To Protect Your Business Wp101112
Five Network Security Threats And How To Protect Your Business Wp101112Erik Ginalick
 
5 network-security-threats
5 network-security-threats5 network-security-threats
5 network-security-threatsReadWrite
 
Mark Lanterman - The Risk Report October 2015
Mark Lanterman - The Risk Report October 2015Mark Lanterman - The Risk Report October 2015
Mark Lanterman - The Risk Report October 2015Mark Lanterman
 
Cyber Security small
Cyber Security smallCyber Security small
Cyber Security smallHenry Worth
 

Semelhante a Security - intelligence - maturity-model-ciso-whitepaper (20)

PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018
PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018
PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018
 
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeCyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
 
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeCyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
 
Get Prepared
Get PreparedGet Prepared
Get Prepared
 
Shifting Risks and IT Complexities Create Demands for New Enterprise Security...
Shifting Risks and IT Complexities Create Demands for New Enterprise Security...Shifting Risks and IT Complexities Create Demands for New Enterprise Security...
Shifting Risks and IT Complexities Create Demands for New Enterprise Security...
 
Volume2 chapter1 security
Volume2 chapter1 securityVolume2 chapter1 security
Volume2 chapter1 security
 
A1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for CybersecurityA1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for Cybersecurity
 
Guide to high volume data sources for SIEM
Guide to high volume data sources for SIEMGuide to high volume data sources for SIEM
Guide to high volume data sources for SIEM
 
AI-Cyber-Security-White-Papers-06-15-LR
AI-Cyber-Security-White-Papers-06-15-LRAI-Cyber-Security-White-Papers-06-15-LR
AI-Cyber-Security-White-Papers-06-15-LR
 
1. security 20 20 - ebook-vol2
1. security 20 20 - ebook-vol21. security 20 20 - ebook-vol2
1. security 20 20 - ebook-vol2
 
Cybersecurity - Sam Maccherola
Cybersecurity - Sam MaccherolaCybersecurity - Sam Maccherola
Cybersecurity - Sam Maccherola
 
European Cyber Security Perspectives 2016
European Cyber Security Perspectives 2016European Cyber Security Perspectives 2016
European Cyber Security Perspectives 2016
 
Managed security services for financial services firms
Managed security services for financial services firmsManaged security services for financial services firms
Managed security services for financial services firms
 
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
 
The Protocol Of Operations Of Bank Solutions Essay
The Protocol Of Operations Of Bank Solutions EssayThe Protocol Of Operations Of Bank Solutions Essay
The Protocol Of Operations Of Bank Solutions Essay
 
Before the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracksBefore the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracks
 
Five Network Security Threats And How To Protect Your Business Wp101112
Five Network Security Threats And How To Protect Your Business Wp101112Five Network Security Threats And How To Protect Your Business Wp101112
Five Network Security Threats And How To Protect Your Business Wp101112
 
5 network-security-threats
5 network-security-threats5 network-security-threats
5 network-security-threats
 
Mark Lanterman - The Risk Report October 2015
Mark Lanterman - The Risk Report October 2015Mark Lanterman - The Risk Report October 2015
Mark Lanterman - The Risk Report October 2015
 
Cyber Security small
Cyber Security smallCyber Security small
Cyber Security small
 

Mais de CMR WORLD TECH

Cyber Security for Everyone Course - Final Project Presentation
Cyber Security for Everyone Course - Final Project PresentationCyber Security for Everyone Course - Final Project Presentation
Cyber Security for Everyone Course - Final Project PresentationCMR WORLD TECH
 
Cpq basics bycesaribeiro
Cpq basics bycesaribeiroCpq basics bycesaribeiro
Cpq basics bycesaribeiroCMR WORLD TECH
 
Questoes processautomation
Questoes processautomationQuestoes processautomation
Questoes processautomationCMR WORLD TECH
 
Aws migration-whitepaper-en
Aws migration-whitepaper-enAws migration-whitepaper-en
Aws migration-whitepaper-enCMR WORLD TECH
 
Delivery readness for pick season and higth volume
Delivery readness for pick season and higth volumeDelivery readness for pick season and higth volume
Delivery readness for pick season and higth volumeCMR WORLD TECH
 
Why digital-will-become-the-primary-channel-for-b2 b-engagement
Why digital-will-become-the-primary-channel-for-b2 b-engagementWhy digital-will-become-the-primary-channel-for-b2 b-engagement
Why digital-will-become-the-primary-channel-for-b2 b-engagementCMR WORLD TECH
 
Transcript Micrsosft Java Azure
Transcript Micrsosft Java Azure Transcript Micrsosft Java Azure
Transcript Micrsosft Java Azure CMR WORLD TECH
 
Buisiness UK Trading Marketing Finance
Buisiness UK Trading Marketing Finance Buisiness UK Trading Marketing Finance
Buisiness UK Trading Marketing Finance CMR WORLD TECH
 
Hyperledger arch wg_paper_1_consensus
Hyperledger arch wg_paper_1_consensusHyperledger arch wg_paper_1_consensus
Hyperledger arch wg_paper_1_consensusCMR WORLD TECH
 
Apexand visualforcearchitecture
Apexand visualforcearchitectureApexand visualforcearchitecture
Apexand visualforcearchitectureCMR WORLD TECH
 
Trailblazers guide-to-apps
Trailblazers guide-to-appsTrailblazers guide-to-apps
Trailblazers guide-to-appsCMR WORLD TECH
 
Berkeley program on_data_science___analytics_1
Berkeley program on_data_science___analytics_1Berkeley program on_data_science___analytics_1
Berkeley program on_data_science___analytics_1CMR WORLD TECH
 
Rep consumer experience_in_the_retail_renaissance_en_28_mar18_final_dm_
Rep consumer experience_in_the_retail_renaissance_en_28_mar18_final_dm_Rep consumer experience_in_the_retail_renaissance_en_28_mar18_final_dm_
Rep consumer experience_in_the_retail_renaissance_en_28_mar18_final_dm_CMR WORLD TECH
 
Salesforce voice-and-tone
Salesforce voice-and-toneSalesforce voice-and-tone
Salesforce voice-and-toneCMR WORLD TECH
 

Mais de CMR WORLD TECH (20)

Cyber Security
Cyber SecurityCyber Security
Cyber Security
 
Cyber Security for Everyone Course - Final Project Presentation
Cyber Security for Everyone Course - Final Project PresentationCyber Security for Everyone Course - Final Project Presentation
Cyber Security for Everyone Course - Final Project Presentation
 
CPQ Básico
CPQ BásicoCPQ Básico
CPQ Básico
 
Cpq basics bycesaribeiro
Cpq basics bycesaribeiroCpq basics bycesaribeiro
Cpq basics bycesaribeiro
 
Apexbasic
ApexbasicApexbasic
Apexbasic
 
Questoes processautomation
Questoes processautomationQuestoes processautomation
Questoes processautomation
 
Process automationppt
Process automationpptProcess automationppt
Process automationppt
 
Transcript mva.cesar
Transcript mva.cesarTranscript mva.cesar
Transcript mva.cesar
 
Aws migration-whitepaper-en
Aws migration-whitepaper-enAws migration-whitepaper-en
Aws migration-whitepaper-en
 
Delivery readness for pick season and higth volume
Delivery readness for pick season and higth volumeDelivery readness for pick season and higth volume
Delivery readness for pick season and higth volume
 
Why digital-will-become-the-primary-channel-for-b2 b-engagement
Why digital-will-become-the-primary-channel-for-b2 b-engagementWhy digital-will-become-the-primary-channel-for-b2 b-engagement
Why digital-will-become-the-primary-channel-for-b2 b-engagement
 
Transcript Micrsosft Java Azure
Transcript Micrsosft Java Azure Transcript Micrsosft Java Azure
Transcript Micrsosft Java Azure
 
Buisiness UK Trading Marketing Finance
Buisiness UK Trading Marketing Finance Buisiness UK Trading Marketing Finance
Buisiness UK Trading Marketing Finance
 
Hyperledger arch wg_paper_1_consensus
Hyperledger arch wg_paper_1_consensusHyperledger arch wg_paper_1_consensus
Hyperledger arch wg_paper_1_consensus
 
Master lob-e-book
Master lob-e-bookMaster lob-e-book
Master lob-e-book
 
Apexand visualforcearchitecture
Apexand visualforcearchitectureApexand visualforcearchitecture
Apexand visualforcearchitecture
 
Trailblazers guide-to-apps
Trailblazers guide-to-appsTrailblazers guide-to-apps
Trailblazers guide-to-apps
 
Berkeley program on_data_science___analytics_1
Berkeley program on_data_science___analytics_1Berkeley program on_data_science___analytics_1
Berkeley program on_data_science___analytics_1
 
Rep consumer experience_in_the_retail_renaissance_en_28_mar18_final_dm_
Rep consumer experience_in_the_retail_renaissance_en_28_mar18_final_dm_Rep consumer experience_in_the_retail_renaissance_en_28_mar18_final_dm_
Rep consumer experience_in_the_retail_renaissance_en_28_mar18_final_dm_
 
Salesforce voice-and-tone
Salesforce voice-and-toneSalesforce voice-and-tone
Salesforce voice-and-tone
 

Último

Mapping the pubmed data under different suptopics using NLP.pptx
Mapping the pubmed data under different suptopics using NLP.pptxMapping the pubmed data under different suptopics using NLP.pptx
Mapping the pubmed data under different suptopics using NLP.pptxVenkatasubramani13
 
Elements of language learning - an analysis of how different elements of lang...
Elements of language learning - an analysis of how different elements of lang...Elements of language learning - an analysis of how different elements of lang...
Elements of language learning - an analysis of how different elements of lang...PrithaVashisht1
 
5 Ds to Define Data Archiving Best Practices
5 Ds to Define Data Archiving Best Practices5 Ds to Define Data Archiving Best Practices
5 Ds to Define Data Archiving Best PracticesDataArchiva
 
TINJUAN PEMROSESAN TRANSAKSI DAN ERP.pptx
TINJUAN PEMROSESAN TRANSAKSI DAN ERP.pptxTINJUAN PEMROSESAN TRANSAKSI DAN ERP.pptx
TINJUAN PEMROSESAN TRANSAKSI DAN ERP.pptxDwiAyuSitiHartinah
 
Optimal Decision Making - Cost Reduction in Logistics
Optimal Decision Making - Cost Reduction in LogisticsOptimal Decision Making - Cost Reduction in Logistics
Optimal Decision Making - Cost Reduction in LogisticsThinkInnovation
 
Master's Thesis - Data Science - Presentation
Master's Thesis - Data Science - PresentationMaster's Thesis - Data Science - Presentation
Master's Thesis - Data Science - PresentationGiorgio Carbone
 
The Universal GTM - how we design GTM and dataLayer
The Universal GTM - how we design GTM and dataLayerThe Universal GTM - how we design GTM and dataLayer
The Universal GTM - how we design GTM and dataLayerPavel Šabatka
 
Virtuosoft SmartSync Product Introduction
Virtuosoft SmartSync Product IntroductionVirtuosoft SmartSync Product Introduction
Virtuosoft SmartSync Product Introductionsanjaymuralee1
 
ChistaDATA Real-Time DATA Analytics Infrastructure
ChistaDATA Real-Time DATA Analytics InfrastructureChistaDATA Real-Time DATA Analytics Infrastructure
ChistaDATA Real-Time DATA Analytics Infrastructuresonikadigital1
 
Rock Songs common codes and conventions.pptx
Rock Songs common codes and conventions.pptxRock Songs common codes and conventions.pptx
Rock Songs common codes and conventions.pptxFinatron037
 
Strategic CX: A Deep Dive into Voice of the Customer Insights for Clarity
Strategic CX: A Deep Dive into Voice of the Customer Insights for ClarityStrategic CX: A Deep Dive into Voice of the Customer Insights for Clarity
Strategic CX: A Deep Dive into Voice of the Customer Insights for ClarityAggregage
 
Persuasive E-commerce, Our Biased Brain @ Bikkeldag 2024
Persuasive E-commerce, Our Biased Brain @ Bikkeldag 2024Persuasive E-commerce, Our Biased Brain @ Bikkeldag 2024
Persuasive E-commerce, Our Biased Brain @ Bikkeldag 2024Guido X Jansen
 
CCS336-Cloud-Services-Management-Lecture-Notes-1.pptx
CCS336-Cloud-Services-Management-Lecture-Notes-1.pptxCCS336-Cloud-Services-Management-Lecture-Notes-1.pptx
CCS336-Cloud-Services-Management-Lecture-Notes-1.pptxdhiyaneswaranv1
 
CI, CD -Tools to integrate without manual intervention
CI, CD -Tools to integrate without manual interventionCI, CD -Tools to integrate without manual intervention
CI, CD -Tools to integrate without manual interventionajayrajaganeshkayala
 
Cash Is Still King: ATM market research '2023
Cash Is Still King: ATM market research '2023Cash Is Still King: ATM market research '2023
Cash Is Still King: ATM market research '2023Vladislav Solodkiy
 
How is Real-Time Analytics Different from Traditional OLAP?
How is Real-Time Analytics Different from Traditional OLAP?How is Real-Time Analytics Different from Traditional OLAP?
How is Real-Time Analytics Different from Traditional OLAP?sonikadigital1
 

Último (16)

Mapping the pubmed data under different suptopics using NLP.pptx
Mapping the pubmed data under different suptopics using NLP.pptxMapping the pubmed data under different suptopics using NLP.pptx
Mapping the pubmed data under different suptopics using NLP.pptx
 
Elements of language learning - an analysis of how different elements of lang...
Elements of language learning - an analysis of how different elements of lang...Elements of language learning - an analysis of how different elements of lang...
Elements of language learning - an analysis of how different elements of lang...
 
5 Ds to Define Data Archiving Best Practices
5 Ds to Define Data Archiving Best Practices5 Ds to Define Data Archiving Best Practices
5 Ds to Define Data Archiving Best Practices
 
TINJUAN PEMROSESAN TRANSAKSI DAN ERP.pptx
TINJUAN PEMROSESAN TRANSAKSI DAN ERP.pptxTINJUAN PEMROSESAN TRANSAKSI DAN ERP.pptx
TINJUAN PEMROSESAN TRANSAKSI DAN ERP.pptx
 
Optimal Decision Making - Cost Reduction in Logistics
Optimal Decision Making - Cost Reduction in LogisticsOptimal Decision Making - Cost Reduction in Logistics
Optimal Decision Making - Cost Reduction in Logistics
 
Master's Thesis - Data Science - Presentation
Master's Thesis - Data Science - PresentationMaster's Thesis - Data Science - Presentation
Master's Thesis - Data Science - Presentation
 
The Universal GTM - how we design GTM and dataLayer
The Universal GTM - how we design GTM and dataLayerThe Universal GTM - how we design GTM and dataLayer
The Universal GTM - how we design GTM and dataLayer
 
Virtuosoft SmartSync Product Introduction
Virtuosoft SmartSync Product IntroductionVirtuosoft SmartSync Product Introduction
Virtuosoft SmartSync Product Introduction
 
ChistaDATA Real-Time DATA Analytics Infrastructure
ChistaDATA Real-Time DATA Analytics InfrastructureChistaDATA Real-Time DATA Analytics Infrastructure
ChistaDATA Real-Time DATA Analytics Infrastructure
 
Rock Songs common codes and conventions.pptx
Rock Songs common codes and conventions.pptxRock Songs common codes and conventions.pptx
Rock Songs common codes and conventions.pptx
 
Strategic CX: A Deep Dive into Voice of the Customer Insights for Clarity
Strategic CX: A Deep Dive into Voice of the Customer Insights for ClarityStrategic CX: A Deep Dive into Voice of the Customer Insights for Clarity
Strategic CX: A Deep Dive into Voice of the Customer Insights for Clarity
 
Persuasive E-commerce, Our Biased Brain @ Bikkeldag 2024
Persuasive E-commerce, Our Biased Brain @ Bikkeldag 2024Persuasive E-commerce, Our Biased Brain @ Bikkeldag 2024
Persuasive E-commerce, Our Biased Brain @ Bikkeldag 2024
 
CCS336-Cloud-Services-Management-Lecture-Notes-1.pptx
CCS336-Cloud-Services-Management-Lecture-Notes-1.pptxCCS336-Cloud-Services-Management-Lecture-Notes-1.pptx
CCS336-Cloud-Services-Management-Lecture-Notes-1.pptx
 
CI, CD -Tools to integrate without manual intervention
CI, CD -Tools to integrate without manual interventionCI, CD -Tools to integrate without manual intervention
CI, CD -Tools to integrate without manual intervention
 
Cash Is Still King: ATM market research '2023
Cash Is Still King: ATM market research '2023Cash Is Still King: ATM market research '2023
Cash Is Still King: ATM market research '2023
 
How is Real-Time Analytics Different from Traditional OLAP?
How is Real-Time Analytics Different from Traditional OLAP?How is Real-Time Analytics Different from Traditional OLAP?
How is Real-Time Analytics Different from Traditional OLAP?
 

Security - intelligence - maturity-model-ciso-whitepaper

  • 1. Surfacing Critical Cyber Threats Through Security Intelligence A Reference Model for IT Security Practitioners By: Christopher Petersen CTO & Co-Founder of LogRhythm With a Foreword By: Robert Lentz Former CISO for the U.S. Department of Defense
  • 3. Surfacing Critical Cyber Threats Through Security Intelligence 1 LogRhythm IN MY 10 years as the CISO for the largest information enterprise in the world, the U.S. Department of Defense, we realized after numerous cyber incidents that leadership commitment was severely lacking and that victim organizations did not possess the tools, processes, staff, or mindset necessary to detect and respond to advanced intruders. Accordingly, we developed the Cyber Security Maturity Model to create a long term strategic commitment and an ability to measure tactical performance while institutionalizing a risk management culture. The significant and successful cyber events of 2014 might well prove to be the cyber tipping point, where businesses and governments together finally acknowledge the fragility of their enterprises, the grave threat to national and economic security, and the need for executive-level oversight. The LogRhythm Security Intelligence Maturity Model offers a compelling framework to help organizations advance in their journey to combat advanced cyber attacks while simultaneously restoring confidence in the Internet. Robert Lentz Former CISO for the U.S. Department of Defense “Harnessing the intelligence resident on your own network is absolutely essential in detecting today’s sophisticated threats. Unfortunately, too many organizations are leaving it on the cutting room floor.” COL John Burger USA (Ret) Chief, USCENTCOM Joint Cyber Center (2012-2014)
  • 4. Surfacing Critical Cyber Threats Through Security Intelligence 2 LogRhythm Introduction It’s almost quaint and more than a bit naive to look back on the days when an enterprise felt it could install a few firewalls and some anti-virus software and feel confident that the organization was well defended against cyber threats. Those days weren’t so long ago, but much has changed in a few short years. IT environments have become much more vulnerable as enterprise mobility, cloud services and “bring-your-own-everything” have broken down the defensible perimeter and added layers of complexity to securing the enterprise. At the same time, the nature of cyber threats has changed dramatically. Threat actors are well organized and well funded, and many of them are known to be supported by nation states. They have sophisticated technical skills which allow these actors to create custom malware for very specific targets, and they are relentless in pursuit of their objectives. Moreover, almost anyone with a malicious intent can purchase malware and rent botnets on the Dark Web, lowering the bar for criminal entities, nation states, and terrorists to use cyber as a weapon of choice towards their intended purpose. The reality today is that for most organizations, if a motivated adversary wants to penetrate their network, they will get in. Many organizations continue to focus their at- tention on identifying and blocking threats at the perimeter—or at least what’s left of it. Unfortu- nately, prevention-centric strategies are failing and have failed in some of the largest attacks that have made recent headlines. Attackers are known to conduct reconnaissance to find a weakness in the armor. Attempting to prevent attacks is still important, but organizations must acknowledge that attacks that are stealthy by nature can be crafted to get past the preventive measures. Cyber attacks now take place on an industrial scale. The 2015 Global State of Information Security Survey shows that the compound annual growth rate (CAGR) of detected security incidents has increased 66 percent year- over-year since 2009. (See Figure 1.) Survey respondents acknowledge detecting a total number of 42.8 million security incidents in 2014—an increase of 48 percent over incidents detected in 2013. That’s the equivalent of 117,339 incoming attacks per day, every day, and that’s only what has been detected and reported.1 One cyber security company recently estimated that as many as 71 percent of compromises go undetected.2 Figure 1: The number of detected incidents keeps growing year after year 3.4 MILLION 2009 9.4 MILLION 2010 22.7 MILLION 2011 24.9 MILLION 2012 28.9 MILLION 2013 42.8 MILLION 2014 TOTAL NUMBER OF DETECTED INCIDENTS SECURITY INCIDENTS GROW 66% CAGR Source: PwC, The Global State of Information Security Survey 2015 In a relatively short time span, cyber security has become a major concern for government agencies, military branches, companies across every industry, financial institutions, law enforcement, and many regulators. The World Economic Forum says the theft of information and the intentional disruption of online or digital 1 PwC, The Global State of Information Security Survey 2015, www.pwc.com/gsiss2015 2 Trustwave Holdings, 2014 Trustwave Global Security Report, May 2014
  • 5. Surfacing Critical Cyber Threats Through Security Intelligence 3 LogRhythm processes are among the leading business risks that organizations face today. Research by BAE Systems confirms that notion: more than half of U.S. companies now regard the threat from cyber attacks as one of their top three business risks.3 The reality today is that for most organizations, if a motivated adversary wants to penetrate their network, they will get in. Practically speaking, organizations have to adopt the mindset of “If we are not compromised right now, we could be at any moment.” They must work under the assumption that the network is untrusted and is already or soon to be compromised. A fundamental shift is beginning to take place in terms of the overall approach enterprises now have toward delivering cyber security to the organization. Given the notion that the computing environment might already be compromised, CISOs are directing a shift of processes and priorities toward detecting when those compromises occur and responding to them as quickly as possible. They know they can’t spend all of their resources trying to build and maintain a seemingly impenetrable fortress that is now recognized as something that is painfully impossible to have. Analyst firms are strongly advocating a rebalancing of the cyber security budget, shifting some funds from pure prevention to detection and response. Neil MacDonald, vice president, distinguished analyst and Gartner fellow emeritus at Gartner Inc., wrote, “In 2020, enterprise systems will be in a state of continuous compromise. They will be unable to prevent advanced targeted attacks from gaining a foothold on their systems. Unfortunately, most enterprise information security spending to date has focused on prevention, in a misguided attempt to prevent all attacks.” He adds, “We believe the majority of information security spending will shift to support rapid detection and response capabilities, which are subsequently linked to protection systems to block further spread of the attack.” MacDonald’s report includes a key recommendation: “Invest in your incident response capabilities. Define and staff a process to quickly understand the scope and impact of a detected breach.”4 In 2020, enterprise systems will be in a state of continuous compromise. They will be unable to prevent advanced targeted attacks from gaining a foothold on their systems. This is not to suggest that threat prevention itself is obsolete. On the contrary, organizations should continue to buttress the network fortress to protect the IT infrastructure and the assets within, but they should also accept that those walls will eventually be scaled by the cyber equivalent of a marauder. The sooner the intruder can be detected and a response initiated, the less likely it is that the mission of the attack will be successful. Above all, organizations don’t want the attacker to actually get to the data and exfiltrate it before they even know he is there. 3 BAE Systems, Business and the Cyber Threat: The Rise of Digital Criminality, February 2014 4 Neil MacDonald, Gartner, Inc., Prevention is Futile in 2020: Protect Information Via Pervasive Monitoring and Collective Intelli- gence, 30 May 2013
  • 6. Surfacing Critical Cyber Threats Through Security Intelligence 4 LogRhythm A Time of Great Risk: The Time Between Compromise and Mitigation In most organizations today, threat detection is based on various security sensors that attempt to look for anomalous behavior or for known signatures of malicious activity. These sensors include firewalls, intrusion detection/prevention systems (IDS/IPS), application gateways, anti- virus/anti-malware, endpoint protection, and more. They operate at and provide visibility into all layers of the IT stack. These security sensors provide a continuous stream of threat-related events. In enterprise organizations, the stream might be better described as a fire hose that serves events at the rate of thousands or tens of thousands per hour. This intense stream of threat data effectively blinds a security team in a fog of noise. The team has so much to deal with that it can’t identify the threats that really matter – let alone respond to them – in a timely manner. Two key metrics for measuring the effectiveness of an organization’s security capabilities are its Mean-Time-to-Detect™ (MTTD™) and its Mean- Time-to-Respond™ (MTTR™). The MTTD is the average amount of time it takes an organization to identify those threats that could potentially impact the organization—the ones that present an actual risk and which require further analysis and response efforts. The MTTR is the average amount of time it takes an organization to fully analyze the threat and mitigate any risk presented. Unfortunately, many organizations operate in a mode where MTTD and MTTR would be measured in weeks or months. Enterprises whose networks have been compromised are at high risk during this time. If they are seeking to reduce their cyber security risk, they should minimally move these metrics into hours and days, and ideally to hours and minutes. Figure 2: The impact of a breach is directly related to MTTD and MTTR RISK OF BREACH MTTDTM */MTTRTM * DEVASTATING AVOIDED 2015 YEARSMONTHSWEEKSDAYSMINUTESHOURS The average time it takes to recognize a threat requiring further analysis and response efforts The average time it takes to respond and ultimately resolve the incident *MEAN-TIME-TO-DETECT (MTTD) *MEAN-TIME-TO-RESPOND (MTTR) The more time spent detecting and responding to a threat, the greater the risk of breach
  • 7. Surfacing Critical Cyber Threats Through Security Intelligence 5 LogRhythm Research data from Trustwave illustrates the problem. The company looked at evidence gathered from 691 data breach investigations spread across industries and the world. Trustwave learned that 71 percent of compromise victims did not detect the breach themselves. Financial institutions, law enforcement agencies and other third parties are often the first to suspect that a company has experienced a security incident. In the breaches in this particular study, the MTTD was 87 days – nearly three full months – and the MTTR was a week. According to Trustwave, self-detection of a threat can shorten the timeline from detection to containment from 14 days down to one.5 The Security Intelligence Imperative The way to bring visibility to the most important threats while clearing the fog of noise is with Security Intelligence (SI). Just as Business Intelligence has helped numerous organizations clear the fog of too many points of seemingly extraneous business data to find previously unknown business opportunities, Security Intelligence does much the same thing with threat information, enabling companies to clearly see the threats that matter. The main objective of Security Intelligence is to deliver the right information, at the right time, with the appropriate context, to significantly decrease the amount of time it takes to detect and respond to damaging cyber threats; in other words, to significantly improve an organization’s MTTD and MTTR. The main objective of Security Intelligence is to deliver the right information, at the right time, with the appropriate context, to significantly decrease the amount of time it takes to detect and respond to damaging cyber threats There’s no standard definition for Security Intelligence; it means different things to different companies. This composite definition helps to get us on the same page. Security Intelligence is the ability to capture, correlate, visualize, and analyze forensic data in order to develop actionable insight to detect and mitigate threats that pose real harm to the organization, and to build a more proactive defense for the future. Users of Security Intelligence will shorten their Mean-Time-to- Detect and Mean-Time-to-Respond, extend the value of current security tools, and discover previously unseen threats through advanced machine analytics. When threats are identified, whether via an enterprise’s vast array of sensors or through machine analytics, the role of Security Intelligence is to deliver actionable insight into potentially damaging threats, with supporting forensic data and contextually rich intelligence. Security teams must be able to quickly evaluate threats to determine the level of risk as well as whether an incident has occurred. Ensuring that analysts have as much information as possible to make good decisions critically enables their efficiency and decision support processes. Let’s take a deeper dive into the key sub- processes that support the full threat detection and response process. An effective Security Intelligence platform ideally enables a streamlined workflow across each of the processes, delivering automation wherever possible. If an organization can optimize its efficiency in performing these critical steps in the detect/respond cycle, it can reduce its MTTD and MTTR and, more importantly, reduce its exposure to risk. 5 Trustwave Holdings, 2014 Trustwave Global Security Report, May 2014
  • 8. Surfacing Critical Cyber Threats Through Security Intelligence 6 LogRhythm The End-to-End Threat Detection and Response Lifecycle™ Organizations that strive to seek reductions in MTTD and MTTR must optimize the end-to- end threat detection and response lifecycle. At each stage of the process, and in between, inefficiencies can exist that can dramatically impede an organization’s overall effectiveness. However, organizations that are able to optimize the effectiveness of their security operations processes across each stage can realize profound improvements in MTTD and MTTR. Threat detection typically begins the moment a threat is evidenced in forensic data. While it is true, threats can be identified before they become active, few organizations have the proactive threat intelligence and analysis capabilities to detect threats before they have begun to engage with the target environment. When a threat engages with the target environment, evidence will be left behind. This evidence will exist in forensic data that is collected or generated across the environment. The threat also may be detected by other security sensors. However, for most organizations, evidence of these threats gets lost in the noise. Separating the signal from the noise is the first step of the end-to-end threat detection and response process. The response cycle begins the second a threat has been qualified as one that could present risk and requires further investigation. The cycle ends after a full investigation has been performed, and if the threat resulted in an incident, any risk to the organization has been mitigated. Organizations must collapse this response cycle from months to minutes if they are to avoid a damaging breach. Security Intelligence is the single largest enabler of collapsing this response cycle via: • Centralized, full spectrum visibility around the threat and associated incident, delivered via powerful analytic tools • Integrated workflows and collaboration capabilities that expedite the analysis and response process • Automation in support of incident response processes and the deployment of countermeasures Let’s look at each of these process steps and what they entail. Figure 3: The end-to-end threat detection and response lifecycle TIME TO DETECT TIME TO RESPOND UNIFIED SECURITY INTELLIGENCE PLATFORM RECOVER Fully eradicate, clean up, report, review, and adapt. MITIGATE Implement countermeasures and controls that mitigate risk presented by the threat. INVESTIGATE Fully analyze the threat and associated risk, determine if an incident has or is occurring. FORENSIC DATA Captured Log & Machine Data Generated Forensic Sensor Data Event Data QUALIFY Assess threat and determine if it may pose risk and whether a full investigation is required. DISCOVER User Analytics Machine Analytics
  • 9. Surfacing Critical Cyber Threats Through Security Intelligence 7 LogRhythm Discover As the first step in detection, discovery is the process of identifying those threats that could present risk; for example, seeing web traffic coming from a country the organization normally doesn’t do business with. The traffic could be communication from a new international customer, or it could be attack traffic from a hacker in another country. At this stage, it’s unknown whether it represents a threat or not. The discovery process requires extracting those threats that require further analysis from the mass of forensic data. There are two principal types of analytics performed in support of discovering threats: user analytics and machine analytics. User analytics are “person-based.” That is, it’s the work of individuals who are monitoring dashboards; manually evaluating trends, patterns and behaviors; and actively hunting for threats within the environment. This form of analytics scales based on the number of trained security staff an organization can afford to employ. As the name implies, machine analytics are “machine-based.” This form of analytics is delivered via software where captured forensic and event data is continuously monitored and analyzed. The primary function of machine analytics is twofold: first to detect threats that can only be seen via sophisticated analytic techniques, and second to prioritize threats detected by other technologies. Qualify Still part of the detection process, qualification is a critical step and involves further analyzing a threat to determine if it could present risk. When qualification is done well, threats representing risk are quickly identified as requiring additional analysis or response efforts. When qualification is done poorly, actual threats are missed, or teams spend the majority of their time chasing false positives. The outcome of the qualification step is determining whether the discovered threat is a false positive; doesn’t present risk and can be ignored; or likely presents risk and should be further investigated. Investigate If the outcome of the qualification process determines that a threat likely presents risk, the security team moves into the response process. It begins with conducting a deep investigation to understand the risk presented by the threat, and determining if an incident exists; in other words, if something bad has actually happened or is in the process of happening. The outcome of the investigation step is to conclusively determine whether the threat presents risk, if an incident has occurred, and if so, to initiate mitigation efforts. Mitigate By now it has been determined that there is a threat that presents real risk to the organization, and something must be done to reduce or eliminate that risk. The mitigation step is highly dependent on having sufficient knowledge about the root cause and impact of the threat as well as the knowledge and skills to do something about it. It is a time-sensitive step where security practitioners will benefit greatly by having an integrated and centralized view into all threat related activities, as well as streamlined cross-organizational collaboration capabilities, knowledge bases, and automated responses. Recover This final step could be considered “cleaning up the mess.” Recovery involves performing post- mitigation efforts such as fully eradicating the threat from the environment, cleaning up any damage done, performing any required incident/ breach notifications, and performing root cause analysis to learn from the incident in order to prevent it from happening again. How MTTD and MTTR are Calculated Looking at the five process steps – Discover, Qualify, Investigate, Mitigate, and Recover – it’s easy to calculate the critical metrics of MTTD and MTTR. MTTD is calculated as the time from when the threat was first evidenced (collected) in the environment to when it’s discovered, plus the time between discovering the threat to determining its efficacy or dismissing it.
  • 10. Surfacing Critical Cyber Threats Through Security Intelligence 8 LogRhythm MTTR is calculated as the time from when a threat was qualified to when it was conclusively determined to present risk or it was dismissed, plus the time it took to mitigate the risk presented by the threat to an acceptable level. The recovery stage, as defined above, isn’t included in the MTTR metric. The critical measurement of response is considered to be the time it takes to determine risk exists and implement mitigations. The time required to implement full recovery procedures, while important, is a less critical metric in terms of understanding the overall effectiveness of the security operation towards achieving the most meaningful risk reduction. The LogRhythm Security Intelligence Maturity Model™ (SIMM™) Cyber security is a journey, not a destination. It takes time and resources to mature any significant organizational capability, and achieving significant reductions in MTTD and MTTR is no different. However, for organizations determined to reduce their cyber security risk posture, it is a capability that must be invested in. Security Intelligence is the single most effective investment toward achieving reduced MTTD and MTTR. Security Intelligence is the single most effective investment toward achieving reduced MTTD and MTTR. The LogRhythm Security Intelligence Maturity Model (SIMM) is designed to help organizations assess their current Security Intelligence capability and associated risk posture. This model also provides organizations a roadmap forward as they seek to continue improving their posture over time. The model is focused on building and maturing an organization’s detection and response capabilities as opposed to simply implementing more individual security products. However, technology-based solutions play a critical role in supporting and enabling the various stages of the process outlined above. Ideally the capabilities are delivered via an integrated and unified platform that supports the end-to-end threat detection and response process. The critical capabilities that a Security Intelligence platform must deliver toward the goal of becoming impervious to cyber threats are: • Provide centralized, real-time acquisition of all forensic log and machine data generated across the complete IT environment • Provide sensors that constantly, or on demand, acquire additional forensic data from endpoints, servers, and networks, holistically or targeted to areas of highest risk • Uniformly process all acquired data into a highly classified and contextualized form, unlocking the intelligence contained in machine data and optimally preparing for downstream analytics • Deliver state-of-the art machine-based analytics that can continuously and automatically surface risks and advanced threats via: – Access to 100 percent of acquired forensic data – Application of hybrid analytics techniques from correlation to behavioral modeling to machine learning – Intelligent prioritization of threats via contextual, risk based corroboration • Deliver real-time visibility into highest risk incidents requiring further investigation and ongoing management by incident responders • Deliver powerful search-based analytic tools that provide responders a 360-degree view around incidents via centralized access to forensic data in both raw and a fully contextualized form
  • 11. Surfacing Critical Cyber Threats Through Security Intelligence 9 LogRhythm • Deliver optimally orchestrated and automated incident response capabilities via intelligence driven, highly integrated workflows • Deliver dashboards and reports that provide upper management key indicators of risk and active incidents within the environment The LogRhythm Security Intelligence Maturity Model, fully detailed in the upcoming table, is comprised of multiple levels, beginning with Level 0 where there are essentially no SI capabilities and the organization is quite exposed to risk, and progressing to Level 4, with full SI capabilities that support an extremely resilient and highly efficient security posture. As an organization progresses up the maturity model, its MTTD and MTTR and the associated timeframe of greatest risk grow smaller as illustrated in Figure 4. Figure 4: MTTD and MTTD shrink as Security Intelligence capabilities grow more mature LEVEL OF SECURITY INTELLIGENCE MATURITY LENGTHOFTIMETODETECT& RESPONDTOSECURITYBREACH LEVEL 0 LEVEL 1 LEVEL 2 LEVEL 3 LEVEL 4 2015 YEARSMONTHSWEEKSDAYSMINUTES EXPOSED TO THREATS RESILIENT TO THREATS Greater threat resiliency is achieved at higher levels of security intelligence maturity MTTDTM MTTRTM HOURS
  • 12. Surfacing Critical Cyber Threats Through Security Intelligence 10 LogRhythm The LogRhythm SIMM (see enclosed table) illustrates how increasing and maturing SI capabilities reduce an organization’s risk posture. Matrix Security Intelligence Maturity Model™ MTTD MTTR LEVEL 1 MINIMALLY COMPLIANT WEEKS MONTHS WEEKS • Often have a compliance mandate driving investment or alternatively have identified a specific area of their environ- ment to better protect • Compliance risks identified via report review, although risk exists if reports not reviewed and processes don’t exist for managing compliance violations • Improved visibility into threats targeting the protected domain, but still lack the people and processes to effectively evaluate and prioritize threats • No formal incident response process, still comes down to individual “heroic” efforts. However, better enabled to respond to incidents affecting the protected environment • Significantly reduced compliance risk, however, depends on the depth of audit • Blind to most insider threats • Blind to most external threats • Blind to APTs • If have IP of interest to nation-states or cyber criminals, likely stolen • Targeted Log Management and SIEM • Targeted Server Forensics (e.g., File Integrity Monitoring) • Minimal, mandated, compliance oriented monitoring & response. MTTD MTTR LEVEL 2 SECURELY COMPLIANT • Want to move beyond the minimal “check box” compliance approach, seeking efficiencies and improved assurance • Have recognized are effectively blind to most threats and want to see a material improvement towards detecting and respond- ing to potential high impact threats, focused on areas of highest risk • Have established formal processes and assigned responsibilities for monitoring high risk alarms • Have established basic, yet formal processes for responding to incidents • Extremely resilient and highly efficient compliance posture • Seeing insider threats • Seeing external threats • Still mostly blind to APTs, but more likely to detect indicators and evidence of • Much more resilient to cyber criminals, but still vulnerable to those leveraging APT type capabilities • Still highly vulnerable to nation-states • Holistic Log Management • Broader, Risk Aligned Server Forensics • Targeted environmental risk characterization • Targeted Vulnerability Intelligence • Targeted Threat Intelligence • Targeted Machine Analytics • Some monitoring and response processes established. DAYSHOURS OR DAYSHOURS OR • Prevention oriented mindset. Have firewalls, A/V, etc. • Isolated logging based on technology and functional silos, but no central logging visibility • Indicators of threat and compromise exist, but nobody is looking and/or they are lost in the noise • No formal incident response process, comes down to individual “heroic efforts" • Compliance risk • Blind to insider threats • Blind to external threats • Blind to APTs • If have IP of interest to nation-states or cyber criminals, likely stolen" • None MTTD MTTR LEVEL 0 BLIND MONTHS WEEKS MONTHS OR OR SECURITY INTELLIGENCE CAPABILITIES ORGANIZATIONAL CHARACTERISTICS RISK CHARACTERISTICS Continued on page 11
  • 13. Surfacing Critical Cyber Threats Through Security Intelligence 11 LogRhythm Matrix Security Intelligence Maturity Model continued • Have recognized are still blind to many high impact threats that could cause material harm to the organization • Have invested in the organizational processes and required people to significantly improve ability to detect and respond to all classes of threats • Have invested in and established a formal security operations and incident response capability that is running effectively with trained staff • Have begun to automate incident response processes and countermeasures • Are actively hunting for risk in the environment via dashboards and search • Extremely resilient and highly efficient compliance posture • Seeing and quickly responding to insider threats • Seeing and quickly responding to external threats • Seeing evidence of APTs early in their lifecycle but may have trouble attributing activity to an actor/intent • Very resilient to cyber criminals, even those leveraging APT type capabilities • Still vulnerable to nation-states, but can reactively defend against • Holistic Server Forensics • Targeted Network Forensics • Targeted Endpoint Forensics • Multi-vector, commercial grade, Threat Intelligence • Holistic Vulnerability Intelligence • Targeted Behavioral Analytics • Fully established and mature monitoring and response processes • Functional SOC established • Targeted IR Orchestration and Automated Response MTTD MTTR HOURS HOURS LEVEL 3 VIGILANT • Are a high value target for nation-states, cyber terrorists, and organized crime • Are continuously being attacked across all possible vectors: physical, logical, social • A disruption of service or breach is intolerable and represents organizational failure of the highest level • Take a proactive stance towards threat management, and security in general • Invest in best-in-class people, technology, and processes • Have eyes on the data, eyes towards emerging threats, 24/7 • Have automated response processes and countermeasures wherever possible • Extremely resilient and highly efficient compliance posture • Seeing and quickly responding to all classes of threats • Seeing evidence of APTs early in their lifecycle and able to manage their activities • Can withstand and defend against the most extreme nation-state level adversary • Holistic Network, Server and Endpoint Forensics • Holistic environmental risk characterization • Holistic, Multi-Vector Machine Analytics • Proactive Threat Intelligence • Proactive Vulnerability Intelligence • Holistic IR Orchestration and Automated Response • Functional 24 x 7 SOC • Cyber Range Practice MTTD MTTR LEVEL 4 RESILIENT MINUTES MINUTES SECURITY INTELLIGENCE CAPABILITIES ORGANIZATIONAL CHARACTERISTICS RISK CHARACTERISTICS
  • 14. Surfacing Critical Cyber Threats Through Security Intelligence 12 LogRhythm The LogRhythm Unified Platform Approach LogRhythm’s unified platform approach (Figure 5) ensures that all the aforementioned critical capabilities of Security Intelligence are delivered via an integrated product suite, where all components are designed to elegantly and efficiently work as a whole. For organizations seeking ideal MTTD and MTTR, this is critical. While the full suite of capabilities will be leveraged by organizations seeking to reach higher levels of maturity, customers starting their journey toward SI maturity can start with specific products and build on their investment over time. Figure 5: The LogRhythm Security Intelligence Product Suite LOG MANAGEMENT SECURITY ANALYTICS SIEM NETWORK FORENSICS SERVER FORENSICS ENDPOINT FORENSICS The Principal Benefits of LogRhythm’s Unified Approach The Principal Benefits of LogRhythm’s Unified Approach LogRhythm’s unified SI approach delivers organizations the technology foundation to realize a highly efficient security operation across all stages of the detection and response process. Only a unified approach ensures that information, people, and processes are ideally aligned toward the objective of reducing MTTD and MTTR. Following are some of the key principal benefits realized via this approach: Comprehensive Big Data Analytics When deployed, LogRhythm has incredible visibility across the IT environment from a data acquisition standpoint. This visibility is leveraged via Security Analytics capabilities to conclusively detect threats via big data analytics approaches. Security Analytics delivered outside an integrated architecture approach introduces complexity, latency and increased cost of ownership. These issues often result in data gaps. LogRhythm has taken an integrated approach to ensure the Security Analytics capability has optimal access to all acquired forensic data, in real-time, with lowest cost of ownership possible. Holistic Contextual Analytics Context is critical in support of effective analytics and incident response efforts. Security Information and Event Management (SIEM) traditionally provides a rich store of environmental context such as host and network risk ratings, lists of privileged user accounts, known vulnerabilities, etc. This context is critical when trying to effectively surface and qualify threats requiring highest attention. LogRhythm’s integrated approach ensures context is configured once and maintained everywhere. This greatly helps ensure more accurate analytics and swifter incident response efforts, while reducing ongoing total cost of ownership. Globally Prioritized Threat Management Detecting threats is the easy part; discovering those that matter is the hard part. Security teams need a consolidated view of threats across their global landscape. Additionally, threats must be intelligently prioritized so end-user analysis cycles are spent effectively. LogRhythm’s comprehensive big data analytics, combined with holistic context, allows the system to not only detect a unique class of threats, but to prioritize those that are detected by LogRhythm and other technologies, all in a consolidated global view. This is imperative to achieving low MTTD and is critically enabled via LogRhythm’s unified platform approach.
  • 15. Surfacing Critical Cyber Threats Through Security Intelligence 13 LogRhythm Streamlined Incident Response When threats are discovered, the clock begins ticking. How fast incident responders can access relevant forensic data and context critically impacts the amount of time required to investigate each threat. As threats are investigated, a subset will be identified as incidents requiring a full response. LogRhythm’s unified approach ensures that forensic data associated with an incident is readily and immediately available to responders and automatic response capabilities. When forensic data is tightly coupled with the system responsible for orchestrating and automating incident response, response times are exponentially more efficient—especially when cross organizational workflow is required. To the contrary, when forensic data is decoupled, automatic responses become constrained, and incident responders have to scramble and hunt through disjointed disparate systems. Cross- organizational collaboration becomes manual and slow. All the while, the clock continues to tick. Conclusion As organizations evolve their Security Intelligence maturity, the realized reduction in MTTD and MTTR significantly reduces the risk of experiencing a damaging cyber incident. Of course, each organization needs to assess for itself the appropriate level of maturity based on its own risk tolerances. As organizations evolve their Security Intelligence maturity, the realized reduction in MTTD and MTTR signifi- cantly reduces the risk of experienc- ing a damaging cyber incident. Fortunately, organizations with limited budget and higher risk tolerances can achieve significant improvements in capability by moving towards a Level 2 posture. For organizations with more cyber security resources and much lower risk tolerances, moving towards Level 3 or even Level 4 might be appropriate. LogRhythm’s unified platform approach and flexible product architecture allow an organization to adopt and mature capabilities over time, comfortable in the fact that subsequent investments will build on previous steps along the maturity model. LogRhthym’s goal is to ensure that enterprises have a partner able to provide the integrated technology building blocks, and associated services, to most effectively and efficiently realize their Security Intelligence objectives so they can best protect themselves from damaging cyber threats. About LogRhythm LogRhythm, the leader in security intelligence and analytics, empowers organizations around the globe to rapidly detect, respond to and neutralize damaging cyber threats. The company’s patented and award-winning platform uniquely unifies next-generation SIEM, log management, network and endpoint forensics, and advanced security analytics. In addition to protecting customers from the risks associated with cyber threats, LogRhythm provides unparalleled compliance automation and assurance, and enhanced IT intelligence. LogRhythm is consistently recognized as a market leader. The company has been positioned as a Leader in Gartner’s SIEM Magic Quadrant report for three consecutive years, named a “Champion” in Info-Tech Research Group’s 2014- 15 SIEM Vendor Landscape report and ranked Best-in-Class (No. 1) in DCIG’s 2014-15 SIEM Appliance Buyer’s Guide. In addition, LogRhythm has received Frost & Sullivan’s SIEM Global Market Penetration Leadership Award and been named a Top Workplace by the Denver Post. To download or forward the complement to this paper, The Cyber Threat Risk – Oversight Guidance for CEOs and Boards, go to: www.logrhythm.comSIMM-CEO.
  • 16. LR_SIMM_CISO_01.15 © 2015 LogRhythm, Inc. All trademarks, service marks and trade names referenced in this material are the property of their respective owners.