Learn how to gain complete visibility to identify and investigate attacks, detect and analyze advanced attacks before they affect the business, and manage the most important incidents, by combining logs with other types of data such as network traffic, endpoint information and cloud data.
DETECT AND INVESTIGATE ADVANCED THREATS
I'M STILL WORKING FROM HOME
Christian.Ramos@rsa.com
Senior System Engineer Bolivia, Ecuador & Perú
Internal Use - Confidential
MANAGING DIGITAL RISK AMID DISRUPTION
Accelerate threat detection and response from the endpoint to the cloud
For Security Digital Transformation
Sonia.Cordova@rsa.com - Territory Manager NOLA
Gabriela.Valdivia@rsa.com - Sr SecurID Account Manager
MaryPaz.Castillo@rsa.com - Channels Mexico, CA, Caribe & NOLA
Christian.Ramos@rsa.com - Senior System Engineer Bolivia, Ecuador & Perú
DIGITAL TRANSFORMATION
SUSTAINABILITY. GROWTH. EFFICIENCY.
Objective: add value to every component of the business process, in a way that is consistent with the overall strategy.
Digital Transformation
The four trends:
• "Mobile devices are not just one more platform; they are the first one."
• The Cloud. "We are going to be able to define all of our infrastructure in software."
• Social. "The business wants to become part of the user's life, and that affects us."
• Big data. "On the IAM side we don't know what to do, because defining access controls is going to be complicated. That is why there has to be some different kind of management."
SUPPLY CHAIN / SECURITY / OPERATIONS / WORKFORCE
DISRUPTION
IoT
Robotics
Vulnerabilities
Phishing
Privacy
GDPR
Cloud
SECURITY / OPERATIONS / WORKFORCE / SUPPLY CHAIN
DISRUPTION: CONTAIN - ADAPT - ASSESS - SUSTAIN
Address compliance changes
Manage risk assessments
Address heightened threats
Address cloud threats
Manage vendor ecosystem (who, what, where, why)
Manage continuity efforts
Manage vendor disruption (supply chain continuity)
Manage identity threats
Expand remote workforce securely
Ensure proper data access
MANAGE PROCESS AUTOMATION RISK
MITIGATE CYBER ATTACK RISK
BUILD BUSINESS RESILIENCY
SECURE YOUR CLOUD TRANSFORMATION
EVOLVE DATA GOVERNANCE & PRIVACY
MANAGE THIRD PARTY RISK
MANAGE DYNAMIC WORKFORCE RISK
MODERNIZE YOUR COMPLIANCE PROGRAM
DIGITAL TRANSFORMATION
VISIBILITY - ACTION - INSIGHT
DIGITAL RISK MANAGEMENT
RISK MANAGEMENT
IT SECURITY
Understand & Respond to Cyber-Threats
Evolve Security & Risk
Manage Complex Regulatory Landscape
MANAGE DYNAMIC WORKFORCE RISK
MANAGE PROCESS AUTOMATION RISK
SECURE YOUR CLOUD TRANSFORMATION
MODERNIZE YOUR COMPLIANCE PROGRAM
BUILD BUSINESS RESILIENCY
MANAGE THIRD PARTY RISK
EVOLVE DATA GOVERNANCE & PRIVACY
MITIGATE CYBER ATTACK RISK
DIGITAL RISK MANAGEMENT
RSA PORTFOLIO
Single, Unified Solution To Detect And Respond To Evolving Threats
NetWitness Logs
NetWitness Network
NetWitness Endpoint
NetWitness Cyber Incident and Breach Response
NetWitness User and Entity Behavior Analytics
NetWitness Orchestrator
Accelerate Business While You Mitigate Identity Risk
SecurID – Authentication Manager
SecurID Access – MFA
Identity Governance & Lifecycle
Centralized Cross Channel Fraud For Unified Detection And Mitigation
FraudAction
Adaptive Authentication
Adaptive Authentication for Ecommerce
Proven Business Risk Management Suite To Confidently
IT Security & Risk
Enterprise & Operational Risk
3rd Party Governance
Business Resiliency
Public Sector
Audit Management
Regulatory & Corporate Compliance
WHAT IS YOUR MANTRA IN IT SECURITY?
ATTACKERS TAKE ADVANTAGE OF CHALLENGES TO TURN COMPROMISES INTO BREACHES
Timeline: Minutes - Hours - Days - Weeks - Months
Compromised in MINUTES: 82%
Exfiltration occurred in DAYS: 99%
Discovered in MONTHS: 64%
Spear Phishing Attack -> Malware Installed (Initial Compromise) -> Communicate to External Server (C2) -> Lateral Movement -> Discover Critical Assets -> Data Exfiltration (Breach) -> Breach Detected (3rd Party Detection)
TRADITIONAL METHODS WON’T PROTECT YOU
“Traditional defense-in-depth components are still necessary, but are no longer sufficient in protecting against advanced targeted attacks and advanced malware” – Gartner
Source: Gartner’s “Five Styles of Advanced Threat Defense”
Style 1: Network Traffic Analysis
Style 2: Network Forensics
Style 3: Payload Analysis
Style 4: Endpoint Behavior Analysis
Style 5: Endpoint Forensics
Where to look: Network / Payload / Endpoint, over Time
Tool categories: SIEM; NBA - NTA - NFA; EDR
METADATA
It’s the story behind the data
x.x.x.x 10.0.0.1 TCP/80
10.0.0.1 y.y.y.y UDP/53
China
Web Server
Tor Node
HTTP Post, no Get
Base64 Encoded Payload
Encrypted Zip File
Apache runs PowerShell
Command line with Zip Password
Payload is FTP
Logs, Threat Intel, Network, Endpoint
In a single interface, at capture time
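The slide lists the kind of metadata an analyst wants attached to a raw session at capture time (country, Tor node, POST without GET, base64 payload, encrypted ZIP, a web server spawning PowerShell). The following is an added example, not RSA NetWitness code, of how such tags can be derived from one session record plus its endpoint context. The GeoIP and Tor tables, the session records and the command-line rule are all constructed for the example; addresses come from the RFC 5737 documentation ranges.

```python
"""Added example (not RSA NetWitness code): derive story tags from raw sessions."""
import base64
import binascii
import re
import struct
from dataclasses import dataclass, field
from typing import List

# Constructed lookups standing in for GeoIP and threat-intel feeds (assumption:
# a real deployment queries live feeds; addresses are RFC 5737 documentation ranges).
GEOIP = {"203.0.113.9": "China"}
TOR_NODES = {"198.51.100.7"}

B64_RE = re.compile(rb"^[A-Za-z0-9+/]{16,}={0,2}$")
# Hypothetical rule: an archiver password passed on the command line (zip -P / 7z -p).
ZIP_PASSWORD_RE = re.compile(r"(?:\bzip\b.*\s-P\s+\S+|\b7z\b.*\s-p\S+)")
FTP_CMD_RE = re.compile(rb"^(USER|PASS|STOR|RETR|PORT|PASV)\s", re.I)


@dataclass
class Session:
    src: str
    dst: str
    proto: str
    port: int
    http_methods: List[str] = field(default_factory=list)
    payload: bytes = b""
    process: str = ""   # endpoint view: process that handled the connection
    cmdline: str = ""   # endpoint view: command line of a child it spawned


def decode_base64(data: bytes):
    """Return the decoded bytes if data is one well-formed base64 blob, else None."""
    data = data.strip()
    if not B64_RE.match(data):
        return None
    try:
        return base64.b64decode(data, validate=True)
    except binascii.Error:
        return None


def zip_is_encrypted(data: bytes) -> bool:
    """ZIP local file header: signature PK\\x03\\x04, general-purpose flags at
    offset 6; bit 0 set means the entry is encrypted."""
    if len(data) < 8 or not data.startswith(b"PK\x03\x04"):
        return False
    flags = struct.unpack_from("<H", data, 6)[0]
    return bool(flags & 0x0001)


def enrich(s: Session) -> List[str]:
    """Turn one raw session plus its endpoint context into story tags."""
    tags = []
    for label, ip in (("src", s.src), ("dst", s.dst)):
        if ip in GEOIP:
            tags.append(f"{label}_country:{GEOIP[ip]}")
        if ip in TOR_NODES:
            tags.append(f"{label}:tor_node")
    if (s.proto, s.port) == ("TCP", 80):
        tags.append("service:web")
    elif (s.proto, s.port) == ("UDP", 53):
        tags.append("service:dns")
    if "POST" in s.http_methods and "GET" not in s.http_methods:
        tags.append("http:post_no_get")   # upload-only client, unlike a browser
    body = s.payload
    decoded = decode_base64(body)
    if decoded is not None:
        tags.append("payload:base64")
        body = decoded                    # inspect what the encoding was hiding
    if zip_is_encrypted(body):
        tags.append("payload:encrypted_zip")
    if FTP_CMD_RE.match(body):
        tags.append("payload:ftp_commands")
    if s.process in ("httpd", "apache2") and "powershell" in s.cmdline.lower():
        tags.append("endpoint:apache_spawns_powershell")
    if ZIP_PASSWORD_RE.search(s.cmdline):
        tags.append("endpoint:zip_password_on_cmdline")
    return tags


# Constructed sample: an encrypted ZIP local header, base64-encoded and POSTed to
# the web server, whose Apache process then runs PowerShell with a zip password.
ENCRYPTED_ZIP = b"PK\x03\x04" + struct.pack("<HH", 20, 0x0001) + b"\x00" * 16
SAMPLE_SESSIONS = [
    Session("203.0.113.9", "10.0.0.1", "TCP", 80, ["POST"], base64.b64encode(ENCRYPTED_ZIP),
            process="httpd", cmdline='powershell.exe -c "zip -P s3cret out.zip data.txt"'),
    Session("10.0.0.1", "198.51.100.7", "UDP", 53, [], b"USER anonymous\r\nPASS x\r\n"),
]


def tell_story(sessions: List[Session]) -> dict:
    """Map each flow (as the slide writes it) to the tags derived for it."""
    return {f"{s.src}->{s.dst} {s.proto}/{s.port}": enrich(s) for s in sessions}


if __name__ == "__main__":
    for flow, tags in tell_story(SAMPLE_SESSIONS).items():
        print(flow, tags)
```

Each tag is computed once, when the session is seen, so later queries ("which sessions uploaded an encrypted archive to a Tor node?") become lookups over tags rather than repeated payload parsing.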
RSA NETWITNESS UEBA
RSA NETWITNESS LOGS -> BEHAVIORAL ANALYTICS (UNIQUE UNSUPERVISED 3-STAGE MACHINE LEARNING) -> OUTCOME
SMART alerts around specific use cases, e.g. data exfiltration
Context around detected risks: which user, what time / activity?
Investigation of each detected alert anomaly
ANALYZING LOGON ACTIVITY - EXAMPLE
1 input source: Windows logons (4624), interactive logons, 2 months, 5,000 AD users, ~1.6B logon events
7 indicators:
Abnormal Logon Time
Abnormal Source Computer
Abnormal Destination Computer
Multiple Successful Authentication
Multiple Failed Authentications
Multiple Source Computers
Multiple Destination Computers
3,009 indicators
4 alerts:
Brute Force Authentication
Non-Standard Hours
User Login to Abnormal Computer
User Logins to Multiple Hosts
56 alerts
37 high-risk users
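The funnel above (logon events -> seven indicators -> alerts -> high-risk users) is the shape of a baseline-and-deviate pipeline. The block below is an added example, not RSA NetWitness UEBA code, that implements that shape over Windows 4624/4625 events: stage 1 learns each user's usual hours and computers from history, stage 2 evaluates the seven indicators named on the slide for one day of activity, and stage 3 groups indicators into the four alert names and a risk score. The thresholds, weights, indicator-to-alert mapping and all events are assumptions constructed for the example; the product's real model is not on the page.

```python
"""Added example (not RSA NetWitness code): a three-stage logon anomaly pipeline over
Windows 4624/4625 events. Thresholds, weights and indicator-to-alert mapping are assumed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LogonEvent:
    time: datetime
    user: str
    src_host: str  # workstation the logon request came from
    dst_host: str  # computer that recorded the event
    event_id: int  # 4624 = successful logon, 4625 = failed logon


# Assumed values: the page does not state the product's thresholds or weights.
FAILED_THRESHOLD, SUCCESS_THRESHOLD, MULTI_HOSTS, HIGH_RISK_SCORE = 5, 20, 3, 15
WEIGHTS = {"abnormal_logon_time": 5, "abnormal_source_computer": 5,
           "abnormal_destination_computer": 5, "multiple_successful_authentications": 3,
           "multiple_failed_authentications": 7, "multiple_source_computers": 5,
           "multiple_destination_computers": 5}
ALERT_RULES = {"Brute Force Authentication": "multiple_failed_authentications",
               "Non-Standard Hours": "abnormal_logon_time",
               "User Login to Abnormal Computer": "abnormal_destination_computer",
               "User Logins to Multiple Hosts": "multiple_destination_computers"}


def build_baseline(events):
    """Stage 1: per user, the hours and computers seen in successful logons."""
    baseline = defaultdict(lambda: {"hours": set(), "src": set(), "dst": set()})
    for e in events:
        if e.event_id == 4624:
            b = baseline[e.user]
            b["hours"].add(e.time.hour)
            b["src"].add(e.src_host)
            b["dst"].add(e.dst_host)
    return dict(baseline)


def detect_indicators(baseline, day_events):
    """Stage 2: compare one day of activity with each user's baseline."""
    by_user = defaultdict(list)
    for e in day_events:
        by_user[e.user].append(e)
    indicators = {}
    for user, evs in by_user.items():
        b = baseline.get(user)
        if b is None:  # no history yet, nothing to compare against
            continue
        ok = [e for e in evs if e.event_id == 4624]
        failed = [e for e in evs if e.event_id == 4625]
        checks = [
            ("abnormal_logon_time", any(e.time.hour not in b["hours"] for e in ok)),
            ("abnormal_source_computer", any(e.src_host not in b["src"] for e in ok)),
            ("abnormal_destination_computer", any(e.dst_host not in b["dst"] for e in ok)),
            ("multiple_successful_authentications", len(ok) >= SUCCESS_THRESHOLD),
            ("multiple_failed_authentications", len(failed) >= FAILED_THRESHOLD),
            ("multiple_source_computers", len({e.src_host for e in ok}) >= MULTI_HOSTS),
            ("multiple_destination_computers", len({e.dst_host for e in ok}) >= MULTI_HOSTS)]
        found = [name for name, hit in checks if hit]
        if found:
            indicators[user] = found
    return indicators


def score_alerts(indicators):
    """Stage 3: turn each user's indicators into named alerts and a risk score."""
    result = {}
    for user, found in indicators.items():
        score = sum(WEIGHTS[i] for i in found)
        result[user] = {"alerts": [a for a, ind in ALERT_RULES.items() if ind in found],
                        "score": score, "high_risk": score >= HIGH_RISK_SCORE}
    return result


def sample_events():
    """Constructed data: two weeks of history (alice 08-17 from WS-ALICE, bob 09-18 from
    WS-BOB) and one day under review in which alice's account fails six times at 03:00
    from an unknown workstation, then succeeds against four hosts; bob is unchanged."""
    history, start = [], datetime(2020, 3, 2)
    for day in range(14):
        d = start + timedelta(days=day)
        for hour, dst in ((8, "FS-01"), (12, "FS-02"), (17, "FS-01")):
            history.append(LogonEvent(d.replace(hour=hour), "alice", "WS-ALICE", dst, 4624))
        for hour in (9, 18):
            history.append(LogonEvent(d.replace(hour=hour), "bob", "WS-BOB", "FS-01", 4624))
    d = datetime(2020, 3, 16)
    today = [LogonEvent(d.replace(hour=3, minute=m), "alice", "WS-TEMP", "DC-01", 4625)
             for m in range(6)]
    for m, dst in enumerate(("DC-01", "FS-01", "FS-02", "FS-03")):
        today.append(LogonEvent(d.replace(hour=3, minute=10 + m), "alice", "WS-TEMP", dst, 4624))
    today.append(LogonEvent(d.replace(hour=9), "bob", "WS-BOB", "FS-01", 4624))
    return history, today


def run_example():
    history, today = sample_events()
    return score_alerts(detect_indicators(build_baseline(history), today))


if __name__ == "__main__":
    for user, verdict in run_example().items():
        print(user, verdict)
```

The point the slide makes is visible in the output: bob's day produces no indicator at all, while alice's single night of activity fires five of the seven indicators, which collapse into four alerts and one high-risk user. Unsupervised here means nobody labelled "bad" logons; the baseline is the only reference.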
CONNECTING THE DOTS. LITERALLY.
EFFECTIVE ANOMALY DETECTION IN ACTION
User: Randall S. Anderson
Raw events -> Threat Indicators -> Correlated alerts with scoring
Alert Score = 15
VISUALIZING HOW UEBA WORKS WITH EXISTING RSA NETWITNESS LOGS
Data from existing RSA NetWitness deployment -> UEBA creates baseline of normal behavior -> monitors indicators / continues to collect data (Indicator 1, Indicator 2, Indicator 3, Indicator 4) -> anomalies detected -> anomalies grouped together
Uniqueness: High
Severity: High
SUPERVISED VS. UNSUPERVISED MACHINE LEARNING
Supervised Machine Learning
Item   Attribute 1   Attribute 2
?      Large         Red
?      Medium        Red
?      Small         Red
?      Large         Green
?      Medium        Green
?      Small         Green
?      Large         Blue
?      Medium        Blue
?      Small         Blue
?      Large         Yellow
?      Medium        Yellow
?      Small         Yellow
The administrator has to label the data types; the system then tries to decide what to do, based on the learned labels, when new data comes in.
ORCHESTRATION & AUTOMATION
Gartner defines security orchestration, automation and response, or SOAR, as technologies that enable organizations:
• ORCHESTRATION [to collect security threat data and alerts from different sources, where incident analysis and triage can be performed leveraging a combination of human and machine power]
• AUTOMATION [to help define, prioritize and drive standardized incident response activities according to a standard workflow]
SOAR tools allow an organization to define incident analysis and response procedures (aka plays in a security operations playbook) in a digital workflow format, such that a range of machine-driven activities can be automated.
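A "play in a digital workflow format" is, concretely, an ordered list of steps that each take an incident, act on it, and hand it on. The block below is an added example, not RSA NetWitness Orchestrator code, of such a play: an orchestration step that enriches the alert from another source (a constructed threat-intel table), an automation step that triages every incident by the same rule, and a response step that contains machine-side where the priority is high and hands off to an analyst otherwise. The intel table, scoring rule, priority bands and action names are assumptions for the example.

```python
"""Added example (not RSA NetWitness Orchestrator code): a minimal SOAR play."""
from dataclasses import dataclass, field

# Constructed threat-intel lookup (assumption: a real play queries a live feed).
THREAT_INTEL = {"198.51.100.23": "known_c2"}


@dataclass
class Incident:
    id: str
    source: str          # system that raised the alert, e.g. "siem" or "edr"
    indicator_ip: str
    severity: int        # 1 (low) .. 5 (critical), as reported by the source
    context: dict = field(default_factory=dict)
    priority: str = "unassigned"
    actions: list = field(default_factory=list)   # audit trail of what the play did


def enrich_with_intel(inc: Incident) -> Incident:
    """Orchestration: pull context from another source before anyone looks at it."""
    inc.context["intel"] = THREAT_INTEL.get(inc.indicator_ip, "unknown")
    inc.actions.append("enriched:threat_intel")
    return inc


def triage(inc: Incident) -> Incident:
    """Automation: one standardized prioritization rule applied to every incident."""
    score = inc.severity + (3 if inc.context.get("intel") == "known_c2" else 0)
    inc.priority = "P1" if score >= 7 else "P2" if score >= 4 else "P3"
    inc.actions.append(f"triaged:{inc.priority}")
    return inc


def respond(inc: Incident) -> Incident:
    """Machine-driven containment for P1, human hand-off for everything else."""
    if inc.priority == "P1":
        inc.actions.append(f"block_ip:{inc.indicator_ip}")
        inc.actions.append("escalate:incident_manager")
    elif inc.priority == "P2":
        inc.actions.append("assign:tier2_analyst")
    else:
        inc.actions.append("assign:tier1_queue")
    return inc


# The play: an ordered workflow of steps, each taking and returning the incident.
PLAYBOOK = [enrich_with_intel, triage, respond]


def run_playbook(inc: Incident, steps=PLAYBOOK) -> Incident:
    for step in steps:
        inc = step(inc)
    return inc


def sample_alerts():
    """Constructed alerts from two sources (RFC 5737 documentation addresses)."""
    return [Incident("INC-1", "siem", "198.51.100.23", 4),
            Incident("INC-2", "edr", "192.0.2.10", 2),
            Incident("INC-3", "siem", "192.0.2.77", 5)]


def run_example() -> dict:
    return {inc.id: run_playbook(inc) for inc in sample_alerts()}


if __name__ == "__main__":
    for inc_id, inc in run_example().items():
        print(inc_id, inc.priority, inc.actions)
```

The `actions` list is the part worth keeping in a real deployment: it records what the machine did on the analyst's behalf, which is what makes an automated play reviewable after the fact.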
RSA NETWITNESS ORCHESTRATOR
AUTHENTICATION - DATA ENRICHMENT - VULNERABILITY - SIEM - THREAT INTEL - NETWORK FORENSICS - ANALYTICS - BYOI - CASE MANAGEMENT - USER/ENTITY
ALERTS / INCIDENTS - COLLABORATION - RESPONSE ACTION - MACHINE LEARNING - CASE MANAGEMENT - AUTOMATED PLAYBOOKS
EMPOWER ANALYSTS WITH RISK & AUTOMATION
RSA NetWitness v11 Respond enables essential incident management actions for a SOC
RSA NetWitness Orchestrator enables advanced incident orchestration & automation needs
RSA Archer Cyber Incident & Breach Response enables a business response to declared security incidents
WHY RSA
INNOVATION - TRUST - LEADERSHIP - ECOSYSTEM
IoT, Robotics, Vulnerabilities, Corporate Governance, Privacy, GDPR, Cloud, Digital Business, Regulatory Change, Hackers & Malware
Encryption, Authentication, Fraud Risk Engine, SIEM/SOAR, Integrated Risk Management
35+ years
12,500+ customers
50M+ identities
2B consumers
94% of the Fortune 500
Recognized leadership by analyst firms
Industry leading events and thought leadership
Expertise, guided by proven frameworks
700+ practitioners
400+ global partners
1100+ product integrations
Robust customer community