The Integration Point Of Cyber Security
Evelyne Lescuyer, Security Engineer
Symantec Vision Symposium 2014, #SymVisionEmea
Source: veritasvox.veritas.com/legacyfs/online/veritasdata/symantec_vision_2014...

Anatomy Of a Cyber Attack
A majority of cyber attacks follow this path:
1. Reconnaissance
2. Incursion
3. Discovery
4. Capture
5. Exfiltration

Cyber: A complex set of business & technical challenges
Requirements for cyber security:
• Business sponsorship (business ownership for competitive differentiation)
• People & process
• Evolving technologies
• Data governance
• Security architecture
• Visibility & agility
Cyber risk challenges span people, process and technology: we need better intelligence to be cyber resilient.

Customer Challenges
Realization: breach is inevitable. Customer needs shift from protection only to protection + detection & response.
• Identify: understanding where important data is
• Protect: stopping incoming attacks
• Detect: finding incursions
• Respond: containing & remediating problems
• Recover: restoring operations

Integration Point Of Cyber Security

What is Integration? A Google definition…
2. Mathematics: the finding of an integral or integrals. "integration of an ordinary differential equation"
3. Psychology: the coordination of processes in the system, including diverse sensory information and motor impulses.
4. Psychoanalysis: the process by which a well-balanced psyche becomes whole as the developing ego organizes the id, and the state that results or that treatment seeks to create or restore by countering the fragmenting effect of defense mechanisms.

Integration Point Requirements
Integration point technical characteristics:
1. Data collection from endpoint, network, cloud and app
2. Putting data into context
3. Gaining a global view of security intelligence
4. Flexible analysis to process the multi-TBs of data

Integration Point Tool Options for the Job
• Insourcing: perform all the activities within the Security Monitoring Centre from within the customer environment
• Hybrid: outsource certain activities to a third party whilst retaining critical components within the customer control
• Outsourcing: engage a third party to perform SOC activities on behalf of the customer

SIEM / log management (customer operated and managed threat ID):
• Known threat ID
• Log management: collectors, raw log storage, log search
• Canned reports
• Incident research, anomaly ID, incident analysis tool
• Workflow tools / API
• Custom rules, custom reports, custom collectors
• Local storage / compute / power / maintenance
• 3rd party intelligence feeds (some)
• Software maintenance required (ad hoc)

Managed services:
• Always-on: 24x7 monitoring and management
• Active threat ID / rules team
• Threat analyst reviewed incidents
• Web-based UI
• Global Intelligence Network
• Escalation process
• Global SOCs
• Cloud-based storage / compute / power / maintenance

Integration Point Business Characteristics Comparisons
Outsource
• Cost: low CAPEX, predictable OPEX
• Control: lack of environment knowledge; SLA-based services difficult to terminate or change
• Time to value: handover, service definition and SLA measurement
• Skill set: 3rd party responsibility
Hybrid
• Cost: moderate CAPEX, predictable OPEX
• Control: local and 3rd party expertise; partial SLA service, flexible for future change
• Time to value: blended approach
• Skill set: staff augmentation
Insource
• Cost: high CAPEX, variable OPEX
• Control: team knows the environment, potentially most efficient; complex to manage
• Time to value: people recruitment, tools procurement & configuration
• Skill set: hard to acquire, retain, train

Cyber Security Group Integration Strategy
Pillars: Security Intelligence; Managed Security Services (MSS); Advanced Threat Protection; Incident Response; Security Simulation
Capabilities, across Symantec & 3rd party solutions:
• Log collection & archiving; log analysis & passive discovery
• 360° contextual view; threat & vulnerability management; intelligence correlations
• Controlled malware testing; incident response & remediation
• Real-time monitoring; applied intelligence analysis & reporting
• Cyber intelligence; asset discovery; policy/controls & benchmarking; compliance & audit reports
• Advanced threat protection engine; forensic analysis & visualization; network & host forensics
• Intelligence fusion cells; global data collection; big data analytics


Symantec IS Security Intelligence
• 2B+ events logged daily; over 100,000 security alerts generated annually; 200,000 daily code submissions
• 7 billion file, URL & IP classifications: capturing previously unseen threats & attack methods
• 1 billion+ devices protected: more visibility across devices creates better context and deeper insight
• 2.5 trillion rows of security telemetry: putting "big data" analytics to work for every end user
• Monitors threats in 157+ countries; 14 data centers worldwide; 550 threat researchers

Big Data Analysis
Global data collection sources: Attack Quarantine System, malware protection, gateways, 3rd party affiliates, Global Sensor Network, phishing detections, 5 global SOCs, product vendor partnerships, Bugtraq submissions, product data collection
Analysis: data fusion warehouse, analytics, intelligence analysts
DeepSight solution (access to GIN data): Early Warning Services portal; DataFeeds for reputation & security risk data, and vulnerability & security risk


MSS: Our Value Proposition
Symantec's Managed Security Services reduce the time required to detect and respond to security incidents, minimizing the potential business impact of increasingly sophisticated and targeted cyber attacks...

"We are very excited about the enterprise security monitoring we have with Symantec Managed Security Services. It is helping us enhance our risk management approach."
Jim Miles, Director Information Security, PGi Corporation

Global Service Delivery
• 1st threat intelligence network: 70 TB of attack data
• 5 Security Operation Centers; 1200+ customers; 380+ staff; analysts 100% GIAC certified; 15+ years experience
• 17 billion logs per day; 160,000 correlation rules
• Service running on day 1; 15 days max for first equipment onboarding
• 99.9% available service; notification by phone in 10 minutes

Managed Security Service: Expert Security on a Global Scale
• World-class expertise: 5 SOCs globally; over 1000 security experts on a global scale; 100% GIAC certified SOC analysts
• Big data security analytics: 660 billion log lines per month; over 4.7M new events identified per day
• Security intelligence: 64.6M attack sensors; 5M decoy accounts; 8B+ email messages per day; 1.4B+ web requests per day

Our value proposition
• Security incident detection
• Total cost of ownership
• Service onboarding transition / correlation / remediation
• High expertise
• Scalability

Driving Actionable Results
Symantec MSS correlates log sources (network, server, endpoint, data, desktops) with customer context (compliance restrictions, organization, asset value, system function) and global intelligence (threats, vulnerabilities, malcode, file & site reputation).

Complete visibility is needed to identify malware
Log activity falls into four quadrants: authorized user / authorized activity, unauthorized user / authorized activity, unauthorized user / unauthorized activity, and authorized user / unauthorized activity.
• Around 99% of logs are authorized user / authorized activity
• Malware attempts to behave like an authorized user to prevent identification
• The remaining logs are the most valuable for incident detection
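The quadrant view above is easy to state and harder to operationalise: "unauthorized activity" has to be defined per account, not per signature. The following is an added example, not code from the deck or from Symantec: it learns a per-user baseline of (host, action) pairs from a constructed window of known-good logs, then places new events in one of the four quadrants. The log tuples, the user directory and the baseline rule (an account's authorized activity is whatever it did during the baseline window) are assumptions made for this example.

```python
"""Visibility quadrants as a triage step (added example, not Symantec code)."""
from collections import Counter, defaultdict

# Constructed identity directory: accounts the organisation actually issued.
AUTHORIZED_USERS = {"alice", "bob", "svc_backup"}

# Constructed baseline window: (user, host, action) as extracted from auth,
# sudo and file-server logs during a period of known-good operation.
BASELINE_LOGS = [
    ("alice", "fileserver01", "smb_read"),
    ("alice", "fileserver01", "smb_write"),
    ("alice", "mail01", "imap_login"),
    ("bob", "build01", "ssh_login"),
    ("bob", "build01", "git_push"),
    ("svc_backup", "fileserver01", "smb_read"),
    ("svc_backup", "dc01", "ldap_query"),
]

# Constructed new events to triage; most are routine, a few are not.
NEW_EVENTS = [
    ("alice", "fileserver01", "smb_read"),
    ("alice", "mail01", "imap_login"),
    ("bob", "build01", "git_push"),
    ("svc_backup", "fileserver01", "smb_read"),
    ("alice", "dc01", "ldap_query"),      # alice's account doing svc_backup's job
    ("alice", "dc01", "ntds_dump"),       # credential-store access nobody does routinely
    ("mallory", "build01", "ssh_login"),  # unknown account, routine-looking action
    ("mallory", "dc01", "ntds_dump"),     # unknown account, novel action
]


def learn_baseline(logs):
    """Per-user set of (host, action) pairs seen in the baseline window."""
    baseline = defaultdict(set)
    for user, host, action in logs:
        baseline[user].add((host, action))
    return baseline


def classify(event, baseline, authorized_users):
    """Place one event in a quadrant.

    For a known account, authorized activity means the (host, action) pair is in
    that account's own baseline. An unknown account has no baseline of its own,
    so authorized activity there means the pair is routine for somebody: the
    attacker is blending in with normal traffic patterns.
    """
    user, host, action = event
    pair = (host, action)
    if user in authorized_users:
        user_part = "authorized_user"
        activity_ok = pair in baseline.get(user, set())
    else:
        user_part = "unauthorized_user"
        activity_ok = any(pair in pairs for pairs in baseline.values())
    activity_part = "authorized_activity" if activity_ok else "unauthorized_activity"
    return f"{user_part}/{activity_part}"


def triage(events, baseline, authorized_users):
    """Return (counts per quadrant, events needing review).

    The review list is ordered so that the impersonation quadrant (authorized
    user, unauthorized activity) comes first: that is where malware that
    behaves like a legitimate user shows up, and no signature will flag it.
    """
    labelled = [(classify(e, baseline, authorized_users), e) for e in events]
    counts = Counter(label for label, _ in labelled)
    order = {
        "authorized_user/unauthorized_activity": 0,
        "unauthorized_user/unauthorized_activity": 1,
        "unauthorized_user/authorized_activity": 2,
    }
    review = sorted(
        ((label, e) for label, e in labelled if label in order),
        key=lambda item: order[item[0]],
    )
    return counts, review


if __name__ == "__main__":
    base = learn_baseline(BASELINE_LOGS)
    counts, review = triage(NEW_EVENTS, base, AUTHORIZED_USERS)
    for label, n in counts.items():
        print(f"{n:3d}  {label}")
    for label, event in review:
        print(label, event)
```

Run as-is, four of the eight constructed events land in the routine quadrant and the other four are queued for review, with alice's two out-of-baseline actions on dc01 at the top. The caveat is the baseline itself: a window that already contains the intrusion teaches the attacker's behaviour as normal, so baselines are learned from a reviewed period and re-learned only after the review list is empty.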

MSS Monitoring Architecture
Components: customer premise (Log Collection Platform, LCP); Symantec SOC (security analysts, customer portal, data warehouse); Symantec DeepSight global threat intelligence.
1. Logs are collected via vendor approved protocols
2. The on-premise LCP compresses logs and sends them to MSS over an encrypted SSL/TLS connection
3. Logs are sent for archiving and analysis via the SOC technology platform, with over 160K signatures and integration with GIN attack data
4. Events of interest are presented to an analyst for validation, classification and escalation
5. Customer teams can access logs, incidents, reports and a real-time dashboard via the MSS portal
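Step 2 is where a customer's raw logs leave the premises, so it is the step a practitioner should be able to check. The following is an added example and not Symantec's LCP code: it shows a batch frame a forwarder can use (batch id, payload length, digest of the plaintext, gzip payload) and the TLS client settings that make "encrypted" also mean "authenticated", beside the weak configuration to reject. The frame layout, the function names and the syslog lines are constructed for this example.

```python
"""Log batching, compression and TLS client policy (added example, not LCP code)."""
import gzip
import hashlib
import ssl
import struct

MAGIC = b"LCP1"                      # constructed frame marker
HEADER = struct.Struct("!4sII32s")   # magic, batch id, payload length, sha256

# Constructed syslog lines as a collector would read them from a firewall.
SAMPLE_LOGS = [
    "<134>Jun 12 10:01:02 fw01 kernel: ACCEPT IN=eth0 SRC=10.0.0.5 DST=10.0.1.9 PROTO=TCP DPT=443",
    "<134>Jun 12 10:01:02 fw01 kernel: ACCEPT IN=eth0 SRC=10.0.0.7 DST=10.0.1.9 PROTO=TCP DPT=443",
    "<132>Jun 12 10:01:03 fw01 kernel: DROP IN=eth0 SRC=198.51.100.23 DST=10.0.0.5 PROTO=TCP DPT=3389",
    "<134>Jun 12 10:01:04 fw01 kernel: ACCEPT IN=eth0 SRC=10.0.0.5 DST=10.0.1.9 PROTO=TCP DPT=443",
]


def build_frame(lines, batch_id):
    """Compress one batch and prefix a header the SOC side can check.

    The digest covers the plaintext, so corruption or truncation is detected
    independently of the transport and of the gzip container.
    """
    plaintext = "\n".join(lines).encode("utf-8") + b"\n"
    payload = gzip.compress(plaintext, compresslevel=6)
    header = HEADER.pack(MAGIC, batch_id, len(payload), hashlib.sha256(plaintext).digest())
    return header + payload


def parse_frame(frame):
    """SOC-side decode: validate magic, length and digest; return (batch_id, lines)."""
    if len(frame) < HEADER.size:
        raise ValueError("short frame")
    magic, batch_id, length, digest = HEADER.unpack(frame[:HEADER.size])
    if magic != MAGIC:
        raise ValueError("bad magic")
    payload = frame[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("truncated frame")
    plaintext = gzip.decompress(payload)
    if hashlib.sha256(plaintext).digest() != digest:
        raise ValueError("digest mismatch")
    return batch_id, plaintext.decode("utf-8").splitlines()


def compression_ratio(lines):
    """Raw bytes divided by compressed bytes for one batch."""
    plaintext = "\n".join(lines).encode("utf-8") + b"\n"
    return len(plaintext) / len(gzip.compress(plaintext, compresslevel=6))


def forwarder_tls_context(ca_file=None):
    """Client context for the LCP -> SOC link.

    The three properties to verify in any forwarder configuration: the SOC
    certificate chains to a trusted CA, the hostname is checked against it,
    and nothing below TLS 1.2 is negotiated. ca_file is the customer's pinned
    CA bundle (an assumption here); None falls back to the system trust store.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def weak_tls_context():
    """The setting to reject: encryption without certificate validation lets
    anyone on the path terminate the session and read every log line."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_acceptable(ctx):
    """Policy check a deployment review would script against the forwarder."""
    return bool(ctx.check_hostname
                and ctx.verify_mode == ssl.CERT_REQUIRED
                and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)
```

The frame digest is not a substitute for the TLS layer (it authenticates nothing), but it gives the SOC side a per-batch integrity check that survives proxies and re-encoding. The TLS check is the one to automate: a forwarder that "works" with `CERT_NONE` looks identical to a correctly configured one from the customer's side.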

MSS customer portal overview: latest security incidents and alerts
Managed Security Services demo

MSS summary: Collect, Retain, Analyze, Advise, Remediate
Threat intelligence: targeted attacks, threat trends, vulnerabilities, malicious code, fraud activity
Analysis & prioritization; visibility & control; 24x7 global budget and staff
• Scalability: more devices, more collaborators, more services
• Total cost of ownership: all-inclusive service (people, process, technologies); onboarding transition, correlation, remediation
• High expertise: global service; human and contextual analysis
• Security incident detection: unparalleled intelligence, emerging threats and APT

Evolution of Firewall Technology
Traditional UTM or ISA: determines who can talk to whom, but cannot hear what is being said
• Port & protocol based
• IP-based detection
• Some IPS capabilities
Next Gen FW: limited to catching what is known
• Signature-based IPS & AV
• URL filtering
• Application control
STAP (Specialized Threat Analysis and Protection): analyzes files to detect unknown & zero-day malware
• Virtual execution
• Sandboxing
• File hash lookups

Information Security Service Overview of Advanced Threat Protection
TODAY: manual correlation and remediation
• Network security group: network security detects suspected malware and alerts
• Endpoint security group, via Symantec Endpoint Protection Manager: determines whether the malware is known and SEP has blocked it; verifies whether endpoints are compromised; understands if / where the infection has spread; initiates endpoint actions (clean, block, quarantine, gather forensics, …)
TOMORROW: automated correlation and remediation with Symantec Advanced Threat Protection
• Network security detects suspected malware
• ATP automatically analyzes endpoints to determine whether the malware is known and SEP has blocked it, verify whether endpoints are compromised, understand if / where the infection has spread, identify the malware and block the IP address
• ATP launches corrective actions through Symantec Endpoint Protection Manager: initiates endpoint actions (clean, block, quarantine, gather forensics, …)

MSS-ATP: Workflow, Release 1 (ATP Alliance)
Inputs: network advanced threat detection; Symantec Endpoint Protection / McAfee; virtual execution (Virt Exec); Symantec Managed Security Services
Symantec Global Intelligence Network: file reputation; origin intelligence; threat behaviour (VX); threat info (multi-source). Billions of files (20 million new each week), 150 million endpoints, 240,000 sensors across 200 countries
Incident: fingerprint; mitigation guidance
Outcome: Protected

MSS-ATP: Workflow, Release 2 (coming soon)
Inputs: as in Release 1 (network advanced threat detection; Symantec Endpoint Protection; virtual execution; Symantec Managed Security Services; Global Intelligence Network), plus adversary & threat intelligence
Incident: fingerprint; mitigation guidance. Outcome: Not Protected
Response: malware clean; network containment; search for file hash; search for IOCs; increased security policy based on specific IP / app / user; quarantine endpoint
Outcome: Protected
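The Release 2 workflow above is, at its core, a correlation: one network verdict on a file hash is joined against endpoint telemetry to answer "known and blocked?", "compromised?", "spread where?", and the answers are ranked with the customer context from the "Driving Actionable Results" slide (asset value, system function, compliance restriction) before actions are issued. The following is an added example of that join and is not Symantec's ATP or MSS code; the alert, the endpoint events, the asset inventory and the decision rules are all constructed for the example.

```python
"""Network alert to endpoint correlation and response plan (added example)."""

MALICIOUS_SHA256 = "aa" * 32        # constructed placeholder hash
C2_IP = "203.0.113.45"              # RFC 5737 documentation address

# Constructed verdict from network advanced threat detection / virtual execution.
NETWORK_ALERT = {"sha256": MALICIOUS_SHA256, "verdict": "malicious",
                 "c2_ip": C2_IP, "first_seen_host": "ws-114"}

# Constructed endpoint telemetry as an endpoint manager would report it.
ENDPOINT_EVENTS = [
    {"host": "ws-114", "type": "file", "sha256": MALICIOUS_SHA256, "disposition": "allowed", "executed": True},
    {"host": "ws-114", "type": "network", "dst_ip": C2_IP},
    {"host": "ws-207", "type": "file", "sha256": MALICIOUS_SHA256, "disposition": "blocked", "executed": False},
    {"host": "srv-fin01", "type": "file", "sha256": MALICIOUS_SHA256, "disposition": "allowed", "executed": False},
    {"host": "ws-300", "type": "file", "sha256": "bb" * 32, "disposition": "allowed", "executed": True},
]

# Constructed customer context: asset value, system function, compliance restriction.
ASSETS = {
    "ws-114": {"asset_value": 2, "function": "workstation", "compliance": None},
    "ws-207": {"asset_value": 2, "function": "workstation", "compliance": None},
    "srv-fin01": {"asset_value": 5, "function": "finance application server", "compliance": "PCI"},
    "ws-300": {"asset_value": 1, "function": "lobby kiosk", "compliance": None},
}

SEVERITY = {"compromised": 3, "exposed": 2, "blocked": 1}


def assess_host(host, events, alert):
    """Classify one host against the alert.

    compromised: the file executed or the host talked to the C2 address;
    blocked:     the endpoint agent stopped the file (known malware, SEP blocked);
    exposed:     the file is present but no execution or beacon was seen;
    None:        the host is unaffected.
    """
    saw_hash = executed = blocked = beacon = False
    for ev in events:
        if ev["host"] != host:
            continue
        if ev["type"] == "file" and ev["sha256"] == alert["sha256"]:
            saw_hash = True
            blocked = blocked or ev["disposition"] == "blocked"
            executed = executed or ev["executed"]
        elif ev["type"] == "network" and ev.get("dst_ip") == alert["c2_ip"]:
            beacon = True
    if executed or beacon:
        return "compromised"
    if saw_hash and blocked:
        return "blocked"
    if saw_hash:
        return "exposed"
    return None


def plan_response(alert, events, assets):
    """Correlate alert, telemetry and context.

    Returns (outcome before response, network actions, per-host findings ordered
    by severity then asset value). The decision rules (quarantine on compromise,
    escalate high-value assets, preserve evidence first on compliance-scoped
    systems) are this example's assumptions, not a vendor playbook.
    """
    findings = []
    for host in sorted({ev["host"] for ev in events}):
        status = assess_host(host, events, alert)
        if status is None:
            continue
        ctx = assets.get(host, {"asset_value": 1, "function": "unknown", "compliance": None})
        if status == "compromised":
            actions = ["quarantine_endpoint", "gather_forensics", "clean_malware"]
        elif status == "exposed":
            actions = ["clean_malware"]
        else:
            actions = ["verify_block_logged"]
        if status != "blocked" and ctx["compliance"]:
            actions.insert(0, f"preserve_evidence:{ctx['compliance']}")
        if status != "blocked" and ctx["asset_value"] >= 4:
            actions.append("escalate_to_incident_response")
        findings.append({"host": host, "status": status,
                         "asset_value": ctx["asset_value"], "actions": actions})
    findings.sort(key=lambda f: (SEVERITY[f["status"]], f["asset_value"]), reverse=True)
    network_actions = [f"block_ip:{alert['c2_ip']}",
                       f"search_file_hash:{alert['sha256']}",
                       "search_for_iocs",
                       "tighten_policy_for_ip_app_user"]
    outcome = "Protected" if all(f["status"] == "blocked" for f in findings) else "Not Protected"
    return outcome, network_actions, findings


if __name__ == "__main__":
    outcome, net, per_host = plan_response(NETWORK_ALERT, ENDPOINT_EVENTS, ASSETS)
    print("outcome before response:", outcome)
    print("network:", net)
    for f in per_host:
        print(f["host"], f["status"], f["actions"])
```

On the constructed data, ws-207 is the "known and SEP has blocked" case and needs only confirmation, ws-114 executed the file and beaconed so it is quarantined first, and srv-fin01 holds the file without running it but outranks the blocked workstation because of its asset value and PCI scope. The point of the ordering is that the same alert produces different actions per host; without the endpoint join every host that saw the hash would get the same generic ticket.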


Cyber Security Group Offerings
• Security Intelligence (PREPARE): security intelligence collection, analysis and sharing through customer portals, data feeds, multi-level briefs and security intelligence services. Value: provides access to the intelligence, knowledge and skill sets needed for security intelligence programs and strategic security planning.
• Security Simulation and Development Program (PREPARE): cyber war games and LiveFire exercises. Value: expertise, skill set development and cyber readiness through real-life simulations; sets teams up for success.
• Monitoring and Intelligence (MSS) (DETECT & RESPOND): comprehensive 24x7 security monitoring & intelligence. Value: identify, prioritize and respond to incidents, and fill critical skill set gaps.
• Advanced Threat Protection (DETECT & RESPOND): advanced threat protection across the enterprise. Value: enables enterprises to rapidly and effectively contain, investigate and remediate advanced threats.
• Incident Response (DETECT, RESPOND & RECOVER): advanced incident response & forensics support. Value: immediate access to critical knowledge and skill sets during incident response.

Cyber Security Group: Roadmap
• MSS Advanced Threat Protection (MSS-ATP): GA June 2014
• Advanced Threat Protection Solution: Beta coming soon, GA Summer 2014. Symantec introduces new advanced threat detection and response capabilities unifying security across the endpoint, email and gateway, helping organizations achieve better protection and drive down security OpEx.
• Incident Response Managed Adversary Services: GA Fall 2014

Thank you!

Copyright © 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.