#SymVisionEmea - veritasvox.veritas.com/legacyfs/online/veritasdata/symantec_vision_2014... ·...
TRANSCRIPT
SYMANTEC VISION SYMPOSIUM 2014
Integration Point of Cyber Security

Anatomy of a Cyber Attack: a majority of cyber attacks follow this path
1 RECONNAISSANCE
2 INCURSION
3 DISCOVERY
4 CAPTURE
5 EXFILTRATION
Cyber – A complex set of business & technical challenges
Requirements for Cyber Security:
Business Sponsorship (business ownership for competitive differentiation)
People & Process
Evolving Technologies
Data Governance
Security Architecture
Visibility & Agility
PEOPLE, PROCESS, TECHNOLOGY
We Need Better Intelligence to be Cyber Resilient
Cyber Risk Challenges
Customer Challenges → Realization → Customer Needs Shift
Breach is Inevitable
Understanding Where Important Data Is
Stopping Incoming Attacks
Finding Incursions
Containing & Remediating Problems
Restoring Operations
Identify, Protect, Detect, Respond, Recover
Protection Only → Protection + Detection & Response
What is Integration? A Google definition…
2. Mathematics: the finding of an integral or integrals. "integration of an ordinary differential equation"
3. Psychology: the coordination of processes in the system, including diverse sensory information and motor impulses.
4. Psychoanalysis: the process by which a well-balanced psyche becomes whole as the developing ego organizes the id, and the state that results or that treatment seeks to create or restore by countering the fragmenting effect of defense mechanisms.
Integration Point Requirements
• Integration Point Technical Characteristics…
1. Data collection from endpoint, network, cloud and app
2. Putting data into context
3. Gaining a global view of security intelligence
4. Flexible analysis to process the multi-TBs of data
Integration Point Tool Options for the Job
Insourcing: perform all the activities within the Security Monitoring Centre from within the customer environment
Hybrid: outsource certain activities to a third party whilst retaining critical components within the customer control
Outsourcing: engage a third party to perform SOC activities on behalf of the customer

Known Threat ID
Log Management
Collectors
Canned Reports
Raw Log Storage
Log Search
Incident Research
Anomaly ID
Workflow tools/API
Incident Analysis Tool

Customer operated/managed threat ID:
Custom Rules
Custom Reports
Custom Collectors
Local Storage/Compute/Power/Maintenance
3rd party intelligence feeds (some)
Software Maintenance Required (ad hoc)

SIEM/Log Management Managed Services:
Always-on - 24x7 monitoring and management
Active Threat ID/Rules team
Threat Analyst Reviewed Incidents
Web-based UI
Global Intelligence Network
Escalation Process
Global SOCs
Cloud-based Storage/Compute/Power/Maintenance
Integration Point Business Characteristics Comparisons

Outsource
Cost: Low CAPEX, Predictive OPEX
Control: Lack of Environment Knowledge; SLA Based Services Difficult to Terminate / Change
Time to Value: Handover, Service Definition and SLA Measurement
Skill Set: 3rd Party Responsibility

Hybrid
Cost: Moderate CAPEX, Predictive OPEX
Control: Local and 3rd Party Expertise; Partial SLA Service, Flexible Future Change
Time to Value: Blended Approach
Skill Set: Staff Augmentation

Insource
Cost: High CAPEX, Variable OPEX
Control: Team Knows Environment, Potentially Most Efficient; Complex to Manage
Time to Value: People Recruitment, Tools Procurement & Configuration
Skill Set: Hard to Acquire, Retain, Train
Cyber Security Group Integration Strategy
Security Intelligence
Managed Security Services (MSS)
Advanced Threat Protection
Incident Response
Security Simulation
Log Collection & Archiving
Log Analysis & Passive Discovery
360° Contextual View
Threat & Vuln Management
Intelligence Correlations
Controlled Malware Testing
Incident Response & Remediation
Real-time Monitoring
Applied Intelligence Analysis & Reporting
Symantec & 3rd Party Solutions
Cyber Intelligence
Asset Discovery
Policy/Controls & Benchmarking
Compliance & Audit Reports
Advanced Threat Protection Engine
Forensic Analysis & Visualization
Network & Host Forensics
Intelligence Fusion Cells
Global Data Collection
Big Data Analytics
Symantec IS Security Intelligence
2B+ events logged daily
Over 100,000 security alerts generated annually
200,000 daily code submissions
7 Billion File, URL & IP Classifications • Capturing previously unseen threats & attack methods
1 Billion+ Devices Protected • More visibility across devices creates better context and deeper insight
2.5 Trillion Rows of Security Telemetry • Putting "big data" analytics to work for every end user
Monitors Threats in 157+ countries
14 Data Centers World Wide
550 Threat Researchers
DeepSight Solution: Access to GIN Data
Global Data Collection: Attack Quarantine System, Malware Protection Gateways, 3rd Party Affiliates, Global Sensor Network, Phishing Detections, 5 Global SOCs, Product Vendor Partnerships, Bugtraq submissions, Product data collection
Big Data Analysis: Data Fusion Warehouse, Analytics, Intelligence Analysts
DeepSight: Early Warning Services Portal; DataFeeds (Reputation & Security Risk Data; Vulnerability & Security Risk)
MSS: Our Value Proposition
Symantec's Managed Security Services reduce the time required to detect and respond to security incidents, minimizing the potential business impact of increasingly sophisticated and targeted cyber attacks...
"We are very excited about the enterprise security monitoring we have with Symantec Managed Security Services. It is helping us enhance our risk management approach."
Jim Miles - Director Information Security, PGi Corporation
Global Service Delivery
1st Threat Intelligence Network: 70 TB of attack data
5 Security Operation Centers
1200+ Customers
380+ Staff
Analysts 100% GIAC certified
15+ years Experience
17 billion logs per day
160,000 Correlation rules
Service running on Day 1
15 days max for first equipment onboarding
99.9% available service
Notification by phone in 10 minutes
Managed Security Service: Expert Security on a Global Scale
5 SOCs globally
Over 1000 security experts on a global scale
100% GIAC certified SOC analysts
660 Billion Log Lines (per month)
Over 4.7M new events identified (per day)
64.6M attack sensors
5M decoy accounts
8B+ email messages (per day)
1.4B+ web requests (per day)
Big Data Security Analytics, Security Intelligence, World-class Expertise
Our value proposition
Security incident detection
Total Cost of ownership
Service Onboarding: transition / correlation / remediation
High Expertise
Scalability
Driving Actionable Results
Symantec MSS
• Network
• Server
• Endpoint
• Data
• Desktops
• Compliance Restriction
• Organization
• Asset Value
• System Function
• Threats
• Vulnerabilities
• Malcode
• File & Site Reputation
Complete visibility is needed to identify malware
Authorized User / Authorized Activity: 99%
Unauthorized User / Authorized Activity
Unauthorized User / Unauthorized Activity
Authorized User / Unauthorized Activity
• Around 99% of logs are Authorized User/Activity
• Malware attempts to behave like an authorized user to prevent identification
• Most valuable logs for incident detection
MSS Monitoring Architecture
Components: Customer Premise, Log Collection Platform, Symantec SOC, Security Analysts, Customer Portal, Symantec DeepSight Global Threat Intelligence, Data Warehouse
1. Logs are collected via vendor approved protocols
2. On premise LCP compresses logs and sends to MSS via encrypted SSL
3. Logs are sent for archiving and analysis via SOC Technology Platform with over 160K signatures and integration with GIN attack data
4. Events of interest are presented to an analyst for validation, classification and escalation
5. Customer teams can access logs, incidents, reports and real-time dashboard via MSS Portal
MSS customer portal overview: latest security incidents and alerts
Managed Security Services demo
Target Attacks, Threat Trends, Vulnerabilities, Malicious Code, Fraud Activity
Collect, Retain, Analyze, Advise, Remediate
Threat Intelligence; Analysis & Prioritization; Visibility & Control
Security Incident detection: Unparalleled Intelligence, emerging threats and APT
High expertise: Human and contextual analysis; Global service
Total Cost of Ownership: All included service: people, process, technologies
24 x 7 Global Budget Staff
Onboarding: transition, correlation, remediation
Scalability: More devices, more collaborators, more services
Evolution of Firewall Technology
Traditional (UTM or ISA): determine who can talk to who, but they can't hear what's being said.
• Port & protocol based
• IP-based detection
• Some IPS capabilities
Next Gen FW: limited to catching what's known
• Signature-based IPS & AV
• URL filtering
• Application control
STAP: analyzes files to detect unknown & zero-day malware
• Virtual Execution
• Sandboxing
• File hash lookups
Information Security Service Overview of Advanced Threat Protection

TODAY: Manual correlation and remediation
• Network Security (Network Security Group) detects suspected malware and alerts
• Endpoint Security Group, via Symantec End Point Protection Manager: determines whether malware is known and SEP has blocked it; verifies whether endpoints are compromised; understands if / where infection has spread
• Initiates endpoint actions (clean, block, quarantine, gather forensics, …)

TOMORROW: Automated correlation and remediation
• Network Security detects suspected malware
• Symantec Advanced Threat Protection automatically analyzes endpoints to: determine whether malware is known & SEP has blocked it; verify whether endpoints are compromised; understand if / where infection has spread; identify the malware and block the IP address
• Launches corrective actions and initiates endpoint actions (clean, block, quarantine, gather forensics, …) through Symantec End Point Protection Manager
MSS-ATP: Workflow, Release 1 (ATP Alliance)
Network Adv. Threat Detection; Symantec Endpoint Protection / McAfee; Symantec Managed Security Services; Virt Exec
Symantec Global Intelligence Network: billions of files (20 million new each week); 150 million endpoints; 240,000 sensors across 200 countries
• File Reputation
• Origin Intelligence
• Threat behaviour (VX)
• Threat info (multi-source)
INCIDENT
• Fingerprint
• Mitigation guidance
Outcome: Protected
MSS-ATP: Workflow, Release 2 (coming soon)
Network Adv. Threat Detection; Symantec Endpoint Protection; Symantec Managed Security Services; Virt Exec
Symantec Global Intelligence Network: billions of files (20 million new each week); 150 million endpoints; 240,000 sensors across 200 countries
• File Reputation
• Origin Intelligence
• Threat behaviour (VX)
• Threat info (multi-source)
Adversary & Threat Intelligence
INCIDENT
• Fingerprint
• Mitigation guidance
Outcome: Not Protected
RESPONSE
• Malware clean
• Network containment
• Search for file hash
• Search for IOCs
• Increased security policy based on specific IP/app/user
• Quarantine endpoint
OUTCOME
Outcome: Protected
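As an added illustration of the MSS-ATP Release 2 workflow described above (this is example code, not Symantec's own): a network alert carrying a file fingerprint is correlated with endpoint telemetry to decide whether SEP already blocked the file ("Protected") or whether it executed somewhere ("Not Protected"), in which case the response actions listed on the slide are assembled. The alert and event types, field names and sample data are constructed assumptions.

```python
# Added example (not Symantec code): correlating a network ATP alert with
# endpoint telemetry along the MSS-ATP Release 2 workflow on the slides.
# All type names, fields and sample records below are constructed.
from dataclasses import dataclass, field

@dataclass
class NetworkAlert:
    file_hash: str   # fingerprint of the suspected malware seen on the network
    source_ip: str   # external IP the file was fetched from (for containment)

@dataclass
class EndpointEvent:
    host: str
    file_hash: str
    action: str      # "blocked" (SEP stopped it) or "executed" (the file ran)

@dataclass
class Outcome:
    protected: bool
    compromised_hosts: list = field(default_factory=list)
    actions: list = field(default_factory=list)

def correlate(alert, events):
    """Decide whether SEP already handled the file, find where it ran,
    and pick the response actions from the deck's RESPONSE list."""
    related = [e for e in events if e.file_hash == alert.file_hash]
    if not related:
        # No endpoint visibility at all: cannot claim protection, go and look.
        return Outcome(False, [], [f"no endpoint telemetry for {alert.file_hash}: "
                                   "search for file hash and IOCs"])
    compromised = sorted({e.host for e in related if e.action == "executed"})
    if not compromised:
        # Known malware, SEP blocked it everywhere it was seen: Outcome: Protected
        return Outcome(True, [], ["mitigation guidance"])
    actions = [f"search for file hash {alert.file_hash} across all endpoints",
               f"network containment: block {alert.source_ip}"]
    actions += [f"quarantine endpoint {h} and malware clean" for h in compromised]
    return Outcome(False, compromised, actions)

# Constructed sample telemetry: one blocked host, two hosts where the file ran.
SAMPLE_ALERT = NetworkAlert(file_hash="deadbeef01", source_ip="203.0.113.7")
SAMPLE_EVENTS = [
    EndpointEvent("ws-101", "deadbeef01", "blocked"),
    EndpointEvent("ws-102", "deadbeef01", "executed"),
    EndpointEvent("ws-103", "cafef00d02", "executed"),  # unrelated file
    EndpointEvent("srv-07", "deadbeef01", "executed"),
]

if __name__ == "__main__":
    result = correlate(SAMPLE_ALERT, SAMPLE_EVENTS)
    print("Outcome:", "Protected" if result.protected else "Not Protected")
    for a in result.actions:
        print(" -", a)
```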
Cyber Security Group Offerings

Offering: Security Intelligence
Value: Security intelligence collection, analysis and sharing through customer portals, data feeds, multi-level briefs and security intelligence services. Provide access to intelligence, knowledge and skill sets needed for security intelligence programs and strategic security planning.
Phase: PREPARE

Offering: Monitoring and Intelligence (MSS)
Value: Comprehensive 24x7 security monitoring & intelligence. Identify, prioritize, and respond to incidents and fill critical skill set gaps.
Phase: DETECT & RESPOND

Offering: Advanced Threat Protection
Value: Advanced Threat Protection across the enterprise. Enable enterprises to rapidly and effectively contain, investigate and remediate advanced threats.
Phase: DETECT & RESPOND

Offering: Incident Response
Value: Advanced Incident Response & Forensics support. Immediate access to critical knowledge and skill sets during incident response.
Phase: DETECT, RESPOND & RECOVER

Offering: Security Simulation and Development Program
Value: Expertise, skill set development and cyber readiness through real life simulations; sets teams up for success. Cyber War Games and LiveFire Exercises.
Phase: PREPARE
Cyber Security Group: Roadmap
MSS – Advanced Threat Protection: GA: June 2014
Advanced Threat Protection Solution: Beta: coming soon; GA: Summer 2014. Symantec introduces new advanced threat detection and response capabilities unifying security across the endpoint, email and gateway, helping organizations achieve better protection and drive down security OpEx.
Incident Response Managed Adversary Services: GA: Fall 2014
Thank you!