Security Operations Centers in action Richard Nichols

RSA Advanced Security Operations Center Solution
Richard Nichols, Security Analytics & Global Accounts Director
#RSAemeaSummit
© Copyright 2014 EMC Corporation. All rights reserved.
The RSA Perspective
•  The attack surface is expanding
•  Attackers are becoming more sophisticated
•  Existing strategies & controls are failing
•  Security teams are missing attacks
•  Teams need to increase experience & efficiency
•  Tools & processes must adapt to today's threats
Cyber-Espionage Detection
99% - Percent of successful attacks that were not discovered through logs
85% - Percent of cases where victims learned about their breach from an external party
83% - Percent of incidents that took weeks or more to discover
- VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT
Attackers Are Getting Stronger
[Chart: attacker capabilities vs. time to discovery]
- VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT
SECURITY & RISK CHALLENGES
•  Detecting & Stopping Threats
•  Managing Identities & Access
•  Preventing Fraud & Cybercrime
•  Ensuring Compliance
Across: Customers, Partners, Third-Parties, Cloud, On-Prem, Shadow IT, Mobile, Employees, BYOD
Be the hunter, not the hunted
TRANSFORM: Intelligence-Driven Security
Visibility, Analysis, Action
See More: Visibility
•  Packets, Logs, Endpoints, NetFlow
•  Capture-time data enrichment
•  Business & compliance context
Understand Everything: Analysis
•  Correlate multiple data sources
•  Endpoint threat detection
•  Out-of-the-box content
•  Big data & data science
Investigate & Remediate Faster: Action
•  Prioritized & unified analyst workflow
•  Investigate down to the finest details
•  Integrate SOC best practices
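The visibility, analysis and action slides describe one pipeline: normalise telemetry from several sources, enrich it at capture time with business and compliance context, correlate across sources per host, and prioritise by that context. As an added example that is not part of the deck and is not RSA Security Analytics code, here is that pipeline in Python over a constructed asset inventory and constructed sample records (a proxy log line, a NetFlow summary and an endpoint alert). The correlation window, the 10 MiB egress threshold and the score weights are assumptions for illustration, not figures from the deck.

```python
"""Added example (not RSA's code): capture-time enrichment, cross-source
correlation and context-based prioritisation over constructed sample data."""
from datetime import datetime, timedelta

# Constructed asset inventory: the "business & compliance context" joined at capture time.
ASSETS = {
    "10.0.1.20": {"name": "pay-db-01", "criticality": "high", "scope": ["PCI"]},
    "10.0.5.77": {"name": "kiosk-03", "criticality": "low", "scope": []},
}

# Constructed sample telemetry from three sources (all timestamps UTC).
PROXY_LOGS = [
    "2015-03-10T09:12:01Z src=10.0.1.20 dst=198.51.100.9 host=update.example.net method=POST bytes=512 status=200",
    "2015-03-10T09:14:40Z src=10.0.5.77 dst=203.0.113.5 host=cdn.example.org method=GET bytes=40960 status=200",
]
NETFLOW = [
    {"ts": "2015-03-10T09:11:55Z", "src": "10.0.1.20", "dst": "198.51.100.9", "dport": 443, "bytes_out": 52_000_000},
    {"ts": "2015-03-10T09:14:41Z", "src": "10.0.5.77", "dst": "203.0.113.5", "dport": 443, "bytes_out": 40_000},
]
ENDPOINT_ALERTS = [
    {"ts": "2015-03-10T09:10:30Z", "host_ip": "10.0.1.20", "signal": "unsigned-binary-persistence"},
]

CRIT_WEIGHT = {"high": 3, "medium": 2, "low": 1, "unknown": 2}  # assumed weights
EXFIL_BYTES = 10 * 1024 * 1024  # assumed: >= 10 MiB out of one host in a window is suspicious
WINDOW = timedelta(minutes=10)  # assumed correlation window


def parse_proxy_line(line):
    """Parse a 'ts k=v k=v ...' proxy line into the common event shape."""
    ts, _, rest = line.partition(" ")
    kv = dict(field.split("=", 1) for field in rest.split())
    return {"ts": ts, "source": "proxy", "src": kv["src"], "dst": kv["dst"],
            "bytes_out": int(kv["bytes"]), "detail": kv["host"]}


def normalize_netflow(rec):
    return {"ts": rec["ts"], "source": "netflow", "src": rec["src"], "dst": rec["dst"],
            "bytes_out": rec["bytes_out"], "detail": "tcp/%d" % rec["dport"]}


def normalize_endpoint(rec):
    return {"ts": rec["ts"], "source": "endpoint", "src": rec["host_ip"], "dst": None,
            "bytes_out": 0, "detail": rec["signal"]}


def enrich(event):
    """Capture-time enrichment: attach asset name, criticality and compliance scope."""
    asset = ASSETS.get(event["src"], {"name": "unknown", "criticality": "unknown", "scope": []})
    return {**event, "asset": asset["name"], "criticality": asset["criticality"],
            "scope": list(asset["scope"])}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def correlate(events, window=WINDOW):
    """Group events on the same internal host that fall within `window` of the
    previous event; each group is one candidate incident with its source set."""
    incidents = []
    for ev in sorted(events, key=lambda e: _ts(e["ts"])):
        for inc in incidents:
            if inc["host"] == ev["src"] and _ts(ev["ts"]) - inc["last"] <= window:
                inc["events"].append(ev)
                inc["sources"].add(ev["source"])
                inc["bytes_out"] += ev["bytes_out"]
                inc["last"] = _ts(ev["ts"])
                break
        else:
            incidents.append({"host": ev["src"], "asset": ev["asset"],
                              "criticality": ev["criticality"], "scope": ev["scope"],
                              "first": _ts(ev["ts"]), "last": _ts(ev["ts"]),
                              "events": [ev], "sources": {ev["source"]},
                              "bytes_out": ev["bytes_out"]})
    return incidents


def score(inc):
    """Prioritise by context: independent sources agreeing, asset criticality,
    regulated data in scope, and bulk egress after an endpoint indicator."""
    s = 10 * len(inc["sources"]) * CRIT_WEIGHT[inc["criticality"]]
    s += 20 * len(inc["scope"])
    if inc["bytes_out"] >= EXFIL_BYTES:
        s += 50
        if "endpoint" in inc["sources"]:
            s += 30  # host compromise indicator followed by bulk egress
    return s


def triage(proxy_lines=PROXY_LOGS, netflow=NETFLOW, endpoint=ENDPOINT_ALERTS):
    """Normalise, enrich, correlate and rank; returns incidents highest priority first."""
    events = [enrich(parse_proxy_line(l)) for l in proxy_lines]
    events += [enrich(normalize_netflow(r)) for r in netflow]
    events += [enrich(normalize_endpoint(r)) for r in endpoint]
    incidents = correlate(events)
    for inc in incidents:
        inc["priority"] = score(inc)
    return sorted(incidents, key=lambda i: i["priority"], reverse=True)


if __name__ == "__main__":
    for inc in triage():
        print("%4d %-10s %-12s sources=%s bytes_out=%d" % (
            inc["priority"], inc["asset"], inc["host"],
            ",".join(sorted(inc["sources"])), inc["bytes_out"]))
```

With the sample data the payment database host ranks first: three sources agree (endpoint persistence indicator, then 52 MB out over NetFlow, then a POST seen by the proxy), the asset is high criticality and in PCI scope. The kiosk host produces the same two network sources but no endpoint signal, little egress and no compliance scope, so it sorts below. Enrichment happens at ingest, before correlation, so the priority score never has to look the asset up again; the same design lets a later workflow stage route PCI-scoped incidents to a different queue.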
Building an ASOC is a Journey
Maturity levels, lowest to highest: Initial, Managed, Defined, Quantitatively Managed, Optimizing
•  Ad Hoc Incident Response (65% of Organizations)*
•  Incident Response as an emerging security function (25% of Organizations)*
•  Incident Response is a key force of an organization's security defenses & risk management (10% of Organizations)*
* "The Critical Incident Response Maturity Journey", RSA White Paper, Dec 2013
Capabilities Along Maturity Level
Focus by incident response stage:
•  Ad Hoc: Analyst Effectiveness (clearing known alerts)
•  Emerging Incident Mgt: SOC Program Effectiveness
•  Key Force: Risk Based View of SOC Program
SecOps capabilities leveraged, by maturity level:
Initial
•  Alert aggregation
•  Basic Workflow
Managed
•  Business Context
•  Multiple analyst workflow
•  Prioritize based on context
•  IR Procedures - OOTB
Defined
•  Customized IR procedures
•  Tiered analyst workflow
•  SOC Program Mgmt.
•  Team Management
•  Shift management
Quantitatively Managed / Optimizing
•  Breach preparedness
•  Continuous improvement
•  Security Control efficacy
•  Risk based view of IR
•  Link to overall GRC
•  KPIs
RSA Security Operations Management
Domain: People, Process, Technology
RSA SecOps: Incident Response, Breach Response, SOC Program Management, Framework & Alignment
Benefits
•  Detect and analyze before attacks impact the business
•  Investigate, prioritize, and remediate incidents
•  Unleash the potential of your existing security team
•  Evolve existing tools with better visibility & workflow
EMC, RSA, the EMC logo and the RSA logo are trademarks of EMC Corporation in the U.S. and other countries.