Monday, August 24, 2015

2015 RSA Conference - How the security game has changed

The president of RSA, during the keynote speech at the 2015 RSA conference, highlighted the fact that billion-dollar companies that invest millions in shiny security devices are still getting hacked. According to a recent Verizon report, less than 1% of breaches were detected by SIEM. The solution is an upgraded security strategy, where security analysts dedicate time to "hunting" for threats and breaches on the network. They need to spend time learning what normal network activity is, and how staff normally use the network, so that anomalies become more apparent.

Critical Principles for every Security Program:

- Even advanced protection fails:
  - Cannot rely only on advanced protection. Motivated attackers can evade detection by sandboxes or other advanced technologies.
- We need pervasive and true visibility:
  - Stuxnet and other advanced threats were stealthy.
  - Need full packet capture and endpoint visibility: which systems are communicating with each other, and the frequency, volume and content of these communications.
  - Need correlation of multiple sources of information to detect attacks.
  - Need to understand the scope/purpose of each attack before cleaning up the affected machines (otherwise the attacker may just learn what you can detect, and bypass it).
- Identity management is a must:
  - Governance - who should have access to what
  - Access - control who has access (implementation)
  - Lifecycle - managing the evolution of that access over time
  - NOTE: Identity management is a strategic business partner, not a cost center. Most breaches were based on malware and stolen credentials. Privileged accounts and senior managers must be protected.
- Threat intelligence matters:
  - External threat intelligence: from security vendors
  - Internal threat intelligence: from security analysts who are given time to "hunt" the network
- Prioritize risk:
  - Limited resources for maximum impact
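As an added illustration of the "learn what normal looks like, then hunt for what is not" point above (example code written for this post, not from the keynote or from RSA): build a baseline of which hosts talk to which and at what volume, check one day's flows against it, and then correlate the network findings with a second source, endpoint telemetry. Every host name, byte count and alert here is constructed sample data.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: one working week of "normal" flows, recorded as
# total bytes per day for each (src, dst) pair.
BASELINE_FLOWS = {
    ("ws-12", "fileserver"): [51_000, 48_500, 53_200, 49_900, 50_700],
    ("ws-12", "mail"):       [12_000, 11_400, 12_900, 12_200, 11_800],
    ("ws-07", "fileserver"): [30_100, 29_800, 31_000, 30_400, 29_900],
}

# Constructed flows observed on the day under review.
TODAY_FLOWS = [
    ("ws-12", "fileserver", 52_000),   # within the normal range
    ("ws-12", "mail", 12_100),         # within the normal range
    ("ws-12", "203.0.113.9", 8_400),   # peer never seen in the baseline
    ("ws-07", "fileserver", 410_000),  # roughly 13x the usual daily volume
]

# Constructed endpoint telemetry: hosts where an unknown binary launched today.
# This is the independent second source the keynote says must be correlated.
ENDPOINT_ALERTS = {"ws-12"}


def build_baseline(flows):
    """Per (src, dst) pair: mean and std-dev of daily bytes, plus each host's known peers."""
    stats = {pair: (mean(v), pstdev(v)) for pair, v in flows.items()}
    peers = defaultdict(set)
    for src, dst in flows:
        peers[src].add(dst)
    return stats, peers


def hunt(today, baseline_flows, endpoint_alerts, z_threshold=3.0):
    """Return (host, finding, detail) tuples: new peers, volume spikes, and
    hosts where the network anomaly coincides with an endpoint alert."""
    stats, peers = build_baseline(baseline_flows)
    findings = []
    for src, dst, nbytes in today:
        if dst not in peers[src]:            # never-seen communication pair
            findings.append((src, "new_peer", dst))
            continue
        avg, sd = stats[(src, dst)]
        z = (nbytes - avg) / sd if sd else (float("inf") if nbytes > avg else 0.0)
        if z > z_threshold:                  # volume far outside the baseline
            findings.append((src, "volume_spike", dst))
    # Correlation step: a host with both a network anomaly and an endpoint
    # alert is ranked above either signal on its own.
    flagged_hosts = {src for src, _, _ in findings}
    for host in sorted(flagged_hosts & set(endpoint_alerts)):
        findings.append((host, "correlated", "network+endpoint"))
    return findings
```

In practice the baseline would be rebuilt continuously from packet capture or flow logs, and the z-score threshold tuned per pair, but the shape of the check is the same.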