Adaptive Security and Incident Response - A Business-Driven Approach
Page 1
ADAPTIVE SECURITY & INCIDENT RESPONSE - A BUSINESS-DRIVEN APPROACH
Tony Sequino
Director of Sales, AlgoSec
Page 2
WE ARE UNDER ATTACK
Motivation Behind Attacks (February 2017):
• Cyber Crime: 64.5%
• Cyber Espionage: 22.4%
• Hacktivism: 7.9%
• Cyber Warfare: 5.3%
“Data Breaches Increase 40 Percent in 2016” - Identity Theft Resource Center (ITRC) and CyberScout
“More than 4,000 ransomware attacks have occurred every day since the beginning of 2016 (300% increase compared to 2015)” - Computer Crime and Intellectual Property Section (CCIPS)
Page 3
THREAT LANDSCAPE BACKGROUND
The attackers are already inside the network:
• Advanced Persistent Threat (APT)
• Social engineering
• Malicious insiders
What can happen during an attack:
• Data is being exfiltrated (theft, extortion, espionage)
• Critical services go down
• A compromised machine is part of a DDoS attack network
• …
Page 4
ADAPTIVE SECURITY & ACTIVE POLICY MANAGEMENT
“… active, preventive, investigative and response capabilities.”
“… context-aware network, endpoint and application security protection platforms”
- Neil MacDonald, Peter Firstbrook, Gartner 2016
“Leverage the Security Ecosystem from within the SIEM – Avoid Context Switching”
“Maintain context during investigations”
- Splunk Partner Information, 2016
Page 5
DIGITAL TRANSFORMATION & ADAPTIVE SECURITY CHALLENGES
• Far too much time spent reviewing, planning and approving change requests
• Skilled Resource Availability
• Expanding Architectures & Environments: Datacenter, Hybrid Cloud, Cloud
• Distributed Data & Services
• Increasing Threat Landscape
• Changing Regulatory Environment
• Increasing Audit, Reporting & Management Requirements
Page 6
DOES YOUR ENVIRONMENT LOOK LIKE THIS?
Diagram components: Malware Tools, Log Collection & Analysis, SIEM Solution, Vulnerability Scanner, Applications, Audit & Compliance, Security Policies, Network Estate
Page 7
ENTERPRISE SECURITY MODEL
Diagram components: Malware Tools, Log Collection & Analysis, SIEM Solution, Vulnerability Scanner, Applications, Audit & Compliance, Security Policies, Network Estate
SPHERE OF INFLUENCE: Security strategy influences your company’s business strategy and operations
SPHERE OF OPERATION: Security solution integration improves your organization’s operational posture
SPHERE OF CONTROL: Creating and automating a single view of your network estate, traffic, governing policies and applications aids in aligning security with your business needs and reducing your threat surface
Page 8
BROAD STAKEHOLDER LANDSCAPE
• Networks
• Network Operations
• Network Engineering
• DevOps
• Information & App Security
• Audit & Compliance
• Risk
• CISO
• Business Units
• Senior Management
Page 9
POLL: DO YOU HAVE A SOC (SECURITY OPERATIONS CENTER)?
• Yes
• No
• We are in the process of building one
• I don’t know
Please vote using the “votes from audience” tab in your BrightTALK panel
Page 10
THE SECURITY POLICY MANAGEMENT MATURITY MODEL

| Capability | Level 1 | Level 2 | Level 3 | Level 4 |
|---|---|---|---|---|
| Network visibility and mapping | Static map (e.g. Visio) | Live map | Live map | Live map across on-premises, SDN and cloud |
| Application to security mapping | None | Static (CMDB) | Static (CMDB) | Live, accurate mapping |
| Policy security posture (overly permissive/undocumented rules) | Poor | Fair | Good | Excellent |
| Security change management | Manual, error-prone | Mostly manual, some errors | Mostly automated, few errors | Automated policy push, virtually error-free |
| Risk reporting and assessment | Manual, costly | Some automation, costly | Automated and continuous | Automated and continuous |
| Network infrastructure auditing | Network level | Network level | Network level | Business application level |
| Alignment between security, network and service delivery teams | Poor | Fair | Good | DevSecOps |
Page 11
FINDING THE BALANCE
Permissive environment: introduces business risk
Restrictive environment: slows response time to business requests & needs
Where is the sweet spot for your business?
Page 12
BUSINESS-DRIVEN SECURITY MANAGEMENT
Page 13
APPROACH FOR BUSINESS SECURITY ALIGNMENT
• Develop a plan which aligns your security strategy with company business strategy & operations
• Crack the organizational silos:
  • Open & connected request and communication environment for all stakeholder organizations
  • Connected networking, security & applications teams …
• Automate change & monitoring processes across your network estate
• Create an incident detection & rapid response environment
Page 14
THE SECURITY POLICY MANAGEMENT LIFECYCLE
• Decommission redundant firewall rules and application connectivity
• Automatically migrate firewall rules
• Zero-touch change management
• Automated policy push
• Smart validation
• Policy monitoring
• Enforce security posture
• Out-of-the-box auditing and compliance reports
• Link firewall rules to applications
• Policy clean-up and optimization
• Firewall rule recertification
• Translate application connectivity into firewall rules
• Assess risk and compliance
• Tie cyber attacks and vulnerabilities to business processes
• Auto-discover and map application connectivity and security infrastructure
• Enable developers to define connectivity programmatically
Page 15
WHY HAVE ALGOSEC AT THE CORE?
• Need to be more agile, efficient and aligned with the dynamic changes of the business
• Clean up policies and reduce risk of misconfigurations
• Dynamic view of your network estate
• Infrastructure-independent for business agility
Applications run the business… Business-driven security needs application visibility
Page 16
THE ALGOSEC ECOSYSTEM
Diagram labels: Integrate, Business Process, Manage
For a complete list of supported devices visit www.algosec.com
Page 17
THE ALGOSEC ECOSYSTEM
Diagram labels: CONTROL, OPERATION, INFLUENCE
For a complete list of supported devices visit www.algosec.com
Page 18
THE ALGOSEC SECURITY MANAGEMENT SOLUTION
• BusinessFlow
• FireFlow
• Firewall Analyzer
Page 19
THE ALGOSEC ECOSYSTEM
Diagram labels: Integrate, Business Process, Manage
Supports a broad set of devices and environments
For a complete list of supported devices visit www.algosec.com
Page 20
ALGOSEC FIREWALL ANALYZER
Single pane of glass for managing and analyzing network security policies
• Topology map and traffic simulation
• Firewall rule optimization and cleanup
• Network segmentation enforcement
• Baseline configuration compliance
• Audit-ready compliance reports
• Risk assessment
Page 21
FIREWALL ANALYZER REPORT
Page 22
ALGOSEC FIREFLOW
Process firewall changes in minutes, not days. Proactively mitigate risk and enforce compliance.
• Security policy workflow automation
• Topology analysis and optimal rule design
• SLA tracking and complete audit trail
• Integration with ticketing systems
• Change validation and reconciliation
• Proactive risk and compliance verification
• Automated policy push & scheduling
Page 23
THE ALGOSEC ECOSYSTEM
Diagram labels: Integrate, Business Process, Manage
Robust API set for application integration
For a complete list of supported devices visit www.algosec.com
Page 24
ALGOSEC BUSINESSFLOW
Discover and provision business application connectivity. Manage risk from the business perspective.
• Connectivity discovery and mapping
• Request changes at the application level
• Secure application decommissioning
• Business-centric risk analysis
• Impact assessment to avoid outages
• Rapid datacenter and cloud migration
Page 25
APPLICATION RULE ASSOCIATION
Visibility into the applications supported by each rule:
• Viewers of a device's policy can justify the existence of traffic rules within the context of the application they support
• Users can see a list of supported applications per rule and drill down directly from the policy view to the application’s dashboard in BusinessFlow
• Clear visibility into the impact of a rule removal or rule modification
• Easily find rules that do not support any application
Page 26
ALGOSEC BUSINESSFLOW
Page 27
BUSINESSFLOW RISK ANALYSIS
Vulnerability scanner data can be imported and combined with out-of-the-box and customer-defined risk definitions.
Page 28
BUSINESSFLOW VULNERABILITIES
Drill down to individual servers and the rules associated with the application to identify specific vulnerabilities & risks
Page 29
SIEM/INCIDENT RESPONSE INTEGRATION
Applications, network map and automation:
• Gain visibility into the severity of security events by showing the applications exposed to each attacked server
• Immediate threat path analysis by displaying the exposure of the attacked server to the Internet
• Isolate the attacked server with a click of a button
• Supports both QRadar and Splunk
Page 30
SIEM/INCIDENT RESPONSE: AN INTEGRATED APPROACH
Page 31
POLL: DO YOU UNDERTAKE ACTIVE INCIDENT RESPONSE?
• Yes
• No
• I don’t know
Please vote using the “votes from audience” tab in your BrightTALK panel
Page 32
AlgoSec Plugin
Allows the response to be done within a single context or container
Page 33
Identify
Page 34
AlgoSec Plugin adds an action menu for all IP address fields
Identify & analyze affected applications and paths
Page 35
Identify affected application & contacts
Determine:
• Is it a critical business process?
• Priority for response
• Who to notify
• Next steps …
Page 36
Initiate Query
A traffic simulation is generated for the impacted application and/or system(s)
Traffic is partially allowed: what is accessible?
Devices that are allowing traffic are identified
Dynamic representation of the path:
• Can it reach the internet? – Yes
• Can data be lost? – Yes
• Can other systems or regions be impacted? – ?
Page 37
Check traffic from the impacted system (10.3.3.3 in the screenshot) to sensitive zone(s)
What can the impacted system reach?
• Is it a stepping stone?
• Can critical data be accessed?
• Can business operations be disrupted?
• What are the reporting requirements?
• What is the regulatory impact?
Result: some traffic allowed; the devices allowing traffic are listed
Page 38
Take Action
Page 39
Initiate & track AlgoSec change request to isolate the impacted server
Page 40
Execute change to isolate the compromised server from the network
AlgoSec Change Request: all devices allowing traffic are identified and change request(s) created
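The Identify, Analyze and Take Action steps on pages 33 to 40, and the "rules that do not support any application" check on page 25, can be modelled end to end in a short script. The following is an added example written for this transcript; it is not AlgoSec's code and calls no AlgoSec or SIEM API. Every device name, CIDR, rule, application flow, owner contact and zone path below is constructed sample data, and the path model (a flow is allowed when every device on a fixed device list allows it, first match wins, implicit deny) is a deliberate simplification of real topology-aware traffic simulation.

```python
"""Added example (not AlgoSec code): a toy model of the checks the slides walk
through. Rules, zones, paths, application flows and contacts are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    device: str
    name: str
    src: str             # CIDR
    dst: str             # CIDR
    port: Optional[int]  # None = any port
    action: str          # "allow" or "deny"

    def matches(self, src_ip: str, dst_ip: str, port: int) -> bool:
        """Does one packet (src, dst, port) hit this rule?"""
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and self.port in (None, port))

    def covers_flow(self, src_net: str, dst_net: str, port: int) -> bool:
        """Does every packet of a documented application flow hit this rule?"""
        return (ip_network(src_net).subnet_of(ip_network(self.src))
                and ip_network(dst_net).subnet_of(ip_network(self.dst))
                and self.port in (None, port))


# Constructed policy: ordered rules per device, first match wins, implicit deny.
POLICY: Dict[str, List[Rule]] = {
    "fw-core": [
        Rule("fw-core", "payments-db", "10.3.3.0/24", "10.20.0.0/24", 5432, "allow"),
        Rule("fw-core", "portal-in", "10.1.1.0/24", "10.3.3.0/24", 443, "allow"),
        Rule("fw-core", "outbound-web", "10.3.0.0/16", "0.0.0.0/0", 443, "allow"),
        Rule("fw-core", "legacy-ftp", "10.3.3.0/24", "10.50.0.0/24", 21, "allow"),
    ],
    "fw-edge": [Rule("fw-edge", "web-out", "10.3.0.0/16", "0.0.0.0/0", 443, "allow")],
    "fw-pci": [Rule("fw-pci", "db-in", "10.3.3.0/24", "10.20.0.0/24", 5432, "allow")],
}
# Constructed application inventory: documented flows (src, dst, port) and an owner.
APPS = {
    "Payments": {"owner": "payments-oncall@example.com",
                 "flows": [("10.3.3.0/24", "10.20.0.0/24", 5432)]},
    "Intranet Portal": {"owner": "portal-team@example.com",
                        "flows": [("10.1.1.0/24", "10.3.3.0/24", 443)]},
    "HR System": {"owner": "hr-it@example.com",
                  "flows": [("10.1.1.0/24", "10.4.4.0/24", 8443)]},
}
# Constructed topology: devices on the path to each zone and a representative target.
PATHS = {"internet": ["fw-core", "fw-edge"], "pci": ["fw-core", "fw-pci"]}
TARGETS = {"internet": ("203.0.113.10", 443), "pci": ("10.20.0.5", 5432)}


def affected_applications(host: str) -> List[Tuple[str, str]]:
    """Identify step: applications whose documented flows include the host."""
    addr = ip_address(host)
    return [(name, app["owner"]) for name, app in APPS.items()
            if any(addr in ip_network(s) or addr in ip_network(d)
                   for s, d, _ in app["flows"])]


def device_allows(device: str, src: str, dst: str, port: int, policy) -> bool:
    for rule in policy[device]:
        if rule.matches(src, dst, port):
            return rule.action == "allow"
    return False  # implicit deny at the end of every device policy


def simulate(src: str, zone: str, policy=POLICY) -> Tuple[bool, List[str]]:
    """Analyze step: can src reach the zone, and which devices let it through?"""
    dst, port = TARGETS[zone]
    allowing = [d for d in PATHS[zone] if device_allows(d, src, dst, port, policy)]
    return len(allowing) == len(PATHS[zone]), allowing


def rules_without_application(policy=POLICY) -> List[str]:
    """Rules no documented application needs: recertification or clean-up candidates."""
    flows = [f for app in APPS.values() for f in app["flows"]]
    return [f"{r.device}/{r.name}" for rules in policy.values() for r in rules
            if not any(r.covers_flow(*f) for f in flows)]


def isolation_changes(host: str, policy=POLICY) -> Dict[str, List[Rule]]:
    """Take Action step: a quarantine deny pair for every device that currently
    passes the host's traffic toward any checked zone."""
    devices = {d for zone in PATHS for d in simulate(host, zone, policy)[1]}
    return {d: [Rule(d, f"quarantine-{host}-out", f"{host}/32", "0.0.0.0/0", None, "deny"),
                Rule(d, f"quarantine-{host}-in", "0.0.0.0/0", f"{host}/32", None, "deny")]
            for d in sorted(devices)}


def apply_changes(policy, changes) -> Dict[str, List[Rule]]:
    """Validation step: the new policy with the quarantine rules placed first."""
    return {d: changes.get(d, []) + rules for d, rules in policy.items()}


if __name__ == "__main__":
    host = "10.3.3.3"  # the attacked server named in the SIEM alert
    print("affected applications:", affected_applications(host))
    for zone in PATHS:
        print(f"{host} -> {zone}:", simulate(host, zone))
    print("rules with no application:", rules_without_application())
    quarantined = apply_changes(POLICY, isolation_changes(host))
    print("reachable after isolation:", [simulate(host, z, quarantined)[0] for z in PATHS])
```

Two details matter in practice. The quarantine rules are prepended rather than appended, because on a first-match policy a deny placed after an existing allow changes nothing; the re-run of `simulate` against the modified policy is the "smart validation" the lifecycle slide asks for, and it should be part of the change request, not an afterthought. And `rules_without_application` flags the very rules (`outbound-web`, `web-out`) that gave the compromised host its Internet path, which is the link the slides draw between rule recertification and reduced exposure during an incident.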
Page 41
INCIDENT RESPONSE IN CONTEXT
01 Identify
02 Analyze
03 Notify
04 Take Action
05 Remediate
06 Capture Actions for Reporting
07 Final Report
Page 42
SUMMARY
• Stakeholder breadth requires open and rapid communications
• Build a plan that supports the needs of the business
• Dynamic traffic simulation streamlines responses to requests and aids in identification of problems and exposures
• Structured change automation eliminates errors and improves communication
• Regular monitoring and reporting ensures environment health
• Mapping applications to flows and ownership improves the change process, intragroup communications and issue response/resolution
• Application integration provides rapid identification and response to issues
Page 43
MORE RESOURCES
www.algosec.com/resources
Whitepapers, video, datasheet