Page 1:

IT-Security-Symposium 2019 – IT Security in Focus

Comprehensive IT Protection: More Than Classic Protection Approaches – Cloud, DLP, Endpoint

Patrick K. Kuttruff, Cyberdefense Strategist, Symantec

Page 2:

Comprehensive IT Protection

More Than Classic Protection Approaches

Patrick K. Kuttruff, CISM

Cyberdefense Strategist

Cloud, Netzwerk, Endpoint, Data

Page 3:

Copyright © 2019 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY

Symantec Integrated Cyber Defense – Delivering a Comprehensive Security Model for the Cloud Generation

Diagram labels: Headquarters, Data Center, Regional Office, Roaming Users

Page 4:

The CLOUD

Page 5:

New Challenges

25% of Cloud Docs are Broadly Shared¹

¹ 1H 2016 Shadow Data Report

Diagram labels: Proliferation of Cloud Apps, Variety of Endpoints, Shadow Data Problem, Compromised Accounts; Risk Assessment, Intrusion Detection, Proxy/Firewall, DLP, Incident Response, Investigations, Malware Detection

Page 6:

CASB 1.0

Visibility – Visibility of Shadow IT

Threat Protection – Protection Against Malicious Attacks

Data Security – Granular Control of Sensitive Data

Page 7:

CASB 1.0

How can I automate control of Shadow IT?

Can I apply my existing DLP policies to data in cloud apps?

Can I encrypt data and control who has access regardless of where it goes?

Which files in my cloud apps are malware?

Can I dynamically trigger MFA for risky transactions?

Can I track roaming users as part of my Shadow IT analysis?

Can I have my cloud activity be monitored by a Managed Service?

Page 8:

The NETWORK (PERIMETER)

Page 9:

Security Analytics – System of Record

Security Camera and DVR for Your Network

Enriched traffic recording delivers unparalleled evidence

• 24/7 lossless full packet recording

• Intelligent/enriched system of record

• Days, weeks or months of traffic

• Appliance or VM

Diagram labels: PE SCANNER, JSUNPACK, GEOLOCATION, MORE…, MA

“At a minimum, organizations should capture 30 days of packet data. 60 days’ worth is even better.”

Page 10:

How does your organization stack up?

Maturing Incident Response Capabilities

THREAT/ANOMALY DETECTION

• All file, web, mail

• Machine learning

MALWARE ANALYSIS

• Static / behavioral

• Emulation

RECORD

• Full packet capture

• Evidence preservation

REPLAY

• File reconstruction

• File analysis

SEARCH / METADATA

• Real-time data capture

• Comprehensive application awareness (3,200+)

3RD-PARTY INTELLIGENCE

• Packet data enriched with URL and file reputation

• Global community threat intelligence

SECURITY TOOL INTEGRATION

• SIEM

• NGFW

• IDS/IPS

• Endpoint

Maturity stages: RETAIN EVIDENCE & IMPACT, ENRICHED INVESTIGATION, PROACTIVE INCIDENT RESPONSE

Page 11:

Security Analytics

Remediate & Fortify

Reconstruct Incidents & Extract Evidence

Incident Response & Advanced Network Forensics

Detect Breaches & Integrate Context

THE SECURITY CAMERA & DVR FOR YOUR NETWORK

Page 12:

Full visibility of all traffic

Security Camera for Your Network:

Detect Breaches & Integrate Context

• Complete, lossless packet capture on high-speed network (24/7 – all ports/all traffic)

• Comprehensive DPI with layers 2-7 indexing (over 3,200 applications classified)

• Actionable intelligence, anomaly detection and event reconstruction (full packet, flow, session & file)

• Chronological display of all network events validates compliance and acceptable use policies

• Scalable deployment as either appliance/software/virtual appliance for days/weeks/months of traffic

Page 13:

Details for every alert

Security Camera for Your Network:

Reconstruct Incidents & Extract Evidence

• Know what happened before, during and after an alert, with complete, clear supporting evidence

• Multiple sources for real-time integrity & reputation of URL, IP address, file hash or email address

• Trace back and discover Tactics, Techniques & Procedures and identify Indicators of Compromise

• Integrated workflows with leading network and endpoint security tools to add context and improve effectiveness

Page 14:

Reduce time-to-resolution

Security Camera for Your Network:

Remediate & Fortify – Increased Time-to-Action

• Retrospective forensics analysis on any attack

• Answer critical “post-breach” questions that plague CISOs – how? what? who? when? …

• Root Cause Explorer quickly identifies the source of attack, reducing time-to-resolution

• Faster time-to-identification/action/reaction with Security Analytics allows up to 85% faster resolution

• Global Intelligence Network updated with newly-discovered threat intelligence

Page 15:

The ENDPOINT

Page 16:

Critical questions investigators need to answer

Limited Endpoint Visibility

• What happened on my endpoints?

• Which files were used and where did they come from?

• Did malware spread to other endpoints?

• Which processes were changed on my endpoints?

• Did attackers establish persistence on the endpoint?

Page 17:

• Most effective ransomware protection

• Defend against file-less threats including memory based exploits

• Virtual patching for critical vulnerabilities

• Block polymorphic malware

• Detect stealthy threats

• Investigate and Hunt IoCs

• Rapidly fix endpoints

• Automate IR tasks

• Identify hidden adversaries

• Expose attackers’ intent and tactics to enhance security posture

• Auto-assess application risk

• Protect IT approved apps from exploits

• Isolate suspicious apps to prevent privileged operations

• Stop persistent threats on Active Directory

• Use world’s largest civilian GIN to block common threats

• Block lateral movement and command & control traffic

• Device-level control and lockdown (USB, system files)

• Remediate malware infections

Symantec Endpoint Portfolio Delivers Cutting Edge Technologies

Multilayered, Single-agent, Endpoint Protection

Diagram labels (single agent): APPLICATION CONTROL, NETWORK FIREWALL & INTRUSION PREVENTION, DEVICE CONTROL & POWER ERASER, REPUTATION ANALYSIS, Anti-malware (ANTIVIRUS), Advanced Malware Protection (BEHAVIOR MONITORING, ADVANCED MACHINE LEARNING, EMULATOR, MEMORY EXPLOIT MITIGATION), EDR, Hardening (APPLICATION ISOLATION), Deception, THREAT DEFENSE FOR ACTIVE DIRECTORY

Page 18:

Symantec EDR delivers incident investigation and response across Windows, macOS and Linux.

Detect Stealthy Threats – Get alerted to threats that ‘hide in plain sight’

Hunt and Investigate IoCs – Find suspicious objects, inspect, convict and contain

Rapidly Fix Endpoints – Remediate impacted endpoints with one click

Automate and Integrate – Enhance productivity for analysts at every level

Symantec EDR Overview

Page 19:

Endpoint Recording and Playback

Endpoint Activity Recorder

See system and process changes threats made to endpoints. Feed these events to cloud-based analytics for custom detections.

Continuous recording over time; retrieve and play back everything available on the local queue (diagram: request data, steps 1–5).

Recorded event types:

Session – User session logon and logoff

Process – Launch and terminate

Module – Loads and unloads

File – Create, Read, Delete, Rename

Folder – Folder operations

Registry Key – Operations on registry key

Registry Value – Operations on registry values

Network – Actor process network

Named object – Named object attributes

Run custom analytics on recorded events, create custom detections and alerts

Investigate
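The event types above are the raw material for "custom detections". As an added example (not Symantec code and not the Endpoint Activity Recorder's real schema), the Python below runs a few defender-side detections over a constructed stream of such events: an Office application spawning a script host, an encoded PowerShell command line, a value written under a Run key as a persistence indicator, and a burst of file renames by one process. Field names (type, host, actor, parent, cmdline, key, path), rule scores and every event are assumptions constructed for the example; the second host shows that ordinary PowerShell use raises nothing.

```python
"""Custom detections over Endpoint-Activity-Recorder-style events (added example,
not Symantec code; field names and all sample events are constructed assumptions)."""
import re
from collections import defaultdict
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Autostart key commonly written by malware to survive a reboot (persistence).
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
# PowerShell's -EncodedCommand switch and the abbreviations it accepts.
ENCODED_FLAG = re.compile(r"(^|\s)-(e|ec|en|enc|encodedcommand)\s", re.I)


@dataclass(frozen=True)
class Finding:
    host: str
    ts: int
    rule: str
    score: int
    detail: str


def _ev(ts, host, type_, action, **fields):
    return {"ts": ts, "host": host, "type": type_, "action": action, **fields}


# Constructed recorder stream: one compromised workstation and one clean one.
EVENTS = [
    _ev(1, "WS-01", "Session", "logon", user="alice"),
    _ev(2, "WS-01", "Process", "launch", actor="WINWORD.EXE", parent="explorer.exe",
        cmdline="WINWORD.EXE invoice.docm"),
    _ev(3, "WS-01", "Process", "launch", actor="powershell.exe", parent="WINWORD.EXE",
        cmdline="powershell.exe -nop -w hidden -enc JABhACAAPQAgADEA"),
    _ev(4, "WS-01", "Registry Value", "set", actor="powershell.exe",
        key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", value="Updater"),
    # Benign admin use of PowerShell on a second host: must raise no finding.
    _ev(40, "WS-02", "Process", "launch", actor="powershell.exe", parent="explorer.exe",
        cmdline="powershell.exe Get-Process"),
] + [
    # 30 rapid renames of user documents by one process: ransomware-style behaviour.
    _ev(10 + i, "WS-01", "File", "rename", actor="payload.exe",
        path=rf"C:\Users\alice\Documents\doc{i}.docx",
        new_path=rf"C:\Users\alice\Documents\doc{i}.docx.locked")
    for i in range(30)
]


def rule_office_spawns_script_host(ev):
    """Office document handing off to a script interpreter (macro-style execution)."""
    if (ev["type"] == "Process" and ev["action"] == "launch"
            and ev.get("parent", "").lower() in OFFICE_APPS
            and ev.get("actor", "").lower() in SCRIPT_HOSTS):
        return Finding(ev["host"], ev["ts"], "office_spawns_script_host", 40,
                       f"{ev['parent']} launched {ev['actor']}")
    return None


def rule_encoded_powershell(ev):
    """PowerShell started with an encoded command line, a common obfuscation."""
    if (ev["type"] == "Process" and ev["action"] == "launch"
            and ev.get("actor", "").lower() == "powershell.exe"
            and ENCODED_FLAG.search(ev.get("cmdline", ""))):
        return Finding(ev["host"], ev["ts"], "encoded_powershell", 30, ev["cmdline"])
    return None


def rule_run_key_persistence(ev):
    """A value set under Run/RunOnce answers 'did attackers establish persistence?'."""
    if (ev["type"] == "Registry Value" and ev["action"] == "set"
            and RUN_KEY.search(ev.get("key", ""))):
        return Finding(ev["host"], ev["ts"], "run_key_persistence", 35,
                       f"{ev['actor']} set {ev['key']}\\{ev['value']}")
    return None


def rule_mass_file_rename(events, threshold=20, window=60):
    """Stateful rule: one actor renaming `threshold`+ files inside a `window`-second span."""
    stamps = defaultdict(list)
    for ev in events:
        if ev["type"] == "File" and ev["action"] == "rename":
            stamps[(ev["host"], ev["actor"])].append(ev["ts"])
    findings = []
    for (host, actor), times in stamps.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= threshold:
                findings.append(Finding(host, start, "mass_file_rename", 50,
                                        f"{actor} renamed {n} files within {window}s"))
                break
    return findings


PER_EVENT_RULES = (rule_office_spawns_script_host, rule_encoded_powershell, rule_run_key_persistence)


def evaluate(events):
    """Run every rule over the stream; findings ordered by host, then time."""
    findings = [f for ev in events for rule in PER_EVENT_RULES if (f := rule(ev))]
    return sorted(findings + rule_mass_file_rename(events), key=lambda f: (f.host, f.ts))


def risk_by_host(events):
    """Aggregate rule scores per endpoint; an alert threshold acts on this total."""
    totals = defaultdict(int)
    for f in evaluate(events):
        totals[f.host] += f.score
    return dict(totals)


def incidents(events, threshold=50):
    """Hosts whose aggregated risk reaches the threshold become incidents."""
    return sorted(h for h, s in risk_by_host(events).items() if s >= threshold)


if __name__ == "__main__":
    for f in evaluate(EVENTS):
        print(f"{f.host} t={f.ts:>3} {f.rule:<26} +{f.score} {f.detail}")
    print("risk:", risk_by_host(EVENTS), "incidents:", incidents(EVENTS))
```

Scoring per rule and aggregating per host, rather than alerting on each event, is what lets a low-confidence signal such as an encoded command line stay quiet on its own while still counting when it appears alongside a persistence write and a rename burst on the same endpoint.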

Page 20:

Investigate, Hunt and Prioritize

Find suspicious objects and related events

Endpoint IoC Search

• Search for IoCs in real-time across database and endpoints

• Search Endpoint Activity Recorder streamed events

• Leverage quick filters

• Customer-extended scan areas (e.g. \Downloads, \Box)

Real-time Auto Incident Generation / Sandbox

• Memory exploit detections

• Suspicious PowerShell

• Risk-scored recorder events

• Automatically submit suspicious files to sandbox (on-premises or cloud)

Forensic Collection

• Full endpoint and file/process dumps

• Acquire process memory

• Collect PE and non-PE files

• Acquire OS forensic artifacts (e.g. Prefetch, MFT, browser history)

Investigate

Page 21:

Complete and Rapid Endpoint Repair

• Blacklist or whitelist a file

• Delete a file, reverse load point changes, return endpoint to a pre-infection state

• Quarantine compromised endpoints

• Fortify against future infection

Diagram: Blacklist a malicious file (.EXE), Isolate an endpoint, Delete a malicious file (.EXE)

Fully remediate across endpoints from a single console with one click.

EDR with SEP

Respond

Page 22:

Visualization

Interactive graphics simplify complex investigations

• Visual incident diagrams and alerts

• Connect impacted endpoints with actors and objects, pivot for more detail

• Quickly learn the source, timing and impact of an incident

• Visual link analysis

• Understand contextual relationships between unrelated data types

• Transform large amounts of data into interactive graphics and reports

• Focus on relevant activity with machine-assisted analysis

• Simplify reporting

Investigate

Page 23:

Manual activities and processes hinder SOC productivity

Complex Manual Workflows

SOC managers need to reduce mean time to resolution and lower cost:

• Skilled analysts are hard to find and retain

• Must speed triage and prioritize alerts

• Need to capture and reuse the best practices of skilled analysts to enhance incident response and threat hunting

People, process and infrastructure need to be integrated to streamline operations:

• Simplify the management of data flows and initiate actions across control points

• Require more from existing investments in SIEM and ticketing products

Page 24:

Automate Investigation and Artifact Collection

Leverage built-in playbooks, create custom workflows

Built-in Playbooks – Quickly initiate cyber security functions and leverage expert investigation methods with built-in playbooks.

Custom Workflows – Automate repetitive manual tasks and create custom investigation flows.

Artifact Collection – Gain in-depth visibility into endpoint activity with automated artifact collection.

Automate

Page 25:

Integrations with Symantec and Partner Products

Only Symantec delivers integrated cyber defense

Control Points: Email Security, Web Gateway, Cloud Security, Data Loss Prevention, Encryption, Advanced Threat Protection, EDR, Content Analysis, SEP + EDR, ITMS, Security Analytics

SOC Integration: SIEM, Orchestration & Automation, Ticketing

Global Intelligence Network

Integrate

Page 26:

The DATA

Page 27:

Pressing Problems in Data Protection – Changing usage models will mandate a platform architecture

Diagram labels: BEST IN CLASS TERMINATION POINTS & PROTECTION, DEEP ARTIFICIAL INTELLIGENCE & AUTOMATION, A DARK INTERNET, THE COMING FISCAL CRISIS

Data Breaches – Targeted threats aim to steal sensitive data from critical devices

Regulations Compliance – Increased scrutiny demands data visibility, access controls and leakage risk

Page 28:

Foundation to a Data Protection Program

Superior Detection – Comprehensive detection methods

Visibility Everywhere – Visibility and protection on all channels and locations

Integrated Platform – Integration with the rest of your security architecture

Diagram labels: Provider Ecosystem, Third-Party Integrations, Information Exchange Layer, Managed Security Services Provider, Custom Outcomes

Page 29:

Data Detection and Protection in the Cloud – Data protection must be consistent across all channels

Diagram labels: Cloud Access Security Broker, Web Gateways, Email Security; Endpoint, Storage, Network, Cloud; DATA DETECTION AND PROTECTION; POLICIES MANAGEMENT

Cloud channels: SaaS/IaaS (AWS, Box, OneDrive, SFDC…), Web (LinkedIn, Facebook, Twitter…), Email (O365, Gmail)

Detection in the cloud · All control points · Single pane of glass · Mobile & BYOD

Page 30:

Data Loss Prevention – Answers these critical questions about your information

DISCOVER – Where does your confidential data live? Locate where your sensitive information resides across your cloud, mobile, network, endpoint and storage systems.

MONITOR – How is it being used? Understand how your sensitive information is being used, including what data is being handled and by whom.

PROTECT – How do you prevent data loss? Stop sensitive information from being leaked or stolen by enforcing data loss policies and educating employees.
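To make DISCOVER, MONITOR and PROTECT concrete, the following is an added Python example, not Symantec DLP code: a minimal content-aware policy check with three detectors (Luhn-validated payment card numbers, classification markers, bulk e-mail addresses), a per-channel policy that decides allow, notify or block, and a discovery pass over an inventory of storage locations. The detectors, severities, channel names, thresholds and every sample document are constructed assumptions; the Luhn check is there to show why a bare digit pattern is not enough (a tracking number that fails the checksum is let through).

```python
"""Content-aware DLP policy check (added example, not Symantec DLP code).
Detectors, severities, channel names and all sample documents are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Match:
    detector: str   # which content rule fired
    severity: int   # 1 = low, 2 = medium, 3 = high
    excerpt: str    # redacted evidence for the incident record, never the raw value


_CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
_MARKER_RE = re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY)\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from order or tracking numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def detect_cards(text):
    out = []
    for m in _CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            out.append(Match("payment_card", 3, "**** **** **** " + digits[-4:]))
    return out


def detect_markers(text):
    return [Match("classification_marker", 2, m.group().upper()) for m in _MARKER_RE.finditer(text)]


def detect_bulk_pii(text, threshold=5):
    """Many distinct e-mail addresses in one object indicate an exported contact list."""
    addrs = {a.lower() for a in _EMAIL_RE.findall(text)}
    return [Match("bulk_email_addresses", 3, f"{len(addrs)} distinct addresses")] if len(addrs) >= threshold else []


def scan(text):
    return detect_cards(text) + detect_markers(text) + detect_bulk_pii(text)


# PROTECT policy: the minimum severity that blocks a transfer on each channel.
# Anything detected below that threshold is logged and the user notified (MONITOR).
BLOCK_AT = {"email_external": 2, "web_upload": 2, "cloud_share_external": 2,
            "usb": 3, "email_internal": 4}   # 4 = never block internally, only notify


def decide(text, channel):
    matches = scan(text)
    if not matches:
        return "allow"
    return "block" if max(m.severity for m in matches) >= BLOCK_AT[channel] else "notify"


def discover(inventory):
    """DISCOVER: which detectors fire at each storage location (data-at-rest view)."""
    return {loc: sorted({m.detector for m in scan(text)})
            for loc, text in inventory.items() if scan(text)}


# Constructed sample content (4111 1111 1111 1111 is a well-known test card number).
DOC_CARD = "Invoice 2019-117: card 4111 1111 1111 1111 charged, contact billing@example.com"
DOC_BAD_LUHN = "Shipment tracking reference 4111 1111 1111 1112, no payment data"
DOC_MARKER = "INTERNAL ONLY - draft pricing for the Q3 renewal"
DOC_CLEAN = "Agenda for the Tuesday sync: roadmap, hiring, offsite"
DOC_LIST = "\n".join(f"user{i}@example.org" for i in range(8))
INVENTORY = {"file-share://finance/invoices": DOC_CARD,
             "box://marketing/agenda": DOC_CLEAN,
             "laptop://alice/export.csv": DOC_LIST}

if __name__ == "__main__":
    for doc, chan in [(DOC_CARD, "email_external"), (DOC_CARD, "email_internal"),
                      (DOC_BAD_LUHN, "web_upload"), (DOC_MARKER, "usb"), (DOC_CLEAN, "usb")]:
        print(f"{chan:<22} {decide(doc, chan):<6} {[m.excerpt for m in scan(doc)]}")
    print(discover(INVENTORY))
```

The same scan() result drives all three steps: discover() reports where detectors fire at rest, a notify decision is the monitor outcome (the transfer proceeds, the incident is recorded and the user is told), and block is the protect outcome; only the channel policy table differs between them.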

Page 31:

From DLP to an Integrated Data Security Platform

Data Loss Prevention (Endpoint, Storage, Network, Cloud)

Cloud Access Security Broker (CASB)

Data Classification (ICT)

User and Entity Behavior Analytics (ICA)

Identity and Access Management (VIP)

Web Gateways (ProxySG, WSS, Mobile)

Digital Rights Management (ICE)

Email Security, Encryption, SSLV, SEP, CCS…

Key products (diagram labels): Web Gateways, ICT, ICA, SEP, VIP, ICE, CASB, Endpoint Security (SEP)

Page 32:

Next Steps

Page 33:

Where do we go from here?

• Engage

  • Part of the 360° IT Security Workshop

  • Meet & Greet the New Symantec

  • Solution Overview (Face-to-Face, WebEx)

  • Demo

  • Architecture Workshop

• Evaluate

  • Existing Environment: Health Check

  • Proof of Concept (PoC)

  • Advanced Threat Assessment: Network, Endpoint, Cloud

• Deploy & BE SAFE ☺

Page 34:

Thank You!