The president of RSA, during the keynote speech at the 2015 RSA conference, highlighted the fact that billion-dollar companies that invest millions in shiny security devices are still getting hacked. According to a recent Verizon report, fewer than 1% of breaches were detected by SIEM. The solution is an upgraded security strategy in which security analysts dedicate time to "hunting" for threats and breaches on the network. They need to spend time learning what normal network activity looks like and how staff normally use the network, so that anomalies become more apparent.
Critical principles for every security program:
· Even advanced protection fails:
  o Cannot rely only on advanced protection. Motivated attackers can evade detection by sandboxes or other advanced technologies.
· We need pervasive and true visibility:
  o Stuxnet and other advanced threats were stealthy.
  o Need full packet capture and endpoint visibility: which systems are communicating with each other, and the frequency, volume and content of those communications.
  o Need correlation of multiple sources of information to detect an attack.
  o Need to understand the scope and purpose of each attack before cleaning up the affected machines (otherwise the attacker may simply learn what you can detect and bypass it).
· Identity management is a must:
  o Governance - who should have access to what
  o Access - controlling who has access (implementation)
  o Lifecycle - managing the evolution of that access over time
  o NOTE: identity management is a strategic business partner, not a cost center. Most breaches were based on malware and stolen credentials. Privileged accounts and senior managers must be protected.
· Threat intelligence matters:
  o External threat intelligence: from security vendors
  o Internal threat intelligence: from security analysts who are given time to "hunt" the network
· Prioritize risk:
  o Limited resources for maximum impact
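As an added illustration (not from the keynote) of the "visibility" and "correlation of multiple sources" points above: a baseline of normal host-to-host traffic volume is built from constructed flow records, deviations and never-seen peers are flagged, and a host is escalated only when the network anomaly coincides with a privileged logon from a second, endpoint-side source. Host names, byte counts, account names and the PRIVILEGED set are all constructed sample data.

```python
# Correlate two constructed log sources (network flow summaries and endpoint
# authentication events) against a baseline of normal host-to-host traffic.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: daily bytes sent per (src, dst) pair over five normal days.
BASELINE_FLOWS = {
    ("ws-12", "fileserver"): [2.1e6, 1.9e6, 2.4e6, 2.0e6, 2.2e6],
    ("ws-12", "mail"): [3.0e5, 2.8e5, 3.1e5, 2.9e5, 3.2e5],
    ("ws-07", "fileserver"): [1.0e6, 1.1e6, 0.9e6, 1.2e6, 1.0e6],
}

# Constructed flow records for the day under review: (src, dst, bytes).
TODAY_FLOWS = [
    ("ws-12", "fileserver", 2.3e6),
    ("ws-12", "mail", 3.0e5),
    ("ws-07", "fileserver", 4.8e7),    # about 46x this pair's normal volume
    ("ws-07", "203.0.113.9", 4.6e7),   # peer never seen in the baseline (TEST-NET-3 address)
]

# Constructed endpoint authentication events: (host, user, event).
TODAY_AUTH = [
    ("ws-07", "svc_backup", "logon_success"),  # privileged service account on a workstation
    ("ws-12", "alice", "logon_success"),
]
PRIVILEGED = {"svc_backup", "domain_admin"}  # assumed list of protected accounts

def flow_anomalies(baseline, flows, z_threshold=3.0):
    """Return {src_host: [reason, ...]} for flows that deviate from the baseline.
    A pair with no history is a 'new peer'; a known pair is flagged when its
    volume sits more than z_threshold standard deviations above its mean."""
    findings = defaultdict(list)
    for src, dst, nbytes in flows:
        history = baseline.get((src, dst))
        if history is None:
            findings[src].append(f"new peer {dst}")
            continue
        mu, sigma = mean(history), pstdev(history)
        if sigma > 0 and (nbytes - mu) / sigma > z_threshold:
            findings[src].append(f"volume to {dst} {nbytes / mu:.0f}x normal")
    return dict(findings)

def correlate(net_findings, auth_events, privileged):
    """Escalate a host to 'investigate' only when its network anomalies coincide
    with a privileged logon on the same host; a single-source signal stays 'review'."""
    priv_hosts = {h for h, u, e in auth_events if u in privileged and e == "logon_success"}
    return {host: ("investigate" if host in priv_hosts else "review", reasons)
            for host, reasons in net_findings.items()}

if __name__ == "__main__":
    print(correlate(flow_anomalies(BASELINE_FLOWS, TODAY_FLOWS), TODAY_AUTH, PRIVILEGED))
```

The z-score baseline is deliberately simple; in practice the baseline would be learned per pair over a longer window and refreshed as staff usage patterns change.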
Reference:
