This new vision for the security operations center (SOC) includes six core elements, and its effectiveness is illustrated in a demonstration built by RSA that simulates an APT-like attack on a SOC before and after the recommended elements have been implemented. The demonstration highlights how new technologies applied both during and after the incident are effective in thwarting the attack and improving the model. This next-generation SOC demonstration leverages EMC, VMware and RSA technologies and combines experimental technologies and theoretical approaches with today's commercial products and best practices.
"Advanced persistent threats are inevitable for most large organizations," said David Hunter, chief technology officer, Worldwide Public Sector, VMware. "With the complexity of today's IT environment we expect to see APTs increasingly target corporate intellectual property requiring organizations to evolve their IT and security operations to counter APTs and other fast-evolving threats."
"To manage security at the speed and scale of the cloud and to deal with unpredictable adaptive threats such as APTs, organizations need to build upon the capabilities of today's SOCs evolving their security operations to effectively manage these new threats," said Bret Hartman, chief technology officer, RSA, The Security Division of EMC.
A New Vision for Security Operations: Six Core Elements
The vision includes six core elements and prescriptive guidance for how to incorporate these elements into existing security operations. These elements include:
-- Risk planning: The new SOC will take a more information-centric approach to security risk planning and invest in understanding which organizational assets are highly valuable and essential to protect. With priorities based on GRC policies, security teams need to conduct risk assessments that focus on the "crown jewels" of the enterprise.
-- Attack modeling: Understanding attack modeling in a complex environment requires determining which systems, people and processes have access to valuable information. Once the threat surface is modeled, organizations can then determine potential attack vectors and examine defense steps to isolate compromised access points efficiently and quickly. RSA Laboratories has developed theoretical models based on known APT techniques and employed game theory principles to identify the most efficient means of severing an attack path and optimize defense costs.
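As an added illustration of the attack-modeling element (example code, not part of the RSA brief or its demonstration), the snippet below treats the systems and people that can reach a high-value asset as a weighted access graph and finds the cheapest set of access relationships whose removal disconnects the asset from the entry point, computed as a minimum cut via max-flow. All node names and severance costs are constructed for the example.

```python
"""Added example: cheapest severance of attack paths as a minimum s-t cut."""
from collections import deque

# Constructed access graph: edge (u, v) means u can reach or act on v;
# the weight is a hypothetical cost of severing that access (retraining,
# re-architecting, re-issuing credentials). Not real infrastructure.
ACCESS = {
    ("internet", "mail_gateway"): 9,
    ("internet", "vpn"): 9,
    ("mail_gateway", "hr_workstation"): 3,
    ("mail_gateway", "dev_workstation"): 3,
    ("vpn", "dev_workstation"): 4,
    ("hr_workstation", "file_server"): 2,
    ("dev_workstation", "file_server"): 5,
    ("dev_workstation", "source_repo"): 6,
    ("file_server", "source_repo"): 1,
}

def min_cost_severance(edges, source, target):
    """Return (total_cost, edges_to_sever): a minimum cut separating
    `target` (the crown jewel) from `source` (the entry point),
    found with Edmonds-Karp max-flow on the access graph."""
    cap = {n: {} for e in edges for n in e}
    for (u, v), c in edges.items():
        cap[u][v] = cap[u].get(v, 0) + c
        cap[v].setdefault(u, 0)          # residual back-edge
    flow = 0
    while True:
        parent, queue = {source: None}, deque([source])
        while queue and target not in parent:      # BFS for a path
            u = queue.popleft()
            for v, c in cap[u].items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if target not in parent:
            break                        # no augmenting path left
        path, v = [], target
        while parent[v] is not None:     # rebuild path back to source
            path.append((parent[v], v))
            v = parent[v]
        bottleneck = min(cap[u][v] for u, v in path)
        for u, v in path:
            cap[u][v] -= bottleneck
            cap[v][u] += bottleneck
        flow += bottleneck
    # Nodes still reachable in the residual graph form the source side;
    # original edges crossing to the far side are the paths to sever.
    reachable = set(parent)
    cut = sorted(e for e in edges if e[0] in reachable and e[1] not in reachable)
    return flow, cut
```

By max-flow/min-cut duality the returned cost equals the sum of the severed edges' weights, so cutting only those edges leaves no path from the entry point to the asset.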
-- Virtualized environments: Virtualization will be a core capability of tomorrow's SOC, delivering a range of security benefits. For example, organizations can "sandbox" e-mail, attachments and URLs suspected of harboring malware. Anything suspicious can be launched in an isolated hypervisor, and the virtual machine can be cut off from the rest of the system.
-- Self-learning, predictive analysis: To remain relevant in tomorrow's IT environment, a SOC will need to truly integrate compliance monitoring and risk management. The system should continually monitor the environment to identify typical states, which can then be used to identify problematic patterns early. Statistics-based predictive modeling will be able to help correlate various alerts. Developing such a system will require real-time behavior analysis innovations, although some of these elements are available today.
-- Automated, risk-based decision systems: A key differentiator of a more intelligent SOC will be its ability to assess risks instantly and vary responses accordingly. Similar to risk-based authentication, the SOC will employ predictive analytics to find high-risk events and then automatically initiate remediation activities. The prospect of dynamic topography is one of the most exciting areas of this type of systems automation for the cloud. To implement an APT, an attacker must understand network mapping and be able to model it. In response to this, organizations can remap their entire network infrastructure to disrupt an attacker's reconnaissance efforts. This is akin to physically rearranging a city at frequent intervals - and the entire process can be automated so that links between systems stay intact and dependencies are handled without human intervention.
-- Continual improvement through forensic analyses and community learning: Although forensic analysis can be resource-intensive, it is an imperative element of a SOC and key to mitigating the impact of subsequent attacks. Virtualized environments can provide snapshots of the IT environment at the time of the security event, providing useful information if detection of the attack was delayed. Having a way to share information about attack patterns will be the future of the SOC. This concept should be embraced in order to exchange threat information within respective industries, better predict the path of the APT and thereby determine countermeasures.
Authors of the RSA Security Brief include many of the industry's foremost security leaders:
-- Sam Curry, Chief Technology Officer, Global Marketing, RSA, The Security Division of EMC
-- Bret Hartman, Chief Technology Officer, RSA, The Security Division of EMC
-- David Hunter, Chief Technology Officer, Worldwide Public Sector, VMware, Inc.
-- David Martin, Chief Security Officer, EMC Global Security Organization, EMC Corporation
-- Dennis R. Moreau, Ph.D., Senior Technology Strategist, RSA Laboratories, RSA, The Security Division of EMC
-- Alina Oprea, Ph.D., Senior Technology Strategist, RSA, The Security Division of EMC
-- Uri Rivner, Head of New Technologies, Consumer Identity Protection, RSA, The Security Division of EMC
-- Dana Elizabeth Wolf, Senior Manager, New Business Development, RSA, The Security Division of EMC
RSA Security Briefs are designed to provide security leaders with essential guidance on today's most pressing information security risks and opportunities. Each Security Brief is created by a select response team of experts who mobilize across organizations to share specialized knowledge on a critical emerging topic. Offering both big-picture insight and practical technology advice, RSA Security Briefs are vital reading for today's forward-thinking security practitioners.
RSA will show its new SOC capabilities demonstration, applying this new vision, in booth 1725 at RSA Conference 2011, February 14-18, at the Moscone Center in San Francisco.
RSA, The Security Division of EMC, is the premier provider of security, risk and compliance management solutions for business acceleration. RSA helps the world's leading organizations succeed by solving their most complex and sensitive security challenges. These challenges include managing organizational risk, safeguarding mobile access and collaboration, proving compliance, and securing virtual and cloud environments.
Combining business-critical controls in identity assurance, encryption & key management, SIEM, Data Loss Prevention and Fraud Protection with industry-leading eGRC capabilities and robust consulting services, RSA brings visibility and trust to millions of user identities, the transactions that they perform and the data that is generated. For more information, please visit www.RSA.com and www.EMC.com.
EMC Corporation (NYSE: EMC) is the world's leading developer and provider of information infrastructure technology and solutions that enable organizations of all sizes to transform the way they compete and create value from their information. Information about EMC's products and services can be found at www.EMC.com.
RSA and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. VMware is a registered trademark and/or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other company and product names may be trademarks of their respective owners.