Actionable Big Data AusCERT 2014 Tyson Garrett

Upload: arbor-networks

Post on 29-Nov-2014


DESCRIPTION

This presentation, originally presented at AusCERT 2014, dives into big data and how to leverage it for actionable security intelligence and insight for better incident response and preparedness.

TRANSCRIPT

Page 1: Actionable Big Data

Actionable Big Data AusCERT 2014

Tyson Garrett

Page 2: Actionable Big Data

About Me

Page 3: Actionable Big Data

About Arbor

(Diagram: Internal Network, Enterprise Assets, Enterprise Perimeter, Global Network and Threats, with the workflow Identify, Understand, Act.)

Page 4: Actionable Big Data

So what is Big Data?

Page 5: Actionable Big Data

What is Big Data?

Well it’s not hadoop-jar

Page 6: Actionable Big Data

What is Big Data

Big data is the term for a collection of data sets so large and complex that it becomes difficult to process using on-hand database management tools or traditional data processing applications. The challenges include capture, curation, storage, search, sharing, transfer, analysis and visualization. - Wikipedia

Page 7: Actionable Big Data

What is Big Data

Another way of putting it could be:

Information that we can’t put into our traditional database and/or is difficult to access.

Page 8: Actionable Big Data

What is Actionable Big Data

From a security perspective: Providing a security analyst with relevant information as quickly and easily as possible

Page 9: Actionable Big Data

But what about Security Information and Event Management (SIEM’s)?

Page 10: Actionable Big Data

Rows and Columns of Threats

Page 11: Actionable Big Data

Are more reports helping us perform effective Incident Response?

Page 12: Actionable Big Data

Do We Need More Events, Or Better Events?

•  At Boston Medical Center they were experiencing 12,000 alarms a day, on average. That kind of cacophony was producing a growing problem known as "alarm fatigue."
  –  "Alarm fatigue is when there are so many noises on the unit that it actually desensitizes the staff"
•  "If you have multiple, multiple alarms going off with varying frequencies, you just don't hear them"
  –  This can lead to a dangerous situation where patients can die when an important alarm is missed, or an electrode on a patient's chest comes unstuck, or a monitor's battery goes dead.

Page 13: Actionable Big Data

What about my Next Gen, Cloud, Anti APT, Threat Protection Firewall System?

Page 14: Actionable Big Data

TRADITIONAL DEFENSES ARE NOT DESIGNED FOR ADVANCED THREATS

Firewalls and Intrusion Prevention Systems (IPS) operate in real time, and have only one chance in a timeframe of 5-8 microseconds to prevent an attack.

(Diagram: Attack Traffic and Good Traffic arrive from the ISP, pass through the Firewall and IPS, and reach the Target Applications & Services.)

Page 15: Actionable Big Data

So what do we need to see?

Page 16: Actionable Big Data

We need to see Attack Timelines

Page 17: Actionable Big Data

Zoom from months and years to seconds

Page 18: Actionable Big Data

IP Address and Port Details aren’t enough

Page 19: Actionable Big Data

We need to know what's exactly going on

Page 20: Actionable Big Data

We need to understand who is involved

Page 21: Actionable Big Data

We need to be able to replay attacks

Page 22: Actionable Big Data

We need to be able to replay attacks

Page 23: Actionable Big Data

How do we do this?

Page 24: Actionable Big Data

Packet Capture or it didn’t happen…..

•  Full Packet Capture is the richest source of data but it isn’t BIG DATA
•  Contains ALL of the network data, and can be taken from ANYWHERE in the network via TAP or SPAN
•  Can be processed whenever you like – years later or as a real time stream
•  Security analytics content derived from each capture is cumulative, building a long running history of searchable and comparable attack data…this is BIG DATA
•  Like CCTV for your network – Play, Pause and Rewind your data
•  Enables base lining of metrics between data sets and trend comparison of different periods

Page 25: Actionable Big Data

Big Data Security Analytics 101

•  Ability to store huge amounts of PCAPs
•  Ability to read historical files or process real time streams
•  Need to be able to perform many hundreds of operations on the data in parallel

Page 26: Actionable Big Data

Big Data Security Analytics 101

•  Need to be able to store the outcome of these operations in such a way that they can be quickly searched or updated
•  Need to quickly extract the attack data from the rest of the packets
•  Search must be latency free, independent of PCAP size.
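The two "Security Analytics 101" slides describe an architecture rather than code. The block below is an added Python example, not from the talk and not Arbor's or Packetloop's own code, of the ingest-once, search-many pattern they describe: a minimal libpcap (v2.4, Ethernet) reader whose loop serves a historical file or a buffered stream alike, one pass that derives per-flow analytics and inverted indexes by IP and port, and a search that answers from the derived data without touching the packets again, so its cost does not grow with capture size. The capture is constructed inline; the frame builder, field offsets and index layout are assumptions of this example, and a production system would shard the indexing pass across many workers.

```python
import socket
import struct
from collections import defaultdict

# Minimal libpcap (v2.4, little-endian, Ethernet link type) reader and flow indexer.
PCAP_MAGIC = 0xA1B2C3D4
ETH_IPV4 = 0x0800
PROTO_TCP = 6


def build_packet(src_ip, dst_ip, sport, dport, payload):
    """Construct an Ethernet/IPv4/TCP frame (checksums left zero; sample data only)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_IPV4)          # constructed MAC addresses
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, PROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload


def build_pcap(packets):
    """packets: iterable of (ts_sec, frame). Returns the bytes of a pcap file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in packets:
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_pcap(data):
    """Yield (ts_sec, frame); the same loop serves a historical file or a buffered stream."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap v2 capture")
    off = 24
    while off + 16 <= len(data):
        ts, _, incl, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts, data[off:off + incl]
        off += incl


def parse_flow(frame):
    """Return (src_ip, sport, dst_ip, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != PROTO_TCP:                 # IPv4 protocol field sits at IP offset 9
        return None
    ip_total = struct.unpack_from("!H", frame, 16)[0]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    tcp_off = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp_off)
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return src, sport, dst, dport, frame[tcp_off + data_off:14 + ip_total]


def build_index(pcap_bytes):
    """One pass over the capture: per-flow stats plus inverted indexes by IP and by port."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "first": None, "last": None})
    by_ip, by_port = defaultdict(set), defaultdict(set)
    for ts, frame in iter_pcap(pcap_bytes):
        parsed = parse_flow(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, payload = parsed
        key = (src, sport, dst, dport)
        f = flows[key]
        f["packets"] += 1
        f["bytes"] += len(payload)
        f["first"] = ts if f["first"] is None else min(f["first"], ts)
        f["last"] = ts if f["last"] is None else max(f["last"], ts)
        by_ip[src].add(key)
        by_ip[dst].add(key)
        by_port[dport].add(key)
    return {"flows": dict(flows), "by_ip": dict(by_ip), "by_port": dict(by_port)}


def search(index, ip=None, port=None):
    """Answer from the index alone, so cost is independent of the original PCAP size."""
    keys = set(index["flows"])
    if ip is not None:
        keys &= index["by_ip"].get(ip, set())
    if port is not None:
        keys &= index["by_port"].get(port, set())
    return sorted((k, index["flows"][k]) for k in keys)


# Constructed sample capture: three flows, one client returning to port 443 twice.
SAMPLE_PCAP = build_pcap([
    (1000, build_packet("10.0.0.5", "192.0.2.10", 40001, 443, b"\x16\x03\x01\x00\x05hello")),
    (1001, build_packet("10.0.0.5", "192.0.2.10", 40001, 443, b"\x17\x03\x01\x00\x02ok")),
    (1500, build_packet("10.0.0.7", "192.0.2.10", 40002, 80, b"GET / HTTP/1.1\r\n\r\n")),
    (2000, build_packet("10.0.0.5", "192.0.2.20", 40003, 22, b"SSH-2.0-sample\r\n")),
])

if __name__ == "__main__":
    idx = build_index(SAMPLE_PCAP)
    for key, stats in search(idx, ip="10.0.0.5"):
        print(key, stats)
```

The point of the split between build_index and search is the last bullet on the slide: the index is the "outcome of the operations", and once it exists a query for an address or port costs the same whether the underlying capture is a few kilobytes or a few terabytes.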

Page 27: Actionable Big Data

We are 100% secure….are you sure?

•  How can you look back in time to confirm what you didn’t know then?
•  Assume it has happened previously, how can you prove it?
•  How do you confirm exact intent and impact?
•  How do you learn from the past to improve your future security posture?

Page 28: Actionable Big Data

Learning from the past

“Those who do not remember the past are condemned to repeat it.” George Santayana

•  Find out if an attacker used a zero day attack previously
•  Find out what systems were compromised
•  Find out what happened next?
  –  What other systems were compromised laterally
  –  What data was accessed
  –  What data was exfiltrated
•  Find out if the attacker is still active, still in your network
•  Understand the effectiveness of existing controls
•  Understand what new controls are required

Page 29: Actionable Big Data

And we need to see context

Page 30: Actionable Big Data

We need to see context

Page 31: Actionable Big Data

Were you affected by Heartbleed?

•  So you have patched all your OpenSSL based systems. Is that it?
•  Heartbleed could have been used against you before you applied the necessary updates, or even before the vulnerability became known to the public
•  There are no application layer logs that would allow you to check if you were attacked or what data was stolen
•  Any sensitive data stored in server memory could be disclosed to attacker
  –  Private SSL keys
  –  Unencrypted passwords
  –  Business critical documents

Page 32: Actionable Big Data

Looping for Zero Day Attacks such as Heartbleed

(Diagram labels, in order: Week 1 Traffic; Week 2 Traffic; Week 3 Traffic; Total Analytics data after 1 week; Total Analytics data after 2 weeks; Total Analytics data after 3 weeks; Heartbleed attack here; Detection capability update but without signature for the Heartbleed attack; Detection capability update INCLUDING signature for the Heartbleed attack.)

Detection capability updates occur at different times. ALL traffic stored is replayed through latest detection capability automatically.

All Traffic Looped – Heartbleed not found

All Traffic Looped – Heartbleed FOUND. Now that the Heartbleed attack has been identified, the attack timeline can be established.
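The looping idea on this slide can be shown as code. The block below is an added Python example, not part of the presentation and not Packetloop's implementation: a store of captured TLS records (constructed inline, with one record standing in for each week of traffic), two versions of a "detection capability" of which only the second carries a Heartbleed rule, and a loop() that replays every stored record through whichever version is current. The Heartbleed rule checks the RFC 6520 heartbeat structure for a declared payload_length that cannot fit inside the TLS record, which is the check the public IDS signatures for Heartbleed perform; the Record layout, the rule names, the "legacy-ssl" placeholder rule and the sample addresses are assumptions of this example.

```python
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

TLS_HEARTBEAT = 0x18       # TLS record content type for heartbeat (RFC 6520)
HEARTBEAT_REQUEST = 1
MIN_PADDING = 16           # RFC 6520: at least 16 bytes of padding follow the payload


@dataclass(frozen=True)
class Record:
    """One stored TLS record with its capture time. Constructed stand-in for a PCAP entry."""
    week: int
    ts: int
    src: str
    dst: str
    data: bytes


Detector = Callable[[Record], Optional[str]]
Hit = Tuple[int, int, str, str, str, str]   # (ts, week, src, dst, rule, reason)


def detect_bad_heartbeat(rec: Record) -> Optional[str]:
    """Flag a heartbeat request whose declared payload_length cannot fit in the record."""
    d = rec.data
    if len(d) < 8 or d[0] != TLS_HEARTBEAT:
        return None
    rec_len = struct.unpack_from("!H", d, 3)[0]
    body = d[5:5 + rec_len]
    if len(body) < 3 or body[0] != HEARTBEAT_REQUEST:
        return None
    payload_len = struct.unpack_from("!H", body, 1)[0]
    # type (1) + payload_length (2) + payload + padding must fit inside the record
    if 1 + 2 + payload_len + MIN_PADDING > rec_len:
        return f"heartbeat payload_length {payload_len} exceeds record length {rec_len}"
    return None


def detect_legacy_ssl(rec: Record) -> Optional[str]:
    """Placeholder rule that already existed before the Heartbleed signature: flag SSLv3."""
    d = rec.data
    if len(d) >= 3 and d[1:3] == b"\x03\x00":
        return "SSLv3 record version"
    return None


# Detection capability versions: v1 predates the Heartbleed signature, v2 includes it.
CAPABILITY: Dict[int, Dict[str, Detector]] = {
    1: {"legacy-ssl": detect_legacy_ssl},
    2: {"legacy-ssl": detect_legacy_ssl, "heartbleed": detect_bad_heartbeat},
}


def loop(store: List[Record], version: int) -> List[Hit]:
    """Replay everything in the store through one capability version; hits come back in time order."""
    hits: List[Hit] = []
    for rec in store:
        for name, det in CAPABILITY[version].items():
            reason = det(rec)
            if reason:
                hits.append((rec.ts, rec.week, rec.src, rec.dst, name, reason))
    return sorted(hits)


def timeline(hits: List[Hit], rule: str) -> List[Hit]:
    """Attack timeline for one rule: its hits, earliest first, across all stored weeks."""
    return [h for h in hits if h[4] == rule]


def heartbeat(declared_len: int, actual: bytes) -> bytes:
    """Build a TLS 1.1 heartbeat request record (constructed test vector for the detector)."""
    body = bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", declared_len) + actual + b"\x00" * MIN_PADDING
    return bytes([TLS_HEARTBEAT, 0x03, 0x02]) + struct.pack("!H", len(body)) + body


# Constructed store: one record per week; addresses are documentation ranges.
STORE = [
    Record(1, 100, "10.0.0.5", "192.0.2.10", bytes([0x16, 0x03, 0x01, 0x00, 0x01, 0x01])),   # TLS 1.0 handshake
    Record(1, 200, "10.0.0.6", "192.0.2.10", heartbeat(4, b"ping")),                          # well-formed heartbeat
    Record(2, 900, "198.51.100.9", "192.0.2.10", heartbeat(0x4000, b"x")),                    # declared 16384, 1 byte present
    Record(3, 1500, "10.0.0.8", "192.0.2.10", bytes([0x17, 0x03, 0x00, 0x00, 0x02, 0x41, 0x42])),  # SSLv3 app data
]

if __name__ == "__main__":
    print("v1:", loop(STORE, 1))                 # Heartbleed not found
    print("v2:", timeline(loop(STORE, 2), "heartbleed"))   # Heartbleed FOUND, week 2
```

Run against capability version 1 the store yields only the SSLv3 hit; the same store looped through version 2 surfaces the week 2 heartbeat, and timeline() gives the point at which the attack timeline on the slide starts. Nothing about the stored traffic changed between the two runs, only the detection capability did, which is the whole argument for keeping the captures.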

Page 33: Actionable Big Data

Heartbleed Demo

This is a reminder for me to Cmd-Tab to Chrome

Page 34: Actionable Big Data

But I’m a nerd/geek and wanted to see references to Anscombe’s Quartet

-  Google/Bing/AskJeeves/W3Catalog ‘finding needles in haystacks the size of countries’

Or

-  https://bitly.com/bundles/packetloop/1

Page 35: Actionable Big Data

Thank you!

For comments and suggestions please contact: [email protected]

Page 36: Actionable Big Data
