1 © Hortonworks Inc. 2011 – 2017. All Rights Reserved
Cyber Security for Financial Services
Carolyn Duby, Cyber Security SME / Solutions Engineer, Northeast
April 2017
Slide 2
Disclaimer
This document may contain product features and technology directions that are under development, may be under development in the future or may ultimately not be developed.
Project capabilities are based on information that is publicly available within the Apache Software Foundation project websites ("Apache"). Progress of the project capabilities can be tracked from inception to release through Apache; however, technical feasibility, market demand, user feedback and the overarching Apache Software Foundation community development process can all affect timing and final delivery.
This document’s description of these features and technology directions does not represent a contractual commitment, promise or obligation from Hortonworks to deliver these features in any generally available product.
Product features and technology directions are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
Since this document contains an outline of general product development plans, customers should not rely upon it when making purchasing decisions.
Slide 3
Agenda
• Outlook for Cyber Security in Financial Services
• Trends over past year
• Challenges going forward
• New Hortonworks Solutions to Address Challenges
Slide 4
Outlook for Financial Services
• Financial Services is a big target
• Hackers are more sophisticated
• Increased complexity of landscape
• Existing security tools can’t keep up
• Consequences are high
• New solutions needed to secure the enterprise
Slide 5
Hackers Go Where the Money Is
Willie “The Actor” Sutton
Why do hackers target Financial Services companies?
Because that’s where the money is.
Source: https://www.fbi.gov/history/famous-cases/willie-sutton
Slide 6
Cybercrime Underground Market
• Information and Services for Sale
  • Credit card account numbers
  • Email and social media credentials
  • Bank account credentials
  • Russian business dossiers
  • DDoS attacks
  • Exploit kits
• Increasingly professional service
  • Available 24 x 7
  • Guaranteed results
Source: Secureworks Underground Hacker Markets Annual Report – April 2016
Slide 7
State Sponsored Hackers
• Capable, Well Compensated Hackers
• Sophisticated, effective attacks
• Difficult to detect
• Fly “under the radar” longer
Slide 8
Insiders are the weak link
• Tight security undermined by insiders
• Curious, Helpful, Conscientious Victims
  • 91 percent of cyberattacks start with a phishing email
  • Yahoo! breach of 500 million user accounts
• Whistleblowers and Hacktivists
  • Edward Snowden and Chelsea Manning
  • Wikileaks, Panama Papers
• Disaffected
  • Citibank employee disables routers after bad review
• Targeted for bribery and outside influence
Image captions: Wikileaks; Edward Snowden and Chelsea Manning (ABC News)
Slide 9
Increased Complexity and Attack Surface
• Bring Your Own Device
• Cloud
• Network enabled Internet of Things
  • Mirai Botnet disables online services
    • Russian banks
    • Dyn Domain Name Service
Slide 10
Not in Control of your own Destiny
• Great security does not guarantee success
• External services
  • DNS redirect at Brazilian bank sends customers to fake site
• External trading networks
• Breaches of unrelated sites require action
  • Users reuse passwords
  • Replace credit cards affected by other company’s breach
• Security of new acquisitions
Slide 11
Consequences
• Direct costs of incident and remediation
• Fines
• Consumer Litigation
  • Wendy’s and Yahoo! suits
• Loss of Consumer Confidence
• Opportunity cost
Slide 12
Existing Cyber Security Solutions Don’t Scale to the Challenge
82% of breaches happened in minutes
8 months: average time an advanced security breach goes unnoticed
70%-80% of breaches are first detected by a 3rd party
Source: 2016 Verizon Data Breach Investigations Report
Current security tools installed in the data center can’t handle the volume of data & threats from everywhere
Slide 13
Problem Posed For Security Analysts
• Short staffed (1 M openings)
• Too many disparate tools
• Too many alerts to process
• Too much noise
• How to connect the dots of the relevant data points together?
Slide 14
Problems in Investigating a Phishing Attack
Challenge
✕ The analyst had to jump from the SIEM to more than 7 different tools that took up valuable time.
✕ It took more than 24 hours across 2 SOC shifts to investigate, determine scope, remediate and do further forensics/investigation.
✕ Half of my time spent getting the context needed for me to create the story
✕ The threat was detected too late. Instead of detecting the incident on 4/9, the threat should have been detected on 3/20 when the attacker spoofed Sonja’s email address
Need
✓ Want a Centralized View of my data so I don’t have to jump around and learn other tools
✓ Eliminate manual tasks to investigate a case
✓ Need to discover bad stuff quicker
✓ Need the System to create the context for me in real-time
✓ The current static rules in the SIEM didn’t detect the threat. Need smart analytics based on:
  ✓ User Sonja hasn’t used corp gmail in the last 3 months
  ✓ User Sonja can’t login from Ireland and Southern Cali at the same time
Slide 16
Hortonworks Cyber Security Package
Hortonworks Cyber Security Package Capabilities:
▪ Single view of all relevant data including new sources
▪ Dynamic ingestion and enrichment of data customized for your enterprise
▪ Cost effective storage enables longer context
▪ Advanced statistical and machine learning models to detect cyber security attacks
▪ Integration with existing SIEMs and enterprise assets
Components: Apache Metron; Cyber Security Data Ingestion Package; Cyber Security Analytics Exchange (Advanced Cyber Analytics)
The Hortonworks Cyber Security Package accelerates organizations’ ability to deploy and integrate advanced cyber security capabilities within their enterprise environment.
Slide 17
Why Hortonworks Cybersecurity Package?
SOC Efficiency
• Reducing false positive
• Single view of threat
• Integrated threat feeds and asset info
• Integrate and combine tools: not just another screen to watch
• Faster Triage
More data, better data
• More sources
• Longer term analyzable data storage
• Fully enriched data with relevant context
Real-time
• Find threats faster
• Find context easier
• Mitigate early
Finding Unknowns
• Probabilities not rules
• Real-time profiles for intelligent baselines
• Dynamic rules responding to behavior not static rules written by hand
Machine Learning
• UEBA
• Relevance
• Feedback loop
• Triage everything that comes in
Slide 19
Apache Metron: Incubating Project
Telemetry Data Sources
• Performance Network Ingest Probes / Other
• Machine Generated Logs (AD, App / Web Server, firewall, VPN, etc.)
• Security Endpoint Devices (FireEye, Palo Alto, BlueCoat, etc.)
• Network Data (PCAP, Netflow, Bro, etc.)
• IDS (Suricata, Snort, etc.)
• Threat Intelligence Feeds (Soltra, OpenTaxi, third-party feeds)
Telemetry Data Collectors feed a Telemetry Ingest Buffer, which feeds the Cyber Security Stream Processing Pipeline; Real-time Enrich / Threat Intel Streams feed the pipeline alongside it.
Real-time Processing Cyber Security Engine modules:
• Telemetry Parsers
• Enrichment
• Threat Intel
• Alert Triage
• Indexers and Writers
Data Services and Integration Layer:
• Data Vault
• Real-Time Search
• Evidentiary Store
• Threat Intelligence Platform
• Model as a Service
• Community Models
• Data Science Workbench
• PCAP Forensics
Slide 20
Cyber Security Journey
Single view into Cyber Security
Free data from security tools
Correlate and discover threats
Operational efficiency and governance
Predictive insights using machine learning
Single unified view of enterprise risk & security posture.
Figure (Cyber Security Journey, Renovate to Innovate): Active Archive (Security Tool Ingest, Historical Records, OPEX Reduction); Data Discovery (Digital Protection, Fraud Prevention, Public Data Capture); Predictive Analytics (Cyber Security, Machine Data, Risk Modeling); goal: Single Holistic View.
Slide 21
Data Freedom through Active Archive
Data Freedom
Current security processes are manual as data is cut & paste from one security tool to another.
Tool-Centric security program creates incompatibility and inefficiency.
Leverage the Hadoop ecosystem to free data from vendor-locked-in security tools.
Gain ability to keep data in commodity storage for expense reduction
Reduce or eliminate expensive licensing costs for duplicative storage of same data.
Create automated efficient security processes & workflow.
Slide 22
Insights through Data Discovery
Data Discovery and Insight
Leverage consolidated & correlated data lake for insights.
Create consolidated automated processes & workflow for OPEX reduction.
Gain increased protection of digital assets through holistic view of location, configuration, vulnerabilities, and threats for risk based prioritization of what matters most.
Ability to migrate from expensive suites of security tools with redundant features to open source alternatives that do exactly what you need.
Slide 23
Showing value through analytics
Risk based Analytics
Leverage machine learning techniques for a risk based security posture
Measure and visualize the value security brings to the organization.
Freedom from the avalanche of rules based alerting.
Move from a reactive to proactive security posture.
Slide 24
Single Holistic View
Single Holistic View
Single view of the risk posture of the organization.
Ability to drill down from enterprise risk to individual activity influencing risk.
Ability to extend to additional use-cases in agile and cost effective manner.
Slide 25
Hortonworks Cyber Security Package (HCP)
Phase 1: Cyber Security Data Ingestion Package
Real-Time Application and System log ingestion, indexing and visualization of cyber data, including dashboards and cyber notebook templates
Phase 2: Apache Metron
Hortonworks-led Apache project which provides a scalable advanced security ingestion and enrichment framework built on top of HDP/HDF
Phase 3: Cyber Security Analytics Exchange
A Hortonworks-led Apache project of statistical and machine learning models and packs that represents the next generation defense for combating security attacks
The Hortonworks Cyber Security Package can be implemented in an iterative manner to enable organizations to gain instant productivity for ingesting, processing and storing cyber data
Slide 26
Summary
• Financial services organizations need effective security
• Threat landscape is evolving
• Hackers are more capable and motivated
• Hortonworks Cyber Security Package
  • Single View into Cyber Security
  • Built on cost effective HDF and HDP
  • Faster detection, efficient investigation
  • Dynamic detection algorithms
Slide 31
Cyber Security Deployment Overview
Hortonworks provides customers the ability to iteratively deploy cyber security solutions based on required features in order to support real-time ingestion of enterprise logs and network data and instantly gain insights into cyber related data.
Deployment diagram: Enterprise Assets feed NiFi Processor(s), which publish to the Kafka Message Bus
• Cyber Security Data Ingestion Package: Syslog and Application Data Ingestion; Real-Time Search Index; Cyber Dashboard and workbench
• Apache Metron: Real-Time Data Parsing and Correlation; Real-Time Data Enrichment and Cyber Feeds; PCAP Replay and Evidence Store; Cyber Dashboard and workbench
• Analytics Exchange: Cyber Analytics Packs
Slide 32
Cyber Security – Phase 1: Data Ingestion Package
The foundation of the Hortonworks Cyber Security Package is the Data Ingestion Package, which provides the ability to ingest application and system logs for indexing and visualization along with cyber specific dashboards and notebooks.
Deployment diagram: Enterprise Assets feed NiFi Processor(s), which publish to the Kafka Message Bus
• Cyber Security Data Ingestion Package: Syslog and Application Data Ingestion; Real-Time Search Index; Cyber Dashboard and workbench
Slide 33
Cyber Security – Phase 2: Apache Metron
Apache Metron adds the ability to consume pcap, NetFlow and real-time cyber feeds at scale, taking in all network related data in order to correlate and enrich cyber feeds and provide more relevant cyber alerts.
Deployment diagram: Enterprise Assets feed NiFi Processor(s), which publish to the Kafka Message Bus
• Cyber Security Data Ingestion Package: Syslog and Application Data Ingestion; Real-Time Search Index; Cyber Dashboard and workbench
• Apache Metron: Real-Time Data Parsing and Correlation; Real-Time Data Enrichment and Cyber Feeds; PCAP Replay and Evidence Store; Cyber Dashboard and workbench
Slide 34
Cyber Security – Phase 3: Analytics Exchange
The Cyber Analytics Exchange introduces cyber security models developed using machine learning algorithms that are trained on customer data and then deployed for real-time integration with Apache Metron.
Deployment diagram: Enterprise Assets feed NiFi Processor(s), which publish to the Kafka Message Bus
• Cyber Security Data Ingestion Package: Syslog and Application Data Ingestion; Real-Time Search Index; Cyber Dashboard and workbench
• Apache Metron: Real-Time Data Parsing and Correlation; Real-Time Data Enrichment and Cyber Feeds; PCAP Replay and Evidence Store; Cyber Dashboard and workbench
• Analytics Exchange: Cyber Analytics Packs
Slide 35
Cyber Security Data Flow
Telemetry inputs: PCAP, NetFlow, DPI, Network Tap, IDS, AV, Firewall, Host Logs
Other inputs: STIX, Flat Files, Aggregators, Model As A Service, Cloud Services
Apache Metron pipeline stages: PARSE, NORMALIZE, VALIDATE, TAG, PROCESS, ENRICH (User, Asset, Geo, WHOIS, Conn), LABEL
Outputs: Real-Time Search, Interactive Dashboards, Data Modelling, Knowledge Graphs, PCAP Store, PCAP Replay
Supporting layers: Integration Layer, Security Layer, Workflow Engine, Rules Engine, Analytics Exchange
Slide 36
Model as a Service
• Model Service with a REST interface, running on YARN, registered for Service Discovery in Zookeeper
• Model Store and Historical Data Store on HDFS / HBase; models are trained / updated from the historical data
• The Storm Enrichment Bolt discovers the model service and sends it each Metron JSON Object
• The result is the Metron JSON Object with added score, confidence etc. from the model
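Slide 19 (parsers, enrichment, threat intel, alert triage, indexers), slide 35 (PARSE, NORMALIZE, ENRICH, LABEL) and slide 36 (a Metron JSON object that gains score fields as it passes through) all describe the same path for one message. The Python below is an added example, not Apache Metron or Hortonworks code, that walks constructed firewall log lines through that path. The log format, the asset, geo and threat-intel tables, the Metron-style field names and the rule weights are all assumptions made for the example; the model-as-a-service call is not modelled here, a model would append its score and confidence as further fields in the same way the triage step does.

```python
import json
import re
from ipaddress import ip_address, ip_network

# Constructed firewall-style log lines (hypothetical, not from the slides).
# The last line is deliberately malformed to exercise the VALIDATE step.
RAW_LOGS = [
    "2017-03-20T10:00:01 fw1 ACCEPT src=10.1.2.3 dst=203.0.113.7 dport=443 bytes=1200",
    "2017-03-20T10:00:02 fw1 ACCEPT src=10.1.2.3 dst=198.51.100.9 dport=4444 bytes=910000",
    "2017-03-20T10:00:03 fw1 DROP src=192.0.2.44 dst=10.1.2.3 dport=22 bytes=0",
    "garbage line that does not parse",
]

# Constructed enrichment tables (assumptions): asset inventory, GeoIP ranges,
# and a threat-intel list keyed by indicator.
ASSETS = {"10.1.2.3": {"host": "trading-ws-07", "owner": "equities", "criticality": "high"}}
GEO = [("203.0.113.0/24", "Ireland"), ("198.51.100.0/24", "Unknown"), ("192.0.2.0/24", "Unknown")]
THREAT_INTEL = {"198.51.100.9": "c2-server", "192.0.2.44": "scanner"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) (?P<action>ACCEPT|DROP) "
    r"src=(?P<ip_src_addr>\S+) dst=(?P<ip_dst_addr>\S+) "
    r"dport=(?P<ip_dst_port>\d+) bytes=(?P<bytes>\d+)$"
)


def parse(line):
    """PARSE + NORMALIZE + VALIDATE: one raw line becomes a flat dict with
    Metron-style field names, or None when the line does not validate."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m.groupdict()
    msg["ip_dst_port"] = int(msg["ip_dst_port"])
    msg["bytes"] = int(msg["bytes"])
    msg["source.type"] = "firewall"
    return msg


def geo_lookup(ip):
    """GEO enrichment against the constructed CIDR table."""
    addr = ip_address(ip)
    for cidr, country in GEO:
        if addr in ip_network(cidr):
            return country
    return None


def enrich(msg):
    """ENRICH: attach asset, geo and threat-intel context to both endpoints."""
    for side in ("ip_src_addr", "ip_dst_addr"):
        ip = msg[side]
        if ip in ASSETS:
            msg[side + ".asset"] = ASSETS[ip]
        country = geo_lookup(ip)
        if country:
            msg[side + ".geo"] = country
        if ip in THREAT_INTEL:
            msg[side + ".threatintel"] = THREAT_INTEL[ip]
    return msg


def triage(msg, alert_threshold=70):
    """LABEL: weighted rules produce a triage score; is_alert says whether an
    analyst should see the message at all. Weights are assumptions."""
    score, hits = 0, []
    if any(k.endswith(".threatintel") for k in msg):
        score += 70
        hits.append("threat-intel match")
    if any(v.get("criticality") == "high" for k, v in msg.items() if k.endswith(".asset")):
        score += 20
        hits.append("high-criticality asset")
    if msg["action"] == "ACCEPT" and msg["ip_dst_port"] not in (80, 443) and msg["bytes"] > 500_000:
        score += 30
        hits.append("large transfer to non-standard port")
    msg["triage.score"] = score
    msg["triage.rules"] = hits
    msg["is_alert"] = score >= alert_threshold
    return msg


def run_pipeline(lines):
    """Run every line through the stages; return (enriched messages, rejected count)."""
    accepted, rejected = [], 0
    for line in lines:
        msg = parse(line)
        if msg is None:
            rejected += 1
            continue
        accepted.append(triage(enrich(msg)))
    return accepted, rejected


if __name__ == "__main__":
    msgs, bad = run_pipeline(RAW_LOGS)
    for m in msgs:
        print(json.dumps(m, indent=2))
    print("rejected lines:", bad)
```

Keeping parse, enrich and triage as separate functions mirrors the slide's separation of parsers, enrichment and alert triage: enrichment tables can be swapped without touching the parser, and the triage weights can be tuned (or replaced by a model score) without re-parsing.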
Slide 37
Profiler: Lightweight behavior modeling over time
Profiler Bolt writes profiles to HBase
• HyperLogLogPlus: Cardinality (How many servers connected?)
• T-Digest: Statistics (Average over different periods)
• Bloom filter: Presence (Finding small needles in big haystacks)
• MAD outlier: Outliers (Detecting unusual events in streams)
Uses: Triage Scoring, Model features, Aggregations over Time, Fast Cache
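As an added example (not Metron's profiler code), the Python below builds the kind of time-windowed profile the slide describes: the number of distinct servers each host contacted per 10-minute window, followed by a MAD (median absolute deviation) outlier test over those counts. An exact set stands in for HyperLogLogPlus, which Metron would use to approximate the same count in bounded memory; the connection records, hosts and window size are constructed.

```python
from collections import defaultdict
from statistics import median


def build_records():
    """Constructed connection records (hypothetical): (minute, src_host, dst_ip).
    ws-07 talks to 4-6 servers per 10-minute window and then fans out to 40 in
    the last window; db-01 always talks to the same 2 servers (a flat baseline)."""
    per_window = [4, 5, 4, 6, 5, 4, 5, 6, 4, 5, 5, 4, 40]
    records = []
    for w, n in enumerate(per_window):
        for i in range(n):
            records.append((w * 10 + (i % 10), "ws-07", "10.0.%d.%d" % (w // 12, i)))
        for i in range(2):
            records.append((w * 10 + i, "db-01", "10.0.9.%d" % i))
    return records


def profile_distinct(records, window_minutes=10):
    """Per host and per window, the number of distinct destinations.
    Metron's profiler would hold a HyperLogLogPlus sketch per cell instead of
    a set; the aggregation shape is the same."""
    seen = defaultdict(lambda: defaultdict(set))
    for minute, host, dst in records:
        seen[host][minute // window_minutes].add(dst)
    return {host: [len(windows[w]) for w in sorted(windows)] for host, windows in seen.items()}


def mad_outliers(values, threshold=3.5):
    """Indices whose modified z-score |x - median| / (1.4826 * MAD) exceeds
    threshold. A MAD of 0 means the baseline is flat; then any value off the
    median is treated as an outlier rather than dividing by zero."""
    med = median(values)
    mad = median([abs(v - med) for v in values])
    if mad == 0:
        return [i for i, v in enumerate(values) if v != med]
    return [i for i, v in enumerate(values) if abs(v - med) / (1.4826 * mad) > threshold]


def find_anomalous_windows(records, window_minutes=10):
    """Map each host to the window indices whose distinct-destination count is anomalous."""
    counts = profile_distinct(records, window_minutes)
    return {host: mad_outliers(vals) for host, vals in counts.items()}


if __name__ == "__main__":
    recs = build_records()
    for host, vals in profile_distinct(recs).items():
        print(host, vals)
    print(find_anomalous_windows(recs))
```

The median-based test is what makes this usable on a stream: a single extreme window (the fan-out to 40 servers) barely moves the median or the MAD, so it stands out, whereas a mean-and-standard-deviation baseline would be dragged toward the outlier it is supposed to flag.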