it operation analytic for security- missconf(sp1)
TRANSCRIPT
IT Operation Analytic for Security Santisook L.18 June 2016#MiSSConf(SP1)CP-Tower
Who am I ? • Santisook Limpeeticharoenchot . • Telecom Engineering, Business&Economic.• 16 years ago : Network Engineer. Implemented NW, Security for ISP/Telco, Bank, State Enterprise and Government. • 8 years ago : Managed Service Network & Outsourcing, Sales&Business Development.• 5 years ago : Started Machine Data Analytic.• Current : Sales Director@Stelligence Co.,Ltd : Operational Intelligence,Big Data &IT Operation Analytic Company. • Interested in : Big Data, Network & Security, Innovation & Entrepreneur, Math, BizModel, StartupEcosystem, …
Topics• Challenge & Demand• What’s ITOA ?• Anomaly Detection • Security Use cases • Q&A
What are CIO priorities ?Pro-active alerting and troubleshootingSLA
Performance monitoring, trending and tuningUser experience
Detect abnormal behaviors and data exfiltrationData security
Understanding demographics, behaviors and patternsBusiness intelligence and analytics
Forces driving need for Operation Analytic• More Data, More Complexity, New Technology
and New Attack • Dynamic , Big Impact, Required high skill resources• Lack of completed visibility • Required Actionable information
Lack of Visibility Hurts
How to get visibility ?
http://www.datacenterjournal.com/time-analytics-delivers-operations/
Big Data Anywhere “89% of business leaders believe Big Data will revolutionize business operations in the same way the Internet did”“83% have pursued Big Data projects in order to seize a competitive edge”“Global Big Data and Analytics market will reach $125B in hardware, software and services revenue this year”
“Banking, communications, media, utilities and wholesale trade increased their use of Big Data analytics the most in the last 12 months”
Big Data 3.0
Big Data Anywhere BIG DATA "USE CASES" WITHIN BUSINESS
48% Customer Analytics21% Operational Analytics12% Fraud and Compliance10% New Product & ServiceInnovation10% Enterprise Data WarehouseOptimization
12%
10%
Source : Datameer: Big Data: A Competitive Weapon for the Enterprise.
48%
21%
10%
ITOA is IT Operations' next big thingITOA is 'On the Rise' on the hype cycle, andexpects it to accelerate to integrate intomainstream IT operations in the next fewyears, with the emergence of an entirecategory of IT Operations Analyticsproducts and services.
Hype Cycle for IT Infrastructure Availability and Performance Management, 2015
It refers to a set of processes and technologies that: • Helps discover complex patterns in high volumes of IT system usage and performance data • Helps to identify problems and system behaviors faster, so as to rectify the problem(s) before they can arise• Automates the process of collecting, organizing, analyzing, and identifying patterns in a highly distributed, diverse and continuously changing application data environment.• Ensures an improved IT system performance and continuity• Relies heavily on Big Data Analytics.
What’s is ITOA?
Streamline data analysis, automate correlations, and increase productivityReact quickly to events / data generated by infrastructure, software, services, user devices
Optimize service levels and workload allocations Unleash innovation and create business value
Top Benefits Expected from ITOA
67%
Improved IT Staff Productivity
Better IT infrastructure utilization and optimization
53%Improved infrastructure availability and reduced downtime
51% Improved application code quality and defect reduction
Better application performance service levels
Users look to operations analytics to yield :
(Source : IDC)
ITOA is game changing.
Unleashing Innovation and Business Value with“IT OPERATIONS ANALYTICS”
http://www.itoa-landscape.org/
Analytic Required in Security domain
Data Breaches, Detected Late, Undetected.
• Move from Descriptive to Predictive Analysis • TopN -> Unsupervised Machine Learning
• Static Threshold-> Dynamic Threshold • Predefine Correlation Rules -> Auto detect
abnormaly
Major Issues in Detection and Response :
Source: Analytics and Intelligence Survey 2014, a SANS Survey, Written by David Shackleford, October 2014, p8
Source: Advanced Threat Detection with Machine-Generated Intelligence, Ponemon Institute, September 2015
Understanding the Challenge: What’s Normal or Abnormal In These Log Events?
Let’s do test for anomaly detection…
• Thresholds cannot catch this anomaly in periodic data
Anomaly Detection
Probabilistic Modeling and Analysis• Not just simple “Bell Curve” (average, stddev) that other techniques use• sophisticated machine-learning techniques to best-fit the right statistical model for your data.• Bayesian distribution modeling, time-series decomposition, clustering, and correlation analysis• Better models = better outlier detection = less false alarms
Models Matter• Simple models miss real outliers • Automatic Models with “Detectors”
Outliers<0.01% chance
likeliho
od
observed valuesX
ModelGaussian
Rare Events
Deviations in Counts or Values
Unusual vs. peers
===
“responsetime by host”“count by error_type”
“rare by EventID”“rare by process”
“sum(bytes) over client_ip”
Use Case 1:Find metrics deviation in time series• Automatic periodicity
Use Case 2:Find Important IDS/IPS EventsChallenge: How do you find the signs of advanced threats amid thousands of daily high-severity alerts? Difficulty of creating effective rules
results in a high false positive rate Advanced Evasion Techniques (AETs)
well-known to attackers
Use Case 2:Find Important IDS/IPS EventsSolution: Let machine learning filter out normal ‘noise’ and identify unusual counts, signatures, protocols and destinations by source
• Anomaly Detective generates a dozen or so alerts per week
• Accuracy & alert detail enable faster determination of threat level
I like AD because I haven’t had to tune a single IDS rule since it was deployed.- Craig Merchant, Senior Security Architect, Oracle
Use Case 3:Detect DNS Tunneling ActivityChallenge: How do you detect DNS Tunneling (C2, data exfiltrationsor other abuses of DNS) ?
Encrypted messages disguised as subdomains can contain control or data payloads
Insufficient monitoring of DNS for ‘tunneling’ activity poses a significant risk
Calculated information content= 3126
Deviations in Counts or Values
Use Case 3:Detect DNS Tunneling ActivityWhat impresses me about Anomaly Detective is its ability to automatically find anomalous behavior in machine data by relying on trends in the data itself instead of hard-coding rules.- Peter Davis, CTO, Turnberry Solutions
Solution:By detecting anomalies in DNS query subdomain characteristics
• Use Case: Learn typical processes on each host
• Find rare processes that “start up and communicate”
Use Case 3:Rare Items as AnomaliesRare Events
Finds FTP process running for 3 hours on system that doesn’t normally run
Use Case 4:Rare Items as Anomalies= “rare by process”
Use Case 5:Population / Peer Outliers
• Host sending 20,000 requests/hours• Attempt to hack an IIS webserver
= “sum(bytes) over host”
Unusual vs. peers
Adding Value to existing SIEM• Better results than threshold based searches
• Example: “Unusual AD access”• SIEM: 148 notables/day• Anomaly Detection: 2 significant anomalies/week (500x reduction)
• Example: “Proxy Data Exfiltration” • SIEM: sum(bytes_out) > 10MB => 50,000 notables/month• Anomaly Detection: 12 significant anomalies, including exfiltrations <10 MB
• More sophisticated anomaly detection• Example: DNS Tunneling, Malware Command & Control Activity
Value – Less time/effort for humans to triage
Value – Reduce risk by detecting APTs, malware, rogue users that otherwise go unnoticed
Additional Security ApplicationsNo. Threat Indicator Category Identify… …By Finding Anomalies In1 Data Exfiltration Credit card numbers, Electronic Health
Records being stolenFirewall Logs, Web Proxy Logs, Secure Web
Gateway Logs, DNS Logs2 Malware Command & Control Activity Infected systems beaconing Web Proxy Logs, DNS Request Logs, Firewall
Logs3 Suspicious Account Activity New account creation, privilege changes Server, Directory Logs, Audit Logs4 Unauthorized Login Attempts/Activity Smart brute force attacks Server, Directory Logs, Audit Logs5 Compromised Endpoints Spreading malware internally EDR/ AV logs, Netflow records6 Suspicious Server Behaviors New bit torrents, chat rooms, file services Process starts, network connections7 Unusual IDS/IPS Events Unusual security events from security tools IDS/IPS/IDP/NGFW logs8 Unusual Network Activity Launching DDoS attack, excessive DNS
requestsFirewall Logs, Web Proxy Logs, Secure Web Gateway Logs, Netflow records, DPI Logs
9 Abusive/Attacking IP Addresses External data scrapers, internal snoopers Firewall Logs, Web Proxy Logs, Secure Web Gateway Logs, Netflow records, DPI Logs
10 Disabled/Interrupted Logging Attempts to hide tracks All types of log data
SANS: “Organizations Need To Understand Their Environment And What Constitutes Normal And Abnormal Behavior, Train Staff On How To Use Analytic Tools
And Define The Data They Need To Collect.”[1]
[1] Analytics and Intelligence Survey 2014, a SANS Survey, Written by David Shackleford, October 2014 , p8.http://www.sans.org/reading-room/whitepapers/analyst/analytics-intelligence-survey-2014-35507[2] http://digital-forensics.sans.org/media/poster_2014_find_evil.pdf
[2]
Summary Advantages of ITOA• Reduces mean-time-to repair (MTTR) and Avoids downtime• Increases insights into correlation of end-user interaction and business activity• Reduces operations cost with the efficient use of skilled personal• Applies pattern and statistics based algorithms• Helps in extracting meaningful information
www.stelligence.com
www.facebook.com/stelligence.com
@stelligence.com
Santisook Limpeeticharoenchot