Security Analytics for Smart Grid - The SPARKS Project (slide transcript)


Upload: phamphuc

Post on 28-May-2018


1 © Copyright 2014 EMC Corporation. All rights reserved.

Security Analytics for Smart Grid

Dr. Robert W. Griffin, Chief Security Architect, RSA, the Security Division of EMC
[email protected] | blogs.rsa.com/author/griffin | @RobtWesGriffin

Slide 2

No Shortage of Hard Security Challenges

• Infrastructure Transformation (Mobile, Cloud): less control over access device and back-end infrastructure
• Threat Landscape Transformation (APTs, Sophisticated Fraud): fundamentally different tactics, more formidable than ever
• Business Transformation (Extended Workforce, Networked Value Chains, Big Data): more hyper-extended, more digital

Source: http://www.emc.com/collateral/industry-overview/h11391-rpt-information-security-shake-up.pdf?pid=sbiclandingpage-sbicspecialreport-122112

Slide 3

Emergence of New Attackers

• Nation state actors: PII, government, defense industrial base, IP-rich organizations
• Criminals (petty criminals, organized crime): organized, sophisticated supply chains (PII, financial services, retail)
• Non-state actors (terrorists, anti-establishment vigilantes, "hacktivists"): unsophisticated, targets of opportunity; PII, government, critical infrastructure

Slide 4

[Figure: timeline of a targeted attack. Events in order: Attack Begins, System Intrusion, Cover-Up Complete, Attack Identified, Response. Dwell Time runs from Attack Begins to Attack Identified; Response Time runs from Attack Identified to Response. Goals: (1) decrease dwell time, (2) speed response time. Targeted attacks are (1) targeted, with a specific objective, (2) stealthy, low and slow, (3) interactive, with human involvement. Cover-up, discovery and leap-frog attacks are marked on the timeline.]

Slide 5

Intelligence is the Game Changer

Slide 6

Security Analytics Use Cases

[Figure: security analytics architecture. Distributed data collection of packets and logs feeds live parsing and metadata tagging, producing packet metadata and log metadata. Capture-time data enrichment adds business and IT context: threat intelligence, rules, parsers, alerts, feeds, apps, directory services, reports and custom actions. Endpoint visibility and analysis and incident response sit alongside. Use cases served: reporting and alerting, investigation and forensics, compliance, malware analysis, intelligence feeds.]

Slide 7

Network Security Use Case (capture)

[Figure: the architecture of slide 6 with the packet path highlighted (packets, live parsing and metadata tagging, packet metadata); the log path is not shown and one element is labelled Optional.]

Slide 8

Incident Detection Use Case (streaming)

[Figure: the architecture of slide 6 with the log path highlighted (logs, live parsing and metadata tagging, log metadata); the packet path is not shown.]

Slide 9

Advanced Analysis Use Case (historical)

[Figure: the architecture of slide 6 repeated for the historical advanced-analysis use case, with both the packet and the log paths shown.]

Slide 10

Archived Storage Analysis Use Case (historical)

[Figure: the architecture of slide 6 repeated for the historical archived-storage analysis use case, with both the packet and the log paths shown.]

Slide 11

Anomalous Behavior Detection: Differentiating Cyber Criminals from Online Customers

[Figure: online banking page flow: Sign-in, Homepage, My Account, Bill Pay Home, Add Bill Payee, Enter Pay Amount, Select Bill Payee, Submit, Checking Account, View Checking.]

Signals used to tell the two apart:
• Velocity
• Page Sequence
• Origin
• Contextual Information

Slide 12

Compromised Host Investigation

1. Find the compromised server or workstation acting as a SPAM host: multiple outbound SMTP connections from the workstation; multiple internet DNS connections from the workstation.
2. Find out how the workstation got infected: the user clicked on a link and was infected by a Trojan from a drive-by download.
3. Recreate the phishing e-mail message and determine whether a targeted phishing attack is at play.
4. Analyze the malware and determine whether targeted or vanilla malware is in use.
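Step 1 above names two indicators of a host acting as a spam relay. As an added example (not RSA/EMC code), the following script applies that heuristic to a constructed connection log; the log format, the 10.0.0.0/8 internal range and the thresholds are assumptions.

```python
"""Spam-relay heuristic from slide 12: an internal host with many outbound SMTP
connections and many DNS queries sent to Internet servers. Added example, not RSA/EMC code."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed corporate address space
SMTP_THRESHOLD = 4  # distinct Internet mail servers per host (assumed)
DNS_THRESHOLD = 4   # distinct Internet DNS servers per host (assumed)

# Constructed connection log: "<timestamp> <src_ip> <dst_ip> <dst_port>"
SAMPLE_LOG = """\
2014-06-01T10:00:01 10.1.1.7 203.0.113.10 25
2014-06-01T10:00:02 10.1.1.7 203.0.113.11 25
2014-06-01T10:00:02 10.1.1.7 198.51.100.5 25
2014-06-01T10:00:03 10.1.1.7 192.0.2.20 25
2014-06-01T10:00:05 10.1.1.7 203.0.113.53 53
2014-06-01T10:00:05 10.1.1.7 198.51.100.53 53
2014-06-01T10:00:06 10.1.1.7 192.0.2.53 53
2014-06-01T10:00:06 10.1.1.7 203.0.113.54 53
2014-06-01T10:00:08 10.1.1.9 10.0.0.53 53
2014-06-01T10:00:09 10.1.1.9 10.0.0.25 25
2014-06-01T10:00:10 10.1.1.9 203.0.113.80 443
"""

def parse(log_text):
    """Yield (src, dst, dst_port) for each non-empty log line."""
    for line in log_text.splitlines():
        if line.strip():
            _ts, src, dst, port = line.split()
            yield ip_address(src), ip_address(dst), int(port)

def find_spam_hosts(log_text):
    """Return {src: {"smtp": n, "dns": m}} for internal hosts that exceed
    both thresholds; only internal-to-Internet connections are counted."""
    smtp_peers, dns_peers = defaultdict(set), defaultdict(set)
    for src, dst, port in parse(log_text):
        if src not in INTERNAL or dst in INTERNAL:
            continue  # ignore Internet sources and internal destinations
        if port == 25:
            smtp_peers[src].add(dst)
        elif port == 53:
            dns_peers[src].add(dst)
    suspects = {}
    for src in set(smtp_peers) | set(dns_peers):
        n_smtp, n_dns = len(smtp_peers[src]), len(dns_peers[src])
        if n_smtp >= SMTP_THRESHOLD and n_dns >= DNS_THRESHOLD:
            suspects[str(src)] = {"smtp": n_smtp, "dns": n_dns}
    return suspects
```

Host 10.1.1.9 uses the internal resolver and mail server and is not flagged; 10.1.1.7 talks to four distinct Internet mail servers and four distinct Internet DNS servers and is.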

Slide 13

Applying Security Analytics: Readiness, Response & Resilience (R3)

[Figure: operating model. A single UI for incident management and reporting, visibility and device administration, shared by the security architecture team and the IT team, backed by a data warehouse and ticketing system. Threat triage (Level 1, Level 2 and Level 3) is driven by workflow and automation, rules, alerts and reports, analytic intelligence, content intelligence and expertise. Inputs: controls (A/V, IDS/IPS, firewall/VPN, proxy, packets, host, file, DLP) producing SIEM log alerts, DLP alerts and signature-less alerts; threat intelligence; and context (business context, risk context, threat context) drawn from line of business owner, policy, assessments, criticality, vulnerability, subscriptions, community and open source.]

Slide 14

Questions for Discussion

• Are the concerns regarding changes in the threat landscape, information technology and business models relevant and significant?
• Are there use cases for security analytics for Smart Grid that would be a good place to start or are particularly important?
• If you do security analytics currently, what information sources do you use to inform your security analyses?
• Security and safety analysis are closely related. Do you perform safety-related analysis currently?
• What is the main challenge SPARKS should address in the area of security analytics?
• Are there issues that you see in terms of applying security analytics to Smart Grid?

Slide 15

Thank You

Slide 16

Additional Questions for Discussion

• How much data does your smart grid generate on average daily?
• How much of this data do you analyze?
• What is the most important device in terms of security in your smart grid network?
• What are the procedures that you use to check that it is properly working?