Security Analytics for Smart Grid - The SPARKS Project · Network Security Use Case (capture)...
TRANSCRIPT
1 © Copyright 2014 EMC Corporation. All rights reserved.
Security Analytics for Smart Grid
Dr. Robert W. Griffin
Chief Security Architect, RSA, the Security Division of EMC
[email protected]
blogs.rsa.com/author/griffin
@RobtWesGriffin
Slide 2
No Shortage of Hard Security Challenges
Infrastructure Transformation: Mobile, Cloud. Less control over access device and back-end infrastructure.
Threat Landscape Transformation: APTs, Sophisticated Fraud. Fundamentally different tactics, more formidable than ever.
Business Transformation: More hyper-extended, more digital. Extended Workforce, Networked Value Chains, Big Data.
http://www.emc.com/collateral/industry-overview/h11391-rpt-information-security-shake-up.pdf?pid=sbiclandingpage-sbicspecialreport-122112
Slide 3
Emergence of New Attackers
Nation state actors: targets include PII, government, defense industrial base, IP rich organizations.
Criminals: petty criminals (unsophisticated) and organized crime, with organized, sophisticated supply chains (PII, financial services, retail).
Non-state actors: terrorists, anti-establishment vigilantes, "hacktivists"; targets of opportunity, PII, government, critical infrastructure.
Slide 4
[Timeline figure: Attack Begins → System Intrusion → Cover-Up Complete → Attack Identified → Response. Dwell Time (1) runs from Attack Begins to Attack Identified; Response Time (2) runs from Attack Identified to Response. Goals: 1 Decrease Dwell Time, 2 Speed Response Time. Also marked on the timeline: Cover-Up, Discovery, Leap Frog Attacks.]
Targeted Attacks: 1 TARGETED (specific objective), 2 STEALTHY (low and slow), 3 INTERACTIVE (human involvement).
Slide 6
Security Analytics Use Cases
[Architecture diagram: Distributed Data Collection ingests PACKETS and LOGS; LIVE PARSING & METADATA TAGGING produces PACKET METADATA and LOG METADATA; Capture Time Data Enrichment adds Additional Business & IT Context (Threat Intelligence | Rules | Parsers | Alerts | Feeds | Apps | Directory Services | Reports & Custom Actions). Consumers: Incident Response, Endpoint Visibility & Analysis, Reporting & Alerting, Investigation & Forensics, Compliance, Malware Analysis, Intelligence Feeds.]
Slide 7
Network Security Use Case (capture)
[Same architecture diagram as slide 6; this use case exercises the packet path (PACKETS → LIVE PARSING & METADATA TAGGING → PACKET METADATA). Logs are not shown and are marked Optional.]
Slide 8
Incident Detection Use Case (streaming)
[Same architecture diagram as slide 6; this use case exercises the log path (LOGS → LIVE PARSING & METADATA TAGGING → LOG METADATA). Packet capture is not shown.]
Slide 9
Advanced Analysis Use Case (historical)
[Same full architecture diagram as slide 6, with both the packet path and the log path feeding the analysis consumers.]
Slide 10
Archived Storage Analysis Use Case (historical)
[Same full architecture diagram as slide 6, with both the packet path and the log path feeding the analysis consumers.]
Slide 11
Anomalous Behavior Detection
Differentiating Cyber Criminals from Online Customers
[Page-flow figure of an online banking session. Pages shown: Sign-in, Homepage, My Account, Bill Pay Home, Add Bill Payee, Select Bill Payee, Enter Pay Amount, Submit, Checking Account, View Checking.]
Signals used to separate criminals from customers:
• Velocity
• Page Sequence
• Origin
• Contextual Information
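One way to turn the four signals on this slide into a session score, as an added example that is not part of the deck or any RSA product: the allowed page transitions, the velocity threshold, the known-origin set and the two sessions are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Which page may legitimately follow which; assumed from the slide's page flow.
ALLOWED_NEXT = {
    "Sign-in": {"Homepage"},
    "Homepage": {"My Account", "Checking Account"},
    "My Account": {"Bill Pay Home", "Checking Account", "Homepage"},
    "Checking Account": {"View Checking", "Homepage"},
    "View Checking": {"Homepage", "My Account"},
    "Bill Pay Home": {"Add Bill Payee", "Select Bill Payee", "Homepage"},
    "Add Bill Payee": {"Select Bill Payee", "Bill Pay Home"},
    "Select Bill Payee": {"Enter Pay Amount", "Bill Pay Home"},
    "Enter Pay Amount": {"Submit", "Select Bill Payee"},
    "Submit": {"Bill Pay Home", "Homepage"},
}
MIN_HUMAN_SECONDS = 2.0  # page-to-page gaps below this look scripted (assumed)

def score_session(events, known_origins):
    """events: ordered list of (timestamp, page, src_ip). Returns a list of findings."""
    findings = []
    if events and events[0][1] != "Sign-in":
        findings.append("sequence: session does not start at Sign-in")
    if events and events[0][2] not in known_origins:
        findings.append(f"origin: {events[0][2]} never seen for this account")
    for (t0, p0, ip0), (t1, p1, ip1) in zip(events, events[1:]):
        gap = (t1 - t0).total_seconds()
        if p1 not in ALLOWED_NEXT.get(p0, set()):  # page-sequence signal
            findings.append(f"sequence: {p0} -> {p1} is not an allowed transition")
        if gap < MIN_HUMAN_SECONDS:  # velocity signal
            findings.append(f"velocity: {p0} -> {p1} in {gap:.1f}s")
        if ip1 != ip0:  # origin signal
            findings.append(f"origin: source changed {ip0} -> {ip1} mid-session")
    return findings

# Constructed sessions: one plausible customer, one scripted run straight to Submit.
T0 = datetime(2014, 5, 1, 9, 0, 0)
def _mk(steps):
    return [(T0 + timedelta(seconds=s), page, ip) for s, page, ip in steps]
KNOWN_ORIGINS = {"192.0.2.10"}
HUMAN = _mk([(0, "Sign-in", "192.0.2.10"), (4, "Homepage", "192.0.2.10"),
             (9, "My Account", "192.0.2.10"), (15, "Bill Pay Home", "192.0.2.10"),
             (22, "Select Bill Payee", "192.0.2.10"), (31, "Enter Pay Amount", "192.0.2.10"),
             (40, "Submit", "192.0.2.10")])
SCRIPTED = _mk([(0, "Sign-in", "198.51.100.7"), (0.3, "Add Bill Payee", "198.51.100.7"),
                (0.6, "Enter Pay Amount", "198.51.100.7"), (0.9, "Submit", "198.51.100.7")])

if __name__ == "__main__":
    for name, s in (("human", HUMAN), ("scripted", SCRIPTED)):
        print(name, score_session(s, KNOWN_ORIGINS))
```

The contextual-information signal from the slide (device, account history, transaction amount) would be layered on the same findings list; it is left out here because the deck gives no specifics for it.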
Slide 12
Compromised Host Investigation
1. Find the compromised server or workstation acting as a SPAM host: multiple outbound SMTP connections from the workstation; multiple Internet DNS connections from the workstation.
2. Find out how the workstation got infected: the user clicked on the link and got infected by a Trojan from a drive-by download.
3. Recreate the phishing e-mail message; determine whether a targeted phishing attack is at play.
4. Analyze the malware; determine whether targeted or vanilla malware is in use.
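The first step of this investigation, the SPAM-host hunt, expressed as detection logic over packet metadata. This is an added example, not code from the deck or from RSA Security Analytics; the address ranges, the sanctioned relay, the thresholds and the flow records are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed corporate range (constructed)
KNOWN_MAIL_RELAYS = {"10.0.0.25"}     # hosts allowed to speak SMTP outbound
SMTP_PORTS = {25, 465, 587}
SMTP_THRESHOLD = 5   # distinct Internet SMTP peers per host before we flag
DNS_THRESHOLD = 3    # distinct Internet resolvers per host before we flag

# Constructed packet metadata: (src, dst, dst_port, proto) per observed connection.
FLOWS = [("10.0.1.17", f"203.0.113.{n}", 25, "tcp") for n in range(1, 6)]    # spam host
FLOWS += [("10.0.1.17", f"198.51.100.{n}", 53, "udp") for n in range(1, 4)]  # bypasses resolvers
FLOWS += [("10.0.0.25", f"203.0.113.{n}", 25, "tcp") for n in range(10, 16)]  # sanctioned relay
FLOWS += [("10.0.2.5", "10.0.0.53", 53, "udp"),       # normal host: internal DNS ...
          ("10.0.2.5", "203.0.113.9", 587, "tcp")]    # ... and a single SMTP connection

def is_internal(ip):
    return ip_address(ip) in INTERNAL

def find_spam_hosts(flows, smtp_threshold=SMTP_THRESHOLD, dns_threshold=DNS_THRESHOLD):
    """Return {host: [reasons]} for internal hosts matching the slide's two signals."""
    smtp_peers = defaultdict(set)   # host -> distinct Internet SMTP destinations
    dns_peers = defaultdict(set)    # host -> distinct Internet DNS destinations
    for src, dst, dport, proto in flows:
        if not is_internal(src) or is_internal(dst):
            continue  # only internal -> Internet connections matter here
        if proto == "tcp" and dport in SMTP_PORTS and src not in KNOWN_MAIL_RELAYS:
            smtp_peers[src].add(dst)
        elif proto == "udp" and dport == 53:  # DNS that skips the internal resolvers
            dns_peers[src].add(dst)
    findings = {}
    for host in set(smtp_peers) | set(dns_peers):
        reasons = []
        if len(smtp_peers[host]) >= smtp_threshold:
            reasons.append(f"{len(smtp_peers[host])} outbound SMTP peers")
        if len(dns_peers[host]) >= dns_threshold:
            reasons.append(f"{len(dns_peers[host])} Internet DNS resolvers")
        if reasons:
            findings[host] = reasons
    return findings

if __name__ == "__main__":
    for host, why in find_spam_hosts(FLOWS).items():
        print(host, "->", "; ".join(why))
```

Counting distinct peers rather than raw connections keeps a single busy mail session from tripping the rule, and the relay allow-list is what keeps the legitimate mail server out of the finding list.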
Slide 13
Applying Security Analytics: Readiness, Response & Resilience (R3)
[Operating-model diagram, recoverable labels:]
Single UI; Incident Management & Reporting; Visibility; Workflow & Automation, Rules, Alerts & Reports.
Teams and systems: Security Architecture Team; Device Administration; Data Warehouse & Ticketing System; IT Team.
Threat Triage: Level 1 Triage, Level 2 Triage, Level 3 Triage, backed by Analytic Intelligence, Content Intelligence and Expertise.
Threat Intelligence: Subscriptions, Community, Open Source.
Controls: A/V, IDS/IPS, Firewall/VPN, Proxy, Packets, Host, File, DLP.
Alerts: SIEM Log Alerts, DLP Alerts, Signature-less Alerts.
Context: Business Context (Line of Business Owner, Policy); Risk Context (Assessments, Criticality, Vulnerability); Threat Context.
Slide 14
Questions for Discussion
Are the concerns regarding changes in the threat landscape, information technology and business models relevant and significant?
Are there use cases for security analytics for Smart Grid that would be a good place to start or are particularly important?
If you do security analytics currently, what information sources do you use to inform your security analyses?
Security and safety analysis are closely related. Do you perform safety-related analysis currently?
What is the main challenge SPARKS should address in the area of security analytics?
Are there issues that you see in terms of applying security analytics to Smart Grid?
Slide 16
Additional Questions for Discussion
How much data does your smart grid generate on average daily?
How much of this data do you analyze?
What is the most important device in terms of security in your smart grid network?
What are the procedures that you use to check that it is properly working?