Security analytics: From data to action (h41382, 2014-09-12, 24 pages)

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Security analytics: From data to action – Visual and analytical approaches to detecting modern adversaries. Chris Calvert, CISSP, CISM – Director of Solutions Innovation


Page 1

Page 2

My job is innovation so I own the buzzword slides

(Google Trends chart: “Hype” versus “Action”)

Page 3

Most enterprises remain challenged with missing critical breaches

The security industry is not catching enough bad guys

100% of business networks have traffic going to known malware hosting websites (Cisco 2014 Annual Security Report)

229 days is the median duration breaches were present before discovery in 2013 (M-Trends Report)

Page 4

Bad guys know how to stay inside the bell curve. Why is this so hard?

Unknown: Harder to detect
• New behavior
• Goes to an approved place
• Works encrypted
• Authorized use
• Inside of baseline
• Outside monitored infrastructure

Known: Easier to detect
• Matches a signature
• Goes to a bad place
• Works in the clear
• Unauthorized use
• Outside of baseline
• Within monitored infrastructure

Page 5

If hackers are challenging, then insiders are …

(Slide figure listing: Source network, Time of day, Day of week, User identity, Target system, MAC address, Geography, HR status, Sensitivity of data, Coworkers, Lifestyle information; named insiders: Robert Hanssen, Aldrich Ames, Edward Snowden)

Page 6

The geography of security detection has changed. Data flows in many ways – where should we catch and analyze it?

(Slide figure: security data, enterprise data and context data feeding a data ocean)

Tactical: Streams of data
• Endpoint protection & logs
• Attacks easily detected & prevented

Operational: Rivers of data
• SIEM and Platform protection
• Attacks analyzed & responded to

Strategic: Oceans of data
• Often the missing piece
• Contains important intelligence

Endpoint and network security – signature and pattern based

Cyber defense: real-time correlation – known attack patterns

Hunt team: long term analytics – unknown attack patterns

Page 7

All data is not equal

And expensive… • $collect, $process, $analyze, $store, $manage

You should consider the small analytics problems first

Collect what matters to solving a real problem – are all these logs useful?

The conventional wisdom of collect everything and figure it out later is wrong!

Page 8

Detection techniques

(Slide matrix laid out on two axes: Understand / Explore / Explain / Detect, and Breadth / Depth)

Basic Context • Asset, Network • Identity / HR

Advanced Context • Application • Flow & Payload

Technical Intelligence • Forensics • IOC Identification

Human Intelligence • Sentiment analysis • Motivation

Adhoc Query • Small dataset • Basic analysis

IOC Search • Indicator lists • STIX/TAXII

Analytical Query • Analytical data mart • Big data scale

Visualization • 1 Billion events in one picture

Reporting • Threat • Compliance

Scoring • Highlight risk • Profiling

Data Mining • Clustering, Aggregation • Affinity Grouping

Machine Learning • Classification • The matrix…

Monitoring • RT Correlation • ArcSight ESM

Historical Analysis • LT Correlation • Epidemiology

Statistical Analysis • R programming • Standard deviation

Behavioral Baseline • Insider Threat

We need to expand our detection capabilities. Adding advanced analytics to detection is critical to the future of security.

Page 9

What stopped us from this kind of analysis?

Page 10

Analytics of the future relies on columnar retrieval: compression, clustering, distributed query

Page 11

Disciplines of analytics

Find needles and understand haystacks using…
• Classification – context (asset model, etc…)
• Correlation – real-time (ESM) and historical
• Clustering – common root cause
• Affinity Grouping – relationships in data
• Aggregation – assemble attacker profile
• Statistical Analysis – reporting and anomalies

Page 12

Visualization of big data – affinity group

This example reveals a command and control infrastructure

Business statement • Find command and control infrastructure in your enterprise

Analytics statement • Identify affinity groups • Investigate anomalous groupings

(Slide figure: 1 million events, with the anomalous grouping highlighted)

Findings from visualization • Hierarchical, highly-resilient C&C infrastructure
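As an added example (not from the slides and not HP's tooling), here is the affinity-grouping step above done as a query rather than a picture: hosts whose sets of external destinations overlap strongly are linked into groups, and each group is ranked by how exclusive its shared destinations are to that group. The flow records, hostnames, the 0.5 Jaccard cut-off and the exclusivity score are all constructed assumptions.

```python
from collections import defaultdict
from itertools import combinations

# Constructed outbound-connection records (internal host, external destination).
# The first rows are ordinary traffic to widely used services; the last block is a
# planted group of five hosts that all talk to the same three otherwise-unseen
# destinations, which is the shape a C&C infrastructure takes in an affinity view.
FLOWS = [
    ("ws-01", "cdn.example-a.net"), ("ws-02", "cdn.example-a.net"), ("ws-03", "cdn.example-a.net"),
    ("ws-01", "mail.example-b.org"), ("ws-04", "mail.example-b.org"), ("ws-05", "mail.example-b.org"),
    ("ws-06", "updates.example-c.com"), ("ws-07", "updates.example-c.com"),
    ("ws-08", "news.example-d.com"),
    ("ws-11", "cdn.example-a.net"),
] + [
    (host, dest)
    for host in ("ws-11", "ws-12", "ws-13", "ws-14", "ws-15")
    for dest in ("203.0.113.10", "203.0.113.11", "203.0.113.12")
]


def jaccard(a, b):
    """Overlap of two sets: |A & B| / |A | B|."""
    return len(a & b) / len(a | b)


def affinity_groups(flows, threshold=0.5, min_size=2):
    """Link hosts whose destination sets overlap (Jaccard >= threshold, an assumed
    cut-off), merge the links into groups with union-find, and describe each group
    by the destinations every member shares and how exclusive those destinations
    are to the group (1.0 means nobody outside the group has ever contacted them)."""
    dests = defaultdict(set)        # host -> destinations it contacted
    dest_hosts = defaultdict(set)   # destination -> hosts that contacted it
    for host, dest in flows:
        dests[host].add(dest)
        dest_hosts[dest].add(host)

    parent = {host: host for host in dests}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for a, b in combinations(sorted(dests), 2):
        if jaccard(dests[a], dests[b]) >= threshold:
            parent[find(a)] = find(b)

    members = defaultdict(set)
    for host in dests:
        members[find(host)].add(host)

    groups = []
    for hosts in members.values():
        if len(hosts) < min_size:
            continue
        shared = set.intersection(*(dests[h] for h in hosts))
        outsiders = {h for d in shared for h in dest_hosts[d]} - hosts
        exclusivity = 0.0 if not shared else len(hosts) / (len(hosts) + len(outsiders))
        groups.append({"hosts": frozenset(hosts), "shared": frozenset(shared),
                       "exclusivity": exclusivity})
    # Most exclusive, then largest, first: the grouping an analyst should open first.
    groups.sort(key=lambda g: (g["exclusivity"], len(g["hosts"])), reverse=True)
    return groups


if __name__ == "__main__":
    for g in affinity_groups(FLOWS):
        print(sorted(g["hosts"]), sorted(g["shared"]), round(g["exclusivity"], 2))
```

The ordinary hosts also form a group (they overlap through the CDN and mail service), but that group shares no single destination across all members and scores 0.0; the planted group scores 1.0 on three destinations that nothing else in the environment has touched, which is the "anomalous grouping" to investigate.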

Page 13

Visualization of big data – scatterplot

This example reveals a low and slow scan

Business statement • Find sophisticated port scan activity (distributed, randomized)

Analytics statement • Plot multiple months of data on one scatterplot

(Slide figure: billions of events)

Findings from visualization • Single multi-week scan from distributed, internal sources indicates advanced attacker
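Added example, not from the slides: why the multi-week scatterplot catches what a per-day detector misses. The records are constructed, with four internal hosts each touching only two new ports of one target per day for three weeks, so no (day, source) pair ever crosses a per-day port threshold; aggregating per target across all sources and the whole window, which is what the scatterplot does visually, makes the scan obvious. Hostnames, addresses and thresholds are assumptions.

```python
from collections import defaultdict

SCANNERS = ("ws-21", "ws-34", "ws-58", "ws-77")   # constructed compromised internal hosts


def build_records():
    """Constructed connection attempts as (day, source, destination, dest_port) over
    three weeks. Ten workstations reach the file server on 445 every day; the four
    scanning hosts each probe two fresh ports of one target per day, so no single
    source looks like a scan on any single day. (A real scan of this kind would
    randomize port order; the sequence here is deterministic for reproducibility.)"""
    records = []
    for day in range(21):
        for i in range(1, 11):
            records.append((day, f"ws-{i:02d}", "10.0.5.5", 445))
        for s, src in enumerate(SCANNERS):
            for k in range(2):
                port = 1000 + (day * len(SCANNERS) + s) * 2 + k
                records.append((day, src, "10.0.5.20", port))
    return records


def daily_scan_alerts(records, min_ports=10):
    """The conventional detector: distinct ports per (day, source, destination).
    Returns the keys that crossed the threshold."""
    ports = defaultdict(set)
    for day, src, dst, port in records:
        ports[(day, src, dst)].add(port)
    return sorted(key for key, p in ports.items() if len(p) >= min_ports)


def slow_scan_findings(records, min_ports=50, min_sources=2, min_days=7):
    """Aggregate per destination across every source and the whole window.
    Thresholds are assumed values. Returns destination -> summary for targets whose
    port coverage could only have been built up slowly and from several sources."""
    ports, sources, days = defaultdict(set), defaultdict(set), defaultdict(set)
    for day, src, dst, port in records:
        ports[dst].add(port)
        sources[dst].add(src)
        days[dst].add(day)
    findings = {}
    for dst in ports:
        if (len(ports[dst]) >= min_ports and len(sources[dst]) >= min_sources
                and len(days[dst]) >= min_days):
            findings[dst] = {"ports": len(ports[dst]),
                             "sources": sorted(sources[dst]),
                             "days": len(days[dst])}
    return findings


if __name__ == "__main__":
    recs = build_records()
    print("per-day alerts:", daily_scan_alerts(recs))      # nothing fires
    print("aggregated:", slow_scan_findings(recs))         # one target, 168 ports, 4 sources, 21 days
```

The cost of the second query is the point of the earlier slides on columnar retrieval: it needs every connection record for the window, grouped by destination, rather than the day's slice a real-time correlation engine works on.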

Page 14

Visualization of big data – anomaly chart

This example reveals inappropriate communication (bottom 10 phenomenon)

Business statement • Find servers talking to suspicious hosts outside the network

Analytics statement • Plot all suspicious successful communications and review

(Slide figure: graph filtered from billions of events, with the anomalous line highlighted)

Findings from visualization • A host communicated w/ suspicious external website • Unique in that no other host in the environment has ever talked to this external website
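Added example, not from the slides: the "bottom 10" as a query. Instead of ranking external destinations by how much traffic they receive (the top 10, which is always the CDN and the mail provider), rank them by how few distinct internal hosts have ever reached them, and keep only successful exchanges so a blocked attempt does not count as contact. The proxy lines, hostnames, addresses and the set of statuses treated as successful are constructed assumptions.

```python
from collections import defaultdict

# Constructed proxy log lines: internal host, external destination, HTTP status.
PROXY_LOG = """\
ws-01,cdn.example-a.net,200
ws-02,cdn.example-a.net,200
ws-03,cdn.example-a.net,200
ws-04,cdn.example-a.net,200
ws-05,cdn.example-a.net,304
ws-01,mail.example-b.org,200
ws-02,mail.example-b.org,200
ws-03,mail.example-b.org,200
srv-web-01,updates.example-c.com,200
srv-web-02,updates.example-c.com,200
srv-web-01,203.0.113.55,403
srv-db-02,198.51.100.77,200
srv-db-02,198.51.100.77,200
""".splitlines()

SUCCESS = {"200", "301", "302", "304"}   # assumed: statuses that count as a completed exchange


def hosts_per_destination(lines, success=SUCCESS):
    """Distinct internal hosts behind each external destination, counting only
    successful exchanges (a blocked attempt says nothing about what was reached)."""
    hosts = defaultdict(set)
    for line in lines:
        host, dest, status = line.split(",")
        if status in success:
            hosts[dest].add(host)
    return hosts


def bottom_n(lines, n=10):
    """The 'bottom 10': destinations contacted by the fewest distinct hosts, rarest first."""
    counts = hosts_per_destination(lines)
    ranked = sorted(counts.items(), key=lambda kv: (len(kv[1]), kv[0]))
    return [(dest, sorted(hosts)) for dest, hosts in ranked[:n]]


def unique_talkers(lines):
    """Destinations that exactly one host in the environment has ever reached,
    the 'no other host has ever talked to this website' finding from the slide."""
    return [(dest, hosts[0]) for dest, hosts in bottom_n(lines) if len(hosts) == 1]


if __name__ == "__main__":
    for dest, hosts in bottom_n(PROXY_LOG):
        print(len(hosts), dest, hosts)
    print("unique:", unique_talkers(PROXY_LOG))
```

On a real proxy feed the host count per destination is the columnar aggregate to precompute; the review step is then reading the short list, and the database server that alone has reached one external address is the line to pull.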

Page 15

Analyzing the haystack – aka reporting

(Slide chart: volume over time)

Page 16

The holy grail – predictive analytics

Analysis can help you determine behavioral chains to find the next expected event

If you can determine typical steps in a breach, fraud or attack life-cycle, you can introduce actions to monitor or block the activity following the behavior

We know this is hard! Yet none of this is possible without big data and analytics. You are building capabilities that can grow with the maturity of your security program.

(Slide figure: life-cycle steps 1 to 7; risk increases as activities connect)
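Added example, not from the slides: the behavioral-chain idea reduced to code. Each observed event is mapped to a step in an assumed seven-step life-cycle (the slide only numbers its steps); per host, risk is the longest run of consecutive steps seen so far, the next expected event is the step after that run, and an action (monitor or block) is attached to that next step. The stage names, events and the threshold at which monitoring becomes blocking are all constructed assumptions.

```python
from collections import defaultdict

# Assumed seven-step life-cycle, standing in for the numbered steps on the slide.
STAGES = ["recon", "initial_access", "execution", "persistence",
          "command_and_control", "lateral_movement", "exfiltration"]

# Constructed observations in time order: (host, stage the event was mapped to).
EVENTS = [
    ("ws-01", "recon"), ("ws-01", "initial_access"), ("ws-01", "execution"),
    ("ws-02", "initial_access"),
    ("ws-03", "recon"), ("ws-03", "execution"),            # steps seen but not connected
    ("ws-04", "persistence"), ("ws-04", "command_and_control"),
    ("ws-04", "lateral_movement"), ("ws-04", "exfiltration"),
]


def chain_state(events, stages=STAGES, block_at=3):
    """Per host: the longest run of consecutive life-cycle steps observed (risk rises
    as activities connect), the step the chain predicts next, and the action to attach
    to that step. block_at is an assumed policy threshold on the run length."""
    seen = defaultdict(set)
    for host, stage in events:
        seen[host].add(stages.index(stage))
    state = {}
    for host, idx in seen.items():
        run, best_len, best_end = 0, 0, -1
        for i in range(len(stages)):
            run = run + 1 if i in idx else 0
            if run > 0 and run >= best_len:     # ties go to the most recent step
                best_len, best_end = run, i
        nxt = stages[best_end + 1] if best_end + 1 < len(stages) else None
        state[host] = {"risk": best_len, "next_expected": nxt,
                       "action": "block" if best_len >= block_at else "monitor"}
    return state


def watchlist(state):
    """Invert the per-host view into the rule a monitoring system needs:
    for each upcoming step, which hosts to block on it and which to only monitor."""
    rules = defaultdict(lambda: {"block": [], "monitor": []})
    for host, s in sorted(state.items()):
        if s["next_expected"] is not None:
            rules[s["next_expected"]][s["action"]].append(host)
    return dict(rules)


if __name__ == "__main__":
    st = chain_state(EVENTS)
    for host, s in sorted(st.items()):
        print(host, s)
    print(watchlist(st))
```

The host with three connected steps gets a block rule on the fourth; the host with two disconnected steps stays at risk 1 and is merely watched, which is the "risk increases as activities connect" rule from the figure. A host already at the last step has no next event to predict, which is the case where prediction is too late and response has to take over.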

Page 17

Security analytics = exploration

Data exploration is key!
• Explore!
• Ask adhoc questions
• Refine data mart (query or side table)
• Develop repeatable solution
• Drive events back to ESM
• Explore some more

http://h30499.www3.hp.com/t5/HP-Security-Products-Blog/Important-Questions-for-Big-Security-Data/

Page 18

Hunt team – the way to operationalize analytics

(Slide figure: process)

Page 19

Your hunt team needs a 2-sided skill set: security and data science

Roles and personas

Security specialist:
• The “go to” person to get to the bottom of any major security incidents, and responsible for actively hunting for indicators of breach
• This person understands and researches hyper-current attacker tactics, techniques and procedures

Data scientist:
• Knowledgeable enough to run specialized queries. Tasked to regularly find interesting anomalies or affinities in the data to review with the security specialist.
• This person optimizes tooling/searches, finding patterns that can increase risk probability factors and finding common patterns in attacks.

Page 20

They’re in there! Let’s find them.

Page 21

For more information

After the event
• Contact your sales rep
• Check out our blog: hp.com/go/securityproductsblog

Your feedback is important to us. Please take a few minutes to complete the session survey.


Page 22

Please give me your feedback

Please fill out a survey. Hand it to the door monitor on your way out.

Thank you for providing your feedback, which helps us enhance content for future events.

Session TB3272, speaker Chris Calvert

Page 23

Thank you
