Security analytics: From data to action · h41382 · 2014-09-12
TRANSCRIPT
Page 1
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Security analytics: From data to action
Visual and analytical approaches to detecting modern adversaries
Chris Calvert, CISSP, CISM – Director of Solutions Innovation
Page 2
My job is innovation, so I own the buzzword slides.
(Google Trends chart: "hype" vs. "action")
Page 3
Most enterprises remain challenged with missing critical breaches
The security industry is not catching enough bad guys
100% of business networks have traffic going to known malware hosting websites (Cisco 2014 Annual Security Report)
229 days is the median time a breach was present before discovery in 2013 (M-Trends Report)
Page 4
Bad guys know how to stay inside the bell curve. Why is this so hard?
Unknown: Harder to detect
• New behavior
• Goes to an approved place
• Works encrypted
• Authorized use
• Inside of baseline
• Outside monitored infrastructure
Known: Easier to detect
• Matches a signature
• Goes to a bad place
• Works in the clear
• Unauthorized use
• Outside of baseline
• Within monitored infrastructure
Page 5
If hackers are challenging, then insiders are …
Source network • Time of day • Day of week • User identity • Target system • MAC address • Geography • HR status • Sensitivity of data • Coworkers • Lifestyle information
Examples: Robert Hanssen, Aldrich Ames, Edward Snowden
Page 6
The geography of security detection has changed
Data flows in many ways – where should we catch and analyze it?
Security data • Enterprise data • Context data • Data ocean
Tactical: Streams of data
• Endpoint protection & logs
• Attacks easily detected & prevented
(Endpoint and network security: signature and pattern based)
Operational: Rivers of data
• SIEM and platform protection
• Attacks analyzed & responded to
(Cyber defense: real-time correlation, known attack patterns)
Strategic: Oceans of data
• Often the missing piece
• Contains important intelligence
(Hunt team: long-term analytics, unknown attack patterns)
Page 7
All data is not equal
And expensive… $collect, $process, $analyze, $store, $manage
You should consider the small analytics problems first
Collect what matters to solving a real problem – are all these logs useful?
The conventional wisdom of "collect everything and figure it out later" is wrong!
Page 8
Detection techniques
(matrix axes: Understand, Explore, Explain, Detect; Breadth vs. Depth)
• Basic Context – Asset, Network; Identity / HR
• Advanced Context – Application; Flow & Payload
• Technical Intelligence – Forensics; IOC Identification
• Human Intelligence – Sentiment analysis; Motivation
• Adhoc Query – Small dataset; Basic analysis
• IOC Search – Indicator lists; STIX/TAXII
• Analytical Query – Analytical data mart; Big data scale
• Visualization – 1 billion events in one picture
• Reporting – Threat; Compliance
• Scoring – Highlight risk; Profiling
• Data Mining – Clustering, Aggregation; Affinity Grouping
• Machine Learning – Classification; The matrix…
• Monitoring – RT Correlation; ArcSight ESM
• Historical Analysis – LT Correlation; Epidemiology
• Statistical Analysis – R programming; Standard deviation
• Behavioral Baseline – Insider Threat
We need to expand our detection capabilities. Adding advanced analytics to detection is critical to the future of security.
Page 9
What stopped us from this kind of analysis?
Page 10
Analytics of the future relies on columnar retrieval
Compression • Clustering • Distributed Query
Page 11
Disciplines of analytics
Find needles and understand haystacks using…
• Classification – context (asset model, etc…)
• Correlation – real-time (ESM) and historical
• Clustering – common root cause
• Affinity Grouping – relationships in data
• Aggregation – assemble attacker profile
• Statistical Analysis – reporting and anomalies
Page 12
Visualization of big data – affinity group
This example reveals a command and control infrastructure
Business statement: find command and control infrastructure in your enterprise
Analytics statement: identify affinity groups; investigate anomalous groupings
(graph of 1 million events; the anomalous grouping is called out)
Findings from visualization: hierarchical, highly-resilient C&C infrastructure
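The affinity-group analysis on this slide (and the "Affinity Grouping – relationships in data" discipline on page 11), worked through in code. This is an added example, not code from the deck or from HP ArcSight; the connection records, the internal and external addresses, and the support, confidence and coverage thresholds are constructed assumptions. It links two external destinations when nearly all of the hosts that contact one also contact the other, takes the connected components of those links as affinity groups, and flags the groups that only a small slice of the enterprise belongs to.

```python
"""Affinity grouping over outbound-connection records.

Added example (not from the original deck).  The records, host names and
thresholds below are constructed for illustration.
"""
import csv
import io
from collections import defaultdict

# Constructed outbound-connection log (internal source -> external destination).
# Hosts 10.1.1.10-15 are ordinary workstations; 10.1.2.20-22 are the planted
# infected hosts, each beaconing to the same primary plus two fallback servers.
CONNECTION_LOG = """\
src,dst
10.1.1.10,cdn.example.net
10.1.1.10,mail.example.org
10.1.1.11,cdn.example.net
10.1.1.11,mail.example.org
10.1.1.12,cdn.example.net
10.1.1.12,mail.example.org
10.1.1.13,cdn.example.net
10.1.1.13,mail.example.org
10.1.1.14,cdn.example.net
10.1.1.14,mail.example.org
10.1.1.15,cdn.example.net
10.1.1.15,mail.example.org
10.1.2.20,203.0.113.5
10.1.2.20,203.0.113.6
10.1.2.20,198.51.100.9
10.1.2.21,203.0.113.5
10.1.2.21,203.0.113.6
10.1.2.21,198.51.100.9
10.1.2.22,203.0.113.5
10.1.2.22,203.0.113.6
10.1.2.22,198.51.100.9
10.1.2.22,cdn.example.net
10.1.3.30,198.51.100.77
"""


def parse_records(text):
    """Return (src, dst) pairs from the CSV text."""
    return [(row["src"], row["dst"]) for row in csv.DictReader(io.StringIO(text))]


def affinity_groups(records, min_support=3, min_confidence=0.8):
    """Group destinations that are contacted together by the same internal hosts.

    Two destinations a and b are linked when at least `min_support` hosts contact
    both and that shared set is at least `min_confidence` of the hosts contacting
    either one.  Connected components of linked destinations are the affinity
    groups; each is reported with the hosts common to every destination in it
    and the fraction of all internal hosts those hosts represent.
    """
    hosts_by_dst = defaultdict(set)
    for src, dst in records:
        hosts_by_dst[dst].add(src)
    all_hosts = {src for src, _ in records}

    dsts = sorted(hosts_by_dst)
    adj = defaultdict(set)
    for i, a in enumerate(dsts):
        for b in dsts[i + 1:]:
            shared = hosts_by_dst[a] & hosts_by_dst[b]
            if len(shared) < min_support:
                continue
            conf = len(shared) / max(len(hosts_by_dst[a]), len(hosts_by_dst[b]))
            if conf >= min_confidence:
                adj[a].add(b)
                adj[b].add(a)

    groups, seen = [], set()
    for d in dsts:
        if d in seen or d not in adj:
            continue
        component, stack = set(), [d]
        while stack:
            x = stack.pop()
            if x in component:
                continue
            component.add(x)
            stack.extend(adj[x] - component)
        seen |= component
        common_hosts = set.intersection(*(hosts_by_dst[x] for x in component))
        groups.append({
            "destinations": sorted(component),
            "hosts": sorted(common_hosts),
            "coverage": len(common_hosts) / len(all_hosts),
        })
    return groups


def anomalous_groups(groups, max_coverage=0.4):
    """Tight cliques shared by only a small slice of the enterprise are the ones
    to investigate; groups that most hosts belong to (CDN, mail) are normal."""
    return [g for g in groups if g["coverage"] <= max_coverage]


if __name__ == "__main__":
    groups = affinity_groups(parse_records(CONNECTION_LOG))
    for g in anomalous_groups(groups):
        print(f"{len(g['hosts'])} hosts share {g['destinations']} "
              f"({g['coverage']:.0%} of hosts): {g['hosts']}")
```

On the constructed data the CDN and mail destinations form one broad, benign group (most hosts contact both), while the three raw IP addresses form a second group that exactly three hosts contact and nobody else does. A set of destinations that is always visited together, by the same small population, is the signature of a primary C&C server with fallbacks, which is why the analyst's attention goes to the low-coverage group rather than to the biggest one.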
Page 13
Visualization of big data – scatterplot
This example reveals a low and slow scan
Business statement: find sophisticated port scan activity (distributed, randomized)
Analytics statement: plot multiple months of data on one scatterplot
(scatterplot of billions of events)
Findings from visualization: a single multi-week scan from distributed, internal sources indicates an advanced attacker
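The low-and-slow scan on this slide, worked through in code as an added example (not the deck's or HP's code). The connection records, addresses, the one-hour real-time window and the long-window thresholds are constructed assumptions. It plants a scan of one target that is split across four internal sources, each probing three random ports a day for three weeks, then shows that a conventional per-source, per-hour port-count rule never fires while aggregating the whole retention window per target surfaces it immediately.

```python
"""Long-window aggregation that exposes a distributed, randomized, low-and-slow
port scan which per-hour correlation rules never see.

Added example, not code from the original deck.  The connection records,
addresses, windows and thresholds are constructed assumptions.
"""
import random
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2014, 6, 1)
TARGET = "10.0.5.5"
SCANNERS = ("10.1.2.20", "10.1.2.21", "10.1.2.22", "10.1.2.23")


def constructed_connection_log(seed=7, days=21):
    """Return (timestamp, src, dst, dport) tuples: three weeks of ordinary
    traffic plus a planted scan of TARGET split across four internal sources,
    each probing only three random ports per day."""
    rng = random.Random(seed)
    records = []
    for day in range(days):
        for src in ("10.1.1.10", "10.1.1.11", "10.1.1.12"):
            for dport in (80, 443, 445):
                ts = BASE + timedelta(days=day, hours=rng.randrange(8, 18))
                records.append((ts, src, TARGET, dport))
                records.append((ts, src, "10.0.7.7", dport))
        for src in SCANNERS:
            for _ in range(3):
                ts = BASE + timedelta(days=day, minutes=rng.randrange(24 * 60))
                records.append((ts, src, TARGET, rng.randrange(1, 65536)))
    return records


def realtime_scan_alerts(records, window=timedelta(hours=1), min_ports=20):
    """A typical SIEM rule: one source touching >= min_ports distinct ports on one
    target inside a sliding window.  Returns the (src, dst) pairs that fired."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in records:
        by_pair[(src, dst)].append((ts, dport))
    fired = set()
    for pair, events in by_pair.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({p for _, p in events[start:end + 1]}) >= min_ports:
                fired.add(pair)
                break
    return fired


def long_window_scan_report(records, min_ports=100, min_ports_per_source=10):
    """The hunt-team view: aggregate the entire retained history per target.
    A target whose distinct-port coverage vastly exceeds its service footprint
    is reported together with every source that contributed many ports."""
    ports_by_target = defaultdict(set)
    ports_by_pair = defaultdict(set)
    span = {}
    for ts, src, dst, dport in records:
        ports_by_target[dst].add(dport)
        ports_by_pair[(dst, src)].add(dport)
        first, last = span.get(dst, (ts, ts))
        span[dst] = (min(first, ts), max(last, ts))
    report = {}
    for dst, ports in ports_by_target.items():
        if len(ports) < min_ports:
            continue
        sources = sorted(src for (d, src), p in ports_by_pair.items()
                         if d == dst and len(p) >= min_ports_per_source)
        report[dst] = {
            "distinct_ports": len(ports),
            "sources": sources,
            "span_days": (span[dst][1] - span[dst][0]).days,
        }
    return report


def scatter_points(records, dst):
    """(timestamp, dport) pairs for one target: the raw material for the
    months-on-one-scatterplot view, where a slow scan shows as a diffuse band."""
    return sorted((ts, dport) for ts, src, d, dport in records if d == dst)


if __name__ == "__main__":
    log = constructed_connection_log()
    print("real-time rule fired on:", realtime_scan_alerts(log) or "nothing")
    for dst, info in long_window_scan_report(log).items():
        print(f"{dst}: {info['distinct_ports']} ports from {info['sources']} "
              f"over {info['span_days']} days")
```

Feeding `scatter_points(log, TARGET)` to any plotting library, port on one axis and time on the other, gives the picture the slide describes: the three legitimate services draw flat lines and the scan appears as a cloud of random ports spread evenly across the weeks, too sparse in any single hour to cross a real-time threshold but unmistakable once the whole window is on one chart.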
Page 14
Visualization of big data – anomaly chart
This example reveals inappropriate communication (the "bottom 10" phenomenon)
Business statement: find servers talking to suspicious hosts outside the network
Analytics statement: plot all suspicious successful communications and review
(graph filtered from billions of events; the anomalous line is called out)
Findings from visualization:
• A host communicated with a suspicious external website
• Unique in that no other host in the environment has ever talked to this external website
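The "bottom 10" analysis on this slide, worked through in code as an added example (not the deck's or HP's code); it also uses the asset-model context that page 11 lists under Classification. The connection records, addresses and the server/workstation classification are constructed assumptions, and rarity stands in for the threat-intelligence tagging that would normally define "suspicious". It keeps only successful communications, ranks external destinations by how few internal hosts have ever reached them, and pulls out the servers that are the sole talker to a destination.

```python
"""'Bottom 10' analysis over successful outbound connections: the external
destinations reached by the fewest internal hosts, and the servers among them
that reached a destination nobody else in the environment ever has.

Added example, not code from the original deck.  The connection records,
addresses and the asset classification are constructed assumptions.
"""
from collections import defaultdict

# Constructed firewall/proxy records: (internal src, external dst, action).
CONNECTIONS = [
    ("10.1.1.10", "cdn.example.net", "allow"),
    ("10.1.1.11", "cdn.example.net", "allow"),
    ("10.1.1.12", "cdn.example.net", "allow"),
    ("10.1.1.10", "mail.example.org", "allow"),
    ("10.1.1.11", "mail.example.org", "allow"),
    ("10.1.1.12", "mail.example.org", "allow"),
    ("10.0.5.5", "updates.example.com", "allow"),
    ("10.0.5.6", "updates.example.com", "allow"),
    ("10.1.1.10", "203.0.113.80", "allow"),   # one workstation, one odd site
    ("10.0.5.5", "198.51.100.23", "allow"),   # a server, a never-seen-before host
    ("10.0.5.6", "203.0.113.90", "deny"),     # blocked: never completed, so excluded
]

# Constructed asset model (the "basic context" layer): which sources are servers.
SERVERS = {"10.0.5.5", "10.0.5.6"}


def destination_fanin(records):
    """Map each external destination to the internal hosts that successfully
    reached it.  Denied attempts are not 'communications' and are left out."""
    fanin = defaultdict(set)
    for src, dst, action in records:
        if action == "allow":
            fanin[dst].add(src)
    return fanin


def bottom_n(records, n=10):
    """Destinations with the fewest distinct internal talkers, rarest first.
    The top of a 'top 10' is the noisy CDN; the interesting things live here."""
    fanin = destination_fanin(records)
    ranked = sorted(fanin.items(), key=lambda kv: (len(kv[1]), kv[0]))
    return [(dst, sorted(hosts)) for dst, hosts in ranked[:n]]


def unique_server_talkers(records, servers):
    """(server, destination) pairs where that server is the only host in the
    environment that has ever talked to the destination: the anomalous line."""
    hits = []
    for dst, hosts in destination_fanin(records).items():
        if len(hosts) == 1:
            (host,) = hosts
            if host in servers:
                hits.append((host, dst))
    return sorted(hits)


if __name__ == "__main__":
    for dst, hosts in bottom_n(CONNECTIONS, 3):
        print(f"{dst:22} talked to by {len(hosts)} host(s): {hosts}")
    print("investigate:", unique_server_talkers(CONNECTIONS, SERVERS))
```

The workstation that visited an odd site alone still lands in the bottom list, which is where an analyst reviews it, but only the server case is promoted automatically: servers have a fixed set of legitimate outbound peers, so a server being the single host ever to reach some external address is the kind of line that stands out on the chart and deserves a ticket.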
Page 15
Analyzing the haystack – aka reporting
(chart: volume over time)
Page 16
The holy grail – predictive analytics
If you can determine the typical steps in a breach, fraud or attack life-cycle, analysis can help you determine behavioral chains to find the next expected event.
You can then introduce actions to monitor or block the activity that follows the observed behavior.
We know this is hard! Yet none of this is possible without big data and analytics. You are building capabilities that can grow with the maturity of your security program.
(chart: steps 1 through 7; risk increases as activities connect)
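The behavioral-chain idea on this slide, worked through in code as an added example (not the deck's or HP's code). The seven stage names, the per-host observations, the seven-day gap allowed between connected steps and the monitor/block thresholds are all constructed assumptions; the deck numbers its steps 1 to 7 without naming them. For each host the code finds how many consecutive life-cycle steps have connected in order and in time, converts that into a risk score, names the next expected step, and recommends whether to monitor or block it.

```python
"""Behavioral-chain matching: how far along an assumed attack life-cycle a
host's observed activity has connected, what the next expected step is, and
whether to monitor or block it.

Added example, not code from the original deck.  The stage names, events,
gap window and monitor/block thresholds are constructed assumptions.
"""
from datetime import datetime, timedelta

# Assumed seven-step life-cycle (the deck numbers its steps 1-7 without naming them).
STAGES = ["recon", "delivery", "exploit", "install", "c2", "lateral", "exfil"]

# Constructed per-host observations: (timestamp, stage) as labelled by upstream
# detections (scanner alert, mail gateway, EDR, proxy, ...).
OBSERVED = {
    "ws-17": [
        (datetime(2014, 6, 2, 9), "recon"),
        (datetime(2014, 6, 3, 11), "delivery"),
        (datetime(2014, 6, 3, 12), "exploit"),
        (datetime(2014, 6, 4, 8), "install"),
    ],
    "ws-42": [
        (datetime(2014, 6, 2, 9), "recon"),
        (datetime(2014, 6, 5, 9), "exploit"),      # no delivery seen: chain breaks
    ],
    "srv-03": [
        (datetime(2014, 5, 1, 9), "recon"),
        (datetime(2014, 6, 20, 9), "delivery"),    # too far apart to be one chain
    ],
}


def connected_chain(events, max_gap=timedelta(days=7)):
    """Return the longest prefix of STAGES for which an observation exists in
    order, each no more than max_gap after the previously matched one."""
    chain, last_ts = [], None
    for stage in STAGES:
        candidates = sorted(
            ts for ts, s in events
            if s == stage and (last_ts is None or last_ts <= ts <= last_ts + max_gap)
        )
        if not candidates:
            break
        last_ts = candidates[0]
        chain.append((last_ts, stage))
    return chain


def predict_next(events, block_at=0.5):
    """Score the host by how many consecutive steps have connected and name the
    step to watch next.  Risk >= block_at recommends a preventive control on
    the next step; any shorter partial chain recommends monitoring it."""
    chain = connected_chain(events)
    k = len(chain)
    risk = k / len(STAGES)
    next_stage = STAGES[k] if k < len(STAGES) else None
    if k == 0:
        action = "none"
    elif risk >= block_at:
        action = "block"
    else:
        action = "monitor"
    return {"connected": [s for _, s in chain], "risk": round(risk, 2),
            "next_expected": next_stage, "action": action}


if __name__ == "__main__":
    for host, events in OBSERVED.items():
        r = predict_next(events)
        print(f"{host}: {len(r['connected'])}/{len(STAGES)} steps connected, "
              f"risk {r['risk']}, next expected {r['next_expected']!r} -> {r['action']}")
```

Order and timing both matter: ws-42 shows an exploit without a preceding delivery, and srv-03 shows delivery seven weeks after reconnaissance, so each credits only one connected step and gets a watch on the next one, while ws-17 has four steps connected within three days, which pushes it over the threshold and recommends blocking the C2 egress that the chain predicts comes next.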
Page 17
Security analytics = exploration
Data exploration is key!
• Explore!
• Ask adhoc questions
• Refine data mart (query or side table)
• Develop repeatable solution
• Drive events back to ESM
• Explore some more
http://h30499.www3.hp.com/t5/HP-Security-Products-Blog/Important-Questions-for-Big-Security-Data/
Page 18
Hunt team – the way to operationalize analytics
(process diagram)
Page 19
Your hunt team needs a 2-sided skill set: security and data science
Roles and personas
Security specialist:
• The "go to" person to get to the bottom of any major security incident, responsible for actively hunting for indicators of breach
• This person understands and researches hyper-current attacker tactics, techniques and procedures
Data scientist:
• Knowledgeable enough to run specialized queries; tasked to regularly find interesting anomalies or affinities in the data to review with the security specialist
• This person optimizes tooling and searches, finding patterns that can increase risk probability factors and finding common patterns in attacks
Page 20
They’re in there! Let’s find them.
Page 21
For more information
After the event:
• Contact your sales rep
• Check out our blog: hp.com/go/securityproductsblog
• Speak to our experts
Your feedback is important to us. Please take a few minutes to complete the session survey.
Page 22
Please give me your feedback
Session TB3272 · Speaker: Chris Calvert
Please fill out a survey. Hand it to the door monitor on your way out.
Thank you for providing your feedback, which helps us enhance content for future events.
Page 23
Thank you