Creating Near Real-Time and End-to-End Cyber Situational Awareness of University Networks

Transcription

1 Creating Near Real-Time and End-to-End Cyber Situational Awareness of University Networks Dr. Deepinder Sidhu - Professor of Computer Science - UMBC Aaron Boteler - Cyberspace Analytics Gunnar Engelbach Cyberspace Analytics Randal Taylor Cyberspace Analytics POC - dsidhu@cyberspaceanalytics.com; Tel: Internet Technology Exchange, San Francisco, CA, October 15-18, 2017 The Gold Standard for Security 1

2 Discuss significant advances for addressing cyberspace challenges of university networks innovatively, effectively and inexpensively 1. Real-Time Network Mapping Analytics: vnoc 2. Cybersecurity & Compliance Analytics: CNOC 3. Real-Time Cyberspace Analytics: Intel NUC 2

3 Culture Information sharing, collaboration, free flow of information and ideas Restrictions often viewed as impediments Plethora of valuable information Credit cards, research data, intellectual property Student and faculty personal information Major targets of attack Extensive attack surface mobile, wireless, etc. Valuable resources mean attacks from everywhere 3

4 Real-Time Network Mapping Analytics Reverse Engineering Raw Data PCAP (OSPF/BGP), Router Configs, NMAP, Compliance Scores (DISA/PCI), Flow Records, Firewall Logs, Nessus Scanner, Splunk Exports, etc Mapping Network Big Data Analytic Fusion Engine Recreate Network Map Visualizing Network 3D Interactive Environment Massive Scalability 100K+ Animations, Interactive, Real-time Identifying Features Firewalls, NATs, Tunnels, Port Forwards, IDS/IPS, Phantom Devices, Mobile Devices, IoT Ingress/Egress Connections, Application/Service Properties, Flow Behaviors, Temporal Behaviors, Compliance/Vulnerability Results Reporting Problems Enabling Configuration Collisions, Duplicate Physical Interfaces, Phantom Devices, Unmanaged Network Nodes Device Inventory Management IP Address Inventory Management Subnet Management IP Threat Flow Overlays (Reputation) Export for Emulation Cybersecurity & Compliance Analytics Large Device Support Cisco Firewall/Router, Palo Alto Firewall, Checkpoint Firewall, Windows-based OS/Servers, Linuxbased OS/Servers, MAC-based OS/Servers Processing Compliance/Vulnerability DISA STIGS, USGCB, HIPPA Compliance, PCI Compliance, Vulnerability Scans, Visualizing Health Compliance/Vulnerability Score, Device Currency (Scan Age), Device Group/Cluster Summaries Identifying Features Compliance/Vulnerability Score, Device Currency (Scan Age), Device Misconfigurations, Compliance/Policy Violations Reporting Problems Ticket System Integration (Remedy9), Health Reports, Device Configuration Drift Reports Enabling Full Cyber Situational Awareness Intel NUC Platform Cost-effective Commodity Hardware Minimal Power & Space Requirements Low-cost, easy to deploy 4

5 Reverse engineer, map and visualize network Discover network blind spots Display real-time changes to network topology Identify network segmentations and boundary Identify misconfigurations, including duplicate IPs Optimize network to reduce attack surface Improve network hygiene Fingerprint network assets Baseline network configurations Create Virtual Network Operation Center (vnoc) 5

6 Large Enterprise Network Router Configs, NMAP Scans, Palo Alto Firewall Logs Enriched by extracted Properties Very Large Enterprise Network Router Configs, NMAP Scans, Juniper Firewall Logs R&D Big Data Network Data Fusion Analytics Big Data Network Mapping Analytics Analytics Identify Anomalies across Network Large-scale Correlation Logic Generic Enrichment Engine Real Discoveries Duplicate Addresses Phantom Devices Phantom OSPF Interfaces Unmanaged Devices (Security) Back Channels (Tunnels) 6

7 Simple & Advanced Network Node Search IP/Name and/or any combination of generic properties Any combination of Compliance/Vulnerability Results Aggregate score Individual rule pass/fail Highlight/Mark results Drill-down into the Nodes Highlight All Hosts in the Network that passed a particular rule in the.net 1.4 Framework STIG. 7

8 Network Mapping Video Real-time Mapping Incremental Add Data Sets Dynamically Build Network Map Interact with Network Map 8

9 Advance Analytics On-Demand Reports Review Mapping Log for Configuration Collisions Identify duplicate interfaces Identify Phantom Interfaces Node Attribute Report External Servers (Overlays Threat Information) Report Types External Addresses Internal Addresses External Clients/Servers Internal Client/Servers Mapping Logs End-Node Attributes Router Degree Sensor Logs Configuration Drift Compliance Scores Router Degree Report 9

10 Display enhanced network map with data from Sensors (taps) Scanning tools (Nessus, NMAP, ) Threat intelligence feeds (Lashback, Geospatial, ) Display real-time network configuration changes Identify vulnerabilities and security patches Conduct attack vector analysis to harden network Conduct regulatory/policy compliances for reports Real Discoveries STIGs, FISMA, PCI, HIPAA, NERC, --- Misconfigured tunnels Test resiliency under Unauthorized web servers Cyber-attacks Weak passwords Catastrophic failures Create Cyber Network Operation Center (CNOC) Firewall rules inconsistencies Unprotected wireless access points Text files containing passwords to sensitive systems Unpatched software & firmware 10

11 Network Map for Cyber Situational Awareness Built from Lab Environment Used PCAP and Compliance Results Palo Alto Firewall Device Used for Drift Example Aggregate of All Benchmarks Average Score Bar Graph 11

12 Large Device Support All types of Hosts All types of Network Equipment Integrates with Splunk, Remedy9 Compliance Standards Continuous compliance analysis Security Content Automation Protocol (SCAP) Engine tested and validated by NIST Verify and report on compliance status Organization configuration checking PCI DSS, HIPPA, NERC, SOX, FISMA (USGCB), STIGs, CIS, etc. Drill-Down 12

13 Visualizing Health Examine Composite/Vulnerability Score Group-basis Daily Trending Scores Device Analysis Identify role and functionality Baseline configuration and track drift Quantify Security Posture View Device Logs Interact with the Device 13

14 Network Drift Analytics Compliance/Vulnerability/Config Samples every N number of days Perform deep-diff on samples 14

15 Regulatory Compliance Configuration Drifts 15

16 Regulatory Compliance Security Dashboard Drill-Down 16

17 Data Extraction and Reporting 17

18 CONOP Active & Passive Collection Real-Time Taps Real-Time Update Visualize Deltas Create Virtual Reality of the Network s Data Space The Matrix Intel NUC- vnoc/cnoc Commodity Hardware Light weight Low Power Portable Passive Collections Automated Active Collections Automated Alerting Integration with Help Desk Interact Virtually with the Network Track Network Health/Map Changes CNOC 18

19 Attacks are a given knowledge is power Must go beyond simple analytics, tables, raw storage and expensive rack-mounted solutions Turn massive amounts of data into actionable and manageable information Merge network and cyber situational awareness This will only work if solutions are Scalable Affordable Supportable Effective CNOC Deployed in enterprise networks to implement robust security The Gold Standard for Security 19

20 Discussion 20