Noam Ikar R&DVP. Complex Event Processing and Situational Awareness in the Digital Age

Transcription

1 Noam Ikar R&DVP Complex Event Processing and Situational Awareness in the Digital Age

2 We need to correlate events from inside and outside the organization by a smart layer Cyberint CEO, Dec 2017.

3

4 Wikipedia Event processing is a method of tracking and analyzing (processing) streams of information (data) about things that happen (events), and deriving a conclusion from them. Complex event processing, or CEP, is event processing that combines data from multiple sources to infer events or patterns that suggest more complicated circumstances. The goal of complex event processing is to identify meaningful events (such as opportunities or threats) and respond to them as quickly as possible.

5 Gartner Complex-event processing (CEP) is a kind of computing in which incoming data about events is distilled into more useful, higher level complex event data that provides insight into what is happening. CEP is event-driven because the computation is triggered by the receipt of event data. CEP is used for highly demanding, continuous-intelligence applications that enhance situation awareness and support real-time decisions.

6 So, What is CEP? Data Source A Data Source B Data Source C Complex Business Rules Action A Action B Action C Multiple Data Sources CEP Engine Inbound/Outbound Actions Complex Event Processing and Situational Awareness in the Digital Age

7 Data Sources and Events Data can be collected from outside the perimeter, such as: OSINT, IOC, Feeds, Social, etc. Data can be collected from inside the perimeter, such as: SIEM Events, EDR, Controls, System Logs, etc. Data can be structured (i.e. IOC, SIEM Events), Unstructured (i.e. posts on forums) or Semi-Structured (i.e. data with free-text) Data should be enriched and timestamped for each record and potentially also for other Metadata For each event there is a correlated event processor - Batch or Stream (ETL) The events accumulation should support distributed storage repository to create a data lake The event can transform, enrich, aggregate, or apply other rules on the data DevOps related - it is important to support auto-scaling (and more)

8 CEP Engine The CEP engine executes the rules according to the business logic The engine can consume new rules in real time with no deployment - Event Processor Consumer (define new rules) i.e. fork logic The engine can support new types of rules i.e. new data source type The engine must support Big Data query and analysis Contextual Patterns Sequences (order of events) Trends and Anomaly Apply machine learning and deep learning models DevOps related - Monitor and maintain processes

9 Actions You control the structure of the action For each action include a timestamp and maybe also other Metadata and persist (contribute to data lake) The action can trigger an inbound activity i.e. discovery process. Or, an outbound activity - i.e. integration with third party (firewalls) The action can be direct (synchronously). Or indirect, i.e. schedule future actions (asynchronously). The action can be automatically initiated by the system (CEP engine) or manually by an admin/back office team. DevOps related - It is important to support auto-scaling (and more)

10 But it is not that simple Large number of data sources Social Media - Facebook, Twitter, VK, YouTube, Instagram, WhatsApp, etc. OSINT - Open web and Dark net External sources - Whois, PassiveDNS, etc. SIEM - Security Information and Event Management EDR - Endpoint Detection and Response System and Event Logs - Network, Operating Systems, Application, IDM, Cloud, etc. Amount of data to process is increasing, from Terabytes to Zettabytes. Deep Learning and Machine Learning is progressing.

11 Runtime vs. Research and Build Research environment - Available data for analytics, i.e. enabling Threat Hunting. Search Engines - on data lake including the follow up actions Big Data Tools Knowledge Base Enhanced User Interface Programming environment - Development and testing of the models (data sources, processes, actions). Runtime environment The production platform and services including the proper monitoring tools and administrative interfaces.

12 CEP Checklist Event Channels (data source and ETL) Modeling Events (enrichment and metadata) Processing Elements and Expressions Event augmentation Statefull processing and management Platform capabilities Development Environment Business interface Project considerations

13 Collector Analysis UI CEP as part of the architecture Argos UI Account Intelligence Online Protection IOC SIEM Events Dashboard Situational Awareness Data Layer Orchestration Complex Event Processing Big Data Response Box Intelligence OLP ML Correlation ML Correlation Research Lab Query Mng ML Forensics Correlation Avatar Management Crawlers Server Network Log SIEM Platform Cloud EDR Integration Application Deception

14 Example - Asset Discovery & Vulnerability Assessment Main Domain Complex Business Rules Leaked Credential Active Directory Sub Domain Hijacking Removal Close Open Ports Multiple Data Sources CEP Engine Inbound/Outbound Actions

15 Example - Asset Discovery & Vulnerability Assessment (Cont.)

16 Example - Asset Discovery & Vulnerability Assessment (Cont.)

17 Example - Asset Discovery & Vulnerability Assessment (Cont.)

18 Example - Asset Discovery & Vulnerability Assessment (Cont.)

19 Thank You Noam Ikar VP R&D R&D 1.Data Scientist 2.Front-End Team Leader 3.Front-End Developer 4.Back-End Python Team Leader 5.Back-End Python Developer 6.R&D Support Team Leader 7.R&D Ops 8.Senior Product Manager Cyber Security Services 1.Cyber Intelligence Analysts Team Leader 2.Cyber Intelligence Analyst 3.SOC Expert 4.Cyber Blue Team Expert (Travel to London)

20 One Platform All Solutions CyberInt s solutions are provided from one central platform. Covering asset discovery, threat intelligence, social media protection, and mobile app protection and 3 rd party vendor risk. Benefiting from fully integrated data, providing unmatched detection and realtime response.

21 Digital Managed Detection and Response Map Detect Monitor Respond Digital Footprint Asset Discovery Social Media Presence Online Asset Vulnerabilities Fraudulent Activities Targeted Campaigns Risk Materialization Real-time Mitigation Investigations Identifying Weaknesses Take Downs exposure Threat Landscape (actors, forums, tools) Brand Infringement New and Emerging Threats Top Tools &Threat Actors On-site Incident Response Attack Vectors Threat Materialization

22 A Solution for Every Need Beyond the Perimeter Our capabilities beyond the perimeter provide you with a variety of solutions. From protecting you digital brand to identifying fraudulent activities, to protecting your business from cyber attacks.

23 Our Technology Stack Argos CyberScore CybeReadiness Threat Intelligence Vendor Risk Management Red Team Automation Argos Digital Asset Protection

24 What Retail Customers are Saying About CyberInt s Digital MDR Over the last couple of years, CyberInt has re-enforced our defenses, reduced our fraud rates and protected the Asos brand with their detection and response capabilities, in both the technology that they offer and their experienced services teams. Cliff Cohen, CIO For me, CyberInt is a true partner to the process of enhancing and improving CASINO group IT security operations policy and resiliency. Cyrille Elsen, CISO, Groupe Casino

25 Industry Recognition Whether it s to spot a major data leak, prevent a brand impersonation, or monitor a closed conversation threatening physical harm of key personnel, digital risk monitoring solutions are increasingly valuable for S&R pros who need to scour countless digital (i.e., social, mobile, web) channels and rapidly remediate these burgeoning crises before severe, long-lasting damage occurs. CyberInt s solution does not only identify intentions or bad actors but is useful in pre-empting attacks by proactively searching social media posts and activities. By identifying malicious links ahead of time, attacks can be subverted.

26 Our Intelligence Led SOC 24X7 Continuous Monitoring and Incident Management Advanced Threat Detection and Intelligence Based Attribution Log Management and Retention Ongoing Tuning and Improvements on Detection Out-of-the-Box Knowledge base and Incident Response procedures

27 Intelligence Led Managed SOC 24x7 Managed SOC, Incident investigations and response, Log retention and threat hunting Strategy & Governance - Cyber Strategy and Cyber Risk Profile Consulting, Workshops, Risk Assessments Threat Intelligence - Investigations, Threat Landscape Mapping, Reconnaissance Detect & Response Services - IRT Maturity Assessment, SIEM Enhancements, Response Team and Take Downs IRT Our Incident response team is ready to support you both on and off site Intelligence led Penetration Testing - Threat Intelligence Driven Penetration Testing

28

29 Today s threat landscape has evolved, presenting security practitioners with greater challenges than ever before When put together with the understanding that prevention alone is not enough to fend off threat actors, we ve developed a new breed of cyber security platforms that enhances the detection and response capabilities of businesses Our session will focus on the use of cutting edge technology to allow detection of cyber attacks and responding to them based on complex event processing