Doing Analysis Carnegie Mellon University

Similar documents
Novetta Cyber Analytics

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

The Convergence of Security and Compliance

Data Sources for Cyber Security Research

Flow Analysis for Network Situational Awareness. Tim Shimeall January Carnegie Mellon University

Mike Spear, Ops Leader Greg Maciel, Cyber Director INDUSTRIAL CYBER SECURITY PROGRAMS

White Paper. Closing PCI DSS Security Gaps with Proactive Endpoint Monitoring and Protection

Adversary Playbooks. An Approach to Disrupting Malicious Actors and Activity

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

Intelligent and Secure Network

The Convergence of Security and Compliance. How Next Generation Endpoint Security Manages 5 Core Compliance Controls

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

Cyber Resilience - Protecting your Business 1

Cybersecurity: Incident Response Short

An Aflac Case Study: Moving a Security Program from Defense to Offense

Reinvent Your 2013 Security Management Strategy

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

align security instill confidence

Industrial Defender ASM. for Automation Systems Management

EC-Council Certified Network Defender (CND) Duration: 5 Days Method: Instructor-Led

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments

The 2017 State of Endpoint Security Risk

Transforming Security from Defense in Depth to Comprehensive Security Assurance

HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL

CND Exam Blueprint v2.0

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045

CERT Development EFFECTIVE RESPONSE

Case Study. Top Financial Services Provider Ditches Detection for Isolation

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:

Traditional Security Solutions Have Reached Their Limit

Cybersecurity Fundamentals

Larry Clinton President & CEO Internet Security Alliance

Reducing the Cost of Incident Response

SIEM: Five Requirements that Solve the Bigger Business Issues

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

CYBER RISK MANAGEMENT: ADDRESSING THE CHALLENGE SIMON CRUMPLIN, FOUNDER & CEO

Flow Analysis for Network Situational Awareness. Tim Shimeall January Carnegie Mellon University

Modelling Cyber Security Risk Across the Organization Hierarchy

in PCI Regulated Environments

GDPR: An Opportunity to Transform Your Security Operations

Establishing a Framework for Effective Testing and Validation of Critical Infrastructure Cyber-Security

THE POWER OF TECH-SAVVY BOARDS:

Digital Forensics Readiness PREPARE BEFORE AN INCIDENT HAPPENS

Symantec Security Monitoring Services

Threat Centric Vulnerability Management

Session 5311 Critical Testing Programs for Security Operations

Defending Against Unkown Automation is the Key. Rajesh Kumar Juniper Networks

Introducing Cyber Observer

Table of Contents Table of Contents...2 Introduction...3 Mission of IT...3 Primary Service Delivery Objectives...3 Availability of Systems...

Sustainable Security Operations

OWASP RFP CRITERIA v 1.1

WHY SIEMS WITH ADVANCED NETWORK- TRAFFIC ANALYTICS IS A POWERFUL COMBINATION. A Novetta Cyber Analytics Brief

Understanding Threat Intelligence In Today s Layered Security World

How AlienVault ICS SIEM Supports Compliance with CFATS

IBM Proventia Management SiteProtector Sample Reports

THREAT INTEL AND CONTENT CURATION: ORGANIZING THE PATH TO SUCCESSFUL DETECTION

Incident Response Agility: Leverage the Past and Present into the Future

PALANTIR CYBERMESH INTRODUCTION

RSA IT Security Risk Management

The New Normal. Unique Challenges When Monitoring Hybrid Cloud Environments

Syllabus: AIT Information Systems Infrastructure Lifecycle Management

Cyber Security Maturity Model

How Breaches Really Happen

An Aflac Case Study: Moving a Security Program from Defense to Offense

Taking Control of Your Application Security

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

Abstract. The Challenges. ESG Lab Review Proofpoint Advanced Threat Protection. Figure 1. Top Ten IT Skills Shortages for 2016

CompTIA CASP (Advanced Security Practitioner)

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

THE EVOLUTION OF SIEM

Incident response in the energy

A Unified Threat Defense: The Need for Security Convergence

Combating Cyber Risk in the Supply Chain

Cybersecurity for Service Providers

BUILDING AND MAINTAINING SOC

INFORMATION ASSURANCE DIRECTORATE

Security Monitoring Engineer / (NY or NC) Director, Information Security. New York, NY or Winston-Salem, NC. Location:

with Advanced Protection

5 Steps to Government IT Modernization

Course Outline Topic 1: Current State Assessment, Security Operations Centers, and Security Architecture

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

A Data-Centric Approach to Endpoint Security

MIS Week 6. Operating System Security. Windows Antivirus

RSA ADVANCED SOC SERVICES

Enhancing Threat Intelligence Data. 05/24/2017 DC416

ARC VIEW. Critical Industries Need Continuous ICS Security Monitoring. Keywords. Summary. By Sid Snitkin

Moderator: Presenters: Ross Albert Damon D Levine

Maximize Network Visibility with NetFlow Technology. Adam Powers Chief Technology Officer Lancope

Uncovering the Risk of SAP Cyber Breaches

ArcSight Activate Framework

See What You ve Been Missing

Packets Don t Lie: What s Really Happening on Your Network?

Achieving & Measuring the Value of Cyber Threat Information Sharing. Lindsley Boiney, Clem Skorupka (presenting)

THE TRIPWIRE NERC SOLUTION SUITE

Note. Some History 8/8/2011. TECH 6 Approaches in Network Monitoring ip/f: A Novel Architecture for Programmable Network Visibility

Arbor Networks Spectrum. Wim De Niel Consulting Engineer EMEA

Automating the Top 20 CIS Critical Security Controls

Principles of Protection: Cybersecurity Data Protection. 11/01/2017 Julia Breaux William Sellers

Transcription:

Doing Analysis

What We Will Cover Introduction Your Network Fundamentals of networks, flow, and protocols Malicious traffic External Events & Trends Malware Networks in the Broad Working Together Network dependencies Analysis Summary 2

Building an Analysis Team Define your mission Develop network situational awareness Security Availability Non-traditional threat scenarios Know your network, Know external events & trends, Know how they work together 3

Building an Analysis Team (2) Define your needed skill sets Layer 2: Networking Layer 3 & 4: Ports and Protocols Layer 5-7: Applications Layer 9: Management Also remember soft skills Team building & Communications Research & Record Keeping 4

How would they help? Security Architect Network Engineer Programmer Statistician Tech Writer Mathematician Manager Team Leader Mentor 5

Performance Metrics Are they just a management nightmare? Why do you need metrics? Justify existing staff (and staff increases) Keep the threat visible Senior management sound bites Justify expenditures 6

Good Performance Metrics Baseline Inventory ( Know your network ) Services Offered Services Consumed Noise Level High volume events that can be quantified, normalized and compared Scan counts; vuln sweeps; brute force attempts Compare with open source metrics for the same event Do not combine discrete event types 7

Good Performance Metrics (2) Near misses Evaluate your defense-in-depth architecture Virus hits; drive-by-download misses; policy violations Hits Should be rare List, but avoid summarizing individual hits can not be compared with each other Work load Overtime hours for team members 8

Calibrating Your Infrastructure Can an alarm tell you if a theft has occurred? Rely on out-of-band management Leverage existing solutions built for other needs 9

What will you never know? Total ground truth on a network of any size How often is bad considered good? (false negative) What is the next attack? Why did they attack you? What are your competitors seeing? 10

Inherently Partial Data Technology shifts Attacker actions Defender actions Managerial decisions Network bandwidth 11

Correlation and Causation Baseline in dynamic environment Correlation vs. Causation Implications Need to be cautious in kinds of conclusions Consider strategies for dealing with analysis gone wrong 12

Indication and Proof Indication: There is reason to believe Proof: There is no other logically defensible explanation How much confidence do you need? Cost of false positive? Cost of false negative? 13

Clustering and Extrapolation Clustering groups reports into meaningful classes Similarity metric applied to common features Cohesion function calculates degree of similarity Clustering generates overlapping clusters (clumps) o Minimizes cohesion function betweens incident sets Extrapolation fills in the reporting gaps Extrapolation criterion establishes when and how Generates extrapolated incidents (x-incidents) 14

Correlation and Abduction Identifies sequences that constitute staged attack Generates x-incident chains Starting context establishes understanding of initial system/network configuration Causal relationships through pre-/post-condition chaining Precondition of first incident must satisfy starting context Postcondition of each incident must satisfy precondition of the subsequent incident Techniques available (abduction) for filling in gaps Strings together x-incident chains using attack patterns Abduction criterion establishes when and how 15

What We Will Cover Introduction Your Network Fundamentals of networks, flow, and protocols Malicious traffic External Events & Trends Malware Networks in the Broad Working Together Network dependencies Analysis Summary 16

Where we have been Know Network Know Events/Trends Know How They Fit 17

Governance Questions How do I know what I m looking for? How do I know why I m looking? How do I know where to look? How do I know when it s found? 18

NetSA Governance Survivalist Response Model Internationalist BITD Blinders NIMBY Threat Model Data Model Analysis Model Skynet Autism World Cop Bubble Operations Model End-to-End 19

Future of NetSA Analysis coalitions (FloCon on steroids) NetSA as a service Diversity of specializations Malware vs. Inventory vs. Architecture Diagnose vs. Track/Trace vs. Profile Packet level vs. Trace level vs. Flow level vs. Organizational More approachable formalisms Visualizations with meaning Drill down with extensibility Better handling of time 20

Conclusions NetSA is new as a systematic approach at scale NetSA is changing (arms race, technology) Need awareness WITHOUT total information Need awareness WITH confidence and timeliness Need awareness WITHOUT global state Need awareness WITH extensibility We live in interesting times 21

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback