Security analytics: From data to action
Visual and analytical approaches to detecting modern adversaries
Chris Calvert, CISSP, CISM, Director of Solutions Innovation
Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
My job is innovation, so I own the buzzword slides
(Chart: Google Trends report comparing "hype" against "action".)
The security industry is not catching enough bad guys
Most enterprises remain challenged with missing critical breaches.
229 days is the median duration that breaches were present before discovery in 2013 (M-Trends Report).
100% of business networks have traffic going to known malware hosting websites (Cisco 2014 Annual Security Report).
Why is this so hard? Bad guys know how to stay inside the bell curve.
Known (easier to detect) vs. Unknown (harder to detect):
- Matches a signature vs. new behavior
- Goes to a bad place vs. goes to an approved place
- Works in the clear vs. works encrypted
- Unauthorized use vs. authorized use
- Outside of baseline vs. inside of baseline
- Within monitored infrastructure vs. outside monitored infrastructure
If hackers are challenging, then insiders are
Insider signals shown on the slide: source network, time of day, day of week, HR status, user identity, target system, MAC address, geography, sensitivity of data, coworkers, lifestyle information.
Named insider cases: Edward Snowden, Aldrich Ames, Robert Hanssen.
The geography of security detection has changed
Data flows in many ways; where should we catch and analyze it?
Tactical: streams of data. Endpoint and network security; signature and pattern based; endpoint protection and logs; attacks easily detected and prevented.
Operational: rivers of data. Cyber defense through real-time correlation; known attack patterns; SIEM and platform protection; attacks analyzed and responded to. Inputs shown: context data, security data, enterprise data.
Strategic: oceans of data. Hunt team doing long-term analytics; unknown attack patterns; the data ocean is often the missing piece and contains important intelligence.
All data is not equal
The conventional wisdom of "collect everything and figure it out later" is wrong! And expensive: $collect, $process, $analyze, $store, $manage.
You should consider the small analytics problems first. Collect what matters to solving a real problem: are all these logs useful?
We need to expand our detection capabilities
Adding advanced analytics to detection is critical to the future of security.
Detection techniques matrix (each row runs from breadth on the left to depth on the right):
Understand: Basic context (asset, network, identity / HR) | Advanced context (application, flow and payload) | Technical intelligence (forensics, IOC identification) | Human intelligence (sentiment analysis, motivation)
Explore: Ad hoc query (small dataset, basic analysis) | IOC search (indicator lists, STIX/TAXII) | Analytical query (analytical data mart, big data scale) | Visualization (1 billion events in one picture)
Explain: Reporting (threat, compliance) | Scoring (highlight risk, profiling) | Data mining (clustering, aggregation, affinity grouping) | Machine learning (classification)
Detect: Monitoring (real-time correlation, ArcSight ESM) | Historical analysis (long-term correlation, epidemiology) | Statistical analysis (R programming, standard deviation) | Behavioral (baseline, insider threat)
What stopped us from this kind of analysis? 9
Analytics of the future relies on:
- Columnar retrieval
- Compression
- Clustering
- Distributed query
Find needles and understand haystacks using disciplines of analytics
- Classification: context (asset model, etc.)
- Correlation: real-time (ESM) and historical
- Clustering: common root cause
- Affinity grouping: relationships in data
- Aggregation: assemble attacker profile
- Statistical analysis: reporting and anomalies
Visualization of big data: affinity group
This example reveals a command and control infrastructure.
Business statement: Find command and control infrastructure in your enterprise.
Analytics statement: Identify affinity groups; investigate anomalous groupings.
Scale: 1 million events; an anomalous grouping is highlighted in the figure.
Findings from visualization: Hierarchical, highly resilient C&C infrastructure.
Visualization of big data: scatterplot
This example reveals a low and slow scan.
Business statement: Find sophisticated port scan activity (distributed, randomized).
Analytics statement: Plot multiple months of data on one scatterplot (billions of events).
Findings from visualization: A single multi-week scan from distributed, internal sources indicates an advanced attacker.
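As an added example (not the deck's own code or tooling), the Python below shows why the multi-month view matters: a per-day, per-source scan rule sees only a handful of ports, while aggregating the whole window per destination exposes the distributed, low-and-slow scan. The events, hosts and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample events (not from the original deck): one tuple per
# connection attempt: (day, source_ip, destination_ip, destination_port).
def build_sample_events(days=21, scanners=4, ports_per_day=3):
    events = []
    start = date(2014, 3, 1)
    for d in range(days):
        day = start + timedelta(days=d)
        # Background: a workstation talks to the intranet web server every day.
        events.append((day, "10.0.1.50", "10.0.5.10", 443))
        # Low-and-slow scan: each internal source probes only a few new ports
        # per day against the same target, never enough to trip a daily rule.
        for s in range(scanners):
            for k in range(ports_per_day):
                port = 1000 + d * (scanners * ports_per_day) + s * ports_per_day + k
                events.append((day, f"10.0.2.{100 + s}", "10.0.5.20", port))
    return events

def per_source_daily_max(events):
    """Largest number of distinct (dst, port) pairs any single source touched
    on one day: what a classic per-day, per-source scan rule would see."""
    seen = defaultdict(set)
    for day, src, dst, port in events:
        seen[(day, src)].add((dst, port))
    return max(len(v) for v in seen.values())

def long_window_scan_candidates(events, min_ports=100, min_sources=2):
    """Aggregate the whole window per destination: distinct ports probed and
    the set of internal sources probing. A scan that is both slow and
    distributed only becomes visible at this scale."""
    ports = defaultdict(set)
    sources = defaultdict(set)
    for _, src, dst, port in events:
        ports[dst].add(port)
        sources[dst].add(src)
    return {dst: (len(ports[dst]), len(sources[dst]))
            for dst in ports
            if len(ports[dst]) >= min_ports and len(sources[dst]) >= min_sources}

if __name__ == "__main__":
    ev = build_sample_events()
    print("max distinct ports per source per day:", per_source_daily_max(ev))
    print("multi-week scan candidates:", long_window_scan_candidates(ev))
```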
Visualization of big data: anomaly chart
This example reveals inappropriate communication (the "bottom 10" phenomenon).
Business statement: Find servers talking to suspicious hosts outside the network.
Analytics statement: Plot all suspicious successful communications and review them (graph filtered from billions of events; the anomalous line stands out).
Findings from visualization: A host communicated with a suspicious external website. Unique in that no other host in the environment has ever talked to this external website.
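The "bottom 10" idea above, as an added Python example that is not part of the original deck: rank external destinations by how many distinct internal hosts successfully reached them and surface the rarest ones. The log format, host names and domains are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample proxy/firewall log lines (not from the original deck):
# timestamp, internal source host, external destination, outcome.
SAMPLE_LOG = """\
2014-03-03T09:12:01 srv-web-01 cdn.example-updates.net ALLOW
2014-03-03T09:12:05 srv-web-02 cdn.example-updates.net ALLOW
2014-03-03T09:15:44 srv-db-01 cdn.example-updates.net ALLOW
2014-03-03T10:02:13 srv-web-01 ntp.example-time.org ALLOW
2014-03-03T10:02:15 srv-db-01 ntp.example-time.org ALLOW
2014-03-03T11:41:09 srv-db-01 files.example-drop.biz ALLOW
2014-03-03T11:41:10 srv-db-01 files.example-drop.biz ALLOW
2014-03-03T12:00:00 srv-web-02 files.example-drop.biz DENY
"""

def parse_log(text):
    """Yield (src, dst) for each successful (ALLOW) line; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _, src, dst, outcome = parts
        if outcome == "ALLOW":
            yield src, dst

def talkers_per_destination(pairs):
    """Map each external destination to the set of internal hosts that
    successfully talked to it. Popular destinations have large sets."""
    talkers = defaultdict(set)
    for src, dst in pairs:
        talkers[dst].add(src)
    return talkers

def bottom_n(talkers, n=10, max_talkers=1):
    """The 'bottom 10': destinations reached by the fewest distinct hosts,
    rarest first. max_talkers=1 keeps only destinations that exactly one
    host has ever contacted, the pattern the anomaly chart highlights."""
    ranked = sorted(talkers.items(), key=lambda kv: (len(kv[1]), kv[0]))
    return [(dst, sorted(hosts)) for dst, hosts in ranked
            if len(hosts) <= max_talkers][:n]

if __name__ == "__main__":
    rare = bottom_n(talkers_per_destination(parse_log(SAMPLE_LOG)))
    for dst, hosts in rare:
        print(f"{dst} contacted only by {', '.join(hosts)}")
```

On real data the destination set should be pre-filtered to the "suspicious" population the slide describes, otherwise every one-off CDN edge node lands in the bottom 10.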
Analyzing the haystack, aka reporting
(Chart: event volume over time.)
The holy grail: predictive analytics
Analysis can help you determine behavioral chains to find the next expected event. If you can determine typical steps in a breach, fraud or attack life-cycle, you can introduce actions to monitor or block the activity following the behavior.
We know this is hard! Yet none of this is possible without big data and analytics. You are building capabilities that can grow with the maturity of your security program.
(Figure: a chain of activities 1 through 7 leading to X; risk increases as activities connect.)
Security analytics = exploration
http://h30499.www3.hp.com/t5/hp-security-products-blog/important-questions-for-big-security-data/
Data exploration is key! Explore!
- Ask ad hoc questions
- Refine the data mart (query or side table)
- Develop a repeatable solution
- Drive events back to ESM
- Explore some more
Hunt team: the way to operationalize analytics
(Figure: hunt team process.)
Your hunt team needs a 2-sided skill set: security and data science
Roles and personas
Security specialist: The go-to person to get to the bottom of any major security incident, responsible for actively hunting for indicators of breach. This person understands and researches hyper-current attacker tactics, techniques and procedures.
Data scientist: Knowledgeable enough to run specialized queries. Tasked to regularly find interesting anomalies or affinities in the data to review with the security specialist. This person optimizes tooling and searches, finding patterns that can increase risk probability factors and finding common patterns in attacks.
They're in there! Let's find them.
For more information
Speak to our experts: Chris.Calvert@hp.com, Jeff.McGee@hp.com
After the event: contact your sales rep. Check out our blog: hp.com/go/securityproductsblog
Your feedback is important to us. Please take a few minutes to complete the session survey.
Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Please give me your feedback
Session TB3272, speaker Chris Calvert. Please fill out a survey and hand it to the door monitor on your way out. Thank you for providing your feedback, which helps us enhance content for future events.
Thank you