Security analytics: From data to action Visual and analytical approaches to detecting modern adversaries


Security analytics: From data to action. Visual and analytical approaches to detecting modern adversaries. Chris Calvert, CISSP, CISM, Director of Solutions Innovation. Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

My job is innovation, so I own the buzzword slides. [Chart: Google Trends report, hype versus action]

The security industry is not catching enough bad guys. Most enterprises remain challenged with missing critical breaches. 229 days was the median duration breaches were present before discovery in 2013 (M-Trends Report). 100% of business networks have traffic going to known malware-hosting websites (Cisco 2014 Annual Security Report).

Why is this so hard? Bad guys know how to stay inside the bell curve.

Known (easier to detect):
- Matches a signature
- Goes to a bad place
- Works in the clear
- Unauthorized use
- Outside of baseline
- Within monitored infrastructure

Unknown (harder to detect):
- New behavior
- Goes to an approved place
- Works encrypted
- Authorized use
- Inside of baseline
- Outside monitored infrastructure

If hackers are challenging, then insiders are... Signals available for spotting insiders: source network, time of day, day of week, HR status, user identity, target system, MAC address, geography, sensitivity of data, coworkers, lifestyle information. Named cases: Edward Snowden, Aldrich Ames, Robert Hanssen.

The geography of security detection has changed. Data flows in many ways; where should we catch and analyze it?

- Tactical (streams of data): endpoint and network security, signature and pattern based; endpoint protection and logs; attacks easily detected and prevented.
- Operational (rivers of data): cyber defense through real-time correlation of known attack patterns across security data, context data and enterprise data; SIEM and platform protection; attacks analyzed and responded to.
- Strategic (oceans of data): a hunt team doing long-term analytics for unknown attack patterns over the data ocean. Often the missing piece, and it contains important intelligence.

All data is not equal. The conventional wisdom of "collect everything and figure it out later" is wrong, and expensive: you pay to collect, process, analyze, store and manage every byte. Consider the small analytics problems first. Collect what matters to solving a real problem, and ask whether all these logs are actually useful.

We need to expand our detection capabilities. Adding advanced analytics to detection is critical to the future of security. Detection techniques form a matrix of breadth and depth:

Understand (context):
- Basic context: asset, network, identity / HR
- Advanced context: application flow and payload
- Technical intelligence: forensics, IOC identification
- Human intelligence: sentiment analysis, motivation

Explore (query):
- Ad hoc query: small dataset, basic analysis
- IOC search: indicator lists, STIX/TAXII
- Analytical query: analytical data mart, big data scale
- Visualization: 1 billion events in one picture

Explain (reporting and modelling):
- Reporting: threat, compliance
- Scoring: highlight risk
- Profiling and data mining: clustering, aggregation, affinity grouping
- Machine learning: classification

Detect (correlation and statistics):
- Monitoring: real-time correlation (ArcSight ESM)
- Historical analysis: long-term correlation, epidemiology
- Statistical analysis: R programming, standard deviation
- Behavioral baseline: insider threat

What stopped us from this kind of analysis?

Analytics of the future relies on columnar retrieval, compression, clustering and distributed query.

Find needles and understand haystacks using the disciplines of analytics:
- Classification: context (asset model, etc.)
- Correlation: real-time (ESM) and historical
- Clustering: common root cause
- Affinity grouping: relationships in data
- Aggregation: assemble an attacker profile
- Statistical analysis: reporting and anomalies

Visualization of big data: affinity group. This example reveals a command-and-control infrastructure.
- Business statement: find command-and-control infrastructure in your enterprise.
- Analytics statement: identify affinity groups and investigate anomalous groupings (1 million events).
- Findings from visualization: a hierarchical, highly resilient C&C infrastructure.
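The affinity-grouping step above, worked through in code. This is an added example written for this page, not code from the deck or from HP; it uses only the Python standard library and a constructed, hypothetical set of flow records. The key practical point it shows is that popular destinations (update servers, CDNs) have to be pruned before grouping, otherwise every host in the fleet is joined into one blob and nothing anomalous stands out.

```python
from collections import defaultdict

# Constructed sample flows (internal_host, external_destination); all names hypothetical.
FLOWS = [
    # fleet-wide update traffic: popular, so it must not glue everything together
    ("ws-01", "cdn.example-updates.net"), ("ws-02", "cdn.example-updates.net"),
    ("ws-03", "cdn.example-updates.net"), ("ws-04", "cdn.example-updates.net"),
    ("ws-05", "cdn.example-updates.net"), ("ws-06", "cdn.example-updates.net"),
    # three hosts share two rare destinations: a primary C&C node and a fallback
    ("ws-02", "198.51.100.17"), ("ws-05", "198.51.100.17"),
    ("ws-02", "203.0.113.9"), ("ws-05", "203.0.113.9"), ("ws-06", "203.0.113.9"),
    # one host reaching one rare partner site: an affinity group of size one, not C&C
    ("ws-03", "partner.example.org"),
]


class UnionFind:
    """Disjoint-set forest; hosts joined by a shared destination end up in one set."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def affinity_groups(flows, max_popularity=0.5):
    """Group internal hosts that share external destinations.

    Destinations contacted by more than max_popularity of all internal hosts
    are pruned first (CDNs, update servers); without that, every host would be
    linked into a single group and the picture would show nothing.
    Returns a list of (sorted hosts, sorted shared destinations).
    """
    hosts_by_dst = defaultdict(set)
    for host, dst in flows:
        hosts_by_dst[dst].add(host)
    n_hosts = len({host for host, _ in flows})
    rare = {dst: hosts for dst, hosts in hosts_by_dst.items()
            if len(hosts) / n_hosts <= max_popularity}

    uf = UnionFind()
    for hosts in rare.values():
        first, *others = sorted(hosts)
        for other in others:
            uf.union(first, other)

    groups = defaultdict(lambda: (set(), set()))  # root -> (hosts, destinations)
    for dst, hosts in rare.items():
        root = uf.find(min(hosts))
        groups[root][0].update(hosts)
        groups[root][1].add(dst)
    return [(sorted(h), sorted(d)) for h, d in groups.values()]


def anomalous_groups(flows, min_hosts=2, min_destinations=2):
    """Groups where several hosts share several rare destinations.

    A cluster of internal hosts all reaching the same small set of otherwise
    unvisited endpoints is the shape a redundant, tiered C&C leaves in flow
    data; these groupings are the ones to investigate first.
    """
    return [g for g in affinity_groups(flows)
            if len(g[0]) >= min_hosts and len(g[1]) >= min_destinations]


if __name__ == "__main__":
    for hosts, dsts in anomalous_groups(FLOWS):
        print("investigate:", hosts, "->", dsts)
```

On the constructed data the CDN is dropped as popular, ws-03 and its partner site form a harmless group of one, and ws-02, ws-05 and ws-06 surface as one group sharing two rare addresses. At real scale the same union-find runs over a day's worth of flow tuples, and the popularity cut-off is what you tune.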

Visualization of big data: scatterplot. This example reveals a low and slow scan.
- Business statement: find sophisticated port scan activity (distributed, randomized) in billions of events.
- Analytics statement: plot multiple months of data on one scatterplot.
- Findings from visualization: a single multi-week scan from distributed, internal sources, indicating an advanced attacker.
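The same low and slow pattern expressed as detection logic rather than a picture. This is an added example, not the deck's or HP's code; it uses the Python standard library and a constructed three-week sample with hypothetical host names. The point it makes is the one the slide makes: a real-time threshold such as "N ports from one source in one minute" never fires on one probe per day from a rotating set of sources, but aggregating per target across the whole window does.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records (timestamp, src_host, dst_host, dst_port); hosts hypothetical.
START = datetime(2014, 3, 1)
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 389, 443,
              445, 465, 514, 587, 636, 993, 995, 1433]  # 21 ports, one per day


def build_sample():
    flows = []
    # Legitimate: ten workstations hitting the web server on 443 every day, 40 hits a day.
    for day in range(21):
        for i in range(40):
            flows.append((START + timedelta(days=day, minutes=i),
                          f"ws-{i % 10:02d}", "web-01", 443))
    # Scan: one new port per day against db-01, source rotating over five compromised hosts.
    for day, port in enumerate(SCAN_PORTS):
        ts = START + timedelta(days=day, hours=(day * 7) % 24)
        flows.append((ts, f"ws-{day % 5:02d}", "db-01", port))
    return flows


def scan_profile(flows, target):
    """Aggregate everything aimed at one target over the whole window."""
    ports, sources, per_day = set(), set(), defaultdict(int)
    for ts, src, dst, dport in flows:
        if dst != target:
            continue
        ports.add(dport)
        sources.add(src)
        per_day[ts.date()] += 1
    if not per_day:
        return None
    return {
        "distinct_ports": len(ports),
        "distinct_sources": len(sources),
        "span_days": (max(per_day) - min(per_day)).days + 1,
        "peak_per_day": max(per_day.values()),
    }


def find_low_and_slow(flows, min_ports=15, min_days=7, max_daily=5):
    """Targets touched on many ports, over many days, at a daily rate far below
    anything a real-time rule would trigger on: the signature of a deliberate
    low and slow scan. Returns {target: profile}."""
    hits = {}
    for target in sorted({dst for _, _, dst, _ in flows}):
        p = scan_profile(flows, target)
        if (p["distinct_ports"] >= min_ports and p["span_days"] >= min_days
                and p["peak_per_day"] <= max_daily):
            hits[target] = p
    return hits


if __name__ == "__main__":
    for target, profile in find_low_and_slow(build_sample()).items():
        print(target, profile)
```

The web server sees far more traffic than the database but only one port, so it never qualifies; db-01 shows 21 ports from 5 sources over 21 days with a peak of one probe per day. The scatterplot on the slide is the visual form of exactly this aggregation, with time on one axis and port on the other.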

Visualization of big data: anomaly chart. This example reveals inappropriate communication (the "bottom 10" phenomenon).
- Business statement: find servers talking to suspicious hosts outside the network.
- Analytics statement: plot all suspicious successful communications and review them (graph filtered from billions of events; one anomalous line).
- Findings from visualization: a host communicated with a suspicious external website. Unique in that no other host in the environment has ever talked to this external website.
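The "bottom 10" idea as a query rather than a chart. Added example for this page, not the deck's or HP's code; standard-library Python over constructed records with hypothetical names. The suspicious-destination set stands in for whatever reputation or threat-intel list the analyst already trusts, and only successful connections are counted, since blocked attempts to odd places are everyday noise.

```python
from collections import defaultdict

# Constructed records (internal_host, external_destination, connection_succeeded); hypothetical.
# SUSPICIOUS stands in for a threat-intel or reputation list the analyst already has.
SUSPICIOUS = {"bad-cdn.example.net", "203.0.113.44", "files.example-drop.org", "198.51.100.200"}
RECORDS = [
    ("srv-01", "www.example.com", True), ("srv-02", "www.example.com", True),
    ("srv-01", "bad-cdn.example.net", True), ("srv-02", "bad-cdn.example.net", True),
    ("srv-03", "bad-cdn.example.net", True), ("srv-04", "bad-cdn.example.net", True),
    ("srv-02", "203.0.113.44", True), ("srv-03", "203.0.113.44", True),
    ("srv-05", "198.51.100.200", False),          # blocked attempt: noise, not a finding
    ("srv-04", "files.example-drop.org", True),   # one host, one destination, nobody else, ever
]


def suspicious_successes(records, suspicious=SUSPICIOUS):
    """Distinct internal hosts per suspicious destination, successful connections only."""
    hosts_by_dst = defaultdict(set)
    for host, dst, ok in records:
        if ok and dst in suspicious:
            hosts_by_dst[dst].add(host)
    return hosts_by_dst


def bottom_n(records, n=10, suspicious=SUSPICIOUS):
    """The 'bottom 10': destinations ranked by how few hosts have ever reached them.

    Most alerting looks at the top of a frequency table; the interesting
    outliers here live at the bottom. Ties break on name so output is stable.
    """
    ranked = sorted(suspicious_successes(records, suspicious).items(),
                    key=lambda kv: (len(kv[1]), kv[0]))
    return [(dst, sorted(hosts)) for dst, hosts in ranked[:n]]


def unique_talkers(records, suspicious=SUSPICIOUS):
    """(host, destination) pairs where that host is the only one in the whole
    environment that has ever successfully talked to the destination: the
    single anomalous line on the chart."""
    return [(hosts[0], dst)
            for dst, hosts in bottom_n(records, n=None, suspicious=suspicious)
            if len(hosts) == 1]


if __name__ == "__main__":
    for host, dst in unique_talkers(RECORDS):
        print(f"{host} is the only host ever to reach {dst}")
```

Passing `n=None` to `bottom_n` returns the whole ranking, which is what `unique_talkers` needs. Over real history the denominator is every host ever seen, so keep the per-destination host sets across the full retention window rather than recomputing them per day.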

Analyzing the haystack, aka reporting. [Chart: volume over time]

The holy grail: predictive analytics. Analysis can help you determine behavioral chains to find the next expected event. If you can determine the typical steps in a breach, fraud or attack life-cycle, you can introduce actions to monitor or block the activity that follows the behavior. We know this is hard! Yet none of this is possible without big data and analytics. You are building capabilities that can grow with the maturity of your security program. [Chart: risk increases as activities connect, steps 1 through 7 leading to X]
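A minimal version of the behavioral-chain tracking described above. This is an added example, not the deck's or HP's code; the stage ordering in CHAIN is constructed and hypothetical (a real chain comes from your own incident history), as are the hosts and event types. It tracks how many consecutive life-cycle stages have connected on one entity inside a time window and names the next expected stage, which is the thing you would put a monitor or a block on.

```python
from datetime import datetime, timedelta

# Constructed, hypothetical life-cycle ordering; derive the real one from your incidents.
CHAIN = ["phish_click", "malware_exec", "beacon", "recon_scan",
         "lateral_auth", "staging", "exfil"]
STAGE = {name: i for i, name in enumerate(CHAIN)}

# Constructed sample events (timestamp, entity, event_type); hosts hypothetical.
T0 = datetime(2014, 4, 7, 9, 0)
EVENTS = [
    (T0, "ws-17", "phish_click"),
    (T0 + timedelta(hours=1), "ws-17", "malware_exec"),
    (T0 + timedelta(hours=2), "ws-17", "beacon"),
    (T0 + timedelta(hours=30), "ws-17", "recon_scan"),
    (T0 + timedelta(hours=31), "ws-17", "beacon"),      # earlier stage repeats: no advance
    (T0, "ws-42", "beacon"),
    (T0 + timedelta(days=10), "ws-42", "recon_scan"),    # too far apart to connect
    (T0, "ws-09", "dns_lookup"),                         # not a chain stage at all
]


def chain_progress(events, window=timedelta(hours=72)):
    """Track each entity's progress along CHAIN.

    An event advances the entity when it is a later stage than the one last
    reached and arrives within `window` of it; an event outside the window
    restarts the chain at that stage (the earlier activity is treated as
    unrelated). Returns {entity: {"reached", "connected", "next", "risk"}}.
    """
    state = {}  # entity -> (stage index reached, timestamp, connected stage count)
    for ts, entity, etype in sorted(events):
        if etype not in STAGE:
            continue  # unknown event types carry no chain meaning
        idx = STAGE[etype]
        if entity not in state:
            state[entity] = (idx, ts, 1)
            continue
        reached, last_ts, connected = state[entity]
        if ts - last_ts > window:
            state[entity] = (idx, ts, 1)               # chain broken: start over here
        elif idx > reached:
            state[entity] = (idx, ts, connected + 1)   # one more stage connected
    out = {}
    for entity, (reached, _, connected) in state.items():
        nxt = CHAIN[reached + 1] if reached + 1 < len(CHAIN) else None
        out[entity] = {"reached": CHAIN[reached], "connected": connected,
                       "next": nxt, "risk": round(connected / len(CHAIN), 2)}
    return out


def watchlist(events, min_connected=3, window=timedelta(hours=72)):
    """Entities with enough connected stages to act on, mapped to the event
    that should be monitored or blocked next."""
    return {e: s["next"] for e, s in chain_progress(events, window).items()
            if s["connected"] >= min_connected and s["next"] is not None}


if __name__ == "__main__":
    for entity, nxt in watchlist(EVENTS).items():
        print(f"{entity}: block or monitor for {nxt}")
```

Risk here is simply the fraction of the chain that has connected, which is what the slide's "risk increases as activities connect" curve expresses; ws-42 has reached the same stage as ws-17 but with only one connected step, so it scores low and stays off the watchlist.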

Security analytics = exploration (http://h30499.www3.hp.com/t5/hp-security-products-blog/important-questions-for-big-security-data/). Data exploration is key! Explore: ask ad hoc questions; refine the data mart (query or side table); develop a repeatable solution; drive events back to ESM; explore some more.

Hunt team: the way to operationalize analytics. [Process diagram]

Your hunt team needs a two-sided skill set: security and data science. Roles and personas:
- Security specialist: the go-to person to get to the bottom of any major security incident, responsible for actively hunting for indicators of breach. This person understands and researches hyper-current attacker tactics, techniques and procedures.
- Data scientist: knowledgeable enough to run specialized queries; tasked to regularly find interesting anomalies or affinities in the data to review with the security specialist. This person optimizes tooling and searches, finding patterns that raise risk probability factors and finding common patterns in attacks.

They're in there! Let's find them.

For more information, speak to our experts: Chris.Calvert@hp.com, Jeff.McGee@hp.com. After the event, contact your sales rep and check out our blog: hp.com/go/securityproductsblog. Your feedback is important to us. Please take a few minutes to complete the session survey. Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Please give me your feedback. Session TB3272, speaker Chris Calvert. Please fill out a survey and hand it to the door monitor on your way out. Thank you for providing your feedback, which helps us enhance content for future events.

Thank you