We re Gonna Need a Bigger Boat

Similar documents
Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Analytics Driven, Simple, Accurate and Actionable Cyber Security Solution CYBER ANALYTICS

The Future of Threat Prevention

Compare Security Analytics Solutions

SOLUTION BRIEF RSA NETWITNESS NETWORK VISIBILITY-DRIVEN THREAT DEFENSE

Microsoft Security Management

Enhanced Threat Detection, Investigation, and Response

Video-Aware Networking: Automating Networks and Applications to Simplify the Future of Video

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

National Cyber Security Operations Center (N-CSOC) Stakeholders' Conference

Not your Father s SIEM

EMERGING THREATS & STRATEGIES FOR DEFENSE. Paul Fletcher Cyber Security

Cisco Stealthwatch Improves Threat Defense with Network Visibility and Security Analytics

Cisco Tetration Analytics

Reducing the Cost of Incident Response

Cisco Firepower NGFW. Anticipate, block, and respond to threats

RSA NetWitness Suite Respond in Minutes, Not Months

Case Study: Security Implementation for a Pharmaceutical Company

securing your network perimeter with SIEM

THE RSA SUITE NETWITNESS REINVENT YOUR SIEM. Presented by: Walter Abeson

Un SOC avanzato per una efficace risposta al cybercrime

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

PSOACI Tetration Overview. Mike Herbert

Automated Response in Cyber Security SOC with Actionable Threat Intelligence

Key Technologies for Security Operations. Copyright 2014 EMC Corporation. All rights reserved.

Arbor Networks Spectrum. Wim De Niel Consulting Engineer EMEA

The Five Point Palm Exploding Heart Technique for Forensics. Andrew Hay The 451 Group

EU GENERAL DATA PROTECTION: TIME TO ACT. Laurent Vanderschrick Channel Manager Belgium & Luxembourg Stefaan Van Hoornick Technical Manager BeNeLux

AlgoSec: How to Secure and Automate Your Heterogeneous Cisco Environment

Enterprise & Cloud Security

align security instill confidence

SOLUTION BRIEF RSA NETWITNESS EVOLVED SIEM

Increase Value from Big Data with Real-Time Data Integration and Streaming Analytics

Prescriptive Security Operations Centers. Leveraging big data capabilities to build next generation SOC

May the (IBM) X-Force Be With You

Windows Server The operating system

Consumerization. Copyright 2014 Trend Micro Inc. IT Work Load

Battle between hackers and machine learning. Alexey Lukatsky Cybersecurity Business Consultant April 03, 2019

The New Era of Cognitive Security

RSA Advanced Security Operations Richard Nichols, Director EMEA. Copyright 2015 EMC Corporation. All rights reserved. 1

SIEM: Five Requirements that Solve the Bigger Business Issues

Be effective in protecting against the cybercrime

CYBER ANALYTICS. Architecture Overview. Technical Brief. May 2016 novetta.com 2016, Novetta

locuz.com SOC Services

Threat Hunting in Modern Networks. David Biser

Delivering Integrated Cyber Defense for the Cloud Generation Darren Thomson

Intelligent Cybersecurity for the Real World Scott Lovett Vice President, Global Security Sales

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Christopher Covert. Principal Product Manager Enterprise Solutions Group. Copyright 2016 Symantec Endpoint Protection Cloud

Microsoft Big Data and Hadoop

MITIGATE CYBER ATTACK RISK

FIREWALL PROTECTION AND WHY DOES MY BUSINESS NEED IT?

SIEM Solutions from McAfee

the SWIFT Customer Security

Ο ρόλος της τεχνολογίας στο ταξίδι της συμμόρφωσης με τον Γενικό Κανονισμό. Αντιγόνη Παπανικολάου & Νίκος Αναστόπουλος

SentryWire Next generation packet capture and network security.

SentryWire Next generation packet capture and network security.

NetWitness Overview. Copyright 2011 EMC Corporation. All rights reserved.

Securing Your Digital Transformation

Sourcefire Solutions Overview Security for the Real World. SEE everything in your environment. LEARN by applying security intelligence to data

How Breaches Really Happen

Cisco Tetration Analytics

Empower stakeholders with single-pane visibility and insights Enrich firewall security data

Intro to Niara. no compromise behavioral analytics. Tomas Muliuolis HPE Aruba Baltics Lead

The threat landscape is constantly

Security analytics: From data to action Visual and analytical approaches to detecting modern adversaries

Spotlight Report. Information Security. Presented by. Group Partner

Synchronized Security

How to manage evolving threats on evolving ICT assets across Enterprise

Cisco Security Monitoring, Analysis and Response System 4.2

Popular SIEM vs aisiem

Power of the Threat Detection Trinity

A10 HARMONY CONTROLLER

Application Security at Scale

PULLING OUR SOCS UP VODAFONE GROUP AT RSAC Emma Smith. Andy Talbot. Group Technology Security Director Vodafone Group Plc

Abstract. The Challenges. ESG Lab Review Lumeta Spectre: Cyber Situational Awareness

An Aflac Case Study: Moving a Security Program from Defense to Offense

HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL

PrecisionAccess Trusted Access Control

Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting

The Critical Assets Filter for the SOC Focus discovery and analytics to expedite security investigations

Securing Your Microsoft Azure Virtual Networks

Security Automation Best Practices

Trisul Network Analytics - Traffic Analyzer

SECURITY AUTOMATION BEST PRACTICES. A Guide to Making Your Security Team Successful with Automation

Product Roadmap Symantec Endpoint Protection Suzanne Konvicka & Paul Murgatroyd

DATA SHEET AlienVault USM Anywhere Powerful Threat Detection and Incident Response for All Your Critical Infrastructure

Infoblox as Part of the Ecosystem

Incident Response Agility: Leverage the Past and Present into the Future

RSA IT Security Risk Management

CSP 2017 Network Virtualisation and Security Scott McKinnon

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

Cisco Firepower NGFW. Anticipate, block, and respond to threats

Unlocking the Power of the Cloud

Accelerate GDPR compliance with the Microsoft Cloud Agustín Corredera

Security Automation. Challenge: Automatizzare le azioni di isolamento e contenimento delle minacce rilevate tramite soluzioni di malware analysis

SIEM FOR BEGINNERS EVERYTHING YOU WANTED TO KNOW ABOUT LOG MANAGEMENT BUT WERE AFRAID TO ASK.

Securing the Modern Data Center with Trend Micro Deep Security

R-SCOPING THE HUNT. An integrated solution with

Cisco Stealthwatch Endpoint License

Transcription:

SESSION ID: CSV-F01 We re Gonna Need a Bigger Boat Alan Ross Senior Principal Engineer Intel Corporation Grant Babb Research Scientist Intel Corporation

IT Analytics: All about the changing Enterprise Cloud + Evolving Threat Landscape = Complex Security Needs Open Source Vulnerabilities AWS Azure More financial Incentives Crimeware Market Design Partner Google Increased Compliance Pressure More Malware Sales Force Cloud Proxy Verizon DOS for Ransom Better Hacking Tools and Skills More Entry Points Critical Infrastructure Targets Eloqua Enterprise Alibaba Large Scale Attempts We Need Visibility, Transparency, and Control

What Scale? Intel IT Today (if fully instrumented): 30-40 billion network related events/day Adding cloud environments could drive that to 50+ billion Not including platform, app, etc. 100,000,000,000 10,000,000,000 1,000,000,000 100,000,000 10,000,000 Events 2002 2006 2010 2014 2018 We need a platform that can scale to Hundreds of Billions of events/day! 3

How do we process the data? Intel Analytics Toolkit Contextual Data HIVE Time-Series Matrix Graph DB Data Streams Batch Processes HBASE Hadoop File System (HDFS) Cloudera Hadoop

Analytic Approach Network Analysis Pattern Analysis Signal Analysis Visual Analysis

Graph Analysis: Latent Dirichlet Allocation Strives to put a population into subgroups based on their similarity SRCIP 1 SRCIP 2 DSTIP 1 DSTIP 2 IP addresses are nodes, flow details are edges Use to cluster on known (profiling) or unknown (automated behavior) SRCIP 3 SPORT 1 SPORT 2 DSTIP 3 DSTIP 4 DPORT 1 SPORT 3 DPORT 2 Connections Bytes/packets Bytes/packets

LDA results Question: What are the strongest matches for groups based on automated communication to wellknown ports? 123 22 587 80 445 Answer: Seven ports in four different groups are the strongest matches 135 137

N N N Patterns : Principal Component Analysis I N I Time Series Data = Patterns * (Λ N * I) * Dynamic Coefficients T The Use of PCs to summarize climatological fields have been found to be so valuable that it is almost routine. - Joliffe, Principal Component Analysis

PCA Results Question: Are there any anomalous patterns in this data? Answer: One source IP is talking to several destination IP s that do not exist (horizontal scan)

Signal Analysis: Fast Fourier Transform Represent flow data as a function of sines and cosines (waves) Jump from time domain to frequency domain (and back) Easily filter noise from signal, or remove other frequencies

Signal Analysis - FFT

Visual Analytics: IPython and D3

Possible Datasets Network Security Firewall, Proxy, DNS, DHCP, SMTP, Active Directory, Netflows Platform Security Antivirus, Antispyware, Host Intrusion, Firewall, Integrity Application Security Whitelisting, Integrity Software Defined Infrastructure Schedulers, Orchestration, Attestation, Integrity 13

What is Netflow? Network Accounting Protocol (routers, switches) Phone bill for network traffic Anything that crosses a network boundary creates a Netflow record - Including security threats and attacks

Netflows Bridge the Gap Data Size Security Events Large amount of time information lost, only know occurrence, further analysis difficult if not impossible X 1X Real-time alerting on what you know already Network Flows sampling makes analysis feasible, some information lost but not much, still a high noise-low signal problem 2X Telemetry data to find new insight, or deeper analysis from events Ease of Analysis Packet Stream no sampling of data, would require a complete copy of network data for analysis Forensic data for an identified threat you want to observe 100X

Additional Context Internal IP address ranges Roles of known IP addresses (e.g. proxy server, web server) Geolocation information Security device policies (e.g. firewall rules) 16

Actionable Insight Summary views and drill downs make investigations and incident response easier. Filtering noise will make the machine learning smarter and learn over time 17

Demo

Future Distributed Analytics Most heavy lifting will occur on premise Don t want to ship billions of events over wide area networks May want multiple instances for a global environment Cloud provider analytics are a likely trend to help with transparency Analytics will be combined and synthesized On-premise and cloud analytics will be correlated Analytic results will be shared across organizations to raise all boats This will be a very collaborative activity across industries 19

How To Apply Download test data sets: VAST, CERT (http://vacommunity.org/vast+challenge+2013%3a+mini-challenge+3) (https://www.cert.org/insider-threat/tools/) Investigate what data you collect today that can be used to look for security threats! Also are there other easy data sources to pull together and analyze? There is an abundant and extraordinary amount of free tools to start digging, learning and visualizing The democratization of data analytics and visualizations Gephi, Scilab, ipython, R, D3, NFDUMP, Tons of free courses online (e.g. Coursera Data Science) 20

Key Messages/Summary 1. The scale of compute has changed dramatically 2. We need a platform to store and process data at scale 3. We need algorithms and approaches to provide insight 4. We need actionable insights that solve hard problems 21

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback