44con 2014 - security analytics beyond cyber, phil huggins

Security Analytics Beyond Cyber Phil Huggins, Vice President, Security Science 11/9/2014

Upload: 44con

Post on 30-Nov-2014


DESCRIPTION

44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins. A quick summary of the current state of big data technology and of the data science approaches used in cyber / network defender security analytics, including summary use cases, a walk-through of a reference architecture and a breakdown of the required skills. The focus is on the knowledge needed to run a proof of concept and establish a programme for early benefits. The talk then also gives a view on the future: extending the platforms and capabilities of security analytics to cover performance metrics and data-driven security management approaches.

TRANSCRIPT

Page 1: 44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins

Security Analytics Beyond Cyber

Phil Huggins, Vice President, Security Science

11/9/2014

Page 2: 44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins


SECURITY SCIENCE

Agenda

• Big Data and Cyber

• Situational Awareness

• Security Analytics Beyond Cyber

Page 3: 44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins


Big Data and Cyber Security

Page 4: 44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins


Big Data?

Volume, Velocity, Variety, Value, Veracity

Over-used buzzword.

The 3Vs: Doug Laney defined the 3Vs in 2001; Gartner promoted the 3Vs in 2012.

[Figure: Google Trends, “Big Data” search interest over time]

Page 5: 44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins


Big Data Disciplines

More useful to break Big Data down by activities you actually do:

• Decision Making: Data-Driven Management

• Analytics, Sense-Making: Data Science

• Technology, Nuts and Bolts: Data Engineering

Page 6: 44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins


Data Lakes & CoEs

The data lake, an enterprise-wide Big Data platform, is emerging in large scale businesses.

• Concentration of data

• Concentration of technology

Tends to be associated with Big Data “Centres of Excellence”.

• Concentration of Data Engineering skills

• Concentration of Data Science skills

• The CoEs are often hunting for well-defined early adopter Use Cases to prove their value.

• The Data Lakes provide unexpected opportunities for ‘data enrichment’ across organisational boundaries.

Page 7: 44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins


Why Big Data for Cyber Security?

Cyber Security is increasingly a data problem.

We are collecting, processing and analysing more and more data in order to address the threat landscape.

Network Monitoring using SIEM

• Known threat indicators

• Indicator-targeted subsets of monitoring data

• Assumes in advance what the risk is

• Near real-time analysis with limited memory

Page 8: 44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins


What are the main Cyber Security use cases for Big Data?

Network Behavioural Analytics

• Probable matches to likely/possible threat methods

• All the monitoring data over a longer period of time

• Retroactive analysis using intelligence feeds

• Combining internal and external data sources

Data-enabled Investigation

• More context and more data to investigate

• Single screen analysis

• Faster automated tooling for entity resolution and event resolution

• Variety of visualisations available, timeline visualisation especially key

Early adoption, provable ROI, vendor can develop a PoC without a customer

Page 9: 44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins


What is a Big Data Security Analytics Capability?

Tools

• Hardware and software components

• Configuration and utilization of solution components

People

• Skills of people involved

• Engagement of necessary stakeholders

• Training available

Process

• Essential processes for solution to work

• Includes management of tools, knowledge, intelligence and people

Data Sources

• The raw data from a variety of tools across the environment.

• Includes sensors, security alerts and log files.

Intelligence

• Data that provides the necessary context to enrich, interpret and prioritize analytic results

Knowledge

• The goal of the data analysis, which is both delivered to stakeholders and better informs further questions of the data

Page 10: 44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins


What does a Big Data Security Analytics solution look like?

Page 11: 44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins


How does the Security Analytics team fit into an existing Security Team?

Page 12: 44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins


Situational Awareness

Page 13: 44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins


What is Situational Awareness?

• Large body of academic work.

• A variety of different processual vs cognitive models suggested.

• Warning! The science is not robust in this area.

• Dr Mica Endsley described the popular three stage model in 1995.

• Correlation with John Boyd's OODA Loop.

SITUATIONAL AWARENESS: PERCEIVE → UNDERSTAND → PREDICT

Page 14: 44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins


How does Situational Awareness fit into Cyber Security?

[Diagram: SITUATIONAL AWARENESS alongside OPERATIONAL CYBER SECURITY, shown as the loop OBSERVE → ORIENTATE → DECIDE → ACT; roles: OPERATORS, HUNTERS, RESPONDERS, RESOLVERS; AUTOMATION?]

Page 15: 44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins


How does Situational Awareness fit into Security Management?

[Diagram: SECURITY MANAGEMENT as the cycle PLAN → DO → CHECK → ACT. PLAN: STUDY SITUATION, SET GOALS, PLAN ACTIVITIES. DO: DELIVER ACTIVITIES. CHECK: MEASURE SUCCESS, STUDY RESULTS. ACT: IMPROVE & STANDARDISE. SITUATIONAL AWARENESS feeds the cycle; SITUATIONAL AWARENESS AUTOMATION?]

Page 16: 44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins


Security Analytics Beyond Cyber

Page 17: 44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins


Why Data-Driven Security Management?

“The dearth of metrics and decision-making tools places the determination of Information Security risk to the enterprise on the judgment of IT security practitioners.” INFOSEC Research Council

“At present, the practice of measuring security is very ad-hoc. Many of the processes for measurement and metric selection are mostly or completely subjective or procedural.” Department of Homeland Security

Most security decisions are made in the absence of good data.

Best/Good Practice is “cargo cult security”.

Page 18: 44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins


Low Hanging Fruit – Quantitative Security Management

Mixed Data Sources, Visualisation, Sets of Questions, Summary Statistics

Trend Analysis, Security Posture, Perimeter View, Operational KPIs, Controls Performance

Good indicator: large Excel sheets with complex pivot tables.

Vulnerability Management

• Multiple data sources: vuln scanners or probes, hardware inventory, CMDB, patch servers, SOC monitoring, external information feeds

• Multiple clear questions

• Candidate for Question-Focused Dataset

Executive Dashboard

• Multiple data sources: risk register, project plans, incident reports, SOC feed, audit reports

• Multiple stakeholders with distinct interests

• Candidate for Interactive Visualisation
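Added example (not from the talk) of the Question-Focused Dataset this slide describes for vulnerability management: constructed scanner, CMDB and patch-server records are joined into one per-finding table, and three clear questions are asked of it. The record layouts, the SLA days and the reporting date are assumptions made for the example.

```python
# Added example: a question-focused dataset for vulnerability management,
# built by joining constructed scanner, CMDB and patch-server records.
from datetime import date
from statistics import median

# Constructed sample records standing in for the three data sources.
SCANNER = [  # (asset, finding id, severity, first seen by the scanner)
    ("web01", "VULN-A", "critical", date(2014, 8, 1)),
    ("web01", "VULN-B", "high", date(2014, 8, 20)),
    ("db01", "VULN-A", "critical", date(2014, 8, 3)),
    ("hr02", "VULN-C", "medium", date(2014, 9, 1)),
]
CMDB = {"web01": "internet-facing", "db01": "crown-jewel", "hr02": "internal"}
PATCHES = {("web01", "VULN-A"): date(2014, 8, 10),  # (asset, finding) -> fixed on
           ("hr02", "VULN-C"): date(2014, 9, 5)}
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}  # assumed programme SLAs
AS_OF = date(2014, 9, 11)  # assumed reporting date

def build_dataset(scanner=SCANNER, cmdb=CMDB, patches=PATCHES, as_of=AS_OF):
    """One row per finding, enriched with its CMDB tier and patch status."""
    rows = []
    for asset, finding, severity, first_seen in scanner:
        fixed = patches.get((asset, finding))
        rows.append({
            "asset": asset, "finding": finding, "severity": severity,
            "tier": cmdb.get(asset, "unknown"),  # a CMDB gap is itself a finding
            "fixed": fixed is not None,
            "days_open": ((fixed or as_of) - first_seen).days,
        })
    return rows

def open_critical_by_tier(rows):
    """Q1: where are the unpatched criticals? Count per CMDB tier."""
    counts = {}
    for r in rows:
        if r["severity"] == "critical" and not r["fixed"]:
            counts[r["tier"]] = counts.get(r["tier"], 0) + 1
    return counts

def median_days_to_fix(rows):
    """Q2: typical remediation time, over findings that have been fixed."""
    fixed = [r["days_open"] for r in rows if r["fixed"]]
    return median(fixed) if fixed else None

def sla_breaches(rows, sla=SLA_DAYS):
    """Q3: findings, open or fixed, that exceeded the SLA for their severity."""
    return sorted((r["asset"], r["finding"]) for r in rows
                  if r["days_open"] > sla[r["severity"]])
```

Each question is a small function over the same joined table, so adding a new question (or a new source such as SOC monitoring) does not require rebuilding the dataset.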

Page 19: 44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins


Big Data Security Analytics Opportunities

Once the Cyber use cases have been implemented there are opportunities to operationalise and potentially automate some aspects of security management activities

Risky Staff Behaviour

• Continuous monitoring, not just an annual phishing exercise

• Enrich with HR data

• Report on trends and effectiveness of awareness programs and training events

• Targeted training

Automated Incident Response

• Pre-Approved Change Controls at agreed risk thresholds

• Firewall, network and server configuration changes

• Increased targeted monitoring

• Distribution of IOCs to multiple endpoints

Page 20: 44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins


The Future - Hypothesis-Driven Security Management

Experiments to identify the effectiveness of security activities and controls in your environment

Multiple iterations following the Deming cycle.

Replace Best/Good Practice with the Right Practice for You.

Key skills:

1. Forming a useful, practical and measurable hypothesis

2. Achieving executive support for management experimentation

3. Understanding and applying the results to the business

• Some of these are Data Scientist skills, some are CISO skills.

• The CISO of the future will need to understand how to talk to Data Scientists productively!
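Added example (not from the talk) of one measurable hypothesis of the kind the Risky Staff Behaviour slide and this slide describe: in a continuous phishing exercise, did targeted training lower the click rate compared with an untrained control group? The two-proportion z-test is my choice of method, and the group counts are constructed.

```python
# Added example: one hypothesis-driven experiment on a security control,
# evaluated with a two-proportion z-test (my choice; the talk names no method).
from math import erfc, sqrt

# Constructed counts from a simulated phishing exercise, not real data:
# staff who received targeted training vs. a control group that did not.
TRAINED = {"sent": 400, "clicked": 24}   # 6.0% click rate
CONTROL = {"sent": 400, "clicked": 52}   # 13.0% click rate

def click_rate(group):
    return group["clicked"] / group["sent"]

def two_proportion_z(a, b):
    """z statistic under H0: both groups share one click probability."""
    pooled = (a["clicked"] + b["clicked"]) / (a["sent"] + b["sent"])
    se = sqrt(pooled * (1 - pooled) * (1 / a["sent"] + 1 / b["sent"]))
    if se == 0:  # nobody (or everybody) clicked: no evidence either way
        return 0.0
    return (click_rate(a) - click_rate(b)) / se

def two_sided_p(z):
    """Two-sided p-value from the standard normal distribution."""
    return erfc(abs(z) / sqrt(2))

def evaluate(trained, control, alpha=0.05):
    """H1: targeted training lowers the click rate. Returns stats and verdict."""
    z = two_proportion_z(trained, control)
    p = two_sided_p(z)
    return {
        "trained_rate": click_rate(trained),
        "control_rate": click_rate(control),
        "z": z,
        "p": p,
        "reject_h0": p < alpha and z < 0,  # significant AND in the hypothesised direction
    }
```

The verdict is only as good as the experiment design: groups must be comparable (the HR enrichment the earlier slide mentions is what makes that check possible), and the same test run every cycle is what turns an annual exercise into continuous monitoring.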

Page 21: 44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins


Conclusion

• There are no silver bullets!

• We will still need humans in the loop, but automation will allow us to do more with less.

• Build open cyber big data analytics platforms.

• Invest in analytics skills now.

Security is transforming from a subjective art to a data and automation discipline

Page 22: 44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins

strozfriedberg.com

THANK YOU

Phil Huggins, Vice President


T: +44 207 061 2299