Making sense out of the Security Operations

Transcription

1 Gaweł Mikołajczyk Making sense out of the Security Operations Cisco Public 1

2 CONFidence Cisco Public 2

3 CONFidence 2016 Network Security Treasures Cisco Public 3

4 CONFidence 2016 Real World Threat Hunting Cisco Public 4

5 Four Pillars of Security Operations People Analytics Intelligence Technology Operationalization Advanced expertise Security research Security talent shortage Near real-time analytics Anomaly detection through statistical analysis Zero-day threat focus Deterministic Rules Data Science for behavioral analysis Access to actionable sources of intelligence Cisco intelligence Customer intelligence Open Source intelligence Hadoop for scalability and redundancy Streaming analytics focused on security Event intel and focused enrichment Full packet capture Cisco Public 5

6 I. People in Security Operations Roles and responsibilities Assume the 24/7 Operations. How many people do we need? Core Operations and Supporting Functions Shift-based coverage model. How to share info an collaborate? Security Analysts (Tiers), Security Investigators Define the skills, roles, responsibilities. IT vs OT. Incident Response / Forensics Folks Incident and Change Security Engineering Automation / Toolset Development Industry/Homegrown Threat Intelligence Expertise, Detection Engines Development, Tuning Data Science, Analytics Expertise Core System / Platform Development and Security R&D Non-technical Functions Engagement / Escalations / Projects Cisco Public 6

7 II Security Analytics Benefits: + Mature method of analysis + Covers the majority of known threats Deterministic Rules-Based Analytics (DRB) Benefits: Statistical Rules-Based Analytics (SRB) + Provides Anomaly Detection based on both volume and velocity of data clusters + Enables Trend Forecasting Benefits: Data Science- Centric Analytics (DSC) + Captures and stores large data sets in its raw format (Data Lake) + Classifies events and creates behavior profiles of data captured Challenges: Requires tuning Depends on prior knowledge of threat behavior Does not address polymorphic malware Challenges: Produces False Positives Requires significant storage and compute Allows for only a single variable to be analyzed per model Challenges: Models are generally customer specific and use case focused Requires significant storage and compute Cisco Public 7

8 Practical Use Case: OpenDNS Spike Rank (SPRank) Detects spikes in network traffic using mathematical concepts for wave analysis Often found in sound wave analysis (like Shazam, Pandora) Cisco and/or its affiliates. All rights reserved. Cisco Public 8

9 III. Making use of Security Intelligence Product Security Incident Response Team (PSIRT) Global Team Managing the Investigation and Reporting of Vulnerability Information for Cisco Products Vulnerability Research Team (VRT) Elite cyber security experts dedicated to identifying new trends, malware and vulnerabilities Computer Security Incident Response Team (CSIRT) Threat Assessment, Incident Detection and Response, and Incident Trending and Analysis Security Operations Centers Cisco Remote Managed Support and Managed Threat Defense Sourcefire Vulnerability Research Research and collection of vulnerabilities on endpoints, mobile devices, virtual systems, web and Security Community Data Actively work with and contribute discovered threat intelligence Security Research and Operations Experts with Deep Security Knowledge Deliver Threat Mitigation Procedures for Cisco Products Partner Data Exchange intelligence through private partnerships

10 Security Intelligence How it s done at Cisco Cisco Talos Cisco Collective Security Intelligence 1.6 million global sensors 100 TB of data received per day 150 million+ deployed endpoints 600+ engineers, technicians, and researchers WWW Endpoints Web Networks IPS Devices 35% worldwide traffic 13 billion web requests 24x7x365 operations 40+ languages 180,000+ File Samples per Day FireAMP Community Advanced Microsoft and Industry Disclosures Snort and ClamAV Open Source Communities Honeypots Sourcefire AEGIS Program Private and Public Threat Feeds Dynamic Analysis Cisco Public 10

11 IV. Technology Telemetry/Intel Data Functions Analytic Functions Passive Tap Event Sensor Cisco Products Ingest Storage Deterministic Analysis Automated Hunts Statistical Analysis Send Notices Passive Tap Internal Events Third Party Products Machine / App Exhaust Search Compress Parse and Normalize Extract Features Connect Events and Entities Machine Learning Sensors at Point-of-Presence Distributed Entity LDAP / Active Directory Cisco ISE Intelligence Cisco TIP / Talos Custom / External Export Import Archive View Analyze Features Identify Anomalous Storage, Ingest, Analytics Centralized DCAP Cisco Public 11

12 Proposed Security Operations Flow Framework Full packet capture Protocol metadata Third-party applications Machine exhaust (logs) Parse + Format Threat Intelligence Feeds Enrich Alert Applications + Analyst Tools Log Mining and Analytics Network Packet Mining and PCAP Reconstruction Big Data Exploration, Predictive Modelling Unstructured telemetry Other streaming telemetry Enrichment Data Cisco Public 12

13 V. Security Operations Center Design / Facility CUSTOMER PORTAL 24/7 ACCESS Dedicated Customer Portal Collection, Storage, Analysis VPN SOC INTERNET Secure Connection (HTTPS/SSH/IPSec) VPN DEDICATED CUSTOMER SEGMENT FIREWALL Investigator Portal Administrative Consoles Authentication Services FIREWALL TICKETING Alerting/Ticketing System COMMON SERVICES Threat Intelligence ENTERPRISE PREMISE SOC DATA CENTER Cisco Public 13

14 Cisco Public 14

15 Cisco Public 15

16 Cisco Public 16

17 Good, now start building a Playbook playbook ˈplāˌbŏk noun A prescriptive collection of repeatable queries (reports) against security event data sources that lead to incident detection and response. Cisco Public 19

18 Develop a Hot Threats Dashboard Cisco Public 20

19 A SOC Example of Two-Week Timeframe 269,808 Security Events Threat intel sourced 61,816 Telemetry Ingested by DCAP Telemetry 207,992 generated Intelligence ~19,000 events/day to ~8,000 events/day to ~120 suspicious events/day to ~5 prioritized events/ day 113, Unique events, prioritization, correlation High fidelity events, triage activities Analyst -> Investigator Post-investigation tickets Actionable by client Analytics People Cisco Public 21

20 Metrics: How do we know you re working? Period Ending SI Events Device Sourced Events Total Security Events High Fidelity Events Investigated Post Investigation Tickets Created 2/13 93,967 1,408 95,375 2, /20 249,592 5, , Cisco Public 22

21 Reporting Example Summary of Threats Cisco Public 23

22 Reporting Example Pro-Active Threat Hunting Cisco Public 24

23 Present Even More Reasons for Your Existence! Top events fired per event source Top malicious domain Total infected hosts Top malware type/family Highest areas of infection (lab, DC, DMZ, etc.) Infections by theatre Infection by role/org (sales, engineering, marketing, etc.) Event rates and collection stats (total volume of alarms, then Alarms by source, index/filesize avg/day) Unique user counts avg/day Total attacks blocked Top infections by event source (event source detection ranking)

24 SOC = Tell A Story of Continuous Protection Cisco Public 27

25 If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology. Bruce Schneier Security Guru Cisco Public 28

26 Thank you.