BAE SYSTEMS CYBERREVEAL G-CLOUD SERVICE DEFINITION


Table of contents

1 Introduction
2 CyberReveal Overview
2.1 CyberReveal Platform
2.2 CyberReveal Analytics
2.3 CyberReveal Investigator
3 Technical Requirements
3.1 CyberReveal Platform
3.2 CyberReveal Analytics
3.3 CyberReveal Investigator
4 Service Delivery
4.1 Evaluation
4.2 Training
4.3 Professional services
4.4 Onboarding
5 Applied Intelligence: Information Intelligence

BAE Systems CyberReveal Page 1 of 14

1 Introduction

Enterprises today face a range of cyber adversaries. Amongst the most sophisticated are criminal organisations and foreign governments determined to steal high-value information or disrupt critical services in order to inflict damage or gain unfair competitive advantage.

It is almost impossible to prevent a determined, knowledgeable and well-resourced attacker from compromising an organisation. They will modify and re-modify their attack over weeks, months or even years to eventually defeat an organisation's security controls. Their actions may go undetected for some time, but the damage can be considerable and lasting.

Many organisations have responded by proactively monitoring their infrastructure to detect attackers that have successfully gained access. The objective is simple: to find, investigate and respond effectively to attacks before lasting damage is done.

Conventional security monitoring products are not effective. Enterprises that develop an in-house monitoring capability, by investing in technology and security analysts, often find their efforts hampered by the limitations of traditional monitoring products:

- Efficiency: Analysts and tools are overwhelmed by security alert data.
- Threat: New types of attack may go undetected by products that only recognise previously encountered attacks.
- Scale: The cost of processing increasing volumes of alert data becomes prohibitive.
- Decision making: The contextual information needed to assess alerts is distributed across several toolsets.

To effectively manage the sophisticated cyber-attacks we face now, and will face in the future, a more sophisticated security monitoring platform is clearly needed. CyberReveal is a true big data security analytics and investigation platform. It brings together our heritage in network intelligence, big data analytics and cyber threat research into a unique enterprise-scale product.

2 CyberReveal Overview

CyberReveal is a highly scalable, modular product stack for the detection and investigation of advanced security threats against an infrastructure. By utilizing the latest big data technologies and advanced security analytics, CyberReveal provides effective protection against targeted cyber-attacks.

CyberReveal provides more sophisticated threat detection than traditional signature and rules-based methods because the CyberReveal Analytics are behaviour based. This enables the analytics to find previously unknown threats through anomalous behaviour, rather than just finding the subset of known threats that signatures provide. By combining and correlating multiple data and alert sources, CyberReveal significantly increases analyst efficiency, allowing analysts to make more informed decisions, quicker.

Our solution was built for analysts, by analysts, and is the same technology which is deployed and proven in our managed security service, providing protection for over 150,000 endpoints across the globe.

CyberReveal currently contains three core components:

- Platform: Big data platform that can store and process billions of events.
- Analytics: Advanced behavioural security analytics for the detection of the most sophisticated threats.
- Investigator: An intuitive investigation and response tool providing a single view of threats to the organization to support security and threat analyst workflows.

2.1 CyberReveal Platform

Figure 1. CyberReveal Product Overview

The CyberReveal big data platform is built from the ground up around the massively scalable Hadoop ecosystem. In our specific use case, Hadoop provides the scalability to store, process and rapidly query billions of infrastructure events per day, and to do so cost-effectively on commodity hardware.

Figure 2. CyberReveal Platform

CyberReveal aims to align with Apache releases of Hadoop and supports a range of distributions including HortonWorks, Cloudera and Greenplum Pivotal HD. If a Hadoop cluster already exists in the deployment environment, depending on the distribution, CyberReveal can leverage this existing infrastructure without requiring exclusive access to the cluster.

CyberReveal provides an abstraction layer at the ingress of data, meaning that the CyberReveal Platform is agnostic to the specific data source and format being ingested. All data is normalized into standardized formats which can later be used in the analytics stage of the solution. The platform can leverage log data from existing monitoring infrastructure, or Applied Intelligence can provide the capability to collect the data using our network probes and host agents. The typical types of data that we envisage being ingested for detecting and investigating advanced threats include:

- HTTP: Commonly collected from web proxies or network probes at the network perimeter, CyberReveal analyses HTTP transaction metadata records. CyberReveal supports many common proxy vendors such as Blue Coat.
- Email: CyberReveal can collect log data from email gateways such as IronPort. The SMTP metadata is useful for detecting spear-phishing attacks (scheduled for release in version 1.2), which is a common form of infiltration.
- Host: Integrating CyberReveal with either a third-party agent or the Detica Host Agent installed on each client machine or server can provide a richer view of the activities on the infrastructure. Host agents can record details such as running processes, login attempts and user activity, which can be correlated against network events.
- Network: CyberReveal can also integrate with other network log data such as DNS, firewall or net-flow data.
- Enrichment: CyberReveal also has the ability to bring in numerous sources of data which provide context to an investigation. Examples of this include asset databases and third party data such as Alexa rankings and WHOIS information.
- Threat Intelligence: CyberReveal has the capability to ingest threat intelligence from numerous threat intelligence sources such as isight and extract meaningful signatures from them. These signatures can then be used within CyberReveal to detect threats, or exported to network devices such as firewalls or intrusion prevention systems.

Once the data has been ingested, the CyberReveal Platform relies on Apache Accumulo, which is built on top of the Hadoop File System, to store the data with granular, cell-level security. By using Accumulo to index the normalized data into key/value pairs, a subset of events can be retrieved from the whole dataset (which could scale to billions of records) in a matter of seconds. Accumulo provides a cost-effective, high performance and secure infrastructure for unified logging.

2.2 CyberReveal Analytics

After the events have been ingested, the CyberReveal Analytics can be run across the entire breadth of the data stored in the platform. The CyberReveal Analytics can identify malicious behaviour within your IT infrastructure and raise alerts to CyberReveal Investigator. CyberReveal's behavioural analytics are able to find new attack methods and zero-day exploits, where traditional rules or signature engines are commonly restricted to detecting known malicious activity. CyberReveal Analytics are driven by current threat intelligence gathered and created by Detica's Threat Intelligence team. The analytics are tested, refined and proven in Detica's managed security service, which is run across a range of clients varying in size and industry.

The CyberReveal Analytics are based on an extensible framework that provides the foundations for clients to write their own analytics to address their priority threats. Part of our offering also includes the opportunity to co-create analytics with CyberReveal's analytics development team, to design and create new analytics that meet the needs of the client. Training and Collaborative Analytics Services help clients become productive quickly.
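Section 2.1 describes two things that are easier to judge when seen concretely: an ingestion layer that normalises every source into one schema, and Accumulo-style key/value storage that carries a visibility label on each cell so that access is enforced inside the store. The Python below is an added illustration for this page, not CyberReveal code and not Accumulo's API. It normalises one constructed proxy record and one constructed DNS record into a shared Event schema, writes each field as a separately labelled cell, and scans the same rows with two different authorisation sets. The column-to-label policy, the row key layout and the cut-down visibility grammar (only '&' and '|', no parentheses) are assumptions made for the example.

```python
import re
from datetime import datetime
from dataclasses import dataclass

# Constructed sample log lines (not real data): a proxy-style HTTP transaction
# record and a BIND-style DNS query log line for the same client.
PROXY_LOG = '2014-03-10 09:15:02 10.0.4.21 200 GET http://update.example.net/chk.php "Mozilla/5.0"'
DNS_LOG = '10-Mar-2014 09:15:01 client 10.0.4.21#51023: query: update.example.net IN A'


@dataclass
class Event:
    """Common schema every source is normalised into before storage."""
    ts: str          # ISO 8601, whatever the source's own timestamp format was
    source: str      # "http" or "dns"
    src_ip: str
    host: str
    fields: dict     # source-specific extras (URL, user agent, query type, ...)


def normalize_proxy(line: str) -> Event:
    m = re.match(r'(\S+ \S+) (\S+) (\d{3}) (\S+) (\S+) "(.*)"$', line)
    if not m:
        raise ValueError("unrecognised proxy record")
    ts, ip, status, method, url, ua = m.groups()
    host = re.sub(r"^\w+://", "", url).split("/", 1)[0]
    iso = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").isoformat()
    return Event(iso, "http", ip, host,
                 {"url": url, "status": int(status), "method": method, "user_agent": ua})


def normalize_dns(line: str) -> Event:
    m = re.match(r"(\S+ \S+) client (\S+)#\d+: query: (\S+) IN (\S+)", line)
    if not m:
        raise ValueError("unrecognised DNS record")
    ts, ip, qname, qtype = m.groups()
    iso = datetime.strptime(ts, "%d-%b-%Y %H:%M:%S").isoformat()
    return Event(iso, "dns", ip, qname, {"qtype": qtype})


NORMALIZERS = {"proxy": normalize_proxy, "dns": normalize_dns}

# Assumed labelling policy (not the product's): hostnames are visible to any
# security analyst, while URLs and user agents, which can identify individuals,
# additionally require the "pii" authorisation.
COLUMN_VISIBILITY = {
    "host": "secops", "status": "secops", "method": "secops", "qtype": "secops",
    "url": "secops&pii", "user_agent": "secops&pii",
}


def visible(expression: str, auths: set) -> bool:
    """Cut-down Accumulo-style visibility check: '|'-separated alternatives,
    each an '&'-joined set of labels that must all be held."""
    return any(all(term.strip() in auths for term in alt.split("&"))
               for alt in expression.split("|"))


class CellStore:
    """In-memory stand-in for a sorted key/value store that keeps a visibility
    label on every cell. Row keys are 'src_ip|timestamp', so one client's
    events are contiguous and a prefix scan retrieves them without reading
    the rest of the data."""

    def __init__(self):
        self.cells = []  # (row, column, visibility, value)

    def put(self, row, column, visibility, value):
        self.cells.append((row, column, visibility, value))
        self.cells.sort(key=lambda c: (c[0], c[1]))

    def scan(self, auths: set, row_prefix: str = ""):
        """Return only cells whose label the scanner's authorisations satisfy;
        the filter is applied in the store, not trusted to the client."""
        return [(row, col, val) for row, col, vis, val in self.cells
                if row.startswith(row_prefix) and visible(vis, auths)]


def ingest(store: CellStore, kind: str, line: str) -> Event:
    """Normalise one raw line and write each field as a separately labelled cell."""
    ev = NORMALIZERS[kind](line)
    row = f"{ev.src_ip}|{ev.ts}"
    store.put(row, f"{ev.source}:host", COLUMN_VISIBILITY["host"], ev.host)
    for name, value in ev.fields.items():
        store.put(row, f"{ev.source}:{name}", COLUMN_VISIBILITY[name], value)
    return ev


def demo():
    """Ingest both records, then scan the client's rows with two authorisation sets."""
    store = CellStore()
    ingest(store, "proxy", PROXY_LOG)
    ingest(store, "dns", DNS_LOG)
    tier1 = store.scan({"secops"}, "10.0.4.21")
    pii_cleared = store.scan({"secops", "pii"}, "10.0.4.21")
    return tier1, pii_cleared


if __name__ == "__main__":
    for label, cells in zip(("secops only", "secops + pii"), demo()):
        print(label)
        for cell in cells:
            print("  ", cell)
```

The point to notice is that both analysts run the same prefix scan; the analyst without the "pii" authorisation simply never receives the URL and user-agent cells, so the restriction holds for every query path rather than depending on each front end to redact correctly.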

Figure 3. CyberReveal Analytics

We have defined attack models for APT (Advanced Persistent Threat). The APT pack is well established and proven within our managed security service. We employ multiple behavioural analytics to detect traits exhibited by the adversary at various stages of the attack. The APT attack model mainly focuses on covert information theft, although it is extensible to other malicious activity, and the entire analytics framework is extensible to allow detection of other threats. The table below shows an example of the various attack techniques that we look for within our APT analytics:

Figure 4. CyberReveal APT Attack Techniques
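The contrast drawn in section 2.2 between signature matching and behavioural detection can be shown on a handful of records. The Python below is an added illustration, not one of CyberReveal's analytics: over constructed HTTP transaction metadata it runs a signature check against a known-bad host list, and a behavioural check that flags a client talking to a host outside the estate's baseline at machine-regular intervals (a low coefficient of variation in the gaps between requests, a common trait of malware check-in traffic). The thresholds, the baseline list and the sample events are assumptions made for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed HTTP transaction metadata: (timestamp, client IP, destination host).
# 10.0.4.21 contacts a host the estate has never seen, once every five minutes
# almost to the second; 10.0.4.22 browses a well-known host at human-paced,
# irregular intervals; 10.0.4.23 makes a single request to a listed bad host.
EVENTS = [
    ("2014-03-10 09:00:00", "10.0.4.21", "update.example.net"),
    ("2014-03-10 09:00:00", "10.0.4.22", "news.example.org"),
    ("2014-03-10 09:00:40", "10.0.4.22", "news.example.org"),
    ("2014-03-10 09:03:15", "10.0.4.22", "news.example.org"),
    ("2014-03-10 09:05:01", "10.0.4.21", "update.example.net"),
    ("2014-03-10 09:09:59", "10.0.4.21", "update.example.net"),
    ("2014-03-10 09:11:00", "10.0.4.22", "news.example.org"),
    ("2014-03-10 09:12:05", "10.0.4.22", "news.example.org"),
    ("2014-03-10 09:15:00", "10.0.4.21", "update.example.net"),
    ("2014-03-10 09:20:02", "10.0.4.21", "update.example.net"),
    ("2014-03-10 09:30:00", "10.0.4.23", "evil.example"),
]

# Constructed signature list and constructed baseline of hosts seen in prior weeks.
KNOWN_BAD = {"evil.example"}
BASELINE_HOSTS = {"news.example.org", "mail.example.com"}


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def signature_alerts(events):
    """Signature approach: only hosts already on the list can ever be flagged."""
    return sorted({(ip, host) for _, ip, host in events if host in KNOWN_BAD})


def interval_stats(timestamps):
    """Mean gap between consecutive requests and its coefficient of variation
    (stdev / mean); a near-zero CV means the requests are driven by a timer."""
    times = sorted(parse_ts(t) for t in timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        # Too few requests to say anything about regularity.
        return (gaps[0] if gaps else 0.0), float("inf")
    mean = statistics.mean(gaps)
    return mean, statistics.stdev(gaps) / mean


def behavioural_alerts(events, baseline, min_requests=4, max_cv=0.1):
    """Behavioural approach: flag (client, host) pairs that are new to the estate
    and whose request timing is too regular to be a person. No prior knowledge
    of the host is required, which is what lets it catch hosts the signature
    list has never heard of."""
    by_pair = defaultdict(list)
    for ts, ip, host in events:
        by_pair[(ip, host)].append(ts)
    alerts = []
    for (ip, host), stamps in sorted(by_pair.items()):
        if host in baseline or len(stamps) < min_requests:
            continue
        mean_gap, cv = interval_stats(stamps)
        if cv <= max_cv:
            alerts.append({"src_ip": ip, "host": host, "requests": len(stamps),
                           "mean_interval_s": mean_gap, "cv": cv})
    return alerts


if __name__ == "__main__":
    print("signature hits:", signature_alerts(EVENTS))
    for a in behavioural_alerts(EVENTS, BASELINE_HOSTS):
        print("behavioural alert:", a)
```

On this input the signature check finds only the listed host, while the behavioural check raises the unlisted update.example.net and stays silent on the human browsing pattern. In practice the baseline and the minimum-request threshold are what keep such an analytic from alerting on legitimate scheduled traffic (software updaters, monitoring agents), so they need tuning to the estate being monitored.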

2.3 CyberReveal Investigator

Once the CyberReveal Analytics have run, the resulting alerts are forwarded to CyberReveal Investigator. CyberReveal Investigator is the front-end operational tool for efficiently investigating alerts from CyberReveal Analytics as well as from third-party monitoring devices that provide alerts, such as SIEMs like ArcSight. Our aim is to improve analysts' efficiency and effectiveness by providing their alert, incident or threat intelligence work queue in a single interface, along with all contextual data and visualizations, to enable them to quickly make accurate decisions.

CyberReveal Investigator has an open architecture which enables quick and easy integration into the IT infrastructure. There are standard open APIs for the integration of alerting systems, threat intelligence, enrichment sources and ticketing, as well as log sources for querying. Examples of some previous integrations with Investigator include CA Service Desk Manager and SharePoint for ticketing, ArcSight and Splunk for both alerting and querying, and asset directories and AV endpoint protection systems for enrichment.

Alerts and Threat Intelligence

Figure 5. CyberReveal Investigator

Investigator provides analysts unprecedented insight and efficiency through a unified view across the whole security infrastructure. It provides a single pane of glass into the security environment by integrating with the existing infrastructure to obtain greater operational benefit from it. For example, alerts from other monitoring systems as well as threat intelligence from multiple sources can be aggregated, correlated and investigated in one place.

Context and Visualizations

CyberReveal Investigator has interactive tables and visualizations to enable investigators to effectively analyse information. This helps give the analyst more context and an intuitive understanding of the activity that is taking place. Within the visualisations, Investigator automatically links entities to provide a coherent graphical view of related entities in alerts or threat intelligence reports. These linked entities can come from a range of data sources and enrichment, so that the full context of the activity can be investigated easily and data collated from multiple sources.

By standardising an interface to query the underlying data sources, analysts do not need technical knowledge of each logging system in order to query it. This not only means that querying any data source is quick and simple, but, as it reduces the skill level required, the team is more easily scaled. It also greatly improves efficiency as the analyst does not have to swivel-chair between systems. CyberReveal Investigator can integrate with any query source, including the system we use in our solution, i.e. the CyberReveal Platform.

Enrichment is automatically done for each entity, both on the graph and in the Enrichment panel. This information helps give the analyst context to the data being presented. This enrichment information can come from both internal databases such as threat intelligence repositories and open source information such as Alexa rankings and blacklists.

Incident/Knowledge Management

CyberReveal Investigator has a myriad of knowledge store functionality that not only aids in operationalising the investigation of alerts and intelligence reports but also improves efficiency through reduced repetition of work. Investigator integrates with an incident management system to enable tickets/cases to be created from an alert or intelligence. The fields being submitted to the ticketing system are automatically populated with the information of the alert, which reduces the risk of human error. Additionally, visualisations of contextual data can also be attached to the ticket so that further investigation can continue, potentially with other analysts in different teams.

In addition to this, CyberReveal Investigator has a feature to maintain and share an analyst knowledge base across the team. This functionality enables an analyst to make a note against any entity within Investigator. These notes are instantly viewable by all analysts who have the correct permissions, enabling quick and easy knowledge sharing between analysts and reducing the time needed to investigate. This enables the analyst to quickly understand whether previous incidents relate to the activity they are investigating and what remediation was taken at that time.

3 Technical Requirements

3.1 CyberReveal Platform

Many large organisations already have a preferred Hadoop distribution, and CyberReveal can be installed on top of an existing Hadoop cluster as long as the hardware is sufficient and the Hadoop version and distribution are supported. As part of the professional services associated with CyberReveal deployment we can install HortonWorks HDP 1.3, our preferred distribution, on client hardware. CyberReveal runs on Hadoop versions up to 1.2. To date CyberReveal has been deployed on a variety of Hadoop distributions including Cloudera, GreenPlum and HortonWorks. Applied Intelligence has a Hadoop testing facility and a programme of work to test CyberReveal on the most popular distributions.

The actual number of machines required in your cluster will depend on various factors:

- The size of the estate that you are monitoring
- The number and type of analytics that you are running
- The memory and CPU performance of the machines in the cluster
- Intensity of IT usage of the user community
- The data retention period, the HDFS replication factor and the data compression ratio

We can estimate the number of machines required in your cluster based on your particular circumstances using our CyberReveal Cluster Sizing Model. As an example, a typical installation of CyberReveal in a 50,000 employee organisation might run on 15 commodity servers. For more detailed information on CyberReveal Platform and its interaction with Hadoop please contact the CyberReveal team.

3.2 CyberReveal Analytics

Each CyberReveal Analytics pack takes various data types as input. Each data source enables various analytics within the pack depending on what each algorithm is trying to detect. For example, our Advanced Persistent Threat (APT) pack primarily uses HTTP data, email metadata and host data. These data sources enable our CyberReveal Analytics to identify anomalous behaviour at each stage of the kill chain.

The CyberReveal Platform provides an abstraction layer between the data sources and the CyberReveal Analytics. Therefore CyberReveal is not dependent on any particular brand of data source. You are free to create your own analytics in order to identify any threats in your environment. You will use your own knowledge of the threat and your environment in order to identify the data sources required. Full details of the data sources required for a specific analytics pack are available under NDA.

3.3 CyberReveal Investigator

The CyberReveal Investigator front-end component is a Java-based, web-delivered application. Any reasonable business-grade specification PC or Mac will be able to run the software. It is envisaged that the analyst would have a dual monitor setup to derive the best use of the tool.

4 Service Delivery

4.1 Evaluation

Prior to a full deployment Applied Intelligence offers the option of an evaluation. The evaluation period can last between one and three months, but is normally the full three months. During this period an information gathering exercise is undertaken to capture all relevant information relating to the Client's business drivers and technology. Once this information has been gathered, to facilitate a smooth integration, we will install and configure the CyberReveal product.

During the evaluation period training will be provided to allow Client security analysts to exploit the tool. If the Client has chosen to take the analytics component of CyberReveal, the evaluation period will include up to three workshops (one per month of the evaluation) to ensure the analytics are functioning appropriately. The output of these workshops will enable us to work together with the Client to build, test and refine analytics to prove and meet the Client's business requirements.

Throughout this time, the Client will be able to evaluate the product against agreed success criteria and business objectives. We will provide assistance where required and are open to feedback on the product and where improvements could be made.

4.2 Training

The CyberReveal product is specifically designed to ensure that the Client's security analysts will require no formal software or programming training or skills to be able to operate the product. Once the CyberReveal product has been installed the security analysts will receive training in how to use and exploit the tool effectively and efficiently. This standard training provision is included in the cost of the CyberReveal licence.

Should the Client wish to generate their own analytics, then an understanding of Java and MapReduce as well as the technical architecture of Hadoop will be necessary. If the Client wishes to support their own Hadoop cluster then an understanding of Hadoop, Oozie, MapReduce and Accumulo will be needed. This bespoke training is available as a professional service and as such is charged in line with our SFIA rate card.

4.3 Professional services

Deploying the full solution requires a team typically comprising the following roles:

- Technical Project Manager: A technical delivery and project manager from the CyberReveal team. They will be responsible for timely delivery of product evaluations and implementations.
- Business Analyst: A CyberReveal business analyst who will work with the client team to define the business requirements for a specific implementation. The business analyst will also help to shape the business case and benefits of a CyberReveal implementation.
- Technical Deployment: A CyberReveal technical architect who will work with the client-side technical team (network, IT and security) to ensure a successful deployment of the product.
- Analytics Lead: A CyberReveal cyber security analytics expert to work with your analytics team to create analytics relevant to your organisation.

- Systems Integration Partners: In addition, we have a number of systems integration partners who can support the above roles.

The exact composition of the team and the amount of effort required for a successful deployment will depend on the complexity of the client network and the number of integrations required. Our professional services are charged at the SFIA rate card attached.

4.4 Onboarding

Deployment of the CyberReveal product to your network is an extensively defined and managed process to ensure a successful outcome that meets your business and security requirements. We use a framework process to identify and incorporate all relevant data sources and any legacy data stores you would like incorporated into the solution. The deployment process entails close working between our deployment engineers and your security operations staff, and includes training on the product to enable your analysts to test and operate the system as quickly as possible.

5 Applied Intelligence: Information Intelligence

BAE Systems Applied Intelligence is an information intelligence specialist. We help government and commercial organisations exploit information to deliver critical business services more effectively and economically. We also develop solutions to strengthen national security and resilience, enabling citizens to go about their lives freely and with confidence. By combining technical innovation and domain knowledge, we integrate and deliver world-class solutions, often based on our own unique intellectual property, to our customers' most complex operational problems.

We recognise the importance of Cloud services to the realisation of HMG's IT Strategy and have optimised many of our most compelling IT service offerings for Government on G-Cloud. Through these offerings we are at the forefront of realising the full benefits of Information Technology for our customers. Below is a summary of our G-Cloud services.

- Consultancy: Providing Business and IT strategy and transformation consultancy services, including requirements management, organisational change, and business case & benefits management.
- Service Integration and Management (SIAM): Covering all aspects of SIAM services, from target operating model design, to service integration, supplier management, architecture and transition and transformation management.
- Information Security: Cyber security assessments, architecture and testing services; threat detection, protective monitoring and security management services; cyber incident response; and Industrial Protection, Secure Web Gateway and Cross Domain services.
- Agile Design and Delivery: Services delivered using the Agile method for design and development, including Secure-by-Design services.
- Architecture: The design of end-to-end architecture solutions, including infrastructure, operations, applications and service, as well as enterprise architecture.
- Data Services: Data management, protection and exploitation services covering people, process, data and technologies. Includes maturity assessments, organisation design and provision of data analytics services.
- Programme Management: Provision of programme management and support experts to provide delivery and/or assurance of internal and external programmes.
- Digital Media: Digital transformation, media development, including user experience, social business and mobile media.
- Secure Mobility & MobileProtect: From mobile strategy, through to development of your secure mobile proposition for your user base; Cloud based protection for your user base portfolio of mobile devices.
- NetReveal OnDemand: Cloud based delivery of the global leader in counter fraud software.

For more details on our G-Cloud services, visit our website or send us an email at gcloud@baesystems.com.

Applied Intelligence is part of BAE Systems, the premier global defence, security and aerospace company. BAE Systems delivers a full range of products and services for air, land and naval forces, as well as advanced electronics, security, information technology solutions and customer support services.

Applied Intelligence Limited is a BAE Systems company, trading as BAE Systems Applied Intelligence. Applied Intelligence Limited is registered in England (No ) with its registered office at Surrey Research Park, Guildford, England, GU2 7YP. Copyright BAE Systems plc. All Rights Reserved. BAE SYSTEMS, APPLIED INTELLIGENCE and the names of the BAE Systems Applied Intelligence products referenced herein are trademarks of BAE Systems plc and are registered in certain jurisdictions.


More information

SIEM is only as good as the data it consumes

SIEM is only as good as the data it consumes SIEM is only as good as the data it consumes Key Themes The traditional Kill Chain model needs to be updated due to the new cyber landscape A new Kill Chain for detection of The Insider Threat needs to

More information

Cisco Data Preparation

Cisco Data Preparation Data Sheet Cisco Data Preparation Unleash your business analysts to develop the insights that drive better business outcomes, sooner, from all your data. As self-service business intelligence (BI) and

More information

Advanced Threat Protection with Dell SecureWorks Security Services

Advanced Threat Protection with Dell SecureWorks Security Services Advanced Threat Protection with Dell SecureWorks Security Services Table of Contents Summary... 2 What are Advanced Threats?... 3 How do advanced threat actors operate?... 3 Addressing the Threat... 5

More information

Defending against modern cyber threats

Defending against modern cyber threats Defending against modern cyber threats Protecting Critical Assets October 2011 Accenture, its logo, and High Performance Delivered are trademarks of Accenture. Agenda 1. The seriousness of today s situation

More information

Analyzing HTTP/HTTPS Traffic Logs

Analyzing HTTP/HTTPS Traffic Logs Advanced Threat Protection Automatic Traffic Log Analysis APTs, advanced malware and zero-day attacks are designed to evade conventional perimeter security defenses. Today, there is wide agreement that

More information

Discover & Investigate Advanced Threats. OVERVIEW

Discover & Investigate Advanced Threats. OVERVIEW Discover & Investigate Advanced Threats. OVERVIEW HIGHLIGHTS Introducing RSA Security Analytics, Providing: Security monitoring Incident investigation Compliance reporting Providing Big Data Security Analytics

More information

Ubuntu and Hadoop: the perfect match

Ubuntu and Hadoop: the perfect match WHITE PAPER Ubuntu and Hadoop: the perfect match February 2012 Copyright Canonical 2012 www.canonical.com Executive introduction In many fields of IT, there are always stand-out technologies. This is definitely

More information

Cyber Situational Awareness for Enterprise Security

Cyber Situational Awareness for Enterprise Security Cyber Situational Awareness for Enterprise Security Tzvi Kasten AVP, Business Development Biju Varghese Director, Engineering Sudhir Garg Technical Architect The security world is changing as the nature

More information

with Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief

with Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief RSA Solution Brief Streamlining Security Operations with Managing RSA the Lifecycle of Data Loss Prevention and Encryption RSA envision Keys with Solutions RSA Key Manager RSA Solution Brief 1 Who is asking

More information

+44 (0) 1189 908 0850 partners@voxclever.net www.voxclever.com

+44 (0) 1189 908 0850 partners@voxclever.net www.voxclever.com ENTERPRISE CLOUD COMMUNICATIONS: AN INTRODUCTORY OVERVIEW +44 (0) 1189 908 0850 partners@voxclever.net www.voxclever.com Table of Contents Why choose us?... 2 How do we help?... 2 Product as a Service...

More information

agility made possible

agility made possible SOLUTION BRIEF Flexibility and Choices in Infrastructure Management can IT live up to business expectations with soaring infrastructure complexity and challenging resource constraints? agility made possible

More information

Data Warehouse as a Service. Lot 2 - Platform as a Service. Version: 1.1, Issue Date: 05/02/2014. Classification: Open

Data Warehouse as a Service. Lot 2 - Platform as a Service. Version: 1.1, Issue Date: 05/02/2014. Classification: Open Data Warehouse as a Service Version: 1.1, Issue Date: 05/02/2014 Classification: Open Classification: Open ii MDS Technologies Ltd 2014. Other than for the sole purpose of evaluating this Response, no

More information

Data Refinery with Big Data Aspects

Data Refinery with Big Data Aspects International Journal of Information and Computation Technology. ISSN 0974-2239 Volume 3, Number 7 (2013), pp. 655-662 International Research Publications House http://www. irphouse.com /ijict.htm Data

More information

Machine-to-Machine Exchange of Cyber Threat Information: a Key to Mature Cyber Defense

Machine-to-Machine Exchange of Cyber Threat Information: a Key to Mature Cyber Defense Machine-to-Machine Exchange of Cyber Threat Information: a Key to Mature Cyber Defense By: Daniel Harkness, Chris Strasburg, and Scott Pinkerton The Challenge The Internet is an integral part of daily

More information

McAfee Security Architectures for the Public Sector

McAfee Security Architectures for the Public Sector White Paper McAfee Security Architectures for the Public Sector End-User Device Security Framework Table of Contents Business Value 3 Agility 3 Assurance 3 Cost reduction 4 Trust 4 Technology Value 4 Speed

More information

Detecting Anomalous Behavior with the Business Data Lake. Reference Architecture and Enterprise Approaches.

Detecting Anomalous Behavior with the Business Data Lake. Reference Architecture and Enterprise Approaches. Detecting Anomalous Behavior with the Business Data Lake Reference Architecture and Enterprise Approaches. 2 Detecting Anomalous Behavior with the Business Data Lake Pivotal the way we see it Reference

More information

Symantec Global Intelligence Network 2.0 Architecture: Staying Ahead of the Evolving Threat Landscape

Symantec Global Intelligence Network 2.0 Architecture: Staying Ahead of the Evolving Threat Landscape WHITE PAPER: SYMANTEC GLOBAL INTELLIGENCE NETWORK 2.0.... ARCHITECTURE.................................... Symantec Global Intelligence Network 2.0 Architecture: Staying Ahead of the Evolving Threat Who

More information

Securing and protecting the organization s most sensitive data

Securing and protecting the organization s most sensitive data Securing and protecting the organization s most sensitive data A comprehensive solution using IBM InfoSphere Guardium Data Activity Monitoring and InfoSphere Guardium Data Encryption to provide layered

More information

End-user Security Analytics Strengthens Protection with ArcSight

End-user Security Analytics Strengthens Protection with ArcSight Case Study for XY Bank End-user Security Analytics Strengthens Protection with ArcSight INTRODUCTION Detect and respond to advanced persistent threats (APT) in real-time with Nexthink End-user Security

More information

Data processing goes big

Data processing goes big Test report: Integration Big Data Edition Data processing goes big Dr. Götz Güttich Integration is a powerful set of tools to access, transform, move and synchronize data. With more than 450 connectors,

More information

Service Definition Document

Service Definition Document Service Definition Document QinetiQ Secure Cloud Protective Monitoring Service (AWARE) QinetiQ Secure Cloud Protective Monitoring Service (DETER) Secure Multi-Tenant Protective Monitoring Service (AWARE)

More information

Cisco Cyber Threat Defense Solution: Delivering Visibility into Stealthy, Advanced Network Threats

Cisco Cyber Threat Defense Solution: Delivering Visibility into Stealthy, Advanced Network Threats Solution Overview Cisco Cyber Threat Defense Solution: Delivering Visibility into Stealthy, Advanced Network Threats What You Will Learn The network security threat landscape is ever-evolving. But always

More information

WAN security threat landscape and best mitigation practices. Rex Stover Vice President, Americas, Enterprise & ICP Sales

WAN security threat landscape and best mitigation practices. Rex Stover Vice President, Americas, Enterprise & ICP Sales WAN security threat landscape and best mitigation practices. Rex Stover Vice President, Americas, Enterprise & ICP Sales The Cost of Cybercrime Sony $171m PlayStation 3 data breach (April 2011) $3 trillion

More information

A New Era of Cybersecurity Neil Mohammed, Sales Engineer

A New Era of Cybersecurity Neil Mohammed, Sales Engineer A New Era of Cybersecurity Neil Mohammed, Sales Engineer Copyright 2015 Raytheon Company. All rights reserved. R W Market Advantages Strong Financial Backing Accelerated Innovation Increased Breadth and

More information

A BUSINESS CASE FOR BEHAVIORAL ANALYTICS. White Paper

A BUSINESS CASE FOR BEHAVIORAL ANALYTICS. White Paper A BUSINESS CASE FOR BEHAVIORAL ANALYTICS White Paper Introduction What is Behavioral 1 In a world in which web applications and websites are becoming ever more diverse and complicated, running them effectively

More information

IBM QRadar as a Service

IBM QRadar as a Service Government Efficiency through Innovative Reform IBM QRadar as a Service Service Definition Copyright IBM Corporation 2014 Table of Contents IBM Cloud Overview... 2 IBM/Sentinel PaaS... 2 QRadar... 2 Major

More information

How to Develop a Log Management Strategy

How to Develop a Log Management Strategy Information Security Services Log Management: How to develop the right strategy for business and compliance The purpose of this whitepaper is to provide the reader with guidance on developing a strategic

More information

EnCase Analytics Product Overview

EnCase Analytics Product Overview GUIDANCE SOFTWARE EnCase Analytics EnCase Analytics Product Overview Security Intelligence through Endpoint Analytics GUIDANCE SOFTWARE EnCase Analytics EnCase Analytics Key Benefits Find unknown and undiscovered

More information

Vistara Lifecycle Management

Vistara Lifecycle Management Vistara Lifecycle Management Solution Brief Unify IT Operations Enterprise IT is complex. Today, IT infrastructure spans the physical, the virtual and applications, and crosses public, private and hybrid

More information

Security Analytics for Smart Grid

Security Analytics for Smart Grid Security Analytics for Smart Grid Dr. Robert W. Griffin Chief Security Architect RSA, the Security Division of EMC robert.griffin@rsa.com blogs.rsa.com/author/griffin @RobtWesGriffin 1 No Shortage of Hard

More information

idata Improving Defences Against Targeted Attack

idata Improving Defences Against Targeted Attack idata Improving Defences Against Targeted Attack Summary JULY 2014 Disclaimer: Reference to any specific commercial product, process or service by trade name, trademark, manufacturer, or otherwise, does

More information

Sorting out SIEM strategy Five step guide to full security information visibility and controlled threat management

Sorting out SIEM strategy Five step guide to full security information visibility and controlled threat management Sorting out SIEM strategy Five step guide to full security information visibility and controlled threat management This guide will show you how a properly implemented and managed SIEM solution can solve

More information

IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE

IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE Solution Brief SUMMARY New security threats demand a new approach to security management. Security teams need a security analytics architecture that can handle

More information

A New Perspective on Protecting Critical Networks from Attack:

A New Perspective on Protecting Critical Networks from Attack: Whitepaper A New Perspective on Protecting Critical Networks from Attack: Why the DoD Uses Advanced Network-traffic Analytics to Secure its Network 2014: A Year of Mega Breaches A Ponemon Study published

More information

White Paper. Time for Integrated vs. Bolted-on IT Security. Cyphort Platform Architecture: Modular, Open and Flexible

White Paper. Time for Integrated vs. Bolted-on IT Security. Cyphort Platform Architecture: Modular, Open and Flexible White Paper Time for Integrated vs. Bolted-on IT Security Cyphort Platform Architecture: Modular, Open and Flexible Overview This paper discusses prevalent market approaches to designing and architecting

More information

locuz.com Big Data Services

locuz.com Big Data Services locuz.com Big Data Services Big Data At Locuz, we help the enterprise move from being a data-limited to a data-driven one, thereby enabling smarter, faster decisions that result in better business outcome.

More information

Company Overview. Enterprise Cloud Solutions

Company Overview. Enterprise Cloud Solutions 2016 Company Overview Enterprise Cloud Solutions ENTERPRISE CLOUD SOLUTIONS Unitas Global utilizes leading cloud technologies to optimize enterprise IT environments. By designing, deploying, and managing

More information

Eight Essential Elements for Effective Threat Intelligence Management May 2015

Eight Essential Elements for Effective Threat Intelligence Management May 2015 INTRODUCTION The most disruptive change to the IT security industry was ignited February 18, 2013 when a breach response company published the first research that pinned responsibility for Advanced Persistent

More information

Converged, Real-time Analytics Enabling Faster Decision Making and New Business Opportunities

Converged, Real-time Analytics Enabling Faster Decision Making and New Business Opportunities Technology Insight Paper Converged, Real-time Analytics Enabling Faster Decision Making and New Business Opportunities By John Webster February 2015 Enabling you to make the best technology decisions Enabling

More information

Hadoop in the Hybrid Cloud

Hadoop in the Hybrid Cloud Presented by Hortonworks and Microsoft Introduction An increasing number of enterprises are either currently using or are planning to use cloud deployment models to expand their IT infrastructure. Big

More information

IBM Security re-defines enterprise endpoint protection against advanced malware

IBM Security re-defines enterprise endpoint protection against advanced malware IBM Security re-defines enterprise endpoint protection against advanced malware Break the cyber attack chain to stop advanced persistent threats and targeted attacks Highlights IBM Security Trusteer Apex

More information

IBM QRadar Security Intelligence April 2013

IBM QRadar Security Intelligence April 2013 IBM QRadar Security Intelligence April 2013 1 2012 IBM Corporation Today s Challenges 2 Organizations Need an Intelligent View into Their Security Posture 3 What is Security Intelligence? Security Intelligence

More information

How To Handle Big Data With A Data Scientist

How To Handle Big Data With A Data Scientist III Big Data Technologies Today, new technologies make it possible to realize value from Big Data. Big data technologies can replace highly customized, expensive legacy systems with a standard solution

More information

I D C A N A L Y S T C O N N E C T I O N

I D C A N A L Y S T C O N N E C T I O N I D C A N A L Y S T C O N N E C T I O N Robert Westervelt Research Manager, Security Products T h e R o l e a nd Value of Continuous Security M o nitoring August 2015 Continuous security monitoring (CSM)

More information

Requirements When Considering a Next- Generation Firewall

Requirements When Considering a Next- Generation Firewall White Paper Requirements When Considering a Next- Generation Firewall What You Will Learn The checklist provided in this document details six must-have capabilities to look for when evaluating a nextgeneration

More information

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team Symantec Cyber Threat Analysis Program Symantec Cyber Threat Analysis Program Team White Paper: Symantec Security Intelligence Services Symantec Cyber Threat Analysis Program Contents Overview...............................................................................................

More information

you us MSSP are a Managed Security Service Provider looking to offer Advanced Malware Protection Services

you us MSSP are a Managed Security Service Provider looking to offer Advanced Malware Protection Services MSSP you us are a Managed Security Service Provider looking to offer Advanced Malware Protection Services Lastline is the only company with 10+ years of academic research focused on detecting advanced

More information

Boosting enterprise security with integrated log management

Boosting enterprise security with integrated log management IBM Software Thought Leadership White Paper May 2013 Boosting enterprise security with integrated log management Reduce security risks and improve compliance across diverse IT environments 2 Boosting enterprise

More information

BANKING ON CUSTOMER BEHAVIOR

BANKING ON CUSTOMER BEHAVIOR BANKING ON CUSTOMER BEHAVIOR How customer data analytics are helping banks grow revenue, improve products, and reduce risk In the face of changing economies and regulatory pressures, retail banks are looking

More information

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved. Cyber Security Automation of energy systems provides attack surfaces that previously did not exist Cyber attacks have matured from teenage hackers to organized crime to nation states Centralized control

More information

Defending Against Cyber Attacks with SessionLevel Network Security

Defending Against Cyber Attacks with SessionLevel Network Security Defending Against Cyber Attacks with SessionLevel Network Security May 2010 PAGE 1 PAGE 1 Executive Summary Threat actors are determinedly focused on the theft / exfiltration of protected or sensitive

More information

Protecting Your Organisation from Targeted Cyber Intrusion

Protecting Your Organisation from Targeted Cyber Intrusion Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology

More information

Advanced Threats: The New World Order

Advanced Threats: The New World Order Advanced Threats: The New World Order Gary Lau Technology Consulting Manager Greater China gary.lau@rsa.com 1 Agenda Change of Threat Landscape and Business Impact Case Sharing Korean Incidents EMC CIRC

More information

Redefining Incident Response

Redefining Incident Response Redefining Incident Response How to Close the Gap Between Cyber-Attack Identification and Remediation WHITE PAPER - How to Close the Gap Between Cyber-Attack Identification and Remediation 1 Table of Contents

More information

Endpoint Threat Detection without the Pain

Endpoint Threat Detection without the Pain WHITEPAPER Endpoint Threat Detection without the Pain Contents Motivated Adversaries, Too Many Alerts, Not Enough Actionable Information: Incident Response is Getting Harder... 1 A New Solution, with a

More information

Threat Intelligence Platforms: The New Essential Enterprise Software

Threat Intelligence Platforms: The New Essential Enterprise Software Gitomer-1 Threat Intelligence Platforms: The New Essential Enterprise Software Due to the ever-increasing volume of cyber attacks and regulatory pressures, there is a need for a new type of enterprise

More information

Capitalize on Big Data for Competitive Advantage with Bedrock TM, an integrated Management Platform for Hadoop Data Lakes

Capitalize on Big Data for Competitive Advantage with Bedrock TM, an integrated Management Platform for Hadoop Data Lakes Capitalize on Big Data for Competitive Advantage with Bedrock TM, an integrated Management Platform for Hadoop Data Lakes Highly competitive enterprises are increasingly finding ways to maximize and accelerate

More information

Beyond passwords: Protect the mobile enterprise with smarter security solutions

Beyond passwords: Protect the mobile enterprise with smarter security solutions IBM Software Thought Leadership White Paper September 2013 Beyond passwords: Protect the mobile enterprise with smarter security solutions Prevent fraud and improve the user experience with an adaptive

More information

August 2011. Investigating an Insider Threat. A Sensage TechNote highlighting the essential workflow involved in a potential insider breach

August 2011. Investigating an Insider Threat. A Sensage TechNote highlighting the essential workflow involved in a potential insider breach August 2011 A Sensage TechNote highlighting the essential workflow involved in a potential insider breach Table of Contents Executive Summary... 1... 1 What Just Happened?... 2 What did that user account

More information

A Vision for Operational Analytics as the Enabler for Business Focused Hybrid Cloud Operations

A Vision for Operational Analytics as the Enabler for Business Focused Hybrid Cloud Operations A Vision for Operational Analytics as the Enabler for Focused Hybrid Cloud Operations As infrastructure and applications have evolved from legacy to modern technologies with the evolution of Hybrid Cloud

More information

AccelOps NOC and SOC Analytics in a Single Pane of Glass Date: March 2016 Author: Tony Palmer, Senior ESG Lab Analyst

AccelOps NOC and SOC Analytics in a Single Pane of Glass Date: March 2016 Author: Tony Palmer, Senior ESG Lab Analyst ESG Lab Spotlight AccelOps NOC and SOC Analytics in a Single Pane of Glass Date: March 2016 Author: Tony Palmer, Senior ESG Lab Analyst Abstract: This ESG Lab Spotlight details ESG s hands-on testing of

More information

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to

More information

INTRODUCING isheriff CLOUD SECURITY

INTRODUCING isheriff CLOUD SECURITY INTRODUCING isheriff CLOUD SECURITY isheriff s cloud-based, multi-layered, threat protection service is the simplest and most cost effective way to protect your organization s data and devices from cyber-threats.

More information

Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model

Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model Stéphane Hurtaud Partner Governance Risk & Compliance Deloitte Laurent De La Vaissière Director Governance Risk & Compliance

More information

Using SIEM for Real- Time Threat Detection

Using SIEM for Real- Time Threat Detection Using SIEM for Real- Time Threat Detection Presentation to ISSA Baltimore See and secure what matters Joe Magee CTO and Co-Founder March, 27 2013 About us Vigilant helps clients build and operate dynamic,

More information

Symantec Advanced Threat Protection: Network

Symantec Advanced Threat Protection: Network Symantec Advanced Threat Protection: Network Data Sheet: Advanced Threat Protection The Problem Today s advanced attacks hide themselves on legitimate websites, leverage new and unknown vulnerabilities,

More information

D. Grzetich 6/26/2013. The Problem We Face Today

D. Grzetich 6/26/2013. The Problem We Face Today Ideas on Using Asset Criticality Inference (ACI) Through Gathering and Processing of Asset Contextual Utilizing Analytical Models and Processing Rules D. Grzetich 6/26/2013 The Problem We Face Today Security

More information

Big Data Architectures: Concerns and Strategies for Cyber Security

Big Data Architectures: Concerns and Strategies for Cyber Security Big Data Architectures: Concerns and Strategies for Cyber Security David Blockow Software Architect, Data to Decisions CRC david.blockow@d2dcrc.com.au au.linkedin.com/in/davidblockow Executive summary.

More information

Mucho Big Data y La Seguridad para cuándo?

Mucho Big Data y La Seguridad para cuándo? Mucho Big Data y La Seguridad para cuándo? Juan Carlos Vázquez Sales Systems Engineer, LTAM mayo 9, 2013 Agenda Business Drivers Big Security Data GTI Integration SIEM Architecture & Offering Why McAfee

More information

WHITE PAPER Cloud-Based, Automated Breach Detection. The Seculert Platform

WHITE PAPER Cloud-Based, Automated Breach Detection. The Seculert Platform WHITE PAPER Cloud-Based, Automated Breach Detection The Seculert Platform Table of Contents Introduction 3 Automatic Traffic Log Analysis 4 Elastic Sandbox 5 Botnet Interception 7 Speed and Precision 9

More information

Data Sheet: Endpoint Security Symantec Protection Suite Enterprise Edition Trusted protection for endpoints and messaging environments

Data Sheet: Endpoint Security Symantec Protection Suite Enterprise Edition Trusted protection for endpoints and messaging environments Trusted protection for endpoints and messaging environments Overview Symantec Protection Suite Enterprise Edition creates a protected endpoint and messaging environment that is secure against today s complex

More information