Security Analytics for Smart Grid

Transcription

1 Security Analytics for Smart Grid Dr. Robert W. Griffin Chief Security Architect RSA, the Security Division of EMC 1

2 No Shortage of Hard Security Challenges Mobile Cloud Big Extended Workforce Networked Value Chains APTs Sophisticated Fraud Infrastructure Transformation Business Transformation Threat Landscape Transformation Less control over access device and back-end infrastructure More hyper-extended, more digital Fundamentally different tactics, more formidable than ever 2

3 Emergence of New Attackers Petty criminals Organized crime Criminals Unsophisticated Organized, sophisticated supply chains (PII, financial services, retail) Nation state actors PII, government, defense industrial base, IP rich organizations Terrorists Anti-establishment vigilantes Non-state actors PII, Government, critical infrastructure Hacktivists Targets of opportunity 3

4 Targeted Attacks 1 TARGETED SPECIFIC OBJECTIVE 2 STEALTHY 3 INTERACTIVE LOW AND SLOW HUMAN INVOLVEMENT System Intrusion Attack Begins Cover-Up Discovery Leap Frog Attacks Cover-Up Complete TIME Dwell Time Response Time Attack Identified Response 1 Decrease Dwell Time 2 Speed Response Time 4

5 Intelligence is the Game Changer 5

6 Security Analytics Use Cases Distributed Collection Capture Time Enrichment Incident Response PACKETS LOGS PARSING & METADATA TAGGING PACKET METADATA LOG METADATA Reporting & Alerting Investigation & Forensics Intelligence Feeds Compliance Malware Analysis Endpoint Visibility & Analysis Additional Business & IT Context Threat Intelligence Rules Parsers Alerts Feeds Apps Directory Services Reports & Custom Actions 6

7 Network Security Use Case (capture) Distributed Collection Capture Time Enrichment Incident Response PARSING & METADATA TAGGING PACKETS PACKET METADATA Reporting & Alerting Investigation & Forensics Compliance Malware Analysis Endpoint Visibility & Analysis Optional Intelligence Feeds Additional Business & IT Context Threat Intelligence Rules Parsers Alerts Feeds Apps Directory Services Reports & Custom Actions 7

8 Incident Detection Use Case (streaming) Distributed Collection Capture Time Enrichment Incident Response PARSING & METADATA TAGGING LOGS LOG METADATA Reporting & Alerting Investigation & Forensics Compliance Malware Analysis Endpoint Visibility & Analysis Intelligence Feeds Additional Business & IT Context Threat Intelligence Rules Parsers Alerts Feeds Apps Directory Services Reports & Custom Actions 8

9 Advanced Analysis Use Case (historical) Distributed Collection Capture Time Enrichment Incident Response PARSING & METADATA TAGGING PACKETS LOGS PACKET METADATA LOG METADATA Reporting & Alerting Investigation & Forensics Intelligence Feeds Compliance Malware Analysis Endpoint Visibility & Analysis Additional Business & IT Context Threat Intelligence Rules Parsers Alerts Feeds Apps Directory Services Reports & Custom Actions 9

10 Archived Storage Analysis Use Case (historical) Distributed Collection Capture Time Enrichment Incident Response PACKETS LOGS PARSING & METADATA TAGGING PACKET METADATA LOG METADATA Reporting & Alerting Investigation & Forensics Intelligence Feeds Compliance Malware Analysis Endpoint Visibility & Analysis Additional Business & IT Context Threat Intelligence Rules Parsers Alerts Feeds Apps Directory Services Reports & Custom Actions 10

11 Anomalous Behavior Detection Differentiating Cyber Criminals from Online Customers Velocity Page Sequence Origin Contextual Information Homepage Sign-in My Account Add Bill Payee Bill Pay Home Select Bill Payee Enter Pay Amount Submit Checking Account View Checking 11

12 Compromised Host Investigation Find compromised Server or Workstation acting as SPAM host Multiple outbound SMTP connections from workstation. Multiple internet DNS connections from workstation Find out how the workstation got infected User clicked on the link and got infected by Trojan from drive-by download Recreate phishing message Determine whether targeted phishing attack at play 3 Analyze malware Determine whether targeted or vanilla malware in use 12

13 Applying Security Analytics Readiness, Response & Resilience (R3) Controls Visibility Context A/V IDS/IPS Firewall/VPN Proxy SIEM Log Alerts Single UI Incident Management & Reporting Business Context Line of Business Owner Policy DLP DLP Alerts Risk Context Assessments Criticality Vulnerability Packets Host File Signature less Alerts Threat Context Subscriptions Community Open Source Device Administration Security Architecture Team Workflow & Automation, Rules, Alerts & Reports Content Intelligence Level 1 Triage Level 2 Triage Analytic Intelligence Level 3 Triage Threat Triage Threat Intelligence Warehouse & Ticketing System IT Team Expertise 13

14 Questions for Discussion Are the concerns regarding changes in threat landscape, information technology and business models relevant and significant? Are there use cases for security analytic for Smart Grid that would be a good place to start or particularly important? If you do security analytics currently, what information sources do you use to inform your security analyses? Security and safety analysis are closely related. Do you perform safety-related analysis currently? What is the main challenge SPARKS should address in the area of security analytics? Are there issues that you see in terms of applying security analytics to Smart Grid? 14

15 Thank You 15

16 Additional Questions for Discussion How much data does your smart-grid generate on average daily? How much of this data do you analyze? What is the most important device in terms of security in your smart grid network? What are the procedures that you use to check that it is properly working? 16