Cognitive and Organizational Challenges of Big Data in Cyber Defense

Size: px
Start display at page:

Download "Cognitive and Organizational Challenges of Big Data in Cyber Defense"

Transcription

1 Cognitive and Organizational Challenges of Big Data in Cyber Defense Nathan Bos & John Gersh Johns Hopkins University Applied Laboratory The cognitive and organizational challenges associated with Big Data have not received much research attention. We have begun an interview study of analysts who work in the computer network (cyber) defense (CND) area and have experienced changes in data scale affecting their analytical work. We used a qualitative inquiry method, starting with relatively open-ended questions. Our interview protocol also asked analysts to describe critical incidents related to data use, and probed for previously-identified cognitive biases that may affect analysis in this domain. What does Big Data mean in CND? In an important sense, data size has not changed for CND analysts: they ve always had more than they can handle. This is the cognitive equivalent of an aspect of computer scientists original concept of big data: data too big to be memory-resident (Cox & Ellsworth, 1997). Raw data in CND can t fit in analysts long-term memory (let alone working memory!). Analysis has always required cognitive artifacts (Norman, 1992) to deal with their data. While one could start with words on paper, we could consider the (computer) spreadsheet as the ur-artifact in this domain. CND analysts still use spreadsheets in some cases to handle log entries from computers or defensive systems like intrusion-detection systems (IDSs). Today analysts cognitive artifacts are much more capable at accessing, correlating and presenting data. Nonetheless, the presentation may still rely on lists of events and objects. These artifacts have always played the same role: providing a representation that reduces the size and complexity of data to something that human cognition can handle. As a result, analysts view of data, and more importantly, their view of the world they re trying to understand are defined by the tools they use. The cyber defense domain has particular attributes that affect the relationship between analysts and their data: important data-driven decisions must be made in real time or near-real time. The domain is non-physical; almost all thinking is about abstractions. Information requirements and sensor development are driven by external actors: their capabilities, tactics, and strategies. This leads to a cycle of growth in data size: New threat capabilities and strategies New defensive strategy More and more diverse sensors with more, faster, and more diverse data More complex

2 technology to handle new kinds of and bigger data New threat capabilities in response Methods We present some initial findings based on N=6 analysts representing multiple organizations. Our qualitative analysis involves identifying common challenge themes and coding interview notes. We use the common Big Data dimensions of Volume, Variety and Velocity as both a way to structure interview questions and a tag for responses. We found, though, that analysts think more in terms of the challenge themes than in those data dimensions. The dimensions utility lies more in understanding how data size may affect of analysts thinking than in characterizing how analysts view their domain. We additionally coded issues as to whether they were primarily Technological, Cognitive or Organizational challenges. (Second level coding categories are not represented in this abstract.) Challenge Theme Type of issues Big Data dimension Challenge Cognitive Technological Organizational Volume Velocity Variety Tools and Automation Archiving Monitoring alerts Cognitive bias: WYSIATI Cognitive bias: Judgments of risk Pace of work Increasing coordination costs Tools and Automation Characteristics of the CND domain, its data, and the technology analysts use come together to raise complex challenges to analysts use of data to understand what s happening in their networks. In the past, threats were seen as intrusions, attempts to break through a defensive perimeter; IDSs issued alerts on attempts, and anti-virus software issued alerts on malware observed on computers. Data were seen as events with attributes happening on an individual computer. For a network, data also include packets, objects with attributes. These alerts were seen as high-level data (events); packets (objects) and, in some cases, log entries were seen as the raw data that generated them. Evolving threats have added complexity to the situation. Advanced persistent threats (APTs) represent an adversary s long-term presence in computers or other devices on a network through a variety of means. From that presence the adversary attempts to extract valuable information and exfiltrate it. Threat activity extends over time and involves coordinated action among many pieces of hidden software. Nevertheless, analysts can

3 still view their data as a collection of events and objects. These events and objects, however, are now represented at a higher level of abstraction. Examples might be malware-exfiltrating-a-file, or a-command-and-control-message. Each of these is evidenced by a collection of lower-level events like log entries or packets. This is the sense in which analysts data size has not changed: they still deal with all the alerts and objects that they can handle. Now, though, analysts tools present them with alerts and objects that are more distant from the data. Here distance refers to their cognitive artifacts, representational distance from what was previously considered as fundamental data. (This distance is also relative to the current technology. Distance from data really means distance from what we formerly saw as the raw data for our analysis. Even in the past, for example, analysts were becoming distant from the individual bits making up a packet.) Senior analysts refer to this distance in terms of novice analysts lack of understanding of what alerts really mean: the specific kinds of lower-level events that generate them and their significance for the network and for the organizational mission. Similar concerns apply to forensic analyses. Even with more time to investigate a problem, they feel that novices may not have the skill to drill down from more abstract data to more concrete and then understand the data s connections and implications. These issues are exacerbated by an increase in variety of the underlying sensor data and the complexity of relationships among different kinds of data. (We found that variety and its concomitant complexity were the most challenging data dimension for analysts work. Dealing with this variety (as well as data volume and velocity) has required automation of increased complexity and span of action. For example, automation in an IDS involves the recognition of a particular set of attributes (signature) in a sequence of packets. Automation for dealing with APTs may require correlation among several kinds of data appearing in a particular sequence over an extended period of time. This evolution of automation brings with it the potential for changes in analysts roles and for operational errors that have been observed in using automation in other domains, for example in aviation or health care (Parasuraman & Wickens, 2008). Careful design of analysts tools can help to prevent such errors (Norman, 1990) Automated detection of (and perhaps response to) significant CND events has tended to put analysts into a supervisory role over the automation, which can be a significant change for them and their organizations. Analysts referred to a new rule-writing skill requirement. In addition to responding to alerts or analyzing situations, some analysts must now define rules for correlating complex sets of data and for alerting to complicated situations. Developing the skill needed formalize one s understanding of situations from data sets and the place of skilled rule-writers in organizations are new issues facing CND teams. In other cases rules may be invisible to analysts because they re inaccessibly embedded in commercial tools, which may constrain analyst s supervisory role. (Analysts may become distant from their analytics as well as from their data.) Various conceptual models have been developed for thinking about cognition in the supervisory control of dynamic systems. Concepts from such models include (among others) users comparing rules actions to expected outcomes (Hamill & Gersh, 1992) and the role in joint (human-system) cognitive systems of an artificial construct of knowledge

4 about the world (Hollnagel & Woods, 2005). Such concepts from other domains may prove useful in building similar models for analysts interactions with big data. Archiving When asked about challenges of data volume, most analysts we talked to first volunteered information related to archiving. For example, despite ever-cheaper storage, it is not considered cost effective to store full-packet data for very long. Different kinds of data and metadata are archived for different lengths of time. Organizations set archiving policies for different data types, with implications for what kinds of investigations can be conducted in the future. Monitoring alerts First-tier monitoring tasks are often based on automated alerts generated by monitoring tools. Increases in network traffic contribute to sometimes-overwhelming numbers of alerts. Analysts use experience and intuition to make risk judgments about alerts and decide which require further investigation. Changes in data volume and velocity require constant adaption in these judgments, (e.g. when a type of alert previously judged worthy of investigation becomes 100x more prevalent) which presents challenges for both novice and experienced analysts. Cognitive bias: WYSIATI Psychologist Daniel Kahneman describes a cognitive bias he calls What You See Is All There Is (Kahneman. 2011). This occurs when an analyst makes an implicit assumption that available data is complete, and may make incorrect inferences from absence of data (i.e. treating absence of evidence as evidence of absence). Logically, however, size of a dataset is not an indicator of completeness. Increasing data size may lead analysts to make more errors of this type. Cognitive bias: Judgments of risk Novice analysts tend to react to automated alerts as if each one represents a significant threat. They see the cyber world as an inherently dangerous, risky place. Judgments of probability and risk are the source of well-known biases (Kahneman, 2011).These biases can affect assessment of threat likelihood both in rapid response to alerts and in more deliberate investigation of incidents. Novice analysts tend to consider all alerts as representing real threats, considering the cyber domain as an inherently risky place, leading to more false alarm reports. More experienced analysts tend to think in terms of the explicit relationship between data from events and automated alert criteria and thresholds. They realize that these settings might produce many false alarms and react accordingly. Novices work to prove that each alert represents a threat; experts work to prove that it doesn t. This has been attributed to data size-driven distance from data and automation: novices don t have a clear picture of the relationships among events, data, and automation. The progression from novice to expert may be described as movement along a human-system receiver operating characteristic (ROC) curve (Sorkin & Woods, 1985)

5 Pace of work Increasing velocity of data corresponds to increasing rate of data collection. However, analysts report that the pace of work expected is dictated by the organization, not the data. Organizations respond to increased variety by expanding staff, changing analytical priorities, and when possible, adopting new tools. In response to increased volume, organizations often deprioritized certain types of attacks (e.g. nuisance software) and devote less time to open-ended exploration of the data. In the words of one analyst, I used to spend more time hunting. Increasing coordination costs The easiest way to scale up is to recruit more novice analysts and put them to work at Tier 1 analytical work of monitoring traffic and triaging alerts. Expanding organizations incurs well-understood increases in levels of management, training costs, and coordination costs between analysts, across shifts and specializations. Coordination also increases the value of standardized notation and procedures, which are not always present in the relatively new field of cyber-defense. References Cox, M., & Ellsworth, D. (1997). Managing big data for scientific visualization. ACM Siggraph: International Conference on Computer Graphics and Interactive Techniques. Hamill, B. W., & Gersh, J. R. (1992). Decision-making performance in rule-based supervisory control: Empirical development of a cognitive process model. Presented at the Joint Directors of Laboratories Basic Research Group Symposium on C2 Research. Hollnagel, E., & Woods, D. D. (2005). Joint cognitive systems: Foundations of Cognitive Systems Engineering. Boca Raton, FL: Taylor and Francis. Kahneman, D. (2011). Thinking Fast and Slow. New York NY, Farrar, Straus, and Giroux. Norman, D. A. (1990). The 'Problem' with Automation: Inappropriate Feedback and Interaction, not Over-Automation. Philosophical Transactions of the Royal Society of London. Series B Biological Sciences, 327(1241), Norman, D. A. (1992). Design principles for cognitive artifacts. Research in Engineering Design, 4(1), Parasuraman, R., & Wickens, C. D. (2008). Humans: Still vital after all these years of automation. Human Factors, 50(3), Sorkin, R., & Woods, D. D. (1985). Systems with human monitors: A signal detection analysis. Human-Computer Interaction, 1(1),

The SIEM Evaluator s Guide

The SIEM Evaluator s Guide Using SIEM for Compliance, Threat Management, & Incident Response Security information and event management (SIEM) tools are designed to collect, store, analyze, and report on log data for threat detection,

More information

DRIVE-BY DOWNLOAD WHAT IS DRIVE-BY DOWNLOAD? A Typical Attack Scenario

DRIVE-BY DOWNLOAD WHAT IS DRIVE-BY DOWNLOAD? A Typical Attack Scenario DRIVE-BY DOWNLOAD WHAT IS DRIVE-BY DOWNLOAD? Drive-by Downloads are a common technique used by attackers to silently install malware on a victim s computer. Once a target website has been weaponized with

More information

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES Leonard Levy PricewaterhouseCoopers LLP Session ID: SEC-W03 Session Classification: Intermediate Agenda The opportunity Assuming

More information

Security Visualization Past, Present, Future

Security Visualization Past, Present, Future Security Visualization Past, Present, Future Greg Conti West Point @cyberbgone http://dl.acm.org/citation.cfm?id=2671501 http://link.springer.com/chapter/10.1007%2f978-3-540-85933-8_11 http://images.cdn.stuff.tv/sites/stuff.tv/files/styles/big-image/public/25-best-hacker-movies-ever-the-matrix.jpg?itok=kiwtknw1

More information

Situational Awareness Through Network Visualization

Situational Awareness Through Network Visualization CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP Situational Awareness Through Network Visualization Pacific Northwest National Laboratory Daniel M. Best Bryan Olsen 11/25/2014 Introduction

More information

THE EVOLUTION OF SIEM

THE EVOLUTION OF SIEM THE EVOLUTION OF SIEM WHY IT IS CRITICAL TO MOVE BEYOND LOGS Despite increasing investments in security, breaches are still occurring at an alarming rate. 43% Traditional SIEMs have not evolved to meet

More information

Advanced Threats: The New World Order

Advanced Threats: The New World Order Advanced Threats: The New World Order Gary Lau Technology Consulting Manager Greater China gary.lau@rsa.com 1 Agenda Change of Threat Landscape and Business Impact Case Sharing Korean Incidents EMC CIRC

More information

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved. Cyber Security Automation of energy systems provides attack surfaces that previously did not exist Cyber attacks have matured from teenage hackers to organized crime to nation states Centralized control

More information

INTRUSION PREVENTION AND EXPERT SYSTEMS

INTRUSION PREVENTION AND EXPERT SYSTEMS INTRUSION PREVENTION AND EXPERT SYSTEMS By Avi Chesla avic@v-secure.com Introduction Over the past few years, the market has developed new expectations from the security industry, especially from the intrusion

More information

Full-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform

Full-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform Full-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform Solution Brief Full-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform Finding

More information

Rethinking Information Security for Advanced Threats. CEB Information Risk Leadership Council

Rethinking Information Security for Advanced Threats. CEB Information Risk Leadership Council Rethinking Information Security for Advanced Threats CEB Information Risk Leadership Council Advanced threats differ from conventional security threats along many dimensions, making them much more difficult

More information

SIEM is only as good as the data it consumes

SIEM is only as good as the data it consumes SIEM is only as good as the data it consumes Key Themes The traditional Kill Chain model needs to be updated due to the new cyber landscape A new Kill Chain for detection of The Insider Threat needs to

More information

Cyber Watch. Written by Peter Buxbaum

Cyber Watch. Written by Peter Buxbaum Cyber Watch Written by Peter Buxbaum Security is a challenge for every agency, said Stanley Tyliszczak, vice president for technology integration at General Dynamics Information Technology. There needs

More information

Security Analytics for Smart Grid

Security Analytics for Smart Grid Security Analytics for Smart Grid Dr. Robert W. Griffin Chief Security Architect RSA, the Security Division of EMC robert.griffin@rsa.com blogs.rsa.com/author/griffin @RobtWesGriffin 1 No Shortage of Hard

More information

U.S. Army Research, Development and Engineering Command. Cyber Security CRA Overview

U.S. Army Research, Development and Engineering Command. Cyber Security CRA Overview U.S. Army Research, Development and Engineering Command Cyber Security CRA Overview Dr. Ananthram Swami, ST Network Science 18FEB 2014 Cyber Security Collaborative Research Alliance A Collaborative Venture

More information

IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE

IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE Solution Brief SUMMARY New security threats demand a new approach to security management. Security teams need a security analytics architecture that can handle

More information

A New Perspective on Protecting Critical Networks from Attack:

A New Perspective on Protecting Critical Networks from Attack: Whitepaper A New Perspective on Protecting Critical Networks from Attack: Why the DoD Uses Advanced Network-traffic Analytics to Secure its Network 2014: A Year of Mega Breaches A Ponemon Study published

More information

Cyber and Operational Solutions for a Connected Industrial Era

Cyber and Operational Solutions for a Connected Industrial Era Cyber and Operational Solutions for a Connected Industrial Era OPERATIONAL & SECURITY CHALLENGES IN A HYPER-CONNECTED INDUSTRIAL WORLD In face of increasing operational challenges and cyber threats, and

More information

Machine-to-Machine Exchange of Cyber Threat Information: a Key to Mature Cyber Defense

Machine-to-Machine Exchange of Cyber Threat Information: a Key to Mature Cyber Defense Machine-to-Machine Exchange of Cyber Threat Information: a Key to Mature Cyber Defense By: Daniel Harkness, Chris Strasburg, and Scott Pinkerton The Challenge The Internet is an integral part of daily

More information

Endpoint Threat Detection without the Pain

Endpoint Threat Detection without the Pain WHITEPAPER Endpoint Threat Detection without the Pain Contents Motivated Adversaries, Too Many Alerts, Not Enough Actionable Information: Incident Response is Getting Harder... 1 A New Solution, with a

More information

Taxonomy of Intrusion Detection System

Taxonomy of Intrusion Detection System Taxonomy of Intrusion Detection System Monika Sharma, Sumit Sharma Abstract During the past years, security of computer networks has become main stream in most of everyone's lives. Nowadays as the use

More information

Advanced Threat Protection with Dell SecureWorks Security Services

Advanced Threat Protection with Dell SecureWorks Security Services Advanced Threat Protection with Dell SecureWorks Security Services Table of Contents Summary... 2 What are Advanced Threats?... 3 How do advanced threat actors operate?... 3 Addressing the Threat... 5

More information

SECURITY MEETS BIG DATA. Achieve Effectiveness And Efficiency. Copyright 2012 EMC Corporation. All rights reserved.

SECURITY MEETS BIG DATA. Achieve Effectiveness And Efficiency. Copyright 2012 EMC Corporation. All rights reserved. SECURITY MEETS BIG DATA Achieve Effectiveness And Efficiency 1 IN 2010 THE DIGITAL UNIVERSE WAS 1.2 ZETTABYTES 1,000,000,000,000,000,000,000 Zetta Exa Peta Tera Giga Mega Kilo Byte Source: 2010 IDC Digital

More information

Bio-inspired cyber security for your enterprise

Bio-inspired cyber security for your enterprise Bio-inspired cyber security for your enterprise Delivering global protection Perception is a network security service that protects your organisation from threats that existing security solutions can t

More information

Data Driven Security Framework to Success

Data Driven Security Framework to Success Data Driven Security Framework to Success Presented by Leonard Jacobs, MBA, CISSP, CSSA Founder, President and CEO of Netsecuris Inc. 1 Topics The Explosion of Security Data Threat-centric Security vs.

More information

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team Symantec Cyber Threat Analysis Program Symantec Cyber Threat Analysis Program Team White Paper: Symantec Security Intelligence Services Symantec Cyber Threat Analysis Program Contents Overview...............................................................................................

More information

BREAKING THE KILL CHAIN AN EARLY WARNING SYSTEM FOR ADVANCED THREAT

BREAKING THE KILL CHAIN AN EARLY WARNING SYSTEM FOR ADVANCED THREAT BREAKING THE KILL CHAIN AN EARLY WARNING SYSTEM FOR ADVANCED THREAT Rashmi Knowles RSA, The Security Division of EMC Session ID: Session Classification: SPO-W07 Intermediate APT1 maintained access to

More information

Cisco Cyber Threat Defense - Visibility and Network Prevention

Cisco Cyber Threat Defense - Visibility and Network Prevention White Paper Advanced Threat Detection: Gain Network Visibility and Stop Malware What You Will Learn The Cisco Cyber Threat Defense (CTD) solution brings visibility to all the points of your extended network,

More information

TIBCO Cyber Security Platform. Atif Chaughtai

TIBCO Cyber Security Platform. Atif Chaughtai TIBCO Cyber Security Platform Atif Chaughtai 2 TABLE OF CONTENTS 1 Introduction/Background... 3 2 Current Challenges... 3 3 Solution...4 4 CONCLUSION...6 5 A Case in Point: The US Intelligence Community...7

More information

Cyber Situational Awareness for Enterprise Security

Cyber Situational Awareness for Enterprise Security Cyber Situational Awareness for Enterprise Security Tzvi Kasten AVP, Business Development Biju Varghese Director, Engineering Sudhir Garg Technical Architect The security world is changing as the nature

More information

PALANTIR CYBER An End-to-End Cyber Intelligence Platform for Analysis & Knowledge Management

PALANTIR CYBER An End-to-End Cyber Intelligence Platform for Analysis & Knowledge Management PALANTIR CYBER An End-to-End Cyber Intelligence Platform for Analysis & Knowledge Management INTRODUCTION Traditional perimeter defense solutions fail against sophisticated adversaries who target their

More information

RETHINKING CYBER SECURITY

RETHINKING CYBER SECURITY RETHINKING CYBER SECURITY Introduction Advanced Persistent Threats (APTs) and advanced malware have been plaguing IT professionals for over a decade. During that time, the traditional cyber security vendor

More information

Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks

Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks Dale Peterson Director, Network Security Practice Digital Bond, Inc. 1580 Sawgrass Corporate Parkway, Suite 130 Sunrise, FL 33323

More information

A Framework for Effective Alert Visualization. SecureWorks 11 Executive Park Dr Atlanta, GA 30329 {ubanerjee, jramsey}@secureworks.

A Framework for Effective Alert Visualization. SecureWorks 11 Executive Park Dr Atlanta, GA 30329 {ubanerjee, jramsey}@secureworks. A Framework for Effective Alert Visualization Uday Banerjee Jon Ramsey SecureWorks 11 Executive Park Dr Atlanta, GA 30329 {ubanerjee, jramsey}@secureworks.com Abstract Any organization/department that

More information

GETTING MORE FOR LESS AS LOG MANAGEMENT AND SIEM CONVERGE

GETTING MORE FOR LESS AS LOG MANAGEMENT AND SIEM CONVERGE GETTING MORE FOR LESS AS LOG MANAGEMENT AND SIEM CONVERGE AN IANS INTERACTIVE PHONE CONFERENCE FEBRUARY 11, 2009 CHRIS PETERSON, CTO, FOUNDER, LOGRHYTHM NICK SELBY, IANS FACULTY SUMMARY OF FINDINGS Underwritten

More information

RETHINKING CYBER SECURITY

RETHINKING CYBER SECURITY RETHINKING CYBER SECURITY CHANGING THE BUSINESS CONVERSATION INTRODUCTION Advanced Persistent Threats (APTs) and advanced malware have been plaguing IT professionals for over a decade. During that time,

More information

White Paper. Intelligence Driven. Security Monitoring. v.2.1.1. nexusguard.com

White Paper. Intelligence Driven. Security Monitoring. v.2.1.1. nexusguard.com White Paper 1 Intelligence Driven Security Monitoring v.2.1.1 Overview In today s hypercompetitive business environment, companies have to make swift and decisive decisions. Making the right judgment call

More information

Using LYNXeon with NetFlow to Complete Your Cyber Security Picture

Using LYNXeon with NetFlow to Complete Your Cyber Security Picture Using LYNXeon with NetFlow to Complete Your Cyber Security Picture 21CT.COM Combine NetFlow traffic with other data sources and see more of your network, over a longer period of time. Introduction Many

More information

GETTING REAL ABOUT SECURITY MANAGEMENT AND "BIG DATA"

GETTING REAL ABOUT SECURITY MANAGEMENT AND BIG DATA GETTING REAL ABOUT SECURITY MANAGEMENT AND "BIG DATA" A Roadmap for "Big Data" in Security Analytics ESSENTIALS This paper examines: Escalating complexity of the security management environment, from threats

More information

Analytic and Predictive Modeling of Cyber Threat Entities J. Wesley Regian, Ph.D.

Analytic and Predictive Modeling of Cyber Threat Entities J. Wesley Regian, Ph.D. 18th Annual Space & Missile Defense Symposium IAMD Evolution and Integration/Key Topic: Predictive Cyber Threat Analysis Analytic and Predictive Modeling of Cyber Threat Entities J. Wesley Regian, Ph.D.

More information

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst ESG Brief Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst Abstract: APTs first came on the scene in 2010, creating a wave

More information

Combating a new generation of cybercriminal with in-depth security monitoring. 1 st Advanced Data Analysis Security Operation Center

Combating a new generation of cybercriminal with in-depth security monitoring. 1 st Advanced Data Analysis Security Operation Center Combating a new generation of cybercriminal with in-depth security monitoring 1 st Advanced Data Analysis Security Operation Center The Challenge Don t leave your systems unmonitored. It takes an average

More information

Getting Ahead of Advanced Threats

Getting Ahead of Advanced Threats Getting Ahead of Advanced Threats Advanced Security Solutions for Trusted IT Chezki Gil Territory Manager Israel & Greece 1 Threats are Evolving Rapidly Criminals Petty criminal s Unsophisticated Organized

More information

Intelligence Driven Security

Intelligence Driven Security Intelligence Driven Security RSA Advanced Cyber Defense Workshop Shane Harsch Senior Solutions Principal, RSA 1 Agenda Approach & Activities Operations Intelligence Infrastructure Reporting & Top Findings

More information

Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst

Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst ESG Brief Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst Abstract: Large organizations have spent millions of dollars on security

More information

The Cyber Threat Profiler

The Cyber Threat Profiler Whitepaper The Cyber Threat Profiler Good Intelligence is essential to efficient system protection INTRODUCTION As the world becomes more dependent on cyber connectivity, the volume of cyber attacks are

More information

1 2013 Solera Networks, A Blue Coat Company SOLERA NETWORKS BIG DATA SECURITY ANALYTICS

1 2013 Solera Networks, A Blue Coat Company SOLERA NETWORKS BIG DATA SECURITY ANALYTICS 1 2013 Solera Networks, A Blue Coat Company SOLERA NETWORKS BIG DATA SECURITY ANALYTICS $32.8B 100,000 Cyber Criminals State-Sponsored Spies Hactivists We live in a POST-PREVENTION Amount enterprises are

More information

Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection

Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection White Paper: Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection Prepared by: Northrop Grumman Corporation Information Systems Sector Cyber Solutions Division

More information

A New Approach to Assessing Advanced Threat Solutions

A New Approach to Assessing Advanced Threat Solutions A New Approach to Assessing Advanced Threat Solutions December 4, 2014 A New Approach to Assessing Advanced Threat Solutions How Well Does Your Advanced Threat Solution Work? The cyber threats facing enterprises

More information

Data Science Transforming Security Operations

Data Science Transforming Security Operations SESSION ID: STR-W03 Data Science Transforming Security Operations Alon Kaufman Ph.D. Director Data Science & Innovation RSA Agenda Transforming Security Operations with Data Science The Vision: Where we

More information

RAVEN, Network Security and Health for the Enterprise

RAVEN, Network Security and Health for the Enterprise RAVEN, Network Security and Health for the Enterprise The Promia RAVEN is a hardened Security Information and Event Management (SIEM) solution further providing network health, and interactive visualizations

More information

Sophisticated Indicators for the Modern Threat Landscape: An Introduction to OpenIOC

Sophisticated Indicators for the Modern Threat Landscape: An Introduction to OpenIOC WHITE PAPER Sophisticated Indicators for the Modern Threat Landscape: An Introduction to OpenIOC www.openioc.org OpenIOC 1 Table of Contents Introduction... 3 IOCs & OpenIOC... 4 IOC Functionality... 5

More information

THE ROLE OF IDS & ADS IN NETWORK SECURITY

THE ROLE OF IDS & ADS IN NETWORK SECURITY THE ROLE OF IDS & ADS IN NETWORK SECURITY The Role of IDS & ADS in Network Security When it comes to security, most networks today are like an egg: hard on the outside, gooey in the middle. Once a hacker

More information

Presentation Title: When Anti-virus Doesn t Cut it: Catching Malware with SIEM

Presentation Title: When Anti-virus Doesn t Cut it: Catching Malware with SIEM LISA 10 Speaking Proposal Category: Practice and Experience Reports Presentation Title: When Anti-virus Doesn t Cut it: Catching Malware with SIEM Proposed by/speaker: Wyman Stocks Information Security

More information

Instilling Confidence in Security and Risk Operations with Behavioral Analytics and Contextualization

Instilling Confidence in Security and Risk Operations with Behavioral Analytics and Contextualization WHITEPAPER Instilling Confidence in Security and Risk Operations with Behavioral Analytics and Contextualization Understanding Why Automated Machine Learning Behavioral Analytics with Contextualization

More information

Niara Security Analytics. Overview. Automatically detect attacks on the inside using machine learning

Niara Security Analytics. Overview. Automatically detect attacks on the inside using machine learning Niara Security Analytics Automatically detect attacks on the inside using machine learning Automatically detect attacks on the inside Supercharge analysts capabilities Enhance existing security investments

More information

USER-INITIATED NOTIFICATION: A CONCEPT FOR AIDING THE MONITORING ACTIVITIES OF PROCESS CONTROL OPERATORS

USER-INITIATED NOTIFICATION: A CONCEPT FOR AIDING THE MONITORING ACTIVITIES OF PROCESS CONTROL OPERATORS USER-INITIATED NOTIFICATION: A CONCEPT FOR AIDING THE MONITORING ACTIVITIES OF PROCESS CONTROL OPERATORS Stephanie Guerlain and Peter Bullemer Honeywell Technology Center Minneapolis, MN Monitoring activities

More information

US-CERT Year in Review. United States Computer Emergency Readiness Team

US-CERT Year in Review. United States Computer Emergency Readiness Team US-CERT Year in Review United States Computer Emergency Readiness Team CY 2012 US-CERT Year in Review United States Computer Emergency Readiness Team CY 2012 What s Inside Welcome 1 Vison, Mission, Goals

More information

Three Fundamental Techniques To Maximize the Value of Your Enterprise Data

Three Fundamental Techniques To Maximize the Value of Your Enterprise Data Three Fundamental Techniques To Maximize the Value of Your Enterprise Data Prepared for Talend by: David Loshin Knowledge Integrity, Inc. October, 2010 2010 Knowledge Integrity, Inc. 1 Introduction Organizations

More information

A Risk Assessment Methodology (RAM) for Physical Security

A Risk Assessment Methodology (RAM) for Physical Security A Risk Assessment Methodology (RAM) for Physical Security Violence, vandalism, and terrorism are prevalent in the world today. Managers and decision-makers must have a reliable way of estimating risk to

More information

Combating a new generation of cybercriminal with in-depth security monitoring

Combating a new generation of cybercriminal with in-depth security monitoring Cybersecurity Services Combating a new generation of cybercriminal with in-depth security monitoring 1 st Advanced Data Analysis Security Operation Center The Challenge Don t leave your systems unmonitored.

More information

Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER

Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER Introduction A decade or more ago, logs of events recorded by firewalls, intrusion detection systems and other network devices were

More information

Intrusion Detection via Machine Learning for SCADA System Protection

Intrusion Detection via Machine Learning for SCADA System Protection Intrusion Detection via Machine Learning for SCADA System Protection S.L.P. Yasakethu Department of Computing, University of Surrey, Guildford, GU2 7XH, UK. s.l.yasakethu@surrey.ac.uk J. Jiang Department

More information

CyberArk Privileged Threat Analytics. Solution Brief

CyberArk Privileged Threat Analytics. Solution Brief CyberArk Privileged Threat Analytics Solution Brief Table of Contents The New Security Battleground: Inside Your Network...3 Privileged Account Security...3 CyberArk Privileged Threat Analytics : Detect

More information

Defending Against Cyber Attacks with SessionLevel Network Security

Defending Against Cyber Attacks with SessionLevel Network Security Defending Against Cyber Attacks with SessionLevel Network Security May 2010 PAGE 1 PAGE 1 Executive Summary Threat actors are determinedly focused on the theft / exfiltration of protected or sensitive

More information

Information Visualization WS 2013/14 11 Visual Analytics

Information Visualization WS 2013/14 11 Visual Analytics 1 11.1 Definitions and Motivation Lot of research and papers in this emerging field: Visual Analytics: Scope and Challenges of Keim et al. Illuminating the path of Thomas and Cook 2 11.1 Definitions and

More information

Discover & Investigate Advanced Threats. OVERVIEW

Discover & Investigate Advanced Threats. OVERVIEW Discover & Investigate Advanced Threats. OVERVIEW HIGHLIGHTS Introducing RSA Security Analytics, Providing: Security monitoring Incident investigation Compliance reporting Providing Big Data Security Analytics

More information

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed)

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed) Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013 Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed) 01.1 Purpose

More information

Eliminating Cybersecurity Blind Spots

Eliminating Cybersecurity Blind Spots Eliminating Cybersecurity Blind Spots Challenges for Business April 15, 2015 Table of Contents Introduction... 3 Risk Management... 3 The Risk Blind Spot... 4 Continuous Asset Visibility... 5 Passive Network

More information

Comprehensive Advanced Threat Defense

Comprehensive Advanced Threat Defense 1 Comprehensive Advanced Threat Defense June 2014 PAGE 1 PAGE 1 1 INTRODUCTION The hot topic in the information security industry these days is Advanced Threat Defense (ATD). There are many definitions,

More information

The Next Generation Security Operations Center

The Next Generation Security Operations Center The Next Generation Security Operations Center Vassil Barsakov Regional Manager, CEE & CIS RSA, the Security Division of EMC 1 Threats are Evolving Rapidly Criminals Petty criminals Unsophisticated Organized

More information

Applying Internal Traffic Models to Improve Identification of High Fidelity Cyber Security Events

Applying Internal Traffic Models to Improve Identification of High Fidelity Cyber Security Events Applying Internal Traffic Models to Improve Identification of High Fidelity Cyber Security Events Abstract Effective Security Operations throughout both DoD and industry are requiring and consuming unprecedented

More information

Analyzing HTTP/HTTPS Traffic Logs

Analyzing HTTP/HTTPS Traffic Logs Advanced Threat Protection Automatic Traffic Log Analysis APTs, advanced malware and zero-day attacks are designed to evade conventional perimeter security defenses. Today, there is wide agreement that

More information

Detect, Contain and Control Cyberthreats

Detect, Contain and Control Cyberthreats A SANS Whitepaper Written by Eric Cole, PhD June 2015 Sponsored by Raytheon Websense 2015 SANS Institute Introduction Dwell Time Relates to damage because the longer a system is compromised, the bigger

More information

SPSP Phase III Recruiting, Selecting, and Developing Secure Power Systems Professionals: Job Profiles

SPSP Phase III Recruiting, Selecting, and Developing Secure Power Systems Professionals: Job Profiles PNNL-24138 SPSP Phase III Recruiting, Selecting, and Developing Secure Power Systems Professionals: Job Profiles March 2015 LR O Neil TJ Conway DH Tobey FL Greitzer AC Dalton PK Pusey Prepared for the

More information

Advanced SOC Design. Next Generation Security Operations. Shane Harsch Senior Solutions Principal, MBA GCED CISSP RSA

Advanced SOC Design. Next Generation Security Operations. Shane Harsch Senior Solutions Principal, MBA GCED CISSP RSA Advanced SOC Design Next Generation Security Operations Shane Harsch Senior Solutions Principal, MBA GCED CISSP RSA 1 ! Why/How security investments need to shift! Key functions of a Security Operations

More information

EnCase Endpoint Security Product Overview

EnCase Endpoint Security Product Overview GUIDANCE SOFTWARE EnCase Endpoint Security EnCase Endpoint Security Product Overview Detect Sooner. Respond Faster. Recover Effectively. GUIDANCE SOFTWARE EnCase Endpoint Security EnCase Endpoint Security

More information

Effective Methods to Detect Current Security Threats

Effective Methods to Detect Current Security Threats terreactive AG. Swiss Cyber Storm 2015. Effective Methods to Detect Current Security Threats Taking your IT security to the next level, you have to consider a paradigm shift. In the past companies mostly

More information

KNOWLEDGE ORGANIZATION

KNOWLEDGE ORGANIZATION KNOWLEDGE ORGANIZATION Gabi Reinmann Germany reinmann.gabi@googlemail.com Synonyms Information organization, information classification, knowledge representation, knowledge structuring Definition The term

More information

Incident Response. Six Best Practices for Managing Cyber Breaches. www.encase.com

Incident Response. Six Best Practices for Managing Cyber Breaches. www.encase.com Incident Response Six Best Practices for Managing Cyber Breaches www.encase.com What We ll Cover Your Challenges in Incident Response Six Best Practices for Managing a Cyber Breach In Depth: Best Practices

More information

AlienVault. Unified Security Management (USM) 5.x Policy Management Fundamentals

AlienVault. Unified Security Management (USM) 5.x Policy Management Fundamentals AlienVault Unified Security Management (USM) 5.x Policy Management Fundamentals USM 5.x Policy Management Fundamentals Copyright 2015 AlienVault, Inc. All rights reserved. The AlienVault Logo, AlienVault,

More information

ProtectWise: Shifting Network Security to the Cloud Date: March 2015 Author: Tony Palmer, Senior Lab Analyst and Aviv Kaufmann, Lab Analyst

ProtectWise: Shifting Network Security to the Cloud Date: March 2015 Author: Tony Palmer, Senior Lab Analyst and Aviv Kaufmann, Lab Analyst ESG Lab Spotlight ProtectWise: Shifting Network Security to the Cloud Date: March 2015 Author: Tony Palmer, Senior Lab Analyst and Aviv Kaufmann, Lab Analyst Abstract: This ESG Lab Spotlight examines the

More information

RSA Security Anatomy of an Attack Lessons learned

RSA Security Anatomy of an Attack Lessons learned RSA Security Anatomy of an Attack Lessons learned Malcolm Dundas Account Executive John Hurley Senior Technology Consultant 1 Agenda Advanced Enterprise/ Threats The RSA Breach A chronology of the attack

More information

RSA Security Analytics

RSA Security Analytics RSA Security Analytics This is what SIEM was Meant to Be 1 The Original Intent of SIEM Single compliance & security interface Compliance yes, but security? Analyze & prioritize alerts across various sources

More information

Protecting critical infrastructure from Cyber-attack

Protecting critical infrastructure from Cyber-attack Protecting critical infrastructure from Cyber-attack ACI-NA BIT Workshop, Session 6 (Cybersecurity) Long Beach, California October 4, 2015 Ben Trethowan Aviation Systems & Security Architect The scale

More information

Security Information and Event Management (SIEM)

Security Information and Event Management (SIEM) Security Information and Event Management (SIEM) How Does Your Business Benefit? intigrow White Paper By Wes Lambert Security Consultant wes.lambert@intigrow.com intigrow is a global enterprise security

More information

Making critical connections: predictive analytics in government

Making critical connections: predictive analytics in government Making critical connections: predictive analytics in government Improve strategic and tactical decision-making Highlights: Support data-driven decisions using IBM SPSS Modeler Reduce fraud, waste and abuse

More information

The Human Element in Cyber Security and Critical Infrastructure Protection: Lessons Learned

The Human Element in Cyber Security and Critical Infrastructure Protection: Lessons Learned The Human Element in Cyber Security and Critical Infrastructure Protection: Lessons Learned Marco Carvalho, Ph.D. Research Scientist mcarvalho@ihmc.us Institute for Human and Machine Cognition 40 South

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls

More information

Predictive Cyber Defense A Strategic Thought Paper

Predictive Cyber Defense A Strategic Thought Paper Predictive Cyber Defense A Strategic Thought Paper Don Adams Vice President, Chief Technology Officer, Worldwide Government TIBCO Software Federal, Inc 2 Summary The art and science of multi-sensor data

More information

Getting Ahead of Malware

Getting Ahead of Malware IT@Intel White Paper Intel Information Technology Security December 2009 Getting Ahead of Malware Executive Overview Since implementing our security event monitor and detection processes two years ago,

More information

Cyber Security in Taiwan's Government Institutions: From APT To. Investigation Policies

Cyber Security in Taiwan's Government Institutions: From APT To. Investigation Policies Cyber Security in Taiwan's Government Institutions: From APT To Investigation Policies Ching-Yu, Hung Investigation Bureau, Ministry of Justice, Taiwan, R.O.C. Abstract In this article, we introduce some

More information

ThreatSpike Dome: A New Approach To Security Monitoring

ThreatSpike Dome: A New Approach To Security Monitoring ThreatSpike Dome: A New Approach To Security Monitoring 2015 ThreatSpike Labs Limited The problem with SIEM Hacking, insider and advanced persistent threats can be difficult to detect with existing product

More information

The Need for Intelligent Network Security: Adapting IPS for today s Threats

The Need for Intelligent Network Security: Adapting IPS for today s Threats The Need for Intelligent Network Security: Adapting IPS for today s Threats James Tucker Security Engineer Sourcefire Nordics A Bit of History It started with passive IDS. Burglar alarm for the network

More information

Intrusion Detection in AlienVault

Intrusion Detection in AlienVault Complete. Simple. Affordable Copyright 2014 AlienVault. All rights reserved. AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat

More information

Compliance Guide: ASD ISM OVERVIEW

Compliance Guide: ASD ISM OVERVIEW Compliance Guide: ASD ISM OVERVIEW Australian Information Security Manual Mapping to the Principles using Huntsman INTRODUCTION In June 2010, The Australian Government Protective Security Policy Framework

More information

Development of Technology for Detecting Advanced Persistent Threat Activities

Development of Technology for Detecting Advanced Persistent Threat Activities FOR IMMEDIATE RELEASE Development of Technology for Detecting Advanced Persistent Threat Activities Visualizing correlations among hosts having suspicious activities to detect attacks such as stealth malware

More information

Advanced Visibility. Moving Beyond a Log Centric View. Matthew Gardiner, RSA & Richard Nichols, RSA

Advanced Visibility. Moving Beyond a Log Centric View. Matthew Gardiner, RSA & Richard Nichols, RSA Advanced Visibility Moving Beyond a Log Centric View Matthew Gardiner, RSA & Richard Nichols, RSA 1 Security is getting measurability worse Percent of breaches where time to compromise (red)/time to Discovery

More information

The FBI Cyber Program. Bauer Advising Symposium //UNCLASSIFIED

The FBI Cyber Program. Bauer Advising Symposium //UNCLASSIFIED The FBI Cyber Program Bauer Advising Symposium October 11, 2012 Today s Agenda What is the threat? Who are the adversaries? How are they attacking you? What can the FBI do to help? What can you do to stop

More information