Cognitive and Organizational Challenges of Big Data in Cyber Defense
Nathan Bos & John Gersh, Johns Hopkins University Applied Laboratory

The cognitive and organizational challenges associated with Big Data have not received much research attention. We have begun an interview study of analysts who work in the computer network (cyber) defense (CND) area and have experienced changes in data scale affecting their analytical work. We used a qualitative inquiry method, starting with relatively open-ended questions. Our interview protocol also asked analysts to describe critical incidents related to data use, and probed for previously identified cognitive biases that may affect analysis in this domain.

What does Big Data mean in CND?

In an important sense, data size has not changed for CND analysts: they've always had more than they can handle. This is the cognitive equivalent of an aspect of computer scientists' original concept of big data: data too big to be memory-resident (Cox & Ellsworth, 1997). Raw data in CND can't fit in analysts' long-term memory (let alone working memory!). Analysis has always required cognitive artifacts (Norman, 1992) to deal with the data. While one could start with words on paper, we could consider the (computer) spreadsheet the ur-artifact in this domain. CND analysts still use spreadsheets in some cases to handle log entries from computers or defensive systems like intrusion-detection systems (IDSs). Today analysts' cognitive artifacts are much more capable at accessing, correlating and presenting data. Nonetheless, the presentation may still rely on lists of events and objects. These artifacts have always played the same role: providing a representation that reduces the size and complexity of data to something that human cognition can handle. As a result, analysts' view of data, and more importantly their view of the world they're trying to understand, are defined by the tools they use.
The cyber defense domain has particular attributes that affect the relationship between analysts and their data: important data-driven decisions must be made in real time or near-real time. The domain is non-physical; almost all thinking is about abstractions. Information requirements and sensor development are driven by external actors: their capabilities, tactics, and strategies. This leads to a cycle of growth in data size:

- New threat capabilities and strategies
- New defensive strategy
- More and more diverse sensors with more, faster, and more diverse data
- More complex technology to handle new kinds of and bigger data
- New threat capabilities in response

Methods

We present some initial findings based on N=6 analysts representing multiple organizations. Our qualitative analysis involves identifying common challenge themes and coding interview notes. We use the common Big Data dimensions of Volume, Variety and Velocity both as a way to structure interview questions and as a tag for responses. We found, though, that analysts think more in terms of the challenge themes than in those data dimensions. The dimensions' utility lies more in understanding how data size may affect analysts' thinking than in characterizing how analysts view their domain. We additionally coded issues as to whether they were primarily Technological, Cognitive or Organizational challenges. (Second-level coding categories are not represented in this abstract.)

Table (cell markings not recoverable from the transcription): challenge themes coded by type of issue (Cognitive, Technological, Organizational) and by Big Data dimension (Volume, Velocity, Variety). The themes are:

- Tools and Automation
- Archiving
- Monitoring alerts
- Cognitive bias: WYSIATI
- Cognitive bias: Judgments of risk
- Pace of work
- Increasing coordination costs

Tools and Automation

Characteristics of the CND domain, its data, and the technology analysts use come together to raise complex challenges to analysts' use of data to understand what's happening in their networks. In the past, threats were seen as intrusions, attempts to break through a defensive perimeter; IDSs issued alerts on attempts, and anti-virus software issued alerts on malware observed on computers. Data were seen as events with attributes happening on an individual computer. For a network, data also include packets: objects with attributes. These alerts were seen as high-level data (events); packets (objects) and, in some cases, log entries were seen as the raw data that generated them. Evolving threats have added complexity to the situation.
Advanced persistent threats (APTs) represent an adversary's long-term presence in computers or other devices on a network, established through a variety of means. From that presence the adversary attempts to extract valuable information and exfiltrate it. Threat activity extends over time and involves coordinated action among many pieces of hidden software. Nevertheless, analysts can still view their data as a collection of events and objects. These events and objects, however, are now represented at a higher level of abstraction. Examples might be malware-exfiltrating-a-file, or a-command-and-control-message. Each of these is evidenced by a collection of lower-level events like log entries or packets. This is the sense in which analysts' data size has not changed: they still deal with all the alerts and objects that they can handle. Now, though, analysts' tools present them with alerts and objects that are more distant from the data. Here distance refers to their cognitive artifacts' representational distance from what was previously considered fundamental data. (This distance is also relative to the current technology. Distance from data really means distance from what we formerly saw as the raw data for our analysis. Even in the past, for example, analysts were becoming distant from the individual bits making up a packet.)

Senior analysts refer to this distance in terms of novice analysts' lack of understanding of what alerts really mean: the specific kinds of lower-level events that generate them and their significance for the network and for the organizational mission. Similar concerns apply to forensic analyses. Even with more time to investigate a problem, they feel that novices may not have the skill to drill down from more abstract data to more concrete data and then understand the data's connections and implications. These issues are exacerbated by an increase in the variety of the underlying sensor data and the complexity of relationships among different kinds of data. (We found that variety and its concomitant complexity were the most challenging data dimension for analysts' work.) Dealing with this variety (as well as data volume and velocity) has required automation of increased complexity and span of action. For example, automation in an IDS involves the recognition of a particular set of attributes (a signature) in a sequence of packets.
Automation for dealing with APTs may require correlation among several kinds of data appearing in a particular sequence over an extended period of time. This evolution of automation brings with it the potential for changes in analysts' roles and for operational errors that have been observed in using automation in other domains, for example in aviation or health care (Parasuraman & Wickens, 2008). Careful design of analysts' tools can help to prevent such errors (Norman, 1990). Automated detection of (and perhaps response to) significant CND events has tended to put analysts into a supervisory role over the automation, which can be a significant change for them and their organizations. Analysts referred to a new rule-writing skill requirement. In addition to responding to alerts or analyzing situations, some analysts must now define rules for correlating complex sets of data and for alerting on complicated situations. Developing the skill needed to formalize one's understanding of situations from data sets, and the place of skilled rule-writers in organizations, are new issues facing CND teams. In other cases rules may be invisible to analysts because they're inaccessibly embedded in commercial tools, which may constrain the analyst's supervisory role. (Analysts may become distant from their analytics as well as from their data.) Various conceptual models have been developed for thinking about cognition in the supervisory control of dynamic systems. Concepts from such models include (among others) users comparing rules' actions to expected outcomes (Hamill & Gersh, 1992) and the role in joint (human-system) cognitive systems of an artificial construct of knowledge about the world (Hollnagel & Woods, 2005). Such concepts from other domains may prove useful in building similar models for analysts' interactions with big data.

Archiving

When asked about challenges of data volume, most analysts we talked to first volunteered information related to archiving. For example, despite ever-cheaper storage, it is not considered cost effective to store full-packet data for very long. Different kinds of data and metadata are archived for different lengths of time. Organizations set archiving policies for different data types, with implications for what kinds of investigations can be conducted in the future.

Monitoring alerts

First-tier monitoring tasks are often based on automated alerts generated by monitoring tools. Increases in network traffic contribute to sometimes-overwhelming numbers of alerts. Analysts use experience and intuition to make risk judgments about alerts and decide which require further investigation. Changes in data volume and velocity require constant adaptation of these judgments (e.g. when a type of alert previously judged worthy of investigation becomes 100x more prevalent), which presents challenges for both novice and experienced analysts.

Cognitive bias: WYSIATI

Psychologist Daniel Kahneman describes a cognitive bias he calls What You See Is All There Is (Kahneman, 2011). This occurs when an analyst makes an implicit assumption that the available data is complete, and may make incorrect inferences from the absence of data (i.e. treating absence of evidence as evidence of absence). Logically, however, the size of a dataset is not an indicator of its completeness. Increasing data size may lead analysts to make more errors of this type.

Cognitive bias: Judgments of risk

Novice analysts tend to react to automated alerts as if each one represents a significant threat. They see the cyber world as an inherently dangerous, risky place.
Judgments of probability and risk are the source of well-known biases (Kahneman, 2011). These biases can affect assessment of threat likelihood both in rapid response to alerts and in more deliberate investigation of incidents. Novice analysts tend to consider all alerts as representing real threats, regarding the cyber domain as an inherently risky place, which leads to more false alarm reports. More experienced analysts tend to think in terms of the explicit relationship between data from events and automated alert criteria and thresholds. They realize that these settings might produce many false alarms and react accordingly. Novices work to prove that each alert represents a threat; experts work to prove that it doesn't. This has been attributed to data-size-driven distance from data and automation: novices don't have a clear picture of the relationships among events, data, and automation. The progression from novice to expert may be described as movement along a human-system receiver operating characteristic (ROC) curve (Sorkin & Woods, 1985).
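The correlation rule-writing discussed under Tools and Automation and the explicit relationship between event data, alert thresholds and the human-system ROC curve discussed above, as one added example that is not from the paper: a hypothetical rule flags a host that beacons repeatedly to one destination and then sends a large transfer, keeps the low-level events as evidence so an analyst can drill down from the alert, and is swept across threshold settings on constructed labelled traffic to show the hit-rate/false-alarm operating points. All hosts, destinations, sizes and thresholds are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    """One low-level record from a sensor (constructed, not real data)."""
    ts: int        # seconds since the start of the capture
    host: str      # internal host name
    kind: str      # "conn" (outbound connection) or "transfer" (bytes sent)
    dst: str       # external destination
    size: int = 0  # bytes sent, for "transfer" events


def correlate(events, window, min_beacons, min_bytes):
    """Hypothetical correlation rule: flag a host that connects to one
    destination at least `min_beacons` times within `window` seconds and
    then sends at least `min_bytes` to it. Each alert keeps the low-level
    events that produced it, so an analyst can drill down from the alert
    to the data behind it instead of judging the alert in isolation."""
    by_pair = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_pair[(e.host, e.dst)].append(e)
    alerts = []
    for (host, dst), evs in by_pair.items():
        conns = [e for e in evs if e.kind == "conn"]
        for t in (e for e in evs if e.kind == "transfer"):
            prior = [c for c in conns if t.ts - window <= c.ts < t.ts]
            if len(prior) >= min_beacons and t.size >= min_bytes:
                alerts.append({"host": host, "dst": dst,
                               "beacons": len(prior), "bytes": t.size,
                               "evidence": prior + [t]})
                break  # one alert per host/destination pair
    return alerts


def make_stream():
    """Constructed, labelled traffic. Returns (events, set of hosts that
    are truly compromised). Hosts h1, h2, h4 poll an update server every
    10 minutes and upload a little; h2 also runs a legitimate large backup.
    Host h3 beacons every 5 minutes and then sends 8 MB out."""
    events, truth = [], {"h3"}
    for h in ("h1", "h2", "h4"):
        for i in range(6):
            events.append(Event(i * 600, h, "conn", "updates.example"))
        events.append(Event(3700, h, "transfer", "updates.example", 20_000))
    events.append(Event(3800, "h2", "transfer", "updates.example", 5_000_000))
    for i in range(12):
        events.append(Event(i * 300, "h3", "conn", "203.0.113.7"))
    events.append(Event(3650, "h3", "transfer", "203.0.113.7", 8_000_000))
    return events, truth


def operating_point(events, truth, hosts, window, min_beacons, min_bytes):
    """Hit rate and false-alarm rate of the rule at one threshold setting:
    one point on the human-system ROC curve."""
    flagged = {a["host"] for a in correlate(events, window, min_beacons, min_bytes)}
    hit_rate = len(flagged & truth) / len(truth)
    false_alarm_rate = len(flagged - truth) / len(hosts - truth)
    return hit_rate, false_alarm_rate


def sweep(events, truth, hosts, window=3600):
    """Operating points for a few threshold settings (constructed sweep):
    a loose byte threshold alarms on every host, a very strict one misses
    the real case, and using the beacon count as well separates them."""
    settings = [(5, 10_000), (5, 1_000_000), (5, 10_000_000), (10, 1_000_000)]
    return [(b, s) + operating_point(events, truth, hosts, window, b, s)
            for b, s in settings]


if __name__ == "__main__":
    events, truth = make_stream()
    hosts = {e.host for e in events}
    print("min_beacons  min_bytes   hit_rate  false_alarm_rate")
    for b, s, hr, far in sweep(events, truth, hosts):
        print(f"{b:>11}  {s:>9}   {hr:8.2f}  {far:16.2f}")
    for a in correlate(events, 3600, 10, 1_000_000):
        print(f"alert: {a['host']} -> {a['dst']} "
              f"({a['beacons']} beacons, {a['bytes']} bytes, "
              f"{len(a['evidence'])} supporting events)")
```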
Pace of work

Increasing velocity of data corresponds to an increasing rate of data collection. However, analysts report that the pace of work expected is dictated by the organization, not the data. Organizations respond to increased variety by expanding staff, changing analytical priorities, and, when possible, adopting new tools. In response to increased volume, organizations often deprioritize certain types of attacks (e.g. nuisance software) and devote less time to open-ended exploration of the data. In the words of one analyst, "I used to spend more time hunting."

Increasing coordination costs

The easiest way to scale up is to recruit more novice analysts and put them to work at Tier 1 analytical work: monitoring traffic and triaging alerts. Expanding an organization incurs well-understood increases in levels of management, training costs, and coordination costs between analysts, across shifts and specializations. Coordination also increases the value of standardized notation and procedures, which are not always present in the relatively new field of cyber defense.

References

Cox, M., & Ellsworth, D. (1997). Managing big data for scientific visualization. ACM SIGGRAPH: International Conference on Computer Graphics and Interactive Techniques.

Hamill, B. W., & Gersh, J. R. (1992). Decision-making performance in rule-based supervisory control: Empirical development of a cognitive process model. Presented at the Joint Directors of Laboratories Basic Research Group Symposium on C2 Research.

Hollnagel, E., & Woods, D. D. (2005). Joint cognitive systems: Foundations of cognitive systems engineering. Boca Raton, FL: Taylor and Francis.

Kahneman, D. (2011). Thinking, Fast and Slow. New York, NY: Farrar, Straus and Giroux.

Norman, D. A. (1990). The 'problem' with automation: Inappropriate feedback and interaction, not over-automation. Philosophical Transactions of the Royal Society of London, Series B, Biological Sciences, 327(1241).

Norman, D. A. (1992). Design principles for cognitive artifacts. Research in Engineering Design, 4(1).

Parasuraman, R., & Wickens, C. D. (2008). Humans: Still vital after all these years of automation. Human Factors, 50(3).

Sorkin, R., & Woods, D. D. (1985). Systems with human monitors: A signal detection analysis. Human-Computer Interaction, 1(1).
More informationApplying Internal Traffic Models to Improve Identification of High Fidelity Cyber Security Events
Applying Internal Traffic Models to Improve Identification of High Fidelity Cyber Security Events Abstract Effective Security Operations throughout both DoD and industry are requiring and consuming unprecedented
More informationAnalyzing HTTP/HTTPS Traffic Logs
Advanced Threat Protection Automatic Traffic Log Analysis APTs, advanced malware and zero-day attacks are designed to evade conventional perimeter security defenses. Today, there is wide agreement that
More informationDetect, Contain and Control Cyberthreats
A SANS Whitepaper Written by Eric Cole, PhD June 2015 Sponsored by Raytheon Websense 2015 SANS Institute Introduction Dwell Time Relates to damage because the longer a system is compromised, the bigger
More informationSPSP Phase III Recruiting, Selecting, and Developing Secure Power Systems Professionals: Job Profiles
PNNL-24138 SPSP Phase III Recruiting, Selecting, and Developing Secure Power Systems Professionals: Job Profiles March 2015 LR O Neil TJ Conway DH Tobey FL Greitzer AC Dalton PK Pusey Prepared for the
More informationAdvanced SOC Design. Next Generation Security Operations. Shane Harsch Senior Solutions Principal, MBA GCED CISSP RSA
Advanced SOC Design Next Generation Security Operations Shane Harsch Senior Solutions Principal, MBA GCED CISSP RSA 1 ! Why/How security investments need to shift! Key functions of a Security Operations
More informationEnCase Endpoint Security Product Overview
GUIDANCE SOFTWARE EnCase Endpoint Security EnCase Endpoint Security Product Overview Detect Sooner. Respond Faster. Recover Effectively. GUIDANCE SOFTWARE EnCase Endpoint Security EnCase Endpoint Security
More informationEffective Methods to Detect Current Security Threats
terreactive AG. Swiss Cyber Storm 2015. Effective Methods to Detect Current Security Threats Taking your IT security to the next level, you have to consider a paradigm shift. In the past companies mostly
More informationKNOWLEDGE ORGANIZATION
KNOWLEDGE ORGANIZATION Gabi Reinmann Germany reinmann.gabi@googlemail.com Synonyms Information organization, information classification, knowledge representation, knowledge structuring Definition The term
More informationIncident Response. Six Best Practices for Managing Cyber Breaches. www.encase.com
Incident Response Six Best Practices for Managing Cyber Breaches www.encase.com What We ll Cover Your Challenges in Incident Response Six Best Practices for Managing a Cyber Breach In Depth: Best Practices
More informationAlienVault. Unified Security Management (USM) 5.x Policy Management Fundamentals
AlienVault Unified Security Management (USM) 5.x Policy Management Fundamentals USM 5.x Policy Management Fundamentals Copyright 2015 AlienVault, Inc. All rights reserved. The AlienVault Logo, AlienVault,
More informationProtectWise: Shifting Network Security to the Cloud Date: March 2015 Author: Tony Palmer, Senior Lab Analyst and Aviv Kaufmann, Lab Analyst
ESG Lab Spotlight ProtectWise: Shifting Network Security to the Cloud Date: March 2015 Author: Tony Palmer, Senior Lab Analyst and Aviv Kaufmann, Lab Analyst Abstract: This ESG Lab Spotlight examines the
More informationRSA Security Anatomy of an Attack Lessons learned
RSA Security Anatomy of an Attack Lessons learned Malcolm Dundas Account Executive John Hurley Senior Technology Consultant 1 Agenda Advanced Enterprise/ Threats The RSA Breach A chronology of the attack
More informationRSA Security Analytics
RSA Security Analytics This is what SIEM was Meant to Be 1 The Original Intent of SIEM Single compliance & security interface Compliance yes, but security? Analyze & prioritize alerts across various sources
More informationProtecting critical infrastructure from Cyber-attack
Protecting critical infrastructure from Cyber-attack ACI-NA BIT Workshop, Session 6 (Cybersecurity) Long Beach, California October 4, 2015 Ben Trethowan Aviation Systems & Security Architect The scale
More informationSecurity Information and Event Management (SIEM)
Security Information and Event Management (SIEM) How Does Your Business Benefit? intigrow White Paper By Wes Lambert Security Consultant wes.lambert@intigrow.com intigrow is a global enterprise security
More informationMaking critical connections: predictive analytics in government
Making critical connections: predictive analytics in government Improve strategic and tactical decision-making Highlights: Support data-driven decisions using IBM SPSS Modeler Reduce fraud, waste and abuse
More informationThe Human Element in Cyber Security and Critical Infrastructure Protection: Lessons Learned
The Human Element in Cyber Security and Critical Infrastructure Protection: Lessons Learned Marco Carvalho, Ph.D. Research Scientist mcarvalho@ihmc.us Institute for Human and Machine Cognition 40 South
More informationFirewalls, Tunnels, and Network Intrusion Detection
Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls
More informationPredictive Cyber Defense A Strategic Thought Paper
Predictive Cyber Defense A Strategic Thought Paper Don Adams Vice President, Chief Technology Officer, Worldwide Government TIBCO Software Federal, Inc 2 Summary The art and science of multi-sensor data
More informationGetting Ahead of Malware
IT@Intel White Paper Intel Information Technology Security December 2009 Getting Ahead of Malware Executive Overview Since implementing our security event monitor and detection processes two years ago,
More informationCyber Security in Taiwan's Government Institutions: From APT To. Investigation Policies
Cyber Security in Taiwan's Government Institutions: From APT To Investigation Policies Ching-Yu, Hung Investigation Bureau, Ministry of Justice, Taiwan, R.O.C. Abstract In this article, we introduce some
More informationThreatSpike Dome: A New Approach To Security Monitoring
ThreatSpike Dome: A New Approach To Security Monitoring 2015 ThreatSpike Labs Limited The problem with SIEM Hacking, insider and advanced persistent threats can be difficult to detect with existing product
More informationThe Need for Intelligent Network Security: Adapting IPS for today s Threats
The Need for Intelligent Network Security: Adapting IPS for today s Threats James Tucker Security Engineer Sourcefire Nordics A Bit of History It started with passive IDS. Burglar alarm for the network
More informationIntrusion Detection in AlienVault
Complete. Simple. Affordable Copyright 2014 AlienVault. All rights reserved. AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat
More informationCompliance Guide: ASD ISM OVERVIEW
Compliance Guide: ASD ISM OVERVIEW Australian Information Security Manual Mapping to the Principles using Huntsman INTRODUCTION In June 2010, The Australian Government Protective Security Policy Framework
More informationDevelopment of Technology for Detecting Advanced Persistent Threat Activities
FOR IMMEDIATE RELEASE Development of Technology for Detecting Advanced Persistent Threat Activities Visualizing correlations among hosts having suspicious activities to detect attacks such as stealth malware
More informationAdvanced Visibility. Moving Beyond a Log Centric View. Matthew Gardiner, RSA & Richard Nichols, RSA
Advanced Visibility Moving Beyond a Log Centric View Matthew Gardiner, RSA & Richard Nichols, RSA 1 Security is getting measurability worse Percent of breaches where time to compromise (red)/time to Discovery
More informationThe FBI Cyber Program. Bauer Advising Symposium //UNCLASSIFIED
The FBI Cyber Program Bauer Advising Symposium October 11, 2012 Today s Agenda What is the threat? Who are the adversaries? How are they attacking you? What can the FBI do to help? What can you do to stop
More information