Whitepaper
The Cyber Threat Profiler
Good intelligence is essential to efficient system protection

INTRODUCTION

As the world becomes more dependent on cyber connectivity, the volume of cyber attacks is exploding exponentially, as is the risk of compromise from those attacks. This situation is only going to get worse. The number of suitably qualified and experienced security experts cannot increase in proportion with this fast-changing cyber world. The answer is not to recruit more experts to handle the increasing workload, but to use technology force multipliers to reduce the analytical burden and increase staff efficiency. Organisations will only be able to reduce the risk from cyber attacks by using sophisticated security controls to monitor, understand and ultimately prevent these attacks.

Cyberlytic has developed the Cyber Threat Profiler to support an organisation by using the latest artificial intelligence and heuristic techniques to analyse and manage the risk that any malicious activity may bring to the organisation's network. It provides an effective suite of decision support tools that exploit data on a range of cyber threats to deliver intelligent security risk assessments. The tool complements security experts and existing network security components, removing the need to increase human resources to manage the growing situational awareness requirements of responding to malicious activity on the network.

OVERVIEW

The volume and sophistication of cyber attacks is growing at an alarming rate. Government and large businesses are subject to constant and simultaneous cyber attacks from multiple threat actors of varying skill and capability.

THE PROBLEM

Keeping pace with security breaches is a major challenge. According to the 2014 Information Security Breaches Survey, prepared by consultants PwC for the UK Government's Department for Business, Innovation and Skills, over 80% of large organisations reported having experienced a cyber security incident in the previous year.
The research found that 55% of large businesses were attacked by an unauthorised outsider during the year, and 73% of large organisations, including those in the public sector, suffered a virus infection or a malware incident. It is clear that organisations can no longer rely on conventional security controls to protect against the growing cyber threat. Highly sought-after security experts are required to keep on top of the attacks, using their judgement and experience to prioritise the organisation's response. It is their job to avert potentially catastrophic attacks.

MAINTAIN YOUR SECURITY TEAM, MAKE THEM MORE EFFICIENT TO HANDLE TOMORROW'S CYBER THREATS

The CTP increases the efficiency of expert security staff, meaning fewer staff can handle more cyber incidents.

[Figure 1: Exponential Growth from Cyber Attacks. The chart plots the expert staff required to handle tomorrow's cyber threats against the number of cyber attacks every day (millions of attacks every day). Today: large businesses are coping with the scale of attack (e.g. 3 SOC staff). Next year: an exponential increase in expert security staff is needed to handle the likely increase in cyber attack.]

GCHQ state there is likely to be a 20 year skills gap of expert security staff. Cisco state there is a 1M shortfall in security experts today.

Copyright Cyberlytic Limited 2015. All Rights Reserved. info@cyberlytic.com www.cyberlytic.com
THE CTP CONCEPT

The Cyber Threat Profiler (CTP) is a software solution that complements existing network security components to provide real-time risk assessment and prioritise security alerts. The CTP provides an additional layer of security intelligence to enhance attack containment capabilities and provide cyber resilience.

Security intelligence: The CTP complements existing network security monitoring suites to provide a real-time cyber risk assessment.

Artificial Intelligence: The CTP provides a unique approach to analysing large volumes of pure attack data to determine, and continually adapt to, changing and new threat profiles. It uses several Artificial Intelligence (AI) techniques, including machine learning, to analyse live and historic data.

Heuristic analysis: Attacks on live networks are correlated against normalised attack data to determine the relative sophistication of the attack, as well as the likely capability and effectiveness of the attacker.

THE CYBER DOMAIN

The CTP analyses the risks within the Cyber Sphere and is built on the ISO 27032 standard to define the Cybersecurity domain. In essence, Cybersecurity is a subset of multiple security layers, as described in the figure below. The Cybersecurity domain is a complex interaction between people, software and services using the internet, supported by worldwide distributed physical Information and Communications Technology (ICT) devices and connected networks.

[Figure 2: BS ISO 27301-2012: Relationship between Cybersecurity and the other Security Domains. Domains shown: Information Security, Application Security, Cyber Security, Network Security, Internet Security, and Critical Information Infrastructure Protection.]

CYBER THREAT

A cyber threat is where an individual or group of attackers tries to compromise a weakness in ICT devices and connected networks, where the effect is an unwanted action that results in potential harm to the assets, a system, an individual or an organisation within the Cybersecurity domain.
At a high level, cyber threats can take several different forms. They range from the internal Insider to the external Hacker threat, attacking an organisation using:

- Weaknesses in the configuration of IT systems; or
- Weaknesses in the applications hosted on the IT systems.

CYBER ATTACKS

A cyber attack is where an individual or group seeks to identify a misconfiguration or software vulnerability and then attempts to exploit the weakness in order to access sensitive information. These attacks could take the form of:

- Malicious code (buffer overflows);
- Injection attacks (SQL injection, Cross Site Scripting);
- Manipulation of business logic (understanding the processes);
- Exploitation of misconfigurations (incorrect or missing hardening); or
- Phishing attacks (malicious emails).

They may combine these with non-cyber attacks such as social engineering, weak physical controls or the human insider. The exploitation of the weakness could result in the attacker destroying, exposing, altering, disabling, stealing or gaining unauthorised access to the organisation's asset. This resource is usually an information asset that is stored, processed and transmitted within an ICT device and connected network, but could just as easily be a physical asset.

CYBER RISK

Cyber risk is the probability of an attacker (threat actor) identifying and compromising a vulnerability that results in an impact to the organisation, affecting the confidentiality, integrity and/or availability of that asset within an ICT device or connected network. That is, Cyber Risk is a function of (Threat & Impact & Vulnerability).

THE CYBERLYTIC RISK METHODOLOGY

A unique function of the CTP is that it provides a residual risk rating using the Cyberlytic methodology, which is based on quantifying the Cyber Risk defined above. An optional step in the configuration of the CTP is to work with the client organisation to configure the impact values.
The client is best placed to assess the impact of a compromised asset, as they are the only ones to appreciate fully the consequence of that asset being compromised. The vulnerability values are defined by identifying the applications and services that are in use within the organisation. Once identified, they are then cross-referenced against a known set of vulnerabilities.

The Cyberlytic Risk Methodology provides a risk value that takes into account the effectiveness of the existing security controls that are in place. Whilst we may not know the full extent of the security controls that have been implemented, the Cyberlytic Risk Methodology can identify the effectiveness of the resultant security controls that are protecting the assets.

The threat characteristics are determined fully by the CTP. The CTP assesses the characteristics of the attacker and the sophistication of an individual attack. The combination of the vulnerability, the impact and the threat characteristics is calculated using our Artificial Intelligence algorithms to provide the residual risk rating, which is an accurate measure of the infosec risk of a specific attack.

The CTP consists of two key core design components:

- Cyberlytic Adaptive Ruleset (CAR): a virtual application hosted inline in the customer environment
- Cyberlytic Intelligence Platform (CIP): an offline analytics platform

THE CTP DESIGN

The CTP profiles the threat of an attack, and where applicable the attacker, to create a set of quantifiable features that are used to determine, in a consistent, quantifiable and reliable manner, the cyber security risk.

[Figure 3: The CTP Components. The diagram shows the client network (CTP interface, security event collector, security event storage database (NoSQL)); the Cyberlytic Adaptive Ruleset (CAR) with its SQLIA (SQL Injection Attack), XSS (Cross Site Scripting), CSRF (Cross Site Request Forgery) and DDOS (Distributed Denial of Service) modules; and the Cyberlytic Intelligence Platform (CIP), which trains the classifier, updates the CAR modules and prioritises events (risk rating). An anonymised client network segment and CTF data feed the Cyberlytic classification baselining process.]

The CTP is dependent on alerts being initiated by existing network security monitors, Security Information and Event Management (SIEM) or Intrusion Detection Systems (IDS), to provide an additional layer of security intelligence. The Cyberlytic API provides the mechanism to connect to existing security environments. The CTP prioritises alerts received from these systems according to the risk they pose to the target system and underlying data. The results are presented in real time to security teams and incident handlers within the operations centre. It is agnostic of existing security systems, but is dependent on alerts being initiated by the security tools within the client network.

The CTP has been designed to:

- Connect to existing IDS, SIEM or NSM and receive attack data.
- Optionally, deploy our own sensors to detect the threats and capture the attack data.
- Optionally, replicate un-attributable aspects of the customer target network within an un-attributable honeypot environment to receive and refine more relevant attack data gained from the wider hacking community.
- Apply Machine Learning algorithms in a multi-layered approach to the data received from the target and CTF environments, to safely learn the effectiveness of existing and new attack characteristics.
- Artificial Intelligence (AI) algorithms within the locally installed CTP determine the relative sophistication and likely capability of the attacker.
- Each attack is prioritised and presented to security teams based on the risk to your business.
- Supervised, semi-supervised and unsupervised learning means the AI algorithms are updated regularly to remain current with the changing threat profiles.

THE CYBERLYTIC ADAPTIVE RULESET (CAR)

The CAR provides an inline real-time assessment of each attack detected. It collects relevant attack data from the existing security tools and passes it to the threat modules.
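As an added illustration of the risk methodology and the per-category alert prioritisation described above (this is not Cyberlytic's code or its patented method; the weights, asset values and alerts are constructed assumptions), the following Python ranks a handful of alerts by a residual risk computed from Threat, Impact and Vulnerability and discounted by the effectiveness of existing controls:

```python
from dataclasses import dataclass

# Constructed client configuration (illustrative values, not Cyberlytic's):
# impact of compromise per asset (0-1), set by the asset owner.
ASSET_IMPACT = {"customer-db": 1.0, "marketing-site": 0.3, "intranet-wiki": 0.5}

# Exposure of each asset to each CAR attack category (0-1), as would come
# from cross-referencing deployed software against known vulnerabilities.
SERVICE_VULN = {
    "customer-db":    {"SQLIA": 0.9, "XSS": 0.2, "CSRF": 0.3, "DDOS": 0.4},
    "marketing-site": {"SQLIA": 0.1, "XSS": 0.8, "CSRF": 0.5, "DDOS": 0.9},
    "intranet-wiki":  {"SQLIA": 0.4, "XSS": 0.7, "CSRF": 0.6, "DDOS": 0.2},
}

# Effectiveness of existing controls in front of each asset (0 = none, 1 = blocks all).
CONTROL_EFFECTIVENESS = {"customer-db": 0.5, "marketing-site": 0.2, "intranet-wiki": 0.0}

@dataclass(frozen=True)
class Alert:
    alert_id: str
    category: str          # CAR threat module: SQLIA, XSS, CSRF or DDOS
    asset: str             # target asset named in the IDS/SIEM alert
    sophistication: float  # 0-1, relative sophistication of this attack
    capability: float      # 0-1, likely capability of the attacker

def threat_score(alert: Alert) -> float:
    """Threat characteristic: weighted blend of attack sophistication and attacker capability."""
    return 0.6 * alert.sophistication + 0.4 * alert.capability

def residual_risk(alert: Alert) -> float:
    """Risk = Threat x Impact x Vulnerability, then discounted by control effectiveness."""
    impact = ASSET_IMPACT[alert.asset]
    vuln = SERVICE_VULN[alert.asset].get(alert.category, 0.0)  # unknown category: no exposure
    inherent = threat_score(alert) * impact * vuln
    return round(inherent * (1.0 - CONTROL_EFFECTIVENESS[alert.asset]), 4)

def prioritise(alerts):
    """Return (rating, alert) pairs ordered highest residual risk first."""
    return sorted(((residual_risk(a), a) for a in alerts), key=lambda p: p[0], reverse=True)

# Constructed sample alerts, as an IDS or SIEM might hand to the API.
SAMPLE_ALERTS = [
    Alert("a1", "SQLIA", "customer-db", sophistication=0.8, capability=0.7),
    Alert("a2", "DDOS", "marketing-site", sophistication=0.3, capability=0.4),
    Alert("a3", "XSS", "intranet-wiki", sophistication=0.5, capability=0.5),
    Alert("a4", "SQLIA", "marketing-site", sophistication=0.9, capability=0.9),
]
```

Alert a4 is the most sophisticated attack yet ranks last, because the marketing site is barely exposed to SQL injection; the ordering follows risk to the asset rather than attack sophistication alone.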
The CAR has a series of threat modules to determine the relative sophistication of attacks, together with the likely capability of the attacker. Each threat module represents a particular attack category, such as SQL (Structured Query Language) Injection Attack (SQLIA), Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF) and Distributed Denial of Service (DDOS). This supports the security incident response handler in taking appropriate and immediate action. These modules provide the real-time intelligence assessment and event prioritisation.

Our unique and patented approach to characterising attacks means the CTP provides the highest accuracy of any security intelligence tool of its type. The adaptive ruleset is frequently and automatically updated via analysis by the Cyberlytic Intelligence Platform (CIP), without the need for a cyber security expert to interpret the rules. This allows the inline security event assessment to remain current, even as the threat sources change.

CYBERLYTIC INTELLIGENCE PLATFORM (CIP)

The CIP undertakes detailed analysis of all security data to identify changing threat profiles. The analysis process uses a multi-layered approach to apply a number of mathematical techniques. The CIP has been designed to analyse large volumes of data and to support big data analytics.
The layers range from deep packet inspection through to event log analysis. The various layers gather specific attributes and use them for the differing mathematical analyses. The solution uses supervised, semi-supervised and unsupervised machine learning algorithms to continually update the adaptive rules that are maintained within the CAR. This allows the CTP to identify anomalies and reduce the impact of false positives whilst also being able to accurately classify the attack. This provides the flexibility to identify new attack vectors whilst assessing the risk from already known attack vectors. The machine learning can be carried out within the customer environment or offline within Cyberlytic's cloud CIP. For customers unable to connect to Cyberlytic's cloud CIP, local CAR rules will be updated at agreed intervals using approved methods.

THE DISPLAY

The CTP results are presented using real-time displays in the Security Operations Centre (SOC) to support the security teams and incident handlers. The output follows the Structured Threat Information eXpression (STIX) standard, allowing the analysed threats to be communicated easily and transferred to existing reporting mechanisms.

THE BENEFITS

Cyberlytic has developed a security intelligence platform that uniquely learns and evolves the classification of cyber attack data.
- Highest accuracy: the patented classification approach provides the most accurate attack detection available. Machine learning continues to improve the accuracy of the toolset, meaning the risk of compromise will continue to be reduced over time.
- Attacks are prioritised: security alerts are immediately prioritised based on the risk of the attack, increasing the effectiveness of the security response team.
- Business risk context: protect your most important assets, with proportional cyber defence through true recognition of infosec risk.
- Expert decision support: integrates with and enhances existing security management systems. A proactive, intelligence-led, adaptive ruleset eliminates false positive results.
- Vendor agnostic: complements other security systems.
- Response time reduced from days to minutes: supports the Security Incident Handler in making timely and critical decisions.

The CTP is an adaptive, expert learning and decision support tool. It allows security teams to respond immediately to serious attacks. This enables businesses to assess each cyber attack in real time to determine the security risks to an organisation's information assets.
ABOUT CYBERLYTIC

Cyberlytic is the originator and owner of intellectual property relating to real-time risk assessment and prioritisation of cyber attacks. In January 2013, the founders of Cyberlytic were awarded two proof of concept contracts, with the MOD (Defence Science and Technology Laboratory) and GCHQ respectively, to provide a cyber situational awareness software tool. The projects were successful, proving that a cyber attack could be prioritised depending on the relative sophistication of the attack and the likely capability of the attacker. As a result of the proof of concept, Cyberlytic has developed the Cyber Threat Profiler (CTP). The CTP applies security intelligence (http://www.gartner.com/it-glossary/enterprise-security-intelligence-esi) by analysing attack data provided by a Capture the Flag (CTF) environment and customers' existing security systems (there could be thousands of alerts at any one time) to instantly determine the risk of each attack and help the security team prioritise their response.

For more information, visit www.cyberlytic.com

Cyberlytic Limited is registered in England (No. 8697618) with its registered office at 88 Wood Street, 10th Floor, London, England, EC2 7RS. Copyright Cyberlytic Limited 2014. All Rights Reserved. Cyberlytic and the names of Cyberlytic's products referenced herein are trademarks of Cyberlytic Limited and are registered in certain jurisdictions.

For more information contact: Email: info@cyberlytic.com Tel: +44(0) 203 290 0011

MAR-WP-A4-V3-040215

Real-time Risk and Security Intelligence
www.cyberlytic.com