Security & Big Data: Security Intelligence helps companies defend themselves against attacks
Giovanni Abbadessa, IBM IT Security Architect
Umberto Sansovini, IBM Security Consultant
Big Data Facts
- Big data analytics is delivering value today: 90% of all data was created in the last two years [1]
- Big data analytics has the potential to reduce security risk and increase agility
- Big data analytics is challenging, but manageable: the market is expected to grow from US$3.2 billion in 2010 to US$16.9 billion in 2015 [2]
- Existing big data analytics capabilities can be leveraged to improve information security. For example, financial institutions already use sophisticated analytics for anti-fraud and anti-money-laundering, and airlines constantly analyse their customers' behaviour in order to propose tailored offers.
[1] public.dhe.ibm.com/common/ssi/ecm/en/pos03099usen/pos03099usen.pdf
[2] www.idc.com/getdoc.jsp?containerid=prus23355112
Innovative technology changes everything
- 1 trillion connected objects
- 1 billion mobile workers
- Social business
- Bring your own IT
- Cloud and virtualization
Organized groups are using multiple techniques
- Using social networking and social engineering to perform reconnaissance on spear-phishing targets, leading to compromised hosts and accounts
- Infiltrating a trusted partner and then loading malware onto the target's network
- Creating designer malware tailored to infect only the target organization, preventing positive identification by security vendors
- Exploiting zero-day vulnerabilities to gain access to data, applications, systems, and endpoints
- Communicating over accepted channels such as port 80 to exfiltrate data from the organization
Security Intelligence is enabling progress to optimized security
Security Intelligence: information and event management; advanced correlation and deep analytics; external threat research
Maturity levels by domain (People / Data / Applications / Infrastructure):
Optimized
- People: Role-based analytics; Identity governance; Privileged user controls
- Data: Data flow analytics; Data governance
- Applications: Secure app engineering processes; Fraud detection
- Infrastructure: Advanced network monitoring; Forensics / data mining; Security-rich systems
Proficient
- People: User provisioning; Access management; Strong authentication
- Data: Database activity monitoring; Access monitoring; Data loss prevention
- Applications: Application firewall; Source code scanning
- Infrastructure: Virtualization security; Asset management; Endpoint / network security management
Basic
- People: Centralized directory
- Data: Encryption; Access control
- Applications: Application scanning
- Infrastructure: Perimeter security; Anti-virus
JK 2012-04-26
What can I get from Big Data to better protect my enterprise?
Examples of information security using Big Data and Security Analytics:
- Monitoring security incidents and events
- Addressing phishing
- Keeping systems available
- Discovering a breach
- Identifying threat trends and evolution
- Detecting an embedded security attack
How to use Big Data to improve security?
Big Data -> Analysis Process -> Security Insight
The analysis process relies on: Experts, Tools, Methods, Visualization
Permutations of malicious identifiers are limitless
(Examples shown on the slide: lists of malicious domains, IP addresses and file checksums)
The Result
Attackers are bypassing traditional security defenses. We need a new approach.
A change in mindset is already happening
- From "Audit, Patch & Block" to "Detect, Analyze & Remediate"
- From "Think like a defender, defense-in-depth" to "Think like an attacker, counter intelligence"
By monitoring for subtle indicators across all fronts
1. Break-in: spoofed email with malicious file attachment sent to users
2. Latch-on (Command & Control, CnC): anomalous system behavior and network communications
3. Expand: device contacting internal hosts in strange patterns
4. Gather: abnormal user behavior and data access patterns
5. Exfiltrate (Command & Control, CnC): movement of data in chunks or streams to unknown hosts
Building New Insights requires collecting and analyzing data from security infrastructure and beyond
Traditional Security Operations and Technology:
- Logs
- Events
- Alerts
- Configuration information
- System audit trails
- Identity context
- Network flows and anomalies
Big Data Analytics:
- External threat intelligence feeds
- Web page text
- E-mail and social activity
- Full packet and DNS captures
- Business process data
- Customer transactions
Brings New Considerations
Storage and Processing:
- Collection and integration
- Size and speed
- Enrichment and correlation
Analytics and Workflow:
- Visualization
- Unstructured analysis
- Learning and prediction
- Customization
- Sharing and export
Security has become a Big Data problem
Complementary analytics and workflow from IBM
Security Intelligence Platform:
- Real-time Processing: real-time data correlation; anomaly detection; event and flow normalization; security context & enrichment; distributed architecture
- Security Operations: pre-defined rules and reports; offense scoring & prioritization; activity and event graphing; compliance reporting; workflow management
Big Data Platform:
- Big Data Warehouse: long-term, multi-PB storage; unstructured and structured data; distributed infrastructure; preservation of raw data; Hadoop-based backend
- Analytics and Forensics: advanced visuals and interaction; predictive & decision modeling; ad hoc queries; spreadsheet UI for analysts; collaborative sharing tools; pluggable UI
Together: IBM Security Intelligence with Big Data
QRadar leverages Big Data to identify security threats
- New appliances with massive scale
- Payload indexing leveraging a purpose-built data store
- Google-like search of large data sets
- Intelligent data policy management
- Advanced threat visualization and impact analysis
- Enrichment with X-Force and external intelligence
Example QRadar use cases
- Behavior monitoring and flow analytics. Network traffic doesn't lie: attackers can stop logging and erase their tracks, but can't cut off the network (flow data)
- Activity and data access monitoring. Improved breach detection: 360-degree visibility helps distinguish true breaches from benign activity, in real time
- Stealthy malware detection. Irrefutable botnet communication: Layer 7 flow data shows botnet command and control instructions
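The latch-on and exfiltrate indicators from the "subtle indicators" slide, and the point above that flow data survives even when an attacker erases logs, can be checked directly against flow records. The Python below is an added example written for this page, not IBM or QRadar code: over constructed flow records it flags near-constant-interval beaconing to a destination outside an assumed known-good list, and large volumes leaving in equal-sized chunks to an unknown host. The KNOWN_GOOD set and the thresholds are assumptions.

```python
"""Flow-based indicator checks (added example, constructed data)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (epoch seconds, source host, destination, bytes out)
FLOWS = [
    (1000, "ws-17", "198.51.100.7", 512), (1300, "ws-17", "198.51.100.7", 510),
    (1600, "ws-17", "198.51.100.7", 515), (1900, "ws-17", "198.51.100.7", 508),
    (2200, "ws-17", "198.51.100.7", 511),
    (1010, "ws-17", "intranet.example.internal", 2300),
    (1400, "ws-17", "intranet.example.internal", 900),
    (1700, "ws-17", "intranet.example.internal", 4000),
    (3000, "db-02", "203.0.113.9", 1048576), (3007, "db-02", "203.0.113.9", 1048576),
    (3050, "db-02", "203.0.113.9", 1048576), (3052, "db-02", "203.0.113.9", 1048576),
]
KNOWN_GOOD = {"intranet.example.internal"}  # assumed allow-list of internal services

def group_by_pair(flows):
    """Group (timestamp, bytes) records by (source, destination) pair."""
    pairs = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        pairs[(src, dst)].append((ts, nbytes))
    return pairs

def _cv(values):
    """Coefficient of variation; 0 means perfectly regular."""
    m = mean(values)
    return pstdev(values) / m if m > 0 else float("inf")

def beaconing_pairs(flows, min_flows=4, max_cv=0.2):
    """Latch-on indicator: repeated contacts at near-constant intervals."""
    hits = []
    for (src, dst), recs in group_by_pair(flows).items():
        if dst in KNOWN_GOOD or len(recs) < min_flows:
            continue
        times = sorted(ts for ts, _ in recs)
        gaps = [b - a for a, b in zip(times, times[1:])]
        if _cv(gaps) <= max_cv:
            hits.append((src, dst))
    return hits

def chunked_exfil_pairs(flows, min_flows=4, min_total=2_000_000, max_cv=0.1):
    """Exfiltrate indicator: large volume leaving in equal-sized chunks."""
    hits = []
    for (src, dst), recs in group_by_pair(flows).items():
        if dst in KNOWN_GOOD or len(recs) < min_flows:
            continue
        sizes = [n for _, n in recs]
        if sum(sizes) >= min_total and _cv(sizes) <= max_cv:
            hits.append((src, dst))
    return hits
```

The irregularly timed but equal-sized transfers from db-02 are reported only by the exfiltration check, while the regular small contacts from ws-17 are reported only as beaconing; each indicator therefore catches a different stage.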
Extending Security Intelligence with additional Big Data analytics capabilities
IBM Security QRadar Security Intelligence Platform (fed by traditional data sources): data collection and enrichment; event correlation; real-time analytics; offense prioritization; advanced threat detection
Additional capabilities needed:
1. Analyze a variety of non-traditional and unstructured datasets
2. Significantly increase the volume of data stored for forensics and historic analysis
3. Visualize and query data in new ways
4. Integrate with my current operations
By integrating QRadar with IBM's Enterprise Hadoop-based offering
- Security Intelligence Platform: IBM Security QRadar (traditional data sources): data collection and enrichment; event correlation; real-time analytics; offense prioritization; advanced threat detection
- Big Data Platform: IBM InfoSphere BigInsights (traditional and non-traditional data sources): Hadoop-based; enterprise-grade; any data / volume; data mining; ad hoc analytics; custom analytics
- The two exchange real-time streaming insights
Extending Security Intelligence with Big Data: Advanced Security Analytics & Correlation Engine
Collect - Data Sources: security devices; server and host logs; network and virtual activity; database activity; application activity; vulnerability and config data; threat intelligence feeds; user activity and behavior; web, blogs & social activity; business transactions; unstructured data (e.g. email)
Store & Process - Real-time Processing: focus on hot, real-time data; event normalization; real-time correlation; data enrichment
Store & Process - Big Data Warehouse: storage for hot, warm & cold data; unstructured and structured; distributed infrastructure; preserves raw data; scalable platform; large-scale machine learning; Hadoop-based backend
Analyze - Security Operations: detailed security metrics; activity & event graphs; incident management; compliance reporting
Analyze - Big Data Security Workbench (Big Data Analytics and Forensics): advanced visuals and interaction; predictive and decision modeling; ad hoc and historical queries; transaction and geo analysis; custom reports and dashboards; pluggable UI; collaborative sharing tools
Security Intelligence with Big Data: Components and data flow
Collect - Data Sources: security and infrastructure data sources; external threat intelligence feeds; email, web, blogs and social activity
Store & Process - Real-time Processing: QRadar Security Intelligence Platform (watch list, custom rules)
Store & Process - Big Data Warehouse: InfoSphere BigInsights (Hadoop store for raw data; relational store for high-value information)
Analyze - Security Operations: QRadar Console (web interface)
Analyze - Big Data Analytics and Forensics: InfoSphere BigSheets; i2 Intelligence Analysis
Flow of data/information:
1. Data collection & enrichment (hot)
3. Forward (hot) & store (hot, warm, cold) data
5. Advanced visualizations and investigation (warm and cold)
Flow of knowledge:
2. Real-time insights (hot)
4. Big Data analysis, trends & history (warm and cold)
6. Enrich / adapt / improve
InfoSphere BigInsights: flexible, enterprise-class solution for processing large volumes of data
- BigInsights Basic Edition: free download with web support; limited to <= 10 TB of data (optional: 24x7 paid support, Core Fixed Term License); Hadoop; easy installation and programming
- BigInsights Enterprise Edition: tiered terabyte-based pricing; enterprise-grade features; analytics tooling / visualization; recoverability and security; administration tooling; development tooling; flexible storage; high availability
- Professional Services Offerings: QuickStart, Bootcamp, Education, Custom Development
Spear-phishing analysis (attacker -> target)
- User receives a risky email from a personal social network
- User is redirected to a malicious website
- A drive-by exploit is used to install malware on the target PC
Using Big Data to mine for trends within email
- Use BigInsights to identify phishing targets and redirects
- Build visualizations, such as heat maps, to view top targets
Loading phishing data and corresponding redirects to QRadar
Hunting for targeted C&C domains (attacker's side)
- Attacker registers or acquires a domain
- Compromised hosts phone home to attacker C&C servers
- Internal attacks lead to more infections
- Attacker changes the location of servers, but domains stay the same
- Hosts and servers phone home and exfiltrate data
Analyze historical DNS activity within the organization
Automate correlation against DNS registries
Advanced analytics identify suspicious domains
- Why only a few hits across the entire organization to these domains?
- Correlating to public DNS registry information increases suspicions
Importing results to QRadar for real-time analysis
- View real-time data and look for active connections
- Correlate against network activity and visualize
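The hunting procedure on the preceding slides (analyze historical DNS activity, ask why only a few hosts resolve a domain, then correlate with public registry data) is shown end to end in the Python below. It is an added example written for this page, not BigInsights or QRadar code, and runs on a constructed DNS query log and a constructed stand-in for registry creation dates; the domain names, hosts, dates and thresholds are all assumptions.

```python
"""Hunting targeted C&C domains in historical DNS logs (added example)."""
from collections import defaultdict
from datetime import date

# Constructed DNS query log: (client host, queried name, query date)
DNS_LOG = [
    ("ws-01", "www.example.com", date(2013, 5, 2)),
    ("ws-02", "www.example.com", date(2013, 5, 2)),
    ("ws-04", "mail.example.com", date(2013, 5, 3)),
    ("ws-17", "update.kewpz-updates.example", date(2013, 5, 4)),
    ("ws-17", "update.kewpz-updates.example", date(2013, 5, 5)),
    ("ws-22", "update.kewpz-updates.example", date(2013, 5, 5)),
    ("ws-09", "static.oldvendor.example", date(2013, 5, 6)),
    ("ws-31", "cdn.x9k2-tracker.example", date(2013, 5, 6)),
]
# Constructed stand-in for public registry (WHOIS-style) creation dates
REGISTRY = {
    "example.com": date(1995, 8, 14),
    "oldvendor.example": date(2004, 1, 10),
    "kewpz-updates.example": date(2013, 4, 28),
}

def registered_domain(qname):
    """Collapse a hostname to its registered domain (simple two-label rule)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def domain_stats(log):
    """Per registered domain: distinct querying hosts and first query date."""
    stats = defaultdict(lambda: {"clients": set(), "first_seen": None})
    for client, qname, day in log:
        s = stats[registered_domain(qname)]
        s["clients"].add(client)
        if s["first_seen"] is None or day < s["first_seen"]:
            s["first_seen"] = day
    return stats

def suspicious_domains(log, registry, max_clients=2, young_days=30):
    """Domains with only a few hits org-wide, enriched with registry age."""
    findings = {}
    for dom, s in domain_stats(log).items():
        if len(s["clients"]) > max_clients:
            continue  # queried widely across the organization
        reasons = ["queried by %d host(s)" % len(s["clients"])]
        created = registry.get(dom)
        if created is None:
            reasons.append("no registry record")
        elif (s["first_seen"] - created).days < young_days:
            reasons.append("registered %d day(s) before first query"
                           % (s["first_seen"] - created).days)
        findings[dom] = reasons
    return findings
```

A rarely queried but long-registered vendor domain stays in the output with a single reason, so the analyst can triage it apart from domains that were registered days before the first internal query or have no registry record at all.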
Key Takeaways
1. Traditional defenses are insufficient
2. Security has become a Big Data problem
3. Security Intelligence is a Big Data solution
4. New analysis can lead to new insights
Thank You!!!