Dealing with Big Data in Cyber Intelligence

Similar documents
Gregg Gerber. Strategic Engagement, Emerging Markets

Integrating MSS, SEP and NGFW to catch targeted APTs

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

Cisco & Big Data Security

Session 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness

Find the needle in the security haystack

Accenture Cyber Security Transformation. October 2015

WHITE PAPER: THREAT INTELLIGENCE RANKING

Product Roadmap Symantec Endpoint Protection Suzanne Konvicka & Paul Murgatroyd

IBM QRadar Security Intelligence April 2013

Continuous Network Monitoring

Combating a new generation of cybercriminal with in-depth security monitoring

QRadar SIEM and FireEye MPS Integration

Symantec Managed Security Services The Power To Protect

REVOLUTIONIZING ADVANCED THREAT PROTECTION

Combating a new generation of cybercriminal with in-depth security monitoring. 1 st Advanced Data Analysis Security Operation Center

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

End to End Security do Endpoint ao Datacenter

How To Manage Security On A Networked Computer System

Unified Security, ATP and more

GETTING REAL ABOUT SECURITY MANAGEMENT AND "BIG DATA"

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team

Eight Essential Elements for Effective Threat Intelligence Management May 2015

North American Electric Reliability Corporation (NERC) Cyber Security Standard

Symantec Cyber Security Services: DeepSight Intelligence

IBM Security IBM Corporation IBM Corporation

The SIEM Evaluator s Guide

Protecting against cyber threats and security breaches

Modern Cyber Threats. how yesterday s mind set gets in the way of securing tomorrow s critical infrastructure. Axel Wirth

PALANTIR CYBER An End-to-End Cyber Intelligence Platform for Analysis & Knowledge Management

JUNIPER NETWORKS SPOTLIGHT SECURE THREAT INTELLIGENCE PLATFORM

Advanced SOC Design. Next Generation Security Operations. Shane Harsch Senior Solutions Principal, MBA GCED CISSP RSA

Unified Security Management and Open Threat Exchange

Niara Security Analytics. Overview. Automatically detect attacks on the inside using machine learning

SANS Top 20 Critical Controls for Effective Cyber Defense

Mike Smart Cyber Strategist & Enterprise Security Solutions, EMEA. Cyber: The Catalyst to Transform the Security Program

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

The Next Generation Security Operations Center

COMPARISON OF FIXED & VARIABLE RATES (25 YEARS) CHARTERED BANK ADMINISTERED INTEREST RATES - PRIME BUSINESS*

COMPARISON OF FIXED & VARIABLE RATES (25 YEARS) CHARTERED BANK ADMINISTERED INTEREST RATES - PRIME BUSINESS*

Cyber Security Metrics Dashboards & Analytics

Symantec Protection Center Enterprise 3.0. Release Notes

Achieving Actionable Situational Awareness... McAfee ESM. Ad Quist, Sales Engineer NEEUR

The webinar will begin shortly

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence

CYBER4SIGHT TM THREAT INTELLIGENCE SERVICES ANTICIPATORY AND ACTIONABLE INTELLIGENCE TO FIGHT ADVANCED CYBER THREATS

Intelligence Driven Security

Security strategies to stay off the Børsen front page

IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE

APPLICATION PROGRAMMING INTERFACE

HP ArcSight User Behavior Analytics

Using SIEM for Real- Time Threat Detection

Gaining and Maintaining Support for a SOC. Jim Goddard Executive Director, Kaiser Permanente

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

Redefining SIEM to Real Time Security Intelligence

Vulnerability Risk Management 2.0. Best Practices for Managing Risk in the New Digital War

Big Data in Action: Behind the Scenes at Symantec with the World s Largest Threat Intelligence Data

SECURITY ANALYTICS MOVES TO REAL-TIME PROTECTION

Glasnost or Tyranny? You Can Have Secure and Open Networks!

ORGANIZADOR: APOIANTE PRINCIPAL:

THREAT VISIBILITY & VULNERABILITY ASSESSMENT

The Role of Threat Intelligence and Layered Security for Intrusion Prevention in the Post-Target Breach Era

with Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief

WHITE PAPER Cloud-Based, Automated Breach Detection. The Seculert Platform

Countering Insider Threats Jeremy Ho

Modern Approach to Incident Response: Automated Response Architecture

AT&T Global Network Client for Windows Product Support Matrix January 29, 2015

Payment Card Industry Data Security Standard

Cybersecurity the Old Fashioned Way: Pass Known Good

Release of the Draft Cybersecurity Procurement Language for Energy Delivery Systems

AMPLIFYING SECURITY INTELLIGENCE

Threat Center. Real-time multi-level threat detection, analysis, and automated remediation

RSA Security Analytics

EXTENDING NETWORK SECURITY: TAKING A THREAT CENTRIC APPROACH TO SECURITY

CyberArk Privileged Threat Analytics. Solution Brief

The Sophos Security Heartbeat:

Next Generation IPS and Reputation Services

Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst

IBM Security Intelligence Strategy

Risk Analytics for Cyber Security

Cyber4sight TM Threat. Anticipatory and Actionable Intelligence to Fight Advanced Cyber Threats

Incident Response. Proactive Incident Management. Sean Curran Director

ESG Brief. Overview by The Enterprise Strategy Group, Inc. All Rights Reserved.

Leading The World Into Connected Security. Dipl.-Inform., CISSP, S+ Rolf Haas Enterprise Technology Specialist Content Lead EMEA

Analyzing HTTP/HTTPS Traffic Logs

Advanced Visibility. Moving Beyond a Log Centric View. Matthew Gardiner, RSA & Richard Nichols, RSA

Stop advanced targeted attacks, identify high risk users and control Insider Threats

IBM Security QRadar SIEM & Fortinet FortiGate / FortiAnalyzer

Industrial Cyber Security Risk Manager. Proactively Monitor, Measure and Manage Cyber Security Risk

IBM Security Strategy

Accenture Intelligent Security for the Digital Enterprise. Archer s important role in solving today's pressing security challenges

Transcription:

Dealing with Big Data in Cyber Intelligence Greg Day Security CTO, EMEA, Symantec Session ID: HT-303 Session Classification: General Interest

What will I take away from this session? What is driving big data in cyber? How is cyber intelligence evolving to create big data? How can or should I use this in my company? Should I be gathering my own data?

APT s since 2010 3

(Advanced) Persistent Targeted attacks Time 4

there are unconfirmed reports of infections dating back to 2007 as well. Symantec Security Response Blog Flamer 29 May 2012 5

Attack Evolution (motive and methods evolve) 1980 s 2000 s 2010 2011 2012

Not so advanced - Taidoor (14+ variants) Negotiations - US and Taiwan modernization of Taiwan s air- force. Targets: primarily private industry and influential international think tanks involved Specifically those who have expertise in South Asia and South-East Asia policy and military strategy peaked during the US-Taiwan Defense Industry Conference held on September 18th-20th

Targeted Attacks by Sector and Function ISTR 2011 3.157% 3.005% Government & Public Sector 3.169% 4.291% 5.866% 25.428% 5.990% 6.247% 15.431% 13.507% Manufacturing Finance IT Services Chemical & Pharmaceutical Transport & Utilities Non-Profit Marketing & Media Education Retail June 2012 7% C-Level 6% Senior 25% R&D 23% Sales 8% Media 10% 12% Shared Mailbox 9% PA Recruitment 8

Rise in Targeted Attack Activity over Time Average nr of targeted attacks blocked per day Average nr of targeted attacks blocked per day 200 150 154.3 540 450 360 462.5 100 82.1 93.1 78.0 92.9 77.0 108.3 99.9 94.1 270 246.3 233.1 50 25.6 30.0 50.1 180 90 64.0 147.9 127.3 0 Jan Feb Mar Avr May Jun Jul Aug Sep Oct Nov Dec 0 Jan Feb Mar Avr May Jun 2011 2012

So are we catching these today? 10

We hear about it from the masses! 11

Process - Can you turn 2 million+ decisions into 10? Potential threats (Deepsight) Asset Inventory (ITSM) Relevance (ITSM & CCS VM) Internal intelligence (MSS & SSIM) Prioritize risk (CCS Risk Manager) Current asset state (CCS VM) Security countermeasures (SEP & Gateway) Remediate (Workflow & CCS) Potential risk Actual Risk Actual status Managed business risk

Realistically we wait for alarm bells to ring? 13

So how to solve the problem? 14

Rethink: Anatomy of an attack Risk Posture and Policies 1. Research Strong security awareness, counter intelligence 2. Incursion 3. Discovery 4. Capture Continuous enforcement of controls according to risk policy (mgmt and protection) Actively monitor infrastructure (endpoint to perimeter), information and users Control unusual internal movement and access of sensitive data 5. Exfiltrate Counter intelligence, forensics, damage mitigations and information recovery 15

Enabling Cyber in a world of big data 1. Cyber Intelligence (what may and is happening) to anyone or just to me? 2. What does this actually mean to me? 3. What should I do Prevent Respond 16

Can I enhance my security with better Cyber Intel Looking for better Intel/early warning systems Specific contextual intelligence Briefings on new specific threats and the mitigations Correlation and awareness between our industry data and the your environment; help in prioritizing, defining risk and response Response to incident Contextual data Geneology how to prioritize and action events and incidents

Internal External New Intelligence requirements Big data! Malware URL /Domain Vulnerability/ Attack IP File Mobile Scam/Sta bility Correlation (220mil rows per day, ½ Petabyte per Yr, 1.7 trillion+ rows todate) Internal intelligence (Logs, SIEM tools, Threat analysis, Behavoural/Heurisitcs, etc..) Analysis What does this mean to me? 18

Security Industry example File reputation 2 Rate nearly every file on the internet 4 Check the DB during scans 2.5+ billion files 1 175+ million PCs Is it new? Bad reputation? Prevalence Age 5 Provide actionable data 3 Look for associations Source Behavior Associations 19

IP reputation being able to mine the data (genealogy) 2 0

Smart File Reputation All about the correlation Over 100 Billion Associations Symantec Big Data Security 21

Big Data scalability & speed Understand your time frame requirements! E.g: File reputation: Based on who downloads - what from where - Not just how many times a file is downloaded. 2 million URLs When one machine downloads a file, all reputations must be re-calculated! 6.3 billion files 175+ million machines That s over 100 billion associations that must be refreshed every few hours from 2Billion+ queries!

It s all about the information How do you apply the data? 23

How to leverage cyber intelligence Security products Security industry data Managed Security Services (MSS) Summary feed Query-able data Contextual/Meta Data 24 Logs, SIEMs Threat Analysis

Some key questions for you to contemplate 1. What intelligence do you gather today? 2. What intelligence should you be gathering? How long do you keep it? 3. What external data do you receive? 4. How are you going to correlate the data? So you have the expertise & resources? 5. How are you prioritizing the data? 6. What is an acceptable timescale to analyze? 25

Why do you need better intelligence? Increase detection of malware Identify/prevent targeted persistent attacks Understand the threat genealogy Who what where and why Post attack forensic analysis Prioritize your responses? 26

Correlated cyber intel output: Sykipot (2011) More Info: Detailed review in: The Sykipot Attacks, Symantec Connect Blog http://www.symantec.com/con nect/blogs/sykipot-attacks Long-running, very focused campaigns Targets Defense industries, Governments, etc

Understand the anatomy and geneology 3 attackers 52 emails sent on 3 dates Targeting 30 mailboxes of 2 Defense industries

Understand the techniques/objectives Commands received by Sykipot ipconfig /all netstat ano net start net group "domain admins" /domain tasklist /v dir c:\*.url /s dir c:\*.pdf /s dir c:\*.doc /s net localgroup administrators type c:\boot.ini systeminfo

Elderwood project connecting the Dots! Hydraq/Aurora + many more A platform is a technical term for the integrated building blocks used by software developers There is evidence that the Elderwood group have a platform that they use to build the components of their attacks Consistent document file used across multiple campaigns Common SWF file used to trigger exploit code Automated registration of domain names Automated intelligence gathering on targets Tool to automate generation of web-based email accounts December, 2010 CVE -2010-0249 March, 2011 CVE -2011-0609 June, 2011 CVE -2011-2110 CVE -2012-1875 2010 2011 2012 April, 2011 CVE -2011-0611 April 24, 2012 CVE -2012-0779 May 7, 2012 May 30, 2012 CVE -2012-1889 August 15, 2012 CVE -2012-1535 30

How to leverage the data? 31

The Current Paradigms Have It Backwards. Systems with Vulnerabilities & Exposures, 2 Incidents, New Threats. Systems with Sensitive Information that Support Critical Business 20 processes. 100 Systems without compensating controls. Critical Business Processes at Risk. 400

Visualization & Risk modeling evolution 33

Summary - What do I differently tomorrow? 1. Do you know if you have been breached? a. We need to better understand our own environments (own big data) Infrastructure, users, information b. Record everything or focus on high impact areas? Profile to baseline normal c. 3 rd parties/supply chain can be the weak link 2. Accept that you have or will be breached, what do you do? Too much information, how do you spot the wood for the trees? Do you have the forensics? 3. What is an acceptable breach? 34

Summary - What do I differently tomorrow? 3. What external feeds are you using today? a. Do you monitor social channels for chatter of a breach? b. What Intelligence feeds do you receive/use? Are you gathering attack or attack attribute data? Reputational data? 4. Do you have the skills and the tools? a. Big analyst skills requirement! b. What is the right big data tool for you? c. How do you correlate to business impact? 35

Summary - What do I differently tomorrow? 5. Be clear on your objectives for big data a. Detection (During or after)? b. Forensics? c. Better business response? What is the appropriate timescales for these? 6. Do I have the resource to do this internally or should I outsource? 36

Summary Cyber Intel key to future success as targeted attacks evolve, requires correlation of your intelligence data and external data 1. Recognize there is more to threat mitigation than real-time defense 2. Do you correlate your existing internal security data (State/Incident)? 3. Are you leveraging the security industry big data that already exists today? In Security products or your Incident Response teams? 4. How do/will you correlate suspicious activities into something meaningful? 5. How do/will you visualize/prioritize your response activities? 6. Do you have the budget/resource/capability to achieve this or should you outsource the solution? 37

Thank you Greg Day Security CTO EMEA Symantec Twitter: GregDaySecurity 38

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information