Slide 1: Security & Big Data: Security Intelligence helps companies defend against cyber-attacks
Giovanni Abbadessa, IBM IT Security Architect
Umberto Sansovini, IBM Security Consultant
Slide 2: Please note
IBM's statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM's sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion. Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
Slide 3: Big Data facts
- Big data analytics is delivering value today: 90% of all data was created in the last two years [1]
- Big data analytics has the potential to reduce cyber security risk and increase agility
- Big data analytics is challenging, but manageable: the market is expected to grow from US$3.2 billion in 2010 to US$16.9 billion in 2015 [2]
- Existing big data analytics capabilities can be leveraged to improve information security. For example, financial institutions already use sophisticated analytics systems for anti-fraud and anti-money-laundering, and airlines continuously analyse their customers' behaviour in order to propose ad-hoc offers.
[1] public.dhe.ibm.com/common/ssi/ecm/en/pos03099usen/pos03099usen.pdf
[2] www.idc.com/getdoc.jsp?containerid=prus23355112
Slide 4: Innovative technology changes everything
- 1 trillion connected objects
- 1 billion mobile workers
- Social business
- Bring your own IT
- Cloud and virtualization
Slide 5: Attacker motivations are rapidly escalating

Motivation           | Actors                            | Example
National security    | Nation-state actors               | Stuxnet
Espionage, activism  | Sponsored groups and hacktivists  | Aurora
Monetary gain        | Organized crime                   | Zeus
Revenge, curiosity   | Insiders and script-kiddies       | Code Red
Slide 6: Organized groups are using multiple techniques
- Using social networking and social engineering to perform reconnaissance on spear-phishing targets, leading to compromised hosts and accounts
- Infiltrating a trusted partner and then loading malware onto the target's network
- Creating designer malware tailored to only infect the target organization, preventing positive identification by security vendors
- Exploiting zero-day vulnerabilities to gain access to data, applications, systems, and endpoints
- Communicating over accepted channels such as port 80 to exfiltrate data from the organization
Slide 7: Security Intelligence is enabling progress to optimized security

Security Intelligence layer (spans all four domains): Information and event management; Advanced correlation and deep analytics; External threat research

Maturity   | People                                                              | Data                                                                  | Applications                                       | Infrastructure
Optimized  | Role-based analytics; Identity governance; Privileged user controls | Data flow analytics; Data governance                                  | Secure app engineering processes; Fraud detection  | Advanced network monitoring; Forensics / data mining; Security-rich systems
Proficient | User provisioning; Access management; Strong authentication         | Database activity monitoring; Access monitoring; Data loss prevention | Application firewall; Source code scanning         | Virtualization security; Asset management; Endpoint / network security management
Basic      | Centralized directory                                               | Encryption; Access control                                            | Application scanning                               | Perimeter security; Anti-virus
Slide 8: What I can get from Big Data to better protect my enterprise
Examples of information security using Big Data and Security Analytics:
- Monitoring security incidents and events
- Producing cyber intelligence
- Addressing phishing
- Keeping systems available
- Discovering a breach
- Identifying threat trends and evolution
- Detecting an embedded cyber attack
Slide 9: How to use Big Data to improve security?
Big Data analysis process -> Security insight
Ingredients: Experts, Tools, Methods, Visualization
Slide 10: Permutations of malicious identifiers are limitless

Domain          | IP address        | File checksum (MD5)
dogpile.com     | 117.0.178.252     | c69d172078b439545dfff28f3d3aacc1
kewww.com.cn    | 83.14.12.218      | 51e65e6c798b03452ef7ae3d03343d8f
ynnsuue.com     | 94.23.71.55       | 6bb6b9ce713a00d3773cfcecef515e02
wpoellk.com     | 103.23.244.254    | c5907f5e2b715bb66b7d4b87ba6e91e7
moveinent.com   | 62.28.6.52        | bf30759c3b0e482813f0d1c324698ae8
moptesoft.com   | 202.231.248.207   | 6391908ec103847c69646dcbc667df42
varygas.com     | 175.106.81.66     | 23c4dc14d14c5d54e14ea38db2da7115
earexcept.com   | 217.112.94.236    | 208066ea6c0c4e875d777276a111543e
fullrow.com     | 119.252.46.32     | 00b3bd8d75afd437c1939d8617edc22f
colonytop.com   | 180.214.243.243   | 01e22cce71206cf01f9e863dcbf0fd3f
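Added example (not part of the deck and not IBM or QRadar code): a small Python watch-list matcher that shows why a plain string comparison against a list like the one above misses trivial variants. It normalizes case, trailing dots and a leading "www." on domain names, matches subdomains of a watch-listed apex, canonicalizes IP addresses and lower-cases hashes, then runs over a few constructed key=value log lines. The watch-list values are a subset of the slide's three columns; the log lines and the field names (host, dst, md5, ...) are constructed assumptions.

```python
import ipaddress
import re

# Watch-list values: a subset of the three columns on the slide.
WATCH_DOMAINS = {"kewww.com.cn", "ynnsuue.com", "wpoellk.com", "moveinent.com"}
WATCH_IPS = {"94.23.71.55", "83.14.12.218", "217.112.94.236"}
WATCH_HASHES = {"c69d172078b439545dfff28f3d3aacc1", "51e65e6c798b03452ef7ae3d03343d8f"}

# Constructed log lines (proxy, antivirus, resolver) in a key=value style; not real data.
SAMPLE_LOG = [
    "2013-05-06T10:01:13Z proxy src=10.1.2.3 dst=94.23.71.55 host=Update.KEWWW.com.cn. status=200",
    "2013-05-06T10:01:20Z av endpoint=ws-17 file=invoice.exe md5=C69D172078B439545DFFF28F3D3AACC1 action=quarantine",
    "2013-05-06T10:02:00Z dns src=10.1.2.9 query=mail.corp.example. type=MX",
    "2013-05-06T10:03:41Z proxy src=10.1.2.5 dst=198.51.100.7 host=cdn.vendor.example status=304",
]

KV = re.compile(r"(\w+)=(\S+)")


def normalize_domain(name: str) -> str:
    """Case, a trailing dot and a leading 'www.' are cosmetic variants of one name."""
    name = name.strip().rstrip(".").lower()
    return name[4:] if name.startswith("www.") else name


def parent_domains(name: str):
    """Yield the name and each parent (a.b.c -> b.c) so that a watch-listed apex
    also matches its subdomains; the bare TLD is not yielded."""
    labels = name.split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def match_line(line: str) -> list:
    """Return (indicator_type, value) pairs found in one key=value log line."""
    fields = dict(KV.findall(line))
    hits = []
    for key in ("host", "query", "domain"):
        if key in fields:
            for candidate in parent_domains(normalize_domain(fields[key])):
                if candidate in WATCH_DOMAINS:
                    hits.append(("domain", candidate))
                    break
    for key in ("src", "dst"):
        if key in fields:
            try:
                ip = str(ipaddress.ip_address(fields[key]))  # canonical text form
            except ValueError:
                continue  # not an IP address (e.g. a hostname): skip
            if ip in WATCH_IPS:
                hits.append(("ip", ip))
    for key in ("md5", "sha1", "sha256"):
        if key in fields and fields[key].lower() in WATCH_HASHES:
            hits.append(("hash", fields[key].lower()))
    return hits


def scan(lines):
    """Return (timestamp, hits) for every line with at least one watch-list hit."""
    results = []
    for line in lines:
        hits = match_line(line)
        if hits:
            results.append((line.split()[0], hits))
    return results


if __name__ == "__main__":
    for ts, hits in scan(SAMPLE_LOG):
        print(ts, hits)
```

The first constructed line matches twice (a subdomain of a listed apex, written in mixed case with a trailing dot, plus a listed destination address); the antivirus line matches on an upper-case MD5. Exact-string matching would have missed both, which is the point of the slide: the identifiers keep mutating, so matching has to be done on normalized forms.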
Slide 11: The result: attackers are bypassing traditional security defenses
Slide 12: We need a new approach
Image retrieved from http://melroseedcd.com/?p=1
Slide 13: A change in mindset is already happening
- From "Audit, Patch & Block" to "Detect, Analyze & Remediate"
- From "Think like a defender, defense-in-depth" to "Think like an attacker, counter intelligence"
Slide 14: By monitoring for subtle indicators across all fronts
1. Break-in: spoofed email with malicious file attachment sent to users
2. Latch-on (Command & Control, CnC): anomalous system behavior and network communications
3. Expand: device contacting internal hosts in strange patterns
4. Gather: abnormal user behavior and data access patterns
5. Exfiltrate (Command & Control, CnC): movement of data in chunks or streams to unknown hosts
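Added example (not from the deck and not QRadar's rule engine): a Python correlation that chains the five stages above into one scored offense per host, the way a SIEM combines subtle indicators that each come from a different sensor. Any single stage is weak evidence; three or more distinct stages on the same host inside a time window is what raises an offense. The event timeline is constructed, and the 48-hour window, the three-stage threshold and the scoring weights are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Stage numbers and names as listed on the slide.
STAGES = {1: "Break-in", 2: "Latch-on", 3: "Expand", 4: "Gather", 5: "Exfiltrate"}


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed events: (time, host, stage). In practice each stage comes from a different
# sensor: mail gateway (1), proxy/flow anomaly (2), internal flow patterns (3),
# file or database access monitoring (4), outbound flows to unknown hosts (5).
EVENTS = [
    (_t("2013-05-06 09:00"), "ws-17", 1),  # mail with malicious attachment delivered
    (_t("2013-05-06 09:05"), "ws-17", 2),  # periodic outbound HTTP to an unknown host
    (_t("2013-05-07 11:00"), "ws-17", 3),  # connections to many internal hosts
    (_t("2013-05-07 14:00"), "ws-17", 4),  # bulk reads from a file share
    (_t("2013-05-07 15:30"), "ws-17", 5),  # large chunked upload to an external host
    (_t("2013-05-06 09:00"), "ws-40", 1),  # same campaign, did not progress as far
    (_t("2013-05-06 12:00"), "ws-40", 2),
    (_t("2013-05-07 09:00"), "ws-40", 4),
    (_t("2013-05-06 10:00"), "ws-22", 2),  # two isolated anomalies: below threshold
    (_t("2013-05-06 10:30"), "ws-22", 3),
    (_t("2013-05-06 08:00"), "db-01", 2),  # third stage falls outside the window
    (_t("2013-05-06 08:10"), "db-01", 4),
    (_t("2013-05-08 12:00"), "db-01", 3),
]


def score_offense(first_seen: dict) -> int:
    """first_seen maps stage -> first timestamp. 10 points per distinct stage,
    10 per consecutive pair observed in kill-chain order, 20 if exfiltration was seen."""
    ordered = sorted(first_seen, key=first_seen.get)
    in_order = sum(1 for a, b in zip(ordered, ordered[1:]) if b > a)
    return 10 * len(first_seen) + 10 * in_order + (20 if 5 in first_seen else 0)


def build_offenses(events, window=timedelta(hours=48), min_stages=3):
    """One offense per host whose events show at least min_stages distinct stages
    inside a sliding window; the best-scoring window is kept."""
    by_host = defaultdict(list)
    for ts, host, stage in sorted(events):
        by_host[host].append((ts, stage))
    offenses = []
    for host, evs in by_host.items():
        best = None
        for i, (start, _) in enumerate(evs):
            first_seen = {}
            for ts, stage in evs[i:]:
                if ts - start > window:
                    break
                first_seen.setdefault(stage, ts)
            if len(first_seen) < min_stages:
                continue
            score = score_offense(first_seen)
            if best is None or score > best["score"]:
                best = {"host": host, "score": score, "start": start,
                        "stages": [STAGES[s] for s in sorted(first_seen)]}
        if best is not None:
            offenses.append(best)
    return sorted(offenses, key=lambda o: -o["score"])


if __name__ == "__main__":
    for off in build_offenses(EVENTS):
        print(off["host"], off["score"], off["stages"])
```

On the constructed timeline only ws-17 (all five stages, in order) and ws-40 (three stages) produce offenses; ws-22 shows two anomalies and db-01 shows three stages spread over more than 48 hours, so neither crosses the threshold. In a real deployment a late-stage indicator such as exfiltration would also carry a rule of its own rather than waiting for a chain.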
Slide 15: Building new insights requires collecting and analyzing data from security infrastructure and beyond
- Traditional security operations and technology: logs; events; alerts; configuration information; system audit trails; network flows and anomalies; external threat intelligence feeds
- Big Data analytics: web page text; e-mail and social activity; identity context; full packet and DNS captures; business process data; customer transactions
Slide 16: Brings new considerations
- Storage and processing: collection and integration; size and speed; enrichment and correlation
- Analytics and workflow: visualization; unstructured analysis; learning and prediction; customization; sharing and export
Slide 17: Security has become a Big Data problem
Slide 18: Complementary analytics and workflow from IBM (IBM Security Intelligence with Big Data)
Security Intelligence Platform:
- Real-time processing: real-time data correlation; anomaly detection; event and flow normalization; security context & enrichment; distributed architecture
- Security operations: pre-defined rules and reports; offense scoring & prioritization; activity and event graphing; compliance reporting; workflow management
Big Data Platform:
- Big Data warehouse: long-term, multi-PB storage; unstructured and structured; distributed infrastructure; preservation of raw data; Hadoop-based backend
- Analytics and forensics: advanced visuals and interaction; predictive & decision modeling; ad hoc queries; spreadsheet UI for analysts; collaborative sharing tools; pluggable UI
Slide 19: QRadar leverages Big Data to identify security threats
- New appliances with massive scale
- Payload indexing leveraging a purpose-built data store
- Google-like search of large data sets
- Intelligent data policy management
- Advanced threat visualization and impact analysis
- Enrichment with X-Force and external intelligence
Slide 20: Example QRadar use cases
- Behavior monitoring and flow analytics: network traffic doesn't lie. Attackers can stop logging and erase their tracks, but can't cut off the network (flow data).
- Activity and data access monitoring: improved breach detection. 360-degree visibility helps distinguish true breaches from benign activity, in real time.
- Stealthy malware detection: irrefutable botnet communication. Layer 7 flow data shows botnet command and control instructions.
Slide 21: Extending Security Intelligence with additional Big Data analytics capabilities
Security Intelligence Platform (IBM Security QRadar): data collection and enrichment; event correlation; real-time analytics; offense prioritization. Input: traditional data sources. Output: advanced threat detection.
Additional capabilities required:
1. Analyze a variety of non-traditional and unstructured datasets
2. Significantly increase the volume of data stored for forensics and historic analysis
3. Visualize and query data in new ways
4. Integrate with my current operations
Slide 22: By integrating QRadar with IBM's enterprise Hadoop-based offering
- Security Intelligence Platform (IBM Security QRadar): data collection and enrichment; event correlation; real-time analytics; offense prioritization -> advanced threat detection, real-time streaming insights
- Big Data Platform (IBM InfoSphere BigInsights): Hadoop-based; enterprise-grade; any data / volume; data mining; ad hoc analytics -> custom analytics
- Inputs: traditional and non-traditional data sources
Slide 23: Extending Security Intelligence with Big Data: Advanced Security Analytics & Correlation Engine
Collect (data sources): security devices; server and host logs; network and virtual activity; database activity; application activity; vulnerability and config data; threat intelligence feeds; user activity and behavior; web, blogs & social activity; business transactions; unstructured data (e.g. email)
Store & process:
- Real-time processing: focus on HOT, real-time data; event normalization; real-time correlation; data enrichment
- Big Data warehouse: storage for hot, warm & cold data; unstructured and structured; distributed infrastructure; preserves raw data; scalable platform; large-scale machine learning; Hadoop-based backend
Analyze:
- Security operations: detailed security metrics; activity & event graphs; incident management; compliance reporting
- Big Data Security Workbench (Big Data analytics and forensics): advanced visuals and interaction; predictive and decision modeling; ad hoc and historical queries; transaction and geo analysis; custom reports and dashboards; pluggable UI; collaborative sharing tools
Slide 24: Security Intelligence with Big Data: components and data flow
Collect (data sources): security and infrastructure data sources; external threat intelligence feeds; email, web, blogs, and social activity
Store & process:
- Real-time processing: QRadar Security Intelligence Platform, with watch lists and custom rules
- Big Data warehouse: InfoSphere BigInsights, with a Hadoop store for raw data and a relational store for high-value information
Analyze:
- Security operations: QRadar Console (web interface)
- Big Data analytics and forensics: InfoSphere BigSheets; i2 Intelligence Analysis
Flow of data/information:
1. Data collection & enrichment (hot)
3. Forward (hot) & store (hot, warm, cold) data
5. Advanced visualizations and investigation (warm and cold)
Flow of knowledge:
2. Real-time insights (hot)
4. Big Data analysis, trends & history (warm and cold)
6. Enrich / adapt / improve
Slide 25: InfoSphere BigInsights: flexible, enterprise-class solution for processing large volumes of data
- BigInsights Basic Edition: free download with web support; limited to <= 10 TB of data (optional: 24x7 paid support, Core Fixed Term License); Hadoop; easy installation and programming
- BigInsights Enterprise Edition: tiered terabyte-based pricing; enterprise-grade features; analytics tooling / visualization; recoverability; security; administration tooling; development tooling; flexible storage; high availability
- Professional services offerings: QuickStart, Bootcamp, Education, Custom Development
Slide 26: Spear-phishing analysis (attacker -> target)
1. User receives risky email from personal social network
2. User is redirected to a malicious website
3. Drive-by exploit is used to install malware on target PC
Slide 27: Using Big Data to mine for trends within email
- Use BigInsights to identify phishing targets and redirects
- Build visualizations, such as heat maps, to view top targets
Slide 28: Loading phishing data and corresponding redirects to QRadar
Slide 29: Hunting for targeted C&C domains
1. Attacker registers or acquires a domain
2. Compromised hosts phone home to attacker C&C servers
3. Internal attacks lead to more infections
4. Attacker changes the location of servers, but domains stay the same
5. Hosts and servers phone home and exfiltrate data
Slide 30: Analyze historical DNS activity within the organization
Slide 31: Automate correlation against DNS registries
Slide 32: Advanced analytics identify suspicious domains
- Why only a few hits across the entire organization to these domains?
- Correlating to public DNS registry information increases suspicions
Slide 33: Importing results to QRadar for real-time analysis
- View real-time data and look for active connections
- Correlate against network activity and visualize
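Added example covering slides 29 to 33 (not from the deck, and not BigInsights or QRadar code): a Python hunt over a constructed resolver log that does the three things the slides describe. It counts how many distinct internal hosts queried each registrable domain (the "why only a few hits across the organization" question), correlates the rarely queried ones with constructed registry records (a recent creation date or a missing record), and checks whether a host queries the domain at a near-constant interval, the phone-home pattern from slide 29. The .example names are reserved stand-ins for the organisation's own and its vendors' domains; wpoellk.com and ynnsuue.com are names from slide 10, and their registry data here is made up.

```python
import re
import statistics
from collections import defaultdict
from datetime import date, datetime

# Constructed resolver log, one query per line; not data from the deck.
DNS_LOG = """
2013-05-06T08:12:01Z src=10.1.2.3 query=www.corp.example. type=A
2013-05-06T08:12:05Z src=10.1.2.4 query=www.corp.example. type=A
2013-05-06T08:12:09Z src=10.1.2.5 query=mail.corp.example. type=MX
2013-05-06T08:13:44Z src=10.1.2.3 query=cdn.vendor.example. type=A
2013-05-06T08:14:02Z src=10.1.2.9 query=cdn.vendor.example. type=A
2013-05-06T08:14:30Z src=10.1.2.7 query=cdn.vendor.example. type=A
2013-05-06T09:01:10Z src=10.1.2.3 query=up.wpoellk.com. type=A
2013-05-06T09:31:11Z src=10.1.2.3 query=up.wpoellk.com. type=A
2013-05-06T10:01:12Z src=10.1.2.3 query=up.wpoellk.com. type=A
2013-05-06T11:20:00Z src=10.1.2.8 query=ynnsuue.com. type=A
2013-05-06T11:50:00Z src=10.1.2.3 query=ynnsuue.com. type=A
2013-05-06T12:00:00Z src=10.1.2.6 query=portal.oldvendor.example. type=A
""".strip().splitlines()

# Constructed registry (WHOIS-style) creation dates keyed by registrable domain.
# wpoellk.com and ynnsuue.com are names from slide 10; their registry data is made up.
REGISTRY = {
    "corp.example": date(1999, 3, 1),
    "vendor.example": date(2004, 6, 12),
    "oldvendor.example": date(2005, 1, 15),
    "wpoellk.com": date(2013, 4, 29),
    # ynnsuue.com deliberately absent: the lookup returned nothing
}
AS_OF = date(2013, 5, 6)  # the day the analysis is run (constructed)

LINE = re.compile(r"^(\S+) src=(\S+) query=(\S+) type=(\S+)$")


def registrable(name: str) -> str:
    """Naive apex extraction (last two labels); production code should use the
    public suffix list so that names under e.g. co.uk are handled correctly."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse(lines):
    for line in lines:
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), registrable(m.group(3))


def is_regular_beacon(timestamps, min_queries=3, max_jitter=0.1):
    """True when at least min_queries queries are spaced at near-constant intervals
    (coefficient of variation of the gaps <= max_jitter)."""
    if len(timestamps) < min_queries:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    return mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter


def hunt(lines, registry, as_of, max_hosts=2, max_age_days=30):
    """Rank rarely queried domains by how many independent suspicions they attract."""
    hosts = defaultdict(set)      # domain -> querying hosts
    queries = defaultdict(list)   # (host, domain) -> query times
    for ts, src, dom in parse(lines):
        hosts[dom].add(src)
        queries[(src, dom)].append(ts)
    findings = []
    for dom, srcs in hosts.items():
        if len(srcs) > max_hosts:  # common across the organisation: not a candidate
            continue
        reasons, score = [f"queried by only {len(srcs)} host(s)"], 1
        created = registry.get(dom)
        if created is None:
            reasons.append("no registry record")
            score += 1
        elif (as_of - created).days <= max_age_days:
            reasons.append(f"registered {(as_of - created).days} days ago")
            score += 2
        if any(is_regular_beacon(queries[(s, dom)]) for s in srcs):
            reasons.append("near-constant query interval (beacon-like)")
            score += 2
        findings.append({"domain": dom, "hosts": sorted(srcs), "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: (-f["score"], f["domain"]))


def run_hunt():
    return hunt(DNS_LOG, REGISTRY, AS_OF)


if __name__ == "__main__":
    for f in run_hunt():
        print(f["score"], f["domain"], f["hosts"], "; ".join(f["reasons"]))
```

On the constructed data the domain queried by one host every 30 minutes and registered a week earlier ranks first, the two-host domain with no registry record second, and the old vendor portal queried by a single host last: rarity alone is a weak signal, and the registry and timing correlation is what separates the candidates, which is the argument slides 31 and 32 make. The ranked list is what would then be loaded into the SIEM as a watch list for real-time matching (slide 33).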
Slide 34: Key takeaways
1. Traditional defenses are insufficient
2. Security has become a Big Data problem
3. Security Intelligence is a Big Data solution
4. New analysis can lead to new insights
Thank you!
Acknowledgements and Disclaimers: Availability. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided for informational purposes only, and are neither intended to, nor shall have the effect of being, legal or other guidance or advice to any participant. While efforts were made to verify the completeness and accuracy of the information contained in this presentation, it is provided AS-IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this presentation or any other materials. Nothing contained in this presentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results. Copyright IBM Corporation 2013. All rights reserved. U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. 