Making Sense out of the Security Operations
Gaweł Mikołajczyk, gmikolaj@cisco.com
Cisco Public
CONFidence 2012: https://www.youtube.com/watch?v=ebi1xlmg5xe
CONFidence 2016, Network Security Treasures: https://www.youtube.com/watch?v=oc4dgpis8b4
CONFidence 2016, Real World Threat Hunting: https://www.youtube.com/watch?v=yy-ljpovpgy
Four Pillars of Security Operations (with Operationalization at the centre)
People: advanced expertise; security research; security talent shortage
Analytics: near real-time analytics; anomaly detection through statistical analysis; zero-day threat focus; deterministic rules; data science for behavioral analysis
Intelligence: access to actionable sources of intelligence: Cisco intelligence, customer intelligence, open source intelligence
Technology: Hadoop for scalability and redundancy; streaming analytics focused on security; event intel and focused enrichment; full packet capture
I. People in Security Operations
Roles and responsibilities: assume 24/7 operations. How many people do we need? Shift-based coverage model. How to share information and collaborate? Define the skills, roles and responsibilities. IT vs OT.
Core Operations and Supporting Functions:
- Security Analysts (tiered), Security Investigators
- Incident Response / Forensics
- Incident and Change
- Security Engineering, Automation / Toolset Development
- Industry / Homegrown Threat Intelligence Expertise
- Detection Engines Development and Tuning
- Data Science, Analytics Expertise
- Core System / Platform Development and Security R&D
- Non-technical Functions: Engagement / Escalations / Projects
II. Security Analytics
Deterministic Rules-Based Analytics (DRB)
  Benefits: mature method of analysis; covers the majority of known threats
  Challenges: requires tuning; depends on prior knowledge of threat behavior; does not address polymorphic malware
Statistical Rules-Based Analytics (SRB)
  Benefits: provides anomaly detection based on both volume and velocity of data clusters; enables trend forecasting
  Challenges: produces false positives; requires significant storage and compute; allows only a single variable to be analyzed per model
Data Science-Centric Analytics (DSC)
  Benefits: captures and stores large data sets in raw format (data lake); classifies events and creates behavior profiles of the data captured
  Challenges: models are generally customer-specific and use-case focused; requires significant storage and compute
Practical Use Case: OpenDNS Spike Rank (SPRank)
Detects spikes in network traffic using mathematical concepts from wave analysis, of the kind used in sound wave analysis (e.g. Shazam, Pandora).
http://blogs.cisco.com/security/how-opendns-predicts-attacks-when-hacker-infrastructure-is-cheap-and-plenty#more-182559
2015 Cisco and/or its affiliates. All rights reserved.
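The DRB and SRB columns of the analytics slide, and the spike-detection idea behind the SPRank use case, side by side on one series. This is an added illustration, not Cisco or OpenDNS code: the detector below scores one variable (query volume) against a rolling baseline, which is not SPRank's wave-analysis method, and the hourly counts and the known-bad list are constructed for the example.

```python
"""Deterministic rules versus statistical anomaly detection, side by side.

Added illustration, not Cisco or OpenDNS code: the spike detector is a
plain rolling-baseline score over one variable (query volume), not the
wave-analysis approach SPRank uses. All data below is constructed."""
from statistics import mean, median, pstdev

# Constructed data: 24 hourly query counts for one domain. Baseline traffic
# sits around 100; hours 17 and 18 carry a sudden burst.
HOURLY_QUERIES = [98, 102, 97, 105, 99, 101, 100, 103, 96, 104, 100, 98,
                  101, 99, 102, 97, 100, 480, 520, 103, 99, 101, 100, 98]

# Constructed threat-intel list standing in for a deterministic rule feed.
KNOWN_BAD_DOMAINS = {"evil-update.example", "c2.badhost.example"}


def deterministic_rule(domain):
    """DRB: fires only on prior knowledge (an exact match on a known-bad
    indicator). Precise, but misses anything not already on the list,
    which is the limitation the slide names."""
    return domain.lower().rstrip(".") in KNOWN_BAD_DOMAINS


def mean_std_spikes(series, window=8, threshold=3.0):
    """SRB, naive form: flag hour i when it sits more than `threshold`
    standard deviations above the mean of the preceding `window` hours.
    One variable per model; the first spike inflates the baseline, so
    hour 18 is missed (its z is about 2.96, just under the threshold)."""
    spikes = []
    for i in range(window, len(series)):
        base = series[i - window:i]
        mu, sigma = mean(base), pstdev(base)
        if sigma == 0:
            continue  # flat baseline: no scale to judge a deviation against
        z = (series[i] - mu) / sigma
        if z > threshold:
            spikes.append((i, round(z, 1)))
    return spikes


def robust_spikes(series, window=8, threshold=5.0):
    """SRB, robust form: same idea with median and median absolute deviation
    (MAD) as the baseline, so one earlier outlier does not hide the next.
    The threshold is in MAD units and still needs tuning per source; set
    too low on a noisy baseline it produces the false positives the slide
    warns about."""
    spikes = []
    for i in range(window, len(series)):
        base = series[i - window:i]
        med = median(base)
        mad = median(abs(x - med) for x in base)
        if mad == 0:
            continue  # more than half the window is identical: no scale
        score = (series[i] - med) / mad
        if score > threshold:
            spikes.append((i, round(score, 1)))
    return spikes


if __name__ == "__main__":
    print("rule hit:", deterministic_rule("EVIL-update.example."))
    print("mean/std spikes:", mean_std_spikes(HOURLY_QUERIES))
    print("median/MAD spikes:", robust_spikes(HOURLY_QUERIES))
```

The two statistical detectors differ only in their baseline, yet the naive one reports a single spike and the robust one both; that gap is the "requires tuning" and "single variable per model" cost of SRB made concrete, and it is why the slide pairs SRB with deterministic rules rather than replacing them.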
III. Making Use of Security Intelligence
Intelligence sources at Cisco:
- Product Security Incident Response Team (PSIRT): global team managing the investigation and reporting of vulnerability information for Cisco products
- Vulnerability Research Team (VRT): elite cyber security experts dedicated to identifying new trends, malware and vulnerabilities
- Computer Security Incident Response Team (CSIRT): threat assessment, incident detection and response, incident trending and analysis
- Security Operations Centers: Cisco Remote Managed Support and Managed Threat Defense
- Sourcefire Vulnerability Research: research and collection of vulnerabilities on endpoints, mobile devices, virtual systems, web and email
- Security Community Data: actively work with the community and contribute discovered threat intelligence
- Security Research and Operations: experts with deep security knowledge; deliver threat mitigation procedures for Cisco products
- Partner Data: exchange intelligence through private partnerships
Security Intelligence: How It's Done at Cisco (Talos, Cisco Collective Security Intelligence)
- 1.6 million global sensors
- 100 TB of data received per day
- 150 million+ deployed endpoints
- 600+ engineers, technicians and researchers
- 35% of worldwide email traffic
- 13 billion web requests
- 24x7x365 operations
- 40+ languages
- 180,000+ file samples per day
Telemetry sources: WWW, email, endpoints, web, networks, IPS, devices
Inputs: FireAMP Community, Advanced Microsoft and Industry Disclosures, Snort and ClamAV Open Source Communities, Honeypots, Sourcefire AEGIS Program, Private and Public Threat Feeds, Dynamic Analysis
IV. Technology
Telemetry / Intel sources:
- Cisco products: passive tap, event sensor
- Third-party products: passive tap, internal events, machine / app exhaust
- Sensors at point-of-presence (distributed)
- Entity: LDAP / Active Directory, Cisco ISE
- Intelligence: Cisco TIP / Talos, custom / external
Data functions: ingest, storage, search, compress, parse and normalize, extract features, connect events and entities, export, import, archive, view
Analytic functions: deterministic analysis, automated hunts, statistical analysis, machine learning, analyze features, identify anomalous, send notices
Storage, ingest and analytics are centralized in DCAP.
Proposed Security Operations Flow Framework
Inputs: full packet capture, protocol metadata, third-party applications, machine exhaust (logs), unstructured telemetry, other streaming telemetry
Flow: Parse + Format -> Enrich (threat intelligence feeds, enrichment data) -> Alert
Applications + analyst tools: log mining and analytics; network packet mining and PCAP reconstruction; big data exploration and predictive modelling
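The Parse + Format -> Enrich -> Alert flow above, together with the "parse and normalize" and "connect events and entities" functions on the Technology slide, as an added example that is not Cisco code. Both log formats, the indicator feed, the zone map and the IP-to-user mapping are constructed for illustration; in a real deployment they would come from the sensors, a TIP such as Talos, and LDAP/AD or ISE.

```python
"""Parse -> normalize -> enrich -> alert over a few raw log lines.

Added example, not Cisco code. Both log formats, the threat-intel feed,
the network-zone map and the identity lookup below are constructed for
illustration."""
import re
from ipaddress import ip_address, ip_network

# Constructed raw telemetry from two sources with different shapes
# (a firewall connection log and a DNS resolver query log), plus one
# line that fits neither, as real machine exhaust always contains.
RAW_LOGS = [
    "2016-05-19T10:01:02Z fw01 conn src=10.1.5.23 dst=203.0.113.10 dport=443 action=allow",
    "2016-05-19T10:01:03Z dns01 query client=10.1.5.23 qname=evil-update.example. type=A",
    "2016-05-19T10:01:05Z fw01 conn src=10.1.7.9 dst=198.51.100.77 dport=80 action=allow",
    "2016-05-19T10:01:07Z dns01 query client=10.1.9.14 qname=www.example.org type=A",
    "garbage line that matches neither format",
]

# Constructed enrichment data: indicator feed, zone map (most specific
# prefix first) and IP-to-user mapping.
THREAT_INTEL = {
    "domain": {"evil-update.example": "malware-c2"},
    "ip": {"203.0.113.10": "malware-c2"},
}
ZONES = [(ip_network("10.1.5.0/24"), "finance-dc"),
         (ip_network("10.1.0.0/16"), "corp-lan")]
IDENTITY = {"10.1.5.23": "jdoe", "10.1.7.9": "asmith"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<sensor>\S+) (?P<kind>conn|query) (?P<rest>.*)$")


def parse(line):
    """Parse + normalize: turn either raw format into one common schema.
    Returns None for lines that fit no known format (count those: a rising
    unparsed rate usually means a sensor changed its format)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    kv = dict(re.findall(r"(\w+)=(\S+)", m.group("rest")))
    ev = {"ts": m.group("ts"), "sensor": m.group("sensor"), "kind": m.group("kind"),
          "src_ip": None, "dst_ip": None, "dport": None, "domain": None}
    if ev["kind"] == "conn":
        ev["src_ip"], ev["dst_ip"] = kv.get("src"), kv.get("dst")
        ev["dport"] = int(kv["dport"]) if kv.get("dport", "").isdigit() else None
    else:
        ev["src_ip"] = kv.get("client")
        # Normalize the name: lower-case, drop the trailing dot a resolver adds.
        ev["domain"] = kv.get("qname", "").lower().rstrip(".") or None
    return ev


def zone_of(ip):
    """Connect the event to an entity: map a source IP to a network zone."""
    addr = ip_address(ip)
    for net, name in ZONES:
        if addr in net:
            return name
    return "unknown"


def enrich(ev):
    """Attach identity, zone and any threat-intel matches to the event."""
    ev["user"] = IDENTITY.get(ev["src_ip"])
    ev["zone"] = zone_of(ev["src_ip"]) if ev["src_ip"] else "unknown"
    hits = []
    if ev["domain"] in THREAT_INTEL["domain"]:
        hits.append(("domain", ev["domain"], THREAT_INTEL["domain"][ev["domain"]]))
    if ev["dst_ip"] in THREAT_INTEL["ip"]:
        hits.append(("ip", ev["dst_ip"], THREAT_INTEL["ip"][ev["dst_ip"]]))
    ev["intel"] = hits
    return ev


def alert(ev):
    """Alert stage: only enriched events with an indicator match become
    alerts, and the zone decides the severity the analyst sees first."""
    if not ev["intel"]:
        return None
    severity = "high" if ev["zone"].endswith("-dc") else "medium"
    return {"ts": ev["ts"], "severity": severity, "host": ev["src_ip"],
            "user": ev["user"], "zone": ev["zone"], "indicators": ev["intel"]}


def run_pipeline(lines):
    parsed = [ev for ev in (parse(line) for line in lines) if ev]
    alerts = [a for a in (alert(enrich(ev)) for ev in parsed) if a]
    return {"ingested": len(lines), "parsed": len(parsed), "alerts": alerts}


if __name__ == "__main__":
    for a in run_pipeline(RAW_LOGS)["alerts"]:
        print(a)
```

Two raw lines from different sensors end up as two alerts on the same host and user, which is the point of normalizing first: once both carry `src_ip`, `user` and `zone`, the correlation and prioritization stages downstream can treat them as one story rather than two unrelated events.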
V. Security Operations Center Design / Facility
(diagram) Enterprise premise: a dedicated customer segment behind a firewall, connected to the SOC over VPN using a secure connection (HTTPS/SSH/IPsec) across the Internet.
SOC data center: collection, storage and analysis; firewall; investigator portal; administrative consoles; authentication services; alerting/ticketing system; common services; threat intelligence.
Customer portal: 24/7 access through a dedicated customer portal.
Good, now start building a Playbook
playbook (ˈplāˌbŏk), noun: a prescriptive collection of repeatable queries (reports) against security event data sources that lead to incident detection and response.
Develop a Hot Threats Dashboard
http://blogs.cisco.com/security/implementing-a-hot-threat-dashboard
A SOC Example: Two-Week Timeframe
269,808 security events in total: 61,816 sourced from threat intelligence + 207,992 generated from telemetry ingested by DCAP (about 19,000 events/day)
113,713 unique events after prioritization and correlation (about 8,000 events/day)
1,710 high-fidelity events after triage, handed from Analyst to Investigator (about 120 suspicious events/day)
71 post-investigation tickets, actionable by the client (about 5 prioritized events/day)
Analytics drive the first reductions of the funnel; people (analysts and investigators) drive the last.
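The playbook definition above (named, repeatable queries over security event data), the hot-threats dashboard and the two-week funnel together, as an added example that is not Cisco code. The normalized events, the two plays, their scores and the ticket threshold are constructed for illustration; the funnel it reports (total -> unique -> high fidelity -> tickets) has the same shape as the slide's numbers, not the same values.

```python
"""A small playbook: named, repeatable queries run over normalized events,
with the funnel counts (total -> unique -> high fidelity -> tickets) and
the per-play counts a hot-threats dashboard would chart.

Added example, not Cisco code. The events, the two plays, the scores and
the ticket threshold are constructed for illustration."""
from collections import Counter, defaultdict

# Constructed normalized events, as a parse/normalize stage would emit
# them. Two pairs are exact duplicates (the same detection reported twice)
# and one host issues a burst of NXDOMAIN lookups for random-looking names.
EVENTS = [
    {"host": "10.1.5.23", "kind": "dns", "qname": "evil-update.example", "rcode": "NOERROR", "intel": "malware-c2"},
    {"host": "10.1.5.23", "kind": "dns", "qname": "evil-update.example", "rcode": "NOERROR", "intel": "malware-c2"},
    {"host": "10.1.5.23", "kind": "conn", "dst": "203.0.113.10", "dport": 443, "intel": "malware-c2"},
    {"host": "10.1.5.23", "kind": "conn", "dst": "203.0.113.10", "dport": 443, "intel": "malware-c2"},
    {"host": "10.1.9.14", "kind": "dns", "qname": "www.example.org", "rcode": "NOERROR", "intel": None},
    {"host": "10.1.9.14", "kind": "dns", "qname": "nosuch.example.org", "rcode": "NXDOMAIN", "intel": None},
] + [
    {"host": "10.1.7.9", "kind": "dns", "qname": q, "rcode": "NXDOMAIN", "intel": None}
    for q in ("qx7f2k.example", "m3pd9a.example", "zz01vb.example",
              "k8r2tt.example", "p0wq5n.example", "ab9c3d.example")
]


def dedupe(events):
    """Unique events: collapse exact duplicates before any play runs."""
    seen, unique = set(), []
    for ev in events:
        key = tuple(sorted(ev.items()))
        if key not in seen:
            seen.add(key)
            unique.append(ev)
    return unique


def play_known_indicator(events):
    """Play 1: any event carrying a threat-intel match, one finding per
    (host, indicator) pair rather than one per raw event."""
    findings = {}
    for ev in events:
        if ev.get("intel"):
            indicator = ev.get("qname") or ev.get("dst")
            findings[(ev["host"], indicator)] = {
                "entity": ev["host"], "score": 80,
                "evidence": f"{indicator} tagged {ev['intel']}"}
    return list(findings.values())


def play_nxdomain_burst(events, min_distinct=5):
    """Play 2: hosts resolving many distinct non-existent names, a classic
    hunt for DGA-style malware. min_distinct is a tuning knob: too low and
    this play floods the analyst queue with typo noise."""
    per_host = defaultdict(set)
    for ev in events:
        if ev.get("kind") == "dns" and ev.get("rcode") == "NXDOMAIN":
            per_host[ev["host"]].add(ev["qname"])
    return [{"entity": host, "score": 60,
             "evidence": f"{len(names)} distinct NXDOMAIN names"}
            for host, names in per_host.items() if len(names) >= min_distinct]


PLAYBOOK = [("Known C2 indicator", play_known_indicator),
            ("NXDOMAIN burst (possible DGA)", play_nxdomain_burst)]


def run_playbook(events, playbook=PLAYBOOK, ticket_threshold=70):
    """Run every play, aggregate scores per entity, and report the funnel."""
    unique = dedupe(events)
    findings, dashboard = [], Counter()
    for name, play in playbook:
        for finding in play(unique):
            findings.append(dict(finding, play=name))
            dashboard[name] += 1
    score = defaultdict(int)
    for finding in findings:
        score[finding["entity"]] = min(100, score[finding["entity"]] + finding["score"])
    tickets = sorted(entity for entity, s in score.items() if s >= ticket_threshold)
    return {"total": len(events), "unique": len(unique),
            "high_fidelity": len(findings), "tickets": tickets,
            "scores": dict(score), "dashboard": dict(dashboard)}


if __name__ == "__main__":
    print(run_playbook(EVENTS))
```

On this input the funnel reads 12 -> 10 -> 3 -> 1: the host with two corroborating indicator hits crosses the ticket threshold, while the NXDOMAIN-burst host stays below it as a suspicious event for an analyst to look at, which is the Analyst -> Investigator hand-off the funnel slide shows. Because each play is a named function with its own threshold, the queries are repeatable across periods, and the `dashboard` counter per play is the raw material for a hot-threats dashboard.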
Metrics: How do we know you're working?
Period Ending | SI Events | Device Sourced Events | Total Security Events | High Fidelity Events Investigated | Post Investigation Tickets Created
2/13          | 93,967    | 1,408                 | 95,375                | 2,142                             | 3
2/20          | 249,592   | 5,171                 | 254,763               | 119                               | 2
Reporting Example: Summary of Threats
Reporting Example: Pro-Active Threat Hunting
Present Even More Reasons for Your Existence!
- Top events fired per event source
- Top malicious domains
- Total infected hosts
- Top malware type / family
- Highest areas of infection (lab, DC, DMZ, etc.)
- Infections by theatre
- Infections by role / org (sales, engineering, marketing, etc.)
- Event rates and collection stats (total volume of alarms, alarms by source, index / file size average per day)
- Unique user counts, average per day
- Total attacks blocked
- Top infections by event source (event source detection ranking)
SOC = Tell a Story of Continuous Protection
"If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology." (Bruce Schneier, security guru)
Thank you. gmikolaj@cisco.com