CyberDEW: A Distributed Early Warning System for Cyber Security




1 / CyberDEW: A Distributed Early Warning System for Cyber Security
NCSRA-II Workshop Critical Infrastructures
Frans Jansen
www.thalesgroup.com
THALES NEDERLAND B.V. AND/OR ITS SUPPLIERS. THIS INFORMATION CARRIER CONTAINS PROPRIETARY INFORMATION WHICH SHALL NOT BE USED, REPRODUCED OR DISCLOSED TO THIRD PARTIES WITHOUT PRIOR WRITTEN AUTHORIZATION BY THALES NEDERLAND B.V. AND/OR ITS SUPPLIERS, AS APPLICABLE.

2 / Contents
- CyberDEW?
  - Team
  - Experiences with SBIR phase 1
- Intrusion Detection
  - What it is, context, the problem
- CyberDEW feasibility study
  - Research questions
  - Solution (technical and business-wise)
  - Value of the feasibility study

3 / CyberDEW?

4 / CyberDEW, an SBIR Cyber Security project
- M. Bargh, R. Bakker: ICT security, information fusion, sensors
- S. Choeni, D. Moolenaar, S. Verwer: data analysis, training, test sets
- THALES Research BL Security: S. Iacob, T. Quillinan, P. de Oude: information security, fusion, distributed data sharing
- W. Navest, F. Jansen: business plan, system architecture, project leadership

5 / Experiences with SBIR, phase 1
- Consortium formed through an existing network
- Cooperation between 4 parties, upfront division of tasks, regular meetings
- Tightly managed
- Worked well; leaves us wanting more
- Motivation for industry:
  - Small-scale project, externally funded, low risk
  - Relatively easy to start
  - Extends knowledge and network in a new domain

6 / Intrusion Detection

7 / Intrusion Prevention vs. Intrusion Detection
- Intrusion detection: "Something's wrong"
- Intrusion prevention: "Keep 'em out"

8 / Intrusion Detection, taxonomy
Intrusion Detection Systems, types:
- Network based (NIDS): based on network traffic, captured in promiscuous mode
- Host based (HIDS): application level; based on logs and O/S audit trails: login attempts, non-normal file access, abnormal sequences of system calls
Detection methods:
- Signature-based: search for patterns of known attacks by comparing against signatures. Few false positives; not suited for zero-day attacks
- Anomaly-based: look for out-of-norm behaviour. Can detect new attack types; requires training and yields false positives

9 / Intrusion Detection, anomaly based
- Classical (statistical) approach: 1st stage: build a clean profile; 2nd stage: distinguish normal from anomalous using statistics
- Artificial Immune System: fingerprints (bit sequences) indicate allowed applications
- How to (best) represent behaviour in general?
- Data mining and machine learning
- Other methods: genetic algorithms / particle swarm search; clustering / fuzzy set theory; hierarchical neural networks; signal analysis (wavelets); Hidden Markov Models
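As an added illustration of the trade-off on slides 8 and 9 (signature matching versus the two-stage statistical approach), here is example code that is not part of the deck or of the CyberDEW project. The signature rules, the log format and both log windows are constructed for the example; the threshold of three standard deviations is an assumed parameter.

```python
import re
import statistics
from collections import Counter

# Hypothetical signature rules (not the deck's): regex of a known attack -> label.
SIGNATURES = [
    (re.compile(r"/\.\./\.\./"), "path traversal"),
    (re.compile(r"UNION(\s|\+|%20)+SELECT", re.IGNORECASE), "sql injection"),
]

# Constructed web-server log lines, format "<minute> <src-ip> <message>".
# TRAINING_LOG is a window assumed to be clean; DETECTION_LOG arrives later.
TRAINING_LOG = """\
00 10.0.0.5 GET /index.html 200
00 10.0.0.7 GET /login 200
01 10.0.0.5 GET /news 200
01 10.0.0.5 GET /news/1 200
01 10.0.0.7 POST /login 302
02 10.0.0.5 GET /about 200
02 10.0.0.8 GET /index.html 200
03 10.0.0.7 GET /account 200
03 10.0.0.8 GET /news 200
03 10.0.0.8 GET /news/2 200
04 10.0.0.5 GET /contact 200
04 10.0.0.7 GET /logout 302
""".splitlines()

DETECTION_LOG = """\
10 10.0.0.9 GET /admin 404
10 10.0.0.9 GET /phpmyadmin 404
10 10.0.0.9 GET /wp-login.php 404
10 10.0.0.9 GET /.env 404
10 10.0.0.9 GET /backup.zip 404
10 10.0.0.11 GET /../../etc/passwd 400
11 10.0.0.5 GET /index.html 200
11 10.0.0.5 GET /news 200
11 10.0.0.5 GET /news/3 200
11 10.0.0.5 GET /about 200
12 10.0.0.7 GET /search?q=1'+UNION+SELECT+1,2-- 500
12 10.0.0.11 GET /../../etc/shadow 400
""".splitlines()


def parse(line):
    """Split '<minute> <src-ip> <message>' into its three fields."""
    minute, src, message = line.split(maxsplit=2)
    return minute, src, message


def signature_scan(lines):
    """Signature-based detection: compare every line with the known patterns.
    Precise for what it knows, blind to anything not yet in the rule set."""
    hits = []
    for line in lines:
        minute, src, message = parse(line)
        for pattern, label in SIGNATURES:
            if pattern.search(message):
                hits.append((minute, src, label))
    return hits


def build_profile(training_lines):
    """Stage 1 of the statistical approach: learn mean and standard deviation of
    events per (minute, source) from a window assumed to contain no attack."""
    counts = Counter(parse(line)[:2] for line in training_lines)
    values = list(counts.values())
    return statistics.mean(values), statistics.stdev(values)


def anomaly_scan(lines, profile, k=3.0):
    """Stage 2: flag every (minute, source) more than k standard deviations above
    the clean profile. Catches unknown attack types, but a legitimate burst above
    the threshold is reported just the same (a false positive)."""
    mean, stdev = profile
    threshold = mean + k * stdev
    counts = Counter(parse(line)[:2] for line in lines)
    return [(minute, src, n) for (minute, src), n in counts.items() if n > threshold]


if __name__ == "__main__":
    print("signature hits:", signature_scan(DETECTION_LOG))
    profile = build_profile(TRAINING_LOG)
    print("clean profile (mean, stdev):", profile)
    print("anomalies:", anomaly_scan(DETECTION_LOG, profile))
```

On this input the two methods disagree exactly as slide 8 describes: the directory scan from 10.0.0.9 matches no signature and is only found by the anomaly scan; the slow path-traversal attempts from 10.0.0.11 stay within the clean profile and are only found by the signatures; and the burst of ordinary browsing from 10.0.0.5 is an anomaly-scan false positive. The same scanner spreading its probes over an hour, one per minute, would fall under the statistical threshold, which is the "under the radar" problem of slide 10.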

10 / Intrusion Detection, the current situation
Observations:
- The rule-based approach leads to false positives and false negatives; configuration is complex and environment-specific
- Anomaly-based detection is hard; much time is required to train the system
- Attacks have become more advanced: carried out in phases (reconnaissance / establishment / exploitation / secondary spread), distributed over time and place
- Attacks remain under the radar: statistical analysis averages out the useful information, and the evidence is not really a matter of false positives/negatives at all, but of weak signals
- We have a problem

11 / CyberDEW, feasibility study

12 / CyberDEW, initial principles
Mechanism:
- (Clever) attacks are carried out in phases: reconnaissance, intrusion, exploitation, secondary infection
The principle:
- Correlation and fusion of (in themselves weak) signals can lead to detection
Assumptions:
- Causal relation between an attack and observable events: changes of traffic patterns, in themselves too subtle to detect; users notice slowdown or different behaviour; CERT alerts in general indicate that attacks are going on
- Attack attempts are correlated in time and place: reconnaissance is carried out in batches (temporal relation between scans); attacks are carried out simultaneously (hides the correlation, increases efficiency)

13 / CyberDEW, problem statement
- Can causal models be derived from expert knowledge? Can they be extended and tested with patterns from traffic data? How can partial causal models be combined?
- Information from IDS and SIEM: is it useful, and how can it be collected and shared efficiently?
- What is needed to make the CyberDEW system itself secure?
- How can organisations be persuaded to share relevant information?
- What is the most realistic business model? What are the market size and ROI?
- Responsibilities of the CyberDEW publisher and user: how are they enforced?

14 / An innovative solution: CyberDEW
Value is found in the combination:
- A solution based on correlation and fusion using Dynamic Bayesian Networks
- A framework that supports adding and adjusting parallel types of correlators
- Secure and scalable information sharing between nodes
- Combining information from beyond one's own domain
- Use of heterogeneous information sources
- An attractive value proposition for participants

15 / CyberDEW, complex event detection
[Figure: a hierarchy of CyberDEW nodes; each node contains a temporal correlator and a fuser, receives alerts from several IDSs or from lower nodes, and passes alerts upward]
- The correlator finds temporal and spatial correlations
- The fuser uses knowledge of the local domain (probability thresholds) to decide whether an alert needs to be fired

16 / Innovation, worked out further
- Information fusion: collecting and combining weak signals yields more than the sum of the parts. Sources: IDS alerts; expert reports; intelligence reports (national entities NCSC/GOVCERT); user reports (social media, other organisations)
- Scalability and ease of configuration: data-driven architecture (publish/subscribe); modular fusion (partial fusion, hierarchical)
- Secure collaboration in information sharing: already proven in other projects (Martello); a contributor has a say over the information it contributed
- System resilience (detect and counter sabotage)

17 / CyberDEW, architecture
[Figure: node hierarchy with ProcessingNode and LeafNode]
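As an added example of the mechanism on slides 12, 15, 16 and 17, here is code that is not part of the deck or of the CyberDEW project: one temporal correlator and fuser per leaf node, episode summaries rather than raw sensor data shared upward, and a processing node that correlates the same source across domains and fuses again. The deck proposes Dynamic Bayesian Networks for the fusion; this example substitutes a noisy-OR combination of independent signals, which is an assumption of the example, not the project's method. The alert format, the scenario, the per-domain thresholds and the 10-minute window are all constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    """One IDS alert as a leaf node receives it (constructed format)."""
    t: int        # minutes since the start of observation
    domain: str   # organisation whose sensor raised it; one leaf node per domain
    src: str      # address the sensor attributed the event to
    phase: str    # reconnaissance / intrusion / exploitation / secondary_infection
    p: float      # sensor's own confidence that this is a real attack; weak on its own

@dataclass
class Episode:
    """A leaf node's summary of temporally correlated alerts from one source."""
    domain: str
    src: str
    start: int
    end: int
    phases: frozenset
    belief: float

def noisy_or(ps):
    """Fuse independent weak signals: P(attack) = 1 - prod(1 - p_i). A deliberately
    simple stand-in for the Dynamic Bayesian Network the deck proposes."""
    miss = 1.0
    for p in ps:
        miss *= 1.0 - p
    return 1.0 - miss

def temporal_correlate(alerts, window):
    """Temporal correlator: per source, chain alerts arriving within `window`
    minutes of the previous one into an episode (batched scans, staged attack)."""
    by_src = {}
    for a in sorted(alerts, key=lambda a: a.t):
        by_src.setdefault(a.src, []).append(a)
    episodes = []
    for seq in by_src.values():
        current = [seq[0]]
        for a in seq[1:]:
            if a.t - current[-1].t <= window:
                current.append(a)
            else:
                episodes.append(current)
                current = [a]
        episodes.append(current)
    return episodes

def leaf_node(domain, alerts, window):
    """Leaf node: correlate its own domain's alerts in time and fuse each episode
    into one belief; these summaries, not raw sensor data, are shared upward."""
    own = [a for a in alerts if a.domain == domain]
    return [Episode(domain, ep[0].src, ep[0].t, ep[-1].t,
                    frozenset(a.phase for a in ep), noisy_or(a.p for a in ep))
            for ep in temporal_correlate(own, window)]

def processing_node(summaries, window, threshold):
    """Processing node: spatial correlation (same source reported by different
    domains within `window` minutes) plus a second fusion step; fires an early
    warning when the fused belief crosses the threshold."""
    by_src = {}
    for ep in sorted(summaries, key=lambda e: e.start):
        by_src.setdefault(ep.src, []).append(ep)
    warnings = []
    for src, eps in by_src.items():
        group = [eps[0]]
        for ep in eps[1:] + [None]:          # None flushes the last group
            if ep is not None and ep.start - max(e.end for e in group) <= window:
                group.append(ep)
                continue
            belief = noisy_or(e.belief for e in group)
            if belief >= threshold:
                warnings.append({"src": src,
                                 "domains": sorted({e.domain for e in group}),
                                 "phases": sorted(set().union(*(e.phases for e in group))),
                                 "belief": round(belief, 4)})
            group = [ep]
    return warnings

# Constructed scenario: a staged campaign by 203.0.113.7 against two banks plus
# unrelated noise from 198.51.100.4; every single p is below every threshold.
SAMPLE_ALERTS = [
    Alert(0, "bankA", "203.0.113.7", "reconnaissance", 0.20),
    Alert(1, "bankA", "203.0.113.7", "reconnaissance", 0.20),
    Alert(1, "bankA", "198.51.100.4", "reconnaissance", 0.20),
    Alert(2, "bankA", "203.0.113.7", "reconnaissance", 0.20),
    Alert(5, "bankB", "203.0.113.7", "intrusion", 0.30),
    Alert(8, "bankA", "203.0.113.7", "exploitation", 0.35),
    Alert(30, "bankA", "198.51.100.4", "reconnaissance", 0.20),
]
LOCAL_THRESHOLDS = {"bankA": 0.80, "bankB": 0.60}   # assumed per-domain tolerances
GLOBAL_THRESHOLD = 0.70
WINDOW = 10

def run(alerts=SAMPLE_ALERTS, window=WINDOW, local=LOCAL_THRESHOLDS, glob=GLOBAL_THRESHOLD):
    """Two-level hierarchy; returns (leaf summaries, local alerts, early warnings)."""
    summaries = [e for domain in local for e in leaf_node(domain, alerts, window)]
    local_alerts = [e for e in summaries if e.belief >= local[e.domain]]
    return summaries, local_alerts, processing_node(summaries, window, glob)
```

Calling run() shows the point of the architecture: bank A's leaf node fuses its four alerts from 203.0.113.7 into a belief of about 0.67, below its own 0.80 threshold, and bank B's single intrusion alert stays at 0.30, so neither domain fires on its own; the processing node, seeing the same source in both domains within the window, fuses the two summaries to about 0.77 and raises one early warning listing all three observed phases. The noise source 198.51.100.4 produces two episodes 29 minutes apart that never combine, so the window is what keeps unrelated weak signals from accumulating into a false alarm.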

18 / CyberDEW, expert and analysis process integration
- Weak signals originate from physically distributed sources, e.g. IDSs running on different servers
- Information from physically distributed, correlated events must first be collected in order to fuse it
- The Dynamic Process Integration Framework (DPIF) supports integration of heterogeneous information sources and analysis processes (fusion algorithms)
- DPIF supports easy integration with 3rd-party tools
- Domain-specific algorithms can be created with 3rd-party domain experts and could enrich the solution

19 / Example: Banking Domain

20 / Business perspective: market, route to market and risks
Market:
- Threats are increasing; 100% protection is not possible
- The need for monitoring and early warning is growing; central government
Go-to-market:
- Initial sale to CyberDEW partners for further development
- Thales sales organisation (60 countries) plus local presence (NL)
- Scalable and flexible solution, competitive with IDS/IPS and SOC
- Continuous further development
Risks:
- Developments in IDS/IPS and SOC

21 / Value
- Intrusion detection through advanced fusion, based on an information sharing and processing framework
- Early warning with higher reliability becomes possible; strongly dependent on the accuracy of the models; development time, 3rd parties?
- Fuses information from many and diverse sources
- Scalable and applicable to existing systems
- Stronger the more broadly it is deployed