KNOW THE UNKNOWN WITH SECURITY ANALYTICS




Understanding the Security Analytics and Intelligence (SAI) Framework for Intelligent Data Analysis & Actionable Insights
www.wipro.com
Bharat Shetty, Shailesh Mali and Suroop Chandran

Table of Contents
03 Abstract
03 Introduction
05 Challenges with Traditional Security Controls
06 Security Analytics and Intelligence (SAI) Framework
07 Critical Success Factors for Developing the SAI Framework
07 Approach for Building the SAI Framework
09 Conclusion
10 About the Authors
10 About Wipro Ltd.

Abstract

In early 2013, Kaspersky Lab identified what it called Operation Red October, an advanced cyber-espionage campaign targeting diplomatic and government institutions worldwide [1]. Attackers used targeted malware to steal data and geopolitical intelligence from the target victims' computer systems, mobile phones and enterprise network equipment. Data gathered was sent to command and control servers supported by a chain of proxies, which made it very complex to determine where the data was finally being collected. The most concerning part of Kaspersky's revelation is that it had been a sustained campaign dating back as far as 2007. It took five years to uncover the malware, and it was detected by a research firm: none of the infected victims detected it, despite having no evident lack of security controls.

Introduction

The 2013 Data Breach Investigations Report from Verizon Business [2] confirms that delay in the detection of security breaches was one of the commonalities that existed in the responses received. 66% of the breaches took months or more to discover, and 69% of incidents were discovered by an external party.

Figure 1: Commonalities identified in the 2013 Data Breach Investigations Report
- 75% driven by financial motives (-)
- 71% targeted user devices (+)
- 54% compromised servers (-)
- 75% are considered opportunistic attacks (-)
- 78% of initial intrusions rated as low difficulty
- 69% discovered by external parties
- 66% took months or more to discover (+)

The data points (refer Figure 1) prove that the Attacker Free Time window is expanding (refer Figure 2), increasing the risk of significant business impact through data leakage before a security breach is detected.

Figure 2: Stages of a security attack
(Attacker timeline: Attacker Surveillance, Target Analysis, Access Probe, Attack Set-up, System Intrusion, Attack Begins, Cover-up Starts, Discovery / Persistence, Leap Frog Attacks Complete, Cover-up Complete, Maintain Foothold. Defender timeline: Physical Security, Threat Analysis, Attack Forecast, Monitoring & Controls, Defender Discovery, Attack Identified, Incident Reporting, Containment & Eradication, Impact Analysis, Damage Identification, System Reaction, Response, Recovery. Attacker Free Time is the span between the attacker's first activity and Defender Discovery.)

Figure 3: Threat landscape changes & drivers
(Conventional versus modern threats compared on four axes: Level of Stealth (Open versus Stealthy), Target Vulnerability (Known & Patchable versus Unknown), Intended Victim (Broad versus Targeted) and Goals & Objectives (Disorganized Disruption versus Organized Theft). Drivers: Ever-increasing Motives (Evolving Behavior, Organized Crime, Hacktivism, Geopolitical Motives); Advanced Tools (Zero-day Exploits, Ready-to-use Hacker-kits, Encryption & Randomization); Low-and-Slow Attacks (Targeted Attacks, Availability vs. Data Breach); Newer Attack Surface (Cloud Infrastructure, Social Media & Web 2.0, Mobile Devices, Industrial Systems).)

Challenges with Traditional Security Controls

Traditional security controls, both technology and processes, continue to remain critical to the defense-in-depth approach to defending an organization's critical assets. However, the data points mentioned earlier (refer Figure 3) confirm that these controls alone are proving ineffective at preventing, detecting and understanding the latest, extremely complex and multi-pronged attacks. There are various reasons that contribute to these shortcomings, the key one being the use of signature-based security systems. Most of today's security controls, such as anti-malware and IDS/IPS, are signature based. These are good at detecting known threats. However, there is always a time lag in these controls which prevents them from being effective against zero-day attacks. Another key factor is the limitation faced by Security Information and Event Managers (SIEMs) in identifying threats, even with access to log information from multiple security controls. Their usefulness is restricted by the performance constraints of relational databases, the inability to review data across larger time windows and poorly written use cases. Further to this, a determined attacker will go after the weakest link, which is usually the people element, whether through social engineering and/or compromised employees. A good example of this is AMSC going out of business following the leakage of intellectual property to a rival firm [3].

These shortcomings are further compounded by the problem of Big Data. Big data, in the security context, refers to the tsunami of data that has to be dealt with, both the ever-increasing volume of data that has to be protected and the ever-increasing volume of data generated by security devices. The overall impact of this new breed of threats on the risk posture is depicted in Figure 4.

Figure 4: Impact on the risk posture due to the new breed of threats
(A grid of Preventative Controls (Exists / Non-existent) against Detective Controls (Exists / Non-existent); the quadrant where neither exists is labeled Unknown Threat, Unknown Mitigation, High Risk.)

Dealing with these threats requires a comprehensive approach that covers the people, process and technology elements. However, the critical expectation is to improve the ability to detect these threats in as near real-time as possible, in short reducing the Attacker Free Time depicted in Figure 2.
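The SIEM limitation just described, the inability to review data across larger time windows, is easy to see on a small worked example. The Python below is an added illustration written for this page, not code from the paper or from Wipro. It constructs 30 days of outbound-transfer records and contrasts what a rule evaluated one event at a time sees with what a 30-day sliding-window sum per host/destination pair sees. All thresholds, hostnames and addresses are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import date, timedelta

# Assumed thresholds (constructed for the example, not from the paper).
PER_EVENT_THRESHOLD = 50_000_000      # 50 MB: a typical single-event DLP/proxy alert line
WINDOW_DAYS = 30                      # the "larger time window" a SIEM rule rarely keeps
WINDOW_THRESHOLD = 500_000_000        # 500 MB to one destination inside the window


def build_sample():
    """Constructed outbound proxy/DLP records: (day, host, destination, bytes).
    Destinations use RFC 5737 documentation addresses."""
    records = []
    start = date(2013, 10, 1)
    for i in range(30):
        day = start + timedelta(days=i)
        # Slow drip: 40 MB every day to one destination, always under the per-event line.
        records.append((day, "ws-finance-07", "203.0.113.10", 40_000_000))
        # Ordinary baseline traffic from another host.
        records.append((day, "ws-sales-02", "198.51.100.5", 5_000_000))
    # One-off large transfer: the only thing a per-event rule will ever see.
    records.append((start + timedelta(days=3), "ws-hr-11", "198.51.100.7", 90_000_000))
    return records


def per_event_alerts(records):
    """What a rule evaluated one event at a time produces."""
    return [r for r in records if r[3] > PER_EVENT_THRESHOLD]


def windowed_alerts(records, window_days=WINDOW_DAYS, threshold=WINDOW_THRESHOLD):
    """Sliding-window sum of bytes per (host, destination) pair.
    Returns {(host, destination): (day_first_exceeded, bytes_in_window)}."""
    by_pair = defaultdict(list)
    for day, host, dst, nbytes in records:
        by_pair[(host, dst)].append((day, nbytes))

    alerts = {}
    for pair, series in by_pair.items():
        series.sort()
        window = deque()
        total = 0
        for day, nbytes in series:
            window.append((day, nbytes))
            total += nbytes
            # Drop records that fall outside the window ending on this day.
            while (day - window[0][0]).days >= window_days:
                total -= window.popleft()[1]
            if total > threshold and pair not in alerts:
                alerts[pair] = (day, total)
    return alerts


if __name__ == "__main__":
    recs = build_sample()
    print("per-event alerts:", per_event_alerts(recs))
    print("30-day window alerts:", windowed_alerts(recs))
```

Run as a script, the per-event rule reports only the single 90 MB transfer, while the windowed sum flags the 40 MB-a-day drip on the thirteenth day, when it passes 500 MB; the drip never trips the per-event line at all. The same 30-day state is what a relational SIEM backend struggles to keep and query, which is the motivation for consolidating operational data on a big data platform.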

Security Analytics and Intelligence (SAI) Framework

The Security Analytics and Intelligence (SAI) framework is a unique application of big data analytics in the security context, to gain actionable intelligence with a view to:
- Identify low frequency and previously unknown threats (Advanced Persistent Threats) through the production and review of intelligent reports
- Expedite investigation of a suspected breach and/or root cause analysis of actual security incidents
- Add business context to qualify security events and reclassify their severity
- Identify new attack patterns that can be fed back into existing protective/detective controls
- Enhance security controls deployed within an organization

Figure 5 below highlights the end state view of the SAI framework:
- Enrichment of raw data with contextual information such as user, asset, location etc.
- Reports generated at a pre-agreed frequency on intelligent themes and circulated to the domain SMEs
- Lean-forward review / smart eyeballing by domain SMEs, used to highlight potential threats for further investigation and/or opportunities to enhance the deployed security controls
- Actual threats identified through this process converted into SIEM use cases for real-time monitoring and detection
- Expedited investigation of a suspected/actual security breach through the use of a big data solution and its robust search capability

Figure 5: The Security Analytics and Intelligence framework
(Layers, bottom to top: IT Infrastructure (Networks, Endpoints, Databases, Applications, Servers) with its security controls (N/W Security, Endpoint Security, Application & Content Security, Identity & Access Management, Data Security) feeding Events and Logs; Operational Data (Asset Data, Identity Repository & Authorizations, Data Classification & Access Policies, Network Session) providing Asset, User, Data and Network Awareness; Security Analytics & Intelligence (Threat Monitoring, Threat Analytics, Threat Intelligence, Intelligent Reporting) covering Known Threats, Zero-day Threats and N/W Threats with Business Awareness; outputs reviewed by Threat Analysts & Domain SMEs: Intelligent Reports, Reclassification of Security Events, Potential Threats, New Attack Patterns, Security Control Enhancement.)

As highlighted above, the SAI framework aims to complement the organization's existing SIEM solution. It primarily aims to enrich the use cases utilized by the SIEM for detecting the manifestation of known threats in real-time.

The key highlights of the SAI framework include:
- Use of a big data solution to consolidate the operational data of interest

The key use cases enabled by the SAI framework include:
- Predictive Risk Modeling: Asset information such as services, locations, applications and access details, and business intelligence like asset criticality, help identify real attacks and the severity of the incident.

- User Profile Analytics: To track user activity, there are many sources such as applications, access control devices, Active Directory and Identity and Access Management. Security analytics are built from the user profile information collected from these sources and help in monitoring user behavior and alerting on any deviation from the expected usage.
- Data Flow Analytics: Data leakage is another issue organizations are trying to control. Intentional or unintentional, the data leakage phenomenon is common and needs to be monitored. A security analytics tool can check the authority of the sender in the IDAM database and correlate this event with events from other tools such as data loss prevention, proxy, malware analysis tools, etc. to confirm the data leakage.
- Malware Analytics: Advanced persistent threats and malware are a growing concern for every enterprise. Detection of malware and advanced persistent threats is not possible just by depending on IDS and antivirus solutions. Malware detection requires analytics solutions that deal with data threats through malware detection tools, proxy, packet capture and analysis tools, and VMDB/CMDB information.
- Network Traffic Analytics: Monitoring network traffic behavior changes and traffic protocol anomalies provides information about network activities like DoS events, malicious traffic events, configuration errors, etc.
- Root Cause Analysis & Outbreak/Pathway Analysis: An efficient response to incidents is one of the keys to preventing the occurrence and recurrence of disruptive security problems. Root Cause Analysis (RCA) helps in identifying the root cause of the problem, i.e. the what, why and how, providing deep insights and helping solve the problem. With the comprehensive information garnered through RCA, security analysis provides an ideal solution for identifying and figuring out breaches, minimizing the time taken for resolution and chalking out an effective plan to fight current and future events effectively. Outbreak/Pathway Analysis uses a predictive approach to ascertain the cause and possible solution for the event. Security analysis based on this kind of analysis helps in discovering the exact reach of an event in the network and provides a proactive solution to rectify the problem.
- Operational Intelligence: Organizations now view cyber security as an enterprise risk rather than just an IT risk and are constantly looking at measuring how security incidents impact the business. However, without aligning security metrics against business KPIs, the value of the information provided is lost.

Critical Success Factors for Developing the SAI Framework

The following are the key tenets recommended for adopting the SAI framework within an organization:
- Take baby steps to implement the SAI framework: Although adopting a big data platform for consolidating the operational data is recommended, it is encouraged to review and reuse the existing log consolidation platform for building the initial success stories of the SAI framework.
- Focus on the crown jewels: The initial scope could be limited to the organization's crown jewels in terms of critical information assets.
- Use cases are the heart of the solution: The key to success lies in understanding the functional processes revolving around the critical information assets and building contextualized reports (referred to as use cases) to help identify deviations from the norm.
- Involvement of the SMEs, both technical and functional: Every organization has its nuances. Success in building useful use cases, and in their periodic review, comes only through the cooperation and participation of both the technical and functional SMEs in the organization.
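The User Profile Analytics and Data Flow Analytics use cases above, together with the framework's enrichment and severity-reclassification steps, can be shown end to end on a handful of events. The Python below is an added example written for this page, not code from the paper or from Wipro: the identity and asset context, the per-user baselines and the raw events are all constructed, and the severity rules and the 5x volume factor are assumptions chosen for illustration.

```python
from datetime import datetime

# Constructed identity and asset context: stand-ins for an IDAM export and a CMDB.
USER_CONTEXT = {
    "alice": {"dept": "finance", "data_clearance": {"public", "internal", "financial"}},
    "bob":   {"dept": "sales",   "data_clearance": {"public", "internal"}},
}
ASSET_CONTEXT = {
    "fin-db-01": {"criticality": "high", "data_class": "financial"},
    "wiki-01":   {"criticality": "low",  "data_class": "internal"},
}

# Constructed per-user baselines, as a learning window over the log platform would produce them.
BASELINE = {
    "alice": {"hours": set(range(8, 19)), "countries": {"IN"}, "typical_bytes": 5_000_000},
    "bob":   {"hours": set(range(9, 20)), "countries": {"US", "GB"}, "typical_bytes": 2_000_000},
}
VOLUME_FACTOR = 5  # assumed: flag a transfer above 5x the user's typical daily volume

# Constructed raw events: (timestamp, user, source country, asset, action, bytes, data class)
RAW_EVENTS = [
    ("2013-11-04T10:15:00", "alice", "IN", "fin-db-01", "query",      20_000, "financial"),
    ("2013-11-04T02:40:00", "alice", "RO", "fin-db-01", "export", 80_000_000, "financial"),
    ("2013-11-04T11:05:00", "bob",   "US", "wiki-01",   "read",        5_000, "internal"),
    ("2013-11-04T14:20:00", "bob",   "US", "fin-db-01", "export",  1_000_000, "financial"),
]


def enrich(event):
    """Enrichment step: attach user and asset context to a raw event tuple."""
    ts, user, country, asset, action, nbytes, data_class = event
    return {
        "ts": datetime.fromisoformat(ts), "user": user, "country": country,
        "asset": asset, "action": action, "bytes": nbytes, "data_class": data_class,
        "user_ctx": USER_CONTEXT.get(user, {}),
        "asset_ctx": ASSET_CONTEXT.get(asset, {"criticality": "unknown", "data_class": "unknown"}),
    }


def profile_findings(e):
    """User profile analytics: deviations from the user's learned baseline."""
    base = BASELINE.get(e["user"])
    if base is None:
        return ["no baseline for user"]
    findings = []
    if e["ts"].hour not in base["hours"]:
        findings.append("off-hours activity")
    if e["country"] not in base["countries"]:
        findings.append("new source country")
    if e["bytes"] > VOLUME_FACTOR * base["typical_bytes"]:
        findings.append("volume spike")
    return findings


def data_flow_findings(e):
    """Data flow analytics: is the sender cleared for the data class being exported?"""
    if e["action"] != "export":
        return []
    if e["data_class"] not in e["user_ctx"].get("data_clearance", set()):
        return ["unauthorised export of %s data" % e["data_class"]]
    return []


def classify(e, findings):
    """Reclassify severity with business context (assumed rules)."""
    if not findings:
        return "info"
    if any(f.startswith("unauthorised") for f in findings):
        return "critical"
    return "high" if e["asset_ctx"]["criticality"] == "high" else "medium"


def analyze(events):
    """Run enrichment, both analytics and classification over a batch of raw events."""
    results = []
    for raw in events:
        e = enrich(raw)
        findings = profile_findings(e) + data_flow_findings(e)
        results.append({"user": e["user"], "asset": e["asset"],
                        "severity": classify(e, findings), "findings": findings})
    return results


if __name__ == "__main__":
    for r in analyze(RAW_EVENTS):
        print(r)
```

Run as a script, it prints one result per event. The point to notice is that two exports of financial data from the same asset land differently: the cleared user acting outside her profile (night, new country, volume spike) is "high", while the uncleared user acting entirely within his profile is "critical", purely because of the authority check against the identity store. A finding that the domain SMEs confirm during their review is the kind that the framework then turns into a SIEM use case for real-time detection.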
Approach for Building the SAI Framework

The recommended approach for adoption of the SAI framework within an organization involves two sets of parallel activities:
a) Evaluate the existing security controls, with a key focus on log consolidation and the SIEM solution, with a view to ironing out the technical platform on which to build the SAI framework
b) Work with the client's domain experts to narrow down the scope, covering the crown jewels and the associated use cases for intelligent reports

The PDCA approach for adopting the SAI framework

This approach aims to build small pools of successful implementations of the SAI framework in critical business functions before aiming for an organization-wide adoption.

Figure 6: PDCA approach for adopting the SAI framework
(A Plan, Deploy, Check, Analyze cycle from Start to End; the steps in each phase are those listed below.)

The key activities involved in the various phases include:

a) Plan
- Analyze the existing security controls with a view to understanding what elements can be reused to build the SAI framework. Specific focus is applied to the Log Consolidation and SIEM solutions, if they exist.
- Workshops with stakeholders to narrow down the in-scope functions. Functions here represent both business and support processes that are critical to supporting the business and are susceptible to threat vectors impacting the critical information assets of the underlying business information. As mentioned earlier, the initial scope could be limited to the organization's crown jewels in terms of critical information assets.
- Workshops with relevant stakeholders from the in-scope functions to narrow down the potential threats relevant to those functions
- Identify intelligent report themes to help identify the manifestation of threats (via previously unknown vectors)
- Define the technical solution to support the generation of intelligent reports
- Define the process, along with the relevant SMEs, to review the intelligent reports

b) Deploy
- Deploy the technical solution to support the generation of the agreed-upon reports. This could involve realigning the existing solutions (such as Log Consolidation) to enable the generation of the reports.

- Design and develop the intelligent reports
- Institute the process involving the SMEs to review the reports

c) Check
- Perform a pilot to confirm that the reports and the review process are in line with the stated objectives
- Incorporate the feedback from the pilot results, if any
- Collect the results from running the process for a period of 4-6 months

d) Analyze
- Review the results to ascertain the benefits and any lessons learnt
- Capture the areas of improvement for the next release cycle
- Identify similar/new functions where the success of the current implementation can be built upon

The figure below (Figure 7) depicts the incremental approach adopted by an organization to implement the SAI framework.

Figure 7: Incremental approach for adopting the SAI framework
(In-scope functions (Fn) such as Data Leakage Solution, Payment Gateway, Remote Access and User Access Management each go through their own Plan / Do / Check / Analyze cycle; business benefits accumulate until a threshold is reached that builds the case for organization-wide adoption.)

Figure 8: Impact of adoption of the SAI framework on the organization's risk posture
(The Preventative Controls / Detective Controls grid of Figure 4, with Adoption of Security Analytics marked as the move away from the Unknown Threat, Unknown Mitigation, High Risk quadrant.)

Conclusion

As security threats become more sophisticated and dangerous, intelligent, efficient and real-time protection is not only critical but an absolute necessity for an organization. By adopting the SAI framework, organizations can implement a security system that delivers threat intelligence and actionable insights for real-time detection, instant response and efficient safeguards against highly malicious, unknown and advanced threats. The SAI framework's unique People, Process and Technology approach delivers an end-to-end security model that enables enterprise customers to think and act strategically, be proactive in mitigating security risks and defend their data and IT infrastructure. The SAI framework acts as a critical component in closing the security gap and addressing the key challenges of both current and future threats effectively and intelligently.

References
1 - http://www.kaspersky.com/about/news/virus/2013/Kaspersky_Lab_Identifies_Operation_Red_October_an_Advanced_Cyber_Espionage_Campaign_Targeting_Diplomatic_and_Government_Institutions_Worldwide
2 - http://www.verizonenterprise.com/dbir/2013/
3 - http://www.bloomberg.com/news/2012-03-15/china-corporateespionage-boom-knocks-wind-out-of-u-s-companies.html

About the Authors

Bharat Shetty is Practice Head - Consulting and System Integration, Enterprise Security Solutions at Wipro Technologies. He can be reached at bharat.shetty@wipro.com

Shailesh Mali is Consultant Lead, Security Analytics, Enterprise Security Solutions at Wipro Technologies. He can be reached at shailesh.mali@wipro.com

Suroop Mohan Chandran is Cyber Security Architect, Enterprise Security Solutions at Wipro Technologies. He can be reached at suroop.chandran@wipro.com

About Wipro Ltd.

Wipro Ltd. (NYSE:WIT) is a leading Information Technology, Consulting and Outsourcing company that delivers solutions to enable its clients to do business better. Wipro delivers winning business outcomes through its deep industry experience and a 360 degree view of "Business through Technology", helping clients create successful and adaptive businesses. A company recognized globally for its comprehensive portfolio of services, a practitioner's approach to delivering innovation and an organization-wide commitment to sustainability, Wipro has a workforce of 140,000 serving clients across 61 countries. For more information, please visit www.wipro.com.

DO BUSINESS BETTER
NYSE:WIT | OVER 140,000 EMPLOYEES | 61 COUNTRIES | CONSULTING | SYSTEM INTEGRATION | OUTSOURCING

Wipro Technologies, Doddakannelli, Sarjapur Road, Bangalore - 560 035, India
Tel: +91 (80) 2844 0011, Fax: +91 (80) 2844 0256, Email: info@wipro.com

North America, South America, United Kingdom, Germany, France, Switzerland, Poland, Austria, Sweden, Finland, Benelux, Portugal, Romania, Japan, Philippines, Singapore, Malaysia, Australia, China, South Korea, New Zealand

WIPRO TECHNOLOGIES 2013. No part of this booklet may be reproduced in any form by any electronic or mechanical means (including photocopying, recording and printing) without permission in writing from the publisher, except for reading and browsing via the world wide web. Users are not permitted to mount this booklet on any network server.
IND/RB/DECEMBER2013-DECEMBER2014