Data Analytics for a Secure Smart Grid

Transcription:

Data Analytics for a Secure Smart Grid
Dr. Silvio La Porta, Senior Research Scientist, EMC Research Europe, Ireland COE

Agenda
APT modus operandi
Data Analysis and Security
SPARKS Data Analytics Module

Anatomy of an Attack Anatomy of a Response

APT Kill Chain: Advanced Persistent Threat (APT)
Phishing and Zero Day Attack: a handful of users are targeted by two phishing attacks; one user opens the zero-day payload (CVE-02011-ZZZX)
Backdoor: the user machine is accessed remotely by a RAT like PlugX
Lateral Movement: the attacker elevates access to important user, service and admin accounts, as well as specific systems
Data Gathering: data is acquired from target servers and staged for exfiltration
Exfiltrate: data is exfiltrated as an encrypted file over FTP to an external, compromised machine at a hosting provider

Traditional Security Is Not Working
97% of breaches led to compromise within days or less, with 72% leading to data exfiltration in the same time
78% of breaches took weeks or more to discover; 66% took months or more
Source: Verizon 2013 Data Breach Investigations Report

Big Data on Security
More sophisticated adversaries and sophisticated methods
Limited human capacity combined with massive amounts of events:
40% of all survey respondents are overwhelmed with the security data they already collect
35% have insufficient time or expertise to analyse what they collect
Security tools, tactics and defences are becoming outdated:
Content is static and not as dynamic as the threat landscape
Segregated by too many point products, tool interfaces and disparate data sets
Source: EMA, The Rise of Data-Driven Security, Crawford, Aug 2012 (survey sample size = 200)

Evolution of Data Analytics in Security
BI and compliance driven: data goes in, hard to extract value
Investigation driven: fast queries over large data
Behavior metrics driven: single source metrics, single correlation, rule based, high false positives
Data-science driven: leverage full contextual info, multi-source, automatic, for low false positives

Data Science: The Next Security Frontier
Beyond signatures
Beyond simple metrics for thresholding
Beyond manual engineering of rules
Monitor each and every entity in its environmental context, with a 360 degree view over a long time window, using advanced mathematics

Today's Security Requirements
Big Data Infrastructure: need a fast and scalable infrastructure to conduct real-time and long-term analysis
High Powered Analytics: give me the speed and smarts to detect, investigate and prioritize potential threats
Comprehensive Visibility: see everything happening in my environment and normalize it
Integrated Intelligence: help me understand what to look for and what others have discovered

Applying Intelligence-Driven Security Analytics
[Architecture diagram; labels: Big Data Analytics, Governance, Data, Alert & Report, Compliance, Apps, Systems, Store, Investigate & Analyze, Visualize, Incident Management, Network, Respond, Remediation, Public & Private Threat Intelligence]

SPARKS Security Analytics Test Environment
[Diagram; labels: SCADA controller, SCADA NEODYNE, Enable New (?) attacks LIVE, Install Security Analytics solutions in UTRC Middleware, NESCOR attack trees Formulation, Power Measurements, SCADA, BMS, DB (e.g. WSN), Log Files, <new sources>, Demo site attack down-selection, Use Security Analytics as inputs for designing resilient control algorithms, Final demonstration, Pattern Generation]
Example of AMI.29: Unauthorized Device Acquires HAN Access and Steals Private Information

SPARKS Sec. Info. Analytics Component
The module will be composed of two main components: the Static Rules Validator and the Auto-Detector
[Diagram; labels: SCADA Controller, SPARKS Sec. Info. Analytics Component, G.U.I., Static Rules Validator, Auto-Detector, Resilient Control System]

Static Rules Validator
The component will search for violations of system assertions
Rules List: contains the assertions to verify
Adapter: translates the rules into a common language
Parser: gets the rules and searches for negative or positive outliers

Intra-Meter Security Analytics
28 Measured Variables (including V_A, V_B, V_C, I_A, I_B, I_C, I_N, P_A, P_B, P_C)
18 Calculated Variables: V_AB, V_BC, V_CA; Q_A, S_A; Q_B, S_B; Q_C, S_C; P_Total, Q_Total, S_Total; Power Factor; E_Active+, E_Active-; E_Reactive+, E_Reactive-; E_Apparent
28 + 18 = 46 cross-checked values
~2 months of data, 14.5 million observations

Intra-Meter Security Analytics: 18 Cross-Checking Equations
Inputs: V_A, V_B, V_C, I_A, I_B, I_C, I_N, V_AB, V_BC, V_CA
Voltage phase check: the three phase angles recovered from the phase and line-to-line voltages by the law of cosines must sum to 360 degrees:
$$
\cos^{-1}\!\left(\frac{V_A^2 + V_B^2 - V_{AB}^2}{2 V_A V_B}\right) + \cos^{-1}\!\left(\frac{V_B^2 + V_C^2 - V_{BC}^2}{2 V_B V_C}\right) + \cos^{-1}\!\left(\frac{V_C^2 + V_A^2 - V_{CA}^2}{2 V_C V_A}\right) = 360^{\circ}
$$

Real Time Analysis
Equations need not be followed exactly, e.g. because of unsynchronised sampling, so we let each rule be followed approximately: for each equation the difference or ratio of LHS and RHS is calculated. For the voltage phase check the error is the ratio of the recovered angle sum to 2π:
$$
\mathrm{Error} = \frac{1}{2\pi}\left[\cos^{-1}\!\left(\frac{V_A^2 + V_B^2 - V_{AB}^2}{2 V_A V_B}\right) + \cos^{-1}\!\left(\frac{V_B^2 + V_C^2 - V_{BC}^2}{2 V_B V_C}\right) + \cos^{-1}\!\left(\frac{V_C^2 + V_A^2 - V_{CA}^2}{2 V_C V_A}\right)\right]
$$
We calculate and store histograms of all errors in normal operation
In real time, we evaluate the current error and compute its probability
If the probability is too low, we flag the equation and display the total number of equations violated

Daily Analysis
At the end of the day, we compute the histogram of the day's errors
We use the Kullback-Leibler distance of this histogram from the historical distribution as a measure to check whether a deviation exists
If the deviation is too high, we generate an alarm indicating that there might have been an attack present during the whole day

Nominal Value Check

Rules list example "Phase A Active Power Error", "Phase B Active Power Error", "Phase C Active Power Error", "Phase A Reactive Power Error", "Phase B Reactive Power Error", "Phase C Reactive Power Error", "Phase A Apparent Power Error 1", "Phase B Apparent Power Error 1", "Phase C Apparent Power Error 1", "Phase A Apparent Power Error 2", "Phase B Apparent Power Error 2", "Phase C Apparent Power Error 2", "Total Active Power Error", "Total Apparent Power Error", "Power Factor Error 1", "Power Factor Error 2", "Voltage Phase Error", "Neutral Current Error"

Nimbus Meters

Global View: number of observations in a day = 1935360
[Figure: Meter E01 last 24H detections]

Detail of a Meter (EM10)
[Figure; axes: Number of Rules that generated outliers, Number of Nominal Value Outliers, Time; annotations: Disconnection, Threshold to trigger the alarm, Connected Back]

Distribution Distance The system checks the current day distribution against historical data distribution using the Kullback-Leibler distance :
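As an added example, not code from the SPARKS project, the following implements one of the 18 rules, the Voltage Phase Error from the Real Time Analysis slide, together with the per-equation error histogram and probability check and the Daily Analysis / Distribution Distance check using the Kullback-Leibler distance. The balanced 230 V three-phase readings, the sampling noise, the 0.001 error bin width, the smoothing constant in the KL computation and the tampered phase-A reading are constructed assumptions, as is the alarm threshold a deployment would choose.

```python
import math
import random
from collections import Counter

def phase_error(va, vb, vc, vab, vbc, vca):
    """Voltage Phase Error: ratio of the recovered phase-angle sum to the expected
    360 degrees (2*pi rad). It is 1.0 when the six voltage readings are consistent."""
    def angle(x, y, xy):
        cos_t = (x * x + y * y - xy * xy) / (2.0 * x * y)  # law of cosines
        return math.acos(max(-1.0, min(1.0, cos_t)))       # clamp sampling noise
    return (angle(va, vb, vab) + angle(vb, vc, vbc) + angle(vc, va, vca)) / (2.0 * math.pi)

def histogram(errors, width=0.001):
    """Empirical distribution of an error: bin index -> probability (assumed bin width)."""
    counts = Counter(round(e / width) for e in errors)
    return {b: c / len(errors) for b, c in counts.items()}

def error_probability(hist, err, width=0.001):
    """Real-time check: how much probability the stored histogram gives this error."""
    return hist.get(round(err / width), 0.0)

def kl_distance(day_hist, hist_hist, eps=1e-6):
    """Daily check: KL(day || history); eps keeps bins unseen in history finite."""
    return sum(p * math.log((p + eps) / (hist_hist.get(b, 0.0) + eps))
               for b, p in day_hist.items())

def normal_day(seed, n=2000, v=230.0, noise=0.3):
    """Constructed balanced three-phase readings with small unsynchronised-sampling noise."""
    rng = random.Random(seed)
    def line_to_line(x, y):  # magnitude for 120 degree spacing, plus its own noise
        return math.sqrt(x * x + y * y + x * y) + rng.gauss(0.0, noise)
    errors = []
    for _ in range(n):
        va, vb, vc = (v + rng.gauss(0.0, noise) for _ in range(3))
        errors.append(phase_error(va, vb, vc, line_to_line(va, vb),
                                  line_to_line(vb, vc), line_to_line(vc, va)))
    return errors

def tampered_reading(v=230.0):
    """Constructed attack: phase A magnitude reported 10% low, other channels untouched."""
    vll = v * math.sqrt(3.0)
    return phase_error(0.9 * v, v, v, vll, vll, vll)

if __name__ == "__main__":
    history = histogram(normal_day(seed=1))
    bad = tampered_reading()
    print("tampered error %.4f, probability %.4f" % (bad, error_probability(history, bad)))
    print("KL normal day %.4f" % kl_distance(histogram(normal_day(seed=2)), history))
    print("KL attack day %.4f" % kl_distance(histogram([bad] * 2000), history))
```

The tampered reading lands in a bin the historical histogram never saw, so its probability is zero and the rule is flagged; a whole day of such readings gives a KL distance orders of magnitude above that of a second normal day.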

Auto-Detector
The component will use machine learning techniques to evaluate the entire system state
Rules Extractor: gets data from the last readings
Historical KB: compares the new features with the system history
Evaluator: uses a tolerance to reduce false positives and noise

Work in progress
Data analytics algorithm basic features:
Pattern detection and pattern violation (example: the battery is charged every day between 7am-12am and discharged between 6pm-10pm)
Inter-meter checks
Dynamic rules and checks in the interface
Interactive interface to zoom in on time frames

Thank you for your attention. Questions?