Data Driven Assessment of Cyber Risk:



Similar documents
Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team

Developing Cyber Threat Intelligence or not failing in battle.

CYBER SECURITY INFORMATION SHARING & COLLABORATION

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

Cybersecurity Risk Management in the Telecom Sector. MUSTAPHA HUNEYD Corporate Information Security

Palo Alto Networks and Splunk: Combining Next-generation Solutions to Defeat Advanced Threats

THREAT VISIBILITY & VULNERABILITY ASSESSMENT

Accenture Intelligent Security for the Digital Enterprise. Archer s important role in solving today's pressing security challenges

End-user Security Analytics Strengthens Protection with ArcSight

WHITE PAPER: THREAT INTELLIGENCE RANKING

Advanced Threat Protection with Dell SecureWorks Security Services

Cyber Security Metrics Dashboards & Analytics

US-CERT Year in Review. United States Computer Emergency Readiness Team

NTT R&D s anti-malware technologies

Big Data in Action: Behind the Scenes at Symantec with the World s Largest Threat Intelligence Data

Ty Miller. Director, Threat Intelligence Pty Ltd

Symantec Global Intelligence Network 2.0 Architecture: Staying Ahead of the Evolving Threat Landscape

WAN security threat landscape and best mitigation practices. Rex Stover Vice President, Americas, Enterprise & ICP Sales

Network that Know. Rasmus Andersen Lead Security Sales Specialist North & RESE

NATIONAL CYBER SECURITY AWARENESS MONTH

Cybersecurity. Are you prepared?

Microsoft s cybersecurity commitment

Introduction. Jason Lawrence, MSISA, CISSP, CISA Manager, EY Advanced Security Center Atlanta, Georgia

Advanced Threat Detection: Necessary but Not Sufficient The First Installment in the Blinded By the Hype Series

How To Choose A Business Intelligence Toolkit

Effective Threat Management. Building a complete lifecycle to manage enterprise threats.

Integrating MSS, SEP and NGFW to catch targeted APTs

Information Security. Incident Management Program. What is an Incident Management Program? Why is it needed?

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Protecting against cyber threats and security breaches

SITUATIONAL AWARENESS MITIGATE CYBERTHREATS

Security Architecture: From Start to Sustainment. Tim Owen, Chief Engineer SMS DGI Cyber Security Conference June 2013

2010 Data Breach Investigations Report

Symantec Cyber Security Services: DeepSight Intelligence

Metric Matters. Dain Perkins, CISSP

Obtaining Enterprise Cybersituational

Indian Computer Emergency Response Team (CERT-In) Annual Report (2010)

North American Electric Reliability Corporation (NERC) Cyber Security Standard

Industrial Cyber Security Risk Manager. Proactively Monitor, Measure and Manage Cyber Security Risk

10 best practice suggestions for common smartphone threats

GETTING REAL ABOUT SECURITY MANAGEMENT AND "BIG DATA"

ADVANCED KILL CHAIN DISRUPTION. Enabling deception networks

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

Intelligence Driven Security

Solera Networks, A Blue Coat Company SOLERA NETWORKS BIG DATA SECURITY ANALYTICS

LASTLINE WHITEPAPER. Large-Scale Detection of Malicious Web Pages

Supplier Relationship Management Tools

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

IBM Security Strategy


Gaining the upper hand in today s cyber security battle

Defending Against Data Beaches: Internal Controls for Cybersecurity

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist,

The Business Case for Security Information Management

Cisco Advanced Malware Protection for Endpoints

Visualizing Threats: Improved Cyber Security Through Network Visualization

Impact of Cybersecurity Innovations in Key Sectors (Technical Insights)

Concierge SIEM Reporting Overview

FROM INBOX TO ACTION AND THREAT INTELLIGENCE:

Unified Cyber Security Monitoring and Management Framework By Vijay Bharti Happiest Minds, Security Services Practice

Next Generation IPS and Reputation Services

SEMANTIC SECURITY ANALYSIS OF SCADA NETWORKS TO DETECT MALICIOUS CONTROL COMMANDS IN POWER GRID

Recommended Practice Case Study: Cross-Site Scripting. February 2007

CyberReady Solutions. Integrated Threat Intelligence and Cyber Operations MONTH DD, YYYY SEPTEMBER 8, 2014

How we see malware introduced Phishing Targeted Phishing Water hole Download (software (+ free ), music, films, serialz)

BREAKING THE KILL CHAIN AN EARLY WARNING SYSTEM FOR ADVANCED THREAT

NASCIO 2015 State IT Recognition Awards

Defending Against Cyber Attacks with SessionLevel Network Security

White Paper. Intelligent DDoS Protection Use cases for applying DDoS Intelligence to improve preparation, detection and mitigation

ENISA s Study on the Evolving Threat Landscape. European Network and Information Security Agency

IBM Advanced Threat Protection Solution

Find the needle in the security haystack

Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst

I D C A N A L Y S T C O N N E C T I O N

Advanced Visibility. Moving Beyond a Log Centric View. Matthew Gardiner, RSA & Richard Nichols, RSA

JUNIPER NETWORKS SPOTLIGHT SECURE THREAT INTELLIGENCE PLATFORM

The Role of Threat Intelligence and Layered Security for Intrusion Prevention in the Post-Target Breach Era

ASEAN Regional Forum Cyber Incident Response Workshop Republic of Singapore 6-7 September Co-Chair s Summary Report

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

Payment Card Industry Data Security Standard

Full-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform

Security Analytics for Smart Grid

Session 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness

Information Technology Risk Management

Why a Network-based Security Solution is Better than Using Point Solutions Architectures

Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model

Anatomy of Cyber Threats, Vulnerabilities, and Attacks

ESKISP Manage security testing

Transcription:

Data Driven Assessment of Cyber Risk: Challenges in Assessing and Mitigating Cyber Risk Mustaque Ahamad, Saby Mitra and Paul Royal Georgia Tech InformationSecurity Center Georgia Tech Research Institute (In collaboration with the World ldeconomic Forum) 1

Talking About Cyber Risk Risk = Prob.[adverse event]*impact[adverse event] Attacks occur when threat sources exploit vulnerabilities Mean time to compromise? to Mean time to recover? (assuming detection) Traditional i ldependability d assumptions and solutions do not apply. 2

Why Even Try It? Current cyber risk is anecdote and perception based and we lack the ability to objectively assess the risk ikposed by ever evolving li cyber threats. Current cyber security threat data is fragmented and collected by disparate entities such as security vendors, vendors serving different sectors and academic research centers. Publicly available cyber security data is often delayed and does not provide the ability to quickly respond to new threats that require coordinated effort within a short time. A trusted data sharing and analysis platform that brings data from multiple sources and provides novel analysis will increase our ability to respond to emerging threats quickly and effectively. 3

Approach Explore partnerships to collect cyber risk relevant data from multiple sources and analyze it to create metrics that summarize current cyber security threats Combine public and proprietary data sources on cyber threats such as software vulnerabilities, drive by downloads and malware from a variety it of cyber security organizations. Provide threat analytics and visualization tools suitable for novice and advanced users, and that can be customized based on industry, technology platform, or geographic region 4

What dt data is relevant? Key Questions Vulnerabilities, alerts from IDS system, compromised or malicious services? Where does the data come from? Public, proprietary from security vendors or government or private entities? What can we do with such data for better understanding of cyber risk? Analysis, visualization, prediction? What value does a cyber risk tool offer? Actionable information?

Current Data Sources Public data Vulnerabilities reported to NVD Summarized proprietary data Drive by download risk data froma major security vendor Potentially malicious network traffic targeting an enterprise IDS/IPS alert data captured from Georgia Tech networks

Overall System Architecture Dashboard & Decision Support Visualization and Predictive Analytics A tool to display cyber security metrics and analysis that is customized to a specific technology profile, industry or region Data Warehouse Database A structured t and consolidated d view of the public and proprietary it cyber security dt data Data Extractors Software to interpret data sources and extract data to populate a common database Possible Data Sources Proprietary Threat intelligence from security organizations IDS data from security service providers New vulnerability data from software vendors Public National vulnerabilities database (NVD), Secunia, Security Focus, and others Research Centers (e.g., Georgia Tech Information Security Center) GTISC uses proprietary systems to identify drive by downloads (malware) in popular domains. GTISC collects 1 million malware samples every month and identifies command and control domains setup by criminals to issue directives. Cyber Risk Relevant Data Vulnerabilities and Threat Intelligence Errors in commonly used software that t can be used to compromise personal or corporate systems Malware Software used to disrupt operations, gather sensitive information, or gain access to private computer systems. 7

The Why and What Why we need What we need Predictive Analysis Expected volume/severity of attacks on a day Expected number of 0 day vulnerabilities on a day Coordinated Response Sharing of countermeasures / response to threats Threat Intelligence Emerging threat intelligence from security organizations Alert Data Intrusion Detection System Data from security service providers like IBM and Dell New Vulnerabilities New Vulnerability Data from software vendors More Comprehensive Response More malware samples and more C&C domains will provide for a more protected environment for everyone Malware samples and C&C Domains Additional malware samples and C&C domains from security service providers and security vendors to be shared within a trusted group What we have Public Vulnerability Data GT Information Security Center GTISC collection of 1 million malware National vulnerabilities database (NVD), samples every month, as well as command Secunia, Security Focus, and others and control (C&C) domains. Vulnerabilities Malware 8

Challenge I Access to Real world Threat Data Data Sources: Partnerships with various organizations to obtain cyber risk relevant data is critical for the success of the project Security Vendors and Service Providers Dell Secureworks IBM ISS Symantec Consumers of Security Solutions CERTs Banks Software Vendors Microsoft Oracle SAP Client Companies & Govt. Agencies IDS data Malware samples C&C domain list Vulnerabilities Malware samples C&C domain list Vulnerabilities Countermeasures Typical profiles Security Needs IDS Data Critical partnerships Supporting partnerships 9

Challenge II Analytics Analytics: While combining data sets provides new opportunities, developing customized tools will depend on the data feeds available Drive by Download Risk Compromised websites infect user machines just because they visit Serious threats for everyday users Georgia Tech can detect likelihood of such infections Behavior Fingerprints of Malware Rapidly changing gmalware means we must focus on execution behavior Georgia Tech processes about 100,000 samples each day Malware families and spread What is My Cb Cyber Risk Td Today? Predictive Analytics IT profile and security posture Value associated with target Observed malicious activity Mitigation options and ability Epidemiological analysis How far can an attack spread?how rapidly can it spread? Are certain sectors under higher risk? What if scenarios How would these change with a specific mitigation plan? 10

Challenge III Threat Visualization for Ati Actionable Information Visualization: Aggregating all the data feeds in a meaningful way to provide a cyber threat barometer is difficult. Using Visualization for Navigating Large Amounts of Threat Data Data overload is a serious problem Flower field metaphor for presenting big picture Threatened assets can be easily identified for additional analysis An abnormal asset visualization points to increased risk From Big Picture to Deeper Insights Click on it can provide details of vulnerabilities, exploits and attack information Better situation awareness and response strategy 11

Example of System Provided Intelligence: Malware Source 12

Vulnerability Disclosure Calendar 13

Vulnerability Data Visualization Demo

Potential Benefits Data driven cyber risk assessment can enhance cyber resilience Modeling attacks: Will we ever have be MTTA and MTTR for cyber attacks? Predictive value: early attack warning & proactive response Better intelligence about emerging threats and vulnerabilities More effective human in the loop decision making with analytics and visualization CERT 2.0 Real time access to threat information 15

Planned Work: Threat Weather Reports Public vulnerability data collection and analysis Calendar style visualization shows high level trends and allowsdrill down for deeper insights Customization for given information technology profile (sector or organization specific) Malware Threat Intelligence Drive by download risk by daily analysis of popular websites Attempted attack data visualization and and timebased trends 16

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information