Situational Awareness Through Network Visualization

Similar documents
Implementing Data Models and Reports with Microsoft SQL Server 2012 MOC 10778

WHITE PAPER SPLUNK SOFTWARE AS A SIEM

First Line of Defense

TORNADO Solution for Telecom Vertical

Flexible Web Visualization for Alert-Based Network Security Analytics

Ecom Infotech. Page 1 of 6

THE 2014 THREAT DETECTION CHECKLIST. Six ways to tell a criminal from a customer.

Hillstone T-Series Intelligent Next-Generation Firewall Whitepaper: Abnormal Behavior Analysis

The Purview Solution Integration With Splunk

PALANTIR CYBER An End-to-End Cyber Intelligence Platform for Analysis & Knowledge Management

Business Intelligence and Healthcare

SQL Server 2012 Business Intelligence Boot Camp

Combating a new generation of cybercriminal with in-depth security monitoring

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Microsoft SQL Business Intelligence Boot Camp

The SIEM Evaluator s Guide

Cognitive and Organizational Challenges of Big Data in Cyber Defense

New Era in Cyber Security. Technology Development

<no narration for this slide>

Cisco IPS Manager Express

RAVEN, Network Security and Health for the Enterprise

Combating a new generation of cybercriminal with in-depth security monitoring. 1 st Advanced Data Analysis Security Operation Center

20 A Visualization Framework For Discovering Prepaid Mobile Subscriber Usage Patterns

AlienVault Unified Security Management (USM) 4.x-5.x. Deployment Planning Guide

Adobe Insight, powered by Omniture

Data Mining, Predictive Analytics with Microsoft Analysis Services and Excel PowerPivot

Security strategies to stay off the Børsen front page

IBM SECURITY QRADAR INCIDENT FORENSICS

End to End Solution to Accelerate Data Warehouse Optimization. Franco Flore Alliance Sales Director - APJ

White Paper. Intelligence Driven. Security Monitoring. v nexusguard.com

Hillstone Intelligent Next Generation Firewall

This Conference brought to you by

A New Perspective on Protecting Critical Networks from Attack:

CyberArk Privileged Threat Analytics. Solution Brief

Using LYNXeon with NetFlow to Complete Your Cyber Security Picture

Machine Data Analytics with Sumo Logic

TIBCO Cyber Security Platform. Atif Chaughtai

BIG DATA THE NEW OPPORTUNITY

Innovative, High-Density, Massively Scalable Packet Capture and Cyber Analytics Cluster for Enterprise Customers

SQL Server 2012 End-to-End Business Intelligence Workshop

Monitor and Manage Your MicroStrategy BI Environment Using Enterprise Manager and Health Center

Business Benefits From Microsoft SQL Server Business Intelligence Solutions How Can Business Intelligence Help You? PTR Associates Limited

Visualization methods for patent data

Hunting for the Undefined Threat: Advanced Analytics & Visualization

Splunk Enterprise Log Management Role Supporting the ISO Framework EXECUTIVE BRIEF

Security Event Management. February 7, 2007 (Revision 5)

The Importance of Cybersecurity Monitoring for Utilities

SITUATIONAL AWARENESS MITIGATE CYBERTHREATS

Cyber Security Metrics Dashboards & Analytics

Scaling Analytics to Meet Real-Time Threats in Large Enterprises: A Deep Dive into LogRhythm s Security Analytics Platform

Threat intelligence visibility the way forward. Mike Adler, Senior Product Manager Assure Threat Intelligence

Application Performance Monitoring (APM) Technical Whitepaper

IBM Cognos Training: Course Brochure. Simpson Associates: SERVICE associates.co.uk

CA Virtual Assurance/ Systems Performance for IM r12 DACHSUG 2011

THE OPEN UNIVERSITY OF TANZANIA

Kaseya Traverse. Kaseya Product Brief. Predictive SLA Management and Monitoring. Kaseya Traverse. Service Containers and Views

Big Data Are You Ready? Jorge Plascencia Solution Architect Manager

Network Monitoring for Cyber Security

Network Metrics Content Pack for VMware vrealize Log Insight

Analyzing the Customer Experience. With Q-Flow and SSAS

CHAPTER - 5 CONCLUSIONS / IMP. FINDINGS

DNP Serial SCADA to SCADA Over IP: Standards, Regulations Security and Best Practices

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

XpoLog Center Suite Log Management & Analysis platform

First Line of Defense

$99.95 per user. SQL Server 2008/R2 Reporting Services CourseId: 162 Skill level: Run Time: 37+ hours (195 videos)

SQL Server Administrator Introduction - 3 Days Objectives

Expanding Uniformance. Driving Digital Intelligence through Unified Data, Analytics, and Visualization

Information management software solutions White paper. Powerful data warehousing performance with IBM Red Brick Warehouse

Cover. White Paper. (nchronos 4.1)

SANS Top 20 Critical Controls for Effective Cyber Defense

Edge Configuration Series Reporting Overview

Paper Robert Bonham, Gregory A. Smith, SAS Institute Inc., Cary NC

Aternity Virtual Desktop Monitoring. Complete Visibility Ensures Successful VDI Outcomes

On-Premises DDoS Mitigation for the Enterprise

ProtectWise: Shifting Network Security to the Cloud Date: March 2015 Author: Tony Palmer, Senior Lab Analyst and Aviv Kaufmann, Lab Analyst

AlienVault. Unified Security Management (USM) 5.x Policy Management Fundamentals

IBM Security QRadar SIEM & Fortinet FortiGate / FortiAnalyzer

Anatomy of Cyber Threats, Vulnerabilities, and Attacks

Transforming the Telecoms Business using Big Data and Analytics

1. INTERFACE ENHANCEMENTS 2. REPORTING ENHANCEMENTS

NETFORT LANGUARDIAN MONITORING WAN CONNECTIONS. How to monitor WAN connections with NetFort LANGuardian Aisling Brennan

Find what matters. Information Alchemy Turning Your Building Data Into Money

Flow Visualization Using MS-Excel

Assets, Groups & Networks

Lavastorm Resolution Center 2.2 Release Frequently Asked Questions

Consuming Real Time Analytics and KPI powered by leveraging SAP Lumira and SAP Smart Business in Fiori SESSION CODE: 0611 Draft!!!

Introduction. Acknowledgments Support & Feedback Preparing for the Exam. Chapter 1 Plan and deploy a server infrastructure 1

Big Data: Rethinking Text Visualization

TRIPWIRE NERC SOLUTION SUITE

Implementing Data Models and Reports with Microsoft SQL Server

MicroStrategy Course Catalog

Cyber Security RFP Template

How To Create An Insight Analysis For Cyber Security

Minder. simplifying IT. All-in-one solution to monitor Network, Server, Application & Log Data

Transcription:

CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP Situational Awareness Through Network Visualization Pacific Northwest National Laboratory Daniel M. Best Bryan Olsen 11/25/2014

Introduction Operated by Battelle since 1965 Unique S&T strength and capabilities Mission-driven collaborations Daniel Best Cyber Security Researcher Visual Analytics Group Extensive application design and development experience Cyber security visual analytics research focus Graph analytics secondary research focus Founder of the Patchwork Cyber Analytics Pwnage Squad (PCAPS) Bryan Olsen Cyber Security Engineer Data Sciences & Analytics Group Research focus on enabling cyber analytics using high performance architectures Integration of visual analytic tools with parallel database architectures Research behavioral signatures of cyber attacks Applied OLAP techniques to cyber domain to enable high level trending and data exploration 5/1/2015 CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP 1

Need Identify when network activity deviates from expected behavior Is today different from yesterday? Explore large volumes of data to identify patterns, unexpected activity, and indicators of attack Analyzing raw network flow records is infeasible Capabilities to assist in understanding of network and typical network communication patterns Move away from reacting to the known, to exploring the unknown 5/1/2015 CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP 2

Approach Combine summarization of behavior with scalable visualization of raw network flow Be adaptable to different networks (network flow format, database technology, etc..) Visualize normal vs. abnormal activity Configurable hierarchy of IP addresses for logical groupings Scale charts based on available space More data as more space is available Visualize millions of network flows on one display Color encode traffic features for rapid identification of patterns Drill down from visual patterns to raw data 5/1/2015 CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP 3

clique CLIQUE builds behavioral baselines for hosts or groups A model of predicted activity based on past activity compared to current activity CLIQUE helps visualize the deviation of an actor from this predicted activity. Our models are built from connection-level variables rather than content it s fast. Adaptive thresholds alert analysts to offnormal behaviors, down to the level of the individual host. Trade model expressiveness for ease of computation CLIQUE relies on counts ( payloads, transactions, etc ) that are quick to measure and easy to distribute Easy to compute means we can also be flexible users can ask for new models to be created on the fly 5/1/2015 CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP 4

traffic circle A tool for interacting visually with massive log tables (up to hundreds of millions of rows) Useful for quickly identifying features and patterns What does the normal pace of activity look like? What sort of traffic does a sensor generate? What odd features are in a log that we didn t know to look for? 5/1/2015 CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP 5

Benefits Efficient identification of deviations from expected activity Shorten analysis time by highlighting what to look at first Reduce the amount of data review required for deeper investigation Understand typical network behavior patterns Visually interact with network flow at scale Investigate millions of network flows at once Expose features in traffic that would otherwise be missed Gain deeper insight into communications CLIQUE and Traffic Circle provide a means to understand an enterprise network and assist investigation 5/1/2015 CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP 6

Competition VisAlert: Network visualization tool that correlates alert logs using what, when, and where attributes Portvis: Visualization of network communication data focusing on ports Time-Based Network Visualizer (TNV): Depicts network traffic by visualizing packets and links between local and remote hosts VIAssist: Network and geospatial visualization operating on large multidimensional datasets for cyber defenders We provide a behavioral investigation and network flow exploration process unlike our competitors. 5/1/2015 CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP 7

Status Improving clique Configurability through wizards Greater flexibility for data sources X and Y axis configurable Category field selectable Migrating traffic circle One environment to enable better workflow Infrastructure in place Initial view started Increasing user base Added capability to view more than just network flow (SCADA, Financial, etc.) 5/1/2015 CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP 8

Status Usability Assessment Working on workflow and ease of use Better menus and layout Testing Automated user testing added to build server User interaction scripted through Jelly Red teaming planned when appropriate (Excelis) 5/1/2015 CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP 9

Transition to Practice DHS S&T Deployed for the past year Used on a daily bases for operational tasks Great feedback and first hand use cases NBACC Deployed for the past year Transitioning to greater usage Commercialization Identified potential transition partner 5/1/2015 CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP 10

Thanks Daniel M. Best Cyber Security Researcher VISUAL ANALYTICS Phone: (509) 372-6728 daniel.best@pnnl.gov Bryan Olsen Cyber Security Engineer DATA SCIENCES & ANALYTICS Phone: (509) 372-6268 bryan.olsen@pnnl.gov vis.pnnl.gov pnnl.gov 5/1/2015 CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP 11

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information