
Cyber Analytics: The New Security Dimension

Mario Balakgie
Director Cybersecurity
World Wide Technology, Inc

Copyright 2014 World Wide Technology, Inc. All rights reserved.

Industry Assessment of Challenges

Primary Security Challenges for 2014:

As trust erodes, and it becomes harder to define which systems and relationships are trustworthy and which are not, organizations face several key issues that undermine their ability to address security:
1) Greater attack surface area
2) Proliferation and sophistication of the attack model
3) Complexity of threats and solutions

*Source: Cisco Annual Security Report 2014

Today's Threats

THE VICTIM: It could be you. All sizes of businesses and all industries are at risk of some kind of security event.

THE CULPRIT: Most attacks are perpetrated by external actors. Financially-motivated criminal gangs are the dominant type.

THE TARGET: Mainly payment and bank data, which can be quickly converted into cash. User credentials are also a popular target as gateways to other kinds of data or systems.

THE ATTACK: Hacking and malware are the most popular attack methods. Server and user devices are the main targets.

THE CHASE: Attackers have gotten faster at breaching systems. Defenders have gotten faster too, but they're falling further behind. Many breaches are detected by third parties.

*Source: Verizon Data Breach Investigations Report 2014

The Silver Bullet Does Not Exist

TIMELINE OF SECURITY CAPABILITIES (2000 to 2014): Firewall, Anti-virus, Certificate Mgmt, Intrusion Detection, Network Access Ctrl, Application Control

ADVANCED THREATS ARE HARD TO DETECT
100%: Valid credentials used
243: Median # of days before detection
40: Average # of systems accessed
63%: Victims notified by external entity

Next Generation Techniques and Analytics

To achieve a reasonable level of protection, organizations must deploy defenses against both known and unknown threats, including:
ZERO DAY EXPLOITS
SPEAR PHISHING
TARGETED ATTACKS
TIMED ATTACKS
LURES AND REDIRECTS
SOCIAL MEDIA

Stopping known threats with the current state of blocking and preventing IS NO LONGER ADEQUATE!

Signature Detection Methods are NOT Enough

The average timeline for identifying a security breach is measured in weeks or months. We must change the way we view detection of threats:

FULL IDENTITY MANAGEMENT: Who, what device, connected how
PACKET AND LOG COLLECTION: Full context of network traffic
BIG DATA ANALYTICS: Analyze large amounts of data
A New Security Approach Is Required

PAST PLATFORM: LAN/Internet, Client/Server, PC
IT CONTROLLED, PERIMETER-BOUND
PREVENTION, SIGNATURE-BASED

TODAY'S PLATFORM: Mobile, Cloud, Big Data, Social, Mobile Devices
USER-CENTRIC, BORDERLESS
DETECTION, INTELLIGENCE-DRIVEN

*Source: RSA

Shift in Priorities and Capabilities

Today's Priorities: Prevention 80%, Monitoring 15%, Response 5%
Intelligence-Driven Security: Prevention 33%, Monitoring 33%, Response 33%

*Source: RSA

Why Cyber Analytics Architecture?

Establishes a Flexible Security Model for the Enterprise
Demonstrates Security Best Practices, including:
  Security Architecture Design
  Governance, Risk, and Compliance Processes and Tools
  Packet Capture, Log, and Metadata Generation
  Security Analysis, Big Data, and Visualizations
  Security Incident Response
  Forensics
Multi-vendor Integrated Security Solutions
Competency around Security, Big Data, Data Center, Networking, Wireless, and other technologies

First Step: Assess your Readiness and Maturity Level

Application of CMMI maturity models to Information Security (security capabilities plotted against resilience to threats and vulnerabilities):

LEVEL 1, INITIAL: Ad hoc; no formal capabilities; represents risks; limited or non-existing policies
LEVEL 2, REPEATABLE: Informal roles; security practices present but not formalized
LEVEL 3, DEFINED: Established policies; roles defined; some accountability present; compliance focused
LEVEL 4, MANAGED: Risks measured; governance and process defined; information centric approach; metrics defined
LEVEL 5, OPTIMIZED: Risk-aware culture; continuous risk improvements; business owners; proactive approach to changes in business, technology and compliance

Advanced Cyber Analytics

TRADITIONAL INPUTS: HIDS/IPS/IDS, App Whitelisting, Anti-virus, Firewalls, Access Control, SIEM, Application Control, Data Loss, NextGen Firewall
ADVANCED THREAT DETECTION: Sandboxing, Threat Intelligence, Live Memory Analysis, Anomaly Detection
CYBER ANALYTICS: Big Data, Packet Capture, Situational Awareness (near real time | batch)

Across all three stages: Monitor, Report, Correlate, Eliminate false positives, Tune

Cyber Analytics Reference Architecture

MANAGEMENT: Management tools allow continuous monitoring, updates and maintenance
RESPONSE: Rules engines process alerts and enable automated or procedural responses; dashboards and alerts provide summarizations
ANALYTICS: Analytics process sensor data looking for malicious activities and anomalies
SENSORS (SECURITY SENSORS | DATA SOURCES): Sensors capture and forward packets, metadata, netflows, logs, etc.
INFRASTRUCTURE (NETWORK | COMPUTE | STORAGE): IT Infrastructure monitors enterprise networks

Improving the Analytics Cycle

BEFORE: Prepare Enterprise; Advance Analytics (maturity: Initial, Repeatable, Defined, Managed, Optimized)
DURING: Analyze Anomalies; Forensic Analysis
AFTER: Adapt; Remediate; Tune
ADAPT: Reduce Attacker Free Time; Predictive Analytics
USE CASE (BIG DATA & ADVANCED ANALYTICS): Security Event Stratification
What are the most important events?
Which events can I ignore?
Which events are actionable?
What actions should be taken?
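The reference architecture above (sensors forward records, analytics look for malicious activity and anomalies, a rules engine turns alerts into automated or procedural responses, dashboards summarize) and the four stratification questions of this use case can be walked through end to end with a small pipeline. The Python below is an added example written for this page; it is not World Wide Technology's code or any product's. Every log line in SENSOR_FEED is constructed, and the thresholds (three failures in sixty seconds, ten MiB to an external address), the tier names and the playbook text are assumptions chosen for illustration.

```python
"""Toy cyber-analytics pipeline: sensors -> analytics -> rules engine -> dashboard.

Added example for this page, not World Wide Technology's code. Every record in
SENSOR_FEED is constructed; thresholds, tier names and playbook text are assumptions.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# --- Sensor layer: constructed auth and flow records, as a collector would forward them ---
SENSOR_FEED = [
    "2014-05-01T08:00:01 auth host=ws17 src=10.0.5.23 user=alice result=FAIL",
    "2014-05-01T08:00:03 auth host=ws17 src=10.0.5.23 user=alice result=FAIL",
    "2014-05-01T08:00:04 auth host=ws17 src=10.0.5.23 user=alice result=FAIL",
    "2014-05-01T08:00:06 auth host=ws17 src=10.0.5.23 user=alice result=FAIL",
    "2014-05-01T08:00:09 auth host=ws17 src=10.0.5.23 user=alice result=OK",
    "2014-05-01T08:01:10 flow host=ws17 src=10.0.5.23 dst=203.0.113.7 dport=4444 bytes=52428800",
    "2014-05-01T08:05:00 auth host=ws02 src=10.0.5.40 user=bob result=FAIL",
    "2014-05-01T08:05:30 auth host=ws02 src=10.0.5.40 user=bob result=OK",
    "2014-05-01T08:06:00 flow host=ws02 src=10.0.5.40 dst=10.0.1.5 dport=443 bytes=8120",
    "2014-05-01T08:07:00 auth host=ws09 src=10.0.5.88 user=carol result=OK",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>\w+)\s+(?P<rest>.+)$")

def parse_line(line):
    """Normalise one record into a dict; malformed lines yield None instead of stopping the feed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group("ts"))
    except ValueError:
        return None
    ev = {"ts": ts, "kind": m.group("kind")}
    for kv in m.group("rest").split():
        key, _, val = kv.partition("=")
        ev[key] = val
    return ev

# --- Analytics layer: assumed thresholds, chosen for the example ---
FAIL_THRESHOLD = 3                      # failures that make a burst suspicious
WINDOW = timedelta(seconds=60)          # burst and follow-on success must fit in this window
BIG_TRANSFER = 10 * 1024 * 1024         # bytes to an external address worth a look
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

def analyze(events):
    """Turn normalised events into scored alerts: guess-then-success, large external flows, stray failures."""
    alerts = []
    auth_by_actor = defaultdict(list)
    for ev in events:
        if ev["kind"] == "auth":
            auth_by_actor[(ev["host"], ev["src"], ev["user"])].append(ev)
        elif ev["kind"] == "flow" and ipaddress.ip_address(ev["dst"]) not in INTERNAL:
            if int(ev["bytes"]) >= BIG_TRANSFER:
                alerts.append({"host": ev["host"], "name": "large_external_transfer", "severity": "medium",
                               "evidence": f"{ev['bytes']} bytes to {ev['dst']}:{ev['dport']}"})
    for (host, src, user), evs in auth_by_actor.items():
        fails = [e for e in evs if e.get("result") == "FAIL"]
        oks = [e for e in evs if e.get("result") == "OK"]
        burst = len(fails) >= FAIL_THRESHOLD and fails[-1]["ts"] - fails[0]["ts"] <= WINDOW
        if burst and any(timedelta(0) <= o["ts"] - fails[-1]["ts"] <= WINDOW for o in oks):
            alerts.append({"host": host, "name": "credential_guess_success", "severity": "high",
                           "evidence": f"{len(fails)} failures then success for {user} from {src}"})
        elif fails:
            alerts.append({"host": host, "name": "auth_failure", "severity": "low",
                           "evidence": f"{len(fails)} failure(s) for {user} from {src}"})
    return alerts

# --- Rules engine: answers the stratification questions per host (assumed playbook) ---
PLAYBOOK = {
    "ACTIONABLE": "isolate host, reset credential, open incident",
    "REVIEW": "analyst triage during the shift",
    "IGNORE": "retain for baseline only, no ticket",
}

def stratify(alerts):
    """Correlate alerts by host and assign a tier plus the procedural response for it."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    decisions = []
    for host, host_alerts in by_host.items():
        sev = {a["severity"] for a in host_alerts}
        tier = "ACTIONABLE" if "high" in sev else "REVIEW" if "medium" in sev else "IGNORE"
        decisions.append({"host": host, "tier": tier, "action": PLAYBOOK[tier],
                          "alerts": sorted(a["name"] for a in host_alerts)})
    return decisions

# --- Dashboard: summarise tiers and list what actually needs action ---
def dashboard(decisions):
    counts = Counter(d["tier"] for d in decisions)
    todo = [f"{d['host']}: {d['action']} ({', '.join(d['alerts'])})"
            for d in decisions if d["tier"] == "ACTIONABLE"]
    return {"tiers": dict(counts), "actionable": todo}

def run_pipeline(lines):
    events = [e for e in (parse_line(l) for l in lines) if e]
    return dashboard(stratify(analyze(events)))

if __name__ == "__main__":
    print(run_pipeline(SENSOR_FEED))
```

Run as a script, the dashboard reports one ACTIONABLE host (ws17: a burst of failed logons followed by a success, then a large transfer to an external address) and one IGNORE host (ws02: a single stray failure that stays in the baseline). The design point is that the rules engine, not the analytics, decides what is important, what is ignorable, what is actionable and what to do, so the analytics thresholds and the playbook can each be tuned without touching the other layer.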

USE CASE (BIG DATA & ADVANCED ANALYTICS): Malware Forecasting, Analysis and Impact
What malware currently exists?
Which of my systems are vulnerable?
Which immediate patches or upgrades?
Prioritized risk scoring of malware

USE CASE (BIG DATA & ADVANCED ANALYTICS): Exploit and Attack Prediction
What are the signs of imminent attack?
Where and how would such an attack occur?
Which IT systems are vulnerable?
What would be the impact of such an attack?

USE CASE (BIG DATA & ADVANCED ANALYTICS): Insider Threat
What employees are at a security risk?
Who has access to sensitive data?
Are they exhibiting anomalous behavior?
Where and when are they accessing the system?

USE CASE (BIG DATA & ADVANCED ANALYTICS): Enterprise Risk Management
What assets are non-compliant?
What threats exist against those assets?
What has changed in the environment?
Where is the sensitive data and who has access?

USE CASE (BIG DATA & ADVANCED ANALYTICS): Incident Management and Forensics
Where did the attacker go?
What was the timeline of the breach?
What was taken?
What was left behind, if anything?

USE CASE (BIG DATA & ADVANCED ANALYTICS): Fraud Detection: E-Commerce Customers
Who is a normal user?
What is abnormal behavior?
How do they interact with the system?
Where and when are they accessing the system?

Key Takeaways

Organizations are at risk and likely to be breached
Detection is critical
Multi-technology / multi-vendor approach
Enterprise processes and continuous improvement are necessary

Summary

Cyber Analytics provides:
Multi-vendor integrated architecture for defense, detection, response, and continuous improvement
Individual products can be changed; core functions remain constant
Aligns Enterprise IT, Security and Big Data
Flexibility in use case design and implementation
Thank You!

End-to-End Expertise: Public Sector, Service Provider, Commercial
IT PRODUCTS, SERVICES & SUPPLY CHAIN SOLUTIONS

NETWORK: Enterprise Campus/Branch; Data Center Networking; High-End Routing & Optical; Wireless & Mobility; Software-Defined Networking
SECURITY: Access Control; Network & Data Protection; Security Management & Analysis; Risk & Compliance
COLLABORATION: Unified Communications; Video Conferencing & Client Experience; Contact Center
DATA CENTER: Facilities; Information Storage & Backup; Compute & Virtualization; Data Center Transformation; Big Data
SUPPLY CHAIN: Integration Technology Center; Global Inventory Management; Staging and Logistics; Product Configuration; Serial # and Asset Tagging

ADVANCED TECHNOLOGY CENTER ARCHITECTURAL SOLUTIONS
PROFESSIONAL & ADVANCED SERVICES

Advanced Technology Center (ATC)

ATC Vision: To create a collaborative ecosystem to design, build, educate, demonstrate and deploy innovative technology products and integrated architectural solutions for our customers, partners and employees around the globe.