A brief run-through of the economics of controls and threats, and of how attackers and defenders think, followed by an introduction to current and next-generation security analytics.
4. GRAPHS?
NAVIGATING A GRAPH
▸ Expensive exploits are expensive
▸ Use the least expensive weapon
▸ Cost of 0Day exploits
▸ Use once == expensive
5. DEFENDERS THINK IN POINT SOLUTIONS
IMPLEMENTING MOVIE-PLOT POINTS
▸ Natural-path engineering; lay out buildings, let people find the paths
▸ We find the best way forward
▸ We get around controls - it’s in our nature.
6. MOTIVATION IS NOT IMPACTED BY CONTROLS.
AS LONG AS THE ATTACK IS ECONOMICALLY FEASIBLE, MOTIVATION REMAINS.
ME!
ACADEMIC PSEUDO-INTELLECTUALISM
7. MOTIVATION AND ECONOMIC BENEFIT
▸ The implementation of the “child pornography filter” did not change the number of convictions in Denmark
▸ It did move it out of the “open” Internet
▸ Introducing a censorship filter for enticing terrorism will not solve the problem of radicalising the youth
▸ It will move it from the “open” Internet somewhere else
▸ The clearing of pusher-street in Christiania did not stop the sale of marihuana
▸ It did move it out of the open
▸ Laws work wonders for law-abiding citizens
8. ECONOMIC BENEFIT
▸ Paedophiles will not stop because of a DNS block, regardless of the penalty
▸ Buying marihuana does not carry a penalty in Denmark
▸ Selling marihuana does not carry a penalty (besides whatever you have on you at the point of arrest)
▸ We can only start winning once we understand what “winning” is and what game we are actually playing
9. WE FIGHT HUMAN NATURE. PICKING THE RIGHT BATTLE IS KEY FOR WINNING.
ME
PICKING THE RIGHT BATTLE
10. WE WANT THE EASIEST ATTACKS. NOT THE HARDEST.
ME
WINNING THE RIGHT BATTLE
11. EASY ATTACKS - SINCE WE CAN’T AVOID ATTACKS
SURRENDERING?
▸ Attackers are lazy
▸ Attackers optimise cost (0days)
▸ Controls raise the cost of attacks
▸ Making attacks hard to detect
▸ Controls are not “free”
▸ Cancer-screening has a higher mortality than not screening
▸ Anti-Virus engines are points-of-infection
▸ Accept attacks will happen
▸ Deal with the attacks when they happen
▸ Don’t screen for cancer, or move the attackers away from the obvious routes
12. EASY ATTACKS - SINCE THEY CAN’T BE AVOIDED
NOT SURRENDERING - PICKING THE BATTLEFIELD
▸ Defensively design your security architecture
▸ Understand its weaknesses
▸ Exploit weaknesses
▸ Monitor and gather intelligence, and defend smarter
13. ECONOMY OF THE DEFENCE
SHOULDN’T WE INVEST IN CONTROLS?
▸ Of course!
▸ Controls impose costs on the attacks
▸ The barrier of entry (cost of attack) deters some, but typically only the lowest on the spectrum
▸ Controls as point-solutions give way to target-fixation
▸ GDPR changes the economy of the defence
15. CURRENT STATE OF SECURITY ANALYTICS
COMPONENTS OF SECURITY ANALYTICS
DATA: INGEST, PROCESS, ANALYSE, PRESENT, VIZ, ACT.
16. CURRENT STATE OF SECURITY ANALYTICS
▸ Nothing new.
▸ Everyone does syslog
▸ Everyone has an agent
▸ Some do Flow-analytics
▸ Some do application-level analytics
▸ Few do full-packet captures
DATA INGESTION
17. CURRENT STATE OF SECURITY ANALYTICS
▸ Inbound content must be structured
▸ Structure sometimes follows a common language
▸ Taxonomy, Ontology - whatever floats your boat
▸ Some content is sometimes enriched with metadata
▸ Threat Intel, GeoIP, Asset Management DB info etc.
▸ This part has to be fast - many vendors “cheat”
PROCESSING
18. ANALYSIS
▸ Analytics today is relatively simple
▸ Simple statistics
▸ Advanced statistics
▸ Patterns
▸ Known-bad, known-good analysis on more COTS platforms
▸ Most vendors pack tons of alerts and correlations
SECURITY ANALYTICS
19. ANALYSIS
▸ Most vendors provide views on the raw data or an abstraction of the raw data
▸ Most vendors provide a relatively easy way to set up views on the raw or aggregated data for analytics
▸ Some vendors have great views when presenting alerts and important events
▸ Few if any systems are able to present hierarchies of data, the relationships between events and deviations on hierarchies
PRESENTATION
20. ANALYSIS
▸ Pie charts
▸ geo maps
▸ tables
▸ rows, columns and heatmaps
▸ Nothing you couldn’t do with Excel - and maybe that’s OK
DATA VISUALIZATION
21. ANALYSIS
▸ We collect syslog, application data and network data
▸ We process it, transform it
▸ We enrich and present it both for the analyst and graphically
▸ Making the system provide actionable information for the analyst
▸ Some systems even go the next step and perform proactive responses on other platforms
▸ E.g. shut ports, add to ACLs, disable users
ACTIONS
22. CURRENT STATE OF SECURITY ANALYTICS
COMPONENTS OF SECURITY ANALYTICS
USING SIEM AND GETTING VALUE FROM ANALYTICS: SCALING OUT, ANCHOR IN ORG, INVEST IN PROJ., IN-HOUSE?, NON-INF APPS
24. USING AND GETTING VALUE OUT OF SIEM
SCALING OUT
▸ The only thing constant is change; 20% growth in volume
▸ Areas that we need to scale on
▸ Ingestion
▸ Processing
▸ Storage
▸ Presentation
25. USING AND GETTING VALUE OUT OF SIEM
SCALING OUT
▸ Ensure your system scales well when it comes to ingestion
▸ Everyone is doing it differently
▸ Some solutions tie together backends and presentation layers
▸ Scaling presentation is immensely important for widespread adoption in your organisation
▸ Scaling the backends should not be a concern in 2016
29. IN THE CORNER. SILENTLY COLLECTING LOGS AND TRIGGERING ALERTS, NOBODY WILL EVER SEE.
ME
WHEN DO WE FAIL
30. USING AND GETTING VALUE OUT OF SIEM
ORGANISATIONAL ANCHORING
▸ SIEMs fail if they are the point solution to a problem
▸ Stakeholders lose interest
▸ The value-prop was never clear
▸ A great sale but a horrible purchase
31. USING AND GETTING VALUE OUT OF SIEM
ORGANISATIONAL ANCHORING
▸ Logs and network data are immensely rich in information
▸ This information can be used for much more than security
▸ Let help-desk users use pre-defined views and prepared analytics for easier resolution (move work to 1st level support)
▸ Allow your Ops team to use analytics for root-cause analysis, statistics for predictions and forecasts
▸ Allow your management team to view quality of infrastructure and do controls of outsourced services
▸ Liberate data from silos
33. USING AND GETTING VALUE OUT OF SIEM
INVESTING IN THE PROJECT
▸ Set expectations - understand why we use analytics
▸ Introduce the notion of the Lockheed Martin Cyber Kill Chain (see next slide)
▸ Understand the threat landscape
▸ Identify the key threats to the organisation (ext)
▸ Identify the key threats identified by the organisation (int)
▸ Bringing it all together
38. INVESTING IN THE PROJECT
IDENTIFYING KEY INTERNALLY IDENTIFIED THREATS
▸ Use the internal risk assessment
▸ Compare with external threat information
▸ Identify any potential gap - ask yourself why it exists
39. INVESTING IN THE PROJECT
BRINGING IT ALL TOGETHER
▸ With threats and critical systems identified
▸ And with an understanding of the kill-chain and the cost of controls in mind
▸ The task of the project-team is to identify the success criteria for the project with a common acceptance and buy-in from leadership and stakeholders
41. THE SECURITY OPERATIONS CENTER
CONSIDERATIONS
▸ The 3 Ps
▸ People, Process and Technology
▸ Is it possible to retain skill
▸ At the level we need
▸ In numbers sufficient to staff the SOC
▸ Are we mature enough to identify which alerts and incidents we want to act on
▸ Can we with confidence say that we understand how to act when we then receive the alert?
▸ Engagement models:
▸ Who takes action on our network during a breach
▸ What gets escalated back “home”
▸ Do we have sensitive data preventing a full managed SOC?
43. USING SIEM FOR ENTERPRISE APPLICATIONS
WHERE IS THE GOLD IN YOUR NETWORK
▸ Third generation SCADA
▸ Industry 4.0
▸ SOA-Enabling your ERP Platforms
▸ Federated Access with suppliers
44. WHERE IS THE GOLD
PATH OF LEAST RESISTANCE
▸ Vulnerabilities in SCADA
▸ Hard-coded admin-passwords
▸ non-patchable systems, “because operational IT”
▸ Non-networked mindset of admins
▸ Industry 4.0
▸ “Smart products with localisation point, status, historical positions and data points, allowing globally unique identification of all products” - Good luck with that
45. WHERE IS THE GOLD
PATH OF LEAST RESISTANCE
▸ SOA-Enabling your ERP Platforms
▸ % of SAP notes found externally
▸ SAP offers mobile access, organisations offer BYOD
▸ Do we trust jail-break detection?
▸ Federated Access with external suppliers
▸ Identities do not exist any longer
▸ Business rules define access to the network now
46. WHERE IS THE GOLD
USE-CASES FOR ENTERPRISE APPLICATION SIEM USE
▸ Changing master data records
▸ Critical transactions (payments)
▸ Changes in performance data (valve pressure)
▸ Critical changes to equipment (voltage, valve positions)
▸ Abnormality on order sizes, frequency, workflows
▸ The data is here - why not use it?
49. NEXT GENERATION - CHALLENGES
DIVERSITY IN DATA - VALUE IS FOUND EVERYWHERE
TWO PROBLEMS: LARGE VARIATION, LARGE VOLUME
50. NEXT GENERATION
INFORMATION OVERLOAD: OVERCOMING CHALLENGES
▸ Even with effective alerts, the amount of data is unmanageable
▸ Workflow is the key
PREPARE: SITUATIONAL AWARENESS. IDENTIFY: ANALYSIS. REACT: INVESTIGATE. IMPROVE: COLLABORATE.
51. NEXT GENERATION
WORKFLOW
▸ Situational awareness
▸ Identify anomalies based on what is observed
▸ Time of day deviations or time of year (scale!)
▸ Identify / analyse
▸ Based on the norm and baseline we can work on large-scale analytics
▸ Complex temporal changes in behaviours and activity
▸ React and “arm the investigators”
▸ Rapid response on what data was exposed, how and not least why
▸ Improve / Collaborate
▸ Feedback of the intelligence created in the analysis must be fed back into the system
▸ Partners and collaborators must receive the right amount of supporting information
▸ Think of this as the collective immune system
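The “identify anomalies based on what is observed” step of this workflow (time-of-day deviations against a learned baseline) and the enterprise-application use-case from slide 46 (abnormality in order sizes) rest on the same mechanism: learn a per-key norm from history, then score new observations by how far they sit from it. The following is an added example of that mechanism, not code from the deck or any product; the login history, the order history and the thresholds are constructed, and a key with no or too little history deliberately scores as infinitely anomalous so that “never seen before” surfaces first rather than being averaged away:

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Tuple


class Baseline:
    """Running mean / standard deviation per key, learned from history."""

    def __init__(self):
        self._n = defaultdict(int)
        self._sum = defaultdict(float)
        self._sumsq = defaultdict(float)

    def learn(self, key, value: float) -> None:
        self._n[key] += 1
        self._sum[key] += value
        self._sumsq[key] += value * value

    def stats(self, key) -> Tuple[int, float, float]:
        n = self._n[key]
        if n == 0:
            return 0, 0.0, 0.0
        mean = self._sum[key] / n
        var = max(self._sumsq[key] / n - mean * mean, 0.0)
        return n, mean, math.sqrt(var)

    def score(self, key, value: float, min_samples: int = 5) -> float:
        """Absolute z-score of value against the key's baseline. Too little
        history, or a value that breaks a constant history, scores +inf."""
        n, mean, std = self.stats(key)
        if n < min_samples:
            return math.inf
        if std == 0.0:
            return 0.0 if value == mean else math.inf
        return abs(value - mean) / std


# Time-of-day login deviations (the workflow slide). logins: (user, datetime).
def daily_hour_counts(logins):
    counts = defaultdict(lambda: [0] * 24)  # {(user, date): 24 hourly counts}
    for user, ts in logins:
        counts[(user, ts.date())][ts.hour] += 1
    return counts


def learn_login_baseline(history) -> Baseline:
    b = Baseline()
    for (user, _day), hours in daily_hour_counts(history).items():
        for hour, c in enumerate(hours):  # quiet hours are learned as zeros
            b.learn((user, hour), c)
    return b


def login_hour_anomalies(baseline, logins, threshold=3.0):
    flagged = []
    for (user, day), hours in daily_hour_counts(logins).items():
        for hour, c in enumerate(hours):
            if c and baseline.score((user, hour), c) > threshold:
                flagged.append((user, day, hour, c))
    return flagged


# Order-size deviations per customer (the enterprise-application slide).
def learn_order_baseline(history) -> Baseline:
    b = Baseline()
    for customer, amount in history:
        b.learn(customer, amount)
    return b


def order_anomalies(baseline, orders, threshold=3.0):
    out = []
    for customer, amount in orders:
        z = baseline.score(customer, amount)
        if z > threshold:
            out.append((customer, amount, z))
    return out


# Constructed sample data (not from the deck).
def constructed_login_history(days=20):
    """alice logs in every day around 08:00 and every second day around 09:40."""
    start, hist = datetime(2016, 9, 1), []
    for d in range(days):
        day = start + timedelta(days=d)
        hist.append(("alice", day.replace(hour=8, minute=12)))
        if d % 2 == 0:
            hist.append(("alice", day.replace(hour=9, minute=40)))
    return hist


LOGIN_HISTORY = constructed_login_history()
NEW_LOGINS = [
    ("alice", datetime(2016, 9, 21, 3, 2)),     # 03:02, never seen for alice
    ("alice", datetime(2016, 9, 21, 8, 9)),     # normal
    ("alice", datetime(2016, 9, 21, 9, 31)),    # within baseline
    ("mallory", datetime(2016, 9, 21, 11, 0)),  # no history at all
]
ORDER_HISTORY = [("cust-42", a) for a in (90, 110, 100, 95, 105, 100, 98, 102)]
NEW_ORDERS = [("cust-42", 103.0), ("cust-42", 5000.0), ("cust-99", 50.0)]

if __name__ == "__main__":
    print(login_hour_anomalies(learn_login_baseline(LOGIN_HISTORY), NEW_LOGINS))
    print(order_anomalies(learn_order_baseline(ORDER_HISTORY), NEW_ORDERS))
```

The “scale!” remark on the slide is where this toy breaks: a per-(user, hour) key is cheap, but seasonal baselines (time of year) need the key to carry the week or month as well, and the same baseline object then has to be sharded across the cluster rather than kept in one process.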
53. NEXT GENERATION
WORKING WITH DATA
▸ Drill-down
▸ Re-draw - build hierarchies based on relationships
▸ Use gathered data, third party threat intel or collaboration
data as a key to further expand on the search
▸ With our “enriched” analysis we can map a focus area
▸ Replay interactions over time, spot patterns and behaviour
▸ Login, data is moved out of network (repeat ad infinitum)
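The drill-down described here (use a threat-intel hit as the key, re-draw the hierarchy of users, hosts and destinations related to it, then replay the interactions over time) as an added example; this is not code from the deck or any product, and the connection events and the single threat-intel indicator are constructed:

```python
from collections import defaultdict, deque

# Constructed events: (timestamp, user, host, destination). Not from the deck.
EVENTS = [
    ("2016-09-14T08:12", "alice", "ws-01", "10.0.0.10"),     # internal file server
    ("2016-09-14T08:30", "alice", "ws-01", "203.0.113.77"),  # external, in threat intel below
    ("2016-09-14T09:05", "bob",   "ws-02", "10.0.0.10"),
    ("2016-09-14T09:40", "bob",   "ws-02", "198.51.100.9"),
    ("2016-09-14T10:15", "carol", "ws-03", "192.0.2.30"),
    ("2016-09-14T11:00", "alice", "ws-07", "203.0.113.77"),
]
THREAT_INTEL = {"203.0.113.77"}  # constructed indicator


def build_graph(events):
    """Undirected entity graph: user -- host -- destination IP.
    Nodes are (kind, name) tuples so that a user and a host with the same
    name never collapse into one node."""
    g = defaultdict(set)
    for _ts, user, host, dst in events:
        for a, b in ((("user", user), ("host", host)), (("host", host), ("ip", dst))):
            g[a].add(b)
            g[b].add(a)
    return g


def expand(g, seed, depth):
    """Breadth-first expansion from seed. Returns {node: distance} for every
    node within `depth` hops; the distance is the hierarchy level to draw."""
    seen = {seed: 0}
    queue = deque([seed])
    while queue:
        n = queue.popleft()
        if seen[n] >= depth:
            continue
        for m in g[n]:
            if m not in seen:
                seen[m] = seen[n] + 1
                queue.append(m)
    return seen


def pivot_on_intel(events, intel, depth=2):
    """For each indicator that actually appears in our data, the related
    sub-hierarchy. Indicators we never talked to produce no entry."""
    g = build_graph(events)
    hits = {}
    for ip in intel:
        node = ("ip", ip)
        if node in g:
            hits[ip] = expand(g, node, depth)
    return hits


def replay(events, nodes):
    """Time-ordered interactions that touch any of the given entity nodes."""
    return [
        e for e in sorted(events)
        if ("user", e[1]) in nodes or ("host", e[2]) in nodes or ("ip", e[3]) in nodes
    ]


if __name__ == "__main__":
    for ioc, sub in pivot_on_intel(EVENTS, THREAT_INTEL).items():
        print("indicator", ioc)
        for node, dist in sorted(sub.items(), key=lambda kv: kv[1]):
            print("  " * dist, node)
        for ev in replay(EVENTS, {n for n, d in sub.items() if d <= 1}):
            print("  ", ev)
```

Depth is the control here: two hops from the indicator reaches alice and the file server both of her workstations talked to, but not bob, who only shares the file server with her. Widening the depth is exactly the “expand on the search” step, and the level numbers are what the re-drawn hierarchy should display.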
54. NEXT GENERATION
LIMITATIONS OF CURRENT-GENERATION ARCHITECTURES
▸ Remember the architecture?
▸ Ingest, process, analyse, visualise, act
▸ This is inherently inefficient and a testament to legacy
▸ “NoSQL” is more part of the problem than the solution
▸ “BigData” in its true form is what will move us forward
▸ We spend most of the hardware available for processing data to store it and to prepare it
55. NEXT GENERATION
INSIGHTS INTO NEXT-GENERATION ARCHITECTURES
▸ Small hardware footprint needed for storage
▸ No processing, no normalisation, just straight to disk
▸ Use the hardware you have for analytics
▸ Towards realtime analytics and away from “Queries”
▸ Ingestion of full packet capture as an equal part to log collections
57. NEXT GENERATION ARCHITECTURE
BIG DATA?
▸ Hadoop (ecosystem) is full of great and powerful tools
▸ Cluster management, realtime streaming, graph databases, distributed file systems (HDFS) etc.
▸ The technology is ready - vendors just need to get going ;)
58. CONCLUSIONS
ANALYTICS TRENDS
▸ Machine Learning
▸ People who bought X also looked at Y
▸ Automatic signature and pattern creation
▸ Payload analytics
▸ Deep behavioural analytics on network and log data
▸ Frameworks support use-cases we could only dream of
▸ Online packet compression in real-time
▸ Analysis on packets to reconstruct network topologies behind NAT
59. CONCLUSIONS
ANALYTICS TRENDS
▸ Machine Learning Based Botnet Detection With Dynamic Adaptation
▸ Botnet beaconing based on linguistic analytics of DNS-names
▸ Detect stealthy DDoS against large-scale networks (ML)
▸ Automated discovery, attribution, analysis and risk assessment
▸ Social connectivity graphs, Machine-Learning, automatic malware reverse-engineering
60. CONCLUSIONS
ANALYTICS TRENDS
▸ Creation of “Social graphs” by crawling social networks and intercepting mail traffic
▸ Creation of “Social graphs” by analysing voice patterns and writing patterns regardless of from where they originate
▸ Combining social graphs and analyse sentiment
▸ (Radicalisation between actors)
61. NEXT GENERATION
PRODUCTISING
▸ Anomaly detection
▸ Machine learning (SparkML 2.0 just released)
▸ Graph processing (All of Facebook is stored in 1 GraphDB)
▸ Scale dynamically - provision servers and services along with the processing need
▸ Scale locally or in the cloud - based on data sensitivity
62. NEXT GENERATION
ENRICHMENT
▸ Enriching data is possible today but sees relatively slow adoption in security
▸ STIX/TAXII/Cybox/Yara and other standards provide an ontology for attacks, actors, motives
▸ The SIEM of tomorrow will evaluate every event against internal and external threat intelligence sources
▸ The SIEM of tomorrow will forward-integrate with whatever “flavor of the month” point-solution implemented
64. CONCLUSIONS
TRANSITIONS
▸ The threat-landscape is changing
▸ The efficiency of technical controls declines in comparison to the economy of the attacker
▸ We have to level the playing field by understanding our weaknesses
▸ Ensure we have security analytics in place
▸ Ensure we have the insights and capacities to deal with it ourselves or move it to a third party (responsibility not included)
65. CONCLUSIONS
TECHNOLOGY TRENDS
▸ We move to larger platforms
▸ Built with the tools developed at Twitter, LinkedIn and Facebook
▸ Queries, SQL and pre-processed data do not scale
▸ Imagine an out-sourced SOC with an installed capacity for the 20 of the Top2000 companies in Europe -
▸ Millions and millions of events every second (EPS)
66. ANALYTICS
WRAP UP
▸ We have the technology now
▸ We have the math
▸ And we are starting to understand the threats and playing field
▸ The vendors just have to wrap everything together
▸ Few, if any, organisations have the capacity to write algorithms