© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. HP Confidential.
Actionable Security Intelligence from Big Data
Simon Arnell (ESS)
Marco Casassa Mont (HP Labs)
Mind the Gap
[Diagram labels: Strategic risk assessments; Monitoring data; Actionable security intelligence; Local remediation]
Some problems:
• Reliance on humans
• Slow and costly
• Metrics not timely enough
• Dissatisfaction and low confidence
• No what-ifs or scenario exploration
ESS and HPL Collaboration Roadmap
[Timeline 2010 to 2015: Security Analytics; Project ISAIAH; Project SILAS; Big Data for Security; SDN for Security]
The Security Operations challenge
[Workflow diagram: reports arrive by Email, Hotline/Helpdesk, Call Centre, IDS and Other and go to Triage (Incident Report, Vulnerability Report, Information Request), then Analyse, Obtain Contact Information, Provide Technical Assistance, Coordinate Information & Response, and Resolution. Timescale annotations: minutes, days, weeks, months, with the target "weeks -> ? minutes"]
The Security Operations research
[Same workflow diagram (Email, Hotline/Helpdesk, Call Centre, IDS, Other; Triage with Incident Report, Vulnerability Report, Information Request; Analyse, Obtain Contact Information, Provide Technical Assistance, Coordinate Information & Response, Resolution), annotated with the two research areas: Early detection (Big Data) and Rapid Response (Software-defined Networking)]
Our Solution
Architecture
[Diagram: Big Data for Security and Model-based Predictive Analytics, with Customer Networks; Search, Filtering & Data Loaders; Model Library; Reports, Charts and Analyst Dashboards]
Key features
• Early detection
• Visualisations
• Risk Assessment
[Incident lifecycle: Occurrence, Detection, Triage, Analysis, Remediation, Resolution]
Risk Assessment
• More automated
• Model-based
• Grounded in real data
• Longer term what-ifs
[Three charts, each plotting % risk mitigated (0 to 0.55) against days to risk mitigation with a policy marker: Current Situation, Predicted Effect - 1, Predicted Effect - 2]
BD4S: Big Data For Security
HP Labs: Big Data for Security
Identify Security Threats from Big Security Data
Use Case: DNS Data
• Big …
• Gold mine for Security Information
• Hard to collect and analyse
What is DNS?
[Diagram of a lookup: the Client/Server sends QUERY: service.company.com? to the Local DNS Server (Check for Zone, Check Cache), which walks DNS Root ".", DNS .com and DNS company.com and returns REPLY: 58.25.88.90]
DNS Traffic Generated by:
- Users (e.g. by browsing web sites)
- Applications, Servers, etc.
What is the Problem?
1. Attacks on DNS servers
– Denial of Service
– Cache Poisoning
– Hijacking/Redirection
– Code Injection
2. Attacks that leverage DNS to attack third parties
– Footprinting
– Reflection & Amplification
3. Attacks that use DNS as infrastructure
– Communication to malicious servers
– Fast Flux
– Domain Name Generation
– DNS Tunneling
[Slide annotation: Analysis]
Compromised Server Example
[Diagram: the Victim asks the Compromised DNS server "www.hp.com?" (1) and receives "12.34.56.78" (2)]
A compromised server can undetectably redirect the victim to an IP address of its choosing.
Botnet Command and Control Example
[Diagram: the Bot asks its DNS server for akaajkajkajd.cn?, xisyudnwuxu.ru?, dfknwerpbnp.biz?, mneyqslgyb.info? and cspcicicipisjjew.hu?; only mneyqslgyb.info resolves, to the C2 Server]
The attacker can't maintain the C2 server at one IP address for very long, so registers a random domain name temporarily. The bot tries a bunch of random names until it finds one that resolves.
DNS Tunneling (subdomain) Example
[Diagram labels: Bot; DNS server; Compromised DNS Server (example.com); Asset. The Bot sends a stream of queries: 93cc3daf.example.com, 4fac3215.example.com, a86f4221.example.com, ddee9152.example.com, 8bd5ff12.example.com, d4bb92a1.example.com, ef409132.example.com, 1bfa3207.example.com, 298c5b3a.example.com]
The Scale of DNS Data
• HP IT is currently rolling out ArcSight internally
• Once deployed it will be 25% larger than any other non-governmental installation by volume
• DNS Traffic per HP data center: 120,000 events/second (10B events/day)
[Two bar charts of events per second by source (Routers, VPN, McAfee ePO, Active Directory, Web Proxy, DNS): one on a logarithmic scale (1 to 1,000,000), one on a linear scale (0 to 140,000)]
The Big Scale of DNS Data
62,000,000,000 queries per day
12PB every 90 days
…without smart collection
Our Solution
End-to-end handling of DNS events
Collection & Storage
• Bypass DNS logs completely.
• Grab packets directly off the wire using custom hardware
• Collect all the information needed to detect attacks
• Independent of DNS server vendor
• Goal: Throw out 99% of events
Analysis & Visualization
• Real-time and near-time analysis
• Graph algorithms
• Anomaly detection
• Novel visualizations to help analysts deal with huge amounts of data
Remediation
• Techniques to block traffic automatically based on outcomes of analysis
• Techniques to generate threat intelligence and feed it back into the system
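As an added example (not code from the presentation or from HP's BD4S connector), here is a small Python pipeline over constructed DNS events: it applies the whitelist filter the slide describes, then runs two anomaly indicators motivated by the earlier examples, the NXDOMAIN burst of the botnet C2 example and the many-high-entropy-subdomains shape of the tunnelling example. The domain names follow the deck's examples; the clients, answer addresses, whitelist and thresholds are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS events (not from the presentation): one per line,
# "<client> <qname> <rcode> <answer>", as a tap-fed packet capturer might
# emit them. Domain names follow the deck's examples; clients and answers
# are documentation addresses, and the whitelist is assumed.
SAMPLE_EVENTS = """\
10.0.0.5 www.hp.com NOERROR 203.0.113.10
10.0.0.5 mail.company.com NOERROR 58.25.88.90
10.0.0.5 intranet.corp.local NXDOMAIN -
10.0.0.7 akaajkajkajd.cn NXDOMAIN -
10.0.0.7 xisyudnwuxu.ru NXDOMAIN -
10.0.0.7 dfknwerpbnp.biz NXDOMAIN -
10.0.0.7 mneyqslgyb.info NOERROR 203.0.113.9
10.0.0.7 cspcicicipisjjew.hu NXDOMAIN -
10.0.0.9 93cc3daf.example.com NOERROR 192.0.2.1
10.0.0.9 4fac3215.example.com NOERROR 192.0.2.1
10.0.0.9 a86f4221.example.com NOERROR 192.0.2.1
10.0.0.9 ddee9152.example.com NOERROR 192.0.2.1
10.0.0.9 8bd5ff12.example.com NOERROR 192.0.2.1
10.0.0.11 www.hp.com NOERROR 203.0.113.10
10.0.0.11 service.company.com NOERROR 58.25.88.90
"""
WHITELIST = {"hp.com", "company.com"}   # assumed trusted registered domains


def parse_events(text):
    """Parse the constructed line format into dicts."""
    events = []
    for line in text.splitlines():
        if line.strip():
            client, qname, rcode, answer = line.split()
            events.append({"client": client, "qname": qname.lower().rstrip("."),
                           "rcode": rcode, "answer": answer})
    return events


def registered_domain(qname):
    """Last two labels ('a.b.example.com' -> 'example.com'). A real deployment
    would consult the public suffix list; this is enough for the sample."""
    return ".".join(qname.split(".")[-2:])


def apply_whitelist(events, whitelist=WHITELIST):
    """Drop events for whitelisted domains; return the survivors and the
    fraction discarded (the slide's goal is to throw out 99% this way)."""
    kept = [e for e in events if registered_domain(e["qname"]) not in whitelist]
    dropped = 1.0 - len(kept) / len(events) if events else 0.0
    return kept, dropped


def shannon_entropy(label):
    """Bits of entropy per character of a DNS label."""
    n = len(label)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def detect_dga_clients(events, min_failures=3):
    """Clients whose NXDOMAIN replies span many distinct registered domains:
    the 'try random names until one resolves' pattern of the C2 example."""
    failures = defaultdict(set)
    for e in events:
        if e["rcode"] == "NXDOMAIN":
            failures[e["client"]].add(registered_domain(e["qname"]))
    return {c for c, doms in failures.items() if len(doms) >= min_failures}


def detect_tunnel_domains(events, min_unique=4, min_mean_entropy=2.0):
    """Registered domains queried with many distinct, high-entropy leftmost
    labels: the shape of the subdomain tunnelling example."""
    labels = defaultdict(set)
    for e in events:
        parent = registered_domain(e["qname"])
        sub = e["qname"][: -len(parent)].rstrip(".")
        if sub:
            labels[parent].add(sub.split(".")[0])
    flagged = set()
    for parent, subs in labels.items():
        if len(subs) >= min_unique:
            if sum(shannon_entropy(s) for s in subs) / len(subs) >= min_mean_entropy:
                flagged.add(parent)
    return flagged


def analyse(text=SAMPLE_EVENTS):
    """Whitelist filter first, then both detectors on what survives."""
    kept, dropped = apply_whitelist(parse_events(text))
    return {"dropped_fraction": dropped,
            "dga_clients": detect_dga_clients(kept),
            "tunnel_domains": detect_tunnel_domains(kept)}
```

On the sample, the whitelist discards 4 of 15 events, client 10.0.0.7 is flagged for its NXDOMAIN burst and example.com for its stream of random-looking subdomains; the thresholds would need tuning against real query volumes.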
Architecture
[Diagram of DNS Event Processing: a network tap on the DNS Server(s) feeds DNS queries and responses to the HPL DNS Connector, which applies a Whitelist and a Blacklist and forwards DNS events (Queries & Replies) to ArcSight Logger (Event Logging, Historical Analysis) and ArcSight ESM (Correlation & Alerting, Real-Time Processing); further components are the Analytical and Visualization Solution and the Blacklist & Whitelist Manager]
HP HAVEn
[Diagram of the HAVEn platform: Hadoop/HDFS (catalog massive volumes of distributed data), Autonomy IDOL (process and index all information), Vertica (analyze at extreme scale in real-time), Enterprise Security (collect & unify machine data), nApps (powering HP Software + your apps). Data sources shown: search engine, images, IT/OT, transactional data, mobile, texts, email, audio, video, social media, documents]
[Detailed BD4S architecture diagram. Inputs: Network Systems via the HPL DNS Packet Capturer (filtered DNS events), Security Event Logs, ESM Alerts, RepSM, and External Whitelists & Blacklists. Real-time Analysis: Event Pre-processor, Syslog Server, Logger, ESM and ESM GUI. Historical Analysis: Hadoop, Autonomy, R and Other, reached through RESTful / Native APIs. HPL Security Analytical & Visualization: Security Analytical Workflows, Orchestrator & Scheduler, Anomaly Detection, Threat Indicators, Visualization Processing, Web Server, the HPL Threat Indicators & Anomaly Detection Library and the Whitelist/Blacklist Generator. Outputs: Anomalies, Threats and Graphs to ESM; Threat Central; Software Defined Networking for Security]
Demo
Model-Based Predictive Analytics
Architecture
[Diagram: Big Data for Security and Predictive Analysis & What-if Scenarios, with Customer Networks; Statistical Trend Analysis; Model Library; Reports, Charts and Analyst Dashboards]
Demonstrator GUI: Screenshot
[Screenshot of the Monthly Report: Threat & Vulnerability Management]
Actionable Intelligence
Some example areas:
1) Threat & Vulnerability Management
2) Zero Day Vulnerabilities
3) Identity & Access Management
4) Security Operations Centers
Example walk-through: Threat & Vulnerability Management
• Inputs:
– ArcSight data on patch installations
– TippingPoint and OSVDB data on threat environment
• Metrics:
– Patch Uptake generated on periodic basis, and benchmarked against others
– Zero day vulnerability lifetime
– Predictions on risk exposure
• Reports
– Regular reports showing current state and trends
Example TVM Dataflow
[Dataflow diagram: Base Data Sources (Microsoft Syslog, TippingPoint, OpenSource Vulnerability DataBase) enter through ArcSight Smart Connectors, feed a Derived Data Source and Metric Estimation, then Security Analytics (Risk Assessment, Forecasting, Historical Trending & Benchmarking), whose outputs go to the SOC Operational Analyst, the SOC Strategic Analyst and the Client TVM Report]
Example Metric: patch uptake
• Current patch deployment data is analysed (e.g. based on data collected from ArcSight)
• The chart shows the % of systems that had patches installed after a certain number of days had elapsed from their approval
• The data is transformed to represent a patch uptake curve
• This shows the overall trend in how fast patches are being installed across systems
• In this example, the chart shows that take-up is very slow in the first 3 weeks
Example: Historical Trending – of any metric type
• Historical data on patch uptake across the last 6 months, for example, can be viewed to identify historical trends
• In this case it shows a worsening trend: patches were installed much faster 6 months ago
Example: Benchmarking - How am I doing versus my peers?
• The customer's patch uptake can be benchmarked with the same data from other customers (e.g. in the same industry sector)
• This example also shows that the customer's patch installation processes are worse compared to others
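The patch uptake curve, the historical trend and the peer benchmark described on the last three slides all derive from the same per-system install-delay data, so here is one added Python example (not the presentation's or HP's SILAS code) computing all three from constructed records. The install delays, approval dates, curve points and peer data are assumptions; in a real deployment the records would come from ArcSight patch-installation events.

```python
from datetime import date, timedelta
from statistics import mean

# Constructed sample data (not from the presentation). Each record is
# (system, patch_approved, patch_installed or None). In a real deployment
# these would come from ArcSight patch-installation events.
APPROVED_NOW = date(2014, 3, 3)
APPROVED_6M_AGO = date(2013, 9, 2)
DAYS = (7, 14, 21, 28, 42, 56)   # points at which the uptake curve is read


def make_records(tag, delays, approved):
    """Turn a list of install delays (days after approval; None = still
    unpatched) into records, to keep the constructed data compact."""
    return [(f"{tag}-{i:02d}", approved,
             approved + timedelta(days=d) if d is not None else None)
            for i, d in enumerate(delays)]


CUSTOMER_NOW = make_records("cust", [2, 9, 16, 24, 25, 27, 30, 33, 40, None], APPROVED_NOW)
CUSTOMER_6M_AGO = make_records("cust", [1, 2, 3, 5, 6, 8, 10, 12, 15, 20], APPROVED_6M_AGO)
PEERS = {
    "peer-a": make_records("a", [1, 3, 4, 6, 9, 11, 13, 14, 18, 25], APPROVED_NOW),
    "peer-b": make_records("b", [2, 5, 7, 8, 10, 12, 16, 19, 22, None], APPROVED_NOW),
}


def uptake_curve(records, days=DAYS):
    """Fraction of systems patched within N days of approval, for each N."""
    curve = {}
    for n in days:
        patched = sum(1 for _, approved, installed in records
                      if installed is not None and (installed - approved).days <= n)
        curve[n] = round(patched / len(records), 3)
    return curve


def days_to_reach(curve, target):
    """First curve point at which uptake reaches the target fraction, or None."""
    for n in sorted(curve):
        if curve[n] >= target:
            return n
    return None


def trend(previous, current):
    """Change in uptake per curve point; negative means patching got slower."""
    return {n: round(current[n] - previous[n], 3) for n in current}


def benchmark(customer, peers):
    """Customer uptake minus the mean uptake of the peer curves, per point."""
    return {n: round(customer[n] - mean(p[n] for p in peers.values()), 3)
            for n in customer}


def tvm_summary():
    """The three views the slides describe, computed on the constructed data."""
    now = uptake_curve(CUSTOMER_NOW)
    before = uptake_curve(CUSTOMER_6M_AGO)
    peer_curves = {name: uptake_curve(r) for name, r in PEERS.items()}
    return {
        "uptake": now,
        "days_to_half": days_to_reach(now, 0.5),
        "trend_vs_6m_ago": trend(before, now),
        "gap_vs_peers": benchmark(now, peer_curves),
    }
```

On the constructed data the customer reaches only 30% uptake by day 21 (slow first three weeks), is 70 points behind its own curve from six months earlier at that point, and trails the peer mean by 55 points.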
What-ifs
• Input parameters of a Security Analytics model (e.g. TVM) can be adjusted to see the predicted effect
• In the TVM example, the current status and the potential effects of AV enhancement and/or investment in HIPS can be shown
• SILAS is now able to provide more realistic parameter values for models (based on statistical metric estimations) rather than ball-park estimates
Example What-if/prediction: Risk Exposure
• By feeding the patch uptake data together with global threat metrics into the Security Analytics model simulations, predictions of the risk exposure window for this customer can be generated
• In this case the predictions show that the risk exposure window (from vulnerability disclosure to mitigation) is very long (average 180 days)
• This option can also be used for what-if analysis, which in this case shows that with HIPS deployed the exposure window can be reduced considerably
Examples
• Defense in Depth effectiveness
• Reduction in Risk Exposure window
• Accurate provisioning/deprovisioning times
• Utility improvement
Conclusions
Current Status
• BD4S solution in the process of being transferred to HP ESP and HP ESS
• Successful BD4S Trial with HP IT Cyber Defence Center and starting 2 Customer PoCs
• Starting PoC with HP Helion Public Cloud
• Paid customer engagement involving Model-based Security Analytics
• Developed various Security Analytics models
Future Steps
• Complete trials of BD4S
• Extend BD4S beyond DNS requests
• Build SDN demonstrator in UK Bristol Labs
– Other "sensors"
– Controlled sharing
– More rapid response
Closing the loop?
[Diagram labels: Big Data for Security; Our Solution; Playbooks Library; SOC Analysts; Notification Handler; Managers; Workflow Manager; Customer Networks; SDN-enabled Customer Networks]
SDN4S deployment architecture
[Diagram labels: BD4S; SDN4S; Reports; Playbooks; Other Applications; Internet; Alerts; DNS traffic; SDN-enabled]
Thank you

Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 

Security intelligence using big data presentation (engineering seminar)

  • 1. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. HP Confidential. Actionable Security Intelligence from Big Data. Simon Arnell (ESS), Marco Casassa Mont (HP Labs)
  • 2. Mind the Gap [diagram labels: Strategic risk assessments; Monitoring data; Actionable security intelligence; Local remediation]. Some problems: • Reliance on humans • Slow and costly • Metrics not timely enough • Dissatisfaction and low confidence • No what-ifs or scenario exploration
  • 3. ESS and HPL Collaboration Roadmap [timeline 2010 to 2015: Security Analytics; Project ISAIAH; Project SILAS; Big Data for Security; SDN for Security]
  • 4. [slide contains no text]
  • 5. The Security Operations challenge [process diagram: inputs Email, Hotline/Helpdesk, Call Centre, Other, IDS, Information Request, Vulnerability Report; stages Triage, Incident Report, Analyse, Obtain Contact Information, Provide Technical Assistance, Coordinate information & Response, Resolution; time annotations: minutes, days, weeks, months, and "weeks -> ?"]
  • 6. The Security Operations research [same process diagram as slide 5, annotated with: Rapid Response (Software-defined Networking); Early detection (Big Data)]
  • 7. Our Solution
  • 8. Architecture [diagram: Big Data for Security; Model-based Predictive Analytics; Model Library; Search, Filtering & Data Loaders; Customer Networks; Reports, Charts and Analyst Dashboards]
  • 9. Key features: Early detection; Visualisations; Risk Assessment [incident lifecycle: Occurrence, Detection, Triage, Analysis, Remediation, Resolution]
  • 10. Risk Assessment • More automated • Model-based • Grounded in real data • Longer term what-ifs [charts: % risk mitigated (0 to 0.55) against days to risk mitigation, one curve per policy; panels: Current Situation, Predicted Effect 1, Predicted Effect 2]
  • 11. BD4S: Big Data For Security
  • 12. HP Labs: Big Data for Security. Identify Security Threats from Big Security Data. Use Case: DNS Data • Big … • Gold mine for Security Information • Hard to collect and analyse
  • 13. What is DNS? [resolution diagram: Client/Server -> Local DNS Server -> DNS Root "." -> DNS .com -> DNS company.com; QUERY: service.company.com?; Check Cache; Check for Zone; REPLY: 58.25.88.90]. DNS Traffic Generated by: - Users (e.g. by browsing web sites) - Applications, Servers, etc.
  • 14. What is the Problem? 1. Attacks on DNS servers: Denial of Service; Cache Poisoning; Hijacking/Redirection; Code Injection. 2. Attacks that leverage DNS to attack third parties: Footprinting; Reflection & Amplification. 3. Attacks that use DNS as infrastructure: Communication to malicious servers; Fast Flux; Domain Name Generation; DNS Tunneling. Analysis
  • 15. Compromised Server Example [diagram: Victim -> Compromised DNS server; (1) www.hp.com? (2) 12.34.56.78]. Can undetectably redirect victim to IP address of choosing.
  • 16. Botnet Command and Control Example [diagram: Bot -> DNS server; queries akaajkajkajd.cn?, xisyudnwuxu.ru?, dfknwerpbnp.biz?, mneyqslgyb.info?, cspcicicipisjjew.hu?; C2 Server (mneyqslgyb.info)]. Attacker can't maintain C2 server at IP address for very long. So, registers a random domain name temporarily. Bot tries a bunch of random names until it finds one that resolves.
  • 17. DNS Tunneling (subdomain) Example [diagram: Bot -> DNS server -> Compromised DNS Server (example.com); queries 93cc3daf.example.com, 4fac3215.example.com, a86f4221.example.com, ddee9152.example.com, 8bd5ff12.example.com, d4bb92a1.example.com, ef409132.example.com, 1bfa3207.example.com, 298c5b3a.example.com; Asset labels]
  • 18. The Scale of DNS Data • HP IT is currently rolling out ArcSight internally • Once deployed it will be 25% larger than any other non-governmental installation by volume • DNS Traffic per HP data center: 120,000 events/second (10B events/day) [charts: events per second, logarithmic and linear scale, for Routers, VPN, McAfee ePO, Active Directory, Web Proxy, DNS]
  • 19. The Big Scale of DNS Data: 62,000,000,000 queries per day; 12PB every 90 days …without smart collection
  • 20. Our Solution: End-to-end handling of DNS events. Collection & Storage • Bypass DNS logs completely • Grab packets directly off the wire using custom hardware • Collect all the information needed to detect attacks • Independent of DNS server vendor • Goal: Throw out 99% of events. Analysis & Visualization • Real-time and near-time analysis • Graph algorithms • Anomaly detection • Novel visualizations to help analysts deal with huge amounts of data. Remediation • Techniques to block traffic automatically based on outcomes of analysis • Techniques to generate threat intelligence and feed it back into the system
  • 21. Architecture [diagram: DNS Server(s) -> network tap -> HPL DNS Connector (DNS queries and responses; Whitelist) -> DNS Event Processing -> ArcSight Logger (Event Logging) and ArcSight ESM (Correlation & Alerting); Blacklist & Whitelist Manager (Blacklist); Analytical and Visualization Solution: Real-Time Processing, Historical Analysis; DNS events: Queries & Replies]
  • 22. HP HAVEn [platform diagram: Hadoop/HDFS: catalog massive volumes of distributed data; Autonomy IDOL: process and index all information; Vertica: analyze at extreme scale in real-time; Enterprise Security: collect & unify machine data; nApps: powering HP Software + your apps; search engine; data types: images, IT/OT, transactional data, mobile, texts, email, audio, video, social media, documents]
  • 23. [BD4S component diagram: Network Systems -> HPL DNS Packet Capturer -> Filtered DNS events -> Event Pre-processor / Syslog Server -> Security Event Logs -> ESM, Logger, ESM GUI -> ESM Alerts; RepSM; External Whitelists & Blacklists -> Whitelist/Blacklist Generator; HPL Threat Indicators & Anomaly Detection Library; HPL Security Analytical & Visualization: Security Analytical Workflows, Orchestrator & Scheduler, Anomaly Detection, Threat Indicators, Visualization Processing, Real-time Analysis, Historical Analysis, RESTful / Native APIs, Web Server, Hadoop, Autonomy, R, Other; outputs: Anomalies, Threats, Graphs; Threat Central; Software Defined Networking for Security]
  • 24. Demo
  • 25. Model-Based Predictive Analytics
  • 26. Architecture [diagram: Big Data for Security; Statistical Trend Analysis; Predictive Analysis & What-if Scenarios; Model Library; Customer Networks; Reports, Charts and Analyst Dashboards]
  • 27. Demonstrator GUI: Screenshot. Monthly Report: Threat & Vulnerability Management
  • 28. Actionable Intelligence. Some example areas: 1) Threat & Vulnerability Management 2) Zero Day Vulnerabilities 3) Identity & Access Management 4) Security Operations Centers
  • 29. Example walk-through: Threat & Vulnerability Management • Inputs: – ArcSight data on patch installations – TippingPoint and OSVDB data on threat environment • Metrics: – Patch Uptake, generated on a periodic basis and benchmarked against others – Zero day vulnerability lifetime – Predictions on risk exposure • Reports: – Regular reports showing current state and trends
  • 30. Example TVM Dataflow [dataflow diagram: Base Data Sources (Microsoft Syslog; TippingPoint; Open Source Vulnerability DataBase) -> ArcSight Smart Connectors -> Derived Data Source -> Metric Estimation -> Security Analytics (Risk Assessment; Forecasting; Historical Trending & Benchmarking) -> SOC Operational Analyst; SOC Strategic Analyst; Client TVM Report]
  • 31. Example Metric: patch uptake • Current patch deployment data is analysed (e.g. based on data collected from ArcSight) • The chart shows the % of systems that had patches installed after a certain number of days had elapsed from their approval • The data is transformed to represent a patch uptake curve • This shows the overall trend in how fast patches are being installed across systems • In this example, the chart shows that take-up is very slow in the first 3 weeks
  • 32. Example: Historical Trending – of any metric type • Historical data of patch uptake across the last 6 months, for example, can be viewed to identify historical trends • In this case it shows a worsening trend, with patches installed much faster 6 months ago
  • 33. Example: Benchmarking - How am I doing versus my peers? • The customer’s patch uptake can be benchmarked against the same data from other customers (e.g. in the same industry sector) • This example also shows that the customer’s patch installation processes are worse compared to others
  • 34. What-ifs • Can adjust input parameters of the Security Analytics model (e.g. TVM) to see the predicted effect • In the TVM example, can show current status and the potential effects of AV enhancement and/or investment in HIPS • SILAS is now able to provide more realistic parameter values for models (based on statistical metric estimations), rather than ball-park estimates
  • 35. Example What-if/prediction: Risk Exposure • By feeding the patch uptake data together with global threat metrics into the Security Analytics model simulations, predictions of the risk exposure window for this customer can be generated • In this case the predictions show that the risk exposure window (from vulnerability disclosure to mitigation) is very long (average 180 days) • This option can also be used for what-if analysis, which in this case shows that with HIPS deployed the exposure window can be reduced considerably
  • 36. Examples • Defense in Depth effectiveness • Reduction in Risk Exposure window • Accurate provisioning/deprovisioning times • Utility improvement
  • 37. Conclusions
  • 38. Current Status • BD4S solution in the process of being transferred to HP ESP and HP ESS • Successful BD4S trial with HP IT Cyber Defence Center, and starting 2 customer PoCs • Starting PoC with HP Helion Public Cloud • Paid customer engagement involving Model-based Security Analytics • Developed various Security Analytics models
  • 39. Future Steps • Complete trials of BD4S • Extend BD4S beyond DNS requests • Build SDN demonstrator in UK Bristol Labs – Other “sensors” – Controlled sharing – More rapid response
  • 40. Closing the loop? [diagram: Big Data for Security; Our Solution; Playbooks Library; Workflow Manager; Notification Handler; SOC Analysts; Managers; SDN-enabled Customer Networks; Customer Networks]
  • 41. SDN4S deployment architecture [diagram: BD4S; SDN4S; Reports; Playbooks; Other Applications; Internet; Alerts; DNS traffic; SDN-enabled]
  • 42. Thank you
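The DNS abuse patterns on slides 16 and 17 (a bot trying generated names until one resolves, and encoded subdomains tunnelled through one domain), combined with the whitelist pre-filter of slides 20 and 21, as detection heuristics an analyst could run over DNS query/response events. This is an added example, not HP's BD4S code; the event format, the whitelist, the thresholds and the two-label approximation of a registered domain are assumptions.

```python
import math
from collections import defaultdict

# Constructed DNS events for illustration: (client IP, queried name, response code).
# Query names reuse the examples on slides 16 and 17; clients and codes are invented.
SAMPLE_EVENTS = [
    ("10.1.1.5", "www.hp.com", "NOERROR"),
    ("10.1.1.5", "mail.company.com", "NOERROR"),
    ("10.1.1.5", "service.company.com", "NOERROR"),
    ("10.1.1.9", "akaajkajkajd.cn", "NXDOMAIN"),
    ("10.1.1.9", "xisyudnwuxu.ru", "NXDOMAIN"),
    ("10.1.1.9", "dfknwerpbnp.biz", "NXDOMAIN"),
    ("10.1.1.9", "cspcicicipisjjew.hu", "NXDOMAIN"),
    ("10.1.1.9", "mneyqslgyb.info", "NOERROR"),
    ("10.1.1.9", "www.hp.com", "NOERROR"),
] + [
    ("10.1.1.7", label + ".example.com", "NOERROR")
    for label in ("93cc3daf", "4fac3215", "a86f4221", "ddee9152", "8bd5ff12",
                  "d4bb92a1", "ef409132", "1bfa3207", "298c5b3a")
]

# Assumed whitelist of known-good registered domains (slides 20/21: discard early).
WHITELIST = {"hp.com", "company.com"}

def registered_domain(name):
    """Last two labels of a name (assumption: no public-suffix list is consulted)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def shannon_entropy(text):
    """Bits per character; encoded or generated labels score higher than real words."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def drop_whitelisted(events, whitelist=WHITELIST):
    """Pre-filter: throw away queries for whitelisted domains before any analysis."""
    return [e for e in events if registered_domain(e[1]) not in whitelist]

def detect_dga_clients(events, min_nxdomain=4):
    """Clients whose failed lookups span many distinct domains (slide 16 pattern).
    For each flagged client, 'resolved' lists the non-whitelisted names that did
    answer, i.e. the candidates for the live C2 domain an analyst should examine."""
    failed, resolved = defaultdict(set), defaultdict(set)
    for client, name, rcode in events:
        (failed if rcode == "NXDOMAIN" else resolved)[client].add(registered_domain(name))
    return {
        client: {"nxdomain": sorted(doms), "resolved": sorted(resolved[client])}
        for client, doms in failed.items() if len(doms) >= min_nxdomain
    }

def detect_tunnelling_domains(events, min_unique_labels=6, min_entropy=2.3):
    """Parent domains receiving many distinct, high-entropy subdomain labels (slide 17)."""
    labels = defaultdict(set)
    for _, name, _ in events:
        parts = name.lower().rstrip(".").split(".")
        if len(parts) > 2:
            labels[registered_domain(name)].add(".".join(parts[:-2]))
    flagged = {}
    for parent, subs in labels.items():
        mean_h = sum(shannon_entropy(s) for s in subs) / len(subs)
        if len(subs) >= min_unique_labels and mean_h >= min_entropy:
            flagged[parent] = {"unique_labels": len(subs), "mean_entropy": round(mean_h, 2)}
    return flagged

if __name__ == "__main__":
    kept = drop_whitelisted(SAMPLE_EVENTS)
    print(len(SAMPLE_EVENTS) - len(kept), "events discarded by whitelist")
    print("DGA-like clients:", detect_dga_clients(kept))
    print("Tunnelling candidates:", detect_tunnelling_domains(kept))
```

The entropy threshold is deliberately low because short hex labels cap out at about 3 bits per character; in production the unique-label count and query rate per parent carry more weight than entropy alone.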

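The patch-uptake curve (slide 31), the risk-exposure window and its what-if (slide 35) and the peer benchmark (slide 33), worked through on constructed patch records. This is an added example, not the SILAS/Security Analytics model from the deck; the record format, the censoring of unpatched systems and the simple coverage-based what-if are assumptions.

```python
from datetime import date

# Constructed records for one approved patch: (system, approval date, install date).
# An install date of None means the system was still unpatched when data was collected.
PATCH_RECORDS = [
    ("srv-01", date(2014, 3, 1), date(2014, 3, 3)),
    ("srv-02", date(2014, 3, 1), date(2014, 3, 10)),
    ("srv-03", date(2014, 3, 1), date(2014, 3, 25)),
    ("srv-04", date(2014, 3, 1), date(2014, 4, 20)),
    ("srv-05", date(2014, 3, 1), None),
]


def install_delays(records):
    """Days from patch approval to installation per system; None if still unpatched."""
    return [(inst - appr).days if inst else None for _, appr, inst in records]


def uptake_curve(records, horizon_days):
    """Cumulative fraction of systems patched by day 0..horizon (the slide 31 curve)."""
    delays = [d for d in install_delays(records) if d is not None]
    n = len(records)
    return [sum(1 for d in delays if d <= day) / n for day in range(horizon_days + 1)]


def uptake_at(records, day):
    """Fraction of systems patched within `day` days of approval."""
    return uptake_curve(records, day)[day]


def exposure_windows(records, disclosure_to_approval_days, censor_days):
    """Per-system days from vulnerability disclosure to mitigation (slide 35 metric).
    Unpatched systems are counted as exposed for censor_days: an assumption that keeps
    the mean finite, where a real model would treat them as right-censored."""
    return [censor_days if d is None else disclosure_to_approval_days + d
            for d in install_delays(records)]


def mean_exposure(records, disclosure_to_approval_days, censor_days):
    """Mean exposure window over all systems."""
    windows = exposure_windows(records, disclosure_to_approval_days, censor_days)
    return sum(windows) / len(windows)


def what_if_control(records, disclosure_to_approval_days, censor_days,
                    coverage, control_lag_days):
    """Toy what-if (an assumption, not the deck's model): a compensating control
    such as HIPS covers a fraction `coverage` of systems and closes their window
    control_lag_days after disclosure; returns the expected mean exposure."""
    windows = exposure_windows(records, disclosure_to_approval_days, censor_days)
    expected = [(1 - coverage) * w + coverage * min(w, control_lag_days) for w in windows]
    return sum(expected) / len(expected)


def benchmark_gap(records, peer_uptake, day):
    """Customer uptake minus a peer-group uptake figure at the same day (slide 33);
    negative means the customer patches more slowly than its peers."""
    return uptake_at(records, day) - peer_uptake


if __name__ == "__main__":
    print("patched after 21 days: %.0f%%" % (100 * uptake_at(PATCH_RECORDS, 21)))
    print("mean exposure window: %.1f days" % mean_exposure(PATCH_RECORDS, 10, 180))
    print("with 60%% HIPS coverage: %.1f days"
          % what_if_control(PATCH_RECORDS, 10, 180, 0.6, 5))
```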
Editor's Notes

  1. SP: “it can potentially down-the-line reduce the bottleneck of expertise/skills required by individuals to analyze data; this might then empower ESS in different territories in the future, as SILAS also represents a first attempt to put the kind of thinking that honed Security Analytics “in a box” (by e.g. relating steps in the analysis process in a logical manner, and restricting configuration choices to a simplified set of options, etc.).”
  2. SP: “SILAS can empower ESS; metrics here are likely to be slow-changing and equally useful to many internal and external functions (e.g. “compliance” measures). Also of value to a modeling/automation methodology, by gathering further data points for the same metric, the data used by models becomes more representative (even when slicing by e.g. client sector), and the outputs of the models more “accurate” – the more clients that get involved, the more rewarding the benchmarking process becomes _for both new customers and those that continually support the process_.”