Advanced threat protection and big data
An ethical hacker's view of advanced threat protection and big data

  • The deployment of Big Data for fraud detection, and in place of security incident and event management (SIEM) systems, is attractive to many organisations. The overheads of managing the output of traditional SIEM and logging systems are proving too much for most IT departments, and Big Data is seen as a potential saviour. There are commercial replacements available for existing log management systems, or the technology can be deployed to provide a single data store for security event management and enrichment. Taking the idea a step further, the challenge of detecting and preventing advanced persistent threats may be answered by using Big Data style analysis. These techniques could play a key role in helping detect threats at an early stage, using more sophisticated pattern analysis, and combining and analysing multiple data sources. There is also the potential for anomaly identification using feature extraction. Today logs are often ignored unless an incident occurs. Big Data provides the opportunity to automatically consolidate and analyse logs from multiple sources rather than in isolation. This could provide insight that individual logs cannot, and potentially enhance intrusion detection systems (IDS) and intrusion prevention systems (IPS) through continual adjustment and effectively learning "good" and "bad" behaviours. Integrating information from physical security systems, such as building access controls and even CCTV, could also significantly enhance IDS and IPS to a point where insider attacks and social engineering are factored into the detection process. This presents the possibility of significantly more advanced detection of fraud and criminal activities. We know that organisational silos often reduce the effectiveness of security systems, so businesses must be aware that the potential effectiveness of Big Data style analysis can also be diluted unless these issues are addressed. At the very least, Big Data could result in far more practical and successful SIEM, IDS and IPS implementations.
  • In reality, Big Data is more about the processing techniques and outputs than the size of the data set itself, so specific skills are required to use Big Data effectively. There is a general shortage of specialist skills for Big Data analysis, in particular when it comes to using some of the less mature technologies. The growing use of Hadoop and related technologies is driving demand for staff with very specific skills. People with backgrounds in multivariate statistical analysis, data mining, predictive modelling, natural language processing, content analysis, text analysis and social network analysis are all in demand. These analysts and scientists work with structured and unstructured data to deliver new insights and intelligence to the business. Platform management professionals are also needed to implement Hadoop clusters and to secure, manage and optimise them. Vendors such as Cloudera, MapR, Hortonworks and IBM offer training courses in Hadoop, offering organisations the opportunity to build their in-house skills to address Big Data challenges.
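The description above argues that correlating IT logs with physical security data (badge access) can surface what either source alone cannot. As an added illustration that is not part of the deck, the following Python correlates a building badge log with a VPN log and flags a successful remote login by a user who is badged into the office at that moment; the log formats, user names and addresses are constructed for this example.

```python
# Added example (constructed data): correlate VPN logins with badge events.
from datetime import datetime

# Constructed sample logs (not real data); one key=value record per line.
BADGE_LOG = """\
2013-03-04 08:55:10 door=HQ-Lobby user=alice action=entry
2013-03-04 09:02:41 door=HQ-Lobby user=bob action=entry
2013-03-04 17:31:05 door=HQ-Lobby user=alice action=exit
"""
VPN_LOG = """\
2013-03-04 09:10:22 vpn user=alice src=203.0.113.7 result=success
2013-03-04 09:12:03 vpn user=carol src=198.51.100.9 result=success
2013-03-04 18:40:17 vpn user=alice src=203.0.113.7 result=success
2013-03-04 18:41:00 vpn user=bob src=192.0.2.5 result=failure
"""

def parse(log):
    """Yield (timestamp, fields) for each well-formed log line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        yield ts, dict(p.split("=", 1) for p in parts[2:] if "=" in p)

def presence_intervals(badge_log):
    """Per-user (entry, exit) intervals; an entry with no later exit is open (exit=None)."""
    intervals, on_site = {}, {}
    for ts, f in parse(badge_log):
        user = f["user"]
        if f["action"] == "entry":
            on_site[user] = ts
        elif f["action"] == "exit" and user in on_site:
            intervals.setdefault(user, []).append((on_site.pop(user), ts))
    for user, start in on_site.items():
        intervals.setdefault(user, []).append((start, None))
    return intervals

def correlate(badge_log, vpn_log):
    """Return (user, timestamp, src) for successful VPN logins made while the user is on site."""
    intervals = presence_intervals(badge_log)
    alerts = []
    for ts, f in parse(vpn_log):
        if f.get("result") != "success":
            continue
        for start, end in intervals.get(f["user"], []):
            if start <= ts and (end is None or ts <= end):
                alerts.append((f["user"], ts, f["src"]))
    return alerts
```

On the embedded logs `correlate()` returns a single alert for alice's 09:10:22 login from 203.0.113.7, because she badged in at 08:55 and had not badged out; her 18:40 login after leaving is not flagged, and carol, who has no badge data, is not scored by this rule.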

    1. Slide 1: Advanced Threat Protection and Big Data: An Ethical Hacker's View. Peter Wood, Chief Executive Officer, First Base Technologies
    2. Slide 2 (© First Base Technologies 2013): Who is Peter Wood?
       • Worked in computers & electronics since 1969
       • Founded First Base in 1989 (one of the first ethical hacking firms)
       • CEO, First Base Technologies LLP
       • Social engineer & penetration tester
       • Conference speaker and security 'expert'
       • Member of ISACA Security Advisory Group
       • Vice Chair of BCS Information Risk Management and Audit Group
       • UK Chair, Corporate Executive Programme
       • FBCS, CITP, CISSP, MIEEE, M.Inst.ISP
       • Registered BCS Security Consultant
       • Member of ACM, ISACA, ISSA, Mensa
    3. Slide 3: Agenda
       • Big Data elevator pitch
       • Advanced Threats – really?
       • Why Big Data for security?
       • How can Big Data help?
       • Can we do it now?
       • Summing up
    4. Slide 4: Big Data elevator pitch
    5. Slide 5: Big Data is quite large
       Every day, we create 2.5 quintillion bytes of data — so much that 90% of the data in the world today has been created in the last two years alone. This data comes from everywhere: sensors used to gather climate information, posts to social media sites, digital pictures and videos, purchase transaction records, and cell phone GPS signals to name a few. (2.5 quintillion bytes = 2.5 exabytes = 2.5 x 10^18 bytes)
       IDC projects that the digital universe will reach 40 zettabytes by 2020, resulting in a 50-fold growth from the beginning of 2010. (40 zettabytes = 40 x 10^21 bytes = 57 times all the grains of sand on all the beaches on earth)
    6. Slide 6: Big Data can be useful
       • Creating transparency by making relevant data more accessible
       • Enabling experimentation to discover needs, expose variability and improve performance: use data to analyse variability in performance and understand the root causes
       • Segmenting populations to customise actions and tailor products and services to meet specific needs
       • Replacing/supporting human decision-making with automated algorithms in order to minimise risk
       • Innovating new business models, products and services
       Source: McKinsey Global Institute, "Big data: The next frontier for innovation, competition, and productivity", May 2011
    7. Slide 7: Where are we with Big Data in general?
       • Mainstream adoption? Early days
       • Skills and risks underestimated
       • IT professionals say:
         - Over-hyped
         - Has a lot of potential
         - Vendors may not deliver on promises
    8. Slide 8: Advanced Threats – really?
    9. Slide 9: Advanced Threats
       • Massive increase in advanced malware bypassing traditional security defenses
       • Volumes vary substantially among different industries
       • Email-based attacks are growing, with link- and attachment-based malware presenting significant risks
       • Cybercriminals are increasingly employing limited-use domains in their spear phishing emails
       • Malicious email attachments growing more diverse, evading traditional security defenses
       Source: FireEye Advanced Threat Report – 1H 2012
    10. Slide 10 (chart): Weekly count from FireEye Web MPS appliances across global customer base. These levels reflect the number of Web-based malware attacks that originated outside the target organization, successfully evaded traditional filters, and were blocked or infected target systems.
    11. Slides 11 to 14 (charts): The Post Breach Boom, Ponemon Institute, February 2013. Survey of 3,529 IT and IT security practitioners in US, Canada, UK, Australia, Brazil, Japan, Singapore and UAE.
    15. Slide 15: Why Big Data for security?
    16. Slide 16: The tipping point
       • Complex threat landscape
       • Avalanche of new technology and challenges
       • Skills shortages?
       • Financial pressures, especially for headcount
       • Large organisations can't rely on "traditional" defences:
         - Preventative controls
         - Siloed security solutions
         - Hardening
         - Processes and procedures
    17. Slide 17: The tipping point inputs
       Complex threat landscape:
       • Stealth malware
       • Targeted attacks
       • Social engineering
       New technologies and challenges:
       • Social networking
       • Cloud
       • BYOD / consumerisation
       • Virtualisation
    18. Slide 18: What do we do today?
       Traditional defences:
       • Signature-based anti-virus
       • Signature-based IDS/IDP
       • Firewalls and perimeter devices
       Traditional approach:
       • Data collection for compliance
       • Check-list mindset
       • Tactical thinking
    19. Slide 19 (chart): SANS says … (SANS Annual Log and Event Management Survey, May 2012)
    20. Slide 20: How can Big Data help?
    21. Slide 21: How can Big Data help?
       • SIEM on steroids?
       • Fraud detection
       • APT detection?
       • Integration of IT and physical security?
       • SIEM + IDS/IPS?
       • Predictive analysis
    22. Slide 22: Big Data to Collect
       • Logs
       • Network traffic
       • IT assets
       • Sensitive / valuable information
       • Vulnerabilities
       • Threat intelligence
       • Application behaviour
       • User behaviour
    23. Slide 23: Big Data Analytics
       • Real-time updates
       • Behaviour models
       • Correlation
       • Heuristic capability
       • Interoperability
       • … advising the analysts?
       • … active defence?
    24. Slide 24: Can we do it now?
    25. Slide 25: Big Data = Big Investment, but …
       • Today: Big Data for Big Organisations with Big Budgets
       News from RSA Conference 2013:
       • HP say about 3% of companies are doing this today
       • Analysts expect 40% adoption by 2016
       • Cloud-based Big Data may enhance existing SIEM
       • … and overcome the skills gap
       • Enhancing SIEM with threat intelligence
       • Augmenting SIEM with IT asset information
       Source: More Improvements To SIEM Than Big Data –, 22/02/2013
    26. Slide 26: Big Data Last Year
       Gartner said:
       Sourcefire's FireAMP technology and the technology from Prevx (acquired by Webroot in 2010) are examples of security providers that determine malicious intent by analysing vast amounts of observed executable behaviors and metadata.
       Vendors such as NetWitness (acquired by RSA), Global DataGuard, Narus (acquired by Boeing), Solera and Fidelus Technologies, and network behavior analysis solutions, such as Lancope, collect large amounts of network packets and/or flows to support the analysis for anomalous activities.
       In addition, some SIEM vendors, such as Q1 Labs (acquired by IBM) and HP ArcSight, can directly consume and analyze NetFlow data.
       Source: Information Security Is Becoming a Big Data Analytics Problem – Gartner, 23/03/2012
    27. Slide 27: Big Data Tomorrow
       RSA says:
       Within the next two years, we predict big data analytics will disrupt the status quo in most information security product segments, including SIEM; network monitoring; user authentication and authorization; identity management; fraud detection; and governance, risk & compliance.
       Source: Big Data Holds Big Promise For Security – RSA Security Brief, January 2013
    28. Slide 28: Big Data Skills
       • Big Data is more about the processing techniques and outputs than the size of the data set itself, so specific skills are required to use Big Data effectively
       • There is a general shortage of specialist skills for Big Data analysis, in particular when it comes to using some of the less mature technologies
    29. Slide 29: Summary
       • All organisations need to invest in research and study of the emerging Big Data Security Analytics landscape
       • Big Data has the potential to defend against advanced threats, but requires a Big Re-think of approach
       • Relevant skills are key to successful deployment; only the largest organisations can invest in this now
       • Offerings exist for the other 97% that can enhance existing technologies using cloud-based solutions
    30. Slide 30: Need more information? Peter Wood, Chief Executive Officer, First Base Technologies (peterwoodx)