This document discusses security monitoring architecture considerations for big data platforms. It begins with an introduction and overview of MSS, a security company. It then discusses requirements such as dealing with changing IT environments and cloud/big data. The current security architecture is shown, along with a new approach involving multi-dimensional analysis and correlation of security logs and events from various systems and applications. Finally, user experiences with MSS's log management system are described, along with recommendations for security monitoring programs.
1. Introduction > Example
PHP Configuration, Application Vul.
Developer, Operator, Security
Personal Information
ID/PASSWORD Attack
Hacking Technology
2. About MSS > company overview
History : SK M&C(2008.4) + SK Planet(2011.10)
Mission : HUG
Business Area
– Digital Contents : T Store, hoppin, T Cloud, Tictoc, Cyworld, Nate, NateOn, Cymera
– Integrated Commerce : 11st, Gifticon, Smart Wallet, Paypin, Styletag, T Shopping
– Marketing Communication : OK Cashbag, BENEPIA
– Location Based Service : T Map, picket, OK Map, NaviCall
– Advertising
Affiliates : SK Communications, Commerce planet, M & Service
3. MSS Requirement > Workaround
< IT Environment is changing > < Co-operation in your organization >
3. MSS Requirement > Cloud Computing & Big data
Diagram labels: BIG DATA (Velocity, Diversity, Volume, Analytics); drivers: Mobile, Web 2.0, Cloud, IoT; concerns: Privacy, Legacy Security, Incident Management, Vague/Fear (?)
3. MSS Requirement > Architecture(AS-IS)
< IDC #1 > < IDC #2 > < IDC #3 > < OFFICE >
System Architecture
– PC security, Malware, E-mail security, L7 Firewall (< OFFICE >)
– N-sensor (Firewall, IDS/IPS, DDOS, NTMS)
– Application-sensor (WAF)
– Authentication & Log-Management
– Vul-MNGT (Scanner, Exploit-DB)
People & Process
– Prevention, Detection, Analysis, Response, Improvement
– Incident response support system
– Vulnerability DB feed
– Web shell detection
– Web defacement monitoring
– Malware monitoring
– Security incident reporting
– Honey-Net
– Log-management
– Intrusion information analysis system
3. MSS Requirement > New approach
Traditional Security Solutions: Firewall, Intrusion Prevention System, Anti-Malicious Site, New-Generation Firewall, Antivirus
Limitations of the traditional solutions:
– Unable to block malware from allowed addresses
– Unable to detect malware
– Unable to detect malware that needs file-based analysis
– Unable to block malware from allowed websites
– Unable to detect unknown malware
New Approach
– Signature based (Known)
– Signature-less (Unknown): Symptom Oriented (Responder-Pro, HBGary); Autopsy Oriented (FireEye Protection); File Comparison (Parity Suite, Bit9)
– Detection outcomes: True Positive / False Positive / True Negative / False Negative
– Filtering & Correlation
– Event & Vulnerability
– Multi-dimensional analysis
– Correlation, Time series, Function Analysis
Ref : Ahnlab
3. MSS Requirement > Progress Direction
Broader visibility for big data analysis, rather than security information & event data alone
Signature based (Known)
– End-point (Host, Server)
– Sensor (NW, Application)
– Filter (NW, Application)
– System log, Application log, Transaction log
Signature-less (Unknown)
– Blacklist, Asset_Vul, Intelligence, H-Base, Behavior
※ Tamper prevention (forgery/alteration), retention for a defined period (Volume/Size), structured/unstructured data, parsing/real-time analysis
Multi-Dimensional analysis (Version2.0)
Log-management (Time sync & conversion, normalization, forward)
Security Intelligence (Visualize & Analytics)
< Enterprise Environment > Security log: FW, IDS, WAF, DDOS, Web-GW, DLP, Etc
< MSS Technology > Biz awareness, Security awareness
< Enterprise Environment >
Security log
< MSS Technology >
FW
IDS
WAF
DDOS
Web-GW
DLP
Etc
Biz awareness
Security awareness
4. User Experience > Log-management in SK Planet
Diagram labels: source data servers and appliances (File, Syslog, SNMP, NetFlow, JDBC, FTP, SFTP, JMX, JMS, etc.); Hadoop cluster (HIVE); BI; Analysis
Real-time data collection and storage
– 500G or more per day, 40,000 EPS or more
– 500,000 records per second stored and indexed
– Compression: 500G → 89G (83%)
– Redundant configuration to minimize log loss
– Encrypted storage and retained hash values
– Support for various protocols and parsers
– Agent provided
External system integration and visualization
– Log forwarding to multiple analysis systems
– SDK provided, and data loading into HDFS
– ETL into BI solutions
Powerful queries and real-time analysis
– NoSQL (intuitive to use)
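The log-management stages the deck names (time sync & conversion, normalization, forward) and the tamper-prevention with retained hash values, as an added example that is not code from the deck or from SK Planet's system: two constructed log formats are normalized to UTC and common field names, then stored as a SHA-256 hash chain that a later verification pass can check. The sources, field names, timestamps and the chain format are assumptions made for the example.

```python
import hashlib
import json
import re
from datetime import datetime, timedelta, timezone

KST = timezone(timedelta(hours=9))

# Constructed sample lines (not real SK Planet logs): the firewall stamps local KST
# time and uses vendor field names, the WAF stamps epoch seconds.
SAMPLE_LINES = [
    ("fw", "2013-06-03 14:02:11 KST src=10.0.0.5 dst=203.0.113.9 action=deny"),
    ("waf", "ts=1370235732 client=10.0.0.5 uri=/login rule=sqli-1 action=block"),
]

def normalize(source, line):
    """Time sync & conversion to UTC ISO-8601, plus mapping vendor fields to common names."""
    if source == "fw":
        m = re.match(r"(\S+ \S+) KST src=(\S+) dst=(\S+) action=(\S+)$", line)
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=KST)
        fields = {"src_ip": m.group(2), "dst_ip": m.group(3), "action": m.group(4)}
    elif source == "waf":
        m = re.match(r"ts=(\d+) client=(\S+) uri=(\S+) rule=(\S+) action=(\S+)$", line)
        ts = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
        fields = {"src_ip": m.group(2), "uri": m.group(3), "rule": m.group(4), "action": m.group(5)}
    else:
        raise ValueError(f"unknown source: {source}")
    return {"ts": ts.astimezone(timezone.utc).isoformat(), "source": source, **fields}

def chain(records):
    """Order records by normalized time and link each to the previous hash, so a record
    edited or removed after storage breaks the chain at the point of tampering."""
    prev, out = "0" * 64, []
    for rec in sorted(records, key=lambda r: r["ts"]):
        body = json.dumps(rec, sort_keys=True)  # canonical form so key order cannot matter
        h = hashlib.sha256((prev + body).encode()).hexdigest()
        out.append({"record": rec, "prev": prev, "hash": h})
        prev = h
    return out

def verify(chained):
    """Recompute the chain over the stored entries; False means a record or link no longer matches."""
    prev = "0" * 64
    for entry in chained:
        body = json.dumps(entry["record"], sort_keys=True)
        if entry["prev"] != prev or entry["hash"] != hashlib.sha256((prev + body).encode()).hexdigest():
            return False
        prev = entry["hash"]
    return True
```

In a real pipeline the chain head (or a periodic digest of it) would be kept on separate, write-protected storage, since a hash chain only proves tampering relative to an anchor the attacker cannot rewrite.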
5. Wrap-up > Do & Don’t
Enterprise Architecture
- A security monitoring structure suited to the enterprise (R&R, System Integration)
Technology
- Don’t customize (understand the system, partnership)
Process (Communication, Policy)
- Don’t block unconditionally, and don’t write reports
- Organize the CERT structure and communicate with external CERTs
- Trust neither people nor systems (trust the process and evaluate it periodically)
- Not every indicator (reports, vulnerabilities, etc.) is analyzed exhaustively
- Don’t expose employees’ identities (Ranger vs. Reconnaissance)
People (Mission)
- Don’t cover up incidents; analyze and respond (build experience and know-how)
- Keep your authority (constituency, legal authority)