
Security Analytics Beyond Cyber

2,584 views

My presentation from 44con 2014 on the current state of security analytics and what the future holds.

Published in: Technology

  1. Security Analytics Beyond Cyber
     Phil Huggins, Vice President, Security Science, 11/9/2014
  2. Agenda
     • Big Data and Cyber
     • Situational Awareness
     • Security Analytics Beyond Cyber
  3. Section: Big Data and Cyber Security
  4. Big Data?
     • Over-used buzzword.
     • Doug Laney defined the 3Vs in 2001.
     • Gartner promoted the 3Vs in 2012.
     [Figure: Google Trends "Big Data" search interest over time]
     The 3Vs: Volume, Velocity, Variety (the diagram also lists Value and Veracity).
  5. Big Data Disciplines
     • More useful to break Big Data down by the activities you actually do:
       • Data-Driven Management: decision making
       • Data Science: analytics, sense-making
       • Data Engineering: technology, nuts and bolts
  6. Data Lakes & CoEs
     • The data lake, an enterprise-wide Big Data platform, is emerging in large-scale businesses.
       • Concentration of data
       • Concentration of technology
     • Tends to be associated with Big Data "Centres of Excellence".
       • Concentration of Data Engineering skills
       • Concentration of Data Science skills
       • The CoEs are often hunting for well-defined early-adopter use cases to prove their value.
       • The data lakes provide unexpected opportunities for "data enrichment" across organisational boundaries.
  7. Why Big Data for Cyber Security?
     • Cyber security is increasingly a data problem.
     • We are collecting, processing and analysing more and more data in order to address the threat landscape.
     Network Monitoring using SIEM:
       • Known threat indicators
       • Indicator-targeted subsets of monitoring data
       • Assumes in advance what the risk is
       • Near real-time analysis with limited memory
  8. What are the main Cyber Security use cases for Big Data?
     • Early adoption, provable ROI, vendor can develop a PoC without a customer.
     Network Behavioural Analytics:
       • Probable matches to likely/possible threat methods
       • All the monitoring data over a longer period of time
       • Retroactive analysis using intelligence feeds
       • Combining internal and external data sources
     Data-enabled Investigation:
       • More context and more data to investigate
       • Single-screen analysis
       • Faster automated tooling for entity resolution and event resolution
       • Variety of visualisations available; timeline visualisation especially key
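Slide 8 contrasts the SIEM approach (indicators matched against a near real-time subset of data) with retroactive analysis, where an intelligence feed received today is replayed against all monitoring data retained over a longer period. The script below is an added example, not part of the slides: it takes a constructed archive of proxy/DNS-style records and a constructed indicator feed that arrives after those records were written, and reports every indicator that was contacted before anyone knew it was bad, with the hosts involved and how long the exposure lasted. Field names, hosts, addresses and the feed format are all assumptions for the example.

```python
"""Retroactive indicator matching over a retained log archive.

Added example (not from the presentation): a newly received
threat-intelligence feed is replayed against monitoring data kept for a
longer window, so earlier contact with an indicator is surfaced instead of
only matching from the moment the indicator became known.  All records
and indicators below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime

# Constructed proxy/DNS-style records retained over several weeks.
ARCHIVE = [
    "2014-08-02T09:12:44Z host=ws-017 user=alice dst=203.0.113.7 domain=cdn-update.example",
    "2014-08-14T17:03:10Z host=ws-042 user=bob dst=198.51.100.9 domain=mail.example.org",
    "2014-08-21T11:48:02Z host=ws-017 user=alice dst=203.0.113.7 domain=cdn-update.example",
    "2014-09-03T08:30:55Z host=srv-db1 user=svc-backup dst=192.0.2.44 domain=backup.internal",
    "2014-09-05T22:15:31Z host=ws-088 user=carol dst=203.0.113.7 domain=cdn-update.example",
]

# Constructed intelligence feed received *after* the events above happened.
FEED = [
    {"indicator": "203.0.113.7", "type": "ipv4", "source": "vendor-A", "confidence": 80},
    {"indicator": "cdn-update.example", "type": "domain", "source": "vendor-A", "confidence": 60},
    {"indicator": "192.0.2.99", "type": "ipv4", "source": "vendor-B", "confidence": 90},
]


def parse_record(line):
    """Turn 'timestamp key=value ...' into a dict; the timestamp becomes a datetime."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def retroactive_matches(archive, feed, fields=("dst", "domain")):
    """Replay the feed over the archive.

    Returns one entry per indicator that actually appears in the archive:
    the hosts that touched it, first and last sighting, hit count and the
    number of days between first and last sighting (the exposure window
    that a real-time-only match would have missed).
    """
    by_value = {i["indicator"]: i for i in feed}
    hits = defaultdict(list)
    for line in archive:
        rec = parse_record(line)
        for field in fields:
            value = rec.get(field)
            if value in by_value:
                hits[value].append(rec)

    report = {}
    for value, recs in hits.items():
        times = sorted(r["ts"] for r in recs)
        report[value] = {
            "type": by_value[value]["type"],
            "source": by_value[value]["source"],
            "confidence": by_value[value]["confidence"],
            "hosts": sorted({r["host"] for r in recs}),
            "first_seen": times[0].isoformat(),
            "last_seen": times[-1].isoformat(),
            "count": len(recs),
            "days_span": (times[-1] - times[0]).days,
        }
    return report


if __name__ == "__main__":
    for indicator, detail in retroactive_matches(ARCHIVE, FEED).items():
        print(indicator, detail)
```

Two design points worth noting: the report is keyed by indicator rather than by log line, because the analyst's first question after a feed update is "which of these did we ever talk to, and from where", and the indicator that never appears (192.0.2.99) is simply absent, which is the common case and should cost nothing to report. A production version would read the archive from a data lake rather than a list, but the join is the same.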
  9. What is a Big Data Security Analytics Capability?
     Tools
       • Hardware and software components
       • Configuration and utilisation of solution components
     People
       • Skills of people involved
       • Engagement of necessary stakeholders
       • Training available
     Process
       • Essential processes for the solution to work
       • Includes management of tools, knowledge, intelligence and people
     Data Sources
       • The raw data from a variety of tools across the environment
       • Includes sensors, security alerts and log files
     Intelligence
       • Data that provides the necessary context to enrich, interpret and prioritise analytic results
     Knowledge
       • The goal of the data analysis, which is both delivered to stakeholders and better informs further questions of the data
  10. What does a Big Data Security Analytics solution look like?
  11. How does the Security Analytics team fit into an existing Security Team?
  12. Section: Situational Awareness
  13. What is Situational Awareness?
     • Large body of academic work.
     • A variety of different processual vs cognitive models suggested.
     • Warning! The science is not robust in this area.
     • Dr Mica Endsley described the popular three-stage model in 1995.
     • Correlation with John Boyd's OODA loop.
     [Diagram: Situational Awareness: Perceive, Understand, Predict]
  14. How does Situational Awareness fit into Cyber Security?
     [Diagram: Operational Cyber Security as an OODA loop (Observe, Orientate, Decide, Act), with Situational Awareness feeding it; roles: Operators, Hunters, Responders, Resolvers; Automation?]
  15. How does Situational Awareness fit into Security Management?
     [Diagram: Security Management as a Plan-Do-Check-Act cycle: Study situation, Set goals, Plan activities, Deliver activities, Measure success, Study results, Improve & standardise; Situational Awareness feeds the Plan and Check stages; Automation?]
  16. Section: Security Analytics Beyond Cyber
  17. Why Data-Driven Security Management?
     "The dearth of metrics and decision-making tools places the determination of Information Security risk to the enterprise on the judgment of IT security practitioners." (INFOSEC Research Council)
     "At present, the practice of measuring security is very ad-hoc. Many of the processes for measurement and metric selection are mostly or completely subjective or procedural." (Department of Homeland Security)
     • Most security decisions are made in the absence of good data.
     • Best/Good Practice is "cargo cult security".
  18. Low Hanging Fruit: Quantitative Security Management
     • Mixed data sources, visualisation, sets of questions, summary statistics.
     • Trend analysis, security posture, perimeter view, operational KPIs, controls performance.
     • A good indicator is large Excel sheets with complex pivot tables.
     Vulnerability Management:
       • Multiple data sources: vuln scanners or probes, hardware inventory, CMDB, patch servers, SOC monitoring, external information feeds
       • Multiple clear questions
       • Candidate for a Question-Focused Dataset
     Executive Dashboard:
       • Multiple data sources: risk register, project plans, incident reports, SOC feed, audit reports
       • Multiple stakeholders with distinct interests
       • Candidate for Interactive Visualisation
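The "Question-Focused Dataset" on slide 18 is the step from pivot tables to something repeatable: join the sources once, around one clearly stated question, and let the answer be recomputed as the data changes. The script below is an added example, not from the presentation: it joins three constructed sources named on the slide (scanner findings, a CMDB asset list and patch-server status) on hostname to answer "which internet-facing assets still carry a critical finding older than the agreed 30-day SLA, and what share of the perimeter estate is that?", and also reports perimeter hosts the scanner has never covered, since a metric computed only over scanned hosts silently flatters the posture. Hostnames, zones, finding IDs and dates are constructed placeholders.

```python
"""Question-focused dataset for vulnerability management.

Added example (not from the presentation).  Three constructed sources are
joined on hostname into one row per finding, and summary functions answer
a single, clearly stated question over that joined dataset.  All hosts,
finding identifiers and dates are placeholders.
"""
from collections import Counter
from datetime import date

SCANNER = [  # constructed vulnerability-scanner output
    {"host": "web-01", "severity": "critical", "id": "VULN-0001", "first_found": date(2014, 7, 20)},
    {"host": "web-01", "severity": "high",     "id": "VULN-0002", "first_found": date(2014, 9, 1)},
    {"host": "web-02", "severity": "critical", "id": "VULN-0003", "first_found": date(2014, 9, 2)},
    {"host": "db-01",  "severity": "critical", "id": "VULN-0004", "first_found": date(2014, 6, 1)},
    {"host": "ws-10",  "severity": "medium",   "id": "VULN-0005", "first_found": date(2014, 8, 15)},
]
CMDB = [  # constructed asset inventory; "dmz" marks internet-facing hosts
    {"host": "web-01", "zone": "dmz",      "owner": "web-team"},
    {"host": "web-02", "zone": "dmz",      "owner": "web-team"},
    {"host": "db-01",  "zone": "internal", "owner": "dba"},
    {"host": "ws-10",  "zone": "office",   "owner": "desktop"},
    {"host": "vpn-01", "zone": "dmz",      "owner": "network"},
]
PATCH = [  # constructed patch-server status: last successful patch run per host
    {"host": "web-01", "last_patched": date(2014, 6, 30)},
    {"host": "web-02", "last_patched": date(2014, 9, 8)},
    {"host": "vpn-01", "last_patched": date(2014, 9, 8)},
]


def build_dataset(scanner, cmdb, patch, as_of):
    """Join the three sources on hostname: one enriched row per finding."""
    assets = {a["host"]: a for a in cmdb}
    patched = {p["host"]: p["last_patched"] for p in patch}
    rows = []
    for f in scanner:
        asset = assets.get(f["host"], {"zone": "unknown", "owner": "unknown"})
        rows.append({
            **f,
            "zone": asset["zone"],
            "owner": asset["owner"],
            "age_days": (as_of - f["first_found"]).days,
            "last_patched": patched.get(f["host"]),  # None if the patch server has no record
        })
    return rows


def overdue_external_criticals(rows, sla_days=30):
    """Critical findings on internet-facing hosts that have exceeded the SLA."""
    return [r for r in rows
            if r["severity"] == "critical" and r["zone"] == "dmz" and r["age_days"] > sla_days]


def summarise(rows, cmdb, scanner, sla_days=30):
    """Answer the question, plus the coverage gap that would otherwise hide."""
    overdue = overdue_external_criticals(rows, sla_days)
    dmz_hosts = {a["host"] for a in cmdb if a["zone"] == "dmz"}
    scanned = {f["host"] for f in scanner}
    affected = {r["host"] for r in overdue}
    return {
        "overdue_findings": sorted(r["id"] for r in overdue),
        "affected_hosts": sorted(affected),
        "share_of_dmz_assets": round(len(affected) / len(dmz_hosts), 2) if dmz_hosts else 0.0,
        "dmz_hosts_never_scanned": sorted(dmz_hosts - scanned),
        "overdue_by_owner": dict(Counter(r["owner"] for r in overdue)),
        # Hosts whose last patch run predates the finding: patching has stalled, not just lagged.
        "patching_stalled": sorted({r["host"] for r in overdue
                                    if r["last_patched"] and r["last_patched"] < r["first_found"]}),
    }


if __name__ == "__main__":
    rows = build_dataset(SCANNER, CMDB, PATCH, as_of=date(2014, 9, 11))
    print(summarise(rows, CMDB, SCANNER))
```

The same joined rows can feed a trend line (run `summarise` per week and keep the results), which is the "trend analysis" and "controls performance" view the slide mentions, without rebuilding the join each time.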
  19. Big Data Security Analytics Opportunities
     • Once the cyber use cases have been implemented there are opportunities to operationalise and potentially automate some aspects of security management activities.
     Risky Staff Behaviour:
       • Continuous monitoring, not just an annual phishing exercise
       • Enrich with HR data
       • Report on trends and effectiveness of awareness programmes and training events
       • Targeted training
     Automated Incident Response:
       • Pre-approved change controls at agreed risk thresholds
       • Firewall, network and server configuration changes
       • Increased targeted monitoring
       • Distribution of IOCs to multiple endpoints
  20. The Future: Hypothesis-Driven Security Management
     • Experiments to identify the effectiveness of security activities and controls in your environment.
     • Multiple iterations following the Deming cycle.
     • Replace Best/Good Practice with the Right Practice for You.
     • Key skills:
       1. Forming a useful, practical and measurable hypothesis
       2. Achieving executive support for management experimentation
       3. Understanding and applying the results to the business
       • Some of these are Data Scientist skills, some are CISO skills.
       • The CISO of the future will need to understand how to talk to Data Scientists productively!
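Slide 20's first key skill, "a useful, practical and measurable hypothesis", is concrete enough to show in code. The script below is an added example, not from the presentation, and uses the phishing click rate from slide 19 as its metric: a hypothesis is written down as counts before and after a control change, a two-proportion z-test (standard library only) says whether the observed drop could plausibly be chance, and a separate minimum-effect threshold says whether the drop is big enough to matter to the business. Both tests must pass before the hypothesis counts as supported, which keeps a statistically significant but operationally trivial result from being sold as success. The `Hypothesis` class, helper names and all counts are this example's own constructions.

```python
"""Evaluating a measurable security-management hypothesis.

Added example (not from the presentation).  A two-proportion z-test,
written with the standard library only, decides whether a control change
moved a rate that can be counted in your own environment, and a
practical-significance threshold decides whether the movement is worth
acting on.  All counts below are constructed sample data.
"""
import math
from dataclasses import dataclass


@dataclass
class Hypothesis:
    name: str
    before_events: int          # e.g. clicks on simulated phishing before the change
    before_trials: int          # e.g. simulated phishing mails delivered before
    after_events: int           # clicks after the change
    after_trials: int           # mails delivered after
    alpha: float = 0.05         # accepted false-positive rate for the experiment
    min_effect: float = 0.03    # smallest absolute drop in rate worth acting on


def normal_cdf(x):
    """Standard normal CDF via the error function (no SciPy needed)."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))


def two_proportion_ztest(e1, n1, e2, n2):
    """Return (z, two-sided p-value) for H0: the two underlying rates are equal."""
    p1, p2 = e1 / n1, e2 / n2
    pooled = (e1 + e2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    if se == 0.0:                      # all-zero or all-one outcomes: no evidence either way
        return 0.0, 1.0
    z = (p1 - p2) / se
    return z, 2 * (1 - normal_cdf(abs(z)))


def evaluate(h):
    """Test the hypothesis; 'supported' needs both statistical and practical significance."""
    z, p = two_proportion_ztest(h.before_events, h.before_trials,
                                h.after_events, h.after_trials)
    before_rate = h.before_events / h.before_trials
    after_rate = h.after_events / h.after_trials
    drop = before_rate - after_rate
    return {
        "hypothesis": h.name,
        "before_rate": round(before_rate, 4),
        "after_rate": round(after_rate, 4),
        "absolute_drop": round(drop, 4),
        "z": round(z, 3),
        "p_value": round(p, 4),
        "statistically_significant": p < h.alpha,
        "practically_significant": drop >= h.min_effect,
        "supported": p < h.alpha and drop >= h.min_effect,
    }


# Constructed experiments: one iteration of the Deming cycle each.
TRAINING = Hypothesis("Targeted training cuts the phishing click rate", 58, 400, 32, 400)
POSTERS = Hypothesis("A poster campaign cuts the phishing click rate", 58, 400, 52, 400)

if __name__ == "__main__":
    for h in (TRAINING, POSTERS):
        print(evaluate(h))
```

Running the next iteration means changing one thing, collecting the next period's counts, and calling `evaluate` again; the `min_effect` and `alpha` fields are where the CISO and the data scientist have to agree before the experiment starts, not after the numbers are in.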
  21. Conclusion
     • There are no silver bullets!
     • We will still need humans in the loop, but automation will allow us to do more with less.
     • Build open cyber big data analytics platforms.
     • Invest in analytics skills now.
     • Security is transforming from a subjective art to a data and automation discipline.
  22. Thank you
     strozfriedberg.com
     Phil Huggins, Vice President, T: +44 207 061 2299, phuggins@strozfriedberg.com