© Copyright 2010 Hewlett-Packard Development Company, L.P.

Slide 1
Security Analytics & Security Intelligence as a Service
HP Labs R&D Activities, Cloud & Security Lab
Marco Casassa Mont, Cloud & Security Lab, HP Labs, Bristol
01 February 2012
Slide 2
HP LABS RESEARCH AREAS – Innovation at every touchpoint of information
- Information Analytics
- Mobile & Immersive Experience
- Printing & Content Delivery
- Services
- Networking
- Intelligent Infrastructure
- Cloud & Security
- Sustainability
Slide 3
SECURITY MANAGEMENT CHALLENGES
- how much to spend?
- security gets in the way
- just how secure are we?
- what’s going on?
- event correlation
- insecure code
- mis-configurations
- what to look for?
- trustworthy devices, infrastructure
- legal constraints
- fragmentation, snake oil?
Slide 4
SECURITY MANAGEMENT – R&D AREAS
- Security Analytics
- Security Playbooks
- G-Cloud, Cells
- what’s going on? (challenge from slide 3)
- SIEM solutions (ArcSight, TippingPoint, etc.)
- TVC, Trusted Infrastructure
- fragmentation, snake oil? (challenge from slide 3)
- Forensic VM
- Security Intelligence as a Service
Slide 5
- Security Analytics
- Security Intelligence-as-a-Service
Slide 6
Positioning our Work

Vulnerability timeline (external events): Vulnerability Disclosed -> Exploit Available -> Malware -> Patch Available
Internal process stages: Vulnerability Assessment -> Test Solution -> Patch Deployment; Accelerated Patching; Emergency Patching
Decision points and actions in the flow: Exposed? / Early Mitigation? / Workaround Available? -> Implement Workaround / Malware Reports? / Accelerate? / Patch Available? / Deploy Mitigation

[Chart: "Risk reduced window (from disclosure time) across all vulnerabilities"; x-axis: timeline; y-axis: proportion of vulnerabilities, 0 to 0.35]

Layers: Trusted Infrastructure (policy, process, people, technology & operations) -> SIEM / Auditing / Monitoring -> GAP -> Security Analytics (economics / threats / investments)
The GAP is where SECURITY ANALYTICS and SILAS (Security Intelligence as a Service) are positioned.
Slide 7
Risk Assessment with Security Analytics
Slide 8
POSITIONING SECURITY ANALYTICS – Integrating Scientific Knowledge
- Economic Theory: business outcomes, utility, trade-offs
- System Modelling: mathematical modelling of systems, organizations, and operational processes that affect or are affected by security; probability theory and process algebra
- Experiment and Prediction: simulation, statistics, analysis
- CISO / CIO / Business: business knowledge
- Security/Systems: domain knowledge
- Threat Intelligence: past history, threat trends
Slide 9
SECURITY ANALYTICS PROCESS
(diagram)

Slide 10
SECURITY ANALYTICS MODELLING TOOLS
- External Threat Environment
- Internal Processes
- Mitigation Achieved

Slide 11
SECURITY ANALYTICS MODELLING TOOLS
Generate code to run the model

Slide 12
SECURITY ANALYTICS MODELLING TOOLS
Run experiments and generate results:
- Current Risk Window
- Risk window with HPIS investment
- Risk window with improved patching
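The experiment loop of the modelling-tools slides (a stochastic threat environment, an internal process model, time until risk is mitigated as the metric, then a re-run under a changed patching policy) as an added worked example in Python. This is not HP's modelling tool: the decision flow is a simplified reading of the slide 6 flowchart, and every rate, duration and probability in it is an invented assumption.

```python
"""Simulating the vulnerability timeline of slides 6 and 10-12.

Added example, not HP's Security Analytics tooling. It follows the procedure
in the speaker notes: a stochastic model of the threat environment, a process
model of the organisation's protections, the metric time until "risk
mitigated" over many vulnerabilities, then a re-run under a changed policy.
The flow is a simplified reading of the slide's decision points (Exposed?,
Workaround Available?, Patch Available?, Malware Reports?, Accelerate?) and
every rate and duration below is an invented assumption, not an HP value.
"""
import random
from statistics import mean

# Internal process model (days): two policies of the kind compared on slide 12
# ("current risk window" vs "risk window with improved patching").
POLICIES = {
    "current": {"assess": 5, "test": 10, "deploy": 45, "accelerated": 30, "emergency": 14},
    "improved patching": {"assess": 2, "test": 5, "deploy": 10, "accelerated": 10, "emergency": 5},
}
# External threat environment: mean days to vendor patch, to a public exploit
# and from exploit to malware, plus exposure and workaround probabilities.
THREAT = {"mean_patch_release": 14, "mean_exploit": 20, "mean_malware_after_exploit": 15,
          "p_exposed": 0.6, "p_workaround": 0.3, "workaround_days": 3}


def simulate_one(rng, policy, threat):
    """Return (exposed, days until risk mitigated) for one vulnerability,
    counted from disclosure at t=0; (False, None) when the organisation is not
    exposed. The draw order does not depend on the policy, so two policies run
    with the same seed face the same threat environment (common random numbers)."""
    if rng.random() >= threat["p_exposed"]:            # Exposed? -> N
        return False, None
    patch_available = rng.expovariate(1 / threat["mean_patch_release"])
    exploit = rng.expovariate(1 / threat["mean_exploit"])
    malware = exploit + rng.expovariate(1 / threat["mean_malware_after_exploit"])
    # Early mitigation: Workaround Available? -> Implement Workaround.
    workaround = threat["workaround_days"] if rng.random() < threat["p_workaround"] else None
    # Patch Available? -> pick the patching path from the threat picture at
    # that moment (simplification: the path is decided once, not re-evaluated).
    if malware < patch_available:                      # Malware Reports? -> Y
        duration = policy["emergency"]                 # Emergency Patching
    elif exploit < patch_available:                    # Accelerate? -> Y
        duration = policy["accelerated"]               # Accelerated Patching
    else:                                              # Assessment -> Test -> Deployment
        duration = policy["assess"] + policy["test"] + policy["deploy"]
    patch_deployed = patch_available + duration
    mitigated = patch_deployed if workaround is None else min(workaround, patch_deployed)
    return True, mitigated


def simulate_seeded(policy_name, seed):
    """One vulnerability under a named policy with a fixed seed (for checks)."""
    return simulate_one(random.Random(seed), POLICIES[policy_name], THREAT)


def risk_window_histogram(rng, policy, threat, n=20000, width=7, upper=140):
    """Run n vulnerabilities; return (bins, mean_days), where bins maps '0-7',
    '7-14', ..., 'More' to the proportion of exposed vulnerabilities mitigated
    in that interval: the 'risk reduced window' chart of the slide."""
    times = [t for ok, t in (simulate_one(rng, policy, threat) for _ in range(n)) if ok]
    nbins = upper // width
    counts = [0] * (nbins + 1)
    for t in times:
        counts[min(int(t // width), nbins)] += 1
    labels = [f"{i * width}-{(i + 1) * width}" for i in range(nbins)] + ["More"]
    return dict(zip(labels, [c / len(times) for c in counts])), mean(times)


def compare_policies(seed=1, n=20000):
    """Run every policy against the same seeded threat environment and return
    {policy: {'mean_days': ..., 'bins': ...}} for the slide-12 comparison."""
    results = {}
    for name, policy in POLICIES.items():
        bins, avg = risk_window_histogram(random.Random(seed), policy, THREAT, n)
        results[name] = {"mean_days": avg, "bins": bins}
    return results


if __name__ == "__main__":
    for name, r in compare_policies().items():
        print(f"{name}: mean risk window {r['mean_days']:.1f} days")
        for label, p in r["bins"].items():
            print(f"  {label:>8} {'#' * int(p * 100):<40} {p:.3f}")
```

Because both policies consume the random draws in the same order, the seeded comparison isolates the effect of the process change from the threat environment, which is the sensitivity check the speaker notes ask for.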
Slide 13
SECURITY ANALYTICS: TEMPLATED AREAS
– Vulnerability & Threat Management
– Web Access Infection
– Identity and Access Management
– Incident Management & Remediation
Slide 14
SILAS: Security Intelligence as a Service
Slide 15
Why this is of Interest to Customers
1. ArcSight and TippingPoint provide a rich amount of data and events for real-time assessment of threats and incidents
2. Wouldn’t it be great if Customers could also make use of this data for:
   • A longer-term assessment and prediction of their security risks/exposures
   • A periodic validation of their security investments
   • An exploration of “what-if” scenarios related to:
     − Security and business processes
     − Operational processes in the SOC
Slide 16
Positioning SILAS Work
(same vulnerability timeline / process flowchart and "Risk reduced window" chart as slide 6)
Layers: Trusted Infrastructure (policy, process, people, technology & operations) -> Assurance & Situational Awareness -> Security Analytics (economics / threats / investments)
HPL Work aims to address the GAP between:
• Strategic, Business-Driven Security Risk Management, e.g. HP Security Analytics
• IT-Driven Security Incident Management, e.g. SIEM Solutions
-> Enable Decision Makers to Assess Strategic Risks
-> Enable Decision Makers to (Re-)evaluate their Security Investments
Slide 17
SILAS
Sources: Network Components, Systems, Apps/Svcs, Users -> ArcSight (Data Feeds, Rules, Reports/Data)
Other Sources (e.g. HP TippingPoint, vulnerability DBs, etc.)
-> SILAS Service: Processing & Feeding Parameters into Security Analytics Models
-> HP Security Analytics, Model Templates: VTM Model, IAM Model, Web Access Model, SOC Process Model, …
-> Long-term Predictions & Risk Assessment: Dashboards (VTM, IAM)
[Chart: "Elapsed Time - Current Deprovisioning Process"; x-axis: elapsed time in days, 0 to 60 in steps of 2, plus "More"; y-axis: proportion, 0 to 0.45]
Slide 18
SILAS – Information Processing
- Configuration of ArcSight (Reports, ..) and External Sources
- Configuration of Data Sources in the Mapping System; Collection of Data (Raw and Derived)
- Configuration of how to Process and Estimate Parameters within Models
- Actual Data -> Estimation of Security Analytics Parameters
- HP Security Analytics: Simulation and generation of Long-term Risk Assessment outcomes
[Chart: "Elapsed Time - Current Deprovisioning Process"; x-axis: elapsed time in days, 0 to 60 in steps of 2, plus "More"; y-axis: proportion, 0 to 0.45]
Example of collected patch data records:
Timestamp | PatchId | SystemId | PatchApprovalData | PatchingDate
Thu Sep 08 10:03:07 BST 2011 | 1990-2002 | system041 | Thu Sep 08 10:03:07 BST 2011 | Thu Sep 08 10:03:07 BST 2011
Mon Sep 12 00:38:35 BST 2011 | 1990-2004 | system040 | Fri Sep 09 07:34:35 BST 2011 | Mon Sep 12 00:38:35 BST 2011
Sun Sep 11 13:45:34 BST 2011 | 1990-2004 | system042 | Fri Sep 09 10:43:29 BST 2011 | Sun Sep 11 13:45:34 BST 2011
Slide 19
SILAS – Estimation of Metrics
Historical Estimates + Data -> Histograms and Distributions -> Statistics -> (with Previous Assumptions) Fitting with Supported Distribution Curves -> Confidence Level -> Final Estimate
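The pipeline of the Information Processing and Estimation of Metrics slides (collected patch records, then an elapsed-time histogram, statistics, a fitted distribution curve and a confidence level, ending in the parameter a model would take) as an added worked example in Python. This is not SILAS code: the record layout, the '|' separator, the extra constructed rows and the 2-day bins are assumptions modelled on the deck, and the exponential curve is one choice of "supported distribution".

```python
"""Estimating a model parameter from SIEM-style patch records.

Added example, not SILAS code. It follows the "Information Processing" and
"Estimation of Metrics" slides: raw records with the columns of the slide's
table (Timestamp, PatchId, SystemId, PatchApprovalData, PatchingDate) ->
elapsed-time histogram -> statistics -> fit of a supported distribution curve
-> confidence interval -> final estimate, plus the "time to patch 95% systems"
metric of the predictions slide. Layout and 2-day bins are assumptions.
"""
from datetime import datetime
from math import ceil, exp, sqrt
from statistics import mean, stdev

# Constructed sample: the first three rows copy the slide's table, the rest
# are made up to give the histogram some spread.
RAW_RECORDS = """\
Thu Sep 08 10:03:07 BST 2011|1990-2002|system041|Thu Sep 08 10:03:07 BST 2011|Thu Sep 08 10:03:07 BST 2011
Mon Sep 12 00:38:35 BST 2011|1990-2004|system040|Fri Sep 09 07:34:35 BST 2011|Mon Sep 12 00:38:35 BST 2011
Sun Sep 11 13:45:34 BST 2011|1990-2004|system042|Fri Sep 09 10:43:29 BST 2011|Sun Sep 11 13:45:34 BST 2011
Thu Sep 08 09:00:00 BST 2011|1990-2001|system043|Thu Sep 01 09:00:00 BST 2011|Thu Sep 08 09:00:00 BST 2011
Tue Sep 13 09:00:00 BST 2011|1990-2001|system044|Thu Sep 01 09:00:00 BST 2011|Tue Sep 13 09:00:00 BST 2011
Fri Sep 02 21:00:00 BST 2011|1990-2001|system045|Thu Sep 01 09:00:00 BST 2011|Fri Sep 02 21:00:00 BST 2011
Wed Sep 07 20:00:00 BST 2011|1990-2003|system046|Mon Sep 05 08:00:00 BST 2011|Wed Sep 07 20:00:00 BST 2011
Sun Oct 30 08:00:00 BST 2011|1990-2003|system047|Mon Sep 05 08:00:00 BST 2011|Sun Oct 30 08:00:00 BST 2011
Fri Sep 30 08:00:00 BST 2011|1990-2000|system048|Fri Jul 01 08:00:00 BST 2011|Fri Sep 30 08:00:00 BST 2011
Sat Sep 03 00:00:00 BST 2011|1990-2005|system049|Fri Sep 02 12:00:00 BST 2011|Sat Sep 03 00:00:00 BST 2011
"""


def parse_stamp(text):
    """Parse 'Thu Sep 08 10:03:07 BST 2011'. The zone name is dropped and the
    stamp treated as naive local time (strptime's %Z only accepts UTC, GMT and
    the local zone's names); differences within one zone are unaffected."""
    parts = text.split()
    return datetime.strptime(" ".join(parts[:4] + parts[5:]), "%a %b %d %H:%M:%S %Y")


def elapsed_days(raw=RAW_RECORDS):
    """Raw records -> list of (SystemId, days from patch approval to patching)."""
    out = []
    for line in raw.strip().splitlines():
        _stamp, _patch_id, system, approved, patched = line.split("|")
        delta = parse_stamp(patched) - parse_stamp(approved)
        out.append((system, delta.total_seconds() / 86400))
    return out


def histogram(days, width=2, upper=60):
    """Proportion of records per bin '0-2', '2-4', ..., '58-60', 'More': the
    binning of the elapsed-time charts in the deck."""
    nbins = upper // width
    counts = [0] * (nbins + 1)
    for d in days:
        counts[min(int(d // width), nbins)] += 1
    labels = [f"{i * width}-{(i + 1) * width}" for i in range(nbins)] + ["More"]
    return dict(zip(labels, [c / len(days) for c in counts]))


def quantile_days(days, q):
    """Elapsed time by which a fraction q of the systems were patched; q=0.95
    is the 'time to patch 95% systems' metric on the predictions slide."""
    ordered = sorted(days)
    return ordered[min(max(ceil(q * len(ordered)) - 1, 0), len(ordered) - 1)]


def estimate_parameter(days, z=1.96):
    """Statistics -> exponential fit (rate = 1/mean, the maximum-likelihood
    estimate) -> confidence interval on the mean (normal approximation, 95%
    for z=1.96) -> the value a VTM model would take as its patching-delay
    parameter; fitted_p_within_2d lets the curve be checked against bin '0-2'."""
    n, m = len(days), mean(days)
    half = z * stdev(days) / sqrt(n)
    rate = 1 / m
    return {"n": n, "mean_days": m, "ci95": (max(m - half, 0.0), m + half),
            "exp_rate": rate, "fitted_p_within_2d": 1 - exp(-2 * rate)}


if __name__ == "__main__":
    days = [d for _, d in elapsed_days()]
    print({k: v for k, v in histogram(days).items() if v})
    print("time to patch 95% of systems:", quantile_days(days, 0.95), "days")
    print(estimate_parameter(days))
```

With only ten records the confidence interval is wide, which is exactly why the slide carries previous assumptions and a confidence level forward into the final estimate rather than the raw mean alone.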
Slide 20
SILAS – Long-term Risk Predictions
[Chart: "Elapsed Time - Current Deprovisioning Process"; x-axis: elapsed time in days, 0 to 60 in steps of 2, plus "More"; y-axis: proportion, 0 to 0.45]
VTM – Risk Exposure by Protection (time to patch 95% systems)
IAM – Risk Exposure due to Deprovisioning Processes (time to remove accounts)
Slide 21
Q&A

Slide 22
BACK-UP

Slide 23
Vulnerability and Threat Management Area
Slide 24
AREAS UNDER VTM
• System patch management
  o How long do systems stay unmitigated?
  o What would be the effect of a change in process or policy deadlines?
• Defence in depth
  o What would be the state of protection across the environment at the time malware appears?
  o How would this differ with additional mitigations?
• Web security
  o What is the malware infection risk across users in an organisation?
  o How can risk be minimised with faster updates or website blocking?
Slide 25
RISK INDICATORS BASED ON VULNERABILITY TIMELINE
Infection risk (chart)

Slide 26
OVERALL VTM MODEL: external environment, internal processes, and mitigations
Slide 27
USING DATA FROM ArcSight
• Extract values for parameters in a VTM model
• Examples:
  – Up-to-date data on patch uptake
    • Regular scan of what patches are installed across machines
    • Regular scan of vulnerabilities across machines
  – New AV signature file uptake/install timeline across machines
    • Event from AV software notifying when a new signature file was downloaded on a machine
  – Periodic effectiveness of Web Gateway
    • Event from gateway notifying what rule was triggered
Flow: Security Incident and Event Management -> HP Labs Mapping System (Extract Relevant Parameters) -> VTM Model with various parameter values -> Outcomes - Graphs
Slide 28
RISK EXPOSURE WINDOW BY PROTECTION
(charts for IT Domain A, IT Domain B, IT Domain C)
Slide 29
Identity and Access Management Area
Slide 30
Areas under Identity and Access Management
- Users can join & leave the organisation, and change their roles
- Different types of accounts: normal users, super users, shared accounts …

Access Management Processes
- Provisioning of access rights to a user (user joining, user changing role); phases: Approval, Configuration/Deployment
  Metrics: time to provision, # failures, # success, …
  Failures: miscommunication, misconfigurations, …
- Deprovisioning of access rights from a user (user leaving, user changing role); phases: Approval, Deprovisioning, Configuration/Deployment
  Metrics: time to deprovision, # failures, # success, …
  Failures: miscommunication, misconfigurations, …

• Provisioning/deprovisioning of access rights to users
  - What is the risk exposure due to access management processes?
  - What is the impact on productivity?
• Compliance
  - How effective are the compliance checking controls at mitigating risks (e.g. due to hanging accounts)?
  - What are suitable trade-offs between investing in provisioning/deprovisioning capabilities and in monitoring/auditing controls?
Slide 31
IAM: Example - Model of the Deprovisioning Process of Users for Critical Service(s)
OVERALL IAM MODEL: external environment, internal processes, existing controls and impact of failures
Slide 32
USING DATA FROM SIEM
• Extract values for parameters in an IAM model
• Example parameters for the model:
  • Frequency of people joining/leaving the organisation
  • Number and types of accounts (super users, shared, etc.)
  • Likelihood that an account has not been correctly set up (e.g. lock-out, password change, etc.)
  • Likelihood of an account being accessed by users not having the right to do so (e.g. use by a user who has changed role)
  • …
Flow: Security Incident and Event Management -> HP Labs Mapping System (Extract Relevant Parameters) -> IAM Model with various parameter values -> Outcomes - Graphs
[Chart: "Elapsed Time - Current Deprovisioning Process"; x-axis: elapsed time in days, 0 to 60 in steps of 2, plus "More"; y-axis: proportion, 0 to 0.45]
Slide 33
Risk Exposure for the Organisation due to Deprovisioning Processes
Average Number of Deprovisioning Requests (per Year): 129.
Number of Failures (Hanging Accounts): 49, of which 7 involving Super Users and 5 involving Shared Accounts.
Number of Locked-out Accounts (after 45 days) without Removal: 6
NOTE: 15% lock-out controls are set
[Chart: "Elapsed Time - Current Deprovisioning Process"; x-axis: elapsed time in days, 0 to 60 in steps of 2, plus "More"; y-axis: proportion, 0 to 0.45]
Metrics:
- Time to remove users’ accounts
- # hanging accounts
- Impact of lock-out control
- …


Editor's Notes

  • #3 At HP Labs, we’ve sharpened our focus from “let a 1,000 flowers bloom” to 8 areas of high-impact research. We have organized our research into 8 interconnected themes: Printing & Content Delivery; Mobile & Immersive Experience; Cloud & Security; Information Analytics; Intelligent Infrastructure; Networking; Services; and Sustainability. Consistent with the company strategy, we innovate at every touchpoint of information, from creation, capture, and management to delivery and collaboration: from nano-scale sensors that can collect massive amounts of data, to gesture-based intuitive interfaces that display it, to analyzing real-time consumer sentiment and trends in social media before that information is lost in a database.
  • #9 Today most security teams have good knowledge about IT and are working hard to align this with business knowledge. We are looking to take this further to make business-aligned security decisions based on simulation and prediction. To support this we are using appropriate economic and mathematical tools.
  • #11, #12, #13 Use this slide if running an actual demo proves to be too difficult logistically. Stochastic model of the threat environment; process model of the organization’s protections; validate with experts and against known data sources; select a metric: time until “risk mitigated”; execute the model as a discrete event simulation (~100K vulnerabilities); check for sensitivities in parameters; adjust the model to reflect proposed changes in policy and see how well the changes perform.
  • #26 Just a reminder of this familiar timeline. Describe the two metrics.