44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins A quick summary of the current state of big data technology and data science approaches used in cyber / network defender security analytics including summary use cases, a walk through of a reference architecture and breakdown of the required skills. Focus is on the knowledge needed to run a proof of concept and establish a programme for early benefits. Will then also include a view on the future of extending the platforms and capabilities of security analytics to cover performance metrics and data-driven security management approaches.

1. Security Analytics Beyond Cyber
Phil Huggins, Vice President, Security Science
11/9/2014

2. SECURITY SCIENCE
2
Agenda
 Big Data and Cyber
 Situational Awareness
 Security Analytics Beyond Cyber

3. 3
Big Data and Cyber Security

4. SECURITY SCIENCE
4
Big Data?
 Over-used buzzword.
 Doug Laney defined 3Vs in 2001
 Gartner promoted 3Vs in 2012
Google Trends
“Big Data” search interest over time
The 3Vs
Volume Velocity Variety Value Veracity

5. SECURITY SCIENCE
Big Data Disciplines
 More useful to break Big Data down by activities you actually do:
• Decision Making
Data-Driven
Management
Data Science • Analytics, Sense-Making
• Technology, Nuts and Bolts
Data
Engineering

6. SECURITY SCIENCE
6
Data Lakes & CoEs
 The data lake, an enterprise-wide Big Data platform, is emerging in
large scale businesses.
• Concentration of data
• Concentration of technology
 Tends to be associated with Big Data “Centres of Excellence”.
• Concentration of Data Engineering skills
• Concentration of Data Science skills
• The CoEs are often hunting for well-defined early adopter Use
Cases to prove their value.
• The Data Lakes provide unexpected opportunities for ‘data
enrichment’ across organisational boundaries.

7. SECURITY SCIENCE
7
Why Big Data for Cyber Security?
 Cyber Security is increasingly a data problem.
 We are collecting, processing and analysing more and more data in
order to address the threat landscape.
• Known threat indicators
• Indicator targeted subsets of monitoring
data
• Assumes in advance what the risk is
• Near real-time analysis with limited memory
Network
Monitoring
using SIEM

8. SECURITY SCIENCE
8
What are the main Cyber Security use cases for Big Data?
 Early adoption, provable ROI, vendor can develop a PoC without a
customer
• Probable matches to likely/possible threat
methods
• All the monitoring data over a longer period of
time
• Retroactive analysis using intelligence feeds
• Combining internal and external data sources
Network
Behavioural
Analytics
• More context and more data to investigate
• Single screen analysis
• Faster automated tooling for entity resolution and
event resolution
• Variety of visualisations available, timeline
visualisation especially key
Data-enabled
Investigation

9. SECURITY SCIENCE
Tools
• Hardware and
software
components
• Configuration
and utilization of
solution
components
People
• Skills of people
involved
• Engagement of
necessary
stakeholders
• Training
available
Process
• Essential
processes for
solution to work
• Includes
management of
tools,
knowledge,
intelligence and
people
Data
Sources
• The raw data
from a variety of
tools across the
environment.
• Includes
sensors, security
alerts and log
files.
Intelligence
• Data that
provides the
necessary
context to
enrich, interpret
and prioritize
analytic results
Knowledge
•The goal of the
data analysis
which is both
delivered to
stakeholders
and better
informs further
questions of the
data
9
What is a Big Data Security Analytics Capability?

10. SECURITY SCIENCE
10
What does a Big Data Security Analytics solution look like?

11. SECURITY SCIENCE
11
How does the Security Analytics team fit into an existing Security Team?

12. 12
Situational Awareness

13. SECURITY SCIENCE
13
What is Situational Awareness?
 Large body of academic work
 A variety of different processual vs cognitive models suggested
 Warning! The science is not robust in this area.
 Dr Mica Endsley described the popular three stage model in 1995
 Correlation with John Boyds OODA Loop.
SITUATIONAL AWARENESS
PERCEIVE UNDERSTAND PREDICT

14. SECURITY SCIENCE
14
How does Situational Awareness fit into Cyber Security?
OPERATIONAL CYBER SECURITY
OBSERVE ORIENTATE DECIDE ACT
SITUATIONAL AWARENESS
OPERATORS
HUNTERS
RESPONDERS
RESOLVERS
AUTOMATION?

15. SECURITY SCIENCE
15
How does Situational Awareness fit into Security Management?
SECURITY MANAGMENT
PLAN DO CHECK ACT
STUDY
SITUATION
SET GOALS
PLAN
ACTIVITIES
MEASURE
SUCCESS
STUDY
RESULTS
IMPROVE &
STANDARDISE
DELIVER
ACTIVITIES
SITUATIONAL
AWARENESS
SITUATIONAL AWARENESS AUTOMATION?

16. 16
Security Analytics Beyond Cyber

17. SECURITY SCIENCE
17
Why Data-Driven Security Management?
“The dearth of metrics and decision-making tools places the
determination of Information Security risk to the enterprise on the
judgment of IT security practitioners.” INFOSEC Research Council
“At present, the practice of measuring security is very ad-hoc. Many of
the processes for measurement and metric selection are mostly or
completely subjective or procedural.” Department of Homeland
Security
 Most security decisions made in absence of good data.
 Best/Good Practice is “cargo cult security”.

18. SECURITY SCIENCE
18
Low Hanging Fruit – Quantitative Security Management
 Mixed Data Sources, Visualisation, Sets of Questions, Summary
Statistics
 Trend Analysis, Security Posture, Perimeter View, Operational KPIs,
Controls Performance
 Good indicator is large Excel sheets with complex pivot tables
• Multiple data sources; vuln scanners or probes,
hardware inventory, cmdb, patch servers, SOC
monitoring, external information feeds
• Multiple clear questions.
• Candidate for Question-Focused Dataset
Vulnerability
Management
• Multiple data sources; risk register, project
plans, incident reports, SOC feed, audit reports
• Multiple stakeholders with distinct interests
• Candidate for Interactive Visualisation
Executive
Dashboard

19. SECURITY SCIENCE
19
Big Data Security Analytics Opportunities
 Once the Cyber use cases have been implemented there are
opportunities to operationalise and potentially automate some aspects
of security management activities
• Continuous monitoring, not just an annual
phishing exercise
• Enrich with HR data
• Report on trends and effectiveness of
awareness programs and training events
• Targeted training
Risky Staff
Behaviour
• Pre-Approved Change Controls at agreed
risk thresholds
• Firewall, network and server configuration
changes
• Increased targeted monitoring
• Distribution of IOCs to multiple endpoints
Automated
Incident
Response

20. SECURITY SCIENCE
20
The Future - Hypothesis-Driven Security Management
 Experiments to identify the effectiveness of security activities and
controls in your environment
 Multiple iterations following the Deming cycle
 Replace Best/Good Practice with the Right Practice for You
 Key skills:
1. Forming a useful, practical and measurable hypothesis
2. Achieving executive support for management experimentation
3. Understanding and applying the results to the business
• Some of these are Data Scientist skills, some are CISO skills.
• The CISO of the future will need to understand how to talk to Data
Scientists productively!

21. 21
Conclusion
 There are no silver bullets!
 We will still need humans in the loop but automation will allow us to
do more with less
 Build open cyber big data analytics platforms
 Invest in analytics skills now
 Security is transforming from a subjective art to a data and
automation discipline

22. THANK YOU
strozfriedberg.com
Phil Huggins, Vice President
T: +44 207 061 2299
phuggins@strozfriedberg.com