Big data ... for security
Download as PPTX, PDF0 likes555 views
The document discusses the extensive IT infrastructure and security operations at Hewlett Packard Enterprise, detailing the scale of data management, including over 2.5 billion security events logged daily and various security analytics methods used for threat detection. It highlights the complexities involved in managing large volumes of DNS traffic, emphasizes the importance of machine learning and analytics for identifying advanced threats, and outlines the architecture for real-time threat detection. Additionally, it addresses ongoing challenges in data exfiltration and the need for comprehensive analysis in security protocols.
Big data ... for security
- 1. Big data … for security James Salter Hewlett Packard Labs December 3, 2015
- 2. This is what we are dealing with... 2 6 Next generation data centres 300K+ Employees and contractors A massive IT operation 41K+ servers 440K+ PCs deployed 15K+ switches 1,500+ enterprise routers 140+ Windows Domain Controllers Infrastructure 11.5M+ Internet mails per day sent/received 150K+ mobile devices39M IP Addresses 1.2M devices 450K mailboxes managed Connectivity 2.5B security events logged per day 2K+ managed firewalls 970K+ devices scanned for vulnerabilities 450K end points protected with anti-virus Security
- 3. Security events data HPE IT operates ArcSight internally Deployment 25% larger than any other non-governmental installation by volume 1 10 100 1000 10000 100000 1000000 1 2 3 4 5 6 Eventspersecond(logarithmicscale) DNS traffic per HPE data centre: – 120,000 events/second – ~64B events/day globally Routers VPN AntiVirus Active Directory Web Proxy DNS
- 4. 64 billion DNS events/day whitelist/blacklist 99% 4 640 million greylisted events
- 5. Collection is just part of the story Analytics is where the power comes from 5 Correlation Machine learning Graph analytics Anomaly detection Advanced persistent threats Data exfiltration User behaviour analysis/insider threat Endpoint visibility
- 6. Abuse case Botnet command and control Bot DNS server akaajkajkajd.cn? xisyudnwuxu.ru? dfknwerpbnp.biz? mneyqslgyb.info? cspcicicipisjjew.hu? C2 Server (mneyqslgyb.info) Attacker can’t maintain C2 server at IP address for very long. So it registers a random domain name temporarily. Bot tries a bunch of random names until it finds one that resolves.
- 7. AssetAsset Abuse case DNS tunneling (via subdomains) Bot DNS server (Compromised) DNS server (example.com) 93cc3daf.example.com4fac3215.example.coma86f4221.example.comddee9152.example.com8bd5ff12.example.comd4bb92a1.example.comef409132.example.com1bfa3207.example.com298c5b3a.example.com
- 8. Solution architecture: Overview 8 DNS server(s) DNS packet capture Whitelist network tap DNS queries and responses Blacklist Event logging Correlation and alerting Real-time processing Near-time, historical analysis DNS events: queries and replies
- 9. In use at HPE Hewlett Packard Enterprise Cyber Defense Center, Palo Alto 9
- 10. From Labs … to HPE … to Customers 10 Screenshot from HPE DNS Malware Analytics – HPE DNS Malware Analytics – Cloud-based managed or self-service analytics with on-premises capture modules
- 11. The next challenges 11 ? days ? 5 minutes 24 hours Increase the correlation time window Data exfiltration “hidden in the noise” Exfil time
- 12. The next challenges 12 Security Events DNS Outgoing ISP Packets 2.5 64 660 BillionsofEventsPerDay 0 700 350 Complete packet capture for all outgoing ISP connections