How to Operationalize Big Data Security Analytics
0 likes56 views
The document discusses the operationalization of big data security analytics, focusing on the distinction between analysis and analytics in the security domain. It highlights the importance of using integrated data and advanced techniques for threat detection and response, emphasizing a holistic approach for effective cybersecurity. The integration of AI and machine learning is portrayed as transformative in identifying and managing cybersecurity threats efficiently.
How to Operationalize Big Data Security Analytics
- 1. 1 | © 2017 Interset Software How to Operationalize Big Data Security Analytics Jay Lillie, Director Field Operations
- 2. 2 | © 2017 Interset Software Analytics in the security domain is misunderstood (And it’s the fault of security vendors!)
- 3. 3 | © 2017 Interset Software Analysis and Analytics are not interchangeable Analysis Analytics⊃ I can perform analysis on anything, including data! “Analytics is a subset of analysis” Analytics is a special type of analysis that can be performed on data!
- 4. 4 | © 2017 Interset Software Analytics in the security domain is misunderstood Analytics Analysis ▪ philosophical ▪ interpretive ▪ subjective ▪ exploratory Analysis MAY be…
- 5. 5 | © 2017 Interset Software Analytics in the security domain is misunderstood ▪ mathematics ▪ statistics ▪ data science ▪ machine learning Analytics MUST have… ▪ queries ▪ rules & thresholds Security “analytics” is too often… ?? ???
- 6. 6 | © 2017 Interset Software Analytics focuses on different domain knowledge Security Analytics
- 7. 7 | © 2017 Interset Software So how do we meaningfully bring them together?
- 8. 8 | © 2017 Interset Software Accelerate detection activities with analytics Do what smart, talented people do… only faster… and with no pesky sleep required.
- 9. 9 | © 2017 Interset Software Identify Develop organizational understanding Protect Implement the appropriate safeguards Detect Identify the occurrence of a cybersecurity event Respond Take action regarding a detected cybersecurity event Recover Restore any capabilities or services that were impaired NIST Cybersecurity Framework https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf
- 10. 10 | © 2017 Interset Software Identify Develop organizational understanding Protect Implement the appropriate safeguards Detect Identify the occurrence of a cybersecurity event Respond Take action regarding a detected cybersecurity event Recover Restore any capabilities or services that were impaired NIST Cybersecurity Framework https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf
- 11. 11 | © 2017 Interset Software Common security operations patterns… Security Information and Event Management (SIEM) Log Management System (LMS) Endpoint & Data Loss Prevention (DLP) Identity and Access Management (IAM) Network Business Applications Security Operations Collect logs from various sources Write queries Define rules Manage alerts Attack reconstruction Detect Respond Case Mgmnt / Svc Desk
- 12. 12 | © 2017 Interset Software ….common problems Security Information and Event Management (SIEM) Log Management System (LMS) Endpoint & Data Loss Prevention (DLP) Identity and Access Management (IAM) Network Business Applications Collect logs from various sources Endless new queries Modify rules to have higher thresholds Ignore alerts Painfully long reconstruction We don’t know where to start looking for threats. We don’t have the staff to analyze 10,000 alerts per day. 60-80% of alerts are false positives. Rules based systems are brittle, hard to maintain.
- 13. 13 | © 2017 Interset Software Analytics works differently than analysis tools Endpoint (inc. DLP) Access, Auth, & Actions Network (NetFlow) Enrichment Data SecurityDataLake (Integrated) Security Analytics Dashboard& Hand-off Orchestration / Automation OpenDXL Case Mgmnt / Svc Desk REST API Detect Respond Acquire “Which things matter?” Bring logs and streaming sources together Baseline “What is normal?” Incorporate the patterns of behavior that make each entity like (and unlike) others Score “Where are the risks?” Principled analytical methods surface quantified potential threats Act “Who takes action?” Predetermined or ad hoc; automated or manual
- 14. 14 | © 2017 Interset Software SIEM The services a SIEM provides still have a place! Endpoint (inc. DLP) SIEM Access, Auth, & Actions Network (NetFlow) Enrichment Data SecurityDataLake (Integrated) Security Analytics Dashboard& Hand-off Orchestration / Automation OpenDXL Case Mgmnt / Svc Desk REST API SIEM
- 15. 15 | © 2017 Interset Software A holistic response requires integrated data Auth data Application / Service VPN Shared Resource Bring the threat to me: Who are my riskiest users, servers, websites…? Find the threat faster: Where are the riskiest periods of time, who interacts with what…? Integrated to give the broadest possible view Many sources yield a single, meaningful result set Find a Threat Lead Conduct a Threat Hunt
- 16. 16 | © 2017 Interset Software Strategically operationalize your security analytics Use the right tool, at the right time, in the right place…
- 17. 17 | © 2017 Interset Software Understand where you want to go first Detect Respond ▪ Know what you want to find ▪ Decide how you want to respond ▪ Then, use these to determine what you must detect
- 18. 18 | © 2017 Interset Software People ProcessTechnology Operationalization is a full-spectrum exercise ▪ Security Operations Center (SOC) ▪ IT Help Desk ▪ Cyber Incident Response Team (CIRT) ▪ Non-IT Coordination ▪ Service Desk (e.g., ITIL) ▪ Cyber threat ▪ Forensics / Evidence gathering ▪ Non-IT intersections ▪ Awareness / Escalation ▪ Case Management ▪ Orchestration ▪ Authentication / Access Control ▪ Enrichment Sources Security Operations
- 19. 19 | © 2017 Interset Software examples
- 20. 20 | © 2017 Interset Software Incident Detection: Theft of intellectual property X 2 Engineers stole data 1 Year $1 Million Spent Large security vendor failed to find anything 2 Weeks Easily identified the 2 Engineers Found 3 additional users stealing data in North America Found 8 additional users stealing data in China
- 21. 21 | © 2017 Interset Software Operations Integration: Process-based roadmap Generate alert SIEM Investigate threat SOC Close investigation SOC Coordinate response Svc Desk non- significant incident finding additional action required alert Create ticket Svc Desk escalate
- 22. 22 | © 2017 Interset Software Operations Integration: Process-based roadmap Detect events SIEM Discover significant risk Interset Create ticket Svc Desk Investigate threat SOC Close investigation SOC Coordinate response Svc Desk non- significant incident finding additional action required event risk escalation Other reported behavior varies notification 1 logs 3 5 6 7 varies Collect logs 2 Enrichment data varies 4 8 9
- 23. 23 | © 2017 Interset Software Linking technology: Analytics to orchestration Dashboard& Hand-off Orchestration / Automation OpenDXL Case Mgmnt / Svc Desk REST API Respond Lock account Isolate node Run script ▪ Fast: Yes, faster than a human ▪ Certainty: Not a single alert, but a distinguishable set of behaviors ▪ Predictable: Nothing gets missed And more…
- 24. 24 | © 2017 Interset Software Who is Interset?
- 25. 25 | © 2017 Interset Software Interset Summary Security analytics combined with AI / machine-learning is transformative. Interset big- data processing swiftly pinpoints threats, while expanding visibility to get a contextual picture of enterprise risk. We distill billions of events into hundreds of anomalies… Then into a handful of actionable SOC leads. Jay Lillie Director Field Ops jlillie@interset.com