© Copyright 2010 Hewlett-Packard Development Company, L.P.
Marco Casassa Mont
Cloud & Security Lab, HP Labs, Bristol

HP Labs R&D Activities: Cloud & Security Lab
Security Analytics & Security Intelligence as a Service
01 February 2012
HP LABS RESEARCH AREAS – Innovation at every touchpoint of information
- Information Analytics
- Mobile & Immersive Experience
- Printing & Content Delivery
- Services
- Networking
- Intelligent Infrastructure
- Cloud & Security
- Sustainability
SECURITY MANAGEMENT CHALLENGES
- how much to spend?
- security gets in the way
- just how secure are we?
- what’s going on?
- event correlation
- insecure code
- mis-configurations
- what to look for?
- trustworthy devices, infrastructure
- legal constraints
- fragmentation, snake oil?
SECURITY MANAGEMENT – R&D AREAS
- Security Analytics
- Security Playbooks
- G-Cloud, Cells
- what’s going on? SEIM/Solutions (ArcSight, TippingPoint, etc.)
- TVC, Trusted Infrastructure
- fragmentation, snake oil?
- Forensic VM
- Security Intelligence as a Service
- Security Analytics
- Security Intelligence-as-a-Service
Positioning our Work

[Figure: vulnerability timeline. Milestones: Vulnerability Disclosed, Exploit Available, Malware, Patch Available, Test Solution, Patch Deployment. Process branches: Vulnerability Assessment, Accelerated Patching, Emergency Patching. Decision points: Exposed? / Early Mitigation? / Malware Reports? / Accelerate? / Patch Available? / Workaround Available?, with outcomes Implement Workaround and Deploy Mitigation.]
[Chart: Risk reduced window (from disclosure time) across all vulnerabilities; x-axis timeline, y-axis proportion of vulnerabilities (0 to 0.35).]

Layers: Trusted Infrastructure; Policy, process, people, technology & operations; SEIM / Auditing / Monitoring; Security Analytics; Economics / Threats / Investments.
GAP (between the SEIM/Auditing/Monitoring and Security Analytics layers), addressed by SILAS: Security Intelligence as a Service.
Risk Assessment with Security Analytics
POSITIONING SECURITY ANALYTICS – Integrating Scientific Knowledge
- Economic Theory: business outcomes, utility, trade-offs
- System Modelling: mathematical modelling of systems, organizations, and operational processes that affect or are affected by security; probability theory and process algebra
- Experiment and Prediction: simulation, statistics, analysis
- Threat Intelligence: past history, threat trends
Knowledge inputs: CISO / CIO / Business; Security/Systems domain knowledge; Business Knowledge.
SECURITY ANALYTICS PROCESS
SECURITY ANALYTICS MODELLING TOOLS
[Model diagram: External Threat Environment, Internal Processes, Mitigation Achieved]
SECURITY ANALYTICS MODELLING TOOLS: Generate code to run the model
SECURITY ANALYTICS MODELLING TOOLS: Run experiments and generate results
[Chart: Current Risk Window compared with Risk window with HPIS investment and Risk window with improved patching]
SECURITY ANALYTICS: TEMPLATED AREAS
– Vulnerability & Threat Management
– Web Access Infection
– Identity and Access Management
– Incident Management & Remediation
SILAS: Security Intelligence as a Service
Why this is of Interest to Customers
1. ArcSight and TippingPoint provide a rich amount of data and events for real-time assessment of threats and incidents
2. Wouldn’t it be great if Customers could also make use of this data for:
• A longer-term assessment and prediction of their security risks/exposures
• A periodic validation of their security investments
• An exploration of “what-if” scenarios related to:
− Security and business processes
− Operational processes in the SOC
Positioning SILAS Work

[Figure: the same vulnerability timeline (Vulnerability Disclosed, Exploit Available, Malware, Patch Available, Test Solution, Patch Deployment; Vulnerability Assessment, Accelerated Patching, Emergency Patching; decision points Exposed? / Early Mitigation? / Malware Reports? / Accelerate? / Patch Available? / Workaround Available?; outcomes Implement Workaround, Deploy Mitigation) and the "Risk reduced window (from disclosure time) across all vulnerabilities" chart as on the "Positioning our Work" slide.]

Layers: Trusted Infrastructure; Policy, process, people, technology & operations; Assurance & Situational Awareness; Security Analytics; Economics / Threats / Investments.

HPL Work aims to address the GAP between:
• Strategic, Business-Driven Security Risk Management, e.g. HP Security Analytics
• IT Driven Security Incident Management, e.g. SIEM Solutions
→ Enable Decision Makers to Assess Strategic Risks
→ Enable Decision Makers to (Re-)evaluate their Security Investments
SILAS

[Architecture diagram: Network Components, Systems, Apps/Svcs and Users feed ArcSight (Data Feeds, Rules, Reports/Data). ArcSight reports and Other Sources (e.g. HP TippingPoint, vulnerability DBs, etc.) pass through Processing & Feeding of Parameters into Security Analytics Models. The SILAS Service runs HP Security Analytics on Model Templates (VTM Model, IAM Model, Web Access Model, SOC Process Model, …) to produce Long-term Predictions & Risk Assessment, presented in Dashboards (VTM, IAM).]
[Chart: Elapsed Time - Current Deprovisioning Process; x-axis Days (0 to 60, More), y-axis Proportion (0 to 0.45).]
SILAS – Information Processing

Pipeline:
1. Configuration of ArcSight (Reports, ..) and External Sources
2. Configuration of Data Sources in the Mapping System; Collection of Data (Raw and Derived)
3. Configuration of how to Process and Estimate Parameters within Models; Actual Data → Estimation of Security Analytics Parameters
4. HP Security Analytics: Simulation and generation of Long-term Risk Assessment outcomes
[Chart: Elapsed Time - Current Deprovisioning Process; x-axis Days (0 to 60, More), y-axis Proportion (0 to 0.45).]

Sample of collected patch data:

Timestamp                    | PatchId   | SystemId  | PatchApprovalData            | PatchingDate
Thu Sep 08 10:03:07 BST 2011 | 1990-2002 | system041 | Thu Sep 08 10:03:07 BST 2011 | Thu Sep 08 10:03:07 BST 2011
Mon Sep 12 00:38:35 BST 2011 | 1990-2004 | system040 | Fri Sep 09 07:34:35 BST 2011 | Mon Sep 12 00:38:35 BST 2011
Sun Sep 11 13:45:34 BST 2011 | 1990-2004 | system042 | Fri Sep 09 10:43:29 BST 2011 | Sun Sep 11 13:45:34 BST 2011
SILAS – Estimation of Metrics
[Diagram: inputs are Data, Historical Estimates and Previous Assumptions; processing steps are Histograms and Distributions, Statistics, and Fitting with Supported Distribution Curves at a given Confidence Level; output is the Final Estimate.]
SILAS – Long-term Risk Predictions
[Chart: Elapsed Time - Current Deprovisioning Process; x-axis Days (0 to 60, More), y-axis Proportion (0 to 0.45).]
- VTM – Risk Exposure by Protection (time to patch 95% of systems)
- IAM – Risk Exposure due to Deprovisioning Processes (time to remove accounts)
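As an added example (not part of the deck and not HP's SILAS code), the Python below takes patch rows like the three on the "SILAS – Information Processing" slide, derives the approval-to-patching elapsed time per system, bins it into the 2-day "Elapsed Time" histogram the slides show, and computes the "time to patch 95% of systems" VTM risk indicator. The pipe-delimited row layout, the bin width and the percentile rule are assumptions; the timestamps are the slide's own, including two where the extraction dropped a space, which the parser tolerates.

```python
import re
from datetime import datetime
from typing import Dict, List

# Rows as on the "SILAS - Information Processing" slide, in the column order
# Timestamp | PatchId | SystemId | PatchApprovalData | PatchingDate.
# The pipe-delimited layout is an assumption of this example; "BST2011" and
# "07:34:35BST" are kept as extracted to show the parser coping with them.
SAMPLE_ROWS: List[str] = [
    "Thu Sep 08 10:03:07 BST 2011|1990-2002|system041|Thu Sep 08 10:03:07 BST 2011|Thu Sep 08 10:03:07 BST2011",
    "Mon Sep 12 00:38:35 BST 2011|1990-2004|system040|Fri Sep 09 07:34:35BST 2011|Mon Sep 12 00:38:35 BST 2011",
    "Sun Sep 11 13:45:34 BST 2011|1990-2004|system042|Fri Sep 09 10:43:29BST 2011|Sun Sep 11 13:45:34 BST 2011",
]

# "Thu Sep 08 10:03:07 BST 2011", with or without the spaces around the zone.
DATE_RE = re.compile(
    r"^(\w{3}) (\w{3}) (\d{1,2}) (\d{2}:\d{2}:\d{2})\s*([A-Z]{2,5})\s*(\d{4})$"
)


def parse_date(text: str) -> datetime:
    """Parse one timestamp field. Every row carries the same zone (BST), so a
    naive datetime is sufficient for differences between two fields."""
    m = DATE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    _dow, mon, day, hms, _zone, year = m.groups()
    return datetime.strptime(f"{mon} {day} {hms} {year}", "%b %d %H:%M:%S %Y")


def elapsed_days(rows: List[str]) -> Dict[str, float]:
    """SystemId -> days between patch approval and patch installation."""
    result: Dict[str, float] = {}
    for row in rows:
        _ts, _patch_id, system_id, approved, patched = (f.strip() for f in row.split("|"))
        delta = parse_date(patched) - parse_date(approved)
        days = delta.total_seconds() / 86400.0
        if days < 0:
            # A patching date before its approval date is a data error, not a
            # fast patch; refuse the row rather than skew the distribution.
            raise ValueError(f"{system_id}: patched before approval")
        result[system_id] = days
    return result


def histogram(days: List[float], bin_width: float = 2.0, last_edge: float = 60.0) -> Dict[float, float]:
    """Proportion of systems per elapsed-time bin, mirroring the deck's
    'Elapsed Time' chart (2-day bins from 0 to 60 days, then 'More').
    Keys are bin lower edges; the key equal to last_edge is the 'More' bin."""
    n = len(days)
    if n == 0:
        raise ValueError("no samples")
    n_bins = int(last_edge / bin_width)
    counts = {i * bin_width: 0 for i in range(n_bins + 1)}
    for d in days:
        key = last_edge if d >= last_edge else (d // bin_width) * bin_width
        counts[key] += 1
    return {edge: c / n for edge, c in counts.items()}


def time_to_cover(days: List[float], target: float = 0.95) -> float:
    """Smallest elapsed time by which at least `target` of the systems had
    been patched (the 'time to patch 95% systems' VTM risk indicator)."""
    ordered = sorted(days)
    n = len(ordered)
    for rank, d in enumerate(ordered, start=1):
        if rank / n >= target:
            return d
    return ordered[-1]


if __name__ == "__main__":
    per_system = elapsed_days(SAMPLE_ROWS)
    samples = list(per_system.values())
    for system_id, d in sorted(per_system.items()):
        print(f"{system_id}: {d:.2f} days from approval to patching")
    for edge, share in histogram(samples).items():
        if share:
            print(f"bin {edge:g}-{edge + 2:g} days: {share:.2f}")
    print(f"time to patch 95% of systems: {time_to_cover(samples):.2f} days")
```

With real exports the same functions run over thousands of rows; the histogram keys map directly onto the chart's x-axis.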
Q&A
BACK-UP
Vulnerability and Threat Management Area
AREAS UNDER VTM
• System patch management
o How long do systems stay unmitigated?
o What would be the effect of a change in process or policy deadlines?
• Defence in depth
o What would be the state of protection across the environment at the time of malware appearing?
o How would this differ with additional mitigations?
• Web security
o What is the malware infection risk across users in an organisation?
o How can risk be minimised with faster updates or website blocking?
RISK INDICATORS BASED ON VULNERABILITY TIMELINE
[Chart: Infection risk]
OVERALL VTM MODEL: external environment, internal processes, and mitigations
USING DATA FROM ArcSight
• Extract values for parameters in a VTM model
• Examples:
– Up-to-date data on patch uptake
• Regular scan of what patches are installed across machines
• Regular scan of vulnerabilities across machines
– New AV signature file uptake/install timeline across machines
• Event from AV software notifying when a new signature file was downloaded on a machine
– Periodic effectiveness of Web Gateway
• Event from gateway notifying what rule was triggered
[Diagram: Security Incident and Event Management → Extract Relevant Parameters (HP Labs Mapping System) → VTM Model with various parameter values → Outcomes - Graphs]
RISK EXPOSURE WINDOW BY PROTECTION
[Charts: IT Domain A, IT Domain B, IT Domain C]
Identity and Access Management Area
Areas under Identity and Access Management
- Users can Join & Leave the Organisation; Change their Roles
- Different types of Accounts: Normal Users, Super Users, Shared Accounts …

Access Management Processes (phases: Approval, Configuration/Deployment, Deprovisioning)
Provisioning of Access Rights to a User (User Joining, User Changing Role)
Metrics: Time to Provision, # failures, # success, …
Failures: Miscommunication, Misconfigurations, …
Deprovisioning of Access Rights from a User (User Leaving, User Changing Role)
Metrics: Time to Deprovision, # failures, # success, …
Failures: Miscommunication, Misconfigurations, …

• Provisioning/Deprovisioning of Access Rights to Users
- What is the risk exposure due to access mgmt processes?
- What is the impact on productivity?
• Compliance
- How effective are the compliance checking controls to mitigate risks (e.g. due to hanging accounts)?
- What are suitable trade-offs between investing in provisioning/deprovisioning capabilities and monitoring/auditing controls?
IAM: Example - Model of the Deprovisioning Process of Users for Critical Service(s)
OVERALL IAM MODEL: external environment, internal processes, existing controls and impact of failures
USING DATA FROM SIEM
• Extract values for parameters in an IAM model
• Example of Parameters for the Model:
• Frequency of people joining/leaving the organisation
• Number and types of accounts (Super Users, Shared, etc.)
• Likelihood that an account has not been correctly set up (e.g. lock-out, password change, etc.)
• Likelihood of an account being accessed by users not having the right to do so (e.g. use by a user who has changed role)
• …
[Diagram: Security Incident and Event Management → Extract Relevant Parameters (HP Labs Mapping System) → IAM Model with various parameter values → Outcomes - Graphs]
[Chart: Elapsed Time - Current Deprovisioning Process; x-axis Days (0 to 60, More), y-axis Proportion (0 to 0.45).]
Risk Exposure for the Organisation due to Deprovisioning Processes
Average Number of Deprovisioning Requests (per Year): 129.
Number of Failures (Hanging Accounts): 49, of which 7 involving Super Users and 5 involving Shared Accounts.
Number of Locked-out Accounts (after 45 days) without Removal: 6
NOTE: 15% lock-out controls are set
[Chart: Elapsed Time - Current Deprovisioning Process; x-axis Days (0 to 60, More), y-axis Proportion (0 to 0.45).]
Metrics:
- Time to remove user accounts
- # hanging accounts
- Impact of lock-out control
- …

More Related Content

PDF
Delve Labs - Upcoming Security Challenges for the Internet of Things
PDF
Building Security Operation Center
PPTX
Top 10 tips for effective SOC/NOC collaboration or integration
PPTX
Best Practices for Scoping Infections and Disrupting Breaches
PPT
Using a Cognitive Analytic Approach to Enhance Cybersecurity on Oil and Gas O...
PPTX
Is SIEM really Dead ? OR Can it evolve into a Platform ?
PPTX
Exercise Your SOC: How to run an effective SOC response simulation (BSidesCha...
PPTX
Building an Analytics - Enabled SOC Breakout Session
Delve Labs - Upcoming Security Challenges for the Internet of Things
Building Security Operation Center
Top 10 tips for effective SOC/NOC collaboration or integration
Best Practices for Scoping Infections and Disrupting Breaches
Using a Cognitive Analytic Approach to Enhance Cybersecurity on Oil and Gas O...
Is SIEM really Dead ? OR Can it evolve into a Platform ?
Exercise Your SOC: How to run an effective SOC response simulation (BSidesCha...
Building an Analytics - Enabled SOC Breakout Session

What's hot (20)

PPTX
SOC: Use cases and are we asking the right questions?
PPTX
CSO CXO Series Breakfast
PDF
Splunk .conf2011: Splunk for Fraud and Forensics at Intuit
PPTX
Splunk for Security: Background & Customer Case Study
PPTX
Manoj purandare - Stratergy towards an Effective Security Operations Centre -...
PPTX
Splunk for Security Breakout Session
PPTX
Splunk for Security-Hands On
PPTX
Security assessment with a hint of CISSP Prep
PPT
Ca world 2007 SOC integration
PDF
When and How to Set up a Security Operations Center
PDF
What We’ve Learned Building a Cyber Security Operation Center: du Case Study
PPTX
Hands-On Security Breakout Session- ES Guided Tour
PDF
Cyber Defense - How to be prepared to APT
PPTX
Stay out of headlines for non compliance or data breach
DOC
Real-time fallacy: how real-time your security really is?
PPTX
Splunk for Security - Hands-On
PPT
SOC presentation- Building a Security Operations Center
PPTX
SplunkLive! Splunk for Insider Threats and Fraud Detection
PDF
Rothke secure360 building a security operations center (soc)
PDF
Cloud Operations and Analytics: Improving Distributed Systems Reliability usi...
SOC: Use cases and are we asking the right questions?
CSO CXO Series Breakfast
Splunk .conf2011: Splunk for Fraud and Forensics at Intuit
Splunk for Security: Background & Customer Case Study
Manoj purandare - Stratergy towards an Effective Security Operations Centre -...
Splunk for Security Breakout Session
Splunk for Security-Hands On
Security assessment with a hint of CISSP Prep
Ca world 2007 SOC integration
When and How to Set up a Security Operations Center
What We’ve Learned Building a Cyber Security Operation Center: du Case Study
Hands-On Security Breakout Session- ES Guided Tour
Cyber Defense - How to be prepared to APT
Stay out of headlines for non compliance or data breach
Real-time fallacy: how real-time your security really is?
Splunk for Security - Hands-On
SOC presentation- Building a Security Operations Center
SplunkLive! Splunk for Insider Threats and Fraud Detection
Rothke secure360 building a security operations center (soc)
Cloud Operations and Analytics: Improving Distributed Systems Reliability usi...
Ad

Similar to Security Analytics & Security Intelligence-as-a-Service (20)

PPTX
Solnet dev secops meetup
PPTX
SplunkLive! - Splunk for Security
PPTX
Preparing for the Cybersecurity Renaissance
PPTX
PPT-Splunk-LegacySIEM-101_FINAL
PPTX
David valovcin big data - big risk
PDF
Cyber Risk Management in 2017: Challenges & Recommendations
PPTX
Splunk for Enterprise Security featuring User Behavior Analytics
PPTX
Splunk for Enterprise Security Featuring User Behavior Analytics
PDF
Scalar Security Roadshow April 2015
PPT
How PCI And PA DSS will change enterprise applications
PDF
Splunk conf2014 - Operationalizing Advanced Threat Defense
PPTX
Security in the age of open source - Myths and misperceptions
PDF
Segurança da Informação e Estrutura de Redes - Café Empresarial 15/05
PPTX
Smart Analytics for The Big Unknown
PPTX
Cyber security within Organisations: A sneaky peak of current status, trends,...
PDF
Data Science for Cyber Risk
PPTX
Splunk MINT for Mobile Intelligence and Splunk App for Stream for Enhanced Op...
PPT
Core.co.enterprise.deck.06.16.10
PDF
Making Network Security Relevant
PPTX
Virtual Gov Day - Security Breakout - Deloitte
Solnet dev secops meetup
SplunkLive! - Splunk for Security
Preparing for the Cybersecurity Renaissance
PPT-Splunk-LegacySIEM-101_FINAL
David valovcin big data - big risk
Cyber Risk Management in 2017: Challenges & Recommendations
Splunk for Enterprise Security featuring User Behavior Analytics
Splunk for Enterprise Security Featuring User Behavior Analytics
Scalar Security Roadshow April 2015
How PCI And PA DSS will change enterprise applications
Splunk conf2014 - Operationalizing Advanced Threat Defense
Security in the age of open source - Myths and misperceptions
Segurança da Informação e Estrutura de Redes - Café Empresarial 15/05
Smart Analytics for The Big Unknown
Cyber security within Organisations: A sneaky peak of current status, trends,...
Data Science for Cyber Risk
Splunk MINT for Mobile Intelligence and Splunk App for Stream for Enhanced Op...
Core.co.enterprise.deck.06.16.10
Making Network Security Relevant
Virtual Gov Day - Security Breakout - Deloitte
Ad

More from Marco Casassa Mont (8)

PPTX
Cloud Computing: Security, Privacy and Trust Aspects across Public and Privat...
PPTX
Big Data for Security - Threat Analytics
PPTX
Big Data for Security - DNS Analytics
PPTX
Big Data for Security - DNS Analytics
PPTX
Big Data for Security - DNS Analytics
PPTX
Security intelligence using big data presentation (engineering seminar)
PPT
Policy Management: An Overview
PPTX
Big Data for Security
Cloud Computing: Security, Privacy and Trust Aspects across Public and Privat...
Big Data for Security - Threat Analytics
Big Data for Security - DNS Analytics
Big Data for Security - DNS Analytics
Big Data for Security - DNS Analytics
Security intelligence using big data presentation (engineering seminar)
Policy Management: An Overview
Big Data for Security

Recently uploaded (20)

PDF
Accuracy of neural networks in brain wave diagnosis of schizophrenia
PDF
Heart disease approach using modified random forest and particle swarm optimi...
PPTX
Programs and apps: productivity, graphics, security and other tools
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
PDF
Web App vs Mobile App What Should You Build First.pdf
PDF
Hybrid model detection and classification of lung cancer
PPTX
Tartificialntelligence_presentation.pptx
PDF
August Patch Tuesday
PDF
A comparative study of natural language inference in Swahili using monolingua...
PDF
Hindi spoken digit analysis for native and non-native speakers
PDF
Enhancing emotion recognition model for a student engagement use case through...
PDF
Zenith AI: Advanced Artificial Intelligence
PDF
Mushroom cultivation and it's methods.pdf
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
PDF
A comparative analysis of optical character recognition models for extracting...
PDF
Unlocking AI with Model Context Protocol (MCP)
PDF
Encapsulation theory and applications.pdf
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
PDF
project resource management chapter-09.pdf
Accuracy of neural networks in brain wave diagnosis of schizophrenia
Heart disease approach using modified random forest and particle swarm optimi...
Programs and apps: productivity, graphics, security and other tools
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Web App vs Mobile App What Should You Build First.pdf
Hybrid model detection and classification of lung cancer
Tartificialntelligence_presentation.pptx
August Patch Tuesday
A comparative study of natural language inference in Swahili using monolingua...
Hindi spoken digit analysis for native and non-native speakers
Enhancing emotion recognition model for a student engagement use case through...
Zenith AI: Advanced Artificial Intelligence
Mushroom cultivation and it's methods.pdf
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
A comparative analysis of optical character recognition models for extracting...
Unlocking AI with Model Context Protocol (MCP)
Encapsulation theory and applications.pdf
Group 1 Presentation -Planning and Decision Making .pptx
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
project resource management chapter-09.pdf

Security Analytics & Security Intelligence-as-a-Service

  • 1. © Copyright 2010 Hewlett-Packard Development Company, L.P.1 © Copyright 2010 Hewlett-Packard Development Company, L.P.1 Marco Casassa Mont Cloud & Security Lab, HP Labs, Bristol HP Labs R&D Activities Cloud & Security Lab Security Analytics & Security Intelligence as a Service 01 February 2012
  • 2. © Copyright 2010 Hewlett-Packard Development Company, L.P.2 HP LABS RESEARCH AREAS – Innovation at every touchpoint of information Information Analytics Mobile & Immersive Experience Printing & Content Delivery Services Networking Intelligent Infrastructure Cloud & Security Sustainability
  • 3. 3 SECURITY MANAGEMENT CHALLENGES how much to spend? security gets in the way just how secure are we? what’s going on? event correlation insecure code mis-configurations what to look for? trustworthy devices, infrastructurelegal constraints fragmentation, snake oil?
  • 4. 4 SECURITY MANAGEMENT – R&D AREAS Security Analytics Security Playbooks G-Cloud, Cells what’s going on? SEIM/Solutions (ArcSight, TippingPoint, etc.) TVC, Trusted Infrastructure fragmentation, snake oil? Forensic VM Security Intelligence as a Service
  • 5. © Copyright 2010 Hewlett-Packard Development Company, L.P.5 © Copyright 2010 Hewlett-Packard Development Company, L.P.5 - Security Analytics - Security Intelligence-as-a Service
  • 6. © Copyright 2010 Hewlett-Packard Development Company, L.P.6 Positioning our Work Vulnerability Disclosed Exploit Available Malware Patch Available Test Solution Patch Deployment Vulnerability Assessment Accelerated Patching Emergency Patching Exposed? Early Mitigation? Y Malware Reports? N Accelerate? N Patch Available? Workaround Available? Implement Workaround Y Y N Y Y Deploy Mitigation Y Risk reduced window (fromdisclosure time) across all vulnerabilities 0 0.05 0.1 0.15 0.2 0.25 0.3 0.35 timeline Proportionofvulnerabilities Trusted Infrastructure Policy, process, people, technology & operations SEIM/ Auditing/ Monitoring Security Analytics Economics/ Threats/ Investments GAP SECURITY ANALYTIC S SILAS: Security Intelligence as a Service
  • 7. © Copyright 2010 Hewlett-Packard Development Company, L.P.77 © Copyright 2010 Hewlett-Packard Development Company, L.P. Risk Assessment with Security Analytics
  • 8. © Copyright 2010 Hewlett-Packard Development Company, L.P.8 – Integrating Scientific Knowledge POSITIONING SECURITY ANALYTICS Economic Theory Business outcomes, utility, trade offs System Modelling Experiment and Prediction Simulation, statistics, analysis CISO / CIO / Business Security/Systems Domain knowledge Business Knowledge Mathematical modelling of systems, organizations, and operational processes, that affect or are affected by security. Probability theory and process algebra Past history, threat trends Threat Intelligence
  • 9. © Copyright 2010 Hewlett-Packard Development Company, L.P.9 SECURITY ANALYTICS PROCESS
  • 10. © Copyright 2010 Hewlett-Packard Development Company, L.P.10 SECURITY ANALYTICS MODELLING TOOLS External Threat Environment Internal Processes Mitigation Achieved
  • 11. © Copyright 2010 Hewlett-Packard Development Company, L.P.11 SECURITY ANALYTICS MODELLING TOOLS Generate code to run the model
  • 12. © Copyright 2010 Hewlett-Packard Development Company, L.P.12 SECURITY ANALYTICS MODELLING TOOLS Current Risk Window Risk window with HPIS investment Risk window with improved patching Run experiments and generate results
  • 13. © Copyright 2010 Hewlett-Packard Development Company, L.P.13 SECURITY ANALYTICS: TEMPLATED AREAS – Vulnerability & Threat Management – Web Access Infection – Identity and Access Management – Incident Management & Remediation
  • 14. © Copyright 2010 Hewlett-Packard Development Company, L.P.1414 © Copyright 2010 Hewlett-Packard Development Company, L.P. SILAS: Security Intelligence as a Service
  • 15. © Copyright 2010 Hewlett-Packard Development Company, L.P.15 Why this is of Interest to Customers 1. ArcSight and TippingPoint provide a rich amount of data and events for real-time assessment of threats and incidents 2. Wouldn’t it be great if Customers could also make usage of this data for: • A longer-term Assessment and Predictions of their Security Risks/Exposures • A periodic validation of their security investments • An exploration of “what-if” scenarios related to: − Security and business processes − Operational processes in SOC centre
  • 16. © Copyright 2010 Hewlett-Packard Development Company, L.P.16 Positioning SILAS Work Vulnerability Disclosed Exploit Available Malware Patch Available Test Solution Patch Deployment Vulnerability Assessment Accelerated Patching Emergency Patching Exposed? Early Mitigation? Y Malware Reports? N Accelerate? N Patch Available? Workaround Available? Implement Workaround Y Y N Y Y Deploy Mitigation Y Risk reduced window (fromdisclosure time) across all vulnerabilities 0 0.05 0.1 0.15 0.2 0.25 0.3 0.35 timeline Proportionofvulnerabilities Trusted Infrastructure Policy, process, people, technology & operations Assurance & Situational Awareness Security Analytics Economics/ Threats/ Investments HPL Work aims to address the GAP between: • Strategic, Business-Driven Security Risk Management e.g. HP Security Analytics • IT Driven Security Incident Management e.g. SIEM Solutions  Enable Decision Makers to Assess Strategic Risks  Enable Decision Makers to (Re-)evaluate their Security Investments
  • 17. © Copyright 2010 Hewlett-Packard Development Company, L.P.17 SILAS Network ComponentsNetwork Components Systems Systems Systems Apps/Svcs Apps/Svcs Users Users ArcSight Data Feeds Rules Reports/ Data SILAS Service HP Security Analytics VTM Model IAM Model Web Access Model SOC Process Model … Model Templates Long-term Predictions & Risk Assessment Elapsed Time - Current Deprovisioning Process 0 0.05 0.1 0.15 0.2 0.25 0.3 0.35 0.4 0.45 0 2 4 6 8 10 12 14 16 18 20 22 24 26 28 30 32 34 36 38 40 42 44 46 48 50 52 54 56 58 60 More Days Proportion Elapsed Time VTM IAM Other Sources (e.g HP TippingPoint, vulnerability DBs, etc.) Processing & Feeding Parameters into Security Analytics Models Dashboards
  • 18. © Copyright 2010 Hewlett-Packard Development Company, L.P.18 SILAS – Information Processing Configuration of ArcSight (Reports, ..) and External Sources Configuration of Data Sources In the Mapping System. Collection Of Data (Raw and Derived) Configuration of how to Process and Estimate Parameters within Models Actual Data Estimation of Security Analytics Parameters HP Security Analytics Simulation and generation of Long-term Risk Assessment outcomes Elapsed Time - Current Deprovisioning Process 0 0.05 0.1 0.15 0.2 0.25 0.3 0.35 0.4 0.45 0 2 4 6 8 10 12 14 16 18 20 22 24 26 28 30 32 34 36 38 40 42 44 46 48 50 52 54 56 58 60 More Days Proportion Elapsed Time Timestamp Patch Id SystemId PatchApprovalData PatchingDate Thu Sep 08 10:03:07 BST 2011 1990-2002 system041 Thu Sep 08 10:03:07 BST 2011 Thu Sep 08 10:03:07 BST2011 Mon Sep 12 00:38:35 BST 2011 1990-2004 system040 Fri Sep 09 07:34:35BST 2011 Mon Sep 12 00:38:35 BST 2011 Sun Sep 11 13:45:34 BST 2011 1990-2004 system042 Fri Sep 09 10:43:29BST 2011 Sun Sep 11 13:45:34 BST 2011
  • 19. © Copyright 2010 Hewlett-Packard Development Company, L.P.19 SILAS – Estimation of Metrics Historical Estimates Data Histograms And Distributions Statistics Previous Assumptions Fitting with Supported Distribution Curves Confidence Level Final Estimate
  • 20. © Copyright 2010 Hewlett-Packard Development Company, L.P.20 SILAS – Long-term Risk Predictions Elapsed Time - Current Deprovisioning Process 0 0.05 0.1 0.15 0.2 0.25 0.3 0.35 0.4 0.45 0 2 4 6 8 10 12 14 16 18 20 22 24 26 28 30 32 34 36 38 40 42 44 46 48 50 52 54 56 58 60 More Days Proportion Elapsed Time VTM – Risk Exposure by Protection (time to patch 95% systems) IAM – Risk Exposure due to Deprovisioning Processes (time to remove accounts)
  • 21. © Copyright 2010 Hewlett-Packard Development Company, L.P.21 Q&A
  • 22. © Copyright 2010 Hewlett-Packard Development Company, L.P.22 BACK-UP
  • 23. © Copyright 2010 Hewlett-Packard Development Company, L.P.2323 © Copyright 2010 Hewlett-Packard Development Company, L.P. Vulnerability and Threat Management Area
  • 24. © Copyright 2010 Hewlett-Packard Development Company, L.P.24 AREAS UNDER VTM • System patch management o How long systems stay unmitigated? o What would be the effect of a change in process or policy deadlines? • Defence in depth o What would be the state of protection across the environment at the time of malware appearing? o How this would differ with additional mitigations? • Web security o What is the malware infection risk across users in an organisation? o How risk can be minimizing with faster updates or website blocking?
  • 25. © Copyright 2010 Hewlett-Packard Development Company, L.P.25 RISK INDICATORS BASED ON VULNERABILITY TIMELINE Infection risk
  • 26. © Copyright 2010 Hewlett-Packard Development Company, L.P.26 OVERALL VTM MODEL: external environment, internal processes, and mitigations
  • 27. © Copyright 2010 Hewlett-Packard Development Company, L.P.27 • Extract values for parameters in a VTM model • Examples: – Up-to-date data on patch uptake • Regular scan of what patches installed across machines • Regular scan of vulnerabilities across machines – New AV signature file uptake/install timeline across machines • Event from AV software notifying when a new signature file was downloaded on a machine – Periodic effectiveness of Web Gateway • Event from gateway notifying what rule was triggered Security Incident and Event Management VTM Model with various parameter values Extract Relevant Parameters HP Labs Mapping System USING DATA FROM ArcSight Outcomes - Graphs
  • 28. © Copyright 2010 Hewlett-Packard Development Company, L.P.28 RISK EXPOSURE WINDOW BY PROTECTION IT Domain A IT Domain B IT Domain C
  • 29. © Copyright 2010 Hewlett-Packard Development Company, L.P.2929 © Copyright 2010 Hewlett-Packard Development Company, L.P. Identity and Access Management Area
  • 30. © Copyright 2010 Hewlett-Packard Development Company, L.P.30 Areas under Identity and Access Management - Users can Join & Leave the Organisation; Change their Roles - Different types of Accounts: Normal Users, Super Users, Shared Accounts … Access Management Processes Provisioning of Access Rights to a User Metrics • Time to Provision • # failures • # success • … Deprovisioning of Access Rights from a User Metrics • Time to Deprovision • # failures • # success • … Failures: Miscommunication, Misconfigurations, … Failures: Miscommunication, Misconfigurations, … - User Joining - User Changing Role - User Leaving - User Changing Role Approval Phase Approval Phase Configuration/ Deployment Phase Configuration/ Deployment Phase Deprovisioning Phase Deprovisioning Phase Configuration/ Deployment Phase Configuration/ Deployment Phase • Provisioning/Deprovisioning of Access Rights to Users -What is the risk exposure due to access mgmt processes? -What is the impact on productivity? • Compliance - How effective are the compliance checking controls to mitigate risks (e.g. due to hanging accounts?) - What are suitable trade-offs between investing in provisioning/ deprovisioning capabilities and monitoring/auditing controls?
  • 31. IAM example: model of the deprovisioning process of users for critical service(s). Overall IAM model: external environment, internal processes, existing controls and impact of failures.
  • 32. Using data from the SIEM: extract values for the parameters of an IAM model. Example parameters for the model:
    – Frequency of people joining/leaving the organisation
    – Number and types of accounts (super users, shared, etc.)
    – Likelihood that an account has not been correctly set up (e.g. lock-out, password change, etc.)
    – Likelihood of an account being accessed by users who no longer have the right to do so (e.g. use by a user who has changed role)
    – ...
    Pipeline: the SIEM feeds the HP Labs mapping system, which extracts the relevant parameters for an IAM model with various parameter values; the outcomes are graphs, e.g. a histogram of elapsed time for the current deprovisioning process (proportion of requests against days, 0 to 60 and more).
  • 33. Risk exposure for the organisation due to deprovisioning processes. Average number of deprovisioning requests (per year): 129. Number of failures (hanging accounts): 49, of which 7 involve super users and 5 involve shared accounts. Number of locked-out accounts (after 45 days) without removal: 6. Note: lock-out controls are set for 15% of accounts. (Graph: elapsed time of the current deprovisioning process, proportion of requests against days, 0 to 60 and more.) Metrics: time to remove user accounts; # hanging accounts; impact of lock-out control; ...
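Slide 33 gives the figures, and the editor's notes for slides 11 to 13 describe the method (stochastic model of the process, executed as a discrete-event simulation, a chosen metric, sensitivity checks on the parameters). The block below is an added example, not HP Labs' model, that puts the two together for the deprovisioning process: it takes the slide's numbers where they are given (129 requests per year, 49 hanging accounts, 7 super-user and 5 shared-account failures, 15% lock-out coverage at 45 days) and assumes what the slide does not state numerically, namely an exponential removal delay with a 10-day mean for successful deprovisioning and a 180-day audit interval after which an unlocked hanging account is found. The metric is account-days of residual access per deprovisioning request; a closed-form expectation is included so the simulation can be checked, and the sensitivity function shows how exposure moves as lock-out coverage is raised, which is the trade-off question slide 30 asks.

```python
"""Monte Carlo model of the deprovisioning process (added example, not HP Labs code).

Figures marked 'slide 33' come from the page; 'ASSUMPTION' values do not.
"""
import random
from dataclasses import dataclass, replace


@dataclass
class DeprovParams:
    requests_per_year: int = 129      # slide 33
    p_failure: float = 49 / 129       # slide 33: hanging accounts / requests
    p_super: float = 7 / 49           # slide 33: share of failures on super-user accounts
    p_shared: float = 5 / 49          # slide 33: share of failures on shared accounts
    lockout_coverage: float = 0.15    # slide 33: lock-out controls set for 15%
    lockout_days: int = 45            # slide 33: lock-out after 45 days
    mean_removal_days: float = 10.0   # ASSUMPTION: removal delay when the process succeeds
    audit_interval_days: int = 180    # ASSUMPTION: review that eventually finds a hanging account


def expected_exposure_per_request(p: DeprovParams) -> float:
    """Closed-form mean of the simulated metric, for checking the model."""
    if_failed = (p.lockout_coverage * p.lockout_days
                 + (1 - p.lockout_coverage) * p.audit_interval_days)
    return (1 - p.p_failure) * p.mean_removal_days + p.p_failure * if_failed


def simulate(p: DeprovParams, years: int = 1, seed: int = 7) -> dict:
    """Run `years` worth of deprovisioning requests through the process model."""
    rng = random.Random(seed)
    out = {"requests": 0, "hanging": 0, "hanging_super": 0, "hanging_shared": 0,
           "locked_not_removed": 0, "exposure_days": 0.0}
    for _ in range(p.requests_per_year * years):
        out["requests"] += 1
        # All draws happen before branching so runs with the same seed share
        # random numbers; that keeps sensitivity comparisons noise-free.
        u_fail, u_class, u_cover = rng.random(), rng.random(), rng.random()
        delay = rng.expovariate(1 / p.mean_removal_days)
        if u_fail >= p.p_failure:
            out["exposure_days"] += delay            # removed, but only after `delay` days
            continue
        out["hanging"] += 1                          # process failed: account left behind
        if u_class < p.p_super:
            out["hanging_super"] += 1
        elif u_class < p.p_super + p.p_shared:
            out["hanging_shared"] += 1
        if u_cover < p.lockout_coverage:
            out["locked_not_removed"] += 1
            out["exposure_days"] += p.lockout_days   # usable until the lock-out fires
        else:
            out["exposure_days"] += p.audit_interval_days  # usable until an audit finds it
    out["exposure_per_request"] = out["exposure_days"] / out["requests"]
    return out


def lockout_sensitivity(p: DeprovParams, coverages, years: int = 5, seed: int = 7):
    """Exposure per request as lock-out coverage varies (same seed for every run)."""
    return [(c, simulate(replace(p, lockout_coverage=c), years, seed)["exposure_per_request"])
            for c in coverages]


if __name__ == "__main__":
    params = DeprovParams()
    print("one year:", simulate(params))
    print("expected exposure/request:", round(expected_exposure_per_request(params), 1))
    for cov, exp in lockout_sensitivity(params, [0.15, 0.5, 1.0]):
        print(f"lock-out coverage {cov:.0%}: {exp:.1f} account-days per request")
```

Two things to keep in mind when reading the output: the lock-out control only shortens the window, it does not close it, because a locked-out account is still not removed (the slide's "locked-out accounts without removal"); and the result depends heavily on the two assumed parameters, which is exactly why the editor's notes insist on validating the model against known data sources and checking sensitivities before using it to compare policy options.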

Editor's Notes

  • #3: At HP Labs, we’ve sharpened our focus from “let a 1,000 flowers bloom” to 8 areas of high-impact research. We have organized our research into 8 interconnected themes: Printing & Content Delivery, Mobile & Immersive Experience, Cloud & Security, Information Analytics, Intelligent Infrastructure, Networking, Services and Sustainability. Consistent with the company strategy, we innovate at every touchpoint of information, from creation, capture, and management to delivery and collaboration. From nano-scale sensors that can collect massive amounts of data… to gesture-based intuitive interfaces that display it… to analyzing real-time consumer sentiment and trends in social media before that information is lost in a database…
  • #9: Today most security teams have good knowledge about IT and are working hard to align this with business knowledge. We are looking to take this further to make business-aligned security decisions based on simulation and prediction. To support this we are using appropriate economic and mathematical tools.
  • #11, #12, #13 (same note for all three): Use this slide if running an actual demo proves to be too difficult logistically.
    – Stochastic model of threat environment
    – Process model of organization’s protections
    – Validate with experts and against known data sources
    – Select a metric: time until “risk mitigated”
    – Execute the model as a discrete event simulation (~100K vulnerabilities); check for sensitivities in parameters
    – Adjust the model to reflect proposed changes in policy and see how well the changes perform
  • #26: Just a reminder of this familiar timeline. Describe the two metrics.