Page 1
© Copyright 2014 EMC Corporation. All rights reserved.
Applying the Power of Data Analytics to Cyber Security
Dr. Robert W. Griffin, Chief Security Architect, RSA, the Security Division of EMC
Contact: [email protected] | /author/griffin | blog.emc2.de/executive-world/ | project-sparks.eu/blog/ | @RobtWesGriffin | www.linkedin.com/pub/robert-griffin/0/4a1/608
Page 2
Disruption and Transformation
• Infrastructure Transformation: Mobile, Cloud. Less control over access device and back-end infrastructure.
• Threat Landscape Transformation: APTs, Sophisticated Fraud. Fundamentally different tactics, more formidable than ever.
• Business and Legal Transformation: Extended Workforce, Networked Value Chains, Big Data. More hyper-extended, more digital.
http://www.emc.com/collateral/industry-overview/h11391-rpt-information-security-shake-up.pdf?pid=sbiclandingpage-sbicspecialreport-122112
Page 3
Evolving Attack Goals and Methods
Timeline from 2007 to 2013: Worms/Viruses, Simple DDoS, Phishing/Pharming, APTs, Multi-Stage, Hacker Collaboration, Disruptive Attacks
Toward 2020: Destructive Attacks, Intrusive Attacks, Advanced DDoS, Sophisticated Mobile Attacks, IoT Attacks
Page 4
Traditional Security Is Not Working
Source: Verizon 2013 Data Breach Investigations Report
97% of breaches led to compromise within “days” or less, with 72% leading to data exfiltration in the same time.
78% of breaches took “weeks” or more to discover; 66% took “months or more”.
Page 5
Intelligence is the Game Changer
Page 6
Visibility: Data Collection and Rationalization
• Capture Time Data Enrichment
• Packets, Logs, Endpoints, NetFlow
• Business & Compliance Context
Page 7
Analysis: Generating Information
• Endpoint Threat Detection
• Correlate Multiple Data Sources
• Out-of-the-box Content
• Big Data & Data Science
Page 8
Action: Investigation and Remediation
• Prioritized & Unified Analyst Workflow
• Investigate down to finest details
• Integrate SOC Best Practices
Page 9
Communication Valley Reply (Italy): Leveraging Intelligence-Driven Security
• Requirements:
  • Efficient, cost-effective management and reporting of security
  • Reduce cost of services delivery
  • Improved MSSP service as competitive advantage
• Solution:
  • Automatically tracked and reported on client risk and compliance
  • Enhanced incident triage
  • Improved event analysis
http://www.emc.com/collateral/customer-profiles/h11982-reply-cp.pdf
Page 10
Example: Detect suspicious domain connections
Identifying suspicious domains is difficult – and identifying hosts that have ever communicated with one is even harder.
Risk score indicators for a domain (Domain A, scored from Low Risk to High Risk):
• Traffic content types: Suspicious domains often host many services on the same server.
• Number of IP addresses: Malicious domains use many IP addresses to evade static IP watchlists.
• Number of domain name owners associated with an IP address: A high number of domain owners associated with a system is suspicious.
• GETs vs. PUT/POSTs: Domains where the ratio of POSTs to GETs is high are more likely malicious.
• Number of users hitting a domain relative to complexity: A complex domain that few people access is more likely to be malicious.
Page 11
Example: Discover beaconing hosts
Traffic from hosts ‘beaconing’ to command and control hosts can look like normal traffic. Data science helps identify outliers.
Risk score indicators for a session (Domain A, scored from Low Risk through Medium Risk to High Risk):
• Use of cookies: Malicious sessions seldom use cookies.
• Bytes uploaded vs. downloaded: Malicious sessions often upload far more than just a URL request.
• Use of referrer strings: Most web sessions come from clicking on another link, resulting in a “referrer string”. Malicious sessions seldom do.
• URL lengths: Malicious attacks often embed themselves deep in web servers, resulting in unusually long URL lengths.
• Other: RSA uses several other identifiers to determine the risk score.
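The two risk-score slides above (suspicious domains and beaconing hosts) list indicators but not how they combine. The following is an added illustration, not RSA's code: it aggregates constructed web-session records per domain, evaluates each of the slides' indicators, and maps the count of fired indicators to the Low/Medium/High bands. The thresholds, weights and band cut-offs are assumptions made for the example.

```python
from collections import defaultdict, namedtuple

Session = namedtuple("Session", "client domain dst_ip method url cookie referrer bytes_up bytes_down")
LONG_URL = "/wp-content/themes/cache/" + "x" * 48 + "/gate.php"  # constructed, 82 chars

# Constructed sample sessions, not real traffic: a normal news site, a low-traffic CDN, a beacon-like domain.
SESSIONS = [
    Session("pc01", "news.example", "203.0.113.10", "GET",  "/",       True,  True,  300,   48000),
    Session("pc02", "news.example", "203.0.113.10", "GET",  "/world",  True,  True,  280,   52000),
    Session("pc03", "news.example", "203.0.113.10", "GET",  "/sports", True,  False, 290,   61000),
    Session("pc01", "news.example", "203.0.113.10", "POST", "/login",  True,  True,  900,   4000),
    Session("pc05", "cdn.example",  "203.0.113.20", "GET",  "/lib.js", False, False, 200,   9000),
    Session("pc05", "cdn.example",  "203.0.113.21", "GET",  "/app.js", False, False, 210,   12000),
    Session("pc07", "x9k2.example", "198.51.100.5", "POST", LONG_URL,  False, False, 52000, 300),
    Session("pc07", "x9k2.example", "198.51.100.6", "POST", LONG_URL,  False, False, 61000, 300),
    Session("pc07", "x9k2.example", "198.51.100.7", "GET",  LONG_URL,  False, False, 400,   250),
]

def domain_indicators(rows):
    """Evaluate the slides' per-domain heuristics; every threshold here is an assumed cut-off."""
    n = len(rows)
    posts = sum(r.method == "POST" for r in rows)
    gets = sum(r.method == "GET" for r in rows)
    return {
        "many_ips": len({r.dst_ip for r in rows}) >= 3,             # many IPs, evading static watchlists
        "post_heavy": posts > gets,                                  # high POST:GET ratio
        "few_users": len({r.client for r in rows}) <= 1,             # few users hit the domain
        "no_cookies": sum(not r.cookie for r in rows) / n > 0.8,     # malicious sessions seldom use cookies
        "upload_heavy": sum(r.bytes_up for r in rows) > sum(r.bytes_down for r in rows),
        "no_referrer": sum(not r.referrer for r in rows) / n > 0.8,  # no click-through referrer string
        "long_urls": max(len(r.url) for r in rows) > 60,             # unusually long URLs
    }

def risk_band(score):
    """Map an indicator count (0..7) to the slides' Low/Medium/High bands (cut-offs assumed)."""
    return "High Risk" if score >= 5 else "Medium Risk" if score >= 3 else "Low Risk"

def score_domains(sessions=SESSIONS):
    """Return {domain: (score, band, fired indicators)} so an analyst can see why a domain scored."""
    by_domain = defaultdict(list)
    for s in sessions:
        by_domain[s.domain].append(s)
    result = {}
    for domain, rows in by_domain.items():
        ind = domain_indicators(rows)
        score = sum(ind.values())
        result[domain] = (score, risk_band(score), sorted(k for k, v in ind.items() if v))
    return result

if __name__ == "__main__":
    for domain, (score, band, why) in score_domains().items():
        print(f"{domain:14} {score}/7 {band:12} {', '.join(why)}")
```

Returning the fired indicators alongside the band is what makes the score actionable in triage: the analyst sees which of the slide's heuristics drove the rating rather than a bare number.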
Page 12
Security analytics architecture
Capture, enrich and analyze data from across your network.
• Live Intelligence: Threat Intelligence | Rules | Parsers | Feeds | Reports | RSA Research
• Visibility: Logs, Packets, Endpoint, NetFlow, with capture-time meta-data enrichment
• Analysis and Action: Investigation, Advanced Analytics, Compliance, Endpoint Analysis, Session Reconstruction, Incident Management
Page 13
Sample enterprise deployment
Captures data from across data centers and feeds enriched data to the analytics platform.
(Diagram) Sites: Dallas, Mexico City, EMEA HQ, Singapore DC. The sites run Network Collection and Log Collection with capture-time enrichment and streaming analytics, keep Local Archives, and feed a 1st and 2nd Pivotal cluster plus a Central Archive. Context sources: Assets, Identities, Vulns.
• Scalable, enterprise-wide deployment
• Efficient data collection and enrichment
• Streaming analytics close to the source
• Centralized, deep analytics across the enterprise
Page 14
Balancing Security and Privacy
Business Challenge: Information Sprawl, Mobility of End Users, More Threats, More Regulations
Security and Privacy goals: Meet Regulations, Mitigate Emerging Threats, Self-Service, Secure Account Access and Use, Protect Information, Ease of Use
Page 15
The Internet of Things: Transformation in Opportunity and Risk
• Security Management
• User Interface
• Data Collection
• Data Storage
• Data Integration
• Data Management
Page 16
Planning Your Journey
Maturity stages across Compliance, Risk and Opportunity:
• Siloed: compliance focus, disconnected risk, basic reporting
• Managed: automated compliance, expanded risk focus, improved analysis/metrics
• Advantaged: fully risk aware, exploit opportunity
Goals along the way:
• Reduce compliance cost
• Gain resource & risk visibility
• Manage known & unknown risks
• Identify new business opportunities
Page 17
Thank you