Applying the Power of Data Analytics to Cyber Security

Dr. Robert W. Griffin, Chief Security Architect, RSA, the Security Division of EMC

© Copyright 2014 EMC Corporation. All rights reserved.

robert.griffi[email protected] | blogs.rsa.com/author/griffin | blog.emc2.de/executive-world/ | project-sparks.eu/blog/ | @RobtWesGriffin | www.linkedin.com/pub/robert-griffin/0/4a1/608

Jan 21, 2016


Peter Harris

Disruption and Transformation

• Infrastructure Transformation (Mobile, Cloud): Less control over access device and back-end infrastructure
• Threat Landscape Transformation (APTs, Sophisticated Fraud): Fundamentally different tactics, more formidable than ever
• Business and Legal Transformation (Extended Workforce, Networked Value Chains, Big Data): More hyper-extended, more digital

http://www.emc.com/collateral/industry-overview/h11391-rpt-information-security-shake-up.pdf?pid=sbiclandingpage-sbicspecialreport-122112


Evolving Attack Goals and Methods

[Figure: timeline with time axis marked 2007, 2013 and 2020. Labels: Worms/Viruses; Simple DDoS; Phishing, Pharming; APTs; Multi-Stage; Hacker Collaboration; Disruptive Attacks; Destructive Attacks; Intrusive Attacks; Advanced DDoS; Sophisticated Mobile Attacks; IoT Attacks]


Traditional Security Is Not Working

Source: Verizon 2013 Data Breach Investigations Report

• 97% of breaches led to compromise within “days” or less, with 72% leading to data exfiltration in the same time
• 78% of breaches took “weeks” or more to discover; 66% took “months or more”


Intelligence is the Game Changer


Visibility

Capture Time Data Enrichment

Packets, Logs, Endpoints, NetFlow

Business & Compliance Context

Data Collection and Rationalization


Analysis

Endpoint Threat Detection

Correlate Multiple Data Sources

Out-of-the-box Content

Generating Information

Big Data & Data Science


Action

Prioritized & Unified Analyst Workflow

Investigate down to finest details

Integrate SOC Best Practices

Investigation and Remediation


Communication Valley Reply (Italy) Leveraging Intelligence-Driven Security

• Requirements:
  • Efficient, cost-effective management and reporting of security
  • Reduce cost of services delivery
  • Improved MSSP service as competitive advantage
• Solution:
  • Automatically tracked and reported on client risk and compliance
  • Enhanced incident triage
  • Improved event analysis

http://www.emc.com/collateral/customer-profiles/h11982-reply-cp.pdf


Example: Detect suspicious domain connections

Identifying suspicious domains is difficult – and identifying hosts that have ever communicated with one is even harder.

• Traffic content types: Suspicious domains often host many services on the same server.
• Number of IP addresses: Malicious domains use many IP addresses to evade static IP watchlists.
• Number of domain name owners associated with an IP address: A high number of domain owners associated with a system is suspicious.
• GETs vs PUT/POSTs: Domains where the ratio of POSTs to GETs is high are more likely malicious.
• Number of users hitting a domain relative to complexity: A complex domain that few people access is more likely to be malicious.

[Figure: risk score for Domain A, shown at Low Risk, Low Risk and High Risk]


Example: Discover beaconing hosts

Traffic from hosts ‘beaconing’ to command and control hosts can look like normal traffic. Data science helps identify outliers.

• Use of cookies: Malicious sessions seldom use cookies.
• Bytes uploaded vs. downloaded: Malicious sessions often upload far more than just a URL request.
• Use of referrer strings: Most web sessions come from clicking on another link, resulting in a “referrer string”. Malicious sessions seldom do.
• URL lengths: Malicious attacks often embed themselves deep in web servers, resulting in unusually long URL lengths.
• Other: RSA uses several other identifiers to determine the risk score.

[Figure: risk score for Domain A, shown at Low Risk, Medium Risk and High Risk]
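
An added example, not from the original slides and not RSA's scoring method: it computes several of the per-domain features named on the two example slides (number of IP addresses, POST/GET ratio, cookie and referrer use, upload/download bytes, URL length) from proxy records and ranks domains by how many indicators fire. The record layout, the thresholds and the sample data are constructed assumptions to be tuned against a local baseline.

```python
from collections import defaultdict, namedtuple

Rec = namedtuple("Rec", "client domain ip method url cookie referrer up down")
# Constructed proxy records for illustration (not real traffic).
SAMPLE = [
    Rec("10.0.0.5", "news.example", "198.51.100.10", "GET", "/index.html", True, "https://search.example/", 400, 52000),
    Rec("10.0.0.6", "news.example", "198.51.100.10", "GET", "/sport/today", True, "https://news.example/", 420, 61000),
    Rec("10.0.0.7", "news.example", "198.51.100.10", "POST", "/comment", True, "https://news.example/sport/today", 900, 3000),
    Rec("10.0.0.9", "cdn-upd.example", "203.0.113.4", "POST", "/a/" + "x" * 180, False, "", 48000, 200),
    Rec("10.0.0.9", "cdn-upd.example", "203.0.113.77", "POST", "/a/" + "y" * 180, False, "", 51000, 180),
    Rec("10.0.0.9", "cdn-upd.example", "203.0.113.140", "POST", "/a/" + "z" * 180, False, "", 47000, 210),
]

def domain_features(records):
    """Aggregate, per domain, the features named on the slides."""
    groups = defaultdict(list)
    for r in records:
        groups[r.domain].append(r)
    feats = {}
    for domain, rows in groups.items():
        n = len(rows)
        gets = sum(r.method == "GET" for r in rows)
        posts = sum(r.method in ("POST", "PUT") for r in rows)
        feats[domain] = {
            "distinct_ips": len({r.ip for r in rows}),
            "post_get_ratio": posts / max(gets, 1),
            "cookie_rate": sum(r.cookie for r in rows) / n,
            "referrer_rate": sum(bool(r.referrer) for r in rows) / n,
            "up_down_ratio": sum(r.up for r in rows) / max(sum(r.down for r in rows), 1),
            "mean_url_len": sum(len(r.url) for r in rows) / n,
        }
    return feats

def indicators(f):
    """Names of the features that cross the assumed thresholds."""
    checks = {
        "many_ips": f["distinct_ips"] >= 3,
        "post_heavy": f["post_get_ratio"] > 1.0,
        "no_cookies": f["cookie_rate"] < 0.2,
        "no_referrer": f["referrer_rate"] < 0.2,
        "upload_heavy": f["up_down_ratio"] > 1.0,
        "long_urls": f["mean_url_len"] > 120,
    }
    return [name for name, hit in checks.items() if hit]

def rank(records):
    """Domains ordered by number of indicators, most suspicious first."""
    scored = [(d, indicators(f)) for d, f in domain_features(records).items()]
    return sorted(scored, key=lambda kv: -len(kv[1]))
```

Counting indicators is the simplest possible combiner; the ranking is a triage aid for an analyst, not a verdict on the domain.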


Security analytics architecture

Capture, enrich and analyze data from across your network.

[Figure: architecture diagram. Data sources: Logs, Packets, Endpoint, NetFlow. Stages: Visibility (Capture Time Meta-Data Enrichment), Analysis, Action. Capabilities shown: Investigation; Advanced Analytics; Compliance; Endpoint Analysis; Session Reconstruction; Incident Management. Live Intelligence: Threat Intelligence | Rules | Parsers | Feeds | Reports | RSA Research]


Sample enterprise deployment

Captures data from across data centers and feeds enriched data to the analytics platform

• Scalable, enterprise-wide deployment
• Efficient data collection and enrichment
• Streaming analytics close to the source
• Centralized, deep-analytics across the enterprise

[Figure: deployment diagram. Sites: Dallas; Mexico City; EMEA HQ; Singapore DC. Components: Network Collection; Log Collection; Capture Time; Streaming; Local Archive; Central Archive; 1st Pivotal Cluster; 2nd Pivotal Cluster. Context: Assets; Identities; Vulns]


Balancing Security and Privacy

[Figure: Security and Privacy balance. Labels: Information Sprawl; Mobility of End Users; More Threats; More Regulations; Business Challenge; Security; Privacy; Meet Regulations; Mitigate Emerging Threats; Self-Service; Secure Account Access and Use; Protect Information; Ease of Use]


The Internet of Things: Transformation in Opportunity and Risk

[Figure: layers labelled Security Management; User Interface; Data Collection; Data Storage; Data Integration; Data Management]


Planning Your Journey

[Figure: maturity path across Compliance, Risk and Opportunity]

• Siloed: compliance focus, disconnected risk, basic reporting
• Managed: automated compliance, expanded risk focus, improved analysis/metrics
• Advantaged: fully risk aware, exploit opportunity

• Reduce compliance cost
• Gain resource & risk visibility
• Manage known & unknown risks
• Identify new business opportunities


Thank you

[email protected] | blogs.rsa.com/author/griffin | blog.emc2.de/executive-world/ | project-sparks.eu/blog/ | @RobtWesGriffin | www.linkedin.com/pub/robert-griffin/0/4a1/608