Threat analytics solution
Investigate. Detect. Respond.
Comprehensive protection against all cyber threats
Why do so many companies still find themselves the victims of successful cyber attacks, in spite of all the layers of protection they have put in place and the significant investments they have made in cyber security over the past few years?
Part of the explanation is that the cyber threat landscape is continually evolving and attackers are finding innovative new ways to circumvent network defences. Also, most security devices are programmed to recognise and alert on attacks by correlating activity against rules and signatures that indicate a known threat, an approach that will increasingly fail as the evolution of the threat accelerates and as attackers move to bespoke malware.
Additionally, even when security devices detect an attack and generate an alert, analysts often lack the information necessary to interpret the alert for what it tells them, or are too swamped with alert volumes to even process and respond to it.
So, how do you detect unknown threats: those that are new and for which signatures have not yet been created or that are designed to exploit a zero day vulnerability that no one else has yet reported? How do you enable your analysts to effectively process an unprecedented amount of information?
So what is the answer?
A new solution is required that helps security managers and analysts quickly find answers to some of the most important security questions:
• What are the most significant cyber threats that my company is now facing, and where should I best focus and deploy my scarce IT security budget, resources and skills?
• Am I under attack or have I been attacked already? Can I tell if someone is making preparation for a cyber attack against us?
• What are the main cyber threats that exist today? Which ones pose the biggest threat to my business? How do these attacks take place and what signs should I look out for that indicate one is in progress? What can I do in advance to stop them?
• How do I prioritise the alerts received from across
To find the new sophisticated cyber threats, the first step is to look for them. You must monitor your network and the activity on it and capture and record that data in such a way that you can then look at it, examine it and interrogate it. At first this may sound easy, but when you are dealing with massive volumes of data – ‘Big Data’ – all of which come in different shapes, sizes and formats, the challenge is to record and store that data in such a way that it is then easy to retrieve data, search it and query it.
But that in itself is not enough to detect malicious cyber activity. You also need to know what to look for, how to look, and where to look. Finally, when you find something, you have to be able to interpret what you see.
Not all ‘suspicious’ cyber activity is malicious: a lot of activity is benign or ‘normal’ even though it may fall under the spotlight of activity which could be indicative of a cyber threat. Different businesses do different things: activity which might be clearly anomalous on one network may be normal on another. Therefore, when automatically analysing massive data sets, additional intelligence needs to be built into the analytics to enable the solution to determine whether observed behaviour is truly indicative of a threat or is actually normal within the context of that network and the business operations it supports. Without this you may end up spending valuable resources chasing down one threat which is actually innocent, while another more potent threat goes uninvestigated.
According to security experts, SIEM is currently catching <1% of successful advanced threat attacks.
RSA Security Conference California 2015, Keynote Speech
http://www.rsaconference.com/media/escaping-securitys-dark-ages
For each of the above challenges there are one or more solutions that may offer some help in their resolution. However, as the analysts who work in Security Operations Centres (SOC) will testify, their work often requires them to work with multiple security tools at once, necessitating the transfer or exchange of data from one system to another and often back again. Obviously this lack of efficiency reduces the effectiveness of any investigation, but the true impact is more significant. The time lost switching between systems and the disruption to the analyst’s thought process mean that less time is spent on investigating alerts. Alerts may not be investigated, mistakes might be made and investigations may not be completed. A major attack could be successful even if it has been alerted upon.
The resolution to this further challenge is obvious, although not simple. Security operations need to be brought together and integrated into a single solution. A single workspace where all data, security alerts, threat intelligence and enrichment data can be accessed, managed, viewed and investigated and where the results of investigations can be quickly shared with those who need them.
BAE Systems has designed a Threat Analytics Solution to do all of this. And more.
[Sidebar: BAE Systems Threat Analytics Solution – detecting unknown threats, “speed-of-thought” analysis, comprehensive protection under a single pane of glass]
Leveraging our rich heritage in data analytics and drawing upon our extensive experience gained in providing cyber protection to governments and businesses worldwide, we have developed an enterprise threat analytics solution - built by analysts for analysts - that uses a combination of threat intelligence and complex behavioural analytics to detect the unknown threats that your current security solutions cannot, and then provides unique capability to investigate those threats and turn derived knowledge into defensive power that you can immediately use to enhance network defences and mitigate any threats discovered. When planning and building their ‘ultimate’ cyber security solution - a new tool that would allow them to detect new and previously unseen threats and help security managers implement protection against them - our analysts focussed on four main areas:
• Data Storage and Querying Platform – A solution that allowed months of high-resolution metadata to be collected and queried at high speed.
• Threat Intelligence Manager – A tool that enabled analysts to collect and collate contemporary threat intelligence, and from it distil actionable insight that could be used to identify impending threats to the business, how to detect them and where to focus resources.
• Threat Detection – A system that facilitated the regular, large scale processing of data through a combination of statistical and probabilistic algorithms, that could be rapidly developed as new threats evolve, with the output prioritised and presented to the analyst alongside any information they need to interpret and understand a threat.
• Alert/Incident Investigation – An innovative capability that supported ‘speed-of-thought’ analysis, enabling analysts to rapidly follow a train of thought from initial conception through to a successful, informative conclusion: a capability that automatically enriched the data with other information that could be relevant, and that allowed an analyst to visualise the linkages between disparate data elements and historical investigations; a capability that allowed the indicators of compromise detected to be quickly released and fed into security devices to enable rapid mitigation of cyber risks.
In planning the solution components to address these key areas, the analysts and designers who developed the solution included the following additional considerations.
The challenge of massive amounts of data
How do you build a solution that is able to process, store and query the large volumes of data that modern networks produce? How do you build it so that it facilitates the querying and manipulation of such Big Data in reasonable timeframes? And how do you ensure that, as any network grows and evolves, the system is able to continue to process the data without degradation in performance, as the Big Data it processes becomes ‘Even Bigger Data’?
Our designers knew that basing a threat analytics solution on a scalable platform that enabled rapid data querying was key. Although this posed an interesting challenge, it was ultimately resolved by basing the solution upon an open source framework (Apache Hadoop) designed for highly distributed data storage and processing, spread across a cluster of commodity hardware.
This distributed approach meant that as the network evolved and data volumes grew, additional servers could be added to the cluster, each bringing with it additional data processing power, thus ensuring that the processing capability of the platform grew in proportion to the data volumes being analysed.
Manage big data. Use a distributed approach.
Threat intelligence management
When building a capability to defend yourself against a threat, a good starting point is to know as much as possible about the threat you actually face: ‘Know thine enemy’. In recent years, an increasing number of companies have responded to this challenge by gathering threat intelligence in the hope that having this information will help them focus their security resources on mitigating the threats that pose the greatest risk to their business. However, many organisations have found that in doing so they have replaced one challenge with another: they have gone from having too little threat intelligence to having too much – their analysts were soon swamped with information that they could not process effectively, and which was too often ignored.
Furthermore, some organisations found that without an efficient process for handling threat intelligence, a significant proportion of their security resources were consumed trying to make sense of the threat information they were receiving, without effectively increasing their defensive capability. At significant cost, they discovered that, in the same way that owning a set of medical books does not make you a doctor, the possession of threat intelligence does not itself bolster your defensive capability: it’s what you do with the threat intelligence you receive that makes a difference.
With this in mind, our designers proposed a solution for processing threat intelligence which implemented a tried and tested workflow that they had developed over many years in handling threat intelligence in our SOCs.
Threat intelligence acquired by the system would be fed into a workflow that automatically processes, stores and triages it for analysis. When analysts view new threat intelligence it would automatically be enriched with links to other pieces of intelligence which the solution had already indexed. Analysts would also be able to build dossiers around specific themes or Indicators of Compromise (IOCs), and be able to share these with their peers, enabling action which could result in enhanced defensive capability against identified threats.
In particular, by integrating this threat intelligence management capability into a Threat Analytics solution, analysts tasked with investigating incident alerts would have this information at their immediate disposal: their investigations would be enriched with vital threat intelligence, empowering them to relate their observations to external data and draw powerful conclusions about the data under investigation.
[Diagram: threat intelligence workflow – Acquire, Process, Store, Analyse, Action; threat information fed into the system through a centralised Intelligence Engine, leading to shared, informed defence]
Threat detection
At the heart of the problem that the threat analytics solution addresses is a simple question, to which there is a not so simple answer: how do you detect new cyber threats for which no prior signatures exist?
From our rich heritage of providing security monitoring, threat intelligence services, government accredited incident response capabilities and penetration testing we have a huge amount of experience in understanding how cyber attackers think. This experience has allowed us to identify the architecture of a cyber attack and break it down into a framework of individual stages and components: the BAE Systems Threat Model. This model details the various stages an attacker may go through during a targeted attack and the high-level techniques an attacker may use to carry out each stage. Using this model, we can look for signs which are indicative of the different stages of threatening cyber activity.
Regardless of the individual details of each new attack, they share common elements. A new form of cyber attack may use a new vulnerability or approach to bypass traditional security controls or detection systems, but it will still need to step through known stages. By using a combination of statistical and probabilistic algorithms to search for these stages, it is possible to detect anomalous behaviour associated with different stages and components of advanced threats.
In other words, whilst at a technical level the threat is constantly evolving, the overarching approaches and dependencies remain. By looking for activity that is indicative of these features that change more slowly, we are able to detect cyber activities which are indicative of the strategic stages of an attack. By doing this, security managers and analysts can detect an attack irrespective of whether it has been seen before or exploits a zero day vulnerability.
As new attack methods within these approaches are identified, the analytics can be quickly expanded using the open application programming interface to supplement or adapt the existing algorithms, allowing for a truly future-proofed solution.
The BAE Systems threat model
Stages of a targeted attack, with the components of each stage and what the attacker achieves at that stage:
• Delivery – spear phishing, website compromise, malicious download. Delivering malware on to the user’s machine via email, USB, web, etc.
• Exploitation – server exploits, client exploits. Exploiting a vulnerability to execute code on the user estate.
• Installation – file installation, persistence, infection. Installing malware on the asset.
• Command and control – beaconing, interactive C2, internal reconnaissance. Setting up a command channel for remote manipulation of the infected target.
• Action on Intent – data staging, data exfiltration. With access to the estate, attackers can accomplish their original goal.
Empower your analysts.
Empower analysts to visualise data
A fundamental problem facing many analysts today is that they will receive large volumes of alerts which need investigating. When faced with a huge number of alerts, each prioritised according to the device that produced them, how do they know which ones are most urgent?
Furthermore, an analyst’s ability to subsequently comprehend what an alert is telling them about a cyber incident will depend upon their capability to see what other metadata is related to it, the relationships between those data points and the timelines between them.
To address these two points, and recollecting the prior vision of a solution being able to enable “Speed-of-Thought” analysis, an ideal threat analytics solution would:
• provide a single view of alerts from multiple sources across the security estate
• ensure that an analyst has all the data at their disposal in an easy to use format, and is able to quickly investigate relationships between large numbers of historical data sets
• provide an enhanced analyst methodology supporting simple and rapid click-through analysis of alerts with the ability to visualise and graph the dynamic relationships found between complex data, by simply clicking and dragging data elements into a defined visual workspace, with the system automatically alerting an analyst to any known linkages between data points under investigation. This will prompt analysts with information they may not otherwise have considered
• enable an analyst to quickly retrieve data from multiple historical log sources allowing exploration of the data underpinning an alert and helping an investigator to gain a fuller understanding of historical events related to an alert.
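As an added example (not code from the brochure or from the BAE Systems product), the following Python maps constructed alerts from several security devices onto the stages of the threat model described above and ranks hosts by how far they appear to have progressed through the attack chain, rather than by the severity each device assigned, which is the prioritisation problem this section opens with. The device-to-component mapping, host names, timings and scoring weights are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ordered stages of the BAE Systems threat model as listed in the brochure,
# and the component techniques it places under each stage.
STAGES = ["Delivery", "Exploitation", "Installation",
          "Command and control", "Action on Intent"]
COMPONENT_STAGE = {
    "spear phishing": "Delivery", "website compromise": "Delivery",
    "malicious download": "Delivery", "server exploit": "Exploitation",
    "client exploit": "Exploitation", "file installation": "Installation",
    "persistence": "Installation", "infection": "Installation",
    "beaconing": "Command and control", "interactive c2": "Command and control",
    "internal reconnaissance": "Command and control",
    "data staging": "Action on Intent", "data exfiltration": "Action on Intent",
}
T0 = datetime(2015, 6, 1, 9, 0)  # arbitrary start time for the sample data

def alert(host, device, severity, component, minutes_after_t0):
    return {"host": host, "device": device, "severity": severity,
            "component": component, "time": T0 + timedelta(minutes=minutes_after_t0)}

# Constructed sample alerts from several devices, each using its own severity
# scale; the mapping of each device's detection onto a model component is assumed.
ALERTS = [
    alert("ws-0142", "email-gw", "low", "spear phishing", 0),
    alert("ws-0142", "edr", "medium", "client exploit", 20),
    alert("ws-0142", "edr", "medium", "persistence", 65),
    alert("ws-0142", "proxy", "low", "beaconing", 180),
    alert("ws-0099", "proxy", "high", "malicious download", 30),
    alert("ws-0099", "proxy", "high", "malicious download", 31),
    alert("srv-db-07", "dlp", "high", "data staging", 600),
    alert("ws-0210", "proxy", "low", "beaconing", 0),
    alert("ws-0210", "email-gw", "low", "spear phishing", 60 * 24 * 10),
]

def stage_index(a):
    return STAGES.index(COMPONENT_STAGE[a["component"].lower()])

def longest_ordered_chain(items, window):
    """Longest run of alerts whose stage strictly advances, each within `window`
    of the previous one; `items` must be sorted by time."""
    best = [1] * len(items)
    for i, a in enumerate(items):
        for j in range(i):
            b = items[j]
            if stage_index(b) < stage_index(a) and a["time"] - b["time"] <= window:
                best[i] = max(best[i], best[j] + 1)
    return max(best, default=0)

def prioritise(alerts, window=timedelta(hours=48)):
    """Rank hosts by progression through the attack chain, not by device
    severity: a chain of low-severity alerts outranks one high-severity alert."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    ranked = []
    for host, items in by_host.items():
        items.sort(key=lambda a: a["time"])
        seen = sorted({stage_index(a) for a in items})
        chain = longest_ordered_chain(items, window)
        score = 10 * chain + 5 * seen[-1] + len(seen)  # chain length weighs most
        ranked.append({"host": host, "score": score, "chain": chain,
                       "stages": [STAGES[i] for i in seen]})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)
```

With the sample data the host with four low- and medium-severity alerts that step through Delivery, Exploitation, Installation and Command and control ranks first, while the host with repeated high-severity alerts at a single stage ranks last.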
Advanced analysis for business defence in the new threat landscape.
Realising the dream: the BAE Systems Threat Analytics Solution
Through careful consideration of the challenges and issues facing analysts and security managers today, and from years of investment and development within our own SOCs to create a threat analytics solution capable of supporting both governments and some of the largest and most targeted enterprise customers, BAE Systems has been able to realise the dream it had of building the ‘ultimate’ cyber security solution - a tool that would allow analysts to detect new and previously unseen threats and help security managers implement protection against them.
[Diagram: Threat Analytics Solution – data ingest of events, alerts and threat intelligence into the Threat Intelligence Manager, Threat Analytics Engine and Threat Investigator; threat detection, incident investigation with “speed-of-thought” analysis, and action: response and mitigation, with signatures fed back to security devices]
The BAE Systems threat analytics solution is a proven system which currently sits at the heart of our own SOCs and is now being made commercially available to organisations that recognise that their current security solutions are no longer sufficient.
Based upon a scalable, fast and robust data storage and querying platform, it comprises three main areas and addresses the concerns and challenges detailed. Fused together, they provide a comprehensive, integrated solution to address many of today’s outstanding security challenges:
• Threat Intelligence Manager - We facilitate the ingesting and management of multiple threat intelligence sources, enabling you to quickly transform threat intelligence into actions which inform and enhance your cyber defence.
• Threat Analytics Engine - The solution uses advanced behavioural analytics to analyse data on a massive scale and automatically detect threats. The solution generates customisable alerts on anomalous network activity which could be indicative of both known or new and evolving threats, and presents them for investigation by your existing team of security analysts.
• Threat Investigator (for Alert and Incident Investigation by Analysts) - We enable analysts to triage, investigate and manage large volumes of alerts under a single pane of glass, before recording their work in a ticket management system and sharing their conclusions with peers.
Our recommendation is that companies should deploy the solution alongside their existing security solution, as shown in the diagram above.
For more information, please visit: www.baesystems.com/analytics
[Diagram: recommended deployment – the BAE Systems Threat Analytics Solution (detecting unknown threats, “speed-of-thought” analysis) alongside the existing SIEM (detecting known threats), both ingesting events, alerts and threat intelligence, with incident investigation and action leading to enhanced defensive power]
Copyright © BAE Systems plc 2015. All rights reserved.
We are BAE Systems
We help nations, governments and businesses around the world defend themselves against cyber crime, reduce their risk in the connected world, comply with regulation, and transform their operations.
We do this using our unique set of solutions, systems, experience and processes - often collecting and analysing huge volumes of data. These, combined with our cyber special forces - some of the most skilled people in the world - enable us to defend against cyber attacks, fraud and financial crime, enable intelligence-led policing and solve complex data problems. We employ over 4,000 people across 18 countries in the Americas, APAC, UK and EMEA.