Copyright © 2014 World Wide Technology, Inc. All rights reserved.
Foundational Security Architecture & Unknown Threat Detection Combined for Optimal Defense

Kent Noyes, Principal Architect
Gene Geddes, Chief Scientist
Verizon Data Breach Investigations Report
• 2015: 70 contributing organizations, 79,790 security incidents, 2,122 confirmed breaches
• 2014: 50 contributing organizations, more than 63,000 security incidents, 1,367 confirmed breaches
• Phishing: 23% of recipients open the message, 11% click on the attachment
• 99.9% of exploited vulnerabilities were compromised more than a year after the CVE was published (patching lag, not zero-days, accounts for almost all observed exploitation)
• 75% of attacks spread from Victim 0 to Victim 1 within 24 hours
• 70-90% of malware samples are UNIQUE TO AN ORGANIZATION (hash-based signatures shared across organizations will miss most of them)
• "…attackers have finally learned a thing or two from the bounty of their enterprise breaches and may even have adopted a Lean Six
WWT Security Practice

SECURITY PROGRAMS
ADVISORY SERVICES
• Governance Management
• Risk Management
• Compliance Management
ASSESSMENTS
• Risk Assessments
• Vulnerability Assessments
• Readiness Assessments
• Architecture Assessments
• Penetration Testing
AWARENESS
• Training and Awareness

SECURITY OPERATIONS
SECURITY TECHNOLOGIES
• Security Architectures
• Advanced Analytics
• Network and Data Center
• Mobile and Collaboration Security
MALWARE
• Analysis
• Reverse Engineering
LAB SERVICES
• Technology Evaluations
• Proofs of Concept

ACTION PLAN
1. Analysis - Workshop, Assessment
2. Selection - Product Overviews, ATC POCs, Demonstrations
3. Implementation
4. Transition
njRAT
• Intuitive, easy-to-use GUI operated by the attacker
• Primary functions:
  • Generate the RAT (build the implant executable)
  • Command and control
  • Upload plug-in modules
  • Update an installed RAT
Reversing the executable
Flexible security model for the enterprise demonstrating security best practices, including:
• Security Architecture Design
• Central Visibility
• Correlation/Analytics
• Governance, Risk, and Compliance Processes and Tools
• Use of multiple data types
• Big Data Integration
Multi-vendor integrated security solutions
[Diagram: enterprise zones - Internet, Internet Edge, DMZ, Campus, Data Center, Remote Sites]
100%: valid credentials used
209: median number of days before detection
40: average number of systems accessed
67%: victims notified by an external entity
ADVANCED THREATS ARE HARD TO DETECT
• Scattered approach
• Limited visibility
• Inefficient
• Error prone
• No business context
• Limited historical data
• Limited data types
• Signature dependence
Security Capabilities vs. Architectural Maturity (application of CMMI maturity models to Information Security)

LEVEL 1
• Distributed point sensors
• Manual analytic processes
• No correlation or analytics
LEVEL 2: CORRELATION
• Correlation between sensors
• Ability to identify known, signature-based threats
LEVEL 3: DISTRIBUTED ENTERPRISE CONTEXT
• Relevance to the business/mission owners
• Priority-based analysis and mitigation
LEVEL 4: ADVANCED ANALYTICS
• Anomaly detection capabilities
• Ability to identify unknown threats
• Correlation of anomalies to enterprise context
LEVEL 5: REAL TIME ANALYTICS
• Real-time identification of known threats and unknown anomalies
• Full enterprise context and prioritization
[Diagram: sensors and controls placed by enterprise zone]
Zones: Internet, Internet Edge, DMZ, Campus, Network Core, Data Center, Remote Sites
Controls shown: E-Mail Security, DLP, Secure Remote Access, Packet Capture, Enterprise Services (AD, Exchange, etc.), Netflow, End User Anti-Virus, Malware Protection, Data Encryption, Patch Mgmt, Web Security, NGFW, NGIPS, Secure DNS, Segmentation, TrustSec/MACsec, Data Protection, WIPS/WIDS, MDM, DMVPN, ZBFW, VRFs, Policy Optimization, SDN, Vulnerability Scanner, ADC, SSL Offload, SSL Decrypt, WAF
Control areas (a subset of the SANS/CIS Critical Security Controls):
• Malware Defense
• Boundary Defense
• Wireless Access Control
• Application Software Security
• Inventory & Authorization of Devices
• Inventory & Authorization of Software
• Secure Configuration of Mobile Devices, Laptops, Workstations, Servers
• Secure Configurations for Network Devices
• Continuous Vulnerability Assessment & Remediation
• Limitation & Control of Network Ports, Protocols, and Services
• Controlled Use of Administrative Privileges
• Controlled Access Based on Need to Know
• Account Monitoring and Control
• Secure Network Engineering
• Data Protection
Maturing Security Architectures
SECURITY ANALYTICS & OPERATIONS (built up over the sensor diagram above)
1. Sensors
2. Analytics & Operations: RSA Security Analytics, Splunk, HP
SECURITY ANALYTICS & OPERATIONS: RSA SA, Splunk, HP ArcSight, RSA Archer (GRC)
Maturing Security Architectures
SECURITY ANALYTICS & OPERATIONS: ATC
WWT Big Data Leadership Team

James Bigger, Principal Consultant: 20 years of management consulting and entrepreneurial experience. Expertise in financial services, insurance and telecom. Prior consulting experience with Opera Solutions and A. T. Kearney. Ph.D. in Physics from Oxford University.

Brian Vaughan, Principal Consultant: 15 years in management consulting, analytics and software experience. Expertise in healthcare and insurance. Prior experience with Opera Solutions, Mitchell Madison Group and Broadlane. Ph.D. in Physics from Stanford University.

Chris Ward, Principal Consultant: 20 years in management consulting and executive leadership. Expertise in retail, marketing, hospitality & financial services. Prior consulting experience with Opera Solutions and The Boston Consulting Group. BA from Princeton University, MBA from the University of Virginia.

Matt DuBell, Principal Systems Engineer: Over 20 years of experience in a range of IT and security disciplines. Responsible for deploying large, secure, Hadoop-based platforms for the U.S. Government. 10 years of international experience implementing networking and virtual data center environments. Undergraduate degree from AIU.

Yoni Malchi, Engagement Manager: Over 7 years of experience in management and analytics consulting. Led engagements in telecom at Opera Solutions. Previous experience performing predictive analytics for NASA and USAF at The Aerospace Corporation. Ph.D. in Mechanical Engineering from Pennsylvania State University.

Jason Lu, Chief Scientist: 18 years of analytics and software development experience. Expertise in financial services, healthcare, insurance, retail and marketing science. Prior analytics development experience at Opera Solutions, FICO and J.D. Power and Associates. Ph.D. in Physics from Stanford University.

Jamie Milne, Engagement Manager: Over 7 years of management consulting and entrepreneurial experience. Expertise in financial services, travel, and retail sectors across the US and Europe. Led Big Data strategy and analytical engagements at Opera Solutions. MSci in Astrophysics from the University of Cambridge.

Chris Infanti, Engagement Manager: Over 8 years of experience in analytics consulting and delivery management. Ran engagements in wealth management, corporate security, marketing, education and transportation at Opera Solutions and IBM Global Business Services. BS in Mathematics from Georgetown University.

Gene Geddes, Chief Scientist: 29+ years in information security, 20+ years at NSA; data modeling, malware analysis, network attack. Development of next-generation cyber systems: real-time systems, situational awareness tools, and command and control capabilities. Holds two Masters in Advanced Mathematics & Analytics.

Mike McGlynn, VP Security: 25 years of government service at the National Security Agency. At the NSA Mike led the design and development of next-generation cyber systems: real-time systems, situational awareness tools, and command and control capabilities. M.S. in Computer Science from Johns Hopkins. B.S. in Mathematics.
SIEM (Security Information and Event Management) vs. Big Data

                SIEM                               Big Data
Data types      Structured data                    Unstructured / semi-structured data
Storage         Measured in GB (days/weeks)        Measured in PB and EB (months/years)
Ownership       Owned by an individual team        Potential shared resource

Security data is a perfect fit for Big Data -> Volume, Velocity, Variety
CARA Advanced Analytics
Known threat and anomaly detection | Real time, near real time, historical

Pipeline:
Security Sensor 1, Security Sensor 2 -> Message Broker -> Scalable Parser (Storm; real time) -> In-Memory DB (Cassandra; near real time) -> Big Data (historical)
(Cassandra persists to disk; the slide labels it "in memory" for its role as the low-latency read/write tier.)
Also shown: SIEM (near real-time / historical), GRC, Analytics (using threat intel & anomaly detection), API
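The following is an added illustration, not code from this deck or from WWT's CARA product. It runs the slide's stages in one Python process: sensor lines go onto a queue standing in for the message broker, a real-time parser normalizes two sensor formats into one schema, a per-host rolling window stands in for the near-real-time and historical tiers, and the analytics step does both halves of the slide's claim: exact-match against a threat-intel list (known threats) and a robust median/MAD outlier test against each host's own history (unknown anomalies), then ranks alerts by asset role as the "enterprise context" layer. The sensor lines, the indicator list, the asset tags, the window size and the MAD threshold are all constructed assumptions.

```python
"""Toy streaming security-analytics pipeline (added example; not WWT code).

Stages mirror the CARA slide: sensor -> broker -> real-time parser ->
near-real-time/historical store -> analytics (threat intel + anomaly detection)
-> prioritized alerts. A deque and a dict replace the broker, Storm and Cassandra.
"""
import re
import statistics
from collections import defaultdict, deque

# Constructed inputs (assumptions, not data from the deck).
THREAT_INTEL = {"198.51.100.7", "203.0.113.99"}          # hypothetical IOC list
ASSET_CONTEXT = {"10.0.5.20": "domain-controller",      # hypothetical CMDB export
                 "10.0.9.14": "workstation"}
PRIORITY = {"domain-controller": 0, "workstation": 2, "unknown": 3}

# Two hypothetical sensor formats feed the broker: NetFlow-style and web proxy.
NETFLOW_RE = re.compile(r"^flow src=(\S+) dst=(\S+) bytes=(\d+)$")
PROXY_RE = re.compile(r"^proxy client=(\S+) host=(\S+) bytes=(\d+)$")


def parse(line):
    """Real-time stage: normalize any sensor line into one schema, or None."""
    for rx, kind in ((NETFLOW_RE, "netflow"), (PROXY_RE, "proxy")):
        m = rx.match(line)
        if m:
            return {"sensor": kind, "src": m.group(1),
                    "dst": m.group(2), "bytes": int(m.group(3))}
    return None  # unknown formats are dropped, never guessed


class Analytics:
    def __init__(self, window=20, mad_k=6.0):
        # Per-source rolling history: the near-real-time/historical tier.
        self.history = defaultdict(lambda: deque(maxlen=window))
        self.mad_k = mad_k  # robust z-score threshold (assumed)

    def score(self, rec):
        """Return prioritized alerts for one normalized record."""
        src, dst, nbytes = rec["src"], rec["dst"], rec["bytes"]
        alerts = []
        # Known-threat path: exact match against threat intel.
        if dst in THREAT_INTEL:
            alerts.append(("known_threat", src, dst))
        # Unknown-threat path: median/MAD outlier test against this host's own
        # baseline; needs at least 10 prior observations to say anything.
        hist = self.history[src]
        if len(hist) >= 10:
            med = statistics.median(hist)
            mad = statistics.median(abs(x - med) for x in hist) or 1.0
            if (nbytes - med) / mad > self.mad_k:
                alerts.append(("anomaly", src, dst))
        hist.append(nbytes)  # update baseline after scoring, not before
        # Enterprise context: attach the asset role for prioritization.
        return [(kind, s, d, ASSET_CONTEXT.get(s, "unknown")) for kind, s, d in alerts]


def run(lines, analytics=None):
    """Broker -> parser -> analytics; alerts sorted highest-priority asset first."""
    analytics = analytics or Analytics()
    broker = deque(lines)  # stands in for the message broker
    alerts = []
    while broker:
        rec = parse(broker.popleft())
        if rec is not None:
            alerts.extend(analytics.score(rec))
    return sorted(alerts, key=lambda a: PRIORITY.get(a[3], 3))  # stable sort


# Constructed sample: 12 normal workstation flows, one proxy hit on an IOC that is
# also a volume outlier, one DC flow to an IOC, and one unparseable line.
SAMPLE_LINES = (
    [f"flow src=10.0.9.14 dst=10.0.1.5 bytes={b}"
     for b in (980, 1010, 1005, 990, 1020, 1000, 995, 1015, 985, 1008, 1002, 997)]
    + ["proxy client=10.0.9.14 host=203.0.113.99 bytes=48000",
       "flow src=10.0.5.20 dst=198.51.100.7 bytes=512",
       "junk line that no parser understands"]
)

if __name__ == "__main__":
    for alert in run(SAMPLE_LINES):
        print(alert)
```

The three alerts come out domain controller first even though its event arrived last and was only an IOC match; the workstation's single proxy hit raises both a known-threat and an anomaly alert because the two detectors are independent. Replacing the MAD test with a plain mean/standard deviation would let one large flow inflate the baseline and hide the next one, which is why the robust statistic is used here.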
CYBERSECURITY ANALYTICS REFERENCE ARCHITECTURE
[Diagram: same enterprise zones as above - Internet, Internet Edge, DMZ, Campus, Network Core, Data Center, Remote Sites]
Sensors and controls: E-Mail Security, DLP, Secure Remote Access, Packet Capture, Enterprise Services (AD, Exchange, etc.), Netflow, End User Anti-Virus, Malware Protection, Data Encryption, Patch Mgmt, Web Security, NGFW, NGIPS, Secure DNS, Segmentation, TrustSec/MACsec, Data Protection, WIPS/WIDS, MDM, DMVPN, ZBFW, VRFs, Policy Optimization, SDN, Vuln Scanners, Policy Mgmt, AAA, Network Access Control, Mobility Services, ADC, SSL Offload, SSL Decrypt, WAF, Inventory Discovery, App Whitelisting, Network Config Mgmt
CYBERSECURITY ANALYTICS & OPERATIONS: SIEM, Ops & Incident Response, Identity Services, Real Time Analytics, Netflow Analysis, Packet Analysis, Threat Intel, GRC