Visual Analytics for Cyber Defense Decision-Making Anita D’Amico, Ph.D. Secure Decisions division of Applied Visions, Inc.


1 Visual Analytics for Cyber Defense Decision-Making. Anita D’Amico, Ph.D., Secure Decisions division of Applied Visions, Inc.

2 WHAT DO CYBER DEFENDERS DO? HOW CAN VISUAL ANALYTICS HELP?

3 Incident response team activities (Killcrece, Alberts, CMU studies)
- Reactive
  - Triggered by an event, such as an IDS alert
  - Examples: reviewing log files, correlating alerts
- Proactive
  - Prepare, protect and secure for future attacks
  - Examples: prediction of upcoming attacks and techniques
- Security Quality Management
  - IT services in support of general information security
  - Examples: training, recovery planning, product evaluation
Cognitive and decision analyses show: very little effort on proactive activities

4 Visual analytics can help network defenders transform raw data into meaning (figure stages: Raw Data, Interesting Activity, Suspicious Activity, Events, Incidents, Problem Sets)

5 Types of CND analysis (from 2005 D’Amico & Whitley CTA, and other Secure Decisions decision analyses)
- Triage analysis
  - Weed out false positives
  - Escalate suspicious activity for further analysis
- Escalation analysis
  - Analyze data over a longer time span than triage
  - Incorporate multiple data sources (more than triage)
- Correlation analysis
  - Look for patterns and trends
  - Assess similarity to related incidents, internal and external
- Incident response
  - Recommend and implement Courses of Action
  - Support law enforcement investigation
- Malware analysis
  - Reverse-engineer malware
  - Develop defenses against malware
- Forensic analysis
  - Collect and preserve evidence
  - Support law enforcement investigation
- Threat analysis
  - Characterize attackers: identification, modus operandi, motivation, location
- Vulnerability analysis
  - Identify and prioritize vulnerabilities
  - Manage remediation of vulnerabilities
- Sensor management
  - Develop signatures, tune sensors
  - Modify placement of sensors

6 Mission impact analysis

7 Visualization should support all stages of SA, types of CND analysis, and uses. The figure lays out three axes:
- Stages of Situational Awareness (SA): Perception, Comprehension, Projection
- Types of analysis, grouped by stage: Triage and Vulnerability (Perception); Escalation and Correlation (Comprehension); Threat and Response (Projection); Forensic and Malware
- Uses of visualization: ORIENT attention; REPORT and EXPLAIN what has been observed; EXPLORE data (for patterns, anomalies); PREDICT

8 How do Alan Turner’s VA primitives apply? The figure repeats the previous layout (stages of SA: Perception, Comprehension, Projection; types of analysis: Triage and Vulnerability; Escalation and Correlation; Threat and Response; Forensic and Malware) and adds Turner’s primitives: ORIENT, CHARACTERIZE, QUANTIFY, TEST, DISCOVER

9 How do cyber defenders differ from Alan’s users?
- The old way doesn’t work, and they know it
- They never feel totally successful
- It is hard to estimate the level of effort needed
- It is not clear when they’re done

10 CND analysts see the world in red and blue; they attend to timing and sequence. Analysts think about data from the perspective of the attacker’s goals, methods, and timing. The first instance of the attacker’s appearance is an important marker. (Figure: attack timeline of a coordinated attack to exfiltrate data.)
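The raw-data-to-incident progression of slide 4, the triage and escalation analyses of slide 5, and the attack timeline of slide 10 can be sketched in code. The following Python is an added example, not code from the presentation or from Secure Decisions: the key=value log format, the sample alerts, the authorized-scanner list and the shared “hot IP” list are constructed for the example, and the rule that a peer seen by two or more data sources within 24 hours (or any hot IP) becomes an incident is an assumption, not a rule the slides state.

```python
"""Raw alerts -> suspicious activity -> incident, with an attack timeline.

Added example. Log format, sample data and escalation rule are constructed
assumptions for illustration; the slides describe the analysis types only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data from three sources (IDS, auth log, web proxy)
# covering one day, in a simple "ts key=value ..." format assumed here.
SAMPLE_LINES = [
    "2011-05-03T08:02:11 src=ids host=10.0.0.5 peer=203.0.113.7 sig=port-scan",
    "2011-05-03T08:40:53 src=ids host=10.0.0.5 peer=198.51.100.9 sig=port-scan",
    "2011-05-03T09:15:02 src=auth host=10.0.0.5 peer=198.51.100.9 sig=login-failure",
    "2011-05-03T09:15:30 src=auth host=10.0.0.5 peer=198.51.100.9 sig=login-success",
    "2011-05-03T13:47:19 src=proxy host=10.0.0.5 peer=198.51.100.9 sig=large-upload",
    "2011-05-03T14:10:00 src=ids host=10.0.0.22 peer=10.0.0.250 sig=port-scan",
]
AUTHORIZED_SCANNERS = {"10.0.0.250"}  # constructed: the internal vuln scanner
HOT_IPS = {"198.51.100.9"}            # constructed: an externally shared "hot IP"


def parse_alert(line):
    """Normalize one key=value log line into a dict with a datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["time"] = datetime.fromisoformat(ts)
    return rec


def triage(alerts, authorized, hot_ips):
    """Triage: weed out alerts explained by authorized activity (false
    positives) and mark the rest as suspicious, flagging known hot IPs."""
    suspicious, false_positives = [], []
    for a in alerts:
        if a["peer"] in authorized:
            false_positives.append(a)
        else:
            a["hot"] = a["peer"] in hot_ips
            suspicious.append(a)
    return suspicious, false_positives


def escalate(suspicious, window=timedelta(hours=24), min_sources=2):
    """Escalation/correlation: group suspicious alerts by peer over a longer
    window and across data sources. A peer reported by >= min_sources
    distinct sources inside the window, or a hot IP, becomes an incident."""
    by_peer = defaultdict(list)
    for a in suspicious:
        by_peer[a["peer"]].append(a)
    incidents = {}
    for peer, events in by_peer.items():
        events.sort(key=lambda e: e["time"])
        first_seen = events[0]["time"]           # attacker's first appearance
        in_window = [e for e in events if e["time"] - first_seen <= window]
        sources = {e["src"] for e in in_window}
        if len(sources) >= min_sources or any(e.get("hot", False) for e in in_window):
            incidents[peer] = {
                "first_seen": first_seen,
                "sources": sources,
                "events": in_window,
            }
    return incidents


def timeline(incident):
    """Attack timeline: (offset from first sighting, source, signature),
    in order, which a visualization would render along a time axis."""
    first_seen = incident["first_seen"]
    return [(e["time"] - first_seen, e["src"], e["sig"]) for e in incident["events"]]


def run(lines=SAMPLE_LINES):
    """Run the whole pipeline; returns (incidents, suspicious, false_positives)."""
    alerts = [parse_alert(line) for line in lines]
    suspicious, false_positives = triage(alerts, AUTHORIZED_SCANNERS, HOT_IPS)
    return escalate(suspicious), suspicious, false_positives


if __name__ == "__main__":
    incidents, suspicious, fps = run()
    print(f"{len(fps)} false positive(s), {len(suspicious)} suspicious alert(s)")
    for peer, inc in incidents.items():
        print(f"incident {peer}: first seen {inc['first_seen']}, sources {sorted(inc['sources'])}")
        for offset, src, sig in timeline(inc):
            print(f"  +{offset}  {src:5}  {sig}")
```

On the constructed input, the scan from the authorized scanner is dropped at triage, the single-source scan from 203.0.113.7 stays merely suspicious, and 198.51.100.9 is escalated to an incident because three sources report it inside the window; its timeline runs port-scan, login-failure, login-success, large-upload, anchored on the first sighting at 08:40:53.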

11 CYBER SECURITY VISUAL ANALYTICS CHALLENGES

12 Incomplete, inaccurate and ephemeral data. Adversaries disappear and re-appear, and can be co-located with friendlies. Wireless networks increase the transitory nature of data. (Figure elements: Public Networks, Enterprise, Missions/Business Functions, Mission-to-Network Mapping, Defender Patch Status, Dynamic Topology, Sensor Location & Status.)

13 Visual analytics is an unfulfilled promise in cyber operations
- Failure to transition, to deliver: lots of R&D, little operational deployment of visual analytics systems
- “Lack of information” visualization and analytics: rare
- Visual interface to security automation: rare
- Process visualization: rare
- Visual analytics to augment training: rare
- Visual analytics to evaluate tactics: rare

14 Visual analytics systems
- Data import, normalization and aggregation
- Non-viz features to reduce “tool time”
  - Importing and filtering “hot IPs”, authorized devices, and users
  - Automated report builders
  - Annotations and personal notes
- Diverse media
  - Workstations, big-board, PDA, in-vehicle displays
- Robust, secure, certifiable code base

15 Staying ahead of the adversary
- How do we use visual analytics to make the cyber defense process more proactive?
- How do we enhance information sharing within an organization, and across organizations?
  - Portable, shareable datasets and visual analytics
  - Collaborative tools

16 Mapping network assets to organizational missions. Need information and visual analytics to discover:
- Vulnerabilities of the organization’s highest-priority goals
- Network assets that must be assured for continuity of mission-critical functions
- Organizational impact of an attack, or of a defensive COA

17 Anita D’Amico, Secure Decisions division of Applied Visions, Inc.