Pro-I: Open Source Security Monitoring
Grant Babb, Technical Program Manager, Intel Information Risk and Security
March 3, 2011
Legal Notices
This presentation is for informational purposes only. INTEL MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
Software and workloads used in performance tests may have been optimized for performance only on Intel microprocessors. Performance tests, such as SYSmark and MobileMark, are measured using specific computer systems, components, software, operations and functions. Any change to any of those factors may cause the results to vary. You should consult other information and performance tests to assist you in fully evaluating your contemplated purchases, including the performance of that product when combined with other products. For more complete information about performance and benchmark results, visit www.intel.com/benchmarks
BunnyPeople, Celeron, Celeron Inside, Centrino, Centrino Atom, Centrino Atom Inside, Centrino Inside, Centrino logo, Core Inside, FlashFile, i960, InstantIP, Intel, Intel logo, Intel386, Intel486, IntelDX2, IntelDX4, IntelSX2, Intel Atom, Intel Atom Inside, Intel Core, Intel Inside, Intel Inside logo, Intel NetBurst, Intel NetMerge, Intel NetStructure, Intel SingleDriver, Intel SpeedStep, Intel StrataFlash, Intel Viiv, Intel vPro, Intel XScale, Itanium, Itanium Inside, MCS, MMX, Oplus, OverDrive, PDCharm, Pentium, Pentium Inside, skoool, Sound Mark, The Journey Inside, Viiv Inside, vPro Inside, VTune, Xeon, and Xeon Inside are trademarks of Intel Corporation in the U.S. and other countries.
* Other names and brands may be claimed as the property of others.
Copyright © 2011, Intel Corporation. All rights reserved.
Agenda
- Insider Threat: Yesterday, Today, and Tomorrow
- Pro-I: A Technical Overview
- Proactive Monitoring of Threats with Pro-I
Insider Threat 2008
2008 US Secret Service and Carnegie Mellon study on Insider Threat in IT and Telecom:
- 49% of cases involved leaving the company (37% were terminations, 12% were employment at a new company)
- 76% were full-time employees of the affected organizations
- 63% of the insiders were employed in technical positions
- Insiders were a wide variety of ages and backgrounds
Insider Threat Today
- High unemployment rate for the nation, negative employment rate for some jobs
- Engineers are actively recruited from their jobs: go to work at a competitor, gather intel, then "start your new job"
- Everyone could be an insider threat
- USB drives make a career portable: contacts, old slides, job collateral all mixed together
- The longer you're there, the more likely the leak
- Compute continuum: using the cloud to share data across devices, mixing personal/private
Planned or unplanned, leaks are going to happen.
Insider Threat Tomorrow
- Headcount in standalone IT roles will likely shrink to 25% or less of current totals by 2015 (The Future of Corporate IT, 2010, Corporate Executive Board)
- Almost 75% of employees would steal company secrets if they were fired, and had clear plans to take something with them if they left (Imperva survey, November 2010)
- Cloud traffic will be 33% of data center traffic by 2015 (2011 Cisco study)
- By 2014, 90% of organizations will support corporate applications on personal devices (Gartner Top Predictions 2011)
Proactive Monitoring
Benchmarked approaches to monitoring across different industries:
- Intrusion detection systems for networks
- Fraud detection systems for finance
- Balanced scorecards in BI
Business Intelligence was selected as the approach:
- A balanced scorecard was a better way to look at multiple risk indicators than a rule-based approach
- Successful benchmark of risk management concepts to BI (BI Conference 2010 presentation: http://www.msteched.com/2010/NorthAmerica/BIC304)
Now an end-to-end capability around the solution (people/process/tools) known as Proactive Investigations (Pro-I).
Pro-I is now licensed under the GPL (GNU General Public License); both source and binaries will be available on CodePlex and other repositories in March.
Paths and Components
Collector: loads events into a stream, stacks them into a queue, then streams the queue to the event processor.
Event Processor: picks up queued event streams on remote servers, streams them into the query engine, performs real-time continuous queries on the streams, then sends query streams to outputs (log files).
Data Warehouse: stores billions of rows of security data, separated into multiple fact tables per source, each partitioned across multiple days. Fact tables include raw data plus added keys (date, hour, IP, location, etc.).
ETL: batch extract, transform, and loading of data to and from the Data Warehouse, cubes, and reporting databases. Where possible, all extract, transform, and load steps occur in memory streams.
Analytics: multidimensional structures are used to produce the indicator matrix; cubes are organized by system risk model and processed at least once daily; models are queried and the results loaded into Reporting.
Reporting: stores point-in-time indicator results for fast retrieval in the analyst module.
Parallel Query: lightweight tool designed to maximize query performance for drilldown information. Uses a multi-threaded architecture to query individual fact tables; expensive correlation and duplicate removal are done in memory in C# instead of SQL.
Pro-I Analyst: big data visualization, drilldown integration, and case management (workflow) combined in one UI. The current version enables easy comparison and pattern analysis of over 25,000 data points at a time.
Paths and Components (diagram)
Real-Time Path: event sources (WinOS, File Share, SQL) -> Collector -> events queue -> Event Processor -> ETL (batch) -> Data Warehouse -> ETL (batch) -> Analytics -> ETL (batch) -> Reporting
Analytics Path: transaction sources (SysA, SysB, Domain Controller) and context sources (HR, Sec Incidents, IP Location) -> ETL (batch) -> Data Warehouse -> ETL (batch) -> Analytics -> ETL (batch) -> Reporting -> SQL query / Parallel Query -> Analyst UI
Real-Time File Protection
1) A Windows service installed on the local server queries the event stream, pulls key fields out of each event, and stacks the smaller events on a queue listening on a port.
2) A Windows service installed on the remote server watches network file shares and returns change event notifications. These are put into an event queue listening on a port.
3) Input adapters connect to the remote ports and queue events into an input stream.
4) A query combines events from the two event streams (file delete, logon/logoff) to create a complex event.
5) The complex event ("who deleted what") is sent to the alert output adapter, which transforms the event to email format.
6) All simple events are sent to a CSV output adapter to spool to flat files, later loaded into the DW and used by analytics.
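The join in steps 4 and 5, as an added example in Python (not Pro-I code, which expresses this as a StreamInsight/LINQ continuous query). The share watcher only reports that a path changed, so "who" comes from joining the delete to the logon/logoff sessions open on that file server at that moment. All events, hosts, users and paths below are constructed sample data; the 30-second grace window for clock skew is an assumption.

```python
# Added example (not Pro-I code): correlate file-share delete notifications
# with logon/logoff events on the file server to build the "who deleted what"
# complex event of step 4, and render it in the email shape of step 5.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

T0 = datetime(2011, 3, 3, 9, 0, 0)


def t(minutes: int, seconds: int = 0) -> datetime:
    return T0 + timedelta(minutes=minutes, seconds=seconds)


# Constructed logon/logoff events from the OS event stream:
# (timestamp, file server, user, action).
SESSION_EVENTS = [
    (t(0), "FS01", r"CORP\alice", "logon"),
    (t(5), "FS01", r"CORP\bob", "logon"),
    (t(12), "FS01", r"CORP\bob", "logoff"),
    (t(40), "FS01", r"CORP\alice", "logoff"),
    (t(3), "FS02", r"CORP\carol", "logon"),
    (t(20), "FS02", r"CORP\carol", "logoff"),
]

# Constructed file-share change notifications: (timestamp, file server, path, change).
# The watcher does not know who made the change; the join below supplies that.
FILE_EVENTS = [
    (t(8), "FS01", r"\\FS01\eng\roadmap.pptx", "deleted"),    # alice and bob both logged on
    (t(15), "FS01", r"\\FS01\eng\design.docx", "deleted"),    # only alice still logged on
    (t(16), "FS01", r"\\FS01\eng\notes.txt", "modified"),     # not a delete, passes through
    (t(25), "FS02", r"\\FS02\hr\salaries.xlsx", "deleted"),   # carol logged off 5 minutes earlier
]


@dataclass
class Session:
    host: str
    user: str
    logon: datetime
    logoff: Optional[datetime] = None   # None while the session is still open


def build_sessions(events) -> List[Session]:
    """Pair each logon with the next logoff for the same (host, user)."""
    open_sessions: Dict[Tuple[str, str], Session] = {}
    sessions: List[Session] = []
    for ts, host, user, action in sorted(events):
        key = (host, user)
        if action == "logon" and key not in open_sessions:
            open_sessions[key] = Session(host, user, ts)
            sessions.append(open_sessions[key])
        elif action == "logoff" and key in open_sessions:
            open_sessions.pop(key).logoff = ts
    return sessions


def who_deleted_what(file_events, session_events, grace=timedelta(seconds=30)) -> List[dict]:
    """Join each delete to the sessions open on that server at that time.

    `grace` (assumed 30 s) tolerates clock skew between the share watcher and
    the OS log: a delete shortly after a logoff is still attributed to it.
    Zero candidates -> unattributed, one -> attributed, more -> ambiguous.
    """
    sessions = build_sessions(session_events)
    alerts = []
    for ts, host, path, change in sorted(file_events):
        if change != "deleted":
            continue
        users = sorted(
            s.user for s in sessions
            if s.host == host and s.logon <= ts and (s.logoff is None or ts <= s.logoff + grace)
        )
        confidence = {0: "unattributed", 1: "attributed"}.get(len(users), "ambiguous")
        alerts.append({"when": ts, "host": host, "path": path, "users": users, "confidence": confidence})
    return alerts


def format_alert(alert: dict) -> str:
    """Step 5: turn the complex event into the text of an email alert."""
    who = ", ".join(alert["users"]) or "no logged-on user found"
    return (
        f"Subject: [Pro-I] File deleted on {alert['host']} ({alert['confidence']})\n\n"
        f"{alert['path']} was deleted at {alert['when']:%Y-%m-%d %H:%M:%S}.\n"
        f"Logged-on users at that time: {who}\n"
    )


if __name__ == "__main__":
    for alert in who_deleted_what(FILE_EVENTS, SESSION_EVENTS):
        print(format_alert(alert))
```

The confidence field is the part an analyst actually needs: a delete while two users share a server session window is evidence, not attribution, and a delete with no open session usually means the logon stream is missing events (or the clocks disagree by more than the grace window) rather than that nobody did it.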
Threats Become Indicators
Threat personas (legend): ! Entitled Engineer, $ Ambitious Alpha, ? Well-Informed Sys-Admin, * Settled-In Spy
Indicator dimensions: Worker, Data, IP, System
Indicators: Remote Access, Domain Access, Leaving, Unusual/Excessive Access, Excessive Upload/Download, Unusual/Excessive Systems, Technical Role, Unusual/Excessive Hours, Non-technical Role, Access Denied
(Slide matrix: each indicator cell is marked with the personas it applies to.)
Multidimensional Models
Problem #1: Log time is often different from the time of access. We need to use local time for our risk model, but different geographies make local time complex.
Solution #1: Use an employee database that gives you location, an intermediate table to look up the GMT offset for that location, and calculate local time from both lookups.
Problem #2: How do we implement statistical measures of access? Not everyone accesses a system the same way; we could create a lot of false positives or false negatives by choosing the wrong approach.
Solution #2: Create measures based on average and standard deviation, but slice them by the individual user. This gives you measures that compare access records to the pattern of the individual, not the whole user population.
Problem #3: There are limits on how many different ways you can slice data. Answering many questions with only one MDX query can require impossible fact tables, dimensions, or both.
Solution #3: Simplify your fact tables and dimensions for performance; use multiple MDX queries and combine them later in a reporting component.
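The three solutions above, as an added example in plain Python (not Pro-I code, which implements them in SSAS cubes and MDX). It converts UTC log time to the employee's local time through the two lookups of Solution #1, scores today's access count against the individual's own mean and standard deviation versus the pooled population (Solution #2), and joins the separate per-indicator results into one row per worker (Solution #3). Employee locations, UTC offsets, the ten-day access history and the 3-sigma threshold are all constructed assumptions.

```python
# Added example (not Pro-I code): local-time lookup, per-user statistical
# baseline, and combination of per-indicator results into an indicator matrix.
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev
from typing import Dict, List

# Solution 1 lookups: employee -> location (from the employee database) and
# location -> UTC offset (intermediate table). Fixed offsets ignore daylight
# saving; a production table would key by date or use the IANA tz database.
EMPLOYEE_LOCATION = {"alice": "Hillsboro", "bob": "Bangalore", "carol": "Haifa"}
LOCATION_UTC_OFFSET_HOURS = {"Hillsboro": -8, "Bangalore": 5.5, "Haifa": 2}
SAMPLE_STAMP_UTC = datetime(2011, 3, 3, 3, 0, tzinfo=timezone.utc)   # constructed log time


def local_time(user: str, logged_utc: datetime) -> datetime:
    """Convert a UTC log timestamp to the employee's local wall-clock time."""
    if logged_utc.tzinfo is None:                       # logs are assumed to be written in UTC
        logged_utc = logged_utc.replace(tzinfo=timezone.utc)
    offset = LOCATION_UTC_OFFSET_HOURS[EMPLOYEE_LOCATION[user]]
    return logged_utc.astimezone(timezone(timedelta(hours=offset)))


def is_unusual_hour(user: str, logged_utc: datetime, start: int = 7, end: int = 20) -> bool:
    """Unusual/Excessive Hours indicator: local hour outside [start, end)."""
    hour = local_time(user, logged_utc).hour
    return not (start <= hour < end)


# Solution 2 baseline: constructed daily access-record counts per user, ten prior days.
DAILY_ACCESS: Dict[str, List[int]] = {
    "alice": [20, 22, 19, 21, 20, 23, 18, 22, 21, 20],
    "bob":   [200, 210, 190, 205, 198, 215, 195, 202, 208, 200],   # heavy but steady user
    "carol": [5, 4, 6, 5, 5, 4, 6, 5, 5, 5],
}


def zscore(value: float, baseline: List[int]) -> float:
    """Standard deviations from the baseline mean. A floor of one record
    avoids dividing by zero for users whose history is perfectly regular."""
    sigma = max(pstdev(baseline), 1.0)
    return (value - mean(baseline)) / sigma


def access_zscores(today: Dict[str, int], baselines: Dict[str, List[int]],
                   per_user: bool = True) -> Dict[str, float]:
    """Score today's counts against each user's own history (per_user=True)
    or against everyone's history pooled together (per_user=False)."""
    population = [v for history in baselines.values() for v in history]
    return {user: zscore(count, baselines[user] if per_user else population)
            for user, count in today.items()}


def flagged(today: Dict[str, int], baselines: Dict[str, List[int]],
            threshold: float = 3.0, per_user: bool = True) -> List[str]:
    """Users whose Unusual/Excessive Access indicator fires today."""
    scores = access_zscores(today, baselines, per_user)
    return sorted(user for user, z in scores.items() if abs(z) >= threshold)


# Solution 3: each indicator is its own simple query; the reporting layer
# joins the per-indicator results into one row per worker.
def indicator_matrix(today: Dict[str, int],
                     last_access_utc: Dict[str, datetime]) -> Dict[str, Dict[str, bool]]:
    excessive = set(flagged(today, DAILY_ACCESS))
    return {
        user: {
            "unusual_excessive_access": user in excessive,
            "unusual_excessive_hours": is_unusual_hour(user, last_access_utc[user]),
        }
        for user in today
    }


if __name__ == "__main__":
    today = {"alice": 60, "bob": 210, "carol": 9}
    last_seen = {u: SAMPLE_STAMP_UTC for u in today}
    print("pooled baseline flags:  ", flagged(today, DAILY_ACCESS, per_user=False))
    print("per-user baseline flags:", flagged(today, DAILY_ACCESS, per_user=True))
    for user, row in indicator_matrix(today, last_seen).items():
        print(user, row)
```

With the sample history, the pooled baseline flags nobody: alice's 60 records sit below the population mean because bob's normal volume dominates it, and carol's 9 is invisible. Sliced per user, alice is roughly 27 standard deviations above her own norm and carol 4 above hers, while bob's 210 is within his usual range. That is the false-negative side of Problem #2; the floor in `zscore` addresses the opposite failure, where a user with a perfectly flat history would otherwise be flagged on any change at all.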
Indicators Become Visualization
Implementing Pro-I
Pro-I Collector can be implemented on VMs or application servers
- Scale-out architecture, dependent on event streams and number of queries
- Skill needed: LINQ to write new query templates
Pro-I Analytics requires dedicated hardware for Data Warehouse and Analysis components
- Scale-up: depending on event volume and response time
- Scale-out: parallel logic can use multiple SMP or one MPP
- Skills needed: ETL design for optimal loading, MDX for custom queries, BI design for worker context
Pro-I Investigator tools are best on 64-bit clients
- Scale-up: may not be necessary
- Skill needed: InfoSec Investigator or Security Analyst
Conclusion
- Look for initial release in March
  - Drafting press release and implementation guide
  - Plan to publish Investigator's Guide in 2012
- Active development will continue in 2012
  - Research partners for threat detection
  - Still an enterprise solution at Intel
  - Looking at possibilities in the cloud
- Participation in development is welcome
  - Opportunity to influence the security community and gain more insight on insider threat, whether malicious or unintentional
Grant.Babb@Intel.com
Questions?