IoT Security Part 2, The Malware


1 IoT Security Part 2, The Malware
June 2016
Angelo Brancato, CISSP, CISM, CCSK
Chief Technologist – HPE Security

2 This Presentation is recorded:

3 HPE Secure IoT Application Lifecycle
Data, Applications, Communication, Users
IoT Platform, IoT Endpoints, Connectivity, Edge Computing, Visualization, IoT Cloud / Platform
- HPE ADM (Application Delivery Management)
- HPE ITOM (IT Operations Management)
- HPE Security ArcSight (Security Intelligence)
- HPE Security Fortify (Application Security)
- HPE Security – Data Security (Voltage/Atalla)
- HPE Aruba (Communication Security)
HPE ADM, ITOM and Security solutions provide a secure IoT Application Lifecycle

4 HPE Secure IoT Application Lifecycle
Data, Applications, Communication, Users
Replay Part 1, The Data
IoT Platform, IoT Endpoints, Connectivity, Edge Computing, Visualization, IoT Cloud / Platform
- HPE ADM (Application Delivery Management)
- HPE ITOM (IT Operations Management)
- HPE Security ArcSight (Security Intelligence)
- HPE Security Fortify (Application Security)
- HPE Security – Data Security (Voltage/Atalla)
- HPE Aruba (Communication Security)
HPE ADM, ITOM and Security solutions provide a secure IoT Application Lifecycle

5 HPE Secure IoT Application Lifecycle
Data, Applications, Communication, Users
IoT Platform, IoT Endpoints, Connectivity, Edge Computing, Visualization, IoT Cloud / Platform
- HPE Security ArcSight (Security Intelligence)
- HPE Security Fortify (Application Security)
- HPE Security – Data Security (Voltage/Atalla)
- HPE Aruba (Communication Security)
- HPE ADM (Application Delivery Management)
- HPE ITOM (IT Operations Management)
HPE ADM, ITOM and Security solutions provide a secure IoT Application Lifecycle

6 HPE Secure IoT Application Lifecycle – Security Intelligence
Data, Applications, Communication, Users
IoT Platform, IoT Endpoints, Connectivity, Edge Computing, Visualization, IoT Cloud / Platform
- HPE Security ArcSight (Security Intelligence)
- HPE Security Fortify (Application Security)
- HPE Security – Data Security (Voltage/Atalla)
- HPE Aruba (Communication Security)

7 HPE Secure IoT Application Lifecycle – Security Intelligence
IoT Platform, IoT Endpoints, Connectivity, Edge Computing, Visualization, IoT Cloud / Platform
Log Data
HPE Security ArcSight (Security Intelligence)

8 Security Intelligence - What is Security Analytics?
Streams of Data
Rivers of Data
Ocean of Data / Data Lake

9 Security Intelligence - What is Security Analytics?

10 Security Intelligence - What is Security Analytics?
Tactical Level
Streams of Data
E.g.:
- Clients, Servers
- Applications
- Firewalls, IDS/IPS, VPN, Routers, WLAN
- Users
- IoT Edge Devices, Sensors, Actuators

11 Security Intelligence - What is Security Analytics?
Operational Level
Real-time correlation of known attack patterns
[Figure: Sample ArcSight correlation rule]
Streams of Data, Rivers of Data

12 Security Intelligence - What is Security Analytics?
Operational Level: ArcSight ESM
Real-time correlation of known attack patterns
Streams of Data, Rivers of Data
Some ArcSight Key Differentiators:
- True Real-Time and Contextual Correlation
- Pre-Defined Use Cases (correlation rules) and Content Sharing Platform
- 400+ supported event sources
- Flex-Connector
- Normalization / Categorization
- Guaranteed Event Delivery and Event Load-Balancing
- Multi-Tenancy

13 Security Intelligence - What is Security Analytics?
- Tactical Level: Ubiquitous, reliable and scalable event collection and normalization, Remediation
- Operational Level: ArcSight ESM
- Strategic Level: Hunt for yet unknown attack patterns in the Big Data Lake (Hunt Team)
- Feed back to Operational Level, creation of real-time correlation rules
Streams of Data, Rivers of Data, Ocean of Data / Data Lake

14 Security Intelligence - What is Security Analytics?
- Tactical Level: Ubiquitous, reliable and scalable event collection and normalization, Remediation
- Operational Level: ArcSight ESM
- Strategic Level: Hunt for yet unknown attack patterns in the Big Data Lake (Hunt Team)
- Feed back to Operational Level, creation of real-time correlation rules
- DMA In-A-Box: ArcSight DNS Malware Analytics
Streams of Data, Rivers of Data, Ocean of Data / Data Lake

15 HPE ArcSight DMA – DNS Malware Analytics
Overview

16 HPE ArcSight – DNS Malware Analytics (DMA)
IoT Platform, IoT Endpoints, Connectivity, Edge Computing, Visualization, IoT Cloud / Platform
DNS Data
HPE Security ArcSight (Security Intelligence)
HPE ArcSight DNS Malware Analytics (DMA)

17 Challenges in Collecting & Monitoring DNS Data
Why is DNS monitoring a hard problem for Enterprise Environments?
Case Study: 18-20 Billion DNS packets move through HPE’s core data centers every day
- Logging severely impacts the performance of the DNS infrastructure
- The right information is not logged
- Every new employee, device, server etc. only adds to the total volume!
220,000 14,000 3,000 200 80 7 HPE –

18 HPE ArcSight – DNS Malware Analytics (DMA)
On-Site / Cloud
- Network Tap, DNS Capture Module
- HPE Analytics Cloud (Secure communication)
- Visualization
- Alerting (Infected Systems): ArcSight REST connector, Secure communication, ArcSight ADP/ESM
- Manual or automatic remediation: HPE Aruba ClearPass
IoT Endpoints, Edge Computing, Connectivity, IoT Platform, IoT Cloud / Platform
HPE Analytics Cloud:
- Constantly analyze DNS data for security threats
- Data visualization & exploration
- Web-based detail & visual drill down
DNS Capture Module:
- Easy to install pre-configured appliance
- Local DNS Pre-processing
- Filter out 99% of traffic
- Statistics and diagnostics

19 HPE ArcSight – DNS Malware Analytics (DMA)
Recap
DMA is a solution that:
- provides high fidelity – very low to zero false-positive rate
- enables Operational Staff (L1) to mitigate/remediate
- fits into an existing SOC infrastructure without expansion
DMA is an automated service to detect and identify hosts (things) that:
- are positively infected with malware, bots, or other unknown threats
- are trying to contact Command and Control (C&C) Servers or exfiltrate data
- other signature-based perimeter or internal security products have not detected

20 HPE ArcSight DMA Live Demo

21 Live Demo

22 Thank You!
Angelo Brancato, CISSP, CISM, CCSK
Chief Technologist – HPE Security
hpe.com/security

