Presentation is loading. Please wait.

Presentation is loading. Please wait.

Continuous Monitoring: A Big data Challenge

Published byMadlyn Flynn Modified over 6 years ago

Similar presentations

Presentation on theme: "Continuous Monitoring: A Big data Challenge"— Presentation transcript:

1 Continuous Monitoring: A Big data Challenge
VA Tech IT Security Office Randy Marchany (c) Marchany 2011

2 Who Am I? Been working in IT Security since 1992 ISO at VA Tech
40K node network. dual stack IPV4, IPV6 network since 2006 Multi-national – Main campus (Blacksburg, VA), Remote campuses (Arlington, Norfolk, VA), Swiss, Indian, Egyptian campuses My IT Security Philosophy All Security is Local Empower the local departmental IT staff The Business Process trumps the Security Process if there’s a conflict Learn the business process before imposing security requirements Restrictive security practices cause worse problems overall (c) Marchany 2011

3

4 VT Cyber Security Strategy
University has 3 main business processes Academic, Administrative, Research Academic Open access needed – THE ISP MODEL Administrative Traditional corporate security model Research Hybrid Open access Restricted research, e.g. ITAR Must design a strategy that covers all 3 areas

5 VA Tech IT Security Strategy
Based on ISO 27002, NIST Standards Implementing the 20 Critical Controls Continuous Monitoring based on NIST BYOD All students required to purchase their own computers, bring their own smartphones. We’ve been doing this since 1984 Protect sensitive data regardless of location Don’t care what comes in the net. Worry about what leaves the net. (c) Marchany 2011

6 (c) Marchany 2011

7 The awful truth Keeping someone from getting inside has failed miserably Firewalls are not effective PROTECTION devices. They are effective DETECTION devices Change the strategy Assume they are in so go hunt for the compromised hosts Monitor outbound traffic Prevent their command and control communication Inbound monitors server side attacks; outbound monitors client side attacks (c) Marchany 2011

8 A Horse by any other name
Network Security Monitoring aka Extrusion Detection aka Continuous Monitoring Use your most powerful defense tool The Network Collection Detection Analysis (c) Marchany 2011

9 Device Driven vs. Data Driven
Protecting the device is useless Protecting the data is key. It’s not a breach until it leaves your network  There are no device breach notification laws  Protect the data so who cares where it’s stored (c) Marchany 2011

10 Attacker Strategy – Get in, Stay In, Damage
Initial compromise Phishing Software vulnerability DEFENSE: harden endpoints, patch systems, user awareness Maintain communication with the mother ship command and control of compromised machines DEFENSE: Protect root/admin access, identify access patterns Cause damage DEFENSE: interrupt communication channels to bad sites (c) Marchany 2011

11 Collection (c) Marchany 2011

12

13

14

15

16

17 Intrusion vs. Extrusion
Intrusion detection is the process of identifying unauthorized activity by inspecting inbound network traffic Extrusion detection is the process of identifying unauthorized activity by inspecting outbound network traffic Network forensics is the art of collecting, protecting, analyzing and presenting network traffic to support remediation or prosecution (c) Marchany 2011

18 CM Security PRinciples
Some intruders are smarter than you Many intruders are unpredictable Prevention eventually fails Defensible networks can be watched; they are monitored Defensible networks limit an intruder’s freedom to maneuver; they are controlled Defensible networks offer a minimum number of services and client-side applications; they are minimized Defensible networks can be kept current source: Extrusion Detection, R. Betjlich (c) Marchany 2011

19 Nsm principles Intruders who communicate with victims can be detected Detection through sampling is better than no detection at all Traffic analysis determines who’s talking, for how long and when It is NOT security event mgt, network based forensics or intrusion prevention NSM data forms Full content data – header and application data Session data – aka flows, streams, conversations Statistical data – net activity highlighting deviation from norms Alert data – judgment by device about an event (c) Marchany 2011

20 Proposed Implementation
(c) Marchany 2011

21 implementation (c) Marchany 2011

22

23 Detection (c) Marchany 2011

24 (c) Marchany 2011

25 (c) Marchany 2011

26 Response steps to Malware infection
FireEye monitors for suspicious callbacks (COLLECTION) malware callback detected (DETECTION) isolate compromised host PII on the host? Encrypted? Yes – wipe, reinstall. No – potential PII breach ANALYSIS query: “when was the earliest comm between bad domain & compromised host?” Purpose: try to determine extent of breach query: “What other VT hosts communicated with bad domain?” Purpose: determine extent of breach (CONTAINMENT) Speed is essential (c) Marchany 2011

27 (c) Marchany 2011

28 Analysis Challenges Data collection from various sensors 75GB netflow data daily 6 months of binary Argus data , ~25 fields 3-5 months CSV SQL data – structured DB, 7 fields 6 months CSV Hadoop – flat file 19 fields Snort sensor, IPS, IDS, host based firewall Big data analysis techniques needed Organizing database Optimizing search techniques - Vendor solutions aren’t enough (c) Marchany 2011

29 Analysis: the Databases
Flat files Traditional databases - Oracle, Postgres, SQL not designed to deal with log data Designed for data integrity not performance No SQL ( Hadoop) The right data system A function of the volume of data stored, the type of data and who’s analyzing it Analysis requires repetitive searches (c) Marchany 2011

30 Analysis – RDBMS vs. Log data
Ensures data integrity Constant data queries so the system spends a lot of time tracking transactions Users will asynchronously update existing contents Log data doesn’t change An event occurs, the log data is never updated Sensors are the only things that write to disk. Users only read from disk. (c) Marchany 2011

31 Example: Flow Analysis
Network flows allow us to see a machine’s traffic history. At VT we use Argus. Pros: Open source (FREE) Well documented Great toolset Cons Runs off span port, not router flows* Steep learning curve VA SCAN Marchany

32 Argus VA SCAN Marchany

33 Flow Analysis – All Flows
How many phone home attempts were there? VA SCAN Marchany

34 Flow Analysis – Top Talkers
Who were the top talkers? VA SCAN Marchany

35 Flow Analysis – Traffic Graphs
Are there any traffic patterns? VA SCAN Marchany

36 Flow Analysis – C&C Graphs
How much data was transferred to the C&C server? VA SCAN Marchany

37 Bandwidth Analysis Argus observes and records traffic statistics for specific networks (departments) VA SCAN Marchany

38 Example: Where does data go?
(c) Marchany 2011

39 (c) Marchany 2011

40 Example: Top ports used
(c) Marchany 2011

41

42

43

44

45

46

47

48

49 partners? Security & Network groups
ITSO and Network mgt groups must closelycoordinate activities CM “disruptors” MPLS High speed (>10GB) backbones SSL, application layer encryption Span ports 10GB span on a 100GB backbone These will blind CM sensors Need to work within these constraints (c) Marchany 2011

50 Thoughts on Metrics Do you have this capability? Forensic How long does something take to occur? How long has it been happening? How widespread is it? Ratio What is leaving our net? Compromised hosts vs. total hosts

51 Security Metrics Executive Level
Compliance with University Policies and Federal, State regulations Summary graphs Operational Vulnerability scans, IDS/IPS data collection Incident Handling Volume, type, severity

52 Futures? The good Continuous monitoring increases the chances of successful detection and mitigation Can tailor defenses based on critical assets find repeat offenders create targeted training Provide justification for IT improvement Department and Enterprise staff, hardware, software, training Enhance university research work with researchers by providing anonymized raw data (c) Marchany 2011

53 Futures – The bad Edward Snowden effect Must take significant precautions to safeguard collected data Anonymize local source information Staffing need to hire data scientists (c) Marchany 2011

54 (c) Marchany 2011

55 Final THoughts Continuous Monitoring focus is assurance and not compliance Feed the right data to upper mgt for risk acceptance Allows you to find compromised hosts before it becomes a serious problem Requires a shift in security architecture design Books: Applied Network Security Monitoring, Sanders, & Smith, ISBN Extrusion Detection, Betjlich, ISBN — Network Security Through Data Analysis , Collins, ISBN Network Forensics, Davidoff & Ham, (c) Marchany 2011

56 Questions? Contact Information Randy Marchany University IT Security Officer VA Tech IT Security Office & Lab 1300 Torgersen Hall Blacksburg, VA (office) (lab) Blog: randymarchany.blogspot.com (c) Marchany 2011

57 Supplemental slides The following slides are for reference purposes only (c) Marchany 2011

58 Control Entity Relationship Diagram (ERD) #1
Control System Entity Relationship Diagram (ERD) In the above slide one will see a diagram known as an Entity Relationship Diagram (ERD), which can be helpful as we are trying to analyze the entities that must be used to implement and meet the goals behind this particular control. ERDs are one of nine different diagram types that are used in what is known as the Unified Modeling Language (UML). These nine UML diagram types were briefly described earlier in the course. Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to test the controls and identify where potential failures in the system might occur. Control System ERD Steps 1-8 A control system is a device or set of devices to manage, command, direct or regulate the behavior of other devices or systems. In this case, we are examining hardware devices on the organization’s network. These systems should be able to identify if new systems are introduced to the environment that have not been authorized by enterprise personnel. The following are the steps in the above diagram and shows how each entity works together to meet the business goal defined in this control. It also helps us to identify what each of the process steps are in an effort to help us identify potential failure points in the overall control. Step 1: Active Device Scanner Scans Network Systems The first step in this process is for an active scanner to scan the network for devices in order to establish an inventory of the devices that are present on the network at any given time. This is an active process of detecting devices and looking for new or unauthorized devices that might show themselves on the network at any given time.

59 Control Entity Relationship Diagram (ERD) #14
Control System Entity Relationship Diagram (ERD) In the above slide one will see a diagram known as an Entity Relationship Diagram (ERD) which can be helpful as we are trying to analyze the entities that must be used to implement and meet the goals behind this particular control. ERDs are one of nine different diagram types that are used in what is known as the Unified Modeling Language (UML). These nine UML diagram types were briefly described earlier in the course. Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control i5 will be easier to identify how to test the controls and identify where potential failures in the system might occur. Control System ERD Steps 1-4 A control system is a device or set of devices to manage, command, direct or regulate the behavior of other devices or systems. In this case, we are examining audit logs, the central log database system, the central time system, and log analysts. The following steps show how each entity works together to meet the business goal defined in this control. It also helps us to identify what each of the steps are in an effort to help us identify potential failure points in the overall control. Step 1: Production systems generate logs and send them to a centrally managed log database system Step 2: Production systems pull synchronize time with central time management systems Step 3: Logs are analyzed by a log analysis system Step 4: Log analysts analyze data generated by log analysis system

60 (c) Marchany 2011

61 (c) Marchany 2011

62 (c) Marchany 2011

Download ppt "Continuous Monitoring: A Big data Challenge"

Similar presentations

THE 20 CRITICAL CONTROLS: A SECURITY STRATEGY RANDY MARCHANY VA TECH IT SECURITY OFFICE 1 (C) MARCHANY 2011.

THE 20 CRITICAL CONTROLS: A SECURITY STRATEGY RANDY MARCHANY VA TECH IT SECURITY OFFICE 1 (C) MARCHANY 2011.
Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –

Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
John Felber.  Sources  What is an Intrusion Detection System  Types of Intrusion Detection Systems  How an IDS Works  Detection Methods  Issues.

John Felber.  Sources  What is an Intrusion Detection System  Types of Intrusion Detection Systems  How an IDS Works  Detection Methods  Issues.
Network and Systems Security Security Awareness, Risk Management, Policies and Network Architecture.

Network and Systems Security Security Awareness, Risk Management, Policies and Network Architecture.
By Edith Butler Fall 2008. Our Security Ways we protect our valuables: Locks Security Alarm Video Surveillance, etc.

By Edith Butler Fall Our Security Ways we protect our valuables: Locks Security Alarm Video Surveillance, etc.
Host Intrusion Prevention Systems & Beyond

Host Intrusion Prevention Systems & Beyond
Building a Campus Dshield Randy Marchany IT Security Lab VA Tech Blacksburg, VA 24060

Building a Campus Dshield Randy Marchany IT Security Lab VA Tech Blacksburg, VA 24060
Intrusion Prevention, Detection & Response. IDS vs IPS IDS = Intrusion detection system IPS = intrusion prevention system.

Intrusion Prevention, Detection & Response. IDS vs IPS IDS = Intrusion detection system IPS = intrusion prevention system.
Citadel Security Software Presents Are you Vulnerable? Bill Diamond Senior Security Engineer

Citadel Security Software Presents Are you Vulnerable? Bill Diamond Senior Security Engineer
Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.

Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.
Website Hardening HUIT IT Security | Sep 30 2011.

Website Hardening HUIT IT Security | Sep
1 Managed Security. 2 Managed Security provides a comprehensive suite of security services to manage and protect your network assets –Managed Firewall.

1 Managed Security. 2 Managed Security provides a comprehensive suite of security services to manage and protect your network assets –Managed Firewall.
Chapter 2 Information Security Overview The Executive Guide to Information Security manual.

Chapter 2 Information Security Overview The Executive Guide to Information Security manual.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.

Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.
Intrusion Detection Presentation : 1 OF n by Manish Mehta 01/24/03.

Intrusion Detection Presentation : 1 OF n by Manish Mehta 01/24/03.

Similar presentations

Ads by Google