
1 © Hortonworks Inc. 2011 – 2017. All Rights Reserved

Cyber Security for Financial Services

Carolyn Duby, Cyber Security SME, Solutions Engineer, Northeast

April 2017


Disclaimer

This document may contain product features and technology directions that are under development, may be under development in the future or may ultimately not be developed.

Project capabilities are based on information that is publicly available within the Apache Software Foundation project websites ("Apache"). Progress of the project capabilities can be tracked from inception to release through Apache; however, technical feasibility, market demand, user feedback and the overarching Apache Software Foundation community development process can all affect timing and final delivery.

This document’s description of these features and technology directions does not represent a contractual commitment, promise or obligation from Hortonworks to deliver these features in any generally available product.

Product features and technology directions are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

Since this document contains an outline of general product development plans, customers should not rely upon it when making purchasing decisions.


Agenda

• Outlook for Cyber Security Financial Services

• Trends over past year

• Challenges going forward

• New Hortonworks Solutions to Address Challenges


Outlook for Financial Services

• Financial Services is a big target

• Hackers are more sophisticated

• Increased complexity of landscape

• Existing security tools can’t keep up

• Consequences are high

• New solutions needed to secure the enterprise


Hackers Go Where the Money Is

Willie "The Actor" Sutton

Why do hackers target Financial Services companies? Because that's where the money is.

Source: https://www.fbi.gov/history/famous-cases/willie-sutton


Cybercrime Underground Market

• Information and Services for Sale
  • Credit card account numbers
  • Email and social media credentials
  • Bank account credentials
  • Russian business dossiers
  • DDoS attacks
  • Exploit kits

• Increasingly professional service
  • Available 24 x 7
  • Guaranteed results

Source: Secureworks Underground Hacker Markets Annual Report – April 2016


State Sponsored Hackers

• Capable, Well Compensated Hackers

• Sophisticated, effective attacks

• Difficult to detect

• Fly "under the radar" longer


Insiders are the weak link

• Tight security undermined by insiders

• Curious, Helpful, Conscientious Victims
  • 91 percent of cyberattacks start with a phishing email
  • Yahoo! breach of 500 million user accounts

• Whistleblowers and Hacktivists
  • Edward Snowden and Chelsea Manning
  • Wikileaks, Panama Papers

• Disaffected
  • Citibank employee disables routers after bad review

• Targeted for bribery and outside influence

(Image captions: Wikileaks; Edward Snowden and Chelsea Manning; ABC News)


Increased Complexity and Attack Surface

• Bring Your Own Device

• Cloud

• Network enabled Internet of Things
  • Mirai Botnet disables online services
    • Russian banks
    • Dyn Domain Name Service


Not in Control of your own Destiny

• Great security does not guarantee success

• External services
  • DNS redirect at Brazilian bank sends customers to fake site
  • External trading networks

• Breaches of unrelated sites require action
  • Users reuse passwords
  • Replace credit cards affected by another company's breach

• Security of new acquisitions


Consequences

• Direct costs of incident and remediation

• Fines

• Consumer Litigation
  • Wendy's and Yahoo! suits

• Loss of Consumer Confidence

• Opportunity cost


Existing Cyber Security Solutions Don’t Scale to the Challenge

82% of breaches happened in minutes

8 months: average time an advanced security breach goes unnoticed

70%-80% of breaches are first detected by a 3rd party.

Source: 2016 Verizon Data Breach Investigations Report

Current security tools installed in the data center can't handle the volume of data and threats coming from everywhere.


Problem Posed For Security Analysts

• Short staffed (1 M openings)

• Too many disparate tools

• Too many alerts to process

• Too much noise

• How to connect the dots of the relevant data points together?


Problems in Investigating a Phishing Attack

Challenge

✕ The analyst had to jump from the SIEM to more than 7 different tools, which took up valuable time.

✕ It took more than 24 hours across 2 SOC shifts to investigate, determine scope, remediate and do further forensics/investigation.

✕ Half of my time is spent getting the context needed for me to create the story.

✕ The threat was detected too late. Instead of detecting the incident on 4/9, the threat should have been detected on 3/20 when the attacker spoofed Sonja's email address.

Need

✓ Want a centralized view of my data so I don't have to jump around and learn other tools

✓ Eliminate manual tasks to investigate a case

✓ Need to discover bad stuff quicker

✓ Need the system to create the context for me in real-time

✓ The current static rules in the SIEM didn't detect the threat. Need smart analytics based on:
  ✓ User Sonja hasn't used corp gmail in the last 3 months
  ✓ User Sonja can't login from Ireland and Southern Cali at the same time
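The two behavioral checks listed above, implemented over a baseline of login events: a known user touching a service they have not used in the dormancy window, and two logins too far apart to be reached in the elapsed time. This is an added example, not Hortonworks or Metron code; the log format, the 90-day window and the 900 km/h speed ceiling are assumptions, and the events are constructed.

```python
"""Detection checks for the two 'smart analytics' needs above, run over
constructed login events. Added example; not Hortonworks or Metron code."""
import math
from datetime import datetime, timedelta

# Constructed sample events (not real data): timestamp,user,service,country,lat,lon
LOGINS = [
    "2017-01-02T09:00:00,sonja,vpn,US,34.05,-118.24",   # Los Angeles
    "2017-02-14T10:30:00,sonja,vpn,US,34.05,-118.24",
    "2017-03-20T08:00:00,sonja,vpn,US,34.05,-118.24",
    "2017-03-20T08:15:00,sonja,gmail,IE,53.35,-6.26",   # Dublin, 15 minutes later
    "2017-03-21T12:00:00,alice,vpn,US,40.71,-74.01",    # new user, no baseline yet
]

def parse(line):
    ts, user, service, country, lat, lon = line.split(",")
    return {"ts": datetime.fromisoformat(ts), "user": user, "service": service,
            "country": country, "lat": float(lat), "lon": float(lon)}

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (mean Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def detect(lines, dormant_days=90, max_kmh=900.0):
    """Return alerts as (user, kind, detail) tuples, in event order.
    dormant_days: a known user touching a service unused for this long (or never
    seen before) is flagged, the slide's 'has not used corp gmail in 3 months'.
    max_kmh: fastest plausible travel; anything faster is 'two places at once'."""
    alerts, last_use, last_event = [], {}, {}
    for ev in sorted((parse(l) for l in lines), key=lambda e: e["ts"]):
        user, svc = ev["user"], ev["service"]
        prev = last_event.get(user)
        if prev is not None:  # only users with some baseline are assessed
            last = last_use.get((user, svc))
            if last is None or ev["ts"] - last > timedelta(days=dormant_days):
                alerts.append((user, "dormant_service", svc))
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600.0
            # compare distance against reachable distance: no division by zero hours
            if km > max_kmh * hours:
                alerts.append((user, "impossible_travel",
                               f"{prev['country']}->{ev['country']}"))
        last_use[(user, svc)] = ev["ts"]
        last_event[user] = ev
    return alerts

if __name__ == "__main__":
    for alert in detect(LOGINS):
        print(alert)
```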

Introducing Hortonworks Cyber Security Package (HCP)


Hortonworks Cyber Security Package

Hortonworks Cyber Security Package Capabilities:

▪ Single view of all relevant data including new sources

▪ Dynamic ingestion and enrichment of data customized for your enterprise

▪ Cost effective storage enables longer context

▪ Advanced statistical and machine learning models to detect cyber security attacks

▪ Integration with existing SIEMs and enterprise assets

Components: Apache Metron; Cyber Security Data Ingestion Package; Cyber Security Analytics Exchange (Advanced Cyber Analytics)

The Hortonworks Cyber Security Package accelerates organizations' ability to deploy and integrate advanced Cyber Security capabilities within their enterprise environment.


Why Hortonworks Cybersecurity Package?

SOC Efficiency

• Reducing false positives

• Single view of threat

• Integrated threat feeds and asset info

• Integrate and combine tools: not just another screen to watch

• Faster Triage

More data, better data

• More sources

• Longer term analyzable data storage

• Fully enriched data with relevant context

Real-time

• Find threats faster

• Find context easier

• Mitigate early

Finding Unknowns

• Probabilities not rules

• Real-time profiles for intelligent baselines

• Dynamic rules responding to behavior not static rules written by hand

Machine Learning

• UEBA

• Relevance

• Feedback loop

• Triage everything that comes in


Foundation for HCP


Apache Metron: Incubating Project (architecture diagram)

Data Services and Integration Layer

Cyber Security Stream Processing Pipeline (Real-time Processing Cyber Security Engine modules): Telemetry Parsers, Enrichment, Threat Intel, Alert Triage, Indexers and Writers

Telemetry Ingest Buffer; Telemetry Data Collectors; Real-time Enrich / Threat Intel Streams; Performance Network Ingest Probes

Telemetry Data Sources:
• Machine Generated Logs (AD, App / Web Server, firewall, VPN, etc.)
• Security Endpoint Devices (FireEye, Palo Alto, BlueCoat, etc.)
• Network Data (PCAP, NetFlow, Bro, etc.)
• IDS (Suricata, Snort, etc.)
• Threat Intelligence Feeds (Soltra, OpenTaxi, third-party feeds)

Data Vault; Real-Time Search; Evidentiary Store; Threat Intelligence Platform; Model as a Service; Community Models; Data Science Workbench; PCAP Forensics


Cyber Security Journey

Single view into Cyber Security: free data from security tools; correlate and discover threats; operational efficiency and governance; predictive insights using machine learning; single unified view of enterprise risk & security posture.

(Journey diagram, repeated on the following slides. Stages: Active Archive, Data Discovery, Predictive Analytics, Single Holistic View, running from Renovate to Innovate. Use cases: Historical Records, OPEX Reduction, Security Tool Ingest, Digital Protection, Fraud Prevention, Public Data Capture, Cyber Security, Machine Data, Risk Modeling.)


Data Freedom through Active Archive


Data Freedom

Current security processes are manual, as data is cut and pasted from one security tool to another.

A tool-centric security program creates incompatibility and inefficiency.

Leverage the Hadoop ecosystem to free data from vendor-locked-in security tools.

Gain the ability to keep data in commodity storage for expense reduction.

Reduce or eliminate expensive licensing costs for duplicative storage of the same data.

Create automated, efficient security processes and workflow.


Insights through Data Discovery


Data Discovery and Insight

Leverage the consolidated and correlated data lake for insights.

Create consolidated, automated processes and workflow for OPEX reduction.

Gain increased protection of digital assets through a holistic view of location, configuration, vulnerabilities and threats, for risk based prioritization of what matters most.

Ability to migrate from expensive suites of security tools with redundant features to open source alternatives that do exactly what you need.


Showing value through analytics


Risk based Analytics

Leverage machine learning techniques for a risk based security posture.

Measure and visualize the value security brings to the organization.

Freedom from the avalanche of rules based alerting.

Move from a reactive to proactive security posture.


Single Holistic View


Single Holistic View

Single view of the risk posture of the organization.

Ability to drill down from enterprise risk to individual activity influencing risk.

Ability to extend to additional use-cases in agile and cost effective manner.


Hortonworks Cyber Security Package (HCP)

The Hortonworks Cyber Security Package can be implemented in an iterative manner to enable organizations to gain instant productivity for ingesting, processing and storing cyber data.

Phase 1: Cyber Security Data Ingestion Package. Real-Time Application and System log ingestion, indexing and visualization of cyber data, including dashboards and cyber notebook templates.

Phase 2: Apache Metron. Hortonworks Led Apache Project which provides a scalable advanced security ingestion and enrichment framework built on top of HDP/HDF.

Phase 3: Cyber Security Analytics Exchange. A Hortonworks Led Apache Project of statistical and machine learning models and packs that represent the next generation defense for combating security attacks.


Summary

• Financial services organizations need effective security

• Threat landscape is evolving

• Hackers are more capable and motivated

• Hortonworks Cyber Security Package

• Single View into Cyber Security

• Built on cost effective HDF and HDP

• Faster detection, efficient investigation

• Dynamic detection algorithms


Questions?


Thank you

The Journey to Metron


Cyber Security Deployment Overview

Deployment diagram labels: Enterprise Assets, NiFi Processor(s), Kafka Message Bus.

Hortonworks provides customers the ability to iteratively deploy cyber security solutions based on required features in order to support real-time ingestion of enterprise logs and network data and instantly gain insights into cyber related data.

Apache Metron: Real-Time Data Parsing and Correlation; Real-Time Data Enrichment and Cyber Feeds; PCAP Replay and Evidence Store; Cyber Dashboard and workbench

Analytics Exchange: Cyber Analytics Packs

Cyber Security Data Ingestion Package: Syslog and Application Data Ingestion; Real-Time Search Index; Cyber Dashboard and workbench


Cyber Security – Phase 1: Data Ingestion Package

Deployment diagram labels: Enterprise Assets, NiFi Processor(s), Kafka Message Bus.

The foundation of the Hortonworks Cyber Security Package is the Data Ingestion Package, which provides the ability to ingest application and system logs for indexing and visualization, along with cyber specific dashboards and notebooks.

Cyber Security Data Ingestion Package: Syslog and Application Data Ingestion; Real-Time Search Index; Cyber Dashboard and workbench


Cyber Security – Phase 2: Apache Metron

Deployment diagram labels: Enterprise Assets, NiFi Processor(s), Kafka Message Bus.

Apache Metron adds the ability to consume pcap, NetFlow and real-time cyber feeds at scale, taking in all network related data in order to correlate and enrich cyber feeds and provide more relevant cyber alerts.

Apache Metron: Real-Time Data Parsing and Correlation; Real-Time Data Enrichment and Cyber Feeds; PCAP Replay and Evidence Store; Cyber Dashboard and workbench

Cyber Security Data Ingestion Package: Syslog and Application Data Ingestion; Real-Time Search Index; Cyber Dashboard and workbench


Cyber Security – Phase 3: Analytics Exchange

Deployment diagram labels: Enterprise Assets, NiFi Processor(s), Kafka Message Bus.

The Cyber Analytics Exchange introduces Cyber Security models developed using Machine Learning algorithms that are trained on customer data and then deployed for real-time integration with Apache Metron.

Apache Metron: Real-Time Data Parsing and Correlation; Real-Time Data Enrichment and Cyber Feeds; PCAP Replay and Evidence Store; Cyber Dashboard and workbench

Analytics Exchange: Cyber Analytics Packs

Cyber Security Data Ingestion Package: Syslog and Application Data Ingestion; Real-Time Search Index; Cyber Dashboard and workbench

Apache Metron pipeline (diagram)

Sources: PCAP, NetFlow, DPI, Network Tap, IDS, AV, Email, Firewall, Host Logs

Other inputs: STIX, Flat Files, Aggregators, Model As A Service, Cloud Services

Processing: Parse, Normalize, Validate, Tag, Process, Enrich (User, Asset, Geo, WHOIS, Conn), Label

Outputs and platform: Real-Time Search, Interactive Dashboards, Data Modelling, Knowledge Graphs, PCAP Store, PCAP Replay, Integration Layer, Security Layer, Workflow Engine, Rules Engine, Analytics Exchange


Model as a Service

Diagram: Model as a Service runs on YARN. Labels: Model Service (REST interface), Model Store, Zookeeper (Service Discovery), Storm Enrichment Bolt, HDFS Historical Data Store, HBase, Train / Update. Input: Metron JSON Object; output: Metron JSON Object with added score, confidence etc. from the model.


Profiler: Lightweight behavior modeling over time

Diagram labels: Profiler Bolt, HBase, Fast Cache.

• HyperLogLogPlus: cardinality. How many servers connected?

• T-Digest: statistics. Average over different periods

• Bloom filter: presence. Finding small needles in big haystacks

• MAD outlier: outliers. Detecting unusual events in streams

Uses: Triage Scoring, Model features, Aggregations over Time
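The "MAD outlier" row above, worked through: a per-window profile of how many distinct servers one host connected to (the cardinality question), then a median-absolute-deviation score of the latest window against the earlier ones. This is an added example, not Metron's Profiler or Stellar code; the connection records, the one-hour window and the 3.5 modified z-score threshold are assumptions, and the flat-history (MAD = 0) case is handled explicitly.

```python
"""MAD outlier scoring over per-window aggregations, the 'Outliers' row of the
Profiler slide. Added example; not Metron's Profiler or Stellar code."""
import math
import statistics

# Constructed connection records (not real traffic): (epoch_seconds, src, dst).
# Host 10.0.0.5 talks to 5, 6 or 7 distinct servers per hour for 12 hours,
# then fans out to 40 servers in hour 12.
RECORDS = [
    (3600 * hour + 60 * i, "10.0.0.5", f"10.1.0.{i}")
    for hour in range(13)
    for i in range(40 if hour == 12 else 5 + hour % 3)
]

def profile_cardinality(records, host, window_seconds=3600):
    """Distinct destination count per time window for one source host (exact
    set counting here; the Profiler would use HyperLogLogPlus for the same
    'how many servers connected?' question at scale)."""
    buckets = {}
    for ts, src, dst in records:
        if src == host:
            buckets.setdefault(ts // window_seconds, set()).add(dst)
    return [len(buckets[b]) for b in sorted(buckets)]

def mad_score(history, x):
    """Modified z-score of x against history: 0.6745 * (x - median) / MAD,
    where MAD is the median absolute deviation. A flat history gives MAD = 0,
    so any deviation is unprecedented: return inf for x != median, else 0."""
    med = statistics.median(history)
    mad = statistics.median(abs(v - med) for v in history)
    if mad == 0:
        return 0.0 if x == med else math.inf
    return 0.6745 * (x - med) / mad

def is_outlier(history, x, threshold=3.5):
    """Iglewicz-Hoaglin rule: |modified z-score| above 3.5 is an outlier."""
    return abs(mad_score(history, x)) > threshold

if __name__ == "__main__":
    series = profile_cardinality(RECORDS, "10.0.0.5")
    history, latest = series[:-1], series[-1]
    print(series)
    print(mad_score(history, latest), is_outlier(history, latest))
```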