
Advanced threat protection and big data

An ethical hacker's view of advanced threat protection and big data
Slide 1 © First Base Technologies 2013

Peter Wood, Chief Executive Officer

First Base Technologies

Advanced Threat Protection and Big Data

An Ethical Hacker’s View

Slide 2

Who is Peter Wood?

Worked in computers & electronics since 1969

Founded First Base in 1989 (one of the first ethical hacking firms)

CEO, First Base Technologies LLP

Social engineer & penetration tester

Conference speaker and security ‘expert’

Member of ISACA Security Advisory Group

Vice Chair of BCS Information Risk Management and Audit Group

UK Chair, Corporate Executive Programme

FBCS, CITP, CISSP, MIEEE, M.Inst.ISP

Registered BCS Security Consultant

Member of ACM, ISACA, ISSA, Mensa

Slide 3

Agenda

• Big Data elevator pitch

• Advanced Threats – really?

• Why Big Data for security?

• How can Big Data help?

• Can we do it now?

• Summing up

Slide 4

Big Data elevator pitch

Slide 5

Big Data is quite large

Every day, we create 2.5 quintillion bytes of data — so much that 90% of the data in the world today has been created in the last two years alone. This data comes from everywhere: sensors used to gather climate information, posts to social media sites, digital pictures and videos, purchase transaction records, and cell phone GPS signals to name a few.

http://www-01.ibm.com/software/data/bigdata/

2.5 quintillion = 2.5 exabytes = 2.5 x 10^18 bytes

IDC projects that the digital universe will reach 40 zettabytes by 2020, resulting in a 50-fold growth from the beginning of 2010

http://uk.emc.com/about/news/press/2012/20121211-01.htm

40 zettabytes = 40 x 10^21 bytes = 57 times all the grains of sand on all the beaches on earth

Slide 6

Big Data can be useful

• Creating transparency by making relevant data more accessible

• Enabling experimentation to discover needs, expose variability and improve performance - use data to analyse variability in performance and understand the root causes

• Segmenting populations to customise actions and tailor products and services to meet specific needs

• Replacing/supporting human decision-making with automated algorithms in order to minimise risk

• Innovating new business models, products and services

McKinsey Global Institute: “Big data: The next frontier for innovation, competition, and productivity”, May 2011

Slide 7

Where are we with Big Data in general?

• Mainstream adoption? Early days

• Skills and risks underestimated

• IT professionals say:

- Over-hyped

- Has a lot of potential

- Vendors may not deliver on promises

Slide 8

Advanced Threats – really?

Slide 9

Advanced Threats

• Massive increase in advanced malware bypassing traditional security defenses

• Volumes vary substantially among different industries

• Email-based attacks are growing, with link- and attachment-based malware presenting significant risks

• Cybercriminals are increasingly employing limited-use domains in their spear phishing emails

• Malicious email attachments growing more diverse, evading traditional security defenses

FireEye Advanced Threat Report – 1H 2012

Slide 10

Weekly count from FireEye Web MPS appliances across global customer base

These levels reflect the number of Web-based malware attacks that originated outside the target organization, successfully evaded traditional filters, and were blocked or infected target systems

Slide 11

The Post Breach Boom, Ponemon Institute, February 2013

Survey of 3,529 IT and IT security practitioners in US, Canada, UK, Australia, Brazil, Japan, Singapore and UAE

Slide 12

The Post Breach Boom, Ponemon Institute, February 2013

Survey of 3,529 IT and IT security practitioners in US, Canada, UK, Australia, Brazil, Japan, Singapore and UAE

Slide 13

The Post Breach Boom, Ponemon Institute, February 2013

Slide 14

The Post Breach Boom, Ponemon Institute, February 2013

Slide 15

Why Big Data for security?

Slide 16

The tipping point

• Complex threat landscape

• Avalanche of new technology and challenges

• Skills shortages?

• Financial pressures, especially for headcount

• Large organisations can’t rely on “traditional” defences:

- Preventative controls

- Siloed security solutions

- Hardening

- Processes and procedures

Slide 17

The tipping point inputs

Complex threat landscape:

• Stealth malware

• Targeted attacks

• Social engineering

New technologies and challenges:

• Social networking

• Cloud

• BYOD / consumerisation

• Virtualisation

Slide 18

What do we do today?

Traditional defences:

• Signature-based anti-virus

• Signature-based IDS/IDP

• Firewalls and perimeter devices

Traditional approach:

• Data collection for compliance

• Check-list mindset

• Tactical thinking

Slide 19

SANS says …

SANS Annual Log and Event Management Survey, May 2012

Slide 20

How can Big Data help?

Slide 21

How can Big Data help?

• SIEM on steroids?

• Fraud detection

• APT detection?

• Integration of IT and physical security?

• SIEM + IDS/IPS?

• Predictive analysis

Slide 22

Big Data to Collect

• Logs

• Network traffic

• IT assets

• Sensitive / valuable information

• Vulnerabilities

• Threat intelligence

• Application behaviour

• User behaviour

Slide 23

Big Data Analytics

• Real-time updates

• Behaviour models

• Correlation

• Heuristic capability

• Interoperability

• … advising the analysts?

• … active defence?

Slide 24

Can we do it now?

Slide 25

Big Data = Big Investment, but …

• Today: Big Data for Big Organisations with Big Budgets

News from RSA Conference 2013:

• HP say about 3% of companies are doing this today

• Analysts expect 40% adoption by 2016

• Cloud-based Big Data may enhance existing SIEM

• … and overcome the skills gap

• Enhancing SIEM with threat intelligence

• Augmenting SIEM with IT asset information

More Improvements To SIEM Than Big Data – DarkReading.com, 22/02/2013

Slide 26

Big Data Last Year

Gartner said:

Sourcefire's FireAMP technology and the technology from Prevx (acquired by Webroot in 2010) are examples of security providers that determine malicious intent by analysing vast amounts of observed executable behaviors and metadata.

Vendors such as NetWitness (acquired by RSA), Global DataGuard, Narus (acquired by Boeing), Solera and Fidelus Technologies, and network behavior analysis solutions, such as Lancope, collect large amounts of network packets and/or flows to support the analysis for anomalous activities.

In addition, some SIEM vendors, such as Q1 Labs (acquired by IBM) and HP ArcSight, can directly consume and analyze NetFlow data.

Information Security Is Becoming a Big Data Analytics Problem – Gartner, 23/03/2012

Slide 27

Big Data Tomorrow

RSA says:

Within the next two years, we predict big data analytics will disrupt the status quo in most information security product segments, including SIEM; network monitoring; user authentication and authorization; identity management; fraud detection; and governance, risk & compliance.

Big Data Holds Big Promise For Security – RSA Security Brief, January 2013

Slide 28

Big Data Skills

• Big Data is more about the processing techniques and outputs than the size of the data set itself, so specific skills are required to use Big Data effectively

• There is a general shortage of specialist skills for Big Data analysis, in particular when it comes to using some of the less mature technologies

Slide 29

Summary

• All organisations need to invest in research and study of the emerging Big Data Security Analytics landscape

• Big Data has the potential to defend against advanced threats, but requires a Big Re-think of approach

• Relevant skills are key to successful deployment; only the largest organisations can invest in this now

• Offerings exist for the other 97% that can enhance existing technologies using cloud-based solutions

Slide 30

Peter Wood, Chief Executive Officer

First Base Technologies LLP

[email protected]

http://firstbase.co.uk

http://white-hats.co.uk

http://peterwood.com

Twitter: peterwoodx

Need more information?