Real-time Security Analytics: Automating the Discovery, Understanding, and Action Against Advanced Security Threats
Neal Hartsell, Vice President Marketing
Today's Security Dilemma
Modern attacks increase the risk gap (chart: risk over time, with the gap between the rising threat and the current approach widening; source: Verizon Data Breach Report 2012)
• Increasing threat: attack surface, attacker motivation, attacker skills/tools
• Current approach: point products, more people, big data
Click Security Confidential
We Have Big Data. We Don't Understand It.
Data sources: firewall, anti-virus, advanced malware protection, web proxy
• One firewall = 1 billion events per day
• Indicators of compromise are in the data
• Analysts can't piece them together fast enough
Click Vision: Next Generation Security Platform
Analytics
• Analytics drive the data source
• Multiple methods
• Evergreen
• Policy customized
• Leverage investment
Human Need
• Automation
• Interactive visualizations
• Speed
• Full context
• Timeframe selectable
Community
• New analytics discovery
• Info sharing
• Best practice exchange
• Threat intel exchange
Real-time Security Analytics (RtSA)
RtSA converts big security data into real-time kill chain detection.
Kill chain stages: early stage, mid stage, late stage
Analytics placed along the kill chain (diagram): early indicators, IIS OWA spam, rare event (profiling), actor health monitor, policy violations, periodic comms, vuln sys attack, HTTP redirect catcher, suspicious file downloads, authentication anomalies
RtSA Solution Overview
Workflow: Capture & Contextualize → Automated Interaction → Actor Drill Down → Directed Response
• Capture & contextualize: layers of analytics; associate findings to entities (actors); prioritized view
• Automated interaction: Data View (files, traffic), Fanout View (device, user), Drill Down View; the percentages in the original diagram show each actor's share per view
• Actor drill down: Whose system is it? What data is there? How far reaching is it? Over what timeframe?
• Directed response (Help Desk action, IT Security action, HR action): update FW rule, wipe machine, notify HR
Example Real-time Security Analytic
"User coming into a critical server from an Android device in Uganda that also has a connection to a blacklisted IP address in China, and this same user logged in from Dallas 30 minutes ago..."
This real-time security analytic is composed from three lower-level analytics running on the real-time stream processing engine:
• "Flow to a blacklisted IP address"
• "User tied to an unusual device"
• "Access from a strange location"
Big security data feeding the engine: Internet threats, auth activity, user activity, flow activity, vulnerability assessment, security policy, enterprise security events, application activity
RtSA Solution Technology (layers, top to bottom)
Click Labs Analytics Service (CLAS)
• Optional monitoring, alerting, reporting service
• Continuous R&D of new analytics
Applications
• Real-time analyst interaction
• Actor Context Graph (ACG) interaction
• Alerts, reports, visualizations, etc.
Click Analytics
• Real-time security analytics
• Machine learning, rule-based, statistical, file inspection, etc.
• Continuous stream of new/modified analytics
Platform: Stream Processing Engine
• Real-time stream processing
• Actor state
• Auto-contextualizes each incremental event
• Long window of persistence
Platform: Interpreters
• Real-time feature extraction and optimization
• Transform input data into a set of features
• Can be rapidly modified based upon analytic needs
Platform: Miners
• Real-time telemetry collection (logs and packets)
• Web proxy, IPS, Windows Auth, Bro, P0F, Snort, etc.
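The example analytic on the previous slide, implemented as a small stream correlator in the shape the technology slide describes (per-actor state persisting across incremental auth and flow events, three layered indicator analytics, and a prioritized actor view). This is an added illustration, not Click Security's code; the blacklist, host names, travel window and event records are constructed.

```python
from collections import defaultdict
# Constructed threat intel and policy for this example.
BLACKLIST = {"198.51.100.9"}
CRITICAL_HOSTS = {"critical-srv"}
TRAVEL_WINDOW = 3600  # seconds; two cities inside an hour counts as "strange"
class StreamEngine:
    """Keeps per-actor (user) state and runs layered analytics on each event."""
    def __init__(self):
        self.actors = defaultdict(lambda: {"devices": set(), "geo": None, "ts": None,
                                           "indicators": [], "critical": False})
        self.ip_owner = {}  # src_ip -> user, learned from the latest auth event
    def process(self, ev):
        if ev["type"] == "auth":
            self._auth(ev)
        elif ev["type"] == "flow" and ev["dst_ip"] in BLACKLIST:
            user = self.ip_owner.get(ev["src_ip"])  # contextualize the flow to an actor
            if user:
                self._add(user, "Flow to a blacklisted IP address")
    def _auth(self, ev):
        a = self.actors[ev["user"]]
        self.ip_owner[ev["src_ip"]] = ev["user"]
        if a["devices"] and ev["device"] not in a["devices"]:
            self._add(ev["user"], "User tied to an unusual device")
        if a["geo"] and ev["geo"] != a["geo"] and ev["ts"] - a["ts"] < TRAVEL_WINDOW:
            self._add(ev["user"], "Access from a strange location")
        if ev.get("dst") in CRITICAL_HOSTS:
            a["critical"] = True
        a["devices"].add(ev["device"])
        a["geo"], a["ts"] = ev["geo"], ev["ts"]
    def _add(self, user, indicator):
        if indicator not in self.actors[user]["indicators"]:
            self.actors[user]["indicators"].append(indicator)
    def prioritized(self):
        """Rank actors by indicator count, doubled when a critical server was touched."""
        rows = [(u, len(a["indicators"]) * (2 if a["critical"] else 1), a["indicators"])
                for u, a in self.actors.items() if a["indicators"]]
        return sorted(rows, key=lambda r: -r[1])
# Constructed event stream reproducing the slide's scenario (ts in seconds).
EVENTS = [
    {"type": "auth", "user": "jdoe", "src_ip": "10.1.1.5", "geo": "Dallas",
     "device": "Windows", "ts": 0},
    {"type": "auth", "user": "jdoe", "src_ip": "203.0.113.7", "geo": "Uganda",
     "device": "Android", "ts": 1800, "dst": "critical-srv"},
    {"type": "flow", "src_ip": "203.0.113.7", "dst_ip": "198.51.100.9", "ts": 1850},
]
def run(events=EVENTS):
    eng = StreamEngine()
    for ev in events:
        eng.process(ev)
    return eng.prioritized()
```

Each indicator on its own is low-signal; the actor view is what turns three weak hits on one user into a prioritized finding.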
Key Solution Features
Analytics Scalability
• Purpose-built stream processing runs the greatest number of layered analytics
• Layered analytics interact with one another
• No limit to depth or breadth of analytic types
Analyst Empowerment
• Designed for dynamic human interaction with analytics
• Dynamic contextual analysis / augmentation
• Visualization ease and speed
Rapid Adaptability
• Continuous insertion of new analytics
• Analytics dynamically drive data requirements, not the other way around
Continuous Automation
• Each finding can be automated, enabling your analysts to move up-stack
Expert Assistance
• We can augment your staff with CLAS
Investment Leverage (Investment Protection)
• Leverage existing infrastructure
Solution Value
For the security analyst: reduce time to detect, reduce time to understand, reduce time to respond
• Find and stop attack activity early in the kill chain
• Actor and file analytics contextualize big data into prioritized, in-depth security visibility, automatically
• Speed and simplify the analysis / incident response process
• Real-time visualization, interactive data analysis, and results encoding
Deployment
Two deployment models (diagram): premise-centric and cloud-centric
• Components: Click Cloud, Click Labs, RtSA Tracker Portal, ArtifactR Cluster, MPU Cluster, Smart Miner(s)
• Inputs to the Smart Miner(s): log-based sources, packet-based sources, files
• Click Cloud: public or private; multi-location; dynamically updated
• Data needs are modified per analytic needs
Complementary But Differentiated
Real-time Security Analytics
• Purpose-built stream processing engine
• Real-time contextualization and alerting
• Large number of concurrent, multi-factor analytics
• Real-time analyst visualization / interaction
• Not optimized for long-term data retention / compliance reporting
Fast Search
• Good at ad hoc queries of known questions
• Distributed map-reduce tech beats SIEMs at log queries
• Not designed for real-time performance or analytic flexibility
Forensics
• Forensic, "network VCR" focused
• Deep "after the fact" analysis
• Batch processing design
• Not designed for real-time (early indicator) analytics performance
Advanced Malware
• Malicious .exe's
• Command/control
• Often missing key contextual analysis
• Limited analytics flexibility
SIEM
• Log retention
• Compliance
• Simple alerting
• Vanilla OOB
• Performance bound
• Fixed analytics, fixed data sources
REAL-TIME SECURITY ANALYTICS: AUTOMATE THE ANALYSIS.