Minimizing Dwell Time on Networks in IR with TAPIO
Post on 30-Jul-2015
TRANSCRIPT
TAPIO
Distribution Statement A – Approved for Public Release, Distribution Unlimited
This research was developed with funding from the Defense Advanced Research Projects Agency (DARPA). The views, opinions, and/or findings contained in this article/presentation are those of the author(s)/presenter(s) and should not be interpreted as representing the official views or policies of the Department of Defense or the U.S. Government.
TAPIO
Distributed incident response and situational awareness
Source: http://www.esecurityplanet.com/network-security/big-data-overwhelms-security-teams.html
TAPIO
Goal:
• Give analysts access to all relevant data to reason over
• Automatically bridge the gap between data access and reasoning
Approach:
• Keep data where it is
• Provide visibility with the agent
• Link relevant data via a rich ontology
• Yield answers, not pointers
Target TAPIO User
• Technical staff, network defenders
• Incident responders
• System & network administrators
• Security engineers and operators
Key Technologies
• Agent-based approach
• RDF and SPARQL for reasoning
• Executable capability profiling
• Natural language processing
• Peer-to-peer networking
• Passive and active network discovery
TAPIO Components
• Devices, aka endpoints & infrastructure
• TAPIO query node (management/query node)
• TAPIO agent and protocol
TAPIO Paradigms
• Keep data at the edge, at rest, query in place
• Map everything possible, make available
• Secure access via an agent
Diagram labels: TAPIO mgmt server, Firewall
TAPIO Agent Platforms
Agent Benefits
• Avoids backhaul
• Lower CPU, disk, bandwidth requirements
• Massively parallel
• Avoids a credential cache, enables higher security
• Wider area of discovery
• Multiple observations to detect compromises
Target Investigator Questions
• What executables were installed that were received via email?
• What programs that were installed an hour ago are now talking to the network?
• What newly registered domains were in chat links clicked by my employees?
TAPIO Features
Natural Language Interface
• Lets defenders move at the speed of thought
• Ask the question instead of writing a program
• Maps the analyst's natural language query to SPARQL for them
• Raw SPARQL queries still available
Query assistance based on logical guesses
Automatic query transformation
Linked data in results
TAPIO P2P Network
• Chose P2P
  • Lighter network footprint
  • Handles a dynamic network
  • Future goal of agents checking agents
• Based on Chord
  • Extended to allow for bridging and super nodes
ICAS Ontology
• Maps cybersecurity data, concepts, & world state into a common vocabulary
• Covers network and host data, not just security alerts and events
Why an Ontology?
• Linked data is natural
• Disparate sources, common language
• Facilitates reasoning
• Scale the analyst: millions of nodes and relationships
• Replication of analysis
• Hypothesis testing
Small excerpt from authentication and user ontologies
TAPIO Integrations
• Discover devices
• Talk to devices
• Get data from devices
• Map data from devices
Make all security relevant data available to the analyst
Non-Agent Platform Detection
• Printers
• IoT devices
• Computing devices
• Routers
Host display within management view
Delegate proxy access to a specific agent
Enterprise Data Sources
• Local agent
• Remote interaction (web, SNMP, etc.)
Multiple Protocols Spoken
• Security and network appliances
  • HTTP(S), SNMP, SSDP, mDNS, etc.
• Hosts w/o agent
  • SMB/NetBIOS, mDNS, ARP/NDP, SNMP, etc.
Two Step Data Mapping Process
Text input or HTML input -> Structured record detection -> Structured records -> Schema mapping
# IDS alert expressed in the ICAS ontology (Turtle); prefix declarations are omitted on the slide
<urn:x-tapio:561077c0-5ea7-11e4-a28c-705681c470ef#Alert-IDS+Alert+1>
    a controls:Alert, owl:NamedIndividual ;
    rdfs:label "IDS Alert 1"@en ;
    event:time <urn:x-tapio:561077c0-5ea7-11e4-a28c-705681c470ef#Instant-2014-05-12T09:29:22%2B05:00> ;
    controls:generatedBy :DetectiveSecurityControl-192.168.1.122 ;
    controls:hasSource :Connection-000000001 ;
    controls:triggeredByRule <urn:x-tapio:561077c0-5ea7-11e4-a28c-705681c470ef#Rule-EXPLOIT-KIT+Magnitude+exploit+kit+Microsoft+Internet+Explorer+Payload+request> ;
    rdfs:comment ""@en .
AuthEvent Example
# Successful SSH authentication as an ICAS AuthEvent (Turtle); prefix declarations are omitted on the slide
:AuthEvent-000000033
    a authentication:AuthEvent, owl:NamedIndividual ;
    rdfs:label "urn:x-tapio:1bcb1ff0-53cf-11e4-b823-08002703b1f5#AuthEvent-000000033"@en ;
    event:time <urn:x-tapio:1bcb1ff0-53cf-11e4-b823-08002703b1f5#Interval-2014-07-26T04:04:05-12:00> ;
    authentication:authBy :AuthProvider-AuthProvider-sshd.exe ;
    authentication:authStatus "success"^^xsd:string ;
    authentication:authToHost :Host-000000003 ;
    authentication:sessionId "0x113074"^^xsd:string ;
    authentication:usingCredential :LoginCredential-vagrant .

# The event's time is an OWL-Time interval linking a start and an end instant
<urn:x-tapio:1bcb1ff0-53cf-11e4-b823-08002703b1f5#Interval-2014-07-26T04:04:05-12:00>
    a owl:NamedIndividual, time:Interval ;
    rdfs:label "2014-07-26T04:04:05-12:00"@en ;
    rdfs:comment ""@en ;
    time:hasBeginning <urn:x-tapio:1bcb1ff0-53cf-11e4-b823-08002703b1f5#Instant-2014-07-26T04:04:05-12:00> ;
    time:hasEnd <urn:x-tapio:1bcb1ff0-53cf-11e4-b823-08002703b1f5#Instant-2014-07-26T04:04:17-12:00> .
Marrying host observations and device data
Diagram (built up over three slides): a TAPIO agent on the host, and a security appliance
• Security appliance: Flow 5.6.7.8...4.3.2.1, Alert 1234
• Host (via the TAPIO agent): Login from 4.3.2.1, Login at 2014-10-20T08:09:10, User AbcXyz, Process Foo.exe [9876]
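As an added illustration of the join the slides above describe (not code from TAPIO), the Python below links an appliance alert to the host-agent observations for the same remote address within a time window. The flows, alerts, logins and processes are constructed sample data modelled on the slide; the extra flow, login and process are assumed distractors.

```python
"""Link an appliance alert to host-agent observations (added example, not TAPIO code).
All records are constructed sample data modelled on the slide's Flow/Alert/Login/Process
labels; the join key is the flow's remote IP plus a time window around the flow time."""
from datetime import datetime, timedelta

# Constructed security-appliance observations: flows, and the alert that fired on one.
FLOWS = {
    "flow-1": {"src": "5.6.7.8", "dst": "4.3.2.1", "time": "2014-10-20T08:09:12"},
    "flow-2": {"src": "5.6.7.8", "dst": "9.9.9.9", "time": "2014-10-20T03:00:00"},
}
ALERTS = {"1234": {"flow": "flow-1", "rule": "example-rule"}}

# Constructed host-agent observations, keyed by the agent host's own address.
HOST_OBS = {
    "5.6.7.8": {
        "logins": [
            {"from": "4.3.2.1", "time": "2014-10-20T08:09:10", "user": "AbcXyz"},
            {"from": "4.3.2.1", "time": "2014-10-19T08:09:10", "user": "Other"},
        ],
        "processes": [
            {"pid": 9876, "name": "Foo.exe", "user": "AbcXyz", "start": "2014-10-20T08:09:11"},
            {"pid": 42, "name": "svc.exe", "user": "SYSTEM", "start": "2014-10-01T00:00:00"},
        ],
    }
}

def _near(a, b, window):
    """True when two ISO-8601 timestamps fall within the window of each other."""
    return abs(datetime.fromisoformat(a) - datetime.fromisoformat(b)) <= window

def link_alert(alert_id, window=timedelta(minutes=5)):
    """Host-side context for an appliance alert, or None if no agent host is on the flow.
    Takes logins from the remote end near the flow time, then processes those users started."""
    alert = ALERTS.get(alert_id)
    if alert is None:
        return None
    flow = FLOWS[alert["flow"]]
    # Whichever end of the flow runs an agent is "local"; the other end is "remote".
    for local, remote in ((flow["src"], flow["dst"]), (flow["dst"], flow["src"])):
        host = HOST_OBS.get(local)
        if host is None:
            continue
        logins = [lg for lg in host["logins"]
                  if lg["from"] == remote and _near(lg["time"], flow["time"], window)]
        users = {lg["user"] for lg in logins}
        procs = [p for p in host["processes"]
                 if p["user"] in users and _near(p["start"], flow["time"], window)]
        return {"host": local, "remote": remote, "flow": alert["flow"],
                "logins": logins, "processes": procs}
    return None
```

The result for alert 1234 is the answer an analyst wants (host, user, process), not a pointer to two separate data stores.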
TAPIO
• Scaling incident response investigations
• Empowering analysts to do more, faster