1 © Hortonworks Inc. 2011 – 2017. All Rights Reserved
Cyber Security for Financial Services
Carolyn Duby, Cyber Security SME / Solutions Engineer, Northeast
April 2017
Slide 2
Disclaimer
This document may contain product features and technology directions that are under development, may be under development in the future or may ultimately not be developed.
Project capabilities are based on information that is publicly available within the Apache Software Foundation project websites ("Apache"). Progress of the project capabilities can be tracked from inception to release through Apache; however, technical feasibility, market demand, user feedback and the overarching Apache Software Foundation community development process can all affect timing and final delivery.
This document’s description of these features and technology directions does not represent a contractual commitment, promise or obligation from Hortonworks to deliver these features in any generally available product.
Product features and technology directions are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
Since this document contains an outline of general product development plans, customers should not rely upon it when making purchasing decisions.
Slide 3
Agenda
• Outlook for Cyber Security in Financial Services
• Trends over past year
• Challenges going forward
• New Hortonworks Solutions to Address Challenges
Slide 4
Outlook for Financial Services
• Financial Services is a big target
• Hackers are more sophisticated
• Increased complexity of landscape
• Existing security tools can’t keep up
• Consequences are high
• New solutions needed to secure the enterprise
Introducing Hortonworks Cyber Security Package (HCP)
Slide 6
Hortonworks Cyber Security Package
Hortonworks Cyber Security Package Capabilities:
▪ Single view of all relevant data including new sources
▪ Dynamic ingestion and enrichment of data customized for your enterprise
▪ Cost effective storage enables longer context
▪ Advanced statistical and machine learning models to detect cyber security attacks
▪ Integration with existing SIEMs and enterprise assets
Components: Apache Metron; Cyber Security Data Ingestion Package; Cyber Security Analytics Exchange (Advanced Cyber Analytics)
The Hortonworks Cyber Security Package accelerates organizations’ ability to deploy and integrate advanced Cyber Security capabilities within their enterprise environment
Slide 7
Foundation for HCP
Slide 8
Apache Metron: Incubating Project (architecture diagram)
Telemetry Data Sources:
• Other machine-generated logs (AD, app / web server, firewall, VPN, etc.)
• Security endpoint devices (FireEye, Palo Alto, BlueCoat, etc.)
• Network data (PCAP, Netflow, Bro, etc.)
• IDS (Suricata, Snort, etc.)
• Threat intelligence feeds (Soltra, OpenTAXII, third-party feeds)
Telemetry Data Collectors: performance network ingest probes; real-time enrich / threat intel streams
Telemetry Ingest Buffer
Cyber Security Stream Processing Pipeline (real-time processing modules of the cyber security engine): telemetry parsers, enrichment, threat intel, alert triage, indexers and writers
Data Services and Integration Layer: Data Vault, Real-Time Search, Evidentiary Store, Threat Intelligence Platform, Model as a Service, Community Models, Data Science Workbench, PCAP Forensics
Slide 9
SOC Efficiency Challenges
• Short staffed (1 M openings)
• Too many disparate tools
• Too many alerts to process
• Too much noise
• How to connect the dots of the relevant data points together?
Slide 10
Problems in Investigating a Phishing Attack
Challenge
✕ The analyst had to jump from the SIEM to more than 7 different tools, which took up valuable time.
✕ It took more than 24 hours across 2 SOC shifts to investigate, determine scope, remediate and do further forensics/investigation.
✕ Half of my time was spent getting the context needed for me to create the story.
✕ The threat was detected too late. Instead of detecting the incident on 4/9, the threat should have been detected on 3/20 when the attacker spoofed Sonja’s email address.
Need
✓ Want a centralized view of my data so I don’t have to jump around and learn other tools
✓ Eliminate manual tasks to investigate a case
✓ Need to discover bad stuff quicker
✓ Need the system to create the context for me in real time
✓ The current static rules in the SIEM didn’t detect the threat. Need smart analytics based on:
  ✓ User Sonja hasn’t used corp gmail in the last 3 months
  ✓ User Sonja can’t log in from Ireland and Southern Cali at the same time
Slide 11
Faster, Better Alert Triage with HCP
• Bring all security data together into data lake
• Automatically enrich data with geocodes and whois
• Factor in asset and threat intelligence
• Triage using complete view of alert
• Result
➢ Focus on highest priority threats
➢ Streamline incident investigation
➢ Reduce time to detection
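The triage flow on this slide worked through in code, as an added example that is not Metron's code or configuration: constructed asset, geo and threat-intel tables are joined onto parsed events, and a small rule set scores each event so the queue is ordered by priority. The internal address ranges, field names, rules and the MAX-of-matching-rules aggregation are all assumptions.

```python
"""Enrich normalized events with asset, geo and threat-intel context, then apply triage
rules so the alert queue is ordered by priority. Added illustration: lookup tables,
field names and rules are constructed, not Metron's own configuration."""
from ipaddress import ip_address, ip_network

# Constructed lookup tables standing in for the enrichment and threat-intel stores
INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumed enterprise address space
ASSETS = {"10.0.0.5": {"owner": "finance", "criticality": "high"}}
GEO = {"203.0.113.7": {"country": "IE", "city": "Dublin"}}
THREAT_INTEL = {"203.0.113.7": "constructed sample indicator"}

# Constructed sample events, already parsed and normalized upstream
EVENTS = [
    {"id": "e1", "event_type": "auth_failure", "user": "sonja", "ip_src_addr": "203.0.113.7", "ip_dst_addr": "10.0.0.5"},
    {"id": "e2", "event_type": "login", "user": "bob", "ip_src_addr": "10.0.0.9", "ip_dst_addr": "10.0.0.5"},
    {"id": "e3", "event_type": "auth_failure", "user": "carol", "ip_src_addr": "198.51.100.4", "ip_dst_addr": "10.0.0.5"},
]

def enrich(event):
    """Join context onto the event by address so the analyst does not have to look it up."""
    out = dict(event)
    src, dst = event["ip_src_addr"], event["ip_dst_addr"]
    out["enrichments"] = {
        "asset": ASSETS.get(dst, {}),
        "geo": GEO.get(src, {}),
        "threatintel": THREAT_INTEL.get(src),
        "src_is_external": not any(ip_address(src) in net for net in INTERNAL_NETS),
    }
    return out

# Triage rules: (name, predicate over the enriched event, score)
RULES = [
    ("threat-intel-hit", lambda e: e["enrichments"]["threatintel"] is not None, 80),
    ("external-auth-failure-on-critical-asset",
     lambda e: e["event_type"] == "auth_failure" and e["enrichments"]["src_is_external"]
     and e["enrichments"]["asset"].get("criticality") == "high", 50),
    ("auth-failure", lambda e: e["event_type"] == "auth_failure", 20),
]

def triage(event, rules=RULES):
    """Score is the highest matching rule (MAX aggregation); every matching rule name is kept."""
    hits = [(name, score) for name, pred, score in rules if pred(event)]
    return {"score": max((s for _, s in hits), default=0), "rules": [n for n, _ in hits]}

def prioritize(events):
    scored = []
    for event in events:
        enriched = enrich(event)
        enriched["triage"] = triage(enriched)  # complete view first, then score
        scored.append(enriched)
    return sorted(scored, key=lambda e: e["triage"]["score"], reverse=True)
```

Any rule that only looks at the raw event still fires, but the two context-dependent rules cannot be expressed at all until the asset and threat-intel joins have happened.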
Slide 12
Apache Metron pipeline (architecture diagram):
• Telemetry sources: PCAP, NetFlow, DPI, network tap, IDS, AV, firewall, host logs
• Ingest stages: PARSE, NORMALIZE, TAG, VALIDATE, PROCESS, ENRICH, LABEL
• Enrichment context: USER, ASSET, GEO, WHOIS, CONN
• Threat intelligence inputs: STIX, flat files, aggregators, Model as a Service, cloud services
• Platform components: Real-Time Search, Interactive Dashboards, Data Modelling, Knowledge Graphs, PCAP Store, Integration Layer, PCAP Replay, Security Layer, Workflow Engine, Rules Engine, Analytics Exchange
Slide 13
Existing Cyber Security Solutions Don’t Scale to the Challenge
82% of breaches happened in minutes
8 months: average time an advanced security breach goes unnoticed
70%-80% of breaches are first detected by a 3rd party
2016 Verizon Data Breach Investigations Report
Current security tools installed in the data center can’t handle the volume of data & threats from everywhere
Slide 14
Scalability with HCP
• Retain enriched security data longer
  – Offload historical data from space-constrained tools
  – Into cost effective, scalable Hadoop
• Apply other non-security data
  – HR databases, IT inventory systems, social media, others
• Result
  ➢ More context for investigating incidents
  ➢ Identify scope of incident and response required
  ➢ Mine historical data for insights
  ➢ Cost savings
Slide 15
Finding Unknowns – Rogue Insiders
• Tight security undermined by insiders
• Curious, helpful, conscientious victims
  • 91 percent of cyberattacks start with a phishing email
  • Yahoo! breach of 500 million user accounts
• Whistleblowers and hacktivists
  • Edward Snowden and Chelsea Manning
  • Wikileaks, Panama Papers
• Disaffected
  • Citibank employee disables routers after bad review
• Targeted for bribery and outside influence
(Images: Wikileaks; Edward Snowden and Chelsea Manning; ABC News)
Slide 16
Profiling
• User and Entity Behavior Analytics
• Establish normal behavior of entity
• Time series measurements of entities
• Anomaly detection
• Alert when outside of normal range
Slide 17
Profiler: Lightweight behavior modeling over time
Profiler Bolt → HBase; Fast Cache
Techniques and the question each answers:
• HyperLogLogPlus – cardinality: how many servers connected?
• T-Digest – statistics: average over different periods
• Bloom filter – presence: finding small needles in big haystacks
• MAD outlier – outliers: detecting unusual events in streams
Profiles feed triage, scoring, model features and aggregations over time
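The profiling loop of the last two slides in code, as an added example that is not Metron's profiler: hourly per-user profiles are built over constructed telemetry, the newest window is scored against that user's own history with the MAD outlier sketch listed above, and a plain set stands in for the Bloom filter's presence question ("has this user ever used this service before?"). Window size, field names and the alert threshold are assumptions.

```python
"""Lightweight entity profiler (added illustration, not Apache Metron's profiler code):
aggregate one measurement per entity per time window, flag the newest window with a
MAD-based modified z-score against that entity's own history, and answer presence."""
from collections import defaultdict
from statistics import median
WINDOW_SECONDS = 3600  # hourly profile windows (assumption)

# Constructed sample telemetry: (timestamp_seconds, user, bytes_out)
EVENTS = [
    (0, "alice", 70), (1800, "alice", 50), (3600, "alice", 110), (7200, "alice", 130),
    (10800, "alice", 125), (14400, "alice", 115), (18000, "alice", 900),
    (0, "bob", 50), (3600, "bob", 60), (7200, "bob", 55), (10800, "bob", 65),
    (14400, "bob", 58), (18000, "bob", 62),
]

def build_profiles(events, window=WINDOW_SECONDS):
    """Sum the measurement per entity per window -> {entity: [(window_start, total), ...]}."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, entity, value in events:
        buckets[entity][ts - ts % window] += value
    return {e: sorted(b.items()) for e, b in buckets.items()}

def modified_z(history, value):
    """0.6745 * (x - median) / MAD: robust to a few extreme windows, unlike mean/stddev."""
    if len(history) < 3:
        return 0.0  # not enough history to call anything unusual
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:  # flat history: any deviation is unusual, none is normal
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad

def score_latest(profiles, threshold=3.5):
    """Compare each entity's newest window to its own history; return the alerts."""
    alerts = {}
    for entity, series in profiles.items():
        *history, (win_start, latest) = series
        z = modified_z([v for _, v in history], latest)
        if abs(z) > threshold:
            alerts[entity] = {"window": win_start, "value": latest, "score": round(z, 2)}
    return alerts

def first_time_seen(seen, entity, value):
    """Presence check: True the first time an entity produces a value. A set stands in for
    the Bloom filter, which may answer 'seen' wrongly but never answers 'new' wrongly."""
    known = seen.setdefault(entity, set())
    novel = value not in known
    known.add(value)
    return novel
```

The per-entity baseline is the point: alice's 900-byte hour is only an outlier relative to her own history, and a global threshold tuned for bob would either miss it or drown the queue.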
Slide 18
Finding Unknowns – Investigation and Threat Hunting
Slide 19
Machine Learning
Prioritize and analyze all the alerts using machine learning models
Move beyond signature based tools
Advanced techniques to detect more complex future attacks
Incorporate models from analytics exchange or develop your own
Slide 20
Model as a Service (architecture diagram, running on YARN)
• Historical Data Store: HDFS, HBase
• Train / Update models from the historical data store
• Model Store
• Model Service with REST interface; Zookeeper service discovery
• Storm Enrichment Bolt: sends the Metron JSON Object to the model service and receives the Metron JSON Object with added score, confidence, etc. from the model
Slide 21
Cyber Security Journey
Single view into Cyber Security
Free data from security tools
Correlate and discover threats
Operational efficiency and governance
Predictive insights using machine learning
Single unified view of enterprise risk & security posture.
(Journey diagram, Renovate → Innovate: Active Archive, Data Discovery, Predictive Analytics, Single Holistic View; labelled with Security Tool Ingest, Historical Records, OPEX Reduction, Machine Data, Digital Protection, Public Data Capture, Cyber Security, Fraud Prevention, Risk Modeling)
Slide 22
Data Freedom through Active Archive
Data Freedom
Current security processes are manual as data is cut & paste from one security tool to another.
Tool-Centric security program creates incompatibility and inefficiency.
Leverage the Hadoop ecosystem to free data from vendor locked in security tools.
Gain ability to keep data in commodity storage for expense reduction
Reduce or eliminate expensive licensing costs for duplicative storage of same data.
Create automated efficient security processes & workflow.
Slide 23
Insights through Data Discovery
Data Discovery and Insight
Leverage consolidated & correlated data lake for insights.
Create consolidated automated processes & workflow for OPEX reduction.
Gain increased protection of digital assets through holistic view of location, configuration, vulnerabilities, and threats for risk based prioritization of what matters most.
Ability to migrate from expensive suites of security tools with redundant features to open source alternatives that do exactly what you need.
Slide 24
Showing value through analytics
Risk based Analytics
Leverage machine learning techniques for a risk based security posture
Measure and visualize the value security brings to the organization.
Freedom from the avalanche of rules based alerting.
Move from a reactive to proactive security posture.
Slide 25
Single Holistic View
Single view of the risk posture of the organization.
Ability to drill down from enterprise risk to individual activity influencing risk.
Ability to extend to additional use-cases in agile and cost effective manner.
Slide 26
Hortonworks Cyber Security Package (HCP)
Phase 1 – Cyber Security Data Ingestion Package: real-time application and system log ingestion, indexing and visualization of cyber data, including dashboards and cyber notebook templates
Phase 2 – Apache Metron: Hortonworks-led Apache project which provides a scalable advanced security ingestion and enrichment framework built on top of HDP/HDF
Phase 3 – Cyber Security Analytics Exchange: a Hortonworks-led Apache project of statistical and machine learning models and packs that represents the next generation defense for combating security attacks
The Hortonworks Cyber Security Package can be implemented in an iterative manner to enable organizations to gain instant productivity for ingesting, processing and storing cyber data
Slide 27
Why Hortonworks Cybersecurity Package?
SOC Efficiency
• Reducing false positive
• Single view of threat
• Integrated threat feeds and asset info
• Integrate and combine tools: not just another screen to watch
• Faster Triage
More data, better data
• More sources
• Longer term analyzable data storage
• Fully enriched data with relevant context
Real-time
• Find threats faster
• Find context easier
• Mitigate early
Finding Unknowns
• Probabilities not rules
• Real-time profiles for intelligent baselines
• Dynamic rules responding to behavior not static rules written by hand
Machine Learning
• UEBA
• Relevance
• Feedback loop
• Triage everything that comes in
Slide 28
Questions?
Slide 29
Thank you