hortonworks sqrrl webinar v5.pptx
DESCRIPTION
Almost every week, news of a breach of proprietary or customer data hits the headlines. While attackers have increased the sophistication of their tactics, organizations have also advanced in their ability to build a robust, data-driven defense. Join Hortonworks and Sqrrl to learn how a Modern Data Architecture with Hortonworks Data Platform (HDP) and Sqrrl Enterprise enables intuitive exploration, discovery, and pattern recognition over your big cybersecurity data. In this webinar you will learn:
--Why Apache Hadoop is a good fit for accumulating cybersecurity data and diagnosing the latest attacks
--Effective ways to pinpoint and reason about correlated events within your data, and to assess your network security posture
--How a Modern Data Architecture that combines Hadoop with Hortonworks Data Platform and the massive, secure, entity-centric data models of Sqrrl Enterprise can discover hidden patterns and detect anomalies within your data using linked data analysis
TRANSCRIPT
Page 1 © Hortonworks Inc. 2014
Cyber Pattern Discovery using Linked Data Analysis
November 12, 2014
Webinar with Hortonworks and Sqrrl
Page 2
Joe Travaglini Director of Products Sqrrl
John Kreisa VP Strategic Marketing Hortonworks
Page 3
The Modern Data Architecture Hortonworks. We do Hadoop.
John Kreisa, VP Strategic Marketing Hortonworks
Page 4
Agenda
• Apache Hadoop and a Modern Data Architecture
• Security in a comprehensive data management platform
• Security Analytics using (Big) Cybersecurity Data
• Case study: Internal network breach
Page 5
Our Mission: Power your Modern Data Architecture with HDP and Enterprise Apache Hadoop
Who we are
• June 2011: Original 24 architects, developers, operators of Hadoop from Yahoo!
• June 2014: An enterprise software company with 420+ employees
Key Partners
Our model: Innovate and deliver Apache Hadoop as a complete enterprise data platform completely in the open, backed by a world-class support organization
Page 6
Why a Modern Data Architecture?
(Figure: existing systems (RDBMS, EDW, MPP) each feeding their own applications (business analytics, custom applications, packaged applications); limitations: silos, expensive, single purpose. New sources: clickstream, web & social, geolocation, sensor & machine, server logs, unstructured.)
MDA: Key Drivers
1. Leverage new types of data
2. IT optimization
3. Enable a data lake
GOALS
• Extend new data sets across existing data platforms
• Common data platform, multiple processing engines
• Batch, interactive and real time on a single data platform
Page 7
A Modern Data Architecture Includes Hadoop
Hadoop complements and enhances existing technologies
Common data set, multiple applications
• Optionally land all data in a single cluster
• Batch, interactive & real-time use cases
• Support multi-tenant access, processing & segmentation of data
YARN: Architectural center of Hadoop
• Consistent security, governance & operations
• Ecosystem applications certified by Hortonworks to run natively in Hadoop
(Figure: sources (clickstream, web & social, geolocation, sensor & machine, server logs, unstructured) and existing systems (RDBMS, EDW, MPP) feed applications (business analytics, custom applications, packaged applications) through YARN as the data operating system, running interactive, real-time and batch workloads over HDFS (Hadoop Distributed File System) across nodes 1 to N.)
Page 8
Unlock New Applications from New Types of Data
(Table: industry use cases by data type. Columns: Sentiment & Web, Clickstream & Behavior, Machine & Sensor, Geographic, Server Logs, Structured & Unstructured. Check marks show which data types each use case draws on.)
Financial Services: New Account Risk Screens ✔ ✔; Trading Risk ✔; Insurance Underwriting ✔ ✔ ✔
Telecom: Call Detail Records (CDR) ✔ ✔; Infrastructure Investment ✔ ✔; Real-time Bandwidth Allocation ✔ ✔ ✔
Retail: 360° View of the Customer ✔ ✔ ✔; Localized, Personalized Promotions ✔; Website Optimization ✔
Manufacturing: Supply Chain and Logistics ✔; Assembly Line Quality Assurance ✔; Crowd-sourced Quality Assurance ✔
Healthcare: Use Genomic Data in Medical Trials ✔ ✔ ✔; Monitor Patient Vitals in Real-Time ✔ ✔
Pharmaceuticals: Recruit and Retain Patients for Drug Trials ✔ ✔; Improve Prescription Adherence ✔ ✔ ✔ ✔
Oil & Gas: Unify Exploration & Production Data ✔ ✔ ✔ ✔; Monitor Rig Safety in Real-Time ✔ ✔ ✔
Government: ETL Offload/Federal Budgetary Pressures ✔ ✔; Sentiment Analysis for Government Programs ✔
Page 9
Break Down Silos with a Security Data Lake
Unlocking the Data Lake (scale and scope beyond RDBMS, MPP and EDW)
• Data Lake Enabled by YARN
• Single data repository, shared infrastructure
• Multiple security apps accessing all the data
• Enable a shift from reactive to proactive interactions
• Gain new insight across the entire enterprise
New Analytic Apps or IT Optimization
(Figure: HDP 2.1 stack: Governance & Integration, Security and Operations spanning Data Access and Data Management on YARN.)
Page 10
Big Data is Changing Cyber Security
“By 2016, more than 25 percent of global firms will adopt big data analytics for at least one security and fraud detection use case, up from current eight percent.”
– Gartner Cyber Security report Feb 2014
Gartner recommendations
• Align security capabilities in a holistic security strategy tailored to the threats and risks
• Target a single architecture to collect, index, normalize, analyze and share all information
• Profile accounts, users or other entities, and look for anomalous transactions against those profiles
Page 11
How Can Big Data Analytics Help Cyber Security?
• To prioritize threats, vulnerabilities, and attacks
• To control endpoints and mobile connections/devices
• To prevent insecure devices from accessing secure systems
• To provide intelligence about the threat landscape
• To reduce false positives
Page 12
Securely explore your data
CYBER PATTERN DISCOVERY USING LINKED DATA ANALYSIS
A Big Data Solution with Hortonworks and Sqrrl Joe Travaglini, Director of Products, Sqrrl
© 2014 Sqrrl Data, Inc. | All Rights Reserved
Page 13
Who We Are
Page 14
Agenda
• Security Analytics using (Big) Cybersecurity Data
  • Dealing with the new security dilemma
  • Why Hadoop and HDP are the perfect fit
  • The ‘Linked Data’ Approach
• Case study: internal network breach
  • Overview of scenario
  • Data modeling with Sqrrl
  • Visual, contextual research and analysis
Page 15
The Numbers Don’t Lie
229 | 87% | 90% | $12.7M
Sources, in the same order: Mandiant, Verizon, Verizon, Ponemon
Page 16
Targeted Attacks Have Changed the Game
Source: Battery Ventures
Page 17
What Does This Mean For Us?
Dissolution of the Secure Perimeter
• You’ve been breached. Deal with it.
• Empower the investigator
• Research and respond: better, faster, smarter
• It’s all about speed to understanding
Page 18
The Security Data Dilemma
Detecting attacks requires more (i.e. BIG) data
But your tools can’t handle the big data wave
So attackers are spilling in
Page 19
Hortonworks and Sqrrl Solution
A Modern Data Architecture
• Hortonworks Data Platform at the core
• Sqrrl Enterprise stack at the app layer
Hadoop enables us to look at data differently
Page 20
Sqrrl Enterprise Architecture
(Figure: layered stack, bottom to top)
• Physical: Commodity Hardware
• Data Storage: HDFS + Accumulo
• Data Model: Raw Events; Linked Data Model
• Processing: Query Engine; Bulk/Graph Processing
• Interface: Visualization / API; ML + Anomaly Detection
• Security, spanning every layer: Audit; Cryptography; Labeling + Policy
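The "Labeling + Policy" layer sits on Accumulo, whose cell-level security attaches a visibility expression to every stored cell and lets the server filter cells against the authorizations a reader presents. The following is an added example of how such an expression is parsed and evaluated; it is written in the style of Accumulo's visibility grammar but is neither Sqrrl's nor Accumulo's code, and the sample cells and the authorization names (netops, hr, investigator, audit, soc) are constructed for the illustration.

```python
"""Cell-level visibility labels in the Accumulo style (added illustration).

A cell's visibility is built from labels, '&', '|' and parentheses, e.g.
"hr&(investigator|audit)". A reader sees the cell only if the expression is
true over the reader's authorization set; an empty expression is public.
As in Accumulo, mixing '&' and '|' at one level without parentheses is an
error, so an ambiguous label can never be written in the first place.
"""
import re

_TOKEN = re.compile(r"[A-Za-z0-9_\-:./]+|[&|()]")


def _tokenize(expr):
    compact = "".join(expr.split())          # whitespace is not significant
    tokens = _TOKEN.findall(compact)
    if "".join(tokens) != compact:           # anything left over is illegal
        raise ValueError(f"invalid character in visibility {expr!r}")
    return tokens


class _Parser:
    """expr := term (('&' term)* | ('|' term)*); term := label | '(' expr ')'"""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def expr(self):
        node, op = self.term(), None
        while self.peek() in ("&", "|"):
            tok = self.take()
            if op is None:
                op = tok
            elif tok != op:                  # "a&b|c" is rejected
                raise ValueError("mixing & and | at one level needs parentheses")
            node = (op, node, self.term())
        return node

    def term(self):
        tok = self.take()
        if tok == "(":
            node = self.expr()
            if self.take() != ")":
                raise ValueError("unbalanced parentheses")
            return node
        if tok is None or tok in ("&", "|", ")"):
            raise ValueError(f"expected a label, got {tok!r}")
        return ("label", tok)


def parse_visibility(expr):
    """Return an AST, or None for the empty (public) visibility."""
    if not expr.strip():
        return None
    parser = _Parser(_tokenize(expr))
    node = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"trailing tokens in visibility {expr!r}")
    return node


def is_valid_visibility(expr):
    """Write-path check: reject a malformed label before it is stored."""
    try:
        parse_visibility(expr)
        return True
    except ValueError:
        return False


def _evaluate(node, auths):
    kind = node[0]
    if kind == "label":
        return node[1] in auths
    left, right = _evaluate(node[1], auths), _evaluate(node[2], auths)
    return (left and right) if kind == "&" else (left or right)


def can_see(expr, auths):
    """True if a reader holding `auths` may read a cell labelled `expr`."""
    node = parse_visibility(expr)
    return True if node is None else _evaluate(node, frozenset(auths))


# Constructed sample cells: (row, column, visibility, value). The labels are
# hypothetical authorization names, not ones Sqrrl defines.
SAMPLE_CELLS = [
    ("10.0.2.15", "flow:192.168.0.123", "netops", "totalBytes=3455"),
    ("jdoe", "hr:badge", "hr&(investigator|audit)", "badge=4471"),
    ("jdoe", "login:10.0.2.15", "", "2014-10-22 08:44"),
    ("10.0.2.15", "alert:external", "soc|netops", "sev=high"),
]


def visible_cells(auths, cells=SAMPLE_CELLS):
    """Read-path filtering: only the cells the reader's authorizations satisfy."""
    return [cell for cell in cells if can_see(cell[2], auths)]
```

The point for an analyst-facing platform is that the filter runs where the data lives, so the same linked model can be shared by HR, SOC and network teams while each query only returns the cells its caller is cleared for.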
Page 21
Big Data Transformed
(Figure: Data Sources -> Linked Contextual Knowledge -> Analysis)
• Security Data: VPN, FW
• Network Data: Proxy, NetFlow
• Application Data: HR, USB
Page 22
Linked Data Analysis: Adding structure to the noise
Page 23
Case Study: Compromised Network
Page 24
Breach Detection Scenario
Page 25
Case Study Model
Data Sources: DNS records, Netflow, Host logs, Database logs, External Alerts
Linked Meta Model: entities are Users and Hosts; relationships are login and flow
Page 26
Case Study Example Mapping
Netflow Records
startTime | endTime | sourceIP | destIP | sourcePort | destPort | protocol | tcpFlags | bytesIn | bytesOut
10/22/14 8:58 | 10/22/14 8:58 | 10.0.2.15 | 192.168.0.123 | 37051 | 139 | TCP | ...RS. | 100 | 3355
10/22/14 8:45 | 10/22/14 8:45 | 10.0.2.15 | 192.168.0.6 | 0 | 3328 | ICMP | ...... | 40 | 100
10/22/14 8:59 | 10/22/14 8:59 | 192.168.0.119 | 10.0.2.15 | 139 | 60071 | TCP | .A..S. | 46 | 351
Mapped into the linked model, each host IP becomes an entity and each source-to-destination pair becomes a Flow relationship whose totalBytes is bytesIn + bytesOut of the records behind it:
• 10.0.2.15 -> 192.168.0.123: Class=Flow, totalBytes = 3455 (100 + 3355)
• 10.0.2.15 -> 192.168.0.6: Class=Flow, totalBytes = 140 (40 + 100)
Page 27
Case Study Example Data
Page 28
Investigation Process
1. Set the Stage
• Define the security-centric entity/relationship model
• Extract and maintain the model
2. Enable Search and Discovery
• Visually navigate assets and actors in the network
• Drill down to the raw data seeding the model
3. Automate Analysis
• Use behavioral analytics to build expectations of ‘normal’
• Flag entities as potentially ‘abnormal’ and sniff them out
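The three steps above, applied to the NetFlow mapping from the Case Study Example Mapping slide, as an added example that is not Sqrrl's code: raw flow records are extracted into Host entities and Flow relationships (totalBytes = bytesIn + bytesOut over the seed records, which are kept for drill-down), a navigation helper lists a host's peers and the ports it reached, and a hypothetical behavioral rule flags hosts whose distinct-peer fan-out sits far above the median of hosts that originate traffic. The first three records are the slide's; the remaining rows are constructed filler so that a baseline exists, and the fan-out threshold is this example's choice, not a Sqrrl setting.

```python
"""NetFlow -> linked data model -> behavioral baseline (added example).

Reproduces the slide's mapping: hosts become entities, each sourceIP->destIP
pair becomes one Flow relationship whose total_bytes sums bytesIn + bytesOut
over the raw records seeding it. A simple, hypothetical fan-out rule then
flags the host that touches unusually many peers, which in the sample data is
the host sweeping port 139 across the subnet.
"""
import csv
import io
import statistics
from collections import Counter
from dataclasses import dataclass, field

# Rows 1-3 are the three records shown on the slide; the rest are constructed
# filler so that a baseline can be computed over several talking hosts.
NETFLOW_CSV = """\
startTime,endTime,sourceIP,destIP,sourcePort,destPort,protocol,tcpFlags,bytesIn,bytesOut
10/22/14 8:58,10/22/14 8:58,10.0.2.15,192.168.0.123,37051,139,TCP,...RS.,100,3355
10/22/14 8:45,10/22/14 8:45,10.0.2.15,192.168.0.6,0,3328,ICMP,......,40,100
10/22/14 8:59,10/22/14 8:59,192.168.0.119,10.0.2.15,139,60071,TCP,.A..S.,46,351
10/22/14 8:58,10/22/14 8:58,10.0.2.15,192.168.0.7,37052,139,TCP,...RS.,100,100
10/22/14 8:58,10/22/14 8:58,10.0.2.15,192.168.0.8,37053,139,TCP,...RS.,100,100
10/22/14 8:58,10/22/14 8:58,10.0.2.15,192.168.0.9,37054,139,TCP,...RS.,100,100
10/22/14 8:58,10/22/14 8:58,10.0.2.15,192.168.0.10,37055,139,TCP,...RS.,100,100
10/22/14 9:01,10/22/14 9:02,192.168.0.10,192.168.0.50,50210,443,TCP,.AP.S.,500,2000
10/22/14 9:05,10/22/14 9:05,192.168.0.10,192.168.0.50,50211,443,TCP,.AP.S.,300,1500
10/22/14 9:03,10/22/14 9:03,192.168.0.11,192.168.0.50,50300,443,TCP,.AP.S.,400,1800
10/22/14 9:04,10/22/14 9:04,192.168.0.12,192.168.0.53,51000,53,UDP,......,60,120
10/22/14 9:06,10/22/14 9:06,192.168.0.119,192.168.0.50,50400,443,TCP,.AP.S.,450,1900
"""


@dataclass
class Flow:
    """One relationship in the linked model, seeded by one or more raw records."""
    src: str
    dst: str
    total_bytes: int = 0
    raw: list = field(default_factory=list)   # drill-down: the seed records


@dataclass
class LinkedModel:
    hosts: set = field(default_factory=set)   # Host entities
    flows: dict = field(default_factory=dict)  # (src, dst) -> Flow


def parse_netflow(text=NETFLOW_CSV):
    """Raw event layer: typed records straight from the flow export."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        row["bytesIn"], row["bytesOut"] = int(row["bytesIn"]), int(row["bytesOut"])
        row["destPort"] = int(row["destPort"])
        records.append(row)
    return records


def build_model(records):
    """Step 1: extract the entity/relationship model from the raw records."""
    model = LinkedModel()
    for r in records:
        key = (r["sourceIP"], r["destIP"])
        model.hosts.update(key)
        flow = model.flows.setdefault(key, Flow(*key))
        flow.total_bytes += r["bytesIn"] + r["bytesOut"]
        flow.raw.append(r)
    return model


def peers_of(model, host):
    """Step 2: navigate from a host to every host it initiated a Flow to."""
    return sorted(dst for (src, dst) in model.flows if src == host)


def ports_swept(model, host):
    """Step 2: destination port -> number of distinct peers reached on it."""
    counts = Counter()
    for (src, _dst), flow in model.flows.items():
        if src == host:
            for port in {r["destPort"] for r in flow.raw}:
                counts[port] += 1
    return dict(counts)


def abnormal_fanout(model, k=3.0):
    """Step 3: over hosts that originate traffic, flag those whose distinct-peer
    count is more than k robust deviations (MAD) above the median."""
    fanout = {src: len(peers_of(model, src)) for (src, _dst) in model.flows}
    values = list(fanout.values())
    median = statistics.median(values)
    mad = statistics.median(abs(v - median) for v in values) or 1.0  # avoid /0
    return sorted(h for h, n in fanout.items() if (n - median) / mad > k)
```

Keeping the seed records on each Flow is what makes the "drill down to the raw data" step cheap: once the baseline flags 10.0.2.15, the analyst can open its edges and see that every one of them is a port 139 probe with reset-bearing flags, which is the scan that precedes the breach in the case study.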
Page 29
Visualizing the Threat
Page 30
Page 31
Thanks!
Joe Travaglini Director of Products, Sqrrl Data, Inc.
@joe_travaglini [email protected]
http://www.sqrrl.com