michael schiebel - security analytics journey - a year's lesson learned
TRANSCRIPT
1 © Hortonworks Inc. 2011 – 2016. All Rights Reserved
Security analytics journey
A year's lesson learned
Michael Schiebel, Cybersecurity Strategist
3/30/2016
Today’s talk regards: community-driven, open source projects
To be 100% open you must influence the roadmap
• We Employ the Committers: one third of all committers to the Apache® Hadoop™ project, and a majority in other important projects
• Our Committers Innovate and expand both Open Enterprise Hadoop and Apache NiFi
• We Influence the Hadoop Roadmap by communicating important requirements to the community through our leaders
Apache Hadoop Committers
Agenda
• Who am I?
• A year in review
• Core lessons
• Apache Nifi
• Apache Metron
• Putting it all together
• Next steps
• Questions
Who am I?
• +15 years information security experience
  – Financial & Healthcare
  – Incident Response
  – Computer Forensics & Malware analysis
  – Application Security
  – Security Architecture
  – Security Executive
    • Strategy
    • Business case development
• Hortonworks Cybersecurity Strategist
  – Your Advocate
  – Hortonworks’ vision for Apache Metron
  – Evangelize an open source approach
Cybercrime is the largest transfer of wealth in the history of civilization. We need an open solution available to everyone.
Only together can we solve this problem.
A year in review
• Asked to create an open source organization
• Met the Hortonworks folks
• OpenSOC forked
• Apache Foundation accepted
• 12/15 Apache (Incubating) Metron created
• ~30 committers
• Multi-company support
• Decided to join Hortonworks
• Apache Nifi!
  • The single (IMHO) most important open source project in 2015.
  • WYSIWYG data ingest and transformation
  • Data Provenance (chain of custody)
2015 Infosec Summit
Core Lesson – Data Ingestion
• Finding and getting data is hard
• Secure delivery of data is hard
• Traditional tools generate tons of data as signature-based events. Analytics needs access to raw activity data.
• Don’t underestimate the challenge – it’s a people and process problem
Core Lesson – Don’t be the new shiny
• Focus on the value proposition
  – Show how it makes the job easier and more efficient at each phase of implementation.
  – How current state isn’t effective.
  – Metrics, Metrics, Metrics
• Don’t hype the technology – this can be viewed as scary or untried
  – Analytics is mature – predates computers
  – Unlike other technologies, analytics shows the evidence the prediction is based on.
  – It’s just math.
“Why are you building some new Star Trek thing? We need to focus on the basics.”
Core Lesson – Avoid YADB (Yet Another Dashboard)
• It’s about the people
  – Make the tool fit the people and process
  – Does this make their job easier?
• Integration and workflow are key
• Focus on automated detection and response
Apache Nifi
• WYSIWYG data ingest
• Secure data transmission
• Chain of custody
• Data enrichment pipeline
Apache Metron (architecture diagram)
• Data sources: PCAP, NetFlow, DPI, network tap, IDS, AV, firewall, host logs, STIX, flat files, aggregators, model as a service, cloud services
• Processing stages: parse, normalize, enrich (user, asset, geo, WHOIS, conn), tag, validate, process, label
• Platform services: real-time search, interactive dashboards, data modelling, knowledge graphs, PCAP store, integration layer, PCAP replay, security layer, workflow engine, rules engine
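The diagram above names the stages every event passes through before an analyst sees it: parse, normalize, validate, enrich, then tag or label. As an added illustration, not code from the Apache Metron or Apache NiFi projects, the following Python script runs three constructed log lines (a firewall record, an IDS alert and a host authentication log) plus one deliberately garbled line through those stages. The log formats, regular expressions, and the asset, geo and watchlist lookup tables are assumptions made for this demo; the common field names (ip_src_addr, ip_dst_addr, ip_dst_port) are modelled on Metron's schema but nothing here depends on Metron itself.

```python
"""Added example: parse -> normalize -> validate -> enrich -> tag, in the order of the Metron diagram."""
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample events, one per source type (not real logs). The last line is deliberately garbled.
RAW_EVENTS = [
    ("firewall", "2016-03-30T10:15:02Z fw01 ALLOW TCP 203.0.113.7:51532 -> 10.0.0.5:443"),
    ("ids", '2016-03-30T10:15:03Z ids01 ALERT sid=1000001 msg="TEST rule" 203.0.113.7 -> 10.0.0.5:443'),
    ("hostlog", "2016-03-30T10:15:04Z host=web01 user=alice event=login status=failed src=198.51.100.9"),
    ("firewall", "garbled line with no fields"),
]

# Constructed enrichment tables (assumed for the demo; a real deployment loads these from inventory/threat feeds).
ASSETS = {"10.0.0.5": {"hostname": "web01", "owner": "web-team", "criticality": "high"}}
GEO = {"203.0.113.0/24": "TEST-NET-3", "198.51.100.0/24": "TEST-NET-2"}
WATCHLIST = {"203.0.113.7"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<sensor>\S+) (?P<action>ALLOW|DENY) (?P<proto>\S+) "
                   r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
IDS_RE = re.compile(r'^(?P<ts>\S+) (?P<sensor>\S+) ALERT sid=(?P<sid>\d+) msg="(?P<msg>[^"]*)" '
                    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
HOST_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")
PARSERS = {"firewall": FW_RE, "ids": IDS_RE, "hostlog": HOST_RE}

def parse(source, line):
    """PARSE: source-specific parser; returns raw fields, or None when the line is unparseable."""
    m = PARSERS.get(source) and PARSERS[source].match(line)
    if not m:
        return None
    raw = m.groupdict()
    if source == "hostlog":  # key=value body: promote the host log's own fields into the raw record
        raw.update(kv.split("=", 1) for kv in raw.pop("kv").split())
    return raw

def normalize(source, raw):
    """NORMALIZE: map raw fields onto one common schema (field names modelled on Metron's)."""
    ts = datetime.strptime(raw["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "source_type": source,
        "timestamp": int(ts.timestamp()),
        "ip_src_addr": raw.get("src"),
        "ip_dst_addr": raw.get("dst"),
        "ip_dst_port": int(raw["dport"]) if raw.get("dport") else None,
        "original": raw,  # keep the parsed source fields so the evidence behind any label stays visible
    }

def validate(event):
    """VALIDATE: reject events lacking the fields every downstream consumer relies on."""
    return event["timestamp"] is not None and event["ip_src_addr"] is not None

def is_internal(ip):
    return ip is not None and any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def geo_lookup(ip):
    nets = ((ipaddress.ip_network(n), label) for n, label in GEO.items())
    return next((label for net, label in nets if ip and ipaddress.ip_address(ip) in net), None)

def enrich(event):
    """ENRICH: attach asset, geo and watchlist context without altering the normalized fields."""
    src, dst = event["ip_src_addr"], event["ip_dst_addr"]
    event["enrichments"] = {
        "geo.src": geo_lookup(src),
        "asset.dst": ASSETS.get(dst),
        "threatintel.src": src in WATCHLIST,
    }
    return event

def tag(event):
    """TAG/LABEL: derive analyst-facing labels from the normalized and enriched fields."""
    tags = []
    if not is_internal(event["ip_src_addr"]) and is_internal(event["ip_dst_addr"]):
        tags.append("inbound")
    if event["enrichments"]["threatintel.src"]:
        tags.append("watchlist_hit")
    if event["original"].get("status") == "failed":
        tags.append("auth_failure")
    event["tags"] = tags
    return event

def run_pipeline(raw_events):
    """Run every stage in order; returns (processed events, number of rejected lines)."""
    processed, rejected = [], 0
    for source, line in raw_events:
        raw = parse(source, line)
        if raw is None:
            rejected += 1
            continue
        event = normalize(source, raw)
        if not validate(event):
            rejected += 1
            continue
        processed.append(tag(enrich(event)))
    return processed, rejected
```

Calling `run_pipeline(RAW_EVENTS)` yields three normalized events and one rejection; the two network events carry the tags inbound and watchlist_hit, the host log carries auth_failure. Keeping the parsed fields under "original" is what lets a later consumer show the evidence a label rests on, which is the "it's just math, show the evidence" point from the earlier slide.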
Putting it all together
Next Steps
Call to action:
• Continue to build community: Apache Metron, Apache Nifi
  – Become a committer
  – Help write documentation
  – Try out projects and provide feedback and suggestions
• Help develop open data schema
  – How can we extend to solve other security problems? (FAIR actuarial tables…)
• Other open source projects
  – Workflow
  – UI
  – Sensors
  – Automated Response
  – Container/DevOps extensions
Questions?
Blog: http://www.hortonworks.com/blog/author/mschiebel/
Email: [email protected]
@mgschiebel