TRANSCRIPT
ORNL is managed by UT-Battelle for the US Department of Energy
Situ: Real-Time Situational Understanding and Discovery of Cyber Attacks
David Sims, Commercialization Manager
John Goodall, Principal Investigator
SPARK! 2015 Technology Forum
March 25, 2015
Problem
• Networked computing assets are regularly compromised.
• In 2014:
– Target: 110 million accts
– JP Morgan Chase: 83 million accts
– Home Depot: 56 million accts
– Sony: movies stolen, personal information shared, millions of private emails published
– Other cyber attack victims: Neiman Marcus, Staples
http://www.newsweek.com/2014-year-cyber-attacks-295876
http://www.bbc.com/news/technology-30692105
Problem
• Worldwide, over 40 million cyber attacks, averaging over 117,000 attacks each day in 2014
• Average data security incident costs a company $720,000 in 2014
http://thehill.com/policy/cybersecurity/221936-study-cyber-attacks-up-48-percent-in-2014
• $400 billion cost to global economy from cybercrime in 2014
http://www.bloomberg.com/bw/articles/2014-06-09/the-global-cost-of-cybercrime-more-than-400-billion-per-year
Solutions
• Signature-based network intrusion detection systems (IDS) work well against known types of attacks.
– Cannot detect zero-day attacks (i.e., attacks exploiting previously unknown vulnerabilities)
• Organized crime and nation states constantly developing novel, highly sophisticated methods of penetrating networks.
Solutions
• Anomaly detection methods identify suspicious behavior that bypasses signature-based systems
• Most anomaly detection systems operate with supervised algorithms (i.e., machine learning)
– Issues:
• Large data sets of pre-labeled training data are required
• Training data from “normal” network traffic is difficult to obtain in real-world network environments
• A change in network environments or network services means “normal” traffic will also change
Technology Description
• Situ is a scalable, real-time software platform for discovering and explaining suspicious computer network behavior that current technologies either cannot detect or have difficulty detecting.
• As data streams in, data “events” are modeled in different contexts and scored by multiple anomaly detectors according to the probability of being anomalous. This enables Situ to identify different kinds of anomalous behavior.
Technology Leadership
• Why this method is better:
– Anomaly detection: not a signature-based system
– Unsupervised learning: no labeling of datasets
– Online training: data models always current
– Operates on streaming data: minimizes time from observation of “event” to reporting of event
– Helps operators understand why something is anomalous
• Different behavior models capture different types of events
• Scoring feature enables selection of highest-rated events
• Examination of events’ contexts used in models provides understanding for why events are anomalous
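The two slides above describe the core loop: events arrive as a stream, each is modeled in several contexts, several detectors score it, the models keep training online so they stay current, and the highest-scored events are surfaced together with the context that explains them. The following Python sketch is an added illustration of that loop written for this transcript; it is not Situ's code or ORNL's. The three contexts (destination port given source host, destination host given source host, source host given destination port), the Laplace-smoothed count model, the max-over-contexts combination rule, the warm-up period and the sample flow events are all constructed assumptions.

```python
"""Illustrative streaming, unsupervised, multi-context anomaly scorer.
Constructed example, not the Situ implementation."""
import math
from collections import defaultdict


class ContextModel:
    """One context: estimates P(value | key) from counts updated as events
    stream in, so no labelled data and no offline training phase are needed.
    Laplace smoothing (alpha) gives unseen values a small nonzero probability
    instead of an infinite score."""

    def __init__(self, name, key_fn, value_fn, alpha=1.0):
        self.name = name
        self.key_fn = key_fn        # field that defines the context, e.g. src host
        self.value_fn = value_fn    # field being predicted, e.g. dst port
        self.alpha = alpha
        self.counts = defaultdict(lambda: defaultdict(int))
        self.totals = defaultdict(int)
        self.vocab = set()          # every value seen so far, across all keys

    def score(self, event):
        """Surprisal -ln P(value | key) in nats: higher means more anomalous."""
        key, val = self.key_fn(event), self.value_fn(event)
        n, total = self.counts[key][val], self.totals[key]
        vocab_size = max(len(self.vocab), 1)
        p = (n + self.alpha) / (total + self.alpha * vocab_size)
        return -math.log(p)

    def update(self, event):
        key, val = self.key_fn(event), self.value_fn(event)
        self.counts[key][val] += 1
        self.totals[key] += 1
        self.vocab.add(val)


class StreamScorer:
    """Runs several context models side by side, scores each event before the
    models learn from it (online training) and keeps ranked results so the
    highest-scored events can be pulled out with their per-context breakdown."""

    def __init__(self, models, warmup=0):
        self.models = models
        self.warmup = warmup        # training-only events, so cold models do not flag everything
        self.seen = 0
        self.results = []           # (score, event, per-context scores)

    def process(self, event):
        result = None
        if self.seen >= self.warmup:
            per_ctx = {m.name: m.score(event) for m in self.models}
            # Combination rule (an assumption): the most surprised context decides.
            result = (max(per_ctx.values()), event, per_ctx)
            self.results.append(result)
        for m in self.models:
            m.update(event)         # learn from the event only after scoring it
        self.seen += 1
        return result

    def top(self, k):
        return sorted(self.results, key=lambda r: r[0], reverse=True)[:k]

    @staticmethod
    def explain(result):
        """Contexts ordered from most to least surprising for this event."""
        per_ctx = result[2]
        return sorted(per_ctx, key=per_ctx.get, reverse=True)


def build_scorer(warmup=12):
    return StreamScorer([
        ContextModel("dport|src", lambda e: e["src"], lambda e: e["dport"]),
        ContextModel("dst|src", lambda e: e["src"], lambda e: e["dst"]),
        ContextModel("src|dport", lambda e: e["dport"], lambda e: e["src"]),
    ], warmup=warmup)


def constructed_stream():
    """Constructed flow-like events: three hosts alternating between a web
    server and a DNS server, then one connection to an unfamiliar host and port."""
    events = []
    for i in range(30):
        src = f"10.0.0.{5 + i % 3}"
        if i % 2 == 0:
            events.append({"src": src, "dst": "10.0.0.20", "dport": 443})
        else:
            events.append({"src": src, "dst": "10.0.0.21", "dport": 53})
    events.append({"src": "10.0.0.5", "dst": "10.0.0.99", "dport": 4444})
    events.append({"src": "10.0.0.6", "dst": "10.0.0.21", "dport": 53})
    events.append({"src": "10.0.0.7", "dst": "10.0.0.20", "dport": 443})
    return events


def run_demo(k=3):
    scorer = build_scorer()
    for event in constructed_stream():
        scorer.process(event)
    return scorer.top(k)


if __name__ == "__main__":
    for result in run_demo():
        score, event, _ = result
        print(f"{score:5.2f}  {event}  most surprising: {StreamScorer.explain(result)[0]}")
```

Two things the sketch makes concrete that the slides only state. First, scoring happens before the update, so each event is judged against a model that has not yet absorbed it, and the models are never frozen: a new service that becomes routine stops scoring high on its own. Second, the warm-up period is the price of having no labelled data: with empty models every early event is maximally surprising, which is the same effect as the deck's later caveat that benign network and configuration changes will also be flagged until the models catch up.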
Technology Leadership
• Why this method is better:
– Distribution agnostic: every network is different; designed with no assumptions made about the network
– No special hardware required
– Detection of anomalies (more than just attacks)
• Upside: More versatile (e.g., insider threats, policy violations, misconfigurations, etc.)
• Downside: Will also identify benign network changes, configuration changes, etc.
Technology Opportunity
• Current: TRL 6, prototype successfully tested in relevant environment
• In a few weeks: TRL 7, prototype will be deployed on a large organization’s network
• No “show stoppers” known at present
– Any known issues were resolved during previous testing.
• Intellectual property:
– 2 patent applications filed
– 1 copyright assertion in progress
Research and Development Plan
Remaining development: Visualization tool needs improving (current one is more of a development tool than an end-user tool).
Challenges to overcome: Minimal engineering to get data from the network into system
Any known issues were resolved during previous testing.
Commercialization Plan
Completed:
• Documentation
• Design requirements
• Software architecture
Business Case
• Identification of initial target application (1 month)
• New sensor integration (1 month)
• Validate infrastructure stability with commercial partner (3 months)
• Internal testing (alpha) (3 months)
• External testing (beta), i.e. use with third-party software (1 month)
• Software release (3 months)
Commercialization Plan
• Appropriate for start-up.
– Could likely initiate the development process and then form a partnership with a larger company to complete testing and commercialization.
• Level of Capital: between $250K - $1M
• Examples of potential commercial partners:
– Arxan
– Check Point Software Technologies
– FireEye
– McAfee
– Oracle
– SAIC
– SAP
– SAS
– Symantec
– TIBCO
Competitive Differentiation
• FireEye Threat Prevention Platform
– Signature-less; anomaly detection
– Appliance-based
• McAfee Network Security Platform
– Signature-less; anomaly detection
– Appliance-based
• Cisco IPS Systems
– Signature-based; anomaly detection
– Appliance-based
• LogRhythm Security Analytics Suite
– Anomaly detection
– Software-based
Applications – Target Customers – Current Practice
Application | Target Customers | Current Practice
Network anomaly detection | Commercial, healthcare, government | Signature-based and supervised intrusion detection
Fraud detection & prevention | Banking & financial services, government, healthcare | Transaction monitoring systems, human review, data analytics methods
Intelligence analysis | Intelligence community | Data analytics methods, human review
Market Opportunity
• Overall cybersecurity market
– $96 billion in 2014
– $156 billion by 2019
– CAGR over 10%
• Global intrusion detection & prevention market
– $2.7 billion in 2014
– $5 billion by 2019
– CAGR over 13%
– North America the largest geographical segment
• Software solution component of market: 20% (Big Data market is 20%)
– 1% = $5.4 million (2014)
Market Opportunity
• “The cybersecurity market is in the early innings of a massive growth opportunity.”
– Daniel Ives, FBR Capital Markets analyst
• “The window is wide open for cybersecurity companies. We have a perfect storm of opportunity.”
– Venky Ganesan, managing director, Silicon Valley venture capital firm Menlo Ventures
http://www.reuters.com/article/2015/03/20/us-cybersecurity-ipo-exclusive-idUSKBN0MG2ET20150320
Contact Information
Principal Investigator
• John Goodall
• 865-574-9778
Commercialization Manager
• David Sims
• 865-241-3808