ISF congress post 9: Extending security intelligence with big data

Extending security intelligence with big data

Presentation by Martin Borrett from IBM.

  • Why cyber security is a big data problem
  • How the diverse and rapidly changing set of both structured and unstructured data can play a key role in identifying the increasingly sophisticated threats that organisations face.
    • Move from reactive to a more proactive stance by actively searching for indicators that something could be amiss.


As an example, the attacks earlier this year on the New York Times when it ran a story about China’s prime minister;

  • Not detected for 4 months
  • 45 different pieces of malware were used, with only 1 being picked up by AV
  • All employee passwords stolen
  • Computers of 53 employees accessed
  • University computers were used as proxies to hide the traffic source.

We have a greater need for security intelligence;

  • User identities
  • Asset discovery
  • Network flow
  • Vulnerabilities / risks
  • Security and threat feeds
  • Baselines of behaviour (system and user)
  • Unstructured data such as free text user inputs, feeds from social media, general news sources etc.


Attackers are continuously adapting to leave minimal trace and to hide their behaviour in the noise of ‘normal’ activity.  Because of the potentially huge volumes of data involved, these systems must be very scalable.

Traditionally SIEM type solutions have focussed on real time alerting that is Proactive, Formalised (standard queries / searches) and fast.  This is great, but can it be in depth enough, and is real time alerting always required when searching for long term APT style attacks?

Move towards adding more Asymmetric / Forensic type capabilities that are more Predictive, Inquisitive, and in depth.  These require considerably more skill and in depth understanding to create, and the searches will be much more ‘custom’, but this is the best (only?) way to find the subtle and clever attackers, especially if doing so in a timely manner is required (it is!).

Current SIEM type security processes may look like;

[Slide screenshot: current SIEM type security process]

This has a heavy focus on structured data and performing real time correlation to get to a potential incident to investigate.

Moving more into the ‘big data’ world we will enrich this with a lot more data sources, much of it unstructured;

[Slide screenshot: ‘big data’ enriched security process, showing Real-time Processing and Security Operations above Big Data Warehouse, Big Data Analytics and Forensics]

This will potentially also take outputs from the traditional SIEM tool as one of the feeds and enrich them with other data.  For example, an event that may be an issue, but for which there isn’t enough detail in the SIEM to act on, could be passed to the ‘big data’ solution and correlated with a much wider data set to find out whether it is a real issue.

The top part of the above diagram (Real-time Processing and Security Operations) is relatively similar to existing SIEM solutions, focusing on real time analysis and processing, just with a potentially larger data set.

The bottom right (Big Data Warehouse, Big Data Analytics and Forensics) focuses on the much more advanced, not real time analysis and forensic type investigations.

Context is key.

  • You must be able to derive security relevant semantics from elements of the raw data.
  • There must be the capability to distil the huge volumes of data down to useful and real insights.
  • Human knowledge must be able to be added to the solution to improve processing and automate more tasks.
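As an added example of the enrichment idea described above (this is not code from the presentation or from IBM), the script below takes two thin SIEM alerts that fire on the same rule and correlates each with a wider data set: a per-user login baseline derived from historic authentication logs, an asset inventory and a threat feed. All records, host names, user names and scores are constructed; the IP addresses come from the RFC 5737 / RFC 1918 documentation ranges and the weights are illustrative rather than any standard scheme.

```python
# Added example: enriching a low-confidence SIEM alert with baselines,
# asset inventory and threat-feed data. All data below is constructed.

from collections import defaultdict
from datetime import datetime

# Historic authentication events (constructed). In a big data store this
# would be months of logs; a handful is enough to derive a baseline here.
AUTH_LOG = [
    "2013-10-01T08:02:11 user=alice src=10.1.4.22 host=fin-db-01 result=ok",
    "2013-10-02T08:15:40 user=alice src=10.1.4.22 host=fin-db-01 result=ok",
    "2013-10-03T09:01:05 user=alice src=10.1.4.23 host=fin-db-01 result=ok",
    "2013-10-01T22:45:00 user=bob src=10.2.7.9 host=build-07 result=ok",
    "2013-10-02T23:10:30 user=bob src=10.2.7.9 host=build-07 result=ok",
    "2013-10-03T01:20:12 user=bob src=198.51.100.77 host=build-07 result=ok",
]

# Asset inventory and threat feed (constructed sample values).
ASSET_CRITICALITY = {"fin-db-01": "high", "build-07": "low"}
THREAT_FEED_IPS = {"203.0.113.45"}


def parse_event(line):
    """Parse one 'timestamp key=value ...' record into a dict with a datetime."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["time"] = datetime.fromisoformat(ts)
    return event


def build_baselines(lines):
    """Per-user baseline: source IPs seen and hours of day at which logins occurred."""
    baselines = defaultdict(lambda: {"ips": set(), "hours": set()})
    for ev in map(parse_event, lines):
        if ev["result"] != "ok":
            continue
        baselines[ev["user"]]["ips"].add(ev["src"])
        baselines[ev["user"]]["hours"].add(ev["time"].hour)
    return baselines


def enrich_alert(alert, baselines):
    """Score a thin SIEM alert against baseline, inventory and threat data.

    Returns (score, reasons). The weights are illustrative only.
    """
    ev = parse_event(alert)
    base = baselines.get(ev["user"], {"ips": set(), "hours": set()})
    score, reasons = 0, []

    if ev["src"] not in base["ips"]:
        score += 2
        reasons.append("source IP never seen for this user")
    if ev["time"].hour not in base["hours"]:
        score += 1
        reasons.append("login hour outside the user's baseline")
    if ev["src"] in THREAT_FEED_IPS:
        score += 3
        reasons.append("source IP present in threat feed")
    if ASSET_CRITICALITY.get(ev["host"]) == "high":
        score += 2
        reasons.append("target asset is high criticality")
    return score, reasons


def triage(alert, baselines, threshold=4):
    """Decide whether the enriched alert warrants an analyst's attention."""
    score, reasons = enrich_alert(alert, baselines)
    return {"investigate": score >= threshold, "score": score, "reasons": reasons}


if __name__ == "__main__":
    baselines = build_baselines(AUTH_LOG)
    # Two alerts that look identical to a SIEM rule such as "login outside hours":
    alerts = [
        "2013-11-05T02:13:00 user=alice src=203.0.113.45 host=fin-db-01 result=ok",
        "2013-11-05T02:13:00 user=bob src=10.2.7.9 host=build-07 result=ok",
    ]
    for a in alerts:
        print(a.split()[1], triage(a, baselines))
```

Run stand-alone, the alice alert scores 8 (unknown source, unusual hour, threat-feed hit, high-value asset) and is flagged for investigation, while the bob alert scores 1 (a known workstation, only slightly outside his normal late hours) and is not. The SIEM rule alone could not separate the two; the wider data set does.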

Some key security questions a big data analysis solution will help your organisation answer include;

[Slide screenshot: key security questions a big data analysis solution will help answer]

Another key area these tools can help with is in creating visualisations of attacks and suspicious behaviour.  As they will have data from all the systems in the enterprise, along with various external feeds, they can provide visual representations of the behaviour as it moves into and through the organisation.

For me the key consideration is to have one ‘Big Data’ solution that collects all the relevant data for your organisation from traditional log files, through corporate emails to social media and threat feeds.

This also needs to move out of the security realm as people are talking ‘Big Data’ but in reality still have the traditional SIEM mindset.  Running a tool like this for security, while the ops guys are also running logging and monitoring tools is massively wasteful in terms of cost, storage, management overhead, and also likely results in situations where some useful information only ends up in one tool, not both.

We need to move forwards to the mindset of an Enterprise ‘Big Data’ solution for sorting and correlating all the business data – logs, emails, external sources, user and system behaviours etc.  This solution then has different dashboards, reporting solutions, search heads or whatever for the different use cases such as ops, business users (system performance, investigating transaction issues etc.) and security.  Obviously areas like separation of duties and access controls must be considered here, but I believe this type of solution is the only way for this to really succeed and provide the best value for the business.

K

Further Cloud planning and BYOD reading

I have recently read a few interesting and useful papers relating to some of my previous posts that may also be of interest to some of the readers of this blog.  Feel free to let me know your thoughts!  Incidentally the first three papers below all originate from IBM; this is purely coincidental and I have no affiliation with IBM.

The first paper is titled ‘Defining a framework for cloud adoption’.  Please read previous posts if you need an overview of the benefits of cloud computing.  This paper introduces IBM’s cloud adoption framework, which is free for any organisation wishing to have a standardised reference to frame their discussions and planning around moving to the cloud.  This can be found here (free registration may be required);

http://research.itpro.co.uk/?option=com_categoryreport&task=viewabstract&pathway=no&title=20268&frmurl=http%3a%2f%2fforms.madisonlogic.com%2fForm.aspx%3fpub%3d220%26pgr%3d493%26frm%3d759%26autodn%3d1%26src%3d8644%26ctg%3d18%26ast%3d20268%26crv%3d0%26cmp%3d5941%26yld%3d0%26clk%3d5778290107730889220%26embed%3d1

The second paper worth reviewing is also around helping your company adopt cloud based services; this one is titled ‘A logical approach to cloud adoption in your company’.  This paper seeks to aid the discussions around when and how to consider moving to the cloud, and covers the fact that there isn’t actually ‘a cloud’ but multiple clouds and variations on the theme, as covered in my previous post introducing the cloud.  This one can be found here (free registration may be required);

http://research.itpro.co.uk/?option=com_categoryreport&task=viewabstract&pathway=no&title=20770&frmurl=http%3a%2f%2fforms.madisonlogic.com%2fForm.aspx%3fpub%3d220%26pgr%3d493%26frm%3d759%26autodn%3d1%26src%3d8644%26ctg%3d1%26ast%3d20770%26crv%3d0%26cmp%3d6145%26yld%3d0%26clk%3d5778290107730954757%26embed%3d1

The third paper from IBM is titled ‘Building a successful roadmap to the cloud’.  This is a great companion to the above papers, as once you have the conversation started and people are on board with the benefits of utilising some cloud services the next step is to build the plan / roadmap for moving to and adopting these services.  This paper can be found here (free registration may be required);

http://research.itpro.co.uk/?option=com_categoryreport&task=viewabstract&pathway=no&title=20767&frmurl=http%3a%2f%2fforms.madisonlogic.com%2fForm.aspx%3fpub%3d220%26pgr%3d493%26frm%3d759%26autodn%3d1%26src%3d8644%26ctg%3d1%26ast%3d20767%26crv%3d0%26cmp%3d6145%26yld%3d0%26clk%3d5778290107731020294%26embed%3d1

All three of the above papers are definitely worth reading if your company is considering adopting cloud services, or if you want some ideas and terminology to get the conversation and planning started.

The final paper I’ll suggest you read is a balanced review of BYOD (Bring Your Own Device) that covers many of the pros and cons of this current trend.  I have briefly covered BYOD and what it is before; this paper will aid you in further understanding what BYOD is, what the potential pitfalls are, and whether BYOD may fit into your business at all.  This one is from PC Pro, not IBM, just for a bit of a change, and can be found here (free registration may be required);

http://www.itpro.co.uk/641935/byod-friend-or-foe?utm_campaign=itpro_newsletter&utm_medium=email&utm_source=newsletter

Happy reading, I’ll be back soon with an update on my year’s progress so far.

K

Consumerism of IT 2..

Following on from my previous post covering briefly what consumerism of IT and Bring Your Own Device (BYOD) are, I’ll now cover some of the things these trends mean for ICT departments.

For any IT business or IT department that thinks they do not need to consider the impacts of consumerism and BYOD – think again!  Regardless of perceived business benefits such as cost savings or flexibility, or even the side benefits around the improved security and management of utilising VDI to centralise business owned user computing resources, as BYOD becomes more mainstream it will become an expected benefit / perk rather than the exception.

As an example of how this is already becoming more mainstream; several large companies such as IBM and Citrix are embracing this trend and have well established BYOD programs.

Ask yourself, do you want to attract the best talent? If the answer is yes then you need to ensure the working environment you offer is up there with the best of your competitors.  This includes offering things like BYOD programs across mobiles, tablets, laptops etc. and / or offering a wider variety of consumer type devices such as tablets and smartphones.

The challenge, as is often the case, will be to understand how these changes and trends can be harnessed to provide business benefits and create an attractive working environment, while still ensuring the security of your and your customers’ data and maintaining a stable and manageable ICT estate.

BYOD and consumerism of IT can and will make sweeping changes to how IT departments manage and provision user devices.  Whether this is due to supporting a wider variety of devices directly, or from relinquishing some control and embarking on a BYOD program, there will be changes.  What they are will depend on the route your company takes and how mature your company currently is regarding technology such as desktop virtualisation and offering functionality via web services.  If you currently have little or no VDI type solution and most of your application access is via thick or dedicated client software, the changes are likely to prove very challenging.  On the other hand, if you are at the other end of the scale with a large and mature VDI (Virtual Desktop Infrastructure) deployment along with most applications and processes being accessed via a browser, then the transition to more consumer or BYOD focussed end user IT will likely be relatively straightforward from a technical standpoint.

Without sounding like a broken record (well, hopefully), the first thing you need to do before embarking on any sort of BYOD program is to get the right policies and procedures in place to ensure company data remains safe and that there are clear and agreed rules for how any devices can be used, how they can access data, how access, authentication and authorisation are managed, along with the company’s requirements around things like encryption and remote wipe capabilities.

NIST (National Institute of Standards and Technology) has recently released an updated draft policy around managing and securing mobile devices such as smartphones and tablets.  This policy covers both company owned (Consumerism) and user owned (BYOD) devices.  It can be used as a great starting point for the creation of your own policies.  It’s worth noting that NIST highlights BYOD as being more risky than company owned devices, even when the devices are the same.  The policy draft can be found here;

http://csrc.nist.gov/publications/drafts/800-124r1/draft_sp800-124-rev1.pdf

Once you have the policies in place you will need to assess the breadth of the program, this must include areas such as;

–  Will you allow BYOD, or only company supplied and owned equipment
–  Which devices are allowed
–  Which O/Ss and applications are permitted; this should include details of O/S minor versions and patch levels etc.
–  How will patching of devices and applications be managed and monitored
–  What levels of access will the users and devices be permitted
–  What architectural changes are required to the environment in order to manage and support the program
–  How will licenses be managed and accounted for
–  What are the impacts to everything from the network (LAN, WAN and internet access) to applications and storage to desk space (will users have more or fewer devices on their desks) to the provision of power (will there be more devices and chargers etc. on the floors)

This is by NO means an exhaustive list; the point of these posts is to get you thinking about what is coming along, and whether your company will embrace BYOD and the consumerism of IT.

CIO.com recently ran an article titled ‘7 Tips for Establishing a Successful BYOD Policy’ that covers some similar points and is worth a read;

http://www.cio.com/article/706560/7_Tips_for_Establishing_a_Successful_BYOD_Policy

There are several useful links from the CIO article that are also worth following.

It would be great to hear your thoughts and experiences on the impacts of consumerism and BYOD.

K

Homomorphic Encryption – Saviour of the cloud? Ready for prime time?

Homomorphic encryption has been around for a while (in fact it has been debated for around 30 years), but most systems that are homomorphic are only partially homomorphic, thus limiting their use in enabling real world distributed, including cloud based, systems.

I’ll start by briefly describing what the term homomorphic means when used to describe a cryptosystem.  A cryptosystem is homomorphic if a mathematical operation can be performed on the encrypted data to produce an encrypted output that, when decrypted, gives the same result as if the operation had been performed on the plaintext.

I’m sure you can see how this removes one of the main barriers to the adoption of cloud computing.  An efficient, proven and thoroughly tested homomorphic encryption system would potentially revolutionise the view of cloud computing security.  Currently it is easy to send data to and from the cloud in a secure encrypted manner; however, if any computation is to be carried out on this data it has to be unencrypted at some point.  When the data is unencrypted in the cloud, the risk that employees of the cloud provider, and potentially other customers, could access the data becomes a real concern.  It is this risk that is one of the key road blocks to companies moving their data to the cloud.

Additionally some legal / regulatory rules prevent certain unencrypted data types, such as personally identifiable information (PII), leaving countries / regions such as the EU.  A system that enabled data to remain encrypted would potentially get around these regulatory issues and allow data to be housed in the cloud (many cloud providers have data centres located in various global locations and can’t guarantee where data will reside.   In fact this is one of the benefits of the cloud – the high level of redundancy and resilience provided by multiple data centres in geographically diverse locations).

Some existing algorithms are partially homomorphic; this means that they are homomorphic with regards to one or maybe a couple of operations.  For example the RSA algorithm is homomorphic with regards to multiplication.
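The following is an added example, not from the original post or from any of the research it links to, that makes the definition given above and the RSA multiplication property concrete.  It implements textbook RSA (no padding) with deliberately tiny, insecure constructed parameters (p = 61, q = 53, e = 17), and checks the homomorphic property for both multiplication and addition: multiplication holds, addition does not, which is exactly what “partially homomorphic” means.  Real RSA deployments use padding such as OAEP precisely so that ciphertexts cannot be manipulated this way, so the property shown here belongs to the raw mathematical primitive, not to RSA as it should be deployed.

```python
# Added example: textbook RSA as a partially homomorphic cryptosystem.
# Parameters are constructed toy values (insecure) for illustration only.

from operator import add, mul


def keygen(p=61, q=53, e=17):
    """Textbook RSA key pair from two small primes (constructed, insecure sizes).

    Returns (public_key, private_key) as (n, e) and (n, d).
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e mod phi (Python 3.8+)
    return (n, e), (n, d)


def encrypt(pub, m):
    """Raw RSA encryption: c = m^e mod n, no padding."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("plaintext must lie in [0, n)")
    return pow(m, e, n)


def decrypt(priv, c):
    """Raw RSA decryption: m = c^d mod n."""
    n, d = priv
    return pow(c, d, n)


def homomorphic_multiply(pub, c1, c2):
    """Multiply two ciphertexts without the private key.

    Because (a^e * b^e) mod n == (a*b)^e mod n, the result decrypts to
    a*b mod n. This is the multiplicative homomorphism of RSA.
    """
    n, _ = pub
    return (c1 * c2) % n


def is_homomorphic_for(op, pub, priv, a, b):
    """Check the definition from the post for one operation and one input pair:

        Dec(op(Enc(a), Enc(b))) == op(a, b)   (all mod n)
    """
    n, _ = pub
    ca, cb = encrypt(pub, a), encrypt(pub, b)
    return decrypt(priv, op(ca, cb) % n) == op(a, b) % n


def demo():
    """Return a dict of which operations RSA is homomorphic for on sample inputs."""
    pub, priv = keygen()
    a, b = 42, 17
    product_ct = homomorphic_multiply(pub, encrypt(pub, a), encrypt(pub, b))
    return {
        "decrypted_product": decrypt(priv, product_ct),   # 714 == 42 * 17
        "multiplication": is_homomorphic_for(mul, pub, priv, a, b),
        "addition": is_homomorphic_for(add, pub, priv, 1, 1),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The check for addition uses the pair (1, 1): Enc(1) + Enc(1) = 2, while Enc(2) = 2^17 mod 3233 = 1752, so decrypting the sum cannot give 2.  A fully homomorphic scheme, by contrast, must satisfy the same identity for both addition and multiplication on arbitrary inputs, and it is that combination that the schemes discussed below pay for in size and computational cost.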

IBM published some research in this area in 2009, proposing a fully homomorphic system; it is linked to from here;

http://domino.research.ibm.com/comm/research_projects.nsf/pages/security.homoenc.html

Currently fully homomorphic systems are too new and not yet practical enough to be implemented for production systems.  For any cryptographic algorithm to be recommended it requires considerably more time to be peer reviewed and tested by security and encryption researchers, to allow a reasonable level of assurance that there are no attacks that could be used to decrypt the data.  In terms of the practicality of currently proposed homomorphic encryption systems, the complexity of the system grows enormously as the number of operations you need to perform on the encrypted data increases.  This leads to a massive increase in the computational power required to run the system; this is a non-trivial increase that will not be solved by Moore’s law anytime in the near future.

So homomorphic encryption has now been proven to be possible which is a huge step forwards, and the work done by people like Craig Gentry and the guys at IBM and MIT must be hugely applauded.

Microsoft researchers published a paper in May of this year (2011) titled ‘Can Homomorphic Encryption be Practical’ that can be found here;

http://research.microsoft.com/apps/pubs/default.aspx?id=148825

This provides an overview of a proposed partially homomorphic implementation along with thoughts on how it could be made fully homomorphic and how the efficiency could be improved.  The page also contains some useful links to cloud and lattice based cryptography.

However the reality is that we need several more years for a broader range of cryptographers to examine the cryptosystem to be assured it is secure, and for further work to go into making the system much more efficient.

These are definitely interesting times, and over the next few years I would hope to see homomorphic cryptosystems removing some of today’s key barriers to the adoption of cloud computing services!

K