Big data ... for security
James Salter
Hewlett Packard Labs
December 3, 2015

This is what we are dealing with...

A massive IT operation

Infrastructure
– 6 next generation data centres
– 300K+ employees and contractors
– 41K+ servers
– 440K+ PCs deployed
– 15K+ switches
– 1,500+ enterprise routers
– 140+ Windows Domain Controllers

Connectivity
– 11.5M+ Internet mails per day sent/received
– 150K+ mobile devices
– 39M IP addresses
– 1.2M devices
– 450K mailboxes managed

Security
– 2.5B security events logged per day
– 2K+ managed firewalls
– 970K+ devices scanned for vulnerabilities
– 450K end points protected with anti-virus

Security events data

HPE IT operates ArcSight internally. The deployment is 25% larger than any other non-governmental installation by volume.

[Chart: events per second (logarithmic scale, 1 to 1,000,000) by source: Routers, VPN, AntiVirus, Active Directory, Web Proxy, DNS]

DNS traffic per HPE data centre:
– 120,000 events/second
– ~64B events/day globally

64 billion DNS events/day
– whitelist/blacklist: 99%
– 640 million greylisted events

Collection is just part of the story. Analytics is where the power comes from.

– Correlation
– Machine learning
– Graph analytics
– Anomaly detection

– Advanced persistent threats
– Data exfiltration
– User behaviour analysis/insider threat
– Endpoint visibility

Abuse case: Botnet command and control

Bot → DNS server: akaajkajkajd.cn? xisyudnwuxu.ru? dfknwerpbnp.biz? mneyqslgyb.info? cspcicicipisjjew.hu?
C2 server: mneyqslgyb.info

The attacker can't maintain a C2 server at one IP address for very long, so it registers a random domain name temporarily. The bot tries a bunch of random names until it finds one that resolves.

Abuse case: DNS tunneling (via subdomains)

Bot → DNS server → (Compromised) DNS server (example.com)
Queries: 93cc3daf.example.com 4fac3215.example.com a86f4221.example.com ddee9152.example.com 8bd5ff12.example.com d4bb92a1.example.com ef409132.example.com 1bfa3207.example.com 298c5b3a.example.com
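Both abuse cases above (a bot cycling through random domains until one resolves, and a compromised zone receiving a stream of random-looking subdomains) can be triaged on the greylisted remainder once whitelist and blacklist matches are removed. The following is an added example, not code from the slides or from HPE's product; the log format, the allow/deny lists, the entropy heuristic and the thresholds are assumptions chosen for illustration.

```python
import math
from collections import Counter, defaultdict
# Constructed sample DNS events (not from the slides), one per line: "<client> <qname> <rcode>".
SAMPLE_EVENTS = """\
10.0.0.5 www.hpe.com NOERROR
10.0.0.5 akaajkajkajd.cn NXDOMAIN
10.0.0.5 xisyudnwuxu.ru NXDOMAIN
10.0.0.5 dfknwerpbnp.biz NXDOMAIN
10.0.0.5 mneyqslgyb.info NOERROR
10.0.0.9 93cc3daf.example.com NOERROR
10.0.0.9 4fac3215.example.com NOERROR
10.0.0.9 a86f4221.example.com NOERROR
10.0.0.7 mail.google.com NOERROR
10.0.0.7 evil-known.test NOERROR
"""
WHITELIST = {"hpe.com", "google.com"}  # assumed allow-list: the bulk (~99%) that is dropped
BLACKLIST = {"evil-known.test"}        # assumed known-bad list: immediate alert

def registered_domain(qname):
    """Crude 'last two labels' approximation; a real pipeline uses the public suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def entropy(label):
    """Shannon entropy in bits per character; random-looking labels score high."""
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def triage(lines, nx_threshold=3, sub_threshold=3, min_entropy=2.4):
    """Return (blacklist_hits, dga_suspect_clients, tunnel_suspect_domains)."""
    blacklist_hits = []
    nx_per_client = defaultdict(set)    # client -> distinct domains that did not resolve
    subs_per_domain = defaultdict(set)  # domain -> distinct high-entropy subdomains seen
    for line in lines.strip().splitlines():
        client, qname, rcode = line.lower().split()
        dom = registered_domain(qname)
        if dom in WHITELIST:
            continue
        if dom in BLACKLIST:
            blacklist_hits.append((client, qname))
            continue
        # Greylisted traffic: look for the two abuse patterns.
        if rcode == "nxdomain":  # bot guessing DGA names until one resolves
            nx_per_client[client].add(dom)
        sub = qname[:-len(dom) - 1] if qname.endswith("." + dom) else ""
        if sub and entropy(sub) >= min_entropy:  # random subdomains carrying tunnel data
            subs_per_domain[dom].add(sub)
    dga = {c for c, d in nx_per_client.items() if len(d) >= nx_threshold}
    tunnel = {d for d, s in subs_per_domain.items() if len(s) >= sub_threshold}
    return blacklist_hits, dga, tunnel
```

At production volume the thresholds are set per time window, and the counts are kept in a streaming store rather than in memory.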

Solution architecture: overview

– DNS server(s): DNS queries and responses captured via a network tap
– DNS packet capture
– Whitelist / Blacklist
– Real-time processing
– Near-time, historical analysis
– Event logging, correlation and alerting
– DNS events: queries and replies

In use at HPE

Hewlett Packard Enterprise Cyber Defense Center, Palo Alto

From Labs … to HPE … to Customers

Screenshot from HPE DNS Malware Analytics
– HPE DNS Malware Analytics
– Cloud-based managed or self-service analytics with on-premises capture modules

The next challenges

Increase the correlation time window: 5 minutes → 24 hours → ? days ?
Data exfiltration “hidden in the noise”

[Chart: exfil time]

The next challenges

[Chart: billions of events per day (scale 0 to 700): Security Events 2.5B, DNS 64B, Outgoing ISP Packets 660B]

Complete packet capture for all outgoing ISP connections