© Cyberspace Analytics
Creating Near Real-Time and End-to-End Cyber Situational Awareness of University Networks
Dr. Deepinder Sidhu - Professor of Computer Science - UMBC
Aaron Boteler - Cyberspace Analytics
Gunnar Engelbach - Cyberspace Analytics
Randal Taylor - Cyberspace Analytics
POC - Email: [email protected]; Tel: 443-742-2210
The Gold Standard for Security
Internet2 2017 Technology Exchange, San Francisco, CA, October 15-18, 2017
1. Real-Time Network Mapping Analytics: vNOC
2. Cybersecurity & Compliance Analytics: CNOC
3. Real-Time Cyberspace Analytics: Intel NUC
Discuss significant advances for addressing cyberspace challenges of university networks innovatively, effectively and inexpensively
• Culture
‒ Information sharing, collaboration, free flow of information and ideas
‒ Restrictions often viewed as impediments
• Plethora of valuable information
‒ Credit cards, research data, intellectual property
‒ Student and faculty personal information
• Major targets of attack
‒ Extensive attack surface – mobile, wireless, etc.
‒ Valuable resources mean attacks from everywhere
Real-Time Network Mapping Analytics
– Reverse Engineering Raw Data
– Mapping Network
– Visualizing Network
– Identifying Features
– Reporting Problems
– Enabling

Cybersecurity & Compliance Analytics
– Large Device Support
– Processing Compliance/Vulnerability
– Visualizing Health
– Identifying Features
– Reporting Problems
– Enabling

Big Data Analytic Fusion Engine – Recreate Network Map
Raw data sources: PCAP (OSPF/BGP), Router Configs, NMAP, Compliance Scores (DISA/PCI), Flow Records, Firewall Logs, Nessus Scanner, Splunk Exports, etc.
Supported devices: Cisco Firewall/Router, Palo Alto Firewall, Checkpoint Firewall, Windows-based OS/Servers, Linux-based OS/Servers, Mac-based OS/Servers

Intel NUC Platform
✓ Cost-effective Commodity Hardware
✓ Minimal Power & Space Requirements
✓ Low-cost, easy to deploy

Mapping analytics, by stage:
– Visualizing Network: 3D Interactive Environment; Massive Scalability – 100K+; Animations, Interactive, Real-time
– Mapping Network: Firewalls, NATs, Tunnels, Port Forwards, IDS/IPS, Phantom Devices, Mobile Devices, IoT
– Identifying Features: Ingress/Egress Connections, Application/Service Properties, Flow Behaviors, Temporal Behaviors, Compliance/Vulnerability Results
– Reporting Problems: Configuration Collisions, Duplicate Physical Interfaces, Phantom Devices, Unmanaged Network Nodes
– Enabling: Device Inventory Management, IP Address Inventory Management, Subnet Management, IP Threat Flow Overlays (Reputation)

Compliance analytics, by stage:
– Processing Compliance/Vulnerability: DISA STIGs, USGCB, HIPAA Compliance, PCI Compliance, Vulnerability Scans
– Visualizing Health: Compliance/Vulnerability Score, Device Currency (Scan Age), Device Misconfigurations, Compliance/Policy Violations
– Identifying Features: Compliance/Vulnerability Score, Device Currency (Scan Age), Device Group/Cluster Summaries
– Reporting Problems: Ticket System Integration (Remedy9), Health Reports, Device Configuration Drift Reports

Outcome: Full Cyber Situational Awareness; Export for Emulation
• Reverse engineer, map and visualize network
• Discover network blind spots
• Display real-time changes to network topology
• Identify network segmentation and boundaries
• Identify misconfigurations, including duplicate IPs
• Optimize network to reduce attack surface
• Improve network hygiene
• Fingerprint network assets
• Baseline network configurations
• Create Virtual Network Operation Center (vNOC)
Large Enterprise Network
– Router Configs, NMAP Scans, Palo Alto Firewall Logs
– Enriched by extracted Properties

Very Large Enterprise Network
– Router Configs, NMAP Scans, Juniper Firewall Logs

R&D
✓ Big Data Network Data Fusion Analytics
✓ Big Data Network Mapping Analytics
✓ Analytics Identify Anomalies across Network
✓ Large-scale Correlation Logic
✓ Generic Enrichment Engine

Real Discoveries
✓ Duplicate Addresses
✓ Phantom Devices
✓ Phantom OSPF Interfaces
✓ Unmanaged Devices (Security)
✓ Back Channels (Tunnels)
Simple & Advanced Network Node Search
– IP/Name and/or any combination of generic properties
– Any combination of Compliance/Vulnerability Results
– Aggregate score
– Individual rule pass/fail
– Highlight/Mark results
– Drill-down into the Nodes
Highlight All Hosts in the Network that passed a particular rule in the .NET 1.4 Framework STIG.
Network Mapping Video
– Real-time Mapping
– Incremental Add Data Sets
– Dynamically Build Network Map
– Interact with Network Map
Advanced Analytics – On-Demand Reports
Report Types
• External Addresses
• Internal Addresses
• External Clients/Servers
• Internal Clients/Servers
• Mapping Logs
• End-Node Attributes
• Router Degree
• Sensor Logs
• Configuration Drift
• Compliance Scores
Report examples: Router Degree Report; Node Attribute Report; External Servers (Overlays Threat Information)
• Review Mapping Log for Configuration Collisions
• Identify duplicate interfaces
• Identify Phantom Interfaces
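To make the mapping reports on this slide concrete, here is an added example written for this page (not code from Cyberspace Analytics, vNOC or any product it describes). It fuses three of the raw inputs the deck lists, router-config interfaces, OSPF hellos recovered from a PCAP and an NMAP host list, into one address-to-owner map and derives four of the reports named above: configuration collisions (duplicate addresses), router degree, phantom interfaces and unmanaged nodes. Every device name and address is constructed, and the working definition of a phantom interface (no hello seen on its address and no scanned host in its subnet) is an assumption of this example, not the deck's.

```python
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Interface:
    router: str
    name: str
    cidr: str  # address with prefix as parsed from a router config, e.g. "10.1.1.1/24"


# Constructed sample inputs for a hypothetical network (not data from the deck or any real site).
ROUTER_INTERFACES = [
    Interface("core1", "Gi0/0", "10.1.1.1/24"),
    Interface("core1", "Gi0/1", "10.1.2.1/24"),
    Interface("core1", "Gi0/2", "10.1.3.1/24"),
    Interface("edge1", "Gi0/0", "10.1.1.2/24"),
    Interface("edge2", "Gi0/0", "10.1.2.2/24"),
    Interface("edge2", "Gi0/1", "10.1.1.2/24"),  # same address as edge1 Gi0/0: a collision
    Interface("edge3", "Gi0/0", "10.9.9.1/24"),  # nothing is ever observed on this subnet
]

# OSPF hello exchanges recovered from a PCAP, as (source, destination) interface addresses.
OSPF_HELLOS_SEEN = [
    ("10.1.1.1", "10.1.1.2"), ("10.1.1.2", "10.1.1.1"),
    ("10.1.2.1", "10.1.2.2"), ("10.1.2.2", "10.1.2.1"),
]

# Live hosts reported by an NMAP scan (constructed).
SCANNED_HOSTS = ["10.1.1.50", "10.1.2.77", "10.1.3.9", "10.5.0.4"]


def address_owners(interfaces):
    """Map each configured address to every (router, interface) pair that claims it."""
    owners = defaultdict(list)
    for iface in interfaces:
        addr = str(ipaddress.ip_interface(iface.cidr).ip)
        owners[addr].append((iface.router, iface.name))
    return owners


def duplicate_addresses(interfaces):
    """Configuration collisions: one address configured on more than one interface."""
    return {addr: sorted(o) for addr, o in address_owners(interfaces).items() if len(o) > 1}


def router_degree(interfaces, hellos):
    """Distinct neighbouring routers per router, derived only from observed hellos.
    When an address is duplicated, every claimant is treated as a possible neighbour."""
    owners = address_owners(interfaces)
    neighbours = {iface.router: set() for iface in interfaces}
    for src, dst in hellos:
        for r_src, _ in owners.get(src, []):
            for r_dst, _ in owners.get(dst, []):
                if r_src != r_dst:
                    neighbours[r_src].add(r_dst)
                    neighbours[r_dst].add(r_src)
    return {router: len(n) for router, n in neighbours.items()}


def phantom_interfaces(interfaces, hellos, hosts):
    """Interfaces with no evidence of life: no hello on the address and no scanned
    host inside the interface's subnet (working definition assumed by this example)."""
    hello_addrs = {a for pair in hellos for a in pair}
    host_ips = [ipaddress.ip_address(h) for h in hosts]
    phantoms = []
    for iface in interfaces:
        net = ipaddress.ip_interface(iface.cidr)
        if str(net.ip) in hello_addrs:
            continue
        if any(h in net.network for h in host_ips):
            continue
        phantoms.append((iface.router, iface.name))
    return phantoms


def unmanaged_hosts(interfaces, hosts):
    """Scanned hosts that fall in no subnet served by any known router interface."""
    nets = [ipaddress.ip_interface(i.cidr).network for i in interfaces]
    return [h for h in hosts if not any(ipaddress.ip_address(h) in n for n in nets)]


if __name__ == "__main__":
    print("collisions:", duplicate_addresses(ROUTER_INTERFACES))
    print("router degree:", router_degree(ROUTER_INTERFACES, OSPF_HELLOS_SEEN))
    print("phantom interfaces:", phantom_interfaces(ROUTER_INTERFACES, OSPF_HELLOS_SEEN, SCANNED_HOSTS))
    print("unmanaged hosts:", unmanaged_hosts(ROUTER_INTERFACES, SCANNED_HOSTS))
```

Note how the duplicated address masks one of its claimants: edge2 Gi0/1 is never flagged as phantom because hellos for 10.1.1.2 exist, which is why the collision report has to be read before the phantom report.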
• Display enhanced network map with data from
‒ Sensors (taps)
‒ Scanning tools (Nessus, NMAP, …)
‒ Threat intelligence feeds (Lashback, Geospatial, …)
• Display real-time network configuration changes
• Identify vulnerabilities and security patches
• Conduct attack vector analysis to harden network
• Conduct regulatory/policy compliance for reports
‒ STIGs, FISMA, PCI, HIPAA, NERC, ---
• Test resiliency under
‒ Cyber-attacks
‒ Catastrophic failures
• Create Cyber Network Operation Center (CNOC)
Real Discoveries
✓ Misconfigured tunnels
✓ Firewall rule inconsistencies
✓ Unauthorized web servers
✓ Weak passwords
✓ Unprotected wireless access points
✓ Text files containing passwords to sensitive systems
✓ Unpatched software & firmware
Network Map for Cyber Situational Awareness
• Built from Lab Environment
• Used PCAP and Compliance Results
• Aggregate of All Benchmarks
• Average Score Bar Graph
• Palo Alto Firewall Device
• Used for Drift Example
Large Device Support
– All types of Hosts
– All types of Network Equipment
– Integrates with Splunk, Remedy9

Compliance Standards
– Continuous compliance analysis
– Security Content Automation Protocol (SCAP)
– Engine tested and validated by NIST
– Verify and report on compliance status
– Organization configuration checking
– PCI DSS, HIPAA, NERC, SOX, FISMA (USGCB), STIGs, CIS, etc.
– Drill-Down
Visualizing Health
– Examine Composite/Vulnerability Score
– Group-basis
– Daily Trending Scores

Device Analysis
– Identify role and functionality
– Baseline configuration and track drift
– Quantify Security Posture
– View Device Logs
– Interact with the Device
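As an added illustration of the node search, composite scoring, group summaries and device currency (scan age) described on the last few slides, the following is example code written for this page, not the CNOC implementation. It works over a constructed set of benchmark rule results; the device names, group names, benchmark label and rule ids are placeholders, and the scoring rule (fraction of rules passed) is an assumption of the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class RuleResult:
    device: str
    group: str
    benchmark: str
    rule: str
    passed: bool
    scanned: date  # date of the scan that produced this result


# Constructed sample results (hypothetical devices, placeholder benchmark and rule names).
RESULTS = [
    RuleResult("web1", "dmz", "EXAMPLE-STIG", "V-1", True, date(2017, 10, 1)),
    RuleResult("web1", "dmz", "EXAMPLE-STIG", "V-2", False, date(2017, 10, 1)),
    RuleResult("web2", "dmz", "EXAMPLE-STIG", "V-1", True, date(2017, 9, 1)),
    RuleResult("web2", "dmz", "EXAMPLE-STIG", "V-2", True, date(2017, 9, 1)),
    RuleResult("db1", "internal", "EXAMPLE-STIG", "V-1", False, date(2017, 10, 10)),
    RuleResult("db1", "internal", "EXAMPLE-STIG", "V-2", True, date(2017, 10, 10)),
]

AS_OF = date(2017, 10, 15)  # reference date for scan-age checks (constructed)


def hosts_passing_rule(results, benchmark, rule):
    """Node search: every device that passed one named rule of one benchmark."""
    return sorted({r.device for r in results
                   if r.benchmark == benchmark and r.rule == rule and r.passed})


def composite_scores(results):
    """Per-device composite score: fraction of evaluated rules that passed."""
    passed, total = defaultdict(int), defaultdict(int)
    for r in results:
        total[r.device] += 1
        passed[r.device] += int(r.passed)
    return {device: passed[device] / total[device] for device in total}


def group_summary(results):
    """Group/cluster summary: mean composite score of the devices in each group."""
    device_group = {r.device: r.group for r in results}
    scores_by_group = defaultdict(list)
    for device, score in composite_scores(results).items():
        scores_by_group[device_group[device]].append(score)
    return {g: sum(s) / len(s) for g, s in scores_by_group.items()}


def stale_devices(results, as_of, max_age_days):
    """Device currency: devices whose newest scan is older than max_age_days."""
    newest = {}
    for r in results:
        newest[r.device] = max(newest.get(r.device, r.scanned), r.scanned)
    return sorted(d for d, s in newest.items() if (as_of - s).days > max_age_days)


if __name__ == "__main__":
    print("passed V-1:", hosts_passing_rule(RESULTS, "EXAMPLE-STIG", "V-1"))
    print("composite:", composite_scores(RESULTS))
    print("by group:", group_summary(RESULTS))
    print("stale (>30 days):", stale_devices(RESULTS, AS_OF, 30))
```

A stale device can carry a perfect score, as web2 does here, so a health view that shows the score without the scan age overstates the posture; that is the reason currency sits beside the score in the deck's health cell.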
Network Drift Analytics
– Compliance/Vulnerability/Config samples every N days
– Perform deep-diff on samples
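An added example of the deep-diff step (written for this page, not Cyberspace Analytics' code): two constructed config samples of one hypothetical device, taken seven days apart, are parsed into indentation trees and compared recursively, and changes that touch access lists, SNMP or authentication stanzas are pulled out first. The IOS-style sample text and the stanza watchlist are assumptions of the example.

```python
from typing import Any, Dict, List, Tuple

Config = Dict[str, Any]  # nested dicts keyed by the config line itself

# Constructed sample snapshots of one hypothetical device, N days apart
# (not configs from the deck or any real site).
SAMPLE_DAY0 = """\
hostname edge1
interface Gi0/0
 ip address 10.1.1.2 255.255.255.0
 ip access-group MGMT in
ip access-list extended MGMT
 permit tcp 10.1.1.0 0.0.0.255 any eq 22
 deny ip any any
snmp-server community public RO
"""

SAMPLE_DAY7 = """\
hostname edge1
interface Gi0/0
 ip address 10.1.1.2 255.255.255.0
interface Gi0/1
 ip address 192.0.2.1 255.255.255.0
ip access-list extended MGMT
 permit tcp 10.1.1.0 0.0.0.255 any eq 22
 permit tcp any any eq 22
 deny ip any any
snmp-server community public RO
"""

# Stanzas whose drift is security relevant and should be surfaced first (assumed list).
WATCH_PREFIXES = ("ip access-list", "ip access-group", "snmp-server", "aaa ", "username ")


def parse_config(text: str) -> Config:
    """Turn an indentation-structured config (IOS style) into nested dicts.
    Each line becomes a key; its indented children become the nested dict."""
    root: Config = {}
    stack: List[Tuple[int, Config]] = [(-1, root)]
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and comments carry no configuration
        indent = len(raw) - len(raw.lstrip(" "))
        while stack[-1][0] >= indent:
            stack.pop()  # back out to the enclosing stanza
        node: Config = {}
        stack[-1][1][raw.strip()] = node
        stack.append((indent, node))
    return root


def deep_diff(old: Config, new: Config, path: Tuple[str, ...] = ()) -> List[Tuple[str, Tuple[str, ...]]]:
    """Recursive set difference over the parsed trees. A removed or added stanza
    is reported once, at its root, rather than once per child line."""
    changes = []
    for line in sorted(set(old) | set(new)):
        here = path + (line,)
        if line not in new:
            changes.append(("removed", here))
        elif line not in old:
            changes.append(("added", here))
        else:
            changes.extend(deep_diff(old[line], new[line], here))
    return changes


def security_relevant(changes):
    """Keep only drift that touches a watched stanza anywhere on its path."""
    return [c for c in changes if any(part.startswith(WATCH_PREFIXES) for part in c[1])]


def drift_report(samples: List[Tuple[str, str]]):
    """Diff each periodic sample against the previous one; keys are (from, to) labels."""
    report = {}
    for (label_a, text_a), (label_b, text_b) in zip(samples, samples[1:]):
        report[(label_a, label_b)] = deep_diff(parse_config(text_a), parse_config(text_b))
    return report


if __name__ == "__main__":
    for window, changes in drift_report([("day0", SAMPLE_DAY0), ("day7", SAMPLE_DAY7)]).items():
        print(window)
        for kind, path in security_relevant(changes):
            print("  SECURITY", kind, " / ".join(path))
        for kind, path in changes:
            print("  ", kind, " / ".join(path))
```

Two of the three changes in this sample are the kind a drift report exists to catch: the management ACL was unbound from the interface and the ACL itself gained a broad permit, while the new interface is ordinary change. Keying the tree by the literal line means a duplicated line within one stanza collapses to one key; the comparison is set-based, so the order of lines within a stanza does not register as drift.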
Regulatory Compliance – Configuration Drifts
Regulatory Compliance – Security Dashboard Drill-Down
Data Extraction and Reporting
CONOP
– Active & Passive Collection
– Real-Time Taps
– Real-Time Update
– Visualize Deltas
– Create Virtual Reality of the Network's Data Space
• "The Matrix"

Intel NUC - vNOC/CNOC
– Commodity Hardware
– Light weight
– Low Power
– Portable
✓ Passive Collections
✓ Automated Active Collections
✓ Automated Alerting
✓ Integration with Help Desk
✓ Interact Virtually with the Network
✓ Track Network Health/Map Changes
CNOC
• Attacks are a given – knowledge is power
‒ Must go beyond simple analytics, tables, raw storage and expensive rack-mounted solutions
‒ Turn massive amounts of data into actionable and manageable information
• Merge network and cyber situational awareness
• This will only work if solutions are
‒ Scalable
‒ Affordable
‒ Supportable
‒ Effective
The Gold Standard for Security
CNOC
Deployed in enterprise networks to implement robust security
Discussion