Manufacturer of Computer, Networking & Communications Products 300 Facilities in 50 Countries Over...
-
Upload
posy-gardner -
Category
Documents
-
view
213 -
download
0
Transcript of Manufacturer of Computer, Networking & Communications Products 300 Facilities in 50 Countries Over...
Protecting Your Intellectual Property with Microsoft BI at IntelGrant BabbProgram ManagerIntel Corporation
SESSION CODE: BIC304
AgendaIntel and Risk ManagementThe Risk Management ProcessIntellectual Property Protection BI for Proactive MonitoringDemoBI Support for Whole Disk EncryptionBI for Risk ManagementDoing it at Your CompanyQ&A
Intel Corporation:The World’s Largest Semiconductor ManufacturerManufacturer of Computer, Networking & Communications Products
300 Facilities in 50 Countries
Over $35B in Annual Revenues from Customers in Over 120 Countries
23 Consecutive Years of Positive Net Income
Approximately 80,000 Employees
43,000 technical degrees, 12,000 Masters in Science, 4,000 PhD’s, 4,000 MBA’s
One of the Top Ten Most Valuable Brands in the World for 10 Consecutive Years
Invests $100 Million Each Year in Education Across More than 50 Countries
The Single-Largest Corporate Purchaser of Green Power in the United States
One Million Hours of Volunteer Service in Our Communities in 2008
Risk Management @Intel
Risk Management Goals:Keep Intel legalAvailability of InformationProtection of Information Cost effectiveness of controls
Open Access
Locked Down
Security & Controls increase cost &
constrains use of data & systems
Balancing Interests
Information assets should be
reasonably PROTECTED
Information assets should be fully protected
A reasonably protected digital environment is necessary for a strong digital future
The Risk Management Process
Steps in Risk ManagementStep Goal
Identify Risk Build a list of what could probably go wrong
Assess Risk Assign values to items in the list based on how likely they are to happen and how bad things will be if they do happen
Rank Risk Put the list of items in order of “how bad”
Mitigate RiskTake an action or spend some money; the goal is to make the
risk less likely to happen or decrease how bad things will be if it does happen
Accept Risk When the risk improvement is smaller than the cost of making the improvement, monitor and rely on other protections instead
Business need: put risks into a consistent language that management can use to make decisions
The Risk Management Process
L * I = RRISK
The relative level of “bad”. This is stated as a number or some logical
output of High, Medium, and Low combinations
LIKELIHOODHow likely is it something
bad will happen?Usually a subjective probability based on
recent experience. Might be a number or
High/Medium/Low
IMPACTThe fallout if something bad happens. Could be
tied to revenue lost, reputation hit, litigation costs, or fines. Might be
a number or High/Medium/Low
Protecting Intellectual PropertyWhat information do you need to protect at your company?Among other information, Intel needs to protect its intellectual property
Intellectual Property (IP) is what gives a company its competitive advantage.You can only call it IP if you safeguard it
Two possible ways that IP can be lost:The data is lost when a laptop is lost or stolenMisuse of the data by accessing the system
Two potential solutions to manage risk:Encrypt hard drives in laptops to minimize data lossImplement proactive monitoring of systems that contain IP
Proactive MonitoringWe wanted to monitor access to systems containing IP, and correlate that with other contextual data sources in the organization In 2009 our project team explored multiple approaches to monitoring across different industries:
Intrusion detection systems for networksFraud detection systems for financeBalanced scorecards in BI
Business Intelligence was selected as the candidate approachBalanced scorecard was a better way to look at multiple risk indicators over a rule-based approachSuccessful benchmark of Risk Management concepts to BI
BI-RM Benchmark
Comparison of Concepts in Risk Management to Business Intelligence
Risk Management Term Business Intelligence Term
Security Goal: Will our intellectual property be safeguarded?
Business Goal: Will we hit our revenue target?
Risk: unauthorized access to controlled technology
KPI: Internet Sales
Failure Condition: Someone in a restricted country accesses a controlled technology file
Value: Total amount of product sales from Internet accounts
Likelihood: 0% or 100% for a single person, or total failures as a percentage of total users
Goal: $25 million total sales for this quarter
Impact: Low impact for an HPC country, medium for a controlled country, high for an embargoed country
Weight: Ranked at 3 because Internet sales are expected to grow faster than other streams this quarter
Business Advantage Risk ModelWe needed to build a risk model that would detect unusual activity in systems containing IP, activity that might point to misuse for personal gainKey input was a CERT Study conducted in 2008, looking at the statistics behind misappropriated IP:
70% took place within 3 weeks of resignation80% had access to the information71% held technical jobs; 29% occupied sales positions
The resulting risk model consists of measures and KPI’s in a UDM that measure and report unusual activity in an IP system
Business Advantage Risk ModelMeasures to calculate unusual patterns of access: more access than usual, outside of the usual hours, etc.Measures to relate context to access: employees that have non-technical job descriptions with their patterns of accessThe measure itself becomes the KPI ValueThe KPI Goal is our threshold for unusual
Might be based on statistical comparison (filter for outliers)Might be 0 (no filter)
The KPI Status tells if we passed the threshold (1=yes, 0=no)KPI Weight gives us a way to differentiate with more context: 1 if 14-day notice to leave, 3 or 5 if notice is shorterKPI Status * KPI Weight roll up to a parent KPI, the risk score
XMLA: KPI’s used in a risk model<Kpi><ID>KPI 1</ID><Name>Business Advantage</Name> <Value> (KPISTATUS("Access By Non-Technical")*KPIWEIGHT("Access By Non-Technical")) + (KPISTATUS("Outlier Access")*KPIWEIGHT("Outlier Access")) + (KPISTATUS("Outlier Access - Docs")*KPIWEIGHT("Outlier Access - Docs")) + (KPISTATUS("Outlier Access - Hours")*KPIWEIGHT("Outlier Access - Hours")) + (KPISTATUS("Non-Reg Access")*KPIWEIGHT("Non-Reg Access")) </Value><Goal>10</Goal> <ID>KPI 6</ID><Name>Access By Non-Technical</Name> <Value> ([Measures].[Access Count],[Employee].[Job Code].&[0031])+ ([Measures].[Access Count],[Employee].[Job Code].&[0576])+ ([Measures].[Access Count],[Employee].[Job Code].&[0121])+ ([Measures].[Access Count],[Employee].[Job Code].&[4027])+ ([Measures].[Access Count],[Employee].[Job Code].&[0014])+ ([Measures].[Access Count],[Employee].[Job Code].&[ADMIN])+ </Value> <Goal>0</Goal> <Status> IIf (KPIValue( "Access By Non-Technical" ) - KPIGoal( "Access By Non-Technical" ) <=
0, 0, 1 ) </Status> <Weight>1</Weight></Kpi>
MDX: Risk Model Querywithset [EmployeeAccess] AS NonEmpty([Employee].[EmpNo].[EmpNo]*[Time].[Year-Week].[Week].&[2010-06-06T00:00:00],{[Measures].[Access Ct]})Select{[Measures].[Access Ct], [Measures].[Distinct Ct],KPIValue(“Risk Trend"),KPIValue(“Outlier Access"),KPIStatus("Outlier Access"),KPIWeight("Outlier Access"),KPIValue(“Outlier Distinct"),KPIStatus("Outlier Distinct"),KPIWeight(“Outlier Distinct"),KPIValue(“Outlier Hours"),KPIStatus(“Outlier Hours"),KPIWeight(“Outlier Hours")} on 0, // pull all the KPI components, and the access aggregates [EmployeeAccess] having(KPIValue(“Risk Trend") > 0) AND (KPIStatus(“Outlier Access") > 0OR KPIStatus(“Outlier Distinct") > 0OR KPIStatus(“Outlier Hours") > 0) on 1 //slice by employees from [IPMonitoringCube]
IP Access Monitoring With Microsoft BIGrant BabbProgram ManagerIntel Corporation
DEMO
Solution Elements - Hardware
Hardware used in Solution ArchitectureType Component
CPU 4 X Intel® Xeon® MP Nehalem-EX X7560 2.26Ghz 24M 6.4 GT/s
Memory 16 X 1GB 133MHz Reg ECC DDR3
HD 6 X 300GB 10K RPM (MIRRORED)
• Data Warehouse is in one SQL Server Cluster• Analysis Services, Reporting, and Web Apps are in a second cluster
Solution Elements - Software
BI Support for Proactive Monitoring
Component Function
SQL Server Integration Services 2008 (SSIS)
ETL: extract from DB, web service, and unstructured source; add time and other de-normalized columns; load from stage to DWAnalysis: process dimensions and fact tables in the UDM; run risk model query; transform and load model results into reporting DB
SQL Server 2008 Relational Database for Data Warehouse; reporting DB, workflow application DB, workflow persistence DB
SQL Server Analysis Services 2008 (SSAS)
Unified Dimensional Model for each risk model; measures drive KPI values, which roll up into a parent KPI, the risk model score; data mining models based on risk model queries
SQL Server Reporting Services 2008 (SSRS)
Reports based on UDM and relational DB - risk reports and drilldown reports; automated rendering of reports
Windows Workflow Foundation Risk events are entered into a workflow process for investigation and follow up
Windows Communication Foundation
Data and workflow components are wrapped in .Net TCP service bindings for security and performance
Combining the Data
Data SourcesAccess Logs
Content SourcesLDAP, Lookups
Data Warehouse
Cube for each Risk Model and ProgramDimensions, Facts, Measures, KPIs
ETL PackagesSource System Pulls
Delivering the Value
Data Warehouse
ETL PackagesRisk Model Queries
Cube for each Risk Model and Program
ReportsTrend, Drilldown
Workflow AppsUI and workflow tracking
Data Mining ModelsAssociation, Cluster, Neural Network, Naïve Bayesian, Decision Tree
Challenges Using Security Data in BIAccess logs are network-centric information: timestamps and IP addresses are common fieldsThe time of access in a log is not the time on the clock where it is being accessed Access patterns vary significantly from user to userPossibilities for slicing and dicing can be exponential (IP address, all the software on all the computers)We needed to transform and measure security data in a way that matched up data indirectly , comprehended variation, and was still usable for reporting
BI Challenge #1Problem: Access logs use fields like timestamps and IP addresses. We needed to convert these into more UDM-friendly formats so we can optimize slicing and dicing of the data.Solution: During the ETL step, add a column that converts the field into an int or bigint type. Use that to relate dimensions to facts.
SQL : Changing key fields to int and bigint typesUPDATE dbo.accessrecords_factSET date_key = CAST(CAST(DATEPART(yyyy,event_time) as varchar(4)) + (CASE WHENLEN(DATEPART(mm, event_time)) > 1THEN CAST(DATEPART(mm, event_time) as varchar(2)) // converts a time stamp to an intELSE '0' + CAST(DATEPART(mm, event_time) as varchar(1)) // of format YYYYDDMMEND) + (CASE WHENLEN(DATEPART(dd, event_time)) > 1 // because day can be 1 digit or 2THEN CAST(DATEPART(dd, event_time) as varchar(2)) ELSE '0' + CAST(DATEPART(dd, event_time) as varchar(1))END) as int)WHERE date_key IS NULL
CREATE FUNCTION [dbo].[ConvertIPToBigint](@IP varchar(15))RETURNS bigintASBEGIN //this is a more novel way to parse the address than using a cursor or loop and string functions
DECLARE @retval bigintSET @retval = CONVERT(bigint, PARSENAME(@IP, 4)) * 256 * 256 * 256 +
CONVERT(bigint, PARSENAME(@IP, 3)) * 256 * 256 +CONVERT(bigint, PARSENAME(@IP, 2)) * 256 +CONVERT(bigint, PARSENAME(@IP, 1))
RETURN (@retval)END
BI Challenge #2Problem: Log time is often different from the time of access. We need to utilize local time for our risk model, but different geos make local time complexSolution: Use an employee database that gives you location, an intermediate table to lookup GMT offset for that location, and calculate local time from both lookups
SQL: Local Time instead of Log TimeSELECT
dateadd(hh,gmt.gmt_offset,[log_time]) as "local time"FROM [dbo].[accessrecords_fact] accLEFT JOIN [dbo].[Employee] empON .acc.empno = emp.empnoLEFT JOIN [dbo].[lkp_loc_offset] gmtON emp.loc = gmt.loc_code and emp.cntry_code=gmt.cntry_code
BI Challenge #3Problem: How do we implement statistical measures of access? Not everyone accesses a system the same way, we could create a lot of false positives or false negatives by choosing the wrong approach.Solution: Create measures based on average and standard deviation, but slice it by the individual user. This gives you measures that compare access records to the pattern of the individual , not the whole user population.
MDX: Statistical measures of accessCREATE SET CURRENTCUBE.[WorkerWeeks] AS NonEmpty([Employee].[EmpNo].[EmpNo]* ([Time].[Year-Week].[Week].&[2008-12-28T00:00:00]:[Time].[Year-Week].[Week].&[2009-12-27T00:00:00]),{[Measures].[Unlocker Access Ct]}); CREATE MEMBER CURRENTCUBE.[MEASURES].[AvgWeeklyAccess] AS Avg(exists([WorkerWeeks],{[Employee].[EmpNo].CurrentMember}),[Measures].[Access Ct]), VISIBLE = 1;
CREATE MEMBER CURRENTCUBE.[MEASURES].[STDWeeklyAccess] AS StdDev(exists([WorkerWeeks],{[Employee].[EmpNo].CurrentMember}),[Measures].[Access Ct]), FORMAT_STRING = "#.0", VISIBLE = 1;
CREATE MEMBER CURRENTCUBE.[MEASURES].[DevWeeklyAccess] AS ([Measures].[Access Ct] -[Measures].[AvgWeeklyAccess]) /[Measures].[STDWeeklyAccess], FORMAT_STRING = "#.0", VISIBLE = 1;
BI Challenge #4Problem: IP Addresses have 256*256*256*256 combinations. This is NOT a good dimension to use for slicing data. How do we optimize a dimension like this?Solution: It is likely that a much smaller subset of IP addresses will actually be in your access records. Use an ETL job that does a SELECT DISTINCT on IP addresses then join this set to relevant lookup data. Run the job anytime you add new fact table data.
SQL: IP DimensionSELECT ip_address1 as “active_ip_address”, ip_address1_int as “active_ip_int”FROM dbo.dim_ip_framedUNIONSELECT CallingStationID, call_station_id_intFROM dbo.dim_ip_callstationUNIONSELECT Tunnel_Client_Endpoint, tunnel_client_id_intFROM dbo.dim_ip_tunnel
CREATE VIEW [dbo].[vw_dim_tunnel_ip]ASSELECT [active_ip_int]
,[active_ip_address] ,lkp.[loc_id] ,[ip_from] ,[ip_to] ,[country_code] ,[country_name] ,[region_name] ,[city_name] FROM [dbo].[dim_active_ip] dim INNER JOIN [dbo].[lkp_ip_location] lkpON dim.active_ip_int >= lkp.[ip_from] AND dim. active_ip_int <= lkp.[ip_to]
BI Support for Whole Disk EncryptionTo minimize the impact of a data loss, Intel started a program to encrypt the hard drives in laptops.Early in the program it became clear that we needed reporting that tied together disparate data sources
One system had the information on which machines were encryptedOne system told us which laptop belonged to which employeeOne system told us the organization to which an employee belonged
As we got further into the program, the task became more complexAccurate accounting for management: the numbers had to take into account a shifting base of assets and multiplying requirementsProgram decisions needed hard numbers for hard decisions
Solution Elements
BI Support for Whole Disk Encryption
Component Function
SQL Server Integration Services 2008 (SSIS)
ETL: copy flat files from shares; strip out headers and report decoration; extract to stage; transform and filter data in stage; load to production; Analysis: process dimensions and fact tables in the UDM; run risk model query; transform and load model results into reporting DB
SQL Server 2008 Relational Database for Data Warehouse and SSRS Reporting DB; views implement complex requirements from the program about what to count and where
SQL Server Analysis Services 2008 (SSAS) Unified Dimensional Model for decision support
SQL Server Reporting Services 2008 (SSRS)
Reports based on UDM and relational DB; some allow slicing and dicing of encryption statistics at higher levels, some are parameterized queries for detail at the lowest level
Excel 2007 Ad hoc reporting for program decisions
BI for Risk ManagementRisk Management TodayHow BI fits into Defense-in-DepthBI Solutions for Risk Management
Risk Management TodayRisk Assessment
Risk MitigationMight be tied to one or more risks, but each effort is tracked and measured with different data, rarely integrated
Risk AcceptanceAccepted as a low risk, but almost never measured or
validated after the acceptance decision
Risk = Likelihood*Impact
-OR-
LatherRinse
Repeat
BI for Defense-in-DepthPreventive controls like access control or authorization processes do a good job of only allowing access based on business needYou have to balance restricted access with the overhead of controlling it. Preventive controls can be
Cost ineffective if you lock down access too muchRisk ineffective you lock down access too little
BI can be a solid detective control to complement preventive controls.Lower risk while keeping cost in the “sweet spot”Offers additional protection because is not based on business need
Builds a new business case for Log Analysis
BI for Risk ManagementHow do we get from high, medium, and low to a realistic picture of risk?
BI is a natural fit for replacing high, medium, and low with percentages and numbersA multidimensional model enables us to look across multiple risks
How do we measure Security ROI, compare how much we spent with how much we reduced the risk?
Slicing measures by time gives a picture of risk before and after a control went into placeKPI Trends are an added way for management to evaluate ROI
How do we compare different approaches to manage risk without spending the money or effort first?
Data warehouses that integrate many sources of security data help us compare competing effects of mitigation effortsScenario dimensions and data mining can be used for advanced analytics
Doing it at Your CompanyMaintaining data quality can be a big challenge
Build in audit, logging, and reporting into your ETL packagesBudget for the appropriate level of support
Develop Security BI as a hybrid skill setBuild security and RM skills in BI developersBuild BI knowledge and skills in security staff
Value MDX and Data Mining as core skills - some problems can only be solved with these toolsStart with one business problem and build on that success
Q&A
Resources
CERT Insider Threat Research
Risk ManagementMicrosoft Security Risk Management GuideNIST 800-30: Risk Management Guide for Information Technology Systems
Related Content
Breakout SessionsBIE01-INT | Microsoft SQL Server Analysis Services Consolidation Best Practices and ConsiderationsBIE02-INT | Microsoft SQL Server Analysis Services Dimension Management with Master Data Services (MDS)
Product Demo StationsOffice 2010 Power Pivot; Business Intelligence – Intel BoothProtecting IP at Intel with MS BI – Intel Booth
Product Demo StationsBIE06-HOL | Microsoft SQL Server Integration Services: Logging and Errror Handling
Resources
www.microsoft.com/teched
Sessions On-Demand & Community Microsoft Certification & Training Resources
Resources for IT Professionals Resources for Developers
www.microsoft.com/learning
http://microsoft.com/technet http://microsoft.com/msdn
Learning
Complete an evaluation on CommNet and enter to win!
Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st
http://northamerica.msteched.com/registration
You can also register at the
North America 2011 kiosk located at registrationJoin us in Atlanta next year
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to
be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.