Protecting Your Intellectual Property with Microsoft BI at IntelGrant BabbProgram ManagerIntel Corporation

SESSION CODE: BIC304

AgendaIntel and Risk ManagementThe Risk Management ProcessIntellectual Property Protection BI for Proactive MonitoringDemoBI Support for Whole Disk EncryptionBI for Risk ManagementDoing it at Your CompanyQ&A

Intel Corporation:The World’s Largest Semiconductor ManufacturerManufacturer of Computer, Networking & Communications Products

300 Facilities in 50 Countries

Over $35B in Annual Revenues from Customers in Over 120 Countries

23 Consecutive Years of Positive Net Income

Approximately 80,000 Employees

43,000 technical degrees, 12,000 Masters in Science, 4,000 PhD’s, 4,000 MBA’s

One of the Top Ten Most Valuable Brands in the World for 10 Consecutive Years

Invests $100 Million Each Year in Education Across More than 50 Countries

The Single-Largest Corporate Purchaser of Green Power in the United States

One Million Hours of Volunteer Service in Our Communities in 2008

Risk Management @Intel

Risk Management Goals:Keep Intel legalAvailability of InformationProtection of Information Cost effectiveness of controls

Open Access

Locked Down

Security & Controls increase cost &

constrains use of data & systems

Balancing Interests

Information assets should be

reasonably PROTECTED

Information assets should be fully protected

A reasonably protected digital environment is necessary for a strong digital future

The Risk Management Process

Steps in Risk ManagementStep Goal

Identify Risk Build a list of what could probably go wrong

Assess Risk Assign values to items in the list based on how likely they are to happen and how bad things will be if they do happen

Rank Risk Put the list of items in order of “how bad”

Mitigate RiskTake an action or spend some money; the goal is to make the

risk less likely to happen or decrease how bad things will be if it does happen

Accept Risk When the risk improvement is smaller than the cost of making the improvement, monitor and rely on other protections instead

Business need: put risks into a consistent language that management can use to make decisions

The Risk Management Process

L * I = RRISK

The relative level of “bad”. This is stated as a number or some logical

output of High, Medium, and Low combinations

LIKELIHOODHow likely is it something

bad will happen?Usually a subjective probability based on

recent experience. Might be a number or

High/Medium/Low

IMPACTThe fallout if something bad happens. Could be

tied to revenue lost, reputation hit, litigation costs, or fines. Might be

a number or High/Medium/Low

Protecting Intellectual PropertyWhat information do you need to protect at your company?Among other information, Intel needs to protect its intellectual property

Intellectual Property (IP) is what gives a company its competitive advantage.You can only call it IP if you safeguard it

Two possible ways that IP can be lost:The data is lost when a laptop is lost or stolenMisuse of the data by accessing the system

Two potential solutions to manage risk:Encrypt hard drives in laptops to minimize data lossImplement proactive monitoring of systems that contain IP

Proactive MonitoringWe wanted to monitor access to systems containing IP, and correlate that with other contextual data sources in the organization In 2009 our project team explored multiple approaches to monitoring across different industries:

Intrusion detection systems for networksFraud detection systems for financeBalanced scorecards in BI

Business Intelligence was selected as the candidate approachBalanced scorecard was a better way to look at multiple risk indicators over a rule-based approachSuccessful benchmark of Risk Management concepts to BI

BI-RM Benchmark

Comparison of Concepts in Risk Management to Business Intelligence

Risk Management Term Business Intelligence Term

Security Goal: Will our intellectual property be safeguarded?

Business Goal: Will we hit our revenue target?

Risk: unauthorized access to controlled technology

KPI: Internet Sales

Failure Condition: Someone in a restricted country accesses a controlled technology file

Value: Total amount of product sales from Internet accounts

Likelihood: 0% or 100% for a single person, or total failures as a percentage of total users

Goal: $25 million total sales for this quarter

Impact: Low impact for an HPC country, medium for a controlled country, high for an embargoed country

Weight: Ranked at 3 because Internet sales are expected to grow faster than other streams this quarter

Business Advantage Risk ModelWe needed to build a risk model that would detect unusual activity in systems containing IP, activity that might point to misuse for personal gainKey input was a CERT Study conducted in 2008, looking at the statistics behind misappropriated IP:

70% took place within 3 weeks of resignation80% had access to the information71% held technical jobs; 29% occupied sales positions

The resulting risk model consists of measures and KPI’s in a UDM that measure and report unusual activity in an IP system

Business Advantage Risk ModelMeasures to calculate unusual patterns of access: more access than usual, outside of the usual hours, etc.Measures to relate context to access: employees that have non-technical job descriptions with their patterns of accessThe measure itself becomes the KPI ValueThe KPI Goal is our threshold for unusual

Might be based on statistical comparison (filter for outliers)Might be 0 (no filter)

The KPI Status tells if we passed the threshold (1=yes, 0=no)KPI Weight gives us a way to differentiate with more context: 1 if 14-day notice to leave, 3 or 5 if notice is shorterKPI Status * KPI Weight roll up to a parent KPI, the risk score

XMLA: KPI’s used in a risk model<Kpi><ID>KPI 1</ID><Name>Business Advantage</Name> <Value> (KPISTATUS("Access By Non-Technical")*KPIWEIGHT("Access By Non-Technical")) + (KPISTATUS("Outlier Access")*KPIWEIGHT("Outlier Access")) + (KPISTATUS("Outlier Access - Docs")*KPIWEIGHT("Outlier Access - Docs")) + (KPISTATUS("Outlier Access - Hours")*KPIWEIGHT("Outlier Access - Hours")) + (KPISTATUS("Non-Reg Access")*KPIWEIGHT("Non-Reg Access")) </Value><Goal>10</Goal> <ID>KPI 6</ID><Name>Access By Non-Technical</Name> <Value> ([Measures].[Access Count],[Employee].[Job Code].&amp;[0031])+ ([Measures].[Access Count],[Employee].[Job Code].&amp;[0576])+ ([Measures].[Access Count],[Employee].[Job Code].&amp;[0121])+ ([Measures].[Access Count],[Employee].[Job Code].&amp;[4027])+ ([Measures].[Access Count],[Employee].[Job Code].&amp;[0014])+ ([Measures].[Access Count],[Employee].[Job Code].&amp;[ADMIN])+ </Value> <Goal>0</Goal> <Status> IIf (KPIValue( "Access By Non-Technical" ) - KPIGoal( "Access By Non-Technical" ) &lt;=

0, 0, 1 ) </Status> <Weight>1</Weight></Kpi>

MDX: Risk Model Querywithset [EmployeeAccess] AS NonEmpty([Employee].[EmpNo].[EmpNo]*[Time].[Year-Week].[Week].&[2010-06-06T00:00:00],{[Measures].[Access Ct]})Select{[Measures].[Access Ct], [Measures].[Distinct Ct],KPIValue(“Risk Trend"),KPIValue(“Outlier Access"),KPIStatus("Outlier Access"),KPIWeight("Outlier Access"),KPIValue(“Outlier Distinct"),KPIStatus("Outlier Distinct"),KPIWeight(“Outlier Distinct"),KPIValue(“Outlier Hours"),KPIStatus(“Outlier Hours"),KPIWeight(“Outlier Hours")} on 0, // pull all the KPI components, and the access aggregates [EmployeeAccess] having(KPIValue(“Risk Trend") > 0) AND (KPIStatus(“Outlier Access") > 0OR KPIStatus(“Outlier Distinct") > 0OR KPIStatus(“Outlier Hours") > 0) on 1 //slice by employees from [IPMonitoringCube]

IP Access Monitoring With Microsoft BIGrant BabbProgram ManagerIntel Corporation

DEMO

Solution Elements - Hardware

Hardware used in Solution ArchitectureType Component

CPU 4 X Intel® Xeon® MP Nehalem-EX X7560 2.26Ghz 24M 6.4 GT/s

Memory 16 X 1GB 133MHz Reg ECC DDR3

HD 6 X 300GB 10K RPM (MIRRORED)

• Data Warehouse is in one SQL Server Cluster• Analysis Services, Reporting, and Web Apps are in a second cluster

Solution Elements - Software

BI Support for Proactive Monitoring

Component Function

SQL Server Integration Services 2008 (SSIS)

ETL: extract from DB, web service, and unstructured source; add time and other de-normalized columns; load from stage to DWAnalysis: process dimensions and fact tables in the UDM; run risk model query; transform and load model results into reporting DB

SQL Server 2008 Relational Database for Data Warehouse; reporting DB, workflow application DB, workflow persistence DB

SQL Server Analysis Services 2008 (SSAS)

Unified Dimensional Model for each risk model; measures drive KPI values, which roll up into a parent KPI, the risk model score; data mining models based on risk model queries

SQL Server Reporting Services 2008 (SSRS)

Reports based on UDM and relational DB - risk reports and drilldown reports; automated rendering of reports

Windows Workflow Foundation Risk events are entered into a workflow process for investigation and follow up

Windows Communication Foundation

Data and workflow components are wrapped in .Net TCP service bindings for security and performance

Combining the Data

Data SourcesAccess Logs

Content SourcesLDAP, Lookups

Data Warehouse

Cube for each Risk Model and ProgramDimensions, Facts, Measures, KPIs

ETL PackagesSource System Pulls

Delivering the Value

Data Warehouse

ETL PackagesRisk Model Queries

Cube for each Risk Model and Program

ReportsTrend, Drilldown

Workflow AppsUI and workflow tracking

Data Mining ModelsAssociation, Cluster, Neural Network, Naïve Bayesian, Decision Tree

Challenges Using Security Data in BIAccess logs are network-centric information: timestamps and IP addresses are common fieldsThe time of access in a log is not the time on the clock where it is being accessed Access patterns vary significantly from user to userPossibilities for slicing and dicing can be exponential (IP address, all the software on all the computers)We needed to transform and measure security data in a way that matched up data indirectly , comprehended variation, and was still usable for reporting

BI Challenge #1Problem: Access logs use fields like timestamps and IP addresses. We needed to convert these into more UDM-friendly formats so we can optimize slicing and dicing of the data.Solution: During the ETL step, add a column that converts the field into an int or bigint type. Use that to relate dimensions to facts.

SQL : Changing key fields to int and bigint typesUPDATE dbo.accessrecords_factSET date_key = CAST(CAST(DATEPART(yyyy,event_time) as varchar(4)) + (CASE WHENLEN(DATEPART(mm, event_time)) > 1THEN CAST(DATEPART(mm, event_time) as varchar(2)) // converts a time stamp to an intELSE '0' + CAST(DATEPART(mm, event_time) as varchar(1)) // of format YYYYDDMMEND) + (CASE WHENLEN(DATEPART(dd, event_time)) > 1 // because day can be 1 digit or 2THEN CAST(DATEPART(dd, event_time) as varchar(2)) ELSE '0' + CAST(DATEPART(dd, event_time) as varchar(1))END) as int)WHERE date_key IS NULL

CREATE FUNCTION [dbo].[ConvertIPToBigint](@IP varchar(15))RETURNS bigintASBEGIN //this is a more novel way to parse the address than using a cursor or loop and string functions

DECLARE @retval bigintSET @retval = CONVERT(bigint, PARSENAME(@IP, 4)) * 256 * 256 * 256 +

CONVERT(bigint, PARSENAME(@IP, 3)) * 256 * 256 +CONVERT(bigint, PARSENAME(@IP, 2)) * 256 +CONVERT(bigint, PARSENAME(@IP, 1))

RETURN (@retval)END

BI Challenge #2Problem: Log time is often different from the time of access. We need to utilize local time for our risk model, but different geos make local time complexSolution: Use an employee database that gives you location, an intermediate table to lookup GMT offset for that location, and calculate local time from both lookups

SQL: Local Time instead of Log TimeSELECT

dateadd(hh,gmt.gmt_offset,[log_time]) as "local time"FROM [dbo].[accessrecords_fact] accLEFT JOIN [dbo].[Employee] empON .acc.empno = emp.empnoLEFT JOIN [dbo].[lkp_loc_offset] gmtON emp.loc = gmt.loc_code and emp.cntry_code=gmt.cntry_code

BI Challenge #3Problem: How do we implement statistical measures of access? Not everyone accesses a system the same way, we could create a lot of false positives or false negatives by choosing the wrong approach.Solution: Create measures based on average and standard deviation, but slice it by the individual user. This gives you measures that compare access records to the pattern of the individual , not the whole user population.

MDX: Statistical measures of accessCREATE SET CURRENTCUBE.[WorkerWeeks] AS NonEmpty([Employee].[EmpNo].[EmpNo]* ([Time].[Year-Week].[Week].&[2008-12-28T00:00:00]:[Time].[Year-Week].[Week].&[2009-12-27T00:00:00]),{[Measures].[Unlocker Access Ct]}); CREATE MEMBER CURRENTCUBE.[MEASURES].[AvgWeeklyAccess] AS Avg(exists([WorkerWeeks],{[Employee].[EmpNo].CurrentMember}),[Measures].[Access Ct]), VISIBLE = 1;

CREATE MEMBER CURRENTCUBE.[MEASURES].[STDWeeklyAccess] AS StdDev(exists([WorkerWeeks],{[Employee].[EmpNo].CurrentMember}),[Measures].[Access Ct]), FORMAT_STRING = "#.0", VISIBLE = 1;

CREATE MEMBER CURRENTCUBE.[MEASURES].[DevWeeklyAccess] AS ([Measures].[Access Ct] -[Measures].[AvgWeeklyAccess]) /[Measures].[STDWeeklyAccess], FORMAT_STRING = "#.0", VISIBLE = 1;

BI Challenge #4Problem: IP Addresses have 256*256*256*256 combinations. This is NOT a good dimension to use for slicing data. How do we optimize a dimension like this?Solution: It is likely that a much smaller subset of IP addresses will actually be in your access records. Use an ETL job that does a SELECT DISTINCT on IP addresses then join this set to relevant lookup data. Run the job anytime you add new fact table data.

SQL: IP DimensionSELECT ip_address1 as “active_ip_address”, ip_address1_int as “active_ip_int”FROM dbo.dim_ip_framedUNIONSELECT CallingStationID, call_station_id_intFROM dbo.dim_ip_callstationUNIONSELECT Tunnel_Client_Endpoint, tunnel_client_id_intFROM dbo.dim_ip_tunnel

CREATE VIEW [dbo].[vw_dim_tunnel_ip]ASSELECT [active_ip_int]

,[active_ip_address] ,lkp.[loc_id] ,[ip_from] ,[ip_to] ,[country_code] ,[country_name] ,[region_name] ,[city_name] FROM [dbo].[dim_active_ip] dim INNER JOIN [dbo].[lkp_ip_location] lkpON dim.active_ip_int >= lkp.[ip_from] AND dim. active_ip_int <= lkp.[ip_to]

BI Support for Whole Disk EncryptionTo minimize the impact of a data loss, Intel started a program to encrypt the hard drives in laptops.Early in the program it became clear that we needed reporting that tied together disparate data sources

One system had the information on which machines were encryptedOne system told us which laptop belonged to which employeeOne system told us the organization to which an employee belonged

As we got further into the program, the task became more complexAccurate accounting for management: the numbers had to take into account a shifting base of assets and multiplying requirementsProgram decisions needed hard numbers for hard decisions

Solution Elements

BI Support for Whole Disk Encryption

Component Function

SQL Server Integration Services 2008 (SSIS)

ETL: copy flat files from shares; strip out headers and report decoration; extract to stage; transform and filter data in stage; load to production; Analysis: process dimensions and fact tables in the UDM; run risk model query; transform and load model results into reporting DB

SQL Server 2008 Relational Database for Data Warehouse and SSRS Reporting DB; views implement complex requirements from the program about what to count and where

SQL Server Analysis Services 2008 (SSAS) Unified Dimensional Model for decision support

SQL Server Reporting Services 2008 (SSRS)

Reports based on UDM and relational DB; some allow slicing and dicing of encryption statistics at higher levels, some are parameterized queries for detail at the lowest level

Excel 2007 Ad hoc reporting for program decisions

BI for Risk ManagementRisk Management TodayHow BI fits into Defense-in-DepthBI Solutions for Risk Management

Risk Management TodayRisk Assessment

Risk MitigationMight be tied to one or more risks, but each effort is tracked and measured with different data, rarely integrated

Risk AcceptanceAccepted as a low risk, but almost never measured or

validated after the acceptance decision

Risk = Likelihood*Impact

-OR-

LatherRinse

Repeat

BI for Defense-in-DepthPreventive controls like access control or authorization processes do a good job of only allowing access based on business needYou have to balance restricted access with the overhead of controlling it. Preventive controls can be

Cost ineffective if you lock down access too muchRisk ineffective you lock down access too little

BI can be a solid detective control to complement preventive controls.Lower risk while keeping cost in the “sweet spot”Offers additional protection because is not based on business need

Builds a new business case for Log Analysis

BI for Risk ManagementHow do we get from high, medium, and low to a realistic picture of risk?

BI is a natural fit for replacing high, medium, and low with percentages and numbersA multidimensional model enables us to look across multiple risks

How do we measure Security ROI, compare how much we spent with how much we reduced the risk?

Slicing measures by time gives a picture of risk before and after a control went into placeKPI Trends are an added way for management to evaluate ROI

How do we compare different approaches to manage risk without spending the money or effort first?

Data warehouses that integrate many sources of security data help us compare competing effects of mitigation effortsScenario dimensions and data mining can be used for advanced analytics

Doing it at Your CompanyMaintaining data quality can be a big challenge

Build in audit, logging, and reporting into your ETL packagesBudget for the appropriate level of support

Develop Security BI as a hybrid skill setBuild security and RM skills in BI developersBuild BI knowledge and skills in security staff

Value MDX and Data Mining as core skills - some problems can only be solved with these toolsStart with one business problem and build on that success

Q&A

Resources

CERT Insider Threat Research

Risk ManagementMicrosoft Security Risk Management GuideNIST 800-30: Risk Management Guide for Information Technology Systems

Related Content

Breakout SessionsBIE01-INT | Microsoft SQL Server Analysis Services Consolidation Best Practices and ConsiderationsBIE02-INT | Microsoft SQL Server Analysis Services Dimension Management with Master Data Services (MDS)

Product Demo StationsOffice 2010 Power Pivot; Business Intelligence – Intel BoothProtecting IP at Intel with MS BI – Intel Booth

Product Demo StationsBIE06-HOL | Microsoft SQL Server Integration Services: Logging and Errror Handling

Resources

www.microsoft.com/teched

Sessions On-Demand & Community Microsoft Certification & Training Resources

Resources for IT Professionals Resources for Developers

www.microsoft.com/learning

http://microsoft.com/technet http://microsoft.com/msdn

Learning

Complete an evaluation on CommNet and enter to win!

Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st

http://northamerica.msteched.com/registration

You can also register at the

North America 2011 kiosk located at registrationJoin us in Atlanta next year

© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to

be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.