4. SECURITY SCIENCE
Big Data?
Over-used buzzword.
Doug Laney defined the 3Vs in 2001
Gartner promoted the 3Vs in 2012
[Figure: Google Trends, “Big Data” search interest over time]
The 3Vs: Volume, Velocity, Variety (later extended with Value and Veracity)
5. SECURITY SCIENCE
Big Data Disciplines
More useful to break Big Data down by activities you actually do:
• Data-Driven Management: Decision Making
• Data Science: Analytics, Sense-Making
• Data Engineering: Technology, Nuts and Bolts
6. SECURITY SCIENCE
Data Lakes & CoEs
The data lake, an enterprise-wide Big Data platform, is emerging in large scale businesses.
• Concentration of data
• Concentration of technology
Tends to be associated with Big Data “Centres of Excellence”.
• Concentration of Data Engineering skills
• Concentration of Data Science skills
• The CoEs are often hunting for well-defined early adopter Use Cases to prove their value.
• The Data Lakes provide unexpected opportunities for ‘data enrichment’ across organisational boundaries.
7. SECURITY SCIENCE
Why Big Data for Cyber Security?
Cyber Security is increasingly a data problem.
We are collecting, processing and analysing more and more data in order to address the threat landscape.
Network Monitoring using SIEM:
• Known threat indicators
• Indicator-targeted subsets of monitoring data
• Assumes in advance what the risk is
• Near real-time analysis with limited memory
8. SECURITY SCIENCE
What are the main Cyber Security use cases for Big Data?
Early adoption, provable ROI, vendor can develop a PoC without a customer
Network Behavioural Analytics:
• Probable matches to likely/possible threat methods
• All the monitoring data over a longer period of time
• Retroactive analysis using intelligence feeds
• Combining internal and external data sources
Data-enabled Investigation:
• More context and more data to investigate
• Single screen analysis
• Faster automated tooling for entity resolution and event resolution
• Variety of visualisations available, timeline visualisation especially key
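As an added illustration (not from the slide deck), retroactive analysis in the sense used above: a constructed proxy log extract held in the data lake (internal data) is matched against a constructed intelligence feed (external data) that arrived after the traffic happened, so hits that predate the indicator's publication, which real-time SIEM matching cannot see, are flagged. The log format, hosts, addresses and dates are all made up.

```python
import re
from datetime import datetime

# Constructed proxy log extract (internal data) retained for months in the
# data lake rather than the short real-time SIEM window.
PROXY_LOG = """\
2016-02-01T09:12:03Z src=10.0.1.15 host=updates.example.com status=200
2016-02-03T22:41:55Z src=10.0.1.22 host=cdn-files.example.net status=200
2016-02-10T02:07:19Z src=10.0.1.22 host=bad.example.org status=200
2016-03-04T11:30:00Z src=10.0.1.15 host=bad.example.org status=200
"""
# Constructed intelligence feed (external data): indicator -> date published.
# The indicator was published AFTER the first contact with it occurred.
INTEL_FEED = {"bad.example.org": "2016-03-01"}

LINE = re.compile(r"^(\S+) src=(\S+) host=(\S+) status=(\d+)$")

def parse(log):
    """Yield (timestamp, source address, destination host) per log line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts, src, host, _status = m.groups()
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, host

def retroactive_hits(log, feed):
    """Match stored traffic against the feed; before_intel marks events that
    happened before the indicator existed, i.e. only a replay can find them."""
    hits = []
    for ts, src, host in parse(log):
        if host in feed:
            published = datetime.strptime(feed[host], "%Y-%m-%d")
            hits.append({"when": ts.isoformat(), "src": src,
                         "indicator": host, "before_intel": ts < published})
    return hits

if __name__ == "__main__":
    for hit in retroactive_hits(PROXY_LOG, INTEL_FEED):
        print(hit)
```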
9. SECURITY SCIENCE
What is a Big Data Security Analytics Capability?
Tools
• Hardware and software components
• Configuration and utilization of solution components
People
• Skills of people involved
• Engagement of necessary stakeholders
• Training available
Process
• Essential processes for solution to work
• Includes management of tools, knowledge, intelligence and people
Data Sources
• The raw data from a variety of tools across the environment.
• Includes sensors, security alerts and log files.
Intelligence
• Data that provides the necessary context to enrich, interpret and prioritize analytic results
Knowledge
• The goal of the data analysis, which is both delivered to stakeholders and better informs further questions of the data
10. SECURITY SCIENCE
What does a Big Data Security Analytics solution look like?
11. SECURITY SCIENCE
How does the Security Analytics team fit into an existing Security Team?
13. SECURITY SCIENCE
What is Situational Awareness?
Large body of academic work
A variety of different processual vs cognitive models suggested
Warning! The science is not robust in this area.
Dr Mica Endsley described the popular three stage model in 1995
Correlation with John Boyd's OODA Loop.
SITUATIONAL AWARENESS: PERCEIVE → UNDERSTAND → PREDICT
14. SECURITY SCIENCE
How does Situational Awareness fit into Cyber Security?
[Figure: OPERATIONAL CYBER SECURITY as OBSERVE → ORIENTATE → DECIDE → ACT; SITUATIONAL AWARENESS; roles: OPERATORS, HUNTERS, RESPONDERS, RESOLVERS; AUTOMATION?]
15. SECURITY SCIENCE
How does Situational Awareness fit into Security Management?
[Figure: SECURITY MANAGEMENT as PLAN → DO → CHECK → ACT; stages: STUDY SITUATION, SET GOALS, PLAN ACTIVITIES, MEASURE SUCCESS, STUDY RESULTS, IMPROVE & STANDARDISE, DELIVER ACTIVITIES; SITUATIONAL AWARENESS; SITUATIONAL AWARENESS AUTOMATION?]
17. SECURITY SCIENCE
Why Data-Driven Security Management?
“The dearth of metrics and decision-making tools places the determination of Information Security risk to the enterprise on the judgment of IT security practitioners.” INFOSEC Research Council
“At present, the practice of measuring security is very ad-hoc. Many of the processes for measurement and metric selection are mostly or completely subjective or procedural.” Department of Homeland Security
Most security decisions are made in the absence of good data.
Best/Good Practice is “cargo cult security”.
18. SECURITY SCIENCE
Low Hanging Fruit – Quantitative Security Management
Mixed Data Sources, Visualisation, Sets of Questions, Summary Statistics
Trend Analysis, Security Posture, Perimeter View, Operational KPIs, Controls Performance
A good indicator is large Excel sheets with complex pivot tables
Vulnerability Management:
• Multiple data sources; vuln scanners or probes, hardware inventory, CMDB, patch servers, SOC monitoring, external information feeds
• Multiple clear questions.
• Candidate for Question-Focused Dataset
Executive Dashboard:
• Multiple data sources; risk register, project plans, incident reports, SOC feed, audit reports
• Multiple stakeholders with distinct interests
• Candidate for Interactive Visualisation
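As an added illustration (not from the slide deck), a question-focused dataset for the Vulnerability Management case above: constructed extracts from a scanner, a CMDB and a patch server are joined into one flat table, and the fixed set of questions the dataset exists to answer is computed from it, including the inventory gap that a pivot table over one source cannot show. Host names, vulnerability ids, owners and dates are all made up.

```python
from collections import Counter
from datetime import date

# Constructed source extracts (not real data).
SCANNER = [  # (host, vulnerability id placeholder, severity)
    ("web01", "VULN-A", "critical"),
    ("web01", "VULN-B", "high"),
    ("db02", "VULN-C", "critical"),
    ("hr03", "VULN-D", "medium"),
    ("web04", "VULN-A", "critical"),  # absent from the CMDB: an inventory gap
]
CMDB = {  # host -> (business owner, internet-facing?)
    "web01": ("Sales", True),
    "db02": ("Finance", False),
    "hr03": ("HR", False),
}
PATCHES = {  # host -> date of last successful patch run
    "web01": date(2016, 1, 5),
    "db02": date(2016, 3, 1),
    "hr03": date(2016, 3, 1),
}

def build_dataset(scanner, cmdb, patches, today):
    """Join the three extracts into one row per finding, keeping unmatched hosts."""
    rows = []
    for host, vuln, sev in scanner:
        owner, exposed = cmdb.get(host, ("UNKNOWN", None))
        last = patches.get(host)
        age = (today - last).days if last else None
        rows.append({"host": host, "vuln": vuln, "severity": sev,
                     "owner": owner, "exposed": exposed, "patch_age": age})
    return rows

def answer_questions(rows, max_patch_age=30):
    """The fixed questions this dataset is built to answer."""
    crit = [r for r in rows if r["severity"] == "critical"]
    stale = [r for r in crit if r["patch_age"] is None or r["patch_age"] > max_patch_age]
    return {
        "critical_on_exposed_hosts": sorted({r["host"] for r in crit if r["exposed"]}),
        "critical_and_stale_patching": sorted({r["host"] for r in stale}),
        "critical_by_owner": dict(Counter(r["owner"] for r in crit)),
        "hosts_missing_from_cmdb": sorted({r["host"] for r in rows if r["owner"] == "UNKNOWN"}),
    }

def run_report(today=date(2016, 3, 10)):
    return answer_questions(build_dataset(SCANNER, CMDB, PATCHES, today))

if __name__ == "__main__":
    for question, answer in run_report().items():
        print(question, answer)
```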
19. SECURITY SCIENCE
Big Data Security Analytics Opportunities
Once the Cyber use cases have been implemented there are opportunities to operationalise and potentially automate some aspects of security management activities
Risky Staff Behaviour:
• Continuous monitoring, not just an annual phishing exercise
• Enrich with HR data
• Report on trends and effectiveness of awareness programs and training events
• Targeted training
Automated Incident Response:
• Pre-Approved Change Controls at agreed risk thresholds
• Firewall, network and server configuration changes
• Increased targeted monitoring
• Distribution of IOCs to multiple endpoints
20. SECURITY SCIENCE
The Future - Hypothesis-Driven Security Management
Experiments to identify the effectiveness of security activities and controls in your environment
Multiple iterations following the Deming cycle
Replace Best/Good Practice with the Right Practice for You
Key skills:
1. Forming a useful, practical and measurable hypothesis
2. Achieving executive support for management experimentation
3. Understanding and applying the results to the business
• Some of these are Data Scientist skills, some are CISO skills.
• The CISO of the future will need to understand how to talk to Data Scientists productively!
21.
Conclusion
There are no silver bullets!
We will still need humans in the loop but automation will allow us to do more with less
Build open cyber big data analytics platforms
Invest in analytics skills now
Security is transforming from a subjective art to a data and automation discipline