A Force-Multiplier for your Analysts
The Cybersecurity "Big Data" Problem (pyramid graphic: Wisdom; Operational Cybersecurity Knowledge; Structured Cybersecurity Information; Cybers...)
DarkLight™ - Human-quality analytics, at scale
Fuses data from disparate intelligence sources
Unifies network sensors + th...
DarkLight Reference Model (diagram labels: Alerts; Events; Adversarial Knowledge; Threat Intelligence - Internal/External Feeds; Incident Respo...)
► Results
• Improved ROI: Doing more with 30% fewer analysts by reducing false positive alerts
• Improved Situational Awar...
Product Walkthrough
DarkLight PROs (Programmable Reasoning Objects) analyzing data
Once data is ingested into DarkLight, the Programmable Reas...
Results: Summary and Graph View
Several views work together to provide the full picture about a single event. The Working ...
Graph View of Event with full attribution
In this example, DarkLight correlates a FireEye event with a vulnerable host, at...
DarkLight Event Orchestration
PROs do the heavy lifting to reason and analyze, saving time
…and based on the results, can ...
Semantic Technology 101
• Semantic Graph Databases
• Description Logic Reasoners
Graph Databases – Big Data
• A graph is a data structure
• A graph holds data
• Schema (ontologies)
• Facts (assertions)
K...
Automated Reasoning
• Also known as an Inference Engine
• DARKLIGHT is a framework for supporting multiple reasoners
• Eac...
Old Ineffective Method:
• Read all facts into a single monolithic graph
• Manage the logical consistency of the large grap...
Our Innovative Method:
• Read all facts into a single monolithic graph
• Manage the logical consistency of small subgraphs...
Hierarchy of PROs (diagram labels: Contextual Memory Graphs; DARKLIGHT Configuration; Working Memory (Main Semantic Graph); Known Facts; Known ...)
The PRO Lifecycle (diagram: Contextual Memory, Working Memory, PRO Memory): 1. Trigger, 2. Collect, 3. Reason, 4. Publish, 5. Clear
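The five-step lifecycle above (Trigger, Collect, Reason, Publish, Clear) worked through as a small Python example; this is an added illustration, not DarkLight's code or its PRO API. It implements the false-positive-reduction use from these slides (an alert correlated with whether the host is actually vulnerable): working memory is a set of subject/predicate/object triples, collect copies only the triples within two hops of the alert's host and signature into a contextual subgraph, reason applies its rules to that subgraph alone, and publish writes the derived verdict back into working memory. Every host, software version, vulnerability label and signature name below is constructed for the example.

```python
from collections import deque

# Working memory, the main semantic graph, as (subject, predicate, object)
# triples. Hosts, software, vulnerability labels and signatures are all
# constructed for this example.
WORKING_MEMORY = {
    ("host:web01", "runs", "sw:ssl-lib-1.0"),
    ("host:web01", "criticality", "high"),
    ("host:web01", "patched_against", "vuln:B"),
    ("host:db02", "runs", "sw:ssl-lib-1.1"),
    ("host:db02", "criticality", "medium"),
    ("sw:ssl-lib-1.0", "vulnerable_to", "vuln:A"),
    ("sw:ssl-lib-1.0", "vulnerable_to", "vuln:B"),
    ("sig:exploit-A", "targets", "vuln:A"),
    ("sig:exploit-B", "targets", "vuln:B"),
}

# Constructed sensor alerts: each one is a trigger for the PRO.
ALERTS = [
    {"id": "alert-1", "host": "host:web01", "signature": "sig:exploit-A"},
    {"id": "alert-2", "host": "host:db02", "signature": "sig:exploit-A"},
    {"id": "alert-3", "host": "host:web01", "signature": "sig:exploit-B"},
]


def collect(graph, seeds, hops=2):
    """Step 2, collect: build the contextual memory, i.e. only the triples
    within `hops` of the seed nodes, instead of reasoning over the whole graph."""
    context, seen = set(), set(seeds)
    frontier = deque((s, 0) for s in seeds)
    while frontier:
        node, depth = frontier.popleft()
        if depth == hops:
            continue
        for triple in graph:
            if node not in (triple[0], triple[2]):
                continue
            context.add(triple)
            other = triple[2] if triple[0] == node else triple[0]
            if other not in seen:
                seen.add(other)
                frontier.append((other, depth + 1))
    return context


def reason(context, alert):
    """Step 3, reason: rules evaluated against the contextual subgraph only.
    An alert is a true positive when the signature targets a vulnerability
    present in software the host runs and the host is not patched for it."""
    def objects(subject, predicate):
        return {o for (s, p, o) in context if s == subject and p == predicate}

    aid, host, sig = alert["id"], alert["host"], alert["signature"]
    targeted = objects(sig, "targets")
    exposed = set()
    for software in objects(host, "runs"):
        exposed |= objects(software, "vulnerable_to")
    if not targeted & exposed:
        return {(aid, "verdict", "false_positive"), (aid, "reason", "software_not_exposed")}
    live = (targeted & exposed) - objects(host, "patched_against")
    if not live:
        return {(aid, "verdict", "false_positive"), (aid, "reason", "host_patched")}
    priority = next(iter(objects(host, "criticality")), "unknown")
    return {(aid, "verdict", "true_positive"),
            (aid, "priority", priority),
            (aid, "exploits", sorted(live)[0])}


def run_pro(alert, graph=WORKING_MEMORY):
    """One PRO lifecycle for one triggering alert; returns the derived facts."""
    # 1. Trigger: the alert itself.
    context = collect(graph, [alert["host"], alert["signature"]])  # 2. Collect
    derived = reason(context, alert)                               # 3. Reason
    graph |= derived                                               # 4. Publish
    context.clear()                                                # 5. Clear
    return derived


def verdict(alert_id, graph=WORKING_MEMORY):
    """Read a published verdict back out of working memory."""
    return next((o for (s, p, o) in graph if s == alert_id and p == "verdict"), None)


if __name__ == "__main__":
    for alert in ALERTS:
        print(alert["id"], sorted(run_pro(alert)))
```

The point of the two-hop collect step is that the rules never scan the full working memory: a second alert against a different host gets its own small subgraph, and facts published by earlier PROs (the verdict triples) are available to later ones without the whole graph having to be re-checked for consistency.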
DarkLight PROs in Use: False-Positive Reduction; Insider Threat Alerts; Data Enrichment & Enhancement; Data Exfiltration; Suspi...
DarkLight - Description
• DarkLight is the only patented system that embraces the human decision making process and knowle...
Applying DarkLight PROs to Detect Insider Threat
• By representing common sense knowledge from the cybersecurity community...
Ontologies and Threat detection
• Thought leaders at the CERT Insider Threat Center at Carnegie Mellon's Software Engineeri...
Applying DarkLight PROs to Detect Insider Threat
Examples of Insider Threat PROs:
• Track group membership over time
• Dete...
Superior performance through reasoning
• DarkLight approaches the Cyber Security problem by allowing analysts to explicitl...
Operationalizing the ITIO
• You can put CERT's ITIO (as well as models like STIX, CybOX, OpenIOC and others) to work today ...
Next Steps – when do we start ?
Thank you for your attention!
Cyber Liability - Insurance Risk Management and Preparation
See how Adaptive Solutions is delivering leading cyber risk management solutions through its strategic alliance with Willis Towers Watson and Darklight Technologies.

1. Cyber Liability Insurance: A proactive approach to managing risk. A NEW SAAS MODEL TO ADDRESS CYBER INSURANCE RISK MANAGEMENT FROM ADAPTIVE SOLUTIONS
2. Our Presentation on Cyber Risk • The Adaptive Solutions SaaS model in strategic alliance with Willis Towers Watson • The Cyber Risk Insurance Market - background and current state • Cyber Attacks… some current statistics • Preparation of the “To Be” State: The Adaptive Cyber Security SaaS Platform • DarkLight – enhanced cyber security effectiveness through ontology driven machine learning
3. SaaS based cyber liability risk management • Adaptive Solutions LLC has announced a new cyber risk management program for enterprise class clients • Working with Willis Towers Watson, the largest broker of cyber insurance in the US, we will develop programs for both insured and insurer • Our solution will let you visualize data governance, lineage, traceability, retention, and management throughout your organization with the Adaptive Metadata Management™ suite • We will improve the effectiveness of cyber security efforts through analysis, deconstruction and prediction of cyber attacks with our strategic partner DarkLight™ • These tools will better address the challenges of your operating environment with targeted savings in insurance premium through Willis • We will provide post-attack analysis for leading insurance carriers and proactively prepare digital assets to better withstand and recover from cyber attacks and further reduce expense
4. Key elements of the Adaptive SaaS offering – what is involved ? • Adaptive Metadata Manager, highest risk business unit first • DarkLight Cybersecurity • Implementation by Adaptive Solutions and Meta Informatics • In partnership with Willis Towers Watson to design and deliver actual insurance products with demonstrable effectiveness for insurance carriers AND clients
5. The Cyber Risk Insurance Market - background and current state
6. A quick background on the pervasive nature of Cyber Risk • Cyber attacks are a constant threat to businesses around the world, with vast sums of money being spent to protect against them. • While in 2015, 40 percent of attacks stemmed from ‘outsiders’, a surprising 60 percent were actually perpetrated by company insiders. • IBM, who produced the figures based on information from over 8,000 of their clients' devices, revealed that although 15.5 percent of such ‘attacks’ were caused inadvertently, 44.5 percent were deemed to have been malicious. • An insider is defined as anyone who has physical or remote access to a company’s assets. IBM noted that although this would often be an employee, it can also mean business partners or maintenance contractors – people you trust enough to grant system access to. • Insiders not only have this access, they may also be aware of your weaknesses and thus exploit them more effectively than an outside agent might be able to.
7. Cyber Risk Coverage – Market Players • U.S. insurers are cautiously underwriting cyber coverage • The biggest challenge is to understand the true nature of the underlying risk • While there are about 50 insurers that are writing some cyber coverage, the market is dominated by five underwriters: • Ace Ltd. • American International Group Inc. • Beazley P.L.C. • Chubb Corp. • Zurich Insurance Group Ltd.
8. Cyber Risk Insurance Market – Background • Cyber coverage represents a significant area of opportunity for underwriters • Some analysts predict that the size of the cyber insurance market will grow to $10 billion in the next five to 10 years • Although this market is immature at the moment, there is still value to be found if insurers properly underwrite risk • Currently, cyber coverage is predominantly written on a claims-made basis and primarily covers third-party liability in the United States • About 90% of the premium volume for cyber — estimated by Lloyd's of London to be $2.5 billion in 2014 — covers U.S. risks • The market will increasingly demand tools to mitigate risk and manage claims adjustment expenses post attack
9. The Cyber Risk Insurance Market • Cyber insurance has emerged as a response to the growing number of data breaches worldwide and the extent of damage that they cause to businesses. Data breaches are perceived as one of the leading risks to businesses as, among other factors, they can have a huge influence on company earnings. • In the United States, the average cost of cyber crime amounted to 12.69 million U.S. dollars in 2014. As well as financial costs, cyber crime has a negative impact on employee morale, business reputation and relations with clients. It is not surprising, then, that companies have started to look for ways of protecting themselves against cyber threats.
10. Cyber Insurance Market – current state • In 2014, 54 percent of global companies were insured against loss of income due to data breach, while more than half of the companies without cyber liability insurance considered purchasing it. • The share of businesses with cyber insurance worldwide increased with company revenue. Only 3.8 percent of companies with revenues lower than 2.5 million U.S. dollars owned cyber insurance. • Among companies with revenues exceeding five billion U.S. dollars, this number was equal to 25.9 percent.
11. Cyber Insurance Market - current state • In the United States, 33 percent of companies owned cyber liability insurance in 2014. In that year, the U.S. industry sector with the highest share of companies purchasing the insurance was the financial services sector. • The average limit of cyber liability insurance purchased by the U.S. financial institutions sector amounted to 23.5 million U.S. dollars. More than 82 percent of U.S. companies reported that they were able to buy cyber insurance that met their needs in 2014. • The companies not protected by cyber insurance cited a lack of insurance fitting their needs on the market, as well as low policy limits or too high costs, as the reason for their lack of protection.
12. Cyber Insurance - Challenges • S&P said that cyber risk presents a “unique challenge” for underwriters because neither frequency nor severity is predictable. • Reliable actuarial data is also unavailable. • “Metrics for cyber risk also are in the early stages of development, and probabilistic models pose high levels of uncertainty, mostly because of the unpredictable human behaviors associated with cyber attacks,” the report said. • Other challenges for underwriters include limited and insufficient disclosures about cyber attacks, the report said.
13. Cyber Attacks… some current statistics
14. Statistics and facts about businesses and cyber crime in the U.S. • According to the IC3, the monetary damage caused by reported cyber crime in 2014 amounted to more than 800 million U.S. dollars. • That year, the U.S. state with the highest amount of losses was California with over 131 million U.S. dollars in reported cyber crime damages. • The average cost of a company-directed cyber crime attack in the United States was 15.42 million U.S. dollars. • Depending on the type of attack, industry figures estimate that resolving a cyber attack on a company can take up to 62.7 days. • The most common types of cyber attacks experienced by U.S. companies as of August 2015 were viruses and malware. • According to a 2015 survey of U.S. companies, the most widely deployed cyber security controls were advanced perimeter controls, firewall technologies, and extensive usage of encryption technologies.
15. Statistics and facts about businesses and cyber crime in the U.S. • Despite these efforts to protect the company from outside cyber attacks, there are many employee activities that render a company vulnerable, such as mobile device usage or remote work access. • Other obstacles to implementing more robust cyber security solutions for businesses are the lack of funds as well as the lack of clarity regarding best practice. • Overall, 42 percent of SMB owners in the United States regarded cyber security expenditure as a cost of business, with 36 percent of IT security layer spending being directed towards the network layer. • Furthermore, 27 percent of internal costs due to cyber crime were allocated towards detection.
16. Total Cost of Cyber Crime. The statistic shows the amount of damages caused by cyber crime reported to the IC3 from 2001 to 2015. In the last reported period, the annual losses in complaints referred to the IC3 amounted to 1.07 billion U.S. dollars, up from 781.84 million U.S. dollars in 2013. In 2014, the United States accounted for 83.96 percent of complainant losses. No data is available on reported cyber crime losses in 2010. The numbers refer to internet crimes reported to the governmental Internet Crime Complaint Center. Methodology of evaluating loss amounts: FBI IC3 Unit staff reviewed for validity all complaints that reported a loss of more than $100,000. Analysts also converted losses reported in foreign currencies to dollars. All reported losses above $100,000 for which the complaint information did not support the loss amount were excluded from the statistics.
17. Type of Cybercrime and Loss. This statistic presents the types of cyber crime with the highest amount of victim losses in 2015. During the reported period, online confidence fraud accounted for 203.39 million U.S. dollars in reported victim losses. In 2014, the United States accounted for 83.96 percent of complainant losses.
18. Types of Cyber Attacks. This statistic shows the types of cyber crime attacks most commonly experienced by companies in the United States. During a 2015 survey of 58 U.S. companies, it was found that 97 percent of respondents had experienced malware attacks. The most common types of attacks were viruses, worms and trojans.
19. Average cost of a breach. The statistic shows the average organizational cost to business in the United States after a data breach. In 2016, the average cost to businesses affected by a data breach in the United States amounted to 7.01 million U.S. dollars. Total breach costs include: lost business resulting from diminished trust or confidence of customers; costs related to detection, escalation, and notification of the breach; and ex-post response activities, such as credit report monitoring.
20. Average annual costs related to Cyber Attacks - by Industry. This statistic shows the average annualized costs caused by cyber crimes in the United States as of August 2015, sorted by affected industry sector. That year, cyber crime caused an average annualized loss of 16.45 million U.S. dollars in the technology sector.
21. Cybercrime Loss Given a Successful Attack. This statistic shows the estimated damage a successful cyber attack will cost a U.S. business. In 2015, the maximum total annualized cost of cyber crime committed against U.S. companies amounted to 65.05 million U.S. dollars.
22. Number of days to resolve a Cyber Attack. This statistic shows the average number of days necessary to resolve a cyber attack in U.S. companies as of August 2015, sorted by type of attack. That year, U.S. companies needed an average of 41.3 days to resolve web-based attacks.
23. IT Environments and Cyber Attacks. This statistic gives information on the IT environments targeted by cyber attacks worldwide in 2015, sorted by industry. During the survey period, it was found that 34 percent of cyber attacks aimed at the professional service industry were targeted at corporate or internal network environments.
24. Largest Data Breaches revealed to-date
25. What do these statistics tell us about the evolution of Cyber Threats ? • Threats posed by internal actors are the most significant; in Finance and Insurance, this is effectively 100% of the source of cyber risk • E-Commerce is the largest threat to retail and travel; Point of Sale fraud is largest for Food & Beverage • Data breaches are increasing in size and number of affected parties • Time to Resolution has improved, highlighting industry education and prevention • The most damaging attacks remain internal • Preparation is the best policy • So how to prepare ?
26. Preparation of the “To Be” State: The Adaptive Cyber Security SaaS Platform
27. How does Adaptive Solutions propose to revolutionize Cyber Liability Underwriting? “As Is” State: • Rudimentary underwriting • Lack of defined risk metrics • No means of identifying affected data • No traceability or lineage for post-breach analysis and remediation. Transform the approach: • Identify and measure against key metrics impacting risk • Use preventative and analytical tools to understand the depth of an event and remediate/repair • Create a “data inventory” which catalogues both data and lineage. “To Be” State: • Inventory of key data assets and traceability/lineage for breach analysis • More effective cyber security infrastructure • “Learning” bots to assist with the volume of attacks
28. Cyber Liability Insurance – Underwriting Considerations • What EXACTLY is being protected ? Or what exactly was affected by the breach ? • What are the key underwriting metrics ? • How is the risk priced ? How is this determined ? • What are typical policy exclusions ? Retention ? • What are typical loss scenarios ? Recovery scenarios ? This all needs to be discussed, documented, and linked to technology that offers actionable solutions
29. The End State must specifically address the Threat Matrix • External actor • Access through a vendor • Through ISP • Through DNS/Brute Force • Internal actor • Disgruntled employee • Actively placed sleeper mole • Internal incompetence (like passwords in a desktop folder labeled “Passwords” – Come on man !) • Things in Common • Major Losses • Lasting Damage
IMPACT MATRIX
                                           External to Firewall   Internal to Firewall
Malicious Insiders                                  82                     95
Malicious Code                                      76                     89
Web based attacks; phishing; email fraud            92                     84
30. “To Be” State - Cyber Risk Management with the Adaptive Repository (architecture diagram). Diagram labels: Manta; Adaptive Library; Data Model; Databases; Messages; Event Logs; Big Data; Enterprise Database; Orchestration; Transform; Business Glossary; Metric Glossary; BI Objects; Data Objects; Analytic Software; Reports; BI Tools; Business Logic Model; Data Logic Model; Physical Model; Business Verticals; NoMagic; Data Object; ETL; Metrics; Business Process Model; Terms; Business Concepts; Integration Process; People; Data Quality; Applications; Business Engagement Model; DarkLight Environment.
31. How does it work ? • We combine the disciplines of robust data governance and cyber security through the application of world class technology • Catalogue the key data assets by business unit and function • Inventory the data assets, establish lineage and relation • Implement an integrated cyber security solution • Our solution lets you understand the key risk metrics BEFORE the risk is assumed • How stable and “orderly” is the client data environment ? Data quality ? Points of access ? You had better know before you bind the risk… • How do we do that ? Adaptive for lineage, governance, security, permissioning, versioning, and data tracing; DarkLight for cybersecurity enhancement
32. Cyber Liability Insurance – Pre-SaaS Underwriting Review • Understand the data environment • By Business Unit • By Data Source • Understand the network environment • Number of IP and email addresses • Web sites • IoT access • Create enterprise data lineage and traceability to establish a base case and identify data quality, loss, and retention issues • Catalogue the data assets being protected and identify the key stakeholders of each • Integrate the DarkLight cyber solution with the Adaptive Metadata Platform to enhance cybersecurity • Integrate the underwriting review to prepare the SaaS solution for the specific client
33. Key elements of the Cyber Risk Management with the SaaS model (architecture diagram). Platform: Cloud Services; Big Data Platform; Metadata Connector (ODBC, RESTful, Custom SDK); Security; Semantic Layer; Templates; Data Store; Scheduler. Templates: DG Maturity, DM Compliance, DQ Maturity, DA Maturity, DG Ownership. Data Landscape (* build a customized UI by enhancing Adaptive’s UI Templates). SaaS “Hosted” Client’s Data Landscape: Data Factory, Hosted Solution, Existing DF, Client’s Virtual Data Excellence. Internal Users: Data Stewards, Data Owners, CDO, CIO. Reports: Scheduled Reports, Monthly DQ/DG Snapshots, Monthly Data Compliance, Alerts & Notifications, On Demand Reports. Functional Data Architecture Supported: Data Modeling, Data Governance, Data Quality, Production Support. Parties (numbered 1 to 5 in the diagram): Client, Service Provider Onsite, Service Provider Offsite, Data Owners, Business Analyst, Data Analysts.
34. Legacy systems and cyber risk management • Legacy systems pose a unique risk to an organization • Failure to migrate to modern platforms complicates risk management and recovery post attack • Most firms delay migration due to the Three P’s: • pain, personnel, and price… • We greatly reduce the Three P’s in legacy migration and management with automated data discovery and documentation tools • We offer this on a SaaS basis using open standards
35. Data governance and lineage tracing – A live client example
36. Bank Client – establishing data governance and lineage with huge amounts of data • The technical truth of architecture and data flow within a large organization is nearly impossible to understand for any user without technical experience. • We automatically scan the data flow to identify all of these objects and links. Because programs, procedures and scripts refer to exactly these technical objects, this can create huge complexity in the metadata repository. • For example, one Client’s Group Business Intelligence Repository holds over 320,000 tables, columns, views, entities, attributes, report fields and dimensions. • Approximately 10% are interesting from a business view. The others are used for the layer concept, architecture principles, compliance, performance, interfaces etc. When scanning the raw technical data automatically to generate data models and data lineage, one very important aspect is how to manage the complexity for different users, and how that data is presented.
37. Post-intrusion data analysis... In this example, assume for a moment you’ve been hacked… and you need to identify all the affected data. In this Client case, a search for affected data elements with the name “customer” returns 45,315 results (across all object types). The impact across an organization can be daunting, and it is difficult to track down all of the affected data.
38. Presentation Layer / Search Results II: filtering to Relational.Column reduces the hits to 8,243
39. Presentation Layer / Search Results III: classification “Data Store” equal to Group Data Pool reduces to 524
40. Presentation Layer / Search Results IV: classification “Table Layer” equal to Business Data reduces to 123… now it’s manageable
41. Presentation Layer / Classifications. How to manually classify, track and trace lineage for > 300,000 objects? You can’t… The “Rules Engine” can inherit classifications via the CWM connection, for example:
Type: Relational.Schema, Name: LDDAPPL, Data Store: LDD
Type: Relational.View, Name: ALL_CUST, Data Store: LDD, Table layer: LDD Views
Type: Relational.Column, Name: id_customer, Data Store: LDD, Table layer: LDD Views
Type: Relational.Column, Name: short_name, Data Store: LDD, Table layer: LDD Views
42. Presentation Layer - Virtual business layers for lineage. Although restrictions for data flow are defined, lineage can become very big and complex. The goal is to automate the lineage tracing process and narrow the presentation to maximize effectiveness.
43. Zoom of Lineage. Tracing lineage can become overwhelming – the majority of expense post cyber attack is identifying and tracing affected data…
44. Managing the Presentation Layer / Virtual business layers for lineage. Adaptive uses smart algorithms to traverse the lineage and pick only defined columns to show them in a textual view: “Column is derived from CEE IF Fields”. Rules can be based on classification, owning schema or owning table. Rules allow the user to define and manage their data environment from top to bottom.
45. Investigation one – identify the affected data. 1. Locate the desired data element (in this case, a COGNOS field) 2. Display the reverse lineage 3. Identify the source field 4. Investigate single transformation steps further, if needed. This allows the client to manage the complexity and volume of the data environment.
46. Investigation two – establish and understand the lineage. Source code: the insert statement at the given line number. Lineage SVG graphic. Self-made “PLSQL” object view of the column; the PLSQL object view gives the line number.
47. Investigation three: repeat for the other 3 targeted fields.
48. Investigating the interconnection of the target data element. This graphic shows the lineage of just one of these data source columns in Reporting. Failing to understand internal data lineage is not a good idea. Our SaaS solution will link data to business terms and concepts to trace data. Post cyber attack, this is the major driver of expense in post-attack investigation, management and remediation.
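The progressive narrowing on slides 37 to 40 (name search, then object type, then data-store and table-layer classifications) and the reverse-lineage investigation on slides 45 to 48, as an added Python example that is not Adaptive's code. The tiny repository below is constructed: the object names follow slide 41 (LDDAPPL, ALL_CUST, id_customer, short_name) plus a made-up Group Data Pool schema and a Cognos report field; the rules-engine inheritance of classifications is modelled as a walk up the parent chain, and lineage as a target-to-sources mapping. The hit counts it produces are therefore ours, not the 45,315 / 8,243 / 524 / 123 of the client case.

```python
from collections import deque

# Constructed sample repository: object name -> type, parent and the
# classifications the object carries itself. Names follow the slide
# example (LDD data store); Group Data Pool and the Cognos field are made up.
OBJECTS = {
    "LDDAPPL":                             {"type": "Relational.Schema", "data_store": "LDD"},
    "LDDAPPL.ALL_CUST":                    {"type": "Relational.View", "parent": "LDDAPPL", "table_layer": "LDD Views"},
    "LDDAPPL.ALL_CUST.id_customer":        {"type": "Relational.Column", "parent": "LDDAPPL.ALL_CUST"},
    "LDDAPPL.ALL_CUST.short_name":         {"type": "Relational.Column", "parent": "LDDAPPL.ALL_CUST"},
    "GDP_CORE":                            {"type": "Relational.Schema", "data_store": "Group Data Pool"},
    "GDP_CORE.STG_CUSTOMER":               {"type": "Relational.Table", "parent": "GDP_CORE", "table_layer": "Staging"},
    "GDP_CORE.STG_CUSTOMER.customer_id":   {"type": "Relational.Column", "parent": "GDP_CORE.STG_CUSTOMER"},
    "GDP_CORE.STG_CUSTOMER.customer_name": {"type": "Relational.Column", "parent": "GDP_CORE.STG_CUSTOMER"},
    "GDP_CORE.CUSTOMER":                   {"type": "Relational.Table", "parent": "GDP_CORE", "table_layer": "Business Data"},
    "GDP_CORE.CUSTOMER.customer_id":       {"type": "Relational.Column", "parent": "GDP_CORE.CUSTOMER"},
    "GDP_CORE.CUSTOMER.customer_name":     {"type": "Relational.Column", "parent": "GDP_CORE.CUSTOMER"},
    "Cognos.CustomerReport.Customer":      {"type": "Cognos.Field"},
    "Customer":                            {"type": "Model.Entity"},
}

# Lineage: target object -> the source objects it is derived from
# (constructed ETL / view / report mappings).
DERIVED_FROM = {
    "Cognos.CustomerReport.Customer":      ["GDP_CORE.CUSTOMER.customer_id", "GDP_CORE.CUSTOMER.customer_name"],
    "GDP_CORE.CUSTOMER.customer_id":       ["GDP_CORE.STG_CUSTOMER.customer_id"],
    "GDP_CORE.CUSTOMER.customer_name":     ["GDP_CORE.STG_CUSTOMER.customer_name"],
    "GDP_CORE.STG_CUSTOMER.customer_id":   ["LDDAPPL.ALL_CUST.id_customer"],
    "GDP_CORE.STG_CUSTOMER.customer_name": ["LDDAPPL.ALL_CUST.short_name"],
}


def classification(name, key):
    """Rules-engine style inheritance: an object with no value of its own for
    `key` takes the value of its nearest ancestor (column -> table -> schema)."""
    while name is not None:
        attrs = OBJECTS[name]
        if key in attrs:
            return attrs[key]
        name = attrs.get("parent")
    return None


def search(term, type_=None, **classifications):
    """Name search (on the leaf name, case-insensitive) narrowed by object
    type and by inherited classifications."""
    term = term.lower()
    hits = []
    for name, attrs in OBJECTS.items():
        if term not in name.rsplit(".", 1)[-1].lower():
            continue
        if type_ and attrs["type"] != type_:
            continue
        if all(classification(name, k) == v for k, v in classifications.items()):
            hits.append(name)
    return hits


def narrowing(term):
    """The four narrowing steps from the slides, as hit counts per step."""
    return [
        len(search(term)),
        len(search(term, type_="Relational.Column")),
        len(search(term, type_="Relational.Column", data_store="Group Data Pool")),
        len(search(term, type_="Relational.Column", data_store="Group Data Pool", table_layer="Business Data")),
    ]


def _walk(start, edges):
    """Breadth-first traversal over an adjacency mapping; returns nodes in visit order."""
    seen, queue = [], deque([start])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, []):
            if nxt not in seen:
                seen.append(nxt)
                queue.append(nxt)
    return seen


def reverse_lineage(field):
    """Everything upstream of a report field, plus the source fields: upstream
    objects that are not themselves derived from anything."""
    upstream = _walk(field, DERIVED_FROM)
    sources = [n for n in upstream if n not in DERIVED_FROM]
    return upstream, sources


def affected_by(compromised):
    """Forward lineage: every object fed, directly or indirectly, by a
    compromised source column (the post-intrusion 'what was affected' list)."""
    feeds = {}
    for target, sources in DERIVED_FROM.items():
        for s in sources:
            feeds.setdefault(s, []).append(target)
    return _walk(compromised, feeds)


if __name__ == "__main__":
    print(narrowing("customer"))
    print(reverse_lineage("Cognos.CustomerReport.Customer"))
    print(affected_by("LDDAPPL.ALL_CUST.id_customer"))
```

affected_by() is the slide 37 question asked the other way round: given a source column known to be compromised, which staging tables, business tables and report fields are fed by it. On a real repository the same two traversals run over hundreds of thousands of objects, which is why the slides insist on rule-driven classification rather than manual tagging.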
49. As a result of this work, our Client gained a deeper understanding and tangible simplification of their data lineage. In this example, the Client used Adaptive to link business terms and concepts directly to source data to establish lineage and a governance framework for regulatory compliance and financial reporting. This To Be State allowed them to directly link business concepts and source data, using automated lineage tracing and data governance capabilities.
Report Field | Source Table | Description
B2 - COLL before HC: Resid. Real Estate | S3_EXPOSURE | Basel 2 figure. Collateral value from SAS BEFORE Haircuts (deductions) divided to Exposure-sets; Optimization after recoverability of collateral.
COLL - Market Value allocated: Comm. Real Estate | COAL_COLL_EXP_CRR | Collateral value that considers all collaterals independent of B2 eligibility. Collateral Market Value from SAS; distributed by SAS Coll Type; capped with Exposure.
B2 - COLL: Comm. Real Estate after Haircut | S3_EXPOSURE | Basel 2 figure; Collateral value from SAS AFTER Haircuts (deductions); divided to Exposure-sets; Optimization after recoverability of collateral.
COLL – Accepted Value allocated: Resid. Real Estate | COAL_COLL_EXP_CRR | The distributed collateral acceptable value in the way of the SAS CRR acceptable value algorithm, in EUR.
50. DarkLight Solutions - Enhanced Cybersecurity through ontology-driven Artificial Intelligence
51. AI-Driven Analytics and Automation
Timeline:
- 2009: PNNL funded research
- 2013: Company founded to transfer technology to market
- 2016: Commercial release, deployed in production
Artificial Intelligence based on Semantic Graph Analytics:
- Patented Advanced Reasoning Platform; two granted, several in process
- Proprietary AI engine captures, automates and scales human expertise
- Applicable to cybersecurity, fraud analysis, the global movement of money, etc.
52. Challenges in the Market
Scarcity/high turnover of seasoned cyber analysts:
- Outnumbered and overworked - projected shortfall of 1.5 million analysts by 2019 (1)
- Enterprise knowledge leaves with the analyst – 18 mo. ramp to get "proficient"
Staggering volume of cyber attacks creating a "big data" issue:
- Existing technology investments are underutilized while threats persist
- Staff is "drowning in data"
(1) http://www.csoonline.com/article/2953258/it-careers/cybersecurity-job-market-figures-2015-to-2019-indicate-severe-workforce-shortage.html
53. Challenges in the SOC
- Not enough analysts to address the volume of alerts
- New or junior analysts not productive enough
- Not enough analysts to address the volume of events
- Can't fill open requisitions for Security Analysts
- Knowledge leaves the org when analysts leave
- Too much time spent monitoring rather than responding
- Incident response takes too long
- No centralized process or tools, OR too many tools and not enough coordination between them
- Analysts waste time manually attributing and documenting incident response
- Analysts waste time chasing down false positives
- No analysts dedicated to hunting
- Existing alerts or select security feeds are ignored
- Other – domain specific
54. Drowning in Data vs. DarkLight
Source: "The Cost of Malware Containment," Ponemon Institute, January 2015. Survey of 630 IT / IT security practitioners in the US responsible for detecting, evaluating and/or containing malware infections.
Typical industry experience:
- 17,000 malware alerts received on average by an organization in a typical week
- Only 19% deemed "reliable"; only 4% (705) of alerts investigated; exposed to the risk of the remaining 15%
- WASTED: 395 hours/week due to false positives/false negatives
- LOST VALUE: $25K/week, or $1.27 million/year/org
Customer, deployed in production:
- 100% of alerts examined (n=9500)
- 1,816 additional alerts/wk investigated
- Lowered risk by investigating previously ignored alerts
- Improved IRR and increased utilization of existing security investments
- With 30% fewer staff
55. A Force-Multiplier for your Analysts
56. The Cybersecurity "Big Data" Problem
Pyramid, bottom to top: Cybersecurity Data; Structured Cybersecurity Information; Operational Cybersecurity Knowledge; Wisdom.
Supporting layers: Science of Security & Semantic Infrastructure; Cybersecurity Measurement and Management; Cyber Ecosystem Technology & Data; Human Intelligence and Reasoning.
57. DarkLight™ - Human-quality analytics, at scale
- Fuses data from disparate intelligence sources
- Unifies network sensors + threat intelligence + enterprise context
- Improves IRR on existing security investments
- Captures analyst knowledge for retention by the enterprise
- Augments deductive and investigative skills
- Prevents "brain-drain" while accelerating training of new staff
- Force-multiplier which enhances human reasoning
- Acts as a Virtual Analyst, improving performance by 10X to 100X+
- Advanced, AI-based reasoning able to infer conclusions
58. DarkLight Reference Model
Inputs: Alerts; Events; Adversarial Knowledge; Threat Intelligence - Internal/External Feeds; Incident Response System.
Cyber Ecosystem - Security: Firewall, Proxy, AV, IDS/IPS, Network Devices (Sensors). Enterprise Knowledge: AD, Legacy Data Sources, HRIS, etc.
Outputs: Notifies Analyst Directly; Triggers Orchestration / Action in other product.
59. Customer Success
5000 employees, one of 17 DoE National Labs; performs classified and unclassified research for DoE, DoD, DHS and other government agencies. 100K+ alerts per day, 2.5B events/week through Splunk.
Results:
- Improved ROI: doing more with 30% fewer analysts by reducing false positive alerts
- Improved Situational Awareness: now analyzing 220 previously ignored data streams
- Expanding to threat hunting
"Increased our effectiveness from 5-15% to 90-95%" – BJ Stephan, Deputy CISO
60. Product Walkthrough
61. DarkLight PROs (Programmable Reasoning Objects) analyzing data. Once data is ingested into DarkLight, the Programmable Reasoning Objects (PROs) go to work – in real time – analyzing thousands or tens of thousands of events in seconds. Their purpose is to make inferences on sets of data, whether contextual, working, or both. To put their use into perspective, each PRO acts something like an analyst assigned to finding correlations between different data sets and records, ranging from thousands to tens of thousands of logs. To find any disruptive or dangerous activity, analysts must spend hours or days searching for these patterns. DarkLight alleviates this by incorporating PRO reasoners to do this daunting task for the analysts, leaving them with a condensed data set to work with.
62. Results: Summary and Graph View. Several views work together to provide the full picture about a single event. The Working Memory view contains lists of PRO Output Types and indicates how many items are in each type. Clicking on a working memory type loads those events into the Events view, where they can be sorted by date. Clicking on a single event populates the tabular Results view, the graphical Results Graph view, and the Processors view. Since different users prefer to see information in different ways, the user may select which views are shown – and save them as a perspective.
63. Graph View of Event with full attribution. In this example, DarkLight correlates a FireEye event with a vulnerable host, attributing CVE, device and employee details. The Results Graph view is a node/link graph that describes the selected item in the Events view. It contains all of the properties and objects that have been attached to the event as it works its way through ingestors and PROs. Each new object gets a different color.
64. DarkLight Event Orchestration. PROs do the heavy lifting to reason and analyze, saving time, and based on the results they can alert, notify or orchestrate other systems to take action.
65. Semantic Technology 101 • Semantic Graph Databases • Description Logic Reasoners
66. Graph Databases – Big Data • A graph is a data structure • A graph holds data • Schema (ontologies) • Facts (assertions)
Example graph: Employees King (hasRole Line Manager, hasAccountName imking), Edwards (hasAccountName rtedward) and Jones (hasRole Project Manager, hasAccountName rtjones); a Log On Event (4624) from 192.168.5.164.
67. Automated Reasoning • Also known as an Inference Engine • DARKLIGHT is a framework for supporting multiple reasoners • Each DARKLIGHT Reasoner (called a PRO) examines the known facts and asserts new facts based on the axioms of cybersecurity.
Example graph: nodes Karen, Ryan, Roger; edges marked as Known Fact or Inferred Fact.
68. Old Ineffective Method: • Read all facts into a single monolithic graph • Manage the logical consistency of the large graph • Use a single Reasoner over the entire graph (Monolithic Reasoner over a Monolithic Graph)
WARNING: All facts asserted into a graph MUST be logically consistent or the Reasoner will not function. - AND - The larger the graph, the harder it is to keep it logically consistent.
69. Our Innovative Method: • Read all facts into a single monolithic graph • Manage the logical consistency of small subgraphs as they need to be reasoned over • Use MULTIPLE Reasoners (PROs) over the graph, not just one
INNOVATION: It is easier to maintain consistency in many smaller graphs than in one large graph.
70. Hierarchy of PROs. DARKLIGHT is a Framework for Reasoners: DARKLIGHT Configuration; Contextual Memory Graphs (Known Facts); Working Memory (Main Semantic Graph; Known & Inferred Facts).
71. The PRO Lifecycle (Contextual Memory, Working Memory, PRO Memory): 1. Trigger 2. Collect 3. Reason 4. Publish 5. Clear
72. DarkLight PROs in Use: Force-Multiplying "Virtual Analysts"
Categories: False-Positive Reduction; Insider Threat Alerts; Data Enrichment & Enhancement; Data Exfiltration; Suspicious Command Execution; Multiple Sensor Correlation; Contextual Knowledge Maintenance.
PROs: AnalysisHeartbeat, AttributedFEWebMalwareObject, AttributedFEEMPSAlert, AttributedFEEMPSAlertNotification, AttributedFEMalwareCallbackAlert, AttributedFEMalwareCallbackAlertNotification, *AttributedFEWebInfectionAlert, *AttributedFEWebInfectionAlertNotification, AttributedFEWebMalwareObjectObjectNotification, AttributedMaliciousProcess, AttributedMaliciousProcessNotification, AttributedNetcat, AttributedNetcatNotification, BlockedFEIPSAlert, BlockedFEIPSAlertNotification, ContextTypeCountReport, DHCPRecordCleanup, FEIPSAlertForVulnerableHost, FEIPSAlertForVulnerableHostNotification, FEIPSAlertReport, FEIPSAlertReportNotification, FEIPSAlertWithHostVulnerabilities, FEIPSAlertWithVulnerability, FilteredFEIPSAlert, IPUserRecordCleanup, MaliciousDomainMatch, MaliciousDomainMatchNotification, NonNameServerFEDomainMatchAlert, NotifiedOnlyFEIPSAlert, Attributes, SuspectPing, SuspectPingNotification, TypeCountNotification, UnattributableEmailAddress, UnattributableIPAddress, UnattributableUsername, UnattributedEventNotification, WorkingTypeCountReport.
Windows event IDs: 1102 – The audit log was cleared; 4672 – Special privileges assigned to new logon; 4798 – A user's local group membership was enumerated; 4799 – Security-enabled local group membership enumerated; 5156 – Windows Filtering Platform has allowed a connection; 5140 – A network share object was accessed; 7045 – A service was installed in the endpoint; 4624 – An account was successfully logged on; 4663 – Attempt was made to access an object, file or registry key.
73. DarkLight - Description • DarkLight is the only patented system that embraces the human decision-making process and knowledge to combat cyber threats. DarkLight was created, tested, and proven at one of the nation's most advanced research laboratories, spanning more than four years of R&D. • DarkLight intelligently processes the massive data streams from current network and security appliances through a patented formal Description Logic Reasoning Framework and Semantic Graph Analytics. • Unlike all other workflow-driven or machine learning-based automation tools, this approach more effectively models normal and abnormal user and network behavior. • DarkLight's Reasoning Engine is used to interpret and analyze facts using an analyst's unique knowledge of cybersecurity and the enterprise, including the policies and compliance requirements of the organization they are protecting. By utilizing the analyst rather than black box or statistical models, the system becomes a true force multiplier of expert experience and knowledge.
74. Applying DarkLight PROs to Detect Insider Threat • By representing common-sense knowledge from the cybersecurity community and the knowledge from your enterprise's cybersecurity analysts, tasks and data interpretation can be efficiently and intelligently automated. • Because the DarkLight PRO (Programmable Reasoning Object) is created by the security analysts themselves, it thinks and works like a human, and it can be created to find any correlations and patterns between data sets. • This gives your analysts the ability to create custom PROs to track whatever activity they deem necessary to keep your enterprise secure.
75. Ontologies and Threat Detection • Thought leaders at the CERT Insider Threat Center at Carnegie Mellon's Software Engineering Institute (SEI) have recently released new model concepts to help insider threat programs implement more effective controls. • Based on cases from more than 1000 organizations, the research paper and models have been several years in the making and provide a standardized method of expression for indicators of potential malicious insider activity. • They have identified an ontological approach to the problem and have provided the industry with an Insider Threat Indicator Ontology (ITIO). • An ontological approach provides a standard common language with which to represent and share knowledge, a factor they have identified as currently lacking within the threat intelligence community.
76. Applying DarkLight PROs to Detect Insider Threat. Examples of Insider Threat PROs: • Track group membership over time • Detect off-hours system usage • Detect uploading to known file-storage locations • Detect unusual program execution • Detect unusual printing activity • Correlate when a member of a group decimated by layoffs uploads to a known location • The Insider Threat Indicator Ontology
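A toy version of the PRO lifecycle (trigger, collect, reason, publish, clear) applied to one of the insider-threat PROs listed above (off-hours usage), added here as an example and not DarkLight's own code: a minimal triple store stands in for the semantic graph, and one PRO attributes constructed Windows 4624 logon events to employees and roles drawn from constructed enterprise context. The employee names, events, the 06:00-19:59 business-hours window and all function names are assumptions.

```python
from datetime import datetime

# Contextual memory: constructed enterprise facts (AD / HRIS context) as
# (subject, predicate, object) triples, using the slide's example names.
CONTEXT = {
    ("King", "type", "Employee"), ("King", "hasRole", "Line Manager"), ("King", "hasAccountName", "imking"),
    ("Jones", "type", "Employee"), ("Jones", "hasRole", "Project Manager"), ("Jones", "hasAccountName", "rtjones"),
    ("Edwards", "type", "Employee"), ("Edwards", "hasAccountName", "rtedward"),
}

# Sensor input: constructed Windows logon events (ID 4624 = successful logon).
EVENTS = [
    {"id": "evt1", "eventId": 4624, "account": "rtjones", "src": "192.168.5.164", "time": "2016-03-01T10:15:00"},
    {"id": "evt2", "eventId": 4624, "account": "imking", "src": "192.168.5.164", "time": "2016-03-01T02:40:00"},
    {"id": "evt3", "eventId": 4624, "account": "svc_ghost", "src": "10.0.0.7", "time": "2016-03-01T11:00:00"},
    {"id": "evt4", "eventId": 4672, "account": "rtjones", "src": "192.168.5.164", "time": "2016-03-01T10:16:00"},
]

class Graph:  # minimal triple store standing in for a semantic graph database
    def __init__(self, triples=()):
        self.triples = set(triples)

    def objects(self, s, p):
        return {o for (s2, p2, o) in self.triples if s2 == s and p2 == p}

    def subjects(self, p, o):
        return {s for (s, p2, o2) in self.triples if p2 == p and o2 == o}

def attribute_logon_pro(context, event):
    """One PRO: 1. trigger on 4624, 2. collect the account->employee subgraph,
    3. reason over that subgraph only, 4. publish inferred facts, 5. clear (no
    state kept between events). Assumption: business hours are 06:00-19:59."""
    if event["eventId"] != 4624:
        return set()                                         # trigger not met
    ev = event["id"]
    employees = context.subjects("hasAccountName", event["account"])
    if not employees:                                        # no enterprise context
        return {(ev, "type", "UnattributableUsername")}
    emp = next(iter(employees))
    facts = {(ev, "type", "AttributedLogon"), (ev, "performedBy", emp)}
    facts |= {(ev, "actorRole", r) for r in context.objects(emp, "hasRole")}
    if datetime.fromisoformat(event["time"]).hour not in range(6, 20):  # off-hours indicator
        facts.add((ev, "type", "OffHoursLogon"))
    return facts

def run(context_triples=CONTEXT, events=EVENTS):
    """Apply the PRO to every event; published facts join working memory."""
    context, working = Graph(context_triples), Graph()
    for event in events:
        working.triples |= attribute_logon_pro(context, event)
    return working
```

The inferred triples in `run().triples` are what the Working Memory view would list under types such as AttributedLogon, OffHoursLogon and UnattributableUsername.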
77. Superior performance through reasoning • DarkLight approaches the Cyber Security problem by allowing analysts to explicitly establish what the "normal" user behavior baseline is in the context of the enterprise business model and operations. • For example, a compensation specialist working in HR should not be downloading customer data; that is not part of the employee's normal user profile or approved behavior or UEBA. • Understanding every employee, vendor and customer profile and behavior is at the heart of what DarkLight gives the internal enterprise cyber security analysts, followed by the ability to alert and act quickly. • DarkLight offers the user a means to perpetuate their know-how via our exclusive PROs. Other UEBA providers require an entity to use their machine-learned models of the user and/or its peers.
78. Operationalizing the ITIO • You can put CERT's ITIO (as well as models like STIX, CybOX, OpenIOC and others) to work today with DarkLight, for a force-multiplying cyber analytic and automation platform. • Import the Insider Threat Indicator Ontology into DarkLight and the general concepts of the ontology are mapped to real-time data of your organization. • As an example, data of the "Actors" are mapped to "People & Organizations" of the company, immediately leveraging the ITIO. Once this mapping has occurred, the hard problem of Insider Threat, identifying the subtle changes in an employee's behavior, can be identified much more easily. • DarkLight helps you: • Find the indicators • Identify exfiltration • Identify I.D. theft and fraud • Collect the intelligence needed to allow efficient forensic investigations of affected assets.
79. Next Steps – when do we start?
80. Thank you for your attention!