Qsight IT gives you insight into how we use Metron to secure our customers by continuously analyzing and monitoring users, applications, data, and networks. We show you how we implemented Metron as a replacement for our former security platform, which was based on rule-based security. Since we are dealing with a non-conventional use case, “serving many customers with one platform,” we developed a business classification module that enables us to score threats according to the customer’s input.
To be future ready, we are working on extending this rule-based way of detection with machine learning models for web defacement, suspicious URLs, UEBA, and many more to come.
In order to provide all the necessary information to the SOC analysts at a glance, we are developing a custom SOC application from which they can handle security alarms, analyze captured data, and have historical data at hand. We regard our new Metron-based security platform as an emerging giant: a future-proof cyber security platform!
Speaker
Bas van de Lustgraaf, Big Data Engineer, QSight IT
Machiel van Tilborg, BI Engineer, QSight IT
5. Threat intel
• Signature: description of a possible threat
• Detector: collection of signatures describing similar threats
• Directive: collection of detectors leading to the same risk
Chain: Sensors → Signatures → Detectors → Directives
Example: Suricata (NIDS) → Blackhole Exploit Pack HCP → Exploit Kit → Malware Infection
6. Security as business driver
• Implementation Layer: Suricata (NIDS) → Blackhole Exploit Pack HCP
• Threat Layer: Exploit Kit → Malware Infection
• Business Layer
7. Alert triage
• Exploit kit = Risk 10
• Laptop CEO = Value 10 → classification critical, mitigate and notify customer immediately
• Test laptop = Value 1 → classification informational, notify customer in monthly report
14. Takeaways from QSight perspective
• Risk based security
• Opportunity to innovate
• Multi tenancy solution
• Scalable architecture
• Data lake
Editor's notes
Bas
Result of a merger between Onsight and QI ICT
Onsight was dedicated to security, selling security devices like firewalls, and has a SOC for security monitoring and for managing the security devices for customers
QI ICT main focus was selling storage and network devices
Merger in 2016: Qsight
Cloud, networking and security
Security monitoring and Managed Security
We were recently acquired by KPN, a large Dutch telecom provider
R&D
Develop solutions for the services
A team of 15 persons, in different specialisms (DevOps, DS, BI, BD, Dev)
We prefer Agile Scrum and Open Source
We offer security as a service to our customers. Therefore we are confronted with their network configurations and security devices. Clients ask us to secure parts of, or the entire, network for them and to apply their security policies. To a certain extent we can advise them on, or prescribe, which hardware/software configurations they should use and what policy is the best fit. However, we always have to consider the specific client situation as well as the knowledge they have about security. This makes it quite complex to standardize the way of working on our side.
Focus on the current architecture: see written notes
Data collector
Data transport from customer locations using a so-called probe developed by us
The probe consists of a call-home VPN functionality and can be deployed automatically with customer-specific configurations
Parser
We enhanced the way Metron parses data
Fully configurable parsers, no coding needed for semi-complex structures
All data ingested by the sensors is processed
Enrichment
Asset: append host information, i.e. customer location and asset value. The asset value is used to calculate the risk score.
Security domain: customers group their IPs into security domains, such as office automation or web portals, in order to apply different security policies.
Threat intel
Applying rule-based security
Alert triage
Calculate the risk and categorize it in order to determine the response time, i.e. Informational or Critical
Output
Elastic, HDFS, Service management system
Machiel
Sensors: detection (NIDS, HIDS), prevention (firewall), application (ERP, CRM), meta (DHCP, AD)
Use Suricata (NIDS) as example
Not sufficient for log sources other than detection or prevention. Therefore we need alternatives to link sensor data to detectors.
Detector: possibility for complex event processing
Sensor and signature: implementation layer
Detector and directive: Threat layer
On top of that we have the business layer, indicating real business risks like:
Being not compliant to laws and regulations
Data Loss
Business continuity
Fraud & financial loss
Reputational damage
In the step Alert Triage we evaluate the importance of an event.
At detector level we have set a risk level for this detector, say 10 for an exploit kit, which is very dangerous.
Another variable is the system (asset) which is infected. In this example it is the laptop of the CEO; we have valued this laptop with an importance of 10. We use this to calculate a risk score indicating a Critical situation. The SOC employee gets a ticket in the ticketing system with an SLA indicating short response times to the customer.
If the same detector is found on a test laptop which is used for a POC or for testing some stuff, then it is not necessary to respond immediately (it could be, of course, but for the sake of the example). The SOC engineer receives no ticket; the customer is notified in a monthly report.
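The triage logic from slide 7 and these notes, as an added example that is not QSight's own code: a Suricata (NIDS) alert is mapped through the signature → detector → directive chain, enriched with the asset value, and classified. The deck only gives the inputs (detector risk 10, asset values 10 and 1) and the outcomes; the combination rule (risk score = detector risk × asset value), the Critical threshold, the asset inventory and the sample alerts are assumptions constructed here.

```python
from dataclasses import dataclass
from typing import Optional

# Threat layer (assumed static tables): signature -> detector -> directive
SIGNATURE_TO_DETECTOR = {"Blackhole Exploit Pack HCP": "Exploit Kit"}
DETECTOR_TO_DIRECTIVE = {"Exploit Kit": "Malware Infection"}
DETECTOR_RISK = {"Exploit Kit": 10}  # risk level set at detector level

# Enrichment: constructed asset inventory keyed by host IP (customer location and asset value)
ASSETS = {
    "10.0.0.5": {"name": "Laptop CEO", "location": "HQ", "value": 10},
    "10.0.9.7": {"name": "Test laptop", "location": "Lab", "value": 1},
}
UNKNOWN_ASSET = {"name": "unknown host", "location": "unknown", "value": 1}  # assumption

CRITICAL_THRESHOLD = 50  # assumption: score >= threshold is Critical, otherwise Informational


@dataclass
class Triage:
    detector: str
    directive: str
    asset: str
    risk_score: int
    classification: str
    action: str


def triage(suricata_alert: dict) -> Optional[Triage]:
    """Classify one Suricata EVE-style alert; returns None when no detector matches."""
    detector = SIGNATURE_TO_DETECTOR.get(suricata_alert["alert"]["signature"])
    if detector is None:
        return None  # signature not linked to a detector: nothing to triage
    directive = DETECTOR_TO_DIRECTIVE[detector]
    asset = ASSETS.get(suricata_alert["dest_ip"], UNKNOWN_ASSET)
    score = DETECTOR_RISK[detector] * asset["value"]  # assumed combination rule
    if score >= CRITICAL_THRESHOLD:
        cls, action = "Critical", "open ticket with SLA, mitigate and notify customer immediately"
    else:
        cls, action = "Informational", "no ticket, notify customer in monthly report"
    return Triage(detector, directive, asset["name"], score, cls, action)


if __name__ == "__main__":
    # Constructed alerts: the same signature seen on the CEO laptop and on a test laptop
    for ip in ("10.0.0.5", "10.0.9.7"):
        alert = {"event_type": "alert", "dest_ip": ip,
                 "alert": {"signature": "Blackhole Exploit Pack HCP"}}
        print(triage(alert))
```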
Screens on the wall
Several customers
Real-time insight into events/alarms
Trending
Visual
Future: we will provide the SOC engineer with one interface where he can see his open tickets, have some details about the ticket he is currently working on, have some trend graphs available on the customer and the threats he is investigating, have the use case runbook available on what to do, see the last communication he had with the customer, etc.
Hand over to Bas, who will tell you about how we will use Metron to enhance the way we do security.
Bas
Machine Learning
Log events labels
Feedback loop, integration with ticket handling
Extra threat feeds, i.e. STIX / TAXII
Behavioural analysis (replacement of static rules)
Bas
Tendency to gather lots of data
Feel free to experiment to discover new use cases
Solution: ‘log labelling tool’ for investigating unknown log sources
Benchmark your pipeline
Benchmark HW/SW as soon as possible and component by component to reduce complexity
New way of working
Challenges around new processes and software
We just expect AlienVault 2.0
Data visualization
Too many tools, SOC analyst <> Data analyst
Visualization for the customer (the reason to look at risk-based security)
Different data consumers (roles: soc analysts, administrator, customer)
Bas
Risk based security
From rule-based (technical) towards risk-based (business)
Multi tenancy solution
Adhering to customer specific situations
Data lake
Many tools to utilize your data (BI, DS, Long term storage, Statistical analysis)