Building a future-proof cyber security platform with Apache Metron
•Als PPTX, PDF herunterladen•
1 gefällt mir•1,038 views
Qsight IT gives you insight in how we use Metron in securing our customers by continuously analyzing and monitoring users, applications, data, and networks. We show you how we implemented Metron as a replacement for our former security platform based on rule-based security. Since we are dealing with a non-conventional use case “serving many customers with one platform,” we developed a business classification module that enables us to score threats according to the customer’s input. To be future ready, we are working on extending this rule-based way of detection with machine learning models like web defacement, suspicious URL’s, UEBA, and many more to come. In order to provide all the necessary information to the SOC analysts at a glance, we are developing a custom SOC application from where they can handle security alarms, analyze captured data, and have historical data at hand. We regard our new Metron based Security Platform as an emerging giant—a future-proof cyber security platform! Speaker Bas van de Lustgraaf, Big Data Engineer, QSight IT Machiel van Tilborg, BI Engineer, QSight IT
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Ähnlich wie Building a future-proof cyber security platform with Apache Metron
Ähnlich wie Building a future-proof cyber security platform with Apache Metron (20)
Mehr von DataWorks Summit
Mehr von DataWorks Summit (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Building a future-proof cyber security platform with Apache Metron
- 1. Building a future-proof cyber security platform Bas van de Lustgraaf Machiel van Tilborg
- 5. Threat intel Signature Description of a possible threat Detector Collection of signatures describing similar threats Directive Collection of detectors leading to the same risk Sensors Signatures Detectors Directives Blackhole Exploit Pack HCP Suricata (NIDS) Exploit Kit Malware Infection
- 6. Security as business driver Blackhole Exploit Pack HCP Suricata (NIDS) Exploit Kit Malware Infection Implementation Layer Threat Layer Business Layer
- 7. Classification critical, mitigate and notify customer immediatelyClassification informational, notify customer in monthly report Alert triage Exploit kit = Risk 10 Laptop CEO = Value 10Test laptop = Value 1
- 10. Detection mechanisms Third party feeds Machine learning models Behavioral analysis Rule based detection
- 11. Behavioral analysis Network Server Application User Data • Active hosts • Protocol used • Traffic flow (inbound vs. outbound) • Bandwidth usage • Active hours • Used by • Active hours • Location • Access patterns (download vs. upload) • Accessed from
- 12. Machine learning model • Typo squatting • DGA detection
- 13. Lessons learned • Tendency to gather lots of data • Benchmark your pipeline • Data visualization
- 14. Takeaways from QSight perspective • Risk based security • Opportunity to innovate • Multi tenancy solution • Scalable architecture • Data lake
Hinweis der Redaktion
- Bas
- Result of a merger between Onsight and QI ICT Onsight dedicated to security, selling security devices like firewalls and has a SOC for security monitoring and managing the security devices for customer QI ICT main focus was selling storage and network devices Merger in 2016: Qsight Cloud, networking and security Security monitoring and Managed Security We are recently acquired by KPN, a large dutch telecom provider R&D Develop solutions for the services A team of 15 persons, in different specialisms (DevOps, DS, BI, BD, Dev) We prefer Agile Scrum and Open Source
- We offer security as a service to our customers. Therefore we are confronted with their network configurations and security devices. Clients ask us to secure parts of the entire network for them and to apply their security policies. To a certain extend we can advise or force them which hardware/software configurations they should use and what policy is the best fit. However, we always have to consider the specific client situation as well as the knowledge they have about security. This makes it quite complex to standardize the way of working on our side Focus on the current architecture: see written notes
- Data collector Data transport from customer locations using a so called probe developed by us Probe consists of a Call home VPN functionality and can be deployed automatically with customer specific configurations Parser We enhanced the way Metron is parsing data Fully configurable parsers, no coding needed for semi complex structures All data ingested by the sensors is processed Enrichment Asset, append host information i.e. customer location and asset value. Asset value is use to calculate the risk score. Security domain, customer group their IP’s in security domains, like office automation or web portals, in order to apply different security policies. Threat intel Applying rule based security Alert triage Calculate risk and categorize in order the determine the response time. i.e. Information or Critical Output Elastic, HDFS, Service management system
- Machiel Sensors: detection (NIDS, HIDS), prevention (firewall), application (ERP, CRM), meta (DHCP, AD) Use Suricata (NIDS) as example Not sufficient for other log sources than detection or prevention. Therefore we need alternatives to link sensor data to detectors. Detector: possibility for Complex Event Processing
- Sensor and signature: implementation layer Detector and directive: Threat layer On top of that we have the business layer indicating real business risks like Being not compliant to laws and regulations Data Loss Business continuity Fraud & financial loss Reputational damage
- In the step Alert Triage we evaluate the importance of an event. At detector level we have set a risk level of this detector, say 10 for an Exploit kit very dangerous. Another variable is the system (asset) which is infected. In this example it is the laptop of the CEO, we have valuated this laptop with an importance of 10. We use this to calculate a risk score indicating a Critical situation. The SOC employee gets a ticket in the ticketing system with a SLA indicating short response times to the customer If the same detector is found on a test laptop which is used for a POC or testing some stuff then it is not neccessary to respond immediately. (could be of course, but for the sake of the example). The SOC engineer receives no ticket, the customer is notified in a monthly report
- Screens on the wall Several customers Real time insight in events/alarms Trending Visual
- Future: We will provide the SOC engineer with one interface where he can see his open tickets, have some details about the ticket he is currently working on, have some trend graphs available on the customer and the threats he is investigating, have the Use Case runook available what to do, see the last communication he had with the customer etc. Hand over to Bas, he wil tell you about how we will use Metron to enhance the way we do security.
- Bas Machine Learning Log events labels Feedback loop, integratie met ticket afhandeling Extra threat feeds i.e. STIX / TAXII Gedrags analyse (vervanging van statische rules)
- Bas
- Bas Tendency to gather lots of data Feel free to experiment to discover new use cases Solution: ‘log labelling tool’ for investigating unknown log sources Benchmark your pipeline Benchmark HW/SW as soon as possible and component by component to reduce complexity New way of working Challenges around new processes and software We just expect AlienVault 2.0 Data visualization To many tools, SOC analyst <> Data analyst Visualization for customer (the reason to look at risked based security) Different data consumers (roles: soc analysts, administrator, customer)
- Bas Risk based security From rules based (technical) towards risk based (business) Multi tenancy solution Adhering to customer specific situations Data lake Many tools to utilize your data (BI, DS, Long term storage, Statistical analysis)
- Bas