2. Agenda
Introduction – Addressing Cyber Security (2013)
Managing Cyber Threats (2013)
Big Data Analytics in SIEM
Managing Cyber Threats (2016)
Cyber Security Control Model
Conclusion
3. Introduction – Addressing Cyber Security (2013)
The previous presentation on Cyber Security (http://www.slideshare.net/fashaye/addressing-cyber-security-26632216) addressed the approach required to deal with Cyber threats in mid 2013; the threat landscape in 2016 has grown and evolved.
The risk-based approach of 2013 is still relevant, using the relevant but more linear ISO 27001 processes and activities (Plan -> Do -> Check -> Act -> Check -> Act -> Check -> Act -> Check -> ...):
Risk assessments conducted to understand the likelihood of threats and vulnerabilities and their impact on the organisation (Plan & Check)
Prevent, detect and respond to security incidents, reviewing the existing state of security (Check & Act)
Measurement of control effectiveness and overall security maturity, to determine when, where and how to improve the overall security posture (Check & Act)
SIEM provides recording of security incidents and risk-related information such as:
Malicious traffic to specific systems
Suspicious activity across domain boundaries
User session activity, and more
Outcome: the approach is required to understand the scale and impact of Cyber Threats.
Indicators of risk exposure and control effectiveness identify key risks over time.
Data- and system-centric processes and key controls already exist for dealing with Cyber Threats.
Dealing with them might require help from other disciplines such as criminologists, sociologists, psychologists, lawyers etc., leading to people- and behaviour-centric controls.
4. Managing Cyber Threats (2013)
[Diagram: 2013 SIEM-centric control architecture. Recoverable content from the slide:]
Risk entities: Threat; Vulnerability (e.g. un-patched OS/Application); Asset (Application, DB and OS etc. information; asset inventory and compliance information)
Relationship labels: Threat "mounts attack on.."; Vulnerability "can be exploited to attack"; controls "mitigate or stop attack against...", "discover attack against..", "discover and protect against"
Preventative and Detective Controls: Firewall; Identity and Access Manager; DLP; Vulnerability Scanner; IDS/IPS; AV Gateway
Security events fed to the SIEM: Suspicious Login or Access Event; Malicious Port Scanning Event; Malware Event; Data Theft Event; Suspicious Network Access Event; Denial of Service Event
SIEM & Logger functions: Threat Correlation/Aggregation; Vulnerability Correlation/Aggregation; Asset Correlation/Aggregation; Event Logging and Reporting; Risk Information; ALARM Security Incidents
5. Big Data Analytics in SIEM
Digitalisation (specifically the Internet of Things) and business ecosystems are introducing a proliferation of disparate connected systems and devices, which means the variety and volume of security data are growing more than ever (Gartner: security data is expected to double every year from 2014 through to 2016).
The threat landscape in 2016 has evolved and is growing. Cyber criminals typically blend into background operational noise, performing undetected reconnaissance of networks over a long period of time before carrying out attacks. Identifying these threats amongst the growing volumes of security data presents greater challenges.
The data-centric controls outlined, but not detailed, in the 2013 approach are now more relevant. Big Data analytics applied to Cyber Security provides another level of context: it identifies threat anomalies and patterns and predicts threats that are not typically derived from the traditional risk-based context.
Traditional SIEM is not able to capture the proliferation of new data; the new generation of SIEM tools incorporates Big Data Analytics to provide Security Analytics.
Security analytics will better consolidate all security data from disparate security tools, business applications, IT applications, cloud applications, digital business ecosystems and business processes, to deal with enterprise-level threats in real time.
Security analytics will have the capability to seamlessly mine structured and unstructured data to enhance threat landscape analysis, and to provide better visualisation of that data to further aid forensic capabilities.
The Security Analyst skillset requires a high level of data science and big data analytics expertise.
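As an added illustration (not part of the original deck) of the two points above, that SIEM records malicious traffic to specific systems and that reconnaissance spread over a long period hides in operational noise, the following Python script runs two detection rules over a constructed firewall deny log. A per-hour rule, the kind a traditional SIEM evaluates on recent events, sees only one target per hour and flags nothing; the same rule evaluated over a multi-day window, which is what retaining and analysing the whole data set allows, surfaces the slow scanner. The log format, the addresses 10.0.0.7 and 198.51.100.23, the hosts, ports and thresholds are all constructed for the example.

```python
"""Low-and-slow reconnaissance detection over constructed firewall deny logs.

Added example (not from the original deck). Log format, addresses, hosts,
ports and thresholds are all constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log line format: "<ISO timestamp> DENY src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>DENY|ALLOW) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_log(lines):
    """Parse log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def build_sample_log():
    """Three days of constructed DENY events (sample data, not a real capture)."""
    start = datetime(2016, 3, 1, 0, 0, 0)
    lines = []
    # Background noise: a monitoring host (10.0.0.7) polls one blocked SNMP port every 5 minutes.
    for i in range(3 * 24 * 12):
        ts = start + timedelta(minutes=5 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%S} DENY src=10.0.0.7 dst=10.1.1.9 dport=161")
    # Low-and-slow reconnaissance: 198.51.100.23 probes one new host/port pair every 4 hours.
    targets = [(f"10.1.1.{h}", p) for h in (5, 6, 7) for p in (22, 80, 443, 445, 3389, 8080)]
    for i, (dst, dport) in enumerate(targets):
        ts = start + timedelta(hours=4 * i, minutes=7)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%S} DENY src=198.51.100.23 dst={dst} dport={dport}")
    return lines


def event_volume(events):
    """Raw event count per source: volume alone does not separate noise from reconnaissance."""
    return dict(Counter(ev["src"] for ev in events))


def distinct_target_alerts(events, window_hours, min_targets):
    """Flag sources that touch at least `min_targets` distinct (dst, dport) pairs
    inside any sliding window of `window_hours`. Returns {src: max distinct targets}.
    A one-hour window is the traditional per-hour SIEM rule; a multi-day window is
    the long-period aggregation that analytics over the full data set allows."""
    window = timedelta(hours=window_hours)
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append((ev["ts"], (ev["dst"], ev["dport"])))
    flagged = {}
    for src, items in by_src.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            seen = {tgt for t, tgt in items[i:] if t - t0 <= window}
            if len(seen) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(seen))
    return flagged


if __name__ == "__main__":
    events = parse_log(build_sample_log())
    print("events per source:", event_volume(events))
    print("1-hour rule, >=10 targets:", distinct_target_alerts(events, 1, 10))
    print("7-day rule,  >=10 targets:", distinct_target_alerts(events, 24 * 7, 10))
```

The noisy monitoring host generates 864 denies against a single target and is never flagged; the scanner generates only 18 denies but against 18 distinct host/port pairs, which the 1-hour window cannot see and the 7-day window does. The signal is target diversity per source over time, not event volume, which is why the rule needs the retained history rather than the last hour of events.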
6. Managing Cyber Threats (2016)
[Diagram: 2016 architecture, the 2013 diagram extended with Security Analytics. Recoverable content from the slide:]
Risk entities: Threat; Vulnerability (e.g. un-patched OS/Application); Asset (Application, DB and OS etc. information; asset inventory and compliance information)
Relationship labels: Threat "mounts attack on.."; Vulnerability "can be exploited to attack"; controls "mitigate or stop attack against...", "discover attack against..", "discover and protect against"
Preventative, Predictive and Detective Controls: Firewall; Identity and Access Manager; DLP; Vulnerability Scanner; IDS/IPS; AV Gateway
Security events fed to the SIEM: Suspicious Login or Access Event; Malicious Port Scanning Event; Malware Event; Data Theft Event; Suspicious Network Access Event; Denial of Service Event
Additional 2016 inputs: unstructured security events from Business & IT applications; Cloud systems; context-aware identity data
SIEM w/Security Analytics functions: Unstructured Security Event Correlation/Aggregation; Threat Correlation/Aggregation; Vulnerability Correlation/Aggregation; Asset Correlation/Aggregation; Event Logging and Reporting; Predictive Modelling; Risk Information; ALARM Security Incidents
Additional 2016 output: Predicted Threats
7. Cyber Security Control Model
[Diagram: two panels, Risk Model and Countermeasures, joined by the connector label "Informs". Recoverable content from the slide:]
Risk Model nodes: THREATS; VULNERABILITIES; ASSETS; VALUE; INCIDENTS; COMPLIANCE; NEGATIVE BUSINESS IMPACT
Risk Model relationship labels: Exploit; Causing; Affecting; Have; Results in
Countermeasures: PREDICTIVE CONTROLS; DETERRENT CONTROLS; PREVENTATIVE CONTROLS; CONTAINMENT CONTROLS; ASSURANCE CONTROLS; EVIDENTIAL CONTROL; CORRECTIVE CONTROLS; DETECTIVE CONTROLS
Countermeasure relationship labels: Triggers (three times); Reduce; Demonstrates
The model illustrates the basic relationships between risks and countermeasures, driven by the control capabilities of Security Analytics. It demonstrates how prediction and detection of threats enable a proactive response to both definite and potential risk scenarios.
8. Conclusion
Big-data-driven security enables organisations to gain richer context for assessing Cyber threats against their specific business and compliance requirements:
Enables a more data-centric approach to traditional risk-based security intelligence
Enables a more agile approach to traditional risk-based security intelligence
Addresses Advanced Persistent Threats
Improves security monitoring
A data architecture is required to incorporate and catalogue all relevant security information across the business for Security Analytics.
Future security strategy will feature investment in, and alignment of, security tools enhanced with big data analytics capabilities. This is the next challenge.
Security Analytics currently addresses Cyber Threats by combining traditional human-led risk analysis with machine-led, data-driven behavioural analysis. This will evolve into machine-only-led, risk- and data-driven Security Analytics.
Thank You!!