Security - Situational awareness

Situational Awareness

raffael marty - pixlcloud december 2011

Is this useful for Situational Awareness?

OverviewNetwork Security Sit Awareness Today

Where we should be Challenges Resources

Raffael Marty

•SaaS business expert•Data visualization practitioner•Security data analyst

Applied Security VisualizationPublisher: Addison Wesley (August, 2008)

ISBN: 0321510100

pixlcloud

IBM Research

Cyber Security

Forensics / IR

Information Security

Authentication Authorization AccountingBCM / DROS SecurityPolicies and Procedures...

Network Security

Situational Awareness

Reporting

AlertingNeglected!!!

Data Collection

Reactive Pro-Active

Situational Awareness“Situational Awareness is the ability to identify, process, and comprehend the critical elements of information about what is happening to the team with regards to the mission. More simply, it’s knowing what is going on around you.”

‣ find air force viz images

IWViz - IDS Situational Awareness

Sit Awareness Is Visualization‣Visualization - because machine centered approaches have failed‣Leverage human cognitive capabilities ‣Pattern recognition‣Pre-attentive processing‣Context memory

Data Sources for Sit Awareness‣Flow records

‣Firewalls

‣IDS/IPSs

‣What about: PCAP, DNS, BGP, OS, Proxies, User behavior ??‣Context information - Hosts, Users, ...

1.1.1.1 10.0.0.2

9.4.242.10

1.1.1.1 10.0.0.2

9.4.242.10

1.1.1.1 10.0.0.2

9.4.242.10

Todays Visualization Tools‣Based on specific data source‣Hard to use‣Limited interactivity‣Not real-time‣Slow‣Ugly

‣ Gephi‣ R‣ Matlab‣ Mondrian

‣ PicViz‣ Treemap 4.1‣ Google Earth

Take the Blinders Off!

Visualization Maturity‣Data Collection‣Data Analysis‣Context Integration‣Visualization‣Visual Analytics‣Collaboration‣Dissemination

Data Sources (Data Store) Structured Data

filesdatabase

filteringaggregationcleansing

Contextual Data

Visual Representation

visualization

iterations

parsingfeature selection

Security Visualization Dichotomy

‣ security data‣ networking protocols‣ routing protocols (the Internet)‣ security impact‣ security policy‣ jargon‣ use-cases‣ are the end-users

‣ types of data‣ perception‣ optics‣ color theory‣ depth cue theory‣ interaction theory ‣ types of graphs‣ human computer interaction

Security Visualization

Landscape Changes

• from fame to financial gain• from audacious to “low and slow”

• from indiscriminate to targeted• from manual to automated

• from disruptive to disastrous

• from infrastructure to applications

Threat Landscape Technology• Big Data

• NoSQL• Column-based data stores• Map Reduce (hadoop)

• Cloud• on demand computing

We have technology to attack the threats!BUT we don’t know what to do with it!

The Public Sector‣Currently using a lot of Excel‣Big data technologies (e.g., Datameer, Karmasphere, Cloudera)‣ Incremental improvements to SIEM tools (e.g., ArcSight, etc.)‣Using non security / network tools (e.g., Advizor, Cognos)

‣Working with blacklists and whitelists‣Not understanding the data intrinsically

The GovernmentEverything is different from Industry

Scalee.g., DISA has 5 million live hosts

Types of attacks Adversaries

Data sources

e.g., Nation states

e.g., ASIM CIDS

I have no example ....

We Need

What we Need‣Leverage advanced technologies (big data, etc.)‣Build for the actual users, not programmers!‣End to end tools, not yet another library‣ Interactive, not static!‣Multiple data sources at once‣Leverage context, not just event data‣Decouple data from the tools ‣Crowd intelligence

Make it This Simple!

Challenges

Maturity Challenge

Companies and products are stuck on the left hand side!

Data Challenges‣No data - no insights - no sit awareness‣We don’t even have / collect the data‣ It is too hard to collect data‣We don’t understand our data!‣Data silos‣Large amounts of semi-structured data‣Parsing data is extremely hard

Tool Challenges‣Same old - all over ‣Does your SIEM support visual analytics?

‣Missing: Brushing, Interactivity ‣Help the user understand the data!‣Highly scalable visualization systems are hard to build!‣What algorithms are useful? (e.g., clustering)‣Visualization expertise is missing‣Visualization AND security is an interdisciplinary problem

Overview first

Zoom and Filter

Details on demand

Visualization Challenges‣Skilled people are missing‣What are we even trying to look for?‣Anomaly detection is not working‣Academia is disconnected‣Use-cases and problems‣State of the art in industry‣Visualization is always an afterthought

Myths‣Real-time‣Do we really need real-time?

‣Hadoop‣Not everything that is big data needs to use Hadoop!‣Know your technologies!

‣Cloud‣Will we ever put security relevant data into the cloud?

Resources‣SecViz: http://secviz.org and @secviz‣CERT - NetSA: http://www.cert.org/netsa/‣Mainly a collection of papers and links to some tools (SiLK)

‣VizSec Conference: http://www.vizsec.org‣Applied Security VisualizationR. Marty, 2008

pixlcloudcreating big data stories

@raffaelmarty

buy now

Security - Situational awareness

Technology

Transcript of Security - Situational awareness

Analysis framework of network security situational awareness … · 2019. 8. 13. · REVIEW Open Access Analysis framework of network security situational awareness and comparison

SARA Automated alerting for situational awareness to ... · situational awareness with advancements continuing to be made. As the pioneering provider of enterprise situational awareness

Public Safety and Homeland Security Situational Awareness...Public safety functions achieve situational awareness by accessing information through a combination of manual and/or electronic

Security Architecture & Network Situational Awareness · Security Architecture & Network ... Firewall, Intrusion Prevention System, ... • Patch Management • Cloud Security Controls

Education - Situational Awareness

1 Situational Awareness Board. 2 Action Communicate a Situational Awareness Update.

Gaining the SITUATIONAL AWARENESS - GovLoop...a security perspective, it also provides clarity and improved network situational awareness. Still, understanding your data can be tough,

How to prioritize security controls for situational awareness in AWS · 2020. 9. 9. · AWS services that enhance situational awareness Identify Protect Detect Respond Recover Amazon

New German Space Situational Awareness Centre · 2011. 2. 17. · German Space Situational Awareness Centre – Functionality German Space Situational Awareness Centre Recognized

Public Safety and Homeland Security Situational Awareness

Enhancing Situational Awareness for Risk-Informed ... · Enhancing Situational Awareness for Risk-Informed, Intelligence-Driven Operations, 2015 Esri National Security Summit--Presentation,

NATIONAL SITUATIONAL AWARENESS AWARENESS SECURITY ... · geospatial intelligence systems situational awareness target acquisition & tailgating information authority management location

Data Aggregation, Curation and analytics for security and situational awareness

Situational Awareness Guide - combinedaw.comcombinedaw.com/.../mug15SituationalAwarenessGuide.pdf · Situational Awareness Guide 1. So, what is Situational Awareness? 2. How do I

Verint Situational Awareness Platform...Develop Security Visibility Through a Common Operating Picture As a centralized resource, Verint Situational Awareness Platform helps maximize

SITUATIONAL AWARENESS ANALYSIS TOOLS FOR AIDING … · 2011-05-13 · SITUATIONAL AWARENESS ANALYSIS TOOLS FOR AIDING DISCOVERY OF SECURITY EVENTS AND PATTERNS 6. AUTHOR(S) Vipin

Enhancing Situational Awareness - Maritime Symposium · PDF fileVersion 3.1.1 Enhancing Situational Awareness A research about improvement of situational awareness on board of vessels

Situational awareness

Hit ‘em Where it Hurts: A Live Security Exercise on Cyber Situational Awareness

NIST Special Publication 1800-7B SITUATIONAL AWARENESS...NIST Special Publication 1800-7B. SITUATIONAL AWARENESS. For Electric Utilities. Volume B: Approach, Architecture, and Security