CERN’s COMPUTER SECURITY OPERATIONS CENTRE: Status Update
System architecture
Technology Stack used
Telemetry Capture Layer: Apache Flume
Data Bus (Transport): Apache Kafka
Analytics: Go
Long-Term Data Store: Hadoop HDFS
Real-Time Index & Search: Elasticsearch
Visualisation: Kibana & CLI
Intrusion Detection: Bro (Zeek) & Snort
Web frontends: OpenShift
Data ingestion rates (1-7 Feb 2018)
Network (Bro / Zeek): 1078 GB / day in HDFS (raw JSON), 761 GB / day in ES, 2.3 billion events / day
System (other): 451 GB / day in HDFS (raw JSON), 256 GB / day in ES, 1.1 billion events / day
Threat Intelligence
Threat Intelligence
Malware Information Sharing Platform (MISP) is the sole threat intelligence platform at CERN
Automatic sharing of intelligence data with trusted peers
CERN is currently operating 4 different instances:
Main CERN instance (> 1.1 M IoCs)
Worldwide LHC Computing Grid (WLCG) central MISP instance (> 600 K IoCs)
Development MISP instance, used for MISP development (CERN is an active contributor) and for validating new MISP releases
Special purpose MISP instance
Network based Intrusion Detection
Network traffic aggregator and splitter
Kafka Data Backbone
Kafka Data Backbone
New Kafka cluster: 6 Kafka brokers, 3 Zookeeper nodes
70,000 messages / sec on average
72 hours retention period
Replication factor of 3
Data compressed using snappy
Inline processing
Inline processing
Custom code written in Go (golang)
Jobs launched and monitored using Nomad, running distributed on Nomad clients
Data ingested from Kafka
Types of jobs:
Data enrichment: DNS (forward and reverse DNS resolution), GeoIP
Intrusion detection: based on IoCs from MISP; custom, advanced rules
Monitoring
More to come
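The inline intrusion-detection job described above matches events coming off Kafka against IoCs exported from MISP. The following Go program is an added illustration of that matching step, not CERN's own code: it decodes newline-delimited Zeek JSON records (the raw format the slides say is kept in HDFS), indexes a small MISP-style attribute list by type (`ip-src`, `ip-dst`, `domain`, `hostname`), and raises an alert for every hit, checking DNS queries against parent domains too. The log lines, IoC values and the `Event`/`Matcher`/`Process` names are constructed for the example; reading from Kafka and writing alerts back to a topic is left out so it runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Event is the subset of a Zeek (Bro) JSON record the matcher inspects. The
// field names follow Zeek's conn.log / dns.log JSON output; other fields in a
// record are ignored by the decoder.
type Event struct {
	TS    float64 `json:"ts"`
	UID   string  `json:"uid"`
	OrigH string  `json:"id.orig_h"`
	RespH string  `json:"id.resp_h"`
	RespP int     `json:"id.resp_p"`
	Query string  `json:"query"` // only present in dns.log records
}

// IoC mirrors the two MISP attribute fields the matcher needs.
type IoC struct {
	Type  string // MISP attribute type: ip-src, ip-dst, domain, hostname
	Value string
}

// Alert ties a matched event to the indicator that fired on it.
type Alert struct {
	UID  string
	Type string
	IoC  string
}

// Matcher holds IoCs indexed by type so each event field costs one map lookup.
type Matcher struct {
	srcIPs  map[string]struct{}
	dstIPs  map[string]struct{}
	domains map[string]struct{}
}

func NewMatcher(iocs []IoC) *Matcher {
	m := &Matcher{
		srcIPs:  map[string]struct{}{},
		dstIPs:  map[string]struct{}{},
		domains: map[string]struct{}{},
	}
	for _, i := range iocs {
		switch i.Type {
		case "ip-src":
			m.srcIPs[i.Value] = struct{}{}
		case "ip-dst":
			m.dstIPs[i.Value] = struct{}{}
		case "domain", "hostname":
			m.domains[strings.ToLower(strings.TrimSuffix(i.Value, "."))] = struct{}{}
		}
	}
	return m
}

// Match returns the alerts raised by one event. A DNS query is checked against
// the domain list and then against each parent domain, so an indicator for
// "evil.example" also catches "cdn.evil.example".
func (m *Matcher) Match(e Event) []Alert {
	var out []Alert
	if _, ok := m.srcIPs[e.OrigH]; ok {
		out = append(out, Alert{UID: e.UID, Type: "ip-src", IoC: e.OrigH})
	}
	if _, ok := m.dstIPs[e.RespH]; ok {
		out = append(out, Alert{UID: e.UID, Type: "ip-dst", IoC: e.RespH})
	}
	q := strings.ToLower(strings.TrimSuffix(e.Query, "."))
	for q != "" {
		if _, ok := m.domains[q]; ok {
			out = append(out, Alert{UID: e.UID, Type: "domain", IoC: q})
			break
		}
		i := strings.Index(q, ".")
		if i < 0 {
			break
		}
		q = q[i+1:]
	}
	return out
}

// Process runs every record of a newline-delimited JSON batch through the
// matcher. Malformed lines are counted rather than aborting the batch.
func Process(ndjson string, m *Matcher) (alerts []Alert, bad int) {
	for _, line := range strings.Split(ndjson, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			bad++
			continue
		}
		alerts = append(alerts, m.Match(e)...)
	}
	return alerts, bad
}

// Constructed sample batch: three Zeek-style records plus one broken line.
const sampleLog = `{"ts":1517875200.1,"uid":"C1","id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.7","id.resp_p":443}
{"ts":1517875201.2,"uid":"C2","id.orig_h":"10.0.0.6","id.resp_h":"198.51.100.9","id.resp_p":53,"query":"cdn.evil.example."}
{"ts":1517875202.3,"uid":"C3","id.orig_h":"10.0.0.7","id.resp_h":"192.0.2.1","id.resp_p":80}
not json at all`

// Constructed MISP-style indicators (documentation-range values, not real IoCs).
var sampleIoCs = []IoC{
	{Type: "ip-dst", Value: "203.0.113.7"},
	{Type: "domain", Value: "evil.example"},
}

func main() {
	alerts, bad := Process(sampleLog, NewMatcher(sampleIoCs))
	for _, a := range alerts {
		fmt.Printf("uid=%s type=%s ioc=%s\n", a.UID, a.Type, a.IoC)
	}
	fmt.Printf("%d alerts, %d malformed lines\n", len(alerts), bad)
}
```

On the constructed batch the matcher raises two alerts (C1 on the destination address, C2 on the parent domain of the queried name) and counts one malformed line.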
Data Enrichment
Very fast, not guaranteed to be 100% accurate
DNS resolution: Go routines, highly asynchronous; ~1-3 sec delay for entries that cannot be resolved
Filtering what messages to enrich
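The enrichment trade-off above (fast, asynchronous, and willing to give up on names that do not resolve) is what the following Go snippet demonstrates. It is an added example and not CERN's enrichment job: `Enrich` fans lookups out over goroutines with a bounded number in flight and a per-lookup deadline, and records an unresolved address as "unknown" rather than blocking the stream. The resolver is injected as a function so the example runs offline against a constructed PTR table (`TableLookup`) in which one address never answers; `SystemLookup` shows the real call (`net.DefaultResolver.LookupAddr`) a production job would pass instead. All host names and addresses are constructed.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"sync"
	"time"
)

// Lookup resolves an IP address to its reverse-DNS names.
type Lookup func(ctx context.Context, ip string) ([]string, error)

// Enriched is one address after enrichment. Resolved is false when the lookup
// failed or hit the deadline; the consumer treats that as "unknown", not as an
// error, which is the speed-over-accuracy trade-off the slides describe.
type Enriched struct {
	IP       string
	Name     string
	Resolved bool
}

// Enrich resolves all addresses concurrently, with at most `parallel` lookups
// in flight and `timeout` per lookup. Output order matches input order so the
// results can be zipped back onto the original events.
func Enrich(ips []string, lookup Lookup, parallel int, timeout time.Duration) []Enriched {
	out := make([]Enriched, len(ips))
	sem := make(chan struct{}, parallel) // bounded concurrency
	var wg sync.WaitGroup
	for i, ip := range ips {
		wg.Add(1)
		sem <- struct{}{} // blocks while `parallel` lookups are in flight
		go func(i int, ip string) {
			defer wg.Done()
			defer func() { <-sem }()
			ctx, cancel := context.WithTimeout(context.Background(), timeout)
			defer cancel()
			names, err := lookup(ctx, ip)
			rec := Enriched{IP: ip}
			if err == nil && len(names) > 0 {
				rec.Name, rec.Resolved = names[0], true
			}
			out[i] = rec // each goroutine writes its own index, no lock needed
		}(i, ip)
	}
	wg.Wait()
	return out
}

// SystemLookup is the real resolver a production job would pass to Enrich.
// main() does not call it, so the example stays offline.
func SystemLookup(ctx context.Context, ip string) ([]string, error) {
	return net.DefaultResolver.LookupAddr(ctx, ip)
}

// Constructed PTR table standing in for the DNS servers; any address missing
// here behaves like a resolver that never answers.
var fakePTR = map[string]string{
	"10.0.0.5": "ws-01.example.org",
	"10.0.0.6": "srv-01.example.org",
}

// TableLookup answers from fakePTR, or hangs until the caller's deadline.
func TableLookup(ctx context.Context, ip string) ([]string, error) {
	if name, ok := fakePTR[ip]; ok {
		return []string{name}, nil
	}
	<-ctx.Done()
	return nil, ctx.Err()
}

func main() {
	ips := []string{"10.0.0.5", "192.0.2.1", "10.0.0.6"}
	start := time.Now()
	for _, r := range Enrich(ips, TableLookup, 2, 200*time.Millisecond) {
		fmt.Printf("%-12s resolved=%-5t name=%q\n", r.IP, r.Resolved, r.Name)
	}
	fmt.Printf("enriched %d addresses in %s\n", len(ips), time.Since(start).Round(time.Millisecond))
}
```

With two lookups allowed in flight, the non-responding address costs the batch only its own deadline (here 200 ms) while the other two are answered immediately; a per-lookup deadline of one to three seconds, as on the slide, bounds the worst case in the same way.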
Using Machine Learning for Intrusion Detection
Has the potential of detecting security incidents that can’t be easily detected using signature-based techniques
The model tries to learn what normal activity looks like and to detect potential deviations from it
Challenges:
No tagged data
High rate of false positives
Very challenging to define a baseline
Machine Learning Pipeline (figure; only the box labels survive extraction): Log Entries -> Log Preprocessing -> Log Encoding (Conv / ReNN, encoding of log windows) -> Attention -> Multi Layer Perceptron. Annotations: "300 log entries with max reconstruction error"; a log entry "time, server1, srcip" is encoded first as [[0.1,0.2], [0.2,0.45], …] and then as [0.22, 0.44, 0.55, 0.12…].
Anomaly based Intrusion Detection
Uses Apache Spark, written in Scala
Input from Apache Parquet files on HDFS
3 different anomaly detection algorithms being used: Isolation Forest, K-means, Local Outlier Factor
Recall and precision evaluation even without labelled test sets
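Of the three algorithms listed, K-means is the simplest to show end to end, and the following Go program is an added example of how it serves anomaly detection; it is not CERN's Spark/Scala job. The model is fitted on a baseline window assumed to be normal (the slides note how hard that baseline is to define), the anomaly score of a new observation is its distance to the nearest centroid, and the alert threshold is taken from the spread of the training distances (mean plus three standard deviations, an assumption of this example). Feature vectors are per-host counts of connections per hour and distinct destination ports, aggregated from conn records; all numbers and host names are constructed. Centroid seeding is farthest-first so the run is deterministic.

```go
package main

import (
	"fmt"
	"math"
)

// Point is one feature vector: [connections per hour, distinct destination
// ports], aggregated per source host from Zeek conn records (constructed here).
type Point []float64

// KMeans is a fitted model: centroids of "normal" behaviour plus the score
// above which an observation is reported.
type KMeans struct {
	Centroids []Point
	Threshold float64
}

func dist(a, b Point) float64 {
	s := 0.0
	for i := range a {
		d := a[i] - b[i]
		s += d * d
	}
	return math.Sqrt(s)
}

// nearest returns the index of, and distance to, the closest centroid.
func nearest(cs []Point, p Point) (int, float64) {
	best, bestD := 0, math.Inf(1)
	for i, c := range cs {
		if d := dist(c, p); d < bestD {
			best, bestD = i, d
		}
	}
	return best, bestD
}

// Fit runs Lloyd's algorithm with deterministic farthest-first seeding, then
// derives the anomaly threshold from the training distances (mean + 3 std).
func Fit(train []Point, k, iters int) *KMeans {
	cs := []Point{append(Point{}, train[0]...)}
	for len(cs) < k { // seed: repeatedly take the point farthest from all seeds
		far, farD := 0, -1.0
		for i, p := range train {
			if _, d := nearest(cs, p); d > farD {
				far, farD = i, d
			}
		}
		cs = append(cs, append(Point{}, train[far]...))
	}
	dim := len(train[0])
	for it := 0; it < iters; it++ { // Lloyd iterations until centroids stop moving
		sums := make([]Point, k)
		counts := make([]int, k)
		for i := range sums {
			sums[i] = make(Point, dim)
		}
		for _, p := range train {
			c, _ := nearest(cs, p)
			counts[c]++
			for j := range p {
				sums[c][j] += p[j]
			}
		}
		moved := false
		for c := range cs {
			if counts[c] == 0 {
				continue
			}
			for j := range cs[c] {
				v := sums[c][j] / float64(counts[c])
				if v != cs[c][j] {
					moved = true
				}
				cs[c][j] = v
			}
		}
		if !moved {
			break
		}
	}
	var mean, sq float64
	for _, p := range train {
		_, d := nearest(cs, p)
		mean += d
		sq += d * d
	}
	n := float64(len(train))
	mean /= n
	std := math.Sqrt(sq/n - mean*mean)
	return &KMeans{Centroids: cs, Threshold: mean + 3*std}
}

// Score returns the distance to the nearest centroid and whether it exceeds
// the model threshold.
func (m *KMeans) Score(p Point) (float64, bool) {
	_, d := nearest(m.Centroids, p)
	return d, d > m.Threshold
}

// Detect returns the hosts in a window whose score exceeds the threshold.
func Detect(m *KMeans, w map[string]Point) map[string]float64 {
	out := map[string]float64{}
	for host, p := range w {
		if s, anomalous := m.Score(p); anomalous {
			out[host] = s
		}
	}
	return out
}

// Constructed baseline window: four workstations and three servers.
var baseline = []Point{
	{20, 3}, {25, 4}, {30, 2}, {22, 5},
	{200, 2}, {210, 3}, {190, 2},
}

// Constructed scoring window: three ordinary hosts, one host touching 400
// distinct ports, and one host with an extreme connection rate.
var window = map[string]Point{
	"ws-01": {23, 4}, "srv-01": {205, 2}, "ws-02": {240, 400},
	"srv-02": {600, 3}, "ws-03": {28, 3},
}

func main() {
	m := Fit(baseline, 2, 20)
	fmt.Printf("centroids=%v threshold=%.2f\n", m.Centroids, m.Threshold)
	for host, s := range Detect(m, window) {
		fmt.Printf("ANOMALY host=%s score=%.1f\n", host, s)
	}
}
```

On the constructed data the two clusters settle on roughly (24, 3.5) and (200, 2.3), the threshold lands near 16, and only ws-02 and srv-02 are reported. Fitting on the scoring window itself instead would hand the outliers their own centroid and a score of zero, which is one concrete reason the slides stress a separate baseline; the missing labels also mean the threshold is a judgement call, and too tight a value is where the high false-positive rate comes from.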