
Page 1: Cyber Security for Financial Services · security breach goes unnoticed 70%-80% of breaches are first detected by a 3rd party. 2016 Verizon Data Breach Investigations Report Current

1 © Hortonworks Inc. 2011 – 2017. All Rights Reserved

Cyber Security for Financial Services

Carolyn Duby, Cyber Security SME, Solutions Engineer, Northeast

April 2017

Page 2

Disclaimer

This document may contain product features and technology directions that are under development, may be under development in the future or may ultimately not be developed.

Project capabilities are based on information that is publicly available within the Apache Software Foundation project websites ("Apache"). Progress of the project capabilities can be tracked from inception to release through Apache; however, technical feasibility, market demand, user feedback and the overarching Apache Software Foundation community development process can all affect timing and final delivery.

This document’s description of these features and technology directions does not represent a contractual commitment, promise or obligation from Hortonworks to deliver these features in any generally available product.

Product features and technology directions are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

Since this document contains an outline of general product development plans, customers should not rely upon it when making purchasing decisions.

Page 3

Agenda

• Outlook for Cyber Security Financial Services

• Trends over past year

• Challenges going forward

• New Hortonworks Solutions to Address Challenges

Page 4

Outlook for Financial Services

• Financial Services is a big target

• Hackers are more sophisticated

• Increased complexity of landscape

• Existing security tools can’t keep up

• Consequences are high

• New solutions needed to secure the enterprise

Page 5

Introducing Hortonworks Cyber Security Package (HCP)

Page 6

Hortonworks Cyber Security Package

Hortonworks Cyber Security Package Capabilities:

▪ Single view of all relevant data including new sources

▪ Dynamic ingestion and enrichment of data customized for your enterprise

▪ Cost effective storage enables longer context

▪ Advanced statistical and machine learning models to detect cyber security attacks

▪ Integration with existing SIEMs and enterprise assets

Package components (diagram labels): Apache Metron; Cyber Security Data Ingestion Package; Cyber Security Analytics Exchange; Advanced Cyber Analytics

The Hortonworks Cyber Security Package accelerates organizations' ability to deploy and integrate advanced Cyber Security capabilities within their enterprise environment.

Page 7

Foundation for HCP

Page 8

Apache Metron: Incubating Project (architecture diagram)

Telemetry Data Sources: Other Machine Generated Logs (AD, App / Web Server, firewall, VPN, etc.); Security Endpoint Devices (FireEye, Palo Alto, BlueCoat, etc.); Network Data (PCAP, Netflow, Bro, etc.); IDS (Suricata, Snort, etc.); Threat Intelligence Feeds (Soltra, OpenTaxi, third-party feeds)

Ingest: Telemetry Data Collectors; Performance Network Ingest Probes; Telemetry Ingest Buffer; Real-time Enrich / Threat Intel Streams

Cyber Security Stream Processing Pipeline (Real-time Processing, Cyber Security Engine modules): Telemetry Parsers; Enrichment; Threat Intel; Alert Triage; Indexers and Writers

Data Services and Integration Layer: Data Vault; Real-Time Search; Evidentiary Store; Threat Intelligence Platform; Model as a Service; Community Models; Data Science Workbench; PCAP Forensics

Page 9

SOC Efficiency Challenges

• Short staffed (1 M openings)

• Too many disparate tools

• Too many alerts to process

• Too much noise

• How to connect the dots of the relevant data points together?

Page 10

Problems in Investigating a Phishing Attack

Challenge

✕ The analyst had to jump from the SIEM to more than 7 different tools that took up valuable time.

✕ It took more than 24 hours across 2 SOC shifts to investigate, determine scope, remediate and do further forensics/investigation.

✕ Half of my time spent getting the context needed for me to create the story

✕ The threat was detected too late. Instead of detecting the incident on 4/9, the threat should have been detected on 3/20 when the attacker spoofed Sonja’s email address

Need

✓ Want a Centralized View of my data so I don’t have to jump around and learn other tools

✓ Eliminate manual tasks to investigate a case

✓ Need to discover bad stuff quicker

✓ Need the System to create the context for me in real-time

✓ The current static rules in the SIEM didn’t detect the threat. Need smart analytics based on:

✓ User Sonja hasn’t used corp gmail in the last 3 months

✓ User Sonja can’t login from Ireland and Southern Cali at the same time

Page 11

Faster, Better Alert Triage with HCP

• Bring all security data together into data lake

• Automatically enrich data with geocodes and whois

• Factor in asset and threat intelligence

• Triage using complete view of alert

• Result

➢ Focus on highest priority threats

➢ Streamline incident investigation

➢ Reduce time to detection

Page 12

HCP data flow (diagram labels)

Inputs: PCAP; NETFLOW; DPI; Network Tap; IDS; AV; EMAIL; FIREWALL; HOST LOGS; STIX; Flat Files; Aggregators; Model As A Service; Cloud Services

Apache Metron pipeline stages: PARSE; NORMALIZE; VALIDATE; TAG; PROCESS; ENRICH; LABEL

Enrichment types: USER; ASSET; GEO; WHOIS; CONN

Outputs and services: Real-Time Search; Interactive Dashboards; Data Modelling; Knowledge Graphs; PCAP Store; PCAP Replay; Integration Layer; Security Layer; Workflow Engine; Rules Engine; Analytics Exchange

Page 13

Existing Cyber Security Solutions Don’t Scale to the Challenge

• 82% of breaches happened in minutes

• 8 months: Average time an advanced security breach goes unnoticed

• 70%-80% of breaches are first detected by a 3rd party.

Source: 2016 Verizon Data Breach Investigations Report

Current security tools installed in the data center can’t handle volume of data & threats from everywhere

Page 14

Scalability with HCP

• Retain enriched security data longer

– Offload historical data from space constrained tools

– Into cost effective, scalable Hadoop

• Apply other non-security data

– HR databases, IT inventory systems, social media, others

• Result

➢ More context for investigating incidents

➢ Identify scope of incident and response required

➢ Mine historical data for insights

➢ Cost savings

Page 15

Finding Unknowns – Rogue Insiders

• Tight security undermined by insiders

• Curious, Helpful, Conscientious Victims

– 91 percent of cyberattacks start with phishing email

– Yahoo! breach of 500 million user accounts

• Whistleblowers and Hacktivists

– Edward Snowden and Chelsea Manning

– Wikileaks, Panama Papers

• Disaffected

– Citibank employee disables routers after bad review

• Targeted for bribery and outside influence

Image captions: Wikileaks; Edward Snowden and Chelsea Manning; ABC News

Page 16

Profiling

• User and Entity Behavior Analytics

• Establish normal behavior of entity

• Time series measurements of entities

• Anomaly detection

• Alert when outside of normal range

Page 17

Profiler: Lightweight behavior modeling over time

Diagram labels: Profiler Bolt; HBase (Fast Cache); profiles feed Triage Scoring, Model features and Aggregations over Time

• HyperLogLogPlus: Cardinality. How many servers connected?

• T-Digest: Statistics. Average over different periods

• Bloom filter: Presence. Finding small needles in big haystacks

• MAD outlier: Outliers. Detecting unusual events in streams
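The profiling slides (establish normal behaviour per entity from time series measurements, then alert when a measurement leaves the normal range) and the sketch table above describe one pipeline: aggregate per entity per window, keep a compact presence structure, and score each new window against the entity's own history. The block below is an added toy version of that flow, not Metron's profiler code. It uses a small Bloom filter for presence and a median/MAD modified z-score for outliers; an exact set stands in for the HyperLogLogPlus cardinality sketch and an exact median for the T-Digest statistics, since both sketches only matter at scale. The log format, window size, thresholds and host names are assumptions, and the log lines are constructed.

```python
import hashlib
from collections import defaultdict
from statistics import median

WINDOW_MINUTES = 15     # assumed profile period
MAD_THRESHOLD = 3.5     # common modified z-score cut-off for MAD outliers
BASELINE_WINDOWS = 6    # windows used to learn what "normal" looks like
MIN_HISTORY = 5         # do not score an entity with fewer windows than this


class BloomFilter:
    """Minimal Bloom filter for presence: never a false negative, rare false positives."""

    def __init__(self, size=1024, hashes=3):
        self.size, self.hashes = size, hashes
        self.bits = bytearray(size)

    def _positions(self, item):
        for i in range(self.hashes):
            digest = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.size

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos] = 1

    def __contains__(self, item):
        return all(self.bits[pos] for pos in self._positions(item))


def constructed_logs():
    """Constructed connection log lines: '<minute> <src_host> <dst_host> <bytes>'."""
    lines = []
    for w, fanout in enumerate([3, 4, 3, 5, 4, 3]):   # normal: 3-5 distinct dst per window
        for d in range(fanout):
            lines.append(f"{w * WINDOW_MINUTES + d} web01 db{d:02d} 500")
    for d in range(20):                                # window 6: web01 reaches 20 distinct hosts
        lines.append(f"{6 * WINDOW_MINUTES + d % WINDOW_MINUTES} web01 srv{d:02d} 500")
    lines.append(f"{6 * WINDOW_MINUTES + 5} jump01 db00 500")   # a host absent from the baseline
    return lines


def parse(line):
    minute, src, dst, nbytes = line.split()
    return int(minute), src, dst, int(nbytes)


def build_profile(lines):
    """Per (src_host, window): distinct destinations (exact set in place of HLL+) and bytes sent."""
    dests, total = defaultdict(set), defaultdict(int)
    for line in lines:
        minute, src, dst, nbytes = parse(line)
        key = (src, minute // WINDOW_MINUTES)
        dests[key].add(dst)
        total[key] += nbytes
    profile = defaultdict(list)   # src_host -> [(window, distinct_dst, bytes)] in time order
    for (src, window) in sorted(dests):
        profile[src].append((window, len(dests[(src, window)]), total[(src, window)]))
    return dict(profile)


def modified_z(values):
    """Modified z-scores from median and MAD; robust because one outlier barely moves the median."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:                      # flat history: nothing can be called unusual
        return [0.0] * len(values)
    return [0.6745 * (v - med) / mad for v in values]


def outlier_windows(profile):
    """(host, window, score) for windows whose distinct-destination count is a MAD outlier."""
    found = []
    for host, rows in profile.items():
        if len(rows) < MIN_HISTORY:   # too little history to model this entity
            continue
        scores = modified_z([distinct for _, distinct, _ in rows])
        found.extend((host, rows[i][0], round(s, 2))
                     for i, s in enumerate(scores) if abs(s) > MAD_THRESHOLD)
    return found


def unseen_hosts(lines):
    """Source hosts seen after the baseline that the Bloom filter never saw during it."""
    seen = BloomFilter()
    for line in lines:
        minute, src, _, _ = parse(line)
        if minute // WINDOW_MINUTES < BASELINE_WINDOWS:
            seen.add(src)
    return sorted({parse(l)[1] for l in lines if parse(l)[1] not in seen})


def run(lines):
    return {"outliers": outlier_windows(build_profile(lines)), "new_hosts": unseen_hosts(lines)}


if __name__ == "__main__":
    print(run(constructed_logs()))
```

The MAD score is what makes the baseline self-adjusting: the median and MAD are computed from the entity's own windows, so a host that normally fans out to hundreds of servers is not flagged for doing so, while a quiet host that suddenly does is. The zero-MAD branch matters in practice, since a perfectly flat history would otherwise divide by zero; treating it as "no evidence" is the conservative choice.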

Page 18

Finding Unknowns – Investigation and Threat Hunting

Page 19

Machine Learning

Prioritize and analyze all the alerts using machine learning models

Move beyond signature based tools

Advanced techniques to detect more complex future attacks

Incorporate models from analytics exchange or develop your own

Page 20

Model as a Service (diagram labels)

Components: YARN; Model Service (REST interface); Model Store; Historical Data Store; HDFS; HBase; Zookeeper (Service Discovery); Storm Enrichment Bolt; Train / Update

Flow: Metron JSON Object in; Metron JSON Object with added score, confidence etc. from model out

Page 21

Cyber Security Journey

Single view into Cyber Security

Free data from security tools

Correlate and discover threats

Operational efficiency and governance

Predictive insights using machine learning

Single unified view of enterprise risk & security posture.

Journey diagram (labels): Renovate to Innovate

Stages: Active Archive; Data Discovery; Predictive Analytics; Single Holistic View

Use cases: Historical Records; OPEX Reduction; Security Tool Ingest; Digital Protection; Fraud Prevention; Public Data Capture; Cyber Security; Machine Data; Risk Modeling

Page 22

Data Freedom through Active Archive


Data Freedom

Current security processes are manual as data is cut & paste from one security tool to another.

Tool-Centric security program creates incompatibility and inefficiency.

Leverage the Hadoop ecosystem to free data from vendor locked in security tools.

Gain ability to keep data in commodity storage for expense reduction

Reduce or eliminate expensive licensing costs for duplicative storage of same data.

Create automated efficient security processes & workflow.

Page 23

Insights through Data Discovery


Data Discovery and Insight

Leverage consolidated & correlated data lake for insights.

Create consolidated automated processes & workflow for Opex reduction.

Gain increased protection of digital assets through holistic view of location, configuration, vulnerabilities, and threats for risk based prioritization of what matters most.

Ability to migrate from expensive suites of security tools with redundant features to open source alternatives that do exactly what you need.

Page 24

Showing value through analytics


Risk based Analytics

Leverage machine learning techniques for a risk based security posture

Measure and visualize the value security brings to the organization.

Freedom from the avalanche of rules based alerting.

Move from a reactive to proactive security posture.

Page 25

Single Holistic View


Single Holistic View

Single view of the risk posture of the organization.

Ability to drill down from enterprise risk to individual activity influencing risk.

Ability to extend to additional use-cases in agile and cost effective manner.

Page 26

Hortonworks Cyber Security Package (HCP), delivered in three phases (Phase 1, Phase 2, Phase 3)

Cyber Security Data Ingestion Package: Real-Time Application and System log ingestion, indexing and visualization of cyber data, including dashboards and cyber notebook templates

Apache Metron: Hortonworks Led Apache Project which provides a scalable advanced security ingestion and enrichment framework built on top of HDP/HDF

Cyber Security Analytics Exchange: A Hortonworks Led Apache Project of statistical and machine learning models and packs that represents the next generation defense for combating security attacks

The Hortonworks Cyber Security Package can be implemented in an iterative manner to enable organizations to gain instant productivity for ingesting, processing and storing cyber data

Page 27

Why Hortonworks Cybersecurity Package?

SOC Efficiency

• Reducing false positives

• Single view of threat

• Integrated threat feeds and asset info

• Integrate and combine tools: not just another screen to watch

• Faster Triage

More data, better data

• More sources

• Longer term analyzable data storage

• Fully enriched data with relevant context

Real-time

• Find threats faster

• Find context easier

• Mitigate early

Finding Unknowns

• Probabilities not rules

• Real-time profiles for intelligent baselines

• Dynamic rules responding to behavior not static rules written by hand

Machine Learning

• UEBA

• Relevance

• Feedback loop

• Triage everything that comes in

Page 28

Questions?

Page 29

Thank you