Visualizing*Threats:*

KeyLines*for*Cyber*Security*

Corey*Lanum,*Cambridge*Intelligence*

Louie*Gasparini,*CyberFlow*AnalyCcs*

Part%1%'%Network%Visualiza3on%

•  Why*connected*data?*

•  Going*beyond*network*charts*

•  Protect,*detect,*invesCgate*

•  VisualizaCon*and*analysis*techniques*

**

Agenda*

Part%2%–%CyberFlow%Analy3cs%

•  Using*KeyLines*to*build*a*GUI*

•  Cyber*security*and*the*IoT*

•  Network*visualizaCon*for*beLer**cyber*security*

**

IntroducCon*to*KeyLines*

KeyLines*is*a*powerful*SDK*for*building*network**visualizaCon*web*applicaCons:*

•  Rapid*development*

•  Full*customizaCon*

•  Unrivalled*compaCbility*

•  Simple*deployment*

•  Easy*maintenance*

•  Powerful*funcConality*

A*wide*variety*of*use*cases*Intelligence*/*security* Law*enforcement*

Business*Intelligence*AnCRfraud*

Sales*/*MarkeCng*/*CRM* IT*management*

Cyber*security*

Compliance*

+*others*

•  Compliance*

•  AML*/*KYC*

•  PharmaceuCcals*

•  Data*discovery*

•  Process*management,*etc…*

Data*at*the*heart*of*Cyber*Security*

Keeping*bad*actors*out*of*networks**Finding*bad*actors*already*in*your*network**PostRaLack*forensics*to*close*the*loopholes**Data%is%your%best%weapon%%

Cyber&Security&Opera/ons&Center&

Why*network*visualizaCon?*

Understanding%connected%data%*****

%%

*****•  What*depends*on*what?*•  What*is*normal*network*behavior?*•  Where*are*the*vulnerabiliCes?*%Network%visualiza3on%is%the%most%intui3ve%way%to%answer%these%ques3ons.%

Protect*

Detect*

InvesCgate*

InvesCgate*

Techniques:*Dynamic*networks*

Techniques:*Mapping*

Security & The Industrial Internet of Things !Network Security ! Smart Buildings ! Smart Factories ! Smart Cities !

Policy Violations!

Continuous Threat Monitoring !

Segmentation !Operational !

Security (OpSec)!Advanced !

Security Threats!

Limit the Attack Surface !Network segmentation & containment !

Machine learn normal behavior of !client, server & protocol traffic. !

Identify ANY new behavior!Identify ANY change in existing !

behavior !

Maintain Security Hygiene!Identify, reprimand poor security hygiene!

Fix misconfigured devices, identify !Employee ‘jump drive, chrome sticks !

Unknown wi-fi edge devices, Employee !network scans, Peer-to-Peer Apps (TOR)

& other protocol misuse!

Operational Anomalies !Identify and alert on operational anomalies !in network traffic, direction, size, timing etc. !Recognize unusual server communications patterns, SNMP event storms, new activities

or unusual SCADA traffic!

Advanced Threats!Identify, alert and build case management !

tools on advanced security threats, !including port scanning, protocol tunneling or suspicious protocols, new connections to

SCADA sensors, data exfiltration !

High Velocity Data -> Streaming Analytics!•  Real-time, unstructured, data-in-motion!•  Operational information flow !•  Complexity: volume, performance, timing !

Big Data Pools -> Traditional Analytics!•  Batch processing, structured, data-at-rest !•  Historical transactions and events!•  Complexity: size of data pools !

Streaming Real-Time Analytics !

Analytics Positioning !

Traditional Big Data Analytics

!What happened?!

Why did it happen?!What might happen? !

How can we make it happen? !!

by looking at old, historic data!!

Descriptive, Diagnostic, !Predictive, Prescriptive !

Analytics !!!

CyberFlow Streaming Analytics

!What’s happening?!

Why is it happening?!How is it happening? !

Where is it happening? !Who’s making it happen? !

!

‘Anomalytics’ !

Solution outline

Continuous Data Monitoring!& Machine Learning via network tap or span port!

Apply multiple ‘stereoscopic’!machine learning algorithms and

policy framework in real time !

Provides Continuous, Contextual Awareness & Anomaly Detection across

all connected IP Devices!

Monitor ! Machine Learn ! ‘Anomalytics’ !

Solution: Continuous machine learning analytics that provides real-time infrastructure anomaly detection and contextual awareness of all IP connected devices, thus providing for better business

intelligence, operational intelligence and active situational awareness. !

•  Firewalls •  SIEM •  Anti-Virus

Target

Maintains it was PCI-DSS Compliant at the time of the breach.

Fazio Mechanical

Our system and security measures are in Full Compliance

with HVAC industry practices.

How could this occur?

•  IPS •  Industry Compliance •  PCI-DSS Compliance

Targeted!

•  Abnormal communications with a partner VPN

•  Internal Pivoting and Data Movement

•  Access to POS Terminals

•  Linking events together

•  Data Transfer from POS terminals to a central staging server

•  FTP from DMZ server to Internet server controlled by Rescator

What was missed?

Targeted!

FlowScape !

Internal Threat Detection

Internet!

WAN!

Unified Network !Security Policy!

Console!

!LAN!

Network Edge!

Wireless!LAN!

Network Core!

Data!Center!

Remote!Offices and!Branches!

Virtual Machines!

Lateral Movement !

Wireless!LAN!

Network Core!

!LAN!

Network Edge!

Network Sensor

•  Smart Packet Inspection

•  Device on Demand Deep Packet Inspection

•  10 Gigabit Ethernet Connection

•  Tap or Span Port - Passive Connection

•  Appliance or VM Image

!!Net!Sensor! WAN!

!LAN!

Network Edge!

Wireless!LAN!

Network Core!

Network Sensor !

!!Net!Sensor!

!!Net!Sensor!

!!Net!Sensor!

Clusters of activity form an APT case!Automatically Group Events into a Case !

M111!M10!M4!M3!M2!

Flowscape: Anomalytic Processes, Engines & Models

M6!M5! M8!M7!M1! M9! M..!

Multi-Behavioral, Real-Time, Contextual Analytical Algorithm Models !

Device !Packets!

Device !Payloads!

Session in !Progress!

IP X !IP Pairs!

Server!by Port!

Port!Activity!

IP X!Port!

IP X IP!X Port!

Client !Port!

Server !IP X Port!

Protocol !Anomalies! Other …!

Anomaly Fusion & Machine Learning Engine!

Threat Assessment Visualization !

!

Policy Frameworks !

‘Anomalytics’ !

Continuous CyberFlow Machine Learning !‘Anomalytics’ !

TM!

Confidential - Not for distribution !

Finding unknown threats & reducing false positives Analytical Engines !Behavioral Models!

Self Organizing Maps !

Binocular Fusion !

Ster

eosc

opic

Fus

ion !

Tuning & Policy Engine !

“Anomalytics” - event/case manager !

Cont

inuo

us R

eal-T

ime

Anal

ytic

s us

ing

beha

viora

l sel

f org

anizi

ng m

aps

!

Payload !

Server by Port!

IP X IP X Port!

Protocol Anomalies !

Client Port!

Automation of Clustering !Breach Behaviors!

!

Confidential - Not for distribution !

Cyberflow Analytics: Patent Pending Research !

Binocular Fusion ‘SOM’ Modeling for Anomaly Detection !

Reduction of n-space anomalies detection !Clustering analytics using “Self Organizing Maps” !

Cluster Machine Learning using ‘SOM’ !

Customer Case Study!

Network Topology!Data Center

•  FlowScape was installed in data center at the Environmental Services Department, where most domains pass through to go external!

•  SPAN ports were configured to collect raw packets from Cisco switches !

•  FlowScape providers Real Time analytics and dashboards!

Infrastructure•  1200+ network devices !•  12,000+ workstations!•  1000+ servers !•  500+ printers !!Customer Benefits!•  Customer spends $600/infected

device @100/month = $720K/year !

•  FlowScape reduces detection and recovery by 50% saving the customer an estimated $360K/year!

Machine Learning

Day 1 ! Events! Steady State !

Painting the network topology !!

Machine learning all traffic !“everything is new” !

!

Fireworks!!

Machine Learn !Command & Control Events!

Good vs Bad events !(Security Scan vs DDoS)!

‘Anomalytics’!!

Real-time continuous!Anomaly detection !

Clusters of activity form an APT case !Smart City Case Study !FlowScape is deployed in large Custiomer Network

Deployment - 1200+ network devices, 12,000+ workstations, 1000+ servers, 500+ printers… !

Custom IoT Server Apps !

Backup Servers!

SNMP agents!

DNS Servers!

NetBIOS traffic !

Clusters of activity form an APT case !Smart City Case Study !Detection of BitTorrent and other anomalies – non-standard high risk communication that is not normally

found on the network – BYOD VPN connection !

19 19!Confidential - Not for distribution !

Clusters of activity form an APT case !Smart City Case Study !Cyber Security Breach: Sality Botnet Command & Control Attack !

20 http://www.pcworld.com/article/2139460/sality-malware-growing-old-takes-on-a-new-trick.html

1. attacker scan's internet to find specific (home) router models 2. attempt login using default credentials

3. If successful, change router's DNS server to attacker controlled DNS 4. Route user to compromised servers

5. Once user downloads malware cover tracks by changing router's DNS to 8.8.8.8 (google DNS)

20!

Clusters of activity form an APT case !Smart City Case Study !Cyber Security Breach Activity, Malware/MetaSploit from Croatia !

Confidential - Not for distribution !

Clusters of activity form an APT case !Smart City Case Study !

FlowScape Detection of Cyber Breach activity that their current Security

tools did not catch:

•  They weren't able to catch/aggregate bittorrent users w/ Palo Alto.!

•  They weren't able to catch the Onion Tor traffic with current security tools!

•  They missed the Sality Botnet which was a BYOD remote device coming in through VPN!

•  Palo Alto did not detect compromised device and they were informed of the breach by an outside agency (e.g. FBI)!

•  Palo Alto missed port 137 to India !

Any*QuesCons?*

@Cambridgeintel* CambridgeRIntelligence.com*

corey@cambridgeRintelligence.com*louie@cyberflowanalyCcs.com*

*