How Cyberflow Analytics have used KeyLines’ network visualization functionality to develop the next generation of cyber security analytics platform – built for the scope and scale of the Internet of Things.
14. Security & The Industrial Internet of Things !
Network Security ! Smart Buildings ! Smart Factories ! Smart Cities !
Policy Violations!
Continuous Threat Monitoring !
Segmentation !
Operational !
Security (OpSec)!
Advanced !
Security Threats!
Limit the Attack Surface!
Network segmentation & containment!
Machine learn normal behavior of !
client, server & protocol traffic. !
Identify ANY new behavior!
Identify ANY change in existing !
behavior !
Maintain Security Hygiene!
Identify, reprimand poor security hygiene!
Fix misconfigured devices, identify !
Employee ‘jump drive, chrome sticks !
Unknown wi-fi edge devices, Employee !
network scans, Peer-to-Peer Apps (TOR)
& other protocol misuse!
Operational Anomalies!
Identify and alert on operational anomalies !
in network traffic, direction, size, timing etc. !
Recognize unusual server communications
patterns, SNMP event storms, new activities
or unusual SCADA traffic!
Advanced Threats!
Identify, alert and build case management !
tools on advanced security threats, !
including port scanning, protocol tunneling
or suspicious protocols, new connections to
SCADA sensors, data exfiltration!
15. High Velocity Data -> Streaming Analytics
!
• Real-time, unstructured, data-in-motion!
• Operational information flow !
• Complexity: volume, performance, timing!
Big Data Pools -> Traditional Analytics
!
• Batch processing, structured, data-at-rest!
• Historical transactions and events!
• Complexity: size of data pools!
Streaming Real-Time Analytics!
Analytics Positioning !
Traditional
Big Data Analytics
!
What happened?!
Why did it happen?!
What might happen? !
How can we make it happen?!
!
by looking at old, historic data!
!
Descriptive, Diagnostic, !
Predictive, Prescriptive !
Analytics !
!
!
CyberFlow
Streaming Analytics
!
What’s happening?!
Why is it happening?!
How is it happening?!
Where is it happening? !
Who’s making it happen?!
!
16. ‘Anomalytics’ !
Solution outline
Continuous Data Monitoring!
& Machine Learning via
network tap or span port!
Apply multiple ‘stereoscopic’!
machine learning algorithms and
policy framework in real time !
Provides Continuous, Contextual
Awareness & Anomaly Detection across
all connected IP Devices!
Monitor ! Machine Learn ! ‘Anomalytics’ !
Solution: Continuous machine learning analytics that provides real-time infrastructure anomaly
detection and contextual awareness of all IP connected devices, thus providing for better business
intelligence, operational intelligence and active situational awareness. !
17. • Firewalls
• SIEM
• Anti-Virus
Target
Maintains it was PCI-DSS Compliant at the time of the
breach.
Fazio Mechanical
Our system and security measures are in Full Compliance
with HVAC industry practices.
How could this occur?
• IPS
• Industry Compliance
• PCI-DSS Compliance
Targeted!
18. • Abnormal communications with a partner VPN
• Internal Pivoting and Data Movement
• Access to POS Terminals
• Linking events together
• Data Transfer from POS terminals to a central staging
server
• FTP from DMZ server to Internet server controlled by
Rescator
What was missed?
Targeted!
24. M111!M10!M4!M3!M2!
Flowscape: Anomalytic Processes, Engines & Models
M6!M5! M8!M7!M1! M9! M..!
Multi-Behavioral, Real-Time, Contextual Analytical Algorithm Models !
Device !
Packets!
Device !
Payloads!
Session in !
Progress!
IP X !
IP Pairs!
Server!
by Port!
Port!
Activity!
IP X!
Port!
IP X IP!
X Port!
Client !
Port!
Server !
IP X Port!
Protocol !
Anomalies!
Other …!
Anomaly Fusion & Machine Learning Engine!
Threat Assessment Visualization !
!
Policy Frameworks !
‘Anomalytics’ !
Continuous CyberFlow Machine Learning!
‘Anomalytics’ !
TM!
Confidential - Not for distribution!
25. Finding unknown threats & reducing false positives
Analytical Engines !
Behavioral Models!
Self Organizing Maps !
Binocular Fusion !
StereoscopicFusion!
Tuning & Policy Engine !
“Anomalytics” - event/case manager !
ContinuousReal-TimeAnalyticsusingbehavioralselforganizingmaps!
Payload !
Server by Port!
IP X IP X Port!
Protocol Anomalies!
Client Port!
Automation of Clustering !
Breach Behaviors!
!
Confidential - Not for distribution!
26. Cyberflow Analytics: Patent Pending Research !
Binocular Fusion ‘SOM’ Modeling for Anomaly Detection!
Reduction of n-space anomalies detection !Clustering analytics using “Self Organizing Maps”!
Cluster Machine Learning using ‘SOM’ !
27. Customer Case Study!
Network Topology!
Data Center
• FlowScape was installed in data
center at the Environmental Services
Department, where most domains
pass through to go external!
• SPAN ports were configured to collect
raw packets from Cisco switches!
• FlowScape providers Real Time
analytics and dashboards!
Infrastructure
• 1200+ network devices!
• 12,000+ workstations!
• 1000+ servers !
• 500+ printers!
!
Customer Benefits!
• Customer spends $600/infected
device @100/month = $720K/year!
• FlowScape reduces detection and
recovery by 50% saving the customer
an estimated $360K/year!
28. Machine Learning
Day 1! Events! Steady State!
Painting the network topology !
!
Machine learning all traffic!
“everything is new” !
!
Fireworks!
!
Machine Learn!
Command & Control Events!
Good vs Bad events !
(Security Scan vs DDoS)!
‘Anomalytics’!
!
Real-time continuous!
Anomaly detection !
29. Clusters of activity form an APT case!Smart City Case Study!
FlowScape is deployed in large Custiomer Network
Deployment - 1200+ network devices, 12,000+
workstations, 1000+ servers, 500+ printers…!
Custom IoT Server Apps !
Backup Servers!
SNMP agents!
DNS Servers!
NetBIOS traffic !
30. Clusters of activity form an APT case!Smart City Case Study!
Detection of BitTorrent and other anomalies – non-standard high risk communication that is not normally
found on the network – BYOD VPN connection!
19
19!Confidential - Not for distribution!
31. Clusters of activity form an APT case!Smart City Case Study!
Cyber Security Breach: Sality Botnet Command & Control Attack!
20
http://www.pcworld.com/article/2139460/sality-malware-growing-old-takes-on-a-new-trick.html
1. attacker scan's internet to find specific (home) router models
2. attempt login using default credentials
3. If successful, change router's DNS server to attacker controlled DNS
4. Route user to compromised servers
5. Once user downloads malware cover tracks by changing router's DNS
to 8.8.8.8 (google DNS)
20!
32. Clusters of activity form an APT case!Smart City Case Study!
Cyber Security Breach Activity, Malware/MetaSploit from Croatia!
Confidential - Not for distribution!
33.
34. Clusters of activity form an APT case!Smart City Case Study!
FlowScape Detection of Cyber Breach
activity that their current Security
tools did not catch:
• They weren't able to catch/aggregate
bittorrent users w/ Palo Alto.!
• They weren't able to catch the Onion
Tor traffic with current security tools!
• They missed the Sality Botnet which
was a BYOD remote device coming in
through VPN!
• Palo Alto did not detect compromised
device and they were informed of the
breach by an outside agency (e.g.
FBI)!
• Palo Alto missed port 137 to India !