13 Dec 2012

We are not SIEM

0 comments Permalink Thursday, December 13, 2012
Packetloop is not a Security Information and Event Management (SIEM) system. It's a (parser free) Big Data Security Analytics system and I just wanted to give you 10 ways they differ.
  1. Punishing us with Pie Charts - SIEM's have been punishing us with pie charts and meaningless alerts. Instead of quality analytics they generally throw up a pie chart (High, Medium, Low - Red, Orange, Green) and a spreadsheet (row and column) view of the world. They don't allow you to explore and explain your attack data. Packetloop specializes in security analytics providing multiple ways to quickly visualize, interact, explore and explain security events.
  2. Low fidelity input - SIEM's operate on and are required to parse device log data. They deal with a digest of the original incident as seen by a device, and as configured by the device administrator. Like a cryptographic hash you can't get the original data back after a device has interpreted and produced a log. Packetloop operates on Full Packet Captures and is able to analyse all information in the stream. This provides full fidelity data that can be analysed, stored, searched and filtered, repeatedly and from different perspectives if required. Operating on full packet captures gives your organisation the greatest percentage of options when it comes to detecting and managing a breach.
  3. You can't find incidents you don't log - SIEM is blink and you miss it technology. If you aren’t logging the information you don’t see it. If you don’t have the a signature set to alert to the incident it can’t possibly reach the SIEM. You are faced with a problem of silent evidence. You are never hearing about the attacks that are being perpetrated against your network. Packetloop doesn't rely on parsers and includes multiple sensors to produce indicators and warnings. Packetloop continually scans all network data for Zero Day attacks. Finding attacks in past data is exceptionally valuable for establishing a time line related to a breach or targeted attackers.
  4. Aggregation for scale removes precision - SIEM's aggregate data over time. Security events are grouped by hours then grouped by days, then weeks, then years. The details of the original incident are lost over time and are difficult to analyse. Packetloop stores terabytes of security event data and allows you to zoom from years to seconds with no loss of the original information. Any arbitrary time window can be analysed allowing you to Play, Pause and Rewind network data.
  5. Parsing, Parsing, Parsing - SIEM's are only as effective as the logs they are forwarded and can parse. The configuration of the device forwarding the log determines how much information the SIEM receives. If the log is not verbose enough, or sends information that cannot be parsed the quality of the information is degraded. Packetloop operates on network packet captures taken from live network taps. It requires no parsers and has access to all security and protocol information through deep packet inspection. No configuration needs to be applied to devices, no parsers and no complex integration work.
  6. No ability to share metrics - SIEM's are not built for multi-tenancy and don't provide any ways to share key metrics in the terms of frequency, severity, attack life cycles and trends related to attacks. Within Packetloop almost every metric presented to you has the global version (all customers) presented it beside it. So you can quickly determine whether you are overly targeted or accurately targeted compared to other customers on the platform.
  7. More and more IT instead of Analysts -  SIEM's require experts to deploy, configure and maintain. This generally equates to a number of full time employees to manage the parsers, the flow of information, upgrades, downtime etc. Packetloop operates in the Cloud (and soon on premise) as a turn-key service. Why have employees to maintain the infrastructure when you could do with some  really smart analysts to explore and report on your data? Simply capture your network traffic and upload using the Web, SFTP, S3 Bucket Copy or Send us a Disk. You can encrypt all data and provide a pass phrase prior to us processing the data.
  8. Made for the Cloud - Packetloop was made for the Cloud and for the express purpose of providing greater security to cloud-based assets. Normally customers sacrifice security controls when they deploy systems in the Cloud however through leveraging Packetloop a customer can have greater analysis, detection and incident response capabilities than they currently have on-site using their SIEM. 
  9. Bang for Buck - Packetloop is cost effective and will always provide overwhelming value for money. It's a stand against the expensive solutions we see rolled into customers every day. Solutions that cost $100,000's but provide very little benefit. We only charge you for the data you process and we will launch with a price that makes it an easy decision to upload.
  10. The future is bright - SIEM is a waning technology and due to the low feature space (quality of the input records) it's difficult for it to innovate. Sure there will be SIEM 2.0 which uses Big Data to scale but new insights and analytics will be difficult to conjure. Packetloop can extract information from any part of the network communication giving it a extremely dense feature space. The amount of interesting information is so vast that we are finding new ways to apply statistical analysis and machine learning every day.



6 Dec 2012

What is Big Data Security Analytics? Part One: Visualization

0 comments Permalink Thursday, December 06, 2012

Recently we were showcased in GigaOM's article "6 ways big data is helping reinvent enterprise security". The area of Packetloop they focused on was visualization and the nexus of Big Data, NoSQL and it's ability to power visualisations. This nexus is incredible and I believe will drive a lot of really awesome work. The idea of navigating large data sets effortlessly allows an analyst to explore and explain the data. However I see this as only the first in a set of powerful features that Big Data Security Analytics will deliver.

So what is Big Data Security Analytics?

It's delivering knowledge and intelligence in relation to security events with the highest fidelity and context possible. Knowledge and intelligence drives informed decisions based on real evidence that increases the security effectiveness of an organisation. I also think it's important to view the subject after you remove the benefits Big Data Security Analytics gives you in terms of size and speed. I was challenged to do this recently by Scott Crawford a leading industry analyst and although at first disarming it forced me to explain our work in terms of the subjects in the figure below.


So I was keen to discuss these subjects in a series of blog posts that showcased the real effectiveness of Big Data Security Analytics and what problems Packetloop can solve forgetting about size and speed.

Visualization

For us Visualization is all about encoding complex and densely featured information so that the best pattern matching system in the world can interpret it. The best pattern matching system in this case is you! We all have difficulty interpreting novelty, outliers, anomalies and trends when faced with a spreadsheet but as soon as we see it visually it's easy. A classic example of this is Anscombe's Quartet. Four data sets that have almost identical statistical features (sum, mean, variance etc.) and also exhibit very strong correlation. However as soon as you visualize the same information you can immediately see the differences in the datasets and the trends within each dataset.



http://visual.ly/anscombes-quartet
So how does this concept translate to security? In Packetloop's Threats module we have a stacked bar visualization. A great dataset to demonstrate and analyse is DARPA98. When you take away the size of the data set (3 months of time, 171K attacks and 64M packets) it's a basic Low, Medium and High severity visualization. Low attacks are shown in light blue, High/Critical attacks are shown in dark blue and Medium attacks in between those two shades.


Even in this simple visualization I can enable a single feature to help me find outliers. In the first example I am going to track "New Attacks" and see how that changes my analysis. New attacks are attacks that have never been seen before. 


After hiding the Legend drawer you can see that Frequency of Attacks is plotted against the left hand Y-Axis (y1) and the number of  New Attacks is plotted against the right hand Y-Axis (y2). Sharp spikes show periods of time where novel attacks were used against the organisation. They are areas of time I would want to investigate in greater detail. In the figure below you can see a sharp spike in the "New Attacks" line on June 15th. What immediately piques my interest is the fact that there's a number of new attacks in that period but the stacked bar is all Low and Medium attacks. This is a classic example of Severity not always being a good indicator of attacker behaviour and tactics but the "New Attacks" line definitely shows me that either an individual or group of attackers is trying a number of vectors that I haven't seen before in a relatively small time period.


So instead of viewing the information based on Severity (Low, Medium and High) let's pivot the data and view the same information through the Attack lens. In the visualization below each attack is allocated a colour and the height of the bar shows the frequency or number of times the attack was used.  If we focus on the peak of New Attacks on Tuesday the 16th the stacked bar visualization hides the nature and complexity of that period however the New Attacks line clearly shows there is interesting information hidden in there. Why is it hidden? In the first example overlaying novel attacks exposed the fact that severity is not always a good indicator. When we switched to viewing by attacks we still see a large jump in new attacks but they are dominated by the high number of other attacks that aren't new. Viewing the data as a 3 month period where each bar is 1 day is hiding the detail.


Packetloop has the ability to zoom in from years of data to one minute of data instantly. Zooming in from the 3 month view to the 24 hour view the detail is uncovered. In a single hour there a flurry of activity in relation to attacks that the organisation had never seen before.


Zooming in further to look at just 30 minutes from the original 3 months and each minute is laid out clearly. A mouseover allows you to see the Severity, Attack Type and Frequency.


Below our main visualization we have a series of data panels that allow you to see more detail than an annotation can provide. In this case I see the new attack "Finger/execution attempt" has all originated from a single Source IP address (152.169.215.104). This is a relatively innocuous attack and is obviously being used for information gathering prior to an exploit being used.


So what other attacks has this single Source IP Address been using, what is this attacker's timeline - throughout the current 30 minutes and then the entire 3 months. The Advanced Filter allows the IP to be selected that filters all attack data based on the Source being 152.169.215.104.


Once filtered you can see that there's a dozen attacks with numerous different attack vectors against a single destination (172.16.112.50) within that 30 minutes. All could be classed as methods of gaining specific information on the target. So obviously a lot of work is being done to enumerate the host but as yet there is no smoking gun.


Zooming out you can see the entire attack timeline for this attacker - 21 attacks using 10 different attack vectors over a period of 3 months.


Looking back at the filter I can see that the attacker has hit two destinations and by selecting one then the other I get his attack timeline for each. What's interesting about looking at the entire timeline is I now start to see indicators and warnings related to FTP and warez as well as actual exploit delivery in the form of x86 Shellcode.


If we filter by the destination 172.16.112.50 we can see the attack timeline between the attacker and the specific victim. There is a lot of information gathering on the June 15th and then a break of a week and then a number of warnings related to FTP and warez activity on the 22nd June and 23rd of June.


If we filter by the destination 172.16.114.50 the timeline is totally empty except for delivery of Shellcode over DNS 3 times within 7 minute period on July 23rd.


Zooming back into the exact time period you can see when the attacks were delivered. Two attacks at 12:33am and another occurrence of the same attack at 12:39am.


I will post a video of this soon but to give you a rough idea this analysis took less than a minute or two to perform against a dataset of 64 million packets that spanned 3 months of time.

Summary

Big Data and NoSQL enable the ability to process, store and query security event information at incredible size and scale. However Big Data Security Analytics is the intelligence that can be gleaned from this data. This blog demonstrated the strengths of visualization and specific overlays (New Attacks) that allow you to explore and explain the data. Changing the lens to view the same attack data from different perspectives and the ability to zoom from years to minutes and back again makes Big Data Security Analytics an extremely powerful analysis and intelligence tool.