Big data … for security

James Salter, Hewlett Packard Labs, December 3, 2015

This is what we are dealing with...

A massive IT operation

Infrastructure
– 6 next generation data centres
– 300K+ employees and contractors
– 41K+ servers
– 440K+ PCs deployed
– 15K+ switches
– 1,500+ enterprise routers
– 140+ Windows Domain Controllers

Connectivity
– 11.5M+ Internet mails per day sent/received
– 150K+ mobile devices
– 39M IP addresses
– 1.2M devices
– 450K mailboxes managed

Security
– 2.5B security events logged per day
– 2K+ managed firewalls
– 970K+ devices scanned for vulnerabilities
– 450K end points protected with anti-virus

Security events data

HPE IT operates ArcSight internally. Deployment 25% larger than any other non-governmental installation by volume.

[Chart: events per second (logarithmic scale, 1 to 1,000,000) by source: Routers, VPN, AntiVirus, Active Directory, Web Proxy, DNS]

DNS traffic per HPE data centre:
– 120,000 events/second
– ~64B events/day globally

64 billion DNS events/day
→ whitelist/blacklist: 99%
→ 640 million greylisted events

Collection is just part of the story. Analytics is where the power comes from.

– Correlation
– Machine learning
– Graph analytics
– Anomaly detection

– Advanced persistent threats
– Data exfiltration
– User behaviour analysis/insider threat
– Endpoint visibility

Abuse case: Botnet command and control

[Diagram: Bot → DNS server; the bot queries akaajkajkajd.cn? xisyudnwuxu.ru? dfknwerpbnp.biz? mneyqslgyb.info? cspcicicipisjjew.hu? and reaches the C2 server (mneyqslgyb.info)]

The attacker can’t maintain a C2 server at one IP address for very long, so it registers a random domain name temporarily. The bot tries a bunch of random names until it finds one that resolves.

Abuse case: DNS tunneling (via subdomains)

[Diagram: Bot → DNS server → (Compromised) DNS server (example.com); the bot queries 93cc3daf.example.com, 4fac3215.example.com, a86f4221.example.com, ddee9152.example.com, 8bd5ff12.example.com, d4bb92a1.example.com, ef409132.example.com, 1bfa3207.example.com, 298c5b3a.example.com]

Solution architecture: Overview

DNS server(s) → network tap (DNS queries and responses) → DNS packet capture → Whitelist / Blacklist → DNS events: queries and replies → Event logging; Correlation and alerting

– Real-time processing
– Near-time, historical analysis
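As an added illustration (not code from these slides or from HPE's product), a small Python sketch of the pipeline above: the whitelist/blacklist stage first, then analytics over the greylist that flag the two abuse cases, a DGA-style burst of NXDOMAIN answers from one asset and tunnel-style fan-out of hex-encoded subdomains under one zone. The asset names, the sample events, the list contents and the thresholds are all constructed.

```python
import re
from collections import defaultdict

EVENTS = [  # constructed sample events: (source asset, queried name, DNS response code)
    ("asset-17", "www.hpe.com", "NOERROR"),
    ("asset-17", "akaajkajkajd.cn", "NXDOMAIN"),
    ("asset-17", "xisyudnwuxu.ru", "NXDOMAIN"),
    ("asset-17", "dfknwerpbnp.biz", "NXDOMAIN"),
    ("asset-17", "mneyqslgyb.info", "NOERROR"),   # the one random name that resolves
    ("asset-42", "93cc3daf.example.com", "NOERROR"),
    ("asset-42", "4fac3215.example.com", "NOERROR"),
    ("asset-42", "a86f4221.example.com", "NOERROR"),
    ("asset-42", "ddee9152.example.com", "NOERROR"),
    ("asset-42", "known-bad.test", "NOERROR"),
]
WHITELIST = {"hpe.com"}         # constructed known-good zones (dropped, the 99%)
BLACKLIST = {"known-bad.test"}  # constructed known-bad zones (immediate alert)
HEX_LABEL = re.compile(r"[0-9a-f]{6,}")  # tunnel-style encoded subdomain label

def registered_domain(name):
    """Last two labels; a real deployment would use a public-suffix list."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def triage(events):
    """Whitelist/blacklist stage: returns (alerts, greylist) from raw DNS events."""
    alerts, greylist = [], []
    for host, name, rcode in events:
        zone = registered_domain(name)
        if zone in WHITELIST:
            continue
        if zone in BLACKLIST:
            alerts.append(("blacklist", host, name))
        else:
            greylist.append((host, name, rcode))
    return alerts, greylist

def analyse_greylist(greylist, nx_threshold=3, sub_threshold=4):
    """Analytics stage: NXDOMAIN bursts per asset and hex-subdomain fan-out per (asset, zone)."""
    nx_by_host = defaultdict(int)
    subs = defaultdict(set)  # (host, zone) -> distinct hex-looking first labels
    for host, name, rcode in greylist:
        if rcode == "NXDOMAIN":
            nx_by_host[host] += 1
        first = name.split(".")[0]
        if HEX_LABEL.fullmatch(first):
            subs[(host, registered_domain(name))].add(first)
    findings = [("dga-nxdomain-burst", h, n) for h, n in nx_by_host.items() if n >= nx_threshold]
    findings += [("dns-tunnel-fanout", h, z) for (h, z), s in subs.items() if len(s) >= sub_threshold]
    return findings
```

In production the per-asset counters would run over a time window (the slides' 5 minutes, later 24 hours) rather than over a static list.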

In use at HPE: Hewlett Packard Enterprise Cyber Defense Center, Palo Alto

From Labs … to HPE … to Customers

[Screenshot from HPE DNS Malware Analytics]

– HPE DNS Malware Analytics
– Cloud-based managed or self-service analytics with on-premises capture modules

The next challenges

– Increase the correlation time window: 5 minutes → 24 hours → ? days ?
– Data exfiltration “hidden in the noise” [chart: exfil time]

The next challenges

[Chart: billions of events per day (0 to 700): Security events 2.5; DNS 64; Outgoing ISP packets 660]

– Complete packet capture for all outgoing ISP connections

Thank you. james.salter@hpe.com