Page 1: Big data ... for security

Big data … for security
James Salter, Hewlett Packard Labs
December 3, 2015

Page 2: Big data ... for security

This is what we are dealing with...

A massive IT operation

Infrastructure
– 6 next generation data centres
– 300K+ employees and contractors
– 41K+ servers
– 440K+ PCs deployed
– 15K+ switches
– 1,500+ enterprise routers
– 140+ Windows Domain Controllers

Connectivity
– 11.5M+ Internet mails per day sent/received
– 150K+ mobile devices
– 39M IP addresses
– 1.2M devices
– 450K mailboxes managed

Security
– 2.5B security events logged per day
– 2K+ managed firewalls
– 970K+ devices scanned for vulnerabilities
– 450K end points protected with anti-virus

Page 3: Big data ... for security

Security events data

HPE IT operates ArcSight internally. The deployment is 25% larger than any other non-governmental installation by volume.

[Chart: events per second (logarithmic scale, 1 to 1,000,000) by source: Routers, VPN, AntiVirus, Active Directory, Web Proxy, DNS]

DNS traffic per HPE data centre:
– 120,000 events/second
– ~64B events/day globally

Page 4: Big data ... for security

64 billion DNS events/day

Whitelist/blacklist filtering removes 99%

640 million greylisted events remain for analysis

Page 5: Big data ... for security

Collection is just part of the story. Analytics is where the power comes from.

Correlation

Machine learning

Graph analytics

Anomaly detection

Advanced persistent threats

Data exfiltration

User behaviour analysis/insider threat

Endpoint visibility

Page 6: Big data ... for security

Abuse case: Botnet command and control

[Diagram: Bot → DNS server; C2 server (mneyqslgyb.info)]

Bot's DNS queries:
– akaajkajkajd.cn?
– xisyudnwuxu.ru?
– dfknwerpbnp.biz?
– mneyqslgyb.info?
– cspcicicipisjjew.hu?

The attacker can't maintain a C2 server at one IP address for very long, so it registers a random domain name temporarily. The bot tries a bunch of random names until it finds one that resolves.

Page 7: Big data ... for security

Abuse case: DNS tunneling (via subdomains)

[Diagram: Bot → DNS server → (Compromised) DNS server (example.com)]

Subdomain queries seen:
– 93cc3daf.example.com
– 4fac3215.example.com
– a86f4221.example.com
– ddee9152.example.com
– 8bd5ff12.example.com
– d4bb92a1.example.com
– ef409132.example.com
– 1bfa3207.example.com
– 298c5b3a.example.com
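Both abuse cases above (a bot cycling through random names until one resolves, and a bot pushing unique subdomain labels under one domain) show up as patterns in the DNS event stream. The following detector is an added example written for this page, not code from the talk or from HPE's product: it runs over a constructed batch of DNS events, skips a constructed whitelist (standing in for the whitelist stage in the architecture), and flags clients with an NXDOMAIN burst, plus the names that did resolve for them, and client/domain pairs with many distinct subdomain labels. The thresholds, the sample events and the whitelist are assumptions.

```python
from collections import defaultdict

# Constructed sample DNS events (client, queried name, response code),
# made up for this example; not data from the talk.
SAMPLE_EVENTS = [
    ("10.1.1.5", "www.example.org", "NOERROR"),
    ("10.1.1.5", "akaajkajkajd.cn", "NXDOMAIN"),
    ("10.1.1.5", "xisyudnwuxu.ru", "NXDOMAIN"),
    ("10.1.1.5", "dfknwerpbnp.biz", "NXDOMAIN"),
    ("10.1.1.5", "cspcicicipisjjew.hu", "NXDOMAIN"),
    ("10.1.1.5", "mneyqslgyb.info", "NOERROR"),   # the one that resolves
    ("10.1.1.9", "93cc3daf.example.com", "NOERROR"),
    ("10.1.1.9", "4fac3215.example.com", "NOERROR"),
    ("10.1.1.9", "a86f4221.example.com", "NOERROR"),
    ("10.1.1.9", "ddee9152.example.com", "NOERROR"),
    ("10.1.1.9", "8bd5ff12.example.com", "NOERROR"),
    ("10.1.1.7", "mail.example.org", "NOERROR"),
    ("10.1.1.7", "typo.example.org", "NXDOMAIN"),
]
# Known-good registered domains, skipped before analysis (constructed;
# stands in for the whitelist stage of the architecture).
WHITELIST = {"example.org"}

def registered_domain(name):
    """Crude registered domain = last two labels; a real deployment
    would consult the public suffix list instead."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def analyze(events, nx_threshold=4, sub_threshold=5):
    """Flag (a) clients whose non-whitelisted lookups fail nx_threshold+
    times, with the names that did resolve as C2 candidates, and
    (b) client/domain pairs with sub_threshold+ distinct subdomain labels."""
    nxdomain = defaultdict(list)
    resolved = defaultdict(list)
    sublabels = defaultdict(set)
    for client, name, rcode in events:
        labels = name.lower().rstrip(".").split(".")
        domain = registered_domain(name)
        if domain in WHITELIST:
            continue
        if rcode == "NXDOMAIN":
            nxdomain[client].append(name)
        elif rcode == "NOERROR":
            resolved[client].append(name)
        if len(labels) > 2:
            sublabels[(client, domain)].add(labels[0])
    dga = {c: {"nxdomain": n, "resolved": resolved[c]}
           for c, n in nxdomain.items() if len(n) >= nx_threshold}
    tunnel = {k: s for k, s in sublabels.items() if len(s) >= sub_threshold}
    return dga, tunnel
```

Calling `analyze(SAMPLE_EVENTS)` flags 10.1.1.5 for the NXDOMAIN burst with mneyqslgyb.info as the resolving name, and 10.1.1.9 for five distinct labels under example.com; in production the counts would be kept per correlation window rather than over a whole batch.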

Page 8: Big data ... for security

Solution architecture: Overview

[Diagram components, in pipeline order]
– DNS server(s), observed through a network tap
– DNS packet capture: DNS queries and responses
– Whitelist / Blacklist
– DNS events: queries and replies
– Event logging
– Correlation and alerting
– Real-time processing
– Near-time, historical analysis

Page 9: Big data ... for security

In use at HPE

Hewlett Packard Enterprise Cyber Defense Center, Palo Alto

Page 10: Big data ... for security

From Labs … to HPE … to Customers


Screenshot from HPE DNS Malware Analytics

– HPE DNS Malware Analytics

– Cloud-based managed or self-service analytics with on-premises capture modules

Page 11: Big data ... for security

The next challenges

[Chart: exfiltration time axis: 5 minutes, 24 hours, ? days ?]

– Increase the correlation time window
– Data exfiltration “hidden in the noise”

Page 12: Big data ... for security

The next challenges

[Chart: billions of events per day, by source (axis 0 to 700): Security Events 2.5, DNS 64, Outgoing ISP Packets 660]

– Complete packet capture for all outgoing ISP connections

Page 13: Big data ... for security

Thank you
[email protected]