Big security for big data
Table of contents
- Big security for big data
- Data explosion
- Data collection
- Data integration
- Data analytics
- In real time versus the past
- Born for faster speed
- Real-time threat evaluation
- Pattern matching
- Statistical correlation
- Monitor and respond
- Conclusion
- About HP Enterprise Security
- Protect your business
[Figure: "Mobile, social, big data & the cloud". A landscape of mainframe, client/server and Internet-era systems overlaid with cloud, SaaS, mobile and social vendors (Amazon Web Services, salesforce.com, Facebook, Twitter, LinkedIn, Splunk, SAP, Workday and many others), plus an "Every 60 seconds" panel: 400,710 ad requests; 2000 lyrics played on Tunewiki; 1500 pings sent on PingMe; 34,597 people using Zinio; 208,333 minutes of Angry Birds played; 98,000 tweets; 23,148 apps downloaded.]
format, so that real-time alerting and reporting can take place. The
first step is to establish complete visibility so that your data and who
accesses the data can be monitored. Next, you need to understand
the context, so that you can focus on the valued assets, which are
critical to your business. Finally, utilize the intelligence gathered so
that you can harden your attack surface and stop attacks before the
data is exfiltrated. So, how do we get started?
Data explosion
Data collection
HP ArcSight Correlation Optimized Retention and Retrieval (CORR) Engine serves as a foundation for threat detection, security analysis, and log data management.

Results: Security event monitoring is simple, intelligent, efficient, and manageable. HP ArcSight Security Event Information Management (SIEM) processes events faster, making security information available in real time.
Figure 2. Analysis: Normalize/Categorize

Without normalization:

Jun 17 2009 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside
Jun 17 2009 14:53:16 drop gw.foobar.com >eth0 product VPN-1 & Firewall-1 src xxx.xxx.146.12 s_port 2523 dst xxx.xxx.10.2 service ms-sql-m proto udp rule 49

With normalization:

| Time (Event Time)  | Name | Device Vendor | Device Product   | Category Behavior | Category Device Group | Category Outcome | Category Significance  |
| 6/17/2009 12:16:03 | Deny | Cisco         | PIX              | /Access           | /Firewall             | /Failure         | /Informational/Warning |
| 6/17/2009 14:53:16 | Drop | Checkpoint    | Firewall-1/VPN-1 | /Access/Start     | /Firewall             | /Failure         | /Informational/Warning |
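The following added example (not HP's or ArcSight's own connector code) performs the normalization step Figure 2 illustrates: it parses the two raw lines above with hand-written regexes and emits the common-schema fields of the table. The parsers and the action-to-category mapping are this example's assumptions.

```python
import re
from datetime import datetime

# Constructed sample input: the two raw events shown in Figure 2.
RAW_EVENTS = [
    "Jun 17 2009 12:16:03: %PIX-6-106015: Deny TCP (no connection) from "
    "10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside",
    "Jun 17 2009 14:53:16 drop gw.foobar.com >eth0 product VPN-1 & Firewall-1 "
    "src xxx.xxx.146.12 s_port 2523 dst xxx.xxx.10.2 service ms-sql-m proto udp rule 49",
]
# Assumed parsers for the two vendor formats (not ArcSight's own connectors).
PIX_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-\d-\d+: (?P<name>\w+) "
    r"(?P<proto>\w+) .*?from (?P<src>\S+) to (?P<dst>\S+)"
)
FW1_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<name>\w+) \S+ >\S+ "
    r"product (?P<product>.+?) src (?P<src>\S+) s_port \d+ dst (?P<dst>\S+) "
    r"service \S+ proto (?P<proto>\w+) rule (?P<rule>\d+)"
)
# Assumed mapping from the device's action word to the four category fields
# (behavior, device group, outcome, significance) shown in Figure 2.
CATEGORY = {
    "Deny": ("/Access", "/Firewall", "/Failure", "/Informational/Warning"),
    "drop": ("/Access/Start", "/Firewall", "/Failure", "/Informational/Warning"),
}
CATEGORY_FIELDS = ("category_behavior", "category_device_group",
                   "category_outcome", "category_significance")

def _event_time(ts: str) -> str:
    """Convert 'Jun 17 2009 12:16:03' to the table's '6/17/2009 12:16:03'."""
    dt = datetime.strptime(ts, "%b %d %Y %H:%M:%S")
    return f"{dt.month}/{dt.day:02d}/{dt.year} {dt:%H:%M:%S}"

def normalize(raw: str) -> dict:
    """Map one raw line onto the common schema; reject unknown formats."""
    if m := PIX_RE.match(raw):
        vendor, product = "Cisco", "PIX"
    elif m := FW1_RE.match(raw):
        vendor = "Checkpoint"
        # Figure 2 lists the product as "Firewall-1/VPN-1".
        product = "/".join(reversed([p.strip() for p in m["product"].split("&")]))
    else:
        raise ValueError(f"unrecognised event format: {raw[:40]!r}")
    event = {"event_time": _event_time(m["ts"]), "name": m["name"].capitalize(),
             "device_vendor": vendor, "device_product": product,
             "src": m["src"], "dst": m["dst"], "proto": m["proto"].lower()}
    event.update(zip(CATEGORY_FIELDS, CATEGORY[m["name"]]))
    return event
```

Lines that match neither parser are rejected rather than silently passed through, so an unparsed format shows up as a gap in coverage instead of as a quietly uncategorized event.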
Data integration
Data analytics
[Figure 3. Performance improvements of ESM with CORR-Engine over ESM with Oracle: bar chart captioned "Detect more incidents", comparing Oracle and CORR on Storage, EPS and Query against a relative scale of 0 to 20.]

[Figure: correlation dimensions: History, Session, Privileged user, Anomaly, Role, Location, Asset, Action, Transactions, IP address.]
Pattern matching
HP ArcSight has an expansion pack, Threat Detector, which allows
customers to mine through archived data looking for relationships
between events that would have been missed by real-time correlation.
As an example, a low-and-slow attack takes place when an attacker
purposely keeps the attack below detection thresholds to avoid being noticed.
Such an evasive technique might be when the attacker is using a
dictionary attack to guess a user's password. They would not try
to brute-force the authentication system all at once, as the system
would lock out the user's account after a series of unsuccessful login
attempts. Instead, the attacker uses a scripted stealth method: only
two login attempts, then a five-minute sleep, repeated so that two
attempts are made every five minutes. This means there would be
576 unsuccessful login attempts daily, but since most correlation
rules look for brute-force methods, only a routine that mines through
historical data would be able to match this pattern. Threat Detector
would detect this attack and then allow customers to introduce new
rules that would block the attacker going forward.
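An added example (not Threat Detector code) contrasting a real-time style brute-force rule with a mining rule over a day of archived logins, run on a constructed event stream that follows the two-attempts-every-five-minutes pattern described above. The event layout, thresholds and addresses are this example's assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def low_and_slow_events(start: datetime, source: str, user: str, hours: int = 24):
    """Constructed sample: two failed logins, a five-minute sleep, repeated."""
    events, t = [], start
    while t < start + timedelta(hours=hours):
        events.append((t, source, user, "fail"))
        events.append((t + timedelta(seconds=1), source, user, "fail"))
        t += timedelta(minutes=5)
    return events                      # 24 h gives 288 x 2 = 576 failures

def burst_events(start: datetime, source: str, user: str, n: int = 20):
    """Constructed sample: n failures one second apart (classic brute force)."""
    return [(start + timedelta(seconds=i), source, user, "fail") for i in range(n)]

def bruteforce_rule(events, max_fails: int = 5, window=timedelta(minutes=10)):
    """Real-time style rule: more than max_fails failures from one source in `window`."""
    recent = defaultdict(deque)        # source -> timestamps still inside the window
    hits = set()
    for ts, src, _user, outcome in sorted(events):
        if outcome != "fail":
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:      # slide the window forward
            q.popleft()
        if len(q) > max_fails:
            hits.add(src)
    return hits

def low_and_slow_rule(events, min_daily: int = 100):
    """Mining rule over archived data: total failures per source per calendar day."""
    daily = defaultdict(int)
    for ts, src, _user, outcome in events:
        if outcome == "fail":
            daily[(src, ts.date())] += 1
    return {src for (src, _day), n in daily.items() if n >= min_daily}

def demo_low_and_slow():
    """Run both rules over the constructed streams and report what each catches."""
    slow = low_and_slow_events(datetime(2012, 12, 1), "203.0.113.7", "alice")
    burst = burst_events(datetime(2012, 12, 1), "198.51.100.9", "bob")
    return {"slow_count": len(slow),
            "slow_realtime_hits": bruteforce_rule(slow),   # expected: nothing
            "slow_mined_hits": low_and_slow_rule(slow),    # expected: 203.0.113.7
            "burst_realtime_hits": bruteforce_rule(burst)}  # expected: 198.51.100.9
```

The sliding-window rule never sees more than five failures in any ten minutes of the slow stream, while the per-day aggregate makes the same source stand out immediately.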
Statistical correlation
HP ArcSight's multidimensional correlation engine combines real-time,
in-memory event log data with asset awareness, asset vulnerability, and
identity correlation to assist operating teams with immediate detection
of threats. The powerful correlation engine allows you to maintain a
state of situational awareness by processing millions of log events
in real time. We help to prioritize critical events so that your security
administrator can review only those events that need specialized
attention. With built-in network asset and user models, HP ArcSight is
uniquely able to understand who is on the network, what data they are
seeing, and which actions they are taking with that data.
HP ArcSight Enterprise Security Manager (ESM) uses a heuristic
analytics model to keep a baseline of activity from events
received by ESM and monitors any increases in attack, target,
protocol, or user activity using a percentage threshold. The
statistics that are calculated are used by ESM to determine spikes
against the baseline average as well as other deterministic activity such
as anomalous behavior, session reconciliation, effectiveness of
IDS and firewalls, and DHCP lease activity. This
statistical baseline is also used for determining anomalous user or
application-usage behavior.
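An added example (not ESM's implementation) of the baseline-plus-percentage-threshold idea described above: a rolling mean per monitored dimension, with an alert when the current interval's count exceeds that mean by more than the configured percentage. The dimension key, window sizes and per-interval counts are constructed for the example.

```python
from collections import defaultdict, deque
from statistics import mean

class BaselineMonitor:
    """Rolling per-key baseline with a percentage spike threshold (assumed design)."""

    def __init__(self, window: int = 12, threshold_pct: float = 50.0, min_samples: int = 4):
        self.window = window              # past intervals kept per key
        self.threshold_pct = threshold_pct
        self.min_samples = min_samples    # no alerts until the baseline is warm
        self.history = defaultdict(lambda: deque(maxlen=window))

    def observe(self, key: str, count: int):
        """Feed one interval's count for `key`; return an alert dict or None."""
        hist = self.history[key]
        alert = None
        if len(hist) >= self.min_samples:
            base = mean(hist)
            if base:
                increase_pct = (count - base) / base * 100
            else:                         # silent baseline: any activity is infinite growth
                increase_pct = float("inf") if count else 0.0
            if increase_pct > self.threshold_pct:
                alert = {"key": key, "baseline": round(base, 2), "count": count,
                         "increase_pct": round(increase_pct, 1)}
        hist.append(count)                # the spike joins the baseline only after scoring
        return alert

def demo_baseline():
    """Constructed sample: failed-SSH counts per 5-minute interval, steady then a jump."""
    counts = [10, 12, 11, 9, 10, 11, 30]
    mon = BaselineMonitor(window=6, threshold_pct=50)
    key = "target=db01/proto=ssh/outcome=fail"
    return [a for c in counts if (a := mon.observe(key, c)) is not None]
```

The warm-up guard matters in practice: a monitor that alerts on its first few samples produces a flood of false positives every time a new asset, user or protocol appears.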
[Figure: Detect and Respond. Who (user roles) combined with What (logs) gives better visibility and superior threat detection.]
Conclusion
HP Services
Sources:
Advanced Data Exfiltration, Iftach Ian Amit, VP Consulting, Security Art, Israel, September 2011. http://www.iamit.org/blog/wp-content/uploads/2012/01/Advanced-data-exfiltration-%E2%80%93-the-way-Q-would-have-done-it.pdf
ESM 6.0c Beta-Test, HP ArcSight QA and Dev team, August 2012
Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and
services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors
or omissions contained herein.
Oracle is a registered trademark of Oracle and/or its affiliates. Microsoft is a U.S. registered trademark of Microsoft Corporation.
4AA4-4051ENW, Created December 2012