
Page 1

© Cyberspace Analytics

Creating Near Real-Time and End-to-End Cyber Situational Awareness of University Networks

Dr. Deepinder Sidhu – Professor of Computer Science – UMBC
Aaron Boteler – Cyberspace Analytics
Gunnar Engelbach – Cyberspace Analytics
Randal Taylor – Cyberspace Analytics

POC - Email: [email protected]; Tel: 443-742-2210

1

The Gold Standard for Security

Internet2 2017 Technology Exchange, San Francisco, CA, October 15-18, 2017

Page 2

1. Real-Time Network Mapping Analytics: vNOC

2. Cybersecurity & Compliance Analytics: CNOC

3. Real-Time Cyberspace Analytics: Intel NUC


Discuss significant advances for addressing cyberspace challenges of university networks innovatively, effectively and inexpensively

Page 3

• Culture
‒ Information sharing, collaboration, free flow of information and ideas
‒ Restrictions often viewed as impediments

• Plethora of valuable information
‒ Credit cards, research data, intellectual property
‒ Student and faculty personal information

• Major targets of attack
‒ Extensive attack surface – mobile, wireless, etc.
‒ Valuable resources mean attacks from everywhere

Page 4

Real-Time Network Mapping Analytics – Reverse Engineering Raw Data
– Mapping Network: 3D Interactive Environment; Massive Scalability – 100K+; Animations, Interactive, Real-time
– Visualizing Network: Firewalls, NATs, Tunnels, Port Forwards, IDS/IPS, Phantom Devices, Mobile Devices, IoT
– Identifying Features: Ingress/Egress Connections, Application/Service Properties, Flow Behaviors, Temporal Behaviors, Compliance/Vulnerability Results
– Reporting Problems: Configuration Collisions, Duplicate Physical Interfaces, Phantom Devices, Unmanaged Network Nodes
– Enabling: Device Inventory Management, IP Address Inventory Management, Subnet Management, IP Threat Flow Overlays (Reputation)

Cybersecurity & Compliance Analytics – Large Device Support
– Processing Compliance/Vulnerability: DISA STIGs, USGCB, HIPAA Compliance, PCI Compliance, Vulnerability Scans
– Visualizing Health: Compliance/Vulnerability Score, Device Currency (Scan Age), Device Misconfigurations, Compliance/Policy Violations
– Identifying Features: Compliance/Vulnerability Score, Device Currency (Scan Age), Device Group/Cluster Summaries
– Reporting Problems: Ticket System Integration (Remedy9), Health Reports, Device Configuration Drift Reports
– Enabling: Full Cyber Situational Awareness, Export for Emulation

Big Data Analytic Fusion Engine – Recreate Network Map
– Data sources: PCAP (OSPF/BGP), Router Configs, NMAP, Compliance Scores (DISA/PCI), Flow Records, Firewall Logs, Nessus Scanner, Splunk Exports, etc.
– Devices: Cisco Firewall/Router, Palo Alto Firewall, Checkpoint Firewall, Windows-based OS/Servers, Linux-based OS/Servers, MAC-based OS/Servers

Intel NUC Platform
✓ Cost-effective Commodity Hardware
✓ Minimal Power & Space Requirements
✓ Low-cost, easy to deploy

Page 5

• Reverse engineer, map and visualize network

• Discover network blind spots

• Display real-time changes to network topology

• Identify network segmentations and boundary

• Identify misconfigurations, including duplicate IPs

• Optimize network to reduce attack surface

• Improve network hygiene

• Fingerprint network assets

• Baseline network configurations

• Create Virtual Network Operation Center (vNOC)


Page 6

Large Enterprise Network
– Router Configs, NMAP Scans, Palo Alto Firewall Logs
– Enriched by extracted Properties

Very Large Enterprise Network
– Router Configs, NMAP Scans, Juniper Firewall Logs

R&D
✓ Big Data Network Data Fusion Analytics
✓ Big Data Network Mapping Analytics
✓ Analytics Identify Anomalies across Network
✓ Large-scale Correlation Logic
✓ Generic Enrichment Engine

Real Discoveries
✓ Duplicate Addresses
✓ Phantom Devices
✓ Phantom OSPF Interfaces
✓ Unmanaged Devices (Security)
✓ Back Channels (Tunnels)

Page 7

Simple & Advanced Network Node Search
– IP/Name and/or any combination of generic properties
– Any combination of Compliance/Vulnerability Results
– Aggregate score
– Individual rule pass/fail
– Highlight/Mark results
– Drill-down into the Nodes

Highlight All Hosts in the Network that passed a particular rule in the .NET 1.4 Framework STIG.

Page 8

Network Mapping Video
– Real-time Mapping
– Incremental Add Data Sets
– Dynamically Build Network Map
– Interact with Network Map

Page 9

Advanced Analytics – On-Demand Reports

Report Types
• External Addresses
• Internal Addresses
• External Clients/Servers
• Internal Clients/Servers
• Mapping Logs
• End-Node Attributes
• Router Degree
• Sensor Logs
• Configuration Drift
• Compliance Scores

Shown: Router Degree Report; Node Attribute Report; External Servers (Overlays Threat Information)

• Review Mapping Log for Configuration Collisions
• Identify duplicate interfaces
• Identify Phantom Interfaces
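The three review steps above, like the "Real Discoveries" of duplicate addresses and phantom OSPF interfaces on page 6, come down to cross-checking the router configurations that were collected against what is actually observed on the wire. The following Python is an added example written for this page, not code from Cyberspace Analytics or the presenters. It parses constructed Cisco IOS-style interface stanzas, flags any address configured on more than one interface (a configuration collision), and flags OSPF Hello source addresses captured on a tap that no collected configuration accounts for, which the example treats, by assumption, as phantom or unmanaged interfaces. The device names, addresses and the hello list are all made up.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample router configurations in Cisco IOS style. Illustrative
# inputs only, not data from the presentation.
ROUTER_CONFIGS = {
    "core-rtr-1": """
interface GigabitEthernet0/0
 ip address 10.10.1.1 255.255.255.0
interface GigabitEthernet0/1
 ip address 10.10.2.1 255.255.255.0
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
""",
    "dist-rtr-2": """
interface GigabitEthernet0/0
 ip address 10.10.2.1 255.255.255.0
interface GigabitEthernet0/1
 ip address 10.10.3.1 255.255.255.0
""",
}

# Constructed list of OSPF Hello source addresses seen on a passive tap
# (what decoding a PCAP of OSPF traffic would yield).
OSPF_HELLO_SOURCES = ["10.10.1.1", "10.10.3.1", "10.10.9.7", "10.10.2.1"]

IFACE_RE = re.compile(r"^interface\s+(\S+)\s*$")
ADDR_RE = re.compile(r"^\s+ip address\s+(\S+)\s+(\S+)\s*$")


def parse_interfaces(configs):
    """Return a list of (device, interface, IPv4Interface) from IOS-style text."""
    found = []
    for device, text in configs.items():
        current = None
        for line in text.splitlines():
            m = IFACE_RE.match(line)
            if m:
                current = m.group(1)
                continue
            m = ADDR_RE.match(line)
            if m and current:
                addr, mask = m.groups()
                found.append((device, current, ipaddress.IPv4Interface(f"{addr}/{mask}")))
    return found


def find_duplicate_addresses(interfaces):
    """Configuration collisions: the same IP configured on more than one interface."""
    by_addr = defaultdict(list)
    for device, iface, ip_if in interfaces:
        by_addr[str(ip_if.ip)].append((device, iface))
    return {addr: owners for addr, owners in by_addr.items() if len(owners) > 1}


def find_phantom_sources(interfaces, hello_sources):
    """Addresses speaking OSPF on the wire but absent from every collected config.

    Treated here (an assumption of this example) as the phantom-interface case:
    a router the mapping engine sees but the inventory does not manage.
    """
    known = {str(ip_if.ip) for _, _, ip_if in interfaces}
    return sorted(src for src in set(hello_sources) if src not in known)


def mapping_log(configs, hello_sources):
    """Build the kind of mapping log a reviewer would scan for problems."""
    interfaces = parse_interfaces(configs)
    return {
        "interfaces": len(interfaces),
        "duplicate_addresses": find_duplicate_addresses(interfaces),
        "phantom_ospf_sources": find_phantom_sources(interfaces, hello_sources),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(mapping_log(ROUTER_CONFIGS, OSPF_HELLO_SOURCES), indent=2))
```

On the constructed data the log reports 10.10.2.1 as configured on both routers and 10.10.9.7 as an OSPF speaker with no owning configuration; in practice the second list is the starting point for deciding whether a device is missing from collection or genuinely unmanaged.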

Page 10

• Display enhanced network map with data from
‒ Sensors (taps)
‒ Scanning tools (Nessus, NMAP, …)
‒ Threat intelligence feeds (Lashback, Geospatial, …)

• Display real-time network configuration changes
• Identify vulnerabilities and security patches
• Conduct attack vector analysis to harden network
• Conduct regulatory/policy compliance for reports
‒ STIGs, FISMA, PCI, HIPAA, NERC, …

• Test resiliency under
‒ Cyber-attacks
‒ Catastrophic failures

• Create Cyber Network Operation Center (CNOC)

Real Discoveries
✓ Misconfigured tunnels
✓ Firewall rule inconsistencies
✓ Unauthorized web servers
✓ Weak passwords
✓ Unprotected wireless access points
✓ Text files containing passwords to sensitive systems
✓ Unpatched software & firmware

Page 11

Network Map for Cyber Situational Awareness
• Built from Lab Environment
• Used PCAP and Compliance Results

• Aggregate of All Benchmarks
• Average Score Bar Graph

• Palo Alto Firewall Device
• Used for Drift Example

Page 12

Large Device Support
– All types of Hosts
– All types of Network Equipment
– Integrates with Splunk, Remedy9

Compliance Standards
– Continuous compliance analysis
– Security Content Automation Protocol (SCAP)
– Engine tested and validated by NIST
– Verify and report on compliance status
– Organization configuration checking
– PCI DSS, HIPAA, NERC, SOX, FISMA (USGCB), STIGs, CIS, etc.
– Drill-Down

Page 13

Visualizing Health
– Examine Composite/Vulnerability Score
– Group-basis
– Daily Trending Scores

Device Analysis
– Identify role and functionality
– Baseline configuration and track drift
– Quantify Security Posture
– View Device Logs
– Interact with the Device

Page 14

Network Drift Analytics
– Compliance/Vulnerability/Config samples every N days
– Perform deep-diff on samples
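The deep-diff step above, and the "Baseline configuration and track drift" item on page 13, is the core of drift analytics: two samples of the same device taken N days apart are compared structurally, and the differences are reported by path. The Python below is an added example written for this page, not the presenters' code. It compares two constructed samples of a firewall (a slice of its rules plus per-check compliance results, with placeholder check ids), treats lists as multisets so a reordered port list is not reported as drift, and then pulls out the two findings a reviewer most wants: compliance checks that went from pass to fail, and newly added allow rules.

```python
import json
from typing import Any

# Constructed day-0 and day-7 samples for one firewall: a slice of its rule
# configuration plus per-check compliance results. Illustrative data only;
# the check ids are placeholders, not real STIG or benchmark identifiers.
SAMPLE_DAY_0 = {
    "hostname": "fw-edge-1",
    "rules": {
        "allow-web": {"action": "allow", "dst_port": [80, 443]},
        "deny-telnet": {"action": "deny", "dst_port": [23]},
    },
    "compliance": {"CHECK-1001": "pass", "CHECK-1002": "pass"},
}
SAMPLE_DAY_7 = {
    "hostname": "fw-edge-1",
    "rules": {
        "allow-web": {"action": "allow", "dst_port": [80, 443, 8080]},
        "allow-ssh-any": {"action": "allow", "dst_port": [22]},
    },
    "compliance": {"CHECK-1001": "pass", "CHECK-1002": "fail"},
}


def deep_diff(old: Any, new: Any, path: str = "") -> list:
    """Recursively compare two samples.

    Returns (kind, path, old_value, new_value) tuples, where kind is one of
    'added', 'removed' or 'changed'. Dict keys are walked in sorted order so the
    report is deterministic; lists are compared as multisets.
    """
    changes = []
    if isinstance(old, dict) and isinstance(new, dict):
        for key in sorted(set(old) | set(new)):
            sub = f"{path}/{key}"
            if key not in old:
                changes.append(("added", sub, None, new[key]))
            elif key not in new:
                changes.append(("removed", sub, old[key], None))
            else:
                changes.extend(deep_diff(old[key], new[key], sub))
    elif isinstance(old, list) and isinstance(new, list):
        # Serialise items so nested dicts/lists can be compared by value.
        old_keys = [json.dumps(i, sort_keys=True) for i in old]
        new_keys = [json.dumps(i, sort_keys=True) for i in new]
        for item, key in zip(old, old_keys):
            if key not in new_keys:
                changes.append(("removed", path, item, None))
        for item, key in zip(new, new_keys):
            if key not in old_keys:
                changes.append(("added", path, None, item))
    elif old != new:
        changes.append(("changed", path, old, new))
    return changes


def compliance_regressions(changes):
    """Drift that matters most: a check that passed last sample now fails."""
    return [c for c in changes
            if c[0] == "changed" and c[1].startswith("/compliance/")
            and c[2] == "pass" and c[3] == "fail"]


def new_allow_rules(changes):
    """Rule entries added since the last sample whose action is 'allow'."""
    return [c[1].rsplit("/", 1)[1] for c in changes
            if c[0] == "added" and c[1].startswith("/rules/")
            and isinstance(c[3], dict) and c[3].get("action") == "allow"]


def drift_report(old_sample, new_sample):
    changes = deep_diff(old_sample, new_sample)
    return {
        "changes": changes,
        "regressions": compliance_regressions(changes),
        "new_allow_rules": new_allow_rules(changes),
    }


if __name__ == "__main__":
    for change in drift_report(SAMPLE_DAY_0, SAMPLE_DAY_7)["changes"]:
        print(change)
```

For the constructed samples the report lists four changes: the CHECK-1002 regression, the new allow-ssh-any rule, port 8080 added to allow-web, and the removed deny-telnet rule. A real deployment would store each N-day sample with its collection timestamp and feed the regression and new-allow lists into the ticketing integration mentioned on page 4.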

Page 15

Regulatory Compliance – Configuration Drifts

Page 16

Regulatory Compliance – Security Dashboard Drill-Down

Page 17

Data Extraction and Reporting

Page 18

CONOP
– Active & Passive Collection
– Real-Time Taps
– Real-Time Update
– Visualize Deltas
– Create Virtual Reality of the Network’s Data Space
• “The Matrix”

Intel NUC – vNOC/CNOC
– Commodity Hardware
– Light weight
– Low Power
– Portable

✓ Passive Collections
✓ Automated Active Collections
✓ Automated Alerting
✓ Integration with Help Desk
✓ Interact Virtually with the Network
✓ Track Network Health/Map Changes

CNOC

Page 19

• Attacks are a given – knowledge is power
‒ Must go beyond simple analytics, tables, raw storage and expensive rack-mounted solutions
‒ Turn massive amounts of data into actionable and manageable information

• Merge network and cyber situational awareness

• This will only work if solutions are
‒ Scalable
‒ Affordable
‒ Supportable
‒ Effective

The Gold Standard for Security

CNOC – Deployed in enterprise networks to implement robust security

Page 20

Discussion