Presentation is loading. Please wait.

Presentation is loading. Please wait.

Real-time Ingestion of telemetry into Hadoop to respond to Zero-Day Attacks Vipul Sawant, Pallav Jakhotiya.

Published byDarren Ball Modified over 8 years ago

Similar presentations

Presentation on theme: "Real-time Ingestion of telemetry into Hadoop to respond to Zero-Day Attacks Vipul Sawant, Pallav Jakhotiya."— Presentation transcript:

1

2 Real-time Ingestion of telemetry into Hadoop to respond to Zero-Day Attacks Vipul Sawant, Pallav Jakhotiya

3 Telemetry

4 Sputnik First man-made satellite Launched by Soviet Union in 1957 Altitude 500 km above the earth Transmitted telemetry as “beeps”

5 FIREWALLENDPOINT SERVER GATEWAY Blocked email/web attacks Email metadata Source email server identity Web connection history In/outbound attachments Gateway security settings Blocked attacks Network connections Successful / failed logins Process behaviors Compliance status (PCI, HIPAA) Server security settings Blocked attacks Network connections Successful / failed logins Sensitive documents accessed Process behaviors Endpoint security settings Blocked connections Inbound/outbound traffic Protocol tunneling activity Data ingress/egress volumes Accesses to cloud apps Firewall software settings Logs/Telemetry in the security world

6 Engineering Challenges Variety Structured and Unstructured formats Volume Terabytes of data generated every day Velocity Millions of events generated per second Latency Act on the events in near real time

7 TechniqueThroughputRemarks Streaming100K-110K events/second Works well for real time computations Batch230K-250K events/secondLatency of 3-4 hours before data is available Hybrid600K-620K events/secondUses streaming for computations and a periodic batch for ingestion Analyzing Ingestion techniques Environment – 8 node shared test cluster running HDFS, Map Reduce, Storm, Kafka

8 Hybrid Ingestion Real Time Applications Message Broker Distributed Real time computation system Telemetry Gateway Telemetry Generators Batch Ingestion Batch Applications HDFS

9 So what problems can we solve with this type of data

10 Identify targeted attacks Machine X logged into 15 other machines in the last hour… lateral movement? So what problems could we solve with this type of data? Help companies scope attacks and recover The attackers initially compromised machine A, then pivoted to B and G. They accessed employee-list.doc, but did not access customer.doc Help companies protect their information Lily usually accesses 2-4 sensitive documents/day, but today she’s already accessed 19 confidential documents! Hmm.

11 Batch Application Responding to Zero-Day Attacks Telemetry Archive Login Attempts Application Versions Application usage Pattern Login Time Running Process AV Detections Extract Features Compute Co-relations Pre- Processing Real-Time Telemetry Rules Engine Possible Attack incidents Real-Time Application Decision Tree

12 CENTRAL SECURITY BIG DATA STORE Known C&C Server Implicated in Targeted Attack Company 2 Company 1 Server 8 FEB MON

13 “Seed” Indicator

14 Questions?

15 Thank You!

Download ppt "Real-time Ingestion of telemetry into Hadoop to respond to Zero-Day Attacks Vipul Sawant, Pallav Jakhotiya."

Similar presentations

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.
Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –

Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –
Intrusion Detection Systems By: William Pinkerton and Sean Burnside.

Intrusion Detection Systems By: William Pinkerton and Sean Burnside.
A Java Architecture for the Internet of Things Noel Poore, Architect Pete St. Pierre, Product Manager Java Platform Group, Internet of Things September.

A Java Architecture for the Internet of Things Noel Poore, Architect Pete St. Pierre, Product Manager Java Platform Group, Internet of Things September.
Nada Abdulla Ahmed.  SmoothWall Express is an open source firewall distribution based on the GNU/Linux operating system. Designed for ease of use, SmoothWall.

Nada Abdulla Ahmed.  SmoothWall Express is an open source firewall distribution based on the GNU/Linux operating system. Designed for ease of use, SmoothWall.
© 2014 Fair Isaac Corporation. Confidential. This presentation is provided for the recipient only and cannot be reproduced or shared without Fair Isaac.

© 2014 Fair Isaac Corporation. Confidential. This presentation is provided for the recipient only and cannot be reproduced or shared without Fair Isaac.
© 2009 VMware Inc. All rights reserved Big Data’s Virtualization Journey Andrew Yu Sr. Director, Big Data R&D VMware.

© 2009 VMware Inc. All rights reserved Big Data’s Virtualization Journey Andrew Yu Sr. Director, Big Data R&D VMware.
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.

6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
 Single sign-on o Centralized and federated passport o Federated Liberty Alliance and Shibboleth  Authorization o Who can access which resource o ACM.

 Single sign-on o Centralized and federated passport o Federated Liberty Alliance and Shibboleth  Authorization o Who can access which resource o ACM.
Observation Pattern Theory Hypothesis What will happen? How can we make it happen? Predictive Analytics Prescriptive Analytics What happened? Why.

Observation Pattern Theory Hypothesis What will happen? How can we make it happen? Predictive Analytics Prescriptive Analytics What happened? Why.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Lesson 19: Configuring Windows Firewall

Lesson 19: Configuring Windows Firewall
Host Intrusion Prevention Systems & Beyond

Host Intrusion Prevention Systems & Beyond
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
Security Guidelines and Management

Security Guidelines and Management
Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?

Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?
KaZaA: Behind the Scenes Shreeram Sahasrabudhe Lehigh University

KaZaA: Behind the Scenes Shreeram Sahasrabudhe Lehigh University
Apache Spark and the future of big data applications Eric Baldeschwieler.

Apache Spark and the future of big data applications Eric Baldeschwieler.
Protecting Customer Websites and Web Applications Web Application Security.

Protecting Customer Websites and Web Applications Web Application Security.
Cyber Basics and Big Data. 2 Semantic Extraction Sentiment Analysis Entity Extraction Link Analysis Temporal Analysis Geospatial Analysis Time Event Matrices.

Cyber Basics and Big Data. 2 Semantic Extraction Sentiment Analysis Entity Extraction Link Analysis Temporal Analysis Geospatial Analysis Time Event Matrices.

Similar presentations

Ads by Google