BAE SYSTEMS CYBERREVEAL - G-CLOUD SERVICE DEFINITION
BAE SYSTEMS
CYBERREVEAL ®
G-CLOUD SERVICE DEFINITION

Table of contents

1      Introduction                                          2
2      CyberReveal Overview                                  3
  2.1  CyberReveal Platform                                  3
  2.2  CyberReveal Analytics                                 5
  2.3  CyberReveal Investigator                              7
3      Technical Requirements                                9
  3.1  CyberReveal Platform                                  9
  3.2  CyberReveal Analytics                                 9
  3.3  CyberReveal Investigator                             10
4      Service Delivery                                     11
  4.1  Evaluation                                           11
  4.2  Training                                             11
  4.3  Professional services                                11
  4.4  Onboarding                                           12
5      Applied Intelligence: Information Intelligence       13

BAE Systems CyberReveal®                                                                                                      Page 1 of 14
BAE Systems Applied Intelligence

1          Introduction
           Enterprises today face a range of cyber adversaries. Amongst the most sophisticated are
           criminal organisations and foreign governments determined to steal high-value
           information or disrupt critical services in order to inflict damage or gain unfair competitive
           advantage.
           It is almost impossible to prevent a determined, knowledgeable and well-resourced
           attacker from compromising an organisation. They will modify and re-modify their attack
           over weeks, months or even years to eventually defeat an organisation’s security
           controls. Their actions may go undetected for some time, but the damage can be
           considerable and lasting.
           Many organisations have responded by proactively monitoring their infrastructure to
           detect attackers that have successfully gained access. The objective is simple: to find,
           investigate and respond effectively to attacks before lasting damage is done.
           Conventional security monitoring products are not effective. Enterprises that develop an
           in-house monitoring capability, by investing in technology and security analysts, often find
           their efforts hampered by the limitations of traditional monitoring products:
            -   Efficiency: Analysts and tools are overwhelmed by security alert data.

            -   Threat: New types of attack may go undetected by products that only recognise
                previously encountered attacks.

            -   Scale: The cost of processing increasing volumes of alert data becomes prohibitive.

            -   Decision making: The contextual information needed to assess alerts is distributed
                across several toolsets.
           To effectively manage the sophisticated cyber-attacks we face now, and will face in the
           future, a more sophisticated security monitoring platform is clearly needed. CyberReveal
           is a ‘true’ big data security analytics and investigation platform. It brings together our
           heritage in network intelligence, big data analytics and cyber threat research into a unique
           enterprise-scale product.


2          CyberReveal Overview
           CyberReveal is a highly scalable, modular product stack for the detection and
           investigation of advanced security threats against an infrastructure. By utilizing the latest
           big data technologies and advanced security analytics, CyberReveal provides effective
           protection against targeted cyber-attacks. CyberReveal provides more sophisticated
           threat detection than traditional signatures and rules-based methods as the CyberReveal
           Analytics are behavioural based. This enables the analytics to find previously unknown
           threats due to anomalous behaviour, rather than just finding the subset of known threats
           that signatures provide. By combining and correlating multiple data and alert
           sources, CyberReveal significantly increases analyst efficiency, enabling analysts to
           make more informed decisions more quickly.
           Our solution was built for analysts, by analysts, and is the same technology which is
           deployed and proven in our managed security service, providing protection for over
           150,000 endpoints across the globe.
           CyberReveal currently consists of three core components:

           -   Platform: A big data platform that can store and process billions of events.

           -   Analytics: Advanced behavioural security analytics for the detection of the most
               sophisticated threats.

           -   Investigator: An intuitive investigation and response tool providing a single view
               of threats to the organisation, supporting security and threat analyst workflows.

                                       Figure 1. CyberReveal Product Overview

2.1        CyberReveal Platform

           The CyberReveal big data platform is built from the ground up around the massively
           scalable Hadoop ecosystem. In our specific use case, Hadoop provides the scalability to
           store, process and rapidly query billions of infrastructure events per day and do so cost-
           effectively on commodity hardware.


                                           Figure 2. CyberReveal Platform

           CyberReveal aims to align with Apache releases of Hadoop and supports a range of
           distributions including HortonWorks, Cloudera and Greenplum Pivotal HD. If a Hadoop
           cluster already exists on the deployment environment, depending on the distribution,
           CyberReveal can leverage this existing infrastructure without requiring exclusive access
           to the cluster.
           CyberReveal provides an abstraction layer at the ingress of data, meaning that the
           CyberReveal Platform is agnostic to the specific data source and format being ingested.
           All data is normalized into standardized formats which can later be used in the analytics
           stage of the solution.
           The platform can leverage log data from existing monitoring infrastructure, or Applied
           Intelligence can provide the capability to collect the data using our network probes and
           host agents. The typical types of data that we envisage being ingested for detecting and
           investigating advanced threats include:
           -   HTTP: Commonly collected from web proxies or network probes at the network
               perimeter, CyberReveal analyses HTTP transaction metadata records. CyberReveal
               supports many common proxy vendors such as Blue Coat.

           -   Email: CyberReveal can collect log data from email gateways such as IronPort. The
               SMTP metadata is useful for detecting spear-phishing attacks (scheduled for release
               in version 1.2), which is a common form of infiltration.

           -   Host: Integrating CyberReveal with either a third-party agent or the Detica Host Agent
               installed on each client machine or server can provide a richer view of the activities on
               the infrastructure. Host agents can record details such as running processes, login
               attempts and user activity which can be correlated against network events.

           -   Network: CyberReveal can also integrate with other network log data such as DNS,
               firewall or net-flow data.

           -   Enrichment: CyberReveal also has the ability to bring in numerous sources of data
               which provide context to an investigation. Examples of this include asset databases,
               third party data such as Alexa rankings and WHOIS information.

           -   Threat Intelligence: CyberReveal has the capability to ingest threat intelligence from
               numerous threat intelligence sources such as iSight and extract meaningful
               signatures from them. These signatures can then be used within CyberReveal to
               detect threats or exported to network devices such as firewalls or intrusion prevention
               systems.

           Once the data has been ingested, the CyberReveal Platform relies on Apache Accumulo,
           which is built on top of the Hadoop File System, to store the data with granular, cell-level
           security. By using Accumulo to index the normalized data into key/value pairs, a subset of
           events can be retrieved from the whole dataset (which could scale to billions of records)
           in a matter of seconds. Accumulo provides a cost-effective, high performance and secure
           infrastructure for unified logging.
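The storage pattern described above, as an added Python illustration that is not CyberReveal's own code: events from two source formats are normalised onto one common schema, written as sorted key/value cells that each carry an Accumulo-style visibility label, and scanned back by row prefix with every cell checked against the reader's authorizations. The field names, labels (SOC, MAILMETA) and sample records are constructed for the example; Accumulo's '&'/'|' label semantics are assumed, with '&' given precedence over '|' as a simplification.

```python
"""Accumulo-style cell-level visibility over normalised security events.
Added illustration, not CyberReveal's own code. Accumulo semantics are assumed:
labels combine with '&' and '|', parentheses group, and an empty label is
readable by anyone. Field names, labels and sample records are constructed."""
import bisect
import re


def _parse(tokens: list):
    """Recursive descent; '&' binds tighter than '|' (simplification of Accumulo's rule)."""
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def atom():  # a label, or a parenthesised sub-expression
        nonlocal pos
        tok = peek()
        if tok == "(":
            pos += 1
            node = binop("|")
            if peek() != ")":
                raise ValueError("missing ')'")
        elif tok is None or tok in "&|)":
            raise ValueError("expected a label")
        else:
            node = ("label", tok)
        pos += 1  # consume the label or the closing ')'
        return node

    def binop(op):  # binop('|') -> binop('&') -> atom
        nonlocal pos
        operand = atom if op == "&" else (lambda: binop("&"))
        node = operand()
        while peek() == op:
            pos += 1
            node = (op, node, operand())
        return node

    tree = binop("|")
    if pos != len(tokens):
        raise ValueError("unexpected trailing tokens")
    return tree


def _eval(node, auths: set) -> bool:
    if node[0] == "label":
        return node[1] in auths
    left, right = _eval(node[1], auths), _eval(node[2], auths)
    return (left and right) if node[0] == "&" else (left or right)


def visible(expr: str, auths: set) -> bool:
    """True if the reader's authorizations satisfy the cell's visibility label."""
    tokens = re.findall(r"[A-Za-z0-9_]+|[&|()]", expr)
    if "".join(tokens) != re.sub(r"\s+", "", expr):
        raise ValueError(f"bad visibility expression: {expr!r}")
    return True if not tokens else _eval(_parse(tokens), auths)


class CellStore:
    """Sorted (row, family, qualifier, visibility) -> value; scanned by row prefix."""
    def __init__(self):
        self._keys, self._values = [], {}

    def put(self, row, family, qualifier, value, visibility=""):
        key = (row, family, qualifier, visibility)
        if key not in self._values:
            bisect.insort(self._keys, key)
        self._values[key] = value

    def scan(self, auths: set, row_prefix: str = ""):
        """Yield (row, family, qualifier, value) for cells this reader may see."""
        for key in self._keys[bisect.bisect_left(self._keys, (row_prefix, "", "", "")):]:
            if not key[0].startswith(row_prefix):
                break  # rows are sorted, so a prefix range is contiguous
            if visible(key[3], auths):
                yield key[0], key[1], key[2], self._values[key]


def normalise(source: str, rec: dict) -> dict:
    """Map a source-specific record onto one common schema (constructed field names)."""
    if source == "proxy":  # web proxy HTTP transaction metadata
        return {"ts": rec["time"], "src": rec["c-ip"], "dst": rec["cs-host"], "kind": "http"}
    if source == "mail":  # email gateway SMTP metadata
        return {"ts": rec["time"], "src": rec["client-ip"], "dst": rec["to"], "kind": "smtp"}
    raise ValueError(f"unknown source {source!r}")


def ingest(store: CellStore, source: str, records: list, visibility: str) -> None:
    """Row key is host|time so one host's events sit together; one cell per field."""
    for rec in records:
        ev = normalise(source, rec)
        for name in ("dst", "kind"):
            store.put(f"{ev['src']}|{ev['ts']}", ev["kind"], name, ev[name], visibility)


PROXY_LOG = [{"time": "2014-03-01T09:00:00Z", "c-ip": "10.0.0.5", "cs-host": "example.com"},
             {"time": "2014-03-01T09:05:00Z", "c-ip": "10.0.0.7", "cs-host": "example.org"}]
MAIL_LOG = [{"time": "2014-03-01T09:01:00Z", "client-ip": "10.0.0.5", "to": "alice@example.com"}]


def build_store() -> CellStore:
    """HTTP metadata needs SOC; SMTP metadata (personal data) needs SOC and MAILMETA."""
    store = CellStore()
    ingest(store, "proxy", PROXY_LOG, "SOC")
    ingest(store, "mail", MAIL_LOG, "SOC&MAILMETA")
    return store


def events_for(store: CellStore, auths: set, host: str) -> list:
    """Every cell for one host that the reader's authorizations allow."""
    return list(store.scan(auths, f"{host}|"))
```

A reader holding only SOC sees the host's HTTP cells but not its SMTP cells, and a reader with no authorizations sees nothing, which is the filtering the platform's cell-level security refers to.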

2.2        CyberReveal Analytics

           After the events have been ingested, the CyberReveal Analytics can be run across the
           entire breadth of the data stored in the platform. The CyberReveal Analytics can identify
           malicious behaviour within your IT infrastructure and raise alerts to CyberReveal
           Investigator. CyberReveal’s behavioural analytics are able to find new attack methods
           and zero day exploits, where traditional rules or signature engines are commonly
           restricted to detecting known malicious activity.
           CyberReveal Analytics are driven by current threat intelligence gathered and created by
           Detica’s Threat Intelligence team. The analytics are tested, refined and proven in Detica’s
           managed security service which is run across a range of clients varying in sizes and
           industries.
           The CyberReveal Analytics are based on an extensible framework that provides the
           foundations for clients to write their own analytics to address their priority threats. Part of
           our offering also includes the opportunity to co-create analytics with CyberReveal’s
           analytics development team to be able to design and create new analytics to meet the
           needs of the client. Training and Collaborative Analytics Services help clients become
           productive quickly.


                                          Figure 3. CyberReveal Analytics

           We have defined attack models for APT (Advanced Persistent Threat). The APT pack is
           well established and proven within our managed security service. We employ multiple
           behavioural analytics to detect traits exhibited by the adversary at various stages of the
           attack. The APT attack model mainly focuses around covert information theft, although it
           is extensible to other malicious activity and the entire analytics framework is extensible to
           allow detection of other threats. The table below shows an example of various attack
           techniques that we look for within our APT analytics:

                              Figure 4. CyberReveal APT Attack Techniques


2.3        CyberReveal Investigator

           Once the CyberReveal Analytics have run, the resulting alerts are forwarded to CyberReveal
           Investigator. CyberReveal Investigator is the front-end operational tool for efficiently
           investigating alerts from both CyberReveal Analytics and third-party monitoring
           devices that provide alerts, such as SIEMs like ArcSight. Our aim is to improve analysts’
           efficiency and effectiveness by providing their alert, incident or threat intelligence work
           queue in a single interface along with all contextual data and visualisations to enable
           them to quickly make accurate decisions.
           CyberReveal Investigator has an open architecture which enables quick and easy
           integration into the IT infrastructure. There are standard open APIs for the integration of
           alerting systems, threat intelligence, enrichment sources, ticketing as well as log sources
           for querying. Examples of some previous integrations with Investigator include CA
           Service Desk Manager and SharePoint for ticketing, ArcSight and Splunk for both alerting
           and querying, and asset directories and AV endpoint protections systems for enrichment.

                                         Figure 5. CyberReveal Investigator

2.3.1      Alerts and Threat Intelligence

           Investigator provides analysts with unprecedented insight and efficiency through a unified
           view across the whole security infrastructure. It provides a single pane of glass into the
           security environment by integrating with the existing infrastructure to obtain greater
           operational benefit from it. For example, alerts from other monitoring systems as well
           as threat intelligence from multiple sources can be aggregated, correlated and
           investigated in one place.

2.3.2      Context and Visualizations

           CyberReveal Investigator has interactive tables and visualizations to enable investigators
           to effectively analyse information. This helps give the analyst more context and an
           intuitive understanding of the activity that is taking place. Within the visualisations,
           Investigator automatically links entities to provide a coherent graphical view of related
           entities in alerts or threat intelligence reports. These linked entities can come from a
           range of data sources and enrichment to easily investigate the full context of the activity
           and collate data from multiple sources.

           By standardising an interface to query the underlying data sources, analysts do not need
           technical knowledge to query each logging system. This not only means that querying
           any data source is quick and simple, but as it reduces the skill level required the team is
           more easily scaled. It also greatly improves efficiency as the analyst does not have to
           ‘swivel-chair’ between systems. CyberReveal Investigator can integrate with any query
           source including the system we use in our solution, i.e. CyberReveal Platform.
           Enrichment is automatically done for each entity, both on the graph and in the Enrichment
           panel. This information helps give the analyst context to the data being presented. This
           enrichment information can be from both internal databases such as threat intelligence
           repositories as well as open source information such as Alexa rankings and blacklists.

2.3.3      Incident/Knowledge Management

           CyberReveal Investigator offers a range of knowledge-store functionality that not only
           helps operationalise the investigation of alerts and intelligence reports but also improves
           efficiency by reducing repetition of work.
           Investigator integrates with an incident management system to enable tickets/cases to be
           created from an alert or intelligence. The fields being submitted to the ticketing system
           are automatically populated with the information of the alert, which reduces the risk of
           human error. Additionally, visualisations of contextual data can also be attached to the
           ticket so that further investigation can continue, potentially with other analysts in different
           teams.
           In addition to this, CyberReveal Investigator has a feature to maintain and share an
           analyst knowledge base across the team. This functionality enables an analyst to make a
           note against any entity within Investigator. These notes are instantly viewable by all
           analysts who have the correct permissions, enabling quick and easy knowledge sharing
           between analysts and reducing the time needed to investigate. This enables the analyst to
           quickly understand whether previous incidents relate to the activity they are investigating
           and what remediation was taken at that time.


3          Technical Requirements
3.1        CyberReveal Platform
           Many large organisations already have a preferred Hadoop distribution and CyberReveal
           can be installed on top of an existing Hadoop cluster, as long as the hardware is sufficient
           and the Hadoop version and distribution are supported. As part of the professional
           services associated with CyberReveal deployment we can install HortonWorks HDP 1.3,
           our preferred distribution, on client hardware. CyberReveal runs on Hadoop versions
           0.20.2 up to 1.2.
           To-date CyberReveal has been deployed on a variety of Hadoop distributions including
           Cloudera, GreenPlum and HortonWorks. Applied Intelligence has a Hadoop testing
           facility and a programme of work to test CyberReveal on the most popular distributions.
           The actual number of machines required in your cluster will depend on various factors:

           -   The size of the estate that you are monitoring

           -   The number and type of analytics that you are running

           -   The memory and CPU performance of the machines in the cluster

           -   Intensity of IT usage of the user community

           -   The data retention period, the HDFS replication factor and the data compression ratio

           We can estimate the number of machines required in your cluster based on your
           particular circumstances using our CyberReveal Cluster Sizing Model. As an example, a
           typical installation of CyberReveal in a 50,000 employee organisation might run on 15
           commodity servers.
           For more detailed information on CyberReveal Platform and its interaction with Hadoop
           please contact the CyberReveal team.

3.2        CyberReveal Analytics
           Each CyberReveal Analytics pack takes various data types as input. Each data source
           enables various analytics within the pack depending on what each algorithm is trying to
           detect. For example, our Advanced Persistent Threat (APT) pack primarily uses HTTP
           data, email metadata and host data. These data sources enable our CyberReveal
           Analytics to identify anomalous behaviour at each stage of the kill chain.
           The CyberReveal Platform provides an abstraction layer between the data sources and
           the CyberReveal Analytics. Therefore CyberReveal is not dependent on any particular
           brand of data source. You are free to create your own analytics in order to identify any
           threats in your environment. You will use your own knowledge of the threat and your
           environment in order to identify the data sources required.
           Full details of the data sources required for a specific analytics pack are available under
           NDA.


3.3        CyberReveal Investigator
           The CyberReveal Investigator front-end component is a Java-based, web-delivered
           application. Any reasonable business-grade specification PC or Mac will be able to run
           the software. It is envisaged that the analyst would have a dual monitor setup to derive
           the best use of the tool.


4          Service Delivery
4.1        Evaluation
           Prior to a full deployment Applied Intelligence offers the option of an evaluation. The
           evaluation period can last between one and three months, but is normally the full three
           months. During this period an information gathering exercise is undertaken to capture all
           relevant information relating to the Client's business drivers and technology. Once
           this information has been gathered, to facilitate a smooth integration, we will install and
           configure the CyberReveal product.
           During the evaluation period training will be provided to allow Client security analysts to
           exploit the tool. If the Client has chosen to take the analytics component of CyberReveal
           the evaluation period will include up to three workshops (one per month of the evaluation)
           to ensure the analytics are functioning appropriately. The output of these workshops will
           enable us to work together with the Client to build, test and refine analytics to prove and
           meet the Client's business requirements.
           Throughout this time, the Client will be able to evaluate the product against agreed
           success criteria and business objectives. We will provide assistance where required and
           are open to feedback on the product and where improvements could be made.

4.2        Training
           The CyberReveal product is specifically designed to ensure that the Client's security
           analysts will require no formal software or programming training or skills to be able to
           operate the product. Once the CyberReveal product has been installed the Security
           Analysts will receive training in how to use and exploit the tool effectively and efficiently.
           This standard training provision is included in the cost of the CyberReveal licence.
           Should the client wish to generate their own Analytics, then an understanding of Java and
           MapReduce as well as the technical architecture of Hadoop will be necessary. If the client
           wishes to support their own Hadoop cluster then an understanding of Hadoop, Oozie,
           MapReduce and Accumulo will be needed. This bespoke training is available as a
           professional service and as such is charged in line with our SFIA rate card.

4.3        Professional services
           Deploying the full solution requires a team typically comprising the following roles:
           -   Technical Project Manager: A technical delivery and project manager from the
               CyberReveal team. They will be responsible for timely delivery of product evaluations
               and implementations.

           -   Business Analyst: A CyberReveal business analyst who will work with the client
               team to define the business requirements for a specific implementation. The business
               analyst will also help to shape the business case and benefits of a CyberReveal
               implementation.

           -   Technical Deployment: A CyberReveal technical architect who will work with client
               side technical team (network, IT and Security) to ensure a successful deployment of
               the product.

           -   Analytics Lead: A CyberReveal cyber security analytics expert to work with your
               analytics team to create analytics relevant to your organisation.


           -   Systems Integration Partners: In addition, we have a number of our systems
               integration partners who can support the above roles.

           The exact composition of the team and the amount of effort required for a successful
           deployment will depend on the complexity of the client network and the number of
           integrations required. Our professional services are charged at the SFIA rate card
           attached.

4.4        Onboarding
           Deployment of the CyberReveal product to your network is an extensively defined and
           managed process to ensure a successful outcome that meets your business and security
           requirements. We use a framework process to identify and incorporate all relevant data
           sources and any legacy data stores you would like incorporating into the solution. The
           deployment process entails close working between our deployment engineers and your
           security operations staff and includes training on the product to enable your analysts to
           test and operate the system as quickly as possible.


5          Applied Intelligence: Information Intelligence
           BAE Systems Applied Intelligence is an information intelligence specialist. We help
           government and commercial organisations exploit information to deliver critical business
           services more effectively and economically. We also develop solutions to strengthen
           national security and resilience, enabling citizens to go about their lives freely and with
           confidence.
           By combining technical innovation and domain knowledge, we integrate and deliver
           world-class solutions — often based on our own unique intellectual property — to our
           customers’ most complex operational problems.
           We recognise the importance of Cloud services to the realisation of HMG’s IT Strategy
           and have optimised many of our most compelling IT service offerings for Government on
           G-Cloud. Through these offerings we are at the forefront of realising the full benefits of
           Information Technology for our customers. Below is a summary of our G-Cloud services.

           G-Cloud Service: Service Description

           -   Consultancy: Providing Business and IT strategy and transformation consultancy
               services, including requirements management, organisational change, and
               business case & benefits management.

           -   Service Integration and Management (SIAM): Covering all aspects of SIAM services,
               from target operating model design, to service integration, supplier management,
               architecture and transition and transformation management.

           -   Information Security: Cyber security assessments, architecture and testing services;
               Threat detection, protective monitoring and security management services; Cyber
               incident response, and Industrial Protection, Secure Web Gateway and Cross domain
               services.

           -   Agile Design and Delivery: Services delivered using the Agile method for design and
               development, including Secure-by-Design services.

           -   Architecture: The design of end-to-end architecture solutions, including infrastructure,
               operations, applications and service, as well as enterprise architecture.

           -   Data Services: Data management, protection and exploitation services covering people,
               process, data and technologies. Includes maturity assessments, organisation design
               and provision of data analytics services.

           -   Programme Management: Provision of programme management and support experts to
               provide delivery and/or assurance of internal and external programmes.

           -   Digital Media: Digital transformation, media development, including user experience,
               social business and mobile media.

           -   Secure Mobility & MobileProtect: From mobile strategy, through to development of your
               secure mobile proposition for your user base; Cloud based protection for your user
               base’ portfolio of mobile devices.

           -   NetReveal® OnDemand: Cloud based delivery of the global leader in counter fraud
               software.

           For more details on our G-Cloud services, visit
           www.baesystemsdetica.com/g-cloud or send us an email at gcloud@baesystems.com.
           Applied Intelligence is part of BAE Systems, the premier global defence, security and
           aerospace company. BAE Systems delivers a full range of products and services for air,
           land and naval forces, as well as advanced electronics, security, information technology
           solutions and customer support services.


                                        Applied Intelligence Limited is a BAE Systems company, trading as
                                        BAE Systems Applied Intelligence.
                                       Applied Intelligence Limited is registered in England (No.1337451)
                                       with its registered office at Surrey Research Park, Guildford, England, GU2 7YP.

                                       Copyright © BAE Systems plc 2014. All Rights Reserved.

                                       BAE SYSTEMS, APPLIED INTELLIGENCE and the names of the
                                       BAE Systems Applied Intelligence products referenced herein are trademarks of
                                       BAE Systems plc and are registered in certain
                                       jurisdictions.
