BAE SYSTEMS CYBERREVEAL - G-CLOUD SERVICE DEFINITION
Table of contents

1 Introduction
2 CyberReveal Overview
2.1 CyberReveal Platform
2.2 CyberReveal Analytics
2.3 CyberReveal Investigator
3 Technical Requirements
3.1 CyberReveal Platform
3.2 CyberReveal Analytics
3.3 CyberReveal Investigator
4 Service Delivery
4.1 Evaluation
4.2 Training
4.3 Professional services
4.4 Onboarding
5 Applied Intelligence: Information Intelligence

BAE Systems CyberReveal® Page 1 of 14
BAE Systems Applied Intelligence

1 Introduction

Enterprises today face a range of cyber adversaries. Amongst the most sophisticated are criminal organisations and foreign governments determined to steal high-value information or disrupt critical services in order to inflict damage or gain unfair competitive advantage.

It is almost impossible to prevent a determined, knowledgeable and well-resourced attacker from compromising an organisation. They will modify and re-modify their attack over weeks, months or even years to eventually defeat an organisation’s security controls. Their actions may go undetected for some time, but the damage can be considerable and lasting.

Many organisations have responded by proactively monitoring their infrastructure to detect attackers that have successfully gained access. The objective is simple: to find, investigate and respond effectively to attacks before lasting damage is done.

Conventional security monitoring products are not effective. Enterprises that develop an in-house monitoring capability, by investing in technology and security analysts, often find their efforts hampered by the limitations of traditional monitoring products:

- Efficiency: Analysts and tools are overwhelmed by security alert data.
- Threat: New types of attack may go undetected by products that only recognise previously encountered attacks.
- Scale: The cost of processing increasing volumes of alert data becomes prohibitive.
- Decision making: The contextual information needed to assess alerts is distributed across several toolsets.

To effectively manage the sophisticated cyber-attacks we face now, and will face in the future, a more sophisticated security monitoring platform is clearly needed.

CyberReveal is a ‘true’ big data security analytics and investigation platform. It brings together our heritage in network intelligence, big data analytics and cyber threat research into a unique enterprise-scale product.
2 CyberReveal Overview

CyberReveal is a highly scalable, modular product stack for the detection and investigation of advanced security threats against an infrastructure. By utilising the latest big data technologies and advanced security analytics, CyberReveal provides effective protection against targeted cyber-attacks.

CyberReveal provides more sophisticated threat detection than traditional signature and rule-based methods because the CyberReveal Analytics are behaviour based. This enables the analytics to find previously unknown threats through their anomalous behaviour, rather than just the subset of known threats that signatures cover. By combining and correlating multiple sources of data and alerts, CyberReveal significantly increases analyst efficiency, allowing analysts to make more informed decisions, more quickly.

Our solution was built for analysts, by analysts, and is the same technology which is deployed and proven in our managed security service, providing protection for over 150,000 endpoints across the globe.

CyberReveal currently contains three core components:

- Platform: Big data platform that can store and process billions of events.
- Analytics: Advanced behavioural security analytics for the detection of the most sophisticated threats.
- Investigator: An intuitive investigation and response tool providing a single view of threats to the organisation to support security and threat analyst workflows.

Figure 1. CyberReveal Product Overview

2.1 CyberReveal Platform

The CyberReveal big data platform is built from the ground up around the massively scalable Hadoop ecosystem. In our specific use case, Hadoop provides the scalability to store, process and rapidly query billions of infrastructure events per day, and to do so cost-effectively on commodity hardware.
Figure 2. CyberReveal Platform

CyberReveal aims to align with Apache releases of Hadoop and supports a range of distributions including HortonWorks, Cloudera and Greenplum Pivotal HD. If a Hadoop cluster already exists in the deployment environment, CyberReveal can, depending on the distribution, leverage this existing infrastructure without requiring exclusive access to the cluster.

CyberReveal provides an abstraction layer at the ingress of data, meaning that the CyberReveal Platform is agnostic to the specific data source and format being ingested. All data is normalised into standardised formats which are later used in the analytics stage of the solution. The platform can leverage log data from existing monitoring infrastructure, or Applied Intelligence can provide the capability to collect the data using our network probes and host agents.

The typical types of data that we envisage being ingested for detecting and investigating advanced threats include:

- HTTP: Commonly collected from web proxies or network probes at the network perimeter; CyberReveal analyses HTTP transaction metadata records. CyberReveal supports many common proxy vendors such as Blue Coat.
- Email: CyberReveal can collect log data from email gateways such as IronPort. The SMTP metadata is useful for detecting spear-phishing attacks (scheduled for release in version 1.2), which are a common form of infiltration.
- Host: Integrating CyberReveal with either a third-party agent or the Detica Host Agent installed on each client machine or server can provide a richer view of the activities on the infrastructure. Host agents can record details such as running processes, login attempts and user activity, which can be correlated against network events.
- Network: CyberReveal can also integrate with other network log data such as DNS, firewall or NetFlow data.
- Enrichment: CyberReveal also has the ability to bring in numerous sources of data which provide context to an investigation. Examples include asset databases and third-party data such as Alexa rankings and WHOIS information.
- Threat Intelligence: CyberReveal can ingest threat intelligence from numerous sources such as iSight and extract meaningful signatures from them. These signatures can then be used within CyberReveal to detect threats, or exported to network devices such as firewalls or intrusion prevention systems.

Once the data has been ingested, the CyberReveal Platform relies on Apache Accumulo, which is built on top of the Hadoop File System, to store the data with granular, cell-level security. By using Accumulo to index the normalised data into key/value pairs, a subset of events can be retrieved from the whole dataset (which could scale to billions of records) in a matter of seconds. Accumulo provides a cost-effective, high-performance and secure infrastructure for unified logging.

2.2 CyberReveal Analytics

After the events have been ingested, the CyberReveal Analytics can be run across the entire breadth of the data stored in the platform. The CyberReveal Analytics can identify malicious behaviour within your IT infrastructure and raise alerts to CyberReveal Investigator. CyberReveal’s behavioural analytics are able to find new attack methods and zero-day exploits, where traditional rule or signature engines are commonly restricted to detecting known malicious activity. CyberReveal Analytics are driven by current threat intelligence gathered and created by Detica’s Threat Intelligence team.
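The ingest abstraction and cell-level security described for the Platform above, modelled as an added example. This is illustrative code written for this page, not BAE Systems' CyberReveal code and not the Apache Accumulo API: two constructed log formats are normalised into one event schema, indexed as key/value pairs, and every record carries a visibility label that is checked against the querying analyst's authorisations. The source formats, field names, label names ("soc", "pii") and the simplified label grammar (& and | with parentheses) are all assumptions.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# Constructed sample records in two different source formats (not real data).
PROXY_LINE = ('2014-03-01 09:15:02 10.1.2.3 GET http://example.test/update.php '
              '200 512 "Mozilla/5.0"')
MAIL_LINE = ('Mar  1 09:16:44 gw1 mail: from=<ceo@example.test> '
             'to=<finance@corp.test> subject="Urgent wire"')

# Assumed layouts for the two constructed formats.
PROXY_RE = re.compile(r'^(\S+ \S+) (\S+) (\S+) (\S+) (\d+) (\d+) "([^"]*)"$')
MAIL_RE = re.compile(r'^(\w+\s+\d+ \S+) (\S+) mail: from=<([^>]*)> to=<([^>]*)> '
                     r'subject="([^"]*)"$')


@dataclass
class Event:
    """One record in the standardised schema, whatever the source format."""
    source: str
    timestamp: str
    fields: Dict[str, object]
    visibility: str  # label expression such as "soc&pii" (simplified model)


def normalise_proxy(line: str) -> Event:
    m = PROXY_RE.match(line)
    if not m:
        raise ValueError("unrecognised proxy record: %r" % line)
    ts, client, method, url, status, size, ua = m.groups()
    return Event("proxy", ts,
                 {"client_ip": client, "method": method, "url": url,
                  "status": int(status), "bytes": int(size), "user_agent": ua},
                 visibility="soc")


def normalise_mail(line: str) -> Event:
    m = MAIL_RE.match(line)
    if not m:
        raise ValueError("unrecognised mail record: %r" % line)
    ts, host, sender, recipient, subject = m.groups()
    # Mail metadata names individuals, so it carries an extra "pii" label.
    return Event("mail", ts,
                 {"host": host, "from": sender, "to": recipient, "subject": subject},
                 visibility="soc&pii")


# The ingress abstraction: callers pass (source, raw line); the store only sees Events.
NORMALISERS: Dict[str, Callable[[str], Event]] = {
    "proxy": normalise_proxy, "mail": normalise_mail}


def ingest(records) -> List[Event]:
    return [NORMALISERS[src](line) for src, line in records]


def build_index(events: List[Event]) -> Dict[Tuple[str, str], List[int]]:
    """Key/value index: (field, value) -> positions of matching events."""
    index: Dict[Tuple[str, str], List[int]] = {}
    for i, ev in enumerate(events):
        for k, v in ev.fields.items():
            index.setdefault((k, str(v)), []).append(i)
    return index


def visible(expression: str, auths: Set[str]) -> bool:
    """Evaluate a label expression (tokens joined by & and |, with parentheses)
    against the authorisations held by the reader. Empty label: readable by all."""
    tokens = re.findall(r'[A-Za-z0-9_.-]+|[&|()]', expression)
    pos = 0

    def take() -> str:
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of expression: %r" % expression)
        tok = tokens[pos]
        pos += 1
        return tok

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def parse_or() -> bool:
        result = parse_and()
        while peek() == '|':
            take()
            result = parse_and() or result   # left side always parsed
        return result

    def parse_and() -> bool:
        result = parse_factor()
        while peek() == '&':
            take()
            result = parse_factor() and result
        return result

    def parse_factor() -> bool:
        tok = take()
        if tok == '(':
            result = parse_or()
            if take() != ')':
                raise ValueError("unbalanced parentheses in %r" % expression)
            return result
        if tok in ('&', '|', ')'):
            raise ValueError("unexpected %r in %r" % (tok, expression))
        return tok in auths

    if not tokens:
        return True
    result = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in %r" % expression)
    return result


def lookup(events, index, field, value, auths: Set[str]) -> List[Event]:
    """Retrieve by key, then filter each cell by the reader's authorisations."""
    return [events[i] for i in index.get((field, str(value)), [])
            if visible(events[i].visibility, auths)]


if __name__ == "__main__":
    evs = ingest([("proxy", PROXY_LINE), ("mail", MAIL_LINE)])
    idx = build_index(evs)
    for auths in ({"soc"}, {"soc", "pii"}):
        hits = lookup(evs, idx, "to", "finance@corp.test", auths)
        print(sorted(auths), "->", [e.source for e in hits])
```

The point of the visibility check sitting inside `lookup` rather than in the analyst's query is that an analyst without the "pii" authorisation gets an empty result for the mail record, not an error that reveals it exists; the index lookup and the per-cell authorisation check are separate steps, as they are in a cell-level security model.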
The analytics are tested, refined and proven in Detica’s managed security service, which is run across a range of clients varying in size and industry.

The CyberReveal Analytics are based on an extensible framework that provides the foundations for clients to write their own analytics to address their priority threats. Part of our offering also includes the opportunity to co-create analytics with CyberReveal’s analytics development team, to design and create new analytics that meet the needs of the client. Training and Collaborative Analytics Services help clients become productive quickly.

Figure 3. CyberReveal Analytics

We have defined attack models for APT (Advanced Persistent Threat). The APT pack is well established and proven within our managed security service. We employ multiple behavioural analytics to detect traits exhibited by the adversary at various stages of the attack. The APT attack model mainly focuses on covert information theft, although it is extensible to other malicious activity, and the entire analytics framework is extensible to allow detection of other threats.

The table below shows an example of various attack techniques that we look for within our APT analytics:

Figure 4. CyberReveal APT Attack Techniques
2.3 CyberReveal Investigator

Once the CyberReveal Analytics have run, their alerts are forwarded to CyberReveal Investigator. CyberReveal Investigator is the front-end operational tool for efficiently investigating alerts from both CyberReveal Analytics and third-party monitoring devices that provide alerts, such as SIEMs like ArcSight. Our aim is to improve analysts’ efficiency and effectiveness by providing their alert, incident or threat intelligence work queue in a single interface, along with all contextual data and visualisations, to enable them to quickly make accurate decisions.

CyberReveal Investigator has an open architecture which enables quick and easy integration into the IT infrastructure. There are standard open APIs for the integration of alerting systems, threat intelligence, enrichment sources and ticketing, as well as log sources for querying. Examples of previous integrations with Investigator include CA Service Desk Manager and SharePoint for ticketing, ArcSight and Splunk for both alerting and querying, and asset directories and AV endpoint protection systems for enrichment.

Figure 5. CyberReveal Investigator

2.3.1 Alerts and Threat Intelligence

Investigator provides analysts unprecedented insight and efficiency through a unified view across the whole security infrastructure. It provides a single pane of glass into the security environment by integrating with the existing infrastructure to obtain greater operational benefit from it. For example, alerts from other monitoring systems, as well as threat intelligence from multiple sources, can be aggregated, correlated and investigated in one place.

2.3.2 Context and Visualisations

CyberReveal Investigator has interactive tables and visualisations to enable investigators to analyse information effectively. This gives the analyst more context and an intuitive understanding of the activity that is taking place.

Within the visualisations, Investigator automatically links entities to provide a coherent graphical view of related entities in alerts or threat intelligence reports. These linked entities can come from a range of data sources and enrichment, so that the full context of the activity can be investigated easily and data collated from multiple sources.

By standardising an interface to query the underlying data sources, analysts do not need technical knowledge of each logging system. This not only means that querying any data source is quick and simple, but, as it reduces the skill level required, the team is more easily scaled. It also greatly improves efficiency as the analyst does not have to ‘swivel-chair’ between systems. CyberReveal Investigator can integrate with any query source, including the one we use in our solution, the CyberReveal Platform.

Enrichment is done automatically for each entity, both on the graph and in the Enrichment panel. This information gives the analyst context for the data being presented. The enrichment information can come from internal databases such as threat intelligence repositories as well as open-source information such as Alexa rankings and blacklists.

2.3.3 Incident/Knowledge Management

CyberReveal Investigator has a wide range of knowledge store functionality that not only aids in operationalising the investigation of alerts and intelligence reports but also improves efficiency by reducing repetition of work.

Investigator integrates with an incident management system to enable tickets/cases to be created from an alert or intelligence. The fields submitted to the ticketing system are automatically populated with the information from the alert, which reduces the risk of human error. Additionally, visualisations of contextual data can be attached to the ticket so that further investigation can continue, potentially with other analysts in different teams.

In addition, CyberReveal Investigator has a feature to maintain and share an analyst knowledge base across the team. This enables an analyst to make a note against any entity within Investigator. These notes are instantly viewable by all analysts who have the correct permissions, enabling quick and easy knowledge sharing between analysts and reducing the time needed to investigate. This lets the analyst quickly understand whether previous incidents relate to the activity they are investigating and what remediation was taken at that time.
3 Technical Requirements

3.1 CyberReveal Platform

Many large organisations already have a preferred Hadoop distribution, and CyberReveal can be installed on top of an existing Hadoop cluster as long as the hardware is sufficient and the Hadoop version and distribution are supported. As part of the professional services associated with CyberReveal deployment, we can install HortonWorks HDP 1.3, our preferred distribution, on client hardware.

CyberReveal runs on Hadoop versions 0.20.2 up to 1.2. To date CyberReveal has been deployed on a variety of Hadoop distributions including Cloudera, GreenPlum and HortonWorks. Applied Intelligence has a Hadoop testing facility and a programme of work to test CyberReveal on the most popular distributions.

The actual number of machines required in your cluster will depend on various factors:

- The size of the estate that you are monitoring
- The number and type of analytics that you are running
- The memory and CPU performance of the machines in the cluster
- Intensity of IT usage of the user community
- The data retention period, the HDFS replication factor and the data compression ratio

We can estimate the number of machines required in your cluster based on your particular circumstances using our CyberReveal Cluster Sizing Model. As an example, a typical installation of CyberReveal in a 50,000 employee organisation might run on 15 commodity servers.

For more detailed information on CyberReveal Platform and its interaction with Hadoop please contact the CyberReveal team.

3.2 CyberReveal Analytics

Each CyberReveal Analytics pack takes various data types as input. Each data source enables various analytics within the pack, depending on what each algorithm is trying to detect. For example, our Advanced Persistent Threat (APT) pack primarily uses HTTP data, email metadata and host data. These data sources enable our CyberReveal Analytics to identify anomalous behaviour at each stage of the kill chain.

The CyberReveal Platform provides an abstraction layer between the data sources and the CyberReveal Analytics. Therefore CyberReveal is not dependent on any particular brand of data source.

You are free to create your own analytics in order to identify any threats in your environment. You will use your own knowledge of the threat and your environment to identify the data sources required.

Full details of the data sources required for a specific analytics pack are available under NDA.
3.3 CyberReveal Investigator

The CyberReveal Investigator front-end component is a Java-based, web-delivered application. Any reasonable business-grade PC or Mac will be able to run the software. It is envisaged that the analyst would have a dual-monitor setup to derive the best use of the tool.
4 Service Delivery

4.1 Evaluation

Prior to a full deployment Applied Intelligence offers the option of an evaluation. The evaluation period can last between one and three months, but is normally the full three months.

During this period an information gathering exercise is undertaken to capture all relevant information relating to the Client's business drivers and technology. Once this information has been gathered, we will install and configure the CyberReveal product to facilitate a smooth integration. During the evaluation period training will be provided to allow Client security analysts to exploit the tool.

If the Client has chosen to take the analytics component of CyberReveal, the evaluation period will include up to three workshops (one per month of the evaluation) to ensure the analytics are functioning appropriately. The output of these workshops will enable us to work together with the Client to build, test and refine analytics to prove and meet the Client's business requirements.

Throughout this time, the Client will be able to evaluate the product against agreed success criteria and business objectives. We will provide assistance where required and are open to feedback on the product and where improvements could be made.

4.2 Training

The CyberReveal product is specifically designed so that the Client's security analysts require no formal software or programming training or skills to operate the product. Once the CyberReveal product has been installed, the security analysts will receive training in how to use and exploit the tool effectively and efficiently. This standard training provision is included in the cost of the CyberReveal licence.

Should the Client wish to generate their own analytics, an understanding of Java and MapReduce as well as the technical architecture of Hadoop will be necessary. If the Client wishes to support their own Hadoop cluster, an understanding of Hadoop, Oozie, MapReduce and Accumulo will be needed. This bespoke training is available as a professional service and as such is charged in line with our SFIA rate card.

4.3 Professional services

Deploying the full solution requires a team typically comprising the following roles:

- Technical Project Manager: A technical delivery and project manager from the CyberReveal team. They will be responsible for timely delivery of product evaluations and implementations.
- Business Analyst: A CyberReveal business analyst who will work with the client team to define the business requirements for a specific implementation. The business analyst will also help to shape the business case and benefits of a CyberReveal implementation.
- Technical Deployment: A CyberReveal technical architect who will work with the client-side technical team (network, IT and security) to ensure a successful deployment of the product.
- Analytics Lead: A CyberReveal cyber security analytics expert to work with your analytics team to create analytics relevant to your organisation.
- Systems Integration Partners: In addition, we have a number of systems integration partners who can support the above roles.

The exact composition of the team and the amount of effort required for a successful deployment will depend on the complexity of the client network and the number of integrations required. Our professional services are charged at the SFIA rate card attached.

4.4 Onboarding

Deployment of the CyberReveal product to your network is an extensively defined and managed process to ensure a successful outcome that meets your business and security requirements. We use a framework process to identify and incorporate all relevant data sources and any legacy data stores you would like incorporated into the solution. The deployment process entails close working between our deployment engineers and your security operations staff, and includes training on the product to enable your analysts to test and operate the system as quickly as possible.
5 Applied Intelligence: Information Intelligence

BAE Systems Applied Intelligence is an information intelligence specialist. We help government and commercial organisations exploit information to deliver critical business services more effectively and economically. We also develop solutions to strengthen national security and resilience, enabling citizens to go about their lives freely and with confidence. By combining technical innovation and domain knowledge, we integrate and deliver world-class solutions — often based on our own unique intellectual property — to our customers’ most complex operational problems.

We recognise the importance of Cloud services to the realisation of HMG’s IT Strategy and have optimised many of our most compelling IT service offerings for Government on G-Cloud. Through these offerings we are at the forefront of realising the full benefits of Information Technology for our customers. Below is a summary of our G-Cloud services.

G-Cloud Service: Service Description

- Consultancy: Providing business and IT strategy and transformation consultancy services, including requirements management, organisational change, and business case & benefits management.
- Service Integration and Management (SIAM): Covering all aspects of SIAM services, from target operating model design, to service integration, supplier management, architecture and transition and transformation management.
- Cyber Information Security: Cyber security assessments, architecture and testing services; threat detection, protective monitoring and security management services; cyber incident response, and Industrial Protection, Secure Web Gateway and cross-domain services.
- Agile Design and Delivery: Services delivered using the Agile method for design and development, including Secure-by-Design services.
- Architecture: The design of end-to-end architecture solutions, including infrastructure, operations, applications and service, as well as enterprise architecture.
- Data Services: Data management, protection and exploitation services covering people, process, data and technologies. Includes maturity assessments, organisation design and provision of data analytics services.
- Programme Management: Provision of programme management and support experts to provide delivery and/or assurance of internal and external programmes.
- Digital Media: Digital transformation, media development, including user experience, social business and mobile media.
- Secure Mobility & MobileProtect: From mobile strategy, through to development of your secure mobile proposition for your user base; Cloud based protection for your user base's portfolio of mobile devices.
- NetReveal® OnDemand: Cloud based delivery of the global leader in counter fraud software.

For more details on our G-Cloud services, visit www.baesystemsdetica.com/g-cloud or send us an email at gcloud@baesystems.com.

Applied Intelligence is part of BAE Systems, the premier global defence, security and aerospace company. BAE Systems delivers a full range of products and services for air, land and naval forces, as well as advanced electronics, security, information technology solutions and customer support services.

Applied Intelligence Limited is a BAE Systems company, trading as BAE Systems Applied Intelligence. Applied Intelligence Limited is registered in England (No.1337451) with its registered office at Surrey Research Park, Guildford, England, GU2 7YP.

Copyright © BAE Systems plc 2014. All Rights Reserved. BAE SYSTEMS, APPLIED INTELLIGENCE and the names of the BAE Systems Applied Intelligence products referenced herein are trademarks of BAE Systems plc and are registered in certain jurisdictions.