Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at:

Thursday, December 13, 2012

More on SILAS: Security Intelligence-as-a-Service

In a previous blog post of mine I introduced our HPL/HP work on the Security Intelligence-as-a-Service (SILAS) solution and the fact we achieved an important milestone, in collaboration with HP business groups: a full working implementation is available.

Thanks for your questions. I am providing some additional details. The SILAS solution can now be showcases to HP customers and (potential) business partners.

As previously mentioned, SILAS consists, at the very base, of an Analytics Technology that provides: statistical analysis of data; predictions based on simulations.

There is currently a major gap in organizations’ security lifecycle management processes. On the one hand, organizations carry out strategic, long-term risk assessment activities - at the business level - to identify threats and mitigate them with suitable policies and controls. This involves periodic re-assessment of their security investments. On the other hand, they heavily invest in monitoring and Security Information and Event Management solutions (SIEM - e.g. HP ArcSight) to collect information from their IT infrastructure, for compliance and governance purposes. However information gathered at this level is seldom leveraged for higher-level strategic security risk assessment, except by means of expensive and manual processes. It is primarily used at the IT Operational levels. There is increasing demand for better integration and simplification of these processes in order to maximize investments and improve the overall risk assessment.

This gap is even more evident in the context of managed services and/or disaggregated IT in the Cloud, where the organisation further loses control on their IT along with related information flows. SILAS aims at addressing this gap.

A typical scenario (where SILAS can be deployed to add value) consists of a multitenant Security Operation Center (SOC), as shown in the following picture:

In this scenario the SOC manages incidents and IT operation issues for multiple customers. SILAS calculates and provides a wide variety of strategic metrics:

• customer metrics, reflecting the effectiveness of their processes (e.g. vulnerability and threat management - VTM, identity and access management - IAM, etc.), based on the data they shared with the SOC; metrics related to external threat environments (e.g. derived from information collected from HP ArchSight, HP TippingPoint, DV Labs, OSVDB, etc.);

• metrics providing an assessment of SOC processes, e.g. how effectively they identify incidents, close alerts, deal with false positives;

• what-if analysis and predictive metrics.

SILAS is meant to:

• provide estimation of strategic (security, risk and business) metrics to decision makers and customers, in multi-tenancy, multi-customer contexts, such as Security Operation Centers and Cloud Operation Centers

• use these metrics to enable predictive and what-if analysis, by leveraging the HP/HPL Security Analytics Solution (based on modelling and simulation techniques)

• provide customers with strategic reports - based on processed metrics and prediction - to illustrate historical trends and benchmarks

• leverage Cloud infrastructure for data processing and metric estimations

The following picture illustrates the SILAS core capabilities and high-level architecture:

SILAS is not meant to be a reactive, real-time analytic solution. It leverages existing solutions such as HP ArchSight, HP TippingPoint/ThreatLinq, OSVDB, etc. to gather the relevant data. As unique differentiation, it provides longer-term estimates of critical metrics and uses them to make predictions. It provides decision support capabilities to key stakeholders (risk management teams, customers, etc). As such it nicely complements current HP SW offerings.

We are currently trialling this solution in collaboration with HP business groups.

A few screenshots of a public version of SILAS (we use for demonstration purposes) follow:

Figure 1: SILAS main dashboard. Links to various metric processing, prediction and reporting capabilities

Figure 2: SILAS metric estimation. Example of estimation of "patch take-up curve" metric estimation (i.e. how quickly an organisation patches its systems against a vulnerability), over a period of time, calculated on data collected from HP ArcSight

Figure 3: SILAS predictions and "what-if" analysis. Example of prediction to vulnerability "risk exposure", calculated with HP/HPL Security Analytics models and related simulations. Models are instantiated with previously calculated SILAS metrics, e.g. the "patch take-up curve" metric.

Figure 4: SILAS Report. Example of customer report illustrating, for a given time period, the "patch take-up curve" metric and compareing it against an anonymised version of the same metrics (in the same time period)/benchmark,  calculated by using information collected from other customers (in a multi-tenant SOC).

Figure 5: SILAS Report. Another example of customer report showing the outcomes of various "what-if" analysis, calculated with HP/HPL Security Analytics models and related simulations. Models are are instantiated with both previously calculated SILAS metrics, e.g. the "patch take-up curve" metric and the various "what-if" assumption to be explored (e.g. using specific IT security controls).

Figure 6: SILAS Report. Another example of customer report showing the historical trends of some relevant SOC process metrics indicating how effectively a SOC handles customer's incidents (e.g. in terms of time to close an alert, identify false positives or identify an incident). The report shows historical trends and anonymised benchmarks against similar, aggregated metrics, obtained from other customers.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

--- NOTE: my original HP blog can be found here ---

No comments: