Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Friday, November 30, 2012

HPL Situational Awareness-as-a-Service, in the Cloud

In the context of the HPL Safe Cloud project, I have been working on an HP Labs R&D demonstrator, jointly with HP businesses, to illustrate:


• Next generation Business Operation Centers in Disaggregated IT scenarios, i.e. where an organisation relies on service providers (SaaS) and infrastructure providers (IaaS) in the Cloud to run its IT operations

• Information Sharing as a key requirement for the organisation to improve its (security, business, etc.) situational awareness, now that it no longer has control over its IT operations; the issues and trade-offs of sharing information between the company and the other stakeholders, including SaaS and IaaS providers

• Next generation war rooms

• Our vision in the areas of Safe Cloud and controlled information sharing

We have achieved an important milestone: a full working implementation is available. Additional details and a few screenshots of the public, R&D version of the demonstrator are available online.

This demonstrator is now available and can be shown to HP customers and business partners. Below I attach, as an example, a screenshot:




We focus on a scenario involving a company that increasingly relies on SaaS and IaaS Cloud Providers to run its IT operations. The demonstrator uses advanced visualisation and back-end processing techniques to show a futuristic, next generation Business Operation Center that supports the company in monitoring and managing its disaggregated IT.

The demonstrator provides an overview of the company's various SaaS providers, along with the dependencies they have on IaaS Cloud providers and the high-level “health” status of their services.

We then use the demonstrator to illustrate the need that a company has for information sharing, to enable better situational awareness, now that the company has lost control over its IT operations. We highlight the tension points involved in information sharing, the trade-offs that are acceptable to the various stakeholders and the consequences of sharing data.

The demonstrator shows various viewpoints, in terms of available information and what can be shared. For example, it is possible to focus on a SaaS provider and/or an IaaS provider, show the locally available information and which information can actually be collected, processed and shared with the company, based on agreed policies. The demonstrator highlights some of the implications of sharing data, e.g. via live metrics, highlighting risk points and related alerts.

The demonstrator can also show the dependency on the IT infrastructure used in the Cloud and the various types of metrics/information that can be exchanged with the company (as a right, as part of a mutual agreement). These include information on IT performance, security and incident management aspects.

A key capability of the demonstrator is to enable the audience to interactively play different roles, such as acting as the company or one of the SaaS providers. A player can interact with the system and the other players, and decide which information to share (for example with other SaaS providers and/or the company) in order to accomplish common goals (e.g. dealing with an incident or an attack). We believe this creates further awareness about the importance of information sharing, the implications and tension points in doing it, and the need for information sharing controls.
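The policy-based sharing the demonstrator illustrates, as an added example that is not code from the demonstrator: a provider holds a local view of its service, and what each recipient (the company, another SaaS provider) sees is derived from an agreed per-recipient policy, with anything not explicitly agreed withheld. The provider and recipient names, the metric fields, the incident records and the policy itself are all constructed for this example.

```python
# Added example (not code from the HP Labs demonstrator): a minimal
# policy-controlled sharing filter. Each recipient gets only the fields and
# the form of incident data that the agreed policy names; default is deny.
from collections import Counter
from copy import deepcopy

# Constructed local view of a hypothetical SaaS provider ("crm-saas").
LOCAL_VIEW = {
    "service": "crm-saas",
    "iaas_dependency": "iaas-provider-1",
    "availability_30d": 0.9971,
    "patch_backlog_days": 12,
    "internal_hosts": ["app-01", "app-02", "db-01"],   # never leaves the provider
    "open_incidents": [
        {"id": "INC-1", "severity": "high", "category": "credential-abuse",
         "affected_tenants": ["company-x", "company-y"]},
        {"id": "INC-2", "severity": "low", "category": "capacity",
         "affected_tenants": ["company-y"]},
    ],
}

# Constructed sharing agreements, one per recipient (hypothetical names).
# "share": plain fields disclosed as-is; "incidents": how incident data is shared.
POLICY = {
    "company-x": {
        "share": ["service", "iaas_dependency", "availability_30d", "patch_backlog_days"],
        "incidents": "own_only",           # only incidents that affect this recipient
    },
    "other-saas": {
        "share": ["service", "iaas_dependency"],
        "incidents": "count_by_severity",  # aggregate only, no incident detail
    },
}


def shared_view(local, recipient, policy):
    """Return the subset of `local` that `policy` allows `recipient` to see."""
    rule = policy.get(recipient)
    if rule is None:
        return {}  # no agreement with this party: share nothing
    view = {k: deepcopy(local[k]) for k in rule.get("share", []) if k in local}
    incidents = local.get("open_incidents", [])
    mode = rule.get("incidents", "none")
    if mode == "own_only":
        # Strip the tenant list so one customer cannot learn who else is affected.
        view["open_incidents"] = [
            {k: v for k, v in inc.items() if k != "affected_tenants"}
            for inc in incidents if recipient in inc["affected_tenants"]
        ]
    elif mode == "count_by_severity":
        view["open_incidents_by_severity"] = dict(
            Counter(inc["severity"] for inc in incidents))
    return view


def disclosure_points(local, recipient, policy):
    """Sorted list of the fields a recipient receives: an audit record of what was shared."""
    return sorted(shared_view(local, recipient, policy))


if __name__ == "__main__":
    for who in ("company-x", "other-saas", "unknown-party"):
        print(who, "->", shared_view(LOCAL_VIEW, who, POLICY))
```

The two policy modes show the trade-off the post describes: the company gets the detail it needs for its own incidents but nothing about other tenants, while a peer provider gets only counts. The original local view is never mutated, so the provider's internal data (here `internal_hosts`) cannot leak through a shared copy.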

In our HP Labs vision, HP could provide these capabilities (dashboards, controlled information sharing, analytics, etc.) as a (Security) Service to its customers, for example in the context of Managed Services and/or Next generation SOCs.



--- Posted by Marco Casassa Mont ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

--- NOTE: my original HP blog can be found here ---



HPL Security Intelligence-as-a-Service (SILAS)

As discussed in previous posts, our HPL Security Intelligence-as-a-Service (SILAS) solution consists, at its base, of R&D analytics technology that provides statistical analysis of data and predictions based on simulations.
We have now achieved an important milestone in collaboration with HP business groups: a full working implementation is available.

Additional details and a few screenshots of the public, R&D version of SILAS are available online. Below I attach a screenshot of the SILAS main dashboard.





A typical scenario where SILAS can be deployed and add value is a multi-tenant Security Operation Center (SOC), in which the SOC manages incidents and IT operation issues for multiple customers. SILAS calculates and provides a wide variety of strategic metrics: customer metrics, reflecting the effectiveness of the customers' processes (e.g. vulnerability and threat management, VTM; identity and access management, IAM), based on the data they share with the SOC; metrics related to the external threat environment (e.g. derived from information collected from HP ArcSight, HP TippingPoint, DVLabs, OSVDB, etc.); metrics assessing the SOC's own processes, e.g. how effectively it identifies incidents, closes alerts and deals with false positives; and what-if analysis and predictive metrics. All these metrics can be conveyed to customers (and/or other stakeholders) via reports that highlight trend analysis and benchmarks.

SILAS is meant to:

• provide estimation of strategic (security, risk and business) metrics to decision makers and customers, in multi-tenancy, multi-customer contexts, such as Security Operation Centers and Cloud Operation Centers

• use these metrics to enable predictive and what-if analysis, by leveraging the HP/HPL Security Analytics Solution (based on modelling and simulation techniques)

• provide customers with strategic reports - based on processed metrics and prediction - to illustrate historical trends and benchmarks

• leverage Cloud infrastructure for data processing and metric estimations

SILAS is not meant to be a reactive, real-time analytics solution. It leverages existing solutions such as HP ArcSight, HP TippingPoint/ThreatLinQ, OSVDB, etc. to gather the relevant data. Its unique differentiation is that it provides longer-term estimates of critical metrics and uses them to make predictions, offering decision support to key stakeholders (risk management teams, customers, etc.). As such it nicely complements current HP software offerings.

We are currently trialling this solution in collaboration with HP business groups.


--- Posted by Marco Casassa Mont ---





On Security Analytics – Risk Analysis for Incident Management Processes

Thanks to all the people who contacted me with interest in how HP Labs has applied HP Security Analytics techniques to Risk Analysis in the context of Incident Management Processes. I would like to remind readers that this HP Labs capability (along with related technologies and know-how) has now been transferred to HP Enterprise Security Services (HP ESS). Please feel free to contact HP ESS representatives if you would like to use the service.




An example of the benefits and risk assessment capabilities that can be achieved with Security Analytics (specifically in the space of Security Operation Centers and their Incident Management Processes) has been documented in a recent HP Labs Technical Report titled “Security Analytics – Risk Analysis for an Organisation’s Incident Management Processes”:



“This document is an example of the type of report an organisation would receive at the end of a HP Security Analytics engagement. The focus is on the analysis of the security risks and performance of the organisation’s Security Incident & Events Management (SIEM) Processes and related Security Operation Centre (SOC)’s activities. HP Labs carried out the underlying R&D work in collaboration with HP Enterprise Security Services and involved analysis of processes, probabilistic modeling, simulation and “what-if” analysis for some of HP’s key customers. The outcome of this was a set of case studies from which we have been able to create this more general anonymised report illustrating the richness of the risk assessment and “what-if” analysis that has been carried out.

The lifecycle management of security is critical for organisations to protect their key assets, ensure a correct security posture and deal with emerging risks and threats. It involves various steps, usually carried out on an ongoing, regular basis, including: risk assessment; policy definition; deployment of controls within the IT infrastructure; monitoring and governance. In this context, Security Incident & Events Management plays a key role. Even the best information security practices and investments in security controls cannot guarantee that intrusions – accidental and criminal activities – and/or other malicious acts will not happen. Controls can fail, be bypassed or become inadequate over time; new threats emerge. Managing such incidents requires detective and corrective controls to minimise adverse impacts, gather evidence, and learn from previous situations in order to improve over time. These incident management processes are usually run in the context of a SOC and/or as part of specialised Computer Security Incident Response Teams (CSIRTs), built on top of SOCs.

Even with SIEM in place, a potential major risk for the organisation arises due to delays introduced in assessing and handling known incidents: this may postpone the successful resolution of critical security incidents (e.g. devices exposed on the Internet, exploitation of privileged accounts, deployed malware, etc.) and allow for further exploitation. Another related risk can be introduced by sudden and/or progressive changes of the threat landscape, due to changing economic and social scenarios, new business activities or process failings within the existing IT services. This might create unexpected volumes of new events and alerts to be processed by the security team and as such, introduce additional delays. Hence, it is important for an organisation to understand the risk exposure due to their Incident Management processes, explore potential future scenarios (e.g. changes in available resources or threats landscapes or adoption of Cloud solutions) and identify suitable ways to address related issues, e.g. by introducing process changes and/or making investments in security controls.

HP Security Analytics is uniquely positioned to provide the analysis of the involved risks, explore what-if scenarios and provide decision support for decision makers. This type of Security Analytics assessment is now available as a service, provided by HP ESS.”
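The delay risk the report abstract describes, and the kind of simulation and what-if analysis it refers to, as an added example that is not HP Security Analytics code: alerts arrive at random, a pool of analysts handles them first-come first-served, and three scenarios are compared, a baseline, a change in the threat landscape (more alerts per hour) and an investment (one more analyst). The arrival rate, handling time, team size and the 4-hour delay threshold are assumed, illustrative values.

```python
# Added example (not HP Security Analytics code): a what-if simulation of the
# delay introduced by an incident management process under different loads.
# Model: Poisson alert arrivals, exponential handling time, c analysts, FCFS.
import heapq
import random
from statistics import mean


def simulate_soc(alerts_per_hour, analysts, mean_handle_h, n_alerts=5000, seed=7):
    """Multi-analyst FCFS queue; returns statistics of the delay before assessment starts."""
    rng = random.Random(seed)                        # fixed seed: scenarios are comparable
    arrivals, now = [], 0.0
    for _ in range(n_alerts):
        now += rng.expovariate(alerts_per_hour)      # Poisson arrivals
        arrivals.append(now)
    handle = [rng.expovariate(1.0 / mean_handle_h) for _ in range(n_alerts)]
    free_at = [0.0] * analysts                       # when each analyst is next free
    heapq.heapify(free_at)
    delays = []
    for arrive, svc in zip(arrivals, handle):
        earliest = heapq.heappop(free_at)            # next analyst to become free
        start = max(arrive, earliest)
        delays.append(start - arrive)                # time the alert sat unassessed
        heapq.heappush(free_at, start + svc)
    delays.sort()
    return {
        "utilisation": alerts_per_hour * mean_handle_h / analysts,  # >1 means the backlog grows
        "mean_delay_h": mean(delays),
        "p95_delay_h": delays[int(0.95 * (len(delays) - 1))],
        "share_over_4h": sum(d > 4.0 for d in delays) / len(delays),  # assumed risk threshold
    }


def what_if(scenarios):
    """Run each named scenario (keyword arguments for simulate_soc) and collect results."""
    return {name: simulate_soc(**params) for name, params in scenarios.items()}


# Constructed scenarios: baseline, threat-landscape change, resourcing change.
SCENARIOS = {
    "baseline":      dict(alerts_per_hour=10.0, analysts=6, mean_handle_h=0.5),
    "threat surge":  dict(alerts_per_hour=15.0, analysts=6, mean_handle_h=0.5),
    "extra analyst": dict(alerts_per_hour=10.0, analysts=7, mean_handle_h=0.5),
}

if __name__ == "__main__":
    for name, r in what_if(SCENARIOS).items():
        print(f"{name:14s} util={r['utilisation']:.2f} mean={r['mean_delay_h']:.2f}h "
              f"p95={r['p95_delay_h']:.2f}h >4h={r['share_over_4h']:.1%}")
```

The point the simulation makes is the non-linearity the abstract warns about: a 50% rise in alert volume pushes utilisation above 1, so the backlog and the share of alerts left unassessed for more than four hours grow without bound, whereas the same team one analyst larger keeps delays small. A real engagement would calibrate the rates from SOC ticket data rather than assume them.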



--- Posted by Marco Casassa Mont ---

On HP Secure Boardroom

You might be interested in learning more about HP Secure Boardroom:
“Data and information are your enterprise's most valuable assets. Are your current security policies fully protecting them? Gain insight into a comprehensive security strategy that is adaptive to new security threats, reduces risk, and lowers TCO. Watch now to learn the logistics of this innovative approach to enterprise security”

A Videocast is available here.



--- Posted by Marco Casassa Mont ---