
Visualizing Threats: KeyLines for Cyber Security
Corey Lanum, Cambridge Intelligence
Louie Gasparini, CyberFlow Analytics

Agenda
Part 1: Network Visualization
Why connected data?
Going beyond network charts
Protect, detect, investigate
Visualization and analysis techniques
Part 2: CyberFlow Analytics
Using KeyLines to build a GUI
Cyber security and the IoT
Network visualization for

Introduction to KeyLines
KeyLines is a powerful SDK for building network visualization web applications:
Rapid development
Full customization
Unrivalled compatibility
Simple deployment

A wide variety of use cases
Law enforcement
Intelligence / security
Compliance (AML / KYC)
Anti-fraud
Sales / Marketing / CRM
Cyber security
IT management
Business Intelligence
Pharmaceuticals
Data discovery
Process
+ others

Data at the heart of Cyber Security
Keeping bad actors out of networks
Finding bad actors already in your network
Post-attack forensics to close the loopholes
Data is your best weapon

Cyber Security Operations Center

Why network visualization?
Understanding connected data
What depends on what?
What is normal network behavior?
Where are the vulnerabilities?
Network visualization is the most intuitive way to

Protect

Detect

Investigate

Techniques: Dynamic networks

Techniques: Mapping

Security & The Industrial Internet of Things
Network Security
Smart Buildings
Smart Cities
Smart Factories

Continuous Threat Monitoring
Segmentation
Policy Violations
Operational Security (OpSec)
Advanced Security Threats

Limit the Attack Surface: network segmentation & containment
Machine-learn the normal behavior of client, server & protocol traffic.
Identify ANY new behavior.
Identify ANY change in existing behavior.

Maintain Security Hygiene: identify and reprimand poor security hygiene
Fix misconfigured devices; identify employee jump drives and Chrome sticks, unknown Wi-Fi edge devices, employee network scans, peer-to-peer apps (Tor) & other protocol misuse.

Operational Anomalies: identify and alert on operational anomalies in network traffic (direction, size, timing etc.)
Recognize unusual server communication patterns, SNMP event storms, new activities or unusual SCADA traffic.

Advanced Threats: identify, alert and build case-management tools on advanced security threats, including port scanning, protocol tunneling or suspicious protocols, new connections to SCADA sensors, and data exfiltration.
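A minimal version of the "learn normal, then flag any new or changed behavior" check described above, added here as an illustration; it is not CyberFlow's FlowScape code. It keys the baseline on (client, server, destination port), treats a conversation never seen in the training window as new behavior, and treats a known conversation whose byte volume leaves its learned range as changed behavior. The flow records, the z-score threshold and the minimum sample count are all assumptions.

```python
"""Baseline-then-deviation check over flow records.

Added example (not CyberFlow or KeyLines code). It learns which
(client, server, port) conversations exist during a training window and
how many bytes each normally carries, then flags any conversation never
seen before and any known conversation whose volume breaks its baseline.
All flow records below are constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed training flows: (timestamp, client, server, dst_port, bytes)
TRAINING_FLOWS = [
    ("2016-03-01T08:00:00", "10.1.1.20", "10.1.0.5", 443, 1200),
    ("2016-03-01T08:05:00", "10.1.1.20", "10.1.0.5", 443, 1300),
    ("2016-03-01T08:10:00", "10.1.1.20", "10.1.0.5", 443, 1250),
    ("2016-03-01T08:15:00", "10.1.1.20", "10.1.0.5", 443, 1100),
    ("2016-03-01T08:20:00", "10.1.1.20", "10.1.0.5", 443, 1350),
    ("2016-03-01T08:00:00", "10.2.0.9", "10.2.0.1", 502, 64),   # PLC poll, constant size
    ("2016-03-01T08:01:00", "10.2.0.9", "10.2.0.1", 502, 64),
    ("2016-03-01T08:02:00", "10.2.0.9", "10.2.0.1", 502, 64),
    ("2016-03-01T08:03:00", "10.2.0.9", "10.2.0.1", 502, 64),
    ("2016-03-01T08:00:00", "10.1.1.21", "10.1.0.7", 53, 120),  # too few samples to judge volume
    ("2016-03-01T08:30:00", "10.1.1.21", "10.1.0.7", 53, 130),
]

# Constructed flows from the monitoring window
NEW_FLOWS = [
    ("2016-03-02T08:00:00", "10.1.1.20", "10.1.0.5", 443, 1280),       # normal
    ("2016-03-02T08:01:00", "10.2.0.9", "10.2.0.1", 502, 64),          # normal
    ("2016-03-02T08:02:00", "10.1.1.21", "10.1.0.7", 53, 900),         # baseline too thin, ignored
    ("2016-03-02T23:10:00", "10.1.1.20", "10.2.0.1", 502, 128),        # workstation talks to a PLC: new
    ("2016-03-02T23:11:00", "10.2.0.9", "10.2.0.1", 502, 4096),        # PLC poll size changed
    ("2016-03-02T23:12:00", "10.1.1.20", "10.1.0.5", 443, 48_000_000), # 48 MB where ~1 KB is normal
]


def learn_baseline(flows):
    """Return {(client, server, port): [byte counts seen in training]}."""
    baseline = defaultdict(list)
    for _, client, server, port, nbytes in flows:
        baseline[(client, server, port)].append(nbytes)
    return baseline


def detect(flows, baseline, z_threshold=3.0, min_samples=3):
    """Yield (timestamp, kind, key, bytes) alerts for new or changed conversations."""
    alerts = []
    for ts, client, server, port, nbytes in flows:
        key = (client, server, port)
        history = baseline.get(key)
        if history is None:
            alerts.append((ts, "new-behavior", key, nbytes))
            continue
        if len(history) < min_samples:
            continue  # not enough history to say what "normal" volume is
        mu, sigma = mean(history), pstdev(history)
        if sigma == 0:
            # Constant-size conversation (e.g. a PLC poll): any other size is a change.
            if nbytes != mu:
                alerts.append((ts, "changed-behavior", key, nbytes))
            continue
        if abs(nbytes - mu) / sigma > z_threshold:
            alerts.append((ts, "changed-behavior", key, nbytes))
    return alerts


if __name__ == "__main__":
    for alert in detect(NEW_FLOWS, learn_baseline(TRAINING_FLOWS)):
        print(alert)
```

Keying on the full (client, server, port) tuple is what lets the PLC example fire: the PLC and its poller are both known hosts, so a host-level whitelist would stay silent, but the workstation-to-PLC conversation on port 502 has no baseline at all.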

Analytics Positioning

CyberFlow Streaming Analytics
High-velocity data -> streaming analytics
Streaming real-time analytics: real-time, unstructured, data-in-motion
Operational information flow
Complexity: volume, performance, timing
What's happening? Why is it happening? How is it happening? Where is it happening? Who's making it happen?

Traditional Big Data Analytics
Big data pools -> traditional analytics
Batch processing, structured, data-at-rest
Historical transactions and events
Complexity: size of data pools
Descriptive, diagnostic, predictive, prescriptive analytics
What happened? Why did it happen? What might happen? How can we make it happen? (by looking at old, historic data)

Solution outline
Monitor -> Machine Learn -> Anomalytics
Monitor: continuous data monitoring & machine learning via network tap or SPAN port
Machine Learn: apply multiple "stereoscopic" machine learning algorithms and a policy framework in real time
Anomalytics: continuous, contextual awareness & anomaly detection across all connected IP devices

Solution: continuous machine-learning analytics that provide real-time infrastructure anomaly detection and contextual awareness of all IP-connected devices, giving better business intelligence, operational intelligence and active situational awareness.

Targeted: How could this occur?
Target maintains it was PCI-DSS compliant at the time of the breach.
Fazio Mechanical: "Our system and security measures are in full compliance with HVAC industry practices."
Firewalls
SIEM
Anti-Virus
IPS
Industry Compliance
PCI-DSS Compliance

Targeted: What was missed?
Abnormal communications with a partner VPN
Internal pivoting and data movement
Access to POS terminals
Linking events together
Data transfer from POS terminals to a central staging server
FTP from DMZ server to Internet server controlled by Rescator

Internal Threat Detection

FlowScape: Lateral Movement
[Diagram: FlowScape lateral-movement deployment. Network sensors sit alongside the Data Center, WAN, Wireless LAN, Network Core, LAN, Network Edge and Internet segments.]

Network Sensor
Smart Packet Inspection
Device on-demand deep packet inspection
10 Gigabit Ethernet connection
Tap or SPAN port - passive connection
Appliance or VM image

Automatically Group Events into a

FlowScape: Anomalytic Processes, Engines & Models
Multi-behavioral, real-time, contextual analytical algorithm models M1 to M11, each keyed on a different view of the traffic: Device, Session, IP x Server Port, IP x IP, Client, Server, Protocol, Packets, Payloads, Progress, IP pairs by port, Activity, Port x Port, IP x Port.
Anomalies -> Anomaly Fusion & Machine Learning Engine -> Policy Frameworks -> Threat Assessment Visualization


Confidential - Not for distribution

Continuous CyberFlow Machine Learning Anomalytics
Finding unknown threats & reducing false positives
Analytical engines: behavioral models, self-organizing maps, stereoscopic fusion (server by port, IP x IP x Port, client port, protocol anomalies, payload), binocular fusion, tuning & policy engine, automation of clustering breach behaviors, Anomalytics event/case manager
Continuous real-time analytics using behavioral self-organizing maps


CyberFlow Analytics: Patent Pending Research
Binocular Fusion SOM Modeling for Anomaly Detection
Clustering analytics using Self-Organizing Maps
Cluster machine learning using SOM
Reduction of n-space anomaly detection
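How a self-organizing map serves as a one-class anomaly detector, covering both the "self-organizing maps" engine on the Anomalytics slide and the SOM clustering research above. This is an added example using a textbook Kohonen SOM, not CyberFlow's patent-pending binocular-fusion method or any FlowScape code. It trains only on constructed "normal" flows (HTTPS browsing and DNS lookups) and scores a new flow by its quantization error, the distance to the best-matching map unit; the four flow features, their scaling constants, the grid size and the training distribution are assumptions.

```python
"""Self-organizing map as a one-class anomaly detector for flow features.

Added example: a textbook Kohonen SOM, not CyberFlow's patent-pending
binocular-fusion SOM. It is trained only on constructed "normal" flows
(HTTPS browsing and DNS lookups); the anomaly score of a new flow is its
quantization error, the distance to the best-matching map unit. Flows
that fall far from every unit (a bulk outbound FTP transfer, a long-lived
tunnel to a high port) score high; flows inside a learned cluster do not.
Feature scaling constants and the training distribution are assumptions.
"""
import math
import random


def features(nbytes, packets, duration_s, dst_port):
    """Map a flow to a vector with every component roughly in [0, 1]."""
    return [
        math.log10(max(nbytes, 1)) / 8.0,     # bytes, log-scaled
        math.log10(max(packets, 1)) / 6.0,    # packets, log-scaled
        min(duration_s, 3600.0) / 3600.0,     # duration, capped at one hour
        1.0 if dst_port < 1024 else 0.0,      # well-known vs ephemeral/high port
    ]


def _bmu(grid, v):
    """Best-matching unit: grid coordinates of the closest weight vector."""
    best, bi, bj = float("inf"), 0, 0
    for i, row in enumerate(grid):
        for j, w in enumerate(row):
            d = sum((a - b) ** 2 for a, b in zip(v, w))
            if d < best:
                best, bi, bj = d, i, j
    return bi, bj


def train_som(vectors, width=4, height=4, epochs=100, seed=1):
    """Classic online SOM training with decaying learning rate and neighbourhood."""
    rng = random.Random(seed)
    dim = len(vectors[0])
    grid = [[[rng.random() for _ in range(dim)] for _ in range(width)] for _ in range(height)]
    lr0, sigma0 = 0.5, max(width, height) / 2.0
    total, step = epochs * len(vectors), 0
    for _ in range(epochs):
        for v in rng.sample(vectors, len(vectors)):  # shuffled pass over the data
            frac = step / total
            lr = lr0 * (1.0 - frac)                   # learning rate decays to 0
            sigma = sigma0 * math.exp(-3.0 * frac)    # neighbourhood radius shrinks
            bi, bj = _bmu(grid, v)
            for i in range(height):
                for j in range(width):
                    h = math.exp(-((i - bi) ** 2 + (j - bj) ** 2) / (2.0 * sigma * sigma))
                    w = grid[i][j]
                    for k in range(dim):
                        w[k] += lr * h * (v[k] - w[k])
            step += 1
    return grid


def quantization_error(grid, v):
    """Anomaly score: Euclidean distance from v to its best-matching unit."""
    i, j = _bmu(grid, v)
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(v, grid[i][j])))


def constructed_normal_flows(n_https=80, n_dns=40, seed=7):
    """Constructed training data: HTTPS sessions and DNS lookups (no attacks)."""
    rng = random.Random(seed)
    flows = []
    for _ in range(n_https):
        flows.append(features(10 ** rng.uniform(3.7, 5.7), 10 ** rng.uniform(1.3, 2.7),
                              rng.uniform(1, 60), 443))
    for _ in range(n_dns):
        flows.append(features(10 ** rng.uniform(2.0, 2.5), 2, rng.uniform(0.0, 0.2), 53))
    return flows


def build_detector():
    """Train on normal flows; threshold = worst quantization error seen in training."""
    train = constructed_normal_flows()
    grid = train_som(train)
    threshold = max(quantization_error(grid, v) for v in train)
    return grid, threshold


def is_anomalous(grid, threshold, v):
    return quantization_error(grid, v) > threshold


if __name__ == "__main__":
    grid, threshold = build_detector()
    for label, flow in [("https browsing", features(50_000, 100, 10, 443)),
                        ("bulk ftp out", features(5_000_000_000, 4_000_000, 3500, 21)),
                        ("tunnel to 4444", features(20_000_000, 30_000, 3600, 4444))]:
        print(f"{label:<16} score={quantization_error(grid, flow):.3f} "
              f"threshold={threshold:.3f} anomalous={is_anomalous(grid, threshold, flow)}")
```

The threshold here is simply the largest error the map makes on its own training data; a production system would tune it per model and feed the scores into a fusion or policy stage, which is what the slides describe but this example does not implement.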

Customer Case Study

Network Topology
Data Center: FlowScape was installed in the data center at the Environmental Services Department, where most domains pass through to go external.
SPAN ports were configured to collect raw packets from Cisco switches.
FlowScape provides real-time analytics and dashboards.
Infrastructure: 1200+ network devices, 12,000+ workstations, 1000+ servers, 500+ printers
Customer Benefits: the customer spends $600 per infected device at roughly 100 infected devices per month, i.e. $720K/year. FlowScape reduces detection and recovery by 50%, saving the customer an estimated $360K/year.

Machine Learning
Day 1: machine-learning all traffic; everything is new ("fireworks"); painting the network topology
Events: machine-learn command & control events; good vs bad events (security scan vs DDoS)
Steady State: real-time continuous anomaly detection
Smart City Case Study
FlowScape is deployed in a large customer network.
Deployment: 1200+ network devices, 12,000+ workstations, 1000+ servers, 500+ printers
Custom IoT server apps, backup servers, NetBIOS traffic, SNMP agents, DNS servers
Detection of BitTorrent and other non-standard, high-risk communication not normally found on the network, and a BYOD VPN connection


Smart City Case Study
Cyber Security Breach: Sality Botnet Command & Control Attack
1. The attacker scans the Internet to find specific (home) router models
2. Attempts login using default credentials
3. If successful, changes the router's DNS server to an attacker-controlled DNS server
4. Routes users to compromised servers
5. Once the user has downloaded the malware, covers tracks by changing the router's DNS back to 8.8.8.8 (Google DNS)
http://www.pcworld.com/article/2139460/sality-malware-growing-old-takes-on-a-new-trick.html


Smart City Case Study
Cyber Security Breach Activity: Malware/Metasploit from Croatia


Smart City Case Study
FlowScape detection of cyber breach activity that the customer's current security tools did not catch:
They weren't able to catch/aggregate BitTorrent users with Palo Alto.
They weren't able to catch the Onion/Tor traffic with current security tools.
They missed the Sality botnet, which was a BYOD remote device coming in through VPN.
Palo Alto did not detect the compromised device, and they were informed of the breach by an outside agency (e.g. FBI).
Palo Alto missed port 137 to India.

Any Questions?
corey@cambridge-intelligence.com
louie@cyberflowanalytics.com
@Cambridgei
Cambridge-Intelligence
