Counteract Cyberattacks and Fraud with Streaming Analytics

In this video, Stephanie Balaouras, Forrester Vice President and Research Director serving Security and Risk professionals, and Steve Wilkes, co-founder and CTO of Striim discuss the following:

  • Discuss why today’s security challenges are really an analytics challenge
  • Describe how streaming analytics solutions are combating external attacks, malicious insiders, and fraud
  • Distill the benefits of streaming analytics solutions to security and other initiatives in the organization

Real-world case studies of how streaming analytics is being used to prevent fraud and cyberattacks are also shared.


Unedited Transcript:

Welcome and thank you for joining us for today’s Webinar. My name is Katherine and I will be serving as your moderator. The presentation today is entitled Counteract Cyber Attacks and fraud with streaming analytics. We are honored to have as our guest speaker today, Stephanie Valores. Stephanie is Vice President and research director for Forrester research serving security and risk professionals. Joining Stephanie is Steve Wills co-founder and CTO of Striim. Throughout the event, please feel free to submit your questions in either the chat or Q and A panel located on the right hand side of your screen. We will answer as many questions as possible after the presentation. With that, it is my pleasure to introduce Stephanie Valores. Stephanie,

Speaker 2: Great. Thank you so much Katherine for the introduction and thank you everyone for joining today. So with my presentation, there’s a couple of key areas that I wanted to go over today. I’m going to go over the state of cybersecurity and then I want to talk about how security analytics and a variety of analytics tools, both what we know today as been platforms which were evolving security analytics platform as well as, um, related analytics solutions that likely are being used within other parts of your business. Um, so just streaming analytics and the role that they play in detecting attacks, responding to attack, um, as well as other types of malicious behaviors such as fraud. And then I want to give you a couple of wrap up pieces of advice that I usually share with, with fourth years old clients. And so would that, we will, we will get started.

Speaker 2: I just wanted to start off with a call, which I think many of you will, will relate to in the security profession, which, you know, conveys the, the inherent unfairness in security today, which is, you know, we as security professionals, we have to execute our jobs perfectly every single day. Umm, fail one and cyber criminals were able to exploit that one failure, that one vulnerability or that one flaw. Um, and they’ve fallen away as the environment where they be able to exfiltrate data. So it’s the central unfairness of a basic metrics fight against cyber criminals. And it also speaks to the fact that, um, we can layer as many preventative solutions as possible in our environment, but ultimately at the end of the day, we’re not going to be able to stop every single attack, every single breach. So it’s become imperative that we’re able to detect those infiltrations in the breaches as quickly as possible and respond to them immediately.

Speaker 2: In some instances, you can actually contain the breach itself, stop the exfiltration in process. And in other instances we can limit the impact of what’s this done. Um, boulder are critically important, both prevention and detection. But what I find in most clients, even some of the largest enterprise clients that we have, is that we don’t have a lot of detection and automated response capabilities and just share some of the data that we have. Um, according to our surveys. And we wrote a lot of, we run a very massive security survey every single year that hits thousands of security decision makers. And influencers across North American Europe, about 55% of firms have one breach during the last 12 months. And that’s a very conservative number. It’s self reporting. Uh, there’s a lot of firms that likely have a breach but just haven’t been able to detect it. And that’s a common issue that we have in our profession today, which is most breaches are actually, uh, detected by a third party.

Speaker 2: That third party could be a partner. Uh, that third party could be, uh, law enforcement agencies like here in the United States. It could be someone like the FBI in the course of another investigation determining that you have a breach and contacting you. Incredibly common scenario. Uh, it could actually be a customer. Um, or again, it could be somebody else. It can even be as a security researcher conducting dark web research. It could be a financial institution that notices a lot of fraud is coming from customers who do visits with a particular merchant. But all in all, it’s, um, it speaks to the fact that many companies can’t actually detect that they had an incident or had a specific type of breach. Some other interesting pieces of information about this is there’s a lot of incidents are actually the results of insiders. Uh, these could be malicious insiders who are deliberately stealing data for a variety of motivations.

Speaker 2: It could be monetary or retaliatory. Um, it could be insiders who are actually working in conjunction with cyber criminals. Or in some instances you have individuals that might deliberately violate a policy, um, like emailing themselves sensitive data to personal accounts so they could work from home. That’s actually pretty typical. It’s actually very typical in the healthcare industry that has a lot of, um, strict data handling, uh, policies around patient data. But with the best of intentions, you’ll find that healthcare workers will violate some of those policies so they can work from home, for example. Um, and then in some instances you just have people making silly decisions that put the company’s data at rest. The other thing that I would point out here is we have a large number of incidents that actually involve a third party. And at a typical large enterprise you have, and this is an exaggeration, might actually have several hundred third party relationships, 200, 300, 303rd party relationships.

Speaker 2: Not all of them are strategic to the company, but you’d be surprised how many of them actually have access to your systems and your data in the course of doing business with you is this third party relationships from anyone like front end payment processor to on your back end. It could be cloud providers, it could even be, um, supply chain partners. It could be other types of partners. So ultimately it also could be your partner organization that’s targeted, uh, because of their privilege, um, access to your systems and the data. Ultimately your reach as well. So a lot of interesting points there. It’s not always just about the pure external attacks. It’s insider threats. It’s, it’s a tax levy that your partners and oftentimes it’s a blend of internal and external. Uh, what, what are the NLS on? My team actually has the same. That’s all attacks are an inside job because even with your external attacks, once they’ve breached the initial perimeter, unless you have a highly segmented network, oftentimes they have free reign in the rest of your environment.

Speaker 2: And then, you know, not surprisingly, what they’re going to after is the most, uh, sensitive data that they can, they can find it stated that, um, in many instances they can monetize as black markets. So this is a lot of your personally identifiable information, name, address, social security numbers. Um, interestingly enough, um, any kind of customer record or patient record, I can say that includes medical information, those actually go for even more money on black markets. What are your typical, um, credit card numbers actually don’t go a lot because of supply and demand dynamics, but anything related to medical information that could be used to commit medical fraud, highly, highly valuable. It’s your intellectual property. You know, you might be targeted by us, um, a competitor within country from another country that’s motivated by corporate espionage. They want to get at your designs, your code, uh, your, your future product, road maps and plans.

Speaker 2: Anything that’ll sort of undercut your competitive advantage in the market. Um, and the interesting thing is that the first one there is authentication credentials. Obviously the killing the credentials means that they can, um, escalate access into your environment. Then they can go after higher and higher values targets they metal to be using these credentials in attacks against other enterprises as well. So it might not necessarily initially be about you, you might be the initial target of it. Really what they’re doing is they’re gathering a lot of credentials and personally get identifiable information that they can then use to target another organization. People reuse their passwords across environments. Uh, massive, huge amounts of personally identifiable information can be used to, um, undermine the identity verification, uh, logic and a lot of, uh, customers, citizen patient types of application. So there’s a lot of uses and a lot of ways that they can actually, uh, monetize, monetize the data.

Speaker 2: In fact, continue an example of how breaches are often part of a larger, more complex criminal initiatives. And in the U s there was a tax fraud against the IRS. The IRS had put out a, um, an application called get transcript that actually allowed citizens to create their own accounts and get access to a history of their tax returns. Well, cyber criminals use stolen PII that they had gathered from a number of prior breaches to actually hijack the customer identity verification process of that application to gain access to those historical tax returns. And then when they had that access, they used all of that valuable information to actually commit tax fraud, which is they filed for taxes and, and returns that weren’t there. Um, and so again, this is just an example of how oftentimes these breaches are part of the bigger criminal enterprise. And when, when it comes to the external, uh, breaches, there’s a lot of different ways that criminals can actually infiltrate the environment.

Speaker 2: The first one is the software vulnerability. And usually in security we think of these as the unintended flaw in software code that that leaves it open to a potential exploit. Um, you know, it can also be a business logic vulnerability. So what we’ve seen with the packers is they do target their organizations. It’s not indiscriminant, they’ll go after a particular enterprise. Um, they’ll learn their systems to learn the logic of assistance and they will look for opportunities to exploit the business logic of an application. So, uh, it might not necessarily just like the software code vulnerability, it’s not something you ever intended or anticipated, but because the creativity and the savvy of the criminals still find a way to actually exploit it and gain access to the system by circumventing the business logic in the application itself. Uh, and unfortunately I think this will become a lot worse before it gets better.

Speaker 2: I think every security person can relate to how difficult it is to actually include security testing for vulnerabilities into soft, into the software development life cycle. Um, whether that’s in development and staging and production and other requirements, it’s very, very difficult to integrate security into the access or DevOps process. And right now too, we’re in a situation because of how competitive most digital businesses are today, where they’re under an enormous amount of pressure to develop software solutions and services as quickly as they can. Um, and then in the IoT world, what we’ve seen is most IoT developers, the, they’re producing software and firmware on these devices that are missing from the most basic security considerations of protections. Um, and they also have no ingredient next mechanism, fraction patching any of these spots as well. So it’s going to get a lot worse before, before it gets better.

Speaker 2: And then of course as you see here on the slide, uh, against stolen credentials, always, always a target. And, and a lot of it has to do with the fact that passwords are terrible, they’re easy to crack, then uses, reuse them across systems in both their employee and their consumer lives. Uh, user interaction. The best of us will still, um, on occasion fall for efficient email as well as click on a malicious link, particularly not just through email, but also through social. Yeah. And then of course you have your, your standard kind of SQL sequel injection attacks for web-facing applications. I will make a prediction on this webinar today. That seat off tasks might go up to the number two or three potentially next year. And of course there’s some other ones, they’re on the list.

Speaker 2: So you know where we’re at today as it is, I kick things off, but the breaches are inevitable and I don’t mean that in a doom and gloom kind of way. This isn’t about spas. It’s actually a Webinar for me all about business enablement and it doesn’t mean that we should continue to invest, we shouldn’t continue to invest in preventative solutions. I know sometimes there’s, there’s this, um, what I would think of as an unnecessary debate about, um, prevention versus detection for me is, again, it’s both, but I do believe that we have to bolster our detection capabilities today cause it’s one of the weaker areas in security as well as the actual incident response itself. A lot of companies aren’t prepared for the incident response when they do detect a breach. And this is reflected in our data in 96%, which is national, obviously high number.

Speaker 2: They that improving security monitoring capability is one of their top priorities. And it’s because, again, we knew that we knew that some kind of infiltration or incident or breach is inevitable. But when it comes to detection, we also have to dramatically improve our response time because again, the goal is not just the detection but the ability to limit the impact of the breach before it turns into something, uh, enormous or particularly identified the infiltration in progress. Just because somebody reached your defenses and they infiltrated the network doesn’t mean that an actual creation of the data has actually happened yet. So still an opportunity to stop it before it actually because a lot of intellectual property, um, uh, high profile breaches gonna make the news, there’s still an opportunity to actually do something about it. Um, organic, the financial impact to the business. Some of these, uh, high profile breach events have cost companies hundreds of millions of dollars more than any cyber insurance could, could ultimately cover. And then as you’ll see later in the presentation, what fraud cost a company is also significant as well. So onto the, to the role of analytics and making smarter, rapid decision making.

Speaker 2: So you think about the sock today. So Security Operations Center, oh, analysts have to analyze large volumes of data in order to detect it. With the dress before the hamper the business and largely is, it is a human based process. Today. It’s the analysts, human analysts trying to determine which alerts are false positives, um, which ones they should prioritize and investigate is the analyst trying to look for patterns in the data and trying to make connections across that data that indicate a possible threat to the business. It’s, it’s, it’s very human based. Um, and the challenge with that is when you look at the volume of data that’s coming in and the volume of alerts that are being generated from all the different security products that you have deployed throughout the environment, there aren’t enough trained analysts in the SOC, um, to really do a reasonable job of analyzing those alerts. Um, it’s just a struggle to keep up with the, because the volumes are enormous. Um, and as I mentioned that there’s not enough stock analysts, um, and even if you practice, if you’re lucky to hire a lot of fucking, unless it’s very difficult to retain them. Um, so there’s, uh, it’s just an overall staffing issue, both, hopefully just the shortage of skill out there. Um,

Speaker 2: Someone who’s got the skills to work in a soc, those skills are, or trade craft. It’s, it’s not anywhere that you could go out and take a class in. Um, it’s something that you learned on the job and it takes years of experience. So there’s just not enough of those, those individuals. In fact, a lot of the notable breaches of the past, in some instances the indicators were there, but the fucking whole over looked up or they didn’t know which ones to prioritize in this day and age of information that hits every day, every week and every month.

Speaker 2: So this is where we really need better security analytics to help us, uh, ingest, correlate and analyze larger volumes of data. And Chris, our visibility across all types of device access method, uh, endpoints, mobile, um, IoT types of devices, uh, hosting models. Uh, most large enterprises are going to be in a hybrid environment. We didn’t have some applications on premise, some applications hosted in the cloud, some that burst back and forth depending on workload demand. Um, being able to look across any user population, your own employees, contractors, partners, and ultimately your customers as well. Um, you need more context security context as well as actual business context. We need workflow for actually orchestrating the overall response. Um, and then we actually need more security automation. So fortunately to me is the orchestration of the overall response. Automation is actually automating specific steps of the response.

Speaker 2: So it’s, you know, depending on if a certain threshold is reached and we have a high degree of confidence that a malicious activity is happening automatically black blocking that activity automatically blocking that transaction or it potentially might be, um, isolating a device. We setting passwords, doing memory captures. There’s a lot of paths that we can automate immediately upon detection of an event. I think historically we didn’t have enough good information to make the determination about whether it was something was legitimate business traffic or malicious and social security teams were always low to automatically take action because we might be stopping. And within that business transaction we have enough problems aligning with the business. We’re hesitant to do that. But I think because of the scale and the impact of today’s breaches, uh, on the company’s financials is brand and an open balance. And customers, both business and security teams are heavily looking into automating response.

Speaker 2: So the security tools that we’re looking at today are, are using data science test, suspicious behavior. They’re not solely relying on, on signatures and set patterns. They’re incorporating both internal and external threat Intel so that you can predict specific attacks to your industry or even to your given company doing a much better job of examining large amounts of historical data. As I mentioned, detecting the, both the infiltration and the exfiltration, giving more security context and enabling investigations and response. Now what is security analytics platforms? There’s a couple of categories of vendors. There’s a lot of your traditional sim vendors, which a lot of companies have made investment in for log management and compliance purposes, but didn’t get an enormous amount of value out of the, uhm, those same platforms are evolving into security analytics platforms. Um, and they’re doing that in a, in a variety of ways. First, a lot of them are really focusing on, um, the amount of data that they can ingest. You know, these tools, they’re now able to just potentially petabytes of information because there still been thick data infrastructure on the back end. They’re incorporating more types of data than they ever have in the past. So it was, it’s not just basic log information from other security products or logs from all your different types of systems. They’re actually incorporating other data, um, such as flow analysis tools, user behavior analytics data from your identity and governance solutions says from your vulnerability systems. Uh, as I mentioned, threatened tell. So they’re incorporating and analyzing a lot more data than we ever have in the past. Um, and I mentioned that they’re taking advantage of behavioral analysis so they’re not relying on signatures. They’re open, not necessarily always relying on, on known patterns to be able to identify a breach because you will know, every patterns can see in the future. So just being able to understand, um, what is a behavioral anomaly based on historical data to be hugely valuable. So that other, that’s how they’re changing. So they become really, there’s, there are three classes of vendors, I mentioned it to your historical sim solution. There’s also a new startups that are, that are targeting this space and actually really challenging a lot of the traditional 10 vendors. And then there’s also, um, analytics vendors who are general purpose analytics platforms that your company actually might be using for business intelligence and customer intelligence that um, you know, specialized in data science and big data as companies are applying or applying them to the security challenge.

Speaker 2: And there’s more and more data that the big companies are generating every day. Think about just the transactional data from all your internal apps, user behavior from web and mobile, social media of data. And I repeat, there’s going to be an explosion of sensor data. Um, and then just there’s a data in front of me to where as for for generating this information, they’re collecting it, they’re storing it, they’re transforming it, and then they’re sharing it with partners. And they’re also buying it and selling it for partners as well. So there’s this free flow of information between all these certain parties, but then, or even just more sources of data and this generated, all this information is being generated in real time. So there’s an importance to being able to ingest it quickly. But here’s what’s happening today with all of this information. We’re injecting it into these platforms and the analytics comes after, um, you know, into a data warehouse into aware of how specifically for customer intelligence, uh, into our security analytics platform.

Speaker 2: So we first ingested into these platforms and then we perform the analytics on it. So the challenge that I see with security analytics platforms and I am a to Dab market for them, but they don’t necessarily fault every child that we have in security. You know, they’re still relying heavily on data from other security controls in your environment. Um, from your endpoints, from your firewall, from your user behavior analytics solution that you just deployed, your identity and access management government solution. Ultimately, again, this is what’s referred to in the industry is batch processing analytics. They have to first ingest all the data from the sources into the platform. And then they’re using all types of data science and analysis techniques to detect and respond to the threats. Um, they’re not as quick to incorporate new sources of data at scale. So you think about all the different types of IoT use cases and the kinds of data that they generate. They don’t respond as quickly as other analytics platforms, people that do ingested this type of new data. Um, so these are some of the challenges. It is essentially, um, essentially batch that prophecy. So there is going to be a delay, um, in your ability to detect and respond to these, to these events and they’re not as quick to incorporate new sources of data at a massive scale.

Speaker 2: No. Again, I am a big advocate of these platforms. When you stop talking about solving those challenges in the stock, uh, let me to ingest threat intelligence. You need to understand what, what’s the first order your industry and how you might adapt your security platform. Uh, well your entire security architecture, if you’re hunting malicious insiders, you know, if you have a malicious insider that someone you suspect of committing fraud, you’re involving the HR and you’re going to look at their patterns of behavior. And you might have to collect a lot of forensic evidence if you’re actually planning to like prosecute or take any kind of legal actions. There’s water hunting, um, of malicious insiders that happens. Um, identifying meaningful disabilities. You’ve got to see Lisa’s events prioritizing based on contextual information about the business. You know, is this impacting your revenue generating system, uh, or a system that’s under heavy regulatory compliance. Um, again, if you can kind of have, um, a targeted attack where you’re worried about sophisticated criminals being really felt and already in your environment trying to go into detected, again, you’re all that kind of historical analysis that you can do on the volumes of data that you have in this platform. Really important for that workflow. A lot of these analytics packages are providing overall workflow for forensic investigations, making sure that you follow every single step. And then as I mentioned, starting to automate some of the responses across multiple security controls.

Speaker 2: But at the end of the day, it’s still after the fact. Um, it’s historical security analytics. This an analysis of historical data in some situations, uh, situations that are urgent. Um, it can be way too late. Um, particularly if it’s going to cost the money from a lot of money. Um, could be some of health or physical safety is at risk. There was some situations where you actually need a factor type of, of analytics. And this is where streaming analytics comes in before stir has definition of streaming analytics. So they, um, filter, aggregate and rich and analyze a high throughput of data from a variety of data sources. Uh, just again, other analytics solutions, the identified patterns, detective urgent situations that automate actions. Can you, what I’ve underlined here is the most important difference. They’re doing it in real time. And in this case real means milliseconds or seconds. It doesn’t mean a few hours, but again, pretty analytics, huge improvement over what we’ve been doing today. Um, but we’re still talking hours of response. And even if you, you’re improving it from the 245 days, but it takes most companies to detective reads today, the conversation is still hours a days. We’re talking about situations where you’ve got to meet that detection and response and milliseconds and that and that’s where you need a streaming analytics solution.

Speaker 2: So 1.7, this is the percentage of retailers rec revenue that it’s actually lost to fraudulent transactions every year. And there’s all types of fraudulent transactions from fraudulent payments to again, people taking advantage of the business logic in, in a web or mobile app. Um, you know, so the question for us as a security team, and those are both all to involve in prod prevention and how can we prevent this kind of, um, retail, this retail fraud that’s costing our company millions in profits every single year, $50 million. Uh, this is the amount of money that the IRS transferred, uh, before they realize that they were being defrauded by cyber cyber criminals in the get transcript reach $15 million. Um, again, every one of these transactions was taking advantage of the business logic in there. Get transcripts reached. It wasn’t about exporting software code. It wasn’t, um, you know, using any of the other traditional security methods and literally just using, going PII to undermine the business logic within the application. And 50 million gallons dollars has gone before the IRS realized woven what was happening in. And the case is healthcare. I mean, healthcare is going under enormous transformation today. You know, there’s, there’s robotics, there’s telepresence, there’s few types of medical devices, there’s mobile applications, there’s consumer wearables that are specifically for a medical or health application. Um, you know, in these situations, the ability to detect and respond to a threat has to be in those seconds because it’s actually crucial to the health and physical safety of the individual.

Speaker 2: Manufacturing. Um, when you think about manufacturing, you know, we’re streamlining manufacturing processes with robotics, with sensors into supply chain and in, in those, the manufacturing process, uh, security can compromise with these particular diets, devices back to, we’ll call it production and the company’s profits. And in certain situations we actually could still pose a, uh, physical safety issue. Well, one thing I wanted to point out with, with IoT is I feel like often times we talk about IoT in the abstract as if it’s still several years away, but, but actually forced, you identified several use cases where IoT is already reality and that these use cases are actually applicable across multiple industries. Everything from physical security and surveillance to fleet management and all these use cases dramatically increase the attack surface for the firms that leverage them. But also for everyone else. Uh, you know, so for example, in the recency doc, uh, attack against dime, um, he had pack productions used a botnet of compromised video cameras to launch the attack.

Speaker 2: But you have to think about IoT in two ways. You first you have to think about your firm is an operator of IoT devices. How will your firm use IoT to engage with customers? You’re engaging with them in brick and mortar locations or through wearables, how you might be streamlining business prophecies like supply chain, inventory, warehousing through, you know, improving physical security. Whoever as you’re implementing IoT, you have to worry about how someone will compromise those devices. To Stop Your Business, to feel IP, steal customer data, or even put someone in Heart’s way. You go have to think about how the rest of the world will be using IoT and how that will impact you. Could be one of your partners. It could be too much you don’t even have a relationship with, but go to market with incredibly insecure and secure products that again, somebody can compromise who are the front your button at.

Speaker 2: Army streaming analytics solutions are, are designed with IoT in mind, uh, to connect and just data from a variety of sources and data and hype, the analyzed in real time, your new pending no second, and then they can take action by interfacing with other systems in the environment. So to me this is one of the biggest distinctions that you’ll see with any kind of like back prep proxy analytics solution that we might use for security analytics. These are sort of, uh, it’s real time. It’s designed for IoT. It can take immediate action through other, through interfaces with other systems. So like to say whenever the situation is urgent, that’s when you want to employ security analytics. Uh, I’m sorry, the streaming analytics solution, that’s where it’s most appropriate. And again, you just, some of the key, the key features of it, it gets real time.

Speaker 2: As is ingesting that information is correlating it in real time. Um, it has other features to where it can, it can take into account, um, different characteristics of location, uh, time, windows, temporal pattern detection, um, and then the response that you take, um, you can, you can automate that response using all kinds of business logic is both through the tools. Um, so again, if you do an analysis of a particular behaviors, it meets a certain threshold of risk that so the organization’s not comfortable with. You can take an immediate action to block that transaction. So again, that that logic will be, you can build into these types of solutions that interfaces to other types of systems. It’s flexible. Um, so you might, it’s got its perfectly applicability to security, but we are also going to find is screaming nails. Literally solutions are also already used in your environment today. Um, cause it’s got a lot of business cases and business intelligence and customer intelligence. And as I mentioned, it’s designed for, for IoT.

Speaker 2: This is a quick wrap up here in the next few minutes we have to make better, faster security decisions. Security analytics can help make that happen. I think in fact, analytics, I think it’s core to us being able to keep up with the changing threat landscape. There’s always going to be new preventative solutions. We’re always gonna be able to layer more progressive solutions. But ultimately we’ve, we’ve got to improve our detection capabilities and our ability to take an automated response. Um, definitely we need to do the, the time we’re team’s worried about blocking out within the transaction, those are long gone. Um, there’s too much at stake for the business. And in the case of IoT, you know, it’s bridging the logical and physical divided a very visceral way where, you know, again, people tell them physical safety could be at the, at risk. So the automation is critical because security analytics is a spectrum of capabilities, not a single product.

Speaker 2: Security analytics does not equal stem. Stem are evolving into much more valuable security analytics solutions. And I do think within the corners of Bach, your core log management and compliance with possibilities plus everything I outlined on that previous slide, we’re analyzing historical data, uh, is critically important to hunting malicious insiders, being able to really uncover, um, stealth advance attacks. That’s the, that’s the core, but there’s going to be urgent situations where you need no second type of response. And that’s where these streaming analytics solutions comes into play. Um, and I would also say too, the streaming analytics solution, they’re, they’re being used by organizations today who need to build a context into their mobile applications, into their web applications, into a variety of ways. Um, we’re having intelligence about the customer can lead to valuable services and offers and all kinds of, uh, personalized marketing and other types of promotions. So there could be the streaming analytics solutions in use were already in your organization today and they’re highly relevant to you and they’re very flexible. Um, you have the opportunity to because we’ve worked with other counterparts to figure out how they’re, they’re relevant to security.

Speaker 2: So with that, here’s my contact information. I’m going to be sticking around to the end. Um, and I’m going to be a 15 over now.

Speaker 5: Thank you. Stephanie. Hi, I’m Steve Books. I’m CTO and one of the founders of the Striim and I’m going to just very quickly walk you through the Striim platform and show you some use cases of how we actually apply a streaming analytics to security use cases in the real world. Striim is a full end to end streaming integration and intelligence platform that effectively does streaming analytics. And our goal is to enable organizations to make use of that data as being created. It’s a full end to end platform that enables you to collect data from lots of different sources, to process that data, to analyze it, to deliver it out to specific targets and to do all of this in a enterprise-grade fashion. And by that we mean that we’ve built the platform from the ground up to be scalable as a distributed system to handle recovery and failover and to ensure that we keep on going if you know, parts of the platform go down and so have security built into all aspects of our platform.

Speaker 5: So the data that we’re processing and the types of processing you’re doing are also secured. And when you’re using our platform, you work at a high level, you can use our UI to build data flows through a drag and drop interface or you can use our scripting language. You’re doing it in a declarative fashion where all of the processing is done through a secret light language. You don’t have to learn as a code to actually do any of this analytics. So I’m on top of all of this data processing. You can also build real time data visualizations and handle, uh, alerting and triggering external systems to actually take action when you see something interesting.

Speaker 5: The platform has been architected to be very modular. And so if we think about the forester definition of streaming analytics, you can see we do everything that’s needed. Um, we start off with streaming data collection where you can collect data from sensors or message cues or log files, um, and, and do this in a streaming fashion. So we’d like Bios, for example, one of the approaches that people are taking and kind of the big data world is to wait for files to be complete and then ship those, they pushed them into Hadoop or a big data lake and analyze them after the fact or throw them into a search index and analyze them after the fact. What we do is we listen to the end of the log file and the stream data assets being creative. So with, with everything, your data is real time.

Speaker 5: And with databases, most people think of databases as a historical record of what’s happened in the past. We use change data capture technology against databases. So we see the operations, the inserts, updates and deletes against that database as they’re happening in real time. So all of that stuff on the left on the site is collecting real time streaming data in milliseconds from lots and lots of different places. Once it’s in memory, in these data streams, you can process that data by filtering, transforming it. You can aggregate it within data windows, maybe the last minutes worth of data or last hours where the data, um, you can enrich that data. And this is actually quite crucial because quite often the source data does not have sufficient context for you to make decisions. So an example would be you’re getting data from an IoT device. It has a device id, you don’t know what that device is.

Speaker 5: But if you look in your device database or asset database and mowed that in his external context into memory, you now have some more information about that device. Maybe also includes its propensity for failure, what software release it’s on. Know a lot of different information that you can use to actually make decisions. Similarly with a database as you might have a customer id come in a database record change, you need to know about that customer. You need to have all the context, not just make decisions about that customer. So that external context and enriching the data in memory is a really crucial part of streaming analytics. When you’ve done all this processing, the processing happens in data flows. Okay. The results of that processing can be written as into databases, files pushed onto message queues in the cloud or big data. But crucially it can also be used to form the foundation for performing more detailed analytics.

Speaker 5: So it’s here where you’ll start to do things like complex event processing where you’re looking for sequences of events over time, across one or more data source that might indicate something interesting or you can do correlation. And Stephanie mentioned correlation, how important that is. And this can be tolerated correlation in time, it can be correlation in space and you’re looking for events that are related in some way. So in the security world, you may be looking for events in one or more security log or network activity or database activity that happen at the same time or in the same timeframe that might indicate that something bigger is going on. And so that correlation is, is crucial to almost all of this security on the six use cases that we’ve, we’ve been involved in. How’s, it also is a statistical analysis on a anomaly detection. So this is where you start looking at the data from a statistical perspective and you’re looking for deviations from what is normal that what is normal may not just be something as simple as a uh, you know, an average or standard deviations.

Speaker 5: It could be a model that you’ve created out of lots of historical data and you’re looking for deviations from that model. And so is there, you start to be able to kind of spot things even though you don’t know what it is you’re looking for. And all of the results of this analytics can be displayed in real time streaming dashboards that give you real insight into what’s happening right now. They can also be used to send alerts through email as some SMS and other means and to a trigger external things, et Cetera, workflows to actually take actions. The platform is a consistent end to end platform both from the architecture and all the pieces, but also from how you work with it. So you can use the UI to design data flows to build your analytics, to deploy and manage applications that are running within the cluster to create these streaming dashboards within the drag and drop and visualizations and to monitor the whole end to end and health of the platform.

Speaker 5: Yeah, so we see a lot of use cases because this is a general purpose streaming integration and analytics platform. We see a lot of use cases across a lot of different industries, whether it’s delivering data into a cloud or a quality of service management or working with IoT, right. But we have seen quite a lot of use cases that are around security risk and and fraud. And some of these are general purpose anomaly detection or more specific anti money laundering, fraud detection, uh, credential monitoring, looking at credentials that are being used across different aspects of the system. A lot of this involves a multicolored correlation where you’re looking across different logs to try and see something that that might be happening and we differ from a lot of the specific security points solutions in the, it’s much more of a custom business specific thing that you’re creating with that platform.

Speaker 5: So whereas the point solutions are kind of mostly batch, as Stephanie pointed out, Striim is always real time. It’s always acting within milliseconds. If the data being produced, instead of doing reactive detection where you’re saying, I’m going to do batch analysis and try and find out what happened, you can do proactive prevention, you can look for things while they’re happening and deal with them before they really have a massive impact. A lot of the point solutions also limited to a single data source or sources specifics of that solution. But with Striim you can correlate across data sources. So you can look across multiple security products. Oh, you can integrate security information with database activity or a weblog activity, so you’re not limited to what the security product wants you to do. And similarly because a security product wants to do a particular thing. If you’re building a solution using stream, it’s really your solution so you can customize it for your specific business requirements.

Speaker 5: And, and that’s honestly why a lot of customers have used us for sure this type of scenario because they can do exactly what they want rather than what the security product wants them to do. And of course, because it’s easy to build this and it is easy to build because you have this whole uh, declarative way of building since you don’t have to do any coding. Yeah. The evolution of your solution doesn’t depend on event. They’re releasing a new release, which may or may not contain the things that you’ve asked for. You can evolve it yourself as needed and you can add to it, you can add additional rules, you can add additional logic into your data flows as you see more things that you need to look for from a security analytics perspective. And of course, it’s not a single purpose platform. It’s something that’s multipurpose that can also be used for other types of elements within your organization or multiple security analytics types of applications.

Speaker 5: So is streaming analytics helps provide security protection because it gives organizations really fast way to connect different types of events across different sources to detect threat patterns and risks and to monitor this in real time to really understand what’s going on in your organization. So here’s some of the use cases that we’ve seen. So this first one is looking at multiple security products, uh, to identify cross domain issues that you may not see from a single security products. So we take the logs from multiple security products and then we can correlate data in those bugs using correlation cases. So for example, it might be, uh, an IP address or a customer information or some credential, um, that you’re correlating against and you’re doing this within a certain amount of time. You’re saying, hey, if I see something in this one security log that might indicate something interesting.

Speaker 5: Is there something else going on in the other security logs that might indicate that it is something that is bigger? Yeah, I simple example, um, which they’re probably already solution set therefore would be, you know, if someone’s trying to access a single machine and they try and log in more than a certain number of times, they’ll be locked out. That’s the automatic part of that machine. But if they try and do that across a hundred different machines and the, to try and log in once, then you’re not going to see that on any one machine you start in, then it’d be flags as a violation. So you’d need to actually correlate the security logs across all those machines and say, okay, the same users trying to log in across all these machines. So that’s a very simple example, but you can see how that can be expanded to correlate across multiple security products. So of course you don’t have to limit yourself to the data from the security products. You can include. Yeah. Other things like, you know, and, and black lists or um, location that goes based on IP and that kind of thing, you know, to twice you get more detail into what you displaying.

Speaker 5: Another kind of very specific use case we had was correlating, uh, VPN logs to application activity. And so this was looking at the credentials used for both. And the reason this was important was because it’s already been identified that people can fish, they can obtain credentials, they can hack into a email, um, and once the, in the email they may be able to find, uh, the security credentials and it has been seen that people have security credentials in emails. Um, okay. So if you can get into the VPN then as Stephanie said, you have access to a lot of the organization. So what they were looking for was people that got into the VPN but then was trying to hack into the applications. So we’re trying different credentials in the applications and different credential and password combinations to try and get them to the applications. So to do this, they had to correlate using the internal IP address that was given from the VPN with the internal IP address that was used in the application on the user credentials that we used in both and try and spot when they were different. And to alert on that immediately and take action to Ivig, that person evict that and to stop the exploit from happening. Cause that was really the start of something bigger.

Speaker 5: A specific use case in, in front in finance, uh, was looking at, uh, transactions happening on ACM or point of sale devices. And this was actually so strong. Their database already had a database into which all these transactions landed. So we did change data capture on that database to see those transactions in real time as they were occurring, corresponded to actual ATM or point of sale transactions. And then we were looking at, uh, based on information we had about the acs and the kind of sales, what were the locations of those things and what was the distance between the two on the same account? So if you had activity from the same account, um, that was too far apart for you to have physically moved from ATB in the time between the transactions. The only was it flagged and alerted and you could see it in a dashboard, but it actually triggered a workflow that would request a secondary authentication, uh, in, in form of a text message that needed to be replied to on that second transaction before it did take place.

Speaker 5: Okay. And the final use case is actually looking for money laundering. So this is usually a combination of transaction information, market information, customer reference data, and there was a whole bunch of rules that were built up or brand activity that might indicate money laundering. So for example, if you have deposits from multiple locations into the same account over a period of time, short period of time, then that might indicate money laundry. If you didn’t have much activity on a camp and then suddenly there was a higher than average amount of activity going on on that campus, then that could also indicate money volunteering. If there were lots of deposits in small denominations and then a large, even number denomination withdrawal that could also indicate money monitoring. And there were a lot more rules like this. So not only was this, um, delivered through our dashboard and through the email alerts when something interesting was happening, there needs to look at all of the data that we accumulated and be information around whether it was my lunch or the novel was put into a enterprise data warehouse where they should do more modeling, they could do historical analysis and they could do reporting off that.

Speaker 5: And that was all done through our platform. So at this point I think we’ll open it up to questions. Um, and we probably have the questions already in the Q and. A

Speaker 4: thanks so much Steve.

Speaker 1: I’d like to remind everyone, submit your questions by the chat or QA panel on the right hand side of your screen. While we’re waiting, I’ll mention that the sides from today’s presentation as well as the recording of this webinar will be made available for download. Also all attendees of today’s Webinar will receive a copy of the December, 2016 forester data security benchmark report entitled understand the State of data security and privacy. 2016 to 2017 we will be sending out a followup email with links to these assets within the next few days. Now let’s get to the Q. And. A. Uh, the first question is for Stephanie is from Tony. He asked, do you see this converging into a single platform or keeping it separate where the sox systems monitor for known types of events? Was the l analytical system then mining and the same data for events for which rules signatures do not exist?

Speaker 2: Good question. I think there’s a slight you want to that. I think the SOC system, you know, those traditional platforms that are evolving, curing analytics platforms plus the pool of new competitors, I think they become the primary platform for the stock and they’re the primary platform for his storable data analysis. You know, keep in mind that like your log management requirements, your compliance requirements, they don’t go away. So you still do have an as facility to um, ingest and maintain those along those log for long periods of time. Um, those, those same platforms are also using data science techniques to do a better job of being able to detect a threat sets. Um, you know, the rule base in the signature base. Uh, threats can’t detect, um, you know, behavioral. Now the perfect example, whether that user or network or actually a combination of both of them, I’m just looking for abnormal activity.

Speaker 2: That’s a likely good indicator of some kind of compromise. But with would there what they don’t do well is, you know, in a situation, um, maybe with a teacher that presented here was that kind of talked about those urgent situations where um, the historical analysis is too late, have to make it in real time. You have to block the transaction that you know, is fraud, uh, before it completes. You have to stop the money transfer. You have to stop the medical device compromise. So I think the FDA platforms before in the core of the SOC, um, these other analytics who see analytics will be targeted at those urgent situations. You might even have them integrated back to that, that mean main a platform. But I think we’ll continue to turning separate a this the other place. And I picked it out at a couple of times.

Speaker 2: Security analytics going there, we’re going to focus a lot on org data. If you look at a lot of the investments that these vendors are making in, they’re trying to actually orchestrate the incident response process. So, um, you know, if anybody on the phone is in a US federal agency or, or working the defense industrial base or even does business, federal government, you have to comply with the incident response handling framework. And there’s other standards for other industries as well. So these solutions are also doing a better job of actually orchestrating that, respond to comply with those standards that you don’t actually miss the step, but you actually gather all the data in a forensic manage manner that’s legally defensible, that you don’t skip a notification step. Um, you know, and actually all the way all through like breach response. So I, I kind of also see them going in a, a different direction where, um, they’ll continue to prove their own detection and now capabilities, but they’re gonna stay focused on that historical analysis and then they’re going to do a lot more in orchestrating IRR.

Speaker 1: Excellent. Thanks for that detailed response. Stephanie, this next question is also for you, it’s from Dave. He’s asking about the definition of real time. Is He’s asking, is this after the transaction or during the process of data flowing throughout the network?

Speaker 2: Hey, it could be both. I mean, for me, I was using time-based, so as data is flowing through the network, you know, particularly if it’s a online transaction, you want to stop it before the transaction actually complete. Um, ideally, so you might be, um, taking into account all kinds of information about a user who’s attempting to complete the transaction. Um, their device dates, their location, um, historical information about their typical behavior you can do actually be as employing across the network. You’ll actually be correlating that and making a decision. Um, also based on the value of the transaction and how risky it is, whether or not you want that to this to actually please, that’s something that you would do before it actually there. There might also be instances where the transaction, the event goes complete.

Speaker 1: But again, you’re, you’re, you’re stopping, uh, additional events and activities of a similar nature in, in milliseconds. So to me it’s more about flowing through the network as opposed to already having, um, had an impact.

Speaker 1: Great. Thanks again. I think we have time for just one more question. This question is for you Steve. It’s from John and he’s asking what are some of the data sources you’ve been seeing your customers using for security analytics?,

Speaker 5: So we’ve seen a whole variety of different sources. It could be, uh, VPNs routers, decoders, uh, net flow. Uh, we’ve seen night cap use and other network logs. Um, but then also things I, you know, web server access logs and the error logs, uh, application server logs are, you know, the application logs, a database logs, um, and database activity through change, data capture. Um, and of course sensor data that may be coming in from IoT, uh, UDP, TCP, ACP, MQTT, we see a whole variety of different sources really depending on what the specific use case the customer’s trying to solve is. And now related to real time, everything really is as real time as the day that you can get. And the closer to that data creation you can get, the better. Um, if you are, you know, shipping logs to us that have been written and Arrigo, then we’re not going to be particularly real time, but if you can give us access to where those logs were originally being written or have the data delivered to us immediately through, I’m a messaging system rover, some, a network protocol, then we’re going to be able to, uh, get that, yeah, that day there and process it much, much faster.

Speaker 5: So, uh, yeah, the sources are continually expanding and as we see new requirements and those new protocols become popular, especially on the IoT side, we’re continually adding these. Um, so yeah, the associates are, you know, very varied from use case to use case. Um, but one thing that we do normally see and a lot of these use cases, there’s some degree of correlation across these sources and some degree of context and enrichment of the initial data as well.

Speaker 4: Okay.

Speaker 1: Right. Thanks so much Dave. Um, it looks like we’re out of time. I’m very sorry if we did not get to your specific question. We will follow up with you within the next few minutes and, and get you a answers. Thank you again for joining us today and have a great rest of your day.