Securing the Data in Big Data Security Analytics

Published: 01 Jan 2013, Last Modified: 16 May 2025. IACR Cryptol. ePrint Arch. 2013. CC BY-SA 4.0
Abstract: Security analytics is a catchall term for vulnerability assessment in large organizations capturing a new emerging approach to intrusion detection. It leverages a combination of automated and manual analysis of security logs and alerts which originate from a wide and varying array of sources and are often aggregated into a massive data repository. Such log and alert sources include firewalls, VPNs, and endpoint instrumentation, such as intrusion-detection systems, syslog or other alerting host facilities, that we generically call Security Analytics Sources (SASs). Security analytics are only as good as the data being analyzed. Yet nearly all security analytics systems today suffer from a lack of even basic protections on data collection. By merely monitoring network traffic, an adversary can eavesdrop on SAS outputs to discover sensitive SAS instrumentation and security-alerting behaviors. Moreover, by using advanced malware, an adversary can undetectably suppress or tamper with SAS messages to conceal attack evidence and disrupt intrusion detection. We introduce PillarBox, a tool for securely relaying SAS data in a security analytics system. PillarBox enforces integrity: It secures SAS data against tampering, even when such data is buffered on a compromised host within an adversarially controlled network. Additionally, PillarBox (optionally) offers stealth: It can conceal SAS data, alert-generation activity, and potentially even alerting rules on a compromised host, thus hiding select SAS alerting actions from an adversary. We present an implementation of PillarBox and show experimentally that it can secure messages against attacker suppression, tampering or discovery even in the most challenging environments where SASs generate real-time security alerts related to a host compromise directly targeting to diminish their alerting power.
We also show, based on data from a large enterprise and on-host performance measurements, that PillarBox has minimal overhead and is practical for real-world security analytics systems.