The coming Internet of Everything (IoE) will add thousands if not millions of sensors, devices, and automated systems to enterprise networks. However, most of these endpoints will not support security capabilities, making them useful to hackers as a way to access and attack the connected network.
This IoE security challenge is reflected in two critical questions for information security departments:
● How can we protect our network, data, and applications from threats that could come from millions of endpoints, most of which can’t be secured?
● How will we be able to analyze the huge volume of status and operational data generated by IoE devices for potential attacks and risks?
“Security managers will need the ability to leverage IoE data not only to identify specific threats, but also to learn about what types of traffic or activity represent an actual risk,” says Logan Wilkins, program manager, Cisco InfoSec.
Building a Security Data Infrastructure
For Cisco IT, answering the questions about IoE security means first looking at the network level, which is the best place to gather security-related information and where security measures have the most effect.
To gather IoE security information within Cisco, we are deploying a system to collect network traffic data that reaches a volume of billions of records per day. The initial focus of the system is Domain Name System (DNS) data, which as of mid-2015 means collecting up to three billion events daily, even before we’ve started to deploy massive numbers of IoE sensors. We started with DNS data because of these factors:
● The volume is large enough to validate that our data collection and processing systems will be adequate to handle the higher data volumes generated by IoE elements.
● DNS records provide an easy, fast way to find many security problems.
● DNS also provides an important foundation for deeper analysis into other protocols that may be involved in a breach or attack.
In the future, we plan to expand data collection to include NetFlow, which will help us automatically detect and handle more security threats.
Machine Learning for Data Filtering and Correlation
To make all of this information useful to Cisco® security teams, we are applying machine learning technology. Sophisticated learning algorithms classify and correlate the data to identify unusual events, outlier values, and unexpected behaviors. Examples of how we will apply machine learning to IoE security data include:
● Using advanced learning algorithms to recognize with a high degree of confidence those external hosts that are likely to have malicious intent.
● Analyzing the behavior of hosts and devices on our network to discern unusual activity that would indicate malware or unauthorized control of the device.
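As an added illustration of the host-behaviour analysis listed above (example code written for this page, not Cisco's iCAM, Splunk or StealthWatch logic), the Python below scores a constructed DNS query log per client on query volume and on the entropy of the leftmost label, then flags clients whose robust (MAD-based) z-score is an outlier; the log format, client addresses, sample domains and the 3.5 threshold are all assumptions.

```python
import hashlib
import math
from collections import defaultdict
from statistics import median

# Constructed sample log, one query per line: "<timestamp> <client> <qname> <qtype>". Five workstations
# behave normally; 10.1.1.99 bursts queries to random-looking labels (SHA-256 digests stand in for DGA names).
BENIGN = {
    "10.1.1.20": ["www.example.com", "mail.example.com", "cdn.example.net"],
    "10.1.1.21": ["www.example.com", "intranet.example.com", "www.example.com", "mail.example.com"],
    "10.1.1.22": ["www.example.com", "cdn.example.net", "cdn.example.net"],
    "10.1.1.23": ["www.example.com", "mail.example.com", "intranet.example.com", "www.example.com", "cdn.example.net"],
    "10.1.1.24": ["www.example.com", "mail.example.com"],
}
SUSPECT = {"10.1.1.99": [hashlib.sha256(f"constructed-{i}".encode()).hexdigest()[:12] + ".example.org"
                        for i in range(30)]}
SAMPLE_LOG = [f"2015-06-01T10:00:00 {client} {qname} A"
              for hosts in (BENIGN, SUSPECT) for client, names in hosts.items() for qname in names]

def label_entropy(qname: str) -> float:
    """Shannon entropy (bits per character) of the leftmost DNS label; random labels score high."""
    label = qname.split(".")[0]
    probs = [label.count(ch) / len(label) for ch in set(label)]
    return -sum(p * math.log2(p) for p in probs)

def host_features(lines):
    """Per-client query count and mean leftmost-label entropy, the two behavioural features scored below."""
    per_client = defaultdict(list)
    for line in lines:
        _ts, client, qname, _qtype = line.split()
        per_client[client].append(label_entropy(qname))
    return {c: {"count": len(e), "entropy": sum(e) / len(e)} for c, e in per_client.items()}

def modified_z(value: float, values) -> float:
    """Robust z-score using the median absolute deviation (MAD), so the outlier cannot mask itself."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:  # all-identical column: anything off the median is an outlier
        return 0.0 if value == med else math.inf
    return 0.6745 * (value - med) / mad

def flag_outliers(features, threshold: float = 3.5):
    """Map each flagged client to the feature names whose robust z-score exceeds the threshold."""
    flagged = {}
    for name in ("count", "entropy"):
        column = [f[name] for f in features.values()]
        for client, f in features.items():
            if modified_z(f[name], column) > threshold:
                flagged.setdefault(client, []).append(name)
    return flagged
```

Calling `flag_outliers(host_features(SAMPLE_LOG))` flags only 10.1.1.99, on both features; in production the same scoring would run over a rolling window per host so that a genuinely busy server is baselined rather than flagged.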
Security Data System Deployment
Cisco IT tested the new security data system in a proof-of-concept project that included the following elements:
● Cisco Unified Computing System™ (Cisco UCS®) servers for the data processing and access applications
● MapR file system for data storage as well as a time-based database for events that are generated as a time series
● Splunk for automated filtering and initial analysis of events, which creates more useful information for detailed assessment by the Cisco security team
● Lancope StealthWatch hardware for monitoring and ad hoc searches in the NetFlow data
Figure 1 presents a high-level architecture view of the data collection and processing system.
Figure 1. Cisco IT Architecture for Security Data Analysis
We know that defending the Cisco network as it connects more IoE sensors and devices will require the ability to quickly identify new threats. That’s why we’re focusing on two critical capabilities in the security data infrastructure: scalability and automation.
Scalability to Handle Huge Data Volumes
Scalability is first about handling an enormous and ever-growing volume of network data. “If we have the infrastructure to handle billions of events today, then we can be confident about handling the even higher volumes of data that come with IoE,” says Jeff Bollinger, senior investigator, Cisco InfoSec.
We also want a scalable infrastructure design that will allow us to collect and process log data from other IoE monitoring programs as well as data from sources outside the network.
Automated, Intelligent Event Processing
Continual improvement in the machine learning capabilities will allow our automated event processing to become more intelligent over time. Increasing automation will also reduce the number of events that will need to be evaluated by a Cisco security analyst, even as IoE brings more data and new threats.
We also apply automated event processing with machine learning to identify risks in outbound network traffic. For example, our internally developed iCAM software analyzes user behavior (including outbound data transfers) and generates alerts when that behavior violates Cisco security policies.
However, “There will always be a place for human analysis because we can’t know for sure in some situations whether something is really bad or not, so we can’t set up all events for automated handling,” says Bollinger. “We need the knowledge of our security analysts to identify which events indicate a false positive and which indicate a true problem.”
For More Information
Cisco IT Case Study: How Cisco Automates Protection of Intellectual Property
Cisco IT Case Study: Using Lancope StealthWatch for Information Security Monitoring
Cisco Unified Computing System
To read additional Cisco IT case studies about a variety of business solutions, visit Cisco on Cisco: Inside Cisco IT
To view Cisco IT webinars and events about related topics, visit Cisco on Cisco Webinars & Events
This publication describes how Cisco has benefited from the deployment of its own products. Many factors may have contributed to the results and benefits described. Cisco does not guarantee comparable results elsewhere.
CISCO PROVIDES THIS PUBLICATION AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Some jurisdictions do not allow disclaimer of express or implied warranties; therefore, this disclaimer may not apply to you.