Assume that an agency has focused its system development and critical infrastructure data correlation efforts on separate engineering management systems for different types of assets and is working on

Chapter 9 – Correlation
Cyber Attacks: Protecting National Infrastructure, 1st ed.
Copyright © 2012, Elsevier Inc. All Rights Reserved

Introduction
• Correlation is one of the most powerful analytic methods for threat investigation

Fig. 9.1 – Profile-based activity anomaly

Introduction
• Comparing data determines what is normal and what is an anomaly

Fig. 9.2 – Signature-based activity match

Introduction
• Data comparison creates a clearer picture of adversary activity
  – Profile-based correlation
  – Signature-based correlation
  – Domain-based correlation
  – Time-based correlation
• We still rely on human analysis of the data; no software can factor in all the relevant elements

Fig. 9.3 – Domain-based correlation of a botnet attack at two targets

Fig. 9.4 – Time-based correlation of a botnet attack

Fig. 9.5 – Taxonomy of correlation scenarios

Conventional Security Correlation Methods
• Threat management – data from multiple sources is correlated to identify patterns, trends, and relationships
  – The approach relies upon security information and event management (SIEM)
• Commercial firewalls are underutilized as a correlation data source
• The correlation function can be decentralized, but that often complicates the process

Fig. 9.6 – Correlating intrusion detection alarms with firewall policy rules
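The four correlation types listed in the introduction (profile, signature, domain, time; Figs. 9.1 to 9.4) are easiest to tell apart when run side by side over the same records. The following Python is an added example for these notes, not code from the book or its publisher. The flow records, the quiet-period baseline, the single SQL-injection signature and the site names are all constructed here; the addresses are documentation ranges. Note that the same source can be a domain-based hit without being a time-based hit: the two methods ask different questions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow records for this example: (timestamp, source, target, dst port, bytes, request).
# Two monitored targets, siteA and siteB; addresses are documentation ranges.
EVENTS = [
    ("2012-03-01T10:00:05", "203.0.113.7", "siteA", 80, 1200, "GET /index.html"),
    ("2012-03-01T10:00:09", "203.0.113.7", "siteB", 80, 1180, "GET /index.html"),
    ("2012-03-01T10:00:12", "198.51.100.4", "siteA", 80, 900, "GET /login?user=admin' OR '1'='1"),
    ("2012-03-01T10:00:14", "203.0.113.7", "siteA", 80, 1210, "GET /index.html"),
    ("2012-03-01T10:00:15", "203.0.113.7", "siteB", 80, 1190, "GET /index.html"),
    ("2012-03-01T10:45:00", "192.0.2.9", "siteA", 443, 98000, "POST /api/export"),
    ("2012-03-01T10:46:00", "192.0.2.10", "siteA", 443, 1400, "GET /api/status"),
    ("2012-03-01T11:30:00", "198.51.100.4", "siteB", 80, 800, "GET /about.html"),
]

# Constructed baseline of request sizes seen during a quiet period (the learned profile).
BASELINE_BYTES = [1000, 1200, 1100, 950, 1300, 1150, 1050, 1250]

# Constructed signature list: one SQL-injection pattern.
SIGNATURES = [r"'\s*OR\s*'1'\s*=\s*'1"]


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def profile_anomalies(events, baseline, k=3.0):
    """Profile-based (Fig. 9.1): sources whose request size is more than k standard
    deviations above the baseline mean."""
    threshold = mean(baseline) + k * pstdev(baseline)
    return {src for _, src, _, _, nbytes, _ in events if nbytes > threshold}


def signature_matches(events, signatures):
    """Signature-based (Fig. 9.2): sources whose request matches a known-bad pattern."""
    compiled = [re.compile(p, re.IGNORECASE) for p in signatures]
    return {src for _, src, _, _, _, req in events if any(c.search(req) for c in compiled)}


def domain_correlate(events):
    """Domain-based (Fig. 9.3): the same source seen at more than one monitored target,
    regardless of when."""
    targets = defaultdict(set)
    for _, src, tgt, _, _, _ in events:
        targets[src].add(tgt)
    return {src for src, tg in targets.items() if len(tg) > 1}


def time_correlate(events, window_s=10):
    """Time-based (Fig. 9.4): the same source hitting two different targets within
    window_s seconds; a repeat visit hours later does not count."""
    by_src = defaultdict(list)
    for t, src, tgt, _, _, _ in events:
        by_src[src].append((ts(t), tgt))
    hits = set()
    for src, seq in by_src.items():
        seq.sort()
        for (t1, g1), (t2, g2) in zip(seq, seq[1:]):
            if g1 != g2 and (t2 - t1).total_seconds() <= window_s:
                hits.add(src)
    return hits


def correlate(events=EVENTS):
    return {
        "profile": profile_anomalies(events, BASELINE_BYTES),
        "signature": signature_matches(events, SIGNATURES),
        "domain": domain_correlate(events),
        "time": time_correlate(events),
    }


if __name__ == "__main__":
    for kind, sources in correlate().items():
        print(f"{kind:10s} {sorted(sources)}")
```

On this data 198.51.100.4 is a domain-based hit (it visited both sites) but not a time-based one (the visits are ninety minutes apart), while 203.0.113.7 is both; the profile check catches only the oversized export, and the signature check only the injection attempt. Each method alone would give an analyst a different, partial picture.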
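Fig. 9.6 correlates intrusion detection alarms with the firewall policy that governed the same traffic; the point of the slide is that firewall policy is an underused correlation input. The Python below is an added example written for these notes, not the book's code. The rule set, the alarms and the priority scheme are constructed: the policy is evaluated top-down with first match wins and an implicit deny, and the sensor is assumed to sit outside the firewall, so an alarm on traffic the policy drops is lower priority than one on traffic the policy let through.

```python
import ipaddress

# Constructed firewall policy: evaluated top-down, first match wins, implicit deny at the end.
RULES = [
    {"id": 10, "action": "allow", "proto": "tcp", "src": "0.0.0.0/0", "dst": "192.0.2.0/24", "port": 443},
    {"id": 20, "action": "allow", "proto": "tcp", "src": "198.51.100.0/24", "dst": "192.0.2.10/32", "port": 22},
    {"id": 30, "action": "deny", "proto": "tcp", "src": "0.0.0.0/0", "dst": "192.0.2.0/24", "port": 22},
]

# Constructed intrusion-detection alarms from a sensor placed outside the firewall.
ALERTS = [
    {"id": "a1", "sig": "SSH brute force", "proto": "tcp", "src": "203.0.113.5", "dst": "192.0.2.10", "port": 22},
    {"id": "a2", "sig": "SSH brute force", "proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10", "port": 22},
    {"id": "a3", "sig": "TLS anomaly", "proto": "tcp", "src": "203.0.113.5", "dst": "192.0.2.20", "port": 443},
    {"id": "a4", "sig": "SMB probe", "proto": "tcp", "src": "203.0.113.5", "dst": "192.0.2.20", "port": 445},
]


def matching_rule(rules, alert):
    """First policy rule covering the alarm's protocol, port, source and destination,
    or None when the implicit deny applies."""
    src = ipaddress.ip_address(alert["src"])
    dst = ipaddress.ip_address(alert["dst"])
    for rule in rules:
        if (rule["proto"] == alert["proto"] and rule["port"] == alert["port"]
                and src in ipaddress.ip_network(rule["src"])
                and dst in ipaddress.ip_network(rule["dst"])):
            return rule
    return None


def triage(alerts, rules):
    """Correlate each alarm with the policy decision that applied to the same traffic.
    Returns alert id -> (decision, rule id or 'implicit', priority)."""
    result = {}
    for alert in alerts:
        rule = matching_rule(rules, alert)
        if rule is None:
            result[alert["id"]] = ("deny", "implicit", "low")
        elif rule["action"] == "allow":
            result[alert["id"]] = ("allow", rule["id"], "high")
        else:
            result[alert["id"]] = ("deny", rule["id"], "low")
    return result


def reached_targets(alerts, rules):
    """Per source, the alarms whose traffic the policy actually let through."""
    out = {}
    for alert in alerts:
        decision, _, _ = triage([alert], rules)[alert["id"]]
        if decision == "allow":
            out.setdefault(alert["src"], []).append(alert["id"])
    return out


if __name__ == "__main__":
    for aid, verdict in triage(ALERTS, RULES).items():
        print(aid, verdict)
    print(reached_targets(ALERTS, RULES))
```

Three of the four alarms come from 203.0.113.5, but only its TLS alarm concerns traffic the firewall admitted; the SSH and SMB alarms were dropped by rule 30 and the implicit deny. The placement assumption matters: if the sensor were inside the firewall, a "blocked" verdict on observed traffic would instead mean the policy is not doing what it says, which is a finding in its own right.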
Quality and Reliability Issues in Data Correlation
• The quality and reliability of data sources are important to consider
• Service level agreements
  – Service level agreements guarantee the quality of data
  – Quality and reliability are not guaranteed with volunteered data
• Without consistent, predictable, and guaranteed data delivery, correlations are likely to be incorrect and data is likely to be missing

Fig. 9.7 – Incorrect correlation result due to imperfect collection

Correlating Data to Detect a Worm
• Network service providers have the best vantage point for correlating data across multiple organizations, regions, etc.
• Network service providers have a view of network activity that allows them to see problems no single customer can see from its own vantage point

Fig. 9.8 – Time-based correlation to detect a worm

Correlating Data to Detect a Botnet
• The context of carrier infrastructure may offer the best chance to perform correlation relative to a botnet
• Botnets are often widely distributed geographically
• Sharing information on botnet tactics might help others protect themselves

Fig. 9.9 – Correlative depiction of a typical botnet

Large-Scale Correlation Process
• For national infrastructure protection, large-scale correlation of all-source data is complicated by several factors
  – Data formats
  – Collection targets
  – Competition
• These can only be overcome with a deliberate correlation process
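Fig. 9.7 shows a correlation going wrong because a feed was missing rather than because the logic was wrong. The Python below is an added example for these notes, not from the book: it runs the same domain-based check twice, once over complete collection and once with one site's sensor silent, and reports the feed coverage alongside the verdict so the analyst can see which results rest on missing data. The three sites, the 60-second heartbeat interval used as the service level, and all records are constructed.

```python
from datetime import datetime


def ts(s):
    """Constructed times are HH:MM:SS on a single day."""
    return datetime.strptime(s, "%H:%M:%S")


# Three sites feed a central correlator; each sensor is expected to heartbeat every 60 s.
FULL_HEARTBEATS = {site: [f"10:{m:02d}:00" for m in range(11)] for site in "ABC"}
# Degraded case: site B's sensor goes silent after 10:02:00.
DEGRADED_HEARTBEATS = dict(FULL_HEARTBEATS, B=FULL_HEARTBEATS["B"][:3])

# Collected records: (time, site, source). In the degraded case the site B record never arrives.
FULL_EVENTS = [
    ("10:03:10", "A", "203.0.113.7"),
    ("10:05:40", "B", "203.0.113.7"),
    ("10:04:00", "C", "198.51.100.9"),
]
DEGRADED_EVENTS = [e for e in FULL_EVENTS if e[1] != "B"]


def silent_feeds(heartbeats, start, end, sla_s=60):
    """Sites whose largest heartbeat gap inside [start, end] exceeded the agreed interval.
    The window edges count as boundaries so a feed that dies early or starts late is caught."""
    silent = []
    for site, beats in heartbeats.items():
        points = [start] + sorted(ts(b) for b in beats if start <= ts(b) <= end) + [end]
        worst = max((b - a).total_seconds() for a, b in zip(points, points[1:]))
        if worst > sla_s:
            silent.append(site)
    return silent


def correlate_source(events, heartbeats, source, start="10:00:00", end="10:10:00", sla_s=60):
    """Domain-based verdict for one source, tagged with the collection coverage behind it."""
    t0, t1 = ts(start), ts(end)
    sites = {site for t, site, src in events if src == source and t0 <= ts(t) <= t1}
    missing = silent_feeds(heartbeats, t0, t1, sla_s)
    return {
        "source": source,
        "sites_seen": sorted(sites),
        "verdict": "coordinated" if len(sites) >= 2 else "single-site",
        "missing_feeds": missing,
        "reliable": not missing,
    }


if __name__ == "__main__":
    print(correlate_source(FULL_EVENTS, FULL_HEARTBEATS, "203.0.113.7"))
    print(correlate_source(DEGRADED_EVENTS, DEGRADED_HEARTBEATS, "203.0.113.7"))
```

With full collection the source is seen at A and B and the verdict is "coordinated". With B silent the same source is "single-site", which is the wrong answer of Fig. 9.7; the difference is that the second result is marked unreliable and names the missing feed, so it is not mistaken for a clean negative. Volunteered feeds with no heartbeat commitment cannot be checked this way at all.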
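Fig. 9.8 detects a worm by correlating activity over time: the tell-tale is not one noisy host but hosts that were scan targets in one interval becoming scanners in the next. The Python below is an added example for these notes, not the book's code. The flow records, the port, the fan-out threshold of eight distinct hosts per minute and the subnet are constructed; a backup server that legitimately touches a few hosts on the same port is included to show that fan-out alone is not the signal.

```python
from collections import defaultdict

PORT = 445
VICTIMS = [f"10.0.0.{n}" for n in range(2, 14)]   # twelve hosts on the constructed subnet


def constructed_flows():
    """Flow records (seconds, src, dst, dst port). A worm on 10.0.0.1 sweeps the subnet in
    minute 0; hosts it reached start sweeping in minutes 1 and 2. A backup server
    (10.0.0.100) legitimately contacts three hosts per minute on the same port."""
    waves = {0: ["10.0.0.1"], 1: ["10.0.0.2", "10.0.0.3"], 2: ["10.0.0.4", "10.0.0.5", "10.0.0.6"]}
    flows = []
    for minute in range(3):
        active = [s for m, srcs in waves.items() if m <= minute for s in srcs]
        for scanner in active:
            for i, victim in enumerate(v for v in VICTIMS if v != scanner):
                flows.append((minute * 60 + i, scanner, victim, PORT))
        for i, dst in enumerate(VICTIMS[:3]):
            flows.append((minute * 60 + 20 + i, "10.0.0.100", dst, PORT))
        flows.append((minute * 60 + 30, "10.0.0.50", "10.0.0.1", 80))   # unrelated web traffic
    return flows


def scanners_by_minute(flows, port=PORT, fanout=8):
    """Sources contacting at least `fanout` distinct hosts on `port` within one minute."""
    per_min = defaultdict(lambda: defaultdict(set))
    for t, src, dst, p in flows:
        if p == port:
            per_min[t // 60][src].add(dst)
    return {m: {s for s, d in hosts.items() if len(d) >= fanout} for m, hosts in sorted(per_min.items())}


def worm_timeline(flows):
    """Per minute: (minute, new scanners, new scanners that were earlier scan targets,
    infected total). New scanners that were earlier targets are the propagation signal."""
    infected, prior_targets, timeline = set(), set(), []
    for minute, scanners in scanners_by_minute(flows).items():
        new = scanners - infected
        spawned = new & prior_targets
        infected |= scanners
        for t, src, dst, p in flows:
            if t // 60 == minute and src in scanners:
                prior_targets.add(dst)
        timeline.append((minute, len(new), len(spawned), len(infected)))
    return timeline


def looks_like_worm(timeline):
    """Worm verdict: at least one target-turned-scanner and a non-shrinking infected set."""
    totals = [row[3] for row in timeline]
    return any(row[2] > 0 for row in timeline) and totals == sorted(totals)


if __name__ == "__main__":
    tl = worm_timeline(constructed_flows())
    for row in tl:
        print("minute %d: new=%d spawned-from-targets=%d infected=%d" % row)
    print("worm" if looks_like_worm(tl) else "no worm")
```

The infected count grows 1, 3, 6 across the three minutes and every new scanner after the first was itself scanned earlier; the backup server never crosses the fan-out threshold. A provider watching many customers sees this growth curve across organizations, which is the vantage point the slides describe.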
Fig. 9.10 – Large-scale, multipass correlation process with feedback

National Correlation Process
• Organizations with national infrastructure responsibility should be encouraged to create and follow a local program of data correlation
• National-level programs might be created to correlate collected data at the highest level. This approach requires the following:
  – Transparent operations
  – Guaranteed data feeds
  – Clearly defined value proposition
  – Focus on situational awareness
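The Large-Scale Correlation Process slides name data formats as the first obstacle and Fig. 9.10 shows a multipass process with feedback. The Python below is an added example for these notes, not code from the book: it maps two constructed record formats (key=value firewall lines and JSON intrusion-detection lines) onto one schema, then runs two passes where the first pass's output is fed back as a watchlist for the second. The formats, field names and records are all made up for the example.

```python
import json
import re
from collections import defaultdict

# Constructed raw records in two formats from two organizations' sensors.
FIREWALL_LINES = [
    "Mar  1 10:00:01 fw1 action=deny src=203.0.113.7 dst=192.0.2.11 dport=22",
    "Mar  1 10:00:03 fw1 action=deny src=203.0.113.7 dst=192.0.2.12 dport=22",
    "Mar  1 10:00:05 fw1 action=allow src=198.51.100.4 dst=192.0.2.11 dport=443",
]
IDS_LINES = [
    '{"ts": "2012-03-01T10:00:02", "src_ip": "203.0.113.7", "dest_ip": "192.0.2.10", "alert": "SSH brute force"}',
    '{"ts": "2012-03-01T10:00:07", "src_ip": "198.51.100.4", "dest_ip": "192.0.2.11", "alert": "TLS anomaly"}',
]

KV = re.compile(r"(\w+)=(\S+)")


def normalize(firewall_lines, ids_lines):
    """Pass 0: map both formats onto one schema (source, target, kind, detail)."""
    events = []
    for line in firewall_lines:
        f = dict(KV.findall(line))
        events.append({"source": f["src"], "target": f["dst"], "kind": "firewall", "detail": f["action"]})
    for line in ids_lines:
        j = json.loads(line)
        events.append({"source": j["src_ip"], "target": j["dest_ip"], "kind": "ids", "detail": j["alert"]})
    return events


def first_pass(events):
    """Pass 1: sources that raised an intrusion-detection alarm become the watchlist
    that is fed back into the next pass."""
    return {e["source"] for e in events if e["kind"] == "ids"}


def second_pass(events, watchlist, min_targets=2):
    """Pass 2: re-read every record, including the firewall denies pass 1 ignored, for the
    watchlisted sources only, and escalate those touching several targets."""
    targets = defaultdict(set)
    for e in events:
        if e["source"] in watchlist:
            targets[e["source"]].add(e["target"])
    return {s: sorted(t) for s, t in targets.items() if len(t) >= min_targets}


def run(firewall_lines=FIREWALL_LINES, ids_lines=IDS_LINES):
    events = normalize(firewall_lines, ids_lines)
    return second_pass(events, first_pass(events))


if __name__ == "__main__":
    print(run())
```

Neither feed alone escalates anything: the firewall sees only denied probes and the sensor sees one alarm per source. After normalization and the feedback pass, 203.0.113.7 is tied to three targets across both feeds and is escalated, while 198.51.100.4 stays at one target. Real-world normalization also has to reconcile clocks and address spaces across the contributing organizations, which this example leaves out.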