Securing the Data in Big Data Security Analytics

Big data security analytics is an emerging approach to intrusion detection at the scale of a large organization. It involves a combination of automated and manual analysis of security logs and alerts from a wide and varying array of sources, often aggregated into a massive (“big”) data repository. Many of these sources are host facilities, such as intrusion-detection systems and syslog, that we generically call Security Analytics Sources (SASs). Security analytics are only as good as the data being analyzed. Yet nearly all SASs today lack even basic protections on data collection. An attacker can undetectably suppress or tamper with SAS messages to conceal attack evidence. Moreover, an attacker who merely monitors network traffic can discover sensitive SAS instrumentation and message-generation behaviors. We introduce PillarBox, a tool for securely relaying SAS messages in a security analytics system. PillarBox enforces integrity: it secures SAS messages against tampering, even against an attacker that controls the network and compromises a message-generating host. It also (optionally) offers stealth: it can conceal alert generation, hiding select SAS alerting rules and actions from an adversary. We present an implementation of PillarBox and show experimentally that it can secure messages against attacker suppression or tampering even in the most challenging environments, where SASs generate real-time security alerts. We also show, based on data from a large enterprise and on on-host performance measurements, that PillarBox has minimal overhead and is practical for real-world big data security analytics systems.
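The integrity property claimed above, tamper evidence for SAS messages that holds even after the emitting host is compromised, is the kind of guarantee a forward-secure authenticated log chain provides. The following is an added illustration of that general technique, written for this page; it is not PillarBox's own construction or code, and the initial key, the sample alerts and the compromise point are all constructed for the demonstration. Each record is MACed under a per-message key that is immediately evolved by hashing and erased on the host, so an attacker who arrives after record n holds only later keys and cannot re-tag earlier records; sequence numbers inside the MAC make a dropped or reordered record show up as a gap at the collector.

```python
import hashlib
import hmac


def evolve(key: bytes) -> bytes:
    """Derive the next per-message key; the caller discards the previous one."""
    return hashlib.sha256(b"example-key-evolution:" + key).digest()


def tag_message(key: bytes, seq: int, msg: bytes) -> bytes:
    """MAC over sequence number and payload so edits and reordering are both caught."""
    return hmac.new(key, seq.to_bytes(8, "big") + msg, hashlib.sha256).digest()


class ForwardSecureLogger:
    """Host-side emitter: one key per record, evolved and erased after each use."""

    def __init__(self, initial_key: bytes):
        self._key = initial_key
        self._seq = 0

    def emit(self, msg: bytes):
        record = (self._seq, msg, tag_message(self._key, self._seq, msg))
        self._key = evolve(self._key)  # old key is gone; compromise now reveals only future keys
        self._seq += 1
        return record

    def current_key(self) -> bytes:
        """What an attacker learns by compromising the host at this moment."""
        return self._key


def verify_log(initial_key: bytes, records):
    """Collector-side check. Returns (ok, index): on success index is the number of
    verified records; on failure it is the sequence number where a gap, a reorder
    or a bad tag was first detected."""
    key = initial_key
    expected = 0
    for seq, msg, tag in records:
        if seq != expected:
            return False, expected  # suppressed or reordered record
        if not hmac.compare_digest(tag_message(key, seq, msg), tag):
            return False, seq  # tampered record, or tag made with the wrong key
        key = evolve(key)
        expected += 1
    return True, expected


def demo():
    # Constructed values: the collector is assumed to hold k0 from an out-of-band setup.
    k0 = hashlib.sha256(b"constructed initial key shared with the collector").digest()
    logger = ForwardSecureLogger(k0)
    alerts = [  # constructed sample SAS alerts
        b"auth failure for root from 10.0.0.5",
        b"new setuid binary written to /tmp/x",
        b"outbound connection to 198.51.100.7:4444",
    ]
    log = [logger.emit(a) for a in alerts]
    stolen_key = logger.current_key()  # host compromised after the third alert

    results = {"honest": verify_log(k0, log)}

    # Rewriting alert 1 and re-tagging it with the only key the attacker holds fails,
    # because that key is two evolutions past the one the collector derives for seq 1.
    seq, _, _ = log[1]
    forged_msg = b"nothing to see here"
    forged = (seq, forged_msg, tag_message(stolen_key, seq, forged_msg))
    results["tampered"] = verify_log(k0, [log[0], forged, log[2]])

    # Deleting alert 1 outright leaves a sequence gap the collector reports.
    results["suppressed"] = verify_log(k0, [log[0], log[2]])
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Key evolution only protects records written before the compromise: an attacker holding the current key can still emit validly tagged fabricated records or simply stop emitting, so the collector must verify promptly and treat an unexpected halt in the sequence as a signal in its own right.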
