Estimated reading time: 5 minutes
With the advent of big data platforms, IT security companies can now make guided decisions on how to protect their assets. By recording network traffic and network flows, it is possible to get an idea of the channels on which company information flows. To facilitate the integration of data between the various applications and to develop new analytical functionalities, we the Apache Open Data Model meets.
The common Open Data Model for networks, endpoints and users has several advantages. For example, easier integration between various security applications, but companies are also made it easier to share analytics in case new threats are detected.
Hadoop offers adequate tools to manage a Security Data Lake (SDL) and big data analysis. It can also detect events that are usually difficult to identify, such as lateral movement , data leaks, internal problems or stealth behavior in general. Thanks to the technologies behind the SDL it is possible to collect the data of the SIEM to be able to exploit them through SOCaaS since, being a free Open Data Model, the logs are stored in such a way that they can be used by anyone.
What is Hadoop Open Data Model
Apache Hadoop is free and open source software that helps companies gain insight into their network environments. The analysis of the collected data leads to the identification of potential security threats or any attacks that take place between the resources in the cloud.
While traditional Cyber Threat Intelligence tools help identify threats and attacks in general, an Open Data Model provides a tool that allow companies to detect suspicious connections using flow and packet analysis.
H adoop Open Data Model combines all security-related data (events, users, networks, etc.) into a single visual area that can be used to identify threats effectively. It is You can also use them to create new analytical models. In fact, an Open Data Model allows the sharing and reuse of threat detection models.
An Open Data Model also provides a common taxonomy to describe the security telemetry data used to detect threats. Using data structures and schemas in the Hadoop platform it is possible to collect, store and analyze security-related data.
Open Data Model Hadoop, the advantages for companies
- – Archive a copy of the data security telemetry
- – Leverage out-of-the-box analytics to detect threats targeting DNS, Flow and Proxy
- – Build custom analytics based on your needs
- – Allows third parties to interact with ‘Open Data Model
- – Share and reuse models of threat detection, algorithms, visualizations and analysis from the community Apache Spot .
- – Leverage security telemetry data to better detect threats
- – Using security logs
- – Obtain data from users , endpoints and network entities
- – Obtain threat intelligence data
Open Data Model: types of data collected
To provide a complete security picture and to effectively analyze cyber threat data, you need to collect and analyze all logs and alerts regarding security events and contextual data related to the entities you are dealing with referenced in these logs . The most common entities include the network, users and endpoints, but there are actually many more, such as files and certificates.
Due to the need to collect and analyze security alerts, logs and contextual data, the following types of data are included in the Open Data Model.
Security Event Alerts in Open Data Model
These are event logs from common data sources used to identify threats and better understand network flows. For example operating system logs, IPS logs, firewall logs, proxy logs, web and many more.
Network context data
These include network information that is accessible to anyone from the Whois directory, as well as resource databases and other similar data sources.
User context data
This type of data includes all information relating to the management of users and their identity. Also included are Active Directory, Centrify and other similar systems.
Endpoint context data
Includes all information about endpoint systems (server, router, switch). They can come from asset management systems, vulnerability scanners and detection systems.
Contextual threat data
This data contains contextual information on URLs, domains, websites, files and much more, always related to known threats.
Contextual data on vulnerabilities
This data includes information on vulnerabilities and vulnerability management systems.
Articles from the RoadMap
This is file context data, certificates, naming convention.
Name of attributes
A naming convention is required for an Open Data Model in order to represent attributes between the vendor’s products and technologies. The naming convention consists of prefixes (net, http, src, dst, etc) and common attribute names (ip4, usarname, etc).
It is still a good idea to use multiple prefixes in combination with one attribute.
We have seen what the Hadoop Open Data Model is and how it can be used thanks to its ability to filter traffic and highlight potential cyber attacks by listing suspicious flows, threats to users, threats to endpoints and major network threats.
If you have any doubts or would like further clarification, do not hesitate to contact us by pressing the button below, we will be happy to answer any question.
A common definition of data exfiltration is the theft, removal, or unauthorized movement of any data from a device. Data exfiltration typically involves a cybercriminal stealing data from personal or corporate devices, such as computers and cell phones, through various cyberattack methods.
Failure to control information security can lead to data loss which can cause financial and reputational damage to an organization.
How does a data exfiltration happen?
Data exfiltration occurs in two ways, through attacks from outsiders and through threats from within. Both are major risks, and organizations need to ensure their data is protected by detecting and preventing data exfiltration at all times.
An attack from outside the organization occurs when an individual infiltrates a network to steal corporate data or user credentials. This is typically the result of a cybercriminal injecting malware into a device connected to a corporate network.
Some malware strands are designed to spread across an organization’s network and infiltrate others, seeking sensitive data in an attempt to extract. Other types of malware remain dormant on a network to avoid being detected by organizations’ security systems until data is subversively extracted or information is gradually collected over a period of time.
Attacks can result from malicious insiders stealing your organization’s data and sending documents to your personal email address. Typically the data is then sold to cyber criminals. They can also be caused by inattentive employee behavior that sees corporate data fall into the hands of bad actors.
Types of Data Exfiltration
Data exfiltration occurs in various ways and through multiple attack methods, mostly on the Internet or on a corporate network.
The techniques cybercriminals use to extract data from organizations’ networks and systems are becoming increasingly sophisticated. These include: anonymous connections to servers, Domain Name System (DNS) attacks, Hypertext Transfer Protocol (HTTP) tunneling, Direct Internet Protocol (IP) addresses, fileless attacks, and remote code execution.
Let’s see in detail some attack techniques to know what we are talking about specifically.
1. Social engineering and phishing attacks
Social engineering attacks and phishing attacks are popular network attack vectors. They are used to trick victims into downloading malware and entering their account credentials.
Phishing attacks consist of emails designed to appear legitimate and often appear to come from trusted senders. They usually contain an attachment that injects malware into the device. Other types contain a link to a website that appears legitimate but is forged to steal the login credentials entered. Some attackers even launch targeted phishing attacks to steal data from a specific user. Often the targets are the executives of a company or known individuals.
To defend against these types of attacks, it’s best to recognize them immediately and trash the emails. In a company it is possible to help the process through an ad hoc training course, based on data collected internally by the company through a controlled test. SOD also offers this service, if you are interested, you will find more information on the page of the service itself.
2. Outgoing email
Cybercriminals check e-mails to retrieve any data coming out of organizations’ e-mail systems. The recovered data can be calendars, databases, images and planning documents. These provide sensitive information of value or information that is useful for recovering valuable data.
3. Download to unsafe devices
This method of data exfiltration is a common form of accidental insider threat. The attacker accesses sensitive corporate information on his trusted device, then transfers the data to an insecure device. The insecure device could be an external drive or smartphone that is not protected by corporate security solutions or policies, which puts it at risk of data exfiltration.
Smartphones are also susceptible to data exfiltration. Android devices are vulnerable to the installation of malware that take control of the phone to download applications without the user’s consent.
4. Upload to external devices
This type of data exfiltration typically comes from bad guys. The internal attacker can extract data by downloading the information from a secure device, then uploading it to an external (insecure) device. This external device could be a laptop, smartphone, tablet or USB stick.
5. Human error and unsafe behavior on the network
The cloud provides users and businesses with a multitude of benefits, but together there are significant risks of data exfiltration. For example, when an authorized user accesses cloud services in an insecure way, it allows an attacker an access route from which he can retrieve data and take it off the secure network. Human error also plays a role in data mining, because appropriate protection may no longer be in place.
How to spot a data exfiltration attack
Depending on the type of attack method used, detecting data exfiltration can be a difficult task. Cybercriminals using more difficult-to-detect techniques can be mistaken for normal network traffic. This means that they can lurk in networks unnoticed for months and even years. Data exfiltration is often only discovered when the damage has already been caused.
To detect the presence of at-risk users, organizations must use tools that automatically discover malicious or unusual traffic in real time.
One tool with this capability is SOC (also offered as a service: SOCaaS) which implements an intrusion monitoring system, as well as an automatic system that verifies user behavior. When the SOC detects a possible threat, it sends an alert to the organization’s IT and security teams who can take action and investigate the situation.
SOC works by searching for and detecting anomalies that deviate from regular network activity. They then issue an alert or report so administrators and security teams can review the case.
In addition to detecting automatic threats, organizations can also construct the entire sequence of an event as it occurred, including mapping to a known kill chain or attack framework.
Using a SOCaaS, for a company that manages sensitive data, is an advantage from many points of view. Being offered as a service, the company will not have to invest in setting up a specialized IT department for its SOC, will not have to hire additional personnel and will be able to count on security systems that are always updated with qualified and always available operators.
For more information, do not hesitate to contact us.
Estimated reading time: 5 minutes With the advent of big data platforms, IT security companies can now make guid… https://t.co/aTv41eq2Ir
Estimated reading time: 5 minutes Ogni anno cresce costantemente il numero di attacchi che minacciano la sicurezz… https://t.co/e1g9VBSYq9
Estimated reading time: 5 minutes Every year the number of attacks that threaten the security of devices, comput… https://t.co/MnoEKRNMwk
Estimated reading time: 7 minutes Il vishing è una particolare tipologia di phishing che sfrutta la tecnologia Vo… https://t.co/q9OO03jSHj
Estimated reading time: 5 minutes Come abbiamo già affrontato precedentemente negli scorsi articoli, i ransomware… https://t.co/O8xUUJocYc