You are looking at a specific version 20130929:175300 of this paper.

Paper 2013/625

Securing the Data in Big Data Security Analytics

Kevin D. Bowers and Catherine Hart and Ari Juels and Nikos Triandopoulos

Abstract

Big data security analytics is an emerging approach to intrusion detection at the scale of a large organization. It involves a combination of automated and manual analysis of security logs and alerts from a wide and varying array of sources, often aggregated into a massive (“big”) data repository. Many of these sources are host facilities, such as intrusion-detection systems and syslog, that we generically call Security Analytics Sources (SASs). Security analytics are only as good as the data being analyzed. Yet nearly all SASs today lack even basic protections on data collection. An attacker can undetectably suppress or tamper with SAS messages to conceal attack evidence. Moreover, by merely monitoring network traffic, an attacker can discover sensitive SAS instrumentation and message-generation behaviors. We introduce PillarBox, a tool for securely relaying SAS messages in a security analytics system. PillarBox enforces integrity: it secures SAS messages against tampering, even against an attacker that controls the network and compromises a message-generating host. It also (optionally) offers stealth: it can conceal alert generation, hiding select SAS alerting rules and actions from an adversary. We present an implementation of PillarBox and show experimentally that it can secure messages against attacker suppression or tampering even in the most challenging environments, where SASs generate real-time security alerts. We also show, based on data from a large enterprise and on-host performance measurements, that PillarBox has minimal overhead and is practical for real-world big data security analytics systems.
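The integrity property the abstract describes, protecting already-generated messages against an attacker who later compromises the host, is the forward-security goal named in the paper's keywords. The following is an added illustration of that goal using a standard forward-secure MAC construction (an evolving key that is hashed forward and erased after each message); it is not code from the paper and is not PillarBox's own protocol, and the key-evolution label, message layout and sample log lines are all constructed for the example. It also shows what this minimal scheme does not catch: silent truncation of the newest entries, which is why a real system needs an additional liveness or count signal.

```python
import hashlib
import hmac

# Illustrative forward-secure logging (assumed construction, not PillarBox):
# k_{i+1} = H("evolve" || k_i); the host erases k_i after MACing message i.


def evolve(key: bytes) -> bytes:
    """One-way key update; the domain-separation label is an assumption."""
    return hashlib.sha256(b"evolve" + key).digest()


def tag(key: bytes, index: int, msg: bytes) -> bytes:
    """MAC over (sequence index || message) so reordering/removal breaks verification."""
    return hmac.new(key, index.to_bytes(8, "big") + msg, hashlib.sha256).digest()


class ForwardSecureLogger:
    """Host side: only the *current* epoch key ever exists in memory."""

    def __init__(self, initial_key: bytes):
        self._key = initial_key
        self._index = 0

    def append(self, msg: bytes):
        entry = (self._index, msg, tag(self._key, self._index, msg))
        self._key = evolve(self._key)  # previous key is now unrecoverable
        self._index += 1
        return entry

    def current_key(self) -> bytes:
        """What an attacker learns by compromising the host *now*."""
        return self._key


def verify_log(initial_key: bytes, entries) -> bool:
    """Collector side: re-derives every epoch key from the shared initial secret."""
    key = initial_key
    for expected_index, (index, msg, t) in enumerate(entries):
        if index != expected_index or not hmac.compare_digest(t, tag(key, index, msg)):
            return False
        key = evolve(key)
    return True


def demo():
    # Constructed initial secret; in practice this is random and shared out of band.
    initial = bytes(range(32))
    logger = ForwardSecureLogger(initial)
    messages = [
        b"sshd: failed login for root from 10.0.0.5",   # constructed sample line
        b"ids: port scan detected from 10.0.0.5",       # constructed sample line
        b"syslog: new administrative user created",     # constructed sample line
    ]
    entries = [logger.append(m) for m in messages]
    intact_ok = verify_log(initial, entries)

    # Attacker compromises the host afterwards and holds only the current key k_3;
    # rewriting entry 2 with that key produces a tag the collector rejects.
    stolen = logger.current_key()
    forged = (2, b"syslog: routine rotation", tag(stolen, 2, b"syslog: routine rotation"))
    tampered_ok = verify_log(initial, entries[:2] + [forged])

    # Suppressing a middle entry leaves an index gap the collector detects.
    suppressed_ok = verify_log(initial, [entries[0], entries[2]])

    # Limitation: dropping the newest entries is NOT detected by the MAC chain alone.
    truncated_ok = verify_log(initial, entries[:2])

    return intact_ok, tampered_ok, suppressed_ok, truncated_ok


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(True, False, False, True)`: the intact log verifies, the forged and gapped logs are rejected, and the tail-truncated log still verifies, which is the gap that an out-of-band count, heartbeat or commitment to the latest index has to close.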

Metadata

Available format(s): PDF
Category: Cryptographic protocols
Publication info: Preprint. MINOR revision.
Keywords: application, implementation, forward-security, logging, data security
Contact author(s): kevin bowers @ rsa com
History:
2014-10-23: last of 2 revisions
2013-09-29: received
Short URL: https://ia.cr/2013/625
License: Creative Commons Attribution (CC BY)