Marco Casassa Mont - Web Page - HP Labs
Cloud & Security Lab
SILAS: Security Intelligence-as-a-Service
At its base, the SILAS solution consists of an analytics technology that provides statistical analysis of data and predictions based on simulations.
A typical scenario (where SILAS can be deployed and add value) consists of a multitenant Security Operation Center (SOC), as shown in the following picture:
In this scenario the SOC manages incidents and IT operation issues for multiple customers. SILAS calculates and provides a wide variety of strategic metrics: customer metrics, reflecting the effectiveness of their processes (e.g. vulnerability and threat management - VTM, identity and access management - IAM, etc.), based on the data they share with the SOC; metrics related to external threat environments (e.g. derived from information collected from HP ArcSight, HP TippingPoint, DV Labs, OSVDB, etc.); metrics providing an assessment of SOC processes, e.g. how effectively they identify incidents, close alerts, deal with false positives; what-if analysis and predictive metrics. All these metrics can be conveyed to customers (and/or other stakeholders) via reports, highlighting trend analysis and benchmarks.
SILAS is meant to:
provide estimation of strategic (security, risk and business) metrics to decision makers and customers, in multi-tenancy, multi-customer contexts, such as Security Operation Centers and Cloud Operation Centers
use these metrics to enable predictive and what-if analysis, by leveraging the HP/HPL Security Analytics Solution (based on modelling and simulation techniques)
provide customers with strategic reports - based on processed metrics and prediction - to illustrate historical trends and benchmarks
leverage Cloud infrastructure for data processing and metric estimations
The following picture illustrates the SILAS core capabilities and high-level architecture:
SILAS is not meant to be a reactive, real-time analytic solution. It leverages existing solutions such as HP ArcSight, HP TippingPoint/ThreatLinq, OSVDB, etc. to gather the relevant data. As a unique differentiation, it provides longer-term estimates of critical metrics and uses them to
It provides decision support capabilities to key stakeholders (risk management teams, customers, etc.). As such it nicely complements current HP SW
We are currently trialling this solution in collaboration with HP business groups. I have been the technical lead of this work in collaboration with a team of colleagues.
A few screenshots of a public version of SILAS (which we use for demonstration purposes) follow:
Figure 1: SILAS main dashboard. Links to various metric processing, prediction and reporting capabilities
Figure 2: SILAS metric estimation. Example of estimation of the "patch take-up curve" metric (i.e. how quickly an organisation patches its systems against a vulnerability) over a period of time, calculated on data collected from HP ArcSight
Figure 3: SILAS predictions and "what-if" analysis. Example of prediction of vulnerability "risk exposure", calculated with HP/HPL Security Analytics models and related simulations. Models are instantiated with previously calculated SILAS metrics, e.g. the "patch take-up curve" metric.
Figure 4: SILAS Report. Example of customer report illustrating, for a given time period, the "patch take-up curve" metric and comparing it against an anonymised version of the same metric (in the same time period) calculated from information collected from other customers (in a multi-tenant SOC).
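As an added illustration (not SILAS code, which this page does not publish), the following Python shows how a "patch take-up curve" like the one in Figure 2 and an anonymised cross-tenant benchmark like the one in Figure 4 can be computed. The patch records, tenant names and disclosure date are constructed sample data, not ArcSight output.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass
class PatchRecord:
    """One host's patch status for one vulnerability (constructed data, not ArcSight output)."""
    host: str
    disclosed: date          # vulnerability disclosure date
    patched: Optional[date]  # None: still unpatched at the end of the observation window

def take_up_curve(records: List[PatchRecord], horizon_days: int) -> List[float]:
    """Cumulative fraction of hosts patched by day d after disclosure, for d = 0..horizon_days."""
    if not records:
        raise ValueError("cannot compute a take-up curve without records")
    curve = []
    for d in range(horizon_days + 1):
        patched = sum(1 for r in records
                      if r.patched is not None and (r.patched - r.disclosed).days <= d)
        curve.append(patched / len(records))
    return curve

def anonymised_benchmark(tenants: Dict[str, List[PatchRecord]], horizon_days: int) -> List[float]:
    """Average the per-tenant curves; tenant identities are dropped and only the aggregate is returned."""
    curves = [take_up_curve(recs, horizon_days) for recs in tenants.values()]
    return [sum(point) / len(curves) for point in zip(*curves)]

def days_to_fraction(curve: List[float], target: float) -> Optional[int]:
    """First day on which the curve reaches `target`, or None if it never does within the horizon."""
    for d, fraction in enumerate(curve):
        if fraction >= target:
            return d
    return None

# Constructed sample data: one customer plus two other tenants of the same SOC.
D = date(2013, 3, 1)  # hypothetical disclosure date
CUSTOMER_A = [PatchRecord("a1", D, date(2013, 3, 3)), PatchRecord("a2", D, date(2013, 3, 6)),
              PatchRecord("a3", D, date(2013, 3, 11)), PatchRecord("a4", D, None)]
OTHER_TENANTS = {
    "tenant-b": [PatchRecord("b1", D, date(2013, 3, 2)), PatchRecord("b2", D, date(2013, 3, 4))],
    "tenant-c": [PatchRecord("c1", D, date(2013, 3, 6)), PatchRecord("c2", D, None)],
}

if __name__ == "__main__":
    horizon = 10
    own = take_up_curve(CUSTOMER_A, horizon)
    peers = anonymised_benchmark(OTHER_TENANTS, horizon)
    for d, (o, p) in enumerate(zip(own, peers)):
        print(f"day {d:>2}: customer {o:.2f}  peer benchmark {p:.2f}")
    print("days to 50% patched:", days_to_fraction(own, 0.5), "vs", days_to_fraction(peers, 0.5))
```

The curve is a plain cumulative fraction; a report would typically show it alongside the aggregated peer curve so that a customer can see its own lag without learning which tenant contributed which data.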
Figure 5: SILAS Report. Another example of customer report showing the outcomes of various "what-if" analyses, calculated with HP/HPL Security Analytics models and related simulations. Models are instantiated with both previously calculated SILAS metrics, e.g. the "patch take-up curve" metric, and the various "what-if" assumptions to be explored (e.g. using specific IT security controls).
Figure 6: SILAS Report. Another example of customer report showing the historical trends of some relevant SOC process metrics indicating how effectively a SOC handles customers' incidents (e.g. in terms of time to close an alert, identify false positives or identify an incident). The report shows historical trends and anonymised benchmarks against similar, aggregated metrics obtained from other customers.
Marco Casassa Mont
Cloud & Security Lab
Long Down Avenue
Bristol, BS34 8QZ, UK