Marco Casassa Mont - Web Page - HP Labs

Marco Casassa Mont at HP Labs
Senior Researcher
Cloud & Security Lab
Bristol, UK

SILAS: Security Intelligence-as-a-Service

The SILAS solution consists, at the very base, of an Analytics Technology that provides: statistical analysis of data; predictions based on simulations.

A typical scenario (where SILAS can be deployed and add value) consists of a multitenant Security Operation Center (SOC), as shown in the following picture:

In this scenario the SOC manages incidents and IT operation issues for multiple customers. SILAS calculates and provides a wide variety of strategic metrics: customer metrics, reflecting the effectiveness of their processes (e.g. vulnerability and threat management - VTM, identity and access management - IAM, etc.), based on the data they shared with the SOC; metrics related to external threat environments (e.g. derived from information collected from HP ArchSight, HP TippingPoint, DV Labs, OSVDB, etc.); metrics providing an assessment of SOC processes, e.g. how effectively they identify incidents, close alerts, deal with false positives; what-if analysis and predictive metrics. All these metrics can be  conveyed to customers (and/or other stakeholders) via reports, by highlighting trend analysis and benchmarks. 

SILAS is meant to:

  • provide estimation of strategic (security, risk and business) metrics to decision makers and customers, in multi-tenancy, multi-customer contexts, such as Security Operation Centers and Cloud Operation Centers

  • use these metrics to enable predictive and what-if analysis, by leveraging the HP/HPL Security Analytics Solution (based on modelling and simulation techniques)

  • provide customers with strategic reports - based on processed metrics and prediction - to illustrate historical trends and benchmarks

  • leverage Cloud infrastructure for data processing and metric estimations

The following picture illustrates the SILAS core capabilities and high-level architecture:

SILAS is not meant to be a reactive, real-time analytic solution. It leverages existing solutions such as  HP ArchSight, HP TippingPoint/ThreatLinq, OSVDB, etc. to gather the relevant data. As unique differentiation,. it provides longer-term estimates of  critical metrics and uses them to make predictions. It provides decision support capabilities to key stakeholders (risk management teams, customers ,etc). As such it nicely complement current HP SW offerings.

We are currently trialling this solution in collaboration with HP business groups. I have been the technical lead of this work in collaboration with a team of colleagues.

A few screenshots of a  public version of SILAS (we use for demonstration purposes) follow:

Figure 1: SILAS main dashboard. Links to various metric processing, prediction and reporting capabilities

 

Figure 2: SILAS metric estimation. Example of estimation of "patch take-up curve" metric estimation (i.e. how quickly an organisation patches its systems against a vulnerability), over a period of time,  calculated on data collected from HP ArcSight

 

Figure 3: SILAS predictions and "what-if" analysis. Example of prediction to vulnerability "risk exposure", calculated with  HP/HPL Security Analytics models and related simulations. Models are are instantiated with previously calculated SILAS metrics, e.g. the "patch take-up curve" metric.




Figure 4: SILAS Report. Example of customer report illustrating, for a given time period, the "patch take-up curve" metric and compare it against an anonymised version of the same metrics (in the same time period) calculated by using information collected from other customers (in a multi-tenant SOC).




Figure 4: SILAS Report. Another example of customer report showing the outcomes of various "what-if" analysis, calculated with  HP/HPL Security Analytics models and related simulations. Models are are instantiated with both previously calculated SILAS metrics, e.g. the "patch take-up curve" metric and the various "what-if" assumption to be explored (e.g. using specific IT security controls).

 


Figure 5: SILAS Report. Another example of customer report showing the historical trends of some relevant SOC process metrics indicating how effectively a SOC handles customer's incidents (e.g. in terms of time to close an alert, identify false positives or identify an incident). The report shows historical trends and  anonymised benchmarks against similar, aggregated metrics, obtained from other customers.

My Contacts:

Marco Casassa Mont

HP Laboratories

Cloud & Security Lab

Long Down Avenue

Stoke Gifford

Bristol, BS34 8QZ, UK       

TEL: +44-117-3162196

marco.casassa-mont@hp.com