Interview with Nicola Sotira
For organizations operating in hyper-regulated industries, the need to secure an extensive network of business applications and sensitive data is daunting. In this video, Nicola Sotira, Head of CERT at Poste Italiane, Italy’s largest postal service provider, shares how he built his CERT Big Data Analytics to analyze millions of new logs daily to:
– Identify anomalies in the use of applications by trusted identities
– Discover threats that other tools cannot detect
– Enable a proactive response.
The following is a summary of the key points from his recent presentation, highlighting crucial statistics and the strategies employed by Poste Italiane to fortify its security posture.
Poste Italiane, a company spanning banking, insurance, logistics, utilities, and more, faced a substantial challenge in securing its extensive network. With over 70,000 IP addresses, 3,000 domains, and a workforce of around 130,000 employees, their security responsibilities are immense.
“In this kind of environment, it’s very difficult to understand what rules to set up for detecting something strange, when the range of data is so vast and complex.”
To tackle the complexity of their security landscape, Poste Italiane adopted a data-driven approach. Sotira explains that they focused on detecting anomalies and unusual behavior in transactions, network activities, and employee application access. Drawing from Gartner’s cybersecurity mesh architecture, they emphasized the importance of rationalizing applications and centralizing data for effective correlation, as well as, moving to a machine learning approach and away from the “classic SIEM” approaches for higher accuracy.
Step 1: Building the Data Lake
In 2018, Poste Italiane initiated the construction of a data lake, a centralized repository for diverse data sources. They standardized data ingestion methods, utilizing technologies such as Axway and Kafka for batch and real-time approaches, respectively. Notably, the data lake encompasses information from various sources like proxy data, Office 365, Qualys Audit log, and ServiceNow Audit log, accumulating over 35 billion records to date.
Step 2: Navigating the Sea of Data
Dealing with millions of logs daily, especially from applications like ServiceNow and Office 365, presented a significant challenge. Sotira highlighted the difficulty of defining rules for anomaly detection amidst this massive influx of data.
To address this, Poste Italiane turned to Reveal Security, employing its continuous monitoring of identity usage in and across applications and use of unsupervised machine learning (ML) to identify and flag potential security threats. Employing an ML approach is crucial as it can automatically learn the identity’s typical behavior and pinpoint anomalies or deviations from these patterns without requiring detection rules. This capability is vital for detecting novel and sophisticated threats that do not match predefined rules.
Step 3: Securing the Cloud
Looking now toward the future, Poste Italiane is transitioning its data lake to the cloud, specifically, Azure Databricks. RevealSecurity continues to be an important part of their strategy for detecting anomalies and illegitimate behavior in their business applications. This move to the cloud aims to enhance their ability to detect anomalies and behaviors that could compromise network and application security.
For security practitioners in hyper-regulated industries, there’s much to glean from Poste Italiane’s experience and commitment to innovation and adaptability in the face of evolving threats. By adopting a data-driven approach, centralizing information in a data lake, monitoring identity usage in applications, and incorporating ML- and AI-based tools, Poste Italiane exemplifies a proactive stance in safeguarding sensitive information, as they continue to fortify their defenses in the dynamic realm of cybersecurity.