Case study on how to use Interactive Data Visualization and Predictive Modeling to find the needle in the haystack in SIEM Analytics and Cyber Security. We discuss how to create an analytical sandbox in front of your correlation systems, as well as intrusion, firewall, and virus scan / endpoint protection systems. Our clients include Fortune 100 companies, governments and government agencies, two of the top SIEM vendors, and a variety of mid-sized companies.

1. Security Visualization
… using Interactive
Data Visualization
and Predictive Modeling
to find the needle in the
haystack.
Copyright 2016

2. YOUR HOST
Doug Cogswell
o President & CEO, ADVIZOR Solutions
o 15 Years in the Business Intelligence Sector
o Extensive data analytics experience
o Over 10 years in Cyber Security
o Clients include:
 Fortune 100 companies
 Large government organizations
 U.S. Military
 Top SIEM vendors

3. WHO WE ARE
Copyright 2016
ADVZOR is a spinoff from Bell Labs. We offer a low cost and
extremely easy to use visual front-end to complex data
systems. We blend, prep, and synthesize data from all kinds of
commercial and operational systems into an integrated in-
memory data mart. That mart powers our easy-to-understand
interactive dashboards and ad hoc reports, which are designed
for self-service business decision making. We are the only vendor
anywhere who has integrated no-coding predictive
analytics into an end-user data discovery tool targeted at
people who don’t have degrees in statistics.

4. SMALLER FIRMS …
… TOP TIER BEST OF BREED
Copyright 2016
Security Visualization

5. WHAT’S THE PROBLEM?
Copyright 2016
• Threat teams and vulnerability teams often don’t talk to each other
• Multiple separate collection systems
• Systems create 100’s of pages of reports each day
• Analysts pull the data out and try to cross ruff, often in Excel
• Lack of context. Have to prioritize, but can only investigate some
things, which are usually the “high priority threats”. When in reality
there can be clusters of lower priority events that together make a
difference.
• End up putting out fires, vs. taking a strategic approach
• Get distracted by all the noise and don’t find the needle in the
haystack

6. GARTNER
“Analyzing large amounts of data to find interesting
security events, such as undetected breaches or
rogue users, is a desired output for buyers.
And visualization of that data will greatly affect
adoption of the technology.
This presents an opportunity for security providers to
partner with proven large data visualization
technologies to better increase the adoption of their
security analytics platforms.”
Copyright 2016

7. CASE STUDY –
FORTUNE 100 COMPANY
Copyright 2016

8. • Intrusion Detection System (Sourcefire)
• Firewall (Palo Alto, SonicWALL)
• Virus Scan/Endpoint Protection (Symantec)
• Correlation Systems (HP ESM, Splunk, etc.)
 “Rules Based”; known trigger, aggregate, correlate; identify issue,
send to case investigation and respond
MULTIPLE DATA SOURCES
Copyright 2016
• Security Visualization App (ADVIZOR)
 Hunt for unknown and unexpected threats

9. SECURITY VISUALIZATION
• Most people think of “presentation of output”
• We mean: “present raw data visually for human pattern
recognition and analysis”
• Why?
• 100’s of thousands of correlations / day
• Can’t process them all
• Need further and additional insights into log data
• Detect activity beyond traditional intrusion and event management
• Human visual perception automatically recognizes unusual patterns
• “We don’t know what we’re looking for”
• “Writing a rule to detect a ‘diagonal attack’ would be really hard and
expensive”
• Need to get down to the underlying log data and attach to the case
• Must be proactive and real time analysis
Copyright 2016

10. SECURITY VISUALIZATION VALUE ADD
• Provide proactive and real time analysis
• Find anomalies that traditional systems don’t
• Find new attacks that were designed to avoid traditional
signature based detection tools:
• Time staged attacks
• Diagonal attacks
• Cluster attacks
• Octal jump attacks
• Embedded activity attacks
• Etc.
• Easily communicate & submit case detail for further
investigation
Copyright 2016
Demo

11. Copyright 2016
DEMO: TIME STAGED ATTACK
Vertical lines
normal. Multiple
users going to one
file server
Anomaly – a large
bulk data transfer.
Anomaly – one
source hitting wide
range of internal
addresses

12. Copyright 2016
Select with mouse.
SELECT THE “HORIZONTAL ANOMALY”

13. Copyright 2016
THIS APPEARS TO BE A
TIME STAGED ATTACK
Hits hard, goes
dormant, hits again
Hits hard, goes
dormant, hits again
Hits hard, goes
dormant, hits again
Hits hard, goes
dormant, hits again
Very intense.
Dominates all
traffic when it hits.

14. Copyright 2016
EXCLUDE TO JUST SHOW THE “HORIZONTAL
ANOMALY”; SELECT THE 1st “DOUBLE” ATTACK
Select with mouse.

15. Copyright 2016
Very in depth
probing. Multiple hits
on most destination
addresses.
EXAMINE THE FIRST “DOUBLE” ATTACK

16. Copyright 2016
SELECT THE MIDDLE ATTACK
Select with mouse.

17. Copyright 2016
Generally single
hits across the
same spectrum as
the 1st attack.
Follow-up probing
to the 1st attack
EXAMINE THE MIDDLE ATTACK

18. THOUGHTS
• Strong evidence of something nefarious
• Close the loop with other context sensitive
data. For example:
o Research what the source IP address actually is
o Are there factors that might drive this timing?
o What other contextual information might there
be?
• Lets look at a few other things …
Copyright 2016

19. Copyright 2016
A BIT MORE ANALYSIS – THE PARABOX

20. Copyright 2016
RESELECT THE “HORIZONTAL ANOMALY”

21. Copyright 2016
DRILL IN: 2 DESTINATION PORTS:
• Port 139 = NetBios
• Port 445 = ActiveDirectory Screening
• Trying to access files across a bunch
of machines.

22. Copyright 2016
AD HOC SANDBOX: EXAMINE MORE DATA

23. Copyright 2016
AD HOC SANDBOX: EXAMINE MORE DATA

24. Copyright 2016
AD HOC SANDBOX: EXAMINE MORE DATA

25. Copyright 2016
AD HOC SANDBOX:
DESCRIPTIVE & PREDICTIVE ANALYTICS

26. Copyright 2016
AD HOC SANDBOX:
DESCRIPTIVE & PREDICTIVE ANALYTICS

27. Copyright 2016
EXPORT LOGS FOR FURTHER
FORENSIC INVESTIGATION
Click to export to
Excel
Click to export to
Excel

28. THE PROCESS IS KEY
• Many just throw tons of logs at a tool
• But less data can be better
• Best of breed:
• Start with the problem / anomaly / notable event
• Then use visualization to carve down the data
• Determine which logs need to be investigated
• Export those logs to case investigation
• “A Question Generator”
 NOT just answers to questions
Copyright 2016

29. SECURITY VISUALIZATION SOFTWARE
• Easy desktop analysis  “Ad Hoc Analytical Sandbox”
• Push results out over the web
• We allow you to:
• Mash-up unstructured data
Combine log data from HP ArcSight, Logger, Splunk, and other SIEM sources with existing data sources
from within your company using our data blending and in-memory-data capabilities
• Correlate machine data with other structured data
Enable security analysts to correlate, analyze and visualize machine data with other structured data for
advanced business analytics.
• Blend, synthesize, and structure data
Perform numeric, string, and date calculations within and across tables. Sort IP addresses properly, test for
subnet inclusion, adjust time stamps to one time zone (e.g., GMT).
• Visually explore, slice and dice data, and then export results
Explore source / destination correlation, time trends of alerts and qualified threats. Ad hoc threat
investigation
• Build and deploy descriptive & predictive models
Use our no-coding analytical sandbox modelling capabilities to determine the common factors in various
anomalies, and then create scores to flag future incidents
• Securely access reports and analyses
Distribute impact reports and dashboards across the organization for easy consumption in a web browser
Copyright 2016

30. ADVIZOR: CSO50 2015 AWARD
Copyright 2016

31. Discussion, Q&A
Follow-up: Doug.Cogswell@AdvizorSolutions.com, +1.630.971.5201
www.AdvizorSolutions.com
Copyright 2016
Find the needle in the haystack.