1 | © 2018 Interset Software
How to Operationalize Big Data Security Analytics
Roy Wilds
Field Data Scientist
Interset.AI
2 | © 2018 Interset Software
Welcome
About Interset
• 75 employees & growing
• 450% ARR growth
• Data science & analytics focused on cybersecurity
• 100 person-years of Anomaly Detection R&D
• Offices in Ottawa, Canada & Newport Beach, California
Partners
About Me
• Data miner scientist since 2006
• 4+ years building machine learning systems for threat hunting
• 8 years experience using Hadoop for large scale advanced analytics
Field Data Scientist
• Identify valuable data feeds
• Optimize system for use cases
We uncover the threats that matter!
3 | © 2018 Interset Software
What is AI-Based Security Analytics About?
Advanced analytics to help you catch the bad guys
4 | © 2018 Interset Software
Increasing Threat Hunting Efficiency
Low Success Rate SOC Cycle -> Generate Highly Anomalous Threat Leads
5 | © 2018 Interset Software
Increasing Visibility by Augmenting Existing Tools
Security Analytics layered over the existing tools: SIEM, IAM, Endpoint, Business Applications, Custom Data, Network, DLP
6 | © 2018 Interset Software
Case Study #1: Every SOC
Billions of events analyzed with machine learning -> Anomalies discovered by data science -> High quality “most wanted” list
Data, Data, Data!
Users, machines, files, projects, servers, sharing behavior, resources, websites, IP addresses and more
5,210,465,083
7 | © 2018 Interset Software
Lesson #1: Fewer Alerts, Not More
• Solution should help you deal with fewer alerts, not more alerts
• Solution should leverage sound statistical methods to reduce false positives and noise
• Should allow you to do more with the limited resources you have
Recommendations
Measure and quantify the amount of work effort involved with and without the Security Analytics system
8 | © 2018 Interset Software
Field Examples
Telecom
• Potential Data Staging/Theft
• Account Compromise
• Lateral Movement Indicators
Healthcare
• Data Theft
Defense
• Incident Response
9 | © 2018 Interset Software
Case Study #2: Large Telco
The Situation
• Highly secure & diverse environment – protected by multiple security products
The Challenge
• Large rule/policy set developed
• Too many indicators to optimize threat leads
• Inefficient SOC cycle
The Solution
• Surface mathematically valid leads – “legit anomalies”
• Unique normal baselines – removes threshold/rule limitations
Google Drive
• Permissive controls
• Personal/external sharing
Authentication
• Sudden change in workstation access
• Odd working hours
USB
• Sudden increase in file copy volumes
10 | © 2018 Interset Software
Lesson #2: The Math Matters – Test It
Recommendations
• Agree on the use cases in advance
• Use a proof-of-concept with historical/existing data to test the SA’s math
• Engage red team or pen testing if available
• Evaluate the results: Do they support the use cases?
Google Drive
• Permissive controls
• Personal/external sharing
USB
• Sudden increase in file copy volumes
Authentication
• Sudden change in workstation access
• Odd working hours
Use Cases
• Data Theft
• Data Staging
• Lateral Movement
• Account Compromise
11 | © 2018 Interset Software
Case Study #3: Healthcare Records & Payments
• Profile: 6.5 billion transactions annually, 750+ customers, 500+ employees
• Team of 7: CISO, 1 security architect, 3 security analysts, 2 network security
• Analytics surfaced (for example) an employee who attempted to move “sensitive data” from endpoint to personal Dropbox
• Employee was arrested and prosecuted using incident data
Focused and prioritized incident responses
Incident alert accuracy increased from 28% to 92%
Incident mitigation coverage doubled from 70 per week to 140
12 | © 2018 Interset Software
Lesson #3: Meaningful Metrics
Hawthorne Effect: Whatever gets measured, gets optimized
Recommendations
• Define meaningful operational metrics (not just “false positives”)
• Build a process for measuring and quantifying over time, not just during a pilot
• Ensure the Security Analytics system supports a feedback process to adjust the analytics to support your target metrics
13 | © 2018 Interset Software
What Have We Learned?
Lessons Learned
• The Math Matters – Test It
• Fewer Alerts, Not More
• Automated, Measured Responses
• Meaningful Metrics
Recommendations
• Agree on the use cases in advance
• Evaluate results with and without the security analytics system
• Assess risk level, not binary alert
• Ensure integrated feedback and automated response
14 | © 2018 Interset Software
QUESTIONS?
Roy Wilds – Field Data Scientist
@roywilds
Learn more at Interset.AI
15 | © 2018 Interset Software
How Millions of Events Become Qualified Threat Leads
• Acquire data: gather the raw materials (broad data collection from DLP, Endpoint, Business Apps, Custom Data, Network and IAM)
• Create unique baselines: determine what is normal
• Detect, measure and score anomalies: find the behavior that matters
• High quality threat leads: internal recon, infected host, data staging & theft, compromised account, lateral movement, account misuse, custom, fraud
• Contextual views, drill-down and cyber-hunting; workflow engine for incident response
16 | © 2018 Interset Software
About Interset.AI
SECURITY ANALYTICS LEADER | PARTNERS | ABOUT US
Data science & analytics focused on cybersecurity
100 person-years of security analytics and anomaly detection R&D
Offices in Ottawa, Canada; Newport Beach, CA
Interset.AI

Data Connectors San Antonio Cybersecurity Conference 2018


Speaker notes

1. 4 key components you need for an effective security analytics solution:
• You need to compute unique normal
• You need unsupervised machine learning, making no assumptions as to the behavior or distribution of the data. In fact, the types of datasets involved in insider attacks rarely have much metadata that describes the data itself.
• You need a Big Data infrastructure: the ability to compute at scale in a cost-effective manner
• You need a mathematical framework to ingest billions of events every day and reduce them down to a handful of real threat leads
• Also, the ability to integrate into your security ecosystem is critical, so the solution is completely API driven
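Added example (not from the deck and not Interset's software) that walks the slide 15 pipeline on constructed data: per-user "unique normal" baselines built from history, a rank-based anomaly score that assumes nothing about the distribution (the speaker notes' unsupervised point), and a with/without comparison against a fixed global threshold rule using precision, the kind of measurement Lessons 2 and 3 recommend. The user names, daily USB copy volumes, the staging label, the 100-file rule and the 0.97 cut-off are all assumed values.

```python
"""Per-user 'unique normal' baselines scored without distribution assumptions,
compared with a single global threshold rule on constructed, labelled events.
Added example, not Interset's code: users, volumes and labels are made up."""
from collections import defaultdict
from typing import Dict, List, Tuple

# (day, user, files copied to USB that day, labelled as data staging?)
Event = Tuple[int, str, int, bool]
# (score, day, user, volume, labelled) for anything an approach surfaces
Lead = Tuple[float, int, str, int, bool]


def constructed_events() -> Tuple[List[Event], List[Event]]:
    """30 days of history plus a 5-day evaluation window for two users.
    The backup operator routinely copies ~1000 files a day; the analyst
    copies a handful, except on one labelled data-staging day."""
    history: List[Event] = []
    for day in range(30):
        history.append((day, "backup-op", 900 + (day % 7) * 40, False))
        history.append((day, "analyst", 3 + (day % 4), False))
    window: List[Event] = []
    for day in range(30, 35):
        window.append((day, "backup-op", 950 + (day % 5) * 30, False))
        staging = day == 33
        window.append((day, "analyst", 120 if staging else 4, staging))
    return history, window


def build_baselines(history: List[Event]) -> Dict[str, List[int]]:
    """Unique normal per entity: each user's own sorted history, no global model."""
    per_user: Dict[str, List[int]] = defaultdict(list)
    for _, user, volume, _ in history:
        per_user[user].append(volume)
    return {user: sorted(vols) for user, vols in per_user.items()}


def anomaly_score(baseline: List[int], value: int) -> float:
    """Empirical tail score in [0, 1]: the fraction of the user's own past
    observations strictly below the new value. Rank-based, so it assumes
    nothing about how the volumes are distributed."""
    below = sum(1 for v in baseline if v < value)
    return below / len(baseline)


def baseline_leads(history: List[Event], window: List[Event],
                   min_score: float = 0.97) -> List[Lead]:
    """Score window events against their own user's baseline and return the
    leads ranked best first. With only 30 history points a score >= 0.97
    means the value exceeds everything the user has done before; more
    history gives the score finer resolution."""
    baselines = build_baselines(history)
    leads: List[Lead] = []
    for day, user, volume, labelled in window:
        base = baselines.get(user)
        if not base:  # unseen entity: no baseline yet, so no score rather than a guess
            continue
        score = anomaly_score(base, volume)
        if score >= min_score:
            leads.append((score, day, user, volume, labelled))
    return sorted(leads, reverse=True)


def rule_alerts(window: List[Event], threshold: int = 100) -> List[Lead]:
    """A fixed global rule of the kind a SIEM policy encodes: every event over
    the threshold is an alert, regardless of who generated it."""
    return [(1.0, day, user, volume, labelled)
            for day, user, volume, labelled in window if volume > threshold]


def precision(alerts: List[Lead]) -> float:
    """Share of surfaced items that were labelled true: one meaningful metric
    for comparing approaches on the same historical data."""
    return sum(1 for a in alerts if a[4]) / len(alerts) if alerts else 0.0


def compare() -> Dict[str, Dict[str, float]]:
    """Run both approaches over the same window and report alert count and precision."""
    history, window = constructed_events()
    rule, base = rule_alerts(window), baseline_leads(history, window)
    return {"rule": {"alerts": len(rule), "precision": precision(rule)},
            "baseline": {"alerts": len(base), "precision": precision(base)}}


if __name__ == "__main__":
    for approach, stats in compare().items():
        print(f"{approach:9s} alerts={stats['alerts']:.0f} precision={stats['precision']:.2f}")
```

On this data the global rule fires on every routine backup-operator day and yields six alerts with one true, while the per-user baseline surfaces only the analyst's staging day.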