Data Connectors San Antonio Cybersecurity Conference 2018

Slide 1 | © 2018 Interset Software
How to Operationalize Big Data Security Analytics
Roy Wilds, Field Data Scientist, Interset.AI
Slide 2
Welcome

About Interset
• 75 employees & growing
• 450% ARR growth
• Data science & analytics focused on cybersecurity
• 100 person-years of Anomaly Detection R&D
• Offices in Ottawa, Canada & Newport Beach, California
Partners

About Me
• Data mining scientist since 2006
• 4+ years building machine learning systems for threat hunting
• 8 years experience using Hadoop for large scale advanced analytics

Field Data Scientist
• Identify valuable data feeds
• Optimize system for use cases

We uncover the threats that matter!
Slide 3
What is AI-Based Security Analytics About?
Advanced analytics to help you catch the bad guys
Slide 4
Increasing Threat Hunting Efficiency
(Diagram: Low Success Rate SOC Cycle → Generate Highly Anomalous Threat Leads)
Slide 5
Increasing Visibility by Augmenting Existing Tools
(Diagram: Security Analytics layered on top of the existing sources: SIEM, IAM, Endpoint, Network, DLP, Business Applications, Custom Data)
Slide 6
Case Study #1: Every SOC
(Diagram: billions of events analyzed with machine learning → anomalies discovered by data science → high quality "most wanted" list)
Data, Data, Data!
Users, machines, files, projects, servers, sharing behavior, resources, websites, IP addresses and more
5,210,465,083
Slide 7
Lesson #1: Less Alerts, Not More
• Solution should help you deal with less alerts, not more alerts
• Solution should leverage sound statistical methods to reduce false positives and noise
• Should allow you to do more with the limited resources you have
Recommendations
• Measure and quantify the amount of work effort involved with and without the Security Analytics system
Slide 8
Field Examples
Telecom
• Potential Data Staging/Theft
• Account Compromise
• Lateral Movement Indicators
Healthcare
• Data Theft
Defense
• Incident Response
Slide 9
Case Study #2: Large Telco
The Situation
• Highly secure & diverse environment – protected by multiple security products
The Challenge
• Large rule/policy set developed
• Too many indicators to optimize threat leads
• Inefficient SOC cycle
The Solution
• Surface mathematically valid leads – "legit anomalies"
• Unique normal baselines – removes threshold/rule limitations
Example indicators
Google Drive
• Permissive controls
• Personal/external sharing
Authentication
• Sudden change in workstation access
• Odd working hours
USB
• Sudden increase in file copy volumes
Slide 10
Lesson #2: The Math Matters – Test It
Recommendations
• Agree on the use cases in advance
• Use a proof-of-concept with historical/existing data to test the SA's math
• Engage red team or pen testing if available
• Evaluate the results: Do they support the use cases?
(Diagram: observed indicators mapped to use cases)
Indicators: Google Drive (permissive controls; personal/external sharing), USB (sudden increase in file copy volumes), Authentication (sudden change in workstation access; odd working hours)
Use cases: Data Theft, Data Staging, Lateral Movement, Account Compromise
Slide 11
Case Study #3: Healthcare Records & Payments
Profile: 6.5 billion transactions annually, 750+ customers, 500+ employees
Team of 7: CISO, 1 security architect, 3 security analysts, 2 network security
Analytics surfaced (for example) an employee who attempted to move "sensitive data" from endpoint to personal Dropbox
Employee was arrested and prosecuted using incident data
Focused and prioritized incident responses
Incident alert accuracy increased from 28% to 92%
Incident mitigation coverage doubled from 70 per week to 140
Slide 12
Lesson #3: Meaningful Metrics
Hawthorne Effect: Whatever gets measured, gets optimized
Recommendations
• Define meaningful operational metrics (not just "false positives")
• Build a process for measuring and quantifying over time, not just during a pilot
• Ensure the Security Analytics system supports a feedback process to adjust the analytics to support your target metrics
Slide 13
What Have We Learned?
Lessons Learned
• The Math Matters – Test It
• Less Alerts, Not More
• Automated, Measured Responses
• Meaningful Metrics
Recommendations
• Agree on the use cases in advance
• Evaluate results with and without security analytics system
• Assess risk level, not binary alert
• Ensure integrated feedback and automated response
Slide 14
QUESTIONS?
Roy Wilds – Field Data Scientist
@roywilds
Learn more at Interset.AI
Slide 15
How Millions of Events Become Qualified Threat Leads
(Pipeline diagram)
• ACQUIRE DATA – gather the raw materials: broad data collection from DLP, Endpoint, Business Apps, Custom Data, Network, IAM
• CREATE UNIQUE BASELINES – determine what is normal
• DETECT, MEASURE AND SCORE ANOMALIES – find the behavior that matters
• HIGH QUALITY THREAT LEADS – Internal Recon, Infected Host, Data Staging & Theft, Compromised Account, Lateral Movement, Account Misuse, Custom, Fraud; contextual views, drill-down and cyber-hunting; workflow engine for incident response
Slide 16
About Interset.AI
(Tabs: Security Analytics Leader, Partners, About Us)
• Data science & analytics focused on cybersecurity
• 100 person-years of security analytics and anomaly detection R&D
• Offices in Ottawa, Canada; Newport Beach, CA
Interset.AI
Editor's notes
4 key components you need for an effective security analytics solution:
- You need to compute unique normal
- You need unsupervised machine learning – making no assumptions as to the behavior or distribution of the data. In fact, the datasets involved in insider attacks rarely have much metadata that describes the data itself.
- You need a Big Data infrastructure – the ability to compute at scale in a cost-effective manner
- You need a mathematical framework – to ingest billions of events every day and reduce them down to a handful of real threat leads
- Also, the ability to integrate into your security eco-system is critical, so the solution is completely API driven
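The "compute unique normal" component above, and the unique-baseline step of slide 15, as an added example that is not from the deck or from Interset's product: each user's daily USB file-copy counts get their own robust baseline (median and MAD), and a new day is scored against that baseline and against a fixed global rule, showing where a one-size-fits-all threshold fires on a user whose high volume is normal for them. All users, counts and the threshold are constructed.

```python
from statistics import median
from collections import defaultdict

# Constructed sample: (user, day, files copied to USB that day). Days 0-9 are
# history; day 10 is the day being scored. Not data from the deck.
USB_EVENTS = [
    ("alice", d, n) for d, n in enumerate([5, 4, 6, 5, 7, 5, 4, 6, 5, 5, 48])
] + [
    ("bob", d, n) for d, n in enumerate([40, 45, 38, 50, 42, 44, 47, 41, 43, 46, 48])
]

GLOBAL_THRESHOLD = 30  # a fixed rule: any day over 30 files raises an alert


def baselines(events, history_days):
    """Per-user 'unique normal': median and MAD of daily counts over the
    history window. Median/MAD are robust to a few outliers in the history."""
    per_user = defaultdict(list)
    for user, day, n in events:
        if day < history_days:
            per_user[user].append(n)
    out = {}
    for user, counts in per_user.items():
        med = median(counts)
        mad = median(abs(c - med) for c in counts) or 1.0  # guard against MAD of 0
        out[user] = (med, mad)
    return out


def robust_z(value, baseline):
    """Modified z-score: 0.6745 scales MAD to be comparable to a std dev."""
    med, mad = baseline
    return 0.6745 * (value - med) / mad


def score_day(events, day, history_days=10, z_cutoff=3.5):
    """Score each user's count on `day` against their own baseline and against
    the fixed rule, so the two approaches can be compared side by side."""
    base = baselines(events, history_days)
    results = {}
    for user, d, n in events:
        if d != day:
            continue
        z = robust_z(n, base[user])
        results[user] = {
            "count": n,
            "robust_z": round(z, 2),
            "baseline_alert": z > z_cutoff,      # unique-normal anomaly
            "rule_alert": n > GLOBAL_THRESHOLD,  # static threshold rule
        }
    return results
```

On day 10 both users copy 48 files: the static rule fires for both, while the per-user baseline flags only alice, whose normal is about 5 files a day.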