Data Connectors San Antonio Cybersecurity Conference 2018
Download as PPTX, PDF0 likes207 views
This document discusses operationalizing big data security analytics. It provides lessons learned from case studies of implementing security analytics at various organizations. The key lessons are: 1) Security analytics should help analysts deal with fewer, higher-quality alerts rather than more alerts. 2) It is important to test the mathematical models on historical data to validate the analytics can surface useful threats. 3) Metrics must be defined to measure the impact and ensure the analytics are optimized over time for the organization's needs. The document advocates agreeing on use cases, evaluating results, assessing risk level, and ensuring feedback for continuous improvement.
Data Connectors San Antonio Cybersecurity Conference 2018
- 1. 1 | © 2018 Interset Software How to Operationalize Big Data Security Analytics Roy Wilds Field Data Scientist Interset.AI
- 2. 2 | © 2018 Interset Software Welcome About Interset • 75 employees & growing • 450% ARR growth • Data science & analytics focused on cybersecurity • 100 person-years of Anomaly Detection R&D • Offices in Ottawa, Canada & Newport Beach, California Partners About Me • Data miner scientist since 2006 • 4+ years building machine learning systems for threat hunting • 8 years experience using Hadoop for large scale advanced analytics Field Data Scientist • Identify valuable data feeds • Optimize system for use cases We uncover the threats that matter!
- 3. 3 | © 2018 Interset Software 3 | © 2018 Interset Software What is AI-Based Security Analytics About? Advanced analytics to help you catch the bad guys
- 4. 4 | © 2018 Interset Software 4 | © 2018 Interset Software zz Increasing Threat Hunting Efficiency Low Success Rate SOC Cycle Generate Highly Anomalous Threat Leads
- 5. 5 | © 2018 Interset Software 5 | © 2018 Interset Software Increasing Visibility by Augmenting Existing Tools SECURITY ANALYTICS SIEM IAMENDPOINT BUSINESS APPLICATIONS CUSTOM DATA NETWORK DLP SIEM IAMENDPOINT NETWORK DLP
- 6. 6 | © 2018 Interset Software 6 | © 2018 Interset Software Case Study #1: Every SOC Billions of events analyzed with machine learning Anomalies discovered by data science High quality “most wanted” list Data, Data, Data! Users, machines, files, projects, servers, sharing behavior, resource, websites, IP Addresses and more 5,210,465,083
- 7. 7 | © 2018 Interset Software 7 | © 2018 Interset Software z Lesson #1: Less Alerts, Not More Solution should help you deal with less alerts, not more alerts Solution should leverage sound statistical methods to reduce false positives and noise Should allow you to do more with the limited resources you have Recommendations Measure and quantify the amount of work effort involved with and without the Security Analytics system
- 8. 8 | © 2018 Interset Software Telecom • Potential Data Staging/Theft • Account Compromise • Lateral Movement Indicators Healthcare • Data Theft Defense • Incident Response Field Examples
- 9. 9 | © 2018 Interset Software 9 | © 2018 Interset Software Case Study #2: Large Telco The Situation • Highly secure & diverse environment – protected by multiple security products The Challenge • Large rule/policy set developed • Too many indicators to optimize threat leads • Inefficient SOC cycle The Solution • Surface mathematically valid leads – ”legit anomalies” • Unique normal baselines – removes threshold/rule limitations Google Drive • Permissive controls • Personal/external sharing Authentication • Sudden change in workstation access • Odd working hours USB • Sudden increase in file copy volumes
- 10. 10 | © 2018 Interset Software 10 | © 2018 Interset Software z Lesson #2: The Math Matters – Test It Recommendations • Agree on the use cases in advance • Use a proof-of-concept with historical/existing data to test the SA’s math • Engage red team or pen testing if available • Evaluate the results: Do they support the use cases? Google Drive • Permissive controls • Personal/external sharing USB • Sudden increase in file copy volumes Authentication • Sudden change in workstation access • Odd working hours • Data Theft • Data Staging • Lateral Movement • Account Compromise
- 11. 11 | © 2018 Interset Software 11 | © 2018 Interset Software Case Study #3: Healthcare Records & Payments Profile: 6.5 billion transactions annually, 750+ customers, 500+ employees Team of 7: CISO, 1 security architect, 3 security analysts, 2 network security Analytics surfaced (for example) an employee who attempted to move “sensitive data” from endpoint to personal Dropbox Employee was arrested and prosecuted using incident data Focus and prioritized incident responses Incident alert accuracy increased from 28% to 92% Incident mitigation coverage doubled from 70 per week to 140
- 12. 12 | © 2018 Interset Software 12 | © 2018 Interset Software Lesson #3: Meaningful Metrics Hawthorne Effect: Whatever gets measured, gets optimized Recommendations Define meaningful operational metrics (not just “false positives”) Build a process for measuring and quantifying over time, not just during a pilot Ensure the Security Analytics system supports a feedback process to adjust the analytics to support your target metrics
- 13. 13 | © 2018 Interset Software 13 | © 2018 Interset Software What Have We Learned? Lessons Learned The Math Matters – Test It Less Alerts, Not More Automated, Measured Responses Meaningful Metrics Recommendations Agree on the use cases in advance Evaluate results with and without security analytics system Assess risk level, not binary alert Ensure integrated feedback and automated response
- 14. 14 | © 2018 Interset Software 14 | © 2018 Interset Software QUESTIONS? Roy Wilds – Field Data Scientist @roywilds Learn more at Interset.AI
- 15. 15 | © 2018 Interset Software How Millions of Events Become Qualified Threats Leads ACQUIRE DATA CREATE UNIQUE BASELINES DETECT, MEASURE AND SCORE ANOMALIES HIGH QUALITY THREAT LEADS INTERNAL RECON INFECTED HOST DATA STAGING & THEFT COMPROMISED ACCOUNT LATERAL MOVEMENT ACCOUNT MISUSE CUSTOM FRAUD Contextual views. Drill-down and cyber-hunting. Broad data collection DLP ENDPOINT Buz Apps CUSTOM DATA NETWORK IAM Determine what is normal Gather the raw materials Find the behavior that matters W orkflow engine for incident response.
- 16. 16 | © 2018 Interset Software 16 | © 2018 Interset Software About Interset.AI SECURITY ANALYTICS LEADER PARTNERSABOUT US Data science & analytics focused on cybersecurity 100 person-years of security analytics and anomaly detection R&D Offices in Ottawa, Canada; Newport Beach, CA Interset.AI
Editor's Notes
- #16: 4 key components you need for an effective security analytics solution -You need to compute unique normal -You need unsupervised machine learning – making no assumptions as to behavior or distribution of data. In fact, these types of datasets involved in insider attacks rarely have much meta-data that describes the data itself. -You need a Big Data infrastructure – need the ability to compute at scale in a cost effective manner -You need a mathematical framework – to ingest billions of events every day and reduce it down to a handful of real threat leads. -Also, the ability to integrate into your security eco-system is critical so the solution is completely API driven