Machine Learning for Threat Detection

A presentation by Harry McLaren at The Cyber Academy

  • Slide: Title
  • Slide: Introduction
  • Slide: Machine Data
  • Slide: Problem – Legacy SIEM
  • Slide: Evidence
    The same survey showed that over half of the respondents are trying to employ more entry-level analysts to deal with the overwhelming (but largely worthless) alerts coming from their legacy SIEMs, and furthermore are turning to audits and compliance activities to overcome the SIEMs' drawbacks.

    Sources:
    http://www.bloomberg.com/research/markets/news/article.asp?docKey=600-201603150921MRKTWIREUSPR_____1249121-1
    http://www.information-age.com/technology/information-management/123461162/why-big-data-and-siem-dont-always-equal-big-answers-security
  • Slide: Technology Development
  • Slide: Events Overload
  • Slide: Splunk Security Platform
  • Slide: Machine Learning Evolution
  • Slide: Solution – Splunk UBA

    Splunk User Behavior Analytics is a cyber security and threat detection solution that helps organisations find hidden threats without relying on rules, signatures or manual analysis.
    It uses behaviour modelling, peer group analysis, real-time statistical analysis, collaborative filtering and other machine learning techniques.
    Customer case studies report a 99% reduction in notable events, enabling analysts to focus on important threats rather than spending time confirming false positives.


    Attack Defenses
      • User & Entity Behavior Baseline
      • Behavioral Peer Group Analysis
      • Insider Threat Detection
      • IP Reputation Analysis
      • Reconnaissance, Botnet and C&C Analysis
      • Statistical Analysis
      • Data Exfiltration Models
      • Lateral Movement Analysis
      • Polymorphic Attack Analysis
      • Cyber Attack / External Threat Detection
      • Entropy/Rare Event Detection
      • User/Device Dynamic Fingerprinting
      • Threat Attack Correlation

    Data Sources
    Key:
      • Identity/Authentication
        • Active Directory/Domain Controller
        • Single Sign-on
        • HRIS
        • VPN
        • DNS, DHCP
      • Activity
        • Web Gateway
        • Proxy Server
        • Firewall
        • DLP
      • Security Products
        • Malware
        • Endpoint
        • IDS, IPS, AV
    Optional:
      • SaaS/Mobile
        • AWS CloudTrail
        • Box, SF.com, Dropbox, other SaaS apps
        • Mobile Devices
      • External Threat Feeds
        • Threat Stream, FS-ISAC or other blacklists for IPs/domains


  • Slide: Example – Insider Threat
  • Slide: Behaviour Modelling

    Categories
      • Deviation from Baseline
        • Time series
        • Rarity, probabilistic difference
        • Rare sequences
        • Outliers
      • Advanced Behaviour Detection
        • Beaconing
        • Exploit kit
        • Malware for HTTP
        • Malware for IP
        • Webshell
      • Graph Models
        • Lateral movement
        • Resource access
      • Helper Models
        • Anomalies based on rules
        • External alarm handlers
      • Session Building
        • Connection between events
        • Track activity from different perspectives in a kill chain
      • Threat Models
        • Graph-based models
        • Session-based models
        • Rule-based models

  • Demo
  • Machine Learning for Threat Detection

    1. USER BEHAVIOURAL ANALYTICS – Machine Learning for Threat Detection. Harry McLaren – Security Consultant at ECS
    2. HARRY MCLAREN
       • Alumnus of Edinburgh Napier
       • Security Consultant at ECS
       • SOC & CSIR Development
       • Splunk Consultant & Architect
    3. ACCELERATING PACE OF DATA: Volume | Velocity | Variety | Variability
    4. Legacy SIEM type technologies aren’t enough to detect insider threats and advanced adversaries and are poorly designed for rapid incident response. [SIEM - Security Information & Event Management]
    5. 2016 SIEM Efficiency Survey (conducted by Netwrix)
       • Inadequate Contextual Data: 68% of respondents in the survey said that reports often only indicated changes without specifying what the change was.
       • Innocuous Events of Interest: 81% of respondents said that SIEM reports contain too much extraneous information and were overwhelmed with false positives.
    6. TECHNOLOGY DEVELOPMENT / CAPABILITY EVOLUTION: 1995 End-point security | 2002 Network security | 2008 Early correlation | 2011 Payload analysis | 2015 Behavior analysis
    7. KILL CHAIN - EVENTS OVERLOAD
    8. SECURITY PLATFORM: Detecting unknown threats | Security & compliance reporting | Incident investigations & forensics | Real-time monitoring of known threats | Detection of insider threats | Detection of advanced cyber attacks (Splunk Enterprise Security, Splunk UBA)
    9. MACHINE LEARNING EVOLUTION (evolution vs. complexity): Rules - threshold | Policy - threshold | Policy - statistics | Unsupervised machine learning | Policy - peer group statistics | Supervised machine learning
    10. WHAT IS SPLUNK USER BEHAVIORAL ANALYTICS? Detect advanced cyberattacks | Detect malicious insider threats | Anomaly detection | Threat detection | Unsupervised machine learning | Behavior baselining & modeling | Real-time & big data architecture
    11. INSIDER THREAT - USER ACTIVITY (Day 1 .. Day 2 .. Day N)
       • John connects via VPN
       • Administrator performs ssh (root) to a file share - finance department
       • John executes remote desktop to a system (administrator) - PCI zone
       • John elevates his privileges
       • root copies the document to another file share - Corporate zone
       • root accesses a sensitive document from the file share
       • root uses a set of Twitter handles to chop and copy the data outside the enterprise
    12. MULTI-ENTITY BEHAVIORAL MODEL: Application | User | Host | Network | Data
    13. UBA 2.2 LATEST FEATURES
       • Threat Modeling Framework - create custom threats using 60+ anomalies.
       • Enhanced Security Analytics - visibility and baseline metrics around user, device, application and protocols.
       • Risk Percentile & Dynamic Peer Groups
       • Support for Additional 3rd Party Devices
    14. QUESTIONS / CONTACT: twitter.com/cyberharibu | harry.mclaren@ecs.co.uk | harrymclaren.co.uk/blog
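The three signals that the Behaviour Modelling notes list (deviation from a user's own baseline, peer group comparison and rare-event detection), worked through on the insider-threat timeline from slide 11, as an added example that is not part of the presentation or of Splunk UBA. The users, department, zone names and the ten-day event history are constructed.

```python
"""Toy UBA-style scoring over constructed access events (not Splunk UBA's own
models): per-user baseline deviation, peer-group comparison, rare-event detection."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed ten-day baseline: (day, user, dept, zone). Each user touches
# "corp" once or twice a day; bob also uses the finance share every day.
BASELINE = []
for day in range(1, 11):
    for user in ("john", "alice", "bob"):
        BASELINE += [(day, user, "finance", "corp")] * (1 + day % 2)
    BASELINE.append((day, "bob", "finance", "finance-share"))

# Constructed day 11: john's activity follows the insider-threat slide (a share
# he never used, then repeated PCI-zone access); his peers behave as usual.
TODAY = [(11, "john", "finance", z) for z in ("corp", "finance-share", "pci", "pci", "pci")]
TODAY += [(11, "alice", "finance", "corp"),
          (11, "bob", "finance", "corp"), (11, "bob", "finance", "finance-share")]

def daily_counts(events):
    """Map each user to the list of their per-day event counts (baseline history)."""
    per_user = defaultdict(Counter)
    for day, user, _, _ in events:
        per_user[user][day] += 1
    return {u: [c[d] for d in sorted(c)] for u, c in per_user.items()}

def zscore(x, values):
    """Standard score of x against a sample; 0 when the sample is constant and x matches it."""
    mu, sd = mean(values), pstdev(values)
    return (x - mu) / sd if sd else (0.0 if x == mu else float("inf"))

def score_user(user, baseline, today, z_threshold=3.0):
    """Three UBA-style signals for one user on the new day, plus a combined flag."""
    hist = daily_counts(baseline)
    dept = next(dp for _, u, dp, _ in baseline if u == user)
    peers = {u for _, u, dp, _ in baseline if dp == dept and u != user}
    today_events = [e for e in today if e[1] == user]
    # 1. Deviation from baseline: today's volume against the user's own history
    volume_z = zscore(len(today_events), hist[user])
    # 2. Peer-group analysis: today's volume against what the peers usually do
    peer_z = zscore(len(today_events), [v for p in peers for v in hist[p]])
    # 3. Rare event: zones this user never touched during the baseline period
    seen = {z for _, u, _, z in baseline if u == user}
    new_zones = sorted({z for _, _, _, z in today_events} - seen)
    flagged = volume_z > z_threshold or peer_z > z_threshold or bool(new_zones)
    return {"volume_z": volume_z, "peer_z": peer_z, "new_zones": new_zones, "flagged": flagged}
```

Calling `score_user("john", BASELINE, TODAY)` flags john on all three signals while his peers alice and bob stay below the threshold with no new zones.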
