NEXT GENERATION
SECURITY ANALYTICS
CHRISTIAN HAVE
@CKHAVE
CH@LOGPOINT.COM
ATTACKERS NAVIGATE A GRAPH.
DEFENDERS TYPICALLY THINK
IN POINT-SOLUTIONS
ME!
ACADEMIC PSEUDO-INTELLECTUALISM
THE PATH OF LEAST RESISTANCE
GRAPHS?
NAVIGATING A GRAPH
▸ Expensive exploits are expensive, so they are used sparingly
▸ Use the least expensive weapon that works
▸ Cost of 0day exploits
▸ Use once == expensive: a 0day is typically burned on first use, so its whole price has to be recovered from that one target
DEFENDERS THINK IN POINT SOLUTIONS
IMPLEMENTING MOVIE-PLOT POINTS
▸ Natural-path engineering: lay out the buildings, then let people find the paths
▸ We find the best way forward
▸ We get around controls - it’s in our nature.
MOTIVATION IS NOT IMPACTED BY
CONTROLS.
AS LONG AS THE ATTACK IS ECONOMICALLY
FEASIBLE MOTIVATION REMAINS.
ME!
ACADEMIC PSEUDO-INTELLECTUALISM
MOTIVATION AND ECONOMIC BENEFIT
▸ The implementation of the “child pornography filter” did not
change the number of convictions in Denmark
▸ It did move the activity off the “open” Internet
▸ Introducing a censorship filter against incitement to terrorism will not
solve the problem of radicalising the youth
▸ It will move it from the “open” Internet somewhere else
▸ The clearing of Pusher Street in Christiania did not stop the
sale of marijuana
▸ It did move it out of the open
▸ Laws work wonders for law-abiding citizens
ECONOMIC BENEFIT
▸ Paedophiles will not stop because of a DNS block,
regardless of the penalty
▸ Buying marijuana does not carry a penalty in Denmark
▸ Selling marijuana does not carry a penalty
(besides whatever you have on you at the point of arrest)
▸ We can only start winning once we understand what
“winning” is and what game we are actually playing
WE FIGHT HUMAN NATURE.
PICKING THE RIGHT BATTLE IS
KEY FOR WINNING.
ME
PICKING THE RIGHT BATTLE
WE WANT THE EASIEST ATTACKS.
NOT THE HARDEST.
ME
WINNING THE RIGHT BATTLE
EASY ATTACKS - SINCE WE CAN’T AVOID ATTACKS
SURRENDERING?
▸ Attackers are lazy
▸ Attackers optimise cost (0days are spent only when nothing cheaper works)
▸ Controls raise the cost of attacks
▸ ...and push attackers towards routes that are harder to detect
▸ Controls are not “free”
▸ Cancer screening has a higher mortality than not
screening
▸ Anti-virus engines are themselves points of infection (privileged parsers of untrusted input)
▸ Accept that attacks will happen
▸ Deal with the attacks when they happen
▸ Either don’t screen for cancer, or use the controls to move the attackers
away from the obvious routes
EASY ATTACKS - SINCE THEY CAN’T BE AVOIDED
NOT SURRENDERING - PICKING THE BATTLEFIELD
▸ Defensively design your security architecture
▸ Understand its weaknesses
▸ Exploit those weaknesses: they are where the attacks will come
▸ Monitor and gather intelligence, and defend smarter
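The cost-driven attacker described on the slides above can be modelled literally as a weighted graph. What follows is an added example written for this page, not the speaker's code: a constructed attack graph with illustrative edge costs, a cheapest-path search for the path of least resistance, and a control modelled as a price multiplier on one technique. Node names, techniques and costs are hypothetical; the point it demonstrates is the deck's own, that a control moves the cheapest path to the next route rather than removing the attack.

```python
"""Attack graph as a cost-weighted digraph (added example, not the deck's own code).

Nodes are positions an attacker can hold, edges are techniques with an
illustrative cost. The path of least resistance is the cheapest path from
the entry node to the target; a control raises the cost of the edges it
covers rather than deleting them.
"""
import heapq
from typing import Dict, List, Tuple

# src -> dst -> (technique, cost). All names and costs are constructed.
Graph = Dict[str, Dict[str, Tuple[str, float]]]

ATTACK_GRAPH: Graph = {
    "internet": {
        "mail_user":  ("phishing", 1.0),
        "vpn":        ("credential stuffing", 5.0),
        "web_server": ("public webapp 0day", 50.0),  # use-once, hence expensive
    },
    "mail_user":    {"workstation": ("macro malware", 2.0)},
    "vpn":          {"workstation": ("valid VPN account", 1.0)},
    "workstation":  {"file_server": ("SMB lateral movement", 3.0),
                     "domain_admin": ("credential dumping", 4.0)},
    "web_server":   {"db_server": ("db connection string", 2.0)},
    "domain_admin": {"db_server": ("admin access", 0.5),
                     "file_server": ("admin access", 0.5)},
    "file_server":  {"db_server": ("backup credentials", 6.0)},
    "db_server":    {},
}


def cheapest_path(graph: Graph, src: str, dst: str):
    """Dijkstra over edge costs.

    Returns (total_cost, [(from, technique, to), ...]); (inf, []) if unreachable.
    """
    dist = {src: 0.0}
    prev: Dict[str, Tuple[str, str]] = {}
    queue: List[Tuple[float, str]] = [(0.0, src)]
    while queue:
        d, node = heapq.heappop(queue)
        if d > dist.get(node, float("inf")):
            continue  # stale queue entry
        if node == dst:
            break
        for nxt, (technique, cost) in graph.get(node, {}).items():
            nd = d + cost
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                prev[nxt] = (node, technique)
                heapq.heappush(queue, (nd, nxt))
    if dst not in dist:
        return float("inf"), []
    path = []
    node = dst
    while node != src:
        parent, technique = prev[node]
        path.append((parent, technique, node))
        node = parent
    path.reverse()
    return dist[dst], path


def apply_control(graph: Graph, technique: str, multiplier: float) -> Graph:
    """Model a control as a price increase on every edge that uses `technique`.

    The edge stays in the graph: the control deters, it does not remove the route.
    """
    return {
        src: {dst: (tech, cost * multiplier if tech == technique else cost)
              for dst, (tech, cost) in edges.items()}
        for src, edges in graph.items()
    }


if __name__ == "__main__":
    cost, path = cheapest_path(ATTACK_GRAPH, "internet", "db_server")
    print(f"before control: cost={cost} via {[t for _, t, _ in path]}")
    hardened = apply_control(ATTACK_GRAPH, "phishing", 10.0)
    cost, path = cheapest_path(hardened, "internet", "db_server")
    print(f"after anti-phishing control: cost={cost} via {[t for _, t, _ in path]}")
```

With these constructed costs the cheapest route in is phishing, macro malware, credential dumping, admin access at a total of 7.5. Making phishing ten times more expensive does not make the database safe: the cheapest route becomes credential stuffing against the VPN at 10.5, which is exactly the "attackers get around controls" point, and also tells the defender where to put the monitoring.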
ECONOMY OF THE DEFENCE
SHOULDN’T WE INVEST IN CONTROLS?
▸ Of course!
▸ Controls impose a cost on the
attacker
▸ The barrier to entry (cost of attack)
deters some, but typically only the
lowest end of the spectrum
▸ Controls deployed as point solutions invite
target fixation
▸ GDPR changes the economy of the
defence
CURRENT STATE
OF SECURITY ANALYTICS
INTRO
CURRENT STATE OF SECURITY ANALYTICS
COMPONENTS OF SECURITY ANALYTICS
Pipeline: DATA → INGEST → PROCESS → ANALYSE → PRESENT/VIZ → ACT
CURRENT STATE OF SECURITY ANALYTICS
▸ Nothing new.
▸ Everyone does syslog
▸ Everyone has an agent
▸ Some do Flow-analytics
▸ Some do application-level analytics
▸ Few do full-packet captures
DATA INGESTION
CURRENT STATE OF SECURITY ANALYTICS
▸ Inbound content must be structured
▸ Structure sometimes follows a common language
▸ Taxonomy, Ontology - whatever floats your boat
▸ Some content is sometimes enriched with metadata
▸ Threat Intel, GeoIP, Asset Management DB info etc.
▸ This part has to be fast - many vendors “cheat”
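As an added illustration of the ingest-and-process stage (example code written for this page, not any vendor's or the speaker's): three constructed syslog lines in two device formats are parsed into one common event schema and then enriched from constructed lookup tables standing in for GeoIP, an asset database and a threat-intel feed. The regexes, table contents, hostnames and IP addresses are all hypothetical.

```python
"""Normalise heterogeneous syslog lines into one schema, then enrich them.

Added example for this page; the log lines, lookup tables and indicator list
are constructed, and the addresses are documentation or RFC 1918 ranges.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: a firewall line, a failed and a successful SSH login.
SAMPLE_LOGS = [
    "<86>Oct 11 22:14:15 fw01 ASA-6-302013: Built inbound TCP connection "
    "from 203.0.113.9/44123 to 10.0.0.5/443",
    "<38>Oct 11 22:14:16 dc01 sshd[1234]: Failed password for admin "
    "from 198.51.100.77 port 51234 ssh2",
    "Oct 11 22:14:17 dc01 sshd[1234]: Accepted password for admin "
    "from 10.0.0.23 port 51235 ssh2",
]

SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d+)>)?(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$")
SSH_RE = re.compile(
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) "
    r"from (?P<src>[\d.]+) port (?P<sport>\d+)")
ASA_RE = re.compile(
    r"connection from (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+)")

# Constructed enrichment sources standing in for GeoIP, an asset DB and a TI feed.
GEOIP_PREFIXES = {"203.0.113.": "XX", "198.51.100.": "YY", "10.": "internal"}
ASSETS = {"10.0.0.5": "prod-web (criticality: high)",
          "dc01": "domain controller (criticality: high)"}
THREAT_INTEL = {"198.51.100.77"}


@dataclass
class Event:
    """The common schema every source is mapped onto."""
    ts: str
    host: str
    source: str
    action: Optional[str] = None
    user: Optional[str] = None
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    enrichment: Dict[str, str] = field(default_factory=dict)
    raw: str = ""


def normalise(line: str) -> Optional[Event]:
    """Parse the syslog envelope, then the source-specific message body."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # dropped here; a real pipeline would quarantine unparsed input
    ev = Event(ts=m["ts"], host=m["host"], source="syslog", raw=line)
    msg = m["msg"]
    if (s := SSH_RE.search(msg)):
        ev.source = "sshd"
        ev.action = "login_success" if s["result"] == "Accepted" else "login_failure"
        ev.user, ev.src_ip = s["user"], s["src"]
    elif (a := ASA_RE.search(msg)):
        ev.source = "asa"
        ev.action = "connection_built"
        ev.src_ip, ev.dst_ip = a["src"], a["dst"]
    return ev


def geo(ip: str) -> str:
    for prefix, country in GEOIP_PREFIXES.items():
        if ip.startswith(prefix):
            return country
    return "unknown"


def enrich(ev: Event) -> Event:
    """Attach metadata the raw line does not carry."""
    if ev.src_ip:
        ev.enrichment["src_geo"] = geo(ev.src_ip)
        if ev.src_ip in THREAT_INTEL:
            ev.enrichment["src_threat_intel"] = "match"
    target = ev.dst_ip or ev.host  # network events name a target IP, host events name the host
    if target in ASSETS:
        ev.enrichment["target_asset"] = ASSETS[target]
    return ev


def pipeline(lines: List[str]) -> List[Event]:
    return [enrich(ev) for ev in map(normalise, lines) if ev is not None]
```

The separation matters for the "this part has to be fast" point: the envelope parse and the per-source regex are the only work done on the hot path, and every enrichment is a dictionary lookup against tables that can be refreshed out of band.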
PROCESSING
ANALYSIS
▸ Analytics today is relatively simple
▸ Simple statistics
▸ Advanced statistics
▸ Patterns
▸ Known-bad, known-good analysis on more COTS
platforms
▸ Most vendors ship large bundles of pre-built alerts and correlation rules
SECURITY ANALYTICS
ANALYSIS
▸ Most vendors provide views on the raw data or an abstraction
of the raw data
▸ Most vendors provide a relatively easy way to setup views on
the raw or aggregated data for analytics
▸ Some vendors have great views when presenting alerts and
important events
▸ Few if any systems are able to present hierarchies of data, the
relationships between events and deviations on hierarchies
PRESENTATION
ANALYSIS
▸ Pie charts
▸ geo maps
▸ tables
▸ rows, columns and heatmaps
▸ Nothing you couldn’t do with Excel - and maybe that’s ok
DATA VISUALIZATION
ANALYSIS
▸ We collect syslog, application data and network data
▸ We process it, transform it
▸ We enrich and present it both for the analyst and graphically
▸ Making the system provide actionable information for the
analyst
▸ Some systems even go the next step and perform proactive
responses on other platforms
▸ e.g. shutting ports, adding ACL entries, disabling users
ACTIONS
USING SIEM AND GETTING VALUE FROM ANALYTICS
Topics: scaling out; anchoring in the organisation; investing in the project; in-house or outsourced SOC; non-infrastructure (enterprise) applications
SCALING
OUT
USING AND GETTING
VALUE OUT OF SIEM
USING AND GETTING VALUE OUT OF SIEM
SCALING OUT
▸ The only constant is change: plan for 20% growth in volume
▸ Areas that we need to scale on
▸ Ingestion
▸ Processing
▸ Storage
▸ Presentation
USING AND GETTING VALUE OUT OF SIEM
SCALING OUT
▸ Ensure your system scales well when it comes to ingestion
▸ Everyone is doing it differently
▸ Some solutions tie together backends and presentation
layers
▸ Scaling presentation is immensely important for
widespread adoption in your organisation
▸ Scaling the backends should not be a concern in 2016
ORGANISATIONAL
ANCHORING
USING AND GETTING
VALUE OUT OF SIEM
SIEMs FAIL WHEN THEY ARE
LEFT ALONE
ME
WHEN DO WE FAIL
SAD
ME
WHEN DO WE FAIL
IN THE CORNER.
SILENTLY COLLECTING LOGS AND
TRIGGERING ALERTS, NOBODY
WILL EVER SEE.
ME
WHEN DO WE FAIL
USING AND GETTING VALUE OUT OF SIEM
ORGANISATIONAL ANCHORING
▸ SIEMs fail if they are the point solution to a problem
▸ Stakeholders lose interest
▸ The value-prop was never clear
▸ A great sale but a horrible purchase
USING AND GETTING VALUE OUT OF SIEM
ORGANISATIONAL ANCHORING
▸ Logs and network data are immensely rich in information
▸ This information can be used for much more than security
▸ Let help-desk users work from pre-defined views and prepared
analytics for easier resolution (move work to 1st-level support)
▸ Allow your ops team to use analytics for root-cause analysis,
statistics for predictions and forecasts
▸ Allow your management team to view the quality of the infrastructure
and audit outsourced services
▸ Liberate data from silos
INVESTING IN THE
PROJECT
USING AND GETTING VALUE OUT OF SIEM
INVESTING IN THE PROJECT
▸ Set expectations - understand why we use analytics
▸ Introduce the notion of the Lockheed Martin Cyber Kill
Chain (see next slide)
▸ Understand the threat landscape
▸ Identify the key threats to the organisation (external view)
▸ Identify the key threats identified by the organisation (internal view)
▸ Bringing it all together
KILL CHAIN
SECTOR DRILL-DOWN (VERIZON DBIR - 2016)
MOTIVATION DRILL-DOWN: HEALTH-CARE
THREAT ACTOR DRILL-DOWN: HEALTH-CARE
INVESTING IN THE PROJECT
IDENTIFYING KEY INTERNALLY IDENTIFIED THREATS
▸ Use the internal risk assessment
▸ Compare with external threat information
▸ Identify any potential gap - ask yourself why it exists
INVESTING IN THE PROJECT
BRINGING IT ALL TOGETHER
▸ With threats and critical systems identified
▸ And with an understanding of the kill-chain and the cost of
controls in mind
▸ The task of the project team is to identify the success
criteria for the project, with common acceptance and
buy-in from leadership and stakeholders
THE
SECURITY OPERATIONS CENTER
IN-HOUSE OR OUTSOURCED
THE SECURITY OPERATIONS CENTER
CONSIDERATIONS
▸ The classic triad
▸ People, Process and Technology
▸ Is it possible to retain skilled staff
▸ At the level we need
▸ In numbers sufficient to staff the SOC
▸ Are we mature enough to identify which alerts and incidents we want to act
on
▸ Can we say with confidence that we know how to act when we
then receive the alert?
▸ Engagement models:
▸ Who takes action on our network during a breach
▸ What gets escalated back “home”
▸ Do we have sensitive data preventing a full managed SOC?
USING SIEM FOR
ENTERPRISE
APPLICATIONS
USING SIEM FOR ENTERPRISE APPLICATIONS
WHERE IS THE GOLD IN YOUR NETWORK
▸ Third generation SCADA
▸ Industry 4.0
▸ SOA-Enabling your ERP Platforms
▸ Federated Access with suppliers
WHERE IS THE GOLD
PATH OF LEAST RESISTANCE
▸ Vulnerabilities in SCADA
▸ Hard-coded admin-passwords
▸ non-patchable systems, “because operational IT”
▸ Non-networked mindset of admins
▸ Industry 4.0
▸ “Smart products with localisation point, status, historical
positions and data points, allowing globally unique
identification of all products” - Good luck with that
WHERE IS THE GOLD
PATH OF LEAST RESISTANCE
▸ SOA-Enabling your ERP Platforms
▸ % of SAP notes found externally
▸ SAP offers mobile access, organisations offer BYOD
▸ Do we trust jail-break detection?
▸ Federated Access with external suppliers
▸ Identities as such no longer exist
▸ Business rules now define access to the network
WHERE IS THE GOLD
USE-CASES FOR ENTERPRISE APPLICATION SIEM USE
▸ Changing master data records
▸ Critical transactions (payments)
▸ Changes in performance data (valve pressure)
▸ Critical changes to equipment (voltage, valve positions)
▸ Abnormality on order sizes, frequency, workflows
▸ The data is here - why not use it?
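The use-cases listed above, turned into detection logic, as an added example written for this page (not the speaker's code and not any ERP vendor's API): a constructed audit trail of customer orders, a vendor master-data change and two payments, with one rule for abnormal order size relative to the customer's own history and one set of rules for critical transactions (large payments, a payment shortly after the payee's bank account was changed, and the same user doing both). Event shapes, amounts, dates, thresholds and user names are all constructed.

```python
"""Enterprise-application detection rules run over constructed ERP events.

Added example for this page, not the deck's code or any ERP product's API.
Event shapes, amounts, dates, thresholds and user names are constructed.
"""
from collections import defaultdict
from datetime import date
from statistics import median
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (rule, event date, detail)

# Constructed audit trail: customer orders, a vendor master-data change, payments.
ERP_EVENTS = [
    {"ts": "2016-09-01", "type": "order", "customer": "C100", "amount": 1000},
    {"ts": "2016-09-05", "type": "order", "customer": "C100", "amount": 950},
    {"ts": "2016-09-09", "type": "order", "customer": "C100", "amount": 1100},
    {"ts": "2016-09-13", "type": "order", "customer": "C100", "amount": 1020},
    {"ts": "2016-09-20", "type": "order", "customer": "C100", "amount": 9000},
    {"ts": "2016-09-21", "type": "master_data_change", "object": "vendor/V42",
     "field": "bank_account", "user": "jdoe"},
    {"ts": "2016-09-22", "type": "payment", "vendor": "V42", "amount": 250_000, "user": "jdoe"},
    {"ts": "2016-09-23", "type": "payment", "vendor": "V07", "amount": 12_000, "user": "asmith"},
]


def by_date(events):
    return sorted(events, key=lambda e: date.fromisoformat(e["ts"]))


def order_size_anomalies(events, factor: float = 3.0, min_history: int = 3) -> List[Finding]:
    """Flag an order above `factor` x the median of that customer's earlier orders.

    Median rather than mean, so one earlier outlier does not mask the next one.
    """
    history: Dict[str, List[float]] = defaultdict(list)
    findings: List[Finding] = []
    for e in by_date(events):
        if e["type"] != "order":
            continue
        past = history[e["customer"]]
        if len(past) >= min_history and e["amount"] > factor * median(past):
            findings.append(("order_size", e["ts"],
                             f"{e['customer']} ordered {e['amount']} vs median {median(past)}"))
        past.append(e["amount"])
    return findings


def payment_rules(events, window_days: int = 7, large: int = 100_000) -> List[Finding]:
    """Critical transactions: large payments, payments soon after a bank-account
    change on the payee, and the same user doing both (segregation of duties)."""
    last_change: Dict[str, Tuple[date, str]] = {}  # vendor id -> (change date, user)
    findings: List[Finding] = []
    for e in by_date(events):
        when = date.fromisoformat(e["ts"])
        if e["type"] == "master_data_change" and e["field"] == "bank_account":
            last_change[e["object"].split("/", 1)[1]] = (when, e["user"])
        elif e["type"] == "payment":
            if e["amount"] >= large:
                findings.append(("large_payment", e["ts"], f"{e['vendor']} {e['amount']}"))
            change = last_change.get(e["vendor"])
            if change and (when - change[0]).days <= window_days:
                findings.append(("payment_after_bank_change", e["ts"],
                                 f"{e['vendor']} changed on {change[0]}"))
                if change[1] == e["user"]:
                    findings.append(("sod_violation", e["ts"],
                                     f"{e['user']} changed the bank account and paid"))
    return findings


def run_all(events) -> List[Finding]:
    return order_size_anomalies(events) + payment_rules(events)


if __name__ == "__main__":
    for rule, when, detail in run_all(ERP_EVENTS):
        print(f"{when} {rule}: {detail}")
```

None of these rules needs a network sensor; every one of them runs on change documents and transaction logs the application already writes, which is the "the data is here" argument.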
NEXT GENERATION
SECURITY ANALYTICS
SORRY!
IT WON’T BE MINORITY REPORT
NEXT GENERATION - CHALLENGES
DIVERSITY IN DATA - VALUE IS FOUND EVERYWHERE
TWO PROBLEMS
LARGE VARIATION
LARGE VOLUME
NEXT GENERATION
INFORMATION OVERLOAD: OVERCOMING CHALLENGES
▸ Even with effective alerts, the amount of data is
unmanageable
▸ Workflow is the key
Workflow: Prepare → Situational awareness → Identify → Analysis → React → Investigate → Improve → Collaborate
NEXT GENERATION
WORKFLOW
▸ Situational awareness
▸ Identify anomalies based on what is observed
▸ Time-of-day deviations, or time-of-year deviations (scale!)
▸ Identify / analyse
▸ With a norm and baseline established we can work on large-scale analytics
▸ Complex temporal changes in behaviours and activity
▸ React and “arm the investigators”
▸ Rapid response on what data was exposed, how, and not least why
▸ Improve / Collaborate
▸ Intelligence created during analysis must be fed back into the system
▸ Partners and collaborators must receive the right amount of supporting information
▸ Think of this as the collective immune system
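An added example of the situational-awareness and identify steps (example code written for this page, not the speaker's): a per-user baseline of login activity over (weekday or weekend, hour of day) plus the usual number of logins per hour, trained on constructed history, then used to score new events for an unusual time, a volume burst, or a user with no baseline at all. The user names, dates, thresholds and smoothing constant are assumptions.

```python
"""Baseline-and-deviation scoring for login events (added example, not from the deck).

The baseline per user is a histogram over (weekend?, hour-of-day) and the mean
and spread of logins per hourly bucket. New events are scored against it:
a rarely-seen time slot, a burst well above the usual hourly count, or a user
with no baseline at all. Training data and probe events are constructed.
"""
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

SLOTS = 48  # 2 (weekday/weekend) x 24 hours


def generate_training_events(user: str, start: datetime, weeks: int = 4,
                             hours=range(8, 18)) -> List[Tuple[str, datetime]]:
    """Constructed history: one login per office hour, Monday to Friday."""
    events = []
    for day in range(weeks * 7):
        d = start + timedelta(days=day)
        if d.weekday() >= 5:
            continue
        events.extend((user, d.replace(hour=h)) for h in hours)
    return events


def slot(ts: datetime) -> Tuple[bool, int]:
    return (ts.weekday() >= 5, ts.hour)


def hour_bucket(ts: datetime) -> datetime:
    return ts.replace(minute=0, second=0, microsecond=0)


def build_baseline(events) -> dict:
    hist: Dict[str, Counter] = defaultdict(Counter)
    hourly: Dict[str, Counter] = defaultdict(Counter)
    for user, ts in events:
        hist[user][slot(ts)] += 1
        hourly[user][hour_bucket(ts)] += 1
    volume = {}
    for user, buckets in hourly.items():
        counts = list(buckets.values())
        volume[user] = (statistics.fmean(counts), statistics.pstdev(counts))
    return {"hist": hist, "volume": volume}


def time_score(baseline, user: str, ts: datetime, alpha: float = 1.0) -> float:
    """Laplace-smoothed probability of this user being active in this slot;
    smoothing keeps never-seen slots from scoring exactly zero."""
    counts = baseline["hist"].get(user, Counter())
    total = sum(counts.values())
    return (counts[slot(ts)] + alpha) / (total + SLOTS * alpha)


def burst_threshold(baseline, user: str, k: float = 3.0, std_floor: float = 1.0) -> float:
    """mean + k*std of logins per hour; the floor stops a perfectly regular
    baseline (std 0) from flagging every second login."""
    mean, std = baseline["volume"].get(user, (0.0, 0.0))
    return mean + k * max(std, std_floor)


def score_events(baseline, events, p_threshold: float = 0.01):
    """Group probe events per (user, hour) and return the buckets with a reason."""
    buckets: Dict[Tuple[str, datetime], List[datetime]] = defaultdict(list)
    for user, ts in events:
        buckets[(user, hour_bucket(ts))].append(ts)
    findings = []
    for (user, bucket), stamps in buckets.items():
        reasons = []
        p = time_score(baseline, user, bucket)
        if user not in baseline["hist"]:
            reasons.append("no_baseline")
        elif p < p_threshold:
            reasons.append("unusual_time")
        if len(stamps) > burst_threshold(baseline, user):
            reasons.append("volume_burst")
        if reasons:
            findings.append((user, bucket, len(stamps), round(p, 4), reasons))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(generate_training_events("alice", datetime(2016, 10, 3)))
    probes = [("alice", datetime(2016, 11, 6, 3, 12)), ("mallory", datetime(2016, 11, 1, 11))]
    for finding in score_events(baseline, probes):
        print(finding)
```

The "scale!" caveat on the slide is visible in the slot choice: a full (weekday, hour) key needs seven times more history before the counts are meaningful, so the example collapses to weekday-versus-weekend and lets the smoothing constant absorb the rest.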
NEXT GENERATION
WORKING WITH DATA
▸ Clustering: build a network of events and relations
NEXT GENERATION
WORKING WITH DATA
▸ Drill-down
▸ Re-draw - build hierarchies based on relationships
▸ Use gathered data, third party threat intel or collaboration
data as a key to further expand on the search
▸ With our “enriched” analysis we can map a focus area
▸ Replay interactions over time, spot patterns and behaviour
▸ Login, data is moved out of the network (repeat ad infinitum)
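The two "working with data" slides above, as an added example written for this page (not the speaker's code): a constructed set of login and transfer events is turned into a relation graph linking users, source addresses and hosts; drill-down walks the neighbourhood of a node to a chosen depth, and replay walks one user's events in time order to pair a large outbound transfer with the most recent login from outside, the "login, data is moved out" pattern. Hostnames, addresses, the internal range and the thresholds are assumptions.

```python
"""Event graph for drill-down and replay (added example, not the deck's code).

Constructed events: two sessions on a file server. The graph links users,
source addresses and hosts; drill-down walks the neighbourhood of a node,
replay walks one user's events in time order looking for "login from
outside, then data moved outside".
"""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # constructed: the "inside"

# Constructed events; 203.0.113.9 is a documentation address standing in for an external IP.
EVENTS = [
    {"ts": "2016-10-11T22:10:00", "type": "login", "user": "bob", "src": "203.0.113.9", "host": "vpn01"},
    {"ts": "2016-10-11T22:12:00", "type": "login", "user": "bob", "src": "vpn01", "host": "file01"},
    {"ts": "2016-10-11T22:20:00", "type": "transfer", "user": "bob", "src": "file01",
     "host": "203.0.113.9", "bytes": 2_000_000_000},
    {"ts": "2016-10-12T09:00:00", "type": "login", "user": "alice", "src": "10.0.0.23", "host": "file01"},
    {"ts": "2016-10-12T09:05:00", "type": "transfer", "user": "alice", "src": "file01",
     "host": "10.0.0.23", "bytes": 5_000_000},
]


def is_external(node: str) -> bool:
    try:
        ip = ipaddress.ip_address(node)
    except ValueError:
        return False  # hostnames in this constructed set are internal assets
    return not any(ip in net for net in INTERNAL_NETS)


def build_graph(events) -> Dict[str, List[Tuple[str, str, dict]]]:
    """node -> [(neighbour, relation, event)], with reverse edges added so
    drill-down can walk in either direction."""
    graph = defaultdict(list)
    for e in events:
        if e["type"] == "login":
            graph[e["user"]].append((e["host"], "logged_in_to", e))
            graph[e["src"]].append((e["host"], "login_from", e))
        elif e["type"] == "transfer":
            graph[e["src"]].append((e["host"], "transfer_to", e))
            graph[e["user"]].append((e["src"], "acted_on", e))
    reverse = defaultdict(list)
    for node, edges in graph.items():
        for nbr, rel, e in edges:
            reverse[nbr].append((node, "rev:" + rel, e))
    for node, edges in reverse.items():
        graph[node].extend(edges)
    return graph


def drill_down(graph, start: str, depth: int) -> Dict[str, int]:
    """Breadth-first neighbourhood of `start`; returns node -> hop count."""
    hops = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if hops[node] >= depth:
            continue
        for nbr, _, _ in graph.get(node, []):
            if nbr not in hops:
                hops[nbr] = hops[node] + 1
                queue.append(nbr)
    return hops


def replay(events, user: str, window: timedelta, min_bytes: int):
    """Walk one user's events in time order; pair each large outbound transfer
    with the most recent external login inside `window`."""
    timeline = sorted((e for e in events if e["user"] == user),
                      key=lambda e: datetime.fromisoformat(e["ts"]))
    findings = []
    last_external_login = None
    for e in timeline:
        when = datetime.fromisoformat(e["ts"])
        if e["type"] == "login" and is_external(e["src"]):
            last_external_login = (when, e)
        elif (e["type"] == "transfer" and e["bytes"] >= min_bytes
              and is_external(e["host"]) and last_external_login
              and when - last_external_login[0] <= window):
            findings.append((last_external_login[1], e))
    return findings
```

Drilling down two hops from bob reaches alice through the shared file server, which is the "re-draw and build hierarchies based on relationships" step; replay is what tells the investigator that bob's session, not alice's, is the one where data left.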
NEXT GENERATION
LIMITATIONS OF CURRENT-GENERATION ARCHITECTURES
▸ Remember the architecture?
▸ Ingest, process, analyse, visualise, act
▸ This is inherently inefficient and a testament to legacy
▸ “NoSQL” is more part of the problem than of the solution
▸ “Big Data” in its true form is what will move us forward
▸ We spend most of the hardware available for processing
data to store it and to prepare it
NEXT GENERATION
INSIGHTS INTO NEXT-GENERATION ARCHITECTURES
▸ Small hardware footprint needed for storage
▸ No processing, no normalisation, just straight to disk
▸ Use the hardware you have for analytics
▸ Towards realtime analytics and away from “Queries”
▸ Ingestion of full packet capture as an equal part to log collection
NEXT GENERATION
ARCHITECTURE PRINCIPLES
NEXT GENERATION ARCHITECTURE
BIG DATA?
▸ Hadoop (ecosystem) is full of great and powerful tools
▸ Cluster management, realtime streaming, graph
databases, distributed file systems (HDFS) etc.
▸ The technology is ready - vendors just need to get going ;)
CONCLUSIONS
ANALYTICS TRENDS
▸ Machine Learning
▸ People who bought X also looked at Y
▸ Automatic signature and pattern creation
▸ Payload analytics
▸ Deep behavioural analytics on network and log data
▸ Frameworks support use-cases we could only dream of
▸ Online packet compression in real-time
▸ Analysis on packets to reconstruct network topologies behind NAT
CONCLUSIONS
ANALYTICS TRENDS
▸ Machine Learning Based Botnet Detection With Dynamic
Adaptation
▸ Botnet beaconing based on linguistic analytics of DNS-names
▸ Detect stealthy DDoS against large-scale networks (ML)
▸ Automated discovery, attribution, analysis and risk
assessment
▸ Social connectivity graphs, Machine-Learning, automatic
malware reverse-engineering
CONCLUSIONS
ANALYTICS TRENDS
▸ Creation of “Social graphs” by crawling social networks
and intercepting mail traffic
▸ Creation of “Social graphs” by analysing voice patterns
and writing patterns regardless of from where they
originate
▸ Combining social graphs and analyse sentiment
▸ (Radicalisation between actors)
NEXT GENERATION
PRODUCTISING
▸ Anomaly detection
▸ Machine learning (Spark ML 2.0 just released)
▸ Graph processing (Facebook serves its entire social graph from a single graph store)
▸ Scale dynamically - provision servers and services along
with the processing need
▸ Scale locally or in the cloud - based on data sensitivity
NEXT GENERATION
ENRICHMENT
▸ Enriching data is possible today but sees relatively slow
adoption in security
▸ STIX/TAXII/CybOX/YARA and other standards provide an
ontology for attacks, actors, motives
▸ The SIEM of tomorrow will evaluate every event against
internal and external threat intelligence sources
▸ The SIEM of tomorrow will forward-integrate with whichever
“flavour of the month” point solution is implemented
CONCLUSIONS
TRANSITIONS
▸ The threat-landscape is changing
▸ The efficiency of technical controls declines in comparison to
the economy of the attacker
▸ We have to level the playing field by understanding our
weaknesses
▸ Ensure we have security analytics in place
▸ Ensure we have the insights and capacity to deal with it ourselves
or move it to a third party (responsibility not included)
CONCLUSIONS
TECHNOLOGY TRENDS
▸ We move to larger platforms
▸ Built with the tools developed at Twitter, LinkedIn and
Facebook
▸ Queries, SQL and pre-processed data do not scale
▸ Imagine an outsourced SOC with an installed capacity for
20 of the Top 2000 companies in Europe:
▸ Millions and millions of events every second (EPS)
ANALYTICS
WRAP UP
▸ We have the technology now
▸ We have the math
▸ And we are starting to understand
the threats and playing field
▸ The vendors just have to wrap
everything together
▸ Few, if any, organisations have the
capacity to write their own algorithms

 
The Perils that PCI brings to Security
The Perils that PCI brings to SecurityThe Perils that PCI brings to Security
The Perils that PCI brings to SecurityTripwire
 
Jim Geovedi - Machine Learning for Cybersecurity
Jim Geovedi - Machine Learning for CybersecurityJim Geovedi - Machine Learning for Cybersecurity
Jim Geovedi - Machine Learning for Cybersecurityidsecconf
 
LogRhythm_-_Modern_Cyber_Threat_Pandemic.pptx
LogRhythm_-_Modern_Cyber_Threat_Pandemic.pptxLogRhythm_-_Modern_Cyber_Threat_Pandemic.pptx
LogRhythm_-_Modern_Cyber_Threat_Pandemic.pptxCNSHacking
 
How to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrikeHow to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrikeCrowdStrike
 

Similar to Next generation security analytics (20)

ProActive Security
ProActive SecurityProActive Security
ProActive Security
 
ProActive Security
ProActive SecurityProActive Security
ProActive Security
 
Legacy-SecDevOps (AppSec Management Debrief)
Legacy-SecDevOps (AppSec Management Debrief)Legacy-SecDevOps (AppSec Management Debrief)
Legacy-SecDevOps (AppSec Management Debrief)
 
DevOps Security - Is It Really So Difficult? - Reuven Harrison - DevOpsDays T...
DevOps Security - Is It Really So Difficult? - Reuven Harrison - DevOpsDays T...DevOps Security - Is It Really So Difficult? - Reuven Harrison - DevOpsDays T...
DevOps Security - Is It Really So Difficult? - Reuven Harrison - DevOpsDays T...
 
Building trust in your data lake. A fintech case study on automated data disc...
Building trust in your data lake. A fintech case study on automated data disc...Building trust in your data lake. A fintech case study on automated data disc...
Building trust in your data lake. A fintech case study on automated data disc...
 
Tactical Edge - How Much Security Do You Really Need?
Tactical Edge - How Much Security Do You Really Need?Tactical Edge - How Much Security Do You Really Need?
Tactical Edge - How Much Security Do You Really Need?
 
Stop Wasting Your Time: Focus on Security Practices that Actually Matter
Stop Wasting Your Time: Focus on Security Practices that Actually MatterStop Wasting Your Time: Focus on Security Practices that Actually Matter
Stop Wasting Your Time: Focus on Security Practices that Actually Matter
 
Effective security
Effective securityEffective security
Effective security
 
ThreatStack Workshop: Stop Wasting Your Time: Focus on Security Practices tha...
ThreatStack Workshop: Stop Wasting Your Time: Focus on Security Practices tha...ThreatStack Workshop: Stop Wasting Your Time: Focus on Security Practices tha...
ThreatStack Workshop: Stop Wasting Your Time: Focus on Security Practices tha...
 
Chaos monitoring
Chaos monitoringChaos monitoring
Chaos monitoring
 
G-Research - Privacera - Dataworks Summit 2018
G-Research - Privacera - Dataworks Summit 2018G-Research - Privacera - Dataworks Summit 2018
G-Research - Privacera - Dataworks Summit 2018
 
Application Security by Ethical Hackers
Application Security by Ethical HackersApplication Security by Ethical Hackers
Application Security by Ethical Hackers
 
A Practical Security Framework for Website Owners
A Practical Security Framework for Website OwnersA Practical Security Framework for Website Owners
A Practical Security Framework for Website Owners
 
Top 10 Tips for Selecting a Threat and Vulnerability Management Solution
Top 10 Tips for Selecting a Threat and Vulnerability Management SolutionTop 10 Tips for Selecting a Threat and Vulnerability Management Solution
Top 10 Tips for Selecting a Threat and Vulnerability Management Solution
 
The Perils that PCI brings to Security
The Perils that PCI brings to SecurityThe Perils that PCI brings to Security
The Perils that PCI brings to Security
 
Jim Geovedi - Machine Learning for Cybersecurity
Jim Geovedi - Machine Learning for CybersecurityJim Geovedi - Machine Learning for Cybersecurity
Jim Geovedi - Machine Learning for Cybersecurity
 
Be the Hunter
Be the Hunter Be the Hunter
Be the Hunter
 
LogRhythm_-_Modern_Cyber_Threat_Pandemic.pptx
LogRhythm_-_Modern_Cyber_Threat_Pandemic.pptxLogRhythm_-_Modern_Cyber_Threat_Pandemic.pptx
LogRhythm_-_Modern_Cyber_Threat_Pandemic.pptx
 
Up your Infosec game
Up your Infosec gameUp your Infosec game
Up your Infosec game
 
How to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrikeHow to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrike
 

Recently uploaded

UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceMartin Humpolec
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfAnna Loughnan Colquhoun
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
Introduction to Quantum Computing
Introduction to Quantum ComputingIntroduction to Quantum Computing
Introduction to Quantum ComputingGDSC PJATK
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.francesco barbera
 
GenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncGenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncObject Automation
 

Recently uploaded (20)

UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your Salesforce
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdf
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
Introduction to Quantum Computing
Introduction to Quantum ComputingIntroduction to Quantum Computing
Introduction to Quantum Computing
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.
 
GenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncGenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation Inc
 

Next generation security analytics

  • 1. NEXT GENERATION SECURITY ANALYTICS
    CHRISTIAN HAVE, @CKHAVE, CH@LOGPOINT.COM
  • 2. ATTACKERS NAVIGATE A GRAPH. DEFENDERS TYPICALLY THINK IN POINT-SOLUTIONS
    ME! ACADEMIC PSEUDO-INTELLECTUALISM
  • 3. THE PATH OF LEAST RESISTANCE
  • 4. GRAPHS? NAVIGATING A GRAPH
    ▸ Expensive exploits are expensive
    ▸ Use the least expensive weapon
    ▸ Cost of 0Day exploits
    ▸ Use once == expensive
  • 5. DEFENDERS THINK IN POINT SOLUTIONS: IMPLEMENTING MOVIE-PLOT POINTS
    ▸ Natural-path engineering; lay out buildings, let people find paths
    ▸ We find the best way forward
    ▸ We get around controls - it’s in our nature.
  • 6. MOTIVATION IS NOT IMPACTED BY CONTROLS. AS LONG AS THE ATTACK IS ECONOMICALLY FEASIBLE MOTIVATION REMAINS.
    ME! ACADEMIC PSEUDO-INTELLECTUALISM
  • 7. MOTIVATION AND ECONOMIC BENEFIT
    ▸ The implementation of the “child pornography filter” did not change the number of convictions in Denmark
    ▸ It did move it out of the “open” Internet
    ▸ Introducing a censorship filter for enticing terrorism will not solve the problem of radicalising the youth
    ▸ It will move it from the “open” Internet somewhere else
    ▸ The clearing of pusher-street in Christiania did not stop the sale of marihuana
    ▸ It did move it out of the open
    ▸ Laws work wonders for law-abiding citizens
  • 8. ECONOMIC BENEFIT
    ▸ Paedophiles will not stop because of a DNS block, regardless of the penalty
    ▸ Buying marihuana does not carry a penalty in Denmark
    ▸ Selling marihuana does not carry a penalty (besides whatever you have on you at the point of arrest)
    ▸ We can only start winning once we understand what “winning” is and what game we are actually playing
  • 9. WE FIGHT HUMAN NATURE. PICKING THE RIGHT BATTLE IS KEY FOR WINNING.
    ME: PICKING THE RIGHT BATTLE
  • 10. WE WANT THE EASIEST ATTACKS. NOT THE HARDEST.
    ME: WINNING THE RIGHT BATTLE
  • 11. EASY ATTACKS - SINCE WE CAN’T AVOID ATTACKS. SURRENDERING?
    ▸ Attackers are lazy
    ▸ Attackers optimise cost (0days)
    ▸ Controls raise the cost of attacks
    ▸ Making attacks hard to detect
    ▸ Controls are not “free”
    ▸ Cancer-screening has a higher mortality than not screening
    ▸ Anti-Virus engines are points-of-infection
    ▸ Accept attacks will happen
    ▸ Deal with the attacks when they happen
    ▸ Don’t screen for cancer or move the attackers away from the obvious routes
  • 12. EASY ATTACKS - SINCE THEY CAN’T BE AVOIDED. NOT SURRENDERING - PICKING THE BATTLEFIELD
    ▸ Defensively design your security architecture
    ▸ Understand its weaknesses
    ▸ Exploit weaknesses
    ▸ Monitor and gather intelligence, and defend smarter
  • 13. ECONOMY OF THE DEFENCE: SHOULDN’T WE INVEST IN CONTROLS?
    ▸ Of course!
    ▸ Controls are associated with costs imposed on the attacks
    ▸ The barrier of entry (cost of attack) deters some, but typically only the lowest on the spectrum
    ▸ Controls as point-solutions give way to target-fixation
    ▸ GDPR changes the economy of the defence
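Slides 4 to 13 argue that attackers navigate a graph along the path of least resistance while defenders buy point solutions, and that a control only pays off when it raises the cost of the route an attacker would actually take. The following added example (not from the talk, and not any LogPoint code) makes that argument concrete: an abstract attack graph with constructed effort costs per step, Dijkstra to find the cheapest route to the crown jewels, and a ranking of candidate controls by how much each raises that cheapest route. Node names, costs and the three candidate controls are all assumptions chosen for illustration.

```python
"""Path-of-least-resistance analysis over a constructed attack graph.

Added example (not from the original talk). The nodes, edge costs and
candidate controls are invented to illustrate the point: an attacker
takes the cheapest route, so a control is only worth its price if it
raises the cost of that route, not of some route nobody would take.
"""
import heapq
from typing import Dict, List, Tuple

Graph = Dict[str, Dict[str, float]]  # node -> {neighbour: cost of that step}

# Constructed attack graph; costs are abstract effort units (assumption).
ATTACK_GRAPH: Graph = {
    "internet":       {"phishing": 1.0, "vpn_bruteforce": 4.0, "web_0day": 40.0},
    "phishing":       {"workstation": 2.0},
    "vpn_bruteforce": {"workstation": 1.0},
    "web_0day":       {"dmz_server": 1.0},
    "workstation":    {"file_server": 3.0, "domain_admin": 8.0},
    "dmz_server":     {"file_server": 5.0},
    "file_server":    {"crown_jewels": 2.0},
    "domain_admin":   {"crown_jewels": 0.5},
    "crown_jewels":   {},
}

# Candidate controls (constructed): (edge source, edge target, added cost).
CANDIDATE_CONTROLS = {
    "mfa_on_vpn":               ("vpn_bruteforce", "workstation", 20.0),
    "phishing_training":        ("internet", "phishing", 3.0),
    "file_server_segmentation": ("workstation", "file_server", 10.0),
}


def cheapest_path(graph: Graph, start: str, goal: str) -> Tuple[float, List[str]]:
    """Dijkstra: total cost and node list of the cheapest route start -> goal."""
    dist = {start: 0.0}
    prev: Dict[str, str] = {}
    heap = [(0.0, start)]
    done = set()
    while heap:
        d, node = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        if node == goal:
            break
        for nxt, cost in graph.get(node, {}).items():
            nd = d + cost
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                prev[nxt] = node
                heapq.heappush(heap, (nd, nxt))
    if goal not in dist:
        return float("inf"), []
    path = [goal]
    while path[-1] != start:
        path.append(prev[path[-1]])
    return dist[goal], path[::-1]


def with_control(graph: Graph, src: str, dst: str, added: float) -> Graph:
    """Copy of the graph in which the step src -> dst costs `added` more."""
    g = {n: dict(edges) for n, edges in graph.items()}
    g.setdefault(src, {})
    g[src][dst] = g[src].get(dst, float("inf")) + added
    return g


def rank_controls(graph: Graph, controls, start: str, goal: str) -> List[Tuple[float, str]]:
    """Rank controls by how much each raises the attacker's cheapest route."""
    base, _ = cheapest_path(graph, start, goal)
    ranked = []
    for name, (src, dst, added) in controls.items():
        new_cost, _ = cheapest_path(with_control(graph, src, dst, added), start, goal)
        ranked.append((new_cost - base, name))
    return sorted(ranked, reverse=True)


if __name__ == "__main__":
    cost, path = cheapest_path(ATTACK_GRAPH, "internet", "crown_jewels")
    print(f"cheapest route ({cost}): {' -> '.join(path)}")
    for gain, name in rank_controls(ATTACK_GRAPH, CANDIDATE_CONTROLS, "internet", "crown_jewels"):
        print(f"{name:26s} raises cheapest route by {gain}")
```

On this constructed graph the expensive 0day route is never taken, so the MFA control on the VPN edge raises the cheapest route by nothing at all, while segmenting the file server forces the attacker onto the domain-admin route and is the only candidate that changes the economics. That is the talk's point in miniature: rank controls by their effect on the graph, not by how impressive they look in isolation.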
  • 14. CURRENT STATE OF SECURITY ANALYTICS: INTRO
  • 15. CURRENT STATE OF SECURITY ANALYTICS: COMPONENTS OF SECURITY ANALYTICS
    DATA INGEST PROCES ANALYSE PRESENT VIZ ACT.
  • 16. CURRENT STATE OF SECURITY ANALYTICS: DATA INGESTION
    ▸ Nothing new.
    ▸ Everyone does syslog
    ▸ Everyone has an agent
    ▸ Some do Flow-analytics
    ▸ Some do application-level analytics
    ▸ Few do full-packet captures
  • 17. CURRENT STATE OF SECURITY ANALYTICS: PROCESSING
    ▸ Inbound content must be structured
    ▸ Structure sometimes follows a common language
    ▸ Taxonomy, Ontology - whatever floats your boat
    ▸ Some content is sometimes enriched with metadata
    ▸ Threat Intel, GeoIP, Asset Management DB info etc.
    ▸ This part has to be fast - many vendors “cheat”
  • 18. SECURITY ANALYTICS: ANALYSIS
    ▸ Analytics today is relatively simple
    ▸ Simple statistics
    ▸ Advanced statistics
    ▸ Patterns
    ▸ Known-bad, known-good analysis on more COTS platforms
    ▸ Most vendors pack tons of alerts and correlations
  • 19. ANALYSIS: PRESENTATION
    ▸ Most vendors provide views on the raw data or an abstraction of the raw data
    ▸ Most vendors provide a relatively easy way to set up views on the raw or aggregated data for analytics
    ▸ Some vendors have great views when presenting alerts and important events
    ▸ Few if any systems are able to present hierarchies of data, the relationships between events and deviations on hierarchies
  • 20. ANALYSIS: DATA VISUALIZATION
    ▸ Pie charts
    ▸ Geo maps
    ▸ Tables
    ▸ Rows, columns and heatmaps
    ▸ Nothing you couldn't do with Excel - and maybe that's ok
  • 21. ANALYSIS: ACTIONS
    ▸ We collect syslog, application data and network data
    ▸ We process it, transform it
    ▸ We enrich and present it both for the analyst and graphically
    ▸ Making the system provide actionable information for the analyst
    ▸ Some systems even go the next step and perform proactive responses on other platforms
    ▸ e.g. shuts ports, adds to ACLs, disables users
  • 22. CURRENT STATE OF SECURITY ANALYTICS: COMPONENTS OF SECURITY ANALYTICS
    [Diagram: SCALING OUT; ANCHOR IN ORG; INVEST IN PROJ.; IN-HOUSE?; NON-INF APPS - USING SIEM AND GETTING VALUE FROM ANALYTICS]
  • 24. USING AND GETTING VALUE OUT OF SIEM: SCALING OUT
    ▸ The only thing constant is change; 20% growth in volume
    ▸ Areas that we need to scale on
    ▸ Ingestion
    ▸ Processing
    ▸ Storage
    ▸ Presentation
  • 25. USING AND GETTING VALUE OUT OF SIEM: SCALING OUT
    ▸ Ensure your system scales well when it comes to ingestion
    ▸ Everyone is doing it differently
    ▸ Some solutions tie together backends and presentation layers
    ▸ Scaling presentation is immensely important for widespread adoption in your organisation
    ▸ Scaling the backends should not be a concern in 2016
  • 27. SIEMS FAIL WHEN THEY ARE LEFT ALONE
    ME: WHEN DO WE FAIL
  • 29. IN THE CORNER. SILENTLY COLLECTING LOGS AND TRIGGERING ALERTS NOBODY WILL EVER SEE.
    ME: WHEN DO WE FAIL
  • 30. USING AND GETTING VALUE OUT OF SIEM: ORGANISATIONAL ANCHORING
    ▸ SIEMs fail if they are the point solution to a problem
    ▸ Stakeholders lose interest
    ▸ The value-prop was never clear
    ▸ A great sale but a horrible purchase
  • 31. USING AND GETTING VALUE OUT OF SIEM: ORGANISATIONAL ANCHORING
    ▸ Logs and network data are immensely rich in information
    ▸ This information can be used for much more than security
    ▸ Let help-desk users use pre-defined views and prepared analytics for easier resolution (move work to 1st level support)
    ▸ Allow your Ops team to use analytics for root-cause analysis, statistics for predictions and forecasts
    ▸ Allow your management team to view quality of infrastructure and do controls of outsourced services
    ▸ Liberate data from silos
  • 33. USING AND GETTING VALUE OUT OF SIEM: INVESTING IN THE PROJECT
    ▸ Set expectations - understand why we use analytics
    ▸ Introduce the notion of the Lockheed Martin Cyber Kill Chain (see next slide)
    ▸ Understand the threat landscape
    ▸ Identify the key threats to the organisation (ext)
    ▸ Identify the key threats identified by the organisation (int)
    ▸ Bringing it all together
  • 38. INVESTING IN THE PROJECT: IDENTIFYING KEY INTERNALLY IDENTIFIED THREATS
    ▸ Use the internal risk assessment
    ▸ Compare with external threat information
    ▸ Identify any potential gap - ask yourself why it exists
  • 39. INVESTING IN THE PROJECT: BRINGING IT ALL TOGETHER
    ▸ With threats and critical systems identified
    ▸ And with an understanding of the kill-chain and the cost of controls in mind
    ▸ The task of the project team is to identify the success criteria for the project with a common acceptance and buy-in from leadership and stakeholders
  • 41. THE SECURITY OPERATIONS CENTER: CONSIDERATIONS
    ▸ The 3 Ps
    ▸ People, Process and Technology
    ▸ Is it possible to retain skill
    ▸ At the level we need
    ▸ In numbers sufficient to staff the SOC
    ▸ Are we mature enough to identify which alerts and incidents we want to act on
    ▸ Can we with confidence say that we understand how to act when we then receive the alert?
    ▸ Engagement models:
    ▸ Who takes action on our network during a breach
    ▸ What gets escalated back “home”
    ▸ Do we have sensitive data preventing a fully managed SOC?
  • 43. USING SIEM FOR ENTERPRISE APPLICATIONS: WHERE IS THE GOLD IN YOUR NETWORK
    ▸ Third generation SCADA
    ▸ Industry 4.0
    ▸ SOA-enabling your ERP platforms
    ▸ Federated access with suppliers
  • 44. WHERE IS THE GOLD: PATH OF LEAST RESISTANCE
    ▸ Vulnerabilities in SCADA
    ▸ Hard-coded admin passwords
    ▸ Non-patchable systems, “because operational IT”
    ▸ Non-networked mindset of admins
    ▸ Industry 4.0
    ▸ “Smart products with localisation point, status, historical positions and data points, allowing globally unique identification of all products” - Good luck with that
  • 45. WHERE IS THE GOLD: PATH OF LEAST RESISTANCE
    ▸ SOA-enabling your ERP platforms
    ▸ % of SAP notes found externally
    ▸ SAP offers mobile access, organisations offer BYOD
    ▸ Do we trust jail-break detection?
    ▸ Federated access with external suppliers
    ▸ Identities do not exist any longer
    ▸ Business rules define access to the network now
  • 46. WHERE IS THE GOLD: USE-CASES FOR ENTERPRISE APPLICATION SIEM USE
    ▸ Changing master data records
    ▸ Critical transactions (payments)
    ▸ Changes in performance data (valve pressure)
    ▸ Critical changes to equipment (voltage, valve positions)
    ▸ Abnormality on order sizes, frequency, workflows
    ▸ The data is here - why not use it?
  • 49. NEXT GENERATION - CHALLENGES: DIVERSITY IN DATA - VALUE IS FOUND EVERYWHERE
    TWO PROBLEMS: LARGE VARIATION, LARGE VOLUME
  • 50. NEXT GENERATION: INFORMATION OVERLOAD - OVERCOMING CHALLENGES
    ▸ Even with effective alerts, the amount of data is unmanageable
    ▸ Workflow is the key
    Workflow stages: PREPARE / SITUATIONAL AWARENESS; IDENTIFY / ANALYSIS; REACT / INVESTIGATE; IMPROVE / COLLABORATE
  • 51. NEXT GENERATION: WORKFLOW
    ▸ Situational awareness
    ▸ Identify anomalies based on what is observed
    ▸ Time of day deviations or time of year (scale!)
    ▸ Identify / analyse
    ▸ Based on the norm and baseline we can work on large-scale analytics
    ▸ Complex temporal changes in behaviours and activity
    ▸ React and “arm the investigators”
    ▸ Rapid response on what data was exposed, how and not least why
    ▸ Improve / Collaborate
    ▸ The intelligence created in the analysis must be fed back into the system
    ▸ Partners and collaborators must receive the right amount of supporting information
    ▸ Think of this as the collective immune system
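Slide 51's "situational awareness" step, identifying anomalies against a baseline with time-of-day deviations in mind, is what the following added example implements (it is not from the talk and not any product's detector). The data is constructed: seven days of hourly login counts for one account with an office-hours profile, then a new day that looks normal except for a burst at 03:00. Each hour is scored against its own baseline, which is why the burst stands out even though the day's total is unremarkable; the profile, jitter and thresholds are assumptions.

```python
"""Hour-of-day baselines for situational awareness.

Added example, not from the original talk. The data is constructed:
seven days of hourly login counts for one account (office-hours
profile, near-silent at night), followed by a new day that looks normal
except for a burst at 03:00. The detector flags hours whose count
exceeds that hour's own baseline, which a global daily average would miss.
"""
import statistics
from typing import List, Tuple

# Constructed hourly profile, index = hour of day (00..23).
BASE_PROFILE = [0, 0, 0, 0, 0, 1, 5, 20, 40, 45, 42, 38,
                30, 40, 44, 41, 35, 20, 8, 3, 1, 0, 0, 0]


def constructed_history(days: int = 7) -> List[List[int]]:
    """`days` rows of 24 hourly counts with small deterministic jitter."""
    rows = []
    for d in range(days):
        row = []
        for h, c in enumerate(BASE_PROFILE):
            jitter = (d * 7 + h) % 5 - 2          # -2 .. +2, deterministic
            row.append(max(0, c + jitter) if c > 0 else 0)
        rows.append(row)
    return rows


def build_baseline(history: List[List[int]]) -> List[Tuple[float, float]]:
    """Per-hour (mean, population stdev) across all history rows."""
    return [(statistics.fmean(col), statistics.pstdev(col)) for col in zip(*history)]


def score_day(baseline, observed: List[int], k: float = 3.0,
              min_margin: float = 3.0) -> List[Tuple[int, int, float]]:
    """Hours where observed > mean + max(k*stdev, min_margin).

    min_margin stops an hour with zero historical variance (e.g. 03:00,
    always 0) from alerting on a single stray event; k*stdev handles busy
    hours where normal variation is wide.
    """
    flagged = []
    for hour, (count, (mean, sd)) in enumerate(zip(observed, baseline)):
        ceiling = mean + max(k * sd, min_margin)
        if count > ceiling:
            flagged.append((hour, count, round(ceiling, 1)))
    return flagged


def constructed_today() -> List[int]:
    """A new day: the usual profile, +2 at 09:00 (noise) and 30 logins at 03:00."""
    today = list(BASE_PROFILE)
    today[9] += 2
    today[3] = 30
    return today


if __name__ == "__main__":
    baseline = build_baseline(constructed_history())
    for hour, count, ceiling in score_day(baseline, constructed_today()):
        print(f"{hour:02d}:00 observed {count}, baseline ceiling {ceiling}")
```

The slide's "scale!" remark applies directly: in production the baseline is keyed per entity and per weekday (or season) rather than one global profile, and the history window is long enough that the per-hour variance is meaningful, which is exactly the large-scale analytics the next bullets refer to.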
  • 52. NEXT GENERATION: WORKING WITH DATA
    ▸ Clustering:
    ▸ Build a network of events and relations
  • 53. NEXT GENERATION: WORKING WITH DATA
    ▸ Drill-down
    ▸ Re-draw - build hierarchies based on relationships
    ▸ Use gathered data, third party threat intel or collaboration data as a key to further expand on the search
    ▸ With our “enriched” analysis we can map a focus area
    ▸ Replay interactions over time, spot patterns and behaviour
    ▸ Login, data is moved out of network (repeat ad infinitum)
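Slides 52 and 53 describe building a network of events and relations, using a threat-intel indicator as the key to expand the search, and replaying the interactions over time. The added example below (not from the talk, not any vendor's graph engine) does exactly that with a constructed set of normalised events: entities (user, source IP, host) and events become nodes of a bipartite graph, a breadth-first expansion from an indicator yields the focus area, and a time-ordered replay of that area shows the "login, data moved out" pattern the slide mentions. The events, the TEST-NET-3 indicator address and the entity keys are assumptions.

```python
"""Event relation graph: cluster, drill down from an indicator, replay.

Added example, not from the original talk. The events are constructed
records already normalised to user / source IP / host / action, and the
single threat-intel indicator is a constructed TEST-NET-3 address. Entities
become graph nodes, each event is a node linking the entities it mentions,
so "who else touched this IP" is a breadth-first expansion.
"""
from collections import defaultdict, deque
from typing import Dict, Iterable, List, Set

EVENTS = [  # constructed sample events, one day, one compromised account
    {"ts": "2016-09-01T08:02:00", "user": "alice", "src_ip": "10.0.0.5", "host": "ws-01", "action": "login"},
    {"ts": "2016-09-01T08:10:00", "user": "alice", "src_ip": "10.0.0.5", "host": "fs-01", "action": "file_read"},
    {"ts": "2016-09-01T09:00:00", "user": "bob", "src_ip": "10.0.0.7", "host": "ws-02", "action": "login"},
    {"ts": "2016-09-01T22:40:00", "user": "alice", "src_ip": "203.0.113.9", "host": "vpn-01", "action": "login"},
    {"ts": "2016-09-01T22:45:00", "user": "alice", "src_ip": "203.0.113.9", "host": "fs-01", "action": "file_read"},
    {"ts": "2016-09-01T22:50:00", "user": "alice", "src_ip": "203.0.113.9", "host": "fs-01", "action": "upload_external"},
]
THREAT_INTEL = {"ip:203.0.113.9"}  # constructed indicator

ENTITY_KEYS = {"user": "user", "src_ip": "ip", "host": "host"}


def entities_of(event: dict) -> Set[str]:
    """Typed entity node names mentioned by one event, e.g. 'ip:10.0.0.5'."""
    return {f"{prefix}:{event[key]}" for key, prefix in ENTITY_KEYS.items()}


def build_graph(events: List[dict]) -> Dict[str, Set[str]]:
    """Undirected bipartite graph: entity nodes <-> event nodes 'evt:<index>'."""
    graph: Dict[str, Set[str]] = defaultdict(set)
    for i, ev in enumerate(events):
        evt = f"evt:{i}"
        for ent in entities_of(ev):
            graph[evt].add(ent)
            graph[ent].add(evt)
    return graph


def expand(graph: Dict[str, Set[str]], seed: str, max_hops: int = 1) -> Set[str]:
    """Entities within `max_hops` of the seed; one hop = entity -> event -> entity."""
    seen = {seed}
    queue = deque([(seed, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth >= 2 * max_hops:   # each entity hop is two graph edges
            continue
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, depth + 1))
    return {n for n in seen if not n.startswith("evt:")}


def replay(events: List[dict], focus: Iterable[str]) -> List[dict]:
    """Events touching any focus entity, in time order (the 'replay' view)."""
    focus = set(focus)
    return sorted((ev for ev in events if entities_of(ev) & focus), key=lambda ev: ev["ts"])


def triage(events: List[dict], indicators: Set[str], hops: int = 1) -> Dict[str, List[dict]]:
    """For each indicator present in the graph, the timeline of its neighbourhood."""
    graph = build_graph(events)
    return {ind: replay(events, expand(graph, ind, hops)) for ind in indicators if ind in graph}


if __name__ == "__main__":
    for indicator, timeline in triage(EVENTS, THREAT_INTEL).items():
        print(f"== {indicator}")
        for ev in timeline:
            print(f"{ev['ts']} {ev['user']}@{ev['host']} from {ev['src_ip']}: {ev['action']}")
```

One hop from the indicator pulls in the account and the two hosts it touched; a second hop reaches the account's morning workstation, while bob's unrelated session never joins the cluster. The replay of the one-hop neighbourhood is the slide's pattern in order: morning login and file read from inside, then an evening login from the indicator address, a file read and an external upload.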
  • 54. NEXT GENERATION: LIMITATIONS OF CURRENT-GENERATION ARCHITECTURES
    ▸ Remember the architecture?
    ▸ Ingest, process, analyse, visualise, act
    ▸ This is inherently inefficient and a testament to legacy
    ▸ “NoSQL” is more part of the problem than the solution
    ▸ “BigData” in its true form is what will move us forward
    ▸ We spend most of the hardware available for processing data to store it and to prepare it
  • 55. NEXT GENERATION: INSIGHTS INTO NEXT-GENERATION ARCHITECTURES
    ▸ Small hardware footprint needed for storage
    ▸ No processing, no normalisation, just straight to disk
    ▸ Use the hardware you have for analytics
    ▸ Towards realtime analytics and away from “Queries”
    ▸ Ingestion of full packet capture as an equal part to log collections
  • 57. NEXT GENERATION ARCHITECTURE: BIG DATA?
    ▸ Hadoop (ecosystem) is full of great and powerful tools
    ▸ Cluster management, realtime streaming, graph databases, distributed file systems (HDFS) etc.
    ▸ The technology is ready - vendors just need to get going ;)
  • 58. CONCLUSIONS: ANALYTICS TRENDS
    ▸ Machine Learning
    ▸ People who bought X also looked at Y
    ▸ Automatic signature and pattern creation
    ▸ Payload analytics
    ▸ Deep behavioural analytics on network and log data
    ▸ Frameworks support use-cases we could only dream of
    ▸ Online packet compression in real-time
    ▸ Analysis on packets to reconstruct network topologies behind NAT
  • 59. CONCLUSIONS: ANALYTICS TRENDS
    ▸ Machine Learning Based Botnet Detection With Dynamic Adaptation
    ▸ Botnet beaconing based on linguistic analytics of DNS-names
    ▸ Detect stealthy DDoS against large-scale networks (ML)
    ▸ Automated discovery, attribution, analysis and risk assessment
    ▸ Social connectivity graphs, Machine-Learning, automatic malware reverse-engineering
  • 60. CONCLUSIONS: ANALYTICS TRENDS
    ▸ Creation of “Social graphs” by crawling social networks and intercepting mail traffic
    ▸ Creation of “Social graphs” by analysing voice patterns and writing patterns regardless of from where they originate
    ▸ Combining social graphs and analysing sentiment
    ▸ (Radicalisation between actors)
  • 61. NEXT GENERATION: PRODUCTISING
    ▸ Anomaly detection
    ▸ Machine learning (SparkML 2.0 just released)
    ▸ Graph processing (All of Facebook is stored in 1 GraphDB)
    ▸ Scale dynamically - provision servers and services along with the processing need
    ▸ Scale locally or in the cloud - based on data sensitivity
  • 62. NEXT GENERATION: ENRICHMENT
    ▸ Enriching data is possible today but sees relatively slow adoption in security
    ▸ STIX/TAXII/CybOX/YARA and other standards provide an ontology for attacks, actors, motives
    ▸ The SIEM of tomorrow will evaluate every event against internal and external threat intelligence sources
    ▸ The SIEM of tomorrow will forward-integrate with whatever “flavor of the month” point-solution is implemented
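Slide 17 (inbound content must be structured into a taxonomy and enriched with threat intel, GeoIP and asset-management data) and slide 62 (every event evaluated against internal and external threat-intelligence sources) describe the same processing step from two ends. The added example below serves both; it is not from the talk and not any vendor's pipeline. It parses constructed sshd-style syslog lines into a common schema, enriches each event from three constructed lookup tables (the intel table standing in for what a STIX/TAXII feed would deliver), and derives a severity from the combination. The lines, tables, schema field names and the scoring rule are all assumptions.

```python
"""Normalise raw syslog into a common schema, then enrich and score it.

Added example, not from the original talk and not any vendor's pipeline.
The syslog lines, the threat-intel table, the GeoIP prefix table and the
asset database are all constructed; the intel table stands in for what a
STIX/TAXII feed would deliver. Every event is evaluated against all three
sources, and severity depends on what the combination says.
"""
import re
from typing import Dict, List, Optional

SAMPLE_LINES = [  # constructed syslog (sshd-style) lines
    "Sep  1 22:40:01 vpn-01 sshd[1234]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2",
    "Sep  1 22:40:05 vpn-01 sshd[1234]: Accepted password for alice from 203.0.113.9 port 51240 ssh2",
    "Sep  1 08:02:11 ws-01 sshd[991]: Accepted publickey for alice from 10.0.0.5 port 40022 ssh2",
    "Sep  1 08:03:00 ws-01 cron[77]: (root) CMD (run-parts /etc/cron.hourly)",   # not an auth event
]

# Constructed enrichment sources (in practice: TI feed, GeoIP DB, CMDB).
THREAT_INTEL: Dict[str, Dict[str, str]] = {
    "203.0.113.9": {"source": "constructed-feed", "tag": "bruteforce-scanner"},
}
GEO_PREFIXES = {"203.0.113.": "ZZ", "10.": "internal"}   # longest prefix wins
ASSETS = {
    "vpn-01": {"owner": "network-ops", "criticality": "high"},
    "ws-01":  {"owner": "alice", "criticality": "low"},
}

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>\w+)\[\d+\]: (?P<msg>.*)$")
AUTH_RE = re.compile(
    r"^(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)")


def normalise(line: str) -> Optional[dict]:
    """Map one raw line onto the common schema; None if it is not an auth event."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    a = AUTH_RE.match(m["msg"])
    if m["proc"] != "sshd" or not a:
        return None
    return {
        "ts": m["ts"], "host": m["host"], "category": "authentication",
        "action": "login", "outcome": a["outcome"].lower(),
        "user": a["user"], "src_ip": a["ip"], "method": a["method"],
    }


def enrich(event: dict) -> dict:
    """Attach GeoIP, threat-intel and asset context (all constructed tables)."""
    ip = event["src_ip"]
    prefix = max((p for p in GEO_PREFIXES if ip.startswith(p)), key=len, default=None)
    event["geo"] = GEO_PREFIXES[prefix] if prefix else "unknown"
    event["intel"] = THREAT_INTEL.get(ip)
    event["asset"] = ASSETS.get(event["host"], {"owner": "unknown", "criticality": "unknown"})
    return event


def score(event: dict) -> str:
    """Severity from the combination of intel hit, asset criticality and outcome."""
    if event["intel"] and event["asset"]["criticality"] == "high":
        return "high"
    if event["intel"] or (event["outcome"] == "failed" and event["geo"] != "internal"):
        return "medium"
    return "low"


def process(lines: List[str]) -> List[dict]:
    """Full ingest -> normalise -> enrich -> score pass over raw lines."""
    out = []
    for line in lines:
        ev = normalise(line)
        if ev:
            ev = enrich(ev)
            ev["severity"] = score(ev)
            out.append(ev)
    return out


if __name__ == "__main__":
    for ev in process(SAMPLE_LINES):
        print(f"{ev['severity']:6s} {ev['ts']} {ev['user']}@{ev['host']} from {ev['src_ip']} "
              f"({ev['geo']}, intel={ev['intel']}) {ev['outcome']}")
```

The severity rule is where the enrichment earns its keep: the same accepted login is "low" from an internal address onto a low-value workstation and "high" from a listed address onto a high-criticality VPN gateway. Slide 17's "this part has to be fast" applies to the lookups; in a real pipeline the three tables are indexed stores refreshed from their feeds, not dictionaries rebuilt per event.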
  • 64. CONCLUSIONS: TRANSITIONS
    ▸ The threat landscape is changing
    ▸ The efficiency of technical controls declines in comparison to the economy of the attacker
    ▸ We have to level the playing field by understanding our weaknesses
    ▸ Ensure we have security analytics in place
    ▸ Ensure we have the insights and capacities to deal with it ourselves or move it to a third party (responsibility not included)
  • 65. CONCLUSIONS: TECHNOLOGY TRENDS
    ▸ We move to larger platforms
    ▸ Built with the tools developed at Twitter, LinkedIn and Facebook
    ▸ Queries, SQL and pre-processed data do not scale
    ▸ Imagine an out-sourced SOC with an installed capacity for 20 of the Top 2000 companies in Europe -
    ▸ Millions and millions of events every second (EPS)
  • 66. ANALYTICS: WRAP UP
    ▸ We have the technology now
    ▸ We have the math
    ▸ And we are starting to understand the threats and playing field
    ▸ The vendors just have to wrap everything together
    ▸ Few, if any, organisations have the capacity to write algorithms