1. How Machine Learning is Changing the Face of Cyber-Defense
Gunter Ollmann | CTO, Security -- Cloud + Enterprise Division
Twitter: @gollmann LinkedIn: https://linkedin.com/in/gunterollmann/
4. Microsoft’s daily cloud security scale
• 10s of PBs of logs
• 300+ million active Microsoft Account users
• 450 billion Azure Active Directory logons
• Detected/reflected attacks: >10,000 location-detected attacks; 1.5 million compromise attempts deflected
5. ML Applied to Continual Threat Detection
• Incident Response (IR) and Threat Hunting
• No shortage of interesting things needing to be investigated
• Each new detection capability adds more needles to the haystack
6. Prioritizing The Haystacks
• Detection capabilities and volume scaling fast!
• More threats than can ever be fully investigated by a human
• Prioritization via scoring
  • Learning from human investigators
  • Collating related attack and exploitation events
  • Combining external and 3rd-party intelligence
  • Understanding the “business context”
• Growing haystacks
  • Cyber defenders increasingly focused on big/edge events
  • Backlog of (possible) investigations keeps growing
  • Need for AI-powered blocking/mitigation automation
7. ML Critical to the Changing Cyber Battlefield
• Transition of defender
  • 6+ years ago: “patch-monkey”
  • Today: front-line, highly-trained cybersecurity expert
• Tier-2.5
• Successful detections require domain knowledge
8. Example: Geolocation Anomaly Detection
• Detect anomalous Azure Active Directory logins from unusual geographic locations
• A login is anomalous if the distance between places is ‘unreachable’
• Noisy inputs: company proxy/gateway, cellphone networks, staff vacations and travel
• Former rules + heuristics based approach: 28% of logins identified as suspicious
  • 2 billion logins per day = 560m “suspicious” logins
9. Example: Geolocation Anomaly Detection
• Detect anomalous Azure Active Directory logins from unusual geographic locations
• A login is anomalous if the distance between places is ‘unreachable’
• After applying Machine Learning: rate dropped to less than 0.001%
• Profile the user’s location by comparing with similar users; ensure the model accounts for travel and company proxies
• Trained at regular intervals: 800+ GB per day
• Classification completed within milliseconds
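The ‘unreachable distance’ rule from slides 8 and 9, worked through as an added example written for this page (it is not the speaker’s or Microsoft’s code, and the real service is not described in this detail). It assumes each sign-in has already been geolocated to a latitude/longitude, uses a constructed airliner-speed threshold of 1,000 km/h, and handles the “company proxy/gateway” noise source by skipping sign-ins from an assumed allowlist of corporate egress IPs. The peer-group profiling mentioned on slide 9 is not implemented; all names, IPs (documentation ranges) and timestamps are constructed.

```python
# Added example (not from the talk): impossible-travel check over login events.
# Implements the "unreachable distance" rule plus a corporate-proxy allowlist;
# peer-group ("similar users") profiling from the slides is not implemented.
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Assumed threshold: faster than an airliner means the user cannot have travelled.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime        # UTC timestamp of the sign-in
    src_ip: str         # source address as seen by the identity provider
    lat: float          # geolocated latitude of src_ip
    lon: float          # geolocated longitude of src_ip


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two lat/lon points, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def required_speed_kmh(prev: Login, cur: Login) -> float:
    """Speed the user would need to reach cur's location from prev's."""
    dist_km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = abs((cur.ts - prev.ts).total_seconds()) / 3600.0
    if hours == 0:
        return float("inf") if dist_km > 0 else 0.0
    return dist_km / hours


def impossible_travel(logins, known_proxies=frozenset(),
                      max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Return (previous, current, speed) triples where a user would have had to
    move faster than max_speed_kmh between consecutive sign-ins.

    Sign-ins from known corporate proxy/gateway egress IPs are excluded from the
    distance comparison: their geolocation reflects the egress point, not the
    person, which is the noise source the slides describe.
    """
    flagged = []
    last_seen = {}
    for ev in sorted(logins, key=lambda e: (e.user, e.ts)):
        if ev.src_ip in known_proxies:
            continue
        prev = last_seen.get(ev.user)
        if prev is not None:
            speed = required_speed_kmh(prev, ev)
            if speed > max_speed_kmh:
                flagged.append((prev, ev, speed))
        last_seen[ev.user] = ev
    return flagged


def suspicious_rate(logins, known_proxies=frozenset()) -> float:
    """Fraction of sign-ins flagged: the metric the slides quote (28% vs <0.001%)."""
    logins = list(logins)
    if not logins:
        return 0.0
    return len(impossible_travel(logins, known_proxies)) / len(logins)


# Constructed sample sign-ins (documentation-range IPs, rough city coordinates).
SEATTLE = (47.61, -122.33)
LONDON = (51.51, -0.13)
DUBLIN = (53.35, -6.26)     # stands in for a corporate proxy egress location
PORTLAND = (45.52, -122.68)
CORP_PROXIES = frozenset({"192.0.2.1"})  # constructed proxy/gateway allowlist
T0 = datetime(2017, 6, 1, 9, 0)

SAMPLE_LOGINS = [
    Login("alice", T0, "203.0.113.10", *SEATTLE),
    Login("alice", datetime(2017, 6, 1, 9, 30), "198.51.100.7", *LONDON),    # ~7,700 km in 30 min
    Login("bob", T0, "203.0.113.11", *SEATTLE),
    Login("bob", datetime(2017, 6, 1, 9, 20), "192.0.2.1", *DUBLIN),         # via corporate proxy
    Login("carol", T0, "203.0.113.12", *SEATTLE),
    Login("carol", datetime(2017, 6, 1, 12, 0), "203.0.113.13", *PORTLAND),  # ~235 km in 3 h
]

if __name__ == "__main__":
    for prev, cur, speed in impossible_travel(SAMPLE_LOGINS, CORP_PROXIES):
        print(f"{cur.user}: {prev.src_ip} -> {cur.src_ip} needs {speed:,.0f} km/h")
```

Run without the allowlist, the rule flags both alice and bob; bob’s second sign-in is really the Dublin proxy egress, which is the kind of false positive that drove the 28% rate. Passing `CORP_PROXIES` leaves only alice, whose Seattle-to-London hop in thirty minutes is genuinely unreachable. The slides’ further reduction comes from profiling each user against similar users and modelling travel, which this rule does not attempt.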
10. Preempting Customer Attacks with ML
• Network anomaly and multi-cloud behavioral detections
  • “User” downloading from an odd location, at odd times, and from unmanaged devices
  • Disproportionate download of documents marked as “confidential”
  • Attributed to an employee one week before leaving
• Anti-phishing leads to patient-zero protection
  • Dynamically generated email with “unique” text and link to infector site
  • Sophisticated anti-phishing ML and anomaly detection recognizes the attack
  • URL inspected, payload downloaded and detonated
  • New malware family and campaign uncovered
  • Behavioral classifier and malware labels pushed to desktop protectors
12. DARPA Cyber Grand Challenge
• Cyber Reasoning System (CRS)
• DEF CON 2016, Las Vegas: $55m program, with $2m cash award for Mayhem
• Auto-attack
• Auto-defend
• Auto-patch
• Auto-“bug hunt”
13. From Defenders to Attackers
• The world today… is already automated
  • Every IP scanned hundreds of times per day
  • Every “common” port scanned hundreds of times per day
  • Every uncommon port scanned dozens of times per day
  • Every service identified, enumerated, and probed daily
  • Every service account tested and brute-forced 10,000’s of times per day
  • All automated, database driven, searchable – ready for mass compromise
• The world next week… will be smarter
  • Hide within the background noise of the Internet, maintain persistence
  • High volume, everything at once, land grab of target resources and data
  • Or something in between…
14. Next Generation Cyber Defense
• Humans monitor across systems
  • Too big a “bump in the wire” to have humans in-line
• Dynamic defensive layers fed by suspicion
  • Defenses added, connections re-routed, as behavioral anomalies grow
• Move from “alert” to “mitigated”
  • Defend earlier in the attack life-cycle
• Collaborative multi-provider prevention
  • Attack traffic is mitigated at source, informed by AI
Left: Old model. Defender with limited “hard shell” defenses surrounded by attackers. Outnumbered and outgunned.
Right: Cloud model. The cloud is instrumented and has defensive capabilities. Each customer/workload has its own set of defenses. Threat information and telemetry is shared and actions coordinated. The cloud provider’s defensive team helps orchestrate cross-cloud defenses and responses. Defenders outnumber the attackers.
a. Microsoft Cloud App Security
b. Office 365 Advanced Security Management
c. Microsoft Azure Rights Management
d. Office 365 Data Loss Prevention
e. Windows BitLocker
f. Windows Information Protection
g. Azure Information Protection
h. Exchange Online Advanced Threat Protection
i. Office 365 Customer Lockbox