
Transforming incident Response to Intelligent Response using Graphs


The market is overflowing with vendors building products in which graphs are used in the Detection phase. This session showcases the collaborative efforts between Azure Security Data Science, Microsoft Research, Azure Security Assurance and Microsoft's Threat Intelligence Center to explore the idea of using graphs during or after the Incident Response phase, when the IOCs have been (or are in the process of being) collected. At the end of the session, the audience will be able to gain insights from their own incident response process using open source tools and take steps towards automating them.

  1. TRANSFORMING INCIDENT RESPONSE TO INTELLIGENT RESPONSE USING GRAPHICAL ANALYSIS. Ram Shankar Siva Kumar, Security Data Wrangler, Microsoft (Azure Security Data Science); Peter Cap, Senior Threat Analyst, Microsoft (Threat Intelligence Center)
  2. MICROSOFT ONE HUNT EXERCISE. Source photo: ITV / Carnival Films
  3. 18 log sources, 73 pieces of evidence. Source: http://nearpictures.com/pages/p/puzzle-pieces-wallpaper/
  4. TRANSFORMING INCIDENT RESPONSE TO INTELLIGENT RESPONSE
  5. TEAM (team, person, expertise): Microsoft Threat Intelligence Center: Peter Cap, Abhijeet Hatekar (security incident response); Microsoft Research: Danyel Fisher (visualization); Azure Security: Thomas Garnier (engineering); Azure Security Data Science: Ram Shankar Siva Kumar (data science); SharePoint Online: Matt Swann (security)
  6. BOTTOM LINE UPFRONT: Close the Incident Response loop with the data owners. Using simple graph measures and matching algorithms, we can gain insights into the Incident Response process.
  7. AGENDA: How graphs are currently used in the industry; current pain points in Incident Response; demo; how graphs can help; conclusion
  8. LINK ANALYSIS
  9. PAIN POINTS: Investigation spans days to months. Querying different log sources, minting different IOCs. Fighting fires all the time. Is there a story? What is the big picture? What was the most "important" log source/IOC? Are there any patterns in how we use our logs?
  10. THE INCIDENT RESPONSE PROCESS. Source: http://www.akmgsi.com/
  11. THE INCIDENT RESPONSE PROCESS. Source: http://www.akmgsi.com/
  12. DEMO
  13. HOW TO USE GRAPHS IN THE RESPONSE PHASE?
  14. SYSTEM COMPONENTS: 1) Data aggregator: collect the required information as your investigation proceeds → the result is a table of IOCs and log sources. 2) Data clean-up: convert into XML format with appropriate tags. 3) Ingesting into the visualization platform: d3.js. 4) Incorporating the necessary libraries for computation:
  15. MODELING DATA WITH GRAPHS: Graphs are suitable for capturing arbitrary relations between the various elements. Vertex = element; vertex label = element's attributes; edge = relation between two elements; edge label = type of relation; graph instance = data instance. Graphs provide enormous flexibility for modeling the underlying data, as they allow the modeler to decide what the elements should be and which types of relations to model. Source: lectures by George Karypis
  16. GRAPHS IN IR / INTELLIGENT RESPONSE USING GRAPHS: graph theoretic measures, contextual visualization, graph mining. Is there a story? What is the big picture? Which log source/IOC was critical to the investigation? Is there a pattern to our log usage?
  17. CONTEXTUAL VISUALIZATION: flow layout, hierarchical representation, cola layout
  18. GRAPH THEORETIC MEASURES: degree centrality (indegree, outdegree), betweenness centrality
  19. DEGREE CENTRALITY / BETWEENNESS CENTRALITY
  20. FUTURE WORK: Once we have collected a corpus of response graphs, can we tell if the attack at hand resembles previous attacks? • Motivation: finding inherent regularities in the data across the DIFFERENT graphs • Step 1: Store all IR graphs in a graph database • Step 2: Examine whether the query graph at hand is part of the graph database, using a subgraph query against the graph database. Source: lectures by George Karypis
  21. WORDS OF WISDOM. Open source tools: yEd for graph drawing and layout; Gephi for graph analysis; Neo4j for the graph database. Scale: • Need to do some sort of clustering. Cyclic graphs: • Some of the analysis breaks. You can cheat by introducing duplicate nodes. Play around and try a lot of things!
  22. CONCLUSION: There are three benefits to using graphs in IR: 1. Contextual visualization 2. Simple graph measures to close the feedback loop with data owners 3. Graph mining to find inherent patterns in the Incident Response process (10/14/2015)
  23. ADDITIONAL RESOURCES: 1) Kuramochi, Michihiro, and George Karypis. "Finding frequent patterns in a large sparse graph." Data Mining and Knowledge Discovery 11.3 (2005): 243-271. http://glaros.dtc.umn.edu/gkhome/fetch/papers/sigramDMKD05.pdf 2) Jiang, Chuntao, Frans Coenen, and Michele Zito. "A survey of frequent subgraph mining algorithms." The Knowledge Engineering Review 28.01 (2013): 75-105. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.309.2712&rep=rep1&type=pdf 3) Template code for centrality measures: http://nodexl.codeplex.com/SourceControl/latest 4) Template code for Cola visualization: http://marvl.infotech.monash.edu/webcola/ 5) Blog post by John Lambert
  24. THANK YOU
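As an added example that is not part of the deck, slides 14, 15, 18 and 19 worked through in plain Python: log sources and IOCs become vertices, "this source surfaced this IOC" becomes an edge, and degree and betweenness centrality rank which log source or IOC the investigation hinged on. The log source names and indicator values are constructed, and betweenness is computed with Brandes' algorithm rather than the NodeXL template the slides point at.

```python
# Added example (not from the talk): slides 14-15 and 18-19 in plain Python. Log
# sources and IOCs are vertices, "this source surfaced this IOC" is an edge, and
# degree/betweenness centrality rank them. All names and values are constructed.
from collections import defaultdict, deque

EVIDENCE = [  # (log_source, ioc) pairs from a hypothetical investigation
    ("proxy_logs", "evil.example"), ("proxy_logs", "203.0.113.7"),
    ("dns_logs", "evil.example"), ("edr_alerts", "203.0.113.7"),
    ("edr_alerts", "dropper.exe"), ("edr_alerts", "svc-account"),
    ("auth_logs", "svc-account"), ("mail_gateway", "dropper.exe"),
]

def build_graph(pairs):
    adj = defaultdict(set)  # undirected; log sources and IOCs share one vertex set
    for a, b in pairs:
        adj[a].add(b); adj[b].add(a)
    return dict(adj)

def degree_centrality(adj):
    """Degree / (n-1): how many distinct things each vertex is linked to."""
    n = len(adj)
    return {v: len(nb) / (n - 1) for v, nb in adj.items()}

def betweenness_centrality(adj):
    """Brandes' algorithm (unweighted, undirected): how many shortest paths
    between other vertex pairs run through each vertex."""
    bc = dict.fromkeys(adj, 0.0)
    for s in adj:
        stack, pred = [], {v: [] for v in adj}
        sigma, dist = dict.fromkeys(adj, 0), dict.fromkeys(adj, -1)
        sigma[s], dist[s], queue = 1, 0, deque([s])
        while queue:                      # BFS from s, counting shortest paths
            v = queue.popleft(); stack.append(v)
            for w in adj[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]; pred[w].append(v)
        delta = dict.fromkeys(adj, 0.0)
        while stack:                      # accumulate dependencies, farthest first
            w = stack.pop()
            for v in pred[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                bc[w] += delta[w]
    return {v: x / 2 for v, x in bc.items()}  # undirected: each pair counted twice

def most_critical(scores, k=3):
    return sorted(scores, key=scores.get, reverse=True)[:k]  # top-k by score
```

On this sample the EDR alerts sit on every path between the proxy/DNS side and the mail and auth evidence, so they top both rankings even though they surfaced only three indicators.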

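For the future-work slide, an added example (not from the talk) of step 2: check whether the typed pattern of the incident at hand embeds in a previously stored response graph, using plain backtracking subgraph isomorphism on node types. A real deployment would issue this as a query to the graph database (Neo4j is named on slide 21); here the STORED graph, its node names and the log/hash/ip/domain types are all constructed and held in memory.

```python
# Added example (not from the talk) for the future-work slide: does the pattern of
# the current incident embed in a stored response graph? Backtracking subgraph
# isomorphism on node types stands in for a graph-database query. Constructed data.

def make_graph(nodes, edges):
    """nodes: {name: type}; edges: (a, b) pairs. Undirected adjacency."""
    adj = {n: set() for n in nodes}
    for a, b in edges:
        adj[a].add(b); adj[b].add(a)
    return {"types": dict(nodes), "adj": adj}

STORED = make_graph(  # response graph from an earlier, hypothetical investigation
    {"mail_gateway": "log", "edr_alerts": "log", "proxy_logs": "log",
     "attach.docm": "hash", "dropper.exe": "hash", "203.0.113.7": "ip",
     "evil.example": "domain"},
    [("mail_gateway", "attach.docm"), ("edr_alerts", "attach.docm"),
     ("edr_alerts", "dropper.exe"), ("edr_alerts", "203.0.113.7"),
     ("proxy_logs", "203.0.113.7"), ("proxy_logs", "evil.example")])

QUERY = make_graph(  # shape of the current incident: mail -> hash <- EDR -> ip
    {"q_mail": "log", "q_hash": "hash", "q_edr": "log", "q_ip": "ip"},
    [("q_mail", "q_hash"), ("q_edr", "q_hash"), ("q_edr", "q_ip")])

def find_embedding(query, target):
    """First injective query->target vertex mapping that preserves node types and
    every query edge (subgraph isomorphism), or None if the pattern is absent."""
    order = sorted(query["adj"], key=lambda n: -len(query["adj"][n]))  # dense first
    def extend(mapping):
        if len(mapping) == len(order):
            return dict(mapping)
        q = order[len(mapping)]
        for t, ttype in target["types"].items():
            if ttype != query["types"][q] or t in mapping.values():
                continue  # wrong type, or target vertex already used
            if all(mapping[n] in target["adj"][t] for n in query["adj"][q] if n in mapping):
                mapping[q] = t
                hit = extend(mapping)
                if hit:
                    return hit
                del mapping[q]
        return None
    return extend({})
```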