F.I.D.O.
Fully Integrated Defense Operation
Rob Fry - Sr Security Architect
Agenda
• The Human Problem
• The Technical Problem
• F.I.D.O. High Level
• What’s Next?
• Q & A
The Human Problem
Source: Cisco 2014 ASR, Network World, ISAC, swimlane.com, Security Week
The Human Problem
• Vendors and organizations are not doing enough to lower the bar
• 62% of organizations have not increased security training
• 83% of enterprises lack the resources or skills to protect assets
• Majority of the work is done manually… self-defeating
• Response time windows are too high
• Enforcement, mitigation is largely manual
Too Many Alerts, Too Little Time/Resources
Network defenders are overwhelmed by the volume of alerts
• Typical Fortune 1000 organization experiences thousands of new security events every day (1)
• Data review is time consuming
Current industry best practices rely on analysts using SIEM technologies + manual use of threat intel feeds
• Too many false positives
• Very little guidance on how to filter the signal from the noise
The Technical Problem
Source: (1) IBM 2014 Cyber Security Intelligence Index
“There are 400 alerts in my SIEM, and I have time/resources to
investigate 10. Which 10 do I choose?” (1)
Source: (1) CISO from Fortune 200 Company
The Technical Problem
But… it WORKS in the MOVIES
The Technical Problem
F.I.D.O. = Orchestration
• The work of a human, but at machine speed
• Data enrichment
• Get more out of security investment
• Adds consistency
• Filter out false positives
• Threat, user, machine and asset scoring
Known -versus- Unknown
F.I.D.O. = Orchestration
Reduce Response Time
(Chart: attacker's ability plotted against defender's ability over time)
Source: Verizon Data Breach Report
F.I.D.O. = Orchestration
At First, Simplicity
Disjointed Security
(Diagram: a Network Alert from the Firewall/IPS/IDS and a separate Endpoint Defense result each go to their own Support Person; for the same Malware the network side reports "Bad!" while the endpoint side reports "Blocked!")
At First, Simplicity
Joining the disjointed
(Diagram: the Network Alert from the Firewall/IPS/IDS and the Endpoint Defense result, Blocked or Not Blocked, for the same Malware are joined before reaching a single Support Person)
At First, Simplicity
Joining the disjointed
• Aggregate data from multiple human jobs at once
• Look for corresponding events
• Reduce severity where one detector blocks
• Reduce response time
• Opened door to other ideas
Look Outside the Security Sphere
Expanding data sources
(Diagram: the joined Network Alert and Endpoint Defense result, Blocked or Not Blocked, are enriched with User, Asset and Machine context from a Data Source before reaching the Support Person)
Expanding data sources
• Systems management, inventory, HR, AD, etc.
• Added machine, user, asset posture
• Not just about the threat, context is still king
• Example: any alert against PCI, PII, Domain Admin, CEO, etc., would be more critical
Threat Feeds
Value in Crowdsourcing
(Diagram: the Alert, the Data Source context (User, Asset, Machine) and Threat Feeds meet in Correlation before the Support Person; the threat feeds contribute crowdsourcing, context, validation and false-positive filtering)
Threat Feeds
• Too much data to do manually, more effective automated
• Can provide rich detailed layers of context
• As a stack, can cover the multiple layers
• Cross-correlation between feeds
• Scheduled artifact checking
• Prelude to detection
Historical Data
Looking back is important
(Diagram: the Alert, Data Source context (User, Asset, Machine), Threat Feeds and Historical data all feed Correlation before the Support Person)
Historical Data
• Security alerts
• User, machine
• Artifacts (IP, hash, URL)
• Introduces thresholds
• Retrospection
Scoring Engine
Assessing the Data
(Diagram: the Alert is correlated against Data Source context (User, Asset, Machine), Threat Feeds and Historical data; the Scoring stage produces 0%-100% scores for User, Asset, Machine and Threat plus a Total, which the Support Person receives)
F.I.D.O. High Level
F.I.D.O. pipeline: 1. Detectors → 2. Host Detection → 3. Threat Stack → 4. Data Sources → 5. Correlation → 6. Scoring → 7. Enforcement → 8. Notification
F.I.D.O. High Level
1. Detectors: Carbon Black, ProtectWise, Cyphort, SentinelOne, Niddel, Palo Alto Network
2. Host Detection: DHCP, RPC, SSH, DNS, ARP
3. Threat Stack: VirusTotal, ThreatGRID, OpenDNS, ThreatExchange, AlienVault
4. Data Sources: LDAP, Jamf, Landesk, SCCM, Endpoint, HR
5. Correlation: Detectors, Previous Threats, Historical User/Machine, OS, Threat Feeds, Thresholds
6. Scoring → 7. Enforcement → 8. Notification
Evolution of Correlation
(Chart: a correlation maturity curve annotated "F.I.D.O. is probably here" and "Although some days I feel like it's here")
Correlation: Simple Example
Patterns in the data
(Chart: data points classified as Normal, Suspicious or Malicious)
Correlation: Real World Example
Patterns in the data
Correlation: Cross Sections
Patterns in the data
(Figure: a cross-section of IP, hash, URL and domain artifacts drawn from several alerts, each labelled with the number of alerts it appears in, from 2x up to 5x)
Correlation Initiatives
• More data, different data, more data points
• Move past 1000 vectors
• More indicators
• Move laterally across data (detector, threat feed, whatever)
• Drill in multiple layers deep
• Better data enrichment algorithms for higher quality associations, thresholds, increments
• Independent processes for correlation (microservices)
• Continue to evaluate ML for correlation
• F.I.D.O. is not ML, but we are working on it
• ML for scoring first (Thank you Mines.IO team)
• ML for security is hard, efficacy can be challenging
• Correlation can be repeatable
• Correlation is what security people do… codify it
F.I.D.O. High Level
6. Scoring: Threat, User, Machine, Asset, Total Score
7. Enforcement: Kill NIC, Client Sandboxing, Network Sandboxing, Automated Re-image, Kill VPN, DHCP Blacklist, Disable Account, Reset Password
8. Notification: Recommendation, Link to Docs, Actions Performed, Create Ticket, Updates DB
Pipeline: 1. Detectors → 2. Host Detection → 3. Threat Stack → 4. Data Sources → 5. Correlation → 6. Scoring → 7. Enforcement → 8. Notification
F.I.D.O. High Level (complete pipeline)
1. Detectors: Carbon Black, ProtectWise, Cyphort, SentinelOne, Niddel, Palo Alto Network
2. Host Detection: DHCP, RPC, SSH, DNS, ARP
3. Threat Stack: VirusTotal, ThreatGRID, OpenDNS, ThreatExchange, AlienVault
4. Data Sources: LDAP, Jamf, Landesk, SCCM, Endpoint, HR
5. Correlation: Detectors, Previous Threats, Historical User/Machine, OS, Threat Feeds, Thresholds
6. Scoring: Threat, User, Machine, Asset, Total Score
7. Enforcement: Kill NIC, Client Sandboxing, Network Sandboxing, Automated Re-image, Kill VPN, DHCP Blacklist, Disable Account, Reset Password
8. Notification: Recommendation, Link to Docs, Actions Performed, Create Ticket, Updates DB
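The correlation, scoring and enforcement stages above, as a miniature added to this page (example code, not Netflix's F.I.D.O.); it also shows the slide-15 rule that PCI assets and Domain Admin users raise criticality, the "reduce severity where one detector blocks" rule, the historical threshold, and the slide-27 artifact cross-section count. Every weight, threshold, field name and sample record is an assumption constructed for the example.

```python
# Added example for this page: a miniature of F.I.D.O. stages 4-8
# (data sources, correlation, scoring, enforcement, notification) as the
# slides describe them. It is NOT Netflix's F.I.D.O. code; every weight,
# threshold, field name and record below is an assumption or constructed.
from collections import Counter
from dataclasses import dataclass


@dataclass
class Alert:
    alert_id: str
    host: str
    user: str
    artifacts: list          # IPs / hashes / URLs / domains from the detector
    endpoint_blocked: bool   # did endpoint defense already stop it?


# 4. Data sources (AD / HR / inventory posture): constructed sample records
USERS = {"alice": {"domain_admin": True}, "bob": {"domain_admin": False}}
ASSETS = {"pci-db-01": {"PCI"}, "laptop-77": set()}     # classification tags
MACHINES = {"pci-db-01": {"patched": False, "av_running": True},
            "laptop-77": {"patched": True, "av_running": True}}
# 3. Threat stack: which feeds flagged an artifact (constructed, not real IoCs)
THREAT_FEEDS = {"bad.example": {"feedA": True, "feedB": True},
                "hash-deadbeef": {"feedA": True, "feedB": False}}
# Historical data: number of earlier alerts that carried the artifact
HISTORY = Counter({"bad.example": 4, "hash-deadbeef": 1})
HISTORY_THRESHOLD = 3     # assumed: a repeat artifact past this count matters
WEIGHTS = {"threat": 40, "user": 20, "asset": 20, "machine": 20}  # sum 100


def score_threat(alert):
    """Threat score 0-100: feed agreement (max 60) + recurrence (40)."""
    best = 0
    for art in alert.artifacts:
        verdicts = THREAT_FEEDS.get(art, {})
        hits = sum(verdicts.values())
        s = 60 * hits // len(verdicts) if verdicts else 0
        if HISTORY[art] >= HISTORY_THRESHOLD:
            s += 40
        best = max(best, s)
    return best


def score_user(alert):
    """Privileged users (Domain Admin) make the alert more critical."""
    return 80 if USERS.get(alert.user, {}).get("domain_admin") else 20


def score_asset(alert):
    """Regulated data (PCI / PII) on the asset raises criticality."""
    return 80 if ASSETS.get(alert.host, set()) & {"PCI", "PII"} else 20


def score_machine(alert):
    """Machine posture: an unpatched OS or missing AV each add risk."""
    m = MACHINES.get(alert.host, {})
    unpatched = 0 if m.get("patched", True) else 40
    no_av = 0 if m.get("av_running", True) else 40
    return 20 + unpatched + no_av


def total_score(scores, endpoint_blocked):
    """Weighted 0-100 total; halved when one detector already blocked it."""
    t = sum(WEIGHTS[k] * scores[k] for k in WEIGHTS) // 100
    return t // 2 if endpoint_blocked else t


def recommend(total):
    """Enforcement/notification actions named on the slides (assumed cut-offs)."""
    if total >= 75:
        return ["Kill NIC", "Disable Account", "Create Ticket"]
    if total >= 50:
        return ["Client Sandboxing", "Create Ticket"]
    return ["Create Ticket"]


def process(alert):
    """Run one alert through correlation, scoring and enforcement."""
    scores = {"threat": score_threat(alert), "user": score_user(alert),
              "asset": score_asset(alert), "machine": score_machine(alert)}
    scores["total"] = total_score(scores, alert.endpoint_blocked)
    return {"alert": alert.alert_id, "scores": scores,
            "actions": recommend(scores["total"])}


def artifact_cross_section(alerts):
    """Slide-27 style view: how many alerts each artifact appears in."""
    return Counter(a for al in alerts for a in set(al.artifacts))


SAMPLE_ALERTS = [  # constructed alerts, not real events
    Alert("A1", "pci-db-01", "alice", ["bad.example", "hash-deadbeef"], False),
    Alert("A2", "laptop-77", "bob", ["hash-deadbeef"], True),
    Alert("A3", "laptop-77", "bob", ["bad.example"], False),
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(process(a))
    print(artifact_cross_section(SAMPLE_ALERTS))
```

A1 (PCI host, Domain Admin, two-feed hit with history) scores 84 and gets the hard enforcement tier; A2 scores 24 but is halved to 12 because the endpoint already blocked it; A3 lands at 52 and is sandboxed.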
F.I.D.O. High Level
Success?
Pre-F.I.D.O.:
1. Response measured in days to a week
2. Aggregation of data took hours
3. 80% of alerts not processed
4. Minimal endpoint/user information
5. Little or no scoring information
Post-F.I.D.O.:
1. Response measured in less than an hour
2. Aggregation of data takes minutes
3. All alerts processed
4. Detailed endpoint/user information
5. Detailed scoring information
F.I.D.O. High Level
Success?
(Chart) Response Time, Time = Days: 7 Days → 1 Day → > 1hr from Pre-F.I.D.O. to Post-F.I.D.O., +23hrs Improvement
(Chart) Data Aggregation, Time = Hours: 4 Hours → 30 Mins → >10mins from Pre-F.I.D.O. to Post-F.I.D.O., +20mins Improvement
F.I.D.O. High Level
Success?
(Chart) Alerts Processed: 80% of alerts not processed before F.I.D.O.; 100% of alerts processed after F.I.D.O.
What’s Next?
Opportunity
What’s Next?
• ML for scoring (Thanks Mines.IO guys)
• More and tighter integrations
• Full stack: Ubuntu, python, node, nginx, couchdb & more
• Web UI: both configuration and admin
• API for data ingestion or export
Q&A
• Questions?
• Thank you!
• rob.fry@netflix.com