Accelerating The Pathway to Better Threat Analytics: From Getting Started to Cloud Security Analytics and Machine Learning Algorithms

Fighting the Eternal Challenge: Dealing with Alert Fatigue and Getting Insights into Security Productivity. Lessons for a Fast Start in Automation and Orchestration.

  1. Accelerating The Pathway to Better Threat Analytics: From Getting Started to Cloud Security Analytics and Machine Learning Algorithms (Security Breakout)
  2. Fighting the Eternal Challenge: Dealing with Alert Fatigue and Getting Insights into Security Productivity (Security Breakout)
  3. Lessons for a Fast Start in Automation and Orchestration (Security Breakout)
  4. Forward-Looking Statements. During the course of this presentation, we may make forward-looking statements regarding future events or plans of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results may differ materially. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, it may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements made herein. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only, and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionalities described or to include any such feature or functionality in a future release. Splunk, Splunk>, Data-to-Everything, D2E, and Turn Data Into Doing are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2020 Splunk Inc. All rights reserved.
  5. Speaker Intro: Lars Wittich, Sales Engineer; Matthias Maier, Product Marketing Director (CEH, CISSP, CISM)
  6. Key Challenges: Alert Fatigue. What is worth investigating? Which asset or identity (user) should be investigated first? More detection mechanisms should not mean overburdening the SOC analysts with more alerts. Impact on SOC efficiency and effectiveness: increased costs and burden on the security analysts, and increased risk of missing the important things.
  7. Key Takeaways. Three strategies to prioritize the security alerts and anomalies that your threat detection program produces: (1) Urgency = Severity + Priority; (2) Risk Based; (3) Machine Learning. Plus SOC Metrics: measuring the efficiency and effectiveness of your alerting strategy.
  8. Splunk as the Security Nerve Center: Optimize People, Process and Technology. Layers: Data Platform, Analytics, Operations. Sources: Cloud Security, Endpoints, WAF & App Security, Threat Intelligence, Network, Web Proxy, Firewall, Identity and Access, Orchestration.
  9. Security Operations Suite Architecture: Platform for Machine Data (Cloud, On-Prem, Hybrid with Brokers); Platform Applications; Solutions (Future Splunk Solutions, 3rd Party Plug-ins); Mission Control (Cloud-Based Unified Security Operations); Customer Delivery; Other Data Lakes.
  10. Capabilities: Ingest, Detect, Predict, Automate, Orchestrate, Recommend, Collaborate, Investigate, Manage Cases, Report. Underpinned by Artificial Intelligence, Content and Machine Learning.
  11. Today's SOC (figure: a flood of alerts)
  12. Today's Security Operations Workflow: a process that doesn't scale. Tools: Firewall, IDS / IPS, Endpoint, WAF, Advanced Malware, Forensics, Malware Detection. Data: Network Traffic, Intrusion Data, Endpoint, Threat Intel, Malware, Authentication, Wire Data, Assets & Identities. Everything flows into the SIEM and on to Tier 1 and Tier 2 analysts.
  13. Key Challenges: Alert Fatigue. What is worth investigating? Which asset or identity (user) should be investigated first? More detection mechanisms should not mean overburdening the SOC analysts with more alerts. Impact on SOC efficiency and effectiveness: increased costs and burden on the security analysts, and increased risk of missing the important things.
  14. Urgency Calculation: Urgency = Severity + Priority
  15. Alert Strategy: Urgency Calculations. Urgency is based on asset priority and alert severity. An asset can be anything: network segment, server, service, user. An alert can come from anything: simple and complex ML correlations, other security tools. Asset priority is sourced from risk assessment and risk management: asset identification and asset owners, valuation of assets, loss scenarios. Advantage: alignment with business priorities and outcomes.
  16. Entering Splunk Enterprise Security. Priority: assigned to the relevant asset or identity. Severity: of the correlation search. Urgency: used to prioritize the investigation of notable events.
  17. Entering Splunk Enterprise Security: Demo Time. Where priorities for assets and identities come from; where the urgency of correlation rules is configured; how to adjust the urgency matrix formula itself.
  19. Entering Splunk Enterprise Security: Demo Time. Where priorities for assets and identities come from: anywhere included in the Assets and Identities Framework, carried as a meta field called priority. Where the urgency of correlation rules is configured: within the adaptive response notable event action, including the asset and identity field selections. How to adjust the urgency matrix formula: the lookup table called urgency_lookup.
  20. Risk-based Alerting
  21. Alert Strategy: Risk-based alerting (credits to Bryan Turner, IT Security Analyst, Publix)
  22. Alert Strategy: Risk-based alerting (credits to Bryan Turner, IT Security Analyst, Publix)
  23. Alert Matrix: Risk-based alerting (credits to Bryan Turner, IT Security Analyst, Publix). Note: use values that work best for YOUR environment.
  24. Entering Splunk Enterprise Security: Demo Time. Notables prioritized based on risk scoring; configuring risk attribution for notables; creating a risk incident rule; monitoring enterprise risk trends.
  26. Entering Splunk Enterprise Security: Demo Time. Notables prioritized based on risk scoring: improved analysis workflow. Configuring risk attribution for notables: easy to deploy through any correlation search, and also possible via search commands. Creating a risk incident rule: reduced alerts and improved detections by creating an abstraction layer for security alerts. Monitoring enterprise risk trends: scale analysts through focused priorities.
  27. Utilizing Graph Mining for Security Alerts, Powered by Machine Learning
  28. Alert Strategy: Machine Learning. (1) Utilizing graph mining; (2) time series behavioral profiling. Questions to answer: What happened? Who was involved? When did it start? Where was it seen? How did it get in? How do I contain it?
  29. Two Stage Machine Learning: the Splunk UBA Process. Data feeds Stage 1 machine learning (logistic regression, random forest, etc.), which produces low-fidelity anomalies: unusual machine access, external alerts (e.g. from the SIEM), unusual network activity, flight risk user, suspicious data movement. Stage 2 machine learning (graph mining, time series behavioral profiling) turns those anomalies into high-fidelity threat alerts: lateral movement, suspicious behavior, compromised account, malware activity, data exfiltration.
  30. Entering Splunk UBA: Demo Time. Review a network scanning alert; apply machine learning to connect the dots; send "real" threats back to ES for analyst work.
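The two alerting strategies of slides 14 to 26, as an added example in plain Python that is not from the deck or from Splunk: a constructed urgency matrix in the spirit of the ES urgency_lookup table, and a constructed risk incident rule that sums the risk scores several correlation searches attribute to one asset or identity and raises a single notable once the accumulated score crosses a threshold. Every level, score, threshold, host and search name here is made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ordinal scales and a constructed urgency matrix. In ES the real
# mapping lives in the urgency_lookup table, which you tune for your environment.
LEVELS = ["informational", "low", "medium", "high", "critical"]
URGENCY_LOOKUP = {  # (asset priority, alert severity) -> urgency
    ("low", "low"): "informational", ("low", "high"): "medium",
    ("high", "low"): "medium", ("high", "high"): "critical",
}

def urgency(priority, severity):
    """Urgency = Severity + Priority: explicit matrix entry first, else an ordinal blend."""
    if (priority, severity) in URGENCY_LOOKUP:
        return URGENCY_LOOKUP[(priority, severity)]
    # Fallback: ceiling of the mean rank, so a critical asset lifts a low-severity alert.
    rank = (LEVELS.index(priority) + LEVELS.index(severity) + 1) // 2
    return LEVELS[min(rank, len(LEVELS) - 1)]

# Constructed risk events: each correlation search attributes a score to a risk
# object (asset or identity) instead of raising its own notable event.
RISK_EVENTS = [  # (time, risk object, source correlation search, risk score)
    ("2020-05-01T08:00:00", "wks-0042", "Multiple Failed Logins", 20),
    ("2020-05-01T08:05:00", "wks-0042", "New Process Name", 10),
    ("2020-05-01T08:20:00", "wks-0042", "Outbound to Rare Domain", 30),
    ("2020-05-01T09:10:00", "wks-0042", "Encoded PowerShell Command", 40),
    ("2020-05-01T08:30:00", "srv-db-01", "New Process Name", 10),
    ("2020-05-01T12:00:00", "jdoe", "Multiple Failed Logins", 20),
]

def risk_incident_rule(events, threshold=60, window=timedelta(hours=24), min_sources=3):
    """Constructed risk incident rule: one notable per risk object whose summed score
    inside the window reaches the threshold and comes from several distinct searches."""
    by_object = defaultdict(list)
    for ts, obj, source, score in events:
        by_object[obj].append((datetime.fromisoformat(ts), source, score))
    notables = []
    for obj, evs in by_object.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - t0 <= window]
            total = sum(e[2] for e in in_window)
            sources = {e[1] for e in in_window}
            if total >= threshold and len(sources) >= min_sources:
                notables.append({"risk_object": obj, "risk_score": total,
                                 "sources": sorted(sources)})
                break  # the abstraction layer: one notable, not one per detection
    return notables
```

With these constructed inputs the six raw detections collapse into one notable for wks-0042 (score 100, four sources), while the single low-score hits on srv-db-01 and jdoe raise nothing.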
  32. Entering Splunk UBA: Demo Time. Review a network scanning alert. Applying machine learning to connect the dots: machine learning models with graph mining of dependencies. Send "real" threats back to ES for analyst work: the central interface for Security Information and Event Management.
  33. SOC Metrics: How good are we at working on security alerts?
  34. Measuring SOC Effectiveness. Security Operations Management: effective metrics are SMART (Specific, Measurable, Attainable, Relevant, Timely). Performance Management: time to remediate security incidents, measured as Mean Time To Detect (dwell time), Mean Time To Triage (end-to-end analysis time within the SOC) and Mean Time To Closure (end-to-end response time including other operational units).
  35. Built-in Measurements: Demo Time. Report on how long it takes to triage a notable; report on how long it takes to close one.
  37. Built-in Measurements: Demo Time. Report on how long it takes to triage a notable: Triage Time = "In Progress" to "Closed". Report on how long it takes to closure: Closure Time = "New" to "Closed".
  38. Recommended Further Reads
     • Add asset and identity data to Splunk Enterprise Security: https://docs.splunk.com/Documentation/ES/6.0.0/Admin/Addassetandidentitydata
     • Getting Started with Risk-Based Alerting and MITRE (Bryan Turner, IT Security Analyst, Publix): https://conf.splunk.com/files/2019/slides/SEC1538.pdf
     • Modernize and Mature your SOC with Risk-Based Alerting (Jim Apger, Security Specialist, Splunk / Jimi Mills, SOC Manager, Texas Instruments): https://conf.splunk.com/files/2019/slides/SEC1538.pdf
     • Understand data flow in Splunk UBA: https://docs.splunk.com/Documentation/UBA/5.0.0/GetDataIn/Overview
     • Machine Learning Toolkit Overview in Splunk Enterprise Security: https://docs.splunk.com/Documentation/ES/6.0.0/Admin/MLTKoverview
  39. Splunk Technology Covered in This Session: Splunk Enterprise Security, Splunk User Behavior Analytics and Phantom, shown on the Security Operations Suite architecture (Platform for Machine Data across Cloud, On-Prem and Hybrid with Brokers; Platform Applications; Solutions including Future Splunk Solutions and 3rd Party Plug-ins; Mission Control for Cloud-Based Unified Security Operations; Customer Delivery; Other Data Lakes).
  40. Action Plan: Next 90 Days. Tech Hands On: schedule an ES hands-on workshop; it leverages the Boss of the SOC (BOTS) dataset with multiple scenarios, from the creation of a notable event through to its investigation. Strategy: schedule a PVP (Prescriptive Value Path) with a Splunk security expert; Your Target State - Today = Identified Gap and Project Roadmap. Security Program Review: understand your business organization's goals; gain an understanding of the business goals and the business case for IT and data security; understand management's risk appetite and asset classifications, and review recent incidents.
  41. Thank You!
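Added example, not the deck's or Splunk's own code: the two demo definitions above (Triage Time = "In Progress" to "Closed", Closure Time = "New" to "Closed") computed from a constructed log of notable status transitions, excluding notables that are still open so that they do not skew the means and excluding closed-without-triage notables from the triage metric only.

```python
from datetime import datetime
from statistics import mean

# Constructed status-transition records, in the spirit of a notable event
# audit trail: (notable id, new status, timestamp). Not real Splunk data.
STATUS_LOG = [
    ("N-1", "New", "2020-05-01T08:00:00"),
    ("N-1", "In Progress", "2020-05-01T08:30:00"),
    ("N-1", "Closed", "2020-05-01T09:30:00"),
    ("N-2", "New", "2020-05-01T10:00:00"),
    ("N-2", "In Progress", "2020-05-01T14:00:00"),
    ("N-2", "Pending", "2020-05-01T15:00:00"),      # waiting on another unit
    ("N-2", "Closed", "2020-05-02T10:00:00"),
    ("N-3", "New", "2020-05-01T11:00:00"),
    ("N-3", "In Progress", "2020-05-01T11:10:00"),  # still open: excluded
    ("N-4", "New", "2020-05-01T12:00:00"),
    ("N-4", "Closed", "2020-05-01T12:06:00"),       # closed without triage
]

def _minutes(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60

def soc_metrics(log):
    """Per-notable triage and closure times plus their means, in minutes.
    Triage Time = first 'In Progress' to 'Closed'; Closure Time = 'New' to 'Closed'."""
    first = {}  # (notable, status) -> earliest timestamp at which it entered that status
    for nid, status, ts in log:
        key = (nid, status)
        if key not in first or ts < first[key]:   # ISO-8601 strings compare chronologically
            first[key] = ts
    ids = sorted({nid for nid, _, _ in log})
    triage, closure = {}, {}
    for nid in ids:
        closed = first.get((nid, "Closed"))
        if closed is None:
            continue  # open notables have no end time; counting them would bias the mean
        closure[nid] = _minutes(first[(nid, "New")], closed)
        if (nid, "In Progress") in first:
            triage[nid] = _minutes(first[(nid, "In Progress")], closed)
    return {
        "triage_minutes": triage,
        "closure_minutes": closure,
        "mean_time_to_triage": mean(triage.values()) if triage else None,
        "mean_time_to_closure": mean(closure.values()) if closure else None,
        "open_notables": [nid for nid in ids if (nid, "Closed") not in first],
    }
```

Reporting the open notables alongside the means matters: a SOC that never closes its hardest cases would otherwise show a flattering Mean Time To Closure.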