Slide: Evidence The same survey showed that over half of the respondents are trying to employ more entry-level analysts to deal with the overwhelming (but largely worthless) alerts coming from their legacy SIEMs, and furthermore are turning to audits and compliance activities to overcome the SIEMs' drawbacks.
Splunk User Behavior Analytics is a cyber security and threat detection solution that helps organizations find hidden threats without using rules, signatures or human analysis. It uses behavior modeling, peer group analysis, real-time statistical analysis, collaborative filtering and other machine learning techniques. It has shown a 99% reduction of notable events in various customer-based case studies, enabling analysts to focus on important threats rather than waste time confirming false positives.
Attack Defenses
• User & Entity Behavior Baseline
• Behavioral Peer Group Analysis
• Insider Threat Detection
• IP Reputation Analysis
• Reconnaissance, Botnet and C&C Analysis
• Statistical Analysis
• Data Exfiltration Models
• Lateral Movement Analysis
• Polymorphic Attack Analysis
• Cyber Attack / External Threat Detection
• Entropy/Rare Event Detection
• User/Device Dynamic Fingerprinting
• Threat Attack Correlation
Data Sources
Key:
• Identity/Authentication: Active Directory/Domain Controller, Single Sign-on, HRIS, VPN
• Activity: DNS, DHCP, Web Gateway, Proxy Server, Firewall, DLP
• Security Products: Malware, Endpoint, IDS, IPS, AV
Optional:
• SaaS/Mobile: AWS CloudTrail; Box, SF.com, Dropbox, other SaaS apps; Mobile Devices
• External Threat Feeds: Threat Stream, FS-ISAC or other blacklists for IPs/domains
Slide: Example – Insider Threat
Slide: Behaviour Modelling
Categories
• Deviation from Baseline: Time series; Rarity, probabilistic difference; Rare sequences; Outliers
• Advanced Behaviour Detection: Beaconing; Exploit kit; Malware for HTTP; Malware for IP; Webshell
• Graph Models: Lateral movement; Resource Access
• Helper Models: Anomalies based on rules; External alarm handlers
• Session Building: Connection between events; Track activity from different perspectives in a kill chain
• Threat Models: Graph-based models; Session-based models; Rule-based models
Machine Learning for Threat Detection
Harry McLaren – Security Consultant at ECS
• Alumnus of Edinburgh Napier
• Security Consultant at ECS
• SOC & CSIR Development
• Splunk Consultant & Architect
ACCELERATING PACE OF DATA
Volume | Velocity | Variety | Variability
Legacy SIEM type technologies aren’t enough to detect insider threats and advanced adversaries and are poorly designed for rapid incident response.
[SIEM - Security Information & Event Management]
68% of respondents in the survey said that reports often only indicated changes without specifying what the change was.
Events of Interest
81% of respondents said that SIEM reports contain too much extraneous information and were
2016 SIEM Efficiency Survey - Conducted by Netwrix
END-POINT SECURITY | NETWORK SECURITY | EARLY CORRELATION | PAYLOAD ANALYSIS | BEHAVIOR ANALYSIS
DETECT ADVANCED CYBERATTACKS
DETECT MALICIOUS INSIDER THREATS
WHAT IS SPLUNK USER BEHAVIORAL ANALYTICS?
• John connects via VPN
• Administrator performs ssh (root) to a file share
• John executes remote desktop to a system (administrator) - PCI zone
• John elevates his privileges
• root copies the document to another file share
• root accesses a sensitive document from the file share
• root uses a set of Twitter handles to chop and copy the data outside the enterprise
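The behaviour-modelling categories from the earlier slide (deviation from baseline, rarity, peer group analysis, session building) applied to this insider chain, as an added example that is not Splunk UBA's or the presenter's code: it builds per-user and per-peer-group baselines from a constructed event sample, scores an ordered session by smoothed rarity, and alerts when the chain's accumulated score exceeds an assumed threshold. The event labels, user and group names, counts and the threshold are all assumptions.

```python
from collections import Counter, defaultdict
from math import log

# Constructed 30-day baseline of (user, peer_group, event) tuples, not real data.
# Events are coarse action labels a UBA pipeline would derive from VPN, AD,
# RDP, SSH and proxy logs.
BASELINE = (
    [("john", "finance", "vpn")] * 40
    + [("john", "finance", "fileshare_read")] * 25
    + [("alice", "finance", "vpn")] * 35
    + [("alice", "finance", "fileshare_read")] * 30
    + [("bob", "sysadmin", "vpn")] * 20
    + [("bob", "sysadmin", "rdp_pci")] * 15
    + [("bob", "sysadmin", "privilege_elevation")] * 15
    + [("bob", "sysadmin", "ssh_root_fileshare")] * 12
)

def build_baselines(events):
    """Per-user and per-peer-group event frequency tables (the baselines)."""
    per_user, per_group = defaultdict(Counter), defaultdict(Counter)
    for user, group, event in events:
        per_user[user][event] += 1
        per_group[group][event] += 1
    return dict(per_user), dict(per_group)

def rarity(counter, event):
    """-log P(event | entity) with add-one smoothing; larger means rarer.
    An entity with no baseline at all is treated as maximally rare."""
    if not counter:
        return float("inf")
    return -log((counter[event] + 1) / (sum(counter.values()) + len(counter) + 1))

def score_session(user, group, session, per_user, per_group, threshold=8.0):
    """Session building: score an ordered chain of events for one user against
    both the user's own baseline and the peer group's. The smaller rarity is
    used so an action common among peers (a sysadmin's RDP into the PCI zone)
    does not raise the score; rare events accumulate along the chain."""
    own, peers = per_user.get(user, Counter()), per_group.get(group, Counter())
    scored = [(ev, min(rarity(own, ev), rarity(peers, ev))) for ev in session]
    total = sum(r for _, r in scored)
    return {"user": user, "score": round(total, 2), "alert": total > threshold,
            "rare_events": [ev for ev, r in scored if r > 2.0]}

if __name__ == "__main__":
    per_user, per_group = build_baselines(BASELINE)
    # The insider chain from the slides: VPN, RDP into the PCI zone, elevation,
    # root ssh to the file share, read a document, push it to an external site.
    john = ["vpn", "rdp_pci", "privilege_elevation", "ssh_root_fileshare",
            "fileshare_read", "external_post"]
    print(score_session("john", "finance", john, per_user, per_group))
```

The same four-step chain scored for the sysadmin peer group stays below the threshold, which is the peer-group effect the slides describe.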
MULTI-ENTITY BEHAVIORAL MODEL
UBA 2.2 LATEST FEATURES
• Threat Modeling Framework
  • Create custom threats using 60+ anomalies.
• Enhanced Security Analytics
  • Visibility and baseline metrics around user, device, application and protocols.
• Risk Percentile & Dynamic Peer Groups
• Support for Additional 3rd Party Devices