
Machine Learning for Threat Detection


A presentation by Harry McLaren at The Cyber Academy

Published in: Technology


  1. USER BEHAVIOURAL ANALYTICS: Machine Learning for Threat Detection. Harry McLaren, Security Consultant at ECS
  2. HARRY MCLAREN
     • Alumnus of Edinburgh Napier
     • Security Consultant at ECS (SOC & CSIR development)
     • Splunk Consultant & Architect
  3. ACCELERATING PACE OF DATA: Volume | Velocity | Variety | Variability
  4. Legacy SIEM-type technologies aren't enough to detect insider threats and advanced adversaries, and they are poorly designed for rapid incident response. [SIEM: Security Information & Event Management]
  5. Inadequate contextual data: 68% of respondents said that reports often only indicated that a change had occurred without specifying what the change was. Innocuous events of interest: 81% of respondents said that SIEM reports contain too much extraneous information and that they were overwhelmed with false positives. (Source: 2016 SIEM Efficiency Survey, conducted by Netwrix)
  6. TECHNOLOGY DEVELOPMENT AND CAPABILITY EVOLUTION: 1995 end-point security; 2002 network security; 2008 early correlation; 2011 payload analysis; 2015 behavior analysis
  7. KILL CHAIN: EVENTS OVERLOAD
  8. SECURITY PLATFORM (Splunk Enterprise Security and Splunk UBA): detecting unknown threats; security & compliance reporting; incident investigations & forensics; real-time monitoring of known threats; detection of insider threats; detection of advanced cyber attacks
  9. MACHINE LEARNING EVOLUTION (increasing complexity): rules with thresholds; policy with thresholds; policy with statistics; policy with peer-group statistics; unsupervised machine learning; supervised machine learning
  10. WHAT IS SPLUNK USER BEHAVIORAL ANALYTICS? Detect advanced cyberattacks and malicious insider threats through anomaly detection and threat detection, built on unsupervised machine learning, behavior baselining & modeling, and a real-time, big-data architecture.
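The progression on slide 9 (static threshold rules, then per-entity statistics, then peer-group statistics) and the "behavior baselining" of slide 10 are easiest to see side by side on the same data. The block below is an example added here; it is not code from the presentation or from Splunk UBA. The per-user daily login counts, the department labels, the z-score of 3 and the standard-deviation floor of 0.5 are all constructed assumptions chosen to make the three generations disagree on day 7.

```python
"""Three generations of anomaly detection on the same constructed data:
static threshold, per-user statistical baseline, peer-group baseline."""
import statistics
from collections import defaultdict

# Constructed sample (not real data): (user, department, day, login_count)
# for days 0..7. Day 7 is the day under review; days 0..6 are history.
EVENTS = [
    ("alice", "finance", day, n)
    for day, n in enumerate([4, 5, 4, 6, 5, 4, 5, 40])          # quiet user, sudden spike
] + [
    ("bob", "engineering", day, n)
    for day, n in enumerate([25, 30, 28, 27, 29, 30, 26, 31])   # heavy but steady
] + [
    ("carol", "finance", day, n)
    for day, n in enumerate([4, 4, 5, 4, 5, 4, 4, 9])           # small but real rise
] + [
    ("dave", "finance", 7, 12),                                  # new joiner, no history
]


def detect_threshold(events, day, limit):
    """Generation 1: a static rule. Fires on any count above `limit`,
    so it misses quiet users going loud and flags heavy users being normal."""
    return {u for u, _, d, n in events if d == day and n > limit}


def _exceeds(value, history, z):
    """True when `value` is more than z standard deviations above `history`.
    The 0.5 floor on the standard deviation (an assumption of this example)
    stops a perfectly flat history from flagging a change of one."""
    if len(history) < 2:
        return False  # nothing to baseline against
    mean = statistics.fmean(history)
    sd = statistics.pstdev(history)
    return value > mean + z * max(sd, 0.5)


def detect_user_baseline(events, day, z=3.0):
    """Generation 2: per-entity statistics. Each user is compared with
    their own prior days, so heavy users stop being false positives."""
    history = defaultdict(list)
    for u, _, d, n in events:
        if d < day:
            history[u].append(n)
    return {u for u, _, d, n in events if d == day and _exceeds(n, history[u], z)}


def detect_peer_baseline(events, day, z=3.0):
    """Generation 3: peer-group statistics. A user is compared with the prior
    behaviour of everyone else in the same department, which also gives a
    baseline to users who have no history of their own."""
    peer_history = defaultdict(list)   # department -> [(user, count)] on prior days
    for u, dept, d, n in events:
        if d < day:
            peer_history[dept].append((u, n))
    flagged = set()
    for u, dept, d, n in events:
        if d != day:
            continue
        peers = [c for peer, c in peer_history[dept] if peer != u]
        if _exceeds(n, peers, z):
            flagged.add(u)
    return flagged


if __name__ == "__main__":
    print("threshold >30 :", sorted(detect_threshold(EVENTS, 7, 30)))
    print("user baseline :", sorted(detect_user_baseline(EVENTS, 7)))
    print("peer baseline :", sorted(detect_peer_baseline(EVENTS, 7)))
```

On this data the threshold rule flags alice and bob (bob is a false positive, carol and dave are missed), the per-user baseline flags alice and carol but has nothing to compare dave against, and the peer-group baseline flags alice, carol and dave. The slide's point is the same: each step trades a fixed number for a baseline learned from the entity or its peers.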
  11. INSIDER THREAT: USER ACTIVITY (Day 1 … Day 2 … Day N)
     • John connects via VPN
     • Administrator performs ssh (root) to a file share (finance department)
     • John executes remote desktop to a system as administrator (PCI zone)
     • John elevates his privileges
     • root accesses a sensitive document from the file share
     • root copies the document to another file share (corporate zone)
     • root uses a set of Twitter handles to chop and copy the data outside the enterprise
  12. MULTI-ENTITY BEHAVIORAL MODEL: application, user, host, network, data
  13. UBA 2.2 LATEST FEATURES
     • Threat Modeling Framework: create custom threats using 60+ anomalies
     • Enhanced Security Analytics: visibility and baseline metrics around user, device, application and protocols
     • Risk Percentile & Dynamic Peer Groups
     • Support for additional 3rd-party devices
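Slide 11 shows why the activity of John, administrator and root has to be tied back to one person, and slide 13 describes composing custom threats from many low-level anomalies. The block below is an example added here to show that idea end to end; it is not code from the presentation or from Splunk UBA, and the event timeline, the `via` field standing in for VPN/RDP session correlation, the anomaly categories, the scores, the 7-day window and the `SENSITIVE_PATHS` label are all constructed assumptions.

```python
"""Chain individually weak anomalies into a threat across entity pivots."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    day: int
    actor: str        # account that performed the action
    action: str
    target: str
    zone: str = ""
    via: str = ""     # human session the action was launched from (assumed to come
                      # from VPN/RDP logon correlation); empty when actor is the human


# Constructed timeline loosely following slide 11, plus benign noise from mary.
TIMELINE = [
    Event(1, "john", "vpn_connect", "vpn-gw"),
    Event(1, "administrator", "ssh_root", "fileshare-fin", zone="finance", via="john"),
    Event(2, "john", "rdp", "pci-host-1", zone="pci"),
    Event(2, "john", "sudo_root", "pci-host-1", zone="pci"),
    Event(3, "root", "file_read", "fileshare-fin/board-report.xlsx", zone="finance", via="john"),
    Event(3, "root", "file_copy", "fileshare-corp", zone="corporate", via="john"),
    Event(4, "root", "http_post", "twitter.com", zone="internet", via="john"),
    Event(2, "mary", "vpn_connect", "vpn-gw"),
    Event(2, "mary", "file_read", "fileshare-corp/timesheet.xlsx", zone="corporate"),
]

SENSITIVE_PATHS = {"fileshare-fin/board-report.xlsx"}   # constructed classification label


def resolve_user(ev):
    """Entity resolution: attribute actions by shared or system accounts
    (administrator, root) to the human session they came from."""
    return ev.via or ev.actor


def detect_anomalies(events):
    """Each rule yields one low-scoring anomaly (user, day, category, score).
    None of them is a threat on its own."""
    found = []
    for ev in events:
        user = resolve_user(ev)
        if ev.action == "vpn_connect":
            found.append((user, ev.day, "remote_access", 1))
        elif ev.action in ("ssh_root", "sudo_root"):
            found.append((user, ev.day, "privilege_escalation", 3))
        elif ev.action == "rdp" and ev.zone == "pci":
            found.append((user, ev.day, "lateral_movement", 3))
        elif ev.action == "file_read" and ev.target in SENSITIVE_PATHS:
            found.append((user, ev.day, "sensitive_data_access", 4))
        elif ev.action == "file_copy":
            found.append((user, ev.day, "data_staging", 3))
        elif ev.action == "http_post" and ev.zone == "internet":
            found.append((user, ev.day, "exfiltration", 5))
    return found


# A custom threat definition: required categories, minimum summed score, window.
THREATS = {
    "insider_data_exfiltration": {
        "requires": {"privilege_escalation", "sensitive_data_access", "exfiltration"},
        "min_score": 10,
        "window_days": 7,
    },
}


def build_threats(anomalies, definitions=THREATS):
    """Roll anomalies up per resolved user and fire a threat only when the
    required categories co-occur inside the window and the score clears the bar."""
    per_user = defaultdict(list)
    for user, day, category, score in anomalies:
        per_user[user].append((day, category, score))
    fired = {}
    for user, items in per_user.items():
        for name, spec in definitions.items():
            for start in sorted({d for d, _, _ in items}):   # slide the window
                inside = [(c, s) for d, c, s in items
                          if start <= d < start + spec["window_days"]]
                cats = {c for c, _ in inside}
                total = sum(s for _, s in inside)
                if spec["requires"] <= cats and total >= spec["min_score"]:
                    fired[user] = {"threat": name, "score": total,
                                   "anomalies": sorted(cats), "from_day": start}
                    break
    return fired


if __name__ == "__main__":
    for user, threat in build_threats(detect_anomalies(TIMELINE)).items():
        print(user, threat)
```

Without `resolve_user`, the ssh and root activity would sit under `administrator` and `root` and no single identity would accumulate enough categories to match the definition; with it, john collects all six categories between day 1 and day 4 while mary's lone VPN login never becomes a threat. That is the separation slide 10 draws between anomaly detection and threat detection.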
  14. QUESTIONS / CONTACT: twitter.com/cyberharibu | harry.mclaren@ecs.co.uk | harrymclaren.co.uk/blog
