Big Data, Security Intelligence, (And Why I Hate This Title)



The only way to get where we need to be in security analysis is if we use Security Intelligence. This means working harder and understanding the big picture of your data.



  1. Big Data, Security Intelligence, (And Why I Hate This Title)
  2. Introduction / Who Am I
     • Matt Yonchak
     • Director of Security Services
     • Hurricane Labs
     • Avid Cleveland sports cynic
  3. What are we going to talk about? Security Intelligence
  4. Fact #1: Attacks are happening on our networks and we don't know:
     • How it happened
     • Who got in
     • How pervasive this attack is
  5. Fact #2: Traditional tools are insufficient to the task of real security analysis
  6. Intrusion Prevention Systems (IPS)
  7. Firewalls
  8. SIEM: Incredible tool or amazing distraction?
  9. Fact #3: All Data Is Security Relevant
  10. Typical Security Data
     • WAF
     • IPS
     • Proxy
     • Firewall
  11. Non-Typical Data (but still relevant to security)
     • Web Application Data
     • Voice and Communication
     • Email
     • Performance Monitoring
     • ID Management
     • External Data Sources
  12. Problem: We've Been Attacked
  13. How Did It Happen? Social Engineering: Attacking the User
  14. What Does It Look Like?
     • Evades normal security controls
     • Moves slow and stays quiet
     • Knows what data it's after
     • Propagates itself internally
  15. We've Been Compromised
  16. Looking At The Problem Differently
  17. Security Intelligence Is: Analysis Outside the Box
  18. Security Intelligence Is: Behavior-Based Analysis
  19. Security Intelligence Is: Working a Little Harder
  20. Security Intelligence Is: Understanding the Big Picture
  21. Security Intelligence: How Do We Get It? Understand the Attack / Attackers
  22. Security Intelligence: How Do We Get It? Logs
  23. Security Intelligence: How Do We Get It? Understand Your Network
  24. Security Intelligence: How Do We Get It? Understand Your Network
  25. Back to Our Problem: How would we have detected/stopped the attack?
  26. Finding The Attack
  27. Finding The Attack: Bring In Some External Data
     • GeoIP
     • Blacklists / Watchlists
     • Our own intelligence
  28. Finding The Attack: Think Outside the Box
  29. Going Forward: How do we build out this practice within our organizations?
  30. Going Forward: Accept that what we're doing now:
     • Traditional Incident Response
     • Our typical security controls
     • Our SIEMs
  31. Going Forward: Legitimize the Security Intelligence Concept
  32. Security Intelligence Legitimacy: Train For It
  33. Security Intelligence Legitimacy
     • Security Intelligence Analyst?
     • Security Intelligence Engineer?
     • Security Intelligence... Ninja?
  34. Security Intelligence Legitimacy
  35. Results
  36. Results
  37. Closing: The only way to really get where we need to be in security analysis is if we:
     • Put in the work to get there
     • Think outside the box
     • Change what is normal for security analysis
  38. Questions?
     • Twitter: @mattyonchak
     • Email:
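As an added illustration of slides 14 and 27 (example code, not part of the deck): enrich outbound firewall/proxy log lines with external data (a GeoIP-style table, a blacklist/watchlist, and "our own intelligence" about which countries the network never talks to) and add a behavior check for a host that "moves slow and stays quiet". All log lines, addresses and lookup tables are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed outbound log lines: "<timestamp> <src_host> <dst_ip> <bytes>"
LOGS = """\
2013-05-01T10:00:00 ws-17 203.0.113.5 412
2013-05-01T10:30:00 ws-17 203.0.113.5 398
2013-05-01T11:00:00 ws-17 203.0.113.5 405
2013-05-01T11:30:00 ws-17 203.0.113.5 410
2013-05-01T10:05:00 ws-03 198.51.100.9 150233
2013-05-01T10:06:00 ws-03 192.0.2.44 2048
""".splitlines()

# Constructed external data (slide 27): GeoIP-style table, blacklist/watchlist,
# and "our own intelligence" (countries this network never legitimately talks to).
GEOIP = {"203.0.113.5": "XX", "198.51.100.9": "US", "192.0.2.44": "US"}
WATCHLIST = {"192.0.2.44"}
UNEXPECTED_COUNTRIES = {"XX"}

def parse(line):
    ts, host, dst, nbytes = line.split()
    return datetime.fromisoformat(ts), host, dst, int(nbytes)

def find_suspects(lines, min_hits=4, max_bytes=1024, max_jitter=60):
    """Return {(host, dst): [reasons]} for flows an analyst should look at.
    Enrichment: watchlist and GeoIP. Behavior (slide 14): many small connections
    at a steady interval from one host, i.e. "moves slow and stays quiet"."""
    flows = defaultdict(list)
    for ts, host, dst, nbytes in map(parse, lines):
        flows[(host, dst)].append((ts, nbytes))
    findings = {}
    for (host, dst), events in flows.items():
        reasons = []
        if dst in WATCHLIST:
            reasons.append("watchlist")
        if GEOIP.get(dst) in UNEXPECTED_COUNTRIES:
            reasons.append("unexpected geo")
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        steady = bool(gaps) and max(gaps) - min(gaps) <= max_jitter  # even spacing
        quiet = all(n <= max_bytes for _, n in events)               # small transfers
        if len(events) >= min_hits and steady and quiet:
            reasons.append("periodic low-volume beacon")
        if reasons:
            findings[(host, dst)] = reasons
    return findings

if __name__ == "__main__":
    for key, why in find_suspects(LOGS).items():
        print(key, why)
```

Neither the watchlist hit nor the beacon would be visible from any single log line; it is the combination of external data and per-host behavior over time that surfaces them.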