Michael Baker discusses big data security analytics and how analyzing full network data at scale and in real-time can help detect threats. Three key points: 1) Analyzing complete network streams without aggregation allows understanding subtle attacks and exploring data through visualization and machine learning. 2) Enriching data with additional context like user and system profiles improves detection of attackers and security investigations. 3) Real-time streaming analytics and the ability to "rewind" and explore historical network data is critical for detecting unknown threats, profiling attackers, and disrupting cyber kill chains. This level of analysis goes beyond traditional SIEM tools.

1. Michael Baker
@cloudjunky
AusCERT - May 2013
Finding Needles in Haystacks
(the size of countries)

2. Me
Michael Baker
CTO and Co-Founder of Packetloop.
Pioneering Big Data Security Analytics.
Spoken at Black Hat and Ruxcon.
http://bitly.com/bundles/packetloop/1

3. “We build toys. Some of those toys
change the world”
- Nicholas Taleb

5. Uncertainty
Risk you can’t measure.
Castles, Casinos,War Zones.
Let’s get Bayesian (H|E).
Industry suffering from overfit.
Signatures, limited data, work once.

6. Exhibit A
CVE-2011-3192 - “Apache Killer”
auxiliary/dos/http/apache_range_dos 2011-08-19
normal Apache Range header DoS (Apache Killer)
Snort 1:19825
/Ranges*x3As*bytes=([dx2D]+x2C){50}/Hsmi
/Ranges*x3As*bytes=([dx2D]+[x2Cs]*){50}/
Hsmi

7. Unknown Unknowns.

8. Source: http://bit.ly/10J3Jjp

9. Prevention Fails.

10. Detection is the key.

11. Prevention is the goal.

12. The Big Data Promise*
Full fidelity, higher accuracy, no aggregation,
size and scale.
Model complexity.
Apply real science to the problem.
“There are more chess games than the
number of atoms in the universe” Diego
Rasskin Gutman
Induction and the Turkey Problem.

13. Kill Chains
Reconnaissance
Weaponisation
Delivery
Exploitation
Installation
Command Control
Actions and Objectives

14. APT1 Kill Chain
Malware link or executable sent to target.
(Spearfish or watering hole).
Malware executed.
Establish Command and Control.
Lateral movement through privilege
escalation.
Data Compressed and Exfiltrated.

15. Invasion Games
Attackers vs Defenders.
Attackers looking to stretch, avoid,
challenge defensive lines to achieve their
goal.
Security is a contact sport.
Manipulate Time and Space.
Win collisions.

16. Invasion Games
Detect
Deny
Disrupt
Degrade
Deceive
Destroy

17. Big Data
Security Analytics

18. Big Data Security Analytics
Size and Scale
Visualization
Fidelity
Interaction
Outlier Detection
Attacker Profiling
Enrichment
Transform
Prediction and
Probability
Intelligence sharing
Statistical Analysis
Feature Extraction
Machine Learning
Kill Chain Disruption

19. Size and Scale

20. Network Streams
Complete record of all network data.
Provides the highest fidelity to analysts.
Only way to really understand subtle,
targeted attacks.
Play, pause and rewind your network.
No need to have a specific logging setup.
Dense feature space.

21. “The difficulty shifts from traffic
collection to traffic analysis. If you can
store hundreds of gigabytes of traffic
per day, how do you make sense of it?”
- Richard Bejtlich

22. Map Reduce

23. Packetpig
http://bit.ly/105AYxc

24. It’s all about Context.

25. Context
Enriched information, not just IP Addresses.
Additional intelligence on attackers.
Allow you to perform detective work.
What if? Branch analysis and exploring data.
Providing full fidelity and full context
quickly.

26. It’s really about
feature space.

27. Hindsight is 20/20

28. Realtime

29. Streaming

30. Streaming

31. Visualisation

32. Anscombe’s Quartet
II IIII IIIIII IVIV
x y x y x y x y
0.0 8.04 10.0 9.14 10.0 7.46 8.0 6.58
8.0 6.95 8.0 8.14 8.0 6.77 8.0 5.76
13.0 7.58 13.0 8.74 13.0 12.74 8.0 7.71
9.0 8.81 9.0 8.77 9.0 7.11 8.0 8.84
11.0 8.33 11.0 9.26 11.0 7.81 8.0 8.47
14.0 9.96 14.0 8.10 14.0 8.84 8.0 7.04
6.0 7.24 6.0 6.13 6.0 6.08 8.0 5.25
4.0 4.26 4.0 3.10 4.0 5.39 19.0 12.50
12.0 10.84 12.0 9.13 12.0 8.15 8.0 5.56
7.0 4.82 7.0 7.26 7.0 6.42 8.0 7.91
5.0 5.68 5.0 4.74 5.0 5.73 8.0 6.89
Source:Wikipedia http://bit.ly/110Se5y

33. Anscombe’s Quartet
Source: visual.ly - http://bit.ly/105BcEI

34. Full HD
Play, Pause, Rewind

35. Deep Packet
Inspection

36. Finding Zero Days

37. Attacker Information

38. File Extraction

40. Bias Collisions
Producing information as it arrives in the
stream.
Yaraprocessor
Chopshop
Enrich as much information as possible.
What’s the probability of the event?

41. ssdeep comparison
VirusShare_fe8ff84a23feb673a59d8571575fee0b

42. ssdeep comparison

43. Machine Learning
High dimensional feature space.
Models instead of signatures.
Classification (class prediction).
Operating system detection.
Protocol detection.
Finding novelty and outliers.
Trained models, real time predictions.

44. Related ML Work
Frank Denis @jedisct1
Malware vs Big Data
Jason Trost @jason_trost and John Munro
Large Scale Malicious Domain
Classification

45. Entropy and Covert
Channels

46. Tor in HTTPS

47. Tor/HTTPS PCA

49. Meterpreter in HTTP

50. Meterpreter (HTTP)

51. Meterpreter Needle

52. Geocoding

53. Tor Endpoints

54. Torrent Triangulation

55. Torrent
1M attacks over 12 days.
17 attackers were also downloading
torrents.
TOR / Torrent are generally mutually
exclusive.
Good entropy on larger files for changing
IPs.
Torrent client + UA + OS Classification

56. Really?
7 Weeks to 100 Push-Ups: Strengthen and
SculptYour Arms,Abs, C
1000 Photoshop Tips and Tricks (Dec
2010)-Mantesh
Footloose.2011.DVDRip.XviD- PADDO

57. Decision Making

58. Half Life of Data
Incredibly valuable just after creation.
What is the half life of security data?
Need to accommodate post hoc delivery of
information.
Probabilistic models making real time
decisions.
Full fidelity and long histories for Tactical,
Operational and Strategic decisions.
Source: Nucleus Research - http://bit.ly/10BRAeZ

59. This is not SIEM.

60. !SIEM
Real time
Full Fidelity
Explore and explain the data (evidence).
Play, Pause and Rewind.
Blink and you miss it technology.
No aggregation. No parsers. Frictionless.
Clear intelligence.
Decision Making Platform.

61. One thing we can
count on

62. Changing Tactics
Kill Chains will change.
Commit, shift, delay defenders.
Commit to triaging an event that is not the
real event.
Shift defenders to locations or targets.
Create doubt in defenders to maintain
stationary.

63. @packetloop
@packetpig
Questions?

64. Thank you!
http://blog.packetloop.com