Sqrrl Enterprise: Big Data Security Analytics Use Case (Sqrrl)
Organizations are utilizing Sqrrl Enterprise to securely integrate vast amounts of multi-structured data (e.g., tens of petabytes) onto a single Big Data platform and then are building real-time applications using this data and Sqrrl Enterprise’s analytical interfaces. The secure integration is enabled by Accumulo’s innovative cell-level security capabilities and Sqrrl Enterprise’s security extensions, such as encryption.
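The "cell-level security" mentioned above is Accumulo's visibility label: every key carries a boolean expression over security labels, and a scan returns the cell only when the scanner's authorizations satisfy it. The following is an added example, not Sqrrl's or Accumulo's code, that re-implements those semantics in Python so they can be exercised in isolation. The cells, labels and authorization sets are constructed for illustration; quoted terms are supported without Accumulo's escape sequences.

```python
"""Accumulo-style cell-level visibility (added example; not Sqrrl or Accumulo code).

Each Accumulo key carries a visibility expression, e.g. "(SECRET&US)|ADMIN",
and a scan returns the cell only when the expression is satisfied by the
authorizations the scanner was granted. This re-implements that check so the
semantics can be exercised on their own. Unquoted terms may contain letters,
digits and the characters _ - : . /; other terms must be double quoted
(escape sequences inside quotes are not supported here).
"""

import re

_TERM = re.compile(r"[A-Za-z0-9_\-:./]+")


class VisibilityError(ValueError):
    """Raised for malformed expressions, including '&' and '|' mixed without parentheses."""


def _parse(expr, pos):
    """Recursive-descent parse from `pos`; returns (node, next_pos).

    node is ("term", name), ("and", [nodes]) or ("or", [nodes]).
    """
    operands, op = [], None
    while True:
        if pos >= len(expr):
            raise VisibilityError(f"expression ends unexpectedly at {pos}")
        ch = expr[pos]
        if ch == "(":
            node, pos = _parse(expr, pos + 1)
            if pos >= len(expr) or expr[pos] != ")":
                raise VisibilityError(f"missing ')' at {pos}")
            pos += 1
        elif ch == '"':
            end = expr.find('"', pos + 1)
            if end < 0:
                raise VisibilityError(f"unterminated quote at {pos}")
            node, pos = ("term", expr[pos + 1:end]), end + 1
        else:
            m = _TERM.match(expr, pos)
            if not m:
                raise VisibilityError(f"unexpected {ch!r} at {pos}")
            node, pos = ("term", m.group()), m.end()
        operands.append(node)
        if pos >= len(expr) or expr[pos] == ")":
            break
        ch = expr[pos]
        if ch not in "&|":
            raise VisibilityError(f"unexpected {ch!r} at {pos}")
        if op is not None and ch != op:
            # Accumulo rejects A&B|C: the intent must be spelled out with parentheses.
            raise VisibilityError(f"mixed '&' and '|' without parentheses at {pos}")
        op, pos = ch, pos + 1
    if len(operands) == 1:
        return operands[0], pos
    return ("and" if op == "&" else "or", operands), pos


def parse_visibility(expr):
    """Parse a full expression; the empty expression means 'visible to everyone'."""
    if expr == "":
        return None
    node, pos = _parse(expr, 0)
    if pos != len(expr):
        raise VisibilityError(f"trailing input at {pos}: {expr[pos:]!r}")
    return node


def _evaluate(node, auths):
    kind, payload = node
    if kind == "term":
        return payload in auths
    results = [_evaluate(n, auths) for n in payload]
    return all(results) if kind == "and" else any(results)


def is_visible(expr, auths):
    """True if a cell labelled `expr` is returned to a scanner holding `auths`."""
    node = parse_visibility(expr)
    return True if node is None else _evaluate(node, set(auths))


# Constructed cells: (row, column, visibility, value). Labels are invented.
SAMPLE_CELLS = [
    ("host-01", "netflow:bytes_out", "", "18432"),
    ("host-01", "hr:employee_id", "HR&US", "E-1021"),
    ("host-01", "ir:case_notes", "(IR&US)|ADMIN", "lateral movement suspected"),
    ("host-02", "dlp:finding", '"dlp team"', "card number pattern matched"),
]


def scan(cells, auths):
    """Filter cells the way an Accumulo scan with these authorizations would."""
    return [c for c in cells if is_visible(c[2], auths)]
```

The practical point for a multi-tenant security data lake is that the filter is enforced per cell at read time, so an analyst holding only IR and US sees the case notes and the unlabelled flow counts but never the HR column, while the same table serves every team. Note that an expression such as `A&B|C` is rejected rather than guessed at; a label that silently parsed the wrong way would be a confidentiality bug.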
Xanadu Functionality
Xanadu Performance BMT
Xanadu based Big Data Archive
Xanadu Big Data Deep Learning Integration
Content Based Image Retrieval (CBIR) System
Xanadu based Medical CBIR System
Xanadu based Medical CBIR System Procedure
Automated Diabetic Retinopathy Classification
Xanadu based Medical CBIR System Demo for Diabetic Retinopathy Diagnosis
An attempt at categorizing the thriving big data ecosystem by @mattturck and @shivonZ - comments are welcome (please add your thoughts on mattturck.com)
IoT (Internet of Things) big data analytics is becoming important for processing the enormous amounts of information and data obtained from sensor-embedded, interconnected IoT devices. The typical IoT big data analytics system is Hadoop, an open-source software framework that supports data-intensive distributed applications running on large clusters of commodity hardware. Hadoop, which is based on the MapReduce programming model, collects both structured and unstructured data, processes the collected data set in parallel across a distributed cluster, and extracts valuable information from it within a short time.
Slides for the webinar presented by Risk Focus on automating large scale Splunk deployments with Cloud Orchestration.
More details available here:
http://cloudify.co/webinar/Automating-Splunk-Large-Scale
Enterprise Data World Webinar: Make BIG DATA Work for You (DATAVERSITY)
TARGIT CTO Dr. Morton Middelfart has professionally devoted himself to one thing: turning DECISIONS into ACTION faster, more efficiently, and more intelligently than ever. He continues to develop patented features that zero in on solving the challenges that companies face every day. One of those challenges is harnessing the massive amounts of external data relevant to your company. Big data is … well … big. And companies that don’t learn from it and adapt will be quickly left in the dust. Join Morton for his session “Make BIG DATA work for you” and discover how to get the most out of your big data through Business Intelligence.
What you’ll learn:
- Why external data is increasingly important to today’s businesses
- Exciting new technologies developed to help you make sense of the growing amount of Big Data
- How to measure and monitor consumers’ sentiments about your company
- What your external data says about your internal data
- What you need to take action to constantly stay ahead of the curve
Overview of VeriSign's iDefense solution for real-time incident response, online fraud remediation, risk management, insight into the global impact of threats, proactive protection, and other benefits.
DMTI Spatial Location Hub Analytics: big data, analytics, visualization (DMTI Spatial)
This changes everything. When it comes to data analytics, accuracy and data quality are crucial. Location Hub Analytics® is the only self-service analytics engine that leverages Canada's most robust, accurate and up-to-date location-based data for precise, compelling, unbiased results.
CLEANSE
Location Hub Analytics automatically validates, standardizes, and geocodes your address database. Each record is assigned a Unique Address Identifier (UAID®)
ENRICH
Location Hub Analytics enriches your data with Canadian demographics information for further analysis and greater customer intelligence.
ANALYZE
Location Hub Analytics quickly processes and analyzes your data, objectively revealing meaningful patterns and trends
INFILL
Location Hub Analytics helps you generate new prospect lists by infilling the addresses within a specific territory that are not in your current database.
VISUALIZE
Unlike other analytics engines, Location Hub Analytics allows you to visualize and interact with your results on a map for better data profiling
SHARE
Quickly and easily share your customized report with key stakeholders
Learn more about Hitachi Content Platform Anywhere by visiting http://www.hds.com/products/file-and-content/hitachi-content-platform-anywhere.html
and more information on the Hitachi Content Platform is at http://www.hds.com/products/file-and-content/content-platform
Smart Investigator is a revolutionary and fully scalable Big Data Security Analytics Platform that unifies data from all networks and systems and offers real-time visibility through contextual dashboards.
Cyglass is a network centric, dark threat detection solution that allows you to uncover, pinpoint, and respond to advanced cyber threats that have evaded traditional security controls. If you're not interested in what we have to offer, here are 8 key reasons why you should be...
With machines fighting machines and increasingly sophisticated human attackers, we are now entering a new era of cyber-threats. The battle is no longer at the perimeter but inside of our organizations, and no security team can keep up with its speed. Cyber-attackers are quickly becoming silent and stealthy, and cyber defense has turned into an arms race.
This new wave of cyber-threats has seen skilled attackers that may lie low for weeks or months. By the time they take definitive steps, their actions blend in with the everyday hum of network activity. These attacks call for a change in the way we protect our most critical assets.
Threat intelligence is information that tells enterprise defenders about adversarial elements so that they can stop them.
It is information that is relevant to the organization, has business value, and is actionable.
Having every data source and feed is not enough; data alone is not intelligence.
#Threat #Intelligence #Forensics #ELK #VAPT #SOC #SIEM #Incident #D3pak
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks (Angeloluca Barba)
A presentation given in April 2019 in London during ICS Cyber Security Conference. I discuss an anonymized investigation conducted by our team to identify a real malware infection on a production network, the tools and techniques used to contain this threat and how to use threat intelligence and visibility to stay ahead of cyber adversaries.
Asset visibility and network baselining
Continuous network monitoring
Threat intelligence ingestion
Thorough incident response plans
Fast Data Mining: Real Time Knowledge Discovery for Predictive Decision Making (Codemotion)
Fast Data is a different approach from Big Data for managing large quantities of "in-flight" data, helping organizations get a jump on business-critical decisions. The difference between Big Data and Fast Data is comparable to the difference between waiting for a movie to download from an online store and playing a DVD instantly.
Data Mining is the process of extracting information from a data set and transforming it into an understandable structure in order to deliver predictive, advanced analytics to enterprises and operational environments.
The combination of Fast Data and Data Mining is changing the "rules".
Get The Information Here For Mobile Phone Investigation Tools (Paraben Corporation)
Mobile phone investigation tools are essential for uncovering crucial evidence stored within smartphones. These sophisticated software solutions meticulously analyze call logs, text messages, GPS data, and app usage, aiding law enforcement and corporate investigators alike in solving crimes and identifying security breaches. With their advanced capabilities, they ensure thorough scrutiny and effective resolution, contributing significantly to justice and security in the digital age.
In this presentation we will look at the cause and effect of the problem, analyze preparedness and learn how you can better prepare, detect, respond and recover from cyber-attacks.
Leveraging Threat Intelligence to Guide Your Hunts (Sqrrl)
This webinar training session covers everything from what threat intelligence is to specific examples of how to hunt with it: applying intel during a tactical hunt and what you should be looking out for when searching for adversaries on your enterprise network. Taught by Keith Gilbert, an experienced threat researcher with a background in Digital Forensics and Incident Response.
How to Hunt for Lateral Movement on Your Network (Sqrrl)
Once inside your network, most cyber-attacks go sideways. They progressively move deeper into the network, laterally compromising other systems as they search for key assets and data. Would you spot this lateral movement on your enterprise network?
In this training session, we review the various techniques attackers use to spread through a network, which data sets you can use to reliably find them, and how data science techniques can be used to help automate the detection of lateral movement.
Machine Learning for Incident Detection: Getting Started (Sqrrl)
This presentation walks you through the uses of machine learning in incident detection and response, outlining some of the basic features of machine learning and specific tools you can use.
Watch the presentation with audio here: https://www.youtube.com/watch?v=4pArapSIu_w
Building a Next-Generation Security Operations Center (SOC) (Sqrrl)
So, you need to build a Security Operations Center (SOC)? What does that mean? What does the modern SOC need to do? Learn from Dr. Terry Brugger, who has been doing information security work for over 15 years, including building out a SOC for a large Federal agency and consulting for numerous large enterprises on their security operations.
Watch the presentation with audio here: http://info.sqrrl.com/sqrrl-october-webinar-next-generation-soc
User and Entity Behavior Analytics using the Sqrrl Behavior Graph (Sqrrl)
UEBA leverages advanced statistical techniques and machine learning to surface subtle behaviors that are indicative of attacker presence. In this presentation, Sqrrl's Director of Data Science, Chris McCubbin, and Sqrrl's Director of Products, Joe Travaglini, provide an overview of how machine learning and UEBA can be used to detect cyber threats using Sqrrl's Behavior Graph.
Watch the presentation with audio here: http://info.sqrrl.com/april-2016-ueba-webinar-on-demand
Threat Hunting Platforms (Collaboration with SANS Institute) (Sqrrl)
Traditional security measures like firewalls, IDS, endpoint protection, and SIEMs are only part of the network security puzzle. Threat hunting is a proactive approach to uncovering threats that lie hidden in your network or system, that can evade more traditional security tools. Go in-depth with Sqrrl and SANS Institute to learn how hunting platforms work.
Watch the recording with audio here: http://info.sqrrl.com/sans-sqrrl-threat-hunting-webcast
Sqrrl and IBM: Threat Hunting for QRadar Users (Sqrrl)
This joint webinar, in collaboration with IBM, offers a look at the industry leading Threat Hunting App for IBM QRadar. By combining the threat detection capabilities of QRadar and Sqrrl, security analysts are armed with advanced analytics and visualization to hunt for unknown threats and more efficiently investigate known incidents.
Watch the training with audio here: http://info.sqrrl.com/sqrrl-ibm-threat-hunting-for-qradar-users
Threat Hunting for Command and Control Activity (Sqrrl)
Sqrrl's Security Technologist Josh Liburdi provides an overview of how to detect C2 through a combination of automated detection and hunting.
Watch the presentation with audio here: http://info.sqrrl.com/threat-hunting-for-command-and-control-activity
Today's threats demand a more active role in detecting and isolating sophisticated attacks. This must-see presentation provides practical guidance on modernizing your SOC and building out an effective threat hunting program. Ed Amoroso and David Bianco discuss best practices for developing and staffing a modern SOC, including the essential shifts in how to think about threat detection.
Watch the presentation with audio here: http://info.sqrrl.com/webinar-modernizing-your-security-operations
Threat Hunting vs. UEBA: Similarities, Differences, and How They Work Together (Sqrrl)
This presentation explains how security teams can leverage hunting and analytics to detect advanced threats faster, more reliably, and with common analyst skill sets. Watch the presentation with audio here: http://info.sqrrl.com/threat-hunting-and-ueba-webinar
In this training session, two leading security experts review how adversaries use DNS to achieve their mission, how to use DNS data as a starting point for launching an investigation, the data science behind automated detection of DNS-based malicious techniques and how DNS tunneling and DGA machine learning algorithms work.
Watch the presentation with audio here: http://info.sqrrl.com/leveraging-dns-for-proactive-investigations
If you follow the trade press, one theme you hear over and over again is that organizations are drowning in alerts. It's true that we need technological solutions to prioritize and escalate the most important alerts to our analysts, but humans have a critical part to play in this process as well. The quicker they are able to make decisions about the alerts they review, the better they are able to keep up. An incident responder's most common task is alert triage, the process of investigation and escalation that ultimately results in the creation of security incidents. As crucial as this process is, remarkably little has been written about how to do it correctly and efficiently. In this presentation, learn incident response best practices from Sqrrl security expert David Bianco.
Slides from the webinar led by Ely Kahn and Luis Maldonado discussing strategies to reduce Mean Time to Know in detecting cybersecurity attacks, threats, or data breaches.
Benchmarking The Apache Accumulo Distributed Key–Value Store (Sqrrl)
This paper presents results of benchmarking Apache Accumulo distributed table store using the continuous tests suite included in its open source distribution.
Adam Fuchs' presentation slides on what's next in the evolution of BigTable implementations (transactions, indexing, etc.) and what these advances could mean for the massive database design that Google pioneered.
The days when Security Operations Center analysts could sit back and wait for alerts to come to them have long passed. Years of breaches and attacks at Fortune 100 banks, retailers, and government agencies have shown that traditional measures like firewalls, IDS, and SIEMs are not enough. While these measures are still important, today’s threats demand a more active role in detecting and isolating sophisticated attacks. It’s hunting season!
Evolution in cybersecurity is the norm. As computer threats evolve, so have defenses. The debilitating effect of viruses borne by email gave rise to what is now a vast anti-virus infrastructure. The rise of network-based attacks created the incrementalism of constant updates to IDS and IPS. The inability to make sense of millions of IDS alerts gave rise to SIEM solutions.
October 2014 Webinar: Cybersecurity Threat Detection (Sqrrl)
Using Sqrrl Enterprise and the GraphX library included in Apache Spark, we will construct a dynamic graph of entities and relationships that will allow us to build baseline patterns of normalcy, flag anomalies on the fly, analyze the context of an event, and ultimately identify and protect against emergent cyber threats.
Levelwise PageRank with Loop-Based Dead End Handling Strategy : SHORT REPORT ... (Subhajit Sahu)
Abstract — Levelwise PageRank is an alternative method of PageRank computation which decomposes the input graph into a directed acyclic block-graph of strongly connected components, and processes them in topological order, one level at a time. This enables calculation of ranks in a distributed fashion without per-iteration communication, unlike the standard method where all vertices are processed in each iteration. It however comes with a precondition of the absence of dead ends in the input graph. Here, the native non-distributed performance of Levelwise PageRank was compared against Monolithic PageRank on a CPU as well as a GPU. To ensure a fair comparison, Monolithic PageRank was also performed on a graph where vertices were split by components. Results indicate that Levelwise PageRank is about as fast as Monolithic PageRank on the CPU, but quite a bit slower on the GPU. The slowdown on the GPU is likely caused by a large submission of small workloads, and is expected to be a non-issue when the computation is performed on massive graphs.
Empowering the Data Analytics Ecosystem: A Laser Focus on Value
The data analytics ecosystem thrives when every component functions at its peak, unlocking the true potential of data. Here's a laser focus on key areas for an empowered ecosystem:
1. Democratize Access, Not Data:
Granular Access Controls: Provide users with self-service tools tailored to their specific needs, preventing data overload and misuse.
Data Catalogs: Implement robust data catalogs for easy discovery and understanding of available data sources.
2. Foster Collaboration with Clear Roles:
Data Mesh Architecture: Break down data silos by creating a distributed data ownership model with clear ownership and responsibilities.
Collaborative Workspaces: Utilize interactive platforms where data scientists, analysts, and domain experts can work seamlessly together.
3. Leverage Advanced Analytics Strategically:
AI-powered Automation: Automate repetitive tasks like data cleaning and feature engineering, freeing up data talent for higher-level analysis.
Right-Tool Selection: Strategically choose the most effective advanced analytics techniques (e.g., AI, ML) based on specific business problems.
4. Prioritize Data Quality with Automation:
Automated Data Validation: Implement automated data quality checks to identify and rectify errors at the source, minimizing downstream issues.
Data Lineage Tracking: Track the flow of data throughout the ecosystem, ensuring transparency and facilitating root cause analysis for errors.
5. Cultivate a Data-Driven Mindset:
Metrics-Driven Performance Management: Align KPIs and performance metrics with data-driven insights to ensure actionable decision making.
Data Storytelling Workshops: Equip stakeholders with the skills to translate complex data findings into compelling narratives that drive action.
Benefits of a Precise Ecosystem:
Sharpened Focus: Precise access and clear roles ensure everyone works with the most relevant data, maximizing efficiency.
Actionable Insights: Strategic analytics and automated quality checks lead to more reliable and actionable data insights.
Continuous Improvement: Data-driven performance management fosters a culture of learning and continuous improvement.
Sustainable Growth: Empowered by data, organizations can make informed decisions to drive sustainable growth and innovation.
By focusing on these precise actions, organizations can create an empowered data analytics ecosystem that delivers real value by driving data-driven decisions and maximizing the return on their data investment.
As Europe's leading economic powerhouse and the fourth-largest economy globally, Germany stands at the forefront of innovation and industrial might. Renowned for its precision engineering and high-tech sectors, Germany's economic structure is heavily supported by a robust service industry, accounting for approximately 68% of its GDP. This economic clout and strategic geopolitical stance position Germany as a focal point in the global cyber threat landscape.
In the face of escalating global tensions, particularly those emanating from geopolitical disputes with nations like Russia and China, Germany has witnessed a significant uptick in targeted cyber operations. Our analysis indicates a marked increase in cyberattack sophistication aimed at critical infrastructure and key industrial sectors. These attacks range from ransomware campaigns to Advanced Persistent Threats (APTs), threatening national security and business integrity.
🔑 Key findings include:
🔍 Increased frequency and complexity of cyber threats.
🔍 Escalation of state-sponsored and criminally motivated cyber operations.
🔍 Active dark web exchanges of malicious tools and tactics.
Our comprehensive report delves into these challenges, using a blend of open-source and proprietary data collection techniques. By monitoring activity on critical networks and analyzing attack patterns, our team provides a detailed overview of the threats facing German entities.
This report aims to equip stakeholders across public and private sectors with the knowledge to enhance their defensive strategies, reduce exposure to cyber risks, and reinforce Germany's resilience against cyber threats.
Chatty Kathy - UNC Bootcamp Final Project Presentation - Final Version - 5.23... (John Andrews)
Chatty Kathy: Enhancing Physical Activity Among Older Adults
Discover how Chatty Kathy, an innovative project developed at the UNC Bootcamp, aims to tackle the challenge of low physical activity among older adults. Our AI-driven solution uses peer interaction to boost and sustain exercise levels, significantly improving health outcomes. This presentation covers our problem statement, the rationale behind Chatty Kathy, synthetic data and persona creation, model performance metrics, a visual demonstration of the project, and potential future developments. Join us for an insightful Q&A session to explore the potential of this groundbreaking project.
Project Team: Jay Requarth, Jana Avery, John Andrews, Dr. Dick Davis II, Nee Buntoum, Nam Yeongjin & Mat Nicholas
DATASHEET
SQRRL ENTERPRISE
USE CASE: CYBER HUNTING
Proactively uncover hidden threats through cyber hunting
The days when Security Operations Center analysts could sit back and wait for alerts to come to them have long passed. Breaches and attacks at large companies and government agencies have shown that traditional measures like firewalls, IDS, and SIEMs are not enough. While these measures are still important, today’s threats demand a more active role in detecting and isolating sophisticated attacks.
Hunting is the practice of searching iteratively through your data to detect and isolate advanced threats that evade more traditional security solutions. In other words, hunting trips are designed to proactively uncover threats hidden in a network or system.
The Sqrrl Enterprise Edge
Sqrrl Enterprise is a real-time, unified platform for securely integrating, exploring, and analyzing massive amounts of data from any source. By creating visual models using linked data, Sqrrl is able to generate a clearer contextual picture for analysts.
Sqrrl Enterprise powers cyber hunting via the following features:
• Enables a hunter to filter and prioritize Big Data, employing advanced data science techniques
• Allows pivoting in real time between disparate datasets and distinct parts of a network
• Facilitates iterative question chaining, which streamlines the process of response and investigation
• Generates advanced visualizations consisting of weighted, directional nodes and edges that can provide compact representations of complex, dense datasets
Example Advanced Persistent Threat Hunting Use Case
ABOUT SQRRL
Powering the Hunt | Page 2
Sqrrl was founded in 2012 by creators of Apache Accumulo™. With their roots in the U.S. Intelligence Community, Sqrrl’s founders have deep experience integrating and analyzing complex petabyte-scale datasets. Sqrrl is headquartered in Cambridge, MA and is a venture-backed company with investors from Matrix Partners, Atlas Venture, and Rally Ventures.
125 Cambridge Park Dr
Cambridge, MA 02140
www.sqrrl.com
@SqrrlData
p: (617) 902-0784
e: info@sqrrl.com
Leveraging Data Science
Making sense of Big Data is no easy task, and your enterprise will want to keep as much data as it is able to store. To actually capitalize on terabytes or even petabytes of information, you will need a smart and effective way of making sense of it all. Modern machine learning and statistical tools have the potential to multiply the effectiveness of a hunter's powers by automating common tasks such as producing activity summaries or finding the “weird” entities in a dataset. Hunters need tools, like Sqrrl Enterprise, that provide data science without requiring the users to be data scientists.
Question Driven Investigations
Hunting trips should start with questions and hypotheses, not necessarily specific indicators. A question or hypothesis you start with might be something like “Is data exfiltration happening?” or “If data exfiltration is happening, it is most likely going on through this part of the network.” A hunter would then check whether any exfiltration is going through that subnet and try to figure out what protocols might be used. There are often multiple ways you can look for the answers to these questions, but having some hypotheses helps you figure out what data you need to examine and what analytic techniques might be most fruitful. Sqrrl Enterprise’s query language makes asking these questions easy.
Keep on Pivoting
Hunting consists of spending a lot of time searching for something that is elusive by nature. To locate entrenched threats, your hunt needs to be dynamic and adaptable. Plus, you need to be able to easily pivot from one dataset to the next to evaluate the full context of the attacker’s digital footprints. This might include moving from operating system events to Netflow data and then to application logs. Sqrrl Enterprise is able to support this kind of nimble data exploration.
Mapping Your Terrain
Knowing the lay of the land and where attackers may hide is a key element of hunting. Kill chain mapping provides a useful framework to plan your hunting trips for maximum impact. Typically, you will want to focus on the last two phases of the kill chain (Command and Control and Actions on Objectives) first, since the farther along the kill chain the adversary is, the worse the incident is for you. Sqrrl Enterprise provides the capability to annotate investigations with kill chain mappings.
Advice from a Hunter
"Organizations are realizing that their existing traditional security solutions, such as firewalls and SIEMs, are not finding everything that they need to find. On the detection side they’re doing well for what they do, but the problem is that signature-based or even intelligence-based network monitoring systems are limited. Attackers are virtually unlimited in what they can do. Adversaries are very flexible and agile, so that's what we have to be."
- David Bianco, Sqrrl's Security Architect; former Manager of Mandiant’s Hunt Team