F.I.D.O.
Fully Integrated Defense Operation
Rob Fry - Sr Security Architect
Agenda
• The Human Problem
• The Technical Problem
• F.I.D.O. High Level
• What’s Next?
• Q & A
The Human Problem
Source: Cisco 2014 ASR, Network World, ISAC, swimlane.com, Security Week
• Vendors and organizations are not doing enough to lower the bar
• 62% of organizations have not increased security training
• 83% of enterprises lack the resources or skills to protect assets
• Majority of the work is done manually… self-defeating
• Response time windows are too long
• Enforcement and mitigation are largely manual
The Technical Problem
Too Many Alerts, Too Little Time/Resources
Network defenders are overwhelmed by the volume of alerts
• A typical Fortune 1000 organization experiences thousands of new security events every day (1)
• Data review is time consuming
Current industry best practice relies on analysts using SIEM technologies plus manual use of threat intel feeds
• Too many false positives
• Very little guidance on how to filter the signal from the noise
Source: (1) IBM 2014 Cyber Security Intelligence Index
“There are 400 alerts in my SIEM, and I have time/resources to investigate 10. Which 10 do I choose?” (1)
Source: (1) CISO from Fortune 200 Company
But… it WORKS in the MOVIES
F.I.D.O. = Orchestration
• The work of a human, but at machine speed
• Data enrichment
• Get more out of security investment
• Adds consistency
• Filter out false positives
• Threat, user, machine and asset scoring
Known -versus- Unknown
Reduce Response Time
[Chart: attackers' ability versus defenders' ability over time]
Source: Verizon Data Breach Report
At First, Simplicity
Disjointed Security
[Diagram: the same malware triggers a network alert (firewall/IPS/IDS) and an endpoint defense event; each goes to a different support person, one seeing "Bad!" and the other "Blocked!", with no link between the two views]
At First, Simplicity
Joining the disjointed
[Diagram: the network alert (firewall/IPS/IDS) and the endpoint defense verdict (blocked / not blocked) for the same malware are joined into one view for a single support person]
• Aggregate data from multiple human jobs at once
• Look for corresponding events
• Reduce severity where one detector blocks
• Reduce response time
• Opened door to other ideas
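How the joining step can work in code, as an added example written for this page and not F.I.D.O.'s own code: network alerts and endpoint events are paired by host inside a time window, an alert the endpoint product already blocked is downgraded, one the endpoint only observed is escalated, and one with no endpoint event at all keeps the detector's severity so an analyst still looks at it. The data classes, the ten-minute window, the severity labels and the sample events are assumptions; the file hashes are the ones shown on the cross-section slide in this deck.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class NetworkAlert:
    alert_id: str
    host: str
    ts: datetime
    indicator: str   # what the host reached: URL, domain or IP
    severity: str    # severity as assigned by the network detector alone


@dataclass
class EndpointEvent:
    host: str
    ts: datetime
    sha1: str
    blocked: bool    # True: endpoint product stopped it; False: observed only


def join_detectors(net_alerts, ep_events, window=timedelta(minutes=10)):
    """Pair every network alert with endpoint events on the same host inside
    +/- window and re-rate it from the combined view (assumed rating rules):
      - endpoint blocked it        -> outcome blocked_by_endpoint, severity low
      - endpoint saw it, no block  -> outcome not_blocked, severity high
      - no endpoint event at all   -> keep the detector's severity, flag for review
    """
    joined = []
    for a in net_alerts:
        matches = [e for e in ep_events
                   if e.host == a.host and abs(e.ts - a.ts) <= window]
        if not matches:
            outcome, severity = "no_endpoint_visibility", a.severity
        elif any(e.blocked for e in matches):
            outcome, severity = "blocked_by_endpoint", "low"
        else:
            outcome, severity = "not_blocked", "high"
        joined.append({
            "alert_id": a.alert_id,
            "host": a.host,
            "indicator": a.indicator,
            "endpoint_hashes": sorted({e.sha1 for e in matches}),
            "outcome": outcome,
            "severity": severity,
        })
    return joined


# Constructed sample events (not real telemetry). Hashes are taken from the
# deck's cross-section slide; hosts and times are made up.
T0 = datetime(2015, 6, 1, 9, 0)
NET_ALERTS = [
    NetworkAlert("n1", "ws-101", T0, "www.downloadcrest.com", "medium"),
    NetworkAlert("n2", "ws-202", T0 + timedelta(hours=1), "appsom1.com", "medium"),
    NetworkAlert("n3", "ws-303", T0 + timedelta(hours=2), "179.43.156.66", "medium"),
]
EP_EVENTS = [
    EndpointEvent("ws-101", T0 + timedelta(minutes=2),
                  "463065c87d58befbfde6d150fe1d1338fa752bd6", blocked=True),
    EndpointEvent("ws-202", T0 + timedelta(hours=1, minutes=5),
                  "6de64d26a49b05b0e70ad50b8ed3b99a0200240c", blocked=False),
    # same host as n1 but three hours later: outside the window, must not pair
    EndpointEvent("ws-101", T0 + timedelta(hours=3),
                  "eda661bf08ca0129d78f901dc561afe6549e383d", blocked=False),
]


def demo():
    """Join the constructed events and index the results by alert id."""
    return {r["alert_id"]: r for r in join_detectors(NET_ALERTS, EP_EVENTS)}


if __name__ == "__main__":
    for alert_id, r in demo().items():
        print(alert_id, r["host"], r["outcome"], r["severity"], r["endpoint_hashes"])
```

The window matters: the third endpoint event is on the same host as the first alert but three hours later, so it is not paired. In a real deployment the window would be tuned to the detectors' clock skew and reporting delay.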
Look Outside the Security Sphere
Expanding data sources
[Diagram: the joined network alert and endpoint verdict (blocked / not blocked) are enriched with user, asset and machine data from additional data sources before reaching the support person]
• Systems management, inventory, HR, AD, etc.
• Added machine, user, asset posture
• Not just about the threat, context is still king
• Example: any alert against PCI, PII, Domain Admin, CEO, etc., would be more critical
Threat Feeds
Value in Crowdsourcing
[Diagram: the alert, data sources (user, asset, machine) and threat feeds all feed correlation; threat feeds contribute crowdsourcing, context, validation and false-positive filtering]
Threat Feeds
• Too much data to do manually, more effective automated
• Can provide rich detailed layers of context
• As a stack, can cover the multiple layers
• Cross-correlation between feeds
• Scheduled artifact checking
• Prelude to detection
Historical Data
Looking back is important
[Diagram: historical data joins the alert, data sources (user, asset, machine) and threat feeds as an input to correlation]
• Security alerts
• User, machine
• Artifacts (IP, hash, URL)
• Introduces thresholds
• Retrospection
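The threat-feed bullets (cross-correlation between feeds, scheduled artifact checking) and the historical-data bullets (artifacts, thresholds, retrospection) are two halves of one loop, shown here as an added example written for this page rather than F.I.D.O.'s own code. Every artifact seen in the enterprise is re-checked against all feeds on a schedule; when enough feeds agree on an artifact that was unknown at the time it was seen, the hosts that touched it are re-opened. The feed tables are constructed snapshots with assumed verdicts (real use would query VirusTotal, OpenDNS and the rest over their APIs), the two-feed agreement rule and the three-hosts-in-seven-days threshold are assumptions, and the artifact strings are the ones on the cross-section slide.

```python
from collections import defaultdict
from datetime import datetime, timedelta

HASH = "463065c87d58befbfde6d150fe1d1338fa752bd6"

# Constructed feed snapshots on two consecutive days (assumed verdicts, not
# real feed output). Only the entries relevant to the example are present.
FEEDS_DAY1 = {
    "VirusTotal": {"6de64d26a49b05b0e70ad50b8ed3b99a0200240c": "malicious"},
    "OpenDNS":    {"appsom1.com": "malicious"},
    "AlienVault": {"179.43.156.66": "malicious"},
}
FEEDS_DAY2 = {
    "VirusTotal": {"6de64d26a49b05b0e70ad50b8ed3b99a0200240c": "malicious", HASH: "malicious"},
    "OpenDNS":    {"appsom1.com": "malicious", "www.downloadcrest.com": "suspicious"},
    "AlienVault": {"179.43.156.66": "malicious", HASH: "malicious"},
}


def cross_correlate(artifact, feeds):
    """Feeds that flag the artifact with any non-clean verdict."""
    return {name for name, table in feeds.items() if table.get(artifact, "clean") != "clean"}


class ArtifactHistory:
    """Sighting store: which hosts saw which artifact when, plus the last feed result."""

    def __init__(self):
        self.sightings = defaultdict(list)   # artifact -> [(host, ts)]
        self.last_hits = {}                  # artifact -> feeds that flagged it at last check

    def record(self, artifact, host, ts):
        self.sightings[artifact].append((host, ts))

    def hosts_for(self, artifact):
        return sorted({h for h, _ in self.sightings[artifact]})

    def over_threshold(self, now, min_hosts=3, window=timedelta(days=7)):
        """Artifacts seen on at least min_hosts distinct hosts inside the window:
        a spread threshold that fires even when no feed knows the artifact yet."""
        out = {}
        for art, seen in self.sightings.items():
            hosts = {h for h, ts in seen if now - ts <= window}
            if len(hosts) >= min_hosts:
                out[art] = sorted(hosts)
        return out


def scheduled_check(history, feeds, min_feeds=2):
    """Re-check every artifact ever seen against the current feeds (retrospection).
    Returns artifacts whose agreeing-feed count crosses min_feeds for the first
    time, with the hosts that touched them while they were still unknown."""
    newly_bad = {}
    for art in list(history.sightings):
        hits = cross_correlate(art, feeds)
        prev = history.last_hits.get(art, set())
        if len(hits) >= min_feeds > len(prev):
            newly_bad[art] = {"feeds": sorted(hits), "hosts": history.hosts_for(art)}
        history.last_hits[art] = hits
    return newly_bad


def demo():
    """Three hosts download the same file before any feed knows it; one day later
    two feeds agree it is malicious and all three hosts come back for review."""
    h = ArtifactHistory()
    t0 = datetime(2015, 6, 1)
    h.record(HASH, "ws-101", t0)
    h.record(HASH, "ws-202", t0 + timedelta(days=1))
    h.record(HASH, "ws-303", t0 + timedelta(days=2))
    h.record("appsom1.com", "ws-404", t0 + timedelta(days=1))
    day1 = scheduled_check(h, FEEDS_DAY1)   # nothing crosses the two-feed bar yet
    day2 = scheduled_check(h, FEEDS_DAY2)   # the hash is now flagged by two feeds
    return day1, day2, h.over_threshold(t0 + timedelta(days=3))


if __name__ == "__main__":
    day1, day2, spread = demo()
    print("day1:", day1)
    print("day2:", day2)
    print("over threshold:", spread)
```

Note that the spread threshold already fires on day 3 for the hash, before any feed flags it; that is the "prelude to detection" the threat-feed slide refers to, and it is why the history needs to keep sightings of artifacts that were clean when first seen.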
Scoring Engine
Assessing the Data
[Diagram: correlation of the alert, data sources (user, asset, machine), threat feeds and historical data feeds a scoring engine; it produces 0%-100% scores for user, asset, machine and threat plus a total score, which go to the support person]
F.I.D.O. High Level
F.I.D.O. pipeline:
1. Detectors
2. Host Detection
3. Threat Stack
4. Data Sources
5. Correlation
6. Scoring
7. Enforcement
8. Notification
F.I.D.O. High Level
1. Detectors: Carbon Black, ProtectWise, Cyphort, SentinelOne, Niddel, Palo Alto Networks
2. Host Detection: DHCP, RPC, SSH, DNS, ARP
3. Threat Stack: VirusTotal, ThreatGRID, OpenDNS, ThreatExchange, AlienVault
4. Data Sources: LDAP, Jamf, Landesk, SCCM, Endpoint, HR
5. Correlation: Detectors, Previous Threats, Historical User/Machine, OS, Threat Feeds, Thresholds
6. Scoring
7. Enforcement
8. Notification
Evolution of Correlation
[Chart: maturity of correlation approaches, annotated "F.I.D.O. is probably here." and "Although some days I feel like it's here."]
Correlation: Simple Example
Patterns in the data
[Figure: events classified as Normal, Suspicious, Malicious]
Correlation: Real World Example
Patterns in the data
[Figure]
Correlation: Cross Sections
Patterns in the data
Artifacts (IP/Hash/URL/Domain) linked across alerts:
• 66.102.255.50
• eda661bf08ca0129d78f901dc561afe6549e383d
• 167.89.125.30
• 76adfe71d590173b7b6a8db01133d3eb7132bfc6
• 54.71.32.218
• www.downloadcrest.com
• 463065c87d58befbfde6d150fe1d1338fa752bd6
• appsom1.com
• d1ut7rcibkldo.cloudfront.net/b_zq_ym_hotvideo002/hotvideo_0910_3.apk
• 205.210.187.209
• 67.207.158.254
• miserupdate.aliyun.com/data/2.4.1.6/TBSecSvc.exe
• wilsart.nl/images/banners/eok.swf?myid=2ac20f898f1e6a17f04952452c4d20d4
• 209.222.15.232
• d1qd2jv3uw36vk.cloudfront.net/PlusHDrow_14_01-a1a8f801.exe
• 179.43.156.66
• 172.98.67.53
• 108.61.226.13
• 6de64d26a49b05b0e70ad50b8ed3b99a0200240c
Link multiplicities shown in the figure: 5x, 2x, 2x, 4x, 2x, 2x, 3x, 2x, 2x
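One way to compute cross sections like the ones in the figure, as an added example written for this page and not F.I.D.O.'s own code: each alert carries the set of artifacts observed together, the engine counts how many alerts each artifact appears in (the "Nx" labels), lists the artifacts that tie several hosts together, and groups alerts into incidents through chains of shared artifacts. The alerts, hosts and alert ids are constructed; the artifact strings are the ones listed above.

```python
from collections import Counter, defaultdict

# Constructed alerts (not real F.I.D.O. output); artifact strings are from the
# cross-section slide, hosts and alert ids are made up.
ALERTS = [
    {"id": "a1", "host": "ws-101", "artifacts": {
        "54.71.32.218", "www.downloadcrest.com",
        "463065c87d58befbfde6d150fe1d1338fa752bd6"}},
    {"id": "a2", "host": "ws-202", "artifacts": {
        "www.downloadcrest.com", "463065c87d58befbfde6d150fe1d1338fa752bd6"}},
    {"id": "a3", "host": "ws-303", "artifacts": {
        "appsom1.com",
        "d1ut7rcibkldo.cloudfront.net/b_zq_ym_hotvideo002/hotvideo_0910_3.apk"}},
    {"id": "a4", "host": "ws-404", "artifacts": {
        "463065c87d58befbfde6d150fe1d1338fa752bd6", "209.222.15.232"}},
    {"id": "a5", "host": "ws-505", "artifacts": {"appsom1.com", "179.43.156.66"}},
    {"id": "a6", "host": "ws-606", "artifacts": {
        "108.61.226.13", "6de64d26a49b05b0e70ad50b8ed3b99a0200240c"}},
]


def artifact_counts(alerts):
    """Number of alerts each artifact appears in (the 'Nx' labels on the slide)."""
    counts = Counter()
    for a in alerts:
        counts.update(a["artifacts"])
    return counts


def cross_sections(alerts, min_alerts=2):
    """Artifacts shared by at least min_alerts alerts, mapped to the hosts they
    tie together. These are the pivots an analyst would follow by hand."""
    hosts = defaultdict(set)
    for a in alerts:
        for art in a["artifacts"]:
            hosts[art].add(a["host"])
    counts = artifact_counts(alerts)
    return {art: sorted(hosts[art]) for art, n in counts.items() if n >= min_alerts}


def clusters(alerts):
    """Group alerts linked directly or through a chain of shared artifacts
    (union-find), so one incident is handled once rather than once per alert."""
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    first_seen_in = {}
    for a in alerts:
        for art in a["artifacts"]:
            if art in first_seen_in:
                parent[find(a["id"])] = find(first_seen_in[art])
            else:
                first_seen_in[art] = a["id"]
    groups = defaultdict(set)
    for a in alerts:
        groups[find(a["id"])].add(a["id"])
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])


if __name__ == "__main__":
    for art, n in artifact_counts(ALERTS).most_common(3):
        print(f"{n}x", art)
    print(cross_sections(ALERTS))
    print(clusters(ALERTS))
```

With this input the hash 463065c8... ties three hosts together and appsom1.com two, while a6 stays its own cluster because it shares nothing; adding the "move laterally across data" idea from the next slide would mean also joining on host, user or feed hits, not only on artifacts.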
Correlation Initiatives
• More data, different data, more data points
• Move past 1000 vectors
• More indicators
• Move laterally across data (detector, threat feed, whatever)
• Drill in multiple layers deep
• Better data enrichment algorithms for higher quality associations, thresholds, increments
• Independent processes for correlation (microservices)
• Continue to evaluate ML for correlation
• F.I.D.O. is not ML, but we are working on it
• ML for scoring first (Thank you Mines.IO team)
• ML for security is hard, efficacy can be challenging
• Correlation can be repeatable
• Correlation is what security people do… codify it
F.I.D.O. High Level
Pipeline stages 6-8 (after 1. Detectors, 2. Host Detection, 3. Threat Stack, 4. Data Sources, 5. Correlation):
6. Scoring: Threat, User, Machine, Asset, Total Score
7. Enforcement: Kill NIC, Client Sandboxing, Network Sandboxing, Automated Re-image, Kill VPN, DHCP Blacklist, Disable Account, Reset Password
8. Notification: Recommendation, Link to Docs, Actions Performed, Create Ticket, Updates DB
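Stages 6 to 8 end to end, as an added example written for this page and not F.I.D.O.'s own code; it also covers the earlier "context is still king" point that an alert against PCI, PII, a Domain Admin or the CEO should score higher. Four component scores (threat, user, machine, asset) on a 0-100 scale are combined into a total, the total picks the enforcement actions, and a notification record is produced with the actions performed, a recommendation and a docs link. The component formulas, the weights, the score bands, the action table, the playbook path and the two sample alerts are all assumptions; the deck gives only the scale, the component names and the action names. One practitioner caveat is built in: account actions against an executive or admin are recommended to the analyst rather than run automatically.

```python
from dataclasses import dataclass, field

# Weights, score bands and the action table are assumptions for this example.
WEIGHTS = {"threat": 0.4, "user": 0.2, "machine": 0.2, "asset": 0.2}
BANDS = [(70, "critical"), (50, "high"), (25, "medium"), (0, "low")]
AUTO_ACTIONS = {
    "low":      ["Create Ticket"],
    "medium":   ["Client Sandboxing", "Create Ticket"],
    "high":     ["Network Sandboxing", "Kill VPN", "Create Ticket"],
    "critical": ["Kill NIC", "Network Sandboxing", "Kill VPN",
                 "Automated Re-image", "Create Ticket"],
}
PRIVILEGED_USER = 50   # user score at or above which account actions need a human


@dataclass
class Context:
    """Enrichment pulled from HR, AD and systems management for one alert."""
    user: str
    executive: bool = False
    domain_admin: bool = False
    prior_user_incidents: int = 0
    days_since_patch: int = 0
    has_edr: bool = True
    prior_machine_infections: int = 0
    asset_tags: set = field(default_factory=set)   # e.g. {"pci", "pii"}


def threat_score(feed_hits, feeds_total, endpoint_blocked):
    """Share of feeds flagging the artifact; a block at the endpoint lowers it."""
    score = 100 * feed_hits // feeds_total
    if endpoint_blocked:
        score -= 40
    return max(0, min(100, score))


def user_score(c):
    return min(100, 10 + (40 if c.executive else 0) + (50 if c.domain_admin else 0)
               + 20 * min(c.prior_user_incidents, 2))


def machine_score(c):
    return min(100, 10 + (30 if c.days_since_patch > 30 else 0)
               + (30 if not c.has_edr else 0) + (20 if c.prior_machine_infections else 0))


def asset_score(c):
    return min(100, 10 + (50 if "pci" in c.asset_tags else 0)
               + (40 if "pii" in c.asset_tags else 0))


def total_score(components):
    return round(sum(WEIGHTS[k] * v for k, v in components.items()))


def band_for(total):
    return next(name for floor, name in BANDS if total >= floor)


def enforcement_plan(band, components):
    """Split actions into those run now and those only recommended. Account
    actions against privileged or executive users are never automatic."""
    performed = list(AUTO_ACTIONS[band])
    recommended = []
    if band == "critical":
        if components["user"] >= PRIVILEGED_USER:
            recommended += ["Disable Account", "Reset Password"]
        else:
            performed += ["Disable Account", "Reset Password"]
    return performed, recommended


def process_alert(alert_id, ctx, feed_hits, feeds_total, endpoint_blocked):
    """Score -> enforce -> build the notification record (stages 6, 7, 8)."""
    components = {
        "threat": threat_score(feed_hits, feeds_total, endpoint_blocked),
        "user": user_score(ctx),
        "machine": machine_score(ctx),
        "asset": asset_score(ctx),
    }
    total = total_score(components)
    band = band_for(total)
    performed, recommended = enforcement_plan(band, components)
    return {
        "alert_id": alert_id,
        "scores": components,
        "total": total,
        "band": band,
        "actions_performed": performed,
        "recommendation": recommended,
        "link_to_docs": "playbooks/" + band,          # assumed runbook location
        "db_update": {"user": ctx.user, "total": total},
    }


def demo():
    """Constructed cases: an executive on a PCI/PII box hit by something the
    endpoint did not stop, and an ordinary user whose endpoint blocked the file."""
    exec_ctx = Context("ceo", executive=True, days_since_patch=45,
                       prior_machine_infections=1, asset_tags={"pci", "pii"})
    std_ctx = Context("jdoe")
    return (process_alert("a1", exec_ctx, 4, 5, endpoint_blocked=False),
            process_alert("a2", std_ctx, 1, 5, endpoint_blocked=True))


if __name__ == "__main__":
    for record in demo():
        print(record["alert_id"], record["total"], record["band"],
              record["actions_performed"], record["recommendation"])
```

The first alert lands in the critical band on context alone as much as on the threat itself, which is the point of the user/machine/asset components; the second collapses to a ticket because the endpoint already blocked it. Whatever the real formulas are, the "Updates DB" step should persist the component scores and not just the total, or the historical layer cannot explain later why a host was re-imaged.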
F.I.D.O. High Level (complete pipeline)
1. Detectors: Carbon Black, ProtectWise, Cyphort, SentinelOne, Niddel, Palo Alto Networks
2. Host Detection: DHCP, RPC, SSH, DNS, ARP
3. Threat Stack: VirusTotal, ThreatGRID, OpenDNS, ThreatExchange, AlienVault
4. Data Sources: LDAP, Jamf, Landesk, SCCM, Endpoint, HR
5. Correlation: Detectors, Previous Threats, Historical User/Machine, OS, Threat Feeds, Thresholds
6. Scoring: Threat, User, Machine, Asset, Total Score
7. Enforcement: Kill NIC, Client Sandboxing, Network Sandboxing, Automated Re-image, Kill VPN, DHCP Blacklist, Disable Account, Reset Password
8. Notification: Recommendation, Link to Docs, Actions Performed, Create Ticket, Updates DB
F.I.D.O. High Level
Success?
Pre-F.I.D.O.:
1. Response measured in days to weeks
2. Aggregation of data took hours
3. 80% of alerts not processed
4. Minimal endpoint/user information
5. Little or no scoring information
Post-F.I.D.O.:
1. Response measured in less than an hour
2. Aggregation of data takes minutes
3. All alerts processed
4. Detailed endpoint/user information
5. Detailed scoring information
F.I.D.O. High Level
Success?
[Chart, Pre-F.I.D.O. versus Post-F.I.D.O.]
Response Time (measured in days): 7 days and 1 day before, under 1 hr after (+23 hrs improvement)
Data Aggregation (measured in hours): 4 hours and 30 mins before, under 10 mins after (+20 mins improvement)
F.I.D.O. High Level
Success?
[Chart: Alerts Processed]
Before F.I.D.O.: 80% of alerts not processed
After F.I.D.O.: 100% of alerts processed
What’s Next?
Opportunity
• ML for scoring (Thanks Mines.IO guys)
• More and tighter integrations
• Full stack: Ubuntu, Python, Node, nginx, CouchDB & more
• Web UI: both configuration and admin
• API for data ingestion or export
Q&A
• Questions?
• Thank you!
• rob.fry@netflix.com
