Download to read offline
Uploaded byInterset
IANS Forum Charlotte: Operationalizing Big Data Security [Tech Spotlight]
The document discusses operationalizing big data security analytics by highlighting the challenges organizations face with alert overload and incident detection. A probabilistic approach to anomaly detection is proposed, which involves computing the probability of anomalous behavior based on observed data. The goal is to distill vast amounts of data into prioritized threat leads to improve cybersecurity defenses.
More Related Content
Similar to IANS Forum Charlotte: Operationalizing Big Data Security [Tech Spotlight]
![Innovation in Cybersecurity [Montreal 2018 CRIAQ RDV Forum]](https://cdn.slidesharecdn.com/ss_thumbnails/interset-innovatingincybersecurity-180423194815-thumbnail.jpg?width=640&height=640&fit=bounds)
![[Webinar] Supercharging Security with Behavioral Analytics](https://cdn.slidesharecdn.com/ss_thumbnails/sept19forresterintersetwebinarfinal1-180924190339-thumbnail.jpg?width=640&height=640&fit=bounds)
![IANS Forum DC: Operationalizing Big Data Security [Tech Spotlight]](https://cdn.slidesharecdn.com/ss_thumbnails/ianstechnologysessionscharlottemh0918181-181003004433-thumbnail.jpg?width=640&height=640&fit=bounds)
IANS Forum Charlotte: Operationalizing Big Data Security [Tech Spotlight]
- 1. 1 | ©2018 Interset Software How to Operationalize Big Data Security Analytics Mario Daigle VP of Product
- 2. 2 | ©2018 Interset Software About Interset.AI SECURITY ANALYTICS LEADER PARTNE RS ABOUT US Data science & analytics focused on cybersecurity 100 person-years of security analytics and anomaly detection R&D Offices in Ottawa, Canada and Newport Beach, CA In-Q-Tel Portfolio Company Interset.AI
- 3. 3 | ©2018 Interset Software Attackers are Fast Defenders are Slow Alert Overload AV-test.org, 2015 64% of US companies face 10,000+ alerts per month 203 Days - Breaches take on average 80 days to discover and 123 days to resolve 60% of data is stolen in hours 54% Of breaches remain undiscovere d after 6 months Ponemon Institute, 2015 Missed Incidents 8% of incidents are detected by endpoint, firewall & network solutions Verizon DBIR, 2014 Problem Domain: Drowning in Data and Missing Incidents 1% SIEM
- 4. 4 | ©2018 Interset Software Standard Approach – Rules and Thresholds Source: A Pattern for Increased Monitoring for Intellectual Property Theft by Departing Insiders, Andrew Moore, Carnegie Mellon 2011
- 5. 5 | ©2018 Interset Software The Threshold Approach Challenge Abnormal Normal
- 6. 6 | ©2018 Interset Software The Threshold Approach Challenge Abnormal Normal
- 7. 7 | ©2018 Interset Software The Threshold Approach Challenge Abnormal Normal
- 8. 8 | ©2018 Interset Software A Probabilistic Approach • Computes probability that a value in a given hour is anomalous • Explicitly models both normal and abnormal distributions • Estimators for both normal and abnormal based on observation • Baseline “Unique Normal” and measure deviations
- 9. 9 | ©2018 Interset Software USB drives are marked as high risk method Method The volume of copying is large, compared to John’s past 30 days and compared to other sysadmins Activity John Sneakypants is a contractor and sysadmin with privileged access User/Machine These files have a high risk and importance value Asset Behavioral Risk: Quantifying Suspicious Events John Sneakypants is copying an unusually large number of sensitive files to an external USB drive.
- 10. 10 | ©2018 Interset Software Entity Risk: Distilling Evidence to Find Leads Activity User/Machine Asset Method Behavioral Risk Score User Asset Machine OWASP Risk = Likelihood * Impact
- 11. 11 | ©2018 Interset Software Activity User/Machine Asset Method Behavioral Risk Score User Asset Machine Entity Risk: Distilling Evidence to Find Leads • Ann Funderburk works at an unusual hour 15 • … and accesses repositories that she and her peers do not usually access 65 • … and takes from a folder on a repository an unusual number of times 80 • … and moves a significantly high volume of data than normal 96 • … VPNs in from China 46
- 12. 12 | ©2018 Interset Software Data Repository Logs Active Directory Logs VPN Logs Feature Extraction Ann moves a significant volume of data Ann access and takes from file folders Ann accesses anomalous repositories Ann logs in from anomalous location Ann logs in at unusual time of day (other features) (other features) (other features) ∑ Anomaly Detection Auth./Access Anomaly Model File Access & Usage Models Volumetric Models VPN Anomaly Models Entity Risk Aggregation Entities - Account - Machine - File - Application 96 Mathematical Framework
- 13. 13 | ©2018 Interset Software Distill billions of events into a handful of prioritized threat leads A Handful of Prioritized Threat LeadsBillions of Events Hundreds of Anomalies
- 14. 14 | ©2018 Interset Software Technology Demonstration
- 15. 15 | ©2018 Interset Software 15 | © 2018 Interset Software QUESTIONS? Mario Daigle mdaigle@interest.com @mariodaigle 613.882.6955 Learn more at Interset.AI