Information Security is an challenge to many companies. This paper helps team build secure operation center.

2. Threat oday’s synergistic corporate infrastructure along with federation of their information is building
an agile and cohesive environment. However it also introduces newer challenges to protect information
assets from ge;ing into adversary’s hands. According to an article in Forbes , the cyber crime costs are1
projected to hit $2 Trillion by 2019 with cyber a;ack projected losses of at least $9.7 Billion in 2020 .2
With recent a;acks on Equifax, Kaspersky, SonicWall, Deloi;e, and Whole Foods its just ma;er of time
when these projections will turn into a reality.
Identifying cyber threats is particularly challenging. First, hackers collaborate across geographical
locations, making it difficult to trace the a;acking source. Second, complexity and a;ack payloads are
evolving rapidly, making it slow to monitor and prevent many vulnerabilities and consequences in
synergistic cyber networks. Third, the advanced persistent threats (APT) are implanted across multiple
stages, making it troublesome to catch real time incidents out of normal network traffic. Last but not
least, it is extremely hard to manage the volume, velocity, and complexity of the data generated by the
myriad of security tools. It can easily take months’ effort of even the most experienced security experts
to comb through these massive amount of data and find the needle in the haystack.
In order to build an intelligent and proactive security program, security evangelist and thought leaders
must investing some time on following,
1. Build a;acker’s portfolio
2. Behavior Analysis
3. Deeper learning and feedback loop
Building Attacker’s Portfolio - Know your adversary!
Asset Discovery
In order to build resourceful and content-driven security team, security thought leaders should identify
the critical assets the team is protecting. If you are protecting The Wall against Night Walkers than you
will need a Sworn Brother of the Night’s Watch to protect it (a GOT reference :)). However if you only
have public data classification and an adversary may not have any monetary gain than you can avoid
heavy investment in information security organization by focusing on automating against hacktivists,
script-kiddies or pranksters.
https://www.forbes.com/sites/stevemorgan/2016/01/17/cyber-crime-costs-projected-to-reach-2-1
trillion-by-2019/#63c9e44b3a91
https://www.bloomberg.com/news/articles/2017-07-18/global-cyber-attack-could-cost-121-4-2
billion-lloyd-s-estimates
Challenges • 1

3. Cyber Adversary Profiling
Once asset discovery is performed, charactering cyber adversary and build an relevant a;ack’s profile
is next in line. Over the past decade, information security evangelist has done a splendid job in building
a template and database of various cyber adversary. But it comes with a disclaimer it is not a one size
fits all. Based on the data assets and where it lies in the infrastructure you start building control access
around them.
Image Reference - h;ps://blog.illusivenetworks.com/cyber-a;ackers-evolution-4-profiles
Cyber Kill Chain
Lockheed Martin coined the term Cyber Kill Chain and is aggressively adopted in security3
community to describe stages of cyber a;acks. The intrusion-centric model focuses on seven different
steps
1. Reconnaissance, information gathering
2. Weaponization, use of known exploits or create new ones
3. Delivery, plant malicious payload on target machines
https://www.darkreading.com/attacks-breaches/deconstructing-the-cyber-kill-chain/a/d-id/3
1317542?
Challenges • 2

4. 4. Exploitation, execute the exploit
5. Installation, install malware
6. Command and Center, create C&C to operate a;acks remotely
7. Action on objectives, perform the steps to achieve actual goals
Below is an example of one such cyber kill chain
Challenges • 3

5. Behavioral Analysis
The common thread across various forms of threats is the deviation of an asset or user’s behavior.
Security evangelist needs to map behavioral pa;erns to cyber adversary characterization. This
deviation can indicate fraudulent or malicious activity , which is important in detecting such a;ackers.
Behavior of users, devices, system accounts, and privileged accounts should be monitored to reveal
anomalies.
Deeper Learning And Feedback Loop
Next in line is implementing systematic solutions using the most advanced statistical and deep learning
techniques to detect and prevent threats in real-time. Each a;ack tree is implemented to cover certain
stage along the cyber kill chain. Once such a;ack trees are discovered an automated alerting process
must be triggered and first layer of incident responders must be trigger for a review. Responders can
than triage various trigger sources and decide on appropriate actions, like blocking the corresponding
web traffic, removing the responsible extensions, or acting over the suspicious segment. After a few
iterations one can build a supervised security threat models to tune overall detection rate.
In practice, malicious application, licitly or illicitly, draw characteristic signatures through their
network traffic logs. Building an artificial neural network would trace down these traffic pa;erns then
generate alerts that are potentially tied to different phases of the threats.
Challenges • 4

6. To identify lateral movement across net-flow data, we build graph model using PageRank algorithm to
measure the in/egress fluctuations of the endpoints across the subnets. In theory, the PageRank score of
each node corresponds to the net-flow counts among other nodes. Therefor a drastic score change of a
node reflects the impact of its neighbors and suggests possible propagation of suspicious actions.
Network intrusion detection can be the vital mechanism where the a;acker’s trace should be definitely
identifiable. Finding malicious activity on Visa network depends on humans’ intervention to properly
code and configure them. We create profiles of users behavior based on different network activity
related features, such as egress, ingress, data volume sent or received etc. Rareness of usage of
different access pa;erns, such as, protocol or port are also brought into consideration to determine
deviation from normal user’s behavior. Profiles are also created based on roles of employees. Deviation
of a user’s activity is determined based on a user’s own profile deviation and from his peer group’s
profile deviation. We use historical knowledge base and histogram approach to determine anomalies
for this net-flow-UBA based model.
We also profile network behavior in different network entity level i.e. VMSN servers, shared scanners,
printers etc. Using time series model we learn the normal behavior of network traffic pa;ern over time
using historical data and determine the risk of network flow in sliding window fashion. Using different
combination of features, we determine reconnaissance, port scanning, privilege escalation, lateral
movement, data exfiltration from network activity.
One of the very common a;ack scenario these days is Distributed Denial of Service (DDoS). Excessive
Domain Name system (DNS) request is widely used to instigate DDoS a;ack. Applying natural
language processing and machine learning techniques, we are able to determine the legitimacy of the
requested domains and determine whether it is coming from a;ackers or not. The distribution of
number of requests in sliding time window fashion is investigated to identify a;ack scenario. We also
determine the probability of a requested domain whether it is generated randomly or by malware
using deep neural network learning based LSM method.
Ports and protocol access pa;erns are profiled from network flow data. Using advanced ML-
classification algorithms, i.e. KNN, SVM etc., for a new network flow, we determine the probability of it
to be unknown or malicious compared to legitimate network flows. We apply clustering techniques to
firewall data to determine outliers for further investigation and determine the accurate functionalities
of firewalls.
We investigate users escalation in privileges based on historically occurred access pa;erns of that user
and the pa;ern of that escalated critical group. We also use different decision tree based approaches to
determine the sequence of events that created the escalation.
Challenges • 5

7. Some models at VSA follow specific rules based on which threat of an a;ack is determined. Specific
scoring mechanisms depending on various factors are outlined. When the event activity score is
beyond a threshold value, alert is generated and validated by security specialists. With their feedback,
the model keeps tuning itself over time. This is where self-learning comes into picture.
Future Prospect
As the sophistication and technology of cyber-a;acks continue to evolve, we foresee the following
trends will become the priorities of the next generation cyber security solutions in the coming years.
We’ll implement more intelligent deep learning model to understand cyber intelligence report and take
its up-to-date scenarios into consideration. The model shall have self-learning and evolving capabilities
to catch the most critical information from the intelligence. Ideally it can automatically update its own
design and thinking logic to adapt to the real practice.
We’ll also extend our protection measures to address today’s rapidly growing a;ack surface. This
moves beyond the network endpoints, to involve applications, databases, cloud environments and the
Internet of Things (IoT), etc.
We’ll continue to provide high detection rates with low computational overhead.
Challenges • 6