NEXT GENERATION
SECURITY ANALYTICS
CHRISTIAN HAVE
@CKHAVE
CH@LOGPOINT.COM
ATTACKERS NAVIGATE A GRAPH.
DEFENDERS TYPICALLY THINK
IN POINT-SOLUTIONS
ME!
ACADEMIC PSEUDO-INTELLECTUALISM
THE PATH OF LEAST RESISTANCE
GRAPHS?
NAVIGATING A GRAPH
▸ Expensive exploits are expensive
▸ Use the least expensive weapon
▸ Cost of 0Day exploits
▸ Use once == expensive
DEFENDERS THINK IN POINT SOLUTIONS
IMPLEMENTING MOVIE-PLOT POINTS
▸ Natural-path engineering: lay out the buildings, then let people find the paths
▸ We find the best way forward
▸ We get around controls - it’s in our nature.
MOTIVATION IS NOT IMPACTED BY
CONTROLS.
AS LONG AS THE ATTACK IS ECONOMICALLY
FEASIBLE MOTIVATION REMAINS.
ME!
ACADEMIC PSEUDO-INTELLECTUALISM
MOTIVATION AND ECONOMIC BENEFIT
▸ The implementation of the “child pornography filter” did not
change the number of convictions in Denmark
▸ It did move it out of the “open” Internet
▸ Introducing a censorship filter for enticing terrorism will not
solve the problem of radicalising the youth
▸ It will move it from the “open” Internet somewhere else
▸ The clearing of Pusher Street in Christiania did not stop the sale of marihuana
▸ It did move it out of the open
▸ Laws work wonders for law-abiding citizens
ECONOMIC BENEFIT
▸ Paedophiles will not stop because of a DNS block,
regardless of the penalty
▸ Buying marihuana does not carry a penalty in Denmark
▸ Selling marihuana does not carry a penalty (besides whatever you have on you at the point of arrest)
▸ We can only start winning once we understand what
“winning” is and what game we are actually playing
WE FIGHT HUMAN NATURE.
PICKING THE RIGHT BATTLE IS
KEY FOR WINNING.
ME
PICKING THE RIGHT BATTLE
WE WANT THE EASIEST ATTACKS.
NOT THE HARDEST.
ME
WINNING THE RIGHT BATTLE
EASY ATTACKS - SINCE WE CAN'T AVOID ATTACKS
SURRENDERING?
▸ Attackers are lazy
▸ Attackers optimise cost (0days)
▸ Controls raise the cost of attacks
  ▸ Making attacks hard to detect
▸ Controls are not “free”
  ▸ Cancer screening has a higher mortality than not screening
  ▸ Anti-virus engines are points of infection
▸ Accept attacks will happen
  ▸ Deal with the attacks when they happen
  ▸ Don’t screen for cancer, or move the attackers away from the obvious routes
EASY ATTACKS - SINCE THEY CAN’T BE AVOIDED
NOT SURRENDERING - PICKING THE BATTLEFIELD
▸ Defensively design your security architecture
▸ Understand its weaknesses
▸ Exploit weaknesses
▸ Monitor and gather intelligence, and defend smarter
ECONOMY OF THE DEFENCE
SHOULDN’T WE INVEST IN CONTROLS?
▸ Of course!
▸ Controls are associated with costs imposed on the attacks
▸ The barrier of entry (cost of attack) deters some, but typically only the lowest on the spectrum
▸ Controls as point solutions give way to target fixation
▸ GDPR changes the economy of the defence
CURRENT STATE
OF SECURITY ANALYTICS
INTRO
CURRENT STATE OF SECURITY ANALYTICS
COMPONENTS OF SECURITY ANALYTICS
DATA → INGEST → PROCESS → ANALYSE → PRESENT → VISUALISE → ACT
CURRENT STATE OF SECURITY ANALYTICS
DATA INGESTION
▸ Nothing new.
▸ Everyone does syslog
▸ Everyone has an agent
▸ Some do flow analytics
▸ Some do application-level analytics
▸ Few do full-packet capture
CURRENT STATE OF SECURITY ANALYTICS
PROCESSING
▸ Inbound content must be structured
  ▸ Structure sometimes follows a common language
  ▸ Taxonomy, ontology - whatever floats your boat
▸ Some content is sometimes enriched with metadata
  ▸ Threat intel, GeoIP, asset management DB info etc.
▸ This part has to be fast - many vendors “cheat”
ANALYSIS
SECURITY ANALYTICS
▸ Analytics today is relatively simple
  ▸ Simple statistics
  ▸ Advanced statistics
  ▸ Patterns
  ▸ Known-bad, known-good analysis on more COTS platforms
▸ Most vendors pack tons of alerts and correlations
ANALYSIS
PRESENTATION
▸ Most vendors provide views on the raw data or an abstraction of the raw data
▸ Most vendors provide a relatively easy way to set up views on the raw or aggregated data for analytics
▸ Some vendors have great views when presenting alerts and important events
▸ Few if any systems are able to present hierarchies of data, the relationships between events and deviations on hierarchies
ANALYSIS
DATA VISUALIZATION
▸ Pie charts
▸ Geo maps
▸ Tables
▸ Rows, columns and heatmaps
▸ Nothing you couldn't do with Excel - and maybe that's OK
ANALYSIS
ACTIONS
▸ We collect syslog, application data and network data
▸ We process it, transform it
▸ We enrich and present it, both for the analyst and graphically
▸ Making the system provide actionable information for the analyst
▸ Some systems even go the next step and perform proactive responses on other platforms
  ▸ E.g. shutting ports, adding to ACLs, disabling users
USING SIEM AND GETTING VALUE FROM ANALYTICS
▸ Scaling out
▸ Anchoring in the organisation
▸ Investing in the project
▸ In-house?
▸ Non-infrastructure (enterprise) apps
SCALING
OUT
USING AND GETTING
VALUE OUT OF SIEM
USING AND GETTING VALUE OUT OF SIEM
SCALING OUT
▸ The only thing constant is change; 20% growth in volume
▸ Areas that we need to scale on
  ▸ Ingestion
  ▸ Processing
  ▸ Storage
  ▸ Presentation
USING AND GETTING VALUE OUT OF SIEM
SCALING OUT
▸ Ensure your system scales well when it comes to ingestion
  ▸ Everyone is doing it differently
  ▸ Some solutions tie together backends and presentation layers
▸ Scaling presentation is immensely important for widespread adoption in your organisation
▸ Scaling the backends should not be a concern in 2016
ORGANISATIONAL
ANCHORING
USING AND GETTING
VALUE OUT OF SIEM
SIEMS FAIL WHEN THEY ARE
LEFT ALONE
ME
WHEN DO WE FAIL
SAD
ME
WHEN DO WE FAIL
IN THE CORNER.
SILENTLY COLLECTING LOGS AND
TRIGGERING ALERTS NOBODY
WILL EVER SEE.
ME
WHEN DO WE FAIL
USING AND GETTING VALUE OUT OF SIEM
ORGANISATIONAL ANCHORING
▸ SIEMs fail if they are the point solution to a problem
▸ Stakeholders lose interest
▸ The value-prop was never clear
▸ A great sale but a horrible purchase
USING AND GETTING VALUE OUT OF SIEM
ORGANISATIONAL ANCHORING
▸ Logs and network data are immensely rich in information
▸ This information can be used for much more than security
  ▸ Let help-desk users use pre-defined views and prepared analytics for easier resolution (move work to first-level support)
  ▸ Allow your ops team to use analytics for root-cause analysis, statistics for predictions and forecasts
  ▸ Allow your management team to view the quality of the infrastructure and perform controls on outsourced services
▸ Liberate data from silos
INVESTING IN THE
PROJECT
USING AND GETTING VALUE OUT OF SIEM
INVESTING IN THE PROJECT
▸ Set expectations - understand why we use analytics
▸ Introduce the notion of the Lockheed Martin Cyber Kill Chain (see next slide)
▸ Understand the threat landscape
  ▸ Identify the key threats to the organisation (ext)
  ▸ Identify the key threats identified by the organisation (int)
▸ Bringing it all together
KILL
CHAIN
SECTOR DRILL-DOWN (VERIZON DBIR - 2016)
MOTIVATION DRILL-DOWN: HEALTH-CARE
THREAT ACTOR DRILL-DOWN: HEALTH-CARE
INVESTING IN THE PROJECT
IDENTIFYING KEY INTERNALLY IDENTIFIED THREATS
▸ Use the internal risk assessment
▸ Compare with external threat information
▸ Identify any potential gap - ask yourself why it exists
INVESTING IN THE PROJECT
BRINGING IT ALL TOGETHER
▸ With threats and critical systems identified
▸ And with an understanding of the kill chain and the cost of controls in mind
▸ The task of the project team is to identify the success criteria for the project, with a common acceptance and buy-in from leadership and stakeholders
THE
SECURITY OPERATIONS CENTER
IN-HOUSE OR OUTSOURCED
THE SECURITY OPERATIONS CENTER
CONSIDERATIONS
▸ The 3 Ps
  ▸ People, process and technology
▸ Is it possible to retain skill
  ▸ At the level we need
  ▸ In numbers sufficient to staff the SOC
▸ Are we mature enough to identify which alerts and incidents we want to act on
  ▸ Can we say with confidence that we understand how to act when we then receive the alert?
▸ Engagement models:
  ▸ Who takes action on our network during a breach
  ▸ What gets escalated back “home”
▸ Do we have sensitive data preventing a fully managed SOC?
USING SIEM FOR
ENTERPRISE
APPLICATIONS
USING SIEM FOR ENTERPRISE APPLICATIONS
WHERE IS THE GOLD IN YOUR NETWORK
▸ Third generation SCADA
▸ Industry 4.0
▸ SOA-Enabling your ERP Platforms
▸ Federated Access with suppliers
WHERE IS THE GOLD
PATH OF LEAST RESISTANCE
▸ Vulnerabilities in SCADA
  ▸ Hard-coded admin passwords
  ▸ Non-patchable systems, “because operational IT”
  ▸ Non-networked mindset of admins
▸ Industry 4.0
  ▸ “Smart products with localisation point, status, historical positions and data points, allowing globally unique identification of all products” - Good luck with that
WHERE IS THE GOLD
PATH OF LEAST RESISTANCE
▸ SOA-enabling your ERP platforms
  ▸ % of SAP notes found externally
  ▸ SAP offers mobile access, organisations offer BYOD
  ▸ Do we trust jail-break detection?
▸ Federated access with external suppliers
  ▸ Identities no longer exist
  ▸ Business rules define access to the network now
WHERE IS THE GOLD
USE-CASES FOR ENTERPRISE APPLICATION SIEM USE
▸ Changing master data records
▸ Critical transactions (payments)
▸ Changes in performance data (valve pressure)
▸ Critical changes to equipment (voltage, valve positions)
▸ Abnormality on order sizes, frequency, workflows
▸ The data is here - why not use it?
NEXT GENERATION
SECURITY ANALYTICS
SORRY!
IT WON'T BE MINORITY REPORT
NEXT GENERATION - CHALLENGES
DIVERSITY IN DATA - VALUE IS FOUND EVERYWHERE
TWO PROBLEMS
LARGE VARIATION
LARGE VOLUME
NEXT GENERATION
INFORMATION OVERLOAD: OVERCOMING CHALLENGES
▸ Even with effective alerts, the amount of data is unmanageable
▸ Workflow is the key
PREPARE (SITUATIONAL AWARENESS) → IDENTIFY (ANALYSIS) → REACT (INVESTIGATE) → IMPROVE (COLLABORATE)
NEXT GENERATION
WORKFLOW
▸ Situational awareness
  ▸ Identify anomalies based on what is observed
  ▸ Time-of-day or time-of-year deviations (scale!)
▸ Identify / analyse
  ▸ Based on the norm and baseline we can work on large-scale analytics
  ▸ Complex temporal changes in behaviour and activity
▸ React and “arm the investigators”
  ▸ Rapid response on what data was exposed, how and, not least, why
▸ Improve / collaborate
  ▸ The intelligence created in the analysis must be fed back into the system
  ▸ Partners and collaborators must receive the right amount of supporting information
  ▸ Think of this as the collective immune system
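The baseline-and-deviation idea on this slide (time-of-day deviations from what is observed) and the “abnormality on order sizes” use case from the enterprise-application slides both reduce to the same mechanism: learn a norm from history, then score new events against it. The following is an added example in Python and is not code from the deck or from LogPoint. It builds per-user hour-of-day login profiles and a per-customer order-size baseline from a small constructed event set; the event layout, user and customer names, thresholds and the choice of median absolute deviation (a robust spread measure, so a few large historical orders do not widen the baseline) are assumptions made for the example.

```python
"""Baseline-and-deviation detection over constructed login and ERP order events.

Added example (not from the original deck). Two detectors:
  * hour-of-day profile per user: a login at an hour never seen for that
    user in the baseline window is reported as a deviation, and users with
    too little history are reported as 'no baseline' rather than accepted;
  * robust order-size baseline per customer using median and MAD, so a few
    large historical orders do not inflate the threshold.
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed baseline: (user, ISO timestamp) login events over a few days.
BASELINE_LOGINS = [
    ("alice", "2016-09-05T08:12:00"), ("alice", "2016-09-05T13:40:00"),
    ("alice", "2016-09-06T08:03:00"), ("alice", "2016-09-06T14:10:00"),
    ("alice", "2016-09-07T09:01:00"), ("alice", "2016-09-07T13:55:00"),
    ("bob", "2016-09-05T22:15:00"), ("bob", "2016-09-06T23:02:00"),
    ("bob", "2016-09-07T22:48:00"),
]

# Constructed new events to score against the baseline.
NEW_LOGINS = [
    ("alice", "2016-09-08T08:20:00"),  # normal working hours for alice
    ("alice", "2016-09-08T03:17:00"),  # 03:00 never seen for alice
    ("bob", "2016-09-08T22:30:00"),    # bob is a night-shift user: normal
    ("carol", "2016-09-08T12:00:00"),  # no baseline at all for carol
]

# Constructed ERP order history: customer -> past order amounts.
ORDER_HISTORY = {
    "acme": [1200, 1350, 1100, 1300, 1250, 1400, 1180, 1320],
    "globex": [50, 60, 55, 58, 52, 61, 57, 54],
}


def hour_of(ts: str) -> int:
    return datetime.fromisoformat(ts).hour


def build_hour_profile(events):
    """Map user -> Counter of login hours seen in the baseline window."""
    profile = defaultdict(Counter)
    for user, ts in events:
        profile[user][hour_of(ts)] += 1
    return profile


def login_deviations(profile, events, min_baseline=3):
    """Return (user, ts, reason) for logins outside the user's observed hours.

    Users with fewer than `min_baseline` baseline logins cannot be judged
    and are reported as 'no baseline' instead of being silently accepted.
    """
    findings = []
    for user, ts in events:
        seen = profile.get(user)
        if not seen or sum(seen.values()) < min_baseline:
            findings.append((user, ts, "no baseline"))
            continue
        if seen[hour_of(ts)] == 0:
            findings.append((user, ts, f"hour {hour_of(ts):02d} never seen"))
    return findings


def order_size_outlier(history, amount, k=5.0):
    """Robust z-score: |amount - median| / MAD; True when it exceeds k.

    A MAD of 0 (constant history) falls back to comparing against the median.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:
        return amount != med
    return abs(amount - med) / mad > k


if __name__ == "__main__":
    prof = build_hour_profile(BASELINE_LOGINS)
    for finding in login_deviations(prof, NEW_LOGINS):
        print("login deviation:", finding)
    for customer, amount in (("acme", 1290), ("acme", 9000), ("globex", 400)):
        verdict = "outlier" if order_size_outlier(ORDER_HISTORY[customer], amount) else "normal"
        print(customer, amount, verdict)
```

The “no baseline” branch is the part worth keeping in a real deployment: a new or rarely seen account is exactly the case where silence from the detector is least informative, so it is surfaced as its own finding rather than passing through unscored.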
NEXT GENERATION
WORKING WITH DATA
▸ Clustering:
  ▸ Build a network of events and relations
NEXT GENERATION
WORKING WITH DATA
▸ Drill-down
  ▸ Re-draw - build hierarchies based on relationships
  ▸ Use gathered data, third-party threat intel or collaboration data as a key to further expand the search
  ▸ With our “enriched” analysis we can map a focus area
▸ Replay interactions over time, spot patterns and behaviour
  ▸ Login, data is moved out of the network (repeat ad infinitum)
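The two “working with data” slides above describe one loop: link events into a network of entities and relations, drill down from a seed such as a threat-intel indicator, and replay what touched an entity over time so that a “login, then data leaves the network” sequence stands out. The code below is an added example in Python, not code from the deck or from LogPoint. It builds that graph from a handful of constructed events; the event schema (timestamp, type, source entity, target entity, attributes), the entity naming scheme, the addresses, the time window and the byte threshold are all assumptions made for the example.

```python
"""Event graph with drill-down and replay over constructed log events.

Added example (not from the original deck). Each event links two entities
(users, hosts, destinations); drill-down expands the graph outward from a
seed set, and replay orders the events touching an entity so that a
'login, then data leaves the network' sequence can be spotted.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed events: (timestamp, type, source entity, target entity, attributes)
EVENTS = [
    ("2016-09-08T09:00:00", "login", "user:alice", "host:ws-17", {}),
    ("2016-09-08T09:05:00", "login", "user:alice", "host:fileserver", {}),
    ("2016-09-08T09:12:00", "transfer", "host:fileserver", "ip:203.0.113.9", {"bytes": 850_000_000}),
    ("2016-09-08T10:00:00", "login", "user:bob", "host:ws-04", {}),
    ("2016-09-08T10:30:00", "transfer", "host:ws-04", "ip:198.51.100.20", {"bytes": 12_000}),
    ("2016-09-08T11:00:00", "dns", "host:ws-17", "domain:updates.example", {}),
]

# Constructed enrichment sources used as drill-down seeds / filters.
THREAT_INTEL = {"ip:203.0.113.9"}          # external indicator feed (constructed)
INTERNAL_NETS = ("ip:10.", "ip:192.168.")  # destinations considered internal


def build_graph(events):
    """Undirected adjacency: entity -> set of (neighbour, event index)."""
    graph = defaultdict(set)
    for idx, (_, _, src, dst, _) in enumerate(events):
        graph[src].add((dst, idx))
        graph[dst].add((src, idx))
    return graph


def drill_down(graph, seeds, depth):
    """Breadth-first expansion from the seeds up to `depth` hops.

    Returns (entity -> hop distance, set of traversed event indices); the
    traversed events are the 'focus area' to re-draw for the analyst.
    """
    dist = {s: 0 for s in seeds}
    touched = set()
    queue = deque(seeds)
    while queue:
        node = queue.popleft()
        if dist[node] == depth:
            continue
        for neighbour, idx in graph.get(node, ()):
            touched.add(idx)
            if neighbour not in dist:
                dist[neighbour] = dist[node] + 1
                queue.append(neighbour)
    return dist, touched


def replay(events, entity):
    """Events touching an entity, in time order (the 'replay' view)."""
    hits = [e for e in events if entity in (e[2], e[3])]
    return sorted(hits, key=lambda e: e[0])


def login_then_exfil(events, window_minutes=30, min_bytes=100_000_000):
    """Detect: a login to a host followed within the window by a large
    transfer from that host to a non-internal destination."""
    findings = []
    for ts, kind, user, host, _ in events:
        if kind != "login":
            continue
        t0 = datetime.fromisoformat(ts)
        for ts2, kind2, src, dst, attrs in events:
            if kind2 != "transfer" or src != host or dst.startswith(INTERNAL_NETS):
                continue
            t1 = datetime.fromisoformat(ts2)
            if t0 <= t1 <= t0 + timedelta(minutes=window_minutes) and attrs.get("bytes", 0) >= min_bytes:
                findings.append((user, host, dst, attrs["bytes"]))
    return findings


if __name__ == "__main__":
    g = build_graph(EVENTS)
    reached, _ = drill_down(g, THREAT_INTEL, depth=2)
    print("entities within 2 hops of the indicator:", sorted(reached))
    for e in replay(EVENTS, "host:fileserver"):
        print("replay:", e[:4])
    print("login-then-exfil:", login_then_exfil(EVENTS))
```

Drilling two hops out from the indicator reaches the file server and then the user who logged in to it, which is the hierarchy the slide talks about re-drawing; the replay of the file server then shows the login and the outbound transfer in order, and `login_then_exfil` is that visual pattern written down as a check. The pairwise scan is quadratic and fine for a demonstration; on SIEM volumes the transfers would be indexed by source host first.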
NEXT GENERATION
LIMITATIONS OF CURRENT-GENERATION ARCHITECTURES
▸ Remember the architecture?
  ▸ Ingest, process, analyse, visualise, act
▸ This is inherently inefficient and a testament to legacy
▸ “NoSQL” is more part of the problem than the solution
▸ “BigData” in its true form is what will move us forward
▸ We spend most of the hardware available for processing data on storing it and preparing it
NEXT GENERATION
INSIGHTS INTO NEXT-GENERATION ARCHITECTURES
▸ Small hardware footprint needed for storage
  ▸ No processing, no normalisation, just straight to disk
▸ Use the hardware you have for analytics
  ▸ Towards realtime analytics and away from “queries”
▸ Ingestion of full packet capture as an equal to log collection
NEXT GENERATION
ARCHITECTURE PRINCIPLES
NEXT GENERATION ARCHITECTURE
BIG DATA?
▸ Hadoop (ecosystem) is full of great and powerful tools
▸ Cluster management, realtime streaming, graph
databases, distributed file systems (HDFS) etc.
▸ The technology is ready - vendors just need to get going ;)
CONCLUSIONS
ANALYTICS TRENDS
▸ Machine learning
  ▸ People who bought X also looked at Y
  ▸ Automatic signature and pattern creation
▸ Payload analytics
  ▸ Deep behavioural analytics on network and log data
▸ Frameworks support use cases we could only dream of
  ▸ Online packet compression in real time
  ▸ Analysis on packets to reconstruct network topologies behind NAT
CONCLUSIONS
ANALYTICS TRENDS
▸ Machine Learning Based Botnet Detection With Dynamic Adaptation
▸ Botnet beaconing based on linguistic analytics of DNS names
▸ Detect stealthy DDoS against large-scale networks (ML)
▸ Automated discovery, attribution, analysis and risk assessment
  ▸ Social connectivity graphs, machine learning, automatic malware reverse-engineering
CONCLUSIONS
ANALYTICS TRENDS
▸ Creation of “social graphs” by crawling social networks and intercepting mail traffic
▸ Creation of “social graphs” by analysing voice patterns and writing patterns regardless of where they originate
▸ Combining social graphs and analysing sentiment
  ▸ (Radicalisation between actors)
NEXT GENERATION
PRODUCTISING
▸ Anomaly detection
▸ Machine learning (Spark ML 2.0 just released)
▸ Graph processing (all of Facebook is stored in one graph DB)
▸ Scale dynamically - provision servers and services along with the processing need
▸ Scale locally or in the cloud - based on data sensitivity
NEXT GENERATION
ENRICHMENT
▸ Enriching data is possible today but sees relatively slow adoption in security
▸ STIX/TAXII/CybOX/YARA and other standards provide an ontology for attacks, actors, motives
▸ The SIEM of tomorrow will evaluate every event against internal and external threat intelligence sources
▸ The SIEM of tomorrow will forward-integrate with whatever “flavor of the month” point solution is implemented
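What “evaluate every event against internal and external threat intelligence sources” looks like in code, as an added example in Python that is not part of the deck and not LogPoint code: an external feed modelled as a few constructed STIX 2-style indicator objects, an internal blocklist and an asset database, and an `enrich` step that attaches matches and a priority to each event. Only the simplest STIX pattern form, a single equality comparison such as `[ipv4-addr:value = '203.0.113.9']`, is parsed; that restriction, the event field names, the indicator ids and the asset records are all assumptions made for the example, not a full STIX pattern parser.

```python
"""Evaluate every event against internal and external threat-intelligence
sources and an asset database, producing enriched events.

Added example (not from the original deck). The external feed is modelled as
constructed STIX 2-style indicator objects; only single-comparison equality
patterns are parsed (an assumption made for the example). Patterns using
AND/OR, ranges or other operators are skipped rather than half-evaluated.
"""
import re

# Constructed external feed: STIX 2-style indicator objects (subset of fields,
# placeholder ids).
EXTERNAL_FEED = [
    {"id": "indicator--example-0001", "name": "C2 address",
     "pattern": "[ipv4-addr:value = '203.0.113.9']"},
    {"id": "indicator--example-0002", "name": "Phishing domain",
     "pattern": "[domain-name:value = 'login-portal.example']"},
    {"id": "indicator--example-0003", "name": "Dropper hash",
     "pattern": "[file:hashes.'SHA-256' = 'deadbeef0000000000000000000000000000000000000000000000000000cafe']"},
    {"id": "indicator--example-0004", "name": "Compound pattern (not handled here)",
     "pattern": "[ipv4-addr:value = '198.51.100.7' AND domain-name:value = 'x.example']"},
]

# Constructed internal sources: a blocklist and an asset management DB.
INTERNAL_BLOCKLIST = {"domain": {"old-partner.example"}}
ASSET_DB = {
    "10.0.5.21": {"name": "erp-db-01", "criticality": "high", "owner": "finance"},
    "10.0.7.3": {"name": "ws-17", "criticality": "low", "owner": "helpdesk"},
}

# Which event fields a STIX object path applies to (assumed event schema).
OBSERVABLE_FIELDS = {
    "ipv4-addr:value": ("src_ip", "dst_ip"),
    "domain-name:value": ("domain",),
    "file:hashes.'SHA-256'": ("sha256",),
}

_SIMPLE_PATTERN = re.compile(r"^\[([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'\]$")


def parse_simple_pattern(pattern):
    """Return (object_path, value) for a single-comparison STIX pattern,
    or None when the pattern uses operators this example does not handle."""
    m = _SIMPLE_PATTERN.match(pattern.strip())
    if not m:
        return None
    return f"{m.group(1)}:{m.group(2)}", m.group(3)


def index_feed(feed):
    """Map (event_field, value) -> list of indicator ids for O(1) lookup."""
    index = {}
    for ind in feed:
        parsed = parse_simple_pattern(ind["pattern"])
        if parsed is None:
            continue  # unsupported pattern: skip, do not guess
        path, value = parsed
        for field in OBSERVABLE_FIELDS.get(path, ()):
            index.setdefault((field, value), []).append(ind["id"])
    return index


def enrich(event, feed_index, blocklist=INTERNAL_BLOCKLIST, assets=ASSET_DB):
    """Attach external intel matches, internal blocklist hits, asset context
    and a priority derived from both."""
    out = dict(event)
    out["intel_matches"] = []
    out["blocklist_matches"] = []
    for field, value in event.items():
        out["intel_matches"].extend(feed_index.get((field, value), []))
        if value in blocklist.get(field, ()):
            out["blocklist_matches"].append(field)
    out["assets"] = {f: assets[event[f]] for f in ("src_ip", "dst_ip")
                     if f in event and event[f] in assets}
    matched = bool(out["intel_matches"] or out["blocklist_matches"])
    critical = any(a["criticality"] == "high" for a in out["assets"].values())
    out["priority"] = "high" if matched and critical else "medium" if matched else "low"
    return out


if __name__ == "__main__":
    idx = index_feed(EXTERNAL_FEED)
    sample = {"src_ip": "10.0.5.21", "dst_ip": "203.0.113.9", "domain": "login-portal.example"}
    print(enrich(sample, idx))
```

Indexing the feed once by (field, value) is what makes “every event” affordable: the per-event cost is a handful of dictionary lookups regardless of feed size. Unsupported patterns are dropped explicitly rather than partially matched, which is the safer failure mode for a correlation source.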
TRANSITIONS
CONCLUSIONS
CONCLUSIONS
TRANSITIONS
▸ The threat landscape is changing
▸ The efficiency of technical controls declines in comparison to the economy of the attacker
▸ We have to level the playing field by understanding our weaknesses
▸ Ensure we have security analytics in place
▸ Ensure we have the insights and capacities to deal with it ourselves, or move it to a third party (responsibility not included)
CONCLUSIONS
TECHNOLOGY TRENDS
▸ We move to larger platforms
  ▸ Built with the tools developed at Twitter, LinkedIn and Facebook
▸ Queries, SQL and pre-processed data do not scale
▸ Imagine an outsourced SOC with an installed capacity for 20 of the Top 2000 companies in Europe -
  ▸ Millions and millions of events every second (EPS)
ANALYTICS
WRAP UP
▸ We have the technology now
▸ We have the math
▸ And we are starting to understand the threats and playing field
▸ The vendors just have to wrap everything together
▸ Few, if any, organisations have the capacity to write algorithms

G-Research - Privacera - Dataworks Summit 2018G-Research - Privacera - Dataworks Summit 2018
G-Research - Privacera - Dataworks Summit 2018
Alberto Romero
 
Application Security by Ethical Hackers
Application Security by Ethical HackersApplication Security by Ethical Hackers
Application Security by Ethical Hackers
Entersoft
 
A Practical Security Framework for Website Owners
A Practical Security Framework for Website OwnersA Practical Security Framework for Website Owners
A Practical Security Framework for Website Owners
Tony Perez
 
Top 10 Tips for Selecting a Threat and Vulnerability Management Solution
Top 10 Tips for Selecting a Threat and Vulnerability Management SolutionTop 10 Tips for Selecting a Threat and Vulnerability Management Solution
Top 10 Tips for Selecting a Threat and Vulnerability Management Solution
Enterprise Management Associates
 
The Perils that PCI brings to Security
The Perils that PCI brings to SecurityThe Perils that PCI brings to Security
The Perils that PCI brings to Security
Tripwire
 
Jim Geovedi - Machine Learning for Cybersecurity
Jim Geovedi - Machine Learning for CybersecurityJim Geovedi - Machine Learning for Cybersecurity
Jim Geovedi - Machine Learning for Cybersecurity
idsecconf
 
Be the Hunter
Be the Hunter Be the Hunter
Be the Hunter
Rahul Neel Mani
 
LogRhythm_-_Modern_Cyber_Threat_Pandemic.pptx
LogRhythm_-_Modern_Cyber_Threat_Pandemic.pptxLogRhythm_-_Modern_Cyber_Threat_Pandemic.pptx
LogRhythm_-_Modern_Cyber_Threat_Pandemic.pptx
CNSHacking
 
Up your Infosec game
Up your Infosec gameUp your Infosec game
Up your Infosec game
Michalis Kamprianis
 
How to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrikeHow to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrike
CrowdStrike
 

Similar to Next generation security analytics (20)

ProActive Security
ProActive SecurityProActive Security
ProActive Security
 
ProActive Security
ProActive SecurityProActive Security
ProActive Security
 
Legacy-SecDevOps (AppSec Management Debrief)
Legacy-SecDevOps (AppSec Management Debrief)Legacy-SecDevOps (AppSec Management Debrief)
Legacy-SecDevOps (AppSec Management Debrief)
 
DevOps Security - Is It Really So Difficult? - Reuven Harrison - DevOpsDays T...
DevOps Security - Is It Really So Difficult? - Reuven Harrison - DevOpsDays T...DevOps Security - Is It Really So Difficult? - Reuven Harrison - DevOpsDays T...
DevOps Security - Is It Really So Difficult? - Reuven Harrison - DevOpsDays T...
 
Building trust in your data lake. A fintech case study on automated data disc...
Building trust in your data lake. A fintech case study on automated data disc...Building trust in your data lake. A fintech case study on automated data disc...
Building trust in your data lake. A fintech case study on automated data disc...
 
Tactical Edge - How Much Security Do You Really Need?
Tactical Edge - How Much Security Do You Really Need?Tactical Edge - How Much Security Do You Really Need?
Tactical Edge - How Much Security Do You Really Need?
 
Stop Wasting Your Time: Focus on Security Practices that Actually Matter
Stop Wasting Your Time: Focus on Security Practices that Actually MatterStop Wasting Your Time: Focus on Security Practices that Actually Matter
Stop Wasting Your Time: Focus on Security Practices that Actually Matter
 
Effective security
Effective securityEffective security
Effective security
 
ThreatStack Workshop: Stop Wasting Your Time: Focus on Security Practices tha...
ThreatStack Workshop: Stop Wasting Your Time: Focus on Security Practices tha...ThreatStack Workshop: Stop Wasting Your Time: Focus on Security Practices tha...
ThreatStack Workshop: Stop Wasting Your Time: Focus on Security Practices tha...
 
Chaos monitoring
Chaos monitoringChaos monitoring
Chaos monitoring
 
G-Research - Privacera - Dataworks Summit 2018
G-Research - Privacera - Dataworks Summit 2018G-Research - Privacera - Dataworks Summit 2018
G-Research - Privacera - Dataworks Summit 2018
 
Application Security by Ethical Hackers
Application Security by Ethical HackersApplication Security by Ethical Hackers
Application Security by Ethical Hackers
 
A Practical Security Framework for Website Owners
A Practical Security Framework for Website OwnersA Practical Security Framework for Website Owners
A Practical Security Framework for Website Owners
 
Top 10 Tips for Selecting a Threat and Vulnerability Management Solution
Top 10 Tips for Selecting a Threat and Vulnerability Management SolutionTop 10 Tips for Selecting a Threat and Vulnerability Management Solution
Top 10 Tips for Selecting a Threat and Vulnerability Management Solution
 
The Perils that PCI brings to Security
The Perils that PCI brings to SecurityThe Perils that PCI brings to Security
The Perils that PCI brings to Security
 
Jim Geovedi - Machine Learning for Cybersecurity
Jim Geovedi - Machine Learning for CybersecurityJim Geovedi - Machine Learning for Cybersecurity
Jim Geovedi - Machine Learning for Cybersecurity
 
Be the Hunter
Be the Hunter Be the Hunter
Be the Hunter
 
LogRhythm_-_Modern_Cyber_Threat_Pandemic.pptx
LogRhythm_-_Modern_Cyber_Threat_Pandemic.pptxLogRhythm_-_Modern_Cyber_Threat_Pandemic.pptx
LogRhythm_-_Modern_Cyber_Threat_Pandemic.pptx
 
Up your Infosec game
Up your Infosec gameUp your Infosec game
Up your Infosec game
 
How to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrikeHow to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrike
 

Recently uploaded

Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
Zilliz
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Speck&Tech
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neo4j
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 

Recently uploaded (20)

Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 

Next generation security analytics

  • 1. NEXT GENERATION SECURITY ANALYTICS
    CHRISTIAN HAVE @CKHAVE CH@LOGPOINT.COM
  • 2. ATTACKERS NAVIGATE A GRAPH. DEFENDERS TYPICALLY THINK IN POINT-SOLUTIONS
    ME! ACADEMIC PSEUDO-INTELLECTUALISM
  • 3. THE PATH OF LEAST RESISTANCE
  • 4. GRAPHS? NAVIGATING A GRAPH
    ▸ Expensive exploits are expensive
    ▸ Use the least expensive weapon
    ▸ Cost of 0Day exploits
    ▸ Use once == expensive
  • 5. DEFENDERS THINK IN POINT SOLUTIONS: IMPLEMENTING MOVIE-PLOT POINTS
    ▸ Natural-path engineering; lay out buildings, let people find paths
    ▸ We find the best way forward
    ▸ We get around controls - it’s in our nature.
  • 6. MOTIVATION IS NOT IMPACTED BY CONTROLS. AS LONG AS THE ATTACK IS ECONOMICALLY FEASIBLE MOTIVATION REMAINS.
    ME! ACADEMIC PSEUDO-INTELLECTUALISM
  • 7. MOTIVATION AND ECONOMIC BENEFIT
    ▸ The implementation of the “child pornography filter” did not change the number of convictions in Denmark
    ▸ It did move it out of the “open” Internet
    ▸ Introducing a censorship filter for enticing terrorism will not solve the problem of radicalising the youth
    ▸ It will move it from the “open” Internet somewhere else
    ▸ The clearing of Pusher Street in Christiania did not stop the sale of marihuana
    ▸ It did move it out of the open
    ▸ Laws work wonders for law-abiding citizens
  • 8. ECONOMIC BENEFIT
    ▸ Paedophiles will not stop because of a DNS block, regardless of the penalty
    ▸ Buying marihuana does not carry a penalty in Denmark
    ▸ Selling marihuana does not carry a penalty (besides whatever you have on you at the point of arrest)
    ▸ We can only start winning once we understand what “winning” is and what game we are actually playing
  • 9. WE FIGHT HUMAN NATURE. PICKING THE RIGHT BATTLE IS KEY FOR WINNING.
    ME
    PICKING THE RIGHT BATTLE
  • 10. WE WANT THE EASIEST ATTACKS. NOT THE HARDEST.
    ME
    WINNING THE RIGHT BATTLE
  • 11. EASY ATTACKS - SINCE WE CAN’T AVOID ATTACKS: SURRENDERING?
    ▸ Attackers are lazy
    ▸ Attackers optimise cost (0days)
    ▸ Controls raise the cost of attacks
    ▸ Making attacks hard to detect
    ▸ Controls are not “free”
    ▸ Cancer-screening has a higher mortality than not screening
    ▸ Anti-Virus engines are points-of-infection
    ▸ Accept attacks will happen
    ▸ Deal with the attacks when they happen
    ▸ Don’t screen for cancer or move the attackers away from the obvious routes
  • 12. EASY ATTACKS - SINCE THEY CAN’T BE AVOIDED: NOT SURRENDERING - PICKING THE BATTLEFIELD
    ▸ Defensively design your security architecture
    ▸ Understand its weaknesses
    ▸ Exploit weaknesses
    ▸ Monitor and gather intelligence, and defend smarter
  • 13. ECONOMY OF THE DEFENCE: SHOULDN’T WE INVEST IN CONTROLS?
    ▸ Of course!
    ▸ Controls are associated with costs towards the attacks
    ▸ The barrier of entry (cost of attack) deters some, but typically only the lowest on the spectrum
    ▸ Controls as point-solutions give way to target-fixation
    ▸ GDPR changes the economy of the defence
  • 14. CURRENT STATE OF SECURITY ANALYTICS: INTRO
  • 15. CURRENT STATE OF SECURITY ANALYTICS: COMPONENTS OF SECURITY ANALYTICS
    DATA → INGEST → PROCESS → ANALYSE → PRESENT → VIZ → ACT.
  • 16. CURRENT STATE OF SECURITY ANALYTICS: DATA INGESTION
    ▸ Nothing new.
    ▸ Everyone does syslog
    ▸ Everyone has an agent
    ▸ Some do Flow-analytics
    ▸ Some do application-level analytics
    ▸ Few do full-packet captures
  • 17. CURRENT STATE OF SECURITY ANALYTICS: PROCESSING
    ▸ Inbound content must be structured
    ▸ Structure sometimes follows a common language
    ▸ Taxonomy, Ontology - whatever floats your boat
    ▸ Some content is sometimes enriched with metadata
    ▸ Threat Intel, GeoIP, Asset Management DB info etc.
    ▸ This part has to be fast - many vendors “cheat”
  • 18. ANALYSIS: SECURITY ANALYTICS
    ▸ Analytics today is relatively simple
    ▸ Simple statistics
    ▸ Advanced statistics
    ▸ Patterns
    ▸ Known-bad, known-good analysis on more COTS platforms
    ▸ Most vendors pack tons of alerts and correlations
  • 19. ANALYSIS: PRESENTATION
    ▸ Most vendors provide views on the raw data or an abstraction of the raw data
    ▸ Most vendors provide a relatively easy way to set up views on the raw or aggregated data for analytics
    ▸ Some vendors have great views when presenting alerts and important events
    ▸ Few if any systems are able to present hierarchies of data, the relationships between events and deviations on hierarchies
  • 20. ANALYSIS: DATA VISUALIZATION
    ▸ Pie charts
    ▸ Geo maps
    ▸ Tables
    ▸ Rows, columns and heatmaps
    ▸ Nothing you couldn’t do with Excel - and maybe that’s ok
  • 21. ANALYSIS: ACTIONS
    ▸ We collect syslog, application data and network data
    ▸ We process it, transform it
    ▸ We enrich and present it both for the analyst and graphically
    ▸ Making the system provide actionable information for the analyst
    ▸ Some systems even go the next step and perform proactive responses on other platforms
    ▸ E.g. shuts ports, adds to ACLs, disables users
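The ingest, process, analyse and act stages listed on slides 16 to 21, as an added example that is not part of the original deck or of any vendor's product: a minimal Python pipeline that parses constructed firewall syslog lines into structured events, enriches them with a constructed threat-intel list, GeoIP table and asset inventory (the metadata sources slide 17 names), flags known-bad destinations with a severity weighted by asset criticality, and maps each alert to a response of the kind slide 21 mentions. The log format, the field names and every address and table entry are assumptions made for this illustration.

```python
"""Added example: ingest -> process -> enrich -> analyse -> act over constructed syslog lines.
Not from the original deck; log format and enrichment tables are assumptions."""
import ipaddress
import re

# Constructed sample firewall lines (made-up addresses from the documentation ranges).
SAMPLE_LOGS = [
    "Jun 10 09:14:02 fw01 kernel: CONN src=10.1.4.23 dst=203.0.113.50 dport=443 proto=tcp action=allow",
    "Jun 10 09:14:05 fw01 kernel: CONN src=10.1.4.23 dst=198.51.100.7 dport=4444 proto=tcp action=allow",
    "Jun 10 09:15:10 fw01 kernel: CONN src=10.1.9.8 dst=192.0.2.10 dport=80 proto=tcp action=deny",
    "Jun 10 09:15:11 fw01 kernel: unparsable line that should be counted, not crash the pipeline",
]

# Constructed enrichment sources: threat intel, a crude GeoIP table and an asset inventory.
THREAT_INTEL = {"198.51.100.7": "listed as C2 in constructed feed"}
GEOIP = {ipaddress.ip_network("203.0.113.0/24"): "DK",
         ipaddress.ip_network("198.51.100.0/24"): "XX",
         ipaddress.ip_network("192.0.2.0/24"): "US"}
ASSETS = {"10.1.4.23": {"owner": "finance", "criticality": "high"},
          "10.1.9.8": {"owner": "guest-wifi", "criticality": "low"}}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<app>[^:]+): CONN (?P<kv>.*)$")


def parse_line(line):
    """INGEST/PROCESS: one raw line -> structured event dict, or None if it does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"ts": m["ts"], "reporter": m["host"]}
    for pair in m["kv"].split():
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def geo_lookup(ip):
    """Toy GeoIP: the first constructed network containing the address wins."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEOIP.items():
        if addr in net:
            return country
    return "??"


def enrich(event):
    """PROCESS: attach threat intel, GeoIP and asset-management context to the event."""
    event["dst_country"] = geo_lookup(event["dst"])
    event["ti_match"] = THREAT_INTEL.get(event["dst"])
    asset = ASSETS.get(event["src"], {"owner": "unknown", "criticality": "unknown"})
    event["src_owner"] = asset["owner"]
    event["src_criticality"] = asset["criticality"]
    return event


def analyse(event):
    """ANALYSE: known-bad matching, with severity weighted by the source asset's criticality."""
    if not event["ti_match"]:
        return None
    severity = "critical" if event["src_criticality"] == "high" else "medium"
    return {"severity": severity, "src": event["src"], "dst": event["dst"],
            "dst_country": event["dst_country"], "owner": event["src_owner"],
            "reason": event["ti_match"]}


def act(alert):
    """ACT: a proactive response of the kind the deck mentions (ACLs) or a ticket for the owner."""
    if alert["severity"] == "critical":
        alert["action"] = "isolate source host and add destination to deny ACL"
    else:
        alert["action"] = "open ticket for owner " + alert["owner"]
    return alert


def run_pipeline(lines):
    """Run every stage end to end. Returns (alerts, parsed_count, dropped_count)."""
    alerts, parsed, dropped = [], 0, 0
    for line in lines:
        event = parse_line(line)
        if event is None:
            dropped += 1  # keep a count: silently losing lines hides blind spots
            continue
        parsed += 1
        alert = analyse(enrich(event))
        if alert:
            alerts.append(act(alert))
    return alerts, parsed, dropped


if __name__ == "__main__":
    for alert in run_pipeline(SAMPLE_LOGS)[0]:
        print(alert)
```

Running it on the four constructed lines yields one critical alert for the finance workstation talking to the listed destination, three parsed lines and one dropped line; the dropped counter is the part a practitioner should watch, because the "cheating" slide 17 warns about usually shows up as silently discarded events rather than as errors.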
  • 22. CURRENT STATE OF SECURITY ANALYTICS: COMPONENTS OF SECURITY ANALYTICS
    DATA → INGEST → PROCESS → ANALYSE → PRESENT → VIZ → ACT.
    USING SIEM AND GETTING VALUE FROM ANALYTICS: SCALING OUT, ANCHOR IN ORG, INVEST IN PROJ., IN-HOUSE?, NON-INF APPS
  • 24. USING AND GETTING VALUE OUT OF SIEM: SCALING OUT
    ▸ The only thing constant is change; 20% growth in volume
    ▸ Areas that we need to scale on
    ▸ Ingestion
    ▸ Processing
    ▸ Storage
    ▸ Presentation
  • 25. USING AND GETTING VALUE OUT OF SIEM: SCALING OUT
    ▸ Ensure your system scales well when it comes to ingestion
    ▸ Everyone is doing it differently
    ▸ Some solutions tie together backends and presentation layers
    ▸ Scaling presentation is immensely important for widespread adoption in your organisation
    ▸ Scaling the backends should not be a concern in 2016
  • 27. SIEMS FAIL WHEN THEY ARE LEFT ALONE
    ME
    WHEN DO WE FAIL
  • 29. IN THE CORNER. SILENTLY COLLECTING LOGS AND TRIGGERING ALERTS NOBODY WILL EVER SEE.
    ME
    WHEN DO WE FAIL
  • 30. USING AND GETTING VALUE OUT OF SIEM: ORGANISATIONAL ANCHORING
    ▸ SIEMs fail if they are the point solution to a problem
    ▸ Stakeholders lose interest
    ▸ The value-prop was never clear
    ▸ A great sale but a horrible purchase
  • 31. USING AND GETTING VALUE OUT OF SIEM: ORGANISATIONAL ANCHORING
    ▸ Logs and network data are immensely rich in information
    ▸ This information can be used for much more than security
    ▸ Let help-desk users use pre-defined views and prepared analytics for easier resolution (move work to 1st level support)
    ▸ Allow your Ops team to use analytics for root-cause analysis, statistics for predictions and forecasts
    ▸ Allow your management team to view the quality of infrastructure and do controls of outsourced services
    ▸ Liberate data from silos
  • 33. USING AND GETTING VALUE OUT OF SIEM: INVESTING IN THE PROJECT
    ▸ Set expectations - understand why we use analytics
    ▸ Introduce the notion of the Lockheed Martin Cyber Kill Chain (see next slide)
    ▸ Understand the threat landscape
    ▸ Identify the key threats to the organisation (ext)
    ▸ Identify the key threats identified by the organisation (int)
    ▸ Bringing it all together
  • 38. INVESTING IN THE PROJECT: IDENTIFYING KEY INTERNALLY IDENTIFIED THREATS
    ▸ Use the internal risk assessment
    ▸ Compare with external threat information
    ▸ Identify any potential gap - ask yourself why it exists
  • 39. INVESTING IN THE PROJECT: BRINGING IT ALL TOGETHER
    ▸ With threats and critical systems identified
    ▸ And with an understanding of the kill-chain and the cost of controls in mind
    ▸ The task of the project team is to identify the success criteria for the project with a common acceptance and buy-in from leadership and stakeholders
  • 41. THE SECURITY OPERATIONS CENTER: CONSIDERATIONS
    ▸ The 3 Ps
    ▸ People, Process and Technology
    ▸ Is it possible to retain skill
    ▸ At the level we need
    ▸ In numbers sufficient to staff the SOC
    ▸ Are we mature enough to identify which alerts and incidents we want to act on
    ▸ Can we with confidence say that we understand how to act when we then receive the alert?
    ▸ Engagement models:
    ▸ Who takes action on our network during a breach
    ▸ What gets escalated back “home”
    ▸ Do we have sensitive data preventing a full managed SOC?
  • 43. USING SIEM FOR ENTERPRISE APPLICATIONS: WHERE IS THE GOLD IN YOUR NETWORK
    ▸ Third generation SCADA
    ▸ Industry 4.0
    ▸ SOA-enabling your ERP platforms
    ▸ Federated access with suppliers
  • 44. WHERE IS THE GOLD: PATH OF LEAST RESISTANCE
    ▸ Vulnerabilities in SCADA
    ▸ Hard-coded admin passwords
    ▸ Non-patchable systems, “because operational IT”
    ▸ Non-networked mindset of admins
    ▸ Industry 4.0
    ▸ “Smart products with localisation point, status, historical positions and data points, allowing globally unique identification of all products” - good luck with that
  • 45. WHERE IS THE GOLD: PATH OF LEAST RESISTANCE
    ▸ SOA-enabling your ERP platforms
    ▸ % of SAP notes found externally
    ▸ SAP offers mobile access, organisations offer BYOD
    ▸ Do we trust jail-break detection?
    ▸ Federated access with external suppliers
    ▸ Identities do not exist any longer
    ▸ Business rules define access to the network now
  • 46. WHERE IS THE GOLD: USE-CASES FOR ENTERPRISE APPLICATION SIEM USE
    ▸ Changing master data records
    ▸ Critical transactions (payments)
    ▸ Changes in performance data (valve pressure)
    ▸ Critical changes to equipment (voltage, valve positions)
    ▸ Abnormality on order sizes, frequency, workflows
    ▸ The data is here - why not use it?
  • 49. NEXT GENERATION - CHALLENGES: DIVERSITY IN DATA - VALUE IS FOUND EVERYWHERE
    TWO PROBLEMS: LARGE VARIATION, LARGE VOLUME
  • 50. NEXT GENERATION: INFORMATION OVERLOAD - OVERCOMING CHALLENGES
    ▸ Even with effective alerts, the amount of data is unmanageable
    ▸ Workflow is the key
    Workflow stages: PREPARE, SITUATIONAL AWARENESS, IDENTIFY, ANALYSIS, REACT, INVESTIGATE, IMPROVE, COLLABORATE
  • 51. NEXT GENERATION: WORKFLOW
    ▸ Situational awareness
    ▸ Identify anomalies based on what is observed
    ▸ Time of day deviations or time of year (scale!)
    ▸ Identify / analyse
    ▸ Based on the norm and baseline we can work on large-scale analytics
    ▸ Complex temporal changes in behaviours and activity
    ▸ React and “arm the investigators”
    ▸ Rapid response on what data was exposed, how and not least why
    ▸ Improve / Collaborate
    ▸ Feedback of the intelligence created in the analysis must be fed back into the system
    ▸ Partners and collaborators must receive the right amount of supporting information
    ▸ Think of this as the collective immune system
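The time-of-day baseline that slide 51 puts under "situational awareness", as an added example that is not code from the original deck: a per-user hour-of-day profile is learned from a constructed two-week login history and each new event is scored against it. The history, the user names, the neighbouring-hour smoothing and the 2% threshold are all assumptions chosen for the illustration; the only state kept per user is 24 counters, which is what lets this kind of baseline scale to the volumes the slide hints at.

```python
"""Added example: per-user hour-of-day baseline and deviation scoring.
Constructed history, not data from the original deck; thresholds are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime


def build_history():
    """Constructed two-week login history: alice works days, bob works nights."""
    events = []
    for day in range(1, 15):
        for hour in (8, 9, 12, 16):
            events.append(("alice", datetime(2016, 6, day, hour, 5)))
        for hour in (22, 23, 2):
            events.append(("bob", datetime(2016, 6, day, hour, 30)))
    return events


def build_baseline(history):
    """Per user: fraction of historical events seen in each hour of the day.
    Only 24 counters per user are kept, so memory grows with the entity count, not the event count."""
    per_user = defaultdict(Counter)
    for user, ts in history:
        per_user[user][ts.hour] += 1
    baseline = {}
    for user, counts in per_user.items():
        total = sum(counts.values())
        baseline[user] = {hour: count / total for hour, count in counts.items()}
    return baseline


def hour_likelihood(profile, hour):
    """Mass at the hour plus half of each neighbouring hour, wrapping around midnight,
    so an event at 08:59 versus 09:01 does not flip the verdict."""
    before, after = (hour - 1) % 24, (hour + 1) % 24
    return profile.get(hour, 0.0) + 0.5 * (profile.get(before, 0.0) + profile.get(after, 0.0))


def score_event(baseline, user, ts, threshold=0.02):
    """Score one new event; ts may be a datetime or an ISO-8601 string.
    A user with no baseline at all is itself a deviation worth a look."""
    if isinstance(ts, str):
        ts = datetime.fromisoformat(ts)
    profile = baseline.get(user)
    if profile is None:
        return {"user": user, "hour": ts.hour, "likelihood": 0.0,
                "anomalous": True, "reason": "no baseline for this user"}
    likelihood = hour_likelihood(profile, ts.hour)
    anomalous = likelihood < threshold
    return {"user": user, "hour": ts.hour, "likelihood": round(likelihood, 3),
            "anomalous": anomalous,
            "reason": "hour outside baseline" if anomalous else "within baseline"}


if __name__ == "__main__":
    baseline = build_baseline(build_history())
    for user, when in (("alice", "2016-06-20T03:00:00"), ("alice", "2016-06-20T09:00:00"),
                       ("bob", "2016-06-20T03:00:00"), ("mallory", "2016-06-20T09:00:00")):
        print(score_event(baseline, user, when))
```

With these constructed users a 03:00 login is anomalous for alice but ordinary for bob, which is the point of keeping the baseline per entity rather than per organisation; the same counters keyed by week-of-year instead of hour give the "time of year" variant the slide mentions.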
  • 52. NEXT GENERATION: WORKING WITH DATA
    ▸ Clustering:
    ▸ Build a network of events and relations
  • 53. NEXT GENERATION: WORKING WITH DATA
    ▸ Drill-down
    ▸ Re-draw - build hierarchies based on relationships
    ▸ Use gathered data, third party threat intel or collaboration data as a key to further expand on the search
    ▸ With our “enriched” analysis we can map a focus area
    ▸ Replay interactions over time, spot patterns and behaviour
    ▸ Login, data is moved out of network (repeat ad infinitum)
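The network of events and relations from slide 52 and the drill-down, focus area and replay from slide 53, as an added example that is not code from the original deck: constructed login, file-access and outbound-transfer events are linked into a bipartite entity/event graph, a constructed threat-intel hit is used as the key to expand the search by a given number of hops, and the resulting focus area is replayed in time order to find the "login, then data is moved out of the network" sequence the slide describes. The event schema, the one-hour window, the host and user names and the addresses are assumptions for the illustration.

```python
"""Added example: relation graph over constructed events, drill-down from a threat-intel seed,
and time-ordered replay of the neighbourhood to spot 'login, then data moved out'.
Not code from the original deck; event schema, window and sample data are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed events (ISO timestamps sort lexicographically, which replay relies on).
EVENTS = [
    {"ts": "2016-06-10T08:55:00", "type": "login", "user": "alice", "host": "ws-17", "src_ip": "10.1.4.23"},
    {"ts": "2016-06-10T09:02:00", "type": "file_access", "user": "alice", "host": "ws-17",
     "object": "fileserver:/finance/q2.xlsx"},
    {"ts": "2016-06-10T09:14:05", "type": "outbound", "host": "ws-17", "dst": "198.51.100.7", "bytes": 52_000_000},
    {"ts": "2016-06-10T10:30:00", "type": "login", "user": "bob", "host": "ws-22", "src_ip": "10.1.9.8"},
    {"ts": "2016-06-10T11:00:00", "type": "outbound", "host": "ws-22", "dst": "203.0.113.50", "bytes": 2_000},
    {"ts": "2016-06-11T01:10:00", "type": "login", "user": "alice", "host": "srv-db-1", "src_ip": "10.1.4.23"},
    {"ts": "2016-06-11T01:25:00", "type": "outbound", "host": "srv-db-1", "dst": "198.51.100.7", "bytes": 900_000_000},
]

# Constructed threat-intel hit; it is the key the search is expanded from.
BAD_DESTINATIONS = {"198.51.100.7"}

# Which event fields become which kind of entity node.
ENTITY_FIELDS = {"user": "user", "host": "host", "src_ip": "ip", "dst": "ip", "object": "file"}


def entities(event):
    """Typed node names for one event, e.g. ['user:alice', 'host:ws-17', 'ip:10.1.4.23']."""
    return [f"{kind}:{event[field]}" for field, kind in ENTITY_FIELDS.items() if field in event]


def build_graph(events):
    """Clustering step: bipartite graph of entity nodes <-> 'event:N' nodes."""
    graph = defaultdict(set)
    for i, ev in enumerate(events):
        node = f"event:{i}"
        for ent in entities(ev):
            graph[node].add(ent)
            graph[ent].add(node)
    return graph


def expand(graph, seed, hops):
    """Drill-down: breadth-first expansion; returns {node: distance} within `hops` edges."""
    seen = {seed: 0}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if seen[node] == hops:
            continue
        for neighbour in graph[node]:
            if neighbour not in seen:
                seen[neighbour] = seen[node] + 1
                queue.append(neighbour)
    return seen


def replay(events, focus):
    """Chronological replay of only the events inside the focus area."""
    touched = [ev for i, ev in enumerate(events) if f"event:{i}" in focus]
    return sorted(touched, key=lambda ev: ev["ts"])


def login_then_exfil(timeline, window=timedelta(hours=1)):
    """The deck's pattern: a login on a host, then an outbound transfer from that host to a listed
    destination within `window`. Returns one match per such transfer."""
    last_login, matches = {}, []
    for ev in timeline:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "login":
            last_login[ev["host"]] = (ev["user"], ts)
        elif ev["type"] == "outbound" and ev["dst"] in BAD_DESTINATIONS and ev["host"] in last_login:
            user, t0 = last_login[ev["host"]]
            if ts - t0 <= window:
                matches.append({"user": user, "host": ev["host"], "dst": ev["dst"], "bytes": ev["bytes"],
                                "minutes": round((ts - t0).total_seconds() / 60, 1)})
    return matches


def investigate(seed_ip, hops=4):
    """Seed -> focus area -> replay -> pattern matches. Two hops reach the hosts that talked to the
    seed; four hops also reach the logins and files on those hosts, which the pattern needs."""
    graph = build_graph(EVENTS)
    focus = expand(graph, f"ip:{seed_ip}", hops)
    timeline = replay(EVENTS, focus)
    return focus, timeline, login_then_exfil(timeline)


if __name__ == "__main__":
    focus, timeline, matches = investigate("198.51.100.7")
    print(sorted(focus.items(), key=lambda kv: kv[1]))
    for m in matches:
        print(m)
```

The hop count is the "re-draw" control from the slide: at two hops the focus area holds only the two hosts that contacted the listed address and the replay finds nothing, at four hops it pulls in the logins and the finance file on those hosts and the sequence appears twice, while bob's unrelated activity never enters the focus area at all.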
  • 54. NEXT GENERATION: LIMITATIONS OF CURRENT-GENERATION ARCHITECTURES
    ▸ Remember the architecture?
    ▸ Ingest, process, analyse, visualise, act
    ▸ This is inherently inefficient and a testament to legacy
    ▸ “NoSQL” is more part of the problem than the solution
    ▸ “BigData” in its true form is what will move us forward
    ▸ We spend most of the hardware available for processing data on storing it and preparing it
  • 55. NEXT GENERATION: INSIGHTS INTO NEXT-GENERATION ARCHITECTURES
    ▸ Small hardware footprint needed for storage
    ▸ No processing, no normalisation, just straight to disk
    ▸ Use the hardware you have for analytics
    ▸ Towards realtime analytics and away from “Queries”
    ▸ Ingestion of full packet capture as an equal part to log collection
  • 57. NEXT GENERATION ARCHITECTURE: BIG DATA?
    ▸ Hadoop (ecosystem) is full of great and powerful tools
    ▸ Cluster management, realtime streaming, graph databases, distributed file systems (HDFS) etc.
    ▸ The technology is ready - vendors just need to get going ;)
  • 58. CONCLUSIONS: ANALYTICS TRENDS
    ▸ Machine Learning
    ▸ People who bought X also looked at Y
    ▸ Automatic signature and pattern creation
    ▸ Payload analytics
    ▸ Deep behavioural analytics on network and log data
    ▸ Frameworks support use-cases we could only dream of
    ▸ Online packet compression in real-time
    ▸ Analysis on packets to reconstruct network topologies behind NAT
  • 59. CONCLUSIONS: ANALYTICS TRENDS
    ▸ Machine Learning Based Botnet Detection With Dynamic Adaptation
    ▸ Botnet beaconing based on linguistic analytics of DNS names
    ▸ Detect stealthy DDoS against large-scale networks (ML)
    ▸ Automated discovery, attribution, analysis and risk assessment
    ▸ Social connectivity graphs, Machine Learning, automatic malware reverse-engineering
  • 60. CONCLUSIONS: ANALYTICS TRENDS
    ▸ Creation of “Social graphs” by crawling social networks and intercepting mail traffic
    ▸ Creation of “Social graphs” by analysing voice patterns and writing patterns regardless of where they originate
    ▸ Combining social graphs and analysing sentiment
    ▸ (Radicalisation between actors)
  • 61. NEXT GENERATION: PRODUCTISING
    ▸ Anomaly detection
    ▸ Machine learning (SparkML 2.0 just released)
    ▸ Graph processing (All of Facebook is stored in 1 GraphDB)
    ▸ Scale dynamically - provision servers and services along with the processing need
    ▸ Scale locally or in the cloud - based on data sensitivity
  • 62. NEXT GENERATION: ENRICHMENT
    ▸ Enriching data is possible today but sees relatively slow adoption in security
    ▸ STIX/TAXII/CybOX/YARA and other standards provide an ontology for attacks, actors, motives
    ▸ The SIEM of tomorrow will evaluate every event against internal and external threat intelligence sources
    ▸ The SIEM of tomorrow will forward-integrate with whatever “flavor of the month” point-solution is implemented
  • 64. CONCLUSIONS: TRANSITIONS
    ▸ The threat landscape is changing
    ▸ The efficiency of technical controls declines in comparison to the economy of the attacker
    ▸ We have to level the playing field by understanding our weaknesses
    ▸ Ensure we have security analytics in place
    ▸ Ensure we have the insights and capacity to deal with it ourselves or move it to a third party (responsibility not included)
  • 65. CONCLUSIONS: TECHNOLOGY TRENDS
    ▸ We move to larger platforms
    ▸ Built with the tools developed at Twitter, LinkedIn and Facebook
    ▸ Queries, SQL and pre-processed data do not scale
    ▸ Imagine an out-sourced SOC with an installed capacity for 20 of the Top 2000 companies in Europe -
    ▸ Millions and millions of events every second (EPS)
  • 66. ANALYTICS: WRAP UP
    ▸ We have the technology now
    ▸ We have the math
    ▸ And we are starting to understand the threats and playing field
    ▸ The vendors just have to wrap everything together
    ▸ Few, if any, organisations have the capacity to write algorithms