Security Analytics for Data Discovery: Closing the SIEM Gap
Eric Johansen
Sr. Solutions Architect
eric.johansen@firemon.com
Background
Virus CERT / Incident Response @ IBM
MSS Architect @ IBM Internet Security Systems
 SME: IBM SELM (Security Event & Log Management)
MSS Architect @ FishNet Security
 Launched Hosted SIEM and Co-managed SIEM Services
MSS Biz Dev @ Optiv
Overview
- Hunting
- The SIEM Gap
- The Problem with Hunting (and the Solution)
- Unknowns (and how to turn them into Knowns)
- Wrap up
Hunting Defined
Proactive versus reactive approach to identifying incidents
Reactive: incident starts when a notification comes in.
Proactive: actively looking for incidents - based on patterns, intelligence, or even hunches.
Source: Scott J. Roberts - http://sroberts.github.io/2015/04/14/ir-is-dead-long-live-ir/.
Hunting Maturity Model
3 Factors Contribute:
1) Quality of data – the more data the better
2) Tools provided to access and analyze the data
3) Skills of the analysts using the data (hunting)
Source: David Bianco - http://detect-respond.blogspot.com.au/2015/10/a-simple-hunting-maturity-model.html.
Maturity Indicators:
Threat Intel
Data Analysis Procedures
Automation
Security Analytics – A Path to Hunting Maturity
“Advanced analytics are being integrated into security markets after rule- and signature-based prevention systems and tuning processes struggled to detect or stop most security breaches over the past few years”
Source: Gartner - The Fast-Evolving State of Security Analytics, 2016 – April 4, 2016.
The SIEM Gap Defined
Designed for the known
- Normalize / parse logs with defined compatibility
- Alerts based on policy
- Pre-defined reporting
- Automated Data Analysis (for compliance / audit)
If there is no rule, policy, report, or alert for it, nothing gets detected.
Architectural decisions made at the time now fundamentally limit SIEM.
(Technology advancements since then have enabled Security Analytics.)
Not really designed for human interaction – i.e. hunting and incident response.
The SIEM Gap - Industry Analyst Perspectives
• Requires advanced skills and knowledge
• Custom queries are difficult
• Challenges collecting certain types of data
• Lacks context for collected data
• Too many false positive alerts
• Primary challenge is complexity
• Performance limits galore
• Data variety challenges
• New environment explosion
• Analysis? Where is that?
Data Analysis Evolution
Create Views             | Example Products   | Delivery        | Use Cases
Predefined Reports       | HP ArcSight        | Vendors         | Compliance (Structured Data Aggregation)
Custom Dashboards        | Splunk             | Data Scientists | Security Operations (Visualize the Known)
Data Discovery Workflow  | Security Analytics | SMEs            | Integrated Operations (Discover the Unknown)
The Problem with Hunting
“Effective threat hunting remains the domain of the well-resourced, super-security-mature, extra-skilled security 1%-ers…”
Source: Anton Chuvakin – http://blogs.gartner.com/anton-chuvakin/2016/03/21/antons-favorite-threat-hunting-links/.
The Most Sophisticated Analytic on the Planet
A Profound Shift – Known to Unknown
Known: Develop list of questions -> Collect only data required to answer questions -> Report on answers
Unknown (Cloud, Virtual): No list of questions -> Collect everything -> Analytics-enabled exploration and discovery
Security Analytics – Techniques for the Unknown
Event Clusters
Rapidly analyze large data sets with machine learning – event clusters technology summarizes the data set based on commonality to allow for quick human analysis.
Security Analytics – Techniques for the Unknown
Association Analytics
Explore frequency in your data across different categories, e.g. IP addresses, geolocations, usernames, applications, etc.
Security Analytics – Techniques for the Unknown
Activity & Change
Compare datasets and timeframes for differences – trending up/down, what’s new, etc.
Security Analytics – Techniques for the Unknown
Cohort Analysis
“Guilt by association”
Security Analytics – Techniques for the Unknown
Visualization / Perspective
See the data – find outliers - explore
Security Analytics – Techniques for the Unknown
Natural Language Processing
Deconstruct messages to attempt to find the direct and implied information content.
- Actions (verbs) – allow, deny, block, fail, etc.
- Subjects (proper nouns) – addresses, usernames, etc.
- Various other parts of speech (direct objects, prepositions, adjectives, etc.) that add nuance
- Fuzzy
Security Analytics Search Engine
- Much like Google – to the user Google looks like one big bucket of one big field.
- Under the covers - adding in metadata to add hints and help improve relevance.
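An added example (not from the deck or any product it mentions) of the message deconstruction described above: a small Python parser that pulls the action verb, the subject addresses and user, and the remaining key=value nuance out of constructed log lines, with fuzzy matching across verb forms.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Verb lexicon built from the actions named on the slide; several surface
# forms map onto one normalized action so matching is fuzzy on tense.
ACTIONS = {
    "allow": "allow", "allowed": "allow", "accept": "allow", "accepted": "allow",
    "deny": "deny", "denied": "deny", "drop": "deny", "dropped": "deny",
    "block": "block", "blocked": "block",
    "fail": "fail", "failed": "fail", "failure": "fail",
}
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
USER_RE = re.compile(r"\b(?:user|account)[=: ]+([\w.-]+)", re.I)
KV_RE = re.compile(r"\b([a-z_]+)=(\S+)")

@dataclass
class Message:
    action: Optional[str]                          # the verb: what happened
    subjects: dict = field(default_factory=dict)   # proper nouns: who / what
    nuance: dict = field(default_factory=dict)     # other key=value detail

def deconstruct(line: str) -> Message:
    """Break one free-form log line into action, subjects and nuance."""
    words = re.findall(r"[a-z]+", line.lower())
    action = next((ACTIONS[w] for w in words if w in ACTIONS), None)
    subjects = {"ips": IP_RE.findall(line)}
    user = USER_RE.search(line)
    if user:
        subjects["user"] = user.group(1)
    # Key=value pairs add nuance; user and action are already captured above.
    nuance = {k: v for k, v in KV_RE.findall(line) if k not in ("user", "action")}
    return Message(action, subjects, nuance)

# Constructed sample lines (not real logs) from three different sources.
SAMPLE_LINES = [
    "fw01 src=10.0.0.5 dst=203.0.113.9 dport=443 action=deny user=alice",
    "sshd[1234]: Failed password for invalid user bob from 198.51.100.7 port 51022 ssh2",
    "proxy01 ACCEPT GET http://example.test/ from 10.0.0.8 account: carol",
]

def deconstruct_all(lines):
    return [deconstruct(line) for line in lines]

if __name__ == "__main__":
    for m in deconstruct_all(SAMPLE_LINES):
        print(m)
```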
Security Analytics – Techniques for the Unknown
Clustering (Big Data) and Federation (Data Politics)
Security Analytics – Techniques for the Unknown
Flexible Real-time Data Collection
- Streaming Packet Capture: Forensic analysis on demand
- Any TCP/UDP Port
- All usual suspects (syslog, flat files, netflow, etc.)
- Define repository, TTL, rate limit
Security Analytics – Techniques for the Unknown
Drag and Drop Import
- Simple browser interface to bring in disparate data
- Define repository, TTL, delimiters, time (now versus time discovered in data)
- Take in anything human readable
- Office files, Outlook PST, PDF, PCAP, configuration files, and much more.
- Threat Intel and CMDB Data
Security Analytics – Techniques for the Unknown
Collaboration
- Pinboard
- Save and share commonly used queries.
- Tags, Notes
- Rapidly record observations in data
Security Analytics – Techniques for the Unknown
Automation
- Workflow
- Create repeatable processes within your data.
- Remotes
- Tie remote agent based actions into Workflow or use ad-hoc.
Security Analytics – A Path to Hunting Maturity
Hunting – Discover The Unknown: Search for outbound deny events and view clusters, trends and associations to spot high risk activity.
Rapid Event Triage – Discover The Cause: Drag log files from multiple sources into the system, retain original date, create time-correlated views.
Incident Response – Discover Incident Context: Automatically correlate alerts and human data with automatically enriched infrastructure data.
Data Accessibility – Discover From More Data: Drag the 2G log file and 4G PCAP into the system as easily as uploading to Dropbox. Clusters, comparisons and associations are automatic.
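An added example (not from the deck) of the hunt described in the Hunting row, using the event-cluster, association and activity-and-change techniques from the earlier slides: over constructed, already-parsed firewall events it filters outbound deny events, clusters them by shared fields, counts associations per destination, and compares today against a baseline period for new and trending-up destinations and ports.

```python
from collections import Counter

def ev(src, dst, dport, n=1, action="deny"):
    """Constructed helper: n identical outbound firewall events."""
    return [{"src": src, "dst": dst, "dport": dport, "action": action, "dir": "out"}
            for _ in range(n)]

# Constructed sample data (not from the deck): a baseline day and today.
BASELINE = (ev("10.0.0.5", "203.0.113.9", 443, n=2)
            + ev("10.0.0.8", "198.51.100.2", 80)
            + ev("10.0.0.8", "198.51.100.2", 80, action="allow"))
TODAY = (ev("10.0.0.5", "203.0.113.9", 443, n=6)
         + ev("10.0.0.8", "198.51.100.2", 80)
         + ev("10.0.0.21", "192.0.2.44", 4444, n=3))

def outbound_denies(events):
    """The search from the Hunting row: outbound traffic the firewall denied."""
    return [e for e in events if e["action"] == "deny" and e["dir"] == "out"]

def associations(events, key):
    """Association analytics: frequency of each value in one category."""
    return Counter(e[key] for e in events)

def clusters(events, keys=("src", "dst", "dport")):
    """Event clusters: collapse events onto their shared field values so the
    analyst reads a few summary rows instead of every event."""
    return Counter(tuple(e[k] for k in keys) for e in events)

def change(baseline, current, key, min_ratio=2.0):
    """Activity & change: values that are new, trending up (count grew by at
    least min_ratio) or gone, compared with the baseline timeframe."""
    before, now = associations(baseline, key), associations(current, key)
    return {
        "new": {v for v in now if v not in before},
        "trending_up": {v: now[v] / before[v] for v in now
                        if v in before and now[v] >= min_ratio * before[v]},
        "gone": {v for v in before if v not in now},
    }

def hunt(baseline, current):
    """Run the three views over outbound denies and return them together."""
    base, cur = outbound_denies(baseline), outbound_denies(current)
    return {"clusters": clusters(cur), "by_dst": associations(cur, "dst"),
            "dst_change": change(base, cur, "dst"),
            "port_change": change(base, cur, "dport")}

if __name__ == "__main__":
    for name, view in hunt(BASELINE, TODAY).items():
        print(name, dict(view))
```

The new destination on an unusual port and the three-fold jump toward an existing destination are what an analyst would pivot on next; the allow event is excluded because the hunt is scoped to denies.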
Hunting Maturity Model Revisited
3 Factors Contribute:
1) Quality of data – the more data the better
2) Tools provided to access and analyze the data
3) Skills of the analysts using the data (hunting)
Source: David Bianco - http://detect-respond.blogspot.com.au/2015/10/a-simple-hunting-maturity-model.html.
Maturity Indicators:
Threat Intel
Data Analysis Procedures
Automation
Thank You
Eric Johansen
Sr. Solutions Architect
eric.johansen@firemon.com