SQRRL THREAT HUNTING PLATFORM
ADAM FUCHS
CTO, SQRRL
COMMITTER, ACCUMULO
MEMBER, ASF
© 2016 Sqrrl Data, Inc. All rights reserved.
Accelerating Investigations
The Sqrrl Threat Hunting Platform
Data sources ingested by the platform (figure):
Security data: Firewall / IDS, Threat Intel, SIEM Alerts
Network data: Bro, Netflow, Proxy
Endpoint / identity data: Processes, HR
Sqrrl Architecture
Layers, top to bottom (figure):
Interface: Visualization + API
Processing: Query Engine (Accumulo Iterators); Bulk/Graph Processing (YARN + Spark)
Data Model: Raw Events; Linked Data
Data Storage: HDFS; Accumulo+
Physical: Commodity Hardware
Cross-cutting across all layers: Audit, Encryption, Labeling + Policy
The Apache Accumulo Project
Accumulo stores sorted key/value pairs:
High Performance Writes
Great Scalability
Embedded Processing (Iterators)
We leverage Accumulo for:
Low-Latency Information Retrieval
Indexing
Distributed Processing
Graph Organization
Ingest-Time Aggregation
Secure Storage
Behavioral Analytics
Attack Chain Behavior Detection
Adversary behavior is modeled on a kill chain
Aligning behavior detection analytics to the kill chain:
Helps determine how far an attack has penetrated and the risk it poses
Supports arguments about the completeness of detection coverage (which stages have an analytic and which do not)
Kill Chain-Based Behavioral Analytic Example
• Behavior: Lateral Movement (multiple host logins, credential theft)
• Data sources: Active Directory; Windows event logs
• Techniques: Unsupervised machine learning for rarity detection; graph algorithm for chaining; analyst whitelisting of false positives
Collating Results For Visualization and Analysis
Results flow (figure): Raw Data and Modeled Data (Graph) feed multiple Analytics; their output is collated into Behavioral Analytics and Entity Risk Scoring, which are exposed through the API to Applications.
Target. Hunt. Disrupt.
Editor's Notes

  • #9
    Identify the pain point: it is hard to find attackers moving from a beachhead machine to more interesting machines in a sea of login data. Every Windows machine normally sees tens to hundreds of logins a day.
    Project datasets: use the subset of Windows event login data most likely to contain attacker movement.
    Constrain output: lateral movements (LMs) will only be of certain login chain shapes, localized in time.
    Identify algorithms: use modern classifiers on the projected log event set to identify logins that are more or less likely to be part of an LM; use motif search algorithms to find patterns of logins that fit the output constraints.
    Self-learning and feedback.
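The lateral-movement analytic sketched on the "Kill Chain-Based Behavioral Analytic Example" slide and in the speaker notes above (project the login data, score rarity, chain logins into time-localized paths, let analysts whitelist false positives), written out as an added Python example; this is not Sqrrl's code. The deck uses unsupervised machine learning for rarity detection and a graph/motif search for chaining; here a frequency threshold stands in for the classifier and a depth-first path search for the motif search. The host names, users, allowlist and the 30 days of logon events are constructed sample data, and `project`, `rare_logons`, `chain`, `hunt` and `describe` are hypothetical helper names.

```python
"""Lateral-movement chaining over Windows logon events (added illustration, not Sqrrl code).
Pipeline: project -> rarity -> chain -> analyst allowlist. All sample data is constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from fnmatch import fnmatch
from typing import List, NamedTuple


class Logon(NamedTuple):
    ts: datetime
    src: str         # host the logon came from (4624 "Source Network Address", resolved)
    dst: str         # host that recorded the logon (the event's Computer)
    user: str        # TargetUserName
    logon_type: int  # 4624 LogonType: 2 console, 3 network, 10 RemoteInteractive (RDP)


REMOTE_TYPES = {3, 10}  # projection: keep only logons that cross between hosts


def project(events: List[Logon], allowlist) -> List[Logon]:
    """Keep remote logons not matched by an analyst allowlist pattern (src, dst, user; '*' wildcard)."""
    keep = []
    for e in events:
        if e.logon_type not in REMOTE_TYPES or e.src == e.dst:
            continue
        if any(fnmatch(e.src, s) and fnmatch(e.dst, d) and fnmatch(e.user, u) for s, d, u in allowlist):
            continue
        keep.append(e)
    return keep


def rare_logons(events: List[Logon], rare_max: int = 2) -> List[Logon]:
    """Rarity detection: a (src, dst, user) edge seen at most rare_max times in the window is rare.
    A frequency threshold stands in here for the deck's unsupervised model."""
    counts = Counter((e.src, e.dst, e.user) for e in events)
    return [e for e in events if counts[(e.src, e.dst, e.user)] <= rare_max]


def chain(rare: List[Logon], max_gap=timedelta(minutes=30), min_hops: int = 2) -> List[List[Logon]]:
    """Graph chaining: link rare logon A->B to a later rare logon B->C that starts within max_gap,
    and return maximal paths of at least min_hops hops (the constrained 'chain shape')."""
    by_src, by_dst = defaultdict(list), defaultdict(list)
    for e in rare:
        by_src[e.src].append(e)
        by_dst[e.dst].append(e)

    def successors(e):  # next hops leave the host this logon landed on, shortly after it
        return [n for n in by_src[e.dst] if e.ts < n.ts <= e.ts + max_gap]

    def has_predecessor(e):  # only start walks at chain roots so sub-paths are not reported twice
        return any(e.ts - max_gap <= p.ts < e.ts for p in by_dst[e.src])

    chains = []

    def walk(path):
        nxt = successors(path[-1])
        if not nxt:
            if len(path) >= min_hops:
                chains.append(path)
            return
        for n in nxt:
            walk(path + [n])

    for e in sorted(rare):  # NamedTuple order: timestamp first
        if not has_predecessor(e):
            walk([e])
    return chains


def build_sample() -> List[Logon]:
    """Constructed 30-day sample (not real data): routine logons, noise, one attack chain."""
    ev, day0 = [], datetime(2016, 3, 1)
    for d in range(30):
        day = day0 + timedelta(days=d)
        for i in range(1, 6):  # each workstation user hits the file and mail servers daily
            ev.append(Logon(day + timedelta(hours=9, minutes=i), f"WS0{i}", "FS01", f"user{i}", 3))
            ev.append(Logon(day + timedelta(hours=9, minutes=30 + i), f"WS0{i}", "MAIL01", f"user{i}", 3))
        ev.append(Logon(day + timedelta(hours=2), "BACKUP01", "DC01", "svc_backup", 3))  # nightly backup
        ev.append(Logon(day + timedelta(hours=8), "DC01", "DC01", "admin", 2))           # console logon
    last = day0 + timedelta(days=29)
    ev.append(Logon(last + timedelta(hours=11), "WS02", "PRINT01", "user2", 3))  # rare, but no chain
    ev.append(Logon(last + timedelta(hours=13, minutes=50), "SCAN01", "WS03", "svc_scan", 3))  # vuln scanner
    ev.append(Logon(last + timedelta(hours=13, minutes=55), "SCAN01", "WS05", "svc_scan", 3))
    # attack: beachhead WS03 -> WS05 as user3, steal user5's credentials, then WS05 -> DC01 as user5
    ev.append(Logon(last + timedelta(hours=14), "WS03", "WS05", "user3", 3))
    ev.append(Logon(last + timedelta(hours=14, minutes=12), "WS05", "DC01", "user5", 10))
    return ev


ALLOWLIST = [("SCAN01", "*", "svc_scan")]  # analyst whitelisting of a known false positive


def hunt(events: List[Logon], allowlist) -> List[List[Logon]]:
    return chain(rare_logons(project(events, allowlist)))


def describe(c: List[Logon]) -> str:
    return " -> ".join([c[0].src] + [f"{e.dst}({e.user})" for e in c])


if __name__ == "__main__":
    for c in hunt(build_sample(), ALLOWLIST):
        print(describe(c))  # WS03 -> WS05(user3) -> DC01(user5)
```

Run without the allowlist and the scanner's one-off logons chain onto the attacker's path (`SCAN01 -> WS03 -> WS05 -> DC01`), which is exactly the kind of false positive the analyst whitelisting step is meant to absorb; the routine daily logons and the lone `WS02 -> PRINT01` event never surface because they fail the rarity test or the chain-shape constraint respectively.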