This presentation explains how security teams can leverage hunting and analytics to detect advanced threats faster, more reliably, and with common analyst skill sets. Watch the presentation with audio here: http://info.sqrrl.com/threat-hunting-and-ueba-webinar
Threat Hunting vs. UEBA: Similarities, Differences, and How They Work Together
1. Threat Hunting and UEBA: Similarities, Differences, and How They Work Together
• Speakers:
• Greg Schaffer, FirstBank CISO
• Luis Maldonado, Sqrrl VP of Products
Sponsor:
Primary UBA use cases
1) Risk-management oriented: trusted insider threat, contractor
2) Threat-detection oriented: an external attacker compromising a host or user and using their credentials
Use Cases: departure theft, anomalous VPN, call center privacy breach, privileged account sharing…
UEBA adds others:
Databases – focus on data protection and governance
Applications – CASB misuse
We believe you shouldn’t stop there, especially Security Operations teams
External attacks that are already in the network
Many times the attacker is no longer simply using user accounts; they now have persistence, command and control, staging points, etc.
=> need behavioral analytics across protocols, file systems, host configurations, etc.
Network flow
Use Cases: data exfiltration, lateral movement
Registry
DNS data
File system
Use Cases: targeted attacks, advanced malware,
Analytics are great tools, but they need to be built into your organization’s processes and use cases
At Sqrrl, we focus on powering Threat Hunters, so analytics are a great tool
Important to note, analytics tools don’t stand on their own.
Security Analysts need additional hunting tools to enable their work including:
Data aggregation
Visualization capabilities
Collaboration tools to share insights, assist in investigations, train on best practices, etc.
Survey across a 350,000-member Infosec community
To be effective, hunting needs to be incorporated into other SOC processes (or “loops”)
Most SOCs already have mature content development and detection loops
Implement signatures, rules, and other content that feeds their automated detection processes (IDS, SIEM, DLP, etc.)
Detection cycle – observe; compare to signatures, patterns, content; alert; a human validates
The hunting loop focuses on coming up with new ideas of activity and behavior to look for
This process is used to find things not already in your automated detection content
More importantly, it drives improvements to your content
Take a closer look at the hunting loop:
Identify behavioral patterns
Using link analysis
Looking for behavior chains
Clusters of anomalous behavior
Overview of the Sqrrl platform
Ingest traditional and non-traditional security sources
Logs are common core data sets
Supports structured and semi-structured file types
Extensible framework for parsing customized sources
BENEFITS: Include non-traditional sources that provide context (e.g. HR reports, email, app data)
Dynamic extraction
We do the ‘heavy lifting’ of populating your desired graph
Contrast this with ‘case file’ oriented products such as IBM i2 and Palantir
Contrast with Maltego which only builds a graph view of queries (called Transforms)
BENEFIT: analysts don’t have to focus on massaging data
We store the model and the raw data which allows:
Evolution of the model
Multiple models on the same data – enables team sharing, data reuse etc.
Analysis
Provide multiple analysis techniques (search, exploration, reporting, computations)
Common syntaxes and programming languages for power users (Python, Lucene, SQL)
Visual exploration environment for patterns, exploring relationships, connections
Computational techniques for finding and filtering anomalies / outliers; baseline and compare entity behavior across peer groups
Extensible framework for integrating with Hadoop frameworks such as Spark
BENEFITS: faster hunting through visual and search techniques; find behaviors and outliers that are hard to see
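The peer-group baselining mentioned above, as an added example that is not part of the presentation or the Sqrrl product: each user’s median VPN transfer volume is compared to the median of their own peer group using a robust (median absolute deviation) z-score, so a finance user moving gigabytes stands out while engineers who routinely move that much do not. The session records, group names and threshold are constructed for illustration.

```python
"""Peer-group baselining for UEBA-style outlier detection (illustrative, constructed data)."""
from collections import defaultdict
from statistics import median

# Constructed sample VPN session records: (user, peer_group, megabytes transferred).
SESSIONS = [
    ("alice", "finance", 120), ("alice", "finance", 140), ("alice", "finance", 110),
    ("bob", "finance", 130), ("bob", "finance", 150), ("bob", "finance", 125),
    ("carol", "finance", 135), ("carol", "finance", 145), ("carol", "finance", 120),
    ("dave", "finance", 900), ("dave", "finance", 1500), ("dave", "finance", 1100),
    ("erin", "engineering", 2000), ("erin", "engineering", 2200), ("erin", "engineering", 1900),
    ("frank", "engineering", 2100), ("frank", "engineering", 2300), ("frank", "engineering", 2050),
]


def per_entity_baseline(sessions):
    """Return {user: (peer_group, median_mb)}: one baseline number per entity."""
    per_user = defaultdict(list)
    groups = {}
    for user, group, mb in sessions:
        per_user[user].append(mb)
        groups[user] = group
    return {u: (groups[u], median(v)) for u, v in per_user.items()}


def peer_group_outliers(sessions, threshold=3.5):
    """Flag users whose baseline deviates from their peer group's median by more
    than `threshold` robust z-scores. Uses MAD instead of standard deviation so a
    single extreme user does not inflate the spread and hide themselves."""
    by_group = defaultdict(dict)
    for user, (group, value) in per_entity_baseline(sessions).items():
        by_group[group][user] = value
    flagged = {}
    for members in by_group.values():
        values = list(members.values())
        center = median(values)
        mad = median(abs(v - center) for v in values) or 1.0  # guard: all-identical group
        for user, value in members.items():
            score = 0.6745 * (value - center) / mad  # 0.6745 scales MAD to ~1 sigma
            if abs(score) > threshold:
                flagged[user] = round(score, 1)
    return flagged


if __name__ == "__main__":
    print(peer_group_outliers(SESSIONS))  # only "dave" exceeds his finance peers
```

A global baseline over all users would instead flag every engineer and miss dave, which is why the comparison is made within the peer group.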