Reducing Mean Time to Know
Slides from the webinar led by Ely Kahn and Luis Maldonado discussing strategies to reduce Mean Time to Know in detecting cybersecurity attacks, threats, or data breaches.
  1. Securely explore your data
     SQRRL WEBINAR: Reducing “Mean Time to Know”
  2. © 2015 Sqrrl | All Rights Reserved
     YOUR WEBINAR HOSTS
     •  Sqrrl cofounder / VP Business Development
     •  Former Director of Cybersecurity at the National Security Council Staff / White House
     •  Degrees from Wharton and Harvard
     •  Sqrrl VP Products
     •  Former Director of Product Management at Vertica, Imprivata, and DataSynapse
     •  CS degree from MIT
  3. SQRRL HISTORY: From securing the country to securing your enterprise
     2006  Google’s BigTable paper
     2008  NSA builds Accumulo
     2012  Sqrrl founded
     2013  Sqrrl Enterprise 1.0
     2015  Sqrrl Enterprise 2.0
     Investors:
     Patented Technology:
  4. INCIDENT RESPONSE LIFECYCLE (Source: NIST)
     Sqrrl’s focus today is on Detection and Analysis (i.e., cybersecurity investigations).
  5. CYBERSECURITY INVESTIGATIONS TAXONOMY
     Cybersecurity Investigations
       Detection
         Hunting / IOCs
         Threat Intelligence
         Alerting
           Rule-Based
           Algorithmic
       Analysis
         Alert Resolution
         Incident Triage
         Root Cause / Forensics
  6. MEAN TIME TO KNOW
     How do we decrease Mean Time To Know?
     Mean Time To Identify (MTTI): detect that an incident has occurred
     Mean Time To Know (MTTK): understand the root cause of an incident
     % Time Spent on MTTI vs. MTTK: 25% MTTI, 75% MTTK (Source: Ponemon Institute)
  7. Sqrrl MTTK Case Study: Large Telecommunications Company
     Challenge: analyzing more than 1 year of multi-structured security data, including for Advanced Persistent Threats (APT), fraud, and insider threats
     Sqrrl Solution:
     •  Aggregate and store all data
     •  Gather and profile employee and device behaviors
     •  Search, query and analyze behaviors, details and anomalies
     Results:
     •  Ensured compliance with data security regulations
     •  Reduced investigation time from days/weeks to minutes
     •  Visibility across more data than previously possible
  8. TOP 5 WAYS TO REDUCE MTTK
     1.  Big Data
     2.  Linked Data Visualization
     3.  Graph Exploration
     4.  Investigation Workflow
     5.  Advanced Analytics
  9. #1 BIG DATA: Volume and Variety of Data
     Current solutions can’t easily handle the variety and volume of data that security analysts need.
  10. #1 BIG DATA: Performance Measures
     •  Sqrrl indexes and stores 25,000 events per second per node
     •  Sqrrl’s core has proven near-linear scalability to 2000+ nodes
     •  Clustered support for processing trillions of events per day
     Data Source            Record Count
     Netflow               2,109,409,060
     Cisco ASA Firewall    2,982,124,483
     Websense                924,819,607
     MsDns                   503,237,033
     IsaFw                   207,834,546
     IIS                      38,941,968
     Damballa                     16,060
     Apache Webserver          5,615,832
     ISE                         671,006
     Radius                    1,138,001
     Windows Events           12,220,081
     Symantec EP               1,040,871
     FireEye                       4,305
     Total Records         6,787,072,853
     Node * Seconds              271,800
     Records/Second/Node          24,971
     Sources: http://www.pdl.cmu.edu/SDI/2013/slides/big_graph_nsa_rd_2013_56002v1.pdf and http://arxiv.org/pdf/1406.4923v1.pdf
  11. #2 LINKED DATA VISUALIZATION: LOGS VS. LINKED DATA
  12. LINKED DATA
     •  Organizes data into entities and relationships (links)
     •  More intuitive visualization
     •  Surfaces meaning & context
     •  Enables faster analysis
  13. LINKED DATA VISUALIZATION DEMO
  14. #3 GRAPH EXPLORATION: Pattern Discovery and Matching
     •  Hunting for known patterns
     •  Search for the HTTP transaction “triangle”
     •  Locate a specific instance quickly amongst a large volume of transactions
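Slides 12 and 14 describe linked data and graph pattern hunting but do not show how flat log records become entities and links, or what matching a pattern against them looks like. The following is an added example written for this page, not code from Sqrrl or the webinar: it builds a small linked-data graph from constructed DNS, proxy and NetFlow records (three of the feed types in the slide 10 table), lets an analyst pivot from one entity to everything linked to it, and searches for a client/domain/IP triangle closed by an HTTP request. The record layouts, entity types, relationship labels and the exact triangle shape are assumptions; the deck names the "triangle" without defining it.

```python
"""Added example (not Sqrrl's code): turn flat log records into linked data
(entities joined by typed relationships) and hunt that graph for a pattern.

All log records below are constructed for this example. The pattern searched
for is an assumption about what the deck calls the HTTP transaction
"triangle": a client that requested a domain, the IP that domain resolved to,
and a network flow from the same client to that IP.
"""
from collections import defaultdict

# Constructed samples of three of the feeds listed on slide 10 (DNS, proxy,
# NetFlow). Field layouts are simplified and are not any vendor's real format.
DNS_LOG = [  # (client_ip, queried_domain, answer_ip)
    ("10.1.1.5", "update.example-cdn.net", "203.0.113.10"),
    ("10.1.1.7", "mail.example.org", "198.51.100.20"),
    ("10.1.1.9", "evil.example.test", "192.0.2.66"),
]
PROXY_LOG = [  # (client_ip, host_header, path)
    ("10.1.1.5", "update.example-cdn.net", "/pkg/1.2.3.msi"),
    ("10.1.1.9", "evil.example.test", "/gate.php"),
    ("10.1.1.7", "wiki.example.org", "/index"),  # no resolution seen for this host
]
FLOW_LOG = [  # (client_ip, dest_ip, dest_port, bytes_out)
    ("10.1.1.5", "203.0.113.10", 443, 512000),
    ("10.1.1.9", "192.0.2.66", 80, 2048),
    ("10.1.1.7", "198.51.100.20", 443, 900),  # mail flow, no HTTP request seen
]


class LinkedData:
    """Undirected graph of typed entities; each edge carries the set of
    relationship labels (log types) that connect the two entities."""

    def __init__(self):
        self.kind = {}                                      # entity -> type
        self.links = defaultdict(lambda: defaultdict(set))  # a -> b -> labels

    def entity(self, name, kind):
        self.kind.setdefault(name, kind)
        return name

    def link(self, a, b, label):
        self.links[a][b].add(label)
        self.links[b][a].add(label)

    def neighbours(self, name):
        """Pivot from one entity to everything linked to it, grouped by type.
        This is the 'linked data' view of what would otherwise be several
        separate log searches."""
        out = defaultdict(set)
        for other in self.links[name]:
            out[self.kind[other]].add(other)
        return dict(out)


def build_graph(dns, proxy, flows):
    """Load the three record types into one graph of clients, domains and IPs."""
    g = LinkedData()
    for client, domain, answer in dns:
        g.link(g.entity(client, "client"), g.entity(domain, "domain"), "dns_query")
        g.link(domain, g.entity(answer, "ip"), "resolves_to")
    for client, host, _path in proxy:
        g.link(g.entity(client, "client"), g.entity(host, "domain"), "http_request")
    for client, dst, _port, _nbytes in flows:
        g.link(g.entity(client, "client"), g.entity(dst, "ip"), "netflow")
    return g


def find_http_triangles(g):
    """Return (client, domain, ip) triples where the client made an HTTP
    request to the domain, the domain resolved to the IP, and a flow from the
    client to that IP exists. Missing any one edge means no match."""
    found = []
    for client, kind in g.kind.items():
        if kind != "client":
            continue
        for domain, labels in g.links[client].items():
            if g.kind[domain] != "domain" or "http_request" not in labels:
                continue
            for ip, dlabels in g.links[domain].items():
                if g.kind[ip] != "ip" or "resolves_to" not in dlabels:
                    continue
                if "netflow" in g.links[client].get(ip, set()):
                    found.append((client, domain, ip))
    return sorted(found)


if __name__ == "__main__":
    graph = build_graph(DNS_LOG, PROXY_LOG, FLOW_LOG)
    for tri in find_http_triangles(graph):
        print("triangle:", tri)
    print("pivot on 10.1.1.9:", graph.neighbours("10.1.1.9"))
```

Two of the three clients close a triangle. 10.1.1.7 does not: its mail traffic has a resolution and a flow but no HTTP request, and its wiki request has no resolution on record, so the pattern correctly leaves it out. The same three facts spread across DNS, proxy and flow logs would take three separate searches and a manual join; in the graph they are one pivot and one pattern match.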
  15. GRAPH EXPLORATION DEMO
  16. #4 INVESTIGATION WORKFLOW
     It is easy to get lost in a maze of searches during an investigation.
  17. INVESTIGATION WORKFLOW DEMO
  18. #5 ADVANCED ANALYTICS: Algorithmic approaches to anomaly detection
     Peer Group
     Outlier
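Slide 18 names "peer group" and "outlier" as the algorithmic approach but gives no detail. The following is an added example written for this page, not Sqrrl's analytics: it scores each user's outbound volume against the users in the same peer group using the modified z-score (median and median absolute deviation), and contrasts that with scoring against the whole population. The activity records are constructed, and the assumption that peer groups come from a directory attribute such as department is the author's, not the deck's.

```python
"""Added example (not Sqrrl's code): peer-group outlier scoring, one of the
algorithmic anomaly-detection approaches named on slide 18.

Activity records are constructed. The peer group is assumed to come from a
directory attribute such as department. The score is the modified z-score
(median and MAD rather than mean and standard deviation) so that a single
extreme user does not inflate the baseline it is compared against.
"""
from collections import defaultdict
import statistics

# Constructed: one day of outbound volume per user, in megabytes.
ACTIVITY = [
    {"user": "alice", "group": "engineering", "bytes_out_mb": 80},
    {"user": "bob",   "group": "engineering", "bytes_out_mb": 95},
    {"user": "carol", "group": "engineering", "bytes_out_mb": 60},
    {"user": "dave",  "group": "engineering", "bytes_out_mb": 110},
    {"user": "erin",  "group": "engineering", "bytes_out_mb": 70},
    {"user": "frank", "group": "engineering", "bytes_out_mb": 5000},
    {"user": "gina",  "group": "finance", "bytes_out_mb": 12},
    {"user": "hank",  "group": "finance", "bytes_out_mb": 18},
    {"user": "ivy",   "group": "finance", "bytes_out_mb": 15},
    {"user": "jack",  "group": "finance", "bytes_out_mb": 22},
    {"user": "kate",  "group": "finance", "bytes_out_mb": 200},
]


def modified_z_scores(values):
    """Iglewicz-Hoaglin modified z-score: 0.6745 * (x - median) / MAD.
    If the MAD is zero (more than half the values identical) fall back to the
    mean absolute deviation scaled by 1.253314, the usual substitute; if that
    is also zero every value is identical and nothing can be an outlier."""
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    if mad > 0:
        return [0.6745 * (v - med) / mad for v in values]
    mean_ad = statistics.mean(abs(v - med) for v in values)
    if mean_ad > 0:
        return [(v - med) / (1.253314 * mean_ad) for v in values]
    return [0.0 for _ in values]


def outliers(records, feature, group_key=lambda r: r["group"],
             threshold=3.5, min_group=4):
    """Score each record against its peer group and return those beyond the
    threshold, strongest first. Groups smaller than min_group are skipped: a
    handful of peers cannot define what 'normal' looks like. Passing a
    group_key that maps everyone to one group gives whole-population scoring."""
    groups = defaultdict(list)
    for r in records:
        groups[group_key(r)].append(r)
    flagged = []
    for group, members in groups.items():
        if len(members) < min_group:
            continue
        scores = modified_z_scores([m[feature] for m in members])
        for m, z in zip(members, scores):
            if abs(z) > threshold:
                flagged.append({"user": m["user"], "group": group,
                                feature: m[feature], "score": round(z, 1)})
    return sorted(flagged, key=lambda f: -abs(f["score"]))


if __name__ == "__main__":
    print("peer-group outliers:")
    for f in outliers(ACTIVITY, "bytes_out_mb"):
        print(" ", f)
    print("whole-population outliers (peer groups ignored):")
    for f in outliers(ACTIVITY, "bytes_out_mb", group_key=lambda r: "all"):
        print(" ", f)
```

Against the whole population only frank stands out; kate's 200 MB is unremarkable next to the engineering users. Against her finance peers, whose median is 18 MB, she scores far beyond the threshold. That is the point of the peer group: "normal" is defined by comparable users, not by the enterprise as a whole. The minimum group size and the MAD fallback are the two guards a practitioner needs before running this over real directory data, where tiny departments and flat zero-activity groups are common.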
  19. ADVANCED ANALYTICS DEMO
  20. HOW TO LEARN MORE? www.sqrrl.com
     • Read our white paper or product paper
     • Schedule a demo or proof of concept
     • Request a VM or evaluation software