
User and Entity Behavior Analytics using the Sqrrl Behavior Graph


UEBA leverages advanced statistical techniques and machine learning to surface subtle behaviors that are indicative of attacker presence. In this presentation, Sqrrl's Director of Data Science, Chris McCubbin, and Sqrrl's Director of Products, Joe Travaglini, provide an overview of how machine learning and UEBA can be used to detect cyber threats using Sqrrl's Behavior Graph.

Watch the presentation with audio here: http://info.sqrrl.com/april-2016-ueba-webinar-on-demand

Published in: Software

  1. Target. Hunt. Disrupt. User and Entity Behavior Analytics (UEBA) Webinar: Analytics Using the Sqrrl Behavior Graph
  2. Presenters: Joe Travaglini, Director of Products; Chris McCubbin, Director of Data Science. © 2016 Sqrrl | All Rights Reserved
  3. Agenda
     § Machine Learning and UEBA Overview
     § Sqrrl Behavior Graph
     § Demonstration
  4. Target. Hunt. Disrupt. Machine Learning and UEBA Overview (section title)
  5. What is machine learning?
  6. Brief history of machine learning (timeline figure, 1960 to 2016)
     • "AI", perceptrons, seeking an AGI
     • Expert systems; backpropagation
     • "AI winter"; ML splits from AI
     • Kernelized SVMs; boosting/ensembles; big data storage
     • Resurgence of NN methods; new optimization techniques; big data computation
  7. How does UEBA complement a SIEM? (SIEM vs. UEBA)
     • Velocity of data: SIEM, real-time alerting based on streaming data flows; UEBA, batch-based analytics on large historical data sets
     • Anomaly detection: SIEM, static and rule-based; UEBA, self-learning
     • Types of anomalies: SIEM, event-based; UEBA, entity-based
     • Algorithms: SIEM, standard deviation and simple matching; UEBA, supervised machine learning, unsupervised machine learning, Bayesian, graph algorithms
     • False positive rate: SIEM, higher; UEBA, lower
     • Infrastructure: SIEM, typically RAID; UEBA, typically Hadoop
  8. Why did ML fail for IDS in the early 2000s?
  9. How has machine learning improved? (Before: IDS; Now: UEBA)
     • Data quantity: before, smaller data (short historical baselines); now, big data (long historical baselines)
     • Data variety: before, single data source (network packets); now, correlation across diverse data sources (endpoint, perimeter, network, threat intel, etc.)
     • Machine learning technology: before, inductive logic programming, pattern recognition, relational databases; now, random forests, deep learning, Hadoop/Spark/NoSQL
     • Machine learning usage: before, "black box" techniques; now, open source with analyst feedback loops
     • Machine learning approaches: before, searching for general anomalies; now, constraining the search to look for Kill Chain behaviors
  10. Sqrrl's Analytic Framework
  11. The kill chain as a modeling constraint (figure; source: http://setosa.io/ev/principal-component-analysis/)
  12. Case Study: Lateral Movement Detector
     • Lateral movement: multiple host logins, credential theft
     • Active Directory
     • Windows event logs
     • Unsupervised machine learning for rarity detection
     • Graph algorithm for chaining
     • Analyst whitelisting of false positives
  13. Target. Hunt. Disrupt. Sqrrl Behavior Graph (section title)
  14. Sqrrl Capabilities: Detection and Response. Sqrrl's Behavior Graph supports proactive threat hunting, incident investigation, and user and entity behavior analytics
  15. Behavior Graph: Continuous Context
  16. Behavior Graph: Risk Dashboard
  17. Behavior Graph: Entity Profile
  18. Automating the Hunt: proactively and iteratively looking for unknown or advanced threats; UEBA and risk scores; linked data
  19. The Sqrrl Detection and Response Platform: ingests security data, network data, and endpoint/identity data (Firewall / IDS, Threat Intel, Processes, HR, Bro, SIEM Alerts, Netflow, Proxy)
  20. Target. Hunt. Disrupt. Demonstration (section title)
  21. How To Learn More? Go to sqrrl.com to…
     • Download Sqrrl's Threat Hunting White Paper, a SANS collaboration
     • Download Sqrrl's Threat Hunting eBook for Executives
     • Download the Sqrrl Product Paper
     • Request a Test Drive VM
     • Reach out to us at info@sqrrl.com
     Thank you!
  22. Target. Hunt. Disrupt. Questions (section title)
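The lateral movement detector sketched on slide 12 (unsupervised rarity scoring of Windows logon events, a graph algorithm that chains rare hops, and analyst whitelisting of false positives), written out as an added example that is not Sqrrl's code. The logon records, host names, the negative-log-frequency rarity score and the 2.0 threshold are constructed assumptions.

```python
import math
from collections import Counter

# Constructed sample of Windows Security log 4624 (successful logon) events, reduced to
# (account, source host, destination host, hour). BASELINE is the historical window the
# detector learns from; NEW_EVENTS is the batch being scored.
BASELINE = ([("alice", "WS01", "FILE01")] * 40 + [("bob", "WS02", "FILE01")] * 30
            + [("alice", "WS01", "MAIL01")] * 20 + [("svc_backup", "BK01", "DC01")] * 10)
NEW_EVENTS = [
    ("alice", "WS01", "FILE01", 9),      # routine
    ("alice", "WS01", "WS07", 10),       # never seen: alice does not log on to WS07
    ("alice", "WS07", "DC01", 11),       # never seen, and its source is the previous hop's destination
    ("svc_backup", "BK01", "DC01", 13),  # infrequent but expected: analyst has whitelisted it
    ("bob", "WS02", "FILE01", 12),       # routine
]
WHITELIST = {("svc_backup", "DC01")}     # analyst-whitelisted (account, destination) pairs

def rarity_model(baseline):
    """Unsupervised rarity: -log of each (account, destination) pair's share of all baseline
    logons. A pair never seen scores as if it occurred once in n+1 events, rarer than any seen."""
    pairs = Counter((u, d) for u, _, d in baseline)
    n = len(baseline)
    def score(user, dst):
        c = pairs.get((user, dst), 0)
        return math.log(n / c) if c else math.log(n + 1)
    return score

def rare_logons(events, baseline, whitelist, threshold=2.0):
    """Keep logons that reach the rarity threshold and are not whitelisted by an analyst."""
    score = rarity_model(baseline)
    return [e for e in events if (e[0], e[2]) not in whitelist and score(e[0], e[2]) >= threshold]

def chain_logons(rare, window=4):
    """Graph chaining: hop A -> hop B when A's destination is B's source host, the account is
    the same, and B occurs within `window` hours after A. Returns every maximal chain of 2+ hops."""
    nxt = {a: [b for b in rare if a[0] == b[0] and a[2] == b[1] and 0 < b[3] - a[3] <= window]
           for a in rare}
    successors = {b for bs in nxt.values() for b in bs}
    chains = []
    def walk(path):  # depth-first extension from a chain head
        if not nxt[path[-1]] and len(path) > 1:
            chains.append(path)
        for b in nxt[path[-1]]:
            walk(path + [b])
    for head in rare:
        if head not in successors:
            walk([head])
    return chains
```

On the sample batch, the routine logons and the whitelisted service account are suppressed, and the two unseen alice logons are linked into one chain WS01 -> WS07 -> DC01.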
