1 | © 2017 Interset Software
A New Approach to Threat Detection: Big Data Security Analytics
Paul Reid, Technology Strategist October 2017

Alert Fatigue = Playing “Where is Waldo”

Not Enough Time, Not Enough People

Standard Approach – Rules and Thresholds
Source: “A Pattern for Increased Monitoring for Intellectual Property Theft by Departing Insiders”, Andrew Moore, Carnegie Mellon, 2011

The Threshold Approach Challenge
[Chart: values labelled Abnormal above a threshold, Normal below]

A Probabilistic Approach
• Computes the probability that a value in a given hour is anomalous
• Bayesian approach
• Explicitly models both normal and abnormal distributions (Gaussian, Gamma)
• Estimators for both the normal and the abnormal distribution are based on observation

New Approach: Distill Billions of Events into Security Leads
Billions of Events → Hundreds of Anomalies → A Handful of Threat Leads

Anomaly Detection and Risk Scoring Process
Pipeline: Data Acquisition → Correlation → Baseline → Anomaly Detection → Risk Story → Aggregation
Risk story example: “John synced 1029 files from Project X” (weight W1) + “John was active at 6:30 pm” (weight W2) = 95
Anomaly Detection: outputs a score between 0-100 that represents the probability that a behavior is anomalous.
Aggregation: aggregates the risk score to the entities involved in the event: User, File, Machine, Application.

Aggregating Behaviors for Entity Risk
• Ann Funderburk works at an unusual hour 15
• … and accesses repositories that she and her peers do not usually access 65
• … and takes from a folder on a repository an unusual number of times 80
• … and moves a significantly higher volume of data than normal 96
• … VPNs in from China 46
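The pipeline of slides 8, 10 and 11 worked through in Python, as an added example rather than Interset's code: an hourly file count gets a Bayesian posterior from an explicitly modelled Gaussian (normal) and Gamma (abnormal) distribution, each fitted from observed samples; the posterior becomes a 0-100 score; and per-event scores roll up to the user, file, machine and application involved. Assumed, since the slides do not state them: method-of-moments fits, a 5% prior, noisy-OR aggregation, and all sample counts and event records, which are constructed.

```python
"""Bayesian hourly-count scoring and entity risk aggregation (added example)."""
import math
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: files synced per hour by one user during ordinary hours.
NORMAL_HOURS = [18, 22, 25, 19, 21, 17, 24, 20, 23, 16, 21, 19,
                22, 18, 20, 26, 15, 21, 23, 19, 20, 22, 18, 21]
# Constructed observations from hours later confirmed as data staging.
ABNORMAL_HOURS = [180, 420, 650, 1100]
PRIOR_ABNORMAL = 0.05  # assumed prior: one hour in twenty is abnormal


def fit_gaussian(samples):
    """Normal model: moment estimates of mean and standard deviation."""
    return mean(samples), max(pstdev(samples), 1e-6)


def fit_gamma(samples):
    """Abnormal model: Gamma(shape, scale) by the method of moments."""
    m, var = mean(samples), max(pstdev(samples) ** 2, 1e-6)
    return m * m / var, var / m


def log_gaussian_pdf(x, mu, sigma):
    z = (x - mu) / sigma
    return -0.5 * z * z - math.log(sigma) - 0.5 * math.log(2 * math.pi)


def log_gamma_pdf(x, shape, scale):
    if x <= 0:
        return -math.inf
    return ((shape - 1) * math.log(x) - x / scale
            - math.lgamma(shape) - shape * math.log(scale))


def anomaly_probability(x, normal, abnormal, prior=PRIOR_ABNORMAL):
    """Posterior P(abnormal | x) from the two explicitly modelled densities."""
    ln_n = log_gaussian_pdf(x, *normal) + math.log(1.0 - prior)
    ln_a = log_gamma_pdf(x, *abnormal) + math.log(prior)
    # Work in log space: at 1029 files/hour the Gaussian density underflows to
    # zero, and a naive density ratio would divide by zero.
    top = max(ln_n, ln_a)
    p_a = math.exp(ln_a - top)
    return p_a / (math.exp(ln_n - top) + p_a)


def risk_score(probability):
    """Score between 0 and 100: the probability that the behavior is anomalous."""
    return int(round(100.0 * probability))


def score_hourly_count(x):
    """Baseline from the constructed samples, then score one new hourly count."""
    normal = fit_gaussian(NORMAL_HOURS)
    abnormal = fit_gamma(ABNORMAL_HOURS)
    return risk_score(anomaly_probability(x, normal, abnormal))


def aggregate_scores(scores):
    """Noisy-OR (assumed): chance that at least one behavior is truly anomalous."""
    p_none = 1.0
    for s in scores:
        p_none *= 1.0 - s / 100.0
    return risk_score(1.0 - p_none)


def entity_risk(events):
    """Roll each event's score up to every entity (user, file, machine, app) it touched."""
    per_entity = defaultdict(list)
    for event in events:
        for kind in ("user", "file", "machine", "application"):
            if kind in event:
                per_entity[(kind, event[kind])].append(event["score"])
    return {entity: aggregate_scores(s) for entity, s in per_entity.items()}


# Constructed events, each already scored by one behavioral model.
EVENTS = [
    {"user": "john", "machine": "wks-17", "application": "sync-client",
     "file": "Project X", "score": score_hourly_count(1029)},
    {"user": "john", "machine": "wks-17", "score": 15},   # unusual hour
    {"user": "ann", "application": "vpn", "score": 46},   # VPN from abroad
]

if __name__ == "__main__":
    for count in (22, 33, 1029):
        print(f"{count:5d} files/hour -> score {score_hourly_count(count)}")
    for (kind, name), score in sorted(entity_risk(EVENTS).items()):
        print(f"{kind:<12}{name:<12}{score}")
```

Running the file prints the scores for 22, 33 and 1029 files per hour and the per-entity roll-up; the 33 case sits in the transition zone where the two densities overlap, which is exactly where a fixed threshold rule has to guess.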

The Interset Synthesis
ACQUIRE: Data ingest. Broad data collection from SIEM, IAM & network, endpoint + DLP, business applications and custom data.
BASELINE: Learn. Create entity profiles for users/accounts, machines, data files, applications and projects using 200+ behavioral models.
DETECT: Anomalies. Detect, measure & score anomalies such as internal recon, infected host, data staging & theft, compromised account, lateral movement, account misuse, fraud and custom; the output is a risky entity with a score (92 in the diagram).
INVESTIGATE: Validate. Contextual views, drill-down and cyber-hunting.
REMEDIATE: Workflow engine for incident response.

THE INTERSET APPROACH
Acquire: Gather the raw materials.
Baseline: Determine what is “normal.”
Detect: Find the behavior that matters.
Respond: Stop the threat. Now.

INTERSET ARCHITECTURE
[Architecture diagram; the only component label that survived extraction is Kibana]

REAL WORLD RESULTS AND LEARNINGS

Case Study #1: $20B Manufacturer
• 2 engineers stole data
• Previous effort: 1 year and $1 million spent; a large security vendor failed to find anything
• In 2 weeks: easily identified the 2 engineers, found 3 additional users stealing data in North America and 8 additional users stealing data in China

Lesson #1: The Math Matters – Test It
• Too much snake oil
• The math matters, but the use case matters more!
• Don’t rely on a smoking gun
Recommendations
• Agree on the use cases in advance
• Use a proof-of-concept with historical/existing data to test the security analytics (SA) system’s math
• Engage red team or pen testing if available
• Evaluate the results: Do they support the use cases?

Case Study #2: Every Interset Customer
Millions of events analyzed with machine learning → anomalies discovered by data science → high quality “most wanted” list
By analyzing the intersection of data from users, machines, files, projects, servers, sharing behavior, resources, websites, IP addresses and more

Lesson #2: Fewer Alerts, Not More
• The solution should help you deal with fewer alerts, not more alerts
• The solution should leverage sound statistical methods to reduce false positives and noise
• It should allow you to do more with the limited resources you have
Recommendations
• Measure and quantify the amount of work effort involved with and without the Security Analytics system

Case Study #3: Defense Contractor
High Probability Anomalous Behavior Models
• Detected large copies to the portable hard drive at an unusual time of day
• Bayesian models to measure and detect highly improbable events
High Risk File Models
• Detected high risk files, including PowerPoints used to collect large amounts of inappropriate content
• Risk aggregation based on suspicious behaviors and unusual derivative movement

Lesson #3: Automated, Measured Responses
• The Security Analytics system should allow you to quantify risk, not just raise a binary alert
• Consider how to automate responses to low, medium, high and extreme risk scenarios
• Where does security analytics fit into your existing runbook?
Recommendations
• Ensure the Security Analytics system has the ability to output a risk assessment level or score, not just a binary alert
• Ensure the Security Analytics system can integrate with downstream systems
• Evaluate the solution with automated response systems as part of the deployment

Case Study #4: Healthcare Records and Payment
• Profile: 6.5 billion transactions annually, 750+ customers, 500+ employees
• Team of 7: CISO, 1 security architect, 3 security analysts, 2 network security
• Analytics surfaced (for example) an employee who attempted to move “sensitive data” from an endpoint to a personal Dropbox
• Employee was arrested and prosecuted using incident data
Results
• Focused and prioritized incident responses
• Incident alert accuracy increased from 28% to 92%
• Incident mitigation coverage doubled from 70 per week to 140

Lesson #4: Meaningful Metrics
• Hawthorne Effect: Whatever gets measured, gets optimized
Recommendations
• Define meaningful operational metrics (not just “false positives”)
• Build a process for measuring and quantifying over time, not just during a pilot
• Ensure the Security Analytics system supports a feedback process to adjust the analytics to support your target metrics

Considerations for a New Approach
• Measured Risk & Response vs Binary Risk & Response
• Open, Integrated vs Compartmentalized
• Scalable Unsupervised Machine Learning vs Constrained
• Fast, Simple, Streamlined vs Manual Obstacle Course

MORE INFO
Paul Reid, Technology Strategist
preid@interset.com
www.interset.com

What Are The Drone Anti-jamming Systems Technology?
 

A New Approach to Threat Detection: Big Data Security Analytics

  • 1. 1 | © 2017 Interset Software
    A New Approach to Threat Detection: Big Data Security Analytics
    Paul Reid, Technology Strategist, October 2017
  • 2. 2 | © 2017 Interset Software
    Alert Fatigue = Playing “Where is Waldo”
  • 3. 3 | © 2017 Interset Software
    Not Enough Time, Not Enough People
  • 4. 4 | © 2017 Interset Software
    Standard Approach – Rules and Thresholds
    A Pattern for Increased Monitoring for Intellectual Property Theft by Departing Insiders, Andrew Moore, Carnegie Mellon 2011
  • 5. 5 | © 2017 Interset Software
    The Threshold Approach Challenge (chart labels: Abnormal, Normal)
  • 6. 6 | © 2017 Interset Software
    The Threshold Approach Challenge (chart labels: Abnormal, Normal)
  • 7. 7 | © 2017 Interset Software
    The Threshold Approach Challenge (chart labels: Abnormal, Normal)
  • 8. 8 | © 2017 Interset Software
    A Probabilistic Approach
    • Computes probability that a value in a given hour is anomalous
    • Bayesian approach
    • Explicitly models both normal and abnormal distributions
    • Gaussian, Gamma
    • Estimators for both normal and abnormal based on observation
  • 9. 9 | © 2017 Interset Software
    New Approach: Distill Billions of Events into Security Leads
    Billions of Events → Hundreds of Anomalies → A Handful of Threat Leads
  • 10. 10 | © 2017 Interset Software
    Anomaly Detection and Risk Scoring Process
    Stages: Data Acquisition, Correlation, Baseline, Anomaly Detection, Risk Story Aggregation
    Example: “John synced 1029 files from Project X” (weight W1) + “John was active at 6:30 pm” (weight W2) = 95
    Anomaly Detection: outputs a score between 0-100 that represents the probability that a behavior is anomalous
    Risk Story Aggregation: aggregates the risk score to the entities involved in the event: User, File, Machine, Application
  • 11. 11 | © 2017 Interset Software
    Aggregating Behaviors for Entity Risk
    • Ann Funderburk works at an unusual hour: 15
    • … and accesses repositories that she and her peers do not usually access: 65
    • … and takes from a folder on a repository an unusual number of times: 80
    • … and moves a significantly higher volume of data than normal: 96
    • … VPNs in from China: 46
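The scoring idea on slides 8 to 11, worked through as an added Python example (not code from the deck or from Interset): a Gaussian fitted to an entity's own history stands in for "normal", a Gamma stands in for "abnormal", Bayes' rule turns an hourly value into a 0-100 anomaly score, and per-behavior scores are aggregated onto the entity with weights W1, W2, ... The baseline history, the 1% prior, the Gamma parameters (mean fixed at 10x the normal mean) and the noisy-OR aggregation rule are all assumptions made here; the deck does not state them.

```python
import math
from statistics import mean, pstdev
# Constructed baseline: files "John" synced per active hour in the past (not real data).
JOHN_HOURLY_SYNCS = [3, 5, 4, 6, 2, 5, 4, 3, 6, 5]

def fit_normal(history):
    """Gaussian for 'normal' behaviour, estimated from the entity's own history."""
    mu = mean(history)
    sigma = max(pstdev(history), 1.0)   # floor keeps a near-constant history from exploding
    return mu, sigma

def fit_abnormal(history, shape=2.0, spread=10.0):
    """Gamma for 'abnormal' behaviour (assumption: its mean is `spread` x the normal mean)."""
    mu, _ = fit_normal(history)
    return shape, spread * mu / shape   # Gamma mean = shape * scale

def log_gaussian(x, mu, sigma):
    return -0.5 * ((x - mu) / sigma) ** 2 - math.log(sigma * math.sqrt(2 * math.pi))

def log_gamma(x, shape, scale):
    if x <= 0:
        return -math.inf                # Gamma has no density at or below zero
    return (shape - 1) * math.log(x) - x / scale - math.lgamma(shape) - shape * math.log(scale)

def anomaly_score(x, history, prior_abnormal=0.01):
    """P(abnormal | x) by Bayes' rule over the two explicit distributions, scaled to 0-100.
    Done in log space so an extreme value (1029 files in an hour) does not underflow to 0/0."""
    mu, sigma = fit_normal(history)
    shape, scale = fit_abnormal(history)
    log_odds_normal = (log_gaussian(x, mu, sigma) + math.log(1 - prior_abnormal)
                       - log_gamma(x, shape, scale) - math.log(prior_abnormal))
    if log_odds_normal > 700:           # exp() would overflow: the normal hypothesis wins outright
        p_abnormal = 0.0
    else:
        p_abnormal = 1.0 / (1.0 + math.exp(log_odds_normal))
    return round(100 * p_abnormal)

def entity_risk(scores, weights):
    """Aggregate per-behaviour scores onto one entity as a weighted noisy-OR.
    The combination rule is an assumption; the deck only shows weights W1, W2 feeding a total."""
    survive = 1.0                       # probability that no weighted behaviour is truly anomalous
    for s, w in zip(scores, weights):
        survive *= 1.0 - min(max(w, 0.0), 1.0) * min(max(s, 0), 100) / 100.0
    return round(100 * (1.0 - survive))

if __name__ == "__main__":
    sync = anomaly_score(1029, JOHN_HOURLY_SYNCS)   # "John synced 1029 files" -> 100
    after_hours = 20                                 # constructed score for "active at 6:30 pm"
    print(sync, entity_risk([sync, after_hours], [0.9, 0.5]))
```

Values near the baseline score 0, values a few standard deviations out climb steeply (9 files scores in the twenties, 10 files in the nineties), which is the "explicitly modelled abnormal distribution" doing the work a fixed threshold cannot.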
  • 12. 12 | © 2017 Interset Software
    The Interset Synthesis
    Pipeline: ACQUIRE DATA → INGEST → BASELINE (LEARN, CREATE ENTITY PROFILE) → 200+ BEHAVIORAL MODELS (DETECT ANOMALIES) → INVESTIGATE → VALIDATE → REMEDIATE → RISKY ENTITY (score 92)
    Data sources: SIEM, IAM & NETWORK, ENDPOINT + DLP, BUSINESS APPLICATIONS, CUSTOM DATA
    Threat types: INTERNAL RECON, INFECTED HOST, DATA STAGING & THEFT, COMPROMISED ACCOUNT, LATERAL MOVEMENT, ACCOUNT MISUSE, CUSTOM, FRAUD
    Entities: Users/Accounts, Machines, Data Files, Applications, Projects
    Broad data collection. Detect, measure & score anomalies. Contextual views. Drill-down and cyber-hunting. Workflow engine for incident response.
  • 13. 13 | © 2017 Interset Software
    THE INTERSET APPROACH
    Acquire: gather the raw materials. Baseline: determine what is “normal.” Detect: find the behavior that matters. Respond: stop the threat. Now.
  • 14. 14 | © 2017 Interset Software
    THE INTERSET APPROACH
    Acquire: gather the raw materials. Baseline: determine what is “normal.” Detect: find the behavior that matters. Respond: stop the threat. Now.
  • 15. 15 | © 2017 Interset Software
    INTERSET ARCHITECTURE (diagram; Kibana)
  • 16. 16 | © 2017 Interset Software
    REAL WORLD RESULTS AND LEARNINGS
  • 17. 17 | © 2017 Interset Software
    Case Study #1: $20B Manufacturer
    2 Engineers stole data
    1 Year, $1 Million Spent: large security vendor failed to find anything
    2 Weeks: easily identified the 2 Engineers; found 3 additional users stealing data in North America; found 8 additional users stealing data in China
  • 18. 18 | © 2017 Interset Software
    Lesson #1: The Math Matters – Test It
    • Too much snake oil
    • The math matters – but the use case matters more!
    • Don’t rely on a smoking gun
    Recommendations
    • Agree on the use cases in advance
    • Use a proof-of-concept with historical/existing data to test the SA’s math
    • Engage red team or pen testing if available
    • Evaluate the results: Do they support the use cases?
  • 19. 19 | © 2017 Interset Software
    Case Study #2: Every Interset Customer
    Millions of events analyzed with machine learning → Anomalies discovered by data science → High quality “most wanted” list
    By analyzing the intersection of data from users, machines, files, projects, servers, sharing behavior, resources, websites, IP addresses and more
  • 20. 20 | © 2017 Interset Software
    Lesson #2: Fewer Alerts, Not More
    • Solution should help you deal with fewer alerts, not more alerts
    • Solution should leverage sound statistical methods to reduce false positives and noise
    • Should allow you to do more with the limited resources you have
    Recommendations
    • Measure and quantify the amount of work effort involved with and without the Security Analytics system
  • 21. 21 | © 2017 Interset Software
    Case Study #3: Defense Contractor
    High Probability Anomalous Behavior Models
    • Detected large copies to the portable hard drive, at an unusual time of day
    • Bayesian models to measure and detect highly improbable events
    High Risk File Models
    • Detected high risk files, including PowerPoints used to collect large amounts of inappropriate content
    • Risk aggregation based on suspicious behaviors and unusual derivative movement
  • 22. 22 | © 2017 Interset Software
    Lesson #3: Automated, Measured Responses
    • Security Analytics system should allow you to quantify risk, not just a binary alert
    • Consider how to automate responses to low, medium, high and extreme risk scenarios
    • Where does security analytics fit into your existing runbook?
    Recommendations
    • Ensure the Security Analytics system has the ability to output a risk assessment level or score, not just a binary alert
    • Ensure the Security Analytics system can integrate with downstream systems
    • Evaluate the solution with automated response systems as part of the deployment
  • 23. 23 | © 2017 Interset Software
    Case Study #4: Healthcare Records and Payment
    • Profile: 6.5 billion transactions annually, 750+ customers, 500+ employees
    • Team of 7: CISO, 1 security architect, 3 security analysts, 2 network security
    • Analytics surfaced (for example) an employee who attempted to move “sensitive data” from endpoint to personal Dropbox
    • Employee was arrested and prosecuted using incident data
    Results: focused and prioritized incident responses; incident alert accuracy increased from 28% to 92%; incident mitigation coverage doubled from 70 per week to 140
  • 24. 24 | © 2017 Interset Software
    Lesson #4: Meaningful Metrics
    • Hawthorne Effect: whatever gets measured, gets optimized
    Recommendations
    • Define meaningful operational metrics (not just “false positives”)
    • Build a process for measuring and quantifying over time, not just during a pilot
    • Ensure the Security Analytics system supports a feedback process to adjust the analytics to support your target metrics
  • 25. 25 | © 2017 Interset Software
    Considerations for a New Approach
    • Measured Risk & Response VS Binary Risk & Response
    • Open, Integrated VS Compartmentalized
    • Scalable Unsupervised Machine Learning VS Constrained
    • Fast, Simple, Streamlined VS Manual Obstacle Course
  • 26. 26 | © 2017 Interset Software
    MORE INFO: WWW.INTERSET.COM
    Paul Reid, Technology Strategist, preid@interset.com, www.interset.com