Machine Learning + AI for Accelerated Threat-Hunting
© 2017 Interset Software
Slide 2: How Fast Can You Find the Threats That Matter?
Slide 4: Standard Approach – Rules and Thresholds
Reference: A Pattern for Increased Monitoring for Intellectual Property Theft by Departing Insiders, Andrew Moore, Carnegie Mellon, 2011
Slide 5: The Threshold Approach Challenge
(Diagram: a fixed threshold line separating "Normal" from "Abnormal".)
Slide 8: A Probabilistic Approach
• Computes the probability that a value in a given hour is anomalous
• Bayesian approach
• Explicitly models both the normal and the abnormal distributions (Gaussian, Gamma)
• Estimators for both the normal and the abnormal distribution are based on observation
Slide 9: New Approach: Distill Billions of Events into Security Leads
41,465,083 events → 500 anomalies → 11 risky entities
Slide 10: Anomaly Detection and Risk Scoring Process
Pipeline: Data Acquisition → Correlation → Baseline → Anomaly Detection → Risk Story Aggregation (weights W1, W2)
Example: "John synced 1029 files from Project X" + "John was active at 6:30 pm" = 95
• Anomaly detection outputs a score between 0 and 100, representing the probability that a behavior is anomalous
• Risk story aggregation aggregates the risk score to the entities involved in the event: User, File, Machine, Application
Slide 11: Aggregating Behaviors for Entity Risk
Ann Funderburk works at an unusual hour: 15
… and accesses repositories that she and her peers do not usually access: 65
… and takes from a folder on a repository an unusual number of times: 80
… and moves a significantly higher volume of data than normal: 96
… and VPNs in from China: 46
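The following is a worked illustration added to this transcript, not Interset's code, of the ideas on slides 5, 8, 10 and 11: one entity's hourly baseline is fitted (a Gamma for the normal model and a wide Gaussian for the abnormal model, the two families slide 8 names), Bayes' rule turns an observed hour into a 0 to 100 anomaly score, a static threshold is evaluated on the same data for contrast, and behaviour scores are aggregated onto the entities they touch. The prior P(abnormal) = 0.01, the width of the abnormal model, the noisy-OR aggregation, and all baseline numbers, users and repository names are assumptions made for the example; the deck gives the Ann Funderburk scores but not its aggregation formula.

```python
"""Per-entity Bayesian anomaly scoring contrasted with a static threshold,
plus aggregation of behaviour scores into entity risk.

Added example, not Interset's code. Modelling choices here are simplifying
assumptions: 'normal' is a Gamma fitted by method of moments to the entity's
own hourly baseline; 'abnormal' is a wide Gaussian centred on the same mean;
the prior P(abnormal) is 1%; entity risk is a noisy-OR of the behaviour
scores touching the entity. All sample data is constructed.
"""
import math
from statistics import mean, pvariance

PRIOR_ABNORMAL = 0.01          # assumed prior that any given hour is anomalous
LOG2PI = math.log(2 * math.pi)


def fit_baseline(hourly_values):
    """Method-of-moments estimates for one entity's hourly baseline.

    Returns (shape, scale) of the Gamma 'normal' model and (mu, sigma) of the
    Gaussian 'abnormal' model. The abnormal sigma is deliberately wide
    (assumption: the larger of the mean and ten baseline standard deviations)
    so it puts mass where the normal model puts almost none.
    """
    mu = mean(hourly_values)
    if mu <= 0:
        raise ValueError("baseline needs a positive mean")
    var = pvariance(hourly_values, mu)
    if var <= 0:                      # perfectly constant baseline: add a floor
        var = max(mu, 1.0) * 0.01
    shape, scale = mu * mu / var, var / mu
    return (shape, scale), (mu, max(mu, 10 * math.sqrt(var)))


def log_gamma_pdf(x, shape, scale):
    """Log density of Gamma(shape, scale) at x, kept in log space so that the
    large shape parameters of high-volume entities do not overflow math.gamma."""
    x = max(x, 1e-9)
    return ((shape - 1) * math.log(x) - x / scale
            - math.lgamma(shape) - shape * math.log(scale))


def log_gauss_pdf(x, mu, sigma):
    z = (x - mu) / sigma
    return -0.5 * z * z - math.log(sigma) - 0.5 * LOG2PI


def anomaly_score(x, baseline, prior=PRIOR_ABNORMAL):
    """Posterior probability that this hour's value x is anomalous, as 0..100.

    P(A|x) = pi_A f_A(x) / (pi_A f_A(x) + (1 - pi_A) f_N(x)), evaluated with
    log-sum-exp so extreme values neither underflow to 0/0 nor overflow.
    """
    (shape, scale), (mu, sigma) = baseline
    log_abn = math.log(prior) + log_gauss_pdf(x, mu, sigma)
    log_nrm = math.log(1 - prior) + log_gamma_pdf(x, shape, scale)
    m = max(log_abn, log_nrm)
    log_total = m + math.log(math.exp(log_abn - m) + math.exp(log_nrm - m))
    return round(100 * math.exp(log_abn - log_total))


def static_threshold_flag(x, threshold=200):
    """The rules-and-thresholds approach: one fixed cut-off for every entity."""
    return x > threshold


def entity_risk(behaviours):
    """Aggregate behaviour scores onto every entity each behaviour touches.

    behaviours: iterable of (score_0_100, [entity, ...]).
    Assumption: noisy-OR, risk = 1 - prod(1 - p_i), so each additional
    anomalous behaviour raises an entity's risk and never lowers it.
    """
    survival = {}
    for score, entities in behaviours:
        for e in entities:
            survival[e] = survival.get(e, 1.0) * (1 - score / 100)
    return {e: round(100 * (1 - s)) for e, s in survival.items()}


# Constructed baselines: files synced per hour over ten ordinary working hours.
ANN_BASELINE = fit_baseline([4, 5, 6, 5, 4, 6, 5, 5, 4, 6])               # about 5/hour
BOB_BASELINE = fit_baseline([380, 420, 400, 410, 390, 400, 420, 380, 400, 400])  # build engineer, about 400/hour


def demo():
    """Scores both approaches give to one hour of activity for each user."""
    return {
        # Ann pulls 150 files: under the fixed cut-off, far outside her own normal.
        "ann_150_threshold": static_threshold_flag(150),
        "ann_150_bayes": anomaly_score(150, ANN_BASELINE),
        # Bob does his usual 420: the fixed rule fires, his own baseline does not.
        "bob_420_threshold": static_threshold_flag(420),
        "bob_420_bayes": anomaly_score(420, BOB_BASELINE),
        "ann_6_bayes": anomaly_score(6, ANN_BASELINE),
    }


# Slide 11's chain of behaviours for one user; the repository link is assumed.
ANN_BEHAVIOURS = [
    (15, ["user:ann.funderburk"]),                       # unusual hour
    (65, ["user:ann.funderburk", "repo:project-x"]),     # repos she and peers don't use
    (80, ["user:ann.funderburk", "repo:project-x"]),     # unusual number of folder takes
    (96, ["user:ann.funderburk"]),                       # significantly higher data volume
    (46, ["user:ann.funderburk"]),                       # VPN in from China
]

if __name__ == "__main__":
    print(demo())
    print(entity_risk(ANN_BEHAVIOURS))
```

The per-entity baseline is what separates the two approaches: Bob's 420 files is within two of his own standard deviations and scores near 0, while Ann's 150 is roughly 190 of hers and scores 100, yet a single 200-file cut-off flags Bob every hour and misses Ann. The noisy-OR aggregation then carries all five of Ann's behaviour scores onto her user entity (and the two repository behaviours onto the repository), which is the accumulation slide 11 shows.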
Slide 12: The Interset Synthesis
ACQUIRE DATA → BASELINE → DETECT → THREAT LEADS
Slide 13: How Billions of Events Become Qualified Threat Leads
1. Acquire data: gather the raw materials. Broad data collection from DLP, Endpoint, Biz Apps, Custom Data, Network, IAM.
2. Create unique baselines: determine what is normal.
3. Detect, measure and score anomalies: find the behavior that matters.
4. High-quality threat leads: contextual views, drill-down and cyber-hunting; workflow engine for incident response.
Slide 14: Unsupervised Machine Learning & AI
Same four-stage pipeline as slide 13 (acquire data from DLP, Endpoint, Biz Apps, Custom Data, Network, IAM; create unique baselines; detect, measure and score anomalies; high-quality threat leads), with the threat use cases the scored anomalies feed: Internal Recon, Infected Host, Data Staging & Theft, Compromised Account, Lateral Movement, Account Misuse, Custom, Fraud. The diagram adds Kibana at the threat-lead stage (contextual views, drill-down and cyber-hunting; workflow engine for incident response).
Slide 15: Scalable Architecture for Self-Learning Threat Detection
Same diagram as slide 14 (data sources, unique baselines, scored anomalies, threat use cases, Kibana), with the Interset Analytics component labelled in the diagram.
Slide 16: McAfee Integration

Slide 17: (image only, no text)
Slide 18: Desired Outcomes – McAfee
Source: https://www.mcafee.com/us/resources/misc/infographic-soc-collaboration.pdf
Slide 19: New Approach: Distill Billions of Events into Security Leads
41,465,083 events → 500 anomalies discovered → 11 risky entities
Slide 20: Together, Powering the Business of Security
Layers in the diagram: Business Outcomes; McAfee Ecosystem and Applications; Interset Analytics Platform; Data Exchange Layer (DXL).
Security analytics:
• Addressing more threats, faster and with fewer resources
• Machine finds "leads" for humans to investigate
• Results to the McAfee ecosystem for orchestration
Business outcomes: reduce or eliminate data theft, espionage, IP theft, sabotage, fraud, APT.
Slide 21: McAfee ENS and DLP Data Enrichment Framework
Same pipeline as slide 10 (Data Acquisition → Correlation → Baseline → Anomaly Detection → Risk Story Aggregation), with enrichment points P1, P2, P3 and weights W1, W2, W3.
Example: "John synced 1029 files from Project X" + "John was active at 6:30 pm" = 95
Slide 22: McAfee ESM Integration
Security Analytics ↔ ESM over DXL
Slide 23: McAfee ePO Integration
Security Analytics applies tags (Tag, Tag, Tag) via DXL
Slide 24: McAfee MAR Reaction Integration
Security Analytics ↔ MAR over DXL
Slide 25: Thank you
More info: www.interset.com, sales@interset.com