A Million Mousetraps
Using Big Data and Little Loops to Build Better Defenses
Allison Miller
Overview
Protecting customers on an open platform

Big data + little loops enable automation via analytics

Decisions as defenses

Putting your data to work
the interdependent system
the porous attack surface
so, about that perimeter...
Spam
Credential theft
Malware
Bots
Account takeover
Fraud
DoS
Phishing
Griefers
Scammers
The Better Mousetrap
Automates defensive action cross-platform

- Fast: in real time, in time to minimize loss

- Accurate: reasonable false positives, as good as a human specialist

- Cheap: reduces more loss than cost created, cheaper than manual intervention
BIG DATA & LITTLE LOOPS
Sample access-log and error-log lines:
123.123.123.123 - - [26/Apr/2000:00:23:48 -0400] "GET /pics/wpaper.gif HTTP/1.0" 200 6248 "http://www.jafsoft.com/asctortf/" "Mozilla/4.05 (Macintosh; I; PPC)"
123.123.123.123 - - [26/Apr/2000:00:23:47 -0400] "GET /asctortf/ HTTP/1.0" 200 8130 "http://search.netscape.com/Computers/Data_Formats/Document/Text/RTF" "Mozilla/4.05 (Macintosh; I; PPC)"
123.123.123.123 - - [26/Apr/2000:00:23:48 -0400] "GET /pics/5star2000.gif HTTP/1.0" 200 4005 "http://www.jafsoft.com/asctortf/" "Mozilla/4.05 (Macintosh; I; PPC)"
[Tue Mar 9 22:02:41 2004] [info] created shared memory segment #10813446
[Tue Mar 9 22:02:41 2004] [notice] Apache/1.3.29 (Unix) mod_ssl/2.8.16 OpenSSL/0.9.7c configured -- resuming normal operations
[Tue Mar 9 22:02:41 2004] [info] Server built: Mar 7 2004 13:38:59
pausing [http://xmlrevenue.com/s.php?username=jenneypan&keywords=Online+Gambling] for 50000 ms
[Tue Mar 9 22:04:16 2004] [error] [client 218.93.92.137] mod_security: Access denied with code 200. Pattern match "Basic" at HEADER.
[Tue Mar 9 22:07:16 2004] [error] [client 203.121.182.190] mod_security: Invalid character detected [4]
123.123.123.123 - - [26/Apr/2000:00:23:50 -0400] "GET /pics/5star.gif HTTP/1.0" 200 1031 "http://www.jafsoft.com/asctortf/" "Mozilla/4.05 (Macintosh; I; PPC)"
123.123.123.123 - - [26/Apr/2000:00:23:51 -0400] "GET /pics/a2hlogo.jpg HTTP/1.0" 200 4282 "http://www.jafsoft.com/asctortf/" "Mozilla/4.05 (Macintosh; I; PPC)"
123.123.123.123 - - [26/Apr/2000:00:23:51 -0400] "GET /cgi-bin/newcount?jafsof3&width=4&font=digital&noshow HTTP/1.0" 200 36 "http://www.jafsoft.com/asctortf/" "Mozilla/4.05 (Macintosh; I; PPC)"
[Tue Mar 9 22:02:41 2004] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Tue Mar 9 22:03:26 2004] [error] [client 218.93.92.137] mod_security:
BIG DATA & LITTLE LOOPS
* Loop Disposition: Logic, Human, or Other?
APPLIED RISK ANALYTICS
Use of technology, data, research and statistics to solve problems associated with losses or costs due to security vulnerabilities or gaps in a system, resulting in the deployment of optimized detection, prevention, or response capabilities.
BRIEF TANGENT
WHAT IS THE DIFFERENCE BETWEEN RISK ANALYTICS AND RISK METRICS?
Such as...

Metrics                               Analytics
$ loss transactions                   Purchase trends of high-loss users
# compromised accounts                IP sources of bad login attempts
% of spam messages delivered          Spam subject lines generating most clicks
Minutes of downtime                   Most process-intensive applications
# customer contacts generated         Highest-contact exception flows
YMMV
END TANGENT
Applied where?
Where risks manifest in observable behavior

Where system owners make decisions

Where controls can be optimized by better recognizing identity, intent, or change
Decisions, Decisions

                         RESPONSE
POPULATION     Authorize                                    Block
Good           correct                                      false positive (good action gets blocked)
Bad            false negative (bad action gets through)     correct

Incorrect decisions have a cost; correct decisions are free (usually). Either error also has downstream impacts.
BIG DATA & LITTLE LOOPS
"Why are you picking on me?"
"Boo-yah! Still getting away with it."
"<Sigh> Nobody understands me."
Such as...
Populations
- Users, Transactions, Messages, Packets, API calls, Files

Actions
- Allow, Block, Challenge, Review, Retry, Quarantine, Add privileges, Upgrade privileges, Make offer

Costs
- Fraud, Data leakage, Customer churn, Customer contacts, Downstream liability
Applying Decisions
Risk management is decision management

ACTOR ATTEMPTS ACTION -> SUBMIT -> WHAT IS THE REQUEST? -> HOW TO HONOR THE REQUEST? -> SHOULD WE HONOR IT? -> RESULT: ACTION OCCURS
For example:

ACTOR ATTEMPTS PAYMENT -> SUBMIT -> p(actor attempting payment is accountholder) = f(variable A + variable B + ...) -> Decision: Authorize / Review / Refer / Request authentication / Decline
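The two slides above, the good/bad versus authorize/block matrix and the payment flow, read as one decision function. This is an added example, not code from the talk: a score p(bad) = f(variable A + variable B + ...) through a logistic link, and each available action priced by its expected cost so that the cheapest one wins. The variable weights, the per-action costs and the sample attempts are all constructed for the example; in practice the weights come from a trained model and the costs from loss and operations data.

```python
"""Expected-cost decisioning for a payment attempt.

Added example, not the talk's own code. It joins two slides: the
good/bad vs authorize/block matrix (wrong decisions cost, right ones are
free) and the payment flow where p(bad) = f(variable A + variable B + ...)
feeds a choice among Authorize / Request authentication / Review /
Decline. The weights, per-action costs and sample transactions are all
constructed; in practice the weights come from a trained model and the
costs from loss and operations data.
"""
import math

ACTIONS = ("authorize", "challenge", "review", "decline")

# Constructed model: log-odds weight per variable, plus intercept.
WEIGHTS = {"ip_country_mismatch": 1.8, "new_shipping_address": 1.1,
           "high_risk_category": 1.4, "known_device": -2.0}
INTERCEPT = -4.0

# Constructed unit costs. A correct decision costs nothing; each wrong
# outcome is priced in currency units or as a share of the amount.
FRICTION_COST = 2.0    # good customer made to authenticate again
CHALLENGE_LEAK = 0.05  # share of fraud that still passes the challenge
REVIEW_COST = 15.0     # analyst time per reviewed case
REVIEW_DELAY = 1.0     # good customer's order held while reviewed
REVIEW_LEAK = 0.02     # share of fraud a reviewer misses
LOST_MARGIN = 0.03     # margin lost when a good order is declined
CONTACT_COST = 8.0     # support contact a declined good customer generates


def p_bad(variables):
    """Score the attempt: f(variable A + variable B + ...) through a logistic link."""
    z = INTERCEPT + sum(WEIGHTS[k] * float(v) for k, v in variables.items() if k in WEIGHTS)
    return 1.0 / (1.0 + math.exp(-z))


def expected_cost(action, p, amount):
    """Expected cost of `action` when the actor is bad with probability p."""
    good, bad = 1.0 - p, p
    if action == "authorize":
        return bad * amount                                  # false negative: fraud loss
    if action == "challenge":
        return good * FRICTION_COST + bad * CHALLENGE_LEAK * amount
    if action == "review":
        return REVIEW_COST + good * REVIEW_DELAY + bad * REVIEW_LEAK * amount
    if action == "decline":
        return good * (LOST_MARGIN * amount + CONTACT_COST)  # false positive: good order lost
    raise ValueError(action)


def decide(variables, amount):
    """Choose the action with the lowest expected cost. Returns (action, p_bad, costs)."""
    p = p_bad(variables)
    costs = {a: expected_cost(a, p, amount) for a in ACTIONS}
    return min(costs, key=costs.get), p, costs


def authorize_threshold(amount):
    """p(bad) at which challenging starts to beat authorizing; it falls as the amount at risk rises."""
    return FRICTION_COST / ((1.0 - CHALLENGE_LEAK) * amount + FRICTION_COST)


if __name__ == "__main__":
    # Constructed attempts: the slide's prepaid-phone pattern with and without a known device.
    pattern = {"ip_country_mismatch": 1, "new_shipping_address": 1, "high_risk_category": 1}
    for label, variables, amount in [
        ("repeat customer, known device", {"known_device": 1}, 50.0),
        ("bad pattern, unknown device", pattern, 900.0),
        ("bad pattern, known device (reseller)", dict(pattern, known_device=1), 900.0),
        ("IP mismatch only, small basket", {"ip_country_mismatch": 1}, 15.0),
    ]:
        action, p, costs = decide(variables, amount)
        print(f"{label}: p_bad={p:.3f} -> {action} (challenge threshold {authorize_threshold(amount):.3f})")
```

The same score leads to different actions as the amount at risk changes, which is why the slide asks "how much $$ is at risk" alongside p(bad): a mismatch on a small basket is cheaper to authorize than to challenge, while the same pattern on a large one is cheapest to decline unless a known device pulls the score down.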
Flavors of Risk Models
Anomaly flavor: "I deviate significantly from a normal (good) pattern" (fa(x), fb(x), fc(x))
Signature flavor: "I summarize a known bad pattern" (fq(x), fr(x), fs(x))
What is normal?
http://en.wikipedia.org/wiki/Normal_distribution
WHAT IS BAD? WHAT IS GOOD?
Study history...
Who
What
Where
When
Why
And then?
Study history...

Signals: user IP country <> billing country; buying prepaid mobile phones; adding a new shipping address in the cart.

However: buyer = phone reseller, with a static machine ID.

How much $$ is at risk?

What is "normal" for this customer?

What "bad" profiles does this match?
SHALL WE PLAY A GAME?
(Since we can't play "Clue" for every login, transaction, new user, message, friend request, attachment, packet, wink, poke or click, we build risk models.)
Model Development Process
Target -> Yes/No questions best

Find Data, Variable Creation -> Best part

Data Prep -> Worst part

Model Training -> Pick an algorithm

Assessment -> Catch vs FP rate

Deployment -> Decisioning vs Detection
Signal                                      Derived variables
User IP country <> billing country          Geolocate IP; convert geo to country code; flag on mismatch
Buying prepaid mobile phones                Cart category; merchandise risk level
Add new shipping address in cart            Date added; address type; string matching against the customer profile
Buyer = phone reseller, static machine ID   Device ID; device history
How much $$ is at risk?                     Transaction $ amount
What is "normal" for this customer?         Customer profile: churn risk, CLV, txns, logins, stolen CC, ...
What "bad" profiles does this match?
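The prepaid-phone checkout from the "Study history" slide and the variable pipeline above, as an added example that is not the talk's code: one checkout event plus the customer profile is flattened into the listed variables, and then the slide's three questions are asked of it. The amount at risk is a variable, "what is normal for this customer" is answered by the anomaly flavor of model (deviation from the customer's own history), and "what bad profile does this match" by the signature flavor (the known reship pattern). The IP-prefix table, the category risk table, the customer record and both checkouts are constructed; a real system would use a geolocation database and learned profiles.

```python
"""Variable creation for the prepaid-phone checkout example.

Added example, not the talk's own code. It turns one checkout event and
the customer's profile into the flat variables the slide lists, then
answers the slide's three questions: how much is at risk, what is normal
for this customer (the anomaly flavour of model) and which known-bad
profile it matches (the signature flavour). The IP-prefix table, category
risk table, customer record and both checkouts are constructed; a real
system would use a geolocation database and learned customer profiles.
"""
from datetime import datetime
from difflib import SequenceMatcher

# Constructed stand-in for an IP geolocation lookup (documentation prefixes only).
IP_PREFIX_TO_COUNTRY = {"203.0.113.": "NG", "198.51.100.": "US", "192.0.2.": "GB"}

# Constructed merchandise risk level per cart category (0 = low .. 3 = very high).
CATEGORY_RISK = {"books": 0, "clothing": 1, "electronics": 2,
                 "prepaid_mobile": 3, "gift_card": 3}

NOW = datetime(2012, 9, 1, 12, 0)  # constructed "current time" for the example

CUSTOMER = {  # constructed: a phone reseller with a long history on one device
    "name": "Jane Doe Wireless", "billing_country": "US",
    "device_history": {"dev-abc": 47},        # device id -> prior transactions
    "avg_txn_amount": 850.0, "std_txn_amount": 120.0,
    "txn_count": 60, "login_count_30d": 25,
    "churn_risk": 0.1, "clv": 40000.0, "card_reported_stolen": False,
}
RESELLER_TXN = {  # the slide's bad pattern, but from the customer's usual device
    "ip": "203.0.113.7", "device_id": "dev-abc", "amount": 900.0,
    "cart_categories": ["prepaid_mobile"],
    "shipping_address": {"name": "Jane Doe Wireless",
                         "date_added": datetime(2012, 8, 31, 23, 0)},
}
STRANGER_TXN = {  # same surface pattern from an unknown device, new name, big basket
    "ip": "203.0.113.7", "device_id": "dev-zzz", "amount": 2400.0,
    "cart_categories": ["prepaid_mobile", "gift_card"],
    "shipping_address": {"name": "Kola Adebayo",
                         "date_added": datetime(2012, 9, 1, 11, 50)},
}


def geolocate(ip):
    """Map an IP to a country code via the constructed prefix table; None if unknown."""
    for prefix, country in IP_PREFIX_TO_COUNTRY.items():
        if ip.startswith(prefix):
            return country
    return None


def name_similarity(a, b):
    """String match between two names after case/whitespace normalisation (0..1)."""
    norm = lambda s: " ".join(s.lower().split())
    return SequenceMatcher(None, norm(a), norm(b)).ratio()


def build_variables(txn, customer, now=NOW):
    """Flatten a checkout plus the customer profile into numeric model variables."""
    ip_country = geolocate(txn["ip"])
    ship = txn["shipping_address"]
    address_age_days = (now - ship["date_added"]).days
    device_txns = customer["device_history"].get(txn["device_id"], 0)
    return {
        "ip_country_mismatch": int(ip_country is not None and ip_country != customer["billing_country"]),
        "ip_country_unknown": int(ip_country is None),
        "cart_risk_level": max(CATEGORY_RISK.get(c, 1) for c in txn["cart_categories"]),
        "new_shipping_address": int(address_age_days < 1),
        "shipping_address_age_days": address_age_days,
        "ship_name_match": name_similarity(ship["name"], customer["name"]),
        "device_seen_before": int(device_txns > 0),
        "device_txn_count": device_txns,
        "txn_amount": txn["amount"],                       # how much $$ is at risk
        "churn_risk": customer["churn_risk"],
        "clv": customer["clv"],
        "txn_count": customer["txn_count"],
        "login_count_30d": customer["login_count_30d"],
        "card_reported_stolen": int(customer["card_reported_stolen"]),
    }


def customer_anomaly(v, customer):
    """Anomaly flavour: how far this checkout deviates from the customer's own normal."""
    z = (v["txn_amount"] - customer["avg_txn_amount"]) / max(customer["std_txn_amount"], 1.0)
    return {
        "amount_z": round(z, 2),
        "unusual_amount": int(abs(z) > 3),
        "unknown_device": int(not v["device_seen_before"]),
        "unknown_ship_name": int(v["ship_name_match"] < 0.8),
    }


def bad_profile_match(v):
    """Signature flavour: the slide's reship pattern (foreign IP, high-risk goods, brand-new address)."""
    return int(v["ip_country_mismatch"] and v["cart_risk_level"] >= 3 and v["new_shipping_address"])
```

Both checkouts match the bad profile; only the stranger's deviates from the customer's normal. That is the slide's "however": the signature alone would block the reseller, and the customer-relative variables are what keep a good action from being blocked.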
Model Training
Some algorithms:

- Regression: finds the equation that best describes the relationship between the dependent (target) variable and the independent variables

Linear regression: the best equation is a line

Logistic regression: the best equation is an S-shaped curve; the log-odds of the target are linear in the variables, which suits yes/no targets

- Bayesian estimation: used to estimate regression models; useful when working with small data sets

- Neural nets: can approximate any non-linear function and are often highly predictive, but do not explain the relationship between the dependent and independent variables
Reading the output of LOGISTIC <DEPVAR> <VAR1> <VAR2>... (the dependent variable first, then the independent variables):

- Pseudo R-squared: the share of variance in the dependent variable explained by the independent variables

- Odds ratio, per variable: the factor by which the odds of the dependent variable go up when that independent variable is incremented by one

- P-value, per variable: should be below the significance level (.05); throw the variable out if it is greater

Note that with millions of rows almost every variable clears .05, so judge a variable by its odds ratio and the lift it adds, not by its p-value alone.
GAIN
More gain/lift = more efficient predictions

Catch as much as possible (as much of the "bads")

Minimize the overall population affected (acted upon)
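The training and assessment steps above, as an added example that is not the talk's code. The slide annotates a statistics package's LOGISTIC output; this block does the equivalent in plain Python with no libraries: batch gradient ascent on the log-likelihood, odds ratios exp(beta) for "the factor the odds go up when a variable is incremented", McFadden's pseudo-R-squared for "variance explained", catch rate versus false-positive rate at a threshold, and cumulative gain by decile. Standard errors and p-values are not computed here. The training rows are constructed from a seeded generator with a known true logit, so the fit can be checked against it.

```python
"""Train a logistic risk model and assess it by odds ratios, catch rate and lift.

Added example, not the talk's own code. Plain Python: batch gradient
ascent on the log-likelihood, odds ratios exp(beta), McFadden pseudo-R^2,
catch vs false-positive rate at a threshold, and cumulative gain by
decile. No standard errors or p-values. Training rows are constructed
from a seeded generator with a known true logit.
"""
import math
import random

FEATURES = ["ip_country_mismatch", "new_shipping_address", "amount_over_avg"]
TRUE_INTERCEPT, TRUE_BETAS = -3.0, [2.5, 1.2, 0.8]  # constructed ground truth


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def make_data(n=1500, seed=7):
    """Constructed sample: two flags and one scaled amount, label drawn from the true logit."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        x = [float(rng.random() < 0.15), float(rng.random() < 0.25), rng.random() * 3.0]
        logit = TRUE_INTERCEPT + sum(b * xi for b, xi in zip(TRUE_BETAS, x))
        rows.append((x, int(rng.random() < sigmoid(logit))))
    return rows


def predict(model, x):
    """p(bad) for one row; model = (intercept, betas)."""
    b0, beta = model
    return sigmoid(b0 + sum(b * xi for b, xi in zip(beta, x)))


def train_logistic(rows, lr=0.5, epochs=300):
    """Batch gradient ascent on the Bernoulli log-likelihood (no regularisation)."""
    k, n = len(rows[0][0]), len(rows)
    b0, beta = 0.0, [0.0] * k
    for _ in range(epochs):
        g0, g = 0.0, [0.0] * k
        for x, y in rows:
            err = y - predict((b0, beta), x)
            g0 += err
            for j in range(k):
                g[j] += err * x[j]
        b0 += lr * g0 / n
        beta = [b + lr * gj / n for b, gj in zip(beta, g)]
    return b0, beta


def log_likelihood(model, rows):
    total = 0.0
    for x, y in rows:
        p = min(max(predict(model, x), 1e-12), 1.0 - 1e-12)
        total += math.log(p) if y else math.log(1.0 - p)
    return total


def mcfadden_r2(model, rows):
    """1 - LL(model)/LL(intercept-only): the slide's 'variance explained' figure."""
    base = sum(y for _, y in rows) / len(rows)
    null = (math.log(base / (1.0 - base)), [0.0] * len(rows[0][0]))
    return 1.0 - log_likelihood(model, rows) / log_likelihood(null, rows)


def odds_ratios(model):
    """exp(beta): the factor the odds of 'bad' rise per unit increase in each variable."""
    return {f: math.exp(b) for f, b in zip(FEATURES, model[1])}


def catch_and_fp_rate(model, rows, threshold):
    """(share of bads flagged, share of goods flagged) when flagging p >= threshold."""
    tp = fp = pos = neg = 0
    for x, y in rows:
        flagged = predict(model, x) >= threshold
        if y:
            pos += 1
            tp += flagged
        else:
            neg += 1
            fp += flagged
    return tp / pos, fp / neg


def cumulative_gain(model, rows, buckets=10):
    """Share of all bads caught in the top k/10 of the population ranked by score."""
    ranked = sorted(rows, key=lambda r: predict(model, r[0]), reverse=True)
    total_bad = sum(y for _, y in rows)
    size = len(ranked) // buckets
    gains, caught = [], 0
    for d in range(buckets):
        chunk = ranked[d * size:(d + 1) * size] if d < buckets - 1 else ranked[d * size:]
        caught += sum(y for _, y in chunk)
        gains.append(caught / total_bad)
    return gains


if __name__ == "__main__":
    rows = make_data()
    model = train_logistic(rows)
    print("intercept", round(model[0], 2), {k: round(v, 2) for k, v in odds_ratios(model).items()})
    print("pseudo-R2", round(mcfadden_r2(model, rows), 3))
    print("catch, FP rate at 0.3:", catch_and_fp_rate(model, rows, 0.3))
    print("cumulative gain by decile:", [round(g, 2) for g in cumulative_gain(model, rows)])
```

The gain list is the "catch vs affected" trade-off in one line: the first entry is the share of bads caught by acting on only the riskiest tenth of the population, and moving the threshold down the ranking buys catch rate at the price of more good actions affected.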
Target
In the end, we only hit what we aim at
And now an example
Everyone loves a good 419 scam
419 example: the 411
Trigger

- A contact receives a 419 message from the victim's (free) business email account and contacts the victim out of band (OOB)

Backtrack

- Password was changed (user had to go through the reset process)

- Contacts, inbox and outbox deleted

- Login from a Nigerian IP

Elaboration

- "Reply-to" changed: an "i" swapped for an "l" (same ISP)

- Only takes Western Union
419 example: with love, from Abuja
What is the question? 

- p(ATO)

- p(Spam:scam)

- p(Fake acct creation)

What are our available answer/action
sets?

What else can we do to detect/mitigate?
419 example: Reducing 911s
Variables

- "New" session variables: new login IP, new login IP country, new cookie/machine ID

- "Change" account variables: change password, change secondary email, change name, change public profile

- "New" activity variables: send to all contacts, number of accounts in "cc" or "bcc", edit/delete contacts en masse

- Association variables: new recipients, new "reply-to" fields, "similar" accounts created/associated (fuzzy = more difficult)

User empowerment

- Stronger password reset options (SMS; since 2012 SIM-swap attacks have weakened SMS, so prefer app- or hardware-based factors where available)

- Transparency: other current sessions, past session history (IPs, logins)

- Auto-logout of all other sessions upon password reset

- Reporting: let users report the details of the elaboration as well as paste in the messages
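The variable list above turned into a per-account "little loop", as an added example that is not the talk's code. It derives the "new" session, "change", "new activity" and association variables from a window of events for one account, scores them, and maps the score to an action: allow, challenge out of band, or lock the account and log out every other session (the user-empowerment item above). The account record, the three event windows, the weights and the thresholds are constructed for illustration, and the lookalike map behind the reply-to check (the "i" to "l" swap) is deliberately partial.

```python
"""Account-takeover detection over one account's recent event stream.

Added example, not the talk's own code. It derives the "new" session,
"change", "new activity" and association variables from a window of
events for one account, scores them, and maps the score to an action.
The account record, events, weights and thresholds are constructed, and
the lookalike map used for the reply-to check is deliberately partial.
"""
from collections import Counter

# Assumed lookalike map: characters a scammer swaps to imitate an address ("i" -> "l").
CONFUSABLES = str.maketrans({"l": "i", "1": "i", "0": "o", "5": "s"})


def looks_like(candidate, original):
    """True if two addresses differ as typed but collapse to the same string under the map."""
    norm = lambda s: s.lower().replace("rn", "m").translate(CONFUSABLES)
    return candidate.lower() != original.lower() and norm(candidate) == norm(original)


def session_variables(account, events):
    """Count the slide's variables over one account's event window."""
    known_ips = set(account["ip_history"])
    known_countries = set(account["country_history"])
    known_devices = set(account["device_history"])
    contacts = set(account["contacts"])
    v = Counter()
    for e in events:
        kind = e["type"]
        if kind == "login":                                   # "new" session variables
            v["new_login_ip"] += e["ip"] not in known_ips
            v["new_login_country"] += e["country"] not in known_countries
            v["new_device"] += e["device_id"] not in known_devices
        elif kind in ("password_change", "secondary_email_change", "name_change"):
            v[kind] += 1                                      # "change" account variables
        elif kind == "contacts_deleted":                      # "new" activity variables
            v["contacts_deleted"] += e["count"]
        elif kind == "send":
            rcpts = set(e["to"]) | set(e.get("cc", [])) | set(e.get("bcc", []))
            v["cc_bcc_count"] += len(e.get("cc", [])) + len(e.get("bcc", []))
            v["new_recipients"] += len(rcpts - contacts)      # association variables
            v["sent_to_all_contacts"] += bool(contacts) and rcpts >= contacts
            if e.get("reply_to") and looks_like(e["reply_to"], account["email"]):
                v["lookalike_reply_to"] += 1
    return v


# Constructed weights: presence of each signal, not its count, contributes.
WEIGHTS = {"new_login_country": 3, "new_device": 2, "new_login_ip": 1,
           "password_change": 2, "secondary_email_change": 2, "name_change": 1,
           "sent_to_all_contacts": 3, "lookalike_reply_to": 4}
MASS_DELETE = 10        # contacts removed in one window that counts as "en masse"
LOCK_AT, CHALLENGE_AT = 10, 5


def ato_score(v):
    score = sum(w * min(v[k], 1) for k, w in WEIGHTS.items())
    if v["contacts_deleted"] >= MASS_DELETE:
        score += 3
    return score


def ato_action(score):
    """Little-loop output: the defensive action for this score."""
    if score >= LOCK_AT:
        return "lock_account_and_logout_all_sessions"
    if score >= CHALLENGE_AT:
        return "challenge_out_of_band"
    return "allow"


# Constructed account and three event windows.
ACCOUNT = {
    "email": "alison@examplemail.com",
    "ip_history": ["198.51.100.4"], "country_history": ["US"], "device_history": ["dev-home"],
    "contacts": [f"friend{i}@example.net" for i in range(12)],
}
ATO_EVENTS = [  # the 419 story: foreign login, reset, mail-out with lookalike reply-to, wipe
    {"type": "login", "ip": "203.0.113.9", "country": "NG", "device_id": "dev-cafe"},
    {"type": "password_change"},
    {"type": "send", "to": ["alison@examplemail.com"], "bcc": ACCOUNT["contacts"],
     "reply_to": "allson@examplemail.com"},
    {"type": "contacts_deleted", "count": 12},
]
TRAVEL_EVENTS = [  # legitimate owner abroad on a new laptop: new session, no changes
    {"type": "login", "ip": "192.0.2.77", "country": "GB", "device_id": "dev-laptop"},
    {"type": "send", "to": ["friend3@example.net"]},
]
BENIGN_EVENTS = [  # usual device and IP, one mail to a new correspondent
    {"type": "login", "ip": "198.51.100.4", "country": "US", "device_id": "dev-home"},
    {"type": "send", "to": ["newclient@example.org"]},
]
```

The traveller window lands on a challenge rather than a lock: new-session variables alone are the "why are you picking on me" case, and it is the change and activity variables stacked on top of them that separate the takeover from the trip.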
Recap
Protecting customers requires understanding not just technology but also behavior. This requires:

- Activity data

- Clear definitions of “good” vs “bad” results

- Constant feedback

- Analysis

Designing data-driven defenses

- Decisions that can be automated w/data

- Where/what data sets to use

- Business drivers to keep in mind 

An example
BIG DATA & LITTLE LOOPS
p(bad) = f(variable A + variable B + ...)

"Prediction is very difficult, especially about the future."
Niels Bohr
Allison Miller
@selenakyle

2012.09 A Million Mousetraps: Using Big Data and Little Loops to Build Better Defenses

  • 1. A Million Mousetraps Using Big Data and Little Loops to Build Better Defenses Allison Miller
  • 2. Overview Protecting customers on an open platform Big data + Little loops enable automation via analytics Decisions as defenses Putting your data to work
  • 6. The Better Mousetrap Automates defensive action x-platform - Fast - Accurate - Cheap IN REAL TIME IN TIME TO MINIMIZE LOSS REASONABLE FALSE POSITIVES AS GOOD AS A HUMAN SPECIALIST REDUCES MORE LOSS THAN COST CREATED CHEAPER THAN MANUAL INTERVENTION BIG DATA & LITTLE LOOPS
  • 8. 123.123.123.123 - - [26/Apr/2000:00:23:48 -0400] "GET /pics/wpaper.gif HTTP/ 1.0" 200 6248 "http://www.jafsoft.com/asctortf/" "Mozilla/4.05 (Macintosh; I; PPC)"! 123.123.123.123 - - [26/Apr/2000:00:23:47 -0400] "GET /asctortf/ HTTP/1.0" 200 8130 "http://search.netscape.com/Computers/Data_Formats/Document/Text/ RTF" "Mozilla/4.05 (Macintosh; I; PPC)"! 123.123.123.123 - - [26/Apr/2000:00:23:48 -0400] "GET /pics/5star2000.gif HTTP/1.0" 200 4005 "http://www.jafsoft.com/asctortf/" "Mozilla/4.05 (Macintosh; I; PPC)"! [Tue Mar 9 22:02:41 2004] [info] created shared memory segment #10813446! [Tue Mar 9 22:02:41 2004] [notice] Apache/1.3.29 (Unix) mod_ssl/2.8.16 OpenSSL/0.9.7c configured -- resuming normal operations! [Tue Mar 9 22:02:41 2004] [info] Server built: Mar 7 2004 13:38:59! pausing [http://xmlrevenue.com/s.php?username=jenneypan&keywords=Online +Gambling] for 50000 ms! [Tue Mar 9 22:04:16 2004] [error] [client 218.93.92.137] mod_security: Access denied with code 200. Pattern match "Basic" at HEADER.! [Tue Mar 9 22:07:16 2004] [error] [client 203.121.182.190] mod_security: Invalid character detected [4]! 123.123.123.123 - - [26/Apr/2000:00:23:50 -0400] "GET /pics/5star.gif HTTP/ 1.0" 200 1031 "http://www.jafsoft.com/asctortf/" "Mozilla/4.05 (Macintosh; I; PPC)"! 123.123.123.123 - - [26/Apr/2000:00:23:51 -0400] "GET /pics/a2hlogo.jpg HTTP/1.0" 200 4282 "http://www.jafsoft.com/asctortf/" "Mozilla/4.05 (Macintosh; I; PPC)"! 123.123.123.123 - - [26/Apr/2000:00:23:51 -0400] "GET /cgi-bin/newcount? jafsof3&width=4&font=digital&noshow HTTP/1.0" 200 36 "http:// www.jafsoft.com/asctortf/" "Mozilla/4.05 (Macintosh; I; PPC)"! [Tue Mar 9 22:02:41 2004] [notice] Accept mutex: sysvsem (Default: sysvsem)! [Tue Mar 9 22:03:26 2004] [error] [client 218.93.92.137] mod_security:! [Tue Mar 9 22:07:16 2004] [error] [client 203.121.182.190] mod_security: Invalid character detected [4]! 
123.123.123.123 - - [26/Apr/2000:00:23:50 -0400] "GET /pics/5star.gif HTTP/ 1.0" 200 1031 "http://www.jafsoft.com/asctortf/" "Mozilla/4.05 (Macintosh; I; PPC)"! 123.123.123.123 - - [26/Apr/2000:00:23:51 -0400] "GET /pics/a2hlogo.jpg HTTP/1.0" 200 4282 "http://www.jafsoft.com/asctortf/" "Mozilla/4.05 (Macintosh; I; PPC)"! 123.123.123.123 - - [26/Apr/2000:00:23:51 -0400] "GET /cgi-bin/newcount? jafsof3&width=4&font=digital&noshow HTTP/1.0" 200 36 "http:// www.jafsoft.com/asctortf/" "Mozilla/4.05 (Macintosh; I; PPC)"! [Tue Mar 9 22:02:41 2004] [notice] Accept mutex: sysvsem (Default: sysvsem) BIG DATA & LITTLE LOOPS
  • 9. BIG DATA & LITTLE LOOPS * Loop Disposition: Logic, Human, or Other?
  • 10. APPLIED RISK ANALYTICS Use of technology, data, research & statistics to solve problems associated with losses or costs due to security vulnerabilities / gaps in a system -- resulting in the deployment of optimized detection, prevention, or response capabilities.
  • 12. WHAT IS THE DIFFERENCE BETWEEN RISK ANALYTICS AND RISK METRICS?
  • 14. Such as... Metrics Analytics $ Loss Txns Purchase trends of high loss users # Compromised Accts IP Sources of bad login attempts % of Spam Messages Delivered Spam subject lines generating most clicks Minutes of downtime Most process-intensive applications # Customer Contacts Generated Highest-contact exception flows
  • 15. YMMV
  • 17. Applied where? Where risks manifest in observable behavior Where system owners make decisions Where controls can be optimized by better recognizing identity, intent, or change
  • 18. Decisions, Decisions Authorize Block Good false positive Bad false negative RESPONSE POPULATION Incorrect decisions have a cost Correct decisions are free (usually) Good Action Gets Blocked Bad Action Gets Through Downstream Impacts
  • 19. BIG DATA & LITTLE LOOPS Why are you picking on me?Boo-yah! Still getting away with it. <Sigh> Nobody understands me.
  • 20. Such as... Populations - Users, Transactions, Messages, Packets, API calls, Files Actions - Allow, Block, Challenge, Review, Retry, Quarantine, Add privileges, Upgrade privileges, Make Offer Costs - Fraud, Data leakage, Customer churn, Customer contacts, Downstream liability
  • 21. Applying Decisions Risk management is decision management ACTOR ATTEMPTS ACTION SUBMIT WHAT IS THE REQUEST HOW TO HONOR THE REQUEST SHOULD WE HONOR? RESULT ACTION OCCURS
  • 22. For example: ACTOR ATTEMPTS PAYMENT p (actor attempting payment is accountholder) Decision Authorize Review Refer Request Authentication Decline f(variable A + Variable B + ...) SUBMIT
  • 23. Flavors of Risk Models I deviate significantly from a normal (good) pattern I summarize a known bad pattern fa(x), fb(x), fc(x) fq(x), fr(x), fs(x)
  • 26. Study history... Signals: User IP Country <> Billing Country; Buying prepaid mobile phones; Add new shipping address in cart. However: Buyer = Phone reseller, static machine ID. Questions: How much $$ is at risk? What is "normal" for this customer? What "bad" profiles does this match?
  • 27. SHALL WE PLAY A GAME? (SINCE WE CAN'T PLAY "CLUE" FOR EVERY LOGIN, TRANSACTION, NEW USER, MESSAGE, FRIEND REQUEST, ATTACHMENT, PACKET, WINK, POKE, CLICK, WE BUILD RISK MODELS)
  • 28. Model Development Process: Target -> Yes/No questions best; Find Data, Variable Creation -> Best part; Data Prep -> Worst part; Model Training -> Pick an algorithm; Assessment -> Catch vs FP rate; Deployment -> Decisioning vs Detection.
  • 29. Variable creation for the example: User IP Country <> Billing Country -> GEOLOCATE IP, CONVERT GEO TO COUNTRY CODE, FLAG ON MISMATCH; Buying prepaid mobile phones -> CART CATEGORY, MERCH RISK LEVEL; Add new shipping address in cart -> DATE ADDED, ADDRESS TYPE, STRING MATCHING; Buyer = Phone reseller, static machine ID -> CUSTOMER PROFILE, DEVICE ID, DEVICE HISTORY; How much $$ is at risk? -> TXN $ AMT; What is "normal" for this customer? -> CHURN RISK, CLV, TXNS, LOGINS; What "bad" profiles does this match? -> STOLEN CC, ...
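The variable-creation step above, written out as code. This is an added example, not the talk's code: the geo-IP lookup, the merchandise risk catalogue, the field names and the sample reseller transaction are all constructed stand-ins for the systems a real platform would query.

```python
"""Variable creation for the purchase scenario on the slide.

Added example, not the talk's code. Turns a raw purchase attempt into the
model-ready variables the slide lists: IP/billing country mismatch,
merchandise risk of the cart, age and similarity of the shipping address,
device history, amount at risk, and the customer's own baseline.
The lookup tables, field names and sample records are constructed.
"""
from datetime import date

# Constructed stand-ins for a geo-IP database and a merchandise risk catalogue.
IP_COUNTRY_BY_PREFIX = {"203.0.113.": "NG", "198.51.100.": "US"}   # TEST-NET ranges
MERCH_RISK_LEVEL = {"prepaid_mobile": 3, "gift_card": 3, "electronics": 2, "books": 1}


def geolocate_ip(ip: str) -> str:
    """Country code for an IP (assumed prefix lookup; unknown -> '??')."""
    for prefix, country in IP_COUNTRY_BY_PREFIX.items():
        if ip.startswith(prefix):
            return country
    return "??"


def address_similarity(a: str, b: str) -> float:
    """Token-set Jaccard similarity: the slide's 'string matching' variable."""
    ta = set(a.lower().replace(",", " ").split())
    tb = set(b.lower().replace(",", " ").split())
    return len(ta & tb) / len(ta | tb) if ta | tb else 0.0


def build_variables(txn: dict, customer: dict, device_history: dict, today: date) -> dict:
    """Derive model variables from one transaction plus customer and device context."""
    ip_country = geolocate_ip(txn["ip"])
    addr_age = (today - txn["ship_addr_added"]).days
    seen = device_history.get(txn["device_id"], {"txns": 0, "customers": set()})
    return {
        # user IP country <> billing country
        "ip_country": ip_country,
        "ip_billing_mismatch": int(ip_country != txn["billing_country"]),
        # cart category -> merchandise risk level (unknown categories assumed medium risk)
        "cart_max_merch_risk": max(MERCH_RISK_LEVEL.get(c, 2) for c in txn["cart_categories"]),
        # new shipping address: date added, type, string match against billing address
        "ship_addr_age_days": addr_age,
        "ship_addr_added_in_cart": int(addr_age == 0),
        "ship_addr_type": txn["ship_addr_type"],
        "ship_vs_billing_similarity": round(address_similarity(txn["ship_addr"], txn["billing_addr"]), 2),
        # device id and device history
        "device_txn_count": seen["txns"],
        "device_shared_customers": len(seen["customers"]),
        "device_known_for_customer": int(customer["id"] in seen["customers"]),
        # how much is at risk, and relative to what is normal for this customer
        "txn_amt": txn["amount"],
        "amt_vs_customer_avg": round(txn["amount"] / customer["avg_txn_amt"], 2) if customer["avg_txn_amt"] else None,
        # customer profile and baseline
        "customer_is_reseller": int(customer["profile"] == "reseller"),
        "customer_txns": customer["txns"],
        "customer_logins_30d": customer["logins_30d"],
        "customer_clv": customer["clv"],
        "customer_churn_risk": customer["churn_risk"],
    }


# Constructed sample: a reseller buying prepaid phones from a Nigerian IP on a known device.
AS_OF = date(2013, 3, 1)
SAMPLE_TXN = {
    "ip": "203.0.113.7", "billing_country": "US", "amount": 1200.0,
    "cart_categories": ["prepaid_mobile", "books"],
    "ship_addr": "12 Main Street, Springfield", "billing_addr": "12 Main St, Springfield",
    "ship_addr_added": AS_OF, "ship_addr_type": "residential",
    "device_id": "dev-42",
}
SAMPLE_CUSTOMER = {"id": "c1", "profile": "reseller", "avg_txn_amt": 400.0,
                   "txns": 85, "logins_30d": 22, "clv": 9000.0, "churn_risk": 0.1}
SAMPLE_DEVICE_HISTORY = {"dev-42": {"txns": 80, "customers": {"c1"}}}

if __name__ == "__main__":
    for name, value in build_variables(SAMPLE_TXN, SAMPLE_CUSTOMER, SAMPLE_DEVICE_HISTORY, AS_OF).items():
        print(f"{name:28} {value}")
```

The output shows why the "however" on the previous slide matters: the same record that flags on country mismatch, high-risk merchandise and a brand-new shipping address also carries a reseller profile, a device with eighty prior transactions for this customer, and an amount only three times the customer's average, which is what lets the model tell a reseller from a mule.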
  • 30. Model Training. Some algorithms: - Regression: Determines the best equation to describe the relationship between the control variable and the independent variables. Linear Regression: Best equation is a line. Logistic Regression: Best equation is a curve (exponential properties). - Bayesian: Used to estimate regression models; useful when working w/ small data sets. - Neural Nets: Can approximate any type of non-linear function, often highly predictive, but doesn't explain the relationship between control and independent variables.
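Logistic regression is the algorithm most of this talk leans on, so here it is trained from scratch on a small constructed sample, with the coefficients turned into the odds factors that slide 32 reads off a regression printout. Added example, not the talk's code: the twelve training rows, the three variable names and the L2 penalty (kept small so the weights stay finite on a nearly separable sample) are all assumptions.

```python
"""Logistic regression for p(bad), trained by gradient descent, with odds ratios.

Added example, not the talk's code. The twelve rows are constructed: the
variables are ip_billing_mismatch, new_ship_addr and device_seen_before, and
the label is 1 for a confirmed-bad transaction, 0 for a good one. Training is
plain batch gradient descent on mean log-loss plus a small L2 penalty
(an assumption that keeps the weights finite on a nearly separable sample).
"""
import math

FEATURES = ["ip_billing_mismatch", "new_ship_addr", "device_seen_before"]

# constructed training set: ((x1, x2, x3), label)
ROWS = [
    ((1, 1, 0), 1), ((1, 1, 0), 1), ((1, 0, 0), 1), ((0, 1, 0), 1), ((1, 1, 1), 1), ((1, 0, 0), 1),
    ((0, 0, 1), 0), ((0, 0, 1), 0), ((0, 1, 1), 0), ((1, 0, 1), 0), ((0, 0, 0), 0), ((0, 0, 1), 0),
]


def sigmoid(z: float) -> float:
    """The logistic curve: maps the linear score onto (0, 1)."""
    return 1.0 / (1.0 + math.exp(-z))


def train(rows, lr=0.5, epochs=3000, l2=0.01):
    """Minimize mean log-loss (+ L2) by batch gradient descent; returns (weights, intercept)."""
    n = len(rows[0][0])
    w, b = [0.0] * n, 0.0
    m = len(rows)
    for _ in range(epochs):
        grad_w, grad_b = [0.0] * n, 0.0
        for x, y in rows:
            # derivative of log-loss w.r.t. the linear score is simply (p - y)
            err = sigmoid(b + sum(wi * xi for wi, xi in zip(w, x))) - y
            for i, xi in enumerate(x):
                grad_w[i] += err * xi
            grad_b += err
        w = [wi - lr * (g / m + l2 * wi) for wi, g in zip(w, grad_w)]
        b -= lr * grad_b / m
    return w, b


def predict(model, x) -> float:
    """p(bad) for one variable vector."""
    w, b = model
    return sigmoid(b + sum(wi * xi for wi, xi in zip(w, x)))


def odds_ratios(model) -> dict:
    """exp(coefficient): the factor by which the odds of 'bad' change when a variable goes from 0 to 1."""
    w, _ = model
    return {name: round(math.exp(wi), 2) for name, wi in zip(FEATURES, w)}


MODEL = train(ROWS)

if __name__ == "__main__":
    print("odds ratios:", odds_ratios(MODEL))
    print("p(bad) mismatch + new address + unknown device:", round(predict(MODEL, (1, 1, 0)), 3))
    print("p(bad) known device, nothing new:", round(predict(MODEL, (0, 0, 1)), 3))
```

The odds ratio above 1 for the mismatch and new-address variables and below 1 for a previously seen device is the "factor" annotation on the next slide. The p-value check on that slide needs standard errors for the coefficients, which a statistics package supplies; it is deliberately left out here so the fitting step stays readable.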
  • 32. Reading regression output: DEPENDENT VARIABLE; INDEPENDENT VARIABLES; P-VALUE OF SIGNIFICANCE (throw out if > .05; the p-value should be below the significance level of .05); VARIANCE IN DEPENDENT VARIABLE EXPLAINED BY INDEPENDENT VARIABLES; FACTOR BY WHICH THE ODDS OF THE DEPENDENT VARIABLE GO UP WHEN AN INDEPENDENT VARIABLE IS INCREMENTED.
  • 34. GAIN: More gain/lift = more efficient predictions. Catch as much as possible (as much of the "bads") while minimizing the overall population affected.
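The two assessment views from slides 28 and 34, catch rate against false-positive rate at a threshold and the cumulative gain/lift table, computed over a constructed scored population. Added example, not the talk's code; the twenty (score, label) pairs and the 10% false-positive budget are assumptions.

```python
"""Assessing a scored population: catch vs false-positive rate, and gain/lift.

Added example, not the talk's code. The scored population is constructed:
twenty (model score, label) pairs where label 1 = bad. It shows the
threshold trade-off (catch rate vs FP rate) and the cumulative gain/lift
table that tells you how efficiently the score concentrates the bads.
"""

# constructed: (model score, label)
SCORED = [
    (0.95, 1), (0.90, 1), (0.80, 1), (0.60, 1), (0.30, 1),
    (0.85, 0), (0.70, 0), (0.55, 0), (0.50, 0), (0.40, 0), (0.35, 0), (0.25, 0), (0.20, 0),
    (0.15, 0), (0.12, 0), (0.10, 0), (0.08, 0), (0.05, 0), (0.04, 0), (0.02, 0),
]


def confusion(scored, threshold):
    """Counts (tp, fp, fn, tn) when everything scoring >= threshold is acted on."""
    tp = fp = fn = tn = 0
    for score, label in scored:
        flagged = score >= threshold
        if flagged and label:
            tp += 1
        elif flagged:
            fp += 1
        elif label:
            fn += 1
        else:
            tn += 1
    return tp, fp, fn, tn


def catch_and_fp_rate(scored, threshold):
    """(catch rate = tp / all bads, false-positive rate = fp / all goods)."""
    tp, fp, fn, tn = confusion(scored, threshold)
    return tp / (tp + fn), fp / (fp + tn)


def best_threshold(scored, max_fp_rate):
    """Lowest threshold (hence highest catch) whose FP rate stays within budget.

    FP rate only grows as the threshold drops, so the scan stops at the
    first threshold that breaks the budget.
    """
    best = None
    for t in sorted({s for s, _ in scored}, reverse=True):
        catch, fpr = catch_and_fp_rate(scored, t)
        if fpr > max_fp_rate:
            break
        best = (t, catch, fpr)
    return best


def gain_table(scored, buckets=5):
    """Rank by score, cut into equal buckets; cumulative share of bads caught and lift per bucket."""
    ranked = sorted(scored, key=lambda r: r[0], reverse=True)
    total_bad = sum(label for _, label in ranked)
    size = len(ranked) // buckets
    rows, caught, seen = [], 0, 0
    for i in range(buckets):
        chunk = ranked[i * size:(i + 1) * size] if i < buckets - 1 else ranked[i * size:]
        caught += sum(label for _, label in chunk)
        seen += len(chunk)
        pop_share = seen / len(ranked)          # share of the population touched so far
        gain = caught / total_bad               # share of all bads caught so far
        rows.append({"bucket": i + 1, "population": round(pop_share, 2),
                     "gain": round(gain, 3), "lift": round(gain / pop_share, 2)})
    return rows


if __name__ == "__main__":
    for t in (0.75, 0.5):
        print(f"threshold {t}: catch={catch_and_fp_rate(SCORED, t)[0]:.2f} fp_rate={catch_and_fp_rate(SCORED, t)[1]:.3f}")
    print("best threshold under a 10% FP budget:", best_threshold(SCORED, 0.10))
    for row in gain_table(SCORED):
        print(row)
```

Lift of 3.0 in the top bucket means the top 20% of the population by score holds three times the bads a random 20% would; a lift that falls to 1.0 by the third bucket says the score has nothing left to say about the bottom 40%, which is the "minimize the overall population affected" half of the slide.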
  • 35. Target In the end, we only hit what we aim at
  • 36. And now an example Everyone loves a good 419 scam
  • 37. 419 example: the 411. Trigger: Contact receives a 419 from a (free) business email account, and contacts the victim OOB. Backtrack: - Password was changed (user had to go through the reset process) - Contacts, inbox, outbox deleted - Nigerian IP login. Elaboration: - "Reply-to": changed an "i" to an "l" (same ISP) - Only takes Western Union.
  • 38. 419 example: with love, from Abuja. What is the question? - p(ATO) - p(Spam:scam) - p(Fake acct creation). What are our available answer/action sets? What else can we do to detect/mitigate?
  • 39. 419 example: Reducing 911s. Variables: - "New" session variables: New login IP, new login IP country, new cookie/machine ID - "Change" account variables: Change password, change secondary email, change name, change public profile - "New" activity variables: Send to all contacts, # of accounts in "cc" or "bcc", Edit/delete contacts en masse - Association variables: New recipients, New "reply-to" fields, "Similar" accounts created/associated (fuzzy = more difficult). User empowerment: - Stronger password reset options (SMS) - Transparency: Other current sessions, past session history (IPs, logins) - Auto-logout all other sessions upon password reset - Reporting: Details of elaboration as well as cut-and-paste messages.
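The four variable groups on this slide, computed for the 419 scenario from slide 37, followed by the responses the slide names (auto-logout of other sessions on password reset, SMS re-verification, quarantine). Added example, not the talk's code: the account history, the session, the event stream, the weights and the alert threshold are all constructed assumptions; the reply-to look-alike check only handles the single-confusable-character case the slide describes.

```python
"""Account-takeover signals for the 419 scenario, from one session and its events.

Added example, not the talk's code. Builds the slide's four variable groups
("new" session, "change" account, "new" activity, association) from a
constructed account history and event stream, scores them with assumed
weights, and returns the defensive responses named on the slide.
Field names, weights and thresholds are assumptions.
"""

ACCOUNT = {  # constructed history of a normal-looking account
    "email": "alison.m@example.com",
    "known_ips": {"198.51.100.23"}, "known_countries": {"US"},
    "known_devices": {"dev-home"}, "contact_count": 40,
    "sessions": {"s-old": {"ip": "198.51.100.23", "device_id": "dev-home"}},
}
SESSION = {"id": "s-new", "ip": "203.0.113.7", "country": "NG", "device_id": "dev-unknown"}
EVENTS = [  # constructed, in order, all within SESSION
    {"type": "password_reset"},
    {"type": "change_secondary_email"},
    {"type": "delete_contacts", "count": 40},
    {"type": "send", "to": ["friend1@example.net"], "bcc": 39, "reply_to": "allson.m@example.com"},
]
BENIGN_SESSION = {"id": "s-old", "ip": "198.51.100.23", "country": "US", "device_id": "dev-home"}
BENIGN_EVENTS = [{"type": "send", "to": ["friend1@example.net"], "bcc": 0, "reply_to": "alison.m@example.com"}]

CONFUSABLE = {"i", "l", "1"}
WEIGHTS = {  # assumed contribution of each binary variable to the ATO score
    "new_country": 3, "new_device": 2, "new_ip": 1,
    "password_changed": 2, "secondary_email_changed": 2, "contacts_mass_deleted": 2,
    "send_to_all_contacts": 3, "reply_to_lookalike": 3, "new_reply_to": 1,
}
ALERT_THRESHOLD = 6  # assumed


def session_variables(session, account):
    return {"new_ip": int(session["ip"] not in account["known_ips"]),
            "new_country": int(session["country"] not in account["known_countries"]),
            "new_device": int(session["device_id"] not in account["known_devices"])}


def change_variables(events):
    types = {e["type"] for e in events}
    return {"password_changed": int("password_reset" in types),
            "secondary_email_changed": int("change_secondary_email" in types),
            "name_or_profile_changed": int(bool(types & {"change_name", "change_public_profile"}))}


def activity_variables(events, account):
    deleted = sum(e.get("count", 0) for e in events if e["type"] == "delete_contacts")
    bcc_max = max((e.get("bcc", 0) for e in events if e["type"] == "send"), default=0)
    share = deleted / max(account["contact_count"], 1)
    return {"contacts_deleted_share": round(share, 2),
            "contacts_mass_deleted": int(share >= 0.5),
            "max_bcc_count": bcc_max,
            "send_to_all_contacts": int(bcc_max >= 0.8 * account["contact_count"])}


def lookalike(a, b):
    """True when two addresses differ in exactly one character and both variants are confusable (i/l/1)."""
    if len(a) != len(b):
        return False
    diffs = [(x, y) for x, y in zip(a, b) if x != y]
    return len(diffs) == 1 and set(diffs[0]) <= CONFUSABLE


def association_variables(events, account):
    reply_tos = {e["reply_to"] for e in events if e["type"] == "send" and e.get("reply_to")}
    return {"new_reply_to": int(any(r != account["email"] for r in reply_tos)),
            "reply_to_lookalike": int(any(lookalike(r, account["email"]) for r in reply_tos))}


def ato_variables(session, events, account):
    v = {}
    for part in (session_variables(session, account), change_variables(events),
                 activity_variables(events, account), association_variables(events, account)):
        v.update(part)
    return v


def ato_score(v):
    return sum(weight * v.get(name, 0) for name, weight in WEIGHTS.items())


def respond(session, v, account):
    """Defensive actions from the slide's 'user empowerment' list, driven by the variables."""
    actions = []
    if v["password_changed"]:  # auto-logout all other sessions upon password reset
        actions += [f"logout_sessions:{sid}" for sid in account["sessions"] if sid != session["id"]]
    if ato_score(v) >= ALERT_THRESHOLD:
        actions += ["require_sms_reverification", "quarantine_outbound_messages", "show_session_history"]
    return actions


if __name__ == "__main__":
    v = ato_variables(SESSION, EVENTS, ACCOUNT)
    print("variables:", v)
    print("score:", ato_score(v), "->", respond(SESSION, v, ACCOUNT))
    print("benign score:", ato_score(ato_variables(BENIGN_SESSION, BENIGN_EVENTS, ACCOUNT)))
```

Note the ordering the slide's backtrack implies: the password reset and the contact purge are visible before the first scam message goes out, so a loop that scores the session as events arrive can log out the other sessions and hold outbound mail before the contacts ever receive the 419.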
  • 40. Recap. Protecting customers requires understanding not just technology but also behavior. This requires: - Activity data - Clear definitions of "good" vs "bad" results - Constant feedback - Analysis. Designing data-driven defenses: - Decisions that can be automated w/ data - Where/what data sets to use - Business drivers to keep in mind. An example: BIG DATA & LITTLE LOOPS, p(bad) = f(variable A + variable B + ...).
  • 41. "Prediction is very difficult, especially about the future." (Niels Bohr) Allison Miller @selenakyle