Reducing Mean Time to Know

•

1 gefällt mir•1,085 views

Slides from the webinar led by Ely Kahn and Luis Maldonado discussing strategies to reduce Mean Time to Know in detecting cybersecurity attacks, threats, or data breaches.

Software

Securely explore your data
SQRRL WEBINAR
Reducing “Mean Time to Know”

© 2015 Sqrrl | All Rights Reserved 2
YOUR WEBINAR HOSTS
•  Sqrrl cofounder / VP Business Development
•  Former Director of Cybersecurity at the
National Security Council Staff / White House
•  Degrees from Wharton and Harvard
•  Sqrrl VP Products
•  Former Director of Product Management at
Vertica, Imprivata, and DataSynapse
•  CS degree from MIT

© 2015 Sqrrl | All Rights Reserved
From securing the country to securing your enterprise
SQRRL HISTORY
Google’s
BigTable
Paper
2006
NSA Builds
Accumulo
2008
Sqrrl
Founded
2012
Sqrrl
Enterprise
1.0
2013
Sqrrl
Enterprise
2.0
2015
Investors: Patented Technology:
3

© 2015 Sqrrl | All Rights Reserved
Sqrrl’s focus today is on Detection and Analysis (i.e., cybersecurity
investigations)
INCIDENT RESPONSE LIFECYCLE
4
Source: NIST

© 2015 Sqrrl | All Rights Reserved 5
CYBERSECURITY INVESTIGATIONS TAXONOMY
Cybersecurity
Investigations
Detection Analysis
Hunting /
IOCs
Threat
Intelligence
Alerting
Alert
Resolution
Incident
Triage
Root Cause /
Forensics
Rule-Based Algorithmic

© 2015 Sqrrl | All Rights Reserved
How do we decrease Mean Time To Know?
MEAN TIME TO KNOW
Mean Time To Identify (MTTI): Detect
than an incident has occurred
Mean Time To Know (MTTK):
Understand root cause of an incident
25%
75%
MTTK
MTTI
% Time Spent on MTTI vs. MTTK
Source: Ponemon Institute
6

© 2015 Sqrrl | All Rights Reserved 8
TOP 5 WAYS TO REDUCE MTTK
1.  Big Data
2.  Linked Data Visualization
3.  Graph Exploration
4.  Investigation Workflow
5.  Advanced Analytics

© 2015 Sqrrl | All Rights Reserved 9
#1 BIG DATA
Current solutions can’t
easily handle the variety
and volume of data that
security analysts need
Volume and Variety of Data

© 2015 Sqrrl | All Rights Reserved 10
Performance Measures
#1 BIG DATA
Source: http://www.pdl.cmu.edu/SDI/2013/slides/
big_graph_nsa_rd_2013_56002v1.pdf
Source: http://arxiv.org/pdf/1406.4923v1.pdf
•  Sqrrl indexes and
stores 25,000 events
per second per node
•  Sqrrl’s core has
proven near-linear
scalability to 2000+
nodes
•  Clustered support for
processing Trillions
of events per day
Data Source Record Count
Ne#low
2,109,409,060

Cisco
ASA
Firewall
2,982,124,483

Websense
924,819,607

MsDns
503,237,033

IsaFw
207,834,546

IIS
38,941,968

Damballa
16,060

Apache
Webserver
5,615,832

ISE
671,006

Radius
1,138,001

Windows
Events
12,220,081

Symantec
EP
1,040,871

FireEye
4,305

Total
Records
6,787,072,853

Node
*
Seconds

271,800

Records/Second/Node

24,971

© 2015 Sqrrl | All Rights Reserved 11
#2 LINKED DATA VISUALIZATION
LOGS
VS.
LINKED DATA

© 2015 Sqrrl | All Rights Reserved
LINKED DATA
•  Organizes data into entities
and relationships (links)
•  More intuitive visualization
•  Surfaces meaning & context
•  Enables faster analysis
12

© 2015 Sqrrl | All Rights Reserved 13
LINKED DATA VISUALIZATION DEMO

© 2015 Sqrrl | All Rights Reserved 14
Pattern Discovery and Matching
#3 GRAPH EXPLORATION
•  Hunting for known patterns
•  Search for the HTTP transaction “triangle”
•  Locate specific instance quickly amongst large volume of transactions

© 2015 Sqrrl | All Rights Reserved 15
GRAPH EXPLORATION DEMO

© 2015 Sqrrl | All Rights Reserved 16
It is easy to get lost in a maze of searches during an investigation
#4 INVESTIGATION WORKFLOW

© 2015 Sqrrl | All Rights Reserved 17
INVESTIGATION WORKFLOW DEMO

© 2015 Sqrrl | All Rights Reserved 18
#5 ADVANCED ANALYTICS
Peer Group
Outlier
Algorithmic approaches to anomaly detection

© 2015 Sqrrl | All Rights Reserved 19
ADVANCED ANALYTICS DEMO

© 2015 Sqrrl | All Rights Reserved 20
www.sqrrl.com
HOW TO LEARN MORE?
• Read our white paper or product paper
• Schedule a demo or proof of concept
• Request a VM or evaluation software

Empfohlen

Sqrrl February Webinar: Breaking Down Data SilosSqrrl

Sqrrl Overview for Stac ResearchSqrrl

Sqrrl March Webinar: How to Build a Big AppSqrrl

October 2014 Webinar: Cybersecurity Threat DetectionSqrrl

Sqrrl June Webinar: An Accumulo Love StorySqrrl

Sqrrl Enterprise: Big Data Security Analytics Use CaseSqrrl

Threat Hunting for Command and Control ActivitySqrrl

Sqrrl Enterprise: Integrate, Explore, AnalyzeSqrrl

Empfohlen

Sqrrl February Webinar: Breaking Down Data SilosSqrrl

Sqrrl Overview for Stac ResearchSqrrl

Sqrrl March Webinar: How to Build a Big AppSqrrl

October 2014 Webinar: Cybersecurity Threat DetectionSqrrl

Sqrrl June Webinar: An Accumulo Love StorySqrrl

Sqrrl Enterprise: Big Data Security Analytics Use CaseSqrrl

Threat Hunting for Command and Control ActivitySqrrl

Sqrrl Enterprise: Integrate, Explore, AnalyzeSqrrl

Machine Learning for Incident Detection: Getting StartedSqrrl

Grace Hopper Open Source Day Findings | Thorn & Cloudera CaresCloudera, Inc.

2016 Cybersecurity Analytics State of the UnionCloudera, Inc.

Fighting cyber fraud with hadoopNiel Dunnage

Fighting cybersecurity threats with Apache Spotmarkgrover

Meet sqrrl: The Cambridge company commercializing the NSA's surveillance enab...Saul Tannenbaum

Imperative Induced Innovation - Patrick W. Dowd, Ph. Dscoopnewsgroup

Data Tools and the Data Scientist ShortageWes McKinney

Cloudera Fast Forward Labs: The Vision and the Challenge of Applied Machine L...Cloudera, Inc.

Modern Honey Network at Bay Area Open Source Security HackersJason Trost

Getting Started with Splunk Breakout SessionSplunk

Hopper energyserviceshopperdev

Apache SpotAustin Leahy

Scalar Security Roadshow - Ottawa PresentationScalar Decisions

PLNOG19 - Gaweł Mikołajczyk & Michał Garcarz - SOC, studium ciężkich przypadkówPROIDEA

How to Build Continuous Ingestion for the Internet of ThingsCloudera, Inc.

Overcoming the Challenges of Architecting for the CloudZscaler

CONFidence2015: Real World Threat Hunting - Martin NystromPROIDEA

Get started with Cloudera's cyber solutionCloudera, Inc.

The Sysdig Secure DevOps PlatformAshnikbiz

Get Started with Cloudera’s Cyber SolutionCloudera, Inc.

Building+a+Security+Operations+Center.pptEthioTelecom_Getahun Biratu

Weitere ähnliche Inhalte

Was ist angesagt?

Machine Learning for Incident Detection: Getting StartedSqrrl

Grace Hopper Open Source Day Findings | Thorn & Cloudera CaresCloudera, Inc.

2016 Cybersecurity Analytics State of the UnionCloudera, Inc.

Fighting cyber fraud with hadoopNiel Dunnage

Fighting cybersecurity threats with Apache Spotmarkgrover

Meet sqrrl: The Cambridge company commercializing the NSA's surveillance enab...Saul Tannenbaum

Imperative Induced Innovation - Patrick W. Dowd, Ph. Dscoopnewsgroup

Data Tools and the Data Scientist ShortageWes McKinney

Cloudera Fast Forward Labs: The Vision and the Challenge of Applied Machine L...Cloudera, Inc.

Modern Honey Network at Bay Area Open Source Security HackersJason Trost

Getting Started with Splunk Breakout SessionSplunk

Hopper energyserviceshopperdev

Apache SpotAustin Leahy

Was ist angesagt? (13)

Machine Learning for Incident Detection: Getting Started

Grace Hopper Open Source Day Findings | Thorn & Cloudera Cares

2016 Cybersecurity Analytics State of the Union

Fighting cyber fraud with hadoop

Fighting cybersecurity threats with Apache Spot

Meet sqrrl: The Cambridge company commercializing the NSA's surveillance enab...

Imperative Induced Innovation - Patrick W. Dowd, Ph. D

Data Tools and the Data Scientist Shortage

Cloudera Fast Forward Labs: The Vision and the Challenge of Applied Machine L...

Modern Honey Network at Bay Area Open Source Security Hackers

Getting Started with Splunk Breakout Session

Hopper energyservices

Apache Spot

Ähnlich wie Reducing Mean Time to Know

Scalar Security Roadshow - Ottawa PresentationScalar Decisions

PLNOG19 - Gaweł Mikołajczyk & Michał Garcarz - SOC, studium ciężkich przypadkówPROIDEA

How to Build Continuous Ingestion for the Internet of ThingsCloudera, Inc.

Overcoming the Challenges of Architecting for the CloudZscaler

CONFidence2015: Real World Threat Hunting - Martin NystromPROIDEA

Get started with Cloudera's cyber solutionCloudera, Inc.

The Sysdig Secure DevOps PlatformAshnikbiz

Get Started with Cloudera’s Cyber SolutionCloudera, Inc.

Building+a+Security+Operations+Center.pptEthioTelecom_Getahun Biratu

Building a Security Operations CenterLymanAlphaBlob

Building+a+Security+Operations+Center.pptAzim191210

Cisco Connect Ottawa 2018 dna assurance shortest path to network innocenceCisco Canada

Cisco and Splunk: Under the Hood of Cisco IT Breakout SessionSplunk

AWS live hack: Atlassian + Snyk OSS on AWSEric Smalling

The Four Horsemen of Mobile SecuritySkycure

RapidScale Virtualization GPU ComputeRapidScale

Sqrrl 2.0 Launch WebinarSqrrl

AWS live hack: Docker + Snyk Container on AWSEric Smalling

Transform your organization with cisco cloudsolarisyougood

A Connected Data Landscape: Virtualization and the Internet of ThingsInside Analysis

Ähnlich wie Reducing Mean Time to Know (20)

Scalar Security Roadshow - Ottawa Presentation

PLNOG19 - Gaweł Mikołajczyk & Michał Garcarz - SOC, studium ciężkich przypadków

How to Build Continuous Ingestion for the Internet of Things

Overcoming the Challenges of Architecting for the Cloud

CONFidence2015: Real World Threat Hunting - Martin Nystrom

Get started with Cloudera's cyber solution

The Sysdig Secure DevOps Platform

Get Started with Cloudera’s Cyber Solution

Building+a+Security+Operations+Center.ppt

Building a Security Operations Center

Building+a+Security+Operations+Center.ppt

Cisco Connect Ottawa 2018 dna assurance shortest path to network innocence

Cisco and Splunk: Under the Hood of Cisco IT Breakout Session

AWS live hack: Atlassian + Snyk OSS on AWS

The Four Horsemen of Mobile Security

RapidScale Virtualization GPU Compute

Sqrrl 2.0 Launch Webinar

AWS live hack: Docker + Snyk Container on AWS

Transform your organization with cisco cloud

A Connected Data Landscape: Virtualization and the Internet of Things

Mehr von Sqrrl

Transitioning Government TechnologySqrrl

Leveraging Threat Intelligence to Guide Your HuntsSqrrl

How to Hunt for Lateral Movement on Your NetworkSqrrl

Building a Next-Generation Security Operations Center (SOC)Sqrrl

User and Entity Behavior Analytics using the Sqrrl Behavior GraphSqrrl

Threat Hunting Platforms (Collaboration with SANS Institute)Sqrrl

Sqrrl and IBM: Threat Hunting for QRadar UsersSqrrl

Modernizing Your SOC: A CISO-led TrainingSqrrl

Threat Hunting vs. UEBA: Similarities, Differences, and How They Work Together Sqrrl

Leveraging DNS to Surface Attacker ActivitySqrrl

The Art and Science of Alert TriageSqrrl

The Linked Data AdvantageSqrrl

Sqrrl Datasheet: Cyber HuntingSqrrl

Benchmarking The Apache Accumulo Distributed Key–Value StoreSqrrl

Scalable Graph Clustering with PregelSqrrl

What's Next for Google's BigTableSqrrl

April 2015 Webinar: Cyber Hunting with SqrrlSqrrl

Performance Models for Apache AccumuloSqrrl

Sqrrl May Webinar: Data-Centric SecuritySqrrl

Sqrrl November Webinar: Encryption and Security in AccumuloSqrrl

Mehr von Sqrrl (20)

Transitioning Government Technology

Leveraging Threat Intelligence to Guide Your Hunts

How to Hunt for Lateral Movement on Your Network

Building a Next-Generation Security Operations Center (SOC)

User and Entity Behavior Analytics using the Sqrrl Behavior Graph

Threat Hunting Platforms (Collaboration with SANS Institute)

Sqrrl and IBM: Threat Hunting for QRadar Users

Modernizing Your SOC: A CISO-led Training

Threat Hunting vs. UEBA: Similarities, Differences, and How They Work Together

Leveraging DNS to Surface Attacker Activity

The Art and Science of Alert Triage

The Linked Data Advantage

Sqrrl Datasheet: Cyber Hunting

Benchmarking The Apache Accumulo Distributed Key–Value Store

Scalable Graph Clustering with Pregel

What's Next for Google's BigTable

April 2015 Webinar: Cyber Hunting with Sqrrl

Performance Models for Apache Accumulo

Sqrrl May Webinar: Data-Centric Security

Sqrrl November Webinar: Encryption and Security in Accumulo

Kürzlich hochgeladen

The title is not connected to what is insideshinachiaurasa2

Define the academic and professional writing..pdfPearlKirahMaeRagusta1

MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...Jittipong Loespradit

Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Medical / Health Care (+971588192166) Mifepristone and Misoprostol tablets 200mg

Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...SelfMade bd

%in Soweto+277-882-255-28 abortion pills for sale in sowetomasabamasaba

%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...masabamasaba

%in Bahrain+277-882-255-28 abortion pills for sale in Bahrainmasabamasaba

Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Bert Jan Schrijver

%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfonteinmasabamasaba

WSO2CON2024 - It's time to go PlatformlessWSO2

W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda

%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfonteinmasabamasaba

CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE9953056974 Low Rate Call Girls In Saket, Delhi NCR

Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionOnePlan Solutions

%in Harare+277-882-255-28 abortion pills for sale in Hararemasabamasaba

%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...masabamasaba

%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...masabamasaba

Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024VictoriaMetrics

Announcing Codolex 2.0 from GDK SoftwareJim McKeeth

Kürzlich hochgeladen (20)

The title is not connected to what is inside

Define the academic and professional writing..pdf

MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...

Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...

Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...

%in Soweto+277-882-255-28 abortion pills for sale in soweto

%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...

%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain

Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...

%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein

WSO2CON2024 - It's time to go Platformless

W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...

%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein

CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE

Introducing Microsoft’s new Enterprise Work Management (EWM) Solution

%in Harare+277-882-255-28 abortion pills for sale in Harare

%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...

%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...

Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024

Announcing Codolex 2.0 from GDK Software

Reducing Mean Time to Know

1. Securely explore your data SQRRL WEBINAR Reducing “Mean Time to Know”

2. © 2015 Sqrrl | All Rights Reserved 2 YOUR WEBINAR HOSTS •  Sqrrl cofounder / VP Business Development •  Former Director of Cybersecurity at the National Security Council Staff / White House •  Degrees from Wharton and Harvard •  Sqrrl VP Products •  Former Director of Product Management at Vertica, Imprivata, and DataSynapse •  CS degree from MIT

3. © 2015 Sqrrl | All Rights Reserved From securing the country to securing your enterprise SQRRL HISTORY Google’s BigTable Paper 2006 NSA Builds Accumulo 2008 Sqrrl Founded 2012 Sqrrl Enterprise 1.0 2013 Sqrrl Enterprise 2.0 2015 Investors: Patented Technology: 3

5. © 2015 Sqrrl | All Rights Reserved 5 CYBERSECURITY INVESTIGATIONS TAXONOMY Cybersecurity Investigations Detection Analysis Hunting / IOCs Threat Intelligence Alerting Alert Resolution Incident Triage Root Cause / Forensics Rule-Based Algorithmic

6. © 2015 Sqrrl | All Rights Reserved How do we decrease Mean Time To Know? MEAN TIME TO KNOW Mean Time To Identify (MTTI): Detect than an incident has occurred Mean Time To Know (MTTK): Understand root cause of an incident 25% 75% MTTK MTTI % Time Spent on MTTI vs. MTTK Source: Ponemon Institute 6

7. © 2015 Sqrrl | All Rights Reserved Sqrrl MTTK Case Study Large Telecommunications Company Results Challenge Sqrrl Solution Ensured compliance with data security regulations Reduce investigation time from days/weeks to minutes Visibility across more data than previously possible Analyzing more than 1 year of multi-structured security data including for Advanced Persistent (APT), fraud, and insider threats •  Aggregate and store all data •  Gather and profile employee and device behaviors •  Search, query and analyze behaviors, details and anomalies 7

10. © 2015 Sqrrl | All Rights Reserved 10 Performance Measures #1 BIG DATA Source: http://www.pdl.cmu.edu/SDI/2013/slides/ big_graph_nsa_rd_2013_56002v1.pdf Source: http://arxiv.org/pdf/1406.4923v1.pdf •  Sqrrl indexes and stores 25,000 events per second per node •  Sqrrl’s core has proven near-linear scalability to 2000+ nodes •  Clustered support for processing Trillions of events per day Data Source Record Count Ne#low 2,109,409,060 Cisco ASA Firewall 2,982,124,483 Websense 924,819,607 MsDns 503,237,033 IsaFw 207,834,546 IIS 38,941,968 Damballa 16,060 Apache Webserver 5,615,832 ISE 671,006 Radius 1,138,001 Windows Events 12,220,081 Symantec EP 1,040,871 FireEye 4,305 Total Records 6,787,072,853 Node * Seconds 271,800 Records/Second/Node 24,971

14. © 2015 Sqrrl | All Rights Reserved 14 Pattern Discovery and Matching #3 GRAPH EXPLORATION •  Hunting for known patterns •  Search for the HTTP transaction “triangle” •  Locate specific instance quickly amongst large volume of transactions