Mastering Next Gen SIEM Use Cases (Part 1)

1. Mastering NextGen SIEM Use Cases
© Copyright 2017 NETMONASTERY Inc
Shomiron DAS GUPTA, Founder, CEO, NETMONASTERY Inc.
BUILDING LOGIC FOR HUNTING ADVANCED THREATS
CAT SERIES
2. Who is this speaking?
WHAT I DO FOR A LIVING
Founder of NETMONASTERY; we built DNIF, an integrated threat hunting platform for the CSOC
Research on detection, hunting and …. ML
One of the few guys that does defense for a living
GCIA 2000 - 18 years of intrusion detection and handling
@shomiron
3. What can we expect to learn
THIS THREE PART SERIES
1. Change the way we think about detection
2. More about objectives, strategies and tools
3. Use case workshop - the threat hunting process
4. Thinking SWIFT
5. How to set up your threat hunting workshop
4. Agenda Items
THIS SESSION - PART 1
1. Objectives - what we are trying to achieve
2. Strategy - how we will need to think
3. Process - breakdown of the steps
4. The Toolkit - what we will need to get started
5. Q & A
5. Objectives for NextGen SIEM
RATHER … WHAT IS THREAT HUNTING
■ Proactively looking for threats, EOIs (events of interest) and IOCs (indicators of compromise)
■ Use 3rd party validation to identify false positives
■ Engineer security strategies into playbooks
7. Strategy for NextGen Threats
YOU VS YOUR ADVERSARIES - DONALD RUMSFELD
■ known - known: threats you know about and you know how to detect them - THINK SIEM
■ known - unknown: threats you know about but you don't know how to detect them
■ unknown - unknown: threats that you don't know about and you don't know how to detect them
8. Process Engineering
SHORTEST PATH TO SUCCESS
■ Marking out a boundary: it always helps to roll out detection strategies that can be measured. Large infrastructures tend to generate noisy results; limiting scope and growing in phases helps.
■ Identify, watch and learn: build from what you know, mark out your challenge areas and learn from the activities you would like to monitor. The idea is to identify the current state and then detect anomalies against that profile.
■ Detect outliers from events: build profilers that run over past recorded datasets to identify events that have never been seen before, or anomalies that have crossed the known-good patterns of operation.
■ Investigate and feed forward: use hunting strategies to cross-validate threats against 3rd party sources and actively investigate events to identify false positives. Feed the result forward into the learning chain and rationalise the scores.
9. Toolkit for NextGen Threats
HOW TO SUCCEED WITH THREAT HUNTING
■ NextGen SIEM / Threat Hunting Platform
  ● Critical event sources
  ● Integrations for validation and response
■ 3rd party validation sources
  ● File, hash, domain, URL, email, registrar, IP, ASN
■ Playbook repo for the SOC
  ● Build / modify
  ● Train / assist
10. Attack Surfaces
TARGET THREAT LANDSCAPE
Building use cases to detect anomalies on each attack surface:
USER: Insider Attack
ENDPOINT: Endpoint Compromise
APPLICATION: Application Attack
CREDENTIALS: Credential Theft
11. Next Session
USE CASE WORKSHOP
Building use cases to detect anomalies on each attack surface (user, endpoint, application, credentials).
Editor's notes
Marking out a boundary - limit your scope
Identify threads to monitor and learn
Identify outliers
Investigate