The document discusses how security analytics can be operationalized to accelerate threat detection. It argues that security analytics uses techniques like mathematics, statistics and machine learning to analyze large datasets, unlike traditional security analysis. The document provides examples of how a security analytics platform identified intellectual property theft and outlines an operational process for integrating security analytics with existing security tools and incident response workflows. It introduces Interset as a company that uses artificial intelligence and machine learning on big datasets to swiftly identify threats and provide contextual insights to security operations teams.

1. 1 | © 2017 Interset Software
How to Operationalize Big Data Security Analytics
Jay Lillie, Director Field Operations

2. 2 | © 2017 Interset Software
Analytics in the security domain is
misunderstood
(And it’s the fault of security vendors!)

3. 3 | © 2017 Interset Software
Analysis and Analytics are not interchangeable
Analysis Analytics⊃
I can perform analysis
on anything, including
data!
“Analytics is a subset of analysis”
Analytics is a special
type of analysis that can
be performed on data!

4. 4 | © 2017 Interset Software
Analytics in the security domain is misunderstood
Analytics
Analysis ▪ philosophical
▪ interpretive
▪ subjective
▪ exploratory
Analysis MAY be…

5. 5 | © 2017 Interset Software
Analytics in the security domain is misunderstood
▪ mathematics
▪ statistics
▪ data science
▪ machine learning
Analytics MUST have…
▪ queries
▪ rules & thresholds
Security “analytics” is too often…
??
???

6. 6 | © 2017 Interset Software
Analytics focuses on different domain knowledge
Security Analytics

7. 7 | © 2017 Interset Software
So how do we meaningfully bring them together?

8. 8 | © 2017 Interset Software
Accelerate detection activities with
analytics
Do what smart, talented people do… only faster…
and with no pesky sleep required.

9. 9 | © 2017 Interset Software
Identify
Develop
organizational
understanding
Protect
Implement the
appropriate
safeguards
Detect
Identify the
occurrence of
a cybersecurity
event
Respond
Take action
regarding a
detected
cybersecurity
event
Recover
Restore any
capabilities or
services that
were impaired
NIST Cybersecurity Framework
https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf

10. 10 | © 2017 Interset Software
Identify
Develop
organizational
understanding
Protect
Implement the
appropriate
safeguards
Detect
Identify the
occurrence of
a cybersecurity
event
Respond
Take action
regarding a
detected
cybersecurity
event
Recover
Restore any
capabilities or
services that
were impaired
NIST Cybersecurity Framework
https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf

11. 11 | © 2017 Interset Software
Common security operations patterns…
Security Information and
Event Management (SIEM)
Log Management System
(LMS)
Endpoint & Data Loss
Prevention (DLP)
Identity and Access
Management (IAM)
Network
Business Applications Security Operations
Collect
logs
from
various
sources
Write queries
Define rules
Manage
alerts
Attack
reconstruction
Detect Respond
Case Mgmnt / Svc Desk

12. 12 | © 2017 Interset Software
….common problems
Security Information and
Event Management (SIEM)
Log Management System
(LMS)
Endpoint & Data Loss
Prevention (DLP)
Identity and Access
Management (IAM)
Network
Business Applications
Collect
logs
from
various
sources
Endless new queries
Modify rules to have
higher thresholds
Ignore
alerts
Painfully long
reconstruction
We don’t know
where to start
looking for threats.
We don’t have the
staff to analyze
10,000 alerts per day.
60-80% of
alerts are false
positives.
Rules based systems
are brittle, hard to
maintain.

13. 13 | © 2017 Interset Software
Analytics works differently than analysis tools
Endpoint (inc. DLP)
Access, Auth, & Actions
Network (NetFlow)
Enrichment Data
SecurityDataLake
(Integrated)
Security Analytics
Dashboard&
Hand-off
Orchestration / Automation
OpenDXL
Case Mgmnt / Svc Desk
REST API
Detect Respond
Acquire
“Which things matter?”
Bring logs and streaming
sources together
Baseline
“What is normal?”
Incorporate the patterns
of behavior that make
each entity like (and
unlike) others
Score
“Where are the risks?”
Principled analytical
methods surface
quantified potential
threats
Act
“Who takes action?”
Predetermined or ad hoc;
automated or manual

14. 14 | © 2017 Interset Software
SIEM
The services a SIEM provides still have a place!
Endpoint (inc. DLP)
SIEM
Access, Auth, & Actions
Network (NetFlow)
Enrichment Data
SecurityDataLake
(Integrated)
Security Analytics
Dashboard&
Hand-off
Orchestration / Automation
OpenDXL
Case Mgmnt / Svc Desk
REST API
SIEM

15. 15 | © 2017 Interset Software
A holistic response requires integrated data
Auth data
Application /
Service
VPN
Shared Resource
Bring the threat to me:
Who are my riskiest users,
servers, websites…?
Find the threat faster:
Where are the riskiest periods of
time, who interacts with what…?
Integrated to
give the
broadest
possible view
Many sources
yield a single,
meaningful
result set
Find a Threat Lead
Conduct a Threat Hunt

16. 16 | © 2017 Interset Software
Strategically operationalize your security
analytics
Use the right tool, at the right time, in the right place…

17. 17 | © 2017 Interset Software
Understand where you want to go first
Detect Respond
▪ Know what you want to find
▪ Decide how you want to respond
▪ Then, use these to determine what you must
detect

18. 18 | © 2017 Interset Software
People
ProcessTechnology
Operationalization is a full-spectrum exercise
▪ Security Operations Center
(SOC)
▪ IT Help Desk
▪ Cyber Incident Response
Team (CIRT)
▪ Non-IT Coordination
▪ Service Desk (e.g., ITIL)
▪ Cyber threat
▪ Forensics / Evidence gathering
▪ Non-IT intersections
▪ Awareness / Escalation
▪ Case Management
▪ Orchestration
▪ Authentication / Access
Control
▪ Enrichment Sources
Security Operations

19. 19 | © 2017 Interset Software
examples

20. 20 | © 2017 Interset Software
Incident Detection: Theft of intellectual property
X
2 Engineers
stole data
1 Year
$1 Million Spent
Large security
vendor failed to
find anything
2 Weeks
Easily
identified the 2
Engineers
Found 3
additional users
stealing data in
North America
Found 8
additional users
stealing data in
China

21. 21 | © 2017 Interset Software
Operations Integration: Process-based roadmap
Generate
alert
SIEM
Investigate
threat
SOC
Close
investigation
SOC
Coordinate
response
Svc Desk
non-
significant
incident
finding
additional
action
required
alert Create
ticket
Svc Desk
escalate

22. 22 | © 2017 Interset Software
Operations Integration: Process-based roadmap
Detect
events
SIEM
Discover
significant
risk
Interset
Create
ticket
Svc Desk
Investigate
threat
SOC
Close
investigation
SOC
Coordinate
response
Svc Desk
non-
significant
incident
finding
additional
action
required
event risk escalation
Other
reported
behavior
varies
notification
1
logs
3 5 6
7
varies
Collect
logs
2
Enrichment
data
varies
4
8
9

23. 23 | © 2017 Interset Software
Linking technology: Analytics to orchestration
Dashboard&
Hand-off
Orchestration / Automation
OpenDXL
Case Mgmnt / Svc Desk
REST API
Respond
Lock account
Isolate node
Run script
▪ Fast: Yes, faster than a human
▪ Certainty: Not a single alert, but a
distinguishable set of behaviors
▪ Predictable: Nothing gets missed
And more…

24. 24 | © 2017 Interset Software
Who is Interset?

25. 25 | © 2017 Interset Software
Interset Summary
Security analytics combined
with AI / machine-learning is
transformative. Interset big-
data processing swiftly
pinpoints threats, while
expanding visibility to get a
contextual picture of
enterprise risk.
We distill billions of events into hundreds of anomalies…
Then into a handful of actionable SOC leads.
Jay Lillie
Director Field Ops
jlillie@interset.com