
Machine Learning for Threat Detection

3,684 views

Published on

A presentation by Harry McLaren at The Cyber Academy

Published in: Technology


  1. USER BEHAVIOURAL ANALYTICS – Machine Learning for Threat Detection. Harry McLaren – Security Consultant at ECS
  2. HARRY MCLAREN
     • Alumnus of Edinburgh Napier
     • Security Consultant at ECS
     • SOC & CSIR Development
     • Splunk Consultant & Architect
  3. ACCELERATING PACE OF DATA – Volume | Velocity | Variety | Variability
  4. Legacy SIEM-type technologies aren’t enough to detect insider threats and advanced adversaries, and are poorly designed for rapid incident response. [SIEM – Security Information & Event Management]
  5. SIEM PAIN POINTS (2016 SIEM Efficiency Survey, conducted by Netwrix)
     • Inadequate contextual data: 68% of respondents said that reports often only indicated changes without specifying what the change was.
     • Innocuous events of interest: 81% of respondents said that SIEM reports contain too much extraneous information and were overwhelmed with false positives.
  6. TECHNOLOGY DEVELOPMENT / CAPABILITY EVOLUTION (timeline)
     • 1995 – End-point security
     • 2002 – Network security
     • 2008 – Early correlation
     • 2011 – Payload analysis
     • 2015 – Behavior analysis
  7. KILL CHAIN – EVENTS OVERLOAD
  8. SECURITY PLATFORM (Splunk Enterprise Security and Splunk UBA)
     • Security & compliance reporting
     • Incident investigations & forensics
     • Real-time monitoring of known threats
     • Detecting unknown threats
     • Detection of insider threats
     • Detection of advanced cyber attacks
  9. MACHINE LEARNING EVOLUTION (evolution vs. complexity)
     • Rules – threshold
     • Policy – threshold
     • Policy – statistics
     • Unsupervised machine learning
     • Policy – peer group statistics
     • Supervised machine learning
  10. WHAT IS SPLUNK USER BEHAVIORAL ANALYTICS?
     • Detect advanced cyberattacks
     • Detect malicious insider threats
     • Anomaly detection
     • Threat detection
     • Unsupervised machine learning
     • Behavior baselining & modeling
     • Real-time & big data architecture
  11. INSIDER THREAT – user activity timeline (Day 1 … Day 2 … Day N)
     • John connects via VPN
     • Administrator performs ssh (root) to a file share – finance department
     • John executes remote desktop to a system (administrator) – PCI zone
     • John elevates his privileges
     • root copies the document to another file share – Corporate zone
     • root accesses a sensitive document from the file share
     • root uses a set of Twitter handles to chop and copy the data outside the enterprise
  12. MULTI-ENTITY BEHAVIORAL MODEL – Application | User | Host | Network | Data
  13. UBA 2.2 LATEST FEATURES
     • Threat Modeling Framework – create custom threats using 60+ anomalies.
     • Enhanced Security Analytics – visibility and baseline metrics around user, device, application and protocols.
     • Risk Percentile & Dynamic Peer Groups
     • Support for additional 3rd-party devices
  14. QUESTIONS / CONTACT – twitter.com/cyberharibu | harry.mclaren@ecs.co.uk | harrymclaren.co.uk/blog
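The slides describe three ideas without showing how they fit together: a per-user behaviour baseline, peer-group statistics (slides 9 and 13), and a threat modelling framework that chains individual anomalies into a threat (slides 10, 11 and 13). The following is an added illustration, not code from the talk or from Splunk UBA: it learns a baseline from constructed events, flags an action as anomalous only when it is new for the user and rare in the user's peer group, and then matches the ordered anomaly chain against a constructed insider-exfiltration threat model like the slide 11 scenario. The event shape, action names and the 50% peer threshold are assumptions.

```python
from collections import Counter, defaultdict

# Constructed events, not from the talk: (day, user, peer_group, action).
# Days 1-5 are the learning window; day 6 is scored against that baseline.
_ROUTINE = {"john": ("finance", ["vpn_login", "read_report"]),
            "alice": ("finance", ["vpn_login", "read_report"]),
            "bob": ("finance", ["vpn_login", "read_report"]),
            "admin": ("ops", ["ssh_root", "rdp_pci_zone"])}
BASELINE = [(d, u, g, a) for d in range(1, 6) for u, (g, acts) in _ROUTINE.items() for a in acts]
DAY6 = [(6, "john", "finance", "vpn_login"), (6, "john", "finance", "rdp_pci_zone"),
        (6, "john", "finance", "sudo_root"), (6, "john", "finance", "read_sensitive_doc"),
        (6, "john", "finance", "upload_twitter"),
        (6, "alice", "finance", "read_report"), (6, "alice", "finance", "sudo_root")]
# A custom threat in the spirit of the threat-modeling framework: an ordered chain of anomalies.
THREAT_MODELS = {"insider_exfil": ["rdp_pci_zone", "sudo_root", "read_sensitive_doc", "upload_twitter"]}


def build_baseline(events):
    """Per-user action counts, peer-group membership, and which users in a group ever did an action."""
    per_user = defaultdict(Counter)
    members = defaultdict(set)
    group_action_users = defaultdict(lambda: defaultdict(set))
    for _, user, group, action in events:
        per_user[user][action] += 1
        members[group].add(user)
        group_action_users[group][action].add(user)
    return per_user, members, group_action_users


def find_anomalies(events, baseline, peer_fraction=0.5):
    """An action is anomalous if the user never did it in the baseline AND fewer than
    peer_fraction of the peer group ever did it (peer-group statistics). Keeps event order."""
    per_user, members, group_action_users = baseline
    anomalies = defaultdict(list)
    for _, user, group, action in events:
        peers_doing = len(group_action_users[group][action]) / max(1, len(members[group]))
        if per_user[user][action] == 0 and peers_doing < peer_fraction:
            anomalies[user].append(action)
    return dict(anomalies)


def chain_matches(anomalies, chain):
    """True when every step of the chain occurs in the user's anomalies, in order (subsequence test)."""
    it = iter(anomalies)
    return all(step in it for step in chain)


def detect_threats(events, baseline, models=THREAT_MODELS):
    """Map each user with anomalies to the threat models whose chain they completed (possibly none)."""
    anomalies = find_anomalies(events, baseline)
    return {u: [n for n, chain in models.items() if chain_matches(a, chain)] for u, a in anomalies.items()}


if __name__ == "__main__":
    print(detect_threats(DAY6, build_baseline(BASELINE)))  # {'john': ['insider_exfil'], 'alice': []}
```

Alice's lone `sudo_root` is reported as an anomaly but not as a threat, which is the distinction between the "anomaly detection" and "threat detection" boxes on slide 10.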
