SlideShare una empresa de Scribd logo

RSA 2016 Security Analytics Presentation

Descargar como PPTX, PDF
Anton Chuvakin
Anton Chuvakin

RSA 2016 Security Analytics Presentation by Dr Anton Chuvakin

Tecnología
1 de 31
This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner audience or other intended recipients. This presentation may contain information that is confidential, proprietary or otherwise legally protected, and it may not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates. © 2015 Gartner, Inc. and/or its affiliates. All rights reserved. Demystifying Security Analytics: Data, Methods, Use Cases Dr. Anton Chuvakin @anton_chuvakin Research VP Gartner for Technical Professionals
#RSAC Easy, Huh? Security analytics is very easy: 1. Get data. 2. Process with algorithms. 3. Enjoy the insights!
#RSAC 1. Defining “SECURITY ANALYTICS” 2. Choosing your road to security analytics success 3. Tooling up for security analytics: myth and reality 4. Best practices for security analytics? Outline
#RSAC Detect threat better — and detect "better" threats! Decide what matters, prioritize alerts and signals. Triage alerts faster. Solve (some) security problems with less expert labor. A Little Motivation: Why Security Analytics? Beware of overhyped tools!
#RSAC Manual way How many attempts constitute malicious password guessing? 3? 5? 10? 100? Within 1 second? 1 minute? 10 minutes? How to write a rule here? Data-driven / analytics way Run ML on your data, learn from past malicious cases, update models WIN! Example: Password Guessing
#RSAC What Is Security Analytics?
#RSAC Security analytics = Some advanced analysis of some data to achieve some useful security outcome! Q: What is advanced? A: Anything better than "known good/known bad" rule matching and basic statistics (like "if 10% above average, alert"). Not only machine learning! Q: What data, specifically? A: Really, any data: From logs to flows/sessions, from transactions to various context on users, such as HR data, etc. Definition Drill-Down
#RSAC Still Mystified?
#RSAC Data/Methods/Use cases: What data is being analyzed? What methods and algorithms are being used? What specific problems are being solved? Analytics Demystifying Framework! Data sources: What data is being analyzed? Methods: What algorithms are being applied? Use cases: What problem is being solved?
#RSAC Example: DLP Alert Prioritization Data/Methods/Use cases: What data is being analyzed? - DLP alerts, user identity context, data access logs What methods and algorithms are being used? – PCA to find out which dimensions of the alert matter and how much What specific problems are being solved? – Identifying which alerts indicate significant and dangerous data theft
#RSAC Starting Your Security Analytics Journey
#RSAC 1. Analytic, data-driven mindset (!) 2. Willingness to explore data 3. Ability to collect and retain data (SIEM helps — isn't a must) 4. Some understanding of data science approaches 5. Availability of people to use the tools, prepare the data and refine the questions Security Analytics Key Success Factors
#RSAC Analytic mindset seems to determine the success of analytics and big data initiatives for security more than anything else! Really, A Mindset??! Are you a data explorer or an appliance buyer ("OOBster")? Would you look at your data or at your vendor for answers? Must you have out-of-the-box content (rules, signatures, etc.) for everything? Do you accept that data may have the answers, not the gut feel?
#RSAC Products or People: Buy, Build, Partner
#RSAC Before You Buy! Does it say BUY THE WRONG PRODUCT anywhere?
#RSAC Pros: Solve at least some problems immediately upon installation Solve select problems automatically, without tuning Cons: Risk of limited applicability of the tool beyond specific use cases Rely on vendor to pick and solve problems Buy Choice
#RSAC Pros: Leads to development of the capability that can be used to solve future problems Focus resources on organization-specific problem Cons: Extensive effort to build and then mature an analytic capability Skills requirements uncommon for IT organizations (statistics, etc.) Build Choice
#RSAC Start with DATA Explore data to find and solve PROBLEMS Grow SKILLS to identify other useful problems and solve them RETAIN KNOWLEDGE and grow analytics capability Start with PROBLEM AT HAND Find the right DATA to solve it Try different ALGORITHMS, tuning the data too LEARN and solve next problem better LOOK at other data and problems How to Avoid “Science Project” Syndrome?
#RSAC Pros: Leads to development of the customized capability Leverages vendor/provider expertise gained from previous projects Cons: Longer time to value compared to off-the-shelf products High cost of specialty consulting labor Partner Choice
#RSAC However … even if you decide to buy, you may still need to build and definitely tune (both initially and over time!) Warning: Buy Is Often "Buy Then Build"? Buy advantages: Solve at least some problems within 30 days after deployment Solve select problems automatically, without much tuning Supported commercial product may be more comforting to security leaders Rely on vendor expertise with algorithms and statistics; vendor can employ scientists and statisticians
#RSAC Tooling Up
#RSAC There is no one "security analytics market." There is no specific "security analytics technology." (and no "big data security analytics technology"). Security analytics is a concept! Several types of very different commercial tools use it. You can also build your own tools — and use OSS heavily: Ever heard of Hadoop? ELK stack? R? Tools: The Mythology Edition
#RSAC 1. User behavior analytics (UBA, sometimes UEBA for “entity”) 2. Network traffic analysis (NTA, not a common name yet) … and also: Broad-scope data analysis tools with solid and proven security use cases Tools: The Reality Edition
#RSAC But Wait … Where Is SIEM? Source: Gartner (May 2015) Requirement Likely tool type to use Collect log data for compliance, run reports Log management Perform near-real-time security correlation SIEM Detect user anomalies and solve other typical data-intensive problems UBA or other commercial tool Solve organization-specific data intensive problems; collect and analyze diverse data types at high volume Custom-built big data security platform
#RSAC UBA or UEBA: What's Inside the Box? Details Example Data Logs (from SIEM or directly), DLP alerts, flows, network metadata, IAM data, HR data, etc. System authentication logs and Active Directory user information. Methods Supervised machine learning, unsupervised learning, statistical modeling, etc. Self-to-self comparison, peer comparison and activity model vs. time. Use cases Compromised account detection, predeparture data theft, employee sabotage, shared account abuse, etc. Detect account takeover by a malicious external attacker.
#RSAC Compromised Accounts Found Departing Users Stealing IP Geolocation Anomaly Anomalous Behavior in VPN Activity Customer Service Rep. Privacy Breaches Source Code Compromised Compromised System Behavior Retired Devices Still in Service Unauthorized Access to Patient Records Privileged Accounts Shared Example UBA Tool Wins!
#RSAC Network Traffic Analysis: What's Inside the Box? Details Example Data Flows data and network session metadata (to Layer 7), payload data; flows DNS and WHOIS data as context. Application layer traffic data coupled with WHOIS domain registration data. Methods Supervised machine learning, clustering, network modeling, etc. Network activity model over time, traffic volume model by protocol, etc. Use cases Data exfiltration, attacker lateral movement within the network and malware spreading. Detect data exfiltration by the attacker based on traffic volume per protocol per use model.
#RSAC 1. SIEM collectors feed SIEM and Hadoop (some direct data collection into Hadoop): One data repository for everything ("data lake") 2. Selective data structuring (Hadoop to MongoDB and PostgreSQL): Tableau fed from Postgres, custom tools fed from Mongo Also, Solr runs off Hadoop 3. Shared data scientist pool (+ 1 "security data scientist") 4. Visualization and query tools built for junior analysts One Implementation: How They Did It?
#RSAC Not Yet!
#RSAC  Given an early stage of these technologies, tool acquisition needs to be targeted at specific problems because there are no "general security analytics tools" on sale. (BUY route)  There is not enough data on the comparative effectiveness of various analytic approaches and algorithms (implemented in vendor tools) versus real-world problems. (BUY route)  Think of the problems first, target purchases at problems, do validate that the vendor of choice has a record of solving such problems. (BUY route)  Think of the data first, and start exploring, then bring tools and components as needed (BUILD route) Recommendations
#RSAC  Make the commercial tools EASY TO TEST and PROVE VALUE  Evolve analytics tools to ALGORITHM PORTABILITY  Create CATALOGUE of USE CASES where various analytics tools work well IN REAL WORLD  Add more BRAINPOWER to all security tools! INDUSTRY CALL TO ACTION!

Recomendados

New Paradigms for the Next Era of Security
New Paradigms for the Next Era of SecurityNew Paradigms for the Next Era of Security
New Paradigms for the Next Era of SecuritySounil Yu
 
Cyber Defense Matrix: Reloaded
Cyber Defense Matrix: ReloadedCyber Defense Matrix: Reloaded
Cyber Defense Matrix: ReloadedSounil Yu
 
SABSA vs. TOGAF in a RMF NIST 800-30 context
SABSA vs. TOGAF in a RMF NIST 800-30 contextSABSA vs. TOGAF in a RMF NIST 800-30 context
SABSA vs. TOGAF in a RMF NIST 800-30 contextDavid Sweigert
 
Impactful Storytelling - Enhance Your Value and Influence .pdf
Impactful Storytelling - Enhance Your Value and Influence .pdfImpactful Storytelling - Enhance Your Value and Influence .pdf
Impactful Storytelling - Enhance Your Value and Influence .pdfJoelRodriguze
 
Rf troubleshooting advanced kelly griffin_peter lane
Rf troubleshooting advanced kelly griffin_peter laneRf troubleshooting advanced kelly griffin_peter lane
Rf troubleshooting advanced kelly griffin_peter laneAruba, a Hewlett Packard Enterprise company
 
Modèle de sécurité organisationnelle
Modèle de sécurité organisationnelleModèle de sécurité organisationnelle
Modèle de sécurité organisationnelleMarc-Andre Heroux
 
ビルトインサーバーLoRaWANゲートウェイ LPS8v2日本語ユーザーマニュアル
ビルトインサーバーLoRaWANゲートウェイ LPS8v2日本語ユーザーマニュアルビルトインサーバーLoRaWANゲートウェイ LPS8v2日本語ユーザーマニュアル
ビルトインサーバーLoRaWANゲートウェイ LPS8v2日本語ユーザーマニュアルCRI Japan, Inc.
 
2021/0/15 - Solarwinds supply chain attack: why we should take it sereously
2021/0/15 - Solarwinds supply chain attack: why we should take it sereously2021/0/15 - Solarwinds supply chain attack: why we should take it sereously
2021/0/15 - Solarwinds supply chain attack: why we should take it sereouslySirris
 

Recomendados

New Paradigms for the Next Era of Security
New Paradigms for the Next Era of SecurityNew Paradigms for the Next Era of Security
New Paradigms for the Next Era of SecuritySounil Yu
 
Cyber Defense Matrix: Reloaded
Cyber Defense Matrix: ReloadedCyber Defense Matrix: Reloaded
Cyber Defense Matrix: ReloadedSounil Yu
 
SABSA vs. TOGAF in a RMF NIST 800-30 context
SABSA vs. TOGAF in a RMF NIST 800-30 contextSABSA vs. TOGAF in a RMF NIST 800-30 context
SABSA vs. TOGAF in a RMF NIST 800-30 contextDavid Sweigert
 
Impactful Storytelling - Enhance Your Value and Influence .pdf
Impactful Storytelling - Enhance Your Value and Influence .pdfImpactful Storytelling - Enhance Your Value and Influence .pdf
Impactful Storytelling - Enhance Your Value and Influence .pdfJoelRodriguze
 
Rf troubleshooting advanced kelly griffin_peter lane
Rf troubleshooting advanced kelly griffin_peter laneRf troubleshooting advanced kelly griffin_peter lane
Rf troubleshooting advanced kelly griffin_peter laneAruba, a Hewlett Packard Enterprise company
 
Modèle de sécurité organisationnelle
Modèle de sécurité organisationnelleModèle de sécurité organisationnelle
Modèle de sécurité organisationnelleMarc-Andre Heroux
 
ビルトインサーバーLoRaWANゲートウェイ LPS8v2日本語ユーザーマニュアル
ビルトインサーバーLoRaWANゲートウェイ LPS8v2日本語ユーザーマニュアルビルトインサーバーLoRaWANゲートウェイ LPS8v2日本語ユーザーマニュアル
ビルトインサーバーLoRaWANゲートウェイ LPS8v2日本語ユーザーマニュアルCRI Japan, Inc.
 
2021/0/15 - Solarwinds supply chain attack: why we should take it sereously
2021/0/15 - Solarwinds supply chain attack: why we should take it sereously2021/0/15 - Solarwinds supply chain attack: why we should take it sereously
2021/0/15 - Solarwinds supply chain attack: why we should take it sereouslySirris
 
Understanding the Cyber Security Vendor Landscape
Understanding the Cyber Security Vendor LandscapeUnderstanding the Cyber Security Vendor Landscape
Understanding the Cyber Security Vendor LandscapeSounil Yu
 
2010 02 09 Ms Tech Days Owasp Asvs Sgi V01
2010 02 09 Ms Tech Days Owasp Asvs Sgi V012010 02 09 Ms Tech Days Owasp Asvs Sgi V01
2010 02 09 Ms Tech Days Owasp Asvs Sgi V01Sébastien GIORIA
 
Gestion des identités : par où commencer ?
Gestion des identités : par où commencer ?Gestion des identités : par où commencer ?
Gestion des identités : par où commencer ?Identity Days
 
Data Loss Prevention
Data Loss PreventionData Loss Prevention
Data Loss Preventiondj1arry
 
IPsec vpn topology over GRE tunnels
IPsec vpn topology over GRE tunnelsIPsec vpn topology over GRE tunnels
IPsec vpn topology over GRE tunnelsMustafa Khaleel
 
SX1302 LoRaWANゲートウェイ LIG16 日本語ユーザーマニュアル
SX1302 LoRaWANゲートウェイ LIG16 日本語ユーザーマニュアルSX1302 LoRaWANゲートウェイ LIG16 日本語ユーザーマニュアル
SX1302 LoRaWANゲートウェイ LIG16 日本語ユーザーマニュアルCRI Japan, Inc.
 
Zero trust Architecture
Zero trust Architecture Zero trust Architecture
Zero trust Architecture AddWeb Solution Pvt. Ltd.
 
Packets never lie: An in-depth overview of 802.11 frames
Packets never lie: An in-depth overview of 802.11 framesPackets never lie: An in-depth overview of 802.11 frames
Packets never lie: An in-depth overview of 802.11 framesAruba, a Hewlett Packard Enterprise company
 
Identity Access Management (IAM)
Identity Access Management (IAM)Identity Access Management (IAM)
Identity Access Management (IAM)Prof. Jacques Folon (Ph.D)
 
Presentation cisco iron port email & web security
Presentation cisco iron port email & web securityPresentation cisco iron port email & web security
Presentation cisco iron port email & web securityxKinAnx
 
Cyber Defense Matrix: Revolutions
Cyber Defense Matrix: RevolutionsCyber Defense Matrix: Revolutions
Cyber Defense Matrix: RevolutionsSounil Yu
 
Digital Signage Systems - The Modern Hacker's Outreach
Digital Signage Systems - The Modern Hacker's OutreachDigital Signage Systems - The Modern Hacker's Outreach
Digital Signage Systems - The Modern Hacker's OutreachZero Science Lab
 
Introduction to malware analysis with Cuckoo Sandbox
Introduction to malware analysis with Cuckoo SandboxIntroduction to malware analysis with Cuckoo Sandbox
Introduction to malware analysis with Cuckoo Sandboxsysinsider
 
Netskope Overview
Netskope OverviewNetskope Overview
Netskope OverviewNetskope
 
Zero Trust Model Presentation
Zero Trust Model PresentationZero Trust Model Presentation
Zero Trust Model PresentationGowdhaman Jothilingam
 
Network Architecture Review Checklist
Network Architecture Review ChecklistNetwork Architecture Review Checklist
Network Architecture Review ChecklistEberly Wilson
 
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Sounil Yu
 
A Data Modelling Framework to Unify Cyber Security Knowledge
A Data Modelling Framework to Unify Cyber Security KnowledgeA Data Modelling Framework to Unify Cyber Security Knowledge
A Data Modelling Framework to Unify Cyber Security KnowledgeVaticle
 
Defence in Depth Architectural Decisions
Defence in Depth Architectural DecisionsDefence in Depth Architectural Decisions
Defence in Depth Architectural DecisionsPeter Rawsthorne
 
Junos routing overview from Juniper
Junos routing overview from JuniperJunos routing overview from Juniper
Junos routing overview from JuniperNam Nguyen
 
Demystifying Security Analytics: Data, Methods, Use Cases
Demystifying Security Analytics: Data, Methods, Use CasesDemystifying Security Analytics: Data, Methods, Use Cases
Demystifying Security Analytics: Data, Methods, Use CasesPriyanka Aash
 
Data Science Transforming Security Operations
Data Science Transforming Security OperationsData Science Transforming Security Operations
Data Science Transforming Security OperationsPriyanka Aash
 

Más contenido relacionado

La actualidad más candente

Understanding the Cyber Security Vendor Landscape
Understanding the Cyber Security Vendor LandscapeUnderstanding the Cyber Security Vendor Landscape
Understanding the Cyber Security Vendor LandscapeSounil Yu
 
2010 02 09 Ms Tech Days Owasp Asvs Sgi V01
2010 02 09 Ms Tech Days Owasp Asvs Sgi V012010 02 09 Ms Tech Days Owasp Asvs Sgi V01
2010 02 09 Ms Tech Days Owasp Asvs Sgi V01Sébastien GIORIA
 
Gestion des identités : par où commencer ?
Gestion des identités : par où commencer ?Gestion des identités : par où commencer ?
Gestion des identités : par où commencer ?Identity Days
 
Data Loss Prevention
Data Loss PreventionData Loss Prevention
Data Loss Preventiondj1arry
 
IPsec vpn topology over GRE tunnels
IPsec vpn topology over GRE tunnelsIPsec vpn topology over GRE tunnels
IPsec vpn topology over GRE tunnelsMustafa Khaleel
 
SX1302 LoRaWANゲートウェイ LIG16 日本語ユーザーマニュアル
SX1302 LoRaWANゲートウェイ LIG16 日本語ユーザーマニュアルSX1302 LoRaWANゲートウェイ LIG16 日本語ユーザーマニュアル
SX1302 LoRaWANゲートウェイ LIG16 日本語ユーザーマニュアルCRI Japan, Inc.
 
Presentation cisco iron port email & web security
Presentation cisco iron port email & web securityPresentation cisco iron port email & web security
Presentation cisco iron port email & web securityxKinAnx
 
Cyber Defense Matrix: Revolutions
Cyber Defense Matrix: RevolutionsCyber Defense Matrix: Revolutions
Cyber Defense Matrix: RevolutionsSounil Yu
 
Digital Signage Systems - The Modern Hacker's Outreach
Digital Signage Systems - The Modern Hacker's OutreachDigital Signage Systems - The Modern Hacker's Outreach
Digital Signage Systems - The Modern Hacker's OutreachZero Science Lab
 
Introduction to malware analysis with Cuckoo Sandbox
Introduction to malware analysis with Cuckoo SandboxIntroduction to malware analysis with Cuckoo Sandbox
Introduction to malware analysis with Cuckoo Sandboxsysinsider
 
Netskope Overview
Netskope OverviewNetskope Overview
Netskope OverviewNetskope
 
Network Architecture Review Checklist
Network Architecture Review ChecklistNetwork Architecture Review Checklist
Network Architecture Review ChecklistEberly Wilson
 
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Sounil Yu
 
A Data Modelling Framework to Unify Cyber Security Knowledge
A Data Modelling Framework to Unify Cyber Security KnowledgeA Data Modelling Framework to Unify Cyber Security Knowledge
A Data Modelling Framework to Unify Cyber Security KnowledgeVaticle
 
Defence in Depth Architectural Decisions
Defence in Depth Architectural DecisionsDefence in Depth Architectural Decisions
Defence in Depth Architectural DecisionsPeter Rawsthorne
 
Junos routing overview from Juniper
Junos routing overview from JuniperJunos routing overview from Juniper
Junos routing overview from JuniperNam Nguyen
 

La actualidad más candente (20)

Understanding the Cyber Security Vendor Landscape
Understanding the Cyber Security Vendor LandscapeUnderstanding the Cyber Security Vendor Landscape
Understanding the Cyber Security Vendor Landscape
 
2010 02 09 Ms Tech Days Owasp Asvs Sgi V01
2010 02 09 Ms Tech Days Owasp Asvs Sgi V012010 02 09 Ms Tech Days Owasp Asvs Sgi V01
2010 02 09 Ms Tech Days Owasp Asvs Sgi V01
 
Gestion des identités : par où commencer ?
Gestion des identités : par où commencer ?Gestion des identités : par où commencer ?
Gestion des identités : par où commencer ?
 
Data Loss Prevention
Data Loss PreventionData Loss Prevention
Data Loss Prevention
 
IPsec vpn topology over GRE tunnels
IPsec vpn topology over GRE tunnelsIPsec vpn topology over GRE tunnels
IPsec vpn topology over GRE tunnels
 
SX1302 LoRaWANゲートウェイ LIG16 日本語ユーザーマニュアル
SX1302 LoRaWANゲートウェイ LIG16 日本語ユーザーマニュアルSX1302 LoRaWANゲートウェイ LIG16 日本語ユーザーマニュアル
SX1302 LoRaWANゲートウェイ LIG16 日本語ユーザーマニュアル
 
Zero trust Architecture
Zero trust Architecture Zero trust Architecture
Zero trust Architecture
 
Packets never lie: An in-depth overview of 802.11 frames
Packets never lie: An in-depth overview of 802.11 framesPackets never lie: An in-depth overview of 802.11 frames
Packets never lie: An in-depth overview of 802.11 frames
 
Identity Access Management (IAM)
Identity Access Management (IAM)Identity Access Management (IAM)
Identity Access Management (IAM)
 
Presentation cisco iron port email & web security
Presentation cisco iron port email & web securityPresentation cisco iron port email & web security
Presentation cisco iron port email & web security
 
Cyber Defense Matrix: Revolutions
Cyber Defense Matrix: RevolutionsCyber Defense Matrix: Revolutions
Cyber Defense Matrix: Revolutions
 
Digital Signage Systems - The Modern Hacker's Outreach
Digital Signage Systems - The Modern Hacker's OutreachDigital Signage Systems - The Modern Hacker's Outreach
Digital Signage Systems - The Modern Hacker's Outreach
 
Introduction to malware analysis with Cuckoo Sandbox
Introduction to malware analysis with Cuckoo SandboxIntroduction to malware analysis with Cuckoo Sandbox
Introduction to malware analysis with Cuckoo Sandbox
 
Netskope Overview
Netskope OverviewNetskope Overview
Netskope Overview
 
Zero Trust Model Presentation
Zero Trust Model PresentationZero Trust Model Presentation
Zero Trust Model Presentation
 
Network Architecture Review Checklist
Network Architecture Review ChecklistNetwork Architecture Review Checklist
Network Architecture Review Checklist
 
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
 
A Data Modelling Framework to Unify Cyber Security Knowledge
A Data Modelling Framework to Unify Cyber Security KnowledgeA Data Modelling Framework to Unify Cyber Security Knowledge
A Data Modelling Framework to Unify Cyber Security Knowledge
 
Defence in Depth Architectural Decisions
Defence in Depth Architectural DecisionsDefence in Depth Architectural Decisions
Defence in Depth Architectural Decisions
 
Junos routing overview from Juniper
Junos routing overview from JuniperJunos routing overview from Juniper
Junos routing overview from Juniper
 

Similar a RSA 2016 Security Analytics Presentation

Demystifying Security Analytics: Data, Methods, Use Cases
Demystifying Security Analytics: Data, Methods, Use CasesDemystifying Security Analytics: Data, Methods, Use Cases
Demystifying Security Analytics: Data, Methods, Use CasesPriyanka Aash
 
Data Science Transforming Security Operations
Data Science Transforming Security OperationsData Science Transforming Security Operations
Data Science Transforming Security OperationsPriyanka Aash
 
Data Mining and Data Warehouse
Data Mining and Data WarehouseData Mining and Data Warehouse
Data Mining and Data WarehouseAnupam Sharma
 
Effective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza AdinehEffective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza AdinehReZa AdineH
 
Data Science.pptx NEW COURICUUMN IN DATA
Data Science.pptx NEW COURICUUMN IN DATAData Science.pptx NEW COURICUUMN IN DATA
Data Science.pptx NEW COURICUUMN IN DATAjaved75
 
Applying Auto-Data Classification Techniques for Large Data Sets
Applying Auto-Data Classification Techniques for Large Data SetsApplying Auto-Data Classification Techniques for Large Data Sets
Applying Auto-Data Classification Techniques for Large Data SetsPriyanka Aash
 
nullcon 2011 - Enterprise Paradigm for Controlling Data Leakage
nullcon 2011 - Enterprise Paradigm for Controlling Data Leakagenullcon 2011 - Enterprise Paradigm for Controlling Data Leakage
nullcon 2011 - Enterprise Paradigm for Controlling Data Leakagen|u - The Open Security Community
 
Rapid Threat Modeling Techniques
Rapid Threat Modeling TechniquesRapid Threat Modeling Techniques
Rapid Threat Modeling TechniquesPriyanka Aash
 
A Vision for Shared, Central Intelligence to Ebb a Growing Flood of Alerts
A Vision for Shared, Central Intelligence to Ebb a Growing Flood of AlertsA Vision for Shared, Central Intelligence to Ebb a Growing Flood of Alerts
A Vision for Shared, Central Intelligence to Ebb a Growing Flood of AlertsPriyanka Aash
 
Can You Really Automate Yourself Secure
Can You Really Automate Yourself SecureCan You Really Automate Yourself Secure
Can You Really Automate Yourself SecureCigital
 
SIEM evaluator guide for soc analyst
SIEM evaluator guide for soc analystSIEM evaluator guide for soc analyst
SIEM evaluator guide for soc analystInfosecTrain
 
Gse uk-cedrinemadera-2018-shared
Gse uk-cedrinemadera-2018-sharedGse uk-cedrinemadera-2018-shared
Gse uk-cedrinemadera-2018-sharedcedrinemadera
 
Making Internet Of Things Device Data Just Work!
Making Internet Of Things Device Data Just Work!Making Internet Of Things Device Data Just Work!
Making Internet Of Things Device Data Just Work!Memoori
 
High time to add machine learning to your information security stack
High time to add machine learning to your information security stackHigh time to add machine learning to your information security stack
High time to add machine learning to your information security stackMinhaz A V
 
Aligning Application Security to Compliance
Aligning Application Security to ComplianceAligning Application Security to Compliance
Aligning Application Security to ComplianceSecurity Innovation
 
Preparing for the Cybersecurity Renaissance
Preparing for the Cybersecurity RenaissancePreparing for the Cybersecurity Renaissance
Preparing for the Cybersecurity RenaissanceCloudera, Inc.
 
Data science Nagarajan and madhav.pptx
Data science Nagarajan and madhav.pptxData science Nagarajan and madhav.pptx
Data science Nagarajan and madhav.pptxNagarajanG35
 
Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016Karl Kispert
 
Big data and Marketing by Edward Chenard
Big data and Marketing by Edward ChenardBig data and Marketing by Edward Chenard
Big data and Marketing by Edward ChenardEdward Chenard
 
#MarketingShake - Edward Chenard - Descubrí el poder del Big Data para Transf...
#MarketingShake - Edward Chenard - Descubrí el poder del Big Data para Transf...#MarketingShake - Edward Chenard - Descubrí el poder del Big Data para Transf...
#MarketingShake - Edward Chenard - Descubrí el poder del Big Data para Transf...amdia
 

Similar a RSA 2016 Security Analytics Presentation (20)

Demystifying Security Analytics: Data, Methods, Use Cases
Demystifying Security Analytics: Data, Methods, Use CasesDemystifying Security Analytics: Data, Methods, Use Cases
Demystifying Security Analytics: Data, Methods, Use Cases
 
Data Science Transforming Security Operations
Data Science Transforming Security OperationsData Science Transforming Security Operations
Data Science Transforming Security Operations
 
Data Mining and Data Warehouse
Data Mining and Data WarehouseData Mining and Data Warehouse
Data Mining and Data Warehouse
 
Effective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza AdinehEffective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza Adineh
 
Data Science.pptx NEW COURICUUMN IN DATA
Data Science.pptx NEW COURICUUMN IN DATAData Science.pptx NEW COURICUUMN IN DATA
Data Science.pptx NEW COURICUUMN IN DATA
 
Applying Auto-Data Classification Techniques for Large Data Sets
Applying Auto-Data Classification Techniques for Large Data SetsApplying Auto-Data Classification Techniques for Large Data Sets
Applying Auto-Data Classification Techniques for Large Data Sets
 
nullcon 2011 - Enterprise Paradigm for Controlling Data Leakage
nullcon 2011 - Enterprise Paradigm for Controlling Data Leakagenullcon 2011 - Enterprise Paradigm for Controlling Data Leakage
nullcon 2011 - Enterprise Paradigm for Controlling Data Leakage
 
Rapid Threat Modeling Techniques
Rapid Threat Modeling TechniquesRapid Threat Modeling Techniques
Rapid Threat Modeling Techniques
 
A Vision for Shared, Central Intelligence to Ebb a Growing Flood of Alerts
A Vision for Shared, Central Intelligence to Ebb a Growing Flood of AlertsA Vision for Shared, Central Intelligence to Ebb a Growing Flood of Alerts
A Vision for Shared, Central Intelligence to Ebb a Growing Flood of Alerts
 
Can You Really Automate Yourself Secure
Can You Really Automate Yourself SecureCan You Really Automate Yourself Secure
Can You Really Automate Yourself Secure
 
SIEM evaluator guide for soc analyst
SIEM evaluator guide for soc analystSIEM evaluator guide for soc analyst
SIEM evaluator guide for soc analyst
 
Gse uk-cedrinemadera-2018-shared
Gse uk-cedrinemadera-2018-sharedGse uk-cedrinemadera-2018-shared
Gse uk-cedrinemadera-2018-shared
 
Making Internet Of Things Device Data Just Work!
Making Internet Of Things Device Data Just Work!Making Internet Of Things Device Data Just Work!
Making Internet Of Things Device Data Just Work!
 
High time to add machine learning to your information security stack
High time to add machine learning to your information security stackHigh time to add machine learning to your information security stack
High time to add machine learning to your information security stack
 
Aligning Application Security to Compliance
Aligning Application Security to ComplianceAligning Application Security to Compliance
Aligning Application Security to Compliance
 
Preparing for the Cybersecurity Renaissance
Preparing for the Cybersecurity RenaissancePreparing for the Cybersecurity Renaissance
Preparing for the Cybersecurity Renaissance
 
Data science Nagarajan and madhav.pptx
Data science Nagarajan and madhav.pptxData science Nagarajan and madhav.pptx
Data science Nagarajan and madhav.pptx
 
Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016
 
Big data and Marketing by Edward Chenard
Big data and Marketing by Edward ChenardBig data and Marketing by Edward Chenard
Big data and Marketing by Edward Chenard
 
#MarketingShake - Edward Chenard - Descubrí el poder del Big Data para Transf...
#MarketingShake - Edward Chenard - Descubrí el poder del Big Data para Transf...#MarketingShake - Edward Chenard - Descubrí el poder del Big Data para Transf...
#MarketingShake - Edward Chenard - Descubrí el poder del Big Data para Transf...
 

Más de Anton Chuvakin

Future of SOC: More Security, Less Operations
Future of SOC: More Security, Less OperationsFuture of SOC: More Security, Less Operations
Future of SOC: More Security, Less OperationsAnton Chuvakin
 
SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?Anton Chuvakin
 
Meet the Ghost of SecOps Future by Anton Chuvakin
Meet the Ghost of SecOps Future by Anton ChuvakinMeet the Ghost of SecOps Future by Anton Chuvakin
Meet the Ghost of SecOps Future by Anton ChuvakinAnton Chuvakin
 
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...Anton Chuvakin
 
SOC Lessons from DevOps and SRE by Anton Chuvakin
SOC Lessons from DevOps and SRE by Anton ChuvakinSOC Lessons from DevOps and SRE by Anton Chuvakin
SOC Lessons from DevOps and SRE by Anton ChuvakinAnton Chuvakin
 
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 BoothHey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 BoothAnton Chuvakin
 
20 Years of SIEM - SANS Webinar 2022
20 Years of SIEM - SANS Webinar 202220 Years of SIEM - SANS Webinar 2022
20 Years of SIEM - SANS Webinar 2022Anton Chuvakin
 
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
10X SOC - SANS Blue Summit Keynote 2021 - Anton ChuvakinAnton Chuvakin
 
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020 Groovy SOC Tunes aka Modern SOC TrendsSOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020 Groovy SOC Tunes aka Modern SOC TrendsAnton Chuvakin
 
SOCstock 2021 The Cloud-native SOC
SOCstock 2021 The Cloud-native SOC SOCstock 2021 The Cloud-native SOC
SOCstock 2021 The Cloud-native SOC Anton Chuvakin
 
Modern SOC Trends 2020
Modern SOC Trends 2020Modern SOC Trends 2020
Modern SOC Trends 2020Anton Chuvakin
 
Anton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in BriefAnton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in BriefAnton Chuvakin
 
Five SIEM Futures (2012)
Five SIEM Futures (2012)Five SIEM Futures (2012)
Five SIEM Futures (2012)Anton Chuvakin
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinAnton Chuvakin
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinAnton Chuvakin
 
Practical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton ChuvakinPractical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton ChuvakinAnton Chuvakin
 
Log management and compliance: What's the real story? by Dr. Anton Chuvakin
Log management and compliance: What's the real story? by Dr. Anton ChuvakinLog management and compliance: What's the real story? by Dr. Anton Chuvakin
Log management and compliance: What's the real story? by Dr. Anton ChuvakinAnton Chuvakin
 

Más de Anton Chuvakin (20)

Future of SOC: More Security, Less Operations
Future of SOC: More Security, Less OperationsFuture of SOC: More Security, Less Operations
Future of SOC: More Security, Less Operations
 
SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?
 
Meet the Ghost of SecOps Future by Anton Chuvakin
Meet the Ghost of SecOps Future by Anton ChuvakinMeet the Ghost of SecOps Future by Anton Chuvakin
Meet the Ghost of SecOps Future by Anton Chuvakin
 
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
 
SOC Lessons from DevOps and SRE by Anton Chuvakin
SOC Lessons from DevOps and SRE by Anton ChuvakinSOC Lessons from DevOps and SRE by Anton Chuvakin
SOC Lessons from DevOps and SRE by Anton Chuvakin
 
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 BoothHey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
 
20 Years of SIEM - SANS Webinar 2022
20 Years of SIEM - SANS Webinar 202220 Years of SIEM - SANS Webinar 2022
20 Years of SIEM - SANS Webinar 2022
 
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
 
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020 Groovy SOC Tunes aka Modern SOC TrendsSOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
 
SOCstock 2021 The Cloud-native SOC
SOCstock 2021 The Cloud-native SOC SOCstock 2021 The Cloud-native SOC
SOCstock 2021 The Cloud-native SOC
 
Modern SOC Trends 2020
Modern SOC Trends 2020Modern SOC Trends 2020
Modern SOC Trends 2020
 
Anton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in BriefAnton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in Brief
 
Generic siem how_2017
Generic siem how_2017Generic siem how_2017
Generic siem how_2017
 
Tips on SIEM Ops 2015
Tips on SIEM Ops 2015Tips on SIEM Ops 2015
Tips on SIEM Ops 2015
 
Five SIEM Futures (2012)
Five SIEM Futures (2012)Five SIEM Futures (2012)
Five SIEM Futures (2012)
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
 
Practical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton ChuvakinPractical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
 
SIEM Primer:
SIEM Primer:SIEM Primer:
SIEM Primer:
 
Log management and compliance: What's the real story? by Dr. Anton Chuvakin
Log management and compliance: What's the real story? by Dr. Anton ChuvakinLog management and compliance: What's the real story? by Dr. Anton Chuvakin
Log management and compliance: What's the real story? by Dr. Anton Chuvakin
 

Último

SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 

Último (20)

SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 

RSA 2016 Security Analytics Presentation

  • 1. This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner audience or other intended recipients. This presentation may contain information that is confidential, proprietary or otherwise legally protected, and it may not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates. © 2015 Gartner, Inc. and/or its affiliates. All rights reserved. Demystifying Security Analytics: Data, Methods, Use Cases Dr. Anton Chuvakin @anton_chuvakin Research VP Gartner for Technical Professionals
  • 2. #RSAC Easy, Huh? Security analytics is very easy: 1. Get data. 2. Process with algorithms. 3. Enjoy the insights!
  • 3. #RSAC 1. Defining “SECURITY ANALYTICS” 2. Choosing your road to security analytics success 3. Tooling up for security analytics: myth and reality 4. Best practices for security analytics? Outline
  • 4. #RSAC Detect threat better — and detect "better" threats! Decide what matters, prioritize alerts and signals. Triage alerts faster. Solve (some) security problems with less expert labor. A Little Motivation: Why Security Analytics? Beware of overhyped tools!
  • 5. #RSAC Manual way How many attempts constitute malicious password guessing? 3? 5? 10? 100? Within 1 second? 1 minute? 10 minutes? How to write a rule here? Data-driven / analytics way Run ML on your data, learn from past malicious cases, update models WIN! Example: Password Guessing
  • 7. #RSAC Security analytics = Some advanced analysis of some data to achieve some useful security outcome! Q: What is advanced? A: Anything better than "known good/known bad" rule matching and basic statistics (like "if 10% above average, alert"). Not only machine learning! Q: What data, specifically? A: Really, any data: From logs to flows/sessions, from transactions to various context on users, such as HR data, etc. Definition Drill-Down
  • 9. #RSAC Data/Methods/Use cases: What data is being analyzed? What methods and algorithms are being used? What specific problems are being solved? Analytics Demystifying Framework! Data sources: What data is being analyzed? Methods: What algorithms are being applied? Use cases: What problem is being solved?
  • 10. #RSAC Example: DLP Alert Prioritization Data/Methods/Use cases: What data is being analyzed? - DLP alerts, user identity context, data access logs What methods and algorithms are being used? – PCA to find out which dimensions of the alert matter and how much What specific problems are being solved? – Identifying which alerts indicate significant and dangerous data theft
  • 11. #RSAC Starting Your Security Analytics Journey
  • 12. #RSAC 1. Analytic, data-driven mindset (!) 2. Willingness to explore data 3. Ability to collect and retain data (SIEM helps — isn't a must) 4. Some understanding of data science approaches 5. Availability of people to use the tools, prepare the data and refine the questions Security Analytics Key Success Factors
  • 13. #RSAC Analytic mindset seems to determine the success of analytics and big data initiatives for security more than anything else! Really, A Mindset??! Are you a data explorer or an appliance buyer ("OOBster")? Would you look at your data or at your vendor for answers? Must you have out-of-the-box content (rules, signatures, etc.) for everything? Do you accept that data may have the answers, not the gut feel?
  • 14. #RSAC Products or People: Buy, Build, Partner
  • 15. #RSAC Before You Buy! Does it say BUY THE WRONG PRODUCT anywhere?
  • 16. #RSAC Pros: Solve at least some problems immediately upon installation Solve select problems automatically, without tuning Cons: Risk of limited applicability of the tool beyond specific use cases Rely on vendor to pick and solve problems Buy Choice
  • 17. #RSAC Pros: Leads to development of the capability that can be used to solve future problems Focus resources on organization-specific problem Cons: Extensive effort to build and then mature an analytic capability Skills requirements uncommon for IT organizations (statistics, etc.) Build Choice
  • 18. #RSAC Start with DATA Explore data to find and solve PROBLEMS Grow SKILLS to identify other useful problems and solve them RETAIN KNOWLEDGE and grow analytics capability Start with PROBLEM AT HAND Find the right DATA to solve it Try different ALGORITHMS, tuning the data too LEARN and solve next problem better LOOK at other data and problems How to Avoid “Science Project” Syndrome?
  • 19. #RSAC Pros: Leads to development of the customized capability Leverages vendor/provider expertise gained from previous projects Cons: Longer time to value compared to off-the-shelf products High cost of specialty consulting labor Partner Choice
  • 20. #RSAC However … even if you decide to buy, you may still need to build and definitely tune (both initially and over time!) Warning: Buy Is Often "Buy Then Build"? Buy advantages: Solve at least some problems within 30 days after deployment Solve select problems automatically, without much tuning Supported commercial product may be more comforting to security leaders Rely on vendor expertise with algorithms and statistics; vendor can employ scientists and statisticians
  • 22. #RSAC There is no one "security analytics market." There is no specific "security analytics technology." (and no "big data security analytics technology"). Security analytics is a concept! Several types of very different commercial tools use it. You can also build your own tools — and use OSS heavily: Ever heard of Hadoop? ELK stack? R? Tools: The Mythology Edition
  • 23. #RSAC 1. User behavior analytics (UBA, sometimes UEBA for “entity”) 2. Network traffic analysis (NTA, not a common name yet) … and also: Broad-scope data analysis tools with solid and proven security use cases Tools: The Reality Edition
  • 24. #RSAC But Wait … Where Is SIEM? Source: Gartner (May 2015) Requirement Likely tool type to use Collect log data for compliance, run reports Log management Perform near-real-time security correlation SIEM Detect user anomalies and solve other typical data-intensive problems UBA or other commercial tool Solve organization-specific data intensive problems; collect and analyze diverse data types at high volume Custom-built big data security platform
  • 25. #RSAC UBA or UEBA: What's Inside the Box? Details Example Data Logs (from SIEM or directly), DLP alerts, flows, network metadata, IAM data, HR data, etc. System authentication logs and Active Directory user information. Methods Supervised machine learning, unsupervised learning, statistical modeling, etc. Self-to-self comparison, peer comparison and activity model vs. time. Use cases Compromised account detection, predeparture data theft, employee sabotage, shared account abuse, etc. Detect account takeover by a malicious external attacker.
  • 26. #RSAC Compromised Accounts Found Departing Users Stealing IP Geolocation Anomaly Anomalous Behavior in VPN Activity Customer Service Rep. Privacy Breaches Source Code Compromised Compromised System Behavior Retired Devices Still in Service Unauthorized Access to Patient Records Privileged Accounts Shared Example UBA Tool Wins!
  • 27. #RSAC Network Traffic Analysis: What's Inside the Box? Details Example Data Flows data and network session metadata (to Layer 7), payload data; flows DNS and WHOIS data as context. Application layer traffic data coupled with WHOIS domain registration data. Methods Supervised machine learning, clustering, network modeling, etc. Network activity model over time, traffic volume model by protocol, etc. Use cases Data exfiltration, attacker lateral movement within the network and malware spreading. Detect data exfiltration by the attacker based on traffic volume per protocol per use model.
  • 28. #RSAC 1. SIEM collectors feed SIEM and Hadoop (some direct data collection into Hadoop): One data repository for everything ("data lake") 2. Selective data structuring (Hadoop to MongoDB and PostgreSQL): Tableau fed from Postgres, custom tools fed from Mongo Also, Solr runs off Hadoop 3. Shared data scientist pool (+ 1 "security data scientist") 4. Visualization and query tools built for junior analysts One Implementation: How They Did It?
  • 30. #RSAC  Given an early stage of these technologies, tool acquisition needs to be targeted at specific problems because there are no "general security analytics tools" on sale. (BUY route)  There is not enough data on the comparative effectiveness of various analytic approaches and algorithms (implemented in vendor tools) versus real-world problems. (BUY route)  Think of the problems first, target purchases at problems, do validate that the vendor of choice has a record of solving such problems. (BUY route)  Think of the data first, and start exploring, then bring tools and components as needed (BUILD route) Recommendations
  • 31. #RSAC  Make the commercial tools EASY TO TEST and PROVE VALUE  Evolve analytics tools to ALGORITHM PORTABILITY  Create CATALOGUE of USE CASES where various analytics tools work well IN REAL WORLD  Add more BRAINPOWER to all security tools! INDUSTRY CALL TO ACTION!