SlideShare una empresa de Scribd logo

us-15-Zadeh-From-False-Positives-To-Actionable-Analysis-Behavioral-Intrusion-Detection-Machine-Learning-And-The-SOC

J
jzadeh
1 de 80
Descargar para leer sin conexión
Copyright  ©  2015  Splunk  Inc.   BEHAVIORAL  INTRUSION  DETECTION,   MACHINE  LEARNING  AND  THE  SOC     Joseph  Zadeh   @JosephZadeh   FROM  FALSE  POSITIVES  TO   ACTIONABLE  ANALYSIS:      
2     Agenda    •  IntroducRon   •  Cybersecurity  AnalyRcs  ROI   •  Lambda  Security:  Defensive  Architectures   •  Behavioral  Intrusion  DetecRon  and  “ArRficial”   Intelligence     •  Q&A  
IntroducRon   3  
Extends  Security  Analy2cs  Leadership  by  Adding  Behavioral   Analy2cs  to  Be;er  Detect  Advanced  and  Insider  Threats   Come  see  us  at  the  Black  Hat  Booth  #347   Splunk  Acquires   Splunk  App  for   Enterprise  Security   Machine  Learning  +   +   ADVANCED  THREATS     INSIDER  THREATS    
5   Research  Background   •  Security  Research   –  First  security  talk  ever  a^ended  @  Decfon  8:  Jon  Erickson   “Number  Theory,  Complexity  Theory,  Cryptography,  and   Quantum  CompuRng”     ê  I  am  sRll  trying  to  understand  that  talk…   –  Late  90’s:  Traffic  baselines  and  Layer  2  behavioral  profiling   using  MRTG  and  first  generaRon  NMS     –  Recently:    Consultant  on  cybersecurity  analyRcs  projects  the   last  few  years  standing  up  custom  soluRons   •  Related  Research:   –  Fractal  random  walks:  predicRng  Rme  series   ê  Human  Behavior  (stocks),  Physical  Processes  (heat,  magneRsm)   ê  Molecular  kineRcs  (Brownian  moRon,  quantum  mechanics)   ê  StochasRc  Fast  Dynamo,  StochasRc  Anderson  EquaRon   ê  Time  as  a  random  process  
6   ML:  PredicRng  Time  Series        
7   A.I.  and  the  “Big”  Picture     Can  Strong  AI  help  predict..   –  The  dynamo  effect?   –  Pole  shins?   –  ExRncRon  events?   –  Military  escalaRons?   –  Cybersecurity  catastrophes?            
8   Cybersecurity  Defense:  Failings  and  MoRvaRons   Mudge,  “How  a  Hacker  Has  Helped  Influence  the  Government  -­‐  and  Vice  Versa”  Blackhat  2011     9,000  Malware  Samples  Analyzed     –  125  LOC  for  Average  Malware  Sample   –  Stuxnet  =  15,000  LOC  (120x  average  malware  sample  LOC)   –  10,000,000  =  Average  LOC  for  modern  firewall/security  stack   Key  Takeaway:    For  one  single  offensive  LOC  defenders  write  100,000  LOC   –  120:1  Stuxnet  to  average  malware   –  500:1  Simple  text  editor  to  average  malware   –  2,000:1  Malware  suite  to  average  malware   –  100,000:1  Defensive  tool  to  average  malware   –  1,000,000:1  Target  operaRng  system  to  average  malware   Bruce  Schneier,  “The  State  of  Incident  Response  by  Bruce  Schneier”  Blackhat  2014   –  G.  Akerlof,  “The  Market  for  Lemons:  Quality  Uncertainty  and  the  Market  Mechanism”        Key  Takeaway:  Security  is  a  lemons  market!   –  Prospect  theory  “As  a  species  we  are  risk  adverse  when  it  comes  to  gains  and  risk  taking  when  it  comes  to   losses”          Key  Takeaway:  We  don’t  buy  security  products  un2l  it  is  too  late!  
9   A  Philosophy  of  Defense   "Once  you  understand  The  Way  broadly,  you  can  see  it  in  all  things."    ―  Miyamoto  Musashi,  Book  of  Five  Ring  1643            
10   A  Philosophy  of  Defense   "Once  you  understand  The  Way  broadly,  you  can  see  it  in  all  things."    ―  Miyamoto  Musashi,  Book  of  Five  Ring  1643       •  Musashi  was  undefeated  samurai  (60  duels)   •  Throughout  the  book,  Musashi  implies  that  the   way  of  the  Warrior,  as  well  as  the  meaning  of  a   "True  strategist"  is  that  of  somebody  who  has   made  mastery  of  many  art  forms  away  from  that   of  the  sword…   •  Such  a  philosophy  is  fractal  –  it  has  similar   properRes  on  many  scales  
11   Fractal  Defense   "Once  you  understand  The  Way  broadly,  you  can  see  it  in  all  things."    ―  Miyamoto  Musashi,  Book  of  Five  Ring  1643       •  A  fractal  is  a  natural  phenomenon  or  a   mathemaRcal  set  that  exhibits  a  repeaRng   pa^ern  that  displays  at  every  scale.   •  Security  is  a  combinaRon  of  detecRon,   protecRon  and  response   •  Fractal  defense:  a  philosophy  for  scaling   detecRon,  protecRon  and  response  up  and   down  the  IT  ecosystem  
12   Fractal  Defense:  Example   From  our  white  paper  “Defense  at  scale:  Building  a  Central  Nervous   System  for  the  SOC”     –  Leverage  expressive  ways  to  target  TTP’s  (tacRcs,  techniques  and   procedures)  that  are  reusable  and  scalable  across  many  use  cases/ behaviors   –  Can  incorporate  classical  signatures  into  a  probabilisRc  scoring   mechanism    
13   Fractal  Defense:  Example   From  our  white  paper  “Defense  at  scale:  Building  a  Central  Nervous   System  for  the  SOC”              
14   Fractal  Defense:  Example   From  our  white  paper  “Defense  at  scale:  Building  a  Central  Nervous   System  for  the  SOC”              
F1  =  Snort  IOC  "MALWARE-­‐CNC  Win.Trojan.Zeus   encrypted  POST  Data  exfiltra2on”   F5  =    Behavioral  IOC:  Large  number  of  POST’s  and  Null  web  referrals   F3  =    Behavioral  IOC:  Periodic  traffic  over  SSL  without  valid  cer2ficate   F4  =  Behavioral   IOC:  New   domain   registered  with   correlated   whois  data   Overall  Social  Cluster  Score  =   g(F1,  F2,  F3,  F4,  F5)   Central  Nervous  System  Approach  
16   Sound  Bytes   –  Fractal  Defense:  Reuse  logic  (and  code)  across  different   security  use  cases.    Make  behavior  based  IOC’s  map  to   adversary  tacRcs,  techniques  and  procedures  for  be^er   scalability.   –  Cybersecurity  Analy2cs  ROI:    Make  security  requirements   funcRonal  by  sexng  realisRc  benchmarks  based  on  your   own  data     –  Lambda  Architecture:    a  generic  problem  solving  system   built  on  immutability  and  hybrid  batch/real-­‐Rme   workflows    
Cybersecurity   AnalyRcs  ROI   17  
18   Cybersecurity  AnalyRcs   •  MoRvaRon     –  Number  one  mistake  I  see  researchers  making  is  modeling  the   “ConRnuum  of  behaviors”  vs.  modeling  a  discrete  security  use  case   –  Help  rank  order  use  cases  for  management/researchers  without  security   background  (ranking  should  coincide  with  security  expert  intuiRon)   •  Possible  a^ack  behaviors  are  infinite!   –  Intractable  dimensionality   –  “Project  the  problem  down  to  finitely  many  sub  problems”     •  Anomaly  DetecRon  !=  AcRonable  Intelligence    
19   Cybersecurity  AnalyRcs  Roadmap   •  Step  1:    Make  a  grab  bag  of  your  favorite  use  cases/gaps  of  the  threat  surface   –  Model  primiRves:  acRonable  units  or  single  behaviors   •  Step  2:    Determine  exisRng  coverage  and  cost  of  impact  per  use  case   (APPROXIMATE!  Unless  you  are  have  been  logging  costs  of  security  events   internally  similar  to  MS…)     •  Step  3:    Build  ROI  Graph   –  What  is  your  formula  for  ROI?   •  Step  4:    Rank  Order   –  Rank  by  determining  which  ordering  provides  addiRonal  value  to  minimizing  risk   –  Our  example  uses  the  added  structure  of  LAN  and  WAN  but  you  can  complicate   things  further  by  trying  to  incorporate  adversary  capabiliRes,  point  soluRon   metrics,  etc…  
20   Enumerate  Threat  Surface   §  PtH/PtT   §  Time  of  Day  Model   §  Lateral  Reconnaissance   §  Pop  @  Risk   §  Passive  DNS   §  Data  Store  Exfiltra2on   §  Two  Factor  A;ack   §  Exploit  Kits   §  Crowd  sourced  Executable  Classifica2on   §  MITM   §  Telecommuter  Ground  Speed/ Triangula2on   §  Data  mart  reconnaissance/mapping   §  VIP  Asset  Profiling   §  User  to  Group  Behavior  Metrics   §  User  Access  Pa;ern  Models     §  Shadow  IT  misconfigura2on  and  gap   profiling   §  Beachhead/DMZ  a;ack  graph  modeling   Use  Cases:    Insider/LAN  Threats  
21   Enumerate  Threat  Surface   §  Web  Referral  Graph   §  Time  of  Day  Model   §  Heartbeat  Beacon  Detec2on   §  SSL  Side  Channel  Analysis   §  Watering  Hole  Analy2c   §  Passive  DNS  AI   §  Predic2ve  Blacklis2ng   §  URL  Rela2ve  Path  Tokens   §  Edit  Distance  Classifica2on   §  Exploit  Kits  Analy2cs   §  Pseudo  Random  Domain  Detec2on   §  Executable  Graph  Classifier   §  DNS  Tunneling     Use  Cases:    External/WAN  Threats  
22   Enumerate  Threat  Surface   §  Embedded  Systems  Behavioral   Profiles   §  BYOD  Popula2on  Analysis   §  Passive  mobile  applica2on  classifier   §  Mobile  app  store  profiling   §  Common  environment  baselines  for   mobile  users   §  Mobile  Beacon  Detec2on   §  SSL  Side  Channel  Analysis   §  Creden2al  compromise   §  Rogue  Device  Detec2on   §  HVAC  Controller  A;acks  (BacNet)   Use  Cases:    IoT  and  Shadow  IT  
23   Security  AnalyRcs  ROI   •  What  is  the  intrinsic  value  of  each  model  we  build?   –  False  PosiRve/True  PosiRve  raRos,  AUC,  etc.   –  Cost  of  ValidaRng  the  Model   –  What  is  the  risk  to  the  organizaRon  for  missing  the  threat?   –  Find  Net  New  Threats!   •  How  to  prioriRze  what  analyRc  models  to  invest  in   –  Dimensions:    Impact  Risk,  Cost  of  ValidaRon,  Cost  of  Investment,  Cost  of   Maintenance,  Adversary  Model    
Cybersecurity  AnalyRcs:  ROIv1  
Cybersecurity  AnalyRcs:  ROIv1  
Cybersecurity  AnalyRcs:  ROIv1  
27   Adversary  CapabiliRes  and  the  Threat  Surface   •  A^acker  capability  vs.  Security   Capability  is  an  important   dimension  to  consider  when   prioriRzing  new  soluRons/ analyRcs     •  Try  to  handle  the  low  hanging   fruit  to  more  complex  adversary   behavior  by  road  mapping   custom  analyRcs  based  on  gaps   in  exisRng  and  future  technology   soluRons   •  It  is  a  mistake  to  model  the  most   complex  adversaries  first    
28   Nextgen  Benchmarks   •  DARPA,  Predict.org  spearheading  the  collecRon  and  annotaRon  of   complex  data  sets  for  security  research   –  Skaion  2006  DARPA  Dataset     –  Contagio  Malware  Dump   –  CTU  University:  CTU-­‐13  Dataset.  A  Labeled  Dataset  with  Botnet,  Normal   and  Background  traffic   •  Evidence  CollecRon  and  the  SOC   –  Most  important  workflow  that  is  missing  from  large  scale  Intel/telemetry   sharing  across  organizaRons.,     •  Public  Repos  /  OSINT    
29   FuncRonal  Requirements!   •  Real  problem  in  security  is  requirements  are  non-­‐funcRonal   •  Benchmark  next  gen  product  by  isolaRng  the  sub  problems  and   holding  specific  metrics  accountable  to  real  world  data   •  How  do  you  rank  order  the  value  of  a  cybersecurity  analyRc?  
Defensive   Architectures     30  
31   Why  Build  A  Defensive  Tool?   •  Incident  Response  Is  Hard  Work!  What   can  we  automate?       A  security  analyst  is  an  oracle  whose   input  is  evidence  and  whose  output  is   True  Posi2ve,  False  Posi2ve,  True   Nega2ve  or  False  Nega2ve       –  The  list  of  possible  quesRons  is  large  but   typically  the  flow  is  a  type  of  decision  tree  for   example    
32   Why  Build  A  Defensive  Tool?   Security  Oracle  Workflow   Example  1:     Evidence  =>  Periodic  CommunicaRon   =>  LAN  to  WAN  Data  =>WAN  URL  has   Bad  ReputaRon  =>  Correlate  with  VT   =>  True  PosiRve     Example  2:    Evidence  =>  PotenRal  C2  Domain  =>   LAN  to  WAN  Data  =>  WAN  URL  is  new   Google  IP  =>  False  PosiRve  
33   Lambda  Security   •  Lambda  Architecture:  batch  +  real  Rme  compuRng  paradigm   •  Minimizes  the  complexity  in  historical  computaRons  overcoming   bo^lenecks  SOC  has  experienced  operaRng  first  gen  SIEMs   •  Data  model  that  is  append-­‐only,  distributed  and  immutable  is  opRmized   for  security  centric  workflows  and  analyst  queries    
34   Lambda  Security   •  Architecture  is  described  by  three  simple  equaRons:   batch  view  =  func2on(all  data)   real2me  view  =  func2on(real2me  view,  new  data)     query  =  func2on(batch  view,  real2me  view)      
35   Lambda  Security   •  Lambda  architecture  provides  a  design  paradigm  for  a   scalable  central  nervous  system  for  the  SOC  whose   components  include   –  Machine  learning  based  ETL(Extract/Transform/Load)     –  Distributed  crawlers     –  Automated  idenRty/session  resoluRon  and  fingerprinRng     –  Formal  evidence  collecRon  protocol  for  automated  labeling  of   incident  response  data     –  AnalyRcs  Metrics  and  establishing  benchmarks  for   heterogeneous  data    
36   When  is  a  model  ready?      
37   Lambda  Firewalls?!   Manage  the  paths  accordingly  start  building  lambda   workflows  into  Everything!!!   •  Lambda  firewall   –  StaRsRcal  whitelist  computaRon  aspect  (fuzzy  ACL’s)       –  Path  for  signatures  and  sequenRal  behaviors  that  is  more  expressive  than   PCRE   •  Central  nervous  system  approach  to  blending  signals   –  Defense  should  scale  up  and  down  the  size  of  organizaRon:  a  properly   engineered  central  nervous  system  should  be  able  to  protect  SMB  market   as  well  as  large  scale  deployments  
•  The  Complexity  Class  P-­‐Complete  and  NC   –  NC  =>  parallelizable   •  Some  problems  don’t  parallelize  well!!   –  P-­‐Complete  =>  Inherently  SequenRal   –  Any  problem  where  you  have  to  maintain  state  across  nodes:  Circuit  Value   Problem,  Linear  programming     –  Streaming  models  are  usually  harder  to  maintain  than  batch  models   38   Complexity  Class  P-­‐Complete  and  NC  
Behavioral  Intrusion   DetecRon:  Next  Gen   Signatures   39  
40     Cybersecurity  and  Graph  Mining    •  Dynamic  Temporal  Graphs   –  Social  Network  of  CommunicaRons  forms  a  dynamic  graph  that  evolves  over   Rme     –  Given  a  graph  structure  we  can  leverage  state  of  the  art  graph  mining   techniques  to  detect  anomalous  graph  pa^erns   ê  Anomalous  Clicks   ê  Rare  Sub-­‐Structures     ê  Rare  Paths   •  Anomalies  in  graphs  can  be  easy  to  idenRfy  algorithmically   –  PageRank   –  Graph  Cut/ParRRoning   –  Random  Walk  Driven  Label  PropagaRon  
Command  and  Control  (C2)   traffic  has  been  established   between  compromised   hosts  inside  the  corporate   network  and  C2  servers       Behavioral  IOC:  Mobile  C2    
C2  Infrastructure  changes  locaRons  of  command   and  control  server  new  communicaRon  path  is   established     Behavioral  IOC:  Mobile  C2    
  Behavioral  IOC:  Mobile  C2     C2  Infrastructure  changes  locaRons  of  command   and  control  server  new  communicaRon  path  is   established  
  Behavioral  IOC:  Mobile  C2    
At  each  Rme  step  (typically  a   day  or  two)  the  C2   Infrastructure  changes   locaRons  of  command  and   control  via  this  “Fluxing”   behavior.  A  subset  of  these   type  of  graph  pa^erns  is   known  as  “Fast  Fluxing”     Behavioral  IOC:  Mobile  C2    
  Behavioral  IOC:  Mobile  C2     The  constant  mobility  of   command  and  control   infrastructure  will   conRnue  this  IP/Domain   fluxing  movement  unRl   detected  
Command  and  Control  (C2)   traffic  has  been  established   between  “Beachhead”  and   command  and  control   operator     Behavioral  IOC:  Perimeter  Pivot    
Heartbeat  traffic   signals  C2  operator   that  infected  asset   is  up  and  ready  for   instrucRons     Behavioral  IOC:  Perimeter  Pivot    
Obfuscated  instrucRons   get  returned  through  an   Upstream  conversaRon   embedded  in  PHP,  .js,   Flash,  etc..     Commands  obfuscated  in   this  way  can  be  through   of  as  a  hidden   “Downstream  Beacon”     Behavioral  IOC:  Perimeter  Pivot    
Embedded  commands  can   signal  infected  asset  to   enumerate  local  informaRon  on   the  machine,  a^ach  to  open   network  shares  and  perform   lateral  reconnaissance  and   privilege  escalaRon  throughout   the  compromised  network     Behavioral  IOC:  Perimeter  Pivot    
Aner  targeted  lateral  movement  and  privilege   enumeraRon  all  cases  of  targeted  a^acks   eventually  involve  the  compromise  of  the  directory   services  roots  servers  (Usually  AD  Forest  Roots)   and  exfiltraRon  of  key  personnel  informaRon  along   with  any       Behavioral  IOC:  Perimeter  Pivot    
ExfiltraRon  and  other   pa^erns  have   different  network   components  but  are   usually  constrained  by   the  pictures  they   make  as  paths  in  a   graph…     Behavioral  IOC:  Perimeter  Pivot    
BFS/DFS  +  Other  classic  graph  search  algorithms  are  a  great   examples  of  algorithms  useful  in  detecRng  this  graph  signature   Edge  weights  can  be  encoded  with  key  security  features  to   increase  overall  model  accuracy  regardless  of  the  underlying   algorithms     Behavioral  IOC:  Perimeter  Pivot    
Fractal  Defense:    Batch  +  Real  Time  
Batch  +  Real  Time:  IdenRty  ResoluRon  
High  Risk   CommunicaRon   Cluster   Batch  +  Real  Time:  Updates  
F1  =  Snort  IOC  "MALWARE-­‐CNC  Win.Trojan.Zeus   encrypted  POST  Data  exfiltra2on”   F5  =    Behavioral  IOC:  Large  number  of  POST’s  and  Null  web  referrals   F3  =    Behavioral  IOC:  Periodic  traffic  over  SSL  without  valid  cer2ficate   F4  =  Behavioral   IOC:  New   domain   registered  with   correlated   whois  data   Overall  Social  Cluster  Score  =   g(F1,  F2,  F3,  F4,  F5)   Central  Nervous  System  Approach  
ArRficial  Intelligence   and  Defense     58  
59     Machine  Learning  and  Cybersecurity    •  Specific  Challenges   –  No  Ground  Truth:  Machine  Learning  works  best  in  the  case  of  large  amount  of  labeled   examples     –  Concept/Adversarial  Drin:  Labels  change  over  Rme   •  Lack  of  Labeled  Data  =>  “No  Free  Lunch”   –  Wolpert,  D.H.,  Macready,  W.G.  (1997),  "No  Free  Lunch  Theorems  for  OpRmizaRon",   IEEE  Transac*ons  on  Evolu*onary  Computa*on  1,  67.   –   Wolpert,  David  (1996),  " The  Lack  of  A  Priori  DisRncRons  between  Learning  Algorithms",  Neural  Computa*on,   pp.  1341-­‐1390.  
60     Limits  of  Automated  Intrusion  DetecRon    •  Travis  Goodspeed:  “Packets  in  Packets”   –  Paper  showing  any  communicaRon  medium  we  can  embed  a  covert   language  to  avoid  eavesdropping  in  open  channels   •  Can  we  programmaRcally  answer  the  quesRons:  “Does  a   communicaRon  contain  steganography?”   –  Equivalent  to  checking  if  a  computer  program  will  halt?   •  Polymorphic  Malware  =>  NFL  
61   A.I.  and  Meta-­‐Theorems   •  Is  intelligence  achievable  in  sonware  (Strong  AI)?     –  Sco^  Aronson:  Unlikely  sonware/hardware  combinaRons  are  compeRng  against   3  Billion  years  of  evoluRon   •  Keep  a  catalogue  of  deep  results  and  curiosiRes   –  Gödel's  Incompleteness   –  Church-­‐Turning   –  Blum's  Speedup  Theorem   –  No  free  Lunch   –  One  Learning  Algorithm  Hypothesis   –  Grover's/Shor’s  Algorithms   •  Track  Cuxng  Edge  ML   –   Paper:  “Building  high-­‐level  features  using  large  scale  unsupervised  learning”   ê  Andrew  Ng  and  Jeff  Dean  et  al.  (2012)  ICML  
62   HalRng  Problem   •  The  problem  is  to  determine,  given  a  program  and  an  input  to  the  program,   whether  the  program  will  eventually  halt  when  run  with  that  input   •  The  halRng  problem  is  famous  because  it  was  one  of  the  first  problems   proven  algorithmically  undecidable.    This  means  there  is  no  algorithm  which   can  be  applied  to  any  arbitrary  program  and  input  to  decide  whether  the   program  stops  when  run  with  that  input.  
63     TheoreRcal  Backbone    –  Classical  ComputaRon   ê  Logical  Consistency  of  Computer  Languages  (Church-­‐Turing)   ê  Physical  RealizaRon  of  Turning  Machine  (Church  turning  +  Von  Neumann)   ê  FloaRng  point  representaRon  with  controllable  error  propagaRon     –  Weak/Strong  AI   ê  HalRng  problem  and  No  Free  Lunch  theorems  =>  building  intelligent  sonware   is  “hard”   ê  Current  machine  learning  methods  are  a  type  of  weak  AI     –  Distributed  ComputaRon   ê  Complexity  classes  P-­‐Complete,  NC   ê  CAP  Theorem   ê  Actor  Models   ê  Batch  +  Real-­‐Time  :=  Lambda  Architecture  
64   Data  Science  in  Cybersecurity   •  What  is  a  behavior  mathemaRcally?   –  Fraud  in  Cybersecurity  manifests  itself  in  infinitely  many  possibiliRes     •  Automated  idenRficaRon  of  fraud  in  IT  is  in  some  sense   equivalent  to  trying  solve  the  halRng  problem  on  a  Turning   Machine   –  ComputaRonally  it  is  impossible  to  “enumerate”  all  possible  behaviors    
65   Blackhat  Sound  Bytes   –  Fractal  Defense:  Reuse  logic  (and  code)  across  different   security  use  cases.    Make  behavior  based  IOC’s  map  to   adversary  TacRcs,  Techniques  and  Procedures  for  be^er   scalability.   –  Cybersecurity  Analy2cs  ROI:    Make  requirements   funcRonal  by  sexng  realisRc  benchmarks  based  on  your   own  data  and  metrics     –  Lambda  Architecture:    a  generic  problem  solving  system   built  on  immutability  and  hybrid  batch/real-­‐Rme   workflows    
66   Sources  
67   Sources    
Q&A  
Thank  You  
Appendix  
71     One  Learning  Algorithm  Hypothesis    
72     TheoreRcal  Background    •  Doctoral  Research   –  Iterated  Processes:  What  happens  when  we  replace  Rme  with  a   random  process?   ê  Set  t  “=“  B(t)  where  B  is  a  Brownian  moRon   –  Can  Feynman  Path  Integral  be  defined  MathemaRcally?   ê  Feynman-­‐Kac’s  Formula:  Duality  between  PDE’s  and  SDE’s   ê  Measures  on  the  space  of  conRnuous  funcRons   –  FracRonal  Brownian  moRon  and  processes  with  long  memory   ê  Random  walks  that  are  not  Markov   ê  Malliavin  Calculus:  (Used  to  prove  Hörmander’s  Theorem)   –  Malliavin  built  a  calculus  out  of  Random  processes  replacing  Rme  by  h  in  a   Hilbert  space    
73   StochasRc  Processes  with  Long  Memory   •  Since  ancient  Rmes  the  Nile  River  has  been  known  for  its  long  periods  of   dryness  followed  by  long  periods  of  floods   •  The  hydrologist  Hurst  was  the  first  one  to  describe  these  characterisRcs  when   he  was  trying  to  solve  the  problem  of  flow  regularizaRon  of  the  Nile  River.      
74     FracRonal  Brownian  MoRon    
Copyright  ©  2015  Splunk  Inc.   Splunk  for  Security    
Thousands  of  Customers  &  Analyst  ValidaRon   76   Gartner  MQ   for  SIEM  2014  
Splunk  sonware  complements,  replaces  and  goes  beyond  tradiRonal  SIEMs.   AnalyRcs-­‐Driven  Security  Use  Cases     SECURITY  &                     COMPLIANCE   REPORTING   REAL-­‐TIME   MONITORING  OF   KNOWN  THREATS   MONITORING     OF  UNKNOWN   THREATS   INCIDENT   INVESTIGATIONS   &  FORENSICS   FRAUD     DETECTION   INSIDER     THREAT   77  
Caspida   240+  security  apps  Splunk  App  for   Enterprise  Security   Splunk  Security  Intelligence  Pla€orm   78   Palo  Alto   Networks   NetFlow  Logic   FireEye   Blue  Coat   Proxy  SG   OSSEC   Cisco  Security   Suite   AcRve   Directory   F5  Security   Juniper   Sourcefire  
Splunk  App  for  Enterprise  Security   Incident  Inves2ga2ons  &  Management  Alerts  &  Dashboards  &  Reports   Sta2s2cal  Outliers  &  Risk  Scoring  &  User  Ac2vity   Threat  Intel  &  Asset  &  Iden2ty  Integra2on   Pre-­‐built  searches,  alerts,  reports,  dashboards,  incident  workflow,  and  threat  intelligence  feeds   79  
IT   OperaRons   ApplicaRon   Delivery   Business   AnalyRcs   Industrial  Data   and  Internet  of   Things   80   Splunk  Is  Used  Across  IT  and  the  Business   Business   AnalyRcs   Industrial  Data   and  Internet  of   Things   Security,     Compliance   and  Fraud   Strong  ROI  &  facilitates  cross-­‐department  collaboraEon  

Recomendados

DeepLocker - Concealing Targeted Attacks with AI Locksmithing
DeepLocker - Concealing Targeted Attacks with AI LocksmithingDeepLocker - Concealing Targeted Attacks with AI Locksmithing
DeepLocker - Concealing Targeted Attacks with AI LocksmithingPriyanka Aash
 
AI for Cybersecurity Innovation
AI for Cybersecurity InnovationAI for Cybersecurity Innovation
AI for Cybersecurity InnovationPete Burnap
 
Machine learning cybersecurity boon or boondoggle
Machine learning cybersecurity boon or boondoggleMachine learning cybersecurity boon or boondoggle
Machine learning cybersecurity boon or boondogglePriyanka Aash
 
Seguridad por oscuridad (paper)
Seguridad por oscuridad (paper)Seguridad por oscuridad (paper)
Seguridad por oscuridad (paper)Arturo Cruz
 
CTI ANT: Hunting for Chinese Threat Intelligence
CTI ANT: Hunting for Chinese Threat IntelligenceCTI ANT: Hunting for Chinese Threat Intelligence
CTI ANT: Hunting for Chinese Threat IntelligenceJacklynTsai
 
Testbed For Ids
Testbed For IdsTestbed For Ids
Testbed For Idsamiable_indian
 
Advances in cloud scale machine learning for cyber-defense
Advances in cloud scale machine learning for cyber-defenseAdvances in cloud scale machine learning for cyber-defense
Advances in cloud scale machine learning for cyber-defensePriyanka Aash
 
Abstract Tools for Effective Threat Hunting
Abstract Tools for Effective Threat HuntingAbstract Tools for Effective Threat Hunting
Abstract Tools for Effective Threat Huntingchrissanders88
 

Recomendados

DeepLocker - Concealing Targeted Attacks with AI Locksmithing
DeepLocker - Concealing Targeted Attacks with AI LocksmithingDeepLocker - Concealing Targeted Attacks with AI Locksmithing
DeepLocker - Concealing Targeted Attacks with AI LocksmithingPriyanka Aash
 
AI for Cybersecurity Innovation
AI for Cybersecurity InnovationAI for Cybersecurity Innovation
AI for Cybersecurity InnovationPete Burnap
 
Machine learning cybersecurity boon or boondoggle
Machine learning cybersecurity boon or boondoggleMachine learning cybersecurity boon or boondoggle
Machine learning cybersecurity boon or boondogglePriyanka Aash
 
Seguridad por oscuridad (paper)
Seguridad por oscuridad (paper)Seguridad por oscuridad (paper)
Seguridad por oscuridad (paper)Arturo Cruz
 
CTI ANT: Hunting for Chinese Threat Intelligence
CTI ANT: Hunting for Chinese Threat IntelligenceCTI ANT: Hunting for Chinese Threat Intelligence
CTI ANT: Hunting for Chinese Threat IntelligenceJacklynTsai
 
Testbed For Ids
Testbed For IdsTestbed For Ids
Testbed For Idsamiable_indian
 
Advances in cloud scale machine learning for cyber-defense
Advances in cloud scale machine learning for cyber-defenseAdvances in cloud scale machine learning for cyber-defense
Advances in cloud scale machine learning for cyber-defensePriyanka Aash
 
Abstract Tools for Effective Threat Hunting
Abstract Tools for Effective Threat HuntingAbstract Tools for Effective Threat Hunting
Abstract Tools for Effective Threat Huntingchrissanders88
 
Strata 2015 Presentation -- Detecting Lateral Movement
Strata 2015 Presentation -- Detecting Lateral Movement Strata 2015 Presentation -- Detecting Lateral Movement
Strata 2015 Presentation -- Detecting Lateral Movement Ram Shankar Siva Kumar
 
IOCs Are Dead—Long Live IOCs!
IOCs Are Dead—Long Live IOCs!IOCs Are Dead—Long Live IOCs!
IOCs Are Dead—Long Live IOCs!Priyanka Aash
 
TTPs for Threat hunting In Oil Refineries
TTPs for Threat hunting In Oil RefineriesTTPs for Threat hunting In Oil Refineries
TTPs for Threat hunting In Oil RefineriesDragos, Inc.
 
Reducing cyber risks in the era of digital transformation
Reducing cyber risks in the era of digital transformationReducing cyber risks in the era of digital transformation
Reducing cyber risks in the era of digital transformationSergey Soldatov
 
INTRODUCTION TO CRYPTOGRAPHY
INTRODUCTION TO CRYPTOGRAPHYINTRODUCTION TO CRYPTOGRAPHY
INTRODUCTION TO CRYPTOGRAPHYSylvain Martinez
 
Lookingglass whitepaper
Lookingglass whitepaperLookingglass whitepaper
Lookingglass whitepaperDaniel Coulbourne
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingDhruv Majumdar
 
Network security using data mining concepts
Network security using data mining conceptsNetwork security using data mining concepts
Network security using data mining conceptsJaideep Ghosh
 
IDS - Fact, Challenges and Future
IDS - Fact, Challenges and FutureIDS - Fact, Challenges and Future
IDS - Fact, Challenges and Futureamiable_indian
 
MITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE - ATT&CKcon
 
The Finest Penetration Testing Framework for Software-Defined Networks
The Finest Penetration Testing Framework for Software-Defined NetworksThe Finest Penetration Testing Framework for Software-Defined Networks
The Finest Penetration Testing Framework for Software-Defined NetworksPriyanka Aash
 
Cyber_Attack_Forecasting_Jones_2015
Cyber_Attack_Forecasting_Jones_2015Cyber_Attack_Forecasting_Jones_2015
Cyber_Attack_Forecasting_Jones_2015Malachi Jones
 
Secure data aggregation technique for wireless sensor networks in the presenc...
Secure data aggregation technique for wireless sensor networks in the presenc...Secure data aggregation technique for wireless sensor networks in the presenc...
Secure data aggregation technique for wireless sensor networks in the presenc...LeMeniz Infotech
 
Threat hunting in cyber world
Threat hunting in cyber worldThreat hunting in cyber world
Threat hunting in cyber worldAkash Sarode
 
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016grecsl
 
Attack Simulation And Threat Modeling -Olu Akindeinde
Attack Simulation And Threat Modeling -Olu AkindeindeAttack Simulation And Threat Modeling -Olu Akindeinde
Attack Simulation And Threat Modeling -Olu AkindeindeBipin Upadhyay
 
Understand How Machine Learning Defends Against Zero-Day Threats
Understand How Machine Learning Defends Against Zero-Day ThreatsUnderstand How Machine Learning Defends Against Zero-Day Threats
Understand How Machine Learning Defends Against Zero-Day ThreatsRahul Mohandas
 
The Cyber Threat Intelligence Matrix: Taking the attacker eviction red pill
The Cyber Threat Intelligence Matrix: Taking the attacker eviction red pillThe Cyber Threat Intelligence Matrix: Taking the attacker eviction red pill
The Cyber Threat Intelligence Matrix: Taking the attacker eviction red pillFrode Hommedal
 
Beating ips 34137
Beating ips 34137Beating ips 34137
Beating ips 34137Spiros Fraganastasis
 
Finding Diversity In Remote Code Injection Exploits
Finding Diversity In Remote Code Injection ExploitsFinding Diversity In Remote Code Injection Exploits
Finding Diversity In Remote Code Injection Exploitsamiable_indian
 
Us67903 using universo_online_marcioghiraldelli_paymentgatewaymonitoringwiths...
Us67903 using universo_online_marcioghiraldelli_paymentgatewaymonitoringwiths...Us67903 using universo_online_marcioghiraldelli_paymentgatewaymonitoringwiths...
Us67903 using universo_online_marcioghiraldelli_paymentgatewaymonitoringwiths...Sid Ugrankar
 
Taking Splunk to the Next Level – Management - Advanced
Taking Splunk to the Next Level – Management - AdvancedTaking Splunk to the Next Level – Management - Advanced
Taking Splunk to the Next Level – Management - AdvancedSplunk
 

Más contenido relacionado

La actualidad más candente

Strata 2015 Presentation -- Detecting Lateral Movement
Strata 2015 Presentation -- Detecting Lateral Movement Strata 2015 Presentation -- Detecting Lateral Movement
Strata 2015 Presentation -- Detecting Lateral Movement Ram Shankar Siva Kumar
 
IOCs Are Dead—Long Live IOCs!
IOCs Are Dead—Long Live IOCs!IOCs Are Dead—Long Live IOCs!
IOCs Are Dead—Long Live IOCs!Priyanka Aash
 
TTPs for Threat hunting In Oil Refineries
TTPs for Threat hunting In Oil RefineriesTTPs for Threat hunting In Oil Refineries
TTPs for Threat hunting In Oil RefineriesDragos, Inc.
 
Reducing cyber risks in the era of digital transformation
Reducing cyber risks in the era of digital transformationReducing cyber risks in the era of digital transformation
Reducing cyber risks in the era of digital transformationSergey Soldatov
 
INTRODUCTION TO CRYPTOGRAPHY
INTRODUCTION TO CRYPTOGRAPHYINTRODUCTION TO CRYPTOGRAPHY
INTRODUCTION TO CRYPTOGRAPHYSylvain Martinez
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingDhruv Majumdar
 
Network security using data mining concepts
Network security using data mining conceptsNetwork security using data mining concepts
Network security using data mining conceptsJaideep Ghosh
 
IDS - Fact, Challenges and Future
IDS - Fact, Challenges and FutureIDS - Fact, Challenges and Future
IDS - Fact, Challenges and Futureamiable_indian
 
MITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE - ATT&CKcon
 
The Finest Penetration Testing Framework for Software-Defined Networks
The Finest Penetration Testing Framework for Software-Defined NetworksThe Finest Penetration Testing Framework for Software-Defined Networks
The Finest Penetration Testing Framework for Software-Defined NetworksPriyanka Aash
 
Cyber_Attack_Forecasting_Jones_2015
Cyber_Attack_Forecasting_Jones_2015Cyber_Attack_Forecasting_Jones_2015
Cyber_Attack_Forecasting_Jones_2015Malachi Jones
 
Secure data aggregation technique for wireless sensor networks in the presenc...
Secure data aggregation technique for wireless sensor networks in the presenc...Secure data aggregation technique for wireless sensor networks in the presenc...
Secure data aggregation technique for wireless sensor networks in the presenc...LeMeniz Infotech
 
Threat hunting in cyber world
Threat hunting in cyber worldThreat hunting in cyber world
Threat hunting in cyber worldAkash Sarode
 
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016grecsl
 
Attack Simulation And Threat Modeling -Olu Akindeinde
Attack Simulation And Threat Modeling -Olu AkindeindeAttack Simulation And Threat Modeling -Olu Akindeinde
Attack Simulation And Threat Modeling -Olu AkindeindeBipin Upadhyay
 
Understand How Machine Learning Defends Against Zero-Day Threats
Understand How Machine Learning Defends Against Zero-Day ThreatsUnderstand How Machine Learning Defends Against Zero-Day Threats
Understand How Machine Learning Defends Against Zero-Day ThreatsRahul Mohandas
 
The Cyber Threat Intelligence Matrix: Taking the attacker eviction red pill
The Cyber Threat Intelligence Matrix: Taking the attacker eviction red pillThe Cyber Threat Intelligence Matrix: Taking the attacker eviction red pill
The Cyber Threat Intelligence Matrix: Taking the attacker eviction red pillFrode Hommedal
 
Finding Diversity In Remote Code Injection Exploits
Finding Diversity In Remote Code Injection ExploitsFinding Diversity In Remote Code Injection Exploits
Finding Diversity In Remote Code Injection Exploitsamiable_indian
 

La actualidad más candente (20)

Strata 2015 Presentation -- Detecting Lateral Movement
Strata 2015 Presentation -- Detecting Lateral Movement Strata 2015 Presentation -- Detecting Lateral Movement
Strata 2015 Presentation -- Detecting Lateral Movement
 
IOCs Are Dead—Long Live IOCs!
IOCs Are Dead—Long Live IOCs!IOCs Are Dead—Long Live IOCs!
IOCs Are Dead—Long Live IOCs!
 
TTPs for Threat hunting In Oil Refineries
TTPs for Threat hunting In Oil RefineriesTTPs for Threat hunting In Oil Refineries
TTPs for Threat hunting In Oil Refineries
 
Reducing cyber risks in the era of digital transformation
Reducing cyber risks in the era of digital transformationReducing cyber risks in the era of digital transformation
Reducing cyber risks in the era of digital transformation
 
INTRODUCTION TO CRYPTOGRAPHY
INTRODUCTION TO CRYPTOGRAPHYINTRODUCTION TO CRYPTOGRAPHY
INTRODUCTION TO CRYPTOGRAPHY
 
Lookingglass whitepaper
Lookingglass whitepaperLookingglass whitepaper
Lookingglass whitepaper
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat Hunting
 
Network security using data mining concepts
Network security using data mining conceptsNetwork security using data mining concepts
Network security using data mining concepts
 
IDS - Fact, Challenges and Future
IDS - Fact, Challenges and FutureIDS - Fact, Challenges and Future
IDS - Fact, Challenges and Future
 
MITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - October
 
The Finest Penetration Testing Framework for Software-Defined Networks
The Finest Penetration Testing Framework for Software-Defined NetworksThe Finest Penetration Testing Framework for Software-Defined Networks
The Finest Penetration Testing Framework for Software-Defined Networks
 
Cyber_Attack_Forecasting_Jones_2015
Cyber_Attack_Forecasting_Jones_2015Cyber_Attack_Forecasting_Jones_2015
Cyber_Attack_Forecasting_Jones_2015
 
Secure data aggregation technique for wireless sensor networks in the presenc...
Secure data aggregation technique for wireless sensor networks in the presenc...Secure data aggregation technique for wireless sensor networks in the presenc...
Secure data aggregation technique for wireless sensor networks in the presenc...
 
Threat hunting in cyber world
Threat hunting in cyber worldThreat hunting in cyber world
Threat hunting in cyber world
 
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
 
Attack Simulation And Threat Modeling -Olu Akindeinde
Attack Simulation And Threat Modeling -Olu AkindeindeAttack Simulation And Threat Modeling -Olu Akindeinde
Attack Simulation And Threat Modeling -Olu Akindeinde
 
Understand How Machine Learning Defends Against Zero-Day Threats
Understand How Machine Learning Defends Against Zero-Day ThreatsUnderstand How Machine Learning Defends Against Zero-Day Threats
Understand How Machine Learning Defends Against Zero-Day Threats
 
The Cyber Threat Intelligence Matrix: Taking the attacker eviction red pill
The Cyber Threat Intelligence Matrix: Taking the attacker eviction red pillThe Cyber Threat Intelligence Matrix: Taking the attacker eviction red pill
The Cyber Threat Intelligence Matrix: Taking the attacker eviction red pill
 
Beating ips 34137
Beating ips 34137Beating ips 34137
Beating ips 34137
 
Finding Diversity In Remote Code Injection Exploits
Finding Diversity In Remote Code Injection ExploitsFinding Diversity In Remote Code Injection Exploits
Finding Diversity In Remote Code Injection Exploits
 

Destacado

Us67903 using universo_online_marcioghiraldelli_paymentgatewaymonitoringwiths...
Us67903 using universo_online_marcioghiraldelli_paymentgatewaymonitoringwiths...Us67903 using universo_online_marcioghiraldelli_paymentgatewaymonitoringwiths...
Us67903 using universo_online_marcioghiraldelli_paymentgatewaymonitoringwiths...Sid Ugrankar
 
Taking Splunk to the Next Level – Management - Advanced
Taking Splunk to the Next Level – Management - AdvancedTaking Splunk to the Next Level – Management - Advanced
Taking Splunk to the Next Level – Management - AdvancedSplunk
 
SplunkLive 2011 Advanced Session
SplunkLive 2011 Advanced SessionSplunkLive 2011 Advanced Session
SplunkLive 2011 Advanced SessionSplunk
 
Data Science Transforming Security Operations
Data Science Transforming Security OperationsData Science Transforming Security Operations
Data Science Transforming Security OperationsPriyanka Aash
 
Using Hadoop to Drive Down Fraud for Telcos
Using Hadoop to Drive Down Fraud for TelcosUsing Hadoop to Drive Down Fraud for Telcos
Using Hadoop to Drive Down Fraud for TelcosCloudera, Inc.
 
Transforming incident Response to Intelligent Response using Graphs
Transforming incident Response to Intelligent Response using GraphsTransforming incident Response to Intelligent Response using Graphs
Transforming incident Response to Intelligent Response using GraphsRam Shankar Siva Kumar
 
Machine learning Mindmap
Machine learning MindmapMachine learning Mindmap
Machine learning MindmapYee Jie NG
 
Jim Geovedi - Machine Learning for Cybersecurity
Jim Geovedi - Machine Learning for CybersecurityJim Geovedi - Machine Learning for Cybersecurity
Jim Geovedi - Machine Learning for Cybersecurityidsecconf
 
Data Science ATL Meetup - Risk I/O Security Data Science
Data Science ATL Meetup - Risk I/O Security Data ScienceData Science ATL Meetup - Risk I/O Security Data Science
Data Science ATL Meetup - Risk I/O Security Data ScienceMichael Roytman
 
Machine Learning for Threat Detection
Machine Learning for Threat DetectionMachine Learning for Threat Detection
Machine Learning for Threat DetectionNapier University
 
Applying Machine Learning to Network Security Monitoring - BayThreat 2013
Applying Machine Learning to Network Security Monitoring - BayThreat 2013Applying Machine Learning to Network Security Monitoring - BayThreat 2013
Applying Machine Learning to Network Security Monitoring - BayThreat 2013Alex Pinto
 
Machine Learning + Analytics in Splunk
Machine Learning + Analytics in SplunkMachine Learning + Analytics in Splunk
Machine Learning + Analytics in SplunkSplunk
 
(SEC326) Security Science Using Big Data
(SEC326) Security Science Using Big Data(SEC326) Security Science Using Big Data
(SEC326) Security Science Using Big DataAmazon Web Services
 
Computer security - A machine learning approach
Computer security - A machine learning approachComputer security - A machine learning approach
Computer security - A machine learning approachSandeep Sabnani
 
Machine Data 101
Machine Data 101Machine Data 101
Machine Data 101Splunk
 
When Cyber Security Meets Machine Learning
When Cyber Security Meets Machine LearningWhen Cyber Security Meets Machine Learning
When Cyber Security Meets Machine LearningLior Rokach
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
Risk Analysis using open FAIR and Adoption of right Security Controls
Risk Analysis using open FAIR and Adoption of right Security ControlsRisk Analysis using open FAIR and Adoption of right Security Controls
Risk Analysis using open FAIR and Adoption of right Security ControlsPriyanka Aash
 
Security Analytics: The Promise of Artificial Intelligence, Machine Learning,...
Security Analytics: The Promise of Artificial Intelligence, Machine Learning,...Security Analytics: The Promise of Artificial Intelligence, Machine Learning,...
Security Analytics: The Promise of Artificial Intelligence, Machine Learning,...Cybereason
 

Destacado (20)

Us67903 using universo_online_marcioghiraldelli_paymentgatewaymonitoringwiths...
Us67903 using universo_online_marcioghiraldelli_paymentgatewaymonitoringwiths...Us67903 using universo_online_marcioghiraldelli_paymentgatewaymonitoringwiths...
Us67903 using universo_online_marcioghiraldelli_paymentgatewaymonitoringwiths...
 
Taking Splunk to the Next Level – Management - Advanced
Taking Splunk to the Next Level – Management - AdvancedTaking Splunk to the Next Level – Management - Advanced
Taking Splunk to the Next Level – Management - Advanced
 
SplunkLive 2011 Advanced Session
SplunkLive 2011 Advanced SessionSplunkLive 2011 Advanced Session
SplunkLive 2011 Advanced Session
 
Data Science Transforming Security Operations
Data Science Transforming Security OperationsData Science Transforming Security Operations
Data Science Transforming Security Operations
 
Using Hadoop to Drive Down Fraud for Telcos
Using Hadoop to Drive Down Fraud for TelcosUsing Hadoop to Drive Down Fraud for Telcos
Using Hadoop to Drive Down Fraud for Telcos
 
Transforming incident Response to Intelligent Response using Graphs
Transforming incident Response to Intelligent Response using GraphsTransforming incident Response to Intelligent Response using Graphs
Transforming incident Response to Intelligent Response using Graphs
 
Merging fraud in a full IP environment
Merging fraud in a full IP environmentMerging fraud in a full IP environment
Merging fraud in a full IP environment
 
Machine learning Mindmap
Machine learning MindmapMachine learning Mindmap
Machine learning Mindmap
 
Jim Geovedi - Machine Learning for Cybersecurity
Jim Geovedi - Machine Learning for CybersecurityJim Geovedi - Machine Learning for Cybersecurity
Jim Geovedi - Machine Learning for Cybersecurity
 
Data Science ATL Meetup - Risk I/O Security Data Science
Data Science ATL Meetup - Risk I/O Security Data ScienceData Science ATL Meetup - Risk I/O Security Data Science
Data Science ATL Meetup - Risk I/O Security Data Science
 
Machine Learning for Threat Detection
Machine Learning for Threat DetectionMachine Learning for Threat Detection
Machine Learning for Threat Detection
 
Applying Machine Learning to Network Security Monitoring - BayThreat 2013
Applying Machine Learning to Network Security Monitoring - BayThreat 2013Applying Machine Learning to Network Security Monitoring - BayThreat 2013
Applying Machine Learning to Network Security Monitoring - BayThreat 2013
 
Machine Learning + Analytics in Splunk
Machine Learning + Analytics in SplunkMachine Learning + Analytics in Splunk
Machine Learning + Analytics in Splunk
 
(SEC326) Security Science Using Big Data
(SEC326) Security Science Using Big Data(SEC326) Security Science Using Big Data
(SEC326) Security Science Using Big Data
 
Computer security - A machine learning approach
Computer security - A machine learning approachComputer security - A machine learning approach
Computer security - A machine learning approach
 
Machine Data 101
Machine Data 101Machine Data 101
Machine Data 101
 
When Cyber Security Meets Machine Learning
When Cyber Security Meets Machine LearningWhen Cyber Security Meets Machine Learning
When Cyber Security Meets Machine Learning
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
 
Risk Analysis using open FAIR and Adoption of right Security Controls
Risk Analysis using open FAIR and Adoption of right Security ControlsRisk Analysis using open FAIR and Adoption of right Security Controls
Risk Analysis using open FAIR and Adoption of right Security Controls
 
Security Analytics: The Promise of Artificial Intelligence, Machine Learning,...
Security Analytics: The Promise of Artificial Intelligence, Machine Learning,...Security Analytics: The Promise of Artificial Intelligence, Machine Learning,...
Security Analytics: The Promise of Artificial Intelligence, Machine Learning,...
 

Similar a us-15-Zadeh-From-False-Positives-To-Actionable-Analysis-Behavioral-Intrusion-Detection-Machine-Learning-And-The-SOC

[Bucharest] Attack is easy, let's talk defence
[Bucharest] Attack is easy, let's talk defence[Bucharest] Attack is easy, let's talk defence
[Bucharest] Attack is easy, let's talk defenceOWASP EEE
 
The Future of Security: How Artificial Intelligence Will Impact Us
The Future of Security: How Artificial Intelligence Will Impact UsThe Future of Security: How Artificial Intelligence Will Impact Us
The Future of Security: How Artificial Intelligence Will Impact UsPECB
 
Arm the World with SPN based Security
Arm the World with SPN based SecurityArm the World with SPN based Security
Arm the World with SPN based SecurityLiwei Ren任力偉
 
Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos, Inc.
 
Delivering Security Insights with Data Analytics and Visualization
Delivering Security Insights with Data Analytics and VisualizationDelivering Security Insights with Data Analytics and Visualization
Delivering Security Insights with Data Analytics and VisualizationRaffael Marty
 
Cyber Space Operation- Offensive Cyber Space Operation
Cyber Space Operation- Offensive Cyber Space OperationCyber Space Operation- Offensive Cyber Space Operation
Cyber Space Operation- Offensive Cyber Space OperationRubal Sagwal
 
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...Harry McLaren
 
e-Extortion Trends and Defense
e-Extortion Trends and Defensee-Extortion Trends and Defense
e-Extortion Trends and DefenseErik Iker
 
BsidesLVPresso2016_JZeditsv6
BsidesLVPresso2016_JZeditsv6BsidesLVPresso2016_JZeditsv6
BsidesLVPresso2016_JZeditsv6Rod Soto
 
Cyber Security
Cyber SecurityCyber Security
Cyber Securityfrcarlson
 
Splunk für Security
Splunk für SecuritySplunk für Security
Splunk für SecuritySplunk
 
Defending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityDefending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityClaus Cramon Houmann
 
Incident Response in Cyber-Relevant Time - OpenC2
Incident Response in Cyber-Relevant Time - OpenC2Incident Response in Cyber-Relevant Time - OpenC2
Incident Response in Cyber-Relevant Time - OpenC2Vasileios Mavroeidis
 
1_Introduction.pdf
1_Introduction.pdf1_Introduction.pdf
1_Introduction.pdfssuserfb92ae
 
huntpedia.pdf
huntpedia.pdfhuntpedia.pdf
huntpedia.pdfCecilSu
 
Soc analyst course content v3
Soc analyst course content v3Soc analyst course content v3
Soc analyst course content v3ShivamSharma909
 
Soc analyst course content
Soc analyst course contentSoc analyst course content
Soc analyst course contentShivamSharma909
 
CLASS 2018 - Palestra de Denis Prado (Security Intelligence Sales Leader Lati...
CLASS 2018 - Palestra de Denis Prado (Security Intelligence Sales Leader Lati...CLASS 2018 - Palestra de Denis Prado (Security Intelligence Sales Leader Lati...
CLASS 2018 - Palestra de Denis Prado (Security Intelligence Sales Leader Lati...TI Safe
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationRaffael Marty
 

Similar a us-15-Zadeh-From-False-Positives-To-Actionable-Analysis-Behavioral-Intrusion-Detection-Machine-Learning-And-The-SOC (20)

[Bucharest] Attack is easy, let's talk defence
[Bucharest] Attack is easy, let's talk defence[Bucharest] Attack is easy, let's talk defence
[Bucharest] Attack is easy, let's talk defence
 
The Future of Security: How Artificial Intelligence Will Impact Us
The Future of Security: How Artificial Intelligence Will Impact UsThe Future of Security: How Artificial Intelligence Will Impact Us
The Future of Security: How Artificial Intelligence Will Impact Us
 
Arm the World with SPN based Security
Arm the World with SPN based SecurityArm the World with SPN based Security
Arm the World with SPN based Security
 
Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware
 
Delivering Security Insights with Data Analytics and Visualization
Delivering Security Insights with Data Analytics and VisualizationDelivering Security Insights with Data Analytics and Visualization
Delivering Security Insights with Data Analytics and Visualization
 
Cyber Space Operation- Offensive Cyber Space Operation
Cyber Space Operation- Offensive Cyber Space OperationCyber Space Operation- Offensive Cyber Space Operation
Cyber Space Operation- Offensive Cyber Space Operation
 
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
 
e-Extortion Trends and Defense
e-Extortion Trends and Defensee-Extortion Trends and Defense
e-Extortion Trends and Defense
 
BsidesLVPresso2016_JZeditsv6
BsidesLVPresso2016_JZeditsv6BsidesLVPresso2016_JZeditsv6
BsidesLVPresso2016_JZeditsv6
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
 
This is Next-Gen
This is Next-GenThis is Next-Gen
This is Next-Gen
 
Splunk für Security
Splunk für SecuritySplunk für Security
Splunk für Security
 
Defending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityDefending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricality
 
Incident Response in Cyber-Relevant Time - OpenC2
Incident Response in Cyber-Relevant Time - OpenC2Incident Response in Cyber-Relevant Time - OpenC2
Incident Response in Cyber-Relevant Time - OpenC2
 
1_Introduction.pdf
1_Introduction.pdf1_Introduction.pdf
1_Introduction.pdf
 
huntpedia.pdf
huntpedia.pdfhuntpedia.pdf
huntpedia.pdf
 
Soc analyst course content v3
Soc analyst course content v3Soc analyst course content v3
Soc analyst course content v3
 
Soc analyst course content
Soc analyst course contentSoc analyst course content
Soc analyst course content
 
CLASS 2018 - Palestra de Denis Prado (Security Intelligence Sales Leader Lati...
CLASS 2018 - Palestra de Denis Prado (Security Intelligence Sales Leader Lati...CLASS 2018 - Palestra de Denis Prado (Security Intelligence Sales Leader Lati...
CLASS 2018 - Palestra de Denis Prado (Security Intelligence Sales Leader Lati...
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & Visualization
 

us-15-Zadeh-From-False-Positives-To-Actionable-Analysis-Behavioral-Intrusion-Detection-Machine-Learning-And-The-SOC

  • 1. Copyright  ©  2015  Splunk  Inc.   BEHAVIORAL  INTRUSION  DETECTION,   MACHINE  LEARNING  AND  THE  SOC     Joseph  Zadeh   @JosephZadeh   FROM  FALSE  POSITIVES  TO   ACTIONABLE  ANALYSIS:      
  • 2. 2     Agenda    •  IntroducRon   •  Cybersecurity  AnalyRcs  ROI   •  Lambda  Security:  Defensive  Architectures   •  Behavioral  Intrusion  DetecRon  and  “ArRficial”   Intelligence     •  Q&A  
  • 4. Extends  Security  Analy2cs  Leadership  by  Adding  Behavioral   Analy2cs  to  Be;er  Detect  Advanced  and  Insider  Threats   Come  see  us  at  the  Black  Hat  Booth  #347   Splunk  Acquires   Splunk  App  for   Enterprise  Security   Machine  Learning  +   +   ADVANCED  THREATS     INSIDER  THREATS    
  • 5. 5   Research  Background   •  Security  Research   –  First  security  talk  ever  a^ended  @  Decfon  8:  Jon  Erickson   “Number  Theory,  Complexity  Theory,  Cryptography,  and   Quantum  CompuRng”     ê  I  am  sRll  trying  to  understand  that  talk…   –  Late  90’s:  Traffic  baselines  and  Layer  2  behavioral  profiling   using  MRTG  and  first  generaRon  NMS     –  Recently:    Consultant  on  cybersecurity  analyRcs  projects  the   last  few  years  standing  up  custom  soluRons   •  Related  Research:   –  Fractal  random  walks:  predicRng  Rme  series   ê  Human  Behavior  (stocks),  Physical  Processes  (heat,  magneRsm)   ê  Molecular  kineRcs  (Brownian  moRon,  quantum  mechanics)   ê  StochasRc  Fast  Dynamo,  StochasRc  Anderson  EquaRon   ê  Time  as  a  random  process  
  • 6. 6   ML:  PredicRng  Time  Series        
  • 7. 7   A.I.  and  the  “Big”  Picture     Can  Strong  AI  help  predict..   –  The  dynamo  effect?   –  Pole  shins?   –  ExRncRon  events?   –  Military  escalaRons?   –  Cybersecurity  catastrophes?            
  • 8. 8   Cybersecurity  Defense:  Failings  and  MoRvaRons   Mudge,  “How  a  Hacker  Has  Helped  Influence  the  Government  -­‐  and  Vice  Versa”  Blackhat  2011     9,000  Malware  Samples  Analyzed     –  125  LOC  for  Average  Malware  Sample   –  Stuxnet  =  15,000  LOC  (120x  average  malware  sample  LOC)   –  10,000,000  =  Average  LOC  for  modern  firewall/security  stack   Key  Takeaway:    For  one  single  offensive  LOC  defenders  write  100,000  LOC   –  120:1  Stuxnet  to  average  malware   –  500:1  Simple  text  editor  to  average  malware   –  2,000:1  Malware  suite  to  average  malware   –  100,000:1  Defensive  tool  to  average  malware   –  1,000,000:1  Target  operaRng  system  to  average  malware   Bruce  Schneier,  “The  State  of  Incident  Response  by  Bruce  Schneier”  Blackhat  2014   –  G.  Akerlof,  “The  Market  for  Lemons:  Quality  Uncertainty  and  the  Market  Mechanism”        Key  Takeaway:  Security  is  a  lemons  market!   –  Prospect  theory  “As  a  species  we  are  risk  adverse  when  it  comes  to  gains  and  risk  taking  when  it  comes  to   losses”          Key  Takeaway:  We  don’t  buy  security  products  un2l  it  is  too  late!  
  • 9. 9   A  Philosophy  of  Defense   "Once  you  understand  The  Way  broadly,  you  can  see  it  in  all  things."    ―  Miyamoto  Musashi,  Book  of  Five  Ring  1643            
  • 10. 10   A  Philosophy  of  Defense   "Once  you  understand  The  Way  broadly,  you  can  see  it  in  all  things."    ―  Miyamoto  Musashi,  Book  of  Five  Ring  1643       •  Musashi  was  undefeated  samurai  (60  duels)   •  Throughout  the  book,  Musashi  implies  that  the   way  of  the  Warrior,  as  well  as  the  meaning  of  a   "True  strategist"  is  that  of  somebody  who  has   made  mastery  of  many  art  forms  away  from  that   of  the  sword…   •  Such  a  philosophy  is  fractal  –  it  has  similar   properRes  on  many  scales  
  • 11. 11   Fractal  Defense   "Once  you  understand  The  Way  broadly,  you  can  see  it  in  all  things."    ―  Miyamoto  Musashi,  Book  of  Five  Ring  1643       •  A  fractal  is  a  natural  phenomenon  or  a   mathemaRcal  set  that  exhibits  a  repeaRng   pa^ern  that  displays  at  every  scale.   •  Security  is  a  combinaRon  of  detecRon,   protecRon  and  response   •  Fractal  defense:  a  philosophy  for  scaling   detecRon,  protecRon  and  response  up  and   down  the  IT  ecosystem  
  • 12. 12   Fractal  Defense:  Example   From  our  white  paper  “Defense  at  scale:  Building  a  Central  Nervous   System  for  the  SOC”     –  Leverage  expressive  ways  to  target  TTP’s  (tacRcs,  techniques  and   procedures)  that  are  reusable  and  scalable  across  many  use  cases/ behaviors   –  Can  incorporate  classical  signatures  into  a  probabilisRc  scoring   mechanism    
  • 13. 13   Fractal  Defense:  Example   From  our  white  paper  “Defense  at  scale:  Building  a  Central  Nervous   System  for  the  SOC”              
  • 14. 14   Fractal  Defense:  Example   From  our  white  paper  “Defense  at  scale:  Building  a  Central  Nervous   System  for  the  SOC”              
  • 15. F1  =  Snort  IOC  "MALWARE-­‐CNC  Win.Trojan.Zeus   encrypted  POST  Data  exfiltra2on”   F5  =    Behavioral  IOC:  Large  number  of  POST’s  and  Null  web  referrals   F3  =    Behavioral  IOC:  Periodic  traffic  over  SSL  without  valid  cer2ficate   F4  =  Behavioral   IOC:  New   domain   registered  with   correlated   whois  data   Overall  Social  Cluster  Score  =   g(F1,  F2,  F3,  F4,  F5)   Central  Nervous  System  Approach  
  • 16. 16   Sound  Bytes   –  Fractal  Defense:  Reuse  logic  (and  code)  across  different   security  use  cases.    Make  behavior  based  IOC’s  map  to   adversary  tacRcs,  techniques  and  procedures  for  be^er   scalability.   –  Cybersecurity  Analy2cs  ROI:    Make  security  requirements   funcRonal  by  sexng  realisRc  benchmarks  based  on  your   own  data     –  Lambda  Architecture:    a  generic  problem  solving  system   built  on  immutability  and  hybrid  batch/real-­‐Rme   workflows    
  • 18. 18   Cybersecurity  AnalyRcs   •  MoRvaRon     –  Number  one  mistake  I  see  researchers  making  is  modeling  the   “ConRnuum  of  behaviors”  vs.  modeling  a  discrete  security  use  case   –  Help  rank  order  use  cases  for  management/researchers  without  security   background  (ranking  should  coincide  with  security  expert  intuiRon)   •  Possible  a^ack  behaviors  are  infinite!   –  Intractable  dimensionality   –  “Project  the  problem  down  to  finitely  many  sub  problems”     •  Anomaly  DetecRon  !=  AcRonable  Intelligence    
  • 19. 19   Cybersecurity  AnalyRcs  Roadmap   •  Step  1:    Make  a  grab  bag  of  your  favorite  use  cases/gaps  of  the  threat  surface   –  Model  primiRves:  acRonable  units  or  single  behaviors   •  Step  2:    Determine  exisRng  coverage  and  cost  of  impact  per  use  case   (APPROXIMATE!  Unless  you  are  have  been  logging  costs  of  security  events   internally  similar  to  MS…)     •  Step  3:    Build  ROI  Graph   –  What  is  your  formula  for  ROI?   •  Step  4:    Rank  Order   –  Rank  by  determining  which  ordering  provides  addiRonal  value  to  minimizing  risk   –  Our  example  uses  the  added  structure  of  LAN  and  WAN  but  you  can  complicate   things  further  by  trying  to  incorporate  adversary  capabiliRes,  point  soluRon   metrics,  etc…  
  • 20. 20   Enumerate  Threat  Surface   §  PtH/PtT   §  Time  of  Day  Model   §  Lateral  Reconnaissance   §  Pop  @  Risk   §  Passive  DNS   §  Data  Store  Exfiltra2on   §  Two  Factor  A;ack   §  Exploit  Kits   §  Crowd  sourced  Executable  Classifica2on   §  MITM   §  Telecommuter  Ground  Speed/ Triangula2on   §  Data  mart  reconnaissance/mapping   §  VIP  Asset  Profiling   §  User  to  Group  Behavior  Metrics   §  User  Access  Pa;ern  Models     §  Shadow  IT  misconfigura2on  and  gap   profiling   §  Beachhead/DMZ  a;ack  graph  modeling   Use  Cases:    Insider/LAN  Threats  
  • 21. 21   Enumerate  Threat  Surface   §  Web  Referral  Graph   §  Time  of  Day  Model   §  Heartbeat  Beacon  Detec2on   §  SSL  Side  Channel  Analysis   §  Watering  Hole  Analy2c   §  Passive  DNS  AI   §  Predic2ve  Blacklis2ng   §  URL  Rela2ve  Path  Tokens   §  Edit  Distance  Classifica2on   §  Exploit  Kits  Analy2cs   §  Pseudo  Random  Domain  Detec2on   §  Executable  Graph  Classifier   §  DNS  Tunneling     Use  Cases:    External/WAN  Threats  
  • 22. 22   Enumerate  Threat  Surface   §  Embedded  Systems  Behavioral   Profiles   §  BYOD  Popula2on  Analysis   §  Passive  mobile  applica2on  classifier   §  Mobile  app  store  profiling   §  Common  environment  baselines  for   mobile  users   §  Mobile  Beacon  Detec2on   §  SSL  Side  Channel  Analysis   §  Creden2al  compromise   §  Rogue  Device  Detec2on   §  HVAC  Controller  A;acks  (BacNet)   Use  Cases:    IoT  and  Shadow  IT  
  • 23. 23   Security  AnalyRcs  ROI   •  What  is  the  intrinsic  value  of  each  model  we  build?   –  False  PosiRve/True  PosiRve  raRos,  AUC,  etc.   –  Cost  of  ValidaRng  the  Model   –  What  is  the  risk  to  the  organizaRon  for  missing  the  threat?   –  Find  Net  New  Threats!   •  How  to  prioriRze  what  analyRc  models  to  invest  in   –  Dimensions:    Impact  Risk,  Cost  of  ValidaRon,  Cost  of  Investment,  Cost  of   Maintenance,  Adversary  Model    
  • 27. 27   Adversary  CapabiliRes  and  the  Threat  Surface   •  A^acker  capability  vs.  Security   Capability  is  an  important   dimension  to  consider  when   prioriRzing  new  soluRons/ analyRcs     •  Try  to  handle  the  low  hanging   fruit  to  more  complex  adversary   behavior  by  road  mapping   custom  analyRcs  based  on  gaps   in  exisRng  and  future  technology   soluRons   •  It  is  a  mistake  to  model  the  most   complex  adversaries  first    
  • 28. 28   Nextgen  Benchmarks   •  DARPA,  Predict.org  spearheading  the  collecRon  and  annotaRon  of   complex  data  sets  for  security  research   –  Skaion  2006  DARPA  Dataset     –  Contagio  Malware  Dump   –  CTU  University:  CTU-­‐13  Dataset.  A  Labeled  Dataset  with  Botnet,  Normal   and  Background  traffic   •  Evidence  CollecRon  and  the  SOC   –  Most  important  workflow  that  is  missing  from  large  scale  Intel/telemetry   sharing  across  organizaRons.,     •  Public  Repos  /  OSINT    
  • 29. 29   FuncRonal  Requirements!   •  Real  problem  in  security  is  requirements  are  non-­‐funcRonal   •  Benchmark  next  gen  product  by  isolaRng  the  sub  problems  and   holding  specific  metrics  accountable  to  real  world  data   •  How  do  you  rank  order  the  value  of  a  cybersecurity  analyRc?  
  • 31. 31   Why  Build  A  Defensive  Tool?   •  Incident  Response  Is  Hard  Work!  What   can  we  automate?       A  security  analyst  is  an  oracle  whose   input  is  evidence  and  whose  output  is   True  Posi2ve,  False  Posi2ve,  True   Nega2ve  or  False  Nega2ve       –  The  list  of  possible  quesRons  is  large  but   typically  the  flow  is  a  type  of  decision  tree  for   example    
  • 32. 32   Why  Build  A  Defensive  Tool?   Security  Oracle  Workflow   Example  1:     Evidence  =>  Periodic  CommunicaRon   =>  LAN  to  WAN  Data  =>WAN  URL  has   Bad  ReputaRon  =>  Correlate  with  VT   =>  True  PosiRve     Example  2:    Evidence  =>  PotenRal  C2  Domain  =>   LAN  to  WAN  Data  =>  WAN  URL  is  new   Google  IP  =>  False  PosiRve  
  • 33. 33   Lambda  Security   •  Lambda  Architecture:  batch  +  real  Rme  compuRng  paradigm   •  Minimizes  the  complexity  in  historical  computaRons  overcoming   bo^lenecks  SOC  has  experienced  operaRng  first  gen  SIEMs   •  Data  model  that  is  append-­‐only,  distributed  and  immutable  is  opRmized   for  security  centric  workflows  and  analyst  queries    
  • 34. 34   Lambda  Security   •  Architecture  is  described  by  three  simple  equaRons:   batch  view  =  func2on(all  data)   real2me  view  =  func2on(real2me  view,  new  data)     query  =  func2on(batch  view,  real2me  view)      
  • 35. 35   Lambda  Security   •  Lambda  architecture  provides  a  design  paradigm  for  a   scalable  central  nervous  system  for  the  SOC  whose   components  include   –  Machine  learning  based  ETL(Extract/Transform/Load)     –  Distributed  crawlers     –  Automated  idenRty/session  resoluRon  and  fingerprinRng     –  Formal  evidence  collecRon  protocol  for  automated  labeling  of   incident  response  data     –  AnalyRcs  Metrics  and  establishing  benchmarks  for   heterogeneous  data    
  • 36. 36   When  is  a  model  ready?      
  • 37. 37   Lambda  Firewalls?!   Manage  the  paths  accordingly  start  building  lambda   workflows  into  Everything!!!   •  Lambda  firewall   –  StaRsRcal  whitelist  computaRon  aspect  (fuzzy  ACL’s)       –  Path  for  signatures  and  sequenRal  behaviors  that  is  more  expressive  than   PCRE   •  Central  nervous  system  approach  to  blending  signals   –  Defense  should  scale  up  and  down  the  size  of  organizaRon:  a  properly   engineered  central  nervous  system  should  be  able  to  protect  SMB  market   as  well  as  large  scale  deployments  
  • 38. •  The  Complexity  Class  P-­‐Complete  and  NC   –  NC  =>  parallelizable   •  Some  problems  don’t  parallelize  well!!   –  P-­‐Complete  =>  Inherently  SequenRal   –  Any  problem  where  you  have  to  maintain  state  across  nodes:  Circuit  Value   Problem,  Linear  programming     –  Streaming  models  are  usually  harder  to  maintain  than  batch  models   38   Complexity  Class  P-­‐Complete  and  NC  
  • 39. Behavioral  Intrusion   DetecRon:  Next  Gen   Signatures   39  
  • 40. 40     Cybersecurity  and  Graph  Mining    •  Dynamic  Temporal  Graphs   –  Social  Network  of  CommunicaRons  forms  a  dynamic  graph  that  evolves  over   Rme     –  Given  a  graph  structure  we  can  leverage  state  of  the  art  graph  mining   techniques  to  detect  anomalous  graph  pa^erns   ê  Anomalous  Clicks   ê  Rare  Sub-­‐Structures     ê  Rare  Paths   •  Anomalies  in  graphs  can  be  easy  to  idenRfy  algorithmically   –  PageRank   –  Graph  Cut/ParRRoning   –  Random  Walk  Driven  Label  PropagaRon  
  • 41. Command  and  Control  (C2)   traffic  has  been  established   between  compromised   hosts  inside  the  corporate   network  and  C2  servers       Behavioral  IOC:  Mobile  C2    
  • 42. C2  Infrastructure  changes  locaRons  of  command   and  control  server  new  communicaRon  path  is   established     Behavioral  IOC:  Mobile  C2    
  • 43.   Behavioral  IOC:  Mobile  C2     C2  Infrastructure  changes  locaRons  of  command   and  control  server  new  communicaRon  path  is   established  
  • 45. At  each  Rme  step  (typically  a   day  or  two)  the  C2   Infrastructure  changes   locaRons  of  command  and   control  via  this  “Fluxing”   behavior.  A  subset  of  these   type  of  graph  pa^erns  is   known  as  “Fast  Fluxing”     Behavioral  IOC:  Mobile  C2    
  • 46.   Behavioral  IOC:  Mobile  C2     The  constant  mobility  of   command  and  control   infrastructure  will   conRnue  this  IP/Domain   fluxing  movement  unRl   detected  
  • 47. Command  and  Control  (C2)   traffic  has  been  established   between  “Beachhead”  and   command  and  control   operator     Behavioral  IOC:  Perimeter  Pivot    
  • 48. Heartbeat  traffic   signals  C2  operator   that  infected  asset   is  up  and  ready  for   instrucRons     Behavioral  IOC:  Perimeter  Pivot    
  • 49. Obfuscated  instrucRons   get  returned  through  an   Upstream  conversaRon   embedded  in  PHP,  .js,   Flash,  etc..     Commands  obfuscated  in   this  way  can  be  through   of  as  a  hidden   “Downstream  Beacon”     Behavioral  IOC:  Perimeter  Pivot    
  • 50. Embedded  commands  can   signal  infected  asset  to   enumerate  local  informaRon  on   the  machine,  a^ach  to  open   network  shares  and  perform   lateral  reconnaissance  and   privilege  escalaRon  throughout   the  compromised  network     Behavioral  IOC:  Perimeter  Pivot    
  • 51. Aner  targeted  lateral  movement  and  privilege   enumeraRon  all  cases  of  targeted  a^acks   eventually  involve  the  compromise  of  the  directory   services  roots  servers  (Usually  AD  Forest  Roots)   and  exfiltraRon  of  key  personnel  informaRon  along   with  any       Behavioral  IOC:  Perimeter  Pivot    
  • 52. ExfiltraRon  and  other   pa^erns  have   different  network   components  but  are   usually  constrained  by   the  pictures  they   make  as  paths  in  a   graph…     Behavioral  IOC:  Perimeter  Pivot    
  • 53. BFS/DFS  +  Other  classic  graph  search  algorithms  are  a  great   examples  of  algorithms  useful  in  detecRng  this  graph  signature   Edge  weights  can  be  encoded  with  key  security  features  to   increase  overall  model  accuracy  regardless  of  the  underlying   algorithms     Behavioral  IOC:  Perimeter  Pivot    
  • 54. Fractal  Defense:    Batch  +  Real  Time  
  • 55. Batch  +  Real  Time:  IdenRty  ResoluRon  
  • 56. High  Risk   CommunicaRon   Cluster   Batch  +  Real  Time:  Updates  
  • 57. F1  =  Snort  IOC  "MALWARE-­‐CNC  Win.Trojan.Zeus   encrypted  POST  Data  exfiltra2on”   F5  =    Behavioral  IOC:  Large  number  of  POST’s  and  Null  web  referrals   F3  =    Behavioral  IOC:  Periodic  traffic  over  SSL  without  valid  cer2ficate   F4  =  Behavioral   IOC:  New   domain   registered  with   correlated   whois  data   Overall  Social  Cluster  Score  =   g(F1,  F2,  F3,  F4,  F5)   Central  Nervous  System  Approach  
  • 58. ArRficial  Intelligence   and  Defense     58  
  • 59. 59     Machine  Learning  and  Cybersecurity    •  Specific  Challenges   –  No  Ground  Truth:  Machine  Learning  works  best  in  the  case  of  large  amount  of  labeled   examples     –  Concept/Adversarial  Drin:  Labels  change  over  Rme   •  Lack  of  Labeled  Data  =>  “No  Free  Lunch”   –  Wolpert,  D.H.,  Macready,  W.G.  (1997),  "No  Free  Lunch  Theorems  for  OpRmizaRon",   IEEE  Transac*ons  on  Evolu*onary  Computa*on  1,  67.   –   Wolpert,  David  (1996),  " The  Lack  of  A  Priori  DisRncRons  between  Learning  Algorithms",  Neural  Computa*on,   pp.  1341-­‐1390.  
  • 60. 60     Limits  of  Automated  Intrusion  DetecRon    •  Travis  Goodspeed:  “Packets  in  Packets”   –  Paper  showing  any  communicaRon  medium  we  can  embed  a  covert   language  to  avoid  eavesdropping  in  open  channels   •  Can  we  programmaRcally  answer  the  quesRons:  “Does  a   communicaRon  contain  steganography?”   –  Equivalent  to  checking  if  a  computer  program  will  halt?   •  Polymorphic  Malware  =>  NFL  
  • 61. 61   A.I.  and  Meta-­‐Theorems   •  Is  intelligence  achievable  in  sonware  (Strong  AI)?     –  Sco^  Aronson:  Unlikely  sonware/hardware  combinaRons  are  compeRng  against   3  Billion  years  of  evoluRon   •  Keep  a  catalogue  of  deep  results  and  curiosiRes   –  Gödel's  Incompleteness   –  Church-­‐Turning   –  Blum's  Speedup  Theorem   –  No  free  Lunch   –  One  Learning  Algorithm  Hypothesis   –  Grover's/Shor’s  Algorithms   •  Track  Cuxng  Edge  ML   –   Paper:  “Building  high-­‐level  features  using  large  scale  unsupervised  learning”   ê  Andrew  Ng  and  Jeff  Dean  et  al.  (2012)  ICML  
  • 62. 62   HalRng  Problem   •  The  problem  is  to  determine,  given  a  program  and  an  input  to  the  program,   whether  the  program  will  eventually  halt  when  run  with  that  input   •  The  halRng  problem  is  famous  because  it  was  one  of  the  first  problems   proven  algorithmically  undecidable.    This  means  there  is  no  algorithm  which   can  be  applied  to  any  arbitrary  program  and  input  to  decide  whether  the   program  stops  when  run  with  that  input.  
  • 63. 63     TheoreRcal  Backbone    –  Classical  ComputaRon   ê  Logical  Consistency  of  Computer  Languages  (Church-­‐Turing)   ê  Physical  RealizaRon  of  Turning  Machine  (Church  turning  +  Von  Neumann)   ê  FloaRng  point  representaRon  with  controllable  error  propagaRon     –  Weak/Strong  AI   ê  HalRng  problem  and  No  Free  Lunch  theorems  =>  building  intelligent  sonware   is  “hard”   ê  Current  machine  learning  methods  are  a  type  of  weak  AI     –  Distributed  ComputaRon   ê  Complexity  classes  P-­‐Complete,  NC   ê  CAP  Theorem   ê  Actor  Models   ê  Batch  +  Real-­‐Time  :=  Lambda  Architecture  
  • 64. 64   Data  Science  in  Cybersecurity   •  What  is  a  behavior  mathemaRcally?   –  Fraud  in  Cybersecurity  manifests  itself  in  infinitely  many  possibiliRes     •  Automated  idenRficaRon  of  fraud  in  IT  is  in  some  sense   equivalent  to  trying  solve  the  halRng  problem  on  a  Turning   Machine   –  ComputaRonally  it  is  impossible  to  “enumerate”  all  possible  behaviors    
  • 65. 65   Blackhat  Sound  Bytes   –  Fractal  Defense:  Reuse  logic  (and  code)  across  different   security  use  cases.    Make  behavior  based  IOC’s  map  to   adversary  TacRcs,  Techniques  and  Procedures  for  be^er   scalability.   –  Cybersecurity  Analy2cs  ROI:    Make  requirements   funcRonal  by  sexng  realisRc  benchmarks  based  on  your   own  data  and  metrics     –  Lambda  Architecture:    a  generic  problem  solving  system   built  on  immutability  and  hybrid  batch/real-­‐Rme   workflows    
  • 71. 71     One  Learning  Algorithm  Hypothesis    
  • 72. 72     TheoreRcal  Background    •  Doctoral  Research   –  Iterated  Processes:  What  happens  when  we  replace  Rme  with  a   random  process?   ê  Set  t  “=“  B(t)  where  B  is  a  Brownian  moRon   –  Can  Feynman  Path  Integral  be  defined  MathemaRcally?   ê  Feynman-­‐Kac’s  Formula:  Duality  between  PDE’s  and  SDE’s   ê  Measures  on  the  space  of  conRnuous  funcRons   –  FracRonal  Brownian  moRon  and  processes  with  long  memory   ê  Random  walks  that  are  not  Markov   ê  Malliavin  Calculus:  (Used  to  prove  Hörmander’s  Theorem)   –  Malliavin  built  a  calculus  out  of  Random  processes  replacing  Rme  by  h  in  a   Hilbert  space    
  • 73. 73   StochasRc  Processes  with  Long  Memory   •  Since  ancient  Rmes  the  Nile  River  has  been  known  for  its  long  periods  of   dryness  followed  by  long  periods  of  floods   •  The  hydrologist  Hurst  was  the  first  one  to  describe  these  characterisRcs  when   he  was  trying  to  solve  the  problem  of  flow  regularizaRon  of  the  Nile  River.      
  • 74. 74     FracRonal  Brownian  MoRon    
  • 75. Copyright  ©  2015  Splunk  Inc.   Splunk  for  Security    
  • 76. Thousands  of  Customers  &  Analyst  ValidaRon   76   Gartner  MQ   for  SIEM  2014  
  • 77. Splunk  sonware  complements,  replaces  and  goes  beyond  tradiRonal  SIEMs.   AnalyRcs-­‐Driven  Security  Use  Cases     SECURITY  &                     COMPLIANCE   REPORTING   REAL-­‐TIME   MONITORING  OF   KNOWN  THREATS   MONITORING     OF  UNKNOWN   THREATS   INCIDENT   INVESTIGATIONS   &  FORENSICS   FRAUD     DETECTION   INSIDER     THREAT   77  
  • 78. Caspida   240+  security  apps  Splunk  App  for   Enterprise  Security   Splunk  Security  Intelligence  Pla€orm   78   Palo  Alto   Networks   NetFlow  Logic   FireEye   Blue  Coat   Proxy  SG   OSSEC   Cisco  Security   Suite   AcRve   Directory   F5  Security   Juniper   Sourcefire  
  • 79. Splunk  App  for  Enterprise  Security   Incident  Inves2ga2ons  &  Management  Alerts  &  Dashboards  &  Reports   Sta2s2cal  Outliers  &  Risk  Scoring  &  User  Ac2vity   Threat  Intel  &  Asset  &  Iden2ty  Integra2on   Pre-­‐built  searches,  alerts,  reports,  dashboards,  incident  workflow,  and  threat  intelligence  feeds   79  
  • 80. IT   OperaRons   ApplicaRon   Delivery   Business   AnalyRcs   Industrial  Data   and  Internet  of   Things   80   Splunk  Is  Used  Across  IT  and  the  Business   Business   AnalyRcs   Industrial  Data   and  Internet  of   Things   Security,     Compliance   and  Fraud   Strong  ROI  &  facilitates  cross-­‐department  collaboraEon