Reducing Mean Time to Know
© 2015 Sqrrl | All Rights Reserved

2. YOUR WEBINAR HOSTS
• Sqrrl cofounder / VP Business Development
• Former Director of Cybersecurity at the National Security Council Staff / White House
• Degrees from Wharton and Harvard

• Sqrrl VP Products
• Former Director of Product Management at Vertica, Imprivata, and DataSynapse
• CS degree from MIT
3. SQRRL HISTORY
From securing the country to securing your enterprise
• 2006: Google's BigTable paper
• 2008: NSA builds Accumulo
• 2012: Sqrrl founded
• 2013: Sqrrl Enterprise 1.0
• 2015: Sqrrl Enterprise 2.0
Investors / Patented Technology (shown as logos on the slide)
4. INCIDENT RESPONSE LIFECYCLE
Sqrrl's focus today is on Detection and Analysis (i.e., cybersecurity investigations)
Source: NIST (the SP 800-61 incident response lifecycle, of which Detection and Analysis is one phase)
5. CYBERSECURITY INVESTIGATIONS TAXONOMY
Cybersecurity Investigations
  Detection
    • Hunting / IOCs
    • Threat Intelligence
    • Alerting
  Analysis
    • Alert Resolution
    • Incident Triage
    • Root Cause / Forensics
Bottom tier of the tree: Rule-Based | Algorithmic
6. MEAN TIME TO KNOW
How do we decrease Mean Time To Know?
• Mean Time To Identify (MTTI): detect that an incident has occurred
• Mean Time To Know (MTTK): understand the root cause of an incident
% Time Spent on MTTI vs. MTTK: 25% vs. 75% (pie chart)
Source: Ponemon Institute
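The two metrics above are easy to get wrong on a SOC dashboard, so here is a small worked calculation. This is an added example, not code from the Sqrrl webinar. It assumes MTTI is measured from compromise to detection and MTTK from detection to root cause, back to back, so the two shares sum to 100% as in the pie chart; the incident timestamps are constructed.

```python
"""Mean Time To Identify / Mean Time To Know from incident records.

Added example, not code from the Sqrrl deck. Assumption: the two intervals
are measured back to back, MTTI = compromise -> detection, MTTK =
detection -> root cause understood, so their shares add up to 100%.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Incident:
    name: str
    occurred: datetime          # earliest evidence of compromise
    detected: datetime          # first alert / analyst awareness
    root_cause_known: datetime  # investigation reached root cause

    def __post_init__(self) -> None:
        # A record whose timestamps run backwards would silently skew the means.
        if not self.occurred <= self.detected <= self.root_cause_known:
            raise ValueError(f"{self.name}: timestamps are out of order")

    @property
    def time_to_identify(self) -> timedelta:
        return self.detected - self.occurred

    @property
    def time_to_know(self) -> timedelta:
        return self.root_cause_known - self.detected


def mean_times(incidents: Iterable[Incident]) -> Tuple[timedelta, timedelta]:
    """Return (MTTI, MTTK) as timedeltas over a non-empty incident set."""
    items: List[Incident] = list(incidents)
    if not items:
        raise ValueError("no incidents to average")
    n = len(items)
    mtti = sum((i.time_to_identify for i in items), timedelta()) / n
    mttk = sum((i.time_to_know for i in items), timedelta()) / n
    return mtti, mttk


def time_split(incidents: Iterable[Incident]) -> Tuple[float, float]:
    """Fraction of total incident time spent identifying vs. knowing."""
    mtti, mttk = mean_times(incidents)
    total = mtti + mttk
    if total == timedelta():
        return 0.0, 0.0  # every incident resolved instantly: nothing to split
    return mtti / total, mttk / total


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


# Constructed sample data (not real incidents).
SAMPLE_INCIDENTS = [
    Incident("phish-01", _ts("2015-03-01 08:00"), _ts("2015-03-01 20:00"), _ts("2015-03-03 20:00")),
    Incident("c2-beacon", _ts("2015-03-05 00:00"), _ts("2015-03-06 00:00"), _ts("2015-03-09 00:00")),
    Incident("insider-dl", _ts("2015-03-10 09:00"), _ts("2015-03-10 15:00"), _ts("2015-03-11 03:00")),
]

if __name__ == "__main__":
    mtti, mttk = mean_times(SAMPLE_INCIDENTS)
    ident, know = time_split(SAMPLE_INCIDENTS)
    print(f"MTTI = {mtti}, MTTK = {mttk}")
    print(f"time split: {ident:.0%} identifying, {know:.0%} knowing")
```

On the constructed set the means come out at 14 hours to identify and 44 hours to know, roughly the 25/75 split the chart shows; the point of separating the two clocks is that a faster alert pipeline moves only the first number.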
7. SQRRL MTTK CASE STUDY: Large Telecommunications Company
Challenge: Analyzing more than 1 year of multi-structured security data, including for Advanced Persistent Threats (APT), fraud, and insider threats
Sqrrl Solution:
• Aggregate and store all data
• Gather and profile employee and device behaviors
• Search, query and analyze behaviors, details and anomalies
Results:
• Ensured compliance with data security regulations
• Reduced investigation time from days/weeks to minutes
• Visibility across more data than previously possible
8. TOP 5 WAYS TO REDUCE MTTK
1. Big Data
2. Linked Data Visualization
3. Graph Exploration
4. Investigation Workflow
5. Advanced Analytics
9. #1 BIG DATA
Volume and Variety of Data
Current solutions can't easily handle the variety and volume of data that security analysts need
10. #1 BIG DATA
Performance Measures
• Sqrrl indexes and stores 25,000 events per second per node
• Sqrrl's core has proven near-linear scalability to 2000+ nodes
• Clustered support for processing trillions of events per day
Source: http://www.pdl.cmu.edu/SDI/2013/slides/big_graph_nsa_rd_2013_56002v1.pdf
Source: http://arxiv.org/pdf/1406.4923v1.pdf

Data Source            Record Count
Netflow                2,109,409,060
Cisco ASA Firewall     2,982,124,483
Websense                 924,819,607
MsDns                    503,237,033
IsaFw                    207,834,546
IIS                       38,941,968
Damballa                      16,060
Apache Webserver           5,615,832
ISE                          671,006
Radius                     1,138,001
Windows Events            12,220,081
Symantec EP                1,040,871
FireEye                        4,305
Total Records          6,787,072,853
Node * Seconds               271,800
Records/Second/Node           24,971
11. #2 LINKED DATA VISUALIZATION
Logs vs. Linked Data
12. LINKED DATA
• Organizes data into entities and relationships (links)
• More intuitive visualization
• Surfaces meaning & context
• Enables faster analysis
13. LINKED DATA VISUALIZATION DEMO
14. #3 GRAPH EXPLORATION
Pattern Discovery and Matching
• Hunting for known patterns
• Search for the HTTP transaction "triangle"
• Locate a specific instance quickly among a large volume of transactions
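Slides 12 and 14 describe turning logs into entities and relationships and then hunting a known shape, the HTTP transaction "triangle", in that graph. The following added example (not Sqrrl's code) does both on a handful of constructed DNS, proxy and flow log lines in an assumed key=value format. The deck does not spell out what the triangle is; it is interpreted here as host queried domain, domain resolved to IP, host connected over HTTP to that IP. The complementary broken shape, an HTTP connection with no preceding name resolution, falls out of the same graph.

```python
"""Logs -> linked data -> graph pattern search.

Added example, not Sqrrl code. The log lines are constructed, the key=value
format is assumed for the demo, and the "HTTP transaction triangle" is
interpreted as: host H queried domain D, D resolved to IP I, H made an
HTTP connection to I.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Node = Tuple[str, str]  # (entity type, value), e.g. ("host", "10.1.1.5")


class LinkedData:
    """Entities and typed relationships: the linked-data view of the logs."""

    def __init__(self) -> None:
        self.edges: Dict[Tuple[Node, str], Set[Node]] = defaultdict(set)
        self.nodes: Set[Node] = set()

    def link(self, src: Node, rel: str, dst: Node) -> None:
        self.nodes.update((src, dst))
        self.edges[(src, rel)].add(dst)

    def neighbors(self, node: Node, rel: str) -> Set[Node]:
        return self.edges.get((node, rel), set())

    def entity(self, node: Node) -> Dict[str, List[str]]:
        """Everything linked from one entity: what an analyst pivots on."""
        return {rel: sorted(v for _, v in dsts)
                for (src, rel), dsts in self.edges.items() if src == node}


def build_graph(log_text: str) -> LinkedData:
    """Flat log lines become typed entities joined by relationships."""
    g = LinkedData()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, kind, *kv = line.split()
        f = dict(tok.split("=", 1) for tok in kv)
        if kind == "dns":
            g.link(("host", f["client"]), "queried", ("domain", f["query"]))
            g.link(("domain", f["query"]), "resolves_to", ("ip", f["answer"]))
        elif kind == "http":
            g.link(("host", f["src"]), "http_to", ("ip", f["dst"]))
            g.link(("ip", f["dst"]), "served_host", ("domain", f["host"]))
        elif kind == "flow":
            g.link(("host", f["src"]), "flow_to", ("ip", f["dst"]))
    return g


def find_triangles(g: LinkedData) -> List[Tuple[str, str, str]]:
    """All (host, domain, ip) instances of the HTTP transaction triangle."""
    found = set()
    for node in g.nodes:
        if node[0] != "host":
            continue
        http_ips = g.neighbors(node, "http_to")
        for domain in g.neighbors(node, "queried"):
            for ip in g.neighbors(domain, "resolves_to"):
                if ip in http_ips:
                    found.add((node[1], domain[1], ip[1]))
    return sorted(found)


def http_without_dns(g: LinkedData) -> List[Tuple[str, str]]:
    """Hosts talking HTTP to an IP they never resolved: the broken triangle."""
    found = set()
    for node in g.nodes:
        if node[0] != "host":
            continue
        resolved = {ip for d in g.neighbors(node, "queried")
                    for ip in g.neighbors(d, "resolves_to")}
        for ip in g.neighbors(node, "http_to"):
            if ip not in resolved:
                found.add((node[1], ip[1]))
    return sorted(found)


# Constructed sample logs (RFC 5737 test addresses, made-up names).
SAMPLE_LOGS = """\
2015-05-12T10:00:01 dns client=10.1.1.5 query=update.cdn-mirror.example answer=203.0.113.20
2015-05-12T10:00:02 http src=10.1.1.5 dst=203.0.113.20 host=update.cdn-mirror.example uri=/a.bin
2015-05-12T10:00:07 dns client=10.1.1.9 query=mail.corp.example answer=192.0.2.10
2015-05-12T10:00:09 http src=10.1.1.9 dst=192.0.2.10 host=mail.corp.example uri=/owa
2015-05-12T10:01:00 http src=10.1.1.7 dst=198.51.100.77 host=198.51.100.77 uri=/gate.php
2015-05-12T10:02:00 dns client=10.1.1.5 query=time.corp.example answer=192.0.2.11
2015-05-12T10:03:00 flow src=10.1.1.7 dst=198.51.100.77 bytes=48211
"""

if __name__ == "__main__":
    graph = build_graph(SAMPLE_LOGS)
    print("entity 10.1.1.5:", graph.entity(("host", "10.1.1.5")))
    print("triangles:", find_triangles(graph))
    print("http without dns:", http_without_dns(graph))
```

The same question asked of the raw lines would need a three-way join across DNS, proxy and flow sources keyed on different field names; in the graph it is a fixed-depth walk from each host, which is what makes a known pattern cheap to locate among billions of transactions.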
15. GRAPH EXPLORATION DEMO
16. #4 INVESTIGATION WORKFLOW
It is easy to get lost in a maze of searches during an investigation
17. INVESTIGATION WORKFLOW DEMO
18. #5 ADVANCED ANALYTICS
Algorithmic approaches to anomaly detection
Example shown: Peer Group Outlier
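Peer group outlier detection, as shown on the slide, compares each entity with its peers rather than with the whole population. The added example below is not Sqrrl's analytic: it scores constructed per-user upload volumes with a robust modified z-score (median and MAD, with the 3.5 cutoff from Iglewicz and Hoaglin) inside each department, and also scores the same users against everyone so the difference is visible.

```python
"""Peer-group outlier detection with a robust (median / MAD) score.

Added example, not Sqrrl's analytic. Scoring each user against peers in
the same department, rather than against the whole population, is the
point of the peer group approach. The records below are constructed.
"""
from collections import defaultdict
from statistics import mean, median
from typing import Dict, List, Optional, Tuple

Record = Dict[str, object]


def modified_z_scores(values: List[float]) -> List[float]:
    """Iglewicz-Hoaglin modified z-score: 0.6745 * (x - median) / MAD.

    Median and MAD are not dragged around by the very outliers we are
    looking for, unlike mean and standard deviation. When MAD is 0 (most
    peers identical) fall back to 1.253314 * mean absolute deviation.
    """
    med = median(values)
    abs_dev = [abs(v - med) for v in values]
    scale = median(abs_dev) / 0.6745
    if scale == 0:
        scale = 1.253314 * mean(abs_dev)
    if scale == 0:
        return [0.0] * len(values)  # every peer identical: nothing to flag
    return [(v - med) / scale for v in values]


def outliers(records: List[Record], feature: str, group_key: Optional[str] = None,
             threshold: float = 3.5, min_group: int = 3) -> List[Tuple[str, float]]:
    """Flag (user, score) pairs whose |score| exceeds threshold within their group.

    group_key=None scores everyone as one population. Groups smaller than
    min_group have no usable baseline and are skipped here; in production
    they would fall back to a coarser group or the population.
    """
    groups: Dict[object, List[Record]] = defaultdict(list)
    for r in records:
        groups[r[group_key] if group_key else "all"].append(r)
    flagged = []
    for members in groups.values():
        if len(members) < min_group:
            continue
        scores = modified_z_scores([float(m[feature]) for m in members])
        for m, s in zip(members, scores):
            if abs(s) > threshold:
                flagged.append((str(m["user"]), round(s, 2)))
    return sorted(flagged)


# Constructed sample: one day of upload volume per user (MB), not real data.
SAMPLE_RECORDS: List[Record] = [
    {"user": "alice", "dept": "finance", "mb_uploaded": 120},
    {"user": "bob", "dept": "finance", "mb_uploaded": 130},
    {"user": "carol", "dept": "finance", "mb_uploaded": 110},
    {"user": "dave", "dept": "finance", "mb_uploaded": 125},
    {"user": "erin", "dept": "finance", "mb_uploaded": 900},
    {"user": "frank", "dept": "engineering", "mb_uploaded": 900},
    {"user": "grace", "dept": "engineering", "mb_uploaded": 1100},
    {"user": "heidi", "dept": "engineering", "mb_uploaded": 950},
    {"user": "ivan", "dept": "engineering", "mb_uploaded": 1000},
    {"user": "judy", "dept": "engineering", "mb_uploaded": 1050},
]

if __name__ == "__main__":
    print("peer group:", outliers(SAMPLE_RECORDS, "mb_uploaded", group_key="dept"))
    print("population:", outliers(SAMPLE_RECORDS, "mb_uploaded"))
```

Against the whole population erin's 900 MB sits right at the median, because engineering routinely moves that much, and nothing is flagged; against finance peers the same value is roughly a hundred MADs out. That is the failure mode a global threshold has and a peer group baseline does not.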
19. ADVANCED ANALYTICS DEMO
20. HOW TO LEARN MORE?
www.sqrrl.com
• Read our white paper or product paper
• Schedule a demo or proof of concept
• Request a VM or evaluation software