Post on 16-Apr-2017
SQRRL THREAT HUNTING PLATFORM
Adam Fuchs, CTO, Sqrrl
Committer, Apache Accumulo; Member, ASF
© 2016 Sqrrl Data, Inc. All rights reserved.
Accelerating Investigations: Log Data vs. Behavior Graph
The Sqrrl Threat Hunting Platform
Ingests security data, network data, and endpoint/identity data, including:
• Firewall / IDS
• Threat Intel
• Bro
• SIEM Alerts
• Netflow
• Proxy
• Processes
• HR
Sqrrl Architecture
Layers, top to bottom:
• Interface: Visualization + API
• Data Model: Raw Events, Linked Data
• Processing: Query Engine (Accumulo Iterators); Bulk/Graph Processing (YARN + Spark)
• Data Storage: HDFS + Accumulo
• Physical: Commodity Hardware
Security controls cutting across all layers: Audit, Encryption, Labeling + Policy
The Apache Accumulo Project
Accumulo stores sorted key/value pairs:
• High-performance writes
• Great scalability
• Embedded processing (iterators)
We leverage Accumulo for:
• Low-latency information retrieval
• Indexing
• Distributed processing
• Graph organization
• Ingest-time aggregation
• Secure storage
• Behavioral analytics
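Two of the Accumulo properties the slide leans on for secure storage and ingest-time aggregation are cell-level visibility labels and combiner-style iterators. The following is an added example, not Accumulo's or Sqrrl's own code: a small Python model of a sorted key/value table that reimplements, in simplified form, the visibility-expression rules Accumulo documents (tokens joined by & or |, parentheses required to mix the two, an empty label readable by any scanner) and a scan-time combiner that folds the versions of one key into a single value. The table contents, labels and per-host login counts are constructed for the example.

```python
"""Simplified model of Accumulo-style cell-level visibility and combiner iterators.
Example code, not Accumulo's or Sqrrl's own implementation."""
import re
from collections import namedtuple

# Accumulo key structure: row, column family, column qualifier, visibility, timestamp.
Key = namedtuple("Key", "row cf cq vis ts")
_TOKEN = re.compile(r"[A-Za-z0-9_\-:./]+")


def _parse(expr, pos):
    """Recursive-descent parse of a visibility expression into ('tok', name),
    ('&', [...]) or ('|', [...]). Returns (node, next_pos)."""
    terms, op = [], None
    while True:
        if pos < len(expr) and expr[pos] == "(":
            node, pos = _parse(expr, pos + 1)
            if pos >= len(expr) or expr[pos] != ")":
                raise ValueError("unbalanced parenthesis in %r" % expr)
            pos += 1
        else:
            m = _TOKEN.match(expr, pos)
            if not m:
                raise ValueError("bad visibility expression %r at offset %d" % (expr, pos))
            node, pos = ("tok", m.group()), m.end()
        terms.append(node)
        if pos < len(expr) and expr[pos] in "&|":
            # Accumulo rejects A&B|C: & and | at one level must be parenthesised.
            if op is not None and expr[pos] != op:
                raise ValueError("mixed & and | without parentheses in %r" % expr)
            op, pos = expr[pos], pos + 1
            continue
        return (terms[0] if len(terms) == 1 else (op, terms)), pos


def parse_visibility(expr):
    """Empty visibility means the cell is visible to every scanner."""
    if expr == "":
        return None
    node, pos = _parse(expr, 0)
    if pos != len(expr):
        raise ValueError("trailing characters in %r" % expr)
    return node


def is_valid_visibility(expr):
    try:
        parse_visibility(expr)
        return True
    except ValueError:
        return False


def evaluate(node, auths):
    """True if a scanner holding the authorization set `auths` may see the cell."""
    if node is None:
        return True
    kind, body = node
    if kind == "tok":
        return body in auths
    combine = all if kind == "&" else any
    return combine(evaluate(t, auths) for t in body)


class Table:
    """Sorted cells with Accumulo's ordering: row, cf, cq, vis ascending, ts descending."""

    def __init__(self):
        self._cells = []

    def put(self, row, cf, cq, vis, ts, value):
        parse_visibility(vis)  # malformed labels are rejected at write time
        self._cells.append((Key(row, cf, cq, vis, ts), value))
        self._cells.sort(key=lambda kv: (kv[0].row, kv[0].cf, kv[0].cq, kv[0].vis, -kv[0].ts))

    def scan(self, auths, combiner=None):
        """Return visible cells as [((row, cf, cq, vis), value)].
        `combiner`, if given, folds the versions sharing a (row, cf, cq, vis) into
        one value, like a SummingCombiner applied at scan or compaction time."""
        out = []
        for key, value in self._cells:
            if not evaluate(parse_visibility(key.vis), auths):
                continue  # the visibility filter runs before any other iterator
            ident = key[:4]
            if combiner is not None and out and out[-1][0] == ident:
                out[-1] = (ident, combiner(out[-1][1], value))
            else:
                out.append((ident, value))
        return out


def sample_table():
    """Constructed per-host login counts; partial counts arrive as separate cells."""
    t = Table()
    t.put("host:web01", "logins", "alice", "SOC", 1, 3)
    t.put("host:web01", "logins", "alice", "SOC", 2, 2)
    t.put("host:web01", "logins", "svc_backup", "SOC&HR", 1, 1)
    t.put("host:web01", "hr", "alice", "HR|(SOC&LEGAL)", 1, "employee")
    t.put("host:web01", "public", "name", "", 1, "web01")
    return t


if __name__ == "__main__":
    for auths in (set(), {"SOC"}, {"SOC", "LEGAL"}, {"SOC", "HR"}):
        print(sorted(auths), sample_table().scan(auths, combiner=lambda a, b: a + b))
```

The point to notice is where the filtering happens: a scanner holding only SOC never receives the SOC&HR cell at all, so anything layered above the iterator stack (analytics, API, visualization) cannot leak it, and the two partial counts for alice collapse to 5 without the application ever seeing both versions.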
Attack Chain Behavior Detection
Adversary behavior is modeled on a kill chain. Aligning behavior-detection analytics to the kill chain:
• Helps determine attack penetration and risk
• Supports arguments for completeness of detection coverage
Kill Chain-Based Behavioral Analytic Example
• Lateral movement: multiple host logins, credential theft
• Data sources: Active Directory, Windows event logs
• Unsupervised machine learning for rarity detection
• Graph algorithm for chaining
• Analyst whitelisting of false positives
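The three bullets above (rarity detection, graph chaining, analyst whitelisting) fit together as a pipeline, and the following added example shows one concrete way to wire them up in Python. It is illustrative code written for this page, not Sqrrl's analytic: the event field names, the rarity score (one minus the fraction of baseline days on which an account logged on to a host), the one-hour chaining window, the 0.9 threshold and the whitelist format are all this example's own choices, and the Windows 4624 logon records it runs over are constructed.

```python
"""Lateral-movement analytic: rarity scoring, graph chaining and analyst whitelisting
over Windows logon events. Example code, not Sqrrl's analytic."""
from collections import defaultdict
from datetime import datetime, timedelta

NETWORK_LOGON_TYPES = {3, 10}  # 4624 logon types: network (3) and RDP (10); interactive (2) is ignored


def event(ts, account, src, dst, logon_type=3):
    """One normalised 4624 record: src is the workstation/IP the logon came from,
    dst the Computer that logged it. Field names are this example's, not Sqrrl's."""
    return {"time": datetime.fromisoformat(ts), "account": account, "src": src,
            "dst": dst, "type": logon_type}


def build_baseline():
    """Constructed 30-day baseline: two users with fixed habits and a nightly scanner."""
    evs = []
    for day in range(1, 31):
        d = "2017-03-%02d" % day
        evs.append(event(d + "T08:05:00", "alice", "ws-alice", "web01"))
        evs.append(event(d + "T08:10:00", "bob", "ws-bob", "fileserver"))
        for host in ("web01", "fileserver", "dc01", "hr-db"):
            evs.append(event(d + "T02:00:00", "svc_scanner", "vuln-scan", host))
    return evs


# Constructed recent window containing a three-hop movement that ends under a stolen account.
RECENT = [
    event("2017-04-03T02:00:00", "svc_scanner", "vuln-scan", "dc01"),
    event("2017-04-03T02:01:00", "svc_scanner", "vuln-scan", "newbox"),  # new host, but it is the scanner
    event("2017-04-03T09:02:00", "alice", "ws-alice", "web01"),           # habitual
    event("2017-04-03T09:40:00", "alice", "ws-alice", "fileserver"),      # hop 1: never seen before
    event("2017-04-03T09:47:00", "alice", "fileserver", "dc01", 10),      # hop 2: RDP from the file server
    event("2017-04-03T09:55:00", "svc_backup", "dc01", "hr-db"),          # hop 3: unknown account
    event("2017-04-03T10:30:00", "bob", "ws-bob", "web01", 2),            # interactive logon, filtered out
]

# Analyst whitelist of known false positives: (account, destination), "*" as wildcard.
WHITELIST = {("svc_scanner", "*")}


def rarity_scores(baseline, recent):
    """Unsupervised rarity: 1 - (baseline days on which this account logged on to this
    host) / (days in baseline). Never-seen pairs and unknown accounts score 1.0."""
    days = {e["time"].date() for e in baseline}
    pair_days = defaultdict(set)
    for e in baseline:
        pair_days[(e["account"], e["dst"])].add(e["time"].date())
    return [(1.0 - len(pair_days[(e["account"], e["dst"])]) / len(days), e) for e in recent]


def is_whitelisted(e, whitelist):
    return (e["account"], e["dst"]) in whitelist or (e["account"], "*") in whitelist


def chain_events(flagged, window=timedelta(hours=1)):
    """Graph chaining: one edge src->dst per flagged logon; e2 extends e1 when e1.dst == e2.src
    and e2 happens within `window` after e1. Returns maximal chains of length >= 2."""
    flagged = sorted(flagged, key=lambda e: e["time"])
    nxt = {i: [j for j, f in enumerate(flagged)
               if f["src"] == e["dst"] and e["time"] < f["time"] <= e["time"] + window]
           for i, e in enumerate(flagged)}
    has_pred = {j for js in nxt.values() for j in js}
    chains = []

    def walk(path):  # edges only go forward in time, so this cannot loop
        if not nxt[path[-1]]:
            if len(path) >= 2:
                chains.append([flagged[k] for k in path])
            return
        for j in nxt[path[-1]]:
            walk(path + [j])

    for i in range(len(flagged)):
        if i not in has_pred:  # start chains only at hops with no predecessor
            walk([i])
    return chains


def detect_lateral_movement(baseline, recent, whitelist, threshold=0.9):
    """Returns (flagged events, chains). Whitelisting removes events before chaining."""
    baseline = [e for e in baseline if e["type"] in NETWORK_LOGON_TYPES]
    recent = [e for e in recent if e["type"] in NETWORK_LOGON_TYPES]
    flagged = [e for score, e in rarity_scores(baseline, recent)
               if score >= threshold and not is_whitelisted(e, whitelist)]
    return flagged, chain_events(flagged)


if __name__ == "__main__":
    flagged, chains = detect_lateral_movement(build_baseline(), RECENT, WHITELIST)
    for c in chains:
        print(" -> ".join("%s@%s" % (e["account"], e["dst"]) for e in c))
```

Rarity alone would raise four alerts here (the scanner's new host plus the three hops); the whitelist removes the scanner, and chaining is what turns three single-hop rarities into one ws-alice -> fileserver -> dc01 -> hr-db finding, including the switch to svc_backup on the last hop that rarity scoring on its own would have reported as an unrelated unknown account.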
Collating Results for Visualization and Analysis
Raw Data → Modeled Data (Graph) → Analytics (Behavioral Analytics, Entity Risk Scoring) → API → Applications
Target. Hunt. Disrupt.