Speaker: Lisa Huff
Presentation Title: UBA Awakens
Presentation Description: How Data Science is replacing signatures and rules

Speaker Bio
Lisa Huff works for a User Behavior Analysis company where she focuses on consulting with organizations to understand their ongoing security challenges with existing solutions, as well as discussing ways of providing more visibility into user behavior within organizations and how this adds much-needed visibility for analyst and SOC teams. Lisa has been in the networking and security space for close to 20 years and has worked with some of the largest organizations to help them better understand the ongoing challenges they face in staying ahead of threats to their organization.
Agenda
• Security monitoring through logs
• Some familiar incidents
• How detection is changing
• Applying machine learning
• User behavior analytics
Today's security monitoring best practices
VISIBILITY REQUIREMENT
A potentially harmful activity requires detection
SIGNAL DETECTION AND MONITORING
A product is deployed to detect the activity and monitor going forward
LOG AND INCIDENT MANAGEMENT
Every good/bad event is being logged to a SIEM for correlation and investigation
A few requirements, lots of log feeds

Activity monitoring requirements:
• Lateral movement
• Remote employees
• Data exfiltration
• Malicious activity and malware

Gathered logs and artifacts:
• Windows logs
• VPN logs
• Cloud logs
• UNIX logs
• DLP logs
• Proxy logs
• Network protection logs
• Firewall logs
• Host protection logs
• Physical badge logs
• NAC logs
• DHCP logs
• IPS logs
• WiFi logs
• Database logs
• WAF logs
• File access logs
• BYOD admission logs
• Process logs
Analystworkflow
Stash of logs -> Correlation rules and alerts -> Create incidents
Case assembly and investigation through log search
The Target breach, you are only human…
Source: http://www.darkreading.com/attacks-and-breaches/target-ignored-data-breach-alarms/d/d-id/1127712
Source: http://www.scmagazine.com/target-did-not-respond-to-fireeye-security-alerts-prior-to-breach-according-to-report/article/338201/
Source: http://www.bloomberg.com/bw/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data
• ~Thanksgiving/Christmas 2013: ~40m credit and debit card numbers were stolen using POS malware at Target
• FireEye sent alerts on the then-unknown malware, but they were wrongly interpreted and ignored.
• From Dark Reading's interview with Target:
► "Based on their interpretation and evaluation of that activity, the team determined that it did not warrant immediate follow up," she said. "With the benefit of hindsight, we are investigating whether, if different judgments had been made, the outcome may have been different."
Neiman Marcus…needle in the needle-stack
• ~1.1m credit cards' information exposed (NYT, Jan 13, 2014)
• Industry averages
► The average enterprise logs ~160m-200m events a day
► The average enterprise logs up to 150k security events a day
• Neiman Marcus' systems raised ~60k security alerts over the course of its roughly 3-month breach, and the intrusion still went undetected. (Damballa State of Infections Report 2014)
• Those are just security alerts; the numbers exclude noteworthy infrastructure events
Source: http://www.nytimes.com/2014/01/24/business/neiman-marcus-breach-affected-1-1-million-cards.html
Source: https://www.damballa.com/downloads/r_pubs/Damballa_Q114_State_of_Infections_Report.pdf
Impossible signal/noise ratio
Snowden... In those we trust.
• Highly privileged and trusted user with access rights to sensitive information
• Creates the mother of all data leaks
• Noteworthy:
► Changes his behavior over time
► Avoids stepping in any traps
► No malware, only credentials – mostly his own
► Appears to be just like any other trusted insider user
Source: https://www.washingtonpost.com/politics/intelligence-leaders-push-back-on-leakers-media/2013/06/09/fff80160-d122-11e2-a73e-826d299ff459_story.html
To an analyst, he appears just like anyone else
Alert fatigue results in missed incidents
Signal-to-noise ratio is unmanageable
One user's malicious activity is another user's standard
Is this your SOC?
Tracing an alert in SIEM:
- Take the alert log and extract some features
- Search for hostnames/users/IPs from the alert and get an asset list
- Extract all logs that match that user/asset list
- READ ALL THE LOGS!
The connection graph
Stitching together user activities that cross accounts, devices, IPs and networks requires a new type of data structure that:
• Integrates state changes – so that the attacker stays visible as he changes accounts and IPs across a session
• Incorporates time – to understand that C happened after B happened after A
• Abstracts individual events – so that the entire session can be queried
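As an added illustration (not code from the talk or from any vendor product), here is a minimal session-stitching routine over constructed, already-normalised SIEM events. It starts from the alert, which is the analyst's first step on the previous slide, and walks back along entities (IPs, hosts) rather than user names, so the chain survives the VPN's address assignment and a change of account; it ends with a session summary that can be queried as one unit. The event fields, the `type:value` entity prefixes and the 8-hour window are assumptions for this example.

```python
from datetime import datetime, timedelta

# Constructed, already-normalised SIEM events (not real data). Every event
# moves activity from one entity ("from") to another ("to"); entities carry a
# type prefix so that an IP, a host and a file path can never be confused.
EVENTS = [
    {"ts": "2023-11-20T09:00:00", "type": "vpn_login", "user": "barbara",
     "from": "ip:203.0.113.5", "to": "ip:10.0.0.12"},           # VPN hands out 10.0.0.12
    {"ts": "2023-11-20T09:03:00", "type": "logon", "user": "alice",
     "from": "ip:10.0.0.40", "to": "host:ws-99"},                # unrelated noise
    {"ts": "2023-11-20T09:05:00", "type": "logon", "user": "barbara",
     "from": "ip:10.0.0.12", "to": "host:ws-12"},
    {"ts": "2023-11-20T09:10:00", "type": "logon", "user": "svc_backup",
     "from": "host:ws-12", "to": "host:fileserver"},             # account switch, same chain
    {"ts": "2023-11-20T09:12:00", "type": "file_read", "user": "svc_backup",
     "from": "host:fileserver", "to": "file:/finance/q4.xlsx"},  # the alert we start from
]


def parse_ts(ev):
    return datetime.fromisoformat(ev["ts"])


def stitch_session(events, seed, window=timedelta(hours=8)):
    """Walk backwards from the seed (alert) event. The predecessor of an
    event is the most recent earlier event, inside the window, that produced
    the entity the current event came *from*. Linking is done on entities
    (IP, host), not on user name, so the chain survives account and IP
    changes; time ordering guarantees C happened after B happened after A."""
    chain, cur, seen = [seed], seed, {id(seed)}
    while True:
        t_cur = parse_ts(cur)
        candidates = [
            e for e in events
            if id(e) not in seen
            and e["to"] == cur["from"]
            and t_cur - window <= parse_ts(e) <= t_cur
        ]
        if not candidates:
            break
        cur = max(candidates, key=parse_ts)
        seen.add(id(cur))
        chain.append(cur)
    chain.reverse()  # oldest first
    return chain


def identity_changes(chain):
    """Points in the session where the acting account changed."""
    return [(a["user"], b["user"], b["ts"])
            for a, b in zip(chain, chain[1:]) if a["user"] != b["user"]]


def session_summary(chain):
    """The abstraction the analyst queries instead of reading raw logs."""
    entry = chain[0]["from"]
    return {
        "start": chain[0]["ts"],
        "end": chain[-1]["ts"],
        "entry_ip": entry.split(":", 1)[1] if entry.startswith("ip:") else None,
        "accounts": sorted({e["user"] for e in chain}),
        "hosts": [e["to"].split(":", 1)[1] for e in chain if e["to"].startswith("host:")],
    }


if __name__ == "__main__":
    session = stitch_session(EVENTS, EVENTS[-1])
    for ev in session:
        print(ev["ts"], ev["type"], ev["user"], ev["from"], "->", ev["to"])
    print(identity_changes(session))
    print(session_summary(session))
```

Alice's logon is never pulled in, because no entity in the chain leads to it; the jump from `barbara` to `svc_backup` is kept because the link is `host:ws-12`, not the account name. A real implementation would index events by `to` entity instead of scanning the list, and would bound the window per event type (a VPN lease can legitimately outlive an interactive logon).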
[Bar chart: VPN access sources for user Barbara; y-axis "Frequency" 0-500, x-axis China, Ukraine, Germany, Canada, United States]
Learning a user's behavior over time
User Barbara connected to VPN from US
User Barbara connected to VPN from US
User Barbara connected to VPN from US
User Barbara connected to VPN from GR
User Barbara connected to VPN from GR
....
User Barbara connected to VPN from CN
Let data speak for itself…
[Bar chart repeated: VPN access sources for user Barbara, frequency by country]
• Barbara regularly connects from the United States
• It is abnormal for Barbara to connect from China
• Barbara never connected from Brazil
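To make the baseline concrete, here is an added example (not code from the talk) that builds Barbara's per-country frequency table from constructed VPN log lines in the format shown above, and judges each new login only against the history seen before it. A second constructed user, Alice, is included to show that the same country is routine for one user and an outlier for another. The 5-event cold-start minimum and the 25% "regular" share are assumed thresholds.

```python
import re
from collections import Counter, defaultdict

# Constructed VPN log lines in the shape shown on the slide (not real data).
# Alice's history is included to show that baselines are per user: China is
# routine for her and an outlier for Barbara.
SAMPLE_LOG = (
    ["User Alice connected to VPN from CN"] * 6
    + ["User Barbara connected to VPN from US"] * 3
    + ["User Barbara connected to VPN from GR"]
    + ["User Barbara connected to VPN from US"] * 2
    + ["User Barbara connected to VPN from CN"]
    + ["User Barbara connected to VPN from GR"]
    + ["User Barbara connected to VPN from US"]
    + ["User Barbara connected to VPN from CN"]
)

LINE_RE = re.compile(r"User (\w+) connected to VPN from ([A-Z]{2})")


class VpnCountryBaseline:
    """Per-user frequency table of VPN source countries (the bar chart on
    the slide), learned incrementally as events arrive."""

    def __init__(self, min_history=5, regular_share=0.25):
        self.counts = defaultdict(Counter)  # user -> Counter(country -> logins)
        self.min_history = min_history      # assumed: do not judge before this many events
        self.regular_share = regular_share  # assumed: share of logins that makes a country "regular"

    def assess(self, user, country):
        """Classify a (user, country) pair against the history seen so far."""
        hist = self.counts[user]
        total = sum(hist.values())
        if total < self.min_history:
            return "insufficient_history"  # cold start: do not alert yet
        if hist[country] == 0:
            return "never_seen"
        if hist[country] / total >= self.regular_share:
            return "regular"
        return "abnormal"

    def learn(self, user, country):
        self.counts[user][country] += 1


def process(lines, baseline=None):
    """Stream log lines through the baseline: every event is first assessed
    against what was learned before it, then added to the history."""
    baseline = baseline or VpnCountryBaseline()
    verdicts = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # ignore lines that are not VPN logins
        user, country = m.groups()
        verdicts.append((user, country, baseline.assess(user, country)))
        baseline.learn(user, country)
    return baseline, verdicts


if __name__ == "__main__":
    baseline, verdicts = process(SAMPLE_LOG)
    for user, country, verdict in verdicts:
        print(f"{user:8} {country}  {verdict}")
    print("Barbara's chart:", dict(baseline.counts["Barbara"]))
    print("Barbara from BR:", baseline.assess("Barbara", "BR"))
```

Note the order of `assess` before `learn`: judging an event against a history that already contains it would make every first-time country look slightly less novel. The cold-start gate is the practical caveat: a brand-new user (or a freshly onboarded log source) has no baseline, and a system that alerts on "never seen" during that window produces exactly the noise the previous slides describe.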
Applying machine learning to user behavior

About the user:
• Who is this user to the organization?
• What are this user's peers?
• Does this user have any special characteristics? Is he an executive? A privileged user perhaps?
• When does the user usually log in?
• When did we last see this user?

About the login:
• Where is the user connecting from? ISPs, states, countries, etc.
• When does the user usually log in?
• Is the source IP known as a good/bad IP?

About the asset:
• Who used this asset before?
• What kind of users log in to this asset?
• What actions are normally performed on this asset?

About the network:
• Which users use this network?
• What peer groups are using this network?
• What kind of activities happen on this network?

About the server:
• Which users normally use this server?
• Which users are the administrators of this server?
• What applications run on this server?
• How do users normally access this server?

About the alert:
• Is this alert a common alert in the organization?
• Has this alert ever fired before on this asset?
• Has this alert ever fired before for this user?

About the application:
• Which users access this application?
• What hosts hold this application?
• What arguments are used with this application?
Let's try this again, with user behavior analytics
• User Barbara has:
► Abnormally logged in using VPN from China
► Accessed networks she never accessed before
► Accessed a server that no one in her peer group uses
► Edited a file she normally only reads
► Triggered an alert for malware
► The first time this malware is seen in this organization
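As an added example that is not from the talk, here is how the questions on the preceding slides and the findings on this one combine into one scored incident for Barbara's session: each learned baseline (VPN countries, networks, who uses a server and which peer group they belong to, file actions per user, alert history for the organization) yields a signal with a weight, and the session's score is their sum. All baselines, users, hosts, paths, alert names and weights are constructed for the example; the scoring is simple threshold logic standing in for the learned models the talk describes, and a routine session from Barbara's peer Carol is included as a control.

```python
from collections import Counter

# Constructed baselines standing in for what the analytics learned over time.
# Every user, host, path and alert name here is made up for the example.
PEER_GROUP = {"Barbara": "finance", "Carol": "finance", "Dave": "finance", "Eve": "it-ops"}
VPN_COUNTRIES = {"Barbara": Counter({"US": 420, "GR": 12}), "Carol": Counter({"US": 300})}
NETWORKS = {"Barbara": {"corp-lan", "vpn-pool"}, "Carol": {"corp-lan", "vpn-pool"},
            "Eve": {"corp-lan", "vpn-pool", "hr-segment"}}
SERVER_USERS = {"fs-finance": {"Barbara", "Carol", "Dave"}, "db-hr": {"Eve"}}
FILE_ACTIONS = {("Barbara", "/finance/q4.xlsx"): {"read"},
                ("Carol", "/finance/q4.xlsx"): {"read", "edit"}}
ORG_ALERTS = Counter({"IDS: SSH brute force": 40, "AV: Generic.Trojan": 3})

RARE_SHARE = 0.05  # assumed: below this share of a user's logins a country counts as rare


def vpn_signal(user, country):
    hist = VPN_COUNTRIES.get(user, Counter())
    total = sum(hist.values())
    if total == 0 or hist[country] == 0:
        return ("vpn_country_never_seen", 30)
    if hist[country] / total < RARE_SHARE:
        return ("vpn_country_rare", 20)
    return None


def network_signal(user, network):
    if network not in NETWORKS.get(user, set()):
        return ("network_never_used_by_user", 15)
    return None


def server_signals(user, host):
    """New-for-user is mild; new for the whole peer group is what matters."""
    users = SERVER_USERS.get(host, set())
    if user in users:
        return []
    out = [("server_new_for_user", 10)]
    peers = {u for u, g in PEER_GROUP.items() if g == PEER_GROUP.get(user) and u != user}
    if not peers & users:
        out.append(("server_unused_by_peer_group", 25))
    return out


def file_signal(user, path, action):
    if action not in FILE_ACTIONS.get((user, path), set()):
        return ("file_action_unusual_for_user", 20)
    return None


def alert_signal(name):
    if ORG_ALERTS[name] == 0:
        return ("alert_first_seen_in_org", 30)
    return ("alert_known_in_org", 5)


def session_signals(user, events):
    for ev in events:
        kind = ev["type"]
        if kind == "vpn":
            yield vpn_signal(user, ev["country"])
        elif kind == "network":
            yield network_signal(user, ev["network"])
        elif kind == "server":
            yield from server_signals(user, ev["host"])
        elif kind == "file":
            yield file_signal(user, ev["path"], ev["action"])
        elif kind == "alert":
            yield alert_signal(ev["name"])


def score_session(user, events):
    """Fold every anomaly in one user's session into a single score plus the
    list of reasons, so the analyst reads one ranked incident rather than a
    dozen unrelated SIEM alerts."""
    reasons = [s for s in session_signals(user, events) if s is not None]
    return sum(weight for _, weight in reasons), reasons


# Barbara's session from the slide, and a routine session from a peer as control.
BARBARA_SESSION = [
    {"type": "vpn", "country": "CN"},
    {"type": "network", "network": "hr-segment"},
    {"type": "server", "host": "db-hr"},
    {"type": "file", "path": "/finance/q4.xlsx", "action": "edit"},
    {"type": "alert", "name": "AV: Unknown.Dropper"},
]
CAROL_SESSION = [
    {"type": "vpn", "country": "US"},
    {"type": "server", "host": "fs-finance"},
    {"type": "file", "path": "/finance/q4.xlsx", "action": "read"},
]

if __name__ == "__main__":
    for user, session in (("Barbara", BARBARA_SESSION), ("Carol", CAROL_SESSION)):
        total, reasons = score_session(user, session)
        print(user, total, [r for r, _ in reasons])
```

The same `db-hr` access that adds 35 points for Barbara adds nothing for Eve, whose peer group owns that server, which is the point of the earlier "one user's malicious activity is another user's standard" slide. The reasons list is what makes the score actionable: a bare number sends the analyst back to reading all the logs.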