Machine Learning for Threat Detection
Download as PPTX, PDF7 likes4,476 views
This document discusses user behavioral analytics and machine learning for threat detection. It summarizes that legacy security information and event management (SIEM) technologies are not adequate for detecting insider threats and advanced adversaries. It then describes how user behavioral analytics uses machine learning to develop multi-entity behavioral models across users, applications, hosts, and networks to detect anomalous behavior indicative of insider threats or advanced cyberattacks. Contact information is provided for the security consultant presenting on this topic.
![Legacy SIEM type technologies aren’t
enough to detect insider threats and
advanced adversaries and are poorly
designed for rapid incident response.
[SIEM - Security Information & Event Management]](https://image.slidesharecdn.com/8splunkuba-machinelearningforthreatdetectionharrymclaren-160514174302/85/Machine-Learning-for-Threat-Detection-4-320.jpg)
Machine Learning for Threat Detection
- 1. USER BEHAVIOURAL ANALYTICS Machine Learning for Threat Detection Harry McLaren – Security Consultant at ECS
- 2. HARRY MCLAREN •Alumnus of Edinburgh Napier •Security Consultant at ECS • SOC & CSIR Development • Splunk Consultant & Architect
- 3. ACCELERATING PACE OF DATA Volume | Velocity | Variety | Variability
- 4. Legacy SIEM type technologies aren’t enough to detect insider threats and advanced adversaries and are poorly designed for rapid incident response. [SIEM - Security Information & Event Management]
- 5. Inadequate Contextual Data 68% of respondents in the survey said that reports often only indicated changes without specifying what the change was. Innocuous Events of Interest 81% of respondents said that SIEM reports contain too much extraneous information and were overwhelmed with false positives. 2016 SIEM Efficiency Survey - Conducted by Netwrix
- 6. 1995 2002 2008 2011 2015 END-POINT SECURITY NETWORK SECURITY EARLY CORRELATION PAYLOAD ANALYSIS BEHAVIOR ANALYSIS TECHNOLOGY DEVELOPMENT CAPABILITY EVOLUTION
- 7. KILL CHAIN - EVENTS OVERLOAD
- 8. SECURITY PLATFORM DETECTING UNKNOWN THREATS SECURITY & COMPLIANCE REPORTING INCIDENT INVESTIGATIONS & FORENSICS REAL-TIME MONITORING OF KNOWN THREATS DETECTION OF INSIDER THREATS DETECTION OF ADVANCED CYBER ATTACKS Splunk Enterprise Security Splunk UBA
- 9. MACHINE LEARNING EVOLUTION EVOLUTION COMPLEXITY RULES - THRESHOLD POLICY - THRESHOLD POLICY - STATISTICS UNSUPERVISED MACHINE LEARNING POLICY - PEER GROUP STATISTICS SUPERVISED MACHINE LEARNING
- 10. DETECT ADVANCED CYBERATTACKS DETECT MALICIOUS INSIDER THREATS ANOMALY DETECTION THREAT DETECTION UNSUPERVISED MACHINE LEARNING BEHAVIOR BASELINING & MODELING REAL-TIME & BIG DATA ARCHITECTURE WHAT IS SPLUNK USER BEHAVIORAL ANALYTICS?
- 11. INSIDER THREAT John connects via VPN Administrator performs ssh (root) to a file share - finance department John executes remote desktop to a system (administrator) - PCI zone John elevates his privileges root copies the document to another file share - Corporate zone root accesses a sensitive document from the file share root uses a set of Twitter handles to chop and copy the data outside the enterprise USER ACTIVITY Day 1 . . Day 2 . . Day N
- 14. UBA 2.2 LATEST FEATURES • Threat Modeling Framework • Create custom threats using 60+ anomalies. • Enhanced Security Analytics • Visibility and baseline metrics around user, device, application and protocols. • Risk Percentile & Dynamic Peer Groups • Support for Additional 3rd Party Devices
Editor's Notes
- #2: Slide: Title
- #3: Slide: Introduction
- #4: Slide: Machine Data
- #5: Slide: Problem – Legacy SIEM
- #6: Slide: Evidence The same survey showed that over half of the respondents are trying to employ more entry level analysts to deal with the overwhelming (but largely worthless) alerts coming from their legacy SIEMs and further more turning to audits and compliance activities to overcome the SIEMs drawbacks. Sources: http://www.bloomberg.com/research/markets/news/article.asp?docKey=600-201603150921MRKTWIREUSPR_____1249121-1 http://www.information-age.com/technology/information-management/123461162/why-big-data-and-siem-dont-always-equal-big-answers-security
- #7: Slide: Technology Development
- #8: Slide: Events Overload
- #9: Slide: Splunk Security Platform
- #10: Slide: Machine Learning Evolution
- #11: Slide: Solution – Splunk UBA Splunk User Behavior Analytics is a cyber security and threat detection solution that helps organizations find hidden threats without using rules, signatures or human analysis. It uses behavior modeling, peer group analysis, real-time statistical analysis, collaborative filtering and other machine learning techniques. Has a 99% reduction of notable events in various customer based case studies, enabling analysts to focus on important threats and not waste time confirming false positives. Attack Defenses User & Entity Behavior Baseline Behavioral Peer Group Analysis Insider Threat Detection IP Reputation Analysis Reconnaissance, Botnet and C&C Analysis Statistical Analysis Data Exfiltration Models Lateral Movement Analysis Polymorphic Attack Analysis Cyber Attack / External Threat Detection Entropy/Rare Event Detection User/Device Dynamic Fingerprinting Threat Attack Correlation Data Sources Key: Identity/Authentication Active Directory/Domain Controller Single Sign-on HRIS VPN DNS, DHCP Activity Web Gateway Proxy Server Firewall DLP Security Products Malware Endpoint IDS, IPS, AV Optional: SaaS/Mobile AWS CloudTrail Box, SF.com, Dropbox, other SaaS apps Mobile Devices External Threat Feeds Threat Stream, FS-ISAC or other blacklists for IPs/domains
- #12: Slide: Example – Insider Threat
- #13: Slide: Behaviour Modelling Categories Deviation from Baseline Time series Rarity, probabilistic difference Rare sequences Outliers Advanced Behaviour Detection Beaconing Exploit kit Malware for HTTP Malware for IP Webshell Graph Models Lateral movement Resource Access Helper Models Anomalies based on rules Externals alarms handlers Session Building Connection between events Track activity from different perspectives in a kill chain Threat Models Graph-based models Session-based models Rule-based models
- #14: Demo