Is That Normal? Behaviour Modelling On The Cheap
1 like1,114 views
The document discusses behavior modeling in cybersecurity, specifically focusing on cost-effective strategies for monitoring and analyzing data breaches. It emphasizes the importance of proper data management and actionable insights, advocating for the use of relational databases and metadata to improve efficiency. Key takeaways include starting small, building on success, and reducing workload for security teams through effective logging and monitoring practices.
Is That Normal? Behaviour Modelling On The Cheap
- 1. Is That Normal? Behaviour modelling on the cheap Mark Nunnikhoven, bunch of letters @marknca Just like you probably can’t see this, I can’t see the backchannel Tweet me now @marknca, I’ll reply after the talk…
- 2. What is it? What folks are doing
- 3. Today’s talk Context The gap Getting started
- 4. Recently…
- 6. 450 000 000
- 7. Target 27-Nov-2013—15-Dec-2013 First CEO “resignation” due to information security incident
- 8. The Home Depot Early May-2014—Late Aug-2014 a/k/a “Target 2”
- 9. ebay Late Feb-2014—Mid May-2014 Nominated for “Worst Communications During An Incident”
- 10. Houston Astros 17-Jun–2013—17-Oct-2014 “Oh shit, they tried to trade me for an old bus and a hot dog vendor?”
- 11. Amazing visualization from Information Is Beautiful “World’s Biggest Data Breaches & Hacks”
- 12. 0d Because it was successful, it was “an APT”…at least according to marketing
- 13. KISS Simple works. A lot. With minimal effort Why waste a “bunker buster” when they left the door open?
- 14. The Problem
- 15. Data Restrict inbound Restrict outbound Heavily monitor access
- 16. User Restrict inbound Allow outbound Little to no monitoring
- 18. Authentication Authorization Yes, we only use 2 types of controls to police this space. Amazing isn’t it?
- 19. Authentication Authorization Behaviour analysis 3 is more than 2. So that’s an immediate win when reporting up to your boss(es)
- 20. How?
- 21. What to look at All traffic leaving user space
- 22. What to look at All traffic leaving user space
- 23. What to look for Malicious patterns You might want to consider buying something here or at least Martin’s solution However, if you don’t have a strong process for handling alerts don’t bother!
- 24. What to look for Odd access patterns You can buy products that help here but we can get good ROI with DIY If you already have a SIEM, put this effort into tuning it’s rules & alerts
- 25. Starting point …and only a starting point
- 26. The Goal Provide actionable information to your team You’re never going to get 100% automated here BUT you can reduce your team’s workload
- 27. In order of importance Access Transactions Authentication << fancy circles for no particular reason
- 28. And then? Dump it all in a database Yes, an old school relational database
- 29. Dump it? Well no…that’ll cause problems* * Only if you want to do anything with the data. If you want a(nother) shelfware project, go ahead The #1 problem with RDBMS is that few people consider what they want to get _out_ of them
- 30. Hardware Table Structure Desktop Hour Bigger Day Biggest Week Bigger-est Month Ridiculous This talk has “on the Cheap” in the title. Stop showing off It’s amazing what an old school DB can do when structured properly There is a reason why we’ve stuck with the tech for 40+ years
- 31. Anything else? Add metadata on ingestion* * You’re trying to save computation later on. And it’s easier to line up usernames or groups now rather than later. You can do fun things with caching too I felt like using the term “metadata” would add more credibility and a nice NSA-esque feeling here
- 32. Indices? Store the timestamp as YYYY-MM-DD-HH-MM-SS* * No wiggle room. It’s easier to do computations on this way First person to say “what about seconds since the epoch?” gets a free gift It’s not a good gift. You don’t want it. Trust me on this
- 33. Hardware Query Breadth (in tables) Desktop 1 Bigger 2-3 Biggest 3-5 Bigger-est 3-5 Ridiculous Didn’t you get the message on 2 slides ago? How you structure your query has a major impact on performance That should be obvious. If not, it is now
- 34. Hardware Query Size (in dimensions) More dimensions == slower performance but potentially more useful answers Use your judgement here Desktop 2-3 Bigger 3-5 Biggest 5-7 Bigger-est 5-7 Ridiculous Seriously, WTF?
- 35. How do I frame questions for the data? Based on the average of X, what are the outliers? * select min(thing_I_want) from (group_of_things_I_want) select max(thing_I_want) from (group_of_things_I_want) Not the Malcolm Gladwell Outliers, actual math-y type ones
- 36. Questions you should ask your data? <Timeline for logins> <Period of access for user> <Size of transaction> <Number of domains per day> * These four will net a lot of interesting info Start simple, build up the questions you ask based on success “If it isn’t actionable, get rid of it”, Rob Edwards < awesome guy
- 37. Use your logs Reduce work for your team Start small, build
- 38. Thanks! Mark Nunnikhoven @marknca Now send me a tweet ;-)