Raffael Marty, CEO
Creating Your Own Threat Intel
Through Hunting & Visualization
Tenerife, Spain
February, 2016
Security. Analytics. Insight.3
Contents
1. Threat Intelligence - A Process and Infrastructure View
2. Visualization - A Threat Intelligence Gold Mine
3. Hunting - AKA Internal Threat Intelligence
Threat Intelligence
We Are Monitoring - What is Going Wrong?
• Products / Tools
  • Firewall - Blocks traffic based on pre-defined rules
  • Web Application Firewall - Monitors for signs of known malicious activity in Web traffic
  • Intrusion Prevention System - Looks for ‘signs’ of known attacks in traffic and protocol violations
  • Anti Virus - Looks for ‘signs’ of known attacks on the end system
  • Malware Sandbox - Runs new binaries and monitors their behavior for malicious signs
  • Security Information Management - Uses pre-defined rules to correlate signs from different data streams to augment intelligence
  • Vulnerability Scanning - Searches for known vulnerabilities and vulnerable software
Defense Has Been Relying On Past Knowledge
• Rely on pattern matching and signature-based knowledge from the past
• Reactive -> always behind
• Unknown and new threats -> won’t be detected
• ‘Imperfect’ patterns and rules -> cause a lot of false positives
Event Funnel - How We Used To Do It
(Diagram: an event funnel narrowing data through rule-based correlation, prioritization and simple statistics down to attack candidates)
• What rules do you write?
• Do the vendor provided rules work for you?
• How do you define a priority 10 event?
• High false positive rate!
  • Unless alerts are VERY focused
• High false negative rate!
  • Do you know what you don’t know?
Then Came Threat Intelligence
(Diagram: the same funnel, now fed with IOCs, still yielding attack candidates)
• How many hits do you really get?
  • You are missing most attacks
• How do you match these efficiently against a real-time stream?
• How do you de-duplicate and normalize these feeds?
70–90% OF MALWARE SAMPLES ARE UNIQUE TO AN ORGANIZATION.
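The two questions above (de-duplicating and normalizing feeds, then matching them against a stream) as an added example that is not from the original deck: several feeds are normalized into one indexed set per indicator kind, and each log line is checked field by field against that index. The feed contents, log lines and field-to-kind mapping are constructed assumptions.

```python
"""Normalize and de-duplicate IOC feeds, then match them against a log stream.

Added example, not from the original slides. The two feeds, the indicator
values and the log lines are constructed; the field names are assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed feeds: overlapping indicators in inconsistent formats (defanged,
# mixed case, trailing dot, leading zeros, different type names).
FEED_A = [("domain", "Bad-Example.TEST."), ("ipv4", "203.0.113.010"),
          ("url", "hxxp://bad-example[.]test:443/path?x=1"),
          ("md5", "D41D8CD98F00B204E9800998ECF8427E")]
FEED_B = [("hostname", "bad-example[.]test"), ("ip", "203.0.113.10"),
          ("md5", "d41d8cd98f00b204e9800998ecf8427e"), ("domain", "other.example.test")]
KIND_ALIASES = {"ip": "ipv4", "ipv4": "ipv4", "hostname": "domain",
                "domain": "domain", "url": "url", "md5": "md5"}

def refang(value):
    """Undo common defanging: hxxp -> http, [.] and (.) -> ."""
    value = value.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)

def normalize(kind, value):
    """Return (kind, canonical value), or None when the indicator cannot be parsed.
    URLs are reduced to their host so they match the same field as domain IOCs."""
    kind = KIND_ALIASES.get(kind.lower())
    if kind is None:
        return None
    value = refang(value.strip())
    if kind == "url":
        value = value.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
        kind = "domain"
    if kind == "domain":
        value = value.lower().rstrip(".")
        return (kind, value) if re.fullmatch(r"[a-z0-9.-]+", value) else None
    if kind == "ipv4":
        try:  # int() strips leading zeros, which ipaddress rejects as ambiguous
            octets = [str(int(o, 10)) for o in value.split(".")]
            return kind, str(ipaddress.IPv4Address(".".join(octets)))
        except ValueError:
            return None
    value = value.lower()  # md5
    return (kind, value) if re.fullmatch(r"[0-9a-f]{32}", value) else None

def build_index(*feeds):
    """Merge feeds into one set per kind: de-duplication falls out of the set, and
    one set lookup per event field is O(1), which a real-time stream needs."""
    index = defaultdict(set)
    for feed in feeds:
        for kind, raw in feed:
            norm = normalize(kind, raw)
            if norm:
                index[norm[0]].add(norm[1])
    return index

# Assumed mapping from log field names to indicator kinds.
FIELD_KINDS = {"query": "domain", "host": "domain", "dst": "ipv4", "md5": "md5"}

def match_stream(lines, index):
    """Return (line_no, kind, value) for every event field that hits the index."""
    hits = []
    for n, line in enumerate(lines, 1):
        for key, raw in re.findall(r"(\w+)=(\S+)", line):
            kind = FIELD_KINDS.get(key)
            norm = normalize(kind, raw) if kind else None
            if norm and norm[1] in index.get(norm[0], ()):
                hits.append((n, norm[0], norm[1]))
    return hits

# Constructed log lines from three different sources (DNS, proxy, AV).
LOG = ["2016-02-10T10:00:01 dns client=10.1.2.3 query=Bad-Example.test. type=A",
       "2016-02-10T10:00:02 proxy client=10.1.2.4 dst=203.0.113.10 host=cdn.example.test",
       "2016-02-10T10:00:03 av host=ws-17 md5=D41D8CD98F00B204E9800998ECF8427E verdict=clean",
       "2016-02-10T10:00:04 proxy client=10.1.2.5 dst=198.51.100.7 host=www.example.test"]

if __name__ == "__main__":
    index = build_index(FEED_A, FEED_B)  # 8 raw indicators collapse to 4 unique ones
    for hit in match_stream(LOG, index):
        print("hit:", hit)
```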
Removing the Event Funnel - Hello Data Lake
(Diagram: any data flows into a Big Data Lake; Rules, context and IOCs are applied on top of it)
• Storing more, and more diverse data
  • Kafka and “dynamic parsing”
• Enabling large-scale processing
  • Spark, SparkStreaming, Storm, Parquet
• Using “standard” data access (SQL, REST)
  • Plug in any other tool!
This per se is not new …
Adding Interactive - Analyst Driven Exploration
(Diagram: the same data lake with Rules, context and IOCs, now with Hunting added)
… but first we get the human in the loop …
Hunting
• interactive visualization
• analyst driven
• machine assisted
Hunting Creates Internal Threat Intelligence
(Diagram: hunting over the data lake surfaces Novel, Advanced Attacks; the findings become internal TI alongside the Rules, context and IOCs)
… then, let’s rethink our rules …
Hunting Creates Internal Threat Intelligence
(Diagram: the same data lake; internal TI is distilled into Patterns, the outputs are Novel, Advanced Attacks and Low False Positive Alerts)
… then, let’s rethink our rules … patterns anyone?
Buzzword Bingo
(Diagram: the same architecture, now labelled with behavioral monitoring, scoring, anomaly detection, machine learning, artificial intelligence, “models”, data science, internal TI and Patterns)
… and finally, we are buzzword compliant …
How Does All That Architecture Stuff Matter?
In the following we’ll explore how this all matters …
… but first, let’s see how visualization plays a key role here.
Visualization
“How Can We See, Not To Confirm - But To Learn”
- Edward Tufte
Why Visualization?
(Chart: dport over time)
SELECT count(distinct protocol) FROM flows;
SELECT count(distinct port) FROM flows;
SELECT count(distinct src_network) FROM flows;
SELECT count(distinct dest_network) FROM flows;
SELECT port, count(*) FROM flows GROUP BY port;
-- bucket the flow counts per protocol into contiguous ranges
SELECT protocol,
  count(CASE WHEN flows < 200 THEN 1 END) AS [<200],
  count(CASE WHEN flows >= 200 AND flows < 300 THEN 1 END) AS [200 - 299],
  count(CASE WHEN flows >= 300 AND flows < 350 THEN 1 END) AS [300 - 349],
  count(CASE WHEN flows >= 350 THEN 1 END) AS [>=350]
FROM flows GROUP BY protocol;
SELECT port, count(distinct src_network) FROM flows GROUP BY port;
-- group by the selected column (src_network), not by port
SELECT src_network, count(distinct dest_network) FROM flows GROUP BY src_network;
SELECT src_network, count(distinct dest_network) AS dn, sum(flows) FROM flows GROUP BY src_network;
SELECT port, protocol, count(*) FROM flows GROUP BY port, protocol;
SELECT sum(flows), dest_network FROM flows GROUP BY dest_network;
…
One Graph Summarizes Dozens of Queries
(Parallel coordinates graph with axes: port, dest_network, protocol, src_network, flows)
Visualization To …
• Present / Communicate
• Discover / Explore
Analytics Components
We will have a look at a couple of components from earlier:
• Context
• Data Science
  • Clustering
  • Seriation - Data Science Gone Wrong
  • Time-series Analysis
Did You Know?
(Graph: users accessing Sharepoint servers; node types: User, Sharepoint Server; pipeline: data -> processing -> visualization)
This graph of users accessing Sharepoint servers does not immediately reveal any interesting patterns.
Did You Know - How Context Tells a Story
Using HR data as context
(Graph: the same data; node types: Remote User, San Francisco Office User, Sharepoint Server; pipeline: data + HR data -> processing -> visualization)
Using color to add context to the graph helps immediately identify outliers and potential problems.
Data Science in Security - Words of Caution
• Simple stuff works!
  • dc(dest), dc(d_port) (dc = distinct count)
• What is normal?
• Use data science / data mining to prepare data. Then visualize the output for the human analyst.
Challenges With Clustering Network Traffic
(Graph: an abstract space with colors being machine-identified clusters.)
Hard Questions:
• What are these clusters?
• Do Web servers cluster?
• What are good clusters?
• What’s anomalous?
Data Science That Works
(Scatter plot with a fixed threshold line: outliers have different magnitudes)
Approximate Curve
(Same plot: fitting a curve, then measuring the distance to the curve)
Data Mining Applied
(Same plot: thresholding the distance to the curve gives a better threshold)
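The three slides above (fixed threshold, fitted curve, distance to curve) as an added example that is not from the original deck: it computes dc(dest) and dc(d_port) per source from constructed flow records, fits a curve through the point cloud, and flags sources by their distance to that curve, next to the naive fixed threshold. Host names, counts and flow records are constructed; the Theil-Sen fit is my choice of robust curve, not one the slides specify.

```python
"""Distance-to-curve outliers on per-source dc(dest) vs dc(d_port).

Added example, not from the original deck. Instead of a fixed threshold on
dc(dest), fit a curve through the (dc(dest), dc(d_port)) cloud and threshold
the distance to it. Hosts, counts and flow records are constructed.
"""
import math
from collections import defaultdict
from itertools import combinations

def make_flows(src, n_dest, n_port):
    """Constructed flows: src talks to n_dest distinct hosts over n_port distinct ports."""
    return [(src, f"10.{(i % n_dest) // 256}.{(i % n_dest) % 256}.1", 1000 + i % n_port)
            for i in range(max(n_dest, n_port))]

# Normal hosts roughly follow dc(d_port) ~ 2*sqrt(dc(dest)); three special cases:
PROFILE = {"ws1": (4, 4), "ws2": (9, 7), "ws3": (16, 8), "ws4": (25, 11), "ws5": (36, 12),
           "ws6": (49, 13), "ws7": (64, 16), "ws8": (100, 20),
           "proxy": (400, 40),     # large magnitude but on the curve: a fixed threshold flags it
           "scanner": (6, 40),     # few hosts, many ports: small magnitude, off the curve
           "sweeper": (300, 2)}    # many hosts, two ports: off the curve the other way
FLOWS = [f for src, (d, p) in PROFILE.items() for f in make_flows(src, d, p)]

def distinct_counts(flows):
    """Per source: (dc(dest), dc(d_port)), i.e. the distinct counts from the slide."""
    dests, ports = defaultdict(set), defaultdict(set)
    for src, dst, dport in flows:
        dests[src].add(dst)
        ports[src].add(dport)
    return {src: (len(dests[src]), len(ports[src])) for src in dests}

def median(values):
    s = sorted(values)
    n = len(s)
    return s[n // 2] if n % 2 else (s[n // 2 - 1] + s[n // 2]) / 2

def fit_loglog(counts):
    """Theil-Sen fit of ln dc_port = a + b*ln dc_dest. The median of pairwise slopes
    is barely moved by the outliers we are looking for; least squares would be."""
    pts = [(math.log(d), math.log(p)) for d, p in counts.values()]
    b = median([(y2 - y1) / (x2 - x1) for (x1, y1), (x2, y2) in combinations(pts, 2) if x1 != x2])
    a = median([y - b * x for x, y in pts])
    return a, b

def curve_outliers(counts, factor=3.0):
    """Sources whose dc(d_port) is more than `factor` times above or below the curve."""
    a, b = fit_loglog(counts)
    limit = math.log(factor)
    return sorted(src for src, (d, p) in counts.items()
                  if abs(math.log(p) - (a + b * math.log(d))) > limit)

def fixed_threshold_outliers(counts, max_dest=200):
    """The naive rule: flag anything talking to more than max_dest hosts."""
    return sorted(src for src, (d, _) in counts.items() if d > max_dest)

if __name__ == "__main__":
    counts = distinct_counts(FLOWS)
    print("fixed threshold:  ", fixed_threshold_outliers(counts))  # proxy, sweeper; scanner missed
    print("distance to curve:", curve_outliers(counts))            # scanner, sweeper
```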
Hunting
Hunting - Ready, Fire, Aim
• Analysts are your best and most expensive resource
• They need the right tools and data
  • Speed (see earlier architecture)
  • Interaction (visual!)
  • Machine-assisted insight
Examples
• Exploring DNS traffic
• High business impact machine analysis
• Lateral movement
HBI (High Business Impact) Metric Analysis
Visually learn, Test, Automate
HBI Metric Analysis - If you like Black Backgrounds
Let’s Get Mathematical
We have tried many things:
• Social Network Analysis
• Seasonality detection
• Entropy over time
• Frequent pattern mining
• Clustering
All kinds of challenges. Simple works!
(Figure: U−matrix, color scale from 4.28e−05 through 0.0461 to 0.0921)
Simple - Data Abstraction
Lateral Movement - Cross Network Communications
Challenges
• Scale
• You will find one of everything
• Defining white-lists and keeping them up to date (i.e., network and asset hygiene)
(Graph: communications between network zones: VPN, DMZ, Office, GIA, Unknown, Internet, AWS)
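An added example (not from the slides) that turns the cross-network graph above into numbers: flows are mapped onto the zones the slide names, counted per zone pair, and compared with a white-list of expected pairs, rarest pairs first. The address ranges, the white-list and the flow records are constructed assumptions.

```python
"""Zone-to-zone communication matrix checked against a white-list.

Added example, not from the original slides. Zone names follow the slide
(VPN, DMZ, Office, GIA, Unknown, Internet, AWS); the ranges, the white-list
and the flow records are constructed.
"""
import ipaddress
from collections import Counter

# Constructed zone map; the longest prefix wins. Unmapped RFC 1918 space is
# "Unknown" (asset hygiene gap), anything else is "Internet".
ZONES = [("10.10.0.0/16", "Office"), ("10.20.0.0/16", "VPN"), ("10.30.0.0/24", "GIA"),
         ("192.0.2.0/24", "DMZ"), ("172.31.0.0/16", "AWS")]
ZONE_NETS = sorted(((ipaddress.ip_network(n), z) for n, z in ZONES),
                   key=lambda t: t[0].prefixlen, reverse=True)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed white-list of expected zone pairs, directional (src -> dst).
ALLOWED = {("Office", "DMZ"), ("Office", "Internet"), ("Office", "AWS"),
           ("VPN", "Office"), ("VPN", "DMZ"), ("Internet", "DMZ"), ("DMZ", "AWS")}

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, zone in ZONE_NETS:
        if addr in net:
            return zone
    return "Unknown" if any(addr in net for net in RFC1918) else "Internet"

def zone_matrix(flows):
    """Count flows per (src_zone, dst_zone): the slide's graph, as numbers."""
    return Counter((zone_of(src), zone_of(dst)) for src, dst, _ in flows)

def unexpected_pairs(matrix, allowed):
    """Cross-zone pairs seen in traffic but missing from the white-list, rarest
    first: 'you will find one of everything', so single-flow pairs are where
    hunting starts. Intra-zone traffic is left out."""
    return sorted(((pair, n) for pair, n in matrix.items()
                   if pair not in allowed and pair[0] != pair[1]),
                  key=lambda t: (t[1], t[0]))

# Constructed flow records: (src_ip, dst_ip, dst_port)
FLOWS = [("10.10.4.7", "192.0.2.10", 443), ("10.10.4.8", "192.0.2.10", 443),
         ("10.10.4.7", "198.51.100.5", 443), ("10.20.1.9", "10.10.4.7", 3389),
         ("203.0.113.4", "192.0.2.10", 443), ("10.10.4.9", "172.31.5.5", 22),
         ("192.0.2.10", "10.10.4.7", 445),   # DMZ -> Office: web tier reaching into the LAN
         ("10.10.4.7", "10.30.0.12", 445),   # Office -> GIA: not on the white-list
         ("10.99.1.1", "10.10.4.7", 22),     # unmapped private space -> Office
         ("172.31.5.5", "10.20.1.9", 22)]    # AWS -> VPN

if __name__ == "__main__":
    matrix = zone_matrix(FLOWS)
    for (src, dst), n in sorted(matrix.items()):
        print(f"{src:>8} -> {dst:<8} {n}")
    print("unexpected:", unexpected_pairs(matrix, ALLOWED))
```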
Security Visualization Community
http://secviz.org
List: secviz.org/mailinglist
Twitter: @secviz
Share, discuss, challenge, and learn about security visualization.
BlackHat Workshop
Visual Analytics - Delivering Actionable Security Intelligence
July 30, 31 & August 1, 2 - Las Vegas, USA
big data | analytics | visualization
http://secviz.org
After some exploration …
Further resources:
raffael.marty@pixlcloud.com
http://slideshare.net/zrlram
http://secviz.org and @secviz
