Page 1: Machine Learning for Threat Detection

USER BEHAVIOURAL ANALYTICS
Machine Learning for Threat Detection
Harry McLaren – Security Consultant at ECS

Page 2: Machine Learning for Threat Detection

HARRY MCLAREN

• Alumnus of Edinburgh Napier
• Security Consultant at ECS
• SOC & CSIR Development
• Splunk Consultant & Architect

Page 3: Machine Learning for Threat Detection

ACCELERATING PACE OF DATA

Volume | Velocity | Variety | Variability

Page 4: Machine Learning for Threat Detection

Legacy SIEM type technologies aren’t enough to detect insider threats and advanced adversaries and are poorly designed for rapid incident response.

[SIEM - Security Information & Event Management]

Page 5: Machine Learning for Threat Detection

Inadequate Contextual Data: 68% of respondents in the survey said that reports often only indicated changes without specifying what the change was.

Innocuous Events of Interest: 81% of respondents said that SIEM reports contain too much extraneous information and were overwhelmed with false positives.

2016 SIEM Efficiency Survey - Conducted by Netwrix

Page 6: Machine Learning for Threat Detection

CAPABILITY EVOLUTION vs. TECHNOLOGY DEVELOPMENT (timeline figure)

Years: 1995, 2002, 2008, 2011, 2015

Stages: END-POINT SECURITY, NETWORK SECURITY, EARLY CORRELATION, PAYLOAD ANALYSIS, BEHAVIOR ANALYSIS

Page 7: Machine Learning for Threat Detection

KILL CHAIN - EVENTS OVERLOAD

Page 8: Machine Learning for Threat Detection

SECURITY PLATFORM

DETECTING UNKNOWN THREATS

SECURITY & COMPLIANCE REPORTING

INCIDENT INVESTIGATIONS & FORENSICS

REAL-TIME MONITORING OF KNOWN THREATS

DETECTION OF INSIDER THREATS

DETECTION OF ADVANCED CYBER ATTACKS

Splunk Enterprise Security
Splunk UBA

Page 9: Machine Learning for Threat Detection

MACHINE LEARNING EVOLUTION (axes: EVOLUTION vs. COMPLEXITY)

RULES - THRESHOLD

POLICY - THRESHOLD

POLICY - STATISTICS

UNSUPERVISED MACHINE LEARNING

POLICY - PEER GROUP STATISTICS

SUPERVISED MACHINE LEARNING

Page 10: Machine Learning for Threat Detection

WHAT IS SPLUNK USER BEHAVIORAL ANALYTICS?

DETECT ADVANCED CYBERATTACKS

DETECT MALICIOUS INSIDER THREATS

ANOMALY DETECTION

THREAT DETECTION

UNSUPERVISED MACHINE LEARNING

BEHAVIOR BASELINING & MODELING

REAL-TIME & BIG DATA ARCHITECTURE

Page 11: Machine Learning for Threat Detection

INSIDER THREAT

USER ACTIVITY (Day 1 ... Day 2 ... Day N):

• John connects via VPN
• Administrator performs ssh (root) to a file share - finance department
• John executes remote desktop to a system (administrator) - PCI zone
• John elevates his privileges
• root copies the document to another file share - Corporate zone
• root accesses a sensitive document from the file share
• root uses a set of Twitter handles to chop and copy the data outside the enterprise
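As an added example, not from the slides and not Splunk UBA code, the three detection styles named on the "Machine Learning Evolution" slide (rules-threshold, policy-statistics, policy-peer-group statistics) are run over a constructed daily count of sensitive file-share accesses modelled on the insider-threat slide. The user names, the counts, the k=3 multiplier and the SD_FLOOR value are all assumptions.

```python
"""Added example, not from the slides: rules-threshold vs. per-user baseline
vs. peer-group baseline over a constructed activity log."""
from statistics import mean, pstdev

# Constructed data: sensitive file-share accesses per user per day (Day 1..N, last = today).
# john (finance) normally touches 1-3 files, then pulls 30; admins routinely touch ~40.
# dave's own history is steady but far above his finance peers (an already-bad baseline).
ACTIVITY = {
    "john":   {"group": "finance", "daily": [2, 3, 2, 1, 3, 2, 30]},
    "alice":  {"group": "finance", "daily": [1, 2, 2, 3, 1, 2, 2]},
    "bob":    {"group": "finance", "daily": [3, 2, 1, 2, 2, 3, 2]},
    "dave":   {"group": "finance", "daily": [12, 13, 12, 14, 13, 12, 13]},
    "admin1": {"group": "admins",  "daily": [40, 45, 38, 50, 42, 44, 47]},
    "admin2": {"group": "admins",  "daily": [35, 48, 41, 39, 46, 43, 90]},
}
SD_FLOOR = 1.0  # assumption: stops a near-constant history from flagging tiny wobbles


def exceeds(today, history, k):
    """True when today is more than k standard deviations above the history mean."""
    return today > mean(history) + k * max(pstdev(history), SD_FLOOR)


def rule_threshold(activity, limit=60):
    """Rules - Threshold: one static limit for everyone (set high so admins don't page)."""
    return sorted(u for u, a in activity.items() if a["daily"][-1] > limit)


def user_baseline(activity, k=3.0):
    """Policy - Statistics: each user's today against that user's own history."""
    return sorted(u for u, a in activity.items()
                  if exceeds(a["daily"][-1], a["daily"][:-1], k))


def peer_group(activity, k=3.0):
    """Policy - Peer Group Statistics: today against the history of the user's peers
    (leave-one-out, so a user's own abnormal baseline cannot hide them)."""
    flagged = []
    for u, a in activity.items():
        peers = [x for v, b in activity.items() if v != u and b["group"] == a["group"]
                 for x in b["daily"][:-1]]
        if peers and exceeds(a["daily"][-1], peers, k):
            flagged.append(u)
    return sorted(flagged)


if __name__ == "__main__":
    print("rule_threshold:", rule_threshold(ACTIVITY))  # ['admin2']
    print("user_baseline: ", user_baseline(ACTIVITY))   # ['admin2', 'john']
    print("peer_group:    ", peer_group(ACTIVITY))      # ['admin2', 'dave', 'john']
```

The static rule sees only the admin spike, the per-user baseline also catches John's Day N burst, and the peer-group comparison additionally surfaces dave, whose own baseline is "normal" for him but not for his department.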

Page 12: Machine Learning for Threat Detection

MULTI-ENTITY BEHAVIORAL MODEL

APPLICATION

USER

HOST

NETWORK

DATA

Page 14: Machine Learning for Threat Detection

UBA 2.2 LATEST FEATURES

• Threat Modeling Framework
  • Create custom threats using 60+ anomalies.
• Enhanced Security Analytics
  • Visibility and baseline metrics around user, device, application and protocols.
• Risk Percentile & Dynamic Peer Groups
• Support for Additional 3rd Party Devices
