
Page 1

AI in Security Operations: What We’ve Learned So Far

Matt Walmsley, EMEA Director

[email protected]

Page 2

Questions for today

1. What has AI learned from security operations?

2. What has security operations learned from AI?

3. What does security operations look like after AI happens?

Page 3

Questions for today

1. What has AI learned from security operations?

Page 4

Why do you need a SOC?

Two things we can do in security operations are:

1. Slow attackers down

2. Accelerate detection and response

An effective SOC provides the benefit of a faster response time to a security incident

Page 5

Time is money for security operations

[Figure: cost impact versus time, from initial infection through time to detect and time to contain. Cost categories: Data Loss, Exfiltration, Intellectual Property; Consulting, Incident Response, Damage Control; Legal, HR, Fines]

Average cost of a data breach is $3.92 million [1]

Total cost of Maersk ransomware attack = $350 million

[1] 2019 Ponemon Cost of Data Breach Study

Page 6

AI accelerates detection & response

[Figure: the same cost-versus-time chart as on the previous slide (initial infection, time to detect, time to contain; Data Loss, Exfiltration, Intellectual Property; Consulting, Incident Response, Damage Control; Legal, HR, Fines)]

Reducing time to detect and contain significantly lowers cost

Page 7

Where is time spent?

Dwell Time + Contain Time = Unauthorised Access Time to Asset

Page 8

Security operations dimensions

Threat awareness

• Knowledge of:

  • Threat presence

  • Intent

  • Activities

Agility

• The rapidity with which identified intrusions are successfully:

  • Contained

  • Eradicated

  • Normative business operations restored

James Webb – CISO; Appalachian State University

Page 9

Incident response maturity

James Webb – CISO; Appalachian State University

[Figure: maturity levels 1 to 5 plotted on axes of Threat awareness and Agility]

Maturity | Typical Detection | Typical Response | Risk Awareness
5. Predictive Defense | Internal (Hunting, Waylay) + External | Highly proactive | Very High
4. Intelligence Driven | Internal (Hunting) + External | Threat / Adversary Driven | High
3. Process Driven | Internal (Hunting) + External | Service driven (SLAs) | Medium
2. Tool Driven / Signature Based | External | Tool Driven | Low
1. Reactive / Adhoc | External, User Report | Reformat, Reinstall, Restore | Very Low

Page 10

Questions for today

2. What has security operations learned from AI?

Page 11

The five questions that data science answers

Is this A or B (or C or D)? – Classification

How much / How many? – Regression

How is this data organised? – Clustering

Is this weird? – Anomaly

What action should be taken? – Reinforcement

Page 12

Looking for what the threat does

[Figure: indicator types from IP, Domain and Network Artifacts up to Tools and TTPs / Methods, plotted on Detection Durability (Transient to Persistent) against Threat Coverage (Known to Novel); detection methods range from Hash, Signatures and Threat Intel to AI Models]

Fast, labeled coverage of known threats

• Tools

• Exploits

• Known attacker infrastructure

• Environment-specific indicators

Durable coverage

• Both novel and known attacks

• Difficult and expensive to evade

Page 13

Combine data science and security research

Security Research

• Identify, prioritize, and characterize fundamental attacker behaviors

• Validate models

Data Science

• Determine best approach to identify behavior

• Develop and tune models

Attacker Behavior models

• High-fidelity detection of things attackers must do

• No signatures: find known and unknown

Page 14

It’s all about detecting attacker behaviors

Command and Control: Advanced C2 (human control); Botnet C2

Reconnaissance: Network sweeps and scans; Advanced: AD, RPC, shares

Lateral Movement: Stolen accounts; Exploits; Backdoors

Exfiltration: Data movement; Methods, e.g. tunnels

Security Research

• Identify, prioritise, and characterise fundamental attacker behaviours

• Validate models

Data Science

• Determine best approach to identify behaviour

• Develop and tune models

Page 15

Prioritising incidents using a time series of events

[Figure: time series of events per host starting from Initial infection; stages shown: Standard C&C, Custom C&C, Custom C&C & RAT, Botnet monetization, Internal recon, Lateral movement, Acquire data, Exfiltrate data; ranging from Opportunistic threats to Targeted threats]

Page 16

Questions for today

3. What does security operations look like after AI happens?

Page 17

Automation that augments and empowers

• When to automate

• When not to automate

• Keep humans in the loop; don’t give all the keys to the machines

• Free up analysts’ time for higher-value, higher-interest work

Page 18

SOC Visibility Triad: Operational Flow

[Figure: operational flow Visibility, Detection, Analytics → Correlation → Coordination, Response]

Page 19

SOC Visibility Triad: Operational Flow

[Figure: Endpoint and Network sources feeding the flow Visibility, Detection, Analytics → Correlation → Coordination, Response]

Page 20

SOC Visibility Triad: Operational Flow

[Figure: Endpoint, Network and Users/Applications (TIP, etc.) sources, covering Users, Applications, Threats and Vulnerabilities, feed a SIEM that outputs prioritized incidents; flow: Visibility, Detection, Analytics → Correlation → Coordination, Response]

Page 21

SOC Visibility Triad: Operational Flow

[Figure: sources Endpoint, Network and Users/Applications (AD, IDM, CASB, etc.), covering Users, Applications, Threats and Vulnerabilities; Network Alerts and Endpoint Alerts correlated in a SIEM into verified incidents; an Orchestration and Automation layer spanning Endpoint, Network and Firewall; flow: Visibility, Detection, Analytics → Correlation → Coordination, Response]

Page 22

Vectra Cognito: The ultimate network detection and response platform

Cognito platform

• Cognito Recall – Investigate and hunt in a cloud-based application

• Cognito Stream – Send security-enriched metadata to data lakes and/or SIEM

• Cognito Detect – Detect and prioritize hidden threats at speed using AI

• Cloud, user, datacenter

• Security-enriched

• Real time and historical

• Scalable architecture

Page 23

Workload reduction from triaging, correlating and prioritising events into incidents

Source: https://www.vectra.ai/download/2019-black-hat-edition-of-the-attacker-behavior-industry-report

Workload reduction of 174X

14,644 / (57+27) = 174.33

“This solution excels at rolling up numerous alerts to create a single incident to investigate that describes a chain of related activities, rather than isolated alerts that an analyst then has to piece together.”

- Gartner Market Guide for IDPS
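An added example, not part of the deck or of any Vectra product, showing the two ideas from pages 15 and 23 in code: chaining a host's detections over time into one incident, ranking incidents by how far along the attacker progression they have reached, and computing the events-to-incidents workload reduction ratio. The stage names, the 24-hour chaining window, the scoring weights and the sample events are all assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Attacker progression from the slide; a later stage is closer to impact.
STAGE_ORDER = ["initial infection", "command and control", "internal recon",
               "lateral movement", "acquire data", "exfiltration"]
STAGE_RANK = {stage: i + 1 for i, stage in enumerate(STAGE_ORDER)}

# Constructed sample detections, not real alerts: (UTC timestamp, host, stage).
# host-a chains C2 -> recon -> lateral movement within hours; host-b is a noisy
# beaconing bot; host-c has two detections more than a day apart.
EVENTS = [
    ("2019-10-01T08:00:00", "host-a", "command and control"),
    ("2019-10-01T08:05:00", "host-a", "command and control"),
    ("2019-10-01T09:30:00", "host-a", "internal recon"),
    ("2019-10-01T11:00:00", "host-a", "lateral movement"),
    ("2019-10-02T06:00:00", "host-c", "internal recon"),
    ("2019-10-04T06:00:00", "host-c", "exfiltration"),
] + [("2019-10-01T%02d:00:00" % h, "host-b", "command and control") for h in range(10)]


def roll_up(events, window=timedelta(hours=24)):
    """Chain a host's detections into one incident while each event follows
    the previous one within `window`; a longer gap opens a new incident."""
    incidents, open_idx = [], {}  # open_idx: host -> index of its open incident
    for ts, host, stage in sorted(events):
        when = datetime.fromisoformat(ts)
        idx = open_idx.get(host)
        if idx is not None and when - incidents[idx]["end"] <= window:
            inc = incidents[idx]
            inc["end"], inc["events"] = when, inc["events"] + 1
            inc["stages"].add(stage)
        else:
            incidents.append({"host": host, "start": when, "end": when,
                              "events": 1, "stages": {stage}})
            open_idx[host] = len(incidents) - 1
    return incidents


def score(incident):
    """Deepest stage dominates; each distinct stage adds one, so a chain beats repeats."""
    return 10 * max(STAGE_RANK[s] for s in incident["stages"]) + len(incident["stages"])


def prioritise(events):
    """Incidents ordered highest risk first, each tagged with its score."""
    incidents = roll_up(events)
    for inc in incidents:
        inc["score"] = score(inc)
    return sorted(incidents, key=lambda inc: inc["score"], reverse=True)


def workload_reduction(events, incidents):
    """Raw events per incident handed to an analyst (the slide's 174X figure)."""
    return len(events) / len(incidents)
```

With the sample data the ten beacon alerts on host-b collapse into the lowest-ranked incident, while host-c's single exfiltration detection ranks first because it sits deepest in the progression.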

Page 24

AI delivers real-world security operations benefits

“Vectra Cognito helps close the skills gap”

“Vectra Cognito makes threat hunting more efficient”

“With Cognito, I can focus on the highest-risk threats”

“Vectra has helped us reduce our business risk”

Page 25

SOC visibility in action

Commodity trading business

7000 employees, 60 countries, $10bn revenue

15,000 customers, 14,000 suppliers

By their own admission at level 1-2 security maturity

Looking at a security programme which was “Security by Policy”

2 people to run this programme

Entered a POC for detection alongside EDR

An automated and integrated SOC quickly delivered an efficient and powerful service

Off-loaded policy to a single person who built policy from industry regulations and SOC interactions

SOC now at level 4-5 security maturity

Saved significant amounts of money for the company and has had an increase in budget based on performance

Vectra Cognito AI-powered Network Detection and Response (NDR) Platform

Download case study

Page 26

Answers for today

1. What has AI learned from security operations?
   Time is the most important metric for detecting and responding before damage occurs

2. What has security operations learned from AI?
   Machine learning works best when applied to a specific task

3. What does security operations look like after AI happens?
   Increased threat awareness and operational agility

Page 27

Thank you

vectra.ai