UBA Awakens: How data science is replacing signatures and rules

Luncheon 2016-03-17 - Uba Awakens by Lisa Huff


• Speaker: Lisa Huff. Speaker Bio: Lisa Huff works for a User Behavior Analysis company where she focuses on consulting with organizations to understand their ongoing security challenges with existing solutions, as well as discussing ways of providing more visibility into user behavior within organizations and how this adds much-needed visibility to analyst and SOC teams. Lisa has been in the networking and security space for close to 20 years and has worked with some of the largest organizations to help them better understand the ongoing challenges they face with staying ahead of threats to their organization.

Presentation Title: UBA Awakens. Presentation Description: How Data Science is replacing signatures and rules

Speaker Bio

Agenda

• Security monitoring through logs
• Some familiar incidents
• How detection is changing
• Applying machine learning
• User behavior analytics

Security monitoring through logs

Today's security monitoring best practices

VISIBILITY REQUIREMENT: A potentially harmful activity requires detection.

SIGNAL DETECTION AND MONITORING: A product is deployed to detect the activity and monitor going forward.

LOG AND INCIDENT MANAGEMENT: Every good/bad event is being logged to a SIEM for correlation and investigation.

A few requirements, lots of log feeds

Activity monitoring requirements:
• Lateral movement
• Remote employees
• Data exfiltration
• Malicious activity and malware

Gathered logs and artifacts:
• Windows logs
• VPN logs
• Cloud logs
• UNIX logs
• DLP logs
• Proxy logs
• Network protection logs
• Firewall logs
• Host protection logs
• Physical badge logs
• NAC logs
• DHCP logs
• IPS logs
• WiFi logs
• Database logs
• WAF logs
• File access logs
• BYOD admission logs
• Process logs

Analyst workflow

[Figure: analyst workflow] Stash of logs; correlation rules and alerts create incidents; case assembly and investigation through log search.

In the press... Familiar incidents.

The Target breach, you are only human...

Source: http://www.darkreading.com/attacks-and-breaches/target-ignored-data-breach-alarms/d/d-id/1127712
Source: http://www.scmagazine.com/target-did-not-respond-to-fireeye-security-alerts-prior-to-breach-according-to-report/article/338201/
Source: http://www.bloomberg.com/bw/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data

• ~Thanksgiving/Christmas 2013: 40m records of credit and debit card numbers were stolen using POS malware at Target

• FireEye sent alerts of the then-unknown malware, but they were wrongly interpreted and ignored.

• From Dark Reading's interview with Target:
► "Based on their interpretation and evaluation of that activity, the team determined that it did not warrant immediate follow up," she said. "With the benefit of hindsight, we are investigating whether, if different judgments had been made, the outcome may have been different."

Neiman Marcus... needle in the needle-stack
• ~1.1m credit cards' information exposed (NYT, Jan 13, 2014)
• Industry averages
► The average enterprise logs ~160m-200m events a day
► The average enterprise logs up to 150k security events a day

• Neiman Marcus had 60k security alert events per day, yet suffered from a 3-month breach. (Damballa State of Infections Report 2014)

• Those are just security alerts; the numbers exclude noteworthy infrastructure events

Source: http://www.nytimes.com/2014/01/24/business/neiman-marcus-breach-affected-1-1-million-cards.html
Source: https://www.damballa.com/downloads/r_pubs/Damballa_Q114_State_of_Infections_Report.pdf

Impossible signal/noise ratio

Snowden... In those we trust.
• Highly privileged and trusted user with access rights to sensitive information
• Creates the mother of all data leaks
• Noteworthy
► Changes his behavior over time
► Avoids stepping in any traps
► No malware, only credentials, mostly his own
► Appears to be just like any other trusted insider user

Source: https://www.washingtonpost.com/politics/intelligence-leaders-push-back-on-leakers-media/2013/06/09/fff80160-d122-11e2-a73e-826d299ff459_story.html

To an analyst, he appears just like anyone else

Alert fatigue results in missed incidents

Signal-to-noise ratio is unmanageable

One user's malicious activity is another user's standard

Is this your SOC?

A new hope...

Tracing an alert in SIEM
- Take the alert log and extract some features
- Search for hostnames/users/IPs from the alert and get an asset list
- Extract all logs that answer that user/asset list
- READ ALL THE LOGS!

The connection graph

Stitching together user activities that cross accounts, devices, IPs and networks requires a new type of data structure:

• Integrates state changes, so that the attacker stays visible as he changes accounts and IPs across a session

• Incorporates time, to understand that C happened after B happened after A

• Abstracts individual events, so that the entire session can be queried

User activity session as a connected graph

Applying machine learning
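The three properties above (state changes, time ordering, session-level queries) in working code, as an added example that is not part of the original deck or any vendor product. Event kinds, identifiers and the sample events are constructed for illustration; an identity is either an IP or a "host:account" pair, and a session is extended whenever an event comes from an identity the session already owns.

```python
from dataclasses import dataclass, field

@dataclass
class Event:
    ts: int      # constructed timestamp (seconds since start)
    kind: str    # "vpn", "logon", "switch" (account change), "remote" (host hop)
    src: str     # identity the action came from: an IP or "host:account"
    dst: str     # identity it established: assigned IP or "host:account"

@dataclass
class Session:
    sid: int
    events: list = field(default_factory=list)      # kept in time order
    identities: set = field(default_factory=set)    # every IP/host/account touched

    def accounts(self):
        return {i.split(":")[1] for i in self.identities if ":" in i}

    def hosts(self):
        return {i.split(":")[0] for i in self.identities if ":" in i}

    def ips(self):
        return {i for i in self.identities if ":" not in i}

def stitch(events):
    """Link events into sessions by following state changes across IPs, hosts and accounts."""
    sessions, owner = [], {}    # owner: identity currently in use -> Session that holds it
    for e in sorted(events, key=lambda e: e.ts):   # time order: C after B after A
        s = owner.get(e.src)
        if s is None:           # nothing links back to an existing session: start one
            s = Session(len(sessions) + 1)
            sessions.append(s)
        s.events.append(e)
        s.identities.update((e.src, e.dst))
        owner[e.dst] = s        # the new identity now belongs to the same session
    return sessions

# Constructed sample: one VPN login that switches account and hops hosts, plus unrelated noise.
SAMPLE = [
    Event(0,   "vpn",    "203.0.113.5",   "10.0.0.7"),
    Event(30,  "logon",  "10.0.0.7",      "ws1:barbara"),
    Event(90,  "switch", "ws1:barbara",   "ws1:svc_admin"),
    Event(120, "remote", "ws1:svc_admin", "srv9:svc_admin"),
    Event(200, "logon",  "10.0.0.9",      "ws4:dave"),
]

if __name__ == "__main__":
    for s in stitch(SAMPLE):   # the whole session is now one queryable unit
        print(s.sid, sorted(s.accounts()), sorted(s.hosts()), sorted(s.ips()),
              [e.kind for e in s.events])
```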

[Chart: VPN access sources for user Barbara. Bars for China, Ukraine, Germany, Canada and United States; y-axis: Frequency, 0 to 500]

Learning a user's behavior over time

User Barbara connected to VPN from US
User Barbara connected to VPN from US
User Barbara connected to VPN from US
User Barbara connected to VPN from GR
User Barbara connected to VPN from GR
....
User Barbara connected to VPN from CN

Let data speak for itself...

[Chart: VPN access sources for user Barbara. Bars for China, Ukraine, Germany, Canada and United States; y-axis: Frequency, 0 to 500]

• Barbara regularly connects from United States

• It is abnormal for Barbara to connect from China

• Barbara never connected from Brazil
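The baseline behind the three conclusions above (regular, abnormal, never seen), built from log lines in the format shown on the "Learning a user's behavior over time" slide. This is an added example, not code from the deck or from Exabeam; the 5% rarity threshold and the sample history are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Matches the deck's log line format: "User <name> connected to VPN from <CC>"
LINE_RE = re.compile(r"^User (\w+) connected to VPN from ([A-Z]{2})$")

def build_baseline(lines):
    """Count VPN source countries per user; lines that do not parse are skipped."""
    baseline = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            baseline[m.group(1)][m.group(2)] += 1
    return baseline

def assess(baseline, user, country, rare_share=0.05):
    """Classify a login country for a user against their own history.

    Returns (verdict, share) where verdict is 'regular', 'abnormal' or 'never_seen'
    and share is the fraction of this user's VPN logins that came from that country.
    A user with no history at all is treated as never seen (assumption).
    """
    counts = baseline.get(user, Counter())
    total = sum(counts.values())
    if total == 0 or country not in counts:
        return "never_seen", 0.0
    share = counts[country] / total
    return ("regular" if share >= rare_share else "abnormal"), share

# Constructed history mirroring the slide: mostly US, a few GR, a single CN login.
SAMPLE_LOGS = (["User Barbara connected to VPN from US"] * 480
               + ["User Barbara connected to VPN from GR"] * 6
               + ["User Barbara connected to VPN from CN"]
               + ["User Dave connected to VPN from CA"] * 20
               + ["malformed line that must not be counted"])

if __name__ == "__main__":
    b = build_baseline(SAMPLE_LOGS)
    for cc in ("US", "CN", "BR"):
        print("Barbara from", cc, "->", assess(b, "Barbara", cc))
```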

Applying machine learning to user behavior

• Who is this user to the organization?
• What are this user's peers?
• Does this user have any special characteristics?
• Is he an executive? A privileged user perhaps?

• When does the user usually log in?
• When did we last see this user?

• Where is the user connecting from? ISPs, states, countries, etc...
• When does the user usually log in?
• Is the source IP known as a good/bad IP?

• Who used this asset before?
• What kind of users log in to this asset?
• What actions are normally performed on this asset?

• Which users use this network?
• What peer groups are using this network?
• What kind of activities happen on this network?

• Which users normally use this server?
• Which users are the administrators of this server?
• What applications run on this server?
• How do users normally access this server?

• Is this alert a common alert in the organization?
• Has this alert ever fired before on this asset?
• Has this alert ever fired before for this user?

• Which users access this application?
• What hosts hold this application?
• What arguments are used with this application?

• Who accesses this file normally?
• Where was this file accessed from?

User behavior analytics

So that alert again...

"An alert has fired with malware on host X"

How many of your analysts would dismiss it?

Let's try this again, with user behavior analytics

• User Barbara has
• Abnormally logged in using VPN from China
• Is accessing networks she never accessed before
• No one in her peer group uses this server
• Normally only reads this file and does not edit it
• An alert has fired for malware
• First time this malware is seen in this organization

Thank you. www.exabeam.com