Threat Detection - Trends and Technology
March 26, 2019

Transcript of the slide deck (38 pages). Moderator: Gabe Chomic, ISSA-UK.

Page 1

Threat Detection - Trends and Technology
March 26, 2019

Page 2

Threat Detection - Trends and Technology

Today’s web conference is generously sponsored by:

Lastline (https://www.lastline.com/)

Page 3

Threat Detection - Trends and Technology

Moderator

Gabe is a technologist at heart who has been tinkering from an early age. In addition to running ISSA-UK, he has worked in 14 countries and across numerous sectors, bootstrapped a cloud cryptocurrency crowdfunding platform into profitability, built security programs from the ground up, led multi-million pound security service transitions and performed in-depth security engineering in SCADA environments. His current passions involve security economics, shifting security left, and the changing perception of information security in both business and the public eye.

Gabe Chomic, President, ISSA-UK

Page 4

Threat Detection - Trends and Technology

Speaker

Mohan is the Chief Technical Officer at RANK Software Inc. RANK is a Security Analytics company based out of Toronto, Canada. RANK makes Cybersecurity Simple, Accurate and Actionable. We analyze billions of events in near real-time to identify both internal and external threats. Our predictive modeling systems identify high-risk user, machine and application behavior before they become a threat. He managed a billion-dollar Fulfillment Business at Amazon, responsible for optimization algorithms, scaling (tens of billions of events per day) and availability of Amazon’s Global Fulfillment Platform, including robotic systems, and was Site Leader for Amazon’s Toronto development center. Mohan has also built and managed Contextual Systems and Mobile Advertising at BlackBerry (Research in Motion), where he introduced Big Data technologies, forged vendor partnerships and managed software development teams across 3 countries.

Mohan Rao, CTO, RANK Software

Page 5

Threat Detection – Trends and Technology

Page 6

SOLVING A HARD PROBLEM

Human Intelligence works, but there aren’t enough of them

Key Points:
• 3.5
• Reduced Investigation Time
• Time Saved

Source: Crowd Research Partners — 2018 Threat Hunting Report

Lots of tools out there, but are they being used correctly?

Key Points:
• Severity and frequency of attacks are increasing.
• 3.5 million fewer people than jobs
• $7.6 billion invested in cybersecurity companies
• $150 billion total revenues in cyber

Unfair Game – protect all, breach one

Page 7

Security Solutions have not Kept Up! Existing Tools and Resources are not Sufficient

• Scale: billions of events per day, handled in batch
• Complexity: false positives, silo’d systems
• Manual: slow human reaction, delayed response
• Resources: 3 million gap in qualified personnel

Page 8

Threat Hunting and Security Analytics?

The process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.

This is in contrast to traditional threat management measures, such as firewalls, intrusion detection systems (IDS), malware sandboxes and SIEM systems, which typically involve an investigation of evidence-based data after there has been a warning of a potential threat.

Source: Wikipedia

Page 9

CYBER SECURITY – THREAT MANAGEMENT FUNDAMENTAL TRUTHS

Key Points:
• 75% of respondents believe that threat hunting is of MAJOR IMPORTANCE

1. Batch analytics are too little & too late!
   Running a query that takes 2 hours so you can learn what next question to ask DOESN’T WORK!
   Streaming data enrichment for essential time savings

2. Context is king!
   Ingest data from any source (Network, End Points, SIEM, etc.) for complete visibility
   Normalized field names across all data sources (i.e. dest_ip vs. DestinationHostAddress) for best accuracy

3. Data fidelity is a MUST!
   SIEMs using summarized data — useless for threat management
   Real-time data stream ingestion without losing fidelity

Page 10

BATCH ANALYTICS ARE TOO LITTLE & TOO LATE! TIMELY INVESTIGATION AND RESPONSE IS CRITICAL

Real Time Asset Mapping
• Kerberos, NTLM, AD integration.
• Building user sessions is hard but very useful.

Real Time Data Enrichment
• Internal & External Context at Ingestion Time
• Geo Location, Threat Intelligence, Malware IOCs.

Execute Custom & Pre-Configured Hunts
• Pre-defined queries assist in threat hunting
• Threat detection repositories (Sigma) enable content sharing

Visualization & UX
• Single window for detailed context
• Take action in one system
• Quickly make determinations

Page 11

CONTEXT IS KING! CORRELATING NETWORK TRAFFIC AND END POINT DATA TO PROVIDE COMPLETE VISIBILITY

Scalable Event Processing Framework
• Ingest & correlate multiple sources
• Internal / external events
• >10Gb per second

Real Time Data Enrichment
• Add context from across your network
• Risk score helps identify credible threats
• Massive reduction in false positives

Real Time Asset Mapping
• Mapping IPs to machine names/user names
• Normalized field names across all data sources
• Increased accuracy

Secondary Analysis
• Context to explain anomaly causes
• Assemble the story in a single system

Page 12

DATA FIDELITY IS A MUST! SUMMARIZED DATA LACKS VALUE NECESSARY FOR EFFECTIVE THREAT MANAGEMENT

The Straight Goods
• Summarized Data is not useful!
• Mapping attributes to a common schema is vital.
• Data should be searchable from disparate data sources through a common query language
• Duplicating data can be super expensive! No Data Duplication
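The ingestion-time normalization and enrichment that pages 9 through 12 describe (common field names such as dest_ip across sources, IP-to-host/user asset mapping, threat-intel context attached as events arrive, and a minimal "user session" carried from a logon event onto later network events) as an added example. This is illustrative code written for this transcript, not RANK Software's product or any code from the slides; the source names, field maps, asset table, threat-intel entry and sample events are all constructed.

```python
"""Added example, not from the slides or from RANK Software: a small streaming
ingester that renames source-specific fields to one common schema, coerces types,
attaches asset and threat-intel context at ingestion time, and carries the user
learned from a logon event onto later events from the same IP (a minimal
'user session'). All source names, field names and sample data are constructed."""

# Per-source map of native field names to the common schema (assumed names).
FIELD_MAPS = {
    "fw_csv": {"src": "src_ip", "dst": "dest_ip", "dpt": "dest_port", "ts": "timestamp"},
    "win_json": {"IpAddress": "src_ip", "DestinationHostAddress": "dest_ip",
                 "TargetUserName": "user", "TimeCreated": "timestamp"},
    "zeek": {"id.orig_h": "src_ip", "id.resp_h": "dest_ip",
             "id.resp_p": "dest_port", "ts": "timestamp"},
}

# Constructed context tables an enrichment stage would normally pull from a CMDB, AD or TI feeds.
ASSETS = {
    "10.0.0.5": {"host": "eng-ws-01", "zone": "engineering"},
    "10.0.0.50": {"host": "code-srv-01", "zone": "servers"},
}
THREAT_INTEL = {"203.0.113.77": {"tag": "c2", "feed": "constructed-feed"}}


def normalize(source, raw):
    """Rename keys via the source's map; anything unmapped is kept under 'extra'
    so no fidelity is lost. dest_port becomes an int regardless of source."""
    fmap = FIELD_MAPS[source]
    event = {"source": source, "extra": {}}
    for key, value in raw.items():
        if key in fmap:
            event[fmap[key]] = value
        else:
            event["extra"][key] = value
    if "dest_port" in event:
        event["dest_port"] = int(event["dest_port"])
    return event


def enrich(event):
    """Attach asset and threat-intel context for both endpoints at ingestion time."""
    for side in ("src_ip", "dest_ip"):
        ip = event.get(side)
        if ip in ASSETS:
            event[side + "_asset"] = ASSETS[ip]
        if ip in THREAT_INTEL:
            event[side + "_intel"] = THREAT_INTEL[ip]
    return event


class Ingestor:
    """Processes events in arrival order and remembers which user was last seen
    logging on from each IP, so later network events carry a user name."""

    def __init__(self):
        self.ip_to_user = {}

    def ingest(self, source, raw):
        event = enrich(normalize(source, raw))
        src = event.get("src_ip")
        if event.get("user") and src:
            self.ip_to_user[src] = event["user"]
        elif src in self.ip_to_user:
            event["user"] = self.ip_to_user[src]
        return event


# Constructed sample stream: a Windows logon, a firewall allow, and a Zeek connection.
SAMPLE_STREAM = [
    ("win_json", {"EventID": 4624, "IpAddress": "10.0.0.5", "TargetUserName": "alice",
                  "TimeCreated": "2019-03-26T09:00:00Z"}),
    ("fw_csv", {"src": "10.0.0.5", "dst": "203.0.113.77", "dpt": "443", "action": "allow",
                "ts": "2019-03-26T09:05:00Z"}),
    ("zeek", {"id.orig_h": "10.0.0.5", "id.resp_h": "10.0.0.50", "id.resp_p": 22,
              "ts": 1553590200.0}),
]


def run_stream(stream=SAMPLE_STREAM):
    """Normalize and enrich a whole stream; returns the list of common-schema events."""
    ingestor = Ingestor()
    return [ingestor.ingest(source, raw) for source, raw in stream]


def hunt_intel_hits(events):
    """A pre-defined hunt over normalized data: who talked to a known-bad destination?"""
    return [(e.get("user"), e["src_ip"], e["dest_ip"], e["dest_ip_intel"]["tag"])
            for e in events if "dest_ip_intel" in e]


if __name__ == "__main__":
    for hit in hunt_intel_hits(run_stream()):
        print(hit)
```

Because the firewall and Zeek records are renamed to the same dest_ip and dest_port names, one hunt query runs over all three sources, and the firewall event already carries the user name and the threat-intel tag when it lands, which is the point the slides make about enrichment at ingestion rather than at query time. Unmapped fields are kept rather than dropped, so the normalized event loses no fidelity from the original record.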

Page 13

POWERFUL PRACTICAL AI & ML: UNSUPERVISED LEARNING NEEDS ANALYST INPUT TO BE EFFECTIVE

Model/Algorithm Ensemble
• Labeled Data Sets do not exist
• False Positives are a reality
• Active Learning / Reinforcement Learning needed to improve accuracy
• Anomalies without explanations are useless (Explainable AI)

Incident Prediction
• Kill-chain correlation
• Bayesian Networks, Probabilistic Models
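The "kill-chain correlation" and "probabilistic models" bullets above, as an added example that is not from the slides or from RANK Software. It combines alerts on one entity into a single incident probability with a naive-Bayes style log-odds update and returns the evidence that drove the score, which is the explainability point the slide makes. The stage names, likelihood ratios, base rate and sample alerts are all constructed; a real deployment would estimate the ratios from analyst feedback.

```python
"""Added example, not from the slides or from RANK Software: a kill-chain correlation
score. Each alert on an entity is mapped to a kill-chain stage and a likelihood
ratio (how much more often it is seen on compromised hosts than benign ones);
the strongest alert per stage updates the prior in log-odds, a naive-Bayes style
combination that assumes stages are independent. The result carries the evidence
that produced it, so an analyst can see why. Stages, ratios and alerts are constructed."""
import math

# Constructed evidence table: alert name -> (kill-chain stage, likelihood ratio).
EVIDENCE = {
    "port_scan": ("recon", 4.0),
    "dns_burst": ("recon", 1.5),
    "new_admin_group": ("priv_escalation", 6.0),
    "rdp_to_new_host": ("lateral_move", 3.0),
    "large_upload": ("exfiltration", 8.0),
    "c2_intel_match": ("c2", 20.0),
}
PRIOR = 0.01  # assumed base rate of compromised entities in the window


def score_entity(alert_names, prior=PRIOR):
    """Return probability, stages hit and the contributing evidence for one entity."""
    # Keep only the strongest alert per stage so a chatty stage is not double-counted.
    best = {}
    for name in alert_names:
        if name not in EVIDENCE:
            continue  # unknown alert types contribute nothing rather than crashing
        stage, lr = EVIDENCE[name]
        if stage not in best or lr > best[stage][1]:
            best[stage] = (name, lr)
    log_odds = math.log(prior / (1 - prior))
    why = []
    for stage, (name, lr) in sorted(best.items()):
        log_odds += math.log(lr)  # posterior odds = prior odds * product of likelihood ratios
        why.append({"alert": name, "stage": stage, "likelihood_ratio": lr})
    probability = 1 / (1 + math.exp(-log_odds))
    return {"probability": round(probability, 4), "stages_hit": sorted(best), "why": why}


def triage(alerts_by_entity, prior=PRIOR):
    """Rank entities by incident probability, highest first."""
    ranked = [(entity, score_entity(alerts, prior)) for entity, alerts in alerts_by_entity.items()]
    ranked.sort(key=lambda pair: pair[1]["probability"], reverse=True)
    return ranked


# Constructed alerts from one day, keyed by host.
SAMPLE_ALERTS = {
    "eng-ws-01": ["port_scan", "rdp_to_new_host", "large_upload"],
    "code-srv-01": ["dns_burst"],
    "eng-ws-02": ["port_scan", "dns_burst"],
}

if __name__ == "__main__":
    for entity, result in triage(SAMPLE_ALERTS):
        print(entity, result["probability"], result["stages_hit"], result["why"])
```

Three weak signals across different stages (recon, lateral movement, exfiltration) lift a 1% prior to roughly 49% for eng-ws-01, while a lone DNS anomaly barely moves it; the `why` list is what an analyst would read to accept or reject the score, and that feedback is the labelled data the slide says does not otherwise exist.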

Page 14

Collaboration Framework: COMMUNITY INSIGHT SHARING

Anonymize
• No Personally identifiable information
• Curated

Real-time
• Share and consume information instantaneously

Collective Intelligence
• Reduce false positives
• Improve Detections
• Sigma, Mitre etc.

Page 15

Data Lake -> Automated SOC

Page 16

Page 17

Threat Detection - Trends and Technology

Speaker

For more than 20 years, Brian Laing has shared his strategic business vision and technical leadership with a range of start-ups and established companies in various executive level roles. The author of “APT for Dummies,” Brian was previously vice president of AhnLab, where he directed the US operations of the internationally known security and software leader. He founded Hive Media and served as CEO. As the co-founder of RedSeal Systems, Brian conceived of the overall design and features of the product and was granted two patents related to network security. Brian was also founder and CEO of self-funded Blade Software that released the industry’s first commercial IPS/FW testing tool.

Brian Laing, SVP, Corporate Development & Strategic Alliances, Lastline

Page 18

Complex Threats (diagram)

Identify Threats at the Perimeter: C&C communication, drive-by exploit, malware download.

Detect Lateral Movement and Internal Threats: internal recon, port scans, asset discovery, privilege escalation, RDP protocol, large file upload, data exfiltration.

Alert Enrichment via Global Threat Intelligence.

Diagram actors: bad actor, employee, engineering machine, engineering code server.

Page 19

Unique Detection Approach

Threat Behaviors
• Understanding Threats
• Sandbox Analysis

+

Network Behaviors
• Network Baseline
• Outliers / Anomalies

=

High Fidelity Results

The Lastline AI Advantage: more data sources, better input data, deep expertise in security and machine learning

Page 20

Lastline’s Application of Machine Learning (architecture diagram)

Inputs: local packets, local flows, local files; web and email traffic from customer networks.

Components: Lastline Data Sensors, Data Node, Manager, Detection Engine; Global Threat Intelligence Network (Lastline | Partner | Customer).

Flows: threat research and customer data produce threat + behavioral intel, anomalies, network signatures and NTA models; network traffic and behavioral output produce event data and network flows; shared intel is exposed via an open API.

Page 21

AI-Powered Behavior Analysis (diagram)

Lastline Emulator: full system emulation of an emulated machine (guest OS versions labelled 7 and XP) on physical hardware; unknown apps/docs are run with user interaction.

Detection inputs: IP reputation, network signatures, anomaly detection, file behaviors, digital signatures, etc.

Page 22

Complete Threat Visibility (diagram; same threat chain as the Complex Threats slide)

Identify Threats at the Perimeter: C&C communication, drive-by exploit, malware download.

Detect Lateral Movement and Internal Threats: internal recon, port scans, asset discovery, privilege escalation, RDP protocol, large file upload, data exfiltration.

Alert Enrichment via Global Threat Intelligence.

Outcomes: Automated Data Aggregation; High Fidelity, Prioritized Alerts; Complete Context.

Diagram actors: bad actor, employee, engineering machine, engineering code server.

Page 23

Page 24

Threat Detection - Trends and Technology

Speaker

Thomas has over 30 years of experience in the IT industry, ranging from software development to infrastructure & network operations and architecture, before settling in information security. He has an extensive security background covering roles from incident responder to security architect at Fortune 500 companies, vendors and consulting organizations. He is currently a security advocate and threat researcher focused on advising companies on understanding their data protection activities against malicious parties, not just for external threats but also those instigated by compliance.

Thomas is also an active participant in the InfoSec community, not only as a member but also as director of Security BSides London, ISSA UK chapter board member and speaker at events like SANS DFIR EMEA, DeepSec, Shmoocon, and various BSides events.

Thomas Fischer, Security Advocate and Threat Researcher

Page 25

Finding a Suitable Threat Intelligence Provider
Thomas Fischer

Page 26

Understanding TI

➢ Which TI vendor is fit for purpose?

➢ What metrics do you use to track quality over time?

➢ How do you extract value?

Page 27

Understand your Environment

➢ Know your Threat Model

➢ What are you looking to supplement?
  ❑ Latest spear-phishing
  ❑ Latest crypto attacks
  ❑ APTs

Page 28

Where is your Focus? (diagram)

Breach — Kill-Chain Phase — Hunting & Response

Page 29

What Makes a Good IoC

➢ Low False-Positive (FP) rate

➢ Actionable
  ❑ Quality of Context

➢ Machine Readable

Page 30

Actionable Information

➢ Quality of information
  ❑ Relevance (Should we care?)
  ❑ Accuracy (Is it true?)
  ❑ Completeness (Do we have enough details?)
  ❑ Timeliness (Is it still valid? Quick to publish? Expiry dates?)
  ❑ Ingestibility (Can we process/interpret it?)

➢ Scope of an information source ⇒ coverage
  ❑ Detection method (How was the information obtained?)
  ❑ Vantage (What is the focus of collection?)
  ❑ Volume (How much data is provided?)

Page 31

Challenge: Fit for Purpose

➢ Best match for your focus?

➢ Data Diversity
  ❑ Coverage: IP, Domain, URLs, reputation, risks, …
  ❑ Are sources revealed?

➢ Test indicators in operation

➢ Labelling – How is an IoC defined?

Page 32

Challenge: Machine Readable

➢ What formats are provided?
  ❑ CSV, XML, JSON
  ❑ STIX
  ❑ API access

➢ Filtering
  ❑ Keywords
  ❑ Labelling

Page 33

Challenge: Data Standardisation

➢ No Standardisation

Page 34

Page 35

Challenge: First Seen? (timeline diagram)

Along the time axis: Threat Actor Start → Discovered by Researcher → Indicators Available, with the Threat Actor Infrastructure Active throughout.

Page 36

Recommendations

➢ Work with Data analysts

➢ Move towards “Capability Driven Threat Intelligence”

➢ Accept Failure

➢ Think and map use cases

➢ Can’t measure everything

➢ No one size fits all

Page 37

Final Word

When looking for a provider, set up a controlled experiment to evaluate.
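One way to run the controlled experiment this final word recommends, as an added example that is not from the slides or the speaker. It loads indicators from two feeds with different schemas (the machine-readability challenge), replays them against analyst-labelled observations from your own telemetry (testing indicators in operation), and reports the quality measures from the Actionable Information slide: accuracy as precision, relevance as recall, false-positive rate, timeliness as the lag between the actor's infrastructure going active and the indicator's first-seen date, expiry, and coverage by indicator type. Both feed schemas, the observations, the incident-response timeline and all values are constructed.

```python
"""Added example, not from the slides: a harness for the "controlled experiment"
recommended when choosing a threat-intelligence provider. It loads indicators from
two feeds with different schemas (constructed CSV and JSON), replays them against
analyst-labelled observations, and reports precision, recall, false-positive rate,
first-seen lag, expiry and coverage. All feed names and data are constructed."""
import csv
import io
import json
from datetime import datetime, timedelta


def parse_iso(text):
    """ISO-8601 with a trailing Z -> timezone-aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def load_csv_feed(text):
    """Feed A (constructed schema): indicator,type,first_seen,expires."""
    return [{"value": r["indicator"], "type": r["type"],
             "first_seen": parse_iso(r["first_seen"]), "expires": parse_iso(r["expires"])}
            for r in csv.DictReader(io.StringIO(text))]


def load_json_feed(text):
    """Feed B (constructed schema): [{"ioc", "kind", "seen", "ttl_days"}], normalized to
    the same record shape as feed A so both can be evaluated by one function."""
    records = []
    for r in json.loads(text):
        seen = parse_iso(r["seen"])
        records.append({"value": r["ioc"], "type": r["kind"], "first_seen": seen,
                        "expires": seen + timedelta(days=r["ttl_days"])})
    return records


def evaluate(feed, observations, actor_activity, now):
    """observations: (value, observed_at, is_malicious) labelled by analysts.
    actor_activity: value -> when the actor's infrastructure went active (from IR)."""
    by_value = {i["value"]: i for i in feed}
    tp = fp = fn = 0
    for value, observed_at, is_malicious in observations:
        ind = by_value.get(value)
        # An indicator only counts if it was valid at the time of the observation.
        matched = ind is not None and ind["first_seen"] <= observed_at <= ind["expires"]
        if matched and is_malicious:
            tp += 1
        elif matched and not is_malicious:
            fp += 1
        elif not matched and is_malicious:
            fn += 1
    benign = sum(1 for _, _, mal in observations if not mal)
    lags = [(i["first_seen"] - actor_activity[i["value"]]).days
            for i in feed if i["value"] in actor_activity]
    coverage = {}
    for i in feed:
        coverage[i["type"]] = coverage.get(i["type"], 0) + 1
    return {
        "precision": tp / (tp + fp) if tp + fp else 0.0,          # accuracy: is it true?
        "recall": tp / (tp + fn) if tp + fn else 0.0,             # relevance: does it cover what hits us?
        "false_positive_rate": fp / benign if benign else 0.0,    # flagged benign / all benign
        "mean_first_seen_lag_days": sum(lags) / len(lags) if lags else None,  # timeliness
        "expired_fraction": sum(1 for i in feed if i["expires"] < now) / len(feed),
        "coverage_by_type": coverage,
    }


# Constructed feeds, observations and incident-response timeline.
CSV_FEED = """indicator,type,first_seen,expires
203.0.113.10,ipv4,2019-03-01T00:00:00Z,2019-04-01T00:00:00Z
bad.example,domain,2019-03-05T00:00:00Z,2019-06-01T00:00:00Z
198.51.100.9,ipv4,2019-01-01T00:00:00Z,2019-02-01T00:00:00Z
"""
JSON_FEED = json.dumps([
    {"ioc": "203.0.113.10", "kind": "ipv4", "seen": "2019-03-10T00:00:00Z", "ttl_days": 30},
    {"ioc": "cdn.example", "kind": "domain", "seen": "2019-03-01T00:00:00Z", "ttl_days": 90},
])
OBSERVATIONS = [
    ("203.0.113.10", parse_iso("2019-03-15T00:00:00Z"), True),
    ("bad.example", parse_iso("2019-03-20T00:00:00Z"), True),
    ("cdn.example", parse_iso("2019-03-20T00:00:00Z"), False),   # benign CDN: a false positive if flagged
    ("198.51.100.9", parse_iso("2019-03-18T00:00:00Z"), True),   # feed A's indicator had already expired
    ("192.0.2.8", parse_iso("2019-03-21T00:00:00Z"), False),
]
ACTOR_ACTIVITY = {"203.0.113.10": parse_iso("2019-02-25T00:00:00Z"),
                  "bad.example": parse_iso("2019-03-04T00:00:00Z")}
NOW = parse_iso("2019-03-26T00:00:00Z")


def compare_feeds():
    """Score both feeds on the same observations; returns {feed_name: metrics}."""
    return {"feed_a_csv": evaluate(load_csv_feed(CSV_FEED), OBSERVATIONS, ACTOR_ACTIVITY, NOW),
            "feed_b_json": evaluate(load_json_feed(JSON_FEED), OBSERVATIONS, ACTOR_ACTIVITY, NOW)}


if __name__ == "__main__":
    for name, metrics in compare_feeds().items():
        print(name, metrics)
```

Running both feeds against the same labelled observations is what makes the comparison controlled: feed A scores higher on precision and recall and publishes indicators sooner after the actor became active, while feed B flags a benign CDN domain and learned of the same infrastructure nine days later. Expiry matters in both directions: feed A's stale indicator is correctly not credited for a hit after its expiry date, and the expired fraction shows how much of a feed is dead weight. Tracking these numbers per feed over time gives the quality metrics the Understanding TI slide asks for.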

Page 38