Defendect International Presentation for CBRNE Threat Detection
Threat Detection - Trends and Technology
March 26, 2019
Today’s web conference is generously sponsored by: Lastline (https://www.lastline.com/)
Moderator
Gabe is a technologist at heart who has been tinkering from an early age. In addition to running ISSA-UK, he has worked in 14 countries and across numerous sectors, bootstrapped a cloud cryptocurrency crowdfunding platform into profitability, built security programs from the ground up, led multi-million pound security service transitions and performed in-depth security engineering in SCADA environments. His current passions involve security economics, shifting security left, and the changing perception of information security in both business and the public eye.
Gabe Chomic, President, ISSA-UK
Speaker
Mohan is the Chief Technical Officer at RANK Software Inc. RANK is a Security Analytics company based out of Toronto, Canada. RANK makes Cybersecurity Simple, Accurate and Actionable. We analyze billions of events in near real-time to identify both internal and external threats. Our predictive modeling systems identify high-risk user, machine and application behavior before it becomes a threat. He managed a billion-dollar Fulfillment Business at Amazon, responsible for optimization algorithms, scaling (tens of billions of events per day) and availability of Amazon’s Global Fulfillment Platform, including Robotic systems, and was Site Leader for Amazon’s Toronto development center. Mohan has also built and managed Contextual Systems and Mobile Advertising at BlackBerry (Research in Motion), where he introduced Big Data technologies, forged vendor partnerships and managed Software Development teams across 3 countries.
Mohan Rao, CTO, RANK Software
SOLVING A HARD PROBLEM
Human intelligence works, but there aren’t enough analysts
Key Points:
• 3.5
• Reduced Investigation Time
• Time Saved
Source: Crowd Research Partners — 2018 Threat Hunting Report
Lots of tools out there, but are they being used correctly?
Key Points:
• Severity and frequency of attacks are increasing.
• 3.5 million fewer people than jobs
• $7.6 billion invested in cybersecurity companies
• $150 billion total revenues in cyber
Unfair Game – protect all, breach one
Security Solutions have not Kept Up!
Existing Tools and Resources are not Sufficient
• Billions of events per day. Handled in Batch
• False Positives
• Silo’d Systems
• Slow Human Reaction
• Delayed Response
• 3 Million Gap in Qualified Personnel.
Scale | Complexity | Manual | Resources
Threat Hunting and Security Analytics?
The process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.
This is in contrast to traditional threat management measures, such as firewalls, intrusion detection systems (IDS), malware sandbox (computer security) and SIEM systems, which typically involve an investigation of evidence-based data after there has been a warning of a potential threat.
Source: Wikipedia
CYBER SECURITY – THREAT MANAGEMENT FUNDAMENTAL TRUTHS
Key Points:
• 75% of respondents believe that threat hunting is of MAJOR IMPORTANCE
1. Batch analytics are too little & too late!
2. Context is king!
3. Data fidelity is a MUST!
Running a query that takes 2 hours so you can learn what next question to ask DOESN’T WORK!
Streaming data enrichment for essential time savings
Ingest data from any source (Network, End Points, SIEM, etc.) for complete visibility
Normalized field names across all data sources (e.g. dest_ip vs. DestinationHostAddress) for best accuracy
SIEMs using summarized data — useless for threat management
Real time data stream ingestion without losing fidelity
BATCH ANALYTICS ARE TOO LITTLE & TOO LATE!
TIMELY INVESTIGATION AND RESPONSE IS CRITICAL
Real Time Asset Mapping
• Kerberos, NTLM, AD integration.
• Building user sessions is hard but very useful.
Real Time Data Enrichment
• Internal & External Context at Ingestion Time
• Geo Location, Threat Intelligence, Malware IOCs.
Execute Custom & Pre-Configured Hunts
• Pre-defined queries assist in threat hunting
• Threat detection repositories (Sigma) enable content sharing
Visualization & UX
• Single window for detailed context
• Take action in one system
• Quickly make determinations
CONTEXT IS KING!
CORRELATING NETWORK TRAFFIC AND END POINT DATA TO PROVIDE COMPLETE VISIBILITY
Scalable Event Processing Framework
• Ingest & correlate multiple sources
• Internal / external events
• >10Gb per second
Real Time Data Enrichment
• Add context from across your network
• Risk score helps identify credible threats
• Massive reduction in false positives
Real Time Asset Mapping
• Mapping IPs to machine names/user names
• Normalized field names across all data sources
• Increased accuracy
Secondary Analysis
• Context to explain anomaly causes
• Assemble the story in a single system
DATA FIDELITY IS A MUST!
SUMMARIZED DATA LACKS VALUE NECESSARY FOR EFFECTIVE THREAT MANAGEMENT
The Straight Goods
• Summarized Data is not useful!
• Mapping attributes to a common schema is vital.
• Data should be searchable from disparate data sources through a common query language
• Duplicating data can be super expensive!
No Data Duplication
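The streaming enrichment the last three slides describe (normalize vendor field names to one schema, map IPs to assets at ingestion time, tag threat-intel IOCs, attach a risk score) as an added example; this is not the deck's or RANK's code, and the field maps, asset table, IOC list and sample batch are all constructed for illustration.

```python
# Constructed sample data: not the schema, assets or IOCs of any product named in the talk.
# Vendor field name -> common schema name (the "dest_ip vs. DestinationHostAddress" problem)
FIELD_MAP = {
    "zeek_conn": {"id.orig_h": "src_ip", "id.resp_h": "dest_ip", "id.resp_p": "dest_port"},
    "win_fw": {"SourceAddress": "src_ip", "DestinationHostAddress": "dest_ip",
               "DestinationPort": "dest_port"},
    "proxy": {"c_ip": "src_ip", "s_ip": "dest_ip", "s_port": "dest_port", "cs_username": "user"},
}
# Asset map, as if built from DHCP leases and AD logon events (IP -> host / current user)
ASSETS = {"10.0.1.25": {"host": "eng-ws-07", "user": "alice"}, "10.0.2.9": {"host": "code-srv-01"}}
# Threat-intel IOCs with expiry dates; an expired indicator must not raise the score
IOCS = {"203.0.113.77": {"tag": "c2", "expires": "2019-12-31"},
        "198.51.100.5": {"tag": "c2", "expires": "2018-01-01"}}
# One ingest batch as (source, raw event) pairs, in three different vendor formats
SAMPLE_BATCH = [
    ("win_fw", {"SourceAddress": "10.0.1.25", "DestinationHostAddress": "203.0.113.77",
                "DestinationPort": 443}),
    ("zeek_conn", {"id.orig_h": "10.0.1.25", "id.resp_h": "10.0.2.9", "id.resp_p": 3389}),
    ("proxy", {"c_ip": "10.0.3.3", "s_ip": "198.51.100.5", "s_port": 80, "cs_username": "bob"}),
]

def normalize(source, raw):
    """Rename vendor-specific fields to the common schema; unknown fields pass through."""
    fmap = FIELD_MAP[source]
    event = {fmap.get(k, k): v for k, v in raw.items()}
    event["source"] = source
    return event

def enrich(event, today):
    """Attach asset, IOC and risk context at ingest; `today` is an ISO date, compared as text."""
    ev = dict(event)
    asset = ASSETS.get(ev.get("src_ip"), {})
    ev["src_host"] = asset.get("host")
    ev.setdefault("user", asset.get("user"))  # keep the log's own user field if it had one
    ioc = IOCS.get(ev.get("dest_ip"))
    ev["ioc_tag"] = ioc["tag"] if ioc and today <= ioc["expires"] else None
    risk = 0
    if ev["ioc_tag"]:
        risk += 70  # destination matches a still-valid indicator
    if ev.get("dest_port") == 3389:
        risk += 20  # RDP, one of the lateral-movement behaviours the deck lists
    if ev["src_host"] is None:
        risk += 10  # unmapped source asset: context is missing, worth a second look
    ev["risk"] = risk
    return ev

def process(batch, today):
    """Normalize and enrich every event in a batch; return them highest risk first."""
    enriched = [enrich(normalize(src, raw), today) for src, raw in batch]
    return sorted(enriched, key=lambda e: e["risk"], reverse=True)
```

Because enrichment happens per event as it arrives, the analyst sees host, user and IOC context on the alert itself instead of running a follow-up query to find them.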
POWERFUL PRACTICAL AI & ML
UNSUPERVISED LEARNING NEEDS ANALYST INPUT TO BE EFFECTIVE
Model/Algorithm Ensemble
• Labeled Data Sets do not exist
• False Positives are a reality
• Active Learning / Reinforcement Learning needed to improve accuracy
• Anomalies without explanations are useless
Explainable AI
Incident Prediction
• Kill-chain correlation
• Bayesian Networks, Probabilistic Models
Collaboration Framework
COMMUNITY INSIGHT SHARING
Anonymize
• No Personally identifiable information
• Curated
Real-time
• Share and consume information instantaneously
Collective Intelligence
• Reduce false positives
• Improve Detections
• Sigma, Mitre etc.
Data Lake -> Automated SOC
Speaker
For more than 20 years, Brian Laing has shared his strategic business vision and technical leadership with a range of start-ups and established companies in various executive level roles. The author of “APT for Dummies,” Brian was previously vice president of AhnLab, where he directed the US operations of the internationally known security and software leader. He founded Hive Media and served as CEO. As the co-founder of RedSeal Systems, Brian conceived of the overall design and features of the product and was granted two patents related to network security. Brian was also founder and CEO of self-funded Blade Software that released the industry’s first commercial IPS/FW testing tool.
Brian Laing, SVP, Corporate Development & Strategic Alliances, Lastline
Figure: Complex Threats. Identify threats at the perimeter (drive-by exploit, malware download, C&C communication); detect lateral movement and internal threats (internal recon, port scans, asset discovery, privilege escalation, RDP protocol, large file upload); data exfiltration; alert enrichment via Global Threat Intelligence. Actors and assets in the diagram: bad actor, employee, engineering machine, engineering code server.
Unique Detection Approach
Threat Behaviors (Understanding Threats, Sandbox Analysis) + Network Behaviors (Network Baseline, Outliers / Anomalies) = High Fidelity Results
The Lastline AI Advantage
• More data sources
• Better input data
• Deep expertise in security and machine learning
Figure: Lastline’s Application of Machine Learning. Local packets, local flows and local files from customer networks feed the Lastline Data Sensors (Network, Web), Data Node, Manager and Detection Engine; the Global Threat Intelligence Network (Lastline, Partner, Customer) combines threat research and customer data into threat and behavioral intel, anomalies, network signatures and NTA models. Outputs: event data, network flows, behavioral output, shared intel via an open API.
Figure: AI-Powered Behavior Analysis. Full system emulation stack: physical hardware, guest OS (7 / XP), emulated machine, Lastline Emulator; inputs are unknown apps/docs and user interaction. Analysis layers: IP reputation, network signatures, anomaly detection, file behaviors, digital signatures, etc.
Figure: Complete Threat Visibility. The same kill-chain diagram as in Complex Threats (perimeter threats, lateral movement and internal threats, data exfiltration, alert enrichment via Global Threat Intelligence), annotated with Automated Data Aggregation, High Fidelity, Prioritized Alerts and Complete Context.
Speaker
Thomas has over 30 years of experience in the IT industry, ranging from software development to infrastructure and network operations and architecture, before settling in information security. He has an extensive security background covering roles from incident responder to security architect at Fortune 500 companies, vendors and consulting organizations. He is currently a security advocate and threat researcher focused on advising companies on understanding their data protection activities against malicious parties, not just for external threats but also those instigated by compliance.
Thomas is also an active participant in the InfoSec community, not only as a member but also as director of Security BSides London, ISSA UK chapter board member and speaker at events like SANS DFIR EMEA, DeepSec, Shmoocon, and various BSides events.
Thomas Fischer, Security Advocate and Threat Researcher
Finding a Suitable Threat Intelligence Provider
Thomas Fischer
Understanding TI
➢ Which TI vendor is fit for purpose?
➢ What metrics do you use to track quality over time?
➢ How do you extract value?
Understand your Environment
➢ Know your Threat Model
➢ What are you looking to supplement?
❑ Latest spear-phishing
❑ Latest crypto attacks
❑ APTs
Where is your Focus?
Figure: Breach | Kill-Chain Phase | Hunting & Response
What Makes a Good IoC
➢ Low False-Positive (FP) rate
➢ Actionable
❑ Quality of Context
➢Machine Readable
Actionable Information
➢ Quality of information
❑ Relevance (Should we care?)
❑ Accuracy (Is it true?)
❑ Completeness (Do we have enough details?)
❑ Timeliness (Is it still valid? Quick to publish? Expiry dates?)
❑ Ingestibility (Can we process/interpret it?)
➢ Scope of an information source ⇒ coverage
❑ Detection method (How was the information obtained?)
❑ Vantage (What is the focus of collection?)
❑ Volume (How much data is provided?)
Challenge: Fit for Purpose
➢ Best match for your focus?
➢ Data Diversity
❑ Coverage: IP, Domain, URLs, reputation, risks, …
❑ Are sources revealed?
➢ Test indicators in operation
➢ Labelling – How is an IoC defined
Challenge: Machine Readable
➢ What formats are provided
❑ CSV, XML, JSON
❑ STIX
❑ API access
➢ Filtering
❑ Keywords
❑ Labelling
Challenge: Data Standardisation
➢ No Standardisation
Challenge: First Seen?
Figure (timeline, time on the horizontal axis): Threat Actor Start, then Discovered by Researcher, then Indicators Available; the “Threat Actor Infrastructure Active” bar spans this whole period.
Recommendations
➢ Work with Data analysts
➢ Move towards “Capability Driven Threat Intelligence”
➢ Accept Failure
➢ Think and map use cases
➢ Can’t measure everything
➢ No one size fits all
Final Word
When looking for a provider, set up a controlled experiment to evaluate.
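One way to turn the controlled experiment above into the quality metrics the "What Makes a Good IoC" and "Actionable Information" slides ask for (false-positive rate when tested in operation, coverage of confirmed threats, first-seen lag, context and expiry completeness, indicator-type coverage), as an added example that is not the speaker's code; the two feeds, the sightings and the confirmed-bad ground truth are constructed, and the metric definitions are this example's own choices.

```python
# Constructed feeds, sightings and ground truth; the metric definitions are this example's own.
from datetime import date
from statistics import median

# Trial ground truth: indicators confirmed malicious by investigation, and the date each
# actor's infrastructure went live (the gap the "First Seen?" slide is about)
CONFIRMED_BAD = {"203.0.113.77", "evil.example"}
ACTOR_ACTIVE = {"203.0.113.77": "2019-01-10", "evil.example": "2019-02-01"}
# Feed indicators that actually matched in our sensors during the trial (tested in operation)
SIGHTINGS = {"feedA": {"203.0.113.77", "evil.example", "cdn.example"},
             "feedB": {"203.0.113.77", "10.0.0.1"}}
FEEDS = {
    "feedA": [
        {"value": "203.0.113.77", "type": "ip", "first_seen": "2019-01-20",
         "expires": "2019-07-20", "context": "C2 for actor X"},
        {"value": "evil.example", "type": "domain", "first_seen": "2019-02-03",
         "expires": "2019-08-03", "context": "phishing landing page"},
        {"value": "cdn.example", "type": "domain", "first_seen": "2019-02-10",
         "expires": None, "context": ""},  # shared CDN host: a false positive in operation
    ],
    "feedB": [
        {"value": "203.0.113.77", "type": "ip", "first_seen": "2019-01-12",
         "expires": None, "context": ""},
        {"value": "10.0.0.1", "type": "ip", "first_seen": "2019-02-15",
         "expires": None, "context": ""},  # private address: judged a false positive in the trial
    ],
}

def days_between(start, end):
    return (date.fromisoformat(end) - date.fromisoformat(start)).days

def evaluate(feed):
    """Metrics for one feed: FP rate among sighted indicators, coverage of confirmed
    threats, median days from actor going live to the indicator appearing, share of
    indicators carrying both context and an expiry, and indicator types covered."""
    inds = FEEDS[feed]
    seen = SIGHTINGS[feed]
    lags = [days_between(ACTOR_ACTIVE[i["value"]], i["first_seen"])
            for i in inds if i["value"] in ACTOR_ACTIVE]
    return {
        "fp_rate": len(seen - CONFIRMED_BAD) / len(seen),
        "coverage": len({i["value"] for i in inds} & CONFIRMED_BAD) / len(CONFIRMED_BAD),
        "median_lag_days": median(lags) if lags else None,
        "context_rate": sum(1 for i in inds if i["context"] and i["expires"]) / len(inds),
        "types": sorted({i["type"] for i in inds}),
    }

def rank_feeds():
    """Order feeds by lowest FP rate, then highest coverage, then shortest lag."""
    scores = {f: evaluate(f) for f in FEEDS}
    return sorted(FEEDS, key=lambda f: (scores[f]["fp_rate"], -scores[f]["coverage"],
                                        scores[f]["median_lag_days"] or 0))
```

Re-running evaluate() on each feed at the end of every trial period gives the trend line over time that the "Understanding TI" slide asks for.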