Infosecurity Europe 2016: Detect Insider and Advanced Threats by Leveraging Machine Learning
•Download as PPT, PDF•
1 like•346 views
Splunk User Behaviour Analytics presentation from inbooth theatre at Infosecurity Europe 2016
Recommended
Recommended
More Related Content
Viewers also liked
Viewers also liked (20)
Similar to Infosecurity Europe 2016: Detect Insider and Advanced Threats by Leveraging Machine Learning
Similar to Infosecurity Europe 2016: Detect Insider and Advanced Threats by Leveraging Machine Learning (20)
More from Splunk
More from Splunk (20)
Recently uploaded
Recently uploaded (20)
Infosecurity Europe 2016: Detect Insider and Advanced Threats by Leveraging Machine Learning
- 1. Copyright © 2016 Splunk Inc. Detect Insider and Advanced Threats by Leveraging Machine Learning
- 2. Fill out the Postcard and win a SONOS Play:1 today "currentTrack":{ "artist":"College", "title":"Teenage Color - Anoraak Remix", "album":"Nightdrive With You", "albumArtURI":"/getaa?s=1&u=x- sonos-spotify%3aspotify%253atrack %253a3DjBDQs8ebkxMBo2V8V3SH %3fsid%3d9%26flags%3d32", "duration":347, "uri":"x-sonos-spotify:spotify %3atrack %3a3DjBDQs8ebkxMBo2V8V3SH? sid=9&flags=32" },
- 3. Are you using Splunk already?
- 4. IN 2014, INDUSTRY SPENT $1.7 Billion SECURE EMAIL GATEWAY $1.3 Billion SECURE WEB GATEWAY $2.8 Billion ENDPOINT PROTECTION $1.2 Billion INTRUSION PREVENTION $9.4 Billion FIREWALL
- 5. $16+ Billion So why do we need even more tools?
- 6. FAMILIAR WITH THESE THREATS? January 2015 February 2015 February 2015 Morgan Stanley 730K PII Records Anthem Insurance 80M Patient Records Office of Personal Management 22M PII Records July 2015 Ashley Madison 37M PII Records
- 7. SO, WHAT IS THE COMPROMISED / MISUSED CREDENTIALS OR DEVICES LACK OF RESOURCES (SECURITY EXPERTISE) LACK OF ALERT PRIORITIZATION & EXCESSIVE FALSE POSITIVES PROBLEM?
- 8. EXTERNAL ATTACK USER ACTIVITY Peter and Sam access a compromised website - backdoor gets installed The attacker uses Peter’s stolen credential and VPNs into Domain Controller The attacker uses the backdoors to download and execute WCE – password cracker Peter’s and Sam’s devices begin communicating with CnC The attacker logs in as Sam and accesses sensitive documents from a file share The attacker steals the admin Kerberos ticket and escalates the privileges for Sam The attacker uses Peter’s VPN credential to connect, copies the docs to an external staging server, and logs out after three hours Day 1 . . Day 2 . . Day N
- 9. INSIDER THREAT John connects via VPN Administrator performs ssh (root) to a file share - finance department John executes remote desktop to a system (administrator) - PCI zone John elevates his privileges root copies the document to another file share - Corporate zone root accesses a sensitive document from the file share root uses a set of Twitter handles to chop and copy the data outside the enterprise USER ACTIVITY Day 1 . . Day 2 . . Day N
- 10. WHAT IS SPLUNK UBA? DETECT MALICIOUS INSIDER THREATS DETECT ADVANCED CYBERATTACKS
- 11. THE FOUNDATION ANOMALY DETECTION THREAT DETECTION UNSUPERVISED MACHINE LEARNING BEHAVIOR BASELINING & MODELING REAL-TIME & BIG DATA ARCHITECTURE
- 12. REAL-TIME & BIG DATA ARCHITECTURE SCALABLE ARCHITECTURE 0.5 Billion EVENTS
- 14. DESIGNED FOR A HUNTER ANOMALY DETECTION APPLYING ML AGAINST BEHAVIOR BASELINES
- 15. DESIGNED FOR A SOC ANALYST THREAT DETECTION ML DRIVEN AUTOMATED ANOMALY CORRELATION
- 16. INSIDER THREAT Day 1 . . Day 2 . . Day N John connects via VPN Administrator performs ssh (root) to a file share - finance department John executes remote desktop to a system (administrator) - PCI zone John elevates his privileges root copies the document to another file share - Corporate zone root accesses a sensitive document from the file share root uses a set of Twitter handles to chop and copy the data outside the enterprise USER ACTIVITY Unusual Machine Access (Lateral Movement; Individual & Peer Group) Unusual Zone (CorpPCI) traversal (Lateral Movement) Unusual Activity Sequence Unusual Zone Combination (PCICorp) Unusual File Access (Individual & Peer Group) Multiple Outgoing Connections & Unusual SSL session duration
- 17. PROXY SERVER PROXY SERVER FIREWALL FIREWALL WHAT DOES SPLUNK UBA NEED? ACTIVE DIRECTORY / DOMAIN CONTROLLER ACTIVE DIRECTORY / DOMAIN CONTROLLER DNS, DHCP DNS, DHCP SPLUNK ENTERPRISE ANY SIEM AT A MINIMUM
- 18. Demo
- 19. WHY SPLUNK UBA? THE MOST ADVANCED UEBA TECHNOLOGY THE LARGEST INVESTMENT IN MACHINE LEARNING A COMPLETE SOLUTION FROM SPLUNK DETECT THE UNKNOWNS IMPROVE SOC & HUNTER EFFICIENCY
- 20. WHAT CUSTOMERS HAVE TO SAY ABOUT SPLUNK UBA Splunk UBA is unique in its data-science driven approach to automatically finding hidden threats rather than the traditional rules-based approaches that doesn’t scale. We are pleased with the efficacy and efficiency of this solution as it makes the life of our SOC analysts’ way better. Mark Grimse, VP IT Security, Rambus A layered defense architecture is necessary to combat modern-day threats such as cyberattacks and insider threats, and it’s crucial to use a data science driven approach in order to find unknown patterns. I found Splunk UBA to be one of the most advanced technologies within the behavioral analytics space. Randolph Barr, CSO, Saba
- 21. Fill out the Postcard and win a SONOS Play:1 today "currentTrack":{ "artist":"College", "title":"Teenage Color - Anoraak Remix", "album":"Nightdrive With You", "albumArtURI":"/getaa?s=1&u=x- sonos-spotify%3aspotify%253atrack %253a3DjBDQs8ebkxMBo2V8V3SH %3fsid%3d9%26flags%3d32", "duration":347, "uri":"x-sonos-spotify:spotify %3atrack %3a3DjBDQs8ebkxMBo2V8V3SH? sid=9&flags=32" },
- 22. Thank you
Editor's Notes
- If you look back in the technology evolution It all started with Antivirus scanners, then network security to segment the networks. Then we got to early correlation in 2008 with traditional traditional Security Information Event Management stuff like 10 failed logons followed by a successful logon. After all of these we saw a big trend in object analysis. The sense that you might have with Palo Alto Networks Wildfire sandboxing technology - Analyse a PDF files behaviour when you open it and see if it is malicious or not. Now we are starting a new era with Machine learning behaviour analytics from big data.
- This is from an IDC report. We see that there have been 10 billion spent on firewalls. All sandboxing technologies included. You probably have this today.
- The market is about 16 billion dollars but we still need more tools. Why?
- Why? Because we still se breaches happening. If we look back at last year we saw some high profile breaches.
- Attacks are more sophisticated and personalised. 100% of breaches use legitimate accounts & credentials. The available tools are producing way more alerts than any one person or team can cope with and many of them are false positives. And to compound that problem there is a lack of available security expertise. There is 100% employment amongst security professionals. “Do not just rely on perimeter security. Use a threat intelligence platform to be able to recognize potential malware activity from multiple threat intelligence sources and act upon it.”
- Let’s think about an insider threat. If somebody is authorized and can access the information. The firewall will not help you, the proxy server will not help you, the IPS will not help you. You might have a DLP system but it will probably not be implemented properly. They are very difficult configure. Performs ssh – Lateral movement. This can happen in any organisation and its difficult to detect these flows as malicious against all the other legitimate flows. If you define this chain of events and look for it again it might detect it. But, if any of these steps are changed it will not be seen again.
- What can we find with the UBA product? The unique is that it is Use Case driven. It can detect those malicious insider threats. Detect advanced cyber attacks User activity things
- The foundation is a real time big data architecture. All of the data you send to it will be analyzed and behaviors of the data will be analyzed using models. This is all done with unsupervised machine learning. If you familiar with ML you know there it comes in 2 flavours: supervised and unsupervised. With supervised the system flags up things and you need to typically says yes or no if this is bad or not. With unsupervised the system learns on its own. We need about two weeks for a user and about 10k-20k data points, and from this we automatically learn the behavior to see if it is wrong or right. Based on this behavior we find any outlier to see if anything is wrong. There are hundreds of types of Anomalies – somebody signs on at a strange time. Somebody signs into a system they usually don’t sign into. Somebody sends data to a system they don’t usually send data to.
- The system is based on a real time data architecture. Scales in a similar way to Splunk Enterprise and uses the map reduce concepts. Scales to more than half a billion events per day.
- We are doing behaviour modeling on all the data that is being sent in. The product is called User Behaviour Analytics however we don’t just focus on the user. There are other products that just focus on the user. We could call the product User and Entity Behaviour Analytics as we analyze all behaviour from all entities. This means from Host, from Network, (Segments, IPs…), Applications, Data. All of this is then joined together. One user, on a specific host, within the office network is doing an SSH connection or Win file transfer. SFDC, SNOW etc is accessing a specific data on a specific host. For each such entity we create a relationship model. A behaviour model.
- We do a User & Entity Behvaiour Baseline – This is what I just showed you. Consider your system is already compromised when installing UBA. The threat behaviours will seem normal. We might miss a threat. To get around this we also do a Peer group Analysis. Based on this we will see that users in a specific department in a region might have one guy that is behaving differently to his peers. We will then surface an already infected account. There many other attack defenses as you can see on the slide here.
- Based around all of these behaviour models are anomalies. These anomalies are designed to be used by a Hunter. Somebody who is doing a security analysis and doing research. This might be a hundreds of even thousands of anomalies that this Hunter will go through to paint a picture of the current status or for investigating an incident or a user or entity.
- However this is not something you want to do every day as part of your standard procedures. UBA will also take these Anomalies to the next level by connecting them through visualizations and graphs and so on into Threats. How did they get in? How did they step through the network? Which systems did they access? If its not too late, which data did they exfiltrate? SOC analysts want the bigger picture and this will be their way of consuming the output of UBA. UBA does both Anomaly detection and threat detection out of the box. Speeds up the efficiency of your SOC and security team.
- If we look at the previous chain of events for the malicious insider, this is how UBA would aid in preventing that from happening. We can see Join connected with VPN and elevates his privileges. This means there is an unusual sequence of events for that user. We also see that he is connecting to an unusual zone (Corp->PCI). Everyone one of these are all anomalies are joined together to one threat which the SOC analyst can review.
- Here are some real world examples that our customer are seeing either in production or in the evaluation process. A retail customer has detected some lateral movements they did not want. A high tech company detected some IP theft. We have also seen in the manufacturing company some Pass the hash attacks for a MS system. You might be familiar with it. Multiple occurences of malware being detected where the Endpoint protection did not see it, but it was detected through anomalous behaviour of the hosts and users.
- You can feed data from Splunk Enterprise or, for that matter, any other SIEM solution. At a minimum UBA needs information about users, flows and hosts. UBA does not retain event data pertaining to threats and anomalies – to complete the solution UBA can export its detected threats to Splunk Enterprise Security where they are surfaced as Notable Events.
- User details scroll down here Demo_admin / UBA123
- To conclude and then I will point you to where you can find more resources of Splunk UBA. It is the biggest investment in machine learning in the industry and Splunk gives you a complete and full solution that gives you the end to end visibility and different use cases and the full lifecycle of the machine data from the collection phase to incident investigation to machine learning and then back. Splunk UBA improves your security operations center and your hunter efficiency.