
A Picture is Worth 1,000 Rows

Liz Maida, Co-founder & CEO, Uplevel Security (acquired by McAfee)



  1. A Picture is Worth 1,000 Rows
     Elisabeth Maida, Founder & CEO, Uplevel
  2. Security teams are overwhelmed with data
     • 40 Security Vendors
     • 1,000 Alerts Per Week
     • 3.5 million Indicators Per Month
  3. “You need to know what to look for in order to find it”
     • Can create searches to generate high priority events
     • Need to know what searches to write
     • Rules require on-going support and maintenance
     • Complex queries can be difficult to decode and interpret - “what exactly is this searching for?”
     • Interactions between overlapping rules can be difficult to untangle
  4. Graphs can provide a visual indication of activity requiring investigation
  5. Graph algorithms can help identify events that should be investigated and remediated as a unit
     - Alerts about the same underlying event generated by different security devices
     - Sequential events about an ongoing attack
     - Multiple users targeted using the same tactic or by the same threat actor
     - Alerts constituting a progressing attack or attack vectors
  6. Terminology
     Alert: Event triggered by a security product identifying potentially malicious behavior
     Attribute: Technical characteristic such as “file hash”
     Indicator: Threat intelligence indicating that a specific attribute (or group of attributes) identifies malicious behavior
  7. Community detection algorithms can help identify related alerts
     (Source: Mark Needham and Amy E. Hodler, Graph Algorithms: Practical Examples in Apache Spark and Neo4j)
  8. Pre-processing the graph can enhance the community detection
     [Figure: Potential Malware Activity]
  9. Centrality algorithms can help prioritize alert clusters
     (Source: Mark Needham and Amy E. Hodler, Graph Algorithms: Practical Examples in Apache Spark and Neo4j)
  10. Output of our pre-processing can also be used to generate new indicators
     (Source: FireEye, Double Dragon: APT41, a Dual Espionage and Cyber Crime Operation)
  11. Other opportunities for graph algorithms in cybersecurity
     • Creating attack pattern fingerprints and using graph pattern matching and subgraph isomorphism
     • Applying label propagation to cascade maliciousness through the graph
     • Using centrality and betweenness to assess commonality of tactics, techniques, and procedures across attackers
  12. Thank you!
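The pipeline sketched across slides 5 to 9 (alerts linked through shared attributes, pre-processing to remove noise, community detection to group related alerts, centrality to prioritize the resulting clusters) can be shown end to end in a few dozen lines. The block below is an added example written for this page; it is not code from the talk, from Uplevel, or from the cited book. It uses pure Python rather than Neo4j or Spark, the six alerts and their attributes are constructed sample data, and it uses connected components as the simplest community criterion and degree centrality as the ranking signal. The pre-processing step drops "hub" attributes that appear on almost every alert (here a resolver address every host talks to); the test at the end shows that without that step every alert collapses into a single cluster.

```python
from collections import defaultdict, deque

# Constructed sample alerts (not from the talk). Attribute strings are
# "type:value" so a file hash and a hostname can never collide. Every alert
# also carries the address of the internal resolver, which is exactly the kind
# of attribute that glues unrelated alerts together if it is not pruned.
ALERTS = [
    {"id": "A1", "product": "EDR",   "attrs": {"hash:aa11", "host:ws-07", "dns:10.0.0.2"}},
    {"id": "A2", "product": "AV",    "attrs": {"hash:aa11", "host:ws-07", "dns:10.0.0.2"}},
    {"id": "A3", "product": "Proxy", "attrs": {"host:ws-07", "ip:203.0.113.9", "dns:10.0.0.2"}},
    {"id": "A4", "product": "IDS",   "attrs": {"ip:203.0.113.9", "host:ws-12", "dns:10.0.0.2"}},
    {"id": "A5", "product": "EDR",   "attrs": {"hash:bb22", "host:ws-31", "dns:10.0.0.2"}},
    {"id": "A6", "product": "AV",    "attrs": {"hash:cc33", "host:ws-44", "dns:10.0.0.2"}},
]


def hub_attributes(alerts, max_share=0.5):
    """Pre-processing step: attributes present on more than max_share of all
    alerts carry no discriminating signal and would merge every cluster."""
    counts = defaultdict(int)
    for alert in alerts:
        for attr in alert["attrs"]:
            counts[attr] += 1
    return {attr for attr, n in counts.items() if n > max_share * len(alerts)}


def build_graph(alerts, drop=frozenset()):
    """Undirected bipartite graph: each alert node links to its attribute nodes."""
    adj = defaultdict(set)
    for alert in alerts:
        adj[alert["id"]]  # touch the key so alerts with no attributes left still exist as nodes
        for attr in alert["attrs"] - drop:
            adj[alert["id"]].add(attr)
            adj[attr].add(alert["id"])
    return adj


def alert_communities(adj, alert_ids):
    """Group alerts by connected component of the bipartite graph (BFS).
    Connected components are the simplest community criterion; modularity-based
    methods such as Louvain would additionally split large, loosely joined ones."""
    seen, communities = set(), []
    for start in sorted(alert_ids):
        if start in seen:
            continue
        component, queue = set(), deque([start])
        seen.add(start)
        while queue:
            node = queue.popleft()
            if node in alert_ids:
                component.add(node)
            for neighbour in adj[node]:
                if neighbour not in seen:
                    seen.add(neighbour)
                    queue.append(neighbour)
        communities.append(component)
    return communities


def degree_centrality(adj, alert_ids):
    """Degree centrality of attribute nodes: the share of alerts that carry them."""
    return {n: len(adj[n]) / len(alert_ids) for n in adj if n not in alert_ids}


def rank_clusters(alerts, max_share=0.5):
    """Full pipeline: prune hubs, build the graph, detect communities, then score
    each cluster by size times the number of distinct products that raised it
    (independent corroboration) and name its most central attribute as the pivot."""
    alert_ids = {a["id"] for a in alerts}
    product_of = {a["id"]: a["product"] for a in alerts}
    adj = build_graph(alerts, drop=hub_attributes(alerts, max_share))
    centrality = degree_centrality(adj, alert_ids)
    ranked = []
    for component in alert_communities(adj, alert_ids):
        attrs = set().union(*(adj[aid] for aid in component))
        products = {product_of[aid] for aid in component}
        ranked.append({
            "alerts": sorted(component),
            "products": sorted(products),
            "pivot": max(attrs, key=lambda x: (centrality[x], x)) if attrs else None,
            "score": len(component) * len(products),
        })
    ranked.sort(key=lambda r: (-r["score"], r["alerts"]))
    return ranked


if __name__ == "__main__":
    for cluster in rank_clusters(ALERTS):
        print(cluster)
```

On the sample data the top cluster is A1 to A4: four alerts from four different products, joined through the shared hash, the workstation and the external address, with the workstation as the most central attribute and therefore the natural pivot for an analyst. A5 and A6 stay as singletons. The pivot of a cluster is also the candidate that slide 10 describes, an attribute that pre-processing surfaces and that can be promoted to a new indicator once confirmed.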
