THE NEED FOR CONTEXT: Applying Machine Learning to Incident Response. Matt
Presentation transcript:

Who Am I? Product manager (fraud prevention to infosec); former math(s) geek; solution skeptic; frequent ranter.
Who I Am Not: a data scientist; a security practitioner; a marketer.

Then Why Me And This Topic? Confidential and Proprietary
– Data science is a very broad field, and new for security
– Machine learning is currently beloved by InfoSec marketing teams
– Product managers need to be the realists

Today’s Topics
– De-mystifying the buzzwords
– Ultimate goals of machine learning in your organisation
– Domain expertise is a must
– Context must be applied before the algorithms
– Significant strides being made (and where)
– Prompt response seen from attackers

DE-MYSTIFYING THE BUZZWORDS

Big Data Analytics “Big data is like teenage sex: everyone talks about it, nobody really knows how to do it, everyone thinks everyone else is doing it, so everyone claims they are doing it” — Dan Ariely

Machine Learning

Baselining & Anomaly Detection

Peer Group Analysis

Artificial Intelligence

WHY?
– What information is going to be produced?
– Why is it important to the security team?
– How easily can it be explained?
– Who will be capable of digesting and acting upon it?

ULTIMATE GOALS OF ML IN YOUR ORGANISATION

Do You Have Data Scientists On Staff?
Yes:
– You need data and a toolkit
– Unfinished results are okay
– Unsupervised learning helps
– Alerting data scientists is okay
No:
– You need simple results
– Value is prioritisation
– Key question: “Is this normal?”
– Just fewer alerts, please

Data Scientists On Staff – Unsupervised
Purpose: reveal hidden information
– No target variable
– Learns patterns that segregate data into groups/clusters
– “Discovered” groups reveal hidden structure in the data


Data Scientists On Staff – Results
– A lot of dead-ends (but that’s okay)
– Reveals extensive misconfigurations and unpredictable behaviour
– Identifies valuable areas to explore deeper with the experts
– Leads to supervised learning algorithms the security team can use

No DS Staff – Simple Results
Purpose: make predictions
– Known target variable
– Learns patterns corresponding to target values
– Makes predictions on new data (blind to actual outcomes)

No DS Staff – “Is This Normal?” (Group)
Anomalous findings in a specific data set (example: DNS)

No DS Staff – “Is This Normal?” (Asset)
Basic counting has an immense value:
– Live Security Platinum: 1 instance
– dwm: 1,200 instances

No DS Staff – “Is This Normal?” (User)
Stray from the baseline for a specific individual

No DS Staff – “Is This Normal?”
Viewing the anomalies and commonalities alongside the alerts:
– Same asset has a unique process running
– Large spike in firewall traffic from the primary user 12 hours earlier
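The three "is this normal?" checks above (asset prevalence, user baseline, and the correlation of both with an alert) as one added worked example. This is illustration code, not code from the talk: the process inventory, asset-to-user map and hourly firewall series are constructed; the rogue process name, the user john.hand, the 12-hour gap and the Friday 23 February date come from the slides, while the year (2018), the host names (ws-0731 and friends) and the traffic volumes are assumptions.

```python
"""Three 'is this normal?' checks (asset, user, and their correlation with an
alert) over constructed data. Added illustration, not code from the deck."""
from collections import defaultdict
from datetime import datetime, timedelta
import statistics

# Constructed process inventory: (asset, process_name). Every workstation runs
# dwm.exe and explorer.exe; exactly one also runs the rogue "antivirus" named
# on the slide.
PROCESS_INVENTORY = []
for i in range(1200):
    host = f"ws-{i:04d}"
    PROCESS_INVENTORY.append((host, "dwm.exe"))
    PROCESS_INVENTORY.append((host, "explorer.exe"))
PROCESS_INVENTORY.append(("ws-0731", "Live Security Platinum.exe"))

# Constructed asset -> primary user map; john.hand is the user from the slides.
PRIMARY_USER = {f"ws-{i:04d}": f"user{i}" for i in range(1200)}
PRIMARY_USER["ws-0731"] = "john.hand"

# Constructed hourly egress bytes for john.hand: a gentle deterministic ramp
# (50-56 MB/h) over 30 days, plus one 2 GB hour 12 hours before the alert.
ALERT_TIME = datetime(2018, 2, 23, 14, 0)          # year is an assumption
SPIKE_TIME = ALERT_TIME - timedelta(hours=12)
START = ALERT_TIME - timedelta(days=30)
FIREWALL_BYTES = {START + timedelta(hours=h): 50_000_000 + h * 7919
                  for h in range(30 * 24)}
FIREWALL_BYTES[SPIKE_TIME] = 2_000_000_000


def _assets_by_process(inventory):
    seen = defaultdict(set)
    for asset, proc in inventory:
        seen[proc].add(asset)
    return seen


def process_prevalence(inventory):
    """Process name -> number of distinct assets it was observed on."""
    return {p: len(a) for p, a in _assets_by_process(inventory).items()}


def rare_processes(inventory, max_assets=1):
    """Processes seen on at most `max_assets` assets, with those assets.
    Plain counting: a binary on 1 of 1,200 hosts is worth a look."""
    return {p: sorted(a) for p, a in _assets_by_process(inventory).items()
            if len(a) <= max_assets}


def baseline_deviations(series, threshold=3.0):
    """Score each hourly sample against the user's own history (leave-one-out
    z-score) and return the samples that stray beyond `threshold` sigmas."""
    times = sorted(series)
    values = [series[t] for t in times]
    found = []
    for i, (t, v) in enumerate(zip(times, values)):
        rest = values[:i] + values[i + 1:]
        mu, sigma = statistics.mean(rest), statistics.pstdev(rest)
        z = (v - mu) / sigma if sigma else 0.0
        if z > threshold:
            found.append((t, v, round(z, 1)))
    return found


def explain_alert(asset, alert_time, inventory, user_series, lookback_hours=24):
    """Collect the anomalies on the alerting asset and on its primary user
    within the lookback window: the context an analyst wants next to the alert."""
    findings = []
    for proc, assets in rare_processes(inventory).items():
        if asset in assets:
            findings.append(f"{asset}: process '{proc}' seen on {len(assets)} "
                            f"of {len({a for a, _ in inventory})} assets")
    user = PRIMARY_USER.get(asset)
    window_start = alert_time - timedelta(hours=lookback_hours)
    for t, v, z in baseline_deviations(user_series.get(user, {})):
        if window_start <= t <= alert_time:
            hours_before = int((alert_time - t).total_seconds() // 3600)
            findings.append(f"{user}: firewall egress {v / 1e9:.1f} GB at "
                            f"{t:%Y-%m-%d %H:%M} (z={z}), {hours_before}h before the alert")
    return findings


if __name__ == "__main__":
    for line in explain_alert("ws-0731", ALERT_TIME, PROCESS_INVENTORY,
                              {"john.hand": FIREWALL_BYTES}):
        print(line)
```

The leave-one-out z-score is deliberate: scoring a sample against a baseline that includes itself lets a single large spike inflate the standard deviation enough to hide itself. On real data you would also want a per-user-per-hour-of-day baseline rather than one flat series, but the shape of the check is the same.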

No DS Staff – Rare ‘Alert’ Use Case
– Premise 1: Malicious links have something(s) in common
– Premise 2: The commonalities are hard to spot with the naked eye
– Premise 3: Given enough data, algorithms can find these hidden common factors and learn to separate good links from bad ones. This is machine learning!
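The three premises on the slide, as an added worked example of the simplest supervised link classifier: a naive Bayes model over URL tokens plus a few structural flags, trained on labelled links. This is illustration code, not the talk's own model; the ten training URLs are constructed and tiny (a real model needs thousands), and the feature names prefixed `F:` are assumptions of this example.

```python
"""Naive Bayes over URL tokens: a minimal supervised classifier for
'is this link like the bad ones?'. Added illustration with constructed,
labelled URLs; not the talk's own model or data."""
import math
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed training set. Real deployments need thousands of labelled links.
TRAINING = [
    ("http://192.168.3.7/secure/login/verify.php", "bad"),
    ("http://paypa1-account-update.example/signin/confirm", "bad"),
    ("http://bankofamerica.example.evil/update/account/verify", "bad"),
    ("http://free-prize.example/claim/login?user=me", "bad"),
    ("http://secure-mail-login.example/verify/password", "bad"),
    ("https://github.com/owner/repo/pull/1234", "good"),
    ("https://docs.python.org/3/library/re.html", "good"),
    ("https://en.wikipedia.org/wiki/Machine_learning", "good"),
    ("https://www.example.com/about/team", "good"),
    ("https://mail.google.com/mail/u/0/", "good"),
]

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def tokenize(url):
    """Lexical tokens plus a few structural flags; the 'hidden common factors'
    the slide refers to are usually a mix of both kinds."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    tokens = [t for t in re.split(r"[^a-z0-9]+", url.lower()) if t]
    if IPV4.match(host):
        tokens.append("F:ip_literal_host")
    if host.count(".") >= 3:
        tokens.append("F:deep_subdomain")
    if "@" in parsed.netloc:
        tokens.append("F:userinfo")
    if len(url) > 60:
        tokens.append("F:long_url")
    return tokens


def train(examples):
    """Per-class token counts and document counts; the whole model is a dict."""
    counts = {"good": Counter(), "bad": Counter()}
    docs = Counter()
    for url, label in examples:
        counts[label].update(tokenize(url))
        docs[label] += 1
    vocab = set(counts["good"]) | set(counts["bad"])
    return {"counts": counts, "docs": docs, "vocab_size": len(vocab)}


def score(model, url):
    """log P(bad|url) - log P(good|url) with add-one smoothing; > 0 leans bad."""
    counts, docs, v = model["counts"], model["docs"], model["vocab_size"]
    total_docs = sum(docs.values())
    logodds = math.log(docs["bad"] / total_docs) - math.log(docs["good"] / total_docs)
    for tok in tokenize(url):
        for label, sign in (("bad", 1), ("good", -1)):
            n = sum(counts[label].values())
            logodds += sign * math.log((counts[label][tok] + 1) / (n + v))
    return logodds


def classify(model, url, threshold=0.0):
    """The threshold is the knob the security team tunes: raise it for fewer,
    higher-confidence alerts."""
    return "bad" if score(model, url) > threshold else "good"


MODEL = train(TRAINING)

if __name__ == "__main__":
    for url in ("http://10.0.0.5/account/login/verify",
                "https://docs.python.org/3/library/json.html"):
        print(f"{classify(MODEL, url):4s} {score(MODEL, url):+.2f}  {url}")
```

Note what the model actually learns here: `http` versus `https`, an IP-literal host, and words like `login`/`verify`/`account`. Those are exactly the "commonalities hard to spot with the naked eye" at scale, and exactly the features an attacker will change once they notice they are being caught, which is why the later slides insist on a feedback loop.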

3 Most Important Factors In an “ML Solution”
1. Implement the analysis techniques without bias
2. Understand the domain enough to understand the data
3. Combine techniques and add context to quickly explain results

DOMAIN EXPERTISE

Interesting… Useless…

Not All Data Is Relevant

An Absolute Must

APPLYING CONTEXT BEFORE MATH(S)

Trading Noise

Context to Understand
– WHO: John Hand, cloud operations
– WHERE: Primary asset ‘mac-7345’
– WHAT: Massive spike in firewall traffic to AWS
– WHEN: Friday, 23rd February

Root Cause… Sooner
1. Data was generated
–Understand why it was generated
–Automate the explanation
2. Analyse the root cause instead of the data
–You shouldn’t have to make sense of a raw log line
–If you know what was actually done, you can decide if it was misuse/abuse
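The "automate the explanation" step above, as an added worked example that turns one raw firewall line into the WHO / WHERE / WHAT / WHEN summary of the Context to Understand slide. This is illustration code, not the talk's own tooling: the log line, its field names, the asset and identity lookups, the destination range labelled AWS and the asset's typical-egress baseline are all constructed; the user, team, asset name and date come from the slides, and the year (2018) is an assumption.

```python
"""Turn one raw firewall line into the WHO / WHERE / WHAT / WHEN summary an
analyst can act on. Added illustration with constructed data and inventories;
not the talk's own tooling."""
import ipaddress
import re
from datetime import datetime

# Constructed raw line in a key=value style; the field names are assumptions.
RAW_LOG = ("2018-02-23T02:14:07Z fw01 action=allow src=10.20.5.17 "
           "dst=52.94.76.10 dport=443 proto=tcp bytes_out=1873400000")

# Constructed lookups the explanation is built from. In practice these come
# from the asset inventory / CMDB, the identity directory and the cloud
# provider's published address ranges (AWS publishes ip-ranges.json), not code.
ASSETS = {"10.20.5.17": {"asset": "mac-7345", "primary_user": "John Hand",
                         "team": "cloud operations"}}
KNOWN_DEST_NETS = [(ipaddress.ip_network("52.94.76.0/22"), "AWS")]  # constructed
TYPICAL_HOURLY_EGRESS = {"mac-7345": 60_000_000}   # bytes, constructed baseline

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<fw>\S+) (?P<kv>.*)$")


def parse_line(line):
    """Raw line -> dict of fields. A parse failure is raised, not swallowed,
    so an unexpected log format never turns into a silent gap in coverage."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    event = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
             "fw": m["fw"]}
    for pair in m["kv"].split():
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def label_destination(ip):
    addr = ipaddress.ip_address(ip)
    for net, label in KNOWN_DEST_NETS:
        if addr in net:
            return label
    return "unlabelled destination"


def add_context(event):
    """Join the event to asset, identity and destination context and compare
    the volume with the asset's own baseline."""
    asset = ASSETS.get(event["src"], {"asset": event["src"],
                                      "primary_user": "unknown", "team": "unknown"})
    bytes_out = int(event["bytes_out"])
    typical = TYPICAL_HOURLY_EGRESS.get(asset["asset"])
    ratio = bytes_out / typical if typical else None
    what = (f"{bytes_out / 1e9:.2f} GB egress to {label_destination(event['dst'])} "
            f"over {event['proto']}/{event['dport']}")
    if ratio is not None:
        what += f", {ratio:.0f}x this asset's typical hourly egress"
    return {
        "who": f"{asset['primary_user']}, {asset['team']}",
        "where": f"primary asset {asset['asset']} ({event['src']}) via {event['fw']}",
        "what": what,
        "when": event["ts"].strftime("%A, %d %B %Y %H:%M UTC"),
        "ratio": ratio,
    }


def explain(line):
    ctx = add_context(parse_line(line))
    return "\n".join(f"{k.upper()}: {ctx[k]}" for k in ("who", "where", "what", "when"))


if __name__ == "__main__":
    print(explain(RAW_LOG))
```

The point of the join is the last question on the slide: once the line reads "John Hand in cloud operations pushed 1.87 GB to AWS from his own laptop on a Friday night, 31x his usual hourly volume", a human can decide whether that is a legitimate deployment or misuse without ever reading the raw log line.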

SIGNIFICANT STRIDES

Gartner: UBA (or UEBA) Definition: User and entity behaviour analytics (UEBA) evaluates the activity of users and other entities (for example, applications, IP addresses, devices and networks) in combination with resource access to discover security infractions. UEBA profiles the behaviour of individuals, groups of individuals and, optionally, other entities (for example, devices) to discover malicious behaviour. “It achieves a better signal-to-noise ratio than security information and event management (SIEM) or data loss prevention (DLP)…”

But It Will Take Time…

Still Early Days
Look out for solutions:
– Promising too much – “works for credit card fraud and insider threats”
– Lacking focus – “identifies anomalies in any data set”
– Selling on buzzwords – “Big Data anomaly detection approach using identity as a threat surface along with contextual access, intelligent security analytics…”
Run a POC:
– Your team needs to see it analyse your data

ATTACKER RESPONSE

Just Don’t Rely Too Heavily On ML

The Importance of The Feedback Loop

Remember to always ask “WHY?”
– What information is going to be produced?
– Why is it important to the security team?
– How easily can it be explained?
– Who will be capable of digesting and acting upon it?

THANK YOU