Presentation is loading. Please wait.

Presentation is loading. Please wait.

Charles Herring Project Lead WitFoo July 14, 2016 Removing InfoSec Noise with Law Enforcement Paradigms Detective Bill Ritch Law Enforcement Advisor WitFoo.

Published byAlison Small Modified over 8 years ago

Similar presentations

Presentation on theme: "Charles Herring Project Lead WitFoo July 14, 2016 Removing InfoSec Noise with Law Enforcement Paradigms Detective Bill Ritch Law Enforcement Advisor WitFoo."— Presentation transcript:

1 Charles Herring Project Lead WitFoo July 14, 2016 Removing InfoSec Noise with Law Enforcement Paradigms Detective Bill Ritch Law Enforcement Advisor WitFoo James Clark Lead Information Security Engineer The University of Chicago

2 WitFoo Mission Event Reduction Tuning Higher level events Aggregation Automation WitFoo exists to build and mature the craft of Information Security through delivery of tools, process, community and training. Foo the Noise Cycle Reduction Context Intel Collaboration Business Metrics Own the Craft Research and Development Areas

3 Research Effectively Discover how to stop Investigative failure Study other crafts (Law Enforcement) “MO Processing should reduce events to operational levels.” Build tools to test hypothesis

4 History of Detection

5 Detection 1.0 – Event Processing Focused on Verb/Action Counts >1M daily Attributes of host

6 Detection 1.0 – Event Processing Focused on Verb/Action Counts >1M daily Attributes of host

7 Detection 1.0 – Event Processing Challenge: Scale Challenge: Context

8 Detection 1.1 - Classification Does not reduce event count

9 Detection 1.1 - Classification Does not reduce event count

10 Detection 1.1 - Classification useful for high-level guidance, further study, tuning...less useful for operations taxonomy provided by vendor or tool

11 Detection 1.2 – Triage Part 1: Priority maximize the number of survivors triage : the sorting of and allocation of treatment to patients and especially battle and disaster victims according to a system of priorities designed to maximize the number of survivors Picking where to FAIL Success is impossible Reduction through failureReduction through failure

12 Detection 1.2 – Triage Part 1: Priority maximize the number of survivors triage : the sorting of and allocation of treatment to patients and especially battle and disaster victims according to a system of priorities designed to maximize the number of survivors Picking where to FAIL Success is impossible Reduction through failureReduction through failure

13 Detection 1.0 – Event Processing Focused on Verb/Action Counts >1M daily Events (1M+) 1.0

14 Detection 2.0 – Host/User Evaluation Host/User Centric Make events into attributes Focuses on Behavior UBA/NBA Contextual attributes Vulnerability Risk Event Counts Event Types

15 Suspect Centric Investigations

16 Detection 2.0 – Host Analysis Focused on Verb/Action Counts >1M daily Still Triaging (too much noise) Events (1M+) Hosts (100k+) 1.0 2.0

17 The Research

18 Connecting Facts

19 New Hypothesis “Using Modus Operandi modeling, events can be connected to produce operational levels of higher level events reducing operational strain.” Plan: Create sets of member types and query flow tools to look for connections between the sets.

20 Incident Incident – an observed progression of a MO

21 What is the right MO? MITRE ATT&CK One size does not fit all How to operationalize in detection

22 Not all Gang Murders are Drive-bys

23 Synthetic MO Candidate Experiment Check every possible pathway (n factorial) (5,040 for 7 sets)

24 Detection 3.0 – MO Analysis Focused on Adversary Process Counts 100+ daily False Negative Conditions How to build accurate MO? (Synthetic) MO Candidate Events (1M+) Hosts (100k+) MO (100+) 1.0 2.0 3.0

25 30 Bullets = 30 Investigations?

26 Evidence Board – Link Analysis

27 Bioinformatics

28 New Hypothesis “Using Link Analysis, events can be connected to produce operational levels of higher level events reducing operational strain.” Plan: Connect incidents from 3.0 using Bioinformatics (cytoscape)

29 4.0 - Link Board (via Cytoscape) Incidents connected with correlations Nodes being used in same sets Utilizing Bio-informatics library – Cytoscape Creates “Incident Groups”

30 “Cloud of Death” = Noise

31 Bad Tips

32 Detection 4.0 – Incident Link Analysis Aggregates Incidents to Groups Daily counts are manageable Dependent on Gap coverage Dependent on Good Leads Needs good MO Events (1M+) Hosts (100k+) MO (100+) ILA (<12) 1.0 2.0 3.0 4.0

33 Research Findings MO Analysis can reveal “major crimes” and significantly reduce noise MO need to be complex to allow for multiple pathways MO Research needs to be ongoing ILA can further reduce MO noise into higher level objects without false negatives ILA can easily reveal errors in event generation from tools ILA can link coordinated attacks Event visibility gaps can lead to false negative conditions Need to expand research to users and files (beyond network)

34 Beta Program http://WitFoo.com/Beta Technologies to integrate: ArcSight LogRhythm OpenSOC Splunk SiLK BRO IDS Industries to test: Manufacturing Healthcare Finance Event Reduction Tuning Higher level events Aggregation Automation Foo the Noise Cycle Reduction Context Intel Collaboration Business Metrics Own the Craft Research and Development Areas Commercial Beta Available August 1, 2016 (by invitation)

35 Charles Herring Project Lead WitFoo July 14, 2016 Removing InfoSec Noise with Law Enforcement Paradigms Detective Bill Ritch Law Enforcement Advisor WitFoo James Clark Lead Information Security Engineer The University of Chicago

Download ppt "Charles Herring Project Lead WitFoo July 14, 2016 Removing InfoSec Noise with Law Enforcement Paradigms Detective Bill Ritch Law Enforcement Advisor WitFoo."

Similar presentations

New Challenges in M&E Lets go. Scaling Up Monitoring & Evaluation Strategic Information PROGRAM GUIDANCE RESULT NEEDS OPPORTUNITIES Resources New directions.

New Challenges in M&E Lets go. Scaling Up Monitoring & Evaluation Strategic Information PROGRAM GUIDANCE RESULT NEEDS OPPORTUNITIES Resources New directions.
Security Administration Tools and Practices Amit Bhan Usable Privacy and Security.

Security Administration Tools and Practices Amit Bhan Usable Privacy and Security.
©2014 Bit9. All Rights Reserved The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain Chris Berninger, Sr. Solutions.

©2014 Bit9. All Rights Reserved The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain Chris Berninger, Sr. Solutions.
Building a Threat Intel Team Ryan Olson Director of Threat Intelligence October, 2014.

Building a Threat Intel Team Ryan Olson Director of Threat Intelligence October, 2014.
©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.

©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.
Look Who’s Talking: Discovering Dependencies between Virtual Machines Using CPU Utilization HotCloud 10 Presented by Xin.

Look Who’s Talking: Discovering Dependencies between Virtual Machines Using CPU Utilization HotCloud 10 Presented by Xin.
The State of Security Management By Jim Reavis January 2003.

The State of Security Management By Jim Reavis January 2003.
Report on Intrusion Detection and Data Fusion By Ganesh Godavari.

Report on Intrusion Detection and Data Fusion By Ganesh Godavari.
APPLICATION OF A RISK-BASED DECISION SUPPORT TOOL FOR EVALUATING AVIATION TECHNOLOGY INTEGRATION TO A CONTROLLED-FLIGHT-INTO-TERRAIN ACCIDENT by Denise.

APPLICATION OF A RISK-BASED DECISION SUPPORT TOOL FOR EVALUATING AVIATION TECHNOLOGY INTEGRATION TO A CONTROLLED-FLIGHT-INTO-TERRAIN ACCIDENT by Denise.
Cumulative Violation For any window size  t  Communication-Efficient Tracking for Distributed Cumulative Triggers Ling Huang* Minos Garofalakis.

Cumulative Violation For any window size  t  Communication-Efficient Tracking for Distributed Cumulative Triggers Ling Huang* Minos Garofalakis.
ChemConnect Leading in negotiation solutions for commercial products.

ChemConnect Leading in negotiation solutions for commercial products.
LÊ QU Ố C HUY ID: QLU13069 1. OUTLINE  What is data mining ?  Major issues in data mining 2.

LÊ QU Ố C HUY ID: QLU OUTLINE  What is data mining ?  Major issues in data mining 2.
Solution Overview for NIPDEC- CDAP July 15, 2005.

Solution Overview for NIPDEC- CDAP July 15, 2005.
Texas House of Representatives Committee on Criminal Jurisprudence Testimony of Randall S. James Banking Commissioner Texas Department of Banking August.

Texas House of Representatives Committee on Criminal Jurisprudence Testimony of Randall S. James Banking Commissioner Texas Department of Banking August.
© 2014 The MITRE Corporation. All rights reserved. Greg Nelson June 23, 2014 Aviation Safety Information Analysis and Sharing (ASIAS) Overview.

© 2014 The MITRE Corporation. All rights reserved. Greg Nelson June 23, 2014 Aviation Safety Information Analysis and Sharing (ASIAS) Overview.
Created by Lt. S. Albright – Paramedic SCEMS Triage Tag Training Manual.

Created by Lt. S. Albright – Paramedic SCEMS Triage Tag Training Manual.
Report on Intrusion Detection and Data Fusion By Ganesh Godavari.

Report on Intrusion Detection and Data Fusion By Ganesh Godavari.
1 © 2001, Cisco Systems, Inc. All rights reserved. Cisco Info Center for Security Monitoring.

1 © 2001, Cisco Systems, Inc. All rights reserved. Cisco Info Center for Security Monitoring.
Knowing What You Missed Forensic Techniques for Investigating Network Traffic.

Knowing What You Missed Forensic Techniques for Investigating Network Traffic.
‹#› September 2015 Cloud-CISC Cloud Cyber Incident Information Sharing Center.

‹#› September 2015 Cloud-CISC Cloud Cyber Incident Information Sharing Center.

Similar presentations

Ads by Google