Slide 1: Removing InfoSec Noise with Law Enforcement Paradigms
Charles Herring, Project Lead, WitFoo
Detective Bill Ritch, Law Enforcement Advisor, WitFoo
James Clark, Lead Information Security Engineer, The University of Chicago
July 14, 2016
Slide 2: WitFoo Mission
WitFoo exists to build and mature the craft of Information Security through delivery of tools, process, community and training.
Research and Development Areas (diagram labels):
- Foo the Noise Cycle: Event Reduction, Tuning, Higher-level events, Aggregation, Automation
- Own the Craft: Reduction, Context, Intel, Collaboration, Business Metrics
Slide 3: Research Effectively
- Discover how to stop investigative failure
- Study other crafts (Law Enforcement)
- Hypothesis: "MO processing should reduce events to operational levels."
- Build tools to test the hypothesis
Slide 4: History of Detection
Slide 5: Detection 1.0 – Event Processing
- Focused on verb/action
- Counts: >1M daily
- Attributes of host
Slide 7: Detection 1.0 – Event Processing
- Challenge: Scale
- Challenge: Context
Slide 8: Detection 1.1 – Classification
- Does not reduce event count
Slide 10: Detection 1.1 – Classification
- Useful for high-level guidance, further study and tuning; less useful for operations
- Taxonomy provided by vendor or tool
Slide 11: Detection 1.2 – Triage, Part 1: Priority
- triage: the sorting of and allocation of treatment to patients and especially battle and disaster victims according to a system of priorities designed to maximize the number of survivors
- Maximize the number of survivors
- Picking where to FAIL
- Success is impossible
- Reduction through failure
Slide 13: Detection 1.0 – Event Processing
- Focused on verb/action
- Counts: >1M daily
- Funnel chart: 1.0 Events (1M+)
Slide 14: Detection 2.0 – Host/User Evaluation
- Host/user centric
- Make events into attributes
- Focuses on behavior (UBA/NBA)
- Contextual attributes: vulnerability, risk, event counts, event types
Slide 15: Suspect Centric Investigations
Slide 16: Detection 2.0 – Host Analysis
- Focused on verb/action
- Counts: >1M daily
- Still triaging (too much noise)
- Funnel chart: 1.0 Events (1M+) -> 2.0 Hosts (100k+)
Slide 17: The Research
Slide 18: Connecting Facts
Slide 19: New Hypothesis
"Using Modus Operandi modeling, events can be connected to produce operational levels of higher level events, reducing operational strain."
Plan: Create sets of member types and query flow tools to look for connections between the sets.
Slide 20: Incident
Incident: an observed progression of an MO
Slide 21: What is the right MO?
- MITRE ATT&CK
- One size does not fit all
- How to operationalize in detection
Slide 22: Not all Gang Murders are Drive-bys
Slide 23: Synthetic MO Candidate Experiment
- Check every possible pathway: n factorial orderings of the sets (5,040 for 7 sets)
Slide 24: Detection 3.0 – MO Analysis
- Focused on adversary process
- Counts: 100+ daily
- False negative conditions
- How to build an accurate MO? (Synthetic) MO candidate
- Funnel chart: 1.0 Events (1M+) -> 2.0 Hosts (100k+) -> 3.0 MO (100+)
Slide 25: 30 Bullets = 30 Investigations?
Slide 26: Evidence Board – Link Analysis
Slide 27: Bioinformatics
Slide 28: New Hypothesis
"Using Link Analysis, events can be connected to produce operational levels of higher level events, reducing operational strain."
Plan: Connect incidents from 3.0 using bioinformatics tooling (Cytoscape)
Slide 29: 4.0 – Link Board (via Cytoscape)
- Incidents connected by correlations: nodes used in the same sets
- Utilizes a bioinformatics library, Cytoscape
- Creates "Incident Groups"
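The two hypotheses of slides 19 and 28, and the n-factorial pathway check of slide 23, as one added worked example in Python. This is not WitFoo's code or data: the event records, the stage names in the MO, the rule for when two events are "connected", and all hosts are constructed for illustration, and incident grouping is done with a small union-find instead of Cytoscape. It chains classified events into MO progressions (Detection 3.0, an incident being an observed progression of an MO), links incidents that share a node into incident groups (Detection 4.0), and scores every ordering of the member-type sets as a synthetic MO candidate.

```python
# Added example (not WitFoo's code): MO progression detection and incident
# link analysis over constructed flow-tool events.
from collections import defaultdict
from itertools import permutations

# Constructed sample events, not data from the talk: what a flow/IDS tool
# might emit once classified (timestamp, source host, destination host, type).
EVENTS = [
    {"ts": 1,  "src": "10.0.0.5",  "dst": "10.0.1.20",    "type": "port_scan"},
    {"ts": 2,  "src": "10.0.0.5",  "dst": "10.0.1.20",    "type": "exploit_attempt"},
    {"ts": 3,  "src": "10.0.1.20", "dst": "203.0.113.9",  "type": "c2_beacon"},
    {"ts": 4,  "src": "10.0.1.20", "dst": "10.0.1.21",    "type": "lateral_smb"},
    {"ts": 5,  "src": "10.0.1.21", "dst": "198.51.100.7", "type": "exfil_upload"},
    {"ts": 6,  "src": "10.0.0.5",  "dst": "10.0.3.8",     "type": "port_scan"},
    {"ts": 7,  "src": "10.0.0.5",  "dst": "10.0.3.8",     "type": "exploit_attempt"},
    {"ts": 8,  "src": "10.0.3.8",  "dst": "203.0.113.9",  "type": "c2_beacon"},
    {"ts": 9,  "src": "10.0.2.2",  "dst": "10.0.1.30",    "type": "port_scan"},
    {"ts": 10, "src": "10.0.2.2",  "dst": "10.0.1.30",    "type": "exploit_attempt"},
    {"ts": 11, "src": "10.0.1.30", "dst": "192.0.2.77",   "type": "c2_beacon"},
    {"ts": 12, "src": "10.0.9.9",  "dst": "10.0.1.40",    "type": "port_scan"},  # lone scan
]

# An MO is an ordered list of member-type sets (hypothetical stage names).
# Each stage is a set so that one MO admits several pathways.
MO_INTRUSION = [
    {"port_scan", "phishing_click"},
    {"exploit_attempt"},
    {"c2_beacon"},
    {"lateral_smb", "lateral_rdp"},
    {"exfil_upload"},
]

def connected(chain, cur):
    """Assumed connection rule: cur continues the chain when it is later and
    either originates from a host the chain has already reached (a previous
    dst) or repeats the last event's src->dst pair (same attacker, same victim)."""
    last = chain[-1]
    reached = {e["dst"] for e in chain}
    return cur["ts"] > last["ts"] and (
        cur["src"] in reached or (cur["src"], cur["dst"]) == (last["src"], last["dst"]))

def find_incidents(events, mo, min_stages=3):
    """Detection 3.0: return maximal progressions through mo's stages.
    An incident is a list of events; chains shorter than min_stages are noise."""
    events = sorted(events, key=lambda e: e["ts"])
    incidents = []

    def extend(chain, stage):
        grew = False
        if stage < len(mo):
            for e in events:
                if e["type"] in mo[stage] and connected(chain, e):
                    grew = True
                    extend(chain + [e], stage + 1)
        if not grew and len(chain) >= min_stages:
            incidents.append(chain)

    for e in events:
        if e["type"] in mo[0]:
            extend([e], 1)
    return incidents

def hosts(incident):
    return {h for e in incident for h in (e["src"], e["dst"])}

def group_incidents(incidents):
    """Detection 4.0: link incidents that share a node (host) and return the
    connected components as incident groups (sorted lists of incident indexes)."""
    parent = list(range(len(incidents)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    by_host = defaultdict(list)
    for idx, inc in enumerate(incidents):
        for h in hosts(inc):
            by_host[h].append(idx)
    for members in by_host.values():      # every incident touching a host
        for other in members[1:]:         # joins the first one's component
            parent[find(other)] = find(members[0])
    groups = defaultdict(list)
    for idx in range(len(incidents)):
        groups[find(idx)].append(idx)
    return sorted(groups.values())

def rank_pathways(events, stage_sets, min_stages=3):
    """Synthetic MO candidate experiment: try every ordering of the stage sets
    (n! of them; 5,040 for 7 sets) and score each by full-length incidents found."""
    scored = []
    for order in permutations(stage_sets):
        mo = list(order)
        full = sum(1 for inc in find_incidents(events, mo, min_stages) if len(inc) == len(mo))
        scored.append((full, mo))
    scored.sort(key=lambda s: s[0], reverse=True)
    return scored

if __name__ == "__main__":
    incs = find_incidents(EVENTS, MO_INTRUSION)
    print(len(EVENTS), "events ->", len(incs), "incidents ->",
          len(group_incidents(incs)), "incident groups")
    print("best pathway score:", rank_pathways(EVENTS, MO_INTRUSION)[0][0])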
Slide 30: "Cloud of Death" = Noise
Slide 31: Bad Tips
Slide 32: Detection 4.0 – Incident Link Analysis
- Aggregates incidents into groups
- Daily counts are manageable
- Dependent on gap coverage
- Dependent on good leads
- Needs a good MO
- Funnel chart: 1.0 Events (1M+) -> 2.0 Hosts (100k+) -> 3.0 MO (100+) -> 4.0 ILA (<12)
Slide 33: Research Findings
- MO analysis can reveal "major crimes" and significantly reduce noise
- MOs need to be complex to allow for multiple pathways
- MO research needs to be ongoing
- ILA can further reduce MO noise into higher-level objects without false negatives
- ILA can easily reveal errors in event generation from tools
- ILA can link coordinated attacks
- Event visibility gaps can lead to false negative conditions
- Need to expand research to users and files (beyond network)
Slide 34: Beta Program
http://WitFoo.com/Beta
Technologies to integrate: ArcSight, LogRhythm, OpenSOC, Splunk, SiLK, Bro IDS
Industries to test: Manufacturing, Healthcare, Finance
Commercial beta available August 1, 2016 (by invitation)