Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chris@CyberSparta.com www.cybersparta.com Neil@Cyberqgroup.com.com www.cyberqgroup.com.

Published byJosé Ignacio Velázquez Duarte Modified over 6 years ago

Similar presentations

Presentation on theme: "Chris@CyberSparta.com www.cybersparta.com Neil@Cyberqgroup.com.com www.cyberqgroup.com."— Presentation transcript:

1

2

3 146 days – the average time before an organisation discovers it has been internally compromised.
Organisations generate huge volumes of fragmented data. Understanding the security threats within the data is increasingly challenging. You are only one zero day from being owned. Response and containment is critical

4

5 Why AI and ML? Artificial Intelligence is the broader concept of machines being able to carry out tasks in a way that we would consider “smart”. Machine Learning is a current application of AI based around the idea that we should really just be able to give machines access to data and let them learn for themselves Machine Learning is a subset of the larger field of Artificial Intelligence. At current levels of maturity, ML is mostly applied statistics. Most ML algorithms process a set of data and create a matrix of the characteristics. That matrix of characteristics is called your “model” and it will be used for evaluating additional data against. The model is the output of training your ML algorithm with data and is what is used to evaluate other data to determine what it is. When you use your ML model in hunting, for instance, you run new data against the model and the results are things that an analyst should then look at closer. Supervised machine learning uses labeled training data to make predictions about unlabeled data. Given a set of known good and known bad examples, you can create a binary classifier capable of taking in new transactions and deciding if they look more similar to the good training set or the bad training set. Supervised - you’ll need a set of data separated between the types you are trying to build your model to recognize. Unsupervised ML is essentially anomaly detection. Unsupervised ML is extremely powerful but usually better suited to broader use cases.

6 What are the key challenges in a SOC context?
1.Resources 2.Big picture 3.Event info - structured & unstructured 4.Perspectives 1)Experts, dealing with bigger haystacks [BD4S] 2)Overwhelmed, trade-offs, inter-relationships between fixes [SPECTRE] 3)Top10 – why? Much useful info is not structured – how to make sense? Risks? 4) Language needs to vary by persona – adaptive vizs?

7 A1.Resources

8 A2.The Big Picture

9 A3.Event/log info naive processing of event data - long term problem of storage of junk data

10 A4.Perspectives - Visualisations

11 CISO CEO Hacker Defender Conversation with AI Persona I Can Destroy
You I Will Protect You Hacker Defender I Know My Risks How Secure Are We? CISO CEO

12 What are opportunities for ML in Security Operations?
1.Physical ML 2.Correlation 3.Enrichment 4.Incident Analysis 5.Malware Analysis 6.Anomalies 1)Switch camera example 2)Most common use. Closeness of fit? Degs of certainty? [BD4S] 3)“meta model” approach? 4)Learning from past incidents – trends? 5)Modelling/emulation, AMSEL, injection of symptoms 6)What is normal? Body temp vars?

13 B1. Physical ML Camera vs switch

14 B2. Correlation

15 B3. Enrichment

16 B4. Incident Analysis

17 B5. Malware Analysis

18 B6. Anomalies Understanding normality - sensitivity analysis cf temp changes

19 Current innovations – evaluating effectiveness
1.Mock attacks 2.UEBA 3.Analyst behaviour 4.Intel Analysis 5.Method Analysis 1)Test envts, injection of malware symptoms 2)UEBA? Economics? 3)What are they good at – and not? Where support needed? 4)What sources of intel/info work best and when? 5)What methods have most success in detection and when?

20 C1. Mock Attacks Computer is running extremely slow (seems like a VIRUS) Antivirus and firewall protection is unexpectedly disabled Modifications on the Registry Unwanted toolbars on your Web Browser Even if you remove them, they might return each time you restart your computer Unfamiliar and peculiar error messages Programs won’t run or files won’t open Can’t access certain drives on your computer File sizes

21 C2. UEBA UEBA detects and stops an insider threats Account Compromise
Employee monitoring Identity access management Privileged account use Cloud application security

22 C3. Analyst Behavior Analysis

23 C4. Analysis of intelligence sources

24 C5. Analysis of Methods

25 Current innovations – continuous improvement
1.Training ML algorithms 2.Resource prioritization 3. Flexible consumption 4. Adaptation 1)Sensitivity analysis etc 2)Switch to most effective resources 3) Use of intel resources e.g. CASBs? 4)AADSS approach

26 D1. Resource prioritisation

27 D2. Flexible consumption
CASBs etc

28 D3. ML Adaptation AADSS

29 Summary

30 THANKS TO HELPERS !!!!!

Download ppt "Chris@CyberSparta.com www.cybersparta.com Neil@Cyberqgroup.com.com www.cyberqgroup.com."

Similar presentations

Albert Gatt Corpora and Statistical Methods Lecture 13.

Albert Gatt Corpora and Statistical Methods Lecture 13.
CPSC 502, Lecture 15Slide 1 Introduction to Artificial Intelligence (AI) Computer Science cpsc502, Lecture 15 Nov, 1, 2011 Slide credit: C. Conati, S.

CPSC 502, Lecture 15Slide 1 Introduction to Artificial Intelligence (AI) Computer Science cpsc502, Lecture 15 Nov, 1, 2011 Slide credit: C. Conati, S.
Preventing Good People From Doing Bad Things Best Practices for Cloud Security Brian Anderson Chief Marketing Officer & Author of “Preventing Good People.

Preventing Good People From Doing Bad Things Best Practices for Cloud Security Brian Anderson Chief Marketing Officer & Author of “Preventing Good People.
What is spyware? Supervisor dr. lo’ay tawalbeh Search By Mahmoud al-ashram Soufyan al-qblawe.

What is spyware? Supervisor dr. lo’ay tawalbeh Search By Mahmoud al-ashram Soufyan al-qblawe.
John Prisco President and CEO Triumfant, Inc. Our defenses are designed to defeat threats we have seen before. We have very little protection against.

John Prisco President and CEO Triumfant, Inc. Our defenses are designed to defeat threats we have seen before. We have very little protection against.
THE NEED FOR CONTEXT 1 Applying Machine Learning to Incident Response Matt

THE NEED FOR CONTEXT 1 Applying Machine Learning to Incident Response Matt
Cognitive & Organizational Challenges of Big Data in Cyber Defence. YALAVARTHI ANUSHA 1.

Cognitive & Organizational Challenges of Big Data in Cyber Defence. YALAVARTHI ANUSHA 1.
Cryptography and Network Security

Cryptography and Network Security
DOWeR Detecting Outliers in Web Service Requests Master’s Presentation of Christian Blass.

DOWeR Detecting Outliers in Web Service Requests Master’s Presentation of Christian Blass.
Lecture 19 Page 1 CS 236 Online 6. Application Software Security Why it’s important: –Security flaws in applications are increasingly the attacker’s entry.

Lecture 19 Page 1 CS 236 Online 6. Application Software Security Why it’s important: –Security flaws in applications are increasingly the attacker’s entry.
Get rid of SaveNShop ads infections

Get rid of SaveNShop ads infections
The Power of Using Artificial Intelligence

The Power of Using Artificial Intelligence
Introducing Precictive Analytics

Introducing Precictive Analytics
Technical Implementation: Security Risks

Technical Implementation: Security Risks
Security Risks Todays Lesson Security Risks Security Precautions

Security Risks Todays Lesson Security Risks Security Precautions
Proactive Incident Response

Proactive Incident Response
Protect your Digital Enterprise

Protect your Digital Enterprise
Advanced Endpoint Security Data Connectors-Charlotte January 2016

Advanced Endpoint Security Data Connectors-Charlotte January 2016
Bhakthi Liyanage SQL Saturday Atlanta 15 July 2017

Bhakthi Liyanage SQL Saturday Atlanta 15 July 2017
ssue.

ssue.

Similar presentations

Ads by Google