Security Data Science Joshua Neil Security Analytics Leader Advanced Security Center EY Powered by
Agenda A Background, LANL and the EY/LANL Alliance Traditional Security and Operational Security Data B Science Advanced Analytics: PathScan, CodeVision, Credential C Analytics Page 2
Los Alamos National Lab (LANL) Recent Top Innovations Cyber Security Experience Impenetrable encryption prevents data from cyber terrorism ► ► National Security Laboratory ► Focused on security science to National Multipronged HIV vaccine shows promise in monkeys ► protect the nation ► Long history of networking Tree death worldwide linked to warming climate ► ► First connected to Arpanet in 1983 ChemCam inspects Mars: can it support life? ► ► Long history of cyber security ► First attack in 1983 Roadrunner firsts pave way for more powerful supercomputing ► ► Over 15 years of data collected ► Many nation state and criminal Space probes predict hazards to protect spacecraft ► attacks ► Long history of cyber R&D Portable laser tool to thwart nuclear smugglers ► ► For defense of LANL’s network and US DOD networks RAPTOR telescope witnesses black hole birth ► ► Strong analytics program Liquid-scanning technology boosts airport security ► Improved biofuel methods: may be greener, cheaper yet powerful ► Page 3
History of our work From Government Research to Commercial Application 2011 : PathScan 2000 : and 2015 : LANL data CodeVision Commercial science for 2013 : RFP for deployment go live on LANL’s national proposals to and further security network commercialize development 2007 : 2012 : Other 2014 : EY Begin USG wins rights, enterprise deployments team security moves to analytics EY from research LANL Page 4
Agenda A Background, LANL and the EY/LANL Alliance Traditional Security and Operational Security Data B Science Advanced Analytics: PathScan, CodeVision, Credential C Analytics Page 5
Signatures and Rules Traditional Cyber Security is not Statistical ► Rules and signatures ► Network IDS Example: If {bytes leaving network > X MB}, set off alarm If X is too large, easy to get around ► If X is too small, affects usability of the network ► ► Antivirus Example: If {executable contains known malware string}, set off alarm Requires having seen the malware before! ► Very easy for attackers to make new 0-day malware ► ► These brittle approaches are the reason we have so many breaches today Page 6
Threat Management / Threat Intelligence Platform Cyber Security Incident Response Detect Hunt Respond External Assessment of Threat Intelligence Threat Management Potential Attackers Collection Analysts Analysts & Hunters Cyber Reconnaissance Threat Intelligence Playbooks / Use Cases / Phishing by Fire Analysis Playbooks / Use Cases / Recon Continuous Monitoring Kill Chain Mapping Active Defence Analysts New Patterns Risk Assessment of Anomaly Analysis Playbooks / Use Cases / Exfil Critical Assets New Rules Investigations Countermeasure Red Team exercises Deployment Incidents Closed PIR Visual Analysis Page 7
Threat Management / Threat Intelligence Platform Cyber Security Incident Response Detect Hunt Respond External Assessment of Threat Intelligence Threat Management Potential Attackers Collection Analysts Analysts & Hunters Cyber Reconnaissance Threat Intelligence Playbooks / Use Cases / Phishing by Fire Analysis Playbooks / Use Cases / Recon Continuous Monitoring Kill Chain Mapping Active Defence Analysts New Patterns Risk Assessment of Anomaly Analysis Playbooks / Use Cases / Exfil Critical Assets New Rules Investigations Countermeasure Red Team exercises Deployment Incidents Closed PIR Visual Analysis Data Science NextGen Cyber Analytics Platform Infrastructure Support Research Cyber Data Maintain Operational Cyber Platform Support Statistical Develop new Maintain Visual Analysis Data Scientists Visualisation Environment Infrastructure Hunting models Scientists Layer Support Operate Technology Integrate Big Data Support IR Deploy new New Data Integrate with Platform teams models Sources CSIRT Page 8
Data Science for Operational Security Security Analytics Concepts ● ● ● ● ● ● ● ● Statistical Hunting ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ► Lack of Compromise ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ► Hunt for unknown unknowns ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ► Ask questions not currently asked by existing tools ● ● ● ● ● ● ● ● ● ● ● ► During Compromise Edge Anomaly Level ● ● ● ● ● High ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ► Analytics to explore around known compromised hosts Low ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ► Use changes in behavior to flesh out the attack extent ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● Operational Agility through Data Science Statistical Hunting New Model Development Cyber Analytics Platform Page 9
Cyber Security Analytics Platform Collaboration for a Cyber Security Platform ► Multi-TB data lake of ALL ENTERPRISE DATA (or as much as we can get!) ► Data scientists and hunters interacting with the data in an agile manner ► Industry standard analytics stack (Hadoop, Spark, HDFS etc) ► Continuous monitoring and alerting capability, agile deployment of new analytics ► Rule matching system (Boolean), custom rule creation capability Analytics Platform Threat Exfiltrate Intelligence EY Security PathScan Analytics Initial Gather & CodeVision/ Attack Encrypt Data Endpoint Platform Analytics Establish EndPoint Escalate Foothold Analytics Privilege Enable Enterprise Move Persistence Recon Laterally CodeVision/EndPoint PathScan Analytics Page 10
Page 11
Comprehensive visibility Statistical scoring along the Kill Chain Attack (Kill) Chain Progression Gather & Background Initial Establish Enable Enterprise Move Escalate Encrypt Steal Data Research Attack Foothold Persistence Recon Laterally Privilege Data Probability that Probability that Probability that reconnaissance privilege escalation communication with behavior exists (p 4 ) behavior exists (p 6 ) attacker exists (p 3 ) Probability that email is malicious (p 1 ) Probability that exfiltration behavior exists (p 8 ) 3 Probability that traversal behavior exists (p 5 ) Probability that Probability that staging behavior programs or exists(p 7 ) services are malicious (p 2 ) The overall probability of the above attack existing is a statistical combination of the individual anomaly scores. Page 12
Anything you can measure from a network Data sources for Security Analytics Typical attack lifecycle Intelligence gathering Initial exploitation Command and control Privilege escalation Data exfiltration Establish Enable Enterprise Move Escalate Gather and Background research Initial attack Steal data foothold persistence recon laterally privilege encrypt data Windows Event logs Netflow and DNS VPN Active Directory Web Endpoint IDS (Carbon Black) Page 13
Recommend
More recommend
