User and Entity Behavior Analytics using the Sqrrl Behavior Graph
2. Presenters
© 2016 Sqrrl | All Rights Reserved
Joe Travaglini
Director of Products
Chris McCubbin
Director of Data Science
6. Brief history of machine learning
Timeline, 1960 to 2016 (milestones in the order the slide places them):
- "AI", perceptrons, seeking an AGI
- Expert systems
- Backpropagation
- "AI Winter"
- ML splits from AI
- Kernelized SVMs
- Boosting/ensembles
- Big data storage
- Resurgence of neural network methods
- New optimization techniques
- Big data computation
User and Entity Behavior Analytics (UEBA)
7. How does UEBA complement a SIEM?

Aspect               SIEM                                   UEBA
Velocity of data     Real-time alerting based on            Batch-based analytics on large
                     streaming data flows                   historical data sets
Anomaly detection    Static, rule-based                     Self-learning
Types of anomalies   Event-based                            Entity-based
Algorithms           Standard deviation, simple matching    Supervised machine learning,
                                                            unsupervised machine learning,
                                                            Bayesian, graph algorithms
False positive rate  Higher                                 Lower
Infrastructure       Typically RAID                         Typically Hadoop
8. Why did ML fail for IDS in the early 2000s?
9. How has machine learning improved?

Aspect                       Before (IDS)                                Now (UEBA)
Data quantity                Smaller data (short historical baselines)   Big data (long historical baselines)
Data variety                 Single data source (network packets)        Correlation across diverse data sources
                                                                         (endpoint, perimeter, network, threat intel, etc.)
Machine learning technology  Inductive logic programming, pattern        Random forests, deep learning,
                             recognition, relational databases           Hadoop/Spark/NoSQL
Machine learning usage       "Black box" techniques                      Open source with analyst feedback loops
Machine learning approaches  Searching for general anomalies             Constraining search to look for Kill
                                                                         Chain behaviors
11. The kill chain as a modeling constraint
Source: http://setosa.io/ev/principal-component-analysis/
12. Case Study: Lateral Movement Detector
• Lateral movement: multiple host logins, credential theft
• Active Directory
• Windows event logs
• Unsupervised machine learning for rarity detection
• Graph algorithm for chaining
• Analyst whitelisting of false positives
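The case study lists three ingredients (a rarity model learned without labels, a graph step that chains rare logons into host-to-host paths, and an analyst whitelist) but no code. The following is an added example, not Sqrrl's code, showing one way those pieces fit together over constructed Windows Security 4624 logon records. The host and account names, the 30-day baseline counts, the 5-bit rarity threshold, the 2-hour chaining window and the mapping of 4624 fields (TargetUserName, WorkstationName, Computer, LogonType) are all assumptions for illustration; the rarity score is a smoothed -log2 P(destination | user), a simple unsupervised choice standing in for whatever the slide's detector actually used.

```python
"""Lateral-movement detector sketch: rarity scoring + logon chaining + whitelist.

Added example, not Sqrrl's code. Host/user names, counts, thresholds and the
event field mapping are assumptions made for illustration.
"""
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class Logon(NamedTuple):
    """One 4624 event reduced to: TargetUserName -> user, WorkstationName -> src,
    Computer -> dst, LogonType (3 = network, 10 = RemoteInteractive/RDP)."""
    time: datetime
    user: str
    src: str
    dst: str
    logon_type: int


# Constructed 30-day baseline collapsed to (user, dst, count) from the 4624 feed.
BASELINE = [
    ("alice", "FILESRV01", 120), ("alice", "MAIL01", 95),
    ("bob", "FILESRV01", 80), ("bob", "DEV01", 60),
    ("svc_backup", "FILESRV01", 30), ("svc_backup", "DB01", 30), ("svc_backup", "DC01", 30),
]

T0 = datetime(2016, 6, 1, 9, 0)
# Constructed events for one day. alice's three logons after 09:40 form the path
# WS-ALICE -> DEV01 -> DB01 -> DC01, each hop starting where the last one landed.
TODAY = [
    Logon(T0, "alice", "WS-ALICE", "FILESRV01", 3),
    Logon(T0 + timedelta(minutes=5), "alice", "WS-ALICE", "MAIL01", 3),
    Logon(T0 + timedelta(minutes=40), "alice", "WS-ALICE", "DEV01", 3),
    Logon(T0 + timedelta(minutes=52), "alice", "DEV01", "DB01", 3),
    Logon(T0 + timedelta(minutes=70), "alice", "DB01", "DC01", 10),
    Logon(T0 + timedelta(hours=6), "bob", "WS-BOB", "DEV01", 3),
    Logon(T0 + timedelta(hours=7), "bob", "WS-BOB", "MAIL01", 3),        # rare, single hop
    Logon(T0 + timedelta(hours=8), "svc_backup", "BACKUP01", "NEWSRV01", 3),
]

# Analyst feedback loop: (user, dst) pairs reviewed and marked benign
# (assumed: the backup account reaching a newly onboarded server).
WHITELIST = {("svc_backup", "NEWSRV01")}


class RarityModel:
    """Unsupervised baseline: P(dst | user) from historical counts with additive
    smoothing, reported as surprise in bits (-log2 P). Never-seen pairs score highest."""

    def __init__(self, baseline, alpha=1.0):
        self.alpha = alpha
        self.per_user = defaultdict(Counter)
        self.hosts = set()
        for user, dst, n in baseline:
            self.per_user[user][dst] += n
            self.hosts.add(dst)

    def score(self, user, dst):
        counts = self.per_user.get(user)
        if not counts:
            return math.inf                      # account with no history: everything is new
        total = sum(counts.values())
        vocab = len(self.hosts | {dst})
        p = (counts[dst] + self.alpha) / (total + self.alpha * vocab)
        return -math.log2(p)


def chain_rare_logons(rare, window=timedelta(hours=2)):
    """Graph step: each rare logon is an edge src -> dst for one account. A chain is
    a path where every hop starts from the previous hop's destination, under the
    same account, later in time but within `window`. Returns maximal chains only."""
    by_src = defaultdict(list)
    for ev in rare:
        by_src[(ev.user, ev.src)].append(ev)

    def successors(ev):
        return [n for n in by_src[(ev.user, ev.dst)] if ev.time < n.time <= ev.time + window]

    has_predecessor = {n for ev in rare for n in successors(ev)}
    chains = []

    def walk(path):
        nxt = [n for n in successors(path[-1]) if n not in path]
        if not nxt:
            if len(path) >= 2:
                chains.append(path)
            return
        for n in nxt:
            walk(path + [n])

    for ev in rare:
        if ev not in has_predecessor:            # start walks only from chain roots
            walk([ev])
    return chains


def detect(baseline, events, whitelist, threshold_bits=5.0):
    """Return (rare_logons, [(risk_bits, chain), ...]) with chains ranked by the
    summed surprise of their hops, so long paths through new hosts rank first."""
    model = RarityModel(baseline)
    rare = [ev for ev in events
            if (ev.user, ev.dst) not in whitelist and model.score(ev.user, ev.dst) >= threshold_bits]
    scored = [(sum(model.score(e.user, e.dst) for e in c), c) for c in chain_rare_logons(rare)]
    return rare, sorted(scored, key=lambda t: -t[0])


if __name__ == "__main__":
    rare, scored = detect(BASELINE, TODAY, WHITELIST)
    print(f"{len(rare)} rare logons")
    for risk, chain in scored:
        hops = " -> ".join([chain[0].src] + [e.dst for e in chain])
        print(f"risk {risk:.1f} bits  {chain[0].user}: {hops}")
```

On the sample data bob's isolated hop to MAIL01 is rare but never becomes a chain, the whitelisted backup logon is dropped before scoring, and alice's three hops are reported as one chain. Two caveats a practitioner would add before trusting this: a long baseline can itself contain the attacker's earlier activity, so "normal" must be curated, and a per-account model is blind to an adversary who changes accounts at each hop, which is why the slide pairs the rarity model with credential-theft signals.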
18. Automating the Hunt
Proactively and iteratively looking for unknown or advanced threats
• UEBA and risk scores
• Linked data
19. The Sqrrl Detection and Response Platform
Data categories: security data, network data, endpoint/identity data
Sources shown: Firewall / IDS, Threat Intel, SIEM Alerts, Bro, Netflow, Proxy, Processes, HR
21. How To Learn More?
Go to sqrrl.com to…
• Download Sqrrl’s Threat Hunting White Paper, a SANS collaboration
• Download Sqrrl’s Threat Hunting eBook for Executives
• Download the Sqrrl Product Paper
• Request a Test Drive VM
• Reach out to us at info@sqrrl.com
Thank you!