The SIEM That Gives SIEM a Good Name. Avi Chesla Founder & CTO

Transcription

1 The SIEM That Gives SIEM a Good Name Avi Chesla Founder & CTO

2 The Sad Story of SIEM Right idea. Bad execution. SIEM came on the scene 10 years ago, but failed, why? The dot-com boom - attacks grew sky-high - organizations deployed more and more security tools. SIEM vendors responded by attempting to create more robust and scalable databases BUT the system was still based on the same old manual and static correlation rules. The number of correlation rules grew exponentially The Big Rules Problem is Born.

3 Agenda Big & Dynamic Cyber Data The BIG RULES Problem Fundamental Flaw in SIEM Design A Way Out of This Mess: AI (NLP) empow s NG SIEM It s Not Too Late to WIN in SIEM

4 Big & Dynamic Cyber Data 4

5 Big & Dynamic Cyber Data [Dynamic content stats] 300,000 new malware/day [Kaspersky] 400,000 new malicious programs/day [AV-Test] 46,000 new phishing sites/day [webroot] 65,000 new malicious URLs/day [McAfee] XX,XXX new suspect URLs/day New CVE reports *Webroot, McAfee, AV-test org, Kaspersky, CVE 5

6 The BIG RULES Problem Goal: Define a high level correlation rule: IF [A] OR [B] AND-THEN [C] THEN Alert [name, risk,confidence, action ] Where, [A] - a host victim to an intrusion that can lead to privilege escalation [B] - a host victim to a brute force attack [C] - and then the same victim host (user account) starts to generate unusual account activities 6

7 The BIG RULES Problem Goal: Define a high level correlation rule: IF [A] OR [B] AND-THEN [C] THEN Alert [name, risk,confidence, action ] Where, [A] - a host victim to an intrusion that can lead to privilege escalation [B] - a host victim to a brute force attack [C] - and then the same victim host (user account) starts to generate unusual account activities [A]? [B]? [C]? a1 c2 a3 a2 b1 b2 b3 c1 7

8 The BIG RULES Problem Goal: Define a high level correlation rule: IF [A] OR [B] AND-THEN [C] THEN Alert [name, risk,confidence, action ] Where, [A] - a host victim to an intrusion that can lead to privilege escalation [B] - a host victim to a brute force attack [C] - and then the same victim host (user account) starts to generate unusual account activities if a1 OR b1 AND-THEN c1 THEN ALERT [name, risk, confidence, action ] if a2 OR b2 AND-THEN c2 THEN ALERT [name, risk, confidence, action ] if a3 OR b3 AND-THEN c3 THEN ALERT [name, risk, confidence, action ] if ai OR bi AND-THEN ci THEN ALERT [name, risk, confidence, action ] 8

9 The BIG RULES Problem Big and dynamic data 9

10 The BIG RULES Problem Correlations Complex! Too many rules Very expensive SIEMs are fighting the attack patterns of the past Cyber-data 10

11 The Fundamental Flaw 11

12 Adaptive Correlation Rules 12

13 Is There a Way Out of This Mess? Data Classification Using NLP Natural Language Processing - a field of artificial intelligence concerned with the interactions between computers and human (natural) languages NLP enables a machine to process structured and unstructured data and to get conclusions out of it 13

14 A Way Out of This Mess Big and dynamic data 14

15 A Way Out of This Mess ADAPTIVE & PREDICTABLE CORRELATIONS Big and dynamic data 15

16 Goal: Define a high level correlation rule: Problem Solved! IF [A] OR [B] AND-THEN [C] THEN Alert [name, risk,confidence, action ] Where, [A] - a host victim to an intrusion that can lead to privilege escalation [B] - a host victim to a brute force attack [C] - and then the same victim host (user account) starts to generate unusual account activities [A] [B] [C] 16

17 Goal: Define a high level correlation rule: Problem Solved! IF [A] OR [B] AND-THEN [C] THEN Alert [name, risk,confidence, action ] Where, [A] - a host victim to an intrusion that can lead to privilege escalation [B] - a host victim to a brute force attack [C] - and then the same victim host (user account) starts to generate unusual account activities [A] [B] [C] NLP NLP NLP NLP a1 a3 a2 b1 b2 b3 c1 c2 17

18 BIG RULES Problem Correlations Cyber-data 18

19 Problem Solved! Correlations Predictable and adaptive cause-andeffect connections between the classes Correlation can be done automatically New sources of data can be seamlessly added and classified Cyber-data 19

20 Problem Solved! 20

21 Problem Solved! NLP 21

22 The SIEM That Gives SIEM a Good Name

23 Security SYSTEM Effectiveness More and more security tools provide a diminishing Return on Investment SIEM systems have failed! Too many silos Too many rules Too much data Too many false positives 23

24 The SIEM that Gives SIEM a Good Name Security SYSTEM Effectiveness Next Generation SIEM Rules Are Meant to be Broken No Rules! Too many silos Too many rules Too much data Too many false positives 24

25 The SIEM that Gives SIEM a Good Name Security SYSTEM Effectiveness Next Generation SIEM Abstract away the security complexity and create a proactive security ecosystem, while using your existing tools Identify advanced threats missed by single point solutions Automate adaptive incident response Remove noise & improve visibility per your business and risk needs Measures and reports on how well your products work together and their ROI 25

26 The Problem We Solve Harvest and abstract the organization s existing network and security infrastructure s capabilities in order to create a smart and proactive security ecosystem. The Breakthrough: Our AI (NLP Classifiers) autonomously understands the intent behind each piece of data that the existing network infrastructure generates, no matter the source, and knows to identify if these pieces form a real attack story against the organization. If so, the platform s orchestration engine executes adaptive investigation and response actions that are optimally synched to each threat. 26

27 Assemble Your Defense Strategies Vendor Agnostic Intent-based Security Language Dictates and enforces optimized security defense strategies. Define: IOC hunting External recon Privileges escalation Call home Financial data scraping PII data scraping Defense Strategy Model(s) NG Firewall filters Detection policy (Risks in focus) Investigation policy Kill process ACLs Response policy 27

28 Assemble Your Defense Strategies Vendor Agnostic Intent-based Security Language Dictates and enforces optimized security defense strategies. IOC hunting External recon Call home Financial data scraping Defense Strategy Model(s) Out-of-the box pre-built defense strategies - Security Apps PII data scraping Define: empow s Apps Store Privileges escalation Detection policy (Risks in focus) Investigation policy Kill process ACLs NG Firewall filters Response policy 28

29 Assemble Your Defense Strategies Vendor Agnostic Intent-based Security Language Dictates and enforces optimized security defense strategies. Define: IOC hunting External recon Create Your own Apps Privileges escalation Call home Financial data scraping PII data scraping Defense Strategy Model(s) Detection policy (Risks in focus) Investigation policy Kill process ACLs NG Firewall filters Response policy 29

30 Assemble Your Defense Strategies Vendor Agnostic Intent-based Security Language Dictates and enforces optimized security defense strategies. Define: IOC hunting External recon Privileges escalation Call home Financial data scraping PII data scraping Defense Strategy Model(s) NG Firewall filters Detection policy (Risks in focus) Investigation policy Kill process ACLs Response policy 30

31 The Process Behind the Promise Defense Strategy Model(s) Seamless Integration with The Existing Tools 31

32 The Process Behind the Promise NLP Deciphers the event intent Defense Strategy Model(s) 32

33 The Process Behind the Promise NLP Deciphers the event intent Defense Strategy Model(s) Search & Read 33

34 The Process Behind the Promise Intent: NLP RAT (Remote Access) Deciphers the event intent Defense Strategy Model(s) Intent: Financial Stealware [hijack online banking sessions] Search & Read Understand 34

35 The Process Behind the Promise Auto-correlation of intents, integrates inputs from empow s NTA, determines the Risk, and the overall attack story Deciphers the event intent Creates investigation and response procedures based on intent 35

36 The Process Behind the Promise Auto-correlation of intents, integrates inputs from empow s NTA, determines the Risk, and the overall attack story AI (NLP) that understands INTENT Deciphers the event intent Creates investigation and response procedures based on intent 36

37 Auto-correlation Detect the ATTACK STORY The Process Behind the Promise Auto-correlation of intents, integrates inputs from empow s NTA, determines the Risk, and the overall attack story Deciphers the event intent Creates investigation and response procedures based on intent 37

38 The Process Behind the Promise Auto-correlation of intents, integrates inputs from empow s NTA, determines the Risk, and the overall attack story Deciphers the event intent Creates investigation and response procedures based on intent ADAPTIVE ORCHESTRATION 38

39 The SIEM that Gives SIEM a Good Name 39

40 About empow APPROACH SOLUTION DNA & TEAM Turn what you have into what you need The Next Gen SIEM platform Data science, software-defined and product strategy security professionals, SOC & incident response. ADOPTION AND RECOGNITION Selected and deployed by several large customers in North America and Europe Oct $19M Founded Raised Employees Offices Patents Filed. Core patents granted 40

41 What Our Customers Say Are you frustrated with the 10+ years so-called "innovation" within the SIEM technology stack? Are you demanding PREVENTIVE controls and automated mitigation for 80%+ of known risks with a platform that is flexible enough to fit your unique tech environment? Are you frustrated with the continuous hype of snake oil solutions that come with offensive pricing models that fail to meet your expectations? Me too... My recommendation? Call Avi and the team at empow. p.s. Over the course of my 23 years in cyber security I have recommended very, very few products, but trust me, you will be impressed with this team. Dannie Combs, CISO, Donnelley Financial Solutions As a university, we need to share things, to be open, but still protect our users privacy - this makes us a big juicy target for cyber attackers. empow's Security Platform allowed us to optimize our security coverage, while ensuring privacy and extending visibility of what is happening in our network. Michail Bletsas, Director of Network and Computing Systems, MIT Media Lab 41

42 Be our guest at Infosec Europe booth #M6