User Entity Behavior Analysis for Cyber Security. Dr. Chin-Hao, Eric, Mao Institute for Information Industry
1 User Entity Behavior Analysis for Cyber Security. Dr. Chin-Hao, Eric, Mao, Institute for Information Industry
2 About me
Section Manager, Cyber Trust Technology Institute, Institute for Information Industry
Education and experience:
- Ph.D., National Taiwan University of Science and Technology, Computer Science
- Visiting scholar at Carnegie Mellon University, CyLab
- Presentations: FIRST 2013/2014, CSA-APAC 2013, APCERT 2014, (ISC)2 APAC Congress 2016
Research experience:
- Big data analytics, network security, intrusion detection, mobile app static analysis
- More than 20 academic journal and conference papers
3 Outline
4 Outline
- What data analytics in information security does
- Supervised learning: decision tree, if²
- Unsupervised learning: GMiner
- Anomaly detection and graph mining: ChainSpot (sequential), Playwright (graph)
- Recommendation system and data visualization: CloudOrion
- Conclusions
5 What data analytics in information security does
Log analysis:
- IDS logs
- Firewall logs
- Web server access logs
- Proxy logs
- Active Directory logs
Social media: Twitter, FB, ...
6 Intrusion Detection System (IDS)
- Host IDS (HIDS) vs. Network IDS (NIDS)
- Detects known attack signatures: port, attack vector, or payload
- Highly dependent on human fine-tuning; false-alarm issue
- Usually contains the following information: Event Name, Source IP, Source Port, Dest. IP, Dest. Port, TimeStamp
- A well-studied domain: false alarm reduction; multi-step attack correlation
- Applied scenarios: SOC (security operation center), CERT, ISAC, ...
7 Firewall Logs
- Firewall: blocks connections or transmissions based on a known blacklist or a pre-defined policy
- Easy to deploy and use
- Lacks analysis ability when facing unseen attack signatures (e.g. new IPs or domain names)
- Contains the following information: Source IP, Source Port, Dest. IP, Dest. Port, Permit/Deny
- Also well studied for large-scale connection correlation: honeypot attack pattern analysis; botnet structure analysis
8 Web Server Access Logs
- Application-layer malicious behavior detection
- Web server access logs contain: Source IP, Accessed Path, Access Status, Timestamp, HTTP header (optional), File Size (optional)
- Usually there is a tradeoff between log visibility and server execution performance
- Only application-layer malicious behavior, such as scripts, can be detected (the entry point into system-level threats)
- Research emerged around 2005: analyze the accessed path to detect SQL injection; graph mining on the association graph of web accesses; build a classifier to predict the risk of a given request
- Users' (visitors') behavior!!
9 Proxy Logs
- A proxy is an agent deployed on the gateway of an enterprise network; it records web surfing behavior
- Why web surfing behavior is important: URL connections for C&C server communication and control; detecting phishing web sites; detecting malicious scanning attacks
- Contains: Source IP, Dest. URL, TimeStamp, Web Agent Info., MIME
- Research emerged around 2010: analyze malware behavior inside the enterprise network; correlate other logs (IDS, FW, AD logs, etc.) to evaluate the risk of an account
- Users' behavior!!
10 Active Directory Logs
- The operating system records connections or events between client side and server side for registered accounts
- Contains: TimeStamp, Account, Source IP, Event Name, Sub-Event Annotation, ...
- Can be used to detect hidden malicious behavior: anomalous login/logout behavior; anomalous resource allocation; anomalous permission granting
- Users' behavior!!
- Recently, AD has been widely used for event tracking; however, this raises the issue that AD data is large-scale
- Companies in industry have focused on AD-related research in the last 2-3 years
11 Different Kinds of Machine Learning
12 Supervised Learning Decision Trees
13 A Decision Tree Example: The Weather Data
ID code  Outlook   Temperature  Humidity  Windy  Play
a        Sunny     Hot          High      False  No
b        Sunny     Hot          High      True   No
c        Overcast  Hot          High      False  Yes
d        Rainy     Mild         High      False  Yes
e        Rainy     Cool         Normal    False  Yes
f        Rainy     Cool         Normal    True   No
g        Overcast  Cool         Normal    True   Yes
h        Sunny     Mild         High      False  No
i        Sunny     Cool         Normal    False  Yes
j        Rainy     Mild         Normal    False  Yes
k        Sunny     Mild         Normal    True   Yes
l        Overcast  Mild         High      True   Yes
m        Overcast  Hot          Normal    False  Yes
n        Rainy     Mild         High      True   No
14 A Decision Tree Example: decision tree for the weather data
Outlook = sunny    -> Humidity: high -> no; normal -> yes
Outlook = overcast -> yes
Outlook = rainy    -> Windy: false -> yes; true -> no
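As an added worked example (my own code, not the presenter's), the following Python implements ID3 decision-tree induction with information gain on the 14-row weather data of slide 13 and reproduces the tree of slide 14: Outlook at the root, Humidity under sunny, Windy under rainy. Attribute and value names are exactly those on the slides; the tree is returned as a nested dict.

```python
# Added example (not from the slides): ID3 decision-tree induction on the
# 14-row weather data of slide 13, reproducing the tree of slide 14.
from collections import Counter
from math import log2

ATTRIBUTES = ("Outlook", "Temperature", "Humidity", "Windy")
TARGET = "Play"

# The weather data, transcribed from slide 13 (columns follow ATTRIBUTES + TARGET).
WEATHER = [
    ("Sunny", "Hot", "High", "False", "No"),        # a
    ("Sunny", "Hot", "High", "True", "No"),         # b
    ("Overcast", "Hot", "High", "False", "Yes"),    # c
    ("Rainy", "Mild", "High", "False", "Yes"),      # d
    ("Rainy", "Cool", "Normal", "False", "Yes"),    # e
    ("Rainy", "Cool", "Normal", "True", "No"),      # f
    ("Overcast", "Cool", "Normal", "True", "Yes"),  # g
    ("Sunny", "Mild", "High", "False", "No"),       # h
    ("Sunny", "Cool", "Normal", "False", "Yes"),    # i
    ("Rainy", "Mild", "Normal", "False", "Yes"),    # j
    ("Sunny", "Mild", "Normal", "True", "Yes"),     # k
    ("Overcast", "Mild", "High", "True", "Yes"),    # l
    ("Overcast", "Hot", "Normal", "False", "Yes"),  # m
    ("Rainy", "Mild", "High", "True", "No"),        # n
]
ROWS = [dict(zip(ATTRIBUTES + (TARGET,), r)) for r in WEATHER]


def entropy(rows):
    """Shannon entropy (bits) of the class label over a set of rows."""
    total = len(rows)
    counts = Counter(r[TARGET] for r in rows)
    return -sum(c / total * log2(c / total) for c in counts.values())


def information_gain(rows, attr):
    """Entropy reduction obtained by splitting rows on attr."""
    total = len(rows)
    remainder = 0.0
    for value in {r[attr] for r in rows}:
        subset = [r for r in rows if r[attr] == value]
        remainder += len(subset) / total * entropy(subset)
    return entropy(rows) - remainder


def build_tree(rows, attrs):
    """ID3: recursively split on the attribute with the highest information gain.

    Returns a nested dict {attribute: {value: subtree_or_label}} or a label string.
    """
    labels = Counter(r[TARGET] for r in rows)
    if len(labels) == 1:                       # pure node -> leaf
        return next(iter(labels))
    if not attrs:                              # no attributes left -> majority leaf
        return labels.most_common(1)[0][0]
    best = max(attrs, key=lambda a: information_gain(rows, a))
    remaining = [a for a in attrs if a != best]
    branches = {}
    for value in sorted({r[best] for r in rows}):
        subset = [r for r in rows if r[best] == value]
        branches[value] = build_tree(subset, remaining)
    return {best: branches}


def predict(tree, sample):
    """Walk the tree from the root to a leaf using the sample's attribute values."""
    while isinstance(tree, dict):
        attr, branches = next(iter(tree.items()))
        tree = branches[sample[attr]]
    return tree


WEATHER_TREE = build_tree(ROWS, list(ATTRIBUTES))

if __name__ == "__main__":
    print(WEATHER_TREE)
    print(predict(WEATHER_TREE, {"Outlook": "Rainy", "Temperature": "Cool",
                                 "Humidity": "High", "Windy": "True"}))
```

The root gain for Outlook is about 0.247 bits, versus 0.152 for Humidity, 0.048 for Windy and 0.029 for Temperature; within the sunny branch Humidity splits the five rows perfectly, and within the rainy branch Windy does, which is exactly the tree on slide 14.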
15 Supervised Learning Fuzzy Rule-based Classifier
16 if²: An Interpretable Fuzzy Rule Filter for Web Log Post-Compromised Malicious Activity Monitoring. Chih-Hung Hsieh, Yu-Siang Shen, Chao-Wen Li, and Jain-Shing Wu. AsiaJCIS
17 Motivation
- Traditionally, log tracking depends on heavy human effort
- Common methods for identifying APT attacks become less useful because of various camouflages: VPN, packing
- That means you need lots of time, domain experience, and a good deal of luck!
18 Interpretable Fuzzy Rule Filter (if²)
In fuzzy logic, a fuzzy rule base consists of multiple fuzzy rules with the following structure:
19 Exp. 3: Using if² to Analyze Web Access Logs
One real web access log dataset from a certain organization in Taiwan was collected to demonstrate the performance of if². In total 5.36 gigabytes and 45,669,917 records from 545 distinct internet addresses were analyzed and labeled. There are only 22 suspicious internet addresses and 523 benign ones, a typical extremely unbalanced dataset.
20 The 11 Statistics Used as Features
21 Experiment: Resulting Rules
The human-interpretable rule base of if² that differentiates the suspicious internet addresses among the 545 IPs from the benign ones.
22 Anomaly Detection, Probability Model: ChainSpot
23 ChainSpot: Mining Service Logs for Cyber Security Threat Detection
24 Motivation
- The target of an APT is usually specific and personal
- Attackers usually invade an enterprise and access sensitive data by using compromised accounts
- We focus on detecting anomalous behavior, or behavioral deviation, for each employee (account) in an enterprise
25 ChainSpot - Method
- We are concerned with anomalous behaviors extracted from Active Directory (Kerberos or NTLM authentication) and the proxy server (web surfing usage) for each account
- Sequential Data Synchronizer: correlates heterogeneous data (AD and proxy) based on IP address and a time interval (3 days) around SOC tickets
[Figure: AD and proxy logs aligned on a timeline within 3 days of SOC ticket i]
26 ChainSpot - Method
- ChainSpot models sequential behaviors as a probabilistic model used as a baseline; any change in an employee's behaviors results in an anomaly, which may imply that the account has been compromised or that an APT exists on the employee's host
- Goal: properly model the sequential behaviors as a probabilistic model for each account, and detect anomalies based on the deviation of the account's behaviors
- Markov model for building the probabilistic model; graph edit distance for estimating behavioral deviation
27 ChainSpot Method - Markov Model
For each account, we build a Markov model from the account's normal action sequences: a transition probability matrix.
[Figure: an example Markov model]
28 Heterogeneous Data Correlation
For each account, we build a personal profile of state sequences describing the account's sequential behaviors. Each state in a sequence consists of the following:
- For the AD log sequence: Event (e.g., No. 4624, 4634); Reply Code (only > 0x12, 0x18)
- For the proxy log sequence: a meta behavior describing web surfing (e.g., "GET and Download on microsoft.com then Failed"), made of:
  - HTTP method, e.g., GET, POST, Download or Upload (Download when size in > size out; Upload when size in < size out)
  - Domain name: second-level domain
  - Access result, e.g., Allowed, Failed, ...
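As an added worked example of slides 25-28 (my own code, not the ChainSpot implementation), the Python below builds a per-account Markov transition matrix from Active Directory event sequences, encodes the proxy "meta behavior" state of slide 28, and scores a test sequence by a simplified graph edit distance between the baseline and observed transition graphs. The event sequences are constructed for illustration (the event IDs are the Windows Security log IDs named on the slides), and the distance metric is an assumption, not the paper's exact GED: a node insertion or deletion costs 1 and an edge costs the absolute difference of its transition probability.

```python
# Added example (not from the ChainSpot paper or slides): per-account Markov
# model over AD event sequences plus a simplified graph-edit-distance deviation.
from collections import defaultdict

TRAINING_SEQUENCES = [  # constructed "normal" sessions of one account
    ["4768", "4624", "4661", "4662", "4658", "4634"],
    ["4768", "4624", "4661", "4662", "4658", "4634"],
    ["4768", "4624", "4672", "4634"],
]
NORMAL_TEST = ["4768", "4624", "4661", "4662", "4658", "4634"]
# Constructed abnormal session: repeated Kerberos pre-auth failures (4771 with
# reply code 0x18), a TGT request, a failed logon, and no 4661 -> 4662 -> 4658 path.
ABNORMAL_TEST = ["4771:0x18", "4771:0x18", "4771:0x18", "4768", "4625", "4768", "4624"]


def ad_state(event_id, reply_code=None):
    """State label for one AD record: event ID plus reply code when present."""
    return f"{event_id}:{reply_code}" if reply_code else str(event_id)


def proxy_state(method, size_in, size_out, host, result):
    """Meta-behaviour state for one proxy record (slide 28): method, transfer
    direction, second-level domain and access result."""
    direction = "Download" if size_in > size_out else "Upload"
    second_level = ".".join(host.split(".")[-2:])
    return f"{method}|{direction}|{second_level}|{result}"


def transition_matrix(sequences):
    """Maximum-likelihood transition probabilities P[src][dst] from state sequences."""
    counts = defaultdict(lambda: defaultdict(int))
    for seq in sequences:
        for src, dst in zip(seq, seq[1:]):
            counts[src][dst] += 1
    return {src: {dst: n / sum(dsts.values()) for dst, n in dsts.items()}
            for src, dsts in counts.items()}


def _nodes(matrix):
    return set(matrix) | {dst for dsts in matrix.values() for dst in dsts}


def behaviour_deviation(baseline, observed):
    """Simplified graph edit distance between two transition graphs (assumed
    costs: node insert/delete = 1, edge = |p_baseline - p_observed|)."""
    cost = float(len(_nodes(baseline) ^ _nodes(observed)))       # node edits
    edges = {(s, d) for m in (baseline, observed) for s in m for d in m[s]}
    for src, dst in edges:                                      # edge edits
        cost += abs(baseline.get(src, {}).get(dst, 0.0)
                    - observed.get(src, {}).get(dst, 0.0))
    return cost


def score_account(training, test_sequence):
    """Deviation of one test sequence from the account's training baseline."""
    return behaviour_deviation(transition_matrix(training),
                               transition_matrix([test_sequence]))


if __name__ == "__main__":
    print("normal  :", score_account(TRAINING_SEQUENCES, NORMAL_TEST))
    print("abnormal:", score_account(TRAINING_SEQUENCES, ABNORMAL_TEST))
    print(proxy_state("GET", 5000, 300, "download.microsoft.com", "Failed"))
```

With these constructed sequences the normal test session deviates by about 2.67 from the baseline (it merely lacks the rarer 4672 branch), while the abnormal session scores 15.0 because it introduces states the account never produced and drops the whole object-access service path; a per-account threshold between the two, learned from the normal testing partition of slide 30, turns the score into an alert.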
29 Experiment on a real environment
Environment and dataset description:
- About 1,089 accounts
- Duration from 2015/08/01 to 2015/08/31
- The Active Directory domain service of Windows Server R2 produced 27,902,857 logs
- The proxy service in the same period generated 78,044,332 logs
- Number of categories in SOC tickets: 6
30 Experiments (cont'd)
Evaluation: we divide the August logs of each account into three partitions:
- Training data: half of the unlabeled data mapped by SOC tickets
- Abnormal testing data: labeled data mapped by SOC tickets
- Normal testing data: selected from all unlabeled data except the training data
Experiment hypothesis: compare the difference from the training data between the abnormal and normal testing data
31 Effectiveness of ChainSpot
Hypothesis: the general effectiveness measurement gives 85.66% and 87.17% success rates when averaging over the various ticket types or over the different accounts, respectively.
32 How tight is the binding between accounts (AD, proxy) and IPs?
33 AD Case Study - d: multiple accounts log in from a single IP in a short time
Compared partitions: Training, Normal Testing, Abnormal Testing
Abnormal data has no 4661 -> 4662 -> 4658 transitions:
- A handle to an object was requested (4661)
- An operation was performed on an object (4662)
- The handle to an object was closed (4658)
Abnormal data has transitions into 0x18 and 0x18 -> 4768:
- Kerberos pre-authentication failed (bad password) (4771 0x18)
- A Kerberos authentication ticket (TGT) was requested (4768)
There is no complete service path in the abnormal data, and it contains authentication errors due to bad passwords.
34 AD Case Study - administrator: too many logins at close times
Compared partitions: Training, Normal Testing, Abnormal Testing
Abnormal data lacks the following events:
- The handle to an object was closed (4658)
- A handle to an object was requested (4661)
- A new process has been created (4688)
- A Kerberos authentication ticket (TGT) was requested (4768)
- Kerberos pre-authentication failed (bad password) (4771 0x18)
- A user account was locked out (4740)
Abnormal and normal data both have the following events:
- An account failed to log on (4625)
- Special privileges assigned to new logon (4672)
- The domain controller attempted to validate the credentials for an account (4776)
35 Proxy Case Study - b: host connects to a malicious domain
36 Anomaly Detection, Graph Mining: Playwright
37 Playwright: a Web Server-side Suspects Detector
38 Current Framework of Playwright
39 The Anomaly Logs Filter Module (intention 1)
- Intention: the web log volume is too large to inspect with the naked eye
- Input: raw logs from the web access record
- Output: filtered logs
- Example: Illegal Characters Verify module; Unusual Parameter Usage Verify module
40 The Attack Scene Matching Module (intention 2)
- Intention: there may be more than one candidate attacking Tactics, Techniques, and Processes (TTPs)
- Input: kinds of filtered logs
- Output: attacking scene with associated filtered logs
41 The Graph Constructor Module (intention 3)
- Intention: concretize entities and associated relations of suspicious activities
- Input: each attacking scene with associated filtered logs
- Output: Suspicious Activity Graph (heterogeneous graph, bipartite graph, homogeneous graph)
[Figure: example graph linking the files hack.asp, 1.asp, personal_taglist.asp and cisc_search.asp to IPs; the hacker maintains 3 IPs]
42 The Graph Pattern Matching Module (intention 4)
- Intention: find trigger points (or threat seeds) where the attacker is attempting to invade the target
- Input: Suspicious Activity Graph (heterogeneous graph, bipartite graph, homogeneous graph)
- Output: entities labeled as suspects
43 Case 1: IIS logs, system compromise. Case 2: Apache logs, SQL injection for data leakage. Case 3: Apache logs, system compromise.
44 Case 1: IIS logs, system compromise (Case 2: Apache logs, SQL injection for data leakage; Case 3: Apache logs, system compromise)
45 Suspicious Activity Graph Construction - IIS
Scope of attack: each IP correlates with multiple files containing illegal characters.
[Figure: graph with node types File Name, IP Address, Status Code and Illegal Character, and edges Hacker's Action (File) and Hacker's Action (IP Address)]
46 Initial Threat Seed Finding with a priori knowledge about the threat pattern
Our forensics team gives us a priori knowledge to form the following patterns:
47 Initial Seed Finding Regarding a Known Pattern
How to rank nodes in a graph based on their references to each other: the PageRank algorithm, originally used to rank pages retrieved by Google.
[Figure: nodes A, B, C]
48 Is the IP the hacker used different from the others in the Suspicious Activity Graph? - IIS
Problem: investigate the role of IP addresses in the Suspicious Activity Graph.
Input: IP x IP matrix, where n_ij = number of the same files queried by IP i and IP j (0 when they queried different files).
Output: clustering result.
49 Initial Threat Seed Finding with a priori knowledge about the threat pattern
[Figure: PageRank and Belief Propagation scores of the evidence IPs; N_i: score of the i-th IP, N_max: the maximum score; blue: true positive, green: suspicious]
PageRank never misses the evidence IPs; Belief Propagation misses some.
50 Initial Seed Finding without a Known Pattern
What about the case where you don't have any a priori knowledge? SVD.
[Figure: effect of SVD]
51 Is the IP the hacker used different from the others in the Suspicious Activity Graph? (cont'd) - IIS
[Figure: SVD components c0, c1, c2, with malicious and benign IPs]
52 Limitation - SVD
Hackers usually use different IPs to achieve their goal: one IP tests the Trojan (China Chopper), another scans the architecture of the website. The second kind of IP is a weak link: it is not an outlier and is easily ignored by SVD. Both outlier (decomposition) and pattern (PageRank) methods miss it.
[Figure: File Name and IP Address nodes; IP 1 uses China Chopper, IP 2 is the weak link; edges Hacker's Action (IP Address)]
53 Limitation - SVD
How to resolve the weak link problem? Use a graph mining algorithm to propagate the threat score from IP 1 (the seed) to IP 2: Random Walk with Restart (RWR), with the threat seed as the start point.
[Figure: the same graph, with seed IP 1 and weak-link IP 2]
54 How to propagate the confidence once you have a suspect candidate: random walk with restart
55 Threat Seed Propagation given data- or knowledge-driven threat seeds
[Figure: RWR scores of the evidence IPs; N_i: RWR score of the i-th IP, N_max: the maximum score; blue: true positive, green: suspicious]
RWR never misses the evidence IPs.
56 Threat Seed Propagation given data- or knowledge-driven threat seeds
[Figure: RWR scores of the evidence IPs; N_i: RWR score of the i-th IP, N_max: the maximum score; blue: true positive, green: suspicious]
RWR never misses the evidence IPs.
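As an added worked example of the Case 1 pipeline on slides 39-56 (my own code, not the Playwright implementation), the Python below filters constructed web access records for illegal characters, builds the bipartite IP-to-file part of the Suspicious Activity Graph, derives the IP x IP matrix (n_ij = number of files queried by both IPs), and propagates a threat score from one knowledge-driven seed with Random Walk with Restart. It goes one step beyond the slides by noting that the same power iteration with a uniform restart vector is PageRank, the seed-finding method of slide 47, so one routine covers both. The access records, client IPs (documentation range) and the illegal-character set are constructed; the file names are those shown on slide 41.

```python
# Added example (not Playwright's code): Suspicious Activity Graph from filtered
# web logs, IP x IP matrix, and threat-score propagation (RWR and PageRank).
import re
from collections import defaultdict

ACCESS_LOG = [  # (client IP, request, status): constructed sample records
    ("203.0.113.10", "/hack.asp?cmd=<%eval%>", "200"),
    ("203.0.113.10", "/1.asp?id=';--", "200"),
    ("203.0.113.10", "/cisc_search.asp?q=<script>", "500"),
    ("203.0.113.11", "/1.asp?id=';--", "200"),          # weak link: shares one file with .10
    ("203.0.113.12", "/personal_taglist.asp?u=%00", "404"),
    ("203.0.113.13", "/index.asp", "200"),              # benign: no illegal characters
    ("203.0.113.14", "/about.asp", "200"),
]
ILLEGAL = re.compile(r"[<>'\";%]|\.\./")   # assumed "illegal character" set


def filter_logs(records):
    """Anomaly Logs Filter (slide 39): keep only requests with illegal characters."""
    return [(ip, req.split("?", 1)[0], status)
            for ip, req, status in records if ILLEGAL.search(req)]


def bipartite_graph(filtered):
    """IP -> set of files: the bipartite part of the Suspicious Activity Graph."""
    ip_files = defaultdict(set)
    for ip, path, _ in filtered:
        ip_files[ip].add(path)
    return dict(ip_files)


def ip_matrix(ip_files):
    """Homogeneous IP x IP weights: n_ij = files queried by both i and j, 0 when none."""
    weights = {ip: {} for ip in ip_files}
    for i in ip_files:
        for j in ip_files:
            shared = len(ip_files[i] & ip_files[j]) if i != j else 0
            if shared:
                weights[i][j] = shared
    return weights


def propagate(weights, restart, c=0.3, iterations=100):
    """Power iteration r = (1 - c) * W r + c * e over row-normalised weights.

    restart = one-hot seed vector -> Random Walk with Restart (slide 53);
    restart = uniform vector      -> PageRank (slide 47).
    Dangling nodes return their mass through the restart vector, so the
    scores keep summing to 1.
    """
    nodes = list(weights)
    out_sum = {u: sum(weights[u].values()) for u in nodes}
    r = dict(restart)
    for _ in range(iterations):
        new = {v: c * restart[v] for v in nodes}
        for u in nodes:
            if out_sum[u] == 0:
                for v in nodes:
                    new[v] += (1 - c) * r[u] * restart[v]
            else:
                for v, w in weights[u].items():
                    new[v] += (1 - c) * r[u] * w / out_sum[u]
        r = new
    return r


def rwr_scores(weights, seed):
    """Threat score of every IP given one knowledge-driven threat seed."""
    return propagate(weights, {v: 1.0 if v == seed else 0.0 for v in weights})


def pagerank_scores(weights):
    """Data-driven seed finding: rank IPs without a known seed."""
    n = len(weights)
    return propagate(weights, {v: 1.0 / n for v in weights})


WEIGHTS = ip_matrix(bipartite_graph(filter_logs(ACCESS_LOG)))

if __name__ == "__main__":
    for ip, score in sorted(rwr_scores(WEIGHTS, "203.0.113.10").items()):
        print(ip, round(score, 3))
```

Seeding the walk at 203.0.113.10 gives the weak-link IP 203.0.113.11 a score of about 0.41 purely because it touched the same 1.asp, while 203.0.113.12, which shares no file with the seed, stays at 0: this is the propagation that slide 53 proposes for IPs that SVD would not flag as outliers.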
57 Case 2: Apache logs, SQL injection for data leakage (Case 1: IIS logs, system compromise; Case 3: Apache logs, system compromise)
58 Suspicious Activity Graph Construction - Apache
Case 2: frequent SQL injection
1. The previous pattern can't be used because ./ is the index page (e.g., index.php, index.html and so on)
2. We need to consider the attribute Illegal Character
[Figure: node types File Name, IP Address and Illegal Character; edges Hacker's Action (File), Hacker's Action (IP Address) and Hacker's Illegal Character]
59 Initial Threat Seed Finding without a priori knowledge
Problem: investigate the role of IP addresses in the Suspicious Activity Graph; outliers may be candidates for initial threat seeds.
Input: IPs x (File_m, IllegalChar_n) matrix, where n_ij = number of times the same (File_m, IllegalChar_n) pair was queried by IP i and IP j (0 when never queried with that pair).
Output: clustering result.
60 Initial Threat Seed Finding with a priori knowledge about the threat pattern
Our forensics team gives us a priori knowledge to form the following patterns:
61 Initial Threat Seed Finding with a priori knowledge about the threat pattern
[Figure: PageRank scores of the evidence IPs; N_i: PR score of the i-th IP, N_max: the maximum PR score; blue: true positive, green: suspicious]
PageRank misses some evidence IPs.
62 Initial Threat Seed Finding with a priori knowledge about the threat pattern
[Figure: PageRank scores of the evidence IPs; N_i: PR score of the i-th IP, N_max: the maximum PR score; blue: true positive, green: suspicious]
PageRank never misses the evidence IPs.
63 Initial Threat Seed Finding without a priori knowledge: tensor decomposition
[Figure: tensor components with malicious and benign IPs]
Notes: an IP that only queries ./ has a number of queries similar to normal; we change it to the same number of queries as the others.
64 Threat Seed Propagation given data- or knowledge-driven threat seeds
Use the tensor-result outliers as start points for Random Walk with Restart (RWR); we expect that the unknown-data IPs can be detected by RWR.
Input: IP x IP matrix, where n_ij = number of the same (File_m, IllegalChar_n) pairs queried by IP i and IP j (0 when never queried with that pair).
[Figure: tensor components with the unknown data marked]
65 Threat Seed Propagation given data- or knowledge-driven threat seeds
[Figure: RWR scores of the evidence IPs; N_i: RWR score of the i-th IP, N_max: the maximum score]
66 Threat Seed Propagation given data- or knowledge-driven threat seeds
[Figure: RWR scores of the evidence IPs; N_i: RWR score of the i-th IP, N_max: the maximum score]
67 Case 3: Apache logs, system compromise (Case 1: IIS logs, system compromise; Case 2: Apache logs, SQL injection for data leakage)
68 Case 3: Suspicious Activity Graph Construction - Apache
Scope of attack: each IP correlates with multiple files containing illegal characters.
[Figure: graph with node types File Name, IP Address, Status Code and Illegal Character, and edges Hacker's Action (File) and Hacker's Action (IP Address)]
69 Case 3: Is the role of the IP the hacker used different from the other IPs in the Suspicious Activity Graph? - Apache
Problem: investigate the role of IP addresses in the Suspicious Activity Graph.
Input: IP x IP matrix, where n_ij = number of the same files queried by IP i and IP j (0 when they queried different files).
Output: clustering result.
70 Case 3: Is the role of the IP the hacker used different from the other IPs in the Suspicious Activity Graph? - Apache (cont'd)
[Figure: SVD components c0, c1, c2 with benign clusters and the malicious IP]
71 Case 3: Why use propagation to evaluate suspicious IPs? - Apache
The correlation between files and IPs can't be evaluated by decomposition (SVD). We observe that the evidence has the following pattern:
[Figure: many File nodes connected to one IP node]
72 Case 3: Why use propagation to evaluate suspicious IPs? - Apache (cont'd)
Design a directed homogeneous graph to illustrate the pattern we found. In this pattern we expect to obtain high-score IPs from the graph when using a propagation algorithm (PageRank).
[Figure: File nodes pointing to an IP node]
73 Case 3: Why use propagation to evaluate suspicious IPs? (cont'd)
[Figure: PageRank scores of the evidence IPs with the high-score IPs marked; N_i: PR score of the i-th IP, N_max: the maximum PR score; blue: true positive, green: suspicious]
PageRank misses some evidence IPs.
74 CloudOrion: Cloud Threats Analytics
75 Man-in-the-Cloud Detection
[Figure: a cloud drive holding files of Team A and Team B, accessed by Team A and Team B]
76 CloudOrion - Google Drive Logs: analyzing cloud user behavior
[Figure: access log, scenario policy and administrator; access from home, mobile and office]
77 Visualization: Threats Explorer
- Intuition to become aware of potential threats in the cloud
- Drill-down and quick-response visualization analytics
- Full and deep views of the relations between cloud resources and users' behavior
- User and Entity Behavior Analysis; danger zone; user access log
78 CTA: UEBA and collaborative filtering
Using machine learning and artificial intelligence to analyze cloud logs via API sets CTA in the cloud apart from state-of-the-art cloud security solutions.
[Figure: malicious behavior on duty vs. off duty; temporal analysis (time-series analysis), deep learning, spatial analysis]
79 Scenario Policy Enforcement
- Manage Google Drive and OAuth tokens
- Decrease the risk of data leakage via scenario policy deployment
- Example (super travel policy): login from a US IP at :20:24 GMT, then a file modified in Drive from a Taiwan IP at :10:23 GMT
- Detecting account compromise with 10+ scenario policies
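As an added worked example of one scenario policy of the kind listed on slide 79 (my own code, not CloudOrion's), the Python below implements the travel policy: it flags an account whose consecutive audit events come from different countries faster than anyone could travel between them. The events, their timestamps and the per-country-pair minimum travel times are constructed; a real deployment would take the country from a GeoIP lookup of the source IP in the Google Drive or login audit log.

```python
# Added example (not CloudOrion's code): "super travel" scenario policy over
# constructed Drive/login audit events.
from datetime import datetime, timedelta, timezone

EVENTS = [  # constructed audit events: (time, account, country of source IP, action)
    ("2018-05-01T02:20:24Z", "alice", "US", "login"),
    ("2018-05-01T03:10:23Z", "alice", "TW", "modify_file"),   # 50 min later, other country
    ("2018-05-02T01:00:00Z", "bob", "TW", "login"),
    ("2018-05-02T09:00:00Z", "bob", "TW", "view_file"),
    ("2018-05-03T01:00:00Z", "carol", "TW", "login"),
    ("2018-05-04T02:00:00Z", "carol", "US", "login"),         # 25 h later: plausible trip
]
# Assumed minimum travel time per country pair; anything faster is suspicious.
MIN_TRAVEL = {frozenset({"US", "TW"}): timedelta(hours=11)}
DEFAULT_MIN_TRAVEL = timedelta(hours=2)


def parse_time(stamp):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def travel_policy_alerts(events):
    """Return one alert per consecutive event pair of the same account that
    changes country in less than the minimum travel time for that pair."""
    by_account = {}
    for stamp, account, country, action in sorted(events):
        by_account.setdefault(account, []).append((parse_time(stamp), country, action))
    alerts = []
    for account, seq in by_account.items():
        for (t1, c1, a1), (t2, c2, a2) in zip(seq, seq[1:]):
            if c1 == c2:
                continue
            limit = MIN_TRAVEL.get(frozenset({c1, c2}), DEFAULT_MIN_TRAVEL)
            if t2 - t1 < limit:
                alerts.append({"account": account, "from": c1, "to": c2,
                               "seconds": int((t2 - t1).total_seconds()),
                               "actions": (a1, a2)})
    return alerts


if __name__ == "__main__":
    for alert in travel_policy_alerts(EVENTS):
        print(alert)
```

Only alice trips the policy: a US login followed 2,999 seconds later by a file modification from Taiwan, which matches the slide's scenario; carol's US login a day after her Taiwan login is within the assumed travel time and is left alone.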
80 Abnormal Behavior Detection
- Construct a user behavior model over files in Drive: User and Entity Behavior Analysis (UEBA)
- Quickly identify potential threats
- Reversed collaborative filtering from file access behavior (edit, view and other behavior); Drive file proximity score measurement
- Detecting insider suspects with high-risk behavior
- Structure-oriented risk propagation
[Figure: user access log -> users' past access behavior matrix and a user's recent access behavior vector]
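As an added worked example in the spirit of slide 80 (my own code, not CloudOrion's model), the Python below scores a user's recent Drive access vector against the users' past access matrix with item-based collaborative filtering: two files are close when the same users access them (cosine similarity of their access columns), and a recently touched file is risky when it is far from every file in that user's own past. The users, files and access counts are constructed, and the proximity and scoring functions are assumptions rather than the product's exact formulas.

```python
# Added example (not CloudOrion's model): file-proximity risk score over
# constructed Drive access counts.
from math import sqrt

PAST = {  # constructed past access counts: user -> {file: number of accesses}
    "alice": {"A/spec.docx": 5, "A/budget.xlsx": 3, "A/roadmap.pptx": 2},
    "anna":  {"A/spec.docx": 4, "A/roadmap.pptx": 3},
    "bob":   {"B/payroll.xlsx": 6, "B/contracts.pdf": 4},
    "ben":   {"B/payroll.xlsx": 2, "B/contracts.pdf": 5, "B/hr_list.xlsx": 1},
}
RECENT = {  # constructed recent access vectors
    "alice": {"A/spec.docx": 2, "A/budget.xlsx": 1},
    "bob":   {"B/payroll.xlsx": 1, "A/spec.docx": 1, "A/budget.xlsx": 1},  # team B user reading team A files
}


def file_vector(past, path):
    """Access counts of one file across all users (the file's column)."""
    return {user: files[path] for user, files in past.items() if path in files}


def file_proximity(past, f, g):
    """Cosine similarity between two files' user-access columns (1 = same users)."""
    if f == g:
        return 1.0
    vf, vg = file_vector(past, f), file_vector(past, g)
    dot = sum(vf[u] * vg[u] for u in vf.keys() & vg.keys())
    norm = sqrt(sum(x * x for x in vf.values())) * sqrt(sum(x * x for x in vg.values()))
    return dot / norm if norm else 0.0


def access_risk(past, user, recent):
    """Mean over recently accessed files of (1 - proximity to the user's closest past file)."""
    own = past.get(user, {})
    if not recent:
        return 0.0
    distances = []
    for path in recent:
        closest = max((file_proximity(past, path, g) for g in own), default=0.0)
        distances.append(1.0 - closest)
    return sum(distances) / len(distances)


def high_risk_users(past, recent, threshold=0.5):
    """Users whose recent access pattern departs from their own history."""
    return sorted(u for u, vec in recent.items() if access_risk(past, u, vec) > threshold)


if __name__ == "__main__":
    for user, vec in RECENT.items():
        print(user, round(access_risk(PAST, user, vec), 3))
    print("high risk:", high_risk_users(PAST, RECENT))
```

Alice's recent files are all in her own history, so her risk is 0; bob's two team-A files are accessed only by team-A users and sit at proximity 0 from everything he touched before, giving a risk of 2/3 and flagging him as the insider suspect of the slide's "man in the cloud" scenario.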
81 Case Study
- Inspected more than 1,200 user accounts with more than 400,000 event logs every day
- About 100,000 distinct user-file access records every day
- Maintain 1,200 incremental individual behavior models
- Find anomalous access records among a huge volume of logs, automatically
82 Conclusions: easy start
- Anaconda Python (ipython notebook!!)
- scikit-learn
- TensorFlow
- Bokeh
- NetworkX
- ElasticSearch
83 Conclusions: good tutorials
- Document Clustering with Python
- Using Machine Learning to Track IoT Vulnerability and Threats
Unstructured data and structured data: bring them together.
84 Thanks & Welcome Collaboration. Ching-Hao, Eric, Mao, Ph.D., CTTI, III, Taiwan
More informationForeScout Extended Module for Carbon Black
ForeScout Extended Module for Carbon Black Version 1.0 Table of Contents About the Carbon Black Integration... 4 Advanced Threat Detection with the IOC Scanner Plugin... 4 Use Cases... 5 Carbon Black Agent
More informationManaging an Active Incident Response Case. Paul Underwood, COO
Managing an Active Incident Response Case Paul Underwood, COO 2 About Us Paul Underwood - COO Emagined Security is a leading professional services firm for Information Security, Privacy & Compliance solutions.
More informationAvanan for G Suite. Technical Overview. Copyright 2017 Avanan. All rights reserved.
Avanan for G Suite Technical Overview Contents Intro 1 How Avanan Works 2 Email Security for Gmail 3 Data Security for Google Drive 4 Policy Automation 5 Workflows and Notifications 6 Authentication 7
More informationIntegrated, Intelligence driven Cyber Threat Hunting
Integrated, Intelligence driven Cyber Threat Hunting THREAT INVESTIGATION AND RESPONSE PLATFORM Zsolt Kocsis IBM Security Technical Executive, CEE zsolt.kocsis@hu.ibm.com 6th Nov 2018 Build an integrated
More informationModern Realities of Securing Active Directory & the Need for AI
Modern Realities of Securing Active Directory & the Need for AI Our Mission: Hacking Anything to Secure Everything 7 Feb 2019 Presenters: Dustin Heywood (EvilMog), Senior Managing Consultant, X-Force Red
More informationIntelligent and Secure Network
Intelligent and Secure Network BIG-IP IP Global Delivery Intelligence v11.2 IP Intelligence Service Brian Boyan - b.boyan@f5.com Tony Ganzer t.ganzer@f5.com 2 Agenda Welcome & Intro Introduce F5 IP Intelligence
More informationSecurity+ SY0-501 Study Guide Table of Contents
Security+ SY0-501 Study Guide Table of Contents Course Introduction Table of Contents About This Course About CompTIA Certifications Module 1 / Threats, Attacks, and Vulnerabilities Module 1 / Unit 1 Indicators
More informationTechnical Brief: Domain Risk Score Proactively uncover threats using DNS and data science
Technical Brief: Domain Risk Score Proactively uncover threats using DNS and data science 310 Million + Current Domain Names 11 Billion+ Historical Domain Profiles 5 Million+ New Domain Profiles Daily
More informationGo mobile. Stay in control.
Go mobile. Stay in control. Enterprise Mobility + Security Jeff Alexander Sr. Technical Evangelist http://about.me/jeffa36 Mobile-first, cloud-first reality 63% 80% 0.6% Data breaches Shadow IT IT Budget
More informationThe SANS Institute Top 20 Critical Security Controls. Compliance Guide
The SANS Institute Top 20 Critical Security Controls Compliance Guide February 2014 The Need for a Risk-Based Approach A common factor across many recent security breaches is that the targeted enterprise
More informationCybersecurity Roadmap: Global Healthcare Security Architecture
SESSION ID: TECH-W02F Cybersecurity Roadmap: Global Healthcare Security Architecture Nick H. Yoo Chief Security Architect Disclosure No affiliation to any vendor products No vendor endorsements Products
More informationCIS Controls Measures and Metrics for Version 7
Level 1.1 Utilize an Active Discovery Tool 1.2 Use a Passive Asset Discovery Tool 1.3 Use DHCP Logging to Update Asset Inventory 1.4 Maintain Detailed Asset Inventory 1.5 Maintain Asset Inventory Information
More informationAnalytics Driven, Simple, Accurate and Actionable Cyber Security Solution CYBER ANALYTICS
Analytics Driven, Simple, Accurate and Actionable Cyber Security Solution CYBER ANALYTICS Overview Cyberattacks are increasingly getting more frequent, more sophisticated and more widespread than ever
More informationDDoS Protector. Simon Yu Senior Security Consultant. Block Denial of Service attacks within seconds CISSP-ISSAP, MBCS, CEH
DDoS Protector Block Denial of Service attacks within seconds Simon Yu Senior Security Consultant CISSP-ISSAP, MBCS, CEH 2012 Check Point Software Technologies Ltd. [PROTECTED] All rights reserved. 2012
More informationHELP ME NETWORK VISIBILITY AND AI; YOU RE OUR ONLY HOPE
SESSION ID: SPO3-T10 HELP ME NETWORK VISIBILITY AND AI; YOU RE OUR ONLY HOPE Chris Morales Head of Security Analytics Vectra Networks Steve McGregory Sr. Director, Threat Intelligence Research Center Ixia,
More informationA Measurement Companion to the CIS Critical Security Controls (Version 6) October
A Measurement Companion to the CIS Critical Security Controls (Version 6) October 2015 1 A Measurement Companion to the CIS Critical Security Controls (Version 6) Introduction... 3 Description... 4 CIS
More informationAgile Security Solutions
Agile Security Solutions Piotr Linke Security Engineer CISSP CISA CRISC CISM Open Source SNORT 2 Consider these guys All were smart. All had security. All were seriously compromised. 3 The Industrialization
More informationWatson Developer Cloud Security Overview
Watson Developer Cloud Security Overview Introduction This document provides a high-level overview of the measures and safeguards that IBM implements to protect and separate data between customers for
More informationData Science & Machine Learning in Cybersecurity
Data Science & Machine Learning in Cybersecurity Author: SaiGanesh Gopalakrishnan Lead Product Manager, Cybersecurity Solutions, AT&T Date: 05/22/2017 2017 AT&T Intellectual Property. All rights reserved.
More informationTHE RSA SUITE NETWITNESS REINVENT YOUR SIEM. Presented by: Walter Abeson
THE RSA NETWITNESS SUITE REINVENT YOUR SIEM Presented by: Walter Abeson 1 Reality Goals GOALS VERSUS REALITY OF SIEM 1.0 Single compliance & security interface Analyze & prioritize alerts across various
More informationNovetta Cyber Analytics
Know your network. Arm your analysts. Introduction Novetta Cyber Analytics is an advanced network traffic analytics solution that empowers analysts with comprehensive, near real time cyber security visibility
More informationSIEM (Security Information Event Management)
SIEM (Security Information Event Management) Topic: SECURITY and RISK Presenter: Ron Hruby Topics Threat landscape Breaches and hacks Leadership and accountability Evolution of security technology What
More informationSOLUTION BRIEF RSA NETWITNESS PLATFORM ACCELERATED THREAT DETECTION & AUTOMATED RESPONSE FROM THE ENDPOINT TO THE CLOUD
RSA NETWITNESS PLATFORM ACCELERATED THREAT DETECTION & AUTOMATED RESPONSE FROM THE ENDPOINT TO THE CLOUD OVERVIEW Information security has been a major challenge for organizations since the dawn of the
More informationAppSpider Enterprise. Getting Started Guide
AppSpider Enterprise Getting Started Guide Contents Contents 2 About AppSpider Enterprise 4 Getting Started (System Administrator) 5 Login 5 Client 6 Add Client 7 Cloud Engines 8 Scanner Groups 8 Account
More informationManaged Endpoint Defense
DATA SHEET Managed Endpoint Defense Powered by CB Defense Next-gen endpoint threat detection and response DEPLOY AND HARDEN. Rapidly deploy and optimize endpoint prevention with dedicated security experts
More informationhow dtex fights insider threats
how dtex fights insider threats Over the past several years, organizations have begun putting more and more focus on the end user. But security teams are quickly realizing that tools like traditional UBA
More informationATTIVO NETWORKS THREATDEFEND INTEGRATION WITH MCAFEE SOLUTIONS
PARTNER BRIEF ATTIVO NETWORKS THREATDEFEND INTEGRATION WITH MCAFEE SOLUTIONS INTRODUCTION Attivo Networks has partnered with McAfee to detect real-time in-network threats and to automate incident response
More informationSecurity Testing. - a requirement for a secure business. ISACA DAY in SOFIA. Gabriel Mihai Tanase, Director, Cyber Services KPMG in CEE
Gabriel Mihai Tanase, Director, Cyber Services KPMG in CEE Cyber Security Services Security Testing - a requirement for a secure business ISACA DAY in SOFIA Agenda No Agenda Some minimum theory More real
More informationCHARLES DARWIN, CYBERSECURITY VISIONARY
SESSION ID: SPO1-W12 CHARLES DARWIN, CYBERSECURITY VISIONARY Dan Schiappa SVP and GM, Products Sophos @dan_schiappa It is not the strongest of the species that survives, nor the most intelligent that survives.
More informationCIS Controls Measures and Metrics for Version 7
Level One Level Two Level Three Level Four Level Five Level Six 1.1 Utilize an Active Discovery Tool Utilize an active discovery tool to identify devices connected to the organization's network and update
More information10 FOCUS AREAS FOR BREACH PREVENTION
10 FOCUS AREAS FOR BREACH PREVENTION Keith Turpin Chief Information Security Officer Universal Weather and Aviation Why It Matters Loss of Personally Identifiable Information (PII) Loss of Intellectual
More informationCisco Firepower NGFW. Anticipate, block, and respond to threats
Cisco Firepower NGFW Anticipate, block, and respond to threats You have a mandate to build and secure a network that supports ongoing innovation Mobile access Social collaboration Public / private hybrid
More informationRiskSense Attack Surface Validation for IoT Systems
RiskSense Attack Surface Validation for IoT Systems 2018 RiskSense, Inc. Surfacing Double Exposure Risks Changing Times and Assessment Focus Our view of security assessments has changed. There is diminishing
More informationCisco Firepower NGFW. Anticipate, block, and respond to threats
Cisco Firepower NGFW Anticipate, block, and respond to threats Digital Transformation on a Massive Scale 15B Devices Today Attack Surface 500B Devices In 2030 Threat Actors $19T Opportunity Next 10 Years
More informationTrend Micro. Apex One as a Service / Apex One. Best Practice Guide for Malware Protection. 1 Best Practice Guide Apex One as a Service / Apex Central
Trend Micro Apex One as a Service / Apex One Best Practice Guide for Malware Protection 1 Best Practice Guide Apex One as a Service / Apex Central Information in this document is subject to change without
More informationIntroduction to Data Mining and Data Analytics
1/28/2016 MIST.7060 Data Analytics 1 Introduction to Data Mining and Data Analytics What Are Data Mining and Data Analytics? Data mining is the process of discovering hidden patterns in data, where Patterns
More informationPT Unified Application Security Enforcement. ptsecurity.com
PT Unified Application Security Enforcement ptsecurity.com Positive Technologies: Ongoing research for the best solutions Penetration Testing ICS/SCADA Security Assessment Over 700 employees globally Over
More informationDynamic Datacenter Security Solidex, November 2009
Dynamic Datacenter Security Solidex, November 2009 Deep Security: Securing the New Server Cloud Virtualized Physical Servers in the open Servers virtual and in motion Servers under attack 2 11/9/09 2 Dynamic
More informationCyberArk Privileged Threat Analytics
CyberArk Privileged Threat Analytics Table of Contents The New Security Battleground: Inside Your Network 3 Privileged account security 3 Collect the right data 4 Detect critical threats 5 Alert on critical
More informationADVANCED, UNKNOWN MALWARE IN THE HEART OF EUROPE
ADVANCED, UNKNOWN MALWARE IN THE HEART OF EUROPE AGENDA Network Traffic Analysis: What, Why, Results Malware in the Heart of Europe Bonus Round 2 WHAT: NETWORK TRAFFIC ANALYSIS = Statistical analysis,
More informationIntegrating Okta and Preempt Detecting and Preventing Threats With Greater Visibility and Proactive Enforcement
Integrating Okta and Preempt Detecting and Preventing Threats With Greater Visibility and Proactive Enforcement The Challenge: Smarter Attackers and Dissolving Perimeters Modern enterprises are simultaneously
More informationPhishing in the Age of SaaS
Phishing in the Age of SaaS AN ESSENTIAL GUIDE FOR BUSINESSES AND USERS The Cloud Security Platform Q3 2017 intro Phishing attacks have become the primary hacking method used against organizations. In
More informationThe prevent of advanced persistent threat
Available online www.jocpr.com Journal of Chemical and Pharmaceutical Research, 2014, 6(7):572-576 Research Article ISSN : 0975-7384 CODEN(USA) : JCPRC5 The prevent of advanced persistent threat Guangmingzi
More informationThe Rise of the Purple Team
SESSION ID: AIR-W02 The Rise of the Purple Team Robert Wood Head of Security Nuna @robertwood50 William Bengtson Senior Security Program Manager Nuna @waggie2009 Typical Team Responsibilities Red Vulnerability
More informationCYBERSECURITY RISK LOWERING CHECKLIST
CYBERSECURITY RISK LOWERING CHECKLIST The risks from cybersecurity attacks, whether external or internal, continue to grow. Leaders must make thoughtful and informed decisions as to the level of risk they
More informationDreamFactory Security Guide
DreamFactory Security Guide This white paper is designed to provide security information about DreamFactory. The sections below discuss the inherently secure characteristics of the platform and the explicit
More informationUn SOC avanzato per una efficace risposta al cybercrime
Un SOC avanzato per una efficace risposta al cybercrime Identificazione e conferma di un incidente @RSAEMEA #RSAEMEASummit @masiste75 Mauro Costantini - Presales Consultant Agenda A look into the threat
More informationGladiator Incident Alert
Gladiator Incident Alert Allen Eaves Sabastian Fazzino FINANCIAL PERFORMANCE RETAIL DELIVERY IMAGING PAYMENT SOLUTIONS INFORMATION SECURITY & RISK MANAGEMENT ONLINE & MOBILE 1 2016 Jack Henry & Associates,
More informationAvoiding Information Overload: Automated Data Processing with n6
Avoiding Information Overload: Automated Data Processing with n6 Paweł Pawliński pawel.pawlinski@cert.pl 26th annual FIRST conference Boston, June 23rd 2014 Who we are part of national CERT for Poland
More informationTechnology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited
Technology Risk Management in Banking Industry Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited Change in Threat Landscape 2 Problem & Threats faced by Banking Industry
More informationMicrosoft Advance Threat Analytics (ATA) at LLNL NLIT Summit 2018
Microsoft Advance Threat Analytics (ATA) at LLNL NLIT Summit 2018 May, 22, 2018 John Wong wong76@llnl.gov Systems & Network Associate This work was performed under the auspices of the U.S. Department of
More informationThreat Detection and Mitigation for IoT Systems using Self Learning Networks (SLN)
Threat Detection and Mitigation for IoT Systems using Self Learning Networks (SLN) JP Vasseur, PhD - Cisco Fellow jpv@cisco.com Maik G. Seewald, CISSP Sr. Technical Lead maseewal@cisco.com June 2016 Cyber
More informationCloudSOC and Security.cloud for Microsoft Office 365
Solution Brief CloudSOC and Email Security.cloud for Microsoft Office 365 DID YOU KNOW? Email is the #1 delivery mechanism for malware. 1 Over 40% of compliance related data in Office 365 is overexposed
More information