Applying a data driven approach to machine learning

Transcription

1 Andrew Hollister LogRhythm Applying a data driven approach to machine learning

2 Definition - machine learning The science of enabling computers to learn without being explicitly programmed to do so. Machine learning applies statistics and algorithms at scale on large amounts of data. One of the goals for machine learning is to achieve artificial intelligence.

3 Machine learning :: The silver bullet?

4 Identifying anomalies and threats Spectrum of attacks Vulnerability: Known Method: Known Frequency: High Vulnerability: Known Method: Unknown Frequency: Medium Vulnerability: Unknown Method: Unknown Frequency: Low Real-time, scenario-based, and multiple detection methods Statistical analysis, supervised and unsupervised machine learning, deep learning

5 Machine learning: indications or conclusions? I don t want false positives Give me insights to threats I wouldn t otherwise know about CERTAINTY INSIGHT

6 Example use cases for machine learning Account compromise Insider threats Privileged account abuse Data exfiltration

7 Data and machine learning The effectiveness of machine learning relies on having access to large sets of high-quality, rich, structured data capturing network activities across numerous endpoints

8 The data challenge

9 Sample log data :19: <LOC4:DBUG> Sep 28 03:18:09 probe LogRhythmDpi: EVT:001 4b03743f-8d06-4bdb-a9fe-63b6bb833376: , ,1205,25,00:50:56:a7:00:df,00:50:56:a7:35:ad,6,956,339816/339816,11920/11920,501/501, , ,7/7,dname=lrxm.uk.emea.logrhythm. com,command=ehlo MAIL RCPT Update For Tracking# ,object=250,objectname=Invoice.pdf

10 Who, what and when :19: <LOC4:DBUG> Sep 28 03:18:09 probe LogRhythmDpi: EVT:001 4b03743f-8d06-4bdb-a9fe-63b6bb833376: , ,1205,25,00:50:56:a7:00:df,00:50:56:a7:35:ad,6,956,339816/339816,11920/11920,501/501, , ,7/7,dname=lrxm.uk.emea.logrhythm. com,command=ehlo MAIL RCPT Update For Tracking# ,object=250,objectname=Invoice.pdf

11 :19: <LOC4:DBUG> Sep 28 03:18:09 probe LogRhythmDpi: EVT:001 4b03743f-8d06-4bdb-a9fe-63b6bb833376: , ,1205,25,00:50:56:a7:00:df,00:50:56:a7:35:ad,6,956,339816/339816,11920/11920,501/501, , ,7/7,dname=lrxm.uk.emea.logrhythm. com,command=ehlo MAIL RCPT Update For Tracking# ,object=250,objectname=Invoice.pdf <Event xmlns=' Name='Microsoft-Windows-Security-Auditing' Guid='{ A5BA- 3E3B0328C30D}'/><EventID>4688</EventID><Version>1</Version><Level>Information</Level><Task>Process Creation</Task><Opcode>Info</Opcode><Keywords>Audit Success</Keywords><TimeCreated SystemTime=' T20:03: Z'/><EventRecordID>4828</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='14908'/><Channel>Security</Channel><Computer>LRXM</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>UK\bsmith</Data><Data Name='SubjectUserName'>LRXM$</Data><Data Name='SubjectDomainName'></Data><Data Name='SubjectLogonId'>0x4d26e</Data><Data Name='NewProcessId'>0x202c</Data><Data Name='NewProcessName'>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x23ec</Data><Data Name='CommandLine'>psexec -accepteula -i -s \\dc01 cmd.exe</data></eventdata></event> {"timestamp": ,"zoneid": ,"zoneplan":"enterprise","ownerid": ,"zonename":"example.com","hosterid":100,"brandid":100,"rayid":"2c47e04 7f6114fff","securityLevel":"high","flags":2,"client":{"ip":" ","srcPort":0,"ipClass":"noRecord","country":"us","sslProtocol":"TLSv1","sslCipher":"ECDHE-RSA-AES128- SHA","sslFlags":0,"deviceType":"desktop","asNum":209},"clientRequest":{"bytes":1501,"bodyBytes":0,"httpHost":"asdfghjk.example.com:443","httpMethod":"GET","uri":"/wsg/pu blic/nab/v1/ /endpoints","httpprotocol":"http/1.1","flags":0,"headers":[{"name":"x-sncr-client-platform","value":"handset"}, {"name":"x-sncr-client-modelmapping","value":"fusionone.android.samsung coreprimeltevzw"}, {"name":"x-sncr-app-id","value":"verizon.b926205e26978f8a"}, {"name":"x-sncr-clientosversion","value":"android4.4.4"}, {"name":"x-sncr-client-version","value":"bass "}, {"name":"authorization-domain","value":"sncr.token"}, {"name":"x-f1- caps","value":"gd;http;https"}, {"name":"content-type","value":"application/xml"}, {"name":"x-f1- loc","value":" DEN","sslClientHello":{"version":769,"random":"V40a62vXunF4dcZpeBuJ7lU095asDRHnmY1RJcD1W9Y=","sessionId":"xmK7C6a/NzYNnYkOjzSBKTorbF5KOdByo4P6uvsD9Sc=","ciph ersuites":[4, 5, 47, 53, 49154, 49156, 49157, 49164, 49166, 49167, 49159, 49161, 49162, 49169, 49171, 49172, 51, 57, 50, 56, 10, 49155, 49165, 49160, 49170, 22, 19, 9, 21, 18, 3, 8, 20, 17, 255],"compression":[0],"extensions":[{"type":11,"value":"AwABAg=="}

12 Structured security data in four easy steps Collect Parse Classify Enrich Commercial Custom Cloud Extract Normalise Type Common taxonomy Technology agnostic Context Infusion

13 Data Sources

14 Machine Learning in four easy steps Normalise your data Collection Parsing Classification Enrichment Associate to identity Direct Inferred Unknown Identify anomalies Scenario based Behaviour based Hybrid analytics Determine the threat Enrich context Evaluate threat Take action Does the log have an identity? Does the log relate to an identity? Is the identity human or machine? Is the pattern malicious? Does the identity usually behave this way? Is the activity normal? Is it interesting? Is it actionable? Is it meaningful compared to other alarms?

15 Determining the threat by anomaly type Anomalous Informational Operational Security Employee on vacation Change of password Job change Training on access controls Compromised account Insider threat

16 Intelligent output based on structured input

17 5 key take aways

18 5 key take aways ML is not the silver bullet for all cyber threats ML requires volumes of high quality data ML provides Insights (vs Certainty of rules) Know the use cases you are trying to solve and use the right type of analytics Algorithms are only part of the picture - Intelligent output relies on curated input