User and Entity Behavior Analytics

Similar documents
Intro to Niara. no compromise behavioral analytics. Tomas Muliuolis HPE Aruba Baltics Lead

Produkt Update: Aruba 360 Secure Fabric ClearPass 6.7 neues Lizenzmodell & IntroSpect. Reinhard Lichte, Consulting Systems Engineer

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

QuickSpecs. Aruba IntroSpect User and Entity Behavior Analytics. Overview. Aruba IntroSpect User and Entity Behavior Analytics Product overview

Intelligent Edge Protection

Behavioral Analytics A Closer Look

Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting

Office 365 Buyers Guide: Best Practices for Securing Office 365

Compare Security Analytics Solutions

MEETING ISO STANDARDS

McAfee Skyhigh Security Cloud for Amazon Web Services

RULES VERSUS MODELS IN YOUR SIEM

Built-in functionality of CYBERQUEST

68 Insider Threat Red Flags

CIS Controls Measures and Metrics for Version 7

CIS Controls Measures and Metrics for Version 7

CloudSOC and Security.cloud for Microsoft Office 365

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

McAfee MVISION Cloud. Data Security for the Cloud Era

Automated Threat Management - in Real Time. Vectra Networks

Discover threats quickly, remediate immediately, and mitigate the impact of malware and breaches

how dtex fights insider threats

Insiders are the New Malware

Course Outline Topic 1: Current State Assessment, Security Operations Centers, and Security Architecture

RSA Security Analytics

Pass4suresVCE. Pass4sures exam vce dumps for guaranteed success with high scores

Preventing Data Breaches without Constraining Business Beograd 2016

How to Identify Advanced Persistent, Targeted Malware Threats with Multidimensional Analysis

THE RSA SUITE NETWITNESS REINVENT YOUR SIEM. Presented by: Walter Abeson

Un SOC avanzato per una efficace risposta al cybercrime

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Stopping Advanced Persistent Threats In Cloud and DataCenters

Detect Cyber Threats with Securonix Proxy Traffic Analyzer

MEMORY AND BEHAVIORAL PROTECTION ENDPOINT SECURITY NETWORK SECURITY I ENDPOINT SECURITY I DATA SECURITY

Privilege Security & Next-Generation Technology. Morey J. Haber Chief Technology Officer

Not your Father s SIEM

Sobering statistics. The frequency and sophistication of cybersecurity attacks are getting worse.

Driving more value from your Security Operations Center (SOC) Platform. James Hanlon Director, Splunk Security Markets Specialization, EMEA

Battle between hackers and machine learning. Alexey Lukatsky Cybersecurity Business Consultant April 03, 2019

Synchronized Security

Best Practices for Scoping Infections and Disrupting Breaches

Speed Up Incident Response with Actionable Forensic Analytics

WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX

10 FOCUS AREAS FOR BREACH PREVENTION

Securing Dynamic Data Centers. Muhammad Wajahat Rajab, Pre-Sales Consultant Trend Micro, Pakistan &

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

ARTIFICIAL INTELLIGENCE POWERED AUTOMATED THREAT HUNTING AND NETWORK SELF-DEFENSE

ForeScout Extended Module for Splunk

CyberArk Privileged Threat Analytics

Analytics Driven, Simple, Accurate and Actionable Cyber Security Solution CYBER ANALYTICS

GSX 365 Usage Reports & Security Audit

Securing Office 365 with SecureCloud

Part 1: Anatomy of an Insider Threat Attack

The Cognito automated threat detection and response platform

ARUBA 360 SECURE FABRIC

Cisco Cloud Security. How to Protect Business to Support Digital Transformation

RSA NetWitness Suite Respond in Minutes, Not Months

Prescriptive Security Operations Centers. Leveraging big data capabilities to build next generation SOC

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

A Security Admin's Survival Guide to the GDPR.

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)

Question No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output:

IBM QRadar User Behavior Analytics (UBA) app Version 2 Release 7. User Guide IBM

Machine Learning for User Behavior Anomaly Detection EUGENE NEYOLOV, HEAD OF R&D

Symantec Endpoint Protection Family Feature Comparison

Vectra Cognito. Brochure HIGHLIGHTS. Security analyst in software

HELP ME NETWORK VISIBILITY AND AI; YOU RE OUR ONLY HOPE

Go mobile. Stay in control.

Sophos Central Admin. help

CISCO NETWORKS BORDERLESS Cisco Systems, Inc. All rights reserved. 1

SIEM (Security Information Event Management)

A Measurement Companion to the CIS Critical Security Controls (Version 6) October

AUTHENTICATION. Do You Know Who You're Dealing With? How Authentication Affects Prevention, Detection, and Response

Enhanced Threat Detection, Investigation, and Response

SOLUTION BRIEF RSA NETWITNESS PLATFORM ACCELERATED THREAT DETECTION & AUTOMATED RESPONSE FROM THE ENDPOINT TO THE CLOUD

CYBER RISK MANAGEMENT: ADDRESSING THE CHALLENGE SIMON CRUMPLIN, FOUNDER & CEO

PLANNING AZURE INFRASTRUCTURE SECURITY - AZURE ADMIN ACCOUNTS PROTECTION & AZURE NETWORK SECURITY

Cisco Firepower NGFW. Anticipate, block, and respond to threats

Part 2: How to Detect Insider Threats

Insiders: The Threat is Already Within

Best Practices in Securing a Multicloud World

TestBraindump. Latest test braindump, braindump actual test

Incident Response Agility: Leverage the Past and Present into the Future

CipherCloud CASB+ Connector for ServiceNow

Building Resilience in a Digital Enterprise

Copyright 2011 Trend Micro Inc.

SIEM Overview with OSSIM Case Study. Mohammad Husain, PhD Cal Poly Pomona

The Invisible Threat of Modern Malware Lee Gitzes, CISSP Comm Solutions Company

Cisco Firepower NGFW. Anticipate, block, and respond to threats

IBM QRadar User Behavior Analytics (UBA) app Version 2 Release 5. User Guide IBM

Data Science & Machine Learning in Cybersecurity

ADVANCED THREAT PREVENTION FOR ENDPOINT DEVICES 5 th GENERATION OF CYBER SECURITY

I Was APT d. What Did They Steal?

Symantec Ransomware Protection

THE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

Cybersecurity Roadmap: Global Healthcare Security Architecture

Seceon s Open Threat Management software

RSA ECAT DETECT, ANALYZE, RESPOND!

Transcription:

User and Entity Behavior Analytics Shankar Subramaniam Co-Founder, Niara Senior Director of Customer Solutions, HPE Aruba Introspect shasubra@hpe.com

THE SECURITY GAP SECURITY SPEND DATA BREACHES 146 days median time from compromise to discovery PREVENTION & DETECTION (US $B) # BREACHES % DISCOVERED INTERNALLY SOURCES Mandiant M-Trends 2016, Verizon Data Breach Investigations 2016, IDC 2016

THE PROBLEM + PREVENTION & DETECTION NOT ENOUGH INCREASINGLY POROUS MONITORING SYSTEMS FALLING SHORT CANNOT DETECT UNKNOWN THREATS

Attacks involving legitimate credentials COMPROMISED 40 million credit cards were stolen from Target s severs STOLEN CREDENTIALS MALICIOUS Edward Snowden stole more than 1.7 million classified documents INTENDED TO LEAK INFORMATION NEGLIGENT Employees uploading sensitive information to personal Dropbox for easy access DATA LEAKAGE

Behavioral Analytics AUTOMATED DETECTION of threats inside the organization FORCE MULTIPLIER for security analysts

Basics of Behavioral Analytics MACHINE LEARNING UNSUPERVISED + SEMI-SUPERVISED Behavioral Analytics BASELINES HISTORICAL + PEER GROUP

Behavior Many different dimensions Authentication AD logins Internal Resource Access Finance servers Remote Access VPN logins External Activity C&C, personal email Behavioral Analytics SaaS Activity Office 365, Box Cloud IaaS AWS, Azure Exfiltration DLP, Email Physical Access badge logs

DETECTING AN ANOMALY Internal Resource Access Finance servers Behavioral Analytics ABNORMAL APPLICATION ACCESS

Finding the malicious in the anomalous Behavioral Analytics MACHINE LEARNING SUPERVISED UNSUPERVISED THIRD PARTY ALERTS DLP Sandbox Firewalls STIX Rules Etc.

Ransomware Example Indicators C&C Communication UEBA DGA Detection e.g. iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.], xxlvbrloxvriy2c5[.], sqjolphimrr7jqw6[.], 76jdd2ir2embyv47[.] SMB based bot scanning Behavioral Analytics on baseline behavior of systems and detecting anomalous communication patterns Stateful Risk Score for Compromised System

Data Exfiltration Example Indicators Access to internal sensitive information UEBA Abnormal access to internal data Moving sensitive data offshore Abnormal USB writes Abnormal Uploads to Box, Dropbox High Risk Score for user

Abnormal Privileged Insider Activity Example Indicators Privilege Escalation UEBA Escalation of privileges for user not entitled to admin role Abnormal Data access Excessive Service Ticket requests Abnormal data access patterns High Risk Score for user

Need for dimensionality Multiple techniques, Expertise in security domain Supervised Supervised with manual review Unsupervised DNS-DGA (Naïve Bayes) DNS Exfiltration (Logistic Regression) DNS Tunneling (K-means clustering) UBA-Server (SVD with Mahalanobis distance) GUEBA (z-score)

Data Source Diversity Matters Type Examples Purpose Network activity Firewall IDS/IPS Web Proxy Email Bro logs, Network traffic Network flows Lateral movement Abnormal resource access Browser exploits Malware activity Suspicious file downloads Command and control activity Beaconing Remote Access activity VPN logs Credential theft, password sharing Identity AD, DHCP logs Credential violations Account takeover Privilege escalations Infrastructure DNS logs Command and control activity Tunneling Exfiltration 3rd party alerts FireEye, WildFire alerts Incorporate alerts into user risk profiles Threat Intelligence feeds Commercial & STIX feeds Perform historical impact assessment Endpoint Logs DLP, FIM Suspicious file activity USB, cloud based file exfiltration Physical activity Badge logs Building access violations Tailgating

Lateral Movement Features Authentication activity Successful/Failed login activity rates Password change rates Odd time of logins New host logins Excessive user logons on hosts Locked/disabled/expired account/restricted workstation logins Access to internal applications / servers/ peers Odd time of access (first and last access) Upload/download deviations Abnormal activity duration/ session count New server / application / peer access Port counts Data Source AD Logs Packets NetFlow Firewall logs

Account Takeover Features Authentication activity Service ticket request rates Unique/New service ticket requests Account creation/ disable/ lockout / deletion rates Group change deviations Locked/disabled/expired account/restricted workstation logins Access to internal applications/ servers/ peers Odd time of access (first and last access) Upload/download deviations Activity duration/ session counts New server / application access New host access Port counts Data Source AD Logs Packets NetFlow Firewall logs

Infiltration / Credential Compromise Features Land-speed violations: Access from different locations that violate the physical limits of movement between them (city or country) City: New city access for the first time Activity duration/ session counts Bytes in, bytes out Odd time of access (first and last access) VPN logs Data Source

Exfiltration Features Data Source DNS-Exfiltration DNS logs or traffic Access to internet / external applications / cloud apps Packets Time of access Upload/download deviations NetFlow Activity duration/ session counts New server / application access Firewall logs Port counts Country visited New /Counts Web Proxy logs Entropy Mismatch Email activity Odd time of email activity Upload/download deviations Attachment size/volumes Email counts Suspicious / disposable domains Activity to non-corporate or non-affiliated domains Endpoint Activity Volume of data written to USB, first time USB writes New processes / Registry changes New file creations/ modifications/ opened/ created Changes in file read/write/deletes/ permissions Email traffic Email logs File Integrity Monitoring DLP logs Endpoint logs

Generalized Behavioral Analytics Data Selection Data Sources (Proxy / FW / AD / VPN logs, packets ) Target Entities (users/hosts) Use Case Filter (data filters) Feature Examples Time Counter Cardinality New Value Location First and last access each day Volume of downloaded or uploaded bytes Number of email recipients per sender Country visited for the first time Geo-location of VPN logon Behavior Profiling Baseline (Peer, History) Window (Duration) Profiling Model (SVD, RBM, BayesNet, K-means, Decision tree ) Anomaly Detection Real-time vs. Offline Distance (Mahalanobis, Energy) Event Generation (Severity, Stage)

Behavioral analytics for resource access - server Identifying abnormal access to high value servers by time and download volume Data Selection Data Sources (Proxy logs, server logs, flows, packets ) Target Entities (Users to be profiled) Use Case Filter (High-value server) Features Time (First/last access) Counter (Volume of download) Behavior Profiling Baseline ( History) Window (14 days) Profiling Model (SVD) Anomaly Detection Real-time vs. Offline (Offline) Distance (Mahalanobis) Event Generation (100% Severity, Internal Activity)

Behavioral Analytics for Resource Access - Building Identifying abnormal access to physical facility Data Selection Data Sources (Badge logs) Target Entities (Users to be profiled) Use Case Filter (No filter) Features Time (First/last access) Behavior Profiling Baseline ( Peer) Window (14 days) Profiling Model (SVD) Anomaly Detection Real-time vs. Offline (Offline) Distance (Mahalanobis) Event Generation (100% Severity, Internal Activity)

Behavioral Analytics for Resource Access - Files Detecting abnormally high PDF downloads Data Selection Data Sources (Packets or proxy logs) Target Entities (Users to be profiled) Use Case Filter (High-value server; PDFs only) Features Counter (Volume of download) Behavior Profiling Baseline (Peer, History) Window (14 days) Profiling Model (ZScore) Anomaly Detection Real-time vs. Offline (Offline) Distance (Mahalanobis) Event Generation (100% Severity, Internal Activity)

Behavioral Analytics for access to job sites Identifying flight risk users Data Selection Data Sources (Packets or proxy logs) Target Entities (Users to be profiled) Use Case Filter (Job/salary site URLs) Features Cardinality (# unique visits) Behavior Profiling Baseline (Peer) Window (14 days) Profiling Model (SVD) Anomaly Detection Real-time vs. Offline (Offline) Distance (Mahalanobis) Event Generation (100% Severity, Internal Activity)

Differentiated Risk Scoring Contextually weighted model Hidden Markov Model Unlike competitors that linearly add up scores for all detected events E.g., a C&C event followed by a privilege escalation event is treated differently from two consecutive C&C events Score incorporates: Sequencing of events Distribution of events across kill chain stage Severity and confidence of alerts Customer input to shape risk score at a granular level

Adaptive Learning Analytics Module Results Analyst Feedback Incorporate analyst/business context Ability to train models for exception handling, risk scoring Granular exceptions User/ Application/ Baseline Type E.g., user Bob s access of AWS is exempt from peer detection because he is an admin Global / user specific whitelists E.g., site xyzinc facilitates vulnerable PDF file downloads but it is an authorized partner site

Anomaly detection after applying SVD Unsupervised Machine Learning In the case of UBA-Server, we have 5 features first/last access time, upload/download volume, number of eflows and duration We evaluate Mahalanobis distance, to determine if it is an anomaly A score of >60 is an anomaly Y A B X X: time of first access and Y: download volume A B B A A 1 st principal axis 2 nd principal axis B

Risk Scoring Bayesian inference model Bayes Theorem : Risk Score (RS) : P(B / A) P(A / B)*P(B) P(A) P(RS / f 1, f 2, f 3, f 4 ) P( f 1, f 2, f 3, f 4 / RS)*P(RS) P( f 1, f 2, f 3, f 4 ) Improvements for single event trigger P(RS / f 1, f 2, f 3, f 4 ) P( f 1 / RS)*P( f 2 / RS)*P( f 3 / RS)*P( f 4 / RS)*P(RS) where, f 1 max( severity *confidence*time_ decay) alerts f 2 (severity *confidence) /100) i attack stages f 3 (highest _ sqrt _ of _ sev *conf ) f 4 ln i alerts i ( severity *confidence*time_ decay) P(RS) is assumed to have a uniform probability distribution

Thank You 28

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback