Data Sources for Cyber Security Research

Similar documents
The Importance of Interpretability in Cyber Security Analytics

Automated Threat Management - in Real Time. Vectra Networks

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

RSA NetWitness Suite Respond in Minutes, Not Months

Course Outline Topic 1: Current State Assessment, Security Operations Centers, and Security Architecture

Compare Security Analytics Solutions

Analytics Driven, Simple, Accurate and Actionable Cyber Security Solution CYBER ANALYTICS

Pass4suresVCE. Pass4sures exam vce dumps for guaranteed success with high scores

WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX

Different attack manifestations Network packets OS calls Audit records Application logs Different types of intrusion detection Host vs network IT

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

Detecting Threats via Network Anomalies

THE RSA SUITE NETWITNESS REINVENT YOUR SIEM. Presented by: Walter Abeson

Incident Response Agility: Leverage the Past and Present into the Future

FTA 2017 SEATTLE. Cybersecurity and the State Tax Threat Environment. Copyright FireEye, Inc. All rights reserved.

QuickSpecs. Aruba IntroSpect User and Entity Behavior Analytics. Overview. Aruba IntroSpect User and Entity Behavior Analytics Product overview

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

AMP-Based Flow Collection. Greg Virgin - RedJack

RiskSense Attack Surface Validation for IoT Systems

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Advanced Threat Intelligence to Detect Advanced Malware Jim Deerman

Emerging Threat Intelligence using IDS/IPS. Chris Arman Kiloyan

Forensic Network Analysis in the Time of APTs

Strategy is Key: How to Successfully Defend and Protect. Session # CS1, February 19, 2017 Karl West, CISO, Intermountain Healthcare

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

SOLUTION BRIEF RSA NETWITNESS EVOLVED SIEM

Security & Phishing

Fidelis Overview. ISC 2 DoD and Industry Forum. Rapid Detection and Automated Incident Response DoD & Commercial Active Defense Use Cases

National Cyber Security Operations Center (N-CSOC) Stakeholders' Conference

Automated Response in Cyber Security SOC with Actionable Threat Intelligence

Enhancing Threat Intelligence Data. 05/24/2017 DC416

SANS Top 20 CIS. Critical Security Control Solution Brief Version 6. SANS Top 20 CIS. EventTracker 8815 Centre Park Drive, Columbia MD 21045

The New Era of Cognitive Security

EMERGING THREATS & STRATEGIES FOR DEFENSE. Paul Fletcher Cyber Security

ForeScout Extended Module for Splunk

Fidelis Overview. 15 August 2016 ISC2 Cyber Defense Forum

CompTIA CSA+ Cybersecurity Analyst

CYBER RESILIENCE & INCIDENT RESPONSE

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

Cisco Cloud Security. How to Protect Business to Support Digital Transformation

External Supplier Control Obligations. Cyber Security

Designing and Building a Cybersecurity Program

Cybersecurity Roadmap: Global Healthcare Security Architecture

An Aflac Case Study: Moving a Security Program from Defense to Offense

Behavioral Analytics A Closer Look

ARTIFICIAL INTELLIGENCE POWERED AUTOMATED THREAT HUNTING AND NETWORK SELF-DEFENSE

Are we breached? Deloitte's Cyber Threat Hunting

How can we gain the insights and control we need to optimize the performance of applications running on our network?

Take Risks in Life, Not with Your Security

SentinelOne Technical Brief

Chapter X Security Performance Metrics

SentinelOne Technical Brief

Technical Brief: Domain Risk Score Proactively uncover threats using DNS and data science

K12 Cybersecurity Roadmap

Reserve Bank of India Cyber Security Framework

WHY SIEMS WITH ADVANCED NETWORK- TRAFFIC ANALYTICS IS A POWERFUL COMBINATION. A Novetta Cyber Analytics Brief

CYBERSECURITY RISK LOWERING CHECKLIST

Agenda. Why we need a new approach to endpoint security. Introducing Sophos Intercept X. Demonstration / Feature Walk Through. Deployment Options

Vectra Cognito. Brochure HIGHLIGHTS. Security analyst in software

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

CYBER ANALYTICS. Architecture Overview. Technical Brief. May 2016 novetta.com 2016, Novetta

Intelligent Cybersecurity for the Real World Scott Lovett Vice President, Global Security Sales

Rethinking Security CLOUDSEC2016. Ian Farquhar Distinguished Sales Engineer Field Lead for the Gigamon Security Virtual Team

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

Rethinking Security: The Need For A Security Delivery Platform

Popular SIEM vs aisiem

BUILDING AND MAINTAINING SOC

PALANTIR CYBERMESH INTRODUCTION

CyberArk Privileged Threat Analytics

Cognito Detect is the most powerful way to find and stop cyberattackers in real time

Intrusion Detection by Combining and Clustering Diverse Monitor Data

Question No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output:

An Operational Cyber Security Perspective on Emerging Challenges. Michael Misumi CIO Johns Hopkins University Applied Physics Lab (JHU/APL)

RULES VERSUS MODELS IN YOUR SIEM

The GenCyber Program. By Chris Ralph

Detecting breach. There are only two types of organisations in the world... Terry Greer-King Director, Cyber security, UK & Africa May 2017

CA Host-Based Intrusion Prevention System r8

Doing Analysis Carnegie Mellon University

68 Insider Threat Red Flags

CYBERBIT P r o t e c t i n g a n e w D i m e n s i o n

Managed Endpoint Defense

The Cognito automated threat detection and response platform

Novetta Cyber Analytics

Detect Cyber Threats with Securonix Proxy Traffic Analyzer

align security instill confidence

SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)

Chapter X Security Performance Metrics

Security Aspects Control Rationale Best Practices Self-Assessment (Click all that applicable) 1. Security Policy and Security Management

White Paper. Why IDS Can t Adequately Protect Your IoT Devices

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

MITIGATE CYBER ATTACK RISK

DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com

HOLISTIC NETWORK PROTECTION: INNOVATIONS IN SOFTWARE DEFINED NETWORKS

RiskSense Attack Surface Validation for Web Applications

CYBER RISK MANAGEMENT: ADDRESSING THE CHALLENGE SIMON CRUMPLIN, FOUNDER & CEO

THREAT INTEL AND CONTENT CURATION: ORGANIZING THE PATH TO SUCCESSFUL DETECTION

Avoiding Information Overload: Automated Data Processing with n6

Threat Intel for All: There s More to Your Data than Meets the Eye

Speed Up Incident Response with Actionable Forensic Analytics

Transcription:

Data Sources for Cyber Security Research Melissa Turcotte mturcotte@lanl.gov Advanced Research in Cyber Systems, Los Alamos National Laboratory 14 June 2018

Background

Advanced Research in Cyber Systems, LANL Cyber research group at large DOE national research laboratory. Identify gaps, emerging threats Data collection and sensors Modelling and simulation Tool/product development Our perspective Assume the initial compromise will happen; consequently largely focused on inside-the-perimeter detection.

Cyber Security and Data Science

Attackers have a significant advantage Defenders aim to protect networks from both known and unknown threats Networks are becoming larger, more complex and permeable Contractor networks Wireless Mobiles and BYOD Attackers need only identify and exploit a single weakness FireEye M-Trends Report 2018

Applicability of Data Science Signatures are fragile and reactive Leverage anomaly detection and classification to proactively identify new threats Robust approaches must focus on fundamental behaviours rather than specific features that are easily modified

Data Sources

Sensors and Collection Perimeter network data Network flow events, proxy logs, firewall logs Full packet capture Internal network data Network flow events, full packet capture DNS data, DHCP logs, e-mail metadata, other central server logs Distributed, comprehensive computer data Event/system logs Processes, application, I/O, network, user authentication activity End Goal: Comprehensive modelling through data fusion.

Cyber Data Challenges High volume, can be difficult to collect and process Where collected, not necessarily for cybersecurity purposes Debugging Where collected, not intended for analytics Primary purpose is to support human operations Variety of formats, fields, etc.. Data consistency Not a priority for operational staff Sensors break Collection gets forgotten in configuration changes Collection dumps overflow Collection gets turned off stuff happens

Less (or not) useful in it s raw form and requires transformation or combination with other data sets prior to analysis IP vs hostname (or other) Inconsistent username identifiers Periodicity user driven actions vs background noise Important to be aware of when modelling Low signal to noise ratio Rarity of labelled data presents a challenge for supervised learning. No ground truth Collection, storage, and use has security, privacy, and human subject research implications Get involved with the operational staff collecting data and/or data engineers.

Research Opportunities

Public Data Sets To motivate a larger research effort focused on operational cyber data LANL have released three publicly available datasets: 9 month time-series user/computer bipartite, 2014 58 day comprehensive, 2015 90 day Netflow and Window Event Logs, 2017 Internally collected from the LANL corporate network: No outside (Internet) associations Parsed and normalised (to some extent) https://csr.lanl.gov/data/

Research Opportunities Per entity (computer, user, edges, etc..) models that enable anomaly detection Changepoint detection methods Streaming methods for online detection Extreme value theory for identifying surprising spikes in non-standard, heavy-tailed distributions Score new and rare activity Latent factor models Community detection approaches Unique edges New (%) 2e+05 1e+05 0e+00 0.06 0.04 0.02 0.00 0 5 10 15 20 25 30 35 40 45 50 55 Day User< >Process User< >Computer

12 11 eventid For a given entity, extrapolate to higher-level more interpretable actions. Remove or separate user-driven events and correlations Day 10 9 8 7 4624l2 4624l3 4624l7 4768 4769 4776 07:00 08:00 09:00 10:00 11:00 12:00 13:00 14:00 15:00 16:00 Time Event times for a user in the LANL network

Data fusion and meta analysis to increase signal to noise ratio Individual detectors can generate many false positives, combining multiple weak indicators will provide strength to detections. P-value combiners Characterise risk within the network Host-user risk analysis. Time-delay metrics on network penetration. Network segmentation. Command & Control Phishing Malicious Process Internal Recon Data Exfiltration Lateral Movement Data Staging Privilege Escalation

How do we make anomaly detection more practical? Data analytics and anomaly detection is very immature (and uncommon) in actual cybersecurity operations. Cyber defenders generally discount these approaches in favour of signature detection and intuition Anomaly detection approaches suffer from: High false positives Lack of interpretability Inability to triage Three common characteristics of good leads: relevant, detailed, and actionable. Incident Response & Computer Forensics, Luttgens et al.

Final Remarks Traditional, signature-based methods are insufficient Too much attention is given to perimeter prevention Internal data collection and analysis is critical Historically limited to governments Commercial product offerings are beginning to appear Increasing demand for data scientists Data is growing in volume and variety Demonstrated success using statistics

Questions? mturcotte@lanl.gov

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback