infosecurity europe 2016: detect insider and advanced threats by leveraging machine learning
TRANSCRIPT
Copyright © 2016 Splunk Inc.
Detect Insider and Advanced Threats by Leveraging Machine Learning
Fill out the Postcard and win a SONOS Play:1 today
"currentTrack":{ "artist":"College", "title":"Teenage Color - Anoraak Remix", "album":"Nightdrive With You", "albumArtURI":"/getaa?s=1&u=x-sonos-spotify%3aspotify%253atrack%253a3DjBDQs8ebkxMBo2V8V3SH%3fsid%3d9%26flags%3d32", "duration":347, "uri":"x-sonos-spotify:spotify%3atrack%3a3DjBDQs8ebkxMBo2V8V3SH?sid=9&flags=32" },
Are you using Splunk already?
IN 2014, INDUSTRY SPENT
$1.7 Billion - SECURE EMAIL GATEWAY
$1.3 Billion - SECURE WEB GATEWAY
$2.8 Billion - ENDPOINT PROTECTION
$1.2 Billion - INTRUSION PREVENTION
$9.4 Billion - FIREWALL
$16+ Billion
So why do we need even more tools?
FAMILIAR WITH THESE THREATS?
January 2015 - Morgan Stanley - 730K PII Records
February 2015 - Anthem Insurance - 80M Patient Records
February 2015 - Office of Personnel Management - 22M PII Records
July 2015 - Ashley Madison - 37M PII Records
SO, WHAT IS THE PROBLEM?
COMPROMISED / MISUSED CREDENTIALS OR DEVICES
LACK OF RESOURCES (SECURITY EXPERTISE)
LACK OF ALERT PRIORITIZATION & EXCESSIVE FALSE POSITIVES
EXTERNAL ATTACK - USER ACTIVITY (Day 1 ... Day 2 ... Day N)
Peter and Sam access a compromised website - backdoor gets installed
The attacker uses Peter’s stolen credential and VPNs into Domain Controller
The attacker uses the backdoors to download and execute WCE – password cracker
Peter’s and Sam’s devices begin communicating with CnC
The attacker logs in as Sam and accesses sensitive documents from a file share
The attacker steals the admin Kerberos ticket and escalates the privileges for Sam
The attacker uses Peter’s VPN credential to connect, copies the docs to an external staging server, and logs out after three hours
INSIDER THREAT - USER ACTIVITY (Day 1 ... Day 2 ... Day N)
John connects via VPN
Administrator performs ssh (root) to a file share - finance department
John executes remote desktop to a system (administrator) - PCI zone
John elevates his privileges
root copies the document to another file share - Corporate zone
root accesses a sensitive document from the file share
root uses a set of Twitter handles to chop and copy the data outside the enterprise
WHAT IS SPLUNK UBA?
DETECT MALICIOUS INSIDER THREATS
DETECT ADVANCED CYBERATTACKS
THE FOUNDATION
ANOMALY DETECTION / THREAT DETECTION
UNSUPERVISED MACHINE LEARNING
BEHAVIOR BASELINING & MODELING
REAL-TIME & BIG DATA ARCHITECTURE
SCALABLE ARCHITECTURE
0.5 Billion EVENTS
MULTI-ENTITY BEHAVIORAL MODEL
APPLICATION
USER
HOST
NETWORK
DATA
DESIGNED FOR A HUNTER: ANOMALY DETECTION - APPLYING ML AGAINST BEHAVIOR BASELINES
DESIGNED FOR A SOC ANALYST: THREAT DETECTION - ML DRIVEN AUTOMATED ANOMALY CORRELATION
INSIDER THREAT - USER ACTIVITY (Day 1 ... Day 2 ... Day N)
John connects via VPN
Administrator performs ssh (root) to a file share - finance department
John executes remote desktop to a system (administrator) - PCI zone
John elevates his privileges
root copies the document to another file share - Corporate zone
root accesses a sensitive document from the file share
root uses a set of Twitter handles to chop and copy the data outside the enterprise
DETECTED ANOMALIES
Unusual Machine Access (Lateral Movement; Individual & Peer Group)
Unusual Zone (Corp→PCI) traversal (Lateral Movement)
Unusual Activity Sequence
Unusual Zone Combination (PCI→Corp)
Unusual File Access (Individual & Peer Group)
Multiple Outgoing Connections & Unusual SSL session duration
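The first two anomaly types on this slide (unusual machine access judged against the individual and the peer group, and unusual zone traversal) can be reproduced at toy scale by baselining each user's hosts and zone transitions from a learning period and scoring a later day's events against that baseline. This is an added, hypothetical example written for this page, not Splunk UBA code; the users, hosts, zones, peer groups and both event lists are constructed.

```python
from collections import defaultdict

# Constructed learning-period events (user, host, zone); hypothetical, not real telemetry.
BASELINE = [
    ("john", "vpn-gw", "Corp"), ("john", "wiki01", "Corp"), ("john", "mail01", "Corp"),
    ("alice", "vpn-gw", "Corp"), ("alice", "wiki01", "Corp"),
    ("admin", "fs-finance", "Finance"), ("admin", "pci-app01", "PCI"),
]
PEER_GROUP = {"john": "engineering", "alice": "engineering", "admin": "it-ops"}

# Constructed "Day N" events mirroring the insider scenario on this slide.
DAY_N = [
    ("john", "vpn-gw", "Corp"),          # VPN login: seen before, no alert
    ("alice", "mail01", "Corp"),         # new host for alice, but her peers use it
    ("john", "pci-app01", "PCI"),        # remote desktop into PCI zone: new host, Corp->PCI never seen
    ("admin", "fs-finance", "Finance"),  # normal admin access
    ("admin", "fs-corp", "Corp"),        # copy to a Corporate-zone share: new host, Finance->Corp
]

def build_baseline(events):
    """Learn per-user hosts, per-peer-group hosts and per-user zone transitions."""
    user_hosts, group_hosts = defaultdict(set), defaultdict(set)
    zone_pairs, last_zone = defaultdict(set), {}
    for user, host, zone in events:
        user_hosts[user].add(host)
        group_hosts[PEER_GROUP.get(user, "unknown")].add(host)
        if user in last_zone:
            zone_pairs[user].add((last_zone[user], zone))
        last_zone[user] = zone
    return user_hosts, group_hosts, zone_pairs

def score_day(events, baseline):
    """Return anomaly labels for one day's events, checked against the baseline."""
    user_hosts, group_hosts, zone_pairs = baseline
    anomalies, last_zone = [], {}
    for user, host, zone in events:
        if host not in user_hosts[user]:
            # Peer-group check: a host the user's peers already use is a weaker signal
            peers_use_it = host in group_hosts[PEER_GROUP.get(user, "unknown")]
            scope = "Individual" if peers_use_it else "Individual & Peer Group"
            anomalies.append(f"Unusual Machine Access ({scope}): {user} -> {host}")
        prev = last_zone.get(user)
        if prev is not None and prev != zone and (prev, zone) not in zone_pairs[user]:
            anomalies.append(f"Unusual Zone traversal ({prev}->{zone}): {user}")
        last_zone[user] = zone
    return anomalies

def run_example():
    return score_day(DAY_N, build_baseline(BASELINE))
```

Alice's access to a host her peers already use is flagged at individual scope only, while John's jump into the PCI zone and the admin's copy to a Corporate-zone share are flagged at both scopes and as zone traversals, which is the ordering of severity the slide's labels suggest.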
WHAT DOES SPLUNK UBA NEED?
PROXY SERVER
FIREWALL
ACTIVE DIRECTORY / DOMAIN CONTROLLER
DNS, DHCP
SPLUNK ENTERPRISE / ANY SIEM - AT A MINIMUM
WHY SPLUNK UBA?
THE MOST ADVANCED UEBA TECHNOLOGY
THE LARGEST INVESTMENT IN MACHINE LEARNING
A COMPLETE SOLUTION FROM SPLUNK
DETECT THE UNKNOWNS
IMPROVE SOC & HUNTER EFFICIENCY
WHAT CUSTOMERS HAVE TO SAY ABOUT SPLUNK UBA
Splunk UBA is unique in its data-science driven approach to automatically finding hidden threats rather than the traditional rules-based approaches that don't scale. We are pleased with the efficacy and efficiency of this solution as it makes the lives of our SOC analysts way better.
- Mark Grimse, VP IT Security, Rambus
A layered defense architecture is necessary to combat modern-day threats such as cyberattacks and insider threats, and it’s crucial to use a data science driven approach in order to find unknown patterns. I found Splunk UBA to be one of the most advanced technologies within the behavioral analytics space.
- Randolph Barr, CSO, Saba
Thank you