2 OCTOBER 2018
WELCOME
Audio is streamed over your computer. Dial-in numbers and codes are on the left.
Have a question for the speaker? Access the Q&A tab.
To receive your CPE credit:
1. Complete 3 attendance checkpoints, or
2. Watching the on-demand recording? Watch from the beginning to the very end.
3. Don't forget to take the survey!
Andrew Hollister
Technical Director EMEA
LogRhythm
Some Definitions
Data Science
Machine Learning (ML)
From HAL to Now
Dawn of AI
Early Innovation
AI Winter
Awesome AI/ML
Data Preparation
09 28 2016 03:19:33 172.16.0.21 <LOC4:DBUG> Sep 28 03:18:09 probe LogRhythmDpi: EVT:001 4b03743f-8d06-4bdb-a9fe-63b6bb833376:00 172.16.0.106,172.16.0.35,1205,25,00:50:56:a7:00:df,00:50:56:a7:35:ad,6,956,339816/339816,11920/11920,501/501,1475029082,1475029089,7/7,dname=lrxm.uk.emea.logrhythm.com,command=EHLO|MAIL|RCPT|DATA,sender=invoicetracking@acme.com,recipient=bsmith@uk.emea.logrhythm.com,subject=Status Update For Tracking#123412341234,object=250,objectname=Invoice.pdf
Data Preparation – Who, What, When?
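To make the "who, what, when" step concrete, here is an added Python example (not LogRhythm's own parser and not code from the webinar) that takes the slide's sample event and splits it into the syslog envelope, the positional columns and the key=value metadata, then reduces it to who sent what to whom, and when. The meaning of the first seven comma-separated columns is read off the sample itself (IPs, ports, MACs, IP protocol number); treating the two epoch-looking columns 1475029082/1475029089 as flow start and end is an assumption made here, not something the slide states.

```python
import re
from datetime import datetime, timezone

# The slide's own sample event, re-joined onto a single line (the PDF wrapped it).
SAMPLE = (
    "09 28 2016 03:19:33 172.16.0.21 <LOC4:DBUG> Sep 28 03:18:09 probe LogRhythmDpi: "
    "EVT:001 4b03743f-8d06-4bdb-a9fe-63b6bb833376:00 "
    "172.16.0.106,172.16.0.35,1205,25,00:50:56:a7:00:df,00:50:56:a7:35:ad,6,956,"
    "339816/339816,11920/11920,501/501,1475029082,1475029089,7/7,"
    "dname=lrxm.uk.emea.logrhythm.com,command=EHLO|MAIL|RCPT|DATA,"
    "sender=invoicetracking@acme.com,recipient=bsmith@uk.emea.logrhythm.com,"
    "subject=Status Update For Tracking#123412341234,object=250,objectname=Invoice.pdf"
)

# Syslog-style envelope that precedes the comma-separated DPI body.
HEADER_RE = re.compile(
    r"^(?P<received>\d\d \d\d \d{4} \d\d:\d\d:\d\d) (?P<collector>\S+) "
    r"<(?P<facility>[^>]+)> (?P<syslog_ts>\w{3} +\d+ \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<app>[^:]+): EVT:(?P<evt>\d+) (?P<session>[0-9a-f-]+:\d+) "
    r"(?P<body>.*)$"
)

# First seven positional columns, as read off the sample. The later columns are
# kept raw; columns 11 and 12 are ASSUMED to be flow start/end in epoch seconds
# (they line up with the syslog timestamp when that is read as UTC+1).
POSITIONAL = ("src_ip", "dst_ip", "src_port", "dst_port", "src_mac", "dst_mac", "ip_proto")
ASSUMED_START_IDX, ASSUMED_END_IDX = 11, 12


def parse_dpi_line(line):
    """Split one LogRhythmDpi event into envelope, positional and key=value fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("line does not look like a LogRhythmDpi event")
    rec = m.groupdict()
    tokens = rec.pop("body").split(",")
    columns, kv, last_key = [], {}, None
    for tok in tokens:
        if "=" in tok:
            last_key, val = tok.split("=", 1)
            kv[last_key] = val
        elif last_key is None:
            columns.append(tok)
        else:
            # A comma inside a free-text value (e.g. a subject line) gets split
            # by the CSV layout; glue it back onto the previous value.
            kv[last_key] += "," + tok
    if len(columns) <= ASSUMED_END_IDX:
        raise ValueError("too few positional columns")
    rec.update(zip(POSITIONAL, columns))
    for name in ("src_port", "dst_port", "ip_proto"):
        rec[name] = int(rec[name])
    rec["columns"] = columns
    if "command" in kv:
        kv["command"] = kv["command"].split("|")   # pipe-separated SMTP verbs
    rec["kv"] = kv
    return rec


def _epoch_iso(value):
    return datetime.fromtimestamp(int(value), tz=timezone.utc).isoformat()


def who_what_when(rec):
    """Reduce a parsed event to the who / what / when the slide asks for."""
    kv, cols = rec["kv"], rec["columns"]
    return {
        "who": {"sender": kv.get("sender"), "recipient": kv.get("recipient"),
                "src_ip": rec["src_ip"], "dst_ip": rec["dst_ip"]},
        "what": {"dst_port": rec["dst_port"], "commands": kv.get("command"),
                 "subject": kv.get("subject"), "attachment": kv.get("objectname")},
        "when": {"start": _epoch_iso(cols[ASSUMED_START_IDX]),
                 "end": _epoch_iso(cols[ASSUMED_END_IDX])},
    }


if __name__ == "__main__":
    print(who_what_when(parse_dpi_line(SAMPLE)))
```

The parser keeps positional and key=value fields apart because only the latter carry their own names; everything the analytics layer later reasons about (sender, recipient, attachment name, port 25) comes from those named fields plus a handful of columns whose meaning has to be established once per log source.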
LogRhythm Machine Data Intelligence: An Example
100+ Metadata Fields
Data, Domain, Data Science
Why AI/ML for Security?
Poll #1
a) Account compromise
b) Insider threats
c) Privilege account abuse
d) Data exfiltration
e) Other – none of the above
The Evolving Need
• Exponentially increasing threat surface
• Spectrum of attacks – "unknown unknowns"
• Improving detection requires improving accuracy and efficiency
• Moving beyond rules-based approaches
"Unfortunately, more security doesn't necessarily mean better security….The status quo is not sustainable…Even as companies spend more on security, losses related to cybercrime have nearly doubled in the last five years."
69% of orgs report a recent insider data exfil attempt1
https://www.verizonenterprise.com/verizon-insights-lab/dbir/
Why AI/ML for Security?
81% of breaches involved stolen or weak credentials2
https://www.verizonenterprise.com/verizon-insights-lab/dbir/
Skills shortage: 80% of organisations affected by the cyber security skills gap
Security Analytics Machine Learning Landscape
Threat Classification
Temporal Modeling
Network Analytics
One-Class SVMs
Nearest Neighbor Search
Density Outlier Methods
Bayesian Inference
Subspace Clustering Models
Spectral Graph Theory
Markov Random Processes
Time Series Analysis
Adversarial Learning
Indications or Conclusions?
CERTAINTY
INSIGHT
https://blogs.gartner.com/anton-chuvakin/2016/12/08/what-should-your-ueba-show-indications-or-conclusions/
Machine Learning: Non-Deterministic Security
FAST EXPLAINABLE
https://blogs.gartner.com/anton-chuvakin/2015/03/03/killed-by-ai-much-a-rise-of-non-deterministic-security/
Analytics in Depth is Required
Spectrum of Attacks
Vulns: Known, Methods: Known – real-time threat detection via scenario analytics
Vulns: Known, Methods: Unknown
Vulns: Unknown, Methods: Unknown – anomaly detection via deep behavioural profiling
Attack Coverage with Analytics In Depth
(Chart: percentage of attacks and attack impact, known vs. unknown)
Measuring Results
Poll #2
a) # alerts
b) # cases closed
c) Wider SLAs that are met
d) Time to triage
e) No effective way to measure
f) I don't know
How Do You Measure SOC Effectiveness?
# of Alerts
Open/Close Rates
% Met SLAs
Time to Triage
Measuring the Security Operation Process
Timeline: Earliest evidence → Alarm creation → First touch → Qualified (threat or not) → Mitigated → Resolved
Time to Detect
Time to Triage
Time to Qualify
Time to Investigate
Time to Respond
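Here is an added Python example (not LogRhythm's code and not from the webinar) that turns the timeline above into the five durations and aggregates them across cases to find the slowest stage, which is the "where is the bottleneck?" question the deck asks next. The slide names the five metrics but does not define their endpoints, so the example assumes each one is the interval between two adjacent stages; the case data is constructed. A case qualified as "not a threat" never reaches mitigated/resolved, so those durations are reported as absent rather than zero, which otherwise would drag the averages down.

```python
from datetime import datetime
from statistics import mean

# Stages of the slide's timeline, in order.
STAGES = ("earliest_evidence", "alarm_creation", "first_touch",
          "qualified", "mitigated", "resolved")

# ASSUMPTION: each named duration is the interval between two adjacent stages.
METRICS = {
    "time_to_detect":      ("earliest_evidence", "alarm_creation"),
    "time_to_triage":      ("alarm_creation", "first_touch"),
    "time_to_qualify":     ("first_touch", "qualified"),
    "time_to_investigate": ("qualified", "mitigated"),
    "time_to_respond":     ("mitigated", "resolved"),
}


def case_metrics(case):
    """Durations in seconds for one case; None where a stage never happened
    (a case qualified as 'not a threat' has no mitigated/resolved stamps)."""
    times = {s: datetime.fromisoformat(case[s]) for s in STAGES if case.get(s)}
    # Timestamps must not run backwards along the timeline.
    ordered = [times[s] for s in STAGES if s in times]
    for earlier, later in zip(ordered, ordered[1:]):
        if later < earlier:
            raise ValueError(f"case {case['id']}: stages out of order")
    out = {}
    for name, (start, end) in METRICS.items():
        if start in times and end in times:
            out[name] = (times[end] - times[start]).total_seconds()
        else:
            out[name] = None
    return out


def aggregate(cases):
    """Mean seconds per metric over the cases that reached both endpoints,
    plus the metric with the largest mean (the bottleneck)."""
    per_case = [case_metrics(c) for c in cases]
    summary = {}
    for name in METRICS:
        vals = [m[name] for m in per_case if m[name] is not None]
        summary[name] = {"mean_s": mean(vals) if vals else None, "n": len(vals)}
    bottleneck = max((n for n in METRICS if summary[n]["mean_s"] is not None),
                     key=lambda n: summary[n]["mean_s"])
    return summary, bottleneck


# Constructed sample cases (not real data). Case B was qualified as not a threat.
CASES = [
    {"id": "A", "earliest_evidence": "2018-10-02T00:00:00", "alarm_creation": "2018-10-02T00:30:00",
     "first_touch": "2018-10-02T02:30:00", "qualified": "2018-10-02T03:00:00",
     "mitigated": "2018-10-02T07:00:00", "resolved": "2018-10-02T08:00:00"},
    {"id": "B", "earliest_evidence": "2018-10-02T00:00:00", "alarm_creation": "2018-10-02T00:10:00",
     "first_touch": "2018-10-02T06:10:00", "qualified": "2018-10-02T06:20:00"},
    {"id": "C", "earliest_evidence": "2018-10-02T00:00:00", "alarm_creation": "2018-10-02T00:20:00",
     "first_touch": "2018-10-02T01:20:00", "qualified": "2018-10-02T01:50:00",
     "mitigated": "2018-10-02T03:20:00", "resolved": "2018-10-02T04:20:00"},
]

if __name__ == "__main__":
    summary, bottleneck = aggregate(CASES)
    for name, s in summary.items():
        print(f"{name:20s} n={s['n']} mean_s={s['mean_s']}")
    print("bottleneck:", bottleneck)
```

With the constructed cases the bottleneck lands on time to triage: alarms sit for hours before anyone touches them, which matches the deck's first diagnosis (a high number of alarms, many of them unqualified) rather than a slow investigation.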
Poll Results
Technology? Process? People? Where/what is the bottleneck?
High # of Alarms
• Technology issue: How many are qualified? Tune analytics to draw down false positives
Slow rate of Qualification
• Process issue: Can external/internal contextual data be automatically collected?
• Technology issue: Do you have access to contextual data? (e.g. vulnerability state, threat intel, CMDB, etc.)
You assume the entire risk for the use of the content and acknowledge that: ISACA has
designed the content primarily as an educational resource for IT professionals and
therefore the content should not be deemed either to set forth all appropriate
procedures, tests, or controls or to suggest that other procedures, tests, or controls that
are not included may not be appropriate; ISACA does not claim that use of the content
will assure a successful outcome and you are responsible for applying professional
judgement to the specific circumstances presented in determining the appropriate
procedures, tests, or controls.
Copyright © 2018 by the Information Systems Audit and Control Association, Inc. (ISACA). All rights reserved. This webinar may not be used, copied, reproduced,
modified, distributed, displayed, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise).
THANK YOU FOR ATTENDING THIS WEBINAR