TRANSCRIPT
Decision Automation: Teaching Machines to Hunt
Kumar Saurabh, 2019.05.02
Typical SOC (slide)
Volume funnel: Security Events (BILLIONS) → Alerts (THOUSANDS) → Incidents (HUNDREDS) → Ignored Notifications (TENS); goal: eliminate false positives.
Workflow stages: Detection Rules → Threat Hunting → Alert Triage → Incident Response
Decision Automation: Signal vs. noise
Factor Analysis
• A factor is a test that turns true for alerts and false for non-alerts.
• It is OK for every factor to have its own false positive rate.
• Reduce the overall false positive rate by applying multiple factors together.
Spot the red signal (slide): six factors, each with a false positive rate of 1 out of 100.
Factor 1: 1 out of 100
Factor 2: 1 out of 100
Factor 3: 1 out of 100
Factor 4: 1 out of 100
Factor 5: 1 out of 100
Factor 6: 1 out of 100
Applying the factors together: 1 out of 100 → 1 out of 10,000 → 1 out of 100,000,000
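To make the slide's arithmetic concrete, here is an added example (not from the talk or its author) in which six yes/no factors, each permitted a 1-in-100 false positive rate, are applied to constructed enriched events and the events are ranked by how many factors they trip. It assumes the factors are independent, so the false positive rate of an event that trips several of them is the product of their individual rates; the event field names and thresholds are made up for illustration.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Callable

@dataclass(frozen=True)
class Factor:
    """One yes/no test on an enriched event: true for alerts, false for non-alerts."""
    name: str
    test: Callable[[dict], bool]
    fp_rate: Fraction  # chance the test fires on a benign event anyway

# Six factors, each allowed a 1-in-100 false positive rate, as on the slide.
# Field names and thresholds are constructed for illustration.
FACTORS = [
    Factor("new_source_ip", lambda e: e["new_ip_for_user"], Fraction(1, 100)),
    Factor("off_hours", lambda e: e["hour"] < 6 or e["hour"] > 22, Fraction(1, 100)),
    Factor("rare_action", lambda e: e["action_rarity"] >= 0.99, Fraction(1, 100)),
    Factor("sensitive_repo", lambda e: e["repo_sensitive"], Fraction(1, 100)),
    Factor("recent_auth_failures", lambda e: e["failed_auth_24h"] >= 5, Fraction(1, 100)),
    Factor("fresh_token", lambda e: e["token_age_days"] < 1, Fraction(1, 100)),
]

def combined_false_positive_rate(rates):
    """FP rate of an event that trips every listed factor, assuming the factors are independent."""
    total = Fraction(1)
    for r in rates:
        total *= r
    return total

def score(event, factors=FACTORS):
    """Names of the factors this event trips, and the resulting estimated FP rate."""
    hits = [f for f in factors if f.test(event)]
    return [f.name for f in hits], combined_false_positive_rate(f.fp_rate for f in hits)

def rank(events, factors=FACTORS):
    """Threat ranking: lowest estimated FP rate (most factors tripped) first."""
    rows = [(eid, *score(e, factors)) for eid, e in events.items()]
    return sorted(rows, key=lambda row: (row[2], row[0]))

EVENTS = {  # constructed sample of enriched, GitHub-style audit events
    "ev-1": dict(new_ip_for_user=False, hour=14, action_rarity=0.10, repo_sensitive=False, failed_auth_24h=0, token_age_days=400),
    "ev-2": dict(new_ip_for_user=True, hour=15, action_rarity=0.50, repo_sensitive=True, failed_auth_24h=0, token_age_days=30),
    "ev-3": dict(new_ip_for_user=True, hour=3, action_rarity=0.995, repo_sensitive=True, failed_auth_24h=7, token_age_days=0),
}

if __name__ == "__main__":
    for eid, names, fp in rank(EVENTS):
        print(f"{eid}: {len(names)} factors, ~1 out of {fp.denominator} benign events  {names}")
```

Two factors take a benign event from 1 in 100 to 1 in 10,000, four factors to 1 in 100,000,000, which is the slide's progression; the ranking puts the event that trips all six first.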
Decision Automation pipeline (slide): Context & Event Types → Enriched Events → Multi-Dimensional Reductions → Scoring Rules → Threat Ranking → Decision Automation (Deep Logic Nets)
The same pipeline with Machine Learning and Human Feedback (slide): Context & Event Types → Enriched Events → Multi-Dimensional Reductions → Scoring Rules → Threat Ranking → Machine Learning, Human Feedback
Threat Hunting in GitHub Logs
Alert Triage
Phishing Triage
Thank you!