F.I.D.O. - Fully Integrated Defense Operation
Transcript
Rob Fry - Sr Security Architect
Agenda
• The Human Problem
• The Technical Problem
• F.I.D.O. High Level
• What's Next?
• Q & A
The Human Problem
• Vendors and organizations are not doing enough to lower the bar
• 62% of organizations have not increased security training
• 83% of enterprises lack the resources or skills to protect assets
• The majority of the work is done manually... self-defeating
• Response time windows are too long
• Enforcement and mitigation are largely manual
Source: Cisco 2014 ASR, Network World, ISAC, swimlane.com, Security Week
Too Many Alerts, Too Little Time/Resources
Network defenders are overwhelmed by the volume of alerts
• A typical Fortune 1000 organization experiences thousands of new security events every day (1)
• Data review is time consuming
Current industry best practice relies on analysts using SIEM technologies plus manual use of threat intel feeds
• Too many false positives
• Very little guidance on how to filter the signal from the noise
Source: (1) IBM 2014 Cyber Security Intelligence Index

The Technical Problem
"There are 400 alerts in my SIEM, and I have time/resources to investigate 10. Which 10 do I choose?" (1)
Source: (1) CISO from Fortune 200 Company
The Technical Problem
But... it WORKS in the MOVIES

The Technical Problem
F.I.D.O. = Orchestration
• The work of a human, but at machine speed
• Data enrichment
• Get more out of security investment
• Adds consistency
• Filter out false positives
• Threat, user, machine and asset scoring
Known -versus- Unknown

F.I.D.O. = Orchestration
Reduce Response Time
[Chart: attackers' ability versus defenders' ability over time. Source: Verizon Data Breach Report]
F.I.D.O. = Orchestration
At First, Simplicity: Disjointed Security
[Diagram: malware triggers a network alert (firewall/IPS/IDS) and an endpoint defense alert; each goes to its own support person. Network side: "Bad!"; endpoint side: "Blocked!"]
At First, Simplicity: Joining the disjointed
[Diagram: the network alert (firewall/IPS/IDS) and endpoint defense for the same malware are joined and routed to one support person, with the endpoint outcome marked Blocked or Not Blocked]
At First, Simplicity: Joining the disjointed
• Aggregate data from multiple human jobs at once
• Look for corresponding events
• Reduce severity where one detector blocks
• Reduce response time
• Opened the door to other ideas
Look Outside the Security Sphere
Expanding data sources
[Diagram: the network alert (firewall/IPS/IDS), endpoint defense (Blocked / Not Blocked) and the malware event feed the support person alongside new data sources for user, asset and machine]
Look Outside the Security Sphere
Expanding data sources
• Systems management, inventory, HR, AD, etc.
• Added machine, user and asset posture
• Not just about the threat: context is still king
• Example: any alert against PCI, PII, Domain Admin, CEO, etc. would be more critical
Threat Feeds
Value in Crowdsourcing
[Diagram: alert, support person, data sources (user, asset, machine) and threat feeds flow into correlation; the threat feeds contribute crowdsourcing, context validation and false-positive filtering]
Threat Feeds
Value in Crowdsourcing
• Too much data to do manually; more effective when automated
• Can provide rich, detailed layers of context
• As a stack, can cover the multiple layers
• Cross-correlation between feeds
• Scheduled artifact checking
• Prelude to detection
Historical Data
Looking back is important
[Diagram: alert, support person, data sources (user, asset, machine), threat feeds and historical data flow into correlation]
Historical Data
Looking back is important
• Security alerts
• User, machine
• Artifacts (IP, hash, URL)
• Introduces thresholds
• Retrospection
Scoring Engine
Assessing the Data
[Diagram: alert, data sources (user, asset, machine), threat feeds and historical data feed correlation, then scoring; user, asset, machine and threat each receive a 0%-100% score, combined into a total that goes to the support person]
F.I.D.O. High Level
1. Detectors: Carbon Black, ProtectWise, Cyphort, SentinelOne, Niddel, Palo Alto Network
2. Host Detection: DHCP, RPC, SSH, DNS, ARP
3. Threat Stack: VirusTotal, ThreatGRID, OpenDNS, ThreatExchange, AlienVault
4. Data Sources: LDAP, Jamf, Landesk, SCCM, Endpoint, HR
5. Correlation: Detectors, Previous Threats, Historical User/Machine, OS, Threat Feeds, Thresholds
6. Scoring
7. Enforcement
8. Notification
Evolution of Correlation
[Chart: a spectrum of correlation maturity. "F.I.D.O. is probably here." "Although some days I feel like it's here."]
Correlation: Simple Example
Patterns in the data
[Diagram: events classified as Normal, Suspicious or Malicious]

Correlation: Real World Example
Patterns in the data

Correlation: Cross Sections
Patterns in the data
IP/Hash/URL/Domain artifacts linked across alerts:
66.102.255.50  eda661bf08ca0129d78f901dc561afe6549e383d
167.89.125.30  76adfe71d590173b7b6a8db01133d3eb7132bfc6
54.71.32.218  www.downloadcrest.com
463065c87d58befbfde6d150fe1d1338fa752bd6  appsom1.com
d1ut7rcibkldo.cloudfront.net/b_zq_ym_hotvideo002/hotvideo_0910_3.apk  205.210.187.209
67.207.158.254  miserupdate.aliyun.com/data/2.4.1.6/TBSecSvc.exe
wilsart.nl/images/banners/eok.swf?myid=2ac20f898f1e6a17f04952452c4d20d4  209.222.15.232
d1qd2jv3uw36vk.cloudfront.net/PlusHDrow_14_01-a1a8f801.exe  179.43.156.66  172.98.67.53
108.61.226.13  6de64d26a49b05b0e70ad50b8ed3b99a0200240c
Occurrence counts shown on the slide: 5x, 2x, 2x, 4x, 2x, 2x, 3x, 2x, 2x
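The cross-section idea above (count how often an IP, hash, URL or domain recurs across alerts, and which alerts share an artifact), as an added Python example that is not F.I.D.O.'s own code. The alert ids, the RFC 5737 addresses, the example.net host and the SHA-1 are all constructed sample data; the lateral pivot from a URL to its host is the part the slide does not spell out.

```python
"""Cross-section correlation over alert artifacts (IP, hash, URL, domain).

Added example, not F.I.D.O.'s own code. Counts how many alerts each artifact
recurs in and which alerts share artifacts, pivoting URLs laterally to their
host so a URL seen by one detector matches a domain seen by a feed.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from typing import Tuple
from urllib.parse import urlsplit

SHA1_HEX = re.compile(r"^[0-9a-f]{40}$")

Artifact = Tuple[str, str]   # (kind, value), kind in {"ip", "hash", "url", "domain"}


def classify(raw: str) -> str:
    """Label a raw artifact string as ip, hash, url or domain."""
    value = raw.strip().lower()
    if SHA1_HEX.match(value):
        return "hash"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if "://" in value or "/" in value:
        return "url"
    return "domain"


def expand(raw: str) -> set[Artifact]:
    """The artifact itself plus whatever is derivable from it: a URL also
    yields its host (an ip or domain), which is the lateral move between
    detector data and feed data."""
    value = raw.strip().lower()
    kind = classify(value)
    out = {(kind, value)}
    if kind == "url":
        host = urlsplit(value if "://" in value else "http://" + value).hostname
        if host:
            out.add((classify(host), host))
    return out


def cross_sections(alerts: dict[str, list[str]]):
    """Index artifacts across alerts.

    Returns (occurrences, shared):
      occurrences: artifact -> number of distinct alerts it appears in
      shared: frozenset of two alert ids -> artifacts they have in common
    """
    index: dict[Artifact, set[str]] = defaultdict(set)
    for alert_id, raws in alerts.items():
        for raw in raws:
            for artifact in expand(raw):
                index[artifact].add(alert_id)
    occurrences = {artifact: len(ids) for artifact, ids in index.items()}
    shared: dict[frozenset, set] = defaultdict(set)
    for artifact, ids in index.items():
        ordered = sorted(ids)
        for i, a in enumerate(ordered):
            for b in ordered[i + 1:]:
                shared[frozenset((a, b))].add(artifact)
    return occurrences, dict(shared)


def recurring(occurrences: dict, min_count: int = 2) -> list:
    """Artifacts seen in at least min_count alerts, most frequent first:
    the "5x / 2x" annotations, computed rather than eyeballed."""
    hits = [(a, n) for a, n in occurrences.items() if n >= min_count]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


# Constructed sample alerts (RFC 5737 addresses, example.net host, made-up SHA-1).
SAMPLE_HASH = "0123456789abcdef0123456789abcdef01234567"
SAMPLE_ALERTS = {
    "ids-001":   ["192.0.2.10", "cdn.example.net/pkg/update.exe"],
    "edr-002":   ["cdn.example.net", SAMPLE_HASH],
    "proxy-003": ["192.0.2.10", "198.51.100.7"],
    "feed-004":  [SAMPLE_HASH, "198.51.100.7"],
}

if __name__ == "__main__":
    occurrences, shared = cross_sections(SAMPLE_ALERTS)
    for artifact, count in recurring(occurrences):
        print(f"{count}x  {artifact[0]:<6} {artifact[1]}")
    for pair, common in shared.items():
        print(sorted(pair), "share", sorted(common))
```

Note that the URL itself is seen once, but its host links the IDS alert to the EDR alert; without the pivot the two would never cross-section.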
Correlation Initiatives
• More data, different data, more data points
• Move past 1000 vectors
• More indicators
• Move laterally across data (detector, threat feed, whatever)
• Drill in multiple layers deep
• Better data enrichment algorithms for higher quality associations, thresholds, increments
• Independent processes for correlation (microservices)
• Continue to evaluate ML for correlation
• F.I.D.O. is not ML, but we are working on it
• ML for scoring first (thank you Mines.IO team)
• ML for security is hard; efficacy can be challenging
• Correlation can be repeatable
• Correlation is what security people do... codify it
F.I.D.O. High Level
6. Scoring: Threat, User, Machine, Asset, Total Score
7. Enforcement: Kill NIC, Client Sandboxing, Network Sandboxing, Automated Re-image, Kill VPN, DHCP Blacklist, Disable Account, Reset Password
8. Notification: Recommendation, Link to Docs, Actions Performed, Create Ticket, Updates DB
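The scoring and enforcement stages above, together with the earlier rules (reduce severity where one detector blocks; any alert against PCI, PII, Domain Admin or CEO is more critical; feed cross-correlation and historical thresholds), as an added Python example that is not F.I.D.O.'s own code. The per-dimension scoring formulas, weights, the context bump, the action tiers, the field names and the two constructed alerts are all assumptions chosen to illustrate the pipeline, not values from the talk.

```python
"""Scoring engine plus enforcement selection for a single alert.

Added example, not F.I.D.O.'s own code: weights, thresholds and action tiers
are assumptions. Each of threat, user, machine and asset gets a 0-100 score,
a weighted total is formed, and the total selects an enforcement tier.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Alert:
    """What a detector (network IDS, endpoint agent, ...) reported."""
    detector: str
    blocked: bool            # did the detector itself already stop the activity?
    artifacts: list[str]     # IPs, hashes, URLs, domains seen in the event
    user: str
    host: str


@dataclass
class Context:
    """Enrichment from outside the security sphere (AD/LDAP, HR, inventory,
    EDR) plus threat feeds and history. Field names are assumptions."""
    user_groups: set[str] = field(default_factory=set)
    user_is_executive: bool = False
    asset_tags: set[str] = field(default_factory=set)        # e.g. {"PCI", "PII"}
    os_patch_current: bool = True
    edr_installed: bool = True
    feed_hits: dict[str, int] = field(default_factory=dict)  # artifact -> feeds flagging it
    prior_alerts_host_30d: int = 0
    prior_alerts_user_30d: int = 0


def clamp(value: float) -> int:
    return int(max(0, min(100, value)))


def threat_score(alert: Alert, ctx: Context) -> int:
    # Cross-correlation between feeds: each independent feed hit adds confidence.
    hits = max((ctx.feed_hits.get(a, 0) for a in alert.artifacts), default=0)
    score = 20 + 25 * min(hits, 3)
    # "Reduce severity where one detector blocks": the payload never ran.
    if alert.blocked:
        score -= 40
    return clamp(score)


def user_score(ctx: Context) -> int:
    score = 10
    if "Domain Admins" in ctx.user_groups:
        score += 50
    if ctx.user_is_executive:
        score += 40
    score += 10 * min(ctx.prior_alerts_user_30d, 4)   # historical threshold
    return clamp(score)


def machine_score(ctx: Context) -> int:
    score = 10
    if not ctx.os_patch_current:
        score += 30
    if not ctx.edr_installed:
        score += 30
    score += 10 * min(ctx.prior_alerts_host_30d, 4)
    return clamp(score)


def asset_score(ctx: Context) -> int:
    score = 10
    for tag, weight in (("PCI", 45), ("PII", 45)):
        if tag in ctx.asset_tags:
            score += weight
    return clamp(score)


WEIGHTS = {"threat": 0.4, "user": 0.2, "machine": 0.2, "asset": 0.2}   # assumed


def score(alert: Alert, ctx: Context) -> dict[str, int]:
    parts = {
        "threat": threat_score(alert, ctx),
        "user": user_score(ctx),
        "machine": machine_score(ctx),
        "asset": asset_score(ctx),
    }
    total = sum(parts[k] * w for k, w in WEIGHTS.items())
    # "Context is still king": a confirmed threat against a sensitive user or
    # asset is bumped regardless of the remaining dimensions.
    if parts["threat"] >= 70 and max(parts["user"], parts["asset"]) >= 50:
        total += 15
    parts["total"] = clamp(round(total))
    return parts


# Enforcement tiers (assumed thresholds): total score -> actions from the slide.
ENFORCEMENT = [
    (80, ["Kill NIC", "Disable Account", "Create Ticket"]),
    (60, ["Network Sandboxing", "Reset Password", "Create Ticket"]),
    (40, ["Client Sandboxing", "Create Ticket"]),
]


def enforce(scores: dict[str, int]) -> list[str]:
    for threshold, actions in ENFORCEMENT:
        if scores["total"] >= threshold:
            return actions
    return ["Recommendation"]   # notification only, nothing automated


# Constructed alerts: the same hash, blocked on one host and live on another.
HASH = "0123456789abcdef0123456789abcdef01234567"
BLOCKED = Alert("endpoint", True, [HASH], "jdoe", "laptop-17")
BLOCKED_CTX = Context(feed_hits={HASH: 1})
LIVE = Alert("network-ids", False, [HASH, "192.0.2.44"], "admin1", "pos-db-02")
LIVE_CTX = Context(user_groups={"Domain Admins"}, asset_tags={"PCI"},
                   feed_hits={HASH: 3}, prior_alerts_host_30d=2)

if __name__ == "__main__":
    for name, alert, ctx in (("blocked", BLOCKED, BLOCKED_CTX), ("live", LIVE, LIVE_CTX)):
        s = score(alert, ctx)
        print(name, s, "->", enforce(s))
```

The blocked alert on an ordinary laptop scores in the single digits and only produces a recommendation; the unblocked alert on a PCI host used by a Domain Admin crosses the top tier even though its machine score is modest, which is the "context is king" behaviour the talk describes.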
F.I.D.O. High Level
Success?
Pre-F.I.D.O.
1. Response measured in days to a week
2. Aggregation of data took hours
3. 80% of alerts not processed
4. Minimal endpoint/user information
5. Little or no scoring information
Post-F.I.D.O.
1. Response measured in less than an hour
2. Aggregation of data takes minutes
3. All alerts processed
4. Detailed endpoint/user information
5. Detailed scoring information
F.I.D.O. High Level
Success?
[Chart: Response Time, measured in days (scale: 7 days, 1 day, under 1 hr), Pre-F.I.D.O. versus Post-F.I.D.O.: +23hrs improvement. Data Aggregation, measured in hours (scale: 4 hours, 30 mins, under 10 mins), Pre-F.I.D.O. versus Post-F.I.D.O.: +20mins improvement]
F.I.D.O. High Level
Success?
Alerts Processed
[Chart: before F.I.D.O., 80% of alerts not processed; after F.I.D.O., 100% of alerts processed]
What's Next?
Opportunity
• ML for scoring (thanks Mines.IO guys)
• More and tighter integrations
• Full stack: Ubuntu, Python, Node, nginx, CouchDB and more
• Web UI: both configuration and admin
• API for data ingestion or export