security analytics: what now? - cso50...
TRANSCRIPT
© 2015 Interset Software Inc. 1
SECURITY ANALYTICS: WHAT NOW? (or How To Cut Through The Noise)
Ross Sonnabend, VP Operations
Hi. I’m Ross.
• VP, Product & Operations, focused on customer success
• Previously: Accenture, Sony, Warner Bros., Disney, Fox, Paramount
• Experience:
  • Large System Deployment
  • Program Management
  • Project Management
  • Product Management
  • Sales Engineering
  • Business to Technology Translation
RSA 2016: Everyone’s SCREAMING the Same Thing
Security Analytics: What Is It?
Security Analytics: Connecting data sources, adding automation & intelligence
• Reduce white noise & false positives
• Find real threats with greater accuracy
• Overcomes incomplete datasets, disconnected technologies
“By 2016, 40% of enterprises will actively analyze at least 10 terabytes of data for information security intelligence, up from less than 3% in 2011”
Neil McDonald, Gartner
(Diagram: UEBA, Network, Security Analytics)
Do I Need Security Analytics?
Identify and mitigate threats and risk in a coordinated, timely and effective manner.
Data sources (diagram): Endpoints, SIEM, IP Repository Connectors, Structured Data, AD/LDAP Connectors
The Event Noise Barrier: Resource constraints, Control failures, Blind spots, Event overload, Missed clues, Weak policies, Security gaps, False positives, Unmanaged accounts, Complexity
Stakeholders on the other side of the barrier:
Security Operations
• Investigation
• Remediation
IT Operations
• System impact
• Operational risk
Investigators
• Data theft
• Root cause analysis
Human Resources
• Employee involved
• Leaver theft
• Watch list
Legal
• Corporate risk
• Legal actions
(Diagram: Incident/Threat Detection, Security Orchestration)
Before You Buy: Who Are We?
Customer Profile A
Very Large Enterprise, Well Resourced
• Large security organization
• Embrace security orchestration
• Cyber hunters
• Invested in big data
• Data Scientists
• Broad set of use cases
• Prefers custom/semi-custom solution
Customer Profile B
Large Enterprise, Fair Resources
• Typical security organization
• Some stovepipes remain in security
• Want to be cyber hunters, can’t
• Planning for big data in future
• MSSP embraced in some cases
• Broad set of use cases
• Prefer more off-the-shelf solution, some customization
Customer Profile C
Mid-Size Enterprise, Scarce Resources
• Small security organization
• Limited security investment
• Automation is key, not hunting
• Big data is not an option
• MSSP is reality
• Limited Use Cases
• Plug and Play is the only way
Before You Buy: What Path Is Right For You?
Option 1 – On Premise Data Lake / Option 3 – Cloud Data Lake
• Leverage off-the-shelf analytics
• Investigate threats, automate response
• Ability to process 1TB+ data per month

• Leverage off-the-shelf analytics
• Custom data sources and models
• Investigate threats, automate control response
• Write custom apps on top of data lake
• Broad partnership ecosystem
• Ability to process 1TB+ data per day
Customer Profile A, Customer Profile C, Customer Profile B
What Features Should I Be Looking For?
Proactively identify threats from both insiders and outsiders
Basic
• Support for multiple data sets: directories, repositories, security tools
• Prioritizes threats
• Integrates with your security environment
• Does not require some rules/thresholds
Advanced
• Multiple data set correlations, single threat views
• Hybrid batch and real-time processing
• Leverages unsupervised & semi-supervised machine learning
• Plain language UI & reporting
Cutting-edge
• Multi-dimensional entities
• Wizard-based cyber-hunting
• Automated workflow enablement
How Do I PoC/Pilot a Security Analytics Solution?
Pilot Deployment – POC Focus: Analytics Validation
• Identify Use Case
• Have Data Set Ready
• Measure Time To Value
• Validate Results
Operationalize
- Environment
- Process
Case Study: Successful POC/Pilot in Healthcare
(Same POC steps as the previous slide: Identify Use Case, Have Data Set Ready, Measure Time To Value, Validate Results; then Operationalize Environment and Process)
• Use Case: Insider Threat (Employee Data Theft)
• Data Set: Endpoint
- 6 hours to deploy
- 12 days to baseline normalcy
- Day 18 found first threat
- POC lasted 6 weeks
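The POC timeline above (a baseline period first, then the first detection on its own evidence) depends on per-entity baselining rather than one global rule. This added Python example, not Interset's code, builds a per-user baseline from constructed endpoint telemetry (MB written to removable media per day), scores the post-baseline days against each user's own norm, and contrasts the result with a single static volume cutoff; all users, volumes and the 300 MB rule are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

BASELINE_DAYS = 12  # case study: 12 days to baseline normalcy


def constructed_events():
    """Constructed endpoint telemetry: (user, day, MB written to removable media)."""
    events = []
    for day in range(1, 19):
        events.append(("alice", day, 20 + (day % 3) * 5))    # steady analyst
        events.append(("bob", day, 200 + (day % 5) * 40))    # high-volume role, normal for him
        mb = 900 if day == 18 else 10 + (day % 2) * 5        # carol: leaving, spikes on day 18
        events.append(("carol", day, mb))
    return events


def build_baselines(events, baseline_days=BASELINE_DAYS):
    """Per-user mean and stdev of daily volume, learned from the baseline window only."""
    per_user = defaultdict(list)
    for user, day, mb in events:
        if day <= baseline_days:
            per_user[user].append(mb)
    # Floor sigma at 1 MB so a perfectly flat baseline cannot divide by zero.
    return {u: (mean(v), max(pstdev(v), 1.0)) for u, v in per_user.items()}


def score_events(events, baselines, baseline_days=BASELINE_DAYS):
    """Z-score every post-baseline event against its own user's history."""
    scored = []
    for user, day, mb in events:
        if day > baseline_days and user in baselines:
            mu, sigma = baselines[user]
            scored.append((user, day, mb, (mb - mu) / sigma))
    return scored


def prioritized_alerts(scored, z_cutoff=3.0):
    """Alerts ranked by risk; the cutoff is relative to each user, not an absolute volume."""
    hits = [s for s in scored if s[3] >= z_cutoff]
    return sorted(hits, key=lambda s: s[3], reverse=True)


def static_threshold_alerts(events, limit_mb=300, baseline_days=BASELINE_DAYS):
    """Rule-based comparison: one global cutoff applied to everyone."""
    return [(u, d, mb) for u, d, mb in events if d > baseline_days and mb >= limit_mb]


if __name__ == "__main__":
    ev = constructed_events()
    print("baselined:", prioritized_alerts(score_events(ev, build_baselines(ev))))
    print("static rule:", static_threshold_alerts(ev))
```

With this data the baselined scoring surfaces only carol on day 18, while the 300 MB rule also fires three times on bob's ordinary days, which is the false-positive noise the deck is talking about.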
What Does A Successful Implementation Look Like?
Infrastructure Deployment
Data Ingestion
Analytical Results
System Tuning
Feedback
Expand Deployment
Case Study: Implementation
Hybrid Cloud Model
• Data Gateway onsite
• AWS Cloud Backend
• Integration Points
  • SIEM
  • Ticketing System
Initial Data Class
• Endpoint via SIEM
• Active Directory
Machine Learning
• Models converged in 12 days
• Tuning analytics
  - IT Admins
  - Certain knowledge workers
• Analytics
  - Average 11 high risk events/week
  - Most negligence (remediation training)
  - Leaving employee
  - Fraud case
Next Steps
• Application Repositories
  - EHR monitoring
Timeline: 4 Days, 2 Days, 30 Days, +8 Months
How Do We Measure Success?
Time to Value, Trust in Results, TCO, Operational Integration
How Do We Measure Success?
Deployment to actionable results: 42 Days
First Threat Detected: 32 Days
- Leaving employee
Process Improvement
- Incident response
- HIPAA compliance
- Employee remediation training
Wrap Up
• Have a perspective on what the solution should be
• Assess what your company can really accomplish
• Select specific Use Case
• Measure Time to Value and TCO
• Start small, then go big.
THANK YOU