From False Positives to Actionable Analysis: Behavioral Intrusion Detection, Machine Learning, and the SOC

Presented at Black Hat USA 2015, Aug. 6, 2015, 12:10 p.m. (50 minutes)

This talk outlines an approach to modeling human behavior in network traffic with the goal of automatically labeling events that have security context. Large-scale defensive programs now have the opportunity to invest resources in next-generation distributed architectures and software stacks to build custom security solutions that augment existing SIEM- and point-solution-driven escalations. We describe ways to create such a scalable framework of distributed forensic artificial intelligences to hunt for evil and to minimize time spent on repeatable remediation and evidence-collection processes. This type of next-gen cybersecurity analytics engine can add immediate value through alarm reduction and, over time, through attribution of attacks to threat actors and campaigns.

The goal of building such a framework is to reduce time to detection and to provide automated ways to help incident response, daily reporting, and escalations. The amount of data present in corporate SIEMs and IT warehouses allows security teams to build the central nervous system of the Security Operations Center (SOC). One of the more complex tasks in designing such a next-generation defensive system is to leverage machine learning to build models that are dynamic and intelligent enough to adapt to changing threats (labels suffer from concept drift) and to catch threats that have never been observed before (no ground truth). We describe ways to roadmap such cybersecurity analytics and ways to calculate the best return on investment given existing coverage and needs mapped to the threat surface.

Presenters:

  • Joseph Zadeh - Splunk
    Joseph Zadeh studied mathematics in college and received a BS from the University of California, Riverside and an MS and PhD from Purdue University. While in college, he worked in a Network Operations Center focused on security and network performance baselines, and during that time he spoke at the DEFCON and Torcon security conferences. Most recently he joined Caspida as a security data scientist. Previously, Joseph was part of the data science consulting team at Greenplum/Pivotal, focused on cybersecurity analytics, and was also part of Kaiser Permanente's first cybersecurity R&D team.