Machine Learning for Threat Detection


USER BEHAVIOURAL ANALYTICS
Machine Learning for Threat Detection
Harry McLaren – Security Consultant at ECS

HARRY MCLAREN
• Alumnus of Edinburgh Napier
• Security Consultant at ECS
• SOC & CSIR Development
• Splunk Consultant & Architect

ACCELERATING PACE OF DATA
Volume | Velocity | Variety | Variability

Legacy SIEM-type technologies aren't enough to detect insider threats and advanced adversaries, and they are poorly designed for rapid incident response.

[SIEM - Security Information & Event Management]

Inadequate Contextual Data
68% of respondents in the survey said that reports often only indicated that something had changed without specifying what the change was.

Innocuous Events of Interest
81% of respondents said that SIEM reports contain too much extraneous information and that they were overwhelmed with false positives.

2016 SIEM Efficiency Survey - Conducted by Netwrix

TECHNOLOGY DEVELOPMENT
[Chart: capability evolution over time]
1995 - End-point security
2002 - Network security
2008 - Early correlation
2011 - Payload analysis
2015 - Behavior analysis

SECURITY PLATFORM
Kill chain - events overload; detecting unknown threats

Splunk Enterprise Security:
• Security & compliance reporting
• Incident investigations & forensics
• Real-time monitoring of known threats

Splunk UBA:
• Detection of insider threats
• Detection of advanced cyber attacks

MACHINE LEARNING EVOLUTION
[Chart: complexity vs. evolution, lowest to highest]
• Rules - threshold
• Policy - threshold
• Policy - statistics
• Policy - peer group statistics
• Unsupervised machine learning
• Supervised machine learning
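What each rung of that ladder actually changes is easiest to see on data. The following is an added example, not code from the original slides or from Splunk UBA; every user, daily count, peer group and limit in it is constructed for illustration. It scores one day of sensitive-file reads three ways: a static threshold, a per-user baseline (z-score against the user's own history), and a peer-group statistic (the user's mean daily rate against the rates of the rest of their group).

```python
"""Threshold rules vs. per-user baselines vs. peer-group statistics.

Added example, not code from the original slides or from Splunk UBA.
It scores one constructed dataset three ways to show what each rung of
the "machine learning evolution" ladder can and cannot see.
Every user, count, group and limit below is made up for illustration.
"""
from statistics import mean, pstdev

# Constructed daily counts of sensitive-file reads, ten days per user.
# john:  low-volume user whose activity jumps today (the classic spike)
# carol: same peer group as john, but has read ~30 files a day all along
# admin: legitimately busy, so any static volume rule fires on her daily
HISTORY = {
    "john":  [3, 2, 4, 3, 2, 3, 4, 2, 3, 3],
    "alice": [5, 4, 6, 5, 5, 4, 6, 5, 5, 4],
    "bob":   [4, 5, 4, 6, 5, 4, 5, 5, 4, 6],
    "carol": [28, 31, 30, 29, 32, 30, 28, 31, 30, 29],
    "admin": [60, 55, 70, 65, 58, 62, 66, 59, 61, 63],
}
TODAY = {"john": 40, "alice": 5, "bob": 6, "carol": 30, "admin": 64}
PEER_GROUPS = {"finance": ["john", "alice", "bob", "carol"], "it": ["admin"]}


def zscore(value, sample):
    """Standard score of value against a sample: None if the sample is
    too small to have a spread, +inf if it has no spread but value differs."""
    if len(sample) < 2:
        return None
    mu, sigma = mean(sample), pstdev(sample)
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def rule_threshold(today=TODAY, limit=50):
    """Rung 1: static rule on raw volume. It ignores who the user is, so it
    fires on the busy admin every day and never sees john's spike."""
    return sorted(u for u, n in today.items() if n > limit)


def user_baseline(today=TODAY, history=HISTORY, z_limit=3.0):
    """Rung 2: per-user statistics. Today is compared with the user's own
    past, which catches john's spike but is blind to carol, whose high
    volume *is* her baseline."""
    flagged = []
    for user, n in today.items():
        z = zscore(n, history[user])
        if z is not None and z > z_limit:
            flagged.append(user)
    return sorted(flagged)


def peer_group(today=TODAY, history=HISTORY, groups=PEER_GROUPS, z_limit=3.0):
    """Rung 3: peer-group statistics. Each user's mean daily rate over the
    window is compared with the rates of the other members of their group.
    This exposes carol; a group of one (admin) cannot be scored at all."""
    rate = {u: mean(history[u] + [today[u]]) for u in today}
    flagged = []
    for members in groups.values():
        for user in members:
            peers = [rate[p] for p in members if p != user]
            z = zscore(rate[user], peers)
            if z is not None and z > z_limit:
                flagged.append(user)
    return sorted(flagged)


if __name__ == "__main__":
    print("static threshold :", rule_threshold())
    print("per-user baseline:", user_baseline())
    print("peer-group stats :", peer_group())
```

On this data the static rule flags only the busy admin, the per-user baseline flags only john, and the peer-group comparison flags only carol. The last result depends entirely on how the group is drawn: admin has no peers and cannot be scored, and carol's presence in the finance group widens its spread enough that john's own rate is not a peer-group outlier. That dependence on membership is why peer groups, static or dynamic, matter as much as the statistic itself.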

WHAT IS SPLUNK USER BEHAVIORAL ANALYTICS?
Detect advanced cyberattacks | Detect malicious insider threats
• Anomaly detection
• Threat detection
• Unsupervised machine learning
• Behavior baselining & modeling
• Real-time & big data architecture

INSIDER THREAT
User activity, Day 1 ... Day 2 ... Day N:
• John connects via VPN
• Administrator performs ssh (root) to a file share - finance department
• John executes remote desktop to a system (administrator) - PCI zone
• John elevates his privileges
• root copies the document to another file share - Corporate zone
• root accesses a sensitive document from the file share
• root uses a set of Twitter handles to chop and copy the data outside the enterprise

MULTI-ENTITY BEHAVIORAL MODEL
Application | User | Host | Network | Data

UBA 2.2 LATEST FEATURES
• Threat Modeling Framework - create custom threats using 60+ anomalies
• Enhanced Security Analytics - visibility and baseline metrics around user, device, application and protocols
• Risk Percentile & Dynamic Peer Groups
• Support for Additional 3rd Party Devices
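The insider scenario above is only a threat if the root actions on days 2 and 3 can be tied back to John and the steps are read together across entities rather than as seven unrelated events. The following is an added example, not code from the original slides or from Splunk UBA's Threat Modeling Framework; the hosts, zones, users, event layout and stage weights are all constructed. It resolves shared-account activity to the person who elevated, tags each step with a kill-chain stage, and raises a threat only when one identity accumulates enough stages, in order, within a window.

```python
"""Stitching anomalies across days and entities into one insider threat.

Added example, not code from the original slides or from Splunk UBA.
It resolves the "root" actions in the slide's insider scenario back to
the person who elevated, attaches one anomaly per suspicious step, and
raises a threat only when a single identity accumulates enough distinct
kill-chain stages in order. Hosts, zones, users, the event tuple layout
and the stage weights are all constructed for illustration.
"""
from collections import defaultdict

# Assumed zone sensitivity (higher is more sensitive) and host placement.
ZONE = {"corp": 1, "finance": 2, "pci": 3}
HOST_ZONE = {"john-pc": "corp", "vpn-gw": "corp", "fs-corp": "corp",
             "fs-finance": "finance", "adm-jump": "pci", "twitter.com": "internet"}
SENSITIVE_FILES = {"q3-forecast.xlsx"}

# Constructed event log, already time-ordered:
# (day, actor, src_host, dst_host, action, detail)
EVENTS = [
    (1, "john",  "john-pc",  "vpn-gw",      "vpn_login", ""),
    (1, "admin", "adm-jump", "fs-finance",  "ssh",       "root"),
    (2, "john",  "john-pc",  "adm-jump",    "rdp",       "administrator"),
    (2, "john",  "adm-jump", "adm-jump",    "sudo",      "root"),
    (2, "root",  "adm-jump", "fs-finance",  "file_read", "q3-forecast.xlsx"),
    (3, "root",  "adm-jump", "fs-corp",     "file_copy", "q3-forecast.xlsx"),
    (3, "root",  "adm-jump", "twitter.com", "http_post", "12 chunks"),
]

# The custom threat: kill-chain stages in order, with an assumed weight each.
STAGES = [("lateral_move", 2), ("privilege_escalation", 2),
          ("sensitive_access", 3), ("cross_zone_copy", 3), ("exfiltration", 5)]


def resolve_identities(events):
    """Attribute shared-account activity to a person: the last named user
    who became root on a host (sudo there, or ssh in as root) owns the
    'root' events that later originate from that host."""
    owner = {}  # host -> named user currently holding root on it
    resolved = []
    for day, actor, src, dst, action, detail in events:
        if actor == "root":
            actor = owner.get(src, "root")  # unknown host stays 'root'
        elif action in ("sudo", "ssh") and detail == "root":
            owner[dst] = actor
        resolved.append((day, actor, src, dst, action, detail))
    return resolved


def detect_anomalies(events):
    """Tag each suspicious event with the kill-chain stage it evidences."""
    anomalies = []
    for day, who, src, dst, action, detail in events:
        sz = ZONE.get(HOST_ZONE.get(src), 0)
        dz = ZONE.get(HOST_ZONE.get(dst), 0)
        stage = None
        if action in ("rdp", "ssh") and dz > sz:
            stage = "lateral_move"           # hop into a more sensitive zone
        elif action == "sudo":
            stage = "privilege_escalation"
        elif action == "file_read" and detail in SENSITIVE_FILES:
            stage = "sensitive_access"
        elif action == "file_copy" and detail in SENSITIVE_FILES and dz < sz:
            stage = "cross_zone_copy"        # sensitive data moved to a weaker zone
        elif action == "http_post" and HOST_ZONE.get(dst) == "internet":
            stage = "exfiltration"
        if stage:
            anomalies.append((day, who, stage))
    return anomalies


def build_threats(anomalies, window_days=7, min_stages=3):
    """Per identity, keep the anomalies within the window that advance the
    kill chain; raise a threat once min_stages distinct stages are seen."""
    rank = {name: i for i, (name, _) in enumerate(STAGES)}
    weight = dict(STAGES)
    per_identity = defaultdict(list)
    for day, who, stage in anomalies:
        per_identity[who].append((day, stage))
    threats = {}
    for who, hits in per_identity.items():
        hits.sort(key=lambda h: h[0])      # stable sort: same-day order is kept
        first_day, chain, last_rank = hits[0][0], [], -1
        for day, stage in hits:
            if day - first_day > window_days:
                break
            if rank[stage] > last_rank:    # only stages that move the chain forward
                chain.append(stage)
                last_rank = rank[stage]
        if len(chain) >= min_stages:
            threats[who] = {"stages": chain, "score": sum(weight[s] for s in chain)}
    return threats


def run(events=EVENTS):
    """Full pipeline: resolve identities, detect anomalies, model threats."""
    return build_threats(detect_anomalies(resolve_identities(events)))


if __name__ == "__main__":
    for who, threat in run().items():
        print(f"THREAT {who}: score={threat['score']} stages={threat['stages']}")
```

Run on the constructed log it raises one threat, on john, with all five stages. Feed the same events to the detectors without identity resolution and the threat is raised on "root" instead, which no analyst can act on, while john himself never reaches the stage threshold. The attribution step, not the individual anomaly detectors, is what turns a list of anomalies spread over days and hosts into something investigable.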

QUESTIONS / CONTACT

twitter.com/cyberharibu

harry.mclaren@ecs.co.uk

harrymclaren.co.uk/blog
