
1/33

Copyright 2018 Quarry Systems co.,ltd. All Right Reserved.

Securonix Introduction

Quarry Systems Co., Ltd. / Yoon Dong-han

Regain visibility

2/33


Securonix Company Overview

Company overview

• Founded in 2008, more than 300 employees

• More than 200 customer references

• $29M Series A funding (September 2017)

Product line

• User Entity Behavior Analytics (UEBA)

• Security Big Data Lake (Log Mgmt.)

• Security Analytics (SIEM2.0)

• Packaged Application Content

Patents: Machine Learning

• Behavior anomaly detection to identify malicious activity

• Risk scoring for threat analytics

• Anomaly detection using adaptive behavioral profiles

• World's first signature-less, behavior-based threat detection technology
• World's first risk-based peer group access and activity outlier detection technology
• World's first fuzzy-logic-based identity correlation engine

3/33


Market recognition of Securonix

• 2018 Gartner SIEM & UEBA: Leader position
• December 2018: SC Magazine 2018 Best SIEM (Trust Award)
• Cyber Defense 2018 Global Awards: Best Product, Cybersecurity Analytics
• Enterprise Management Associates: Best Value Leader, Most Innovative Solution

4/33


Gartner 2017 report: UEBA technologies and solutions

The only vendor that supports every UEBA usage model

"By matching events, risk analytics and user profiling to credentials through its tooling, Securonix has redefined the UEBA and UBA market. Going forward, Securonix will be the flagship of UEBA vendors."

Market recognition of Securonix (UEBA technology assessment)

5/33


Securonix Reference

Deployed at one third of the Fortune 100

6/33


Securonix Reference (TOYOTA Motors, 2018. 12)

Customer: Toyota

Product purchase: license sized for 110,000 users

Customer business problem and background: Toyota Motor purchased ArcSight six years ago. ArcSight's UBA module, Identity View, was sold alongside it; Toyota, the only ID View customer in the world, spent three years trying to put it to use and concluded that detecting insider threats through ID View was close to impossible.

Securonix was adopted after a long-term PoC.

7/33


Securonix Reference (GE, 2018.12)

Customer:General Electric (GE)

Product purchase: perpetual license for the Security Data Lake module

Customer business problem and background: reducing Splunk log storage and license costs

8/33


Securonix Reference (Horizon Blue Cross Blue Shield, 2018.12)

Customer:Horizon Blue Cross Blue Shield

Customer business problem: the initial requirement was monitoring access by privileged user accounts; during the PoC, exposure of patient-data areas was discovered.

Competition: Splunk was in use (and was the first candidate considered), but after two opportunities it still could not meet the customer's requirements, so Exabeam and Securonix were brought in for a PoC.

Securonix delivered outstanding results in privileged-access monitoring and in detecting patient-data exfiltration.

9/33


Securonix SNYPR Vision

Diagram (labels only): Enterprise Security Data Lake; Real-time Behavior Analytics; Packaged Solutions (Insider Threat Detection, Cyber Threat Detection, Fraud Detection, Cloud Analytics); Search & Threat Hunting; Open Data Platform (Hadoop); Connector Framework; Data Privacy; Data Super Enrichment; Build Your Own (Workflow & Case Mgmt., Link Analysis, Threat Models, Machine Learning, Build Your App, Dashboard & Reports).

10/33


Securonix SNYPR Overview

Architecture diagram (labels only): Securonix Case Mgmt.; application areas Insider Threat, Compliance, Cyber Threat, Fraud; platform services Context Enrichment, Machine Learning, Threat Library, Spotter™, Link Analysis, Data Privacy; ingestion through Collector Library, Syslog Server, Kafka Producer and the Connector Framework; data sources Firewall, VPN, Netflow/Asset discovery, IDS/IPS, Router/switches, Cloud Apps, Network & Host DLP, Web & Mail Proxy, DNS, Unix/Win, Databases, Malware Detection, Identity & Access Mgmt., Apps (SAP, EPIC, Cerner), Threat Intel, Physical (non-network), Sample, Custom; Open Big Data Platform; Build App.

11/33


Securonix SNYPR Overview

• Long Term Data Retention

• Text Indexing

• Correlation Rule Engine

• Behavior Anomaly Engine

• Peer Anomaly Engine

• Event Rarity Engine

• DGA and Beaconing Detection

• Threat Models

Architecture diagram (labels only): ingestion node with Kafka, Spark Streaming Services (in-memory normalization, attribution & analytics; distributed and parallelized processing) and Super Enrichment; data storage in HBase, HDFS (raw) and Solr (enriched); analytics. Data sources: Hosts (Windows/Unix/Mainframe); Communication (email/chat/phone); Perimeter (IDS/IDP/Firewall/VPN); Malware (sandboxing/antivirus); Network (Netflow/Pcap/VLAN ACL); Cloud (IaaS, PaaS, SaaS); Enterprise apps (SAP/OFS/EPIC/Cerner); Identity (HRMS/IAM); Threat intel (open/COTS).

12/33


Securonix SNYPR Architecture

Hadoop Eco-System

13/33


Securonix SNYPR Architecture

Hadoop Eco-System

• World-leading makers of Hadoop distributions and providers of ML services
• Cloudera: #1 Cyber Security Partner
• Strategic partnership with Hortonworks

• Component Summary

14/33


How Securonix works

Diagram (labels only): source data from Network, Cloud, DLP, Proxy, Servers, Endpoints, Identity, Apps, Threat Intel and Unstructured Data; context enrichment framework; threat chaining and scoring; insider threats, cyber threats, anomalies; search and threat hunting; link analysis; dashboards and reports; investigation (search, link analysis, data insight, reports); Automated Playbooks; Case Mgmt.; machine learning; immediate response; cloud security; real-time data ingestion; detection of unknown threats; response with automated actions; data collection.

15/33


How Securonix works (ingestion stage)

Diagram (labels only): real-time collection module at ~1.2 million EPS; real-time data normalization; normalization; entity attributes; context aggregation; bulk data ingestion stage; anomaly detection stage (Behavior Anomaly Engine, Risk Scoring Engine, Correlation Rules Engine, Peer Analytics Engine, Proxy Analyzer); data continuity stage (structured data, search cluster, data compression, text indexing, distributed file system); analytics.

Spark streaming services

• Data is split into micro-batches and normalization tasks, and bulk ingestion is processed entirely in parallel.
• In-memory data storage, normalization processing and endpoint attribute analysis.

16/33


How Securonix works (evolution of analytics techniques)

Timeline (reconstructed from the diagram labels):

• 2008, Identity Context (Event Enrichment): ID Correlation; Peer Grouping; Access Analytics
• 2009-10, User Behavior Analytics (Anomaly Detection): Machine Learning; Peer Analytics; Data Privacy
• 2014-2015, Packaged Applications (Threat Models): Packaged Content; Entity analytics - User, IP, Host, Account; Threat Model Exchange; Data Privacy
• 2016-2017, Big Data Security Analytics (Multi-Tiered Threat): Multi-tiered analytic chains; Big data backend; Adaptive learning; Threat Hunting

Domains: Insider Threat, Cyber Threat, Fraud, Healthcare

17/33


How Securonix works (analysis stage)

Diagram (labels only): patented machine learning; threat library / threat exchange (sharing information about known threats); packaged applications (for rapid detection of unknown threats); insider threats, cyber threats, anomalies, Threat Chains, cloud security; peer-group link analysis, behavior analysis, rare events, robotic behavior, domain algorithms, rule engine; data scientists, applied-case management, threat research, threat investigation research; purpose-fit analytics; analysis and investigation for detecting new threats.

18/33


How Securonix works (analysis stage)

Data Science Techniques

• Behavior Baseline Profiling
• Peer Group Analysis
• Event Rarity Analysis
• Robotic Pattern (e.g., Beaconing)
• Sequential Learning
• Fuzzy Correlation
• Supervised Learning (e.g., DGA)
• Statistical Computation
• Predictive Analytics (e.g., Flight risk)
• Tiered Analytics
• Threat Models
• Rules Engine

1000+ out-of-the-box use cases

Securonix Data Science Patents

• Behavior-based anomaly detection technology for detecting malicious activity

• Threat scoring technology for threat analytics

• Anomaly detection using adaptive behavioral profiles

19/33


How Securonix works (response stage)

Automated response process / per-case management

Automated, immediate response runbooks

Integration with 3rd-party tools for immediate response (Phantom, Demisto, etc.)

Built-in workflow for case management

Integration with external case management tools (Remedy, ServiceNow, etc.)

20/33


Securonix Use-Cases

Insider Threat: Data Exfiltration; Privileged Account Misuse; Patient Data Snooping; IP Theft; Access Anomalies

Cyber Threat: Pass the Hash; Lateral Movement; Ransomware; Beaconing, DGA; Phishing

Fraud: Payment Fraud; Retail/HC Fraud; Customer Fraud; Internal Fraud; Trade Surveillance

Packaged Applications: Privileged Account Analytics; Data Security Analytics; Application Security Analytics; Access Analytics; Cyber Threat Analytics; Cloud Platform Analytics; Cloud Application Security; Patient Data Analytics; Fraud Analytics; Trade Surveillance

Compliance: FISMA; PCI DSS; SOX; GDPR; GLBA; HIPAA; ISO27002

21/33


Securonix Use-Cases (Privileged Account Analytics)

Key use cases (use case: logic)

• Anomalous privilege activity compared to own/peer behavior: Event Rarity, Behavior Analysis
• Lateral movement: Threat Model - Sequential Learning, Event Rarity
• Pass the hash/Pass the ticket: Threat Model - Event Rarity, Sequential Learning, Rule
• Service account misuse: Threat Model - Event Rarity, Sequential Learning, Rule
• Brute force activity: Behavior Analysis - Securonix Brute Force Algorithm
• New or rare login activity: Event Rarity
• Possible account sharing/compromise: Threat Model - Land speed, Identity correlation, Event Rarity
• Spike in failed login attempts: Behavior Analysis
• Rare geo-location (by velocity): Land Speed violation - Geo-coordinate analysis
• Self permission elevation: Threat Model - Identity Correlation, Fuzzy Logic

Primary data sources

• Active Directory/Workstations (Windows Security Events)
• UNIX
• Privileged Account Monitoring
• Database Logs
• VPN Logs
• Badge readers

Benefits

• Detect cyber threat via use of compromised accounts
• Detect privileged insiders misusing access with malicious intent
• Detect bad user behavior - account sharing, segregation of duties violations


23/33


Securonix Use-Cases (Access Analytics)

Key use cases (use case: logic)

• Identify outlier access permissions using peer group analysis: Peer Analysis
• Identify dormant human accounts: Identity Correlation, Fuzzy logic, Rule
• Terminated user with active access: Identity Correlation, Rule (risk booster)
• Identify rogue uncorrelated accounts: Identity Correlation, Rule (risk booster)
• Identify segregation of duty violations: Securonix SOD library, Rules
• Create watch list based on privileged access/entitlements: WatchList (risk booster)
• Risk based access request, review and certification: Peer Analysis, Securonix Access Review
• Correlate access permissions to high risk activity (where applicable): Access permission-to-activity correlation
• Account discovery and governance (cloud): Securonix account discovery algorithm
• Discovery and monitoring of accounts with privileged access: Account discovery and classification

Primary data sources

• Active Directory
• Enterprise Applications (SAP, Oracle Financials, etc.)
• IAM solutions
• UNIX
• Databases

Benefits

• Identify rogue access permissions
• Risk based access review
• Assist with compliance requirements
• Clean up orphan accounts
• Enable better governance of privileged accounts

24/33


Securonix Use-Cases (Data Security Analytics)

Key use cases (use case: logic)

• Spike in data egressed to removable media: Behavior Analysis
• Spike in email to self (personal) address: Behavior Analysis
• Email to competitors anomalous to peer behavior: Recipient Domain Analysis, Behavior Analysis
• Spike in data download: Behavior Analysis
• Access/export critical files anomalous to peer behavior: Peer Analysis; Rule (risk booster, watch-list)
• Spike in printing of large/sensitive files: Behavior Analysis; Rule (risk booster, watch-list)
• Spike in upload of data to external storage: Behavior Analysis
• Flight risk user exfiltrating data: Threat Model - Predictive Analytics + Behavior Analytics
• User inherent risk - watch list (untrusted) users exfiltrating data: Threat Model - Watch List + Behavior Analytics

Primary data sources

• Email Gateway
• Network DLP
• End Point Monitoring Solutions
• Proxy
• File/Folder Access Applications
• Printer
• User risk data (HR, Travel, Background checks)

Benefits

• Detect and prevent compromise of confidential client data and/or intellectual property
• Identify and monitor high risk users using predictive analytics

25/33


Securonix Use-Cases (Cyber Threat Analytics)

Key use cases (use case: logic)

• Anomalous/rare process (path) execution: Event Rarity
• Robotic traffic pattern to malicious/uncategorized/suspicious websites: Securonix Beaconing Algorithm
• Connections to digitally generated domains: Securonix DGA Algorithm
• Unusual DNS queries: Event Rarity, Behavior Analysis
• Large volume of data egress: Behavior Analysis
• Unusual traffic (application/port): Pattern Analysis, Behavior Analysis, Event Rarity
• Rare user agents: Event Rarity, Pattern Analysis
• Unusual session duration: Event Rarity, Behavior Analysis
• Connections to blacklisted IPs or domains: Third Party Intelligence (Risk Booster)
• DDoS/port scan activity: Behavior Analysis
• Abnormal number of failed/redirected requests: Behavior Analysis
• Targeted SPAM/phishing attempts: Threat Model - Securonix Supervised Learning, Peer analysis

Primary data sources

• Firewall
• IDS/IPS
• EndPoint Monitoring (Carbon Black)
• DNS
• DHCP
• Netflow
• Malware detection system

Benefits

• Detect malware infections (including zero day attacks)
• Detect possible system compromise
• Identify compromised host/user/IP address
• Identify data exfiltration attempts

26/33


Securonix Use-Cases (Enterprise Application Security Analytics)

Key use cases (use case: logic)

• Data snooping - access to customer confidential data or intellectual property: Event Rarity, Behavior Analysis
• Unusual transactions by a user/account never seen before: Event Rarity
• Download/export of large volume of data: Behavior Analysis
• Slow and low data compromise/egress: Behavior Analysis
• Data snooping - unauthorized access to customer confidential data or intellectual property: Event Rarity, Behavior Analysis, Peer Analysis
• Segregation of duty violation analysis based on transaction/activity data: Securonix SOD Library, Rules
• Misuse of service/system accounts for data compromise, sabotage: Event rarity
• Suspicious activity compared to peers: Peer analysis
• Unusual access pattern (time, geo-location): Event rarity, geo-coordinate analysis
• Account sharing and misuse: Threat Model - Land speed, Identity correlation, Fuzzy logic

Primary data sources

• Enterprise Apps - SAP, Oracle Financials
• HealthCare Apps - EPIC, Cerner
• Custom Applications
• File Sharing Applications - SharePoint
• Source Code Repository - Perforce

Benefits

• Detect data compromise/theft
• Meet compliance requirements
• Detect privilege misuse/compromise

27/33


Example: insider threat chain

Diagram (labels only). Stages: the user is searching for jobs; or trying to access critical assets; or snooping on or intercepting confidential data; or using personal email. Timeline labels: Sept 15 - Nov 15, 2017; Oct 12, 2017; Oct 12, 2017; Nov 15, 2017; 1.5 hours.

Individual deviations spread over a period of time may each look insignificant, but through its threat chain logic Securonix detects hidden threats and low-priority or slow (persistent) attack patterns.

Threat chain logic

Securonix Use-Cases (Slow & Long Term Attack)

28/33


Securonix Use-Cases (insider data leak by a departing employee)

Securonix discovered attack by the criminal organization fin4

User spends an unusually long time on job search websites.

(Predictive Analytics – Flight Risk User | Risk Score: 0)

Request made for SharePoint approval; denied by manager.

(Peer Anomaly - Unusual request compared to peers| Risk Score: 0)

User from that department accessing data from "XXXXX technology" never seen before.

(Event Rarity | Risk Score: 0.8)

Emails sent to personal email address.

(Suspiciously high volume of data egresses, Fuzzy correlation | Risk Score: 1)

Day 1-15 Day 16-30 Day 45

Request to data owner for SharePoint access; access is approved.

(Cross Channel Anomaly – deny followed by success | Risk Score: 0.5)

Day 46-60………

High volume of downloads from SharePoint – over 250,000 documents.

(Suspiciously high volume of downloads | Risk Score: 1)

Inbound & outbound emails with "Resume" and "Thanks for applying" in subject.

(Predictive Analytics - Exiting Behavior | Risk Score: 0)

Diagram (stage labels): Flight Risk / Exiting Behavior; Unauthorized Access Request; Suspicious data access pattern; Spike in downloads; Email to Self.

29/33


Securonix Use-Cases (data exfiltration via email)

Threat model: Email data exfiltration (threat category; threat indicator: technique applied)

Flight risk indicators
• Detection of flight risk/exiting behavior: Predictive analytics (Securonix flight risk detection algorithm)
• Users with upcoming termination/contract end dates: Rule based risk booster/watch lists

Data aggregation/data hoarding
• Only member in a peer group to access a file share: Peer group based outlier analysis
• Abnormal number of sensitive files accessed: Peak usage algorithm/Document discovery
• Detection of sensitive data snooping: Event rarity algorithm/Document discovery/Peak usage algorithm

Suspicious file system activity
• Suspicious file rename/archival transaction: Event rarity algorithm
• Endpoint accessed at unusual time of the day: Event rarity algorithm

Data exfiltration
• Abnormal number of emails sent to personal email accounts: Peak usage analysis/Fuzzy logic (comparators algorithm)/Recipient domain analysis
• Abnormal number of emails sent to non-business or competitor domains: Peak usage analysis/Recipient domain analysis
• Only member in a peer group sending emails to a competitor domain: Peer group based outlier analysis/Recipient domain analysis
• Email forwarding - abnormal number of forwards to non-enterprise recipients: Peak usage analysis
• Abnormal amount of data egress via email: Amount spike analysis
• Abnormal number of sensitive/critical files egressed via email: Peak usage algorithm/Document discovery

30/33


Securonix Use-Cases (phishing infection)

Securonix discovered attack by the criminal organization fin4

Diagram (timeline and stage labels): Day 1; Day 30-60; Day 61 and onward. Stages: Phishing Attack; Suspicious URL; Rare Process; Anomalous Access; Suspicious Process; Log Tampering.

IronPort sees: Email "Subject: HR Violation against Mr. XXX" to Head of Clinical Trials

(Phishing Anomaly | Risk Score = 0)

Rare process identified

(Event Rarity: "ntdetect.exe" was never seen before | Risk Score = 0.5)

Windows new logon type "10" was detected.

(Event Rarity: Suspicious remote interactive logon activity never seen by user | Risk Score = 0.5)

Windows: Wevtutil.exe was invoked.

(Event Rarity, Peer Analysis: Rare executable not seen on other hosts | Risk Score = 1)

Proxy redirect to "outlookscansafe.net"

(URL Analytics: Redirect to an uncategorized URL | Risk Score = 0.2)

Copy of docs to external staging server; logout in 3 hours

(Behavior anomaly: Spike in bytes out | Risk Score = 1.0)

Domain controller discovers that the Audit Log was cleared.

(Rules Engine, Event Rarity: Rare event detected | Risk Score = 1.0)
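The following added Python example (not Securonix code) shows how the per-event scores on this slide and on the insider-threat chain slide can be combined into one chain verdict, so that stages scored 0 on their own still raise the result once later stages fire. The stage names, the 90-day window, the aggregation formula and the sample dates are assumptions made for the example; only the day ranges and scores follow the slides.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Ordered stages of the two chains shown on the slides. Stage names, the
# 90-day window and the aggregation formula are assumptions for this example.
PHISHING_CHAIN = ["phishing_attack", "suspicious_url", "rare_process",
                  "anomalous_access", "suspicious_process", "log_tampering"]
INSIDER_CHAIN = ["flight_risk", "unauthorized_access_request",
                 "suspicious_data_access", "spike_in_downloads", "email_to_self"]


@dataclass(frozen=True)
class Indicator:
    when: datetime   # time the analytic fired
    entity: str      # user or host the indicator is attributed to
    stage: str       # chain stage the analytic maps to
    score: float     # the event's own risk score (0..1), as on the slides


def chain_risk(indicators, chain, entity, window_days=90):
    """Combine per-event scores for one entity along an ordered chain.

    Only events within window_days of the entity's first chain event count.
    The chain score is the sum of the best score per stage, boosted by the
    fraction of the chain covered, so zero-scored early stages (the phishing
    email, flight-risk browsing) still raise the verdict once later stages fire.
    """
    mine = sorted((i for i in indicators if i.entity == entity and i.stage in chain),
                  key=lambda i: i.when)
    if not mine:
        return {"stages_hit": [], "in_order": True, "base_score": 0.0, "chain_score": 0.0}
    start = mine[0].when
    in_window = [i for i in mine if i.when - start <= timedelta(days=window_days)]
    per_stage, order_seen = {}, []
    for i in in_window:
        per_stage[i.stage] = max(per_stage.get(i.stage, 0.0), i.score)
        if i.stage not in order_seen:
            order_seen.append(i.stage)
    stages_hit = [s for s in chain if s in per_stage]
    # Sequential learning: stages should first appear in the chain's order.
    in_order = order_seen == sorted(order_seen, key=chain.index)
    base = sum(per_stage[s] for s in stages_hit)
    coverage = len(stages_hit) / len(chain)
    return {"stages_hit": stages_hit, "in_order": in_order,
            "base_score": round(base, 2), "chain_score": round(base * (1 + coverage), 2)}


def phishing_sample():
    """Constructed timeline for the FIN4 phishing slide: day ranges and scores
    follow the slide; exact offsets, dates and the entity name are made up."""
    d0, h = datetime(2017, 9, 1), "clinical-trials-head"
    return [
        Indicator(d0, h, "phishing_attack", 0.0),                          # IronPort phishing anomaly
        Indicator(d0 + timedelta(days=30), h, "suspicious_url", 0.2),      # redirect to uncategorized URL
        Indicator(d0 + timedelta(days=35), h, "rare_process", 0.5),        # ntdetect.exe never seen
        Indicator(d0 + timedelta(days=40), h, "anomalous_access", 0.5),    # logon type 10 never seen
        Indicator(d0 + timedelta(days=50), h, "suspicious_process", 1.0),  # wevtutil.exe rare on hosts
        Indicator(d0 + timedelta(days=61), h, "log_tampering", 1.0),       # audit log cleared
    ]


def stale_insider_sample():
    """Constructed counter-example: a flight-risk signal and an email-to-self
    spike 120 days apart, so the second falls outside the chain window."""
    d0 = datetime(2017, 9, 1)
    return [Indicator(d0, "u1", "flight_risk", 0.0),
            Indicator(d0 + timedelta(days=120), "u1", "email_to_self", 1.0)]


if __name__ == "__main__":
    print(chain_risk(phishing_sample(), PHISHING_CHAIN, "clinical-trials-head"))
    print(chain_risk(stale_insider_sample(), INSIDER_CHAIN, "u1"))
```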

31/33


Securonix Use-Cases (phishing detection)

Threat model: Phishing detection (threat category; threat indicator: technique applied)

Phishing attack
• Email from previously uncommunicated domains: Event rarity algorithm
• Spear phishing - peer inlier analysis to detect targeted peer attacks: Peer inlier analysis
• Spray phishing - email sender and subject analysis: Volume spike analysis

Suspicious outbound traffic
• Traffic to rare domains: Event rarity algorithm
• Traffic to possible algorithmically generated domains: Angler EK domain detection algorithm
• Communication to Angler rootkit sites: DGA detection algorithm
• Rare executable detected in web request: Event rarity algorithm

Suspicious endpoint activity
• Rare process MD5 detected on the network: Event rarity algorithm
• Suspicious process execution detection: Event rarity algorithm
• Suspicious file download: Rule based detection

Network behavior anomaly
• Account authenticating from a geolocation never used before: Geolocation analysis and event rarity algorithm
• Possible beaconing - detection of robotic traffic pattern: Beaconing detection algorithm
• Subnet analytics - beaconing to multiple hosts on the same subnet: Subnet analytics

32/33


Securonix Use-Cases (detail by item: based on geo-location)

Relevant Use Cases:

• Family Snooping

• Neighbor Snooping

• Access patients from unusual location (state/country) never seen before

• Access patient from multiple location in short time

Approach:

• Enrich employee and patient data with physical address information

• Obtain geo-coordinates based on physical address

• Compare distance to determine if employee and patient live at the same location or within X miles

• Last name, phone number, etc. are used as risk boosters to further validate the anomaly
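The approach above, carried through in an added Python example (not Securonix code): geocoded employee and patient addresses are compared with a haversine distance, and last name and phone number act as risk boosters. The sample records, the 1-mile threshold and the booster weights are constructed assumptions.

```python
import math

EARTH_RADIUS_MILES = 3958.8

# Constructed sample records: employees and patients after enrichment with a
# geocoded home address (latitude/longitude). All values are made up.
EMPLOYEES = {
    "e1001": {"last_name": "Kim", "phone": "555-0100", "lat": 0.0, "lon": 0.0},
}
PATIENTS = {
    "p2001": {"last_name": "Kim", "phone": "555-0100", "lat": 0.0, "lon": 0.0},  # same home, surname, phone
    "p2002": {"last_name": "Lee", "phone": "555-0177", "lat": 0.0, "lon": 1.0},  # about 69 miles away
    "p2003": {"last_name": "Kim", "phone": "555-0199", "lat": 0.0, "lon": 1.0},  # far away, shares surname
}


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance between two latitude/longitude points, in miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))


def proximity_risk(employee, patient, max_miles=1.0):
    """Score one employee-to-patient record access for family/neighbor snooping.

    The base anomaly is the two home addresses lying within max_miles (assumed
    threshold). Matching last name and matching phone number are risk boosters
    (assumed weights) that prioritise the alert but never raise one on their
    own: a shared surname across town is not evidence of snooping.
    """
    dist = haversine_miles(employee["lat"], employee["lon"], patient["lat"], patient["lon"])
    reasons, score = [], 0.0
    if dist <= max_miles:
        score += 0.5
        reasons.append(f"home addresses within {max_miles} mi ({dist:.2f} mi)")
    if employee["last_name"].lower() == patient["last_name"].lower():
        score += 0.3
        reasons.append("same last name")
    if employee["phone"] == patient["phone"]:
        score += 0.2
        reasons.append("same phone number")
    return {"distance_miles": round(dist, 2), "score": round(score, 2),
            "alert": dist <= max_miles, "reasons": reasons}


def score_access_log(access_events):
    """Evaluate constructed (employee_id, patient_id) record-access events."""
    return {(e, p): proximity_risk(EMPLOYEES[e], PATIENTS[p]) for e, p in access_events}


if __name__ == "__main__":
    for key, result in score_access_log([("e1001", "p2001"), ("e1001", "p2002"),
                                         ("e1001", "p2003")]).items():
        print(key, result)
```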

33/33


Securonix Use-Cases (detail by item: based on event rarity)

Relevant Use Cases:

• Rare age group: Pediatrician typically accesses patient up to age 21, suddenly accesses patient(s) of age over 40

• Rare outpatient activity when the doctor typically performs only inpatient activity

• Anomalous login at a rare time or from a rare location (e.g., different country, state, etc.)

Approach:

• Establish baseline behavior using historical behavior (we need 30 days of data)

• Identify rare activity never seen before

34/33


Securonix Use-Cases (detail by item: based on peer comparison)

Relevant Use Cases:

• IT employee accessing patient records not accessed by peers

• Co-worker snooping – employee and patient work in same team

• Nurse accessing patient with same last name in a dept. (e.g., oncology that peers never access)

Approach:

• Create peer groups based on employee and doctor identity attributes

• Obtain geo-coordinates based on physical address

• Compare distance to determine if employee and patient live at the same location or within X miles

• Last name, phone number, etc. are used as risk boosters to further validate the anomaly
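An added Python example (not Securonix code) for the event-rarity slide and the peer-comparison slide together: a 30-day baseline is built per user and per peer group over the rarity dimensions the slides name (time of day, location, patient age group, visit type), and a new event is scored higher when a value is new to the user's whole peer group than when it is new to the individual alone. The dimension names, weights and the sample history are constructed assumptions; the 30-day requirement is the slides'.

```python
from collections import Counter, defaultdict
from datetime import date, timedelta

MIN_BASELINE_DAYS = 30   # the slides state 30 days of history are needed

# Rarity dimensions of a patient-record access, taken from the slides' use
# cases: time of day, location, patient age group and visit type.
DIMENSIONS = ("hour_bucket", "location", "age_group", "visit_type")


def build_baselines(events):
    """Count each dimension's values per user and per peer group.

    events: dicts with keys day (date), user, peer_group and the DIMENSIONS.
    Returns (user_baseline, peer_baseline, days_covered).
    """
    users = defaultdict(lambda: {d: Counter() for d in DIMENSIONS})
    peers = defaultdict(lambda: {d: Counter() for d in DIMENSIONS})
    days = set()
    for ev in events:
        days.add(ev["day"])
        for d in DIMENSIONS:
            users[ev["user"]][d][ev[d]] += 1
            peers[ev["peer_group"]][d][ev[d]] += 1
    covered = (max(days) - min(days)).days + 1 if days else 0
    return users, peers, covered


def rarity_score(event, users, peers, days_covered):
    """Score one new event against the user's and the peer group's history.

    Returns None if the baseline is shorter than MIN_BASELINE_DAYS: scoring a
    thin baseline only yields 'never seen before' noise. A dimension value the
    user has never produced adds 0.25 (assumed weight); if no peer has produced
    it either, the weight doubles, since an activity new to the whole peer
    group (an IT employee opening patient records no peer opens) is stronger
    evidence than one that is merely new to this individual.
    """
    if days_covered < MIN_BASELINE_DAYS:
        return None
    ub, pb = users.get(event["user"]), peers.get(event["peer_group"])
    findings, score = [], 0.0
    for d in DIMENSIONS:
        rare_for_user = ub is None or ub[d][event[d]] == 0
        rare_for_peers = pb is None or pb[d][event[d]] == 0
        if rare_for_user:
            score += 0.5 if rare_for_peers else 0.25
            findings.append((d, event[d], "user+peers" if rare_for_peers else "user"))
    return {"score": round(score, 2), "findings": findings}


def sample_history():
    """Constructed 30-day baseline: two pediatricians in one peer group who see
    patients aged 0-21 as inpatients during the day; one of them also did a
    single outpatient visit, so outpatient work is new to the other only."""
    hist = []
    for n in range(30):
        for user in ("dr_park", "dr_choi"):
            hist.append({"day": date(2018, 10, 1) + timedelta(days=n), "user": user,
                         "peer_group": "pediatrics", "hour_bucket": "day",
                         "location": "KR-Seoul", "age_group": "0-21",
                         "visit_type": "inpatient"})
    hist.append({"day": date(2018, 10, 15), "user": "dr_choi", "peer_group": "pediatrics",
                 "hour_bucket": "day", "location": "KR-Seoul", "age_group": "0-21",
                 "visit_type": "outpatient"})
    return hist


if __name__ == "__main__":
    u, p, covered = build_baselines(sample_history())
    suspect = {"user": "dr_park", "peer_group": "pediatrics", "hour_bucket": "night",
               "location": "KR-Seoul", "age_group": "40+", "visit_type": "outpatient"}
    print(rarity_score(suspect, u, p, covered))
```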

35/33


Securonix Use-Cases (detail by item: based on behavior analytics)

Relevant Use Cases:

• Spike in break the glass violations

• Spike in VIP records accessed

• Spike in failed login attempts

• Spike in downloads/prints/emails

Approach:

• Establish baseline behavior using historical behavior (we need 30 days of data)

• Identify any sudden spikes in behavior

• Pre-built content, can customize or add new based on specific customer requirements
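The spike-detection approach above as an added Python example (not Securonix code): a 30-day per-day count baseline, a robust median/MAD decision rule beside a mean/standard-deviation rule, showing why the robust statistics mentioned later in the deck matter when the baseline itself already contains a blip. The sample counts, thresholds and the flat-baseline rule are constructed assumptions.

```python
import statistics

MIN_BASELINE_DAYS = 30   # the slides state 30 days of history are needed


def mad_spike(history, today, threshold=3.5, min_days=MIN_BASELINE_DAYS):
    """Flag today's count as a spike against a per-day count history.

    Uses the median and the median absolute deviation (MAD): a blip already in
    the baseline does not inflate the spread and hide the next one. The
    modified z-score 0.6745 * (x - median) / MAD with a 3.5 cut-off is the
    common Iglewicz-Hoaglin convention (assumed here, not a Securonix setting).
    Returns None when fewer than min_days of baseline are available.
    """
    if len(history) < min_days:
        return None
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history)
    if mad == 0:
        # Flat baseline: anything above the median is a change; call it a
        # spike only when clearly above (assumed rule: more than 2x median + 1).
        z = float("inf") if today > 2 * med + 1 else 0.0
    else:
        z = 0.6745 * (today - med) / mad
    return {"median": med, "mad": mad, "modified_z": round(z, 2), "spike": z > threshold}


def mean_std_spike(history, today, threshold=3.0, min_days=MIN_BASELINE_DAYS):
    """Same decision with mean and sample standard deviation, for comparison:
    the earlier blip widens the standard deviation, so a moderate spike today
    passes unnoticed."""
    if len(history) < min_days:
        return None
    mean, sd = statistics.mean(history), statistics.stdev(history)
    z = (today - mean) / sd if sd else (float("inf") if today > mean else 0.0)
    return {"mean": round(mean, 2), "stdev": round(sd, 2), "z": round(z, 2),
            "spike": z > threshold}


def break_the_glass_sample():
    """Constructed 30 days of one user's daily break-the-glass accesses
    (median 2, with a single earlier blip of 9 on day 15)."""
    return [2, 3, 1, 2, 2, 4, 3, 2, 1, 3, 2, 2, 3, 2, 9,
            2, 1, 3, 2, 2, 3, 2, 4, 2, 3, 1, 2, 2, 3, 2]


if __name__ == "__main__":
    hist = break_the_glass_sample()
    for today in (3, 5, 14):
        print(today, mad_spike(hist, today), mean_std_spike(hist, today))
```

With this history, today's count of 5 is a spike under the MAD rule but not under the mean/stdev rule, because the day-15 blip pushed the standard deviation up.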

36/33


Securonix Use-Cases (detail by item: based on behavior analytics)

Related patent information: https://patents.justia.com/patent/20160226901

37/33


Securonix Use-Cases (applied technology: M/L based advanced analytics)

Diagram (labels only): inputs Activity, Access Privileges, Identity, Threat Intelligence; Entity Correlation; Context Enrichment; threat detection techniques Peer Group Analysis, Behavior Analysis, Event Rarity, Robotic Behavior, Outlier Detection, Risk Aggregation, Threat Models, Violations, Algorithm Generated Domain, String Comparators, Rules Engine, Sequence Analysis; Investigation & Response; Machine Learning.

38/33


Securonix Use-Cases (detail by item: based on behavior analytics)

Clustering algorithms applied, and why
• K-means
• Affinity propagation
• Mean-shift
• Ward hierarchical clustering
• Agglomerative clustering
• Gaussian mixtures
• Birch / Characteristic Feature Tree
• CART and/or Random Forests

MINMAX clustering, Gaussian kernel density estimation and robust statistics extract meaningful values from a large volume of data sources; Online Agglomerative Clustering can detect machine-like (repetitive, periodic) communication in real time; hierarchical clustering is used for peer group analysis.

Algorithms used in threat models, and why
o Spectral clustering
o Bayesian Information Criterion
o Cross-Validation Likelihood
o Rand Index / Normalized Rand Index
o Purity and/or Normalized Mutual Information

Behavioral indicators (derived from anomaly detection) and direct indicators (threat intel and association rule learning) -> used to reduce false negatives. Cross-domain correlation and peer group analysis -> used to reduce false positives. Adaptive behavior profiles and risk scores are updated in real time, so threats are continuously re-evaluated.

39/33


Securonix Use-Cases (results of a healthcare customer deployment)

Challenges

• No performance or scalability for processing massive volumes of log data

• Insufficient supporting data inside the raw events from security devices

• Lack of UBA-related rules in the legacy SIEM solution

• No technique besides rules for detecting the threats that rules find hard to detect

• Quality of policies and threat analysis results varied widely with the skill of the support staff

Securonix Approach

• Analyze log data enriched with user information

• Use M/L to identify threats

• Detect linked (persistent) threats

• Analyze critical threats regardless of variation in support staff skill

Benefits

• 98% reduction in false positives: 1,000 alerts per day cut to 5-10

• Threat investigation time saved (from over 1 hour to about 10 minutes)

• Detection of malicious threat actors

40/33


Appendix #1. Comparison

Legacy SIEM vs. Securonix

• Legacy SIEM: Search does not scale. Securonix: Highly scalable search leveraging SOLR and HDFS.

• Legacy SIEM: Adding context to search is a manual process. Securonix: Search on enriched events, a massive reduction in investigation time.

• Legacy SIEM: Limited out-of-the-box correlation rules (300+). Securonix: Packaged content with out-of-the-box use cases that are ready to deploy (1000+ rules, M/L, ...).

• Legacy SIEM: Limited capability to perform advanced use cases unless you have a highly skilled SME. Securonix: Advanced use cases are part of the packaged content.

• Legacy SIEM: Priced by data; cost increases exponentially. Securonix: Priced by identities; cost is predictable and does not escalate as data grows.

• Legacy SIEM: Requires proprietary hardware; expensive, dependent on the vendor to acquire and maintain. Securonix: Uses commodity hardware; cheaper to acquire, does not require specialized skills.

41/33


Thank you.