Copyright 2018 Quarry Systems co.,ltd. All Right Reserved.
Securonix Introduction
Quarry Systems Co., Ltd. (㈜쿼리시스템즈), 윤동한
Regain visibility
About Securonix
Company
• Founded in 2008, more than 300 employees
• More than 200 customer references
• $29M Series A funding (September 2017)
Product Line
• User Entity Behavior Analytics (UEBA)
• Security Big Data Lake (Log Mgmt.)
• Security Analytics (SIEM2.0)
• Packaged Application Content
Patents: Machine Learning
• Behavior anomaly detection to identify malicious activity
• Risk scoring for threat analytics
• Anomaly detection using adaptive behavioral profiles
• World's first signature-less, behavior-based threat detection technology
• World's first risk-based peer group access and activity outlier detection technology
• World's first fuzzy-logic-based identity correlation engine
Market Assessment of Securonix
• 2018 Gartner SIEM & UEBA: Leader position
• December 2018: SC Magazine 2018 Best SIEM (Trust Award)
• Cyber Defense 2018 Global Awards: Best Product, Cybersecurity Analytics
• Enterprise Management Associates: Value Leader, Most Innovative Solution
Gartner 2017 Report: UEBA Technologies and Solutions
The only vendor supporting every UEBA usage pattern
“By matching events, risk analysis and user profiling against credentials through its tools, Securonix has redefined the UEBA and UBA market. Going forward, Securonix will become the flagship among UEBA vendors.”
Market Assessment of Securonix (UEBA technology evaluation)
Securonix Reference
Adopted by one third of Fortune 100 companies
Securonix Reference (TOYOTA Motors, 2018.12)
Customer: Toyota
Product Purchase: license sized for 110,000 users
Customer Business Problem and Background: Toyota Motor purchased ArcSight six years ago, and Identity View, ArcSight's UBA module, was sold with it. Toyota, the only customer of ID View worldwide, spent three years trying to make use of it and concluded that insider threat detection through ID View was close to impossible.
Securonix was adopted after a long-term PoC.
Securonix Reference (GE, 2018.12)
Customer:General Electric (GE)
Product Purchase: perpetual license for the Security Data Lake module
Customer Business Problem and Background: reducing Splunk log storage and license costs
Securonix Reference (Horizon Blue Cross Blue Shield, 2018.12)
Customer:Horizon Blue Cross Blue Shield
Customer Business Problem: the initial requirement was monitoring of privileged user account access; during the PoC, exposure of patient data areas was discovered
Competition: Splunk was already in use (and was the first candidate considered), but after two opportunities it still could not meet the customer's requirements, so Exabeam and Securonix went through a PoC
Securonix delivered outstanding results in privileged access monitoring and in detecting patient data leakage
Securonix SNYPR Vision
• Enterprise Security Data Lake
• Real-time Behavior Analytics
• Packaged Solutions: Insider Threat Detection, Cyber Threat Detection, Fraud Detection, Cloud Analytics
• Search & Threat Hunting
• Open Data Platform: Hadoop
• Connector Framework
• Data Privacy
• Data Super Enrichment
• Build Your Own
• Workflow & Case Mgmt.
• Link Analysis, Threat Models, Machine Learning
• Build Your App
• Dashboard & Reports
Securonix SNYPR Overview
Analytics layer: CONTEXT ENRICHMENT, MACHINE LEARNING, THREAT LIBRARY, SPOTTER™, LINK ANALYSIS, DATA PRIVACY
Packaged applications: Insider Threat, Compliance, Cyber Threat, Fraud; Securonix Case Mgmt.
Ingestion: Collector Library, Syslog Server, Kafka Producer, Connector Framework
Data sources:
• Firewall, VPN
• Netflow / Asset discovery
• IDS/IPS, Routers, switches
• Cloud Apps
• Network & Host DLP
• Web & Mail Proxy, DNS
• Unix/Win, Databases
• Malware Detection
• Identity & Access Mgmt.
• Apps (SAP, EPIC, Cerner)
• Threat Intel
• Physical – non-network
• Sample, Custom
Open Big Data Platform; BUILD APP
Securonix SNYPR Overview
• Long Term Data Retention
• Text Indexing
• Correlation Rule Engine
• Behavior Anomaly Engine
• Peer Anomaly Engine
• Event Rarity Engine
• DGA and Beaconing Detection
• Threat Models
Big data platform components: HBASE, KAFKA, SOLR, HDFS (RAW and ENRICHED stores), SuperEnrichment
SPARK STREAMING SERVICES
• In-memory normalization, attribution & analytics
• Distributed and parallelized processing
Layers: INGESTION NODE, ANALYTICS, DATA STORAGE
Ingested source categories:
• HOSTS: Windows / Unix / Mainframe
• COMMUNICATION: email / Chat / Phone
• PERIMETER: IDS / IDP / Firewall / VPN
• MALWARE: Sandboxing / Antivirus
• NETWORK: Netflow / Pcap / VLAN ACL
• CLOUD: IaaS, PaaS, SaaS
• ENTERPRISE APPS: SAP / OFS / EPIC / CERNER
• IDENTITY: HRMS / IAM
• THREAT INTEL: OPEN / COTS
Securonix SNYPR Architecture
Hadoop Eco-System
• World-leading Hadoop distribution and ML service providers
• Cloudera: #1 Cyber Security Partner
• Strategic partnership with Hortonworks
• Component Summary
How Securonix Works
Source data:
• Network
• Cloud
• DLP
• Proxy
• Servers
• Endpoints
• Identity
• Apps
• Threat Intel
• Unstructured Data
Real-time data ingestion
Context enrichment framework
Threat chaining and scoring: insider threat, cyber threat, anomalies, cloud security
Search and threat hunting; link analysis, dashboards and reports
Investigation process: search, link analysis, data insight, reports
Automated Playbooks, Case Mgmt.: immediate response
Machine learning: detection of unknown threats
Response: automated actions
Data collection
How Securonix Works (Collection Stage)
~1.2 million EPS
Real-time collection module: real-time data normalization, entity attributes, context aggregation
Bulk data ingestion stage
Anomaly detection stage: Behavior Anomaly Engine, Risk Scoring Engine, Correlation Rules Engine, Peer Analytics Engine, Proxy Analyzer
Data continuity stage: structured data, search cluster, data compression, text indexing, distributed file system
Analytics
SPARK Streaming Services
• Data is split into micro-batches and normalization tasks, and bulk ingestion is processed fully in parallel.
• In-memory data storage and normalization, endpoint attribute analysis
How Securonix Works (Evolution of Analytics Techniques)
2008: Event Enrichment (Identity Context)
• ID Correlation
• Peer Grouping
• Access Analytics
2009-10: Anomaly Detection (User Behavior Analytics)
• Machine Learning
• Peer Analytics
• Data Privacy
• Packaged Content
2014-2015: Threat Models (Big Data Security Analytics)
• Entity analytics - User, IP, Host, Account
• Threat Model Exchange
• Data Privacy
• Big data backend
• Adaptive learning
• Threat Hunting
2016-2017: Multi-Tiered Threat (Packaged Applications)
• Multi-tiered analytic chains
• Insider Threat, Cyber Threat, Fraud, Healthcare
How Securonix Works (Analysis Stage)
Patented machine learning; threat library / threat exchange
Packaged applications: sharing of information on known threats; packaged applications for rapid detection of unknown threats
Threat Chains: insider threat, cyber threat, anomalies, cloud security
Analytics: peer group link analysis, behavior analysis, rare events, robotic behavior, domain algorithm, rules engine
Data scientists: use case management, threat research, threat investigation research
Fit-for-purpose analytics; analysis and investigation for detecting new threats
How Securonix Works (Analysis Stage)
Data Science Techniques
• Behavior Baseline Profiling
• Peer Group Analysis
• Event Rarity Analysis
• Robotic Pattern (e.g., Beaconing)
• Sequential Learning
• Fuzzy Correlation Rules Engine
• Supervised Learning (e.g. DGA)
• Statistical Computation
• Predictive Analytics (e.g. Flight risk)
• Tiered Analytics
• Threat Models
1000+ out-of-box use cases
Securonix Data Science Patents
• Behavior-based anomaly detection technology for detecting malicious activity
• Threat scoring technology for threat analytics
• Anomaly detection using adaptive behavioral profiles
How Securonix Works (Response Stage)
Automated response processes; case-by-case management
• Automated and immediate response manuals
• Integration with 3rd-party tools for immediate response (Phantom, Demisto, etc.)
• Built-in workflow for case management
• Integration with external case management tools (Remedy, ServiceNow, etc.)
Securonix Use-Cases
Insider Threat
• Data Exfiltration
• Privileged Account Misuse
• Patient Data Snooping
• IP Theft
• Access Anomalies
Cyber Threat
• Pass the Hash
• Lateral Movement
• Ransomware
• Beaconing, DGA
• Phishing
Fraud
• Payment Fraud
• Retail/HC Fraud
• Customer Fraud
• Internal Fraud
• Trade Surveillance
Packaged Applications
• Privileged Account Analytics
• Data Security Analytics
• Application Security Analytics
• Access Analytics
• Cyber Threat Analytics
• Cloud Platform Analytics
• Cloud Application Security
• Patient Data Analytics
• Fraud Analytics
• Trade Surveillance
Compliance
• FISMA
• PCI DSS
• SOX
• GDPR
• GLBA
• HIPAA
• ISO27002
Securonix Use-Cases (Privileged Account Analytics)
Key Use Cases and Logic
• Anomalous privilege activity compared to own/peer behavior: Event Rarity, Behavior Analysis
• Lateral movement: Threat Model - Sequential Learning, Event Rarity
• Pass the hash / Pass the ticket: Threat Model - Event Rarity, Sequential Learning, Rule
• Service account misuse: Threat Model - Event Rarity, Sequential Learning, Rule
• Brute force activity: Behavior Analysis - Securonix Brute Force Algorithm
• New or rare login activity: Event Rarity
• Possible account sharing/compromise: Threat Model – Land speed, Identity correlation, Event Rarity
• Spike in failed login attempts: Behavior Analysis
• Rare geo-location (by velocity): Land Speed violation – Geo-coordinate analysis
• Self permission elevation: Threat Model - Identity Correlation, Fuzzy Logic
Primary Data Sources
• Active Directory/Workstations (Windows Security Events)
• UNIX
• Privileged Account Monitoring
• Database Logs
• VPN Logs
• Badge readers
Benefits
• Detect cyber threat via use of compromised accounts
• Detect privileged insiders misusing access with malicious intent
• Detect bad user behavior - account sharing, segregation of duties violations
Securonix Use-Cases (Access Analytics)
Key Use Cases and Logic
• Identify outlier access permissions using peer group analysis: Peer Analysis
• Identify dormant human accounts: Identity Correlation, Fuzzy logic, Rule
• Terminated user with active access: Identity Correlation, Rule (risk booster)
• Identify rogue uncorrelated accounts: Identity Correlation, Rule (risk booster)
• Identify segregation of duty violations: Securonix SOD library, Rules
• Create watch list based on privileged access/entitlements: WatchList (risk booster)
• Risk based access request, review and certification: Peer Analysis, Securonix Access Review
• Correlate access permissions to high risk activity (where applicable): Access permission-to-Activity correlation
• Account discovery and governance (cloud): Securonix account discovery algorithm
• Discovery and monitoring of accounts with privileged access: Account discovery and classification
Primary Data Sources
• Active Directory
• Enterprise Applications (SAP, Oracle Financials, etc.)
• IAM solutions
• UNIX
• Databases
Benefits
• Identify rogue access permissions
• Risk based access review
• Assist with compliance requirements
• Clean up orphan accounts
• Enable better governance of privileged accounts
Securonix Use-Cases (Data Security Analytics)
Key Use Cases and Logic
• Spike in data egressed to removable media: Behavior Analysis
• Spike in email to self (personal) address: Behavior Analysis
• Email to competitors anomalous to peer behavior: Recipient Domain Analysis, Behavior Analysis
• Spike in data download: Behavior Analysis
• Access/export critical files anomalous to peer behavior: Peer Analysis; Rule (risk booster, watch-list)
• Spike in printing of large/sensitive files: Behavior Analysis; Rule (risk booster, watch-list)
• Spike in upload of data to external storage: Behavior Analysis
• Flight risk user exfiltrating data: Threat Model - Predictive Analytics + Behavior Analytics
• User inherent risk – watch list (untrusted) users exfiltrating data: Threat Model – Watch List + Behavior Analytics
Primary Data Sources
• Email Gateway
• Network DLP
• End Point Monitoring Solutions
• Proxy
• File/Folder Access Applications
• Printer
• User risk data (HR, Travel, Background checks)
Benefits
• Detect and prevent compromise of confidential client data and/or intellectual property
• Identify and monitor high risk users using predictive analytics
Securonix Use-Cases (Cyber Threat Analytics)
Key Use Cases and Logic
• Anomalous/rare process (path) execution: Event Rarity
• Robotic traffic pattern to malicious/uncategorized/suspicious websites: Securonix Beaconing Algorithm
• Connections to digitally generated domains: Securonix DGA Algorithm
• Unusual DNS queries: Event Rarity, Behavior Analysis
• Large volume of data egress: Behavior Analysis
• Unusual Traffic (Application/Port): Pattern Analysis, Behavior Analysis, Event Rarity
• Rare user agents: Event Rarity, Pattern Analysis
• Unusual session duration: Event Rarity, Behavior Analysis
• Connections to blacklisted IPs or domains: Third Party Intelligence (Risk Booster)
• DDoS/Port scan activity: Behavior Analysis
• Abnormal number of failed / redirected requests: Behavior Analysis
• Targeted SPAM/Phishing attempts: Threat Model - Securonix Supervised Learning, Peer analysis
Primary Data Sources
• Firewall
• IDS/IPS
• EndPoint Monitoring (Carbon Black)
• DNS
• DHCP
• Netflow
• Malware detection system
Benefits
• Detect malware infections (including zero day attacks)
• Detect possible system compromise
• Identify compromised host/user/IP address
• Identify data exfiltration attempts
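The table names a "Securonix Beaconing Algorithm" for robotic traffic patterns without describing how such detection works. The following is an added example, not Securonix code, of the underlying idea a SOC engineer would implement: group outbound connections by source/destination pair, measure how regular the inter-arrival intervals are, and flag pairs that are both frequent and too regular to be human browsing. The log format, the sample lines, the `min_connections` and `max_cv` thresholds, and the function names are all assumptions constructed for this example.

```python
"""Robotic (beaconing) traffic detection over proxy connection logs.

Added example, not Securonix code. Connections are grouped per
(source, destination); the coefficient of variation (CV) of the
inter-arrival intervals measures regularity. Human browsing has bursty,
irregular gaps (high CV); a beacon on a fixed timer has a CV near zero
even with a few seconds of jitter.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines: "<ISO timestamp> <src_host> <dest_domain>".
# ws-101 talks to one domain every ~5 minutes (with jitter) and browses
# a news site at irregular times.
SAMPLE_LOG = """\
2018-12-03T09:00:00 ws-101 cdn.example-updates.net
2018-12-03T09:00:04 ws-101 news.example.com
2018-12-03T09:05:01 ws-101 cdn.example-updates.net
2018-12-03T09:10:00 ws-101 cdn.example-updates.net
2018-12-03T09:14:59 ws-101 cdn.example-updates.net
2018-12-03T09:20:02 ws-101 cdn.example-updates.net
2018-12-03T09:25:00 ws-101 cdn.example-updates.net
2018-12-03T09:07:33 ws-101 news.example.com
2018-12-03T09:31:10 ws-101 news.example.com
2018-12-03T09:33:45 ws-101 news.example.com
2018-12-03T10:12:09 ws-101 news.example.com
2018-12-03T10:12:30 ws-101 news.example.com
"""


def parse_log(text):
    """Map (src, dst) -> list of connection timestamps."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        events[(src, dst)].append(datetime.fromisoformat(ts))
    return events


def regularity(timestamps):
    """Return (connection count, mean gap in seconds, coefficient of variation).

    Needs at least three connections (two gaps) to say anything about
    regularity; otherwise the gap statistics are None.
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return len(ts), None, None
    m = mean(gaps)
    cv = pstdev(gaps) / m if m > 0 else float("inf")
    return len(ts), m, cv


def detect_beacons(text, min_connections=5, max_cv=0.1):
    """Flag (src, dst) pairs that connect often and at near-constant intervals.

    max_cv=0.1 tolerates roughly 10% timing jitter; raise it to catch
    beacons with randomized sleep, at the cost of more false positives.
    """
    findings = []
    for (src, dst), ts in parse_log(text).items():
        n, m, cv = regularity(ts)
        if n >= min_connections and cv is not None and cv <= max_cv:
            findings.append({"src": src, "dst": dst, "count": n,
                             "interval_s": round(m, 1), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for f in detect_beacons(SAMPLE_LOG):
        print(f)
```

In practice the same statistic is computed over a sliding window per pair and combined with destination reputation (uncategorized or newly registered domains), because legitimate software updaters and monitoring agents also beacon.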
Securonix Use-Cases (Enterprise Application Security Analytics)
Key Use Cases and Logic
• Data snooping – access to customer confidential data or intellectual property: Event Rarity, Behavior Analysis
• Unusual transactions by a user/account never seen before: Event Rarity
• Download/export of large volume of data: Behavior Analysis
• Slow and low data compromise/egress: Behavior Analysis
• Data snooping – unauthorized access to customer confidential data or intellectual property: Event Rarity, Behavior Analysis, Peer Analysis
• Segregation of duty violation analysis based on transaction/activity data: Securonix SOD Library, Rules
• Misuse of service/system accounts for data compromise, sabotage: Event rarity
• Suspicious activity compared to peers: Peer analysis
• Unusual access pattern (time, geo-location): Event rarity, geo-coordinate analysis
• Account sharing and misuse: Threat Model – Land speed, Identity correlation, Fuzzy logic
Primary Data Sources
• Enterprise Apps – SAP, Oracle Financials
• HealthCare Apps – EPIC, Cerner
• Custom Applications
• File Sharing Applications - SharePoint
• Source Code Repository - Perforce
Benefits
• Detect data compromise/theft
• Meet compliance requirements
• Detect privilege misuse/compromise
Example: Insider Threat Chain
Threat chain logic (timeline: Sept 15 - Nov 15, 2017; Oct 12, 2017; Oct 12, 2017; Nov 15, 2017; 1.5 hours)
• The user is searching for jobs, or
• trying to access critical assets, or
• snooping on or intercepting confidential data, or
• using personal email
Individual deviations spread over a period of time may look insignificant, but through its threat chain logic Securonix detects hidden threats and low-priority or slow (persistent) attack patterns.
Securonix Use-Cases (Slow & Long Term Attack)
Securonix Use-Cases (Insider data leak by an employee about to leave)
Securonix discovered attack by the criminal organization fin4
User spends an unusually long time on job search websites.
(Predictive Analytics – Flight Risk User | Risk Score: 0)
Request made for SharePoint approval; denied by manager.
(Peer Anomaly - Unusual request compared to peers | Risk Score: 0)
User from that department accessing data from "XXXXX technology" never seen before.
(Event Rarity | Risk Score: 0.8)
Emails sent to personal email address.
(Suspiciously high volume of data egresses, Fuzzy correlation | Risk Score: 1)
Timeline: Day 1-15, Day 16-30, Day 45
Request to data owner for SharePoint access; access is approved.
(Cross Channel Anomaly – deny followed by success | Risk Score: 0.5)
Day 46-60 ...
High volume of downloads from SharePoint – over 250,000 documents.
(Suspiciously high volume of downloads | Risk Score: 1)
Inbound & outbound emails with "Resume" and "Thanks for applying" in subject.
(Predictive Analytics – Exiting Behavior | Risk Score: 0)
Chain stages: Flight Risk, Exiting Behavior, Unauthorized Access Request, Suspicious data access pattern, Spike in downloads, Email to Self
Securonix Use-Cases (Data leakage via email)
Threat Model: Email data exfiltration
Threat category: Flight risk indicators
• Detection of flight risk/exiting behavior: Predictive analytics (Securonix flight risk detection algorithm)
• Users with upcoming termination/contract end dates: Rule based risk booster/watch lists
Threat category: Data aggregation / Data hoarding
• Only member in a peer group to access a file share: Peer group based outlier analysis
• Abnormal number of sensitive files accessed: Peak usage algorithm/Document discovery
• Detection of sensitive data snooping: Event rarity algorithm/Document discovery/Peak usage algorithm
Threat category: Suspicious file system activity
• Suspicious file rename/archival transaction: Event rarity algorithm
• Endpoint accessed at unusual time of the day: Event rarity algorithm
Threat category: Data exfiltration
• Abnormal number of emails sent to personal email accounts: Peak usage analysis/Fuzzy logic (comparators algorithm)/Recipient domain analysis
• Abnormal number of emails sent to non-business or competitor domains: Peak usage analysis/Recipient domain analysis
• Only member in a peer group sending emails to a competitor domain: Peer group based outlier analysis/Recipient domain analysis
• Email forwarding - Abnormal number of forwards to non-enterprise recipients: Peak usage analysis
• Abnormal amount of data egress via email: Amount spike analysis
• Abnormal number of sensitive/critical files egressed via email: Peak usage algorithm/Document discovery
Securonix Use-Cases (Phishing infection)
Securonix discovered attack by the criminal organization fin4
Timeline: Day 1, Day 30-60, Day 61 ...
Chain stages: Phishing Attack, Suspicious URL, Rare Process, Anomalous Access, Suspicious Process, Log Tampering
IronPort sees: Email "Subject: HR Violation against Mr. XXX" to Head of Clinical Trials
(Phishing Anomaly | Risk Score = 0)
Rare process identified
(Event Rarity: "ntdetect.exe" was never seen before | Risk Score = 0.5)
Windows New logon type "10" was detected.
(Event Rarity: Suspicious Remote Interactive logon activity never seen by user | Risk Score = 0.5)
Windows: Wevtutil.exe was invoked.
(Event Rarity, Peer Analysis: Rare executable not seen on other hosts | Risk Score = 1)
Proxy redirect to "outlookscansafe.net"
(URL Analytics: Redirect to an uncategorized URL | Risk Score = 0.2)
Copy of docs to external staging server; logout in 3 hours
(Behavior anomaly: Spike in bytes out | Risk Score = 1.0)
Domain controller discovers that the Audit Log was cleared.
(Rules Engine, Event Rarity: Rare event detected | Risk Score = 1.0)
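Both the insider-leak chain and this phishing chain consist of individually low-scoring indicators (several carry a risk score of 0) that only become meaningful in sequence. The following is an added example, not Securonix code, of how a sequential threat model can be evaluated: per entity, indicator events are matched against an ordered list of stages inside a time window, and the stage scores are aggregated only as the chain progresses, so an isolated spike does not alert but the full sequence does. The stage names, the 90-day window, the scores and the events are constructed for this example and follow the two chains shown on the slides.

```python
"""Sequential threat-chain evaluation and risk aggregation.

Added example, not Securonix code. A threat model is an ordered list of
stages; for each entity, indicator events are matched to the stages in
order within a time window and their scores are summed as the chain
progresses. Stage names, windows, scores and events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Stage names are assumptions; they follow the two chains on the slides.
INSIDER_CHAIN = ["flight_risk", "unauthorized_access_request",
                 "suspicious_data_access", "spike_in_downloads", "email_to_self"]
PHISHING_CHAIN = ["phishing_email", "suspicious_url", "rare_process",
                  "anomalous_access", "suspicious_process", "log_tampering"]

# Constructed indicator events: (entity, stage, ISO date, stage risk score)
INSIDER_EVENTS = [
    ("jdoe", "flight_risk", "2017-09-15", 0.0),
    ("jdoe", "unauthorized_access_request", "2017-10-12", 0.0),
    ("jdoe", "suspicious_data_access", "2017-10-12", 0.8),
    ("jdoe", "spike_in_downloads", "2017-11-15", 1.0),
    ("jdoe", "email_to_self", "2017-11-15", 1.0),
    ("asmith", "spike_in_downloads", "2017-10-01", 1.0),  # isolated spike, no chain
    ("asmith", "flight_risk", "2017-10-20", 0.0),
]
PHISHING_EVENTS = [
    ("host-17", "phishing_email", "2018-01-01", 0.0),
    ("host-17", "suspicious_url", "2018-01-01", 0.2),
    ("host-17", "rare_process", "2018-02-05", 0.5),
    ("host-17", "anomalous_access", "2018-02-05", 0.5),
    ("host-17", "suspicious_process", "2018-02-06", 1.0),
    ("host-17", "log_tampering", "2018-02-06", 1.0),
]


def evaluate_chain(events, chain, window_days=90):
    """Match each entity's events to the chain stages in order.

    Returns {entity: {"stages": matched stage names in order,
                      "risk": summed stage scores,
                      "complete": True when every stage was seen in order}}.
    Events that are not the next expected stage are ignored; that strictness
    is what keeps the chain selective. A more lenient model could allow
    skipped stages or decay the risk over time.
    """
    by_entity = defaultdict(list)
    for entity, stage, ts, score in events:
        by_entity[entity].append((datetime.fromisoformat(ts), stage, score))
    results = {}
    for entity, evs in by_entity.items():
        evs.sort(key=lambda e: e[0])
        matched, risk, start = [], 0.0, None
        for ts, stage, score in evs:
            if len(matched) < len(chain) and stage == chain[len(matched)]:
                if start is None:
                    start = ts  # the window opens at the first matched stage
                if ts - start <= timedelta(days=window_days):
                    matched.append(stage)
                    risk += score
        results[entity] = {"stages": matched, "risk": round(risk, 2),
                           "complete": len(matched) == len(chain)}
    return results


def prioritize(results, min_stages=3):
    """Entities whose chain progressed at least min_stages, highest risk first."""
    hits = [(e, r) for e, r in results.items() if len(r["stages"]) >= min_stages]
    return sorted(hits, key=lambda er: (-er[1]["risk"], er[0]))


if __name__ == "__main__":
    for entity, r in prioritize(evaluate_chain(INSIDER_EVENTS, INSIDER_CHAIN)):
        print(entity, r)
    print(evaluate_chain(PHISHING_EVENTS, PHISHING_CHAIN))
```

Note that `asmith` has the highest single indicator (a download spike scoring 1.0) but never reaches the review queue, while `jdoe`, whose first two stages score 0, does: that is the property the slide describes as detecting low-and-slow attacks through chain logic.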
Securonix Use-Cases (Phishing detection)
Threat Model: Phishing detection
Threat category: Phishing attack
• Email from previously uncommunicated domains: Event rarity algorithm
• Spear phishing - Peer inlier analysis to detect targeted peer attacks: Peer inlier analysis
• Spray phishing - Email sender and subject analysis: Volume spike analysis
Threat category: Suspicious outbound traffic
• Traffic to rare domains: Event rarity algorithm
• Traffic to possible Algorithmically Generated Domains: Angler EK domain detection algorithm
• Communication to Angler Rootkit sites: DGA detection algorithm
• Rare executable detected in web-request: Event rarity algorithm
Threat category: Suspicious endpoint activity
• Rare process MD5 detected on the network: Event rarity algorithm
• Suspicious process execution detection: Event rarity algorithm
• Suspicious file download: Rule based detection
Threat category: Network behavior anomaly
• Account authenticating from a geolocation never used before: Geolocation analysis and event rarity algorithm
• Possible beaconing - detection of robotic traffic pattern: Beaconing detection algorithm
• Subnet analytics - Beaconing to multiple hosts on the same subnet: Subnet analytics
Securonix Use-Cases (Detail by category: Based on Geo Location)
Relevant Use Cases:
• Family Snooping
• Neighbor Snooping
• Access to patients from an unusual location (state/country) never seen before
• Access to patients from multiple locations in a short time
Approach:
• Enrich employee and patient data with physical address information
• Obtain geo-coordinates based on physical address
• Compare distance to determine if employee and patient live at the same location or within X miles
• Last name, phone number, etc. are used as risk boosters to further validate the anomaly
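The approach above and the "Land Speed violation – Geo-coordinate analysis" row of the Privileged Account Analytics table both reduce to great-circle distance between geocoded points. The following is an added example, not Securonix code, that carries both checks through: a land-speed violation between successive logins of one account (impossible travel), and the patient-snooping check that compares employee and patient home coordinates within X miles and adds the last-name and phone-number risk boosters. The coordinates, login records, identity records, the 600 mph and 5 mile thresholds, the booster weights and the function names are all constructed assumptions.

```python
"""Geo-coordinate analysis: land-speed violations and proximity snooping.

Added example, not Securonix code. Both checks use the haversine
great-circle distance; coordinates stand in for geocoded addresses.
Thresholds and booster weights are assumptions for this example.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_MILES = 3958.8


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(a))


# Constructed login records: (account, ISO timestamp, latitude, longitude)
LOGINS = [
    ("svc_admin", "2018-12-03T08:00:00", 37.5665, 126.9780),   # Seoul
    ("svc_admin", "2018-12-03T09:00:00", 34.0522, -118.2437),  # Los Angeles, 1 h later
    ("jdoe", "2018-12-03T08:00:00", 37.5665, 126.9780),        # Seoul
    ("jdoe", "2018-12-03T18:30:00", 35.1796, 129.0756),        # Busan, 10.5 h later
]


def land_speed_violations(logins, max_mph=600.0):
    """Flag consecutive logins of one account that imply travel faster than max_mph."""
    by_account = {}
    for acct, ts, lat, lon in logins:
        by_account.setdefault(acct, []).append((datetime.fromisoformat(ts), lat, lon))
    violations = []
    for acct, recs in by_account.items():
        recs.sort()
        for (t1, la1, lo1), (t2, la2, lo2) in zip(recs, recs[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            miles = haversine_miles(la1, lo1, la2, lo2)
            if hours <= 0:
                # Same-timestamp logins from two distant places are impossible too.
                violations.append({"account": acct, "miles": round(miles), "mph": float("inf")})
                continue
            mph = miles / hours
            if mph > max_mph:
                violations.append({"account": acct, "miles": round(miles), "mph": round(mph)})
    return violations


def proximity_risk(employee, patient, max_miles=5.0):
    """Risk score for an employee accessing a patient who lives within max_miles.

    Distance alone gives a base score of 0.5; a matching last name (+0.3)
    and phone number (+0.2) are the risk boosters the slide mentions.
    Returns (score, distance_in_miles); score is 0.0 beyond max_miles.
    """
    d = haversine_miles(employee["lat"], employee["lon"], patient["lat"], patient["lon"])
    if d > max_miles:
        return 0.0, d
    score = 0.5
    if employee["last_name"].casefold() == patient["last_name"].casefold():
        score += 0.3
    if employee["phone"] == patient["phone"]:
        score += 0.2
    return round(score, 2), d


# Constructed identity records (addresses already geocoded)
EMPLOYEE = {"id": "nurse-42", "last_name": "Kim", "phone": "555-0100",
            "lat": 40.7128, "lon": -74.0060}
PATIENT_NEAR = {"id": "pt-1", "last_name": "Kim", "phone": "555-0100",
                "lat": 40.7150, "lon": -74.0080}
PATIENT_FAR = {"id": "pt-2", "last_name": "Park", "phone": "555-0199",
               "lat": 34.0522, "lon": -118.2437}

if __name__ == "__main__":
    print(land_speed_violations(LOGINS))
    print(proximity_risk(EMPLOYEE, PATIENT_NEAR), proximity_risk(EMPLOYEE, PATIENT_FAR))
```

A real deployment has to treat VPN egress points and cloud provider IP geolocation as noise sources for the land-speed check, and the proximity score is an indicator to be combined with the peer-group and rarity checks, not an alert on its own.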
Securonix Use-Cases (Detail by category: Based on Event Rarity)
Relevant Use Cases:
• Rare age group: a pediatrician typically accesses patients up to age 21, then suddenly accesses patient(s) over age 40
• Rare outpatient activity when the doctor typically performs only inpatient activity
• Anomalous login at a rare time or from a rare location (e.g., different country, state, etc.)
Approach:
• Establish baseline behavior using historical behavior (30 days of data are needed)
• Identify rare activity never seen before
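The approach above is the event-rarity technique cited throughout the use-case tables. The following is an added example, not Securonix code, showing one way to implement it: for each user and attribute (patient age band, login country), the values observed in the 30 days before the evaluation date form the baseline; a value never seen scores 1.0, a common value scores near 0, and an account with too little history is reported as unscorable rather than as an anomaly, which is the failure mode that otherwise floods a queue with new hires. Attribute names, the `min_history` threshold, and the history and events are constructed for this example.

```python
"""Event-rarity scoring against a 30-day per-user baseline.

Added example, not Securonix code. The baseline is a per-(user, attribute)
count of observed values; the score is 1 - frequency of the new value.
Attribute names, thresholds and all records are constructed.
"""
from collections import Counter, defaultdict
from datetime import date, timedelta

# Constructed history: (user, date, attribute, value). A pediatrician who
# only sees patients aged 0-21, a user with one prior trip to JP, and a
# new hire with a single day of history.
HISTORY = []
for day in range(1, 31):  # 2018-11-01 .. 2018-11-30
    HISTORY.append(("dr_lee", date(2018, 11, day), "patient_age_band", "0-21"))
    HISTORY.append(("dr_lee", date(2018, 11, day), "login_country", "KR"))
    HISTORY.append(("jdoe", date(2018, 11, day), "login_country", "KR"))
HISTORY.append(("jdoe", date(2018, 11, 20), "login_country", "JP"))
HISTORY.append(("new_hire", date(2018, 11, 29), "login_country", "KR"))

# Constructed events to score on 2018-12-01
NEW_EVENTS = [
    ("dr_lee", date(2018, 12, 1), "patient_age_band", "40+"),
    ("dr_lee", date(2018, 12, 1), "login_country", "KR"),
    ("jdoe", date(2018, 12, 1), "login_country", "JP"),
    ("jdoe", date(2018, 12, 1), "login_country", "BR"),
    ("new_hire", date(2018, 12, 1), "login_country", "BR"),
]


def build_baseline(history, as_of, days=30):
    """Counter of values per (user, attribute) over the `days` before as_of."""
    start = as_of - timedelta(days=days)
    baseline = defaultdict(Counter)
    for user, when, attr, value in history:
        if start <= when < as_of:
            baseline[(user, attr)][value] += 1
    return baseline


def rarity_score(baseline, user, attr, value, min_history=10):
    """1.0 = never seen before; lower = more common; None = too little history."""
    counts = baseline.get((user, attr), Counter())
    total = sum(counts.values())
    if total < min_history:
        return None  # do not call a value 'rare' against an almost empty baseline
    return round(1.0 - counts[value] / total, 3)


def score_events(history, events, min_history=10, days=30):
    """Score each event against a baseline built from history before its date."""
    out = []
    cache = {}
    for user, when, attr, value in events:
        if when not in cache:
            cache[when] = build_baseline(history, when, days)
        s = rarity_score(cache[when], user, attr, value, min_history)
        out.append({"user": user, "attr": attr, "value": value, "score": s})
    return out


if __name__ == "__main__":
    for row in score_events(HISTORY, NEW_EVENTS):
        print(row)
```

The rarity score is the raw signal; the slides show it being weighted into a risk score (0.5 for a never-seen process, 0.8 for never-seen data access) and then chained with other indicators.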
Securonix Use-Cases (Detail by category: Based on Peer Comparison)
Relevant Use Cases:
• IT employee accessing patient records not accessed by peers
• Co-worker snooping – employee and patient work in the same team
• Nurse accessing a patient with the same last name in a dept. (e.g., oncology) that peers never access
Approach:
• Create peer groups based on employee and doctor identity attributes
• Obtain geo-coordinates based on physical address
• Compare distance to determine if employee and patient live at the same location or within X miles
• Last name, phone number, etc. are used as risk boosters to further validate the anomaly
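The first approach step above, peer groups built from identity attributes, is what the "IT employee accessing patient records not accessed by peers" and "only member in a peer group to access a file share" indicators rest on. The following is an added example, not Securonix code, of that peer-group outlier check: users are grouped by department and title, and for each user the share of accessed resources that no other member of the group touched becomes the outlier score. The identity records, access records, the grouping keys and the `min_peers` guard are constructed assumptions for this example.

```python
"""Peer-group outlier detection on resource access.

Added example, not Securonix code. Peer groups are formed from identity
attributes; each user's accessed resources are compared with the union of
what the rest of the group accessed. All records are constructed.
"""
from collections import defaultdict

# Constructed identity records: user -> attributes used for peer grouping
IDENTITIES = {
    "nurse_a": {"department": "oncology", "title": "nurse"},
    "nurse_b": {"department": "oncology", "title": "nurse"},
    "nurse_c": {"department": "oncology", "title": "nurse"},
    "it_admin_1": {"department": "it", "title": "sysadmin"},
    "it_admin_2": {"department": "it", "title": "sysadmin"},
}

# Constructed access records: (user, resource)
ACCESSES = [
    ("nurse_a", "patient/1001"), ("nurse_a", "patient/1002"),
    ("nurse_b", "patient/1001"), ("nurse_b", "patient/1002"),
    ("nurse_c", "patient/1001"), ("nurse_c", "patient/1002"),
    ("nurse_c", "patient/1003"),                       # one record peers never touch
    ("it_admin_1", "server/backup-01"), ("it_admin_2", "server/backup-01"),
    ("it_admin_1", "patient/1002"), ("it_admin_1", "patient/1005"),  # IT admin reading patient records
]


def build_peer_groups(identities, keys=("department", "title")):
    """Group users whose identity attributes match on every key."""
    groups = defaultdict(set)
    for user, attrs in identities.items():
        groups[tuple(attrs[k] for k in keys)].add(user)
    return groups


def peer_outliers(identities, accesses, min_peers=2):
    """Per user: resources no peer accessed and the resulting outlier score.

    Score = unique resources / all resources of the user. Groups smaller
    than min_peers members are skipped: with nobody to compare against,
    every access would look unique and the check would only produce noise.
    """
    touched = defaultdict(set)
    for user, resource in accesses:
        touched[user].add(resource)
    report = {}
    for members in build_peer_groups(identities).values():
        if len(members) < min_peers:
            continue
        for user in members:
            mine = touched.get(user, set())
            if not mine:
                continue
            peers_union = set().union(*(touched.get(p, set()) for p in members if p != user))
            unique = sorted(mine - peers_union)
            report[user] = {"unique": unique, "score": round(len(unique) / len(mine), 2)}
    return report


if __name__ == "__main__":
    for user, r in sorted(peer_outliers(IDENTITIES, ACCESSES).items()):
        print(user, r)
```

Grouping on static attributes is the simplest form; the later slide on clustering describes deriving peer groups from behaviour with hierarchical clustering instead, which catches users whose HR attributes do not reflect what they actually do.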
Securonix Use-Cases (Detail by category: Based on Behavior Analytics)
Relevant Use Cases:
• Spike in break-the-glass violations
• Spike in VIP records accessed
• Spike in failed login attempts
• Spike in downloads/prints/emails
Approach:
• Establish baseline behavior using historical behavior (30 days of data are needed)
• Identify any sudden spikes in behavior
• Pre-built content; can be customized or extended based on specific customer requirements
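The spike detection described above is the "Behavior Analysis" logic cited for failed logins, downloads, printing and email volume in the use-case tables. The following is an added example, not Securonix code, of one defensible implementation: each user's daily counts over the last 30 days are the baseline and today's count is compared with a modified z-score built from the median and median absolute deviation (MAD) rather than mean and standard deviation, so an earlier spike in the baseline does not mask the next one (the later clustering slide mentions robust statistics for the same reason). The daily counts, the 3.5 cutoff (the customary modified z-score threshold) and the 30-day minimum are constructed assumptions.

```python
"""Behavior spike detection against a 30-day self baseline (robust statistics).

Added example, not Securonix code. Uses the Iglewicz-Hoaglin modified
z-score 0.6745 * (x - median) / MAD, which is insensitive to a few
outliers already present in the baseline. Counts are constructed.
"""
from statistics import median


def modified_zscore(history, value):
    """Modified z-score of value against history.

    When MAD is 0 (a perfectly flat baseline) the same authors recommend
    falling back to the mean absolute deviation scaled by 0.7979; if that
    is 0 too, any change at all is reported as an infinite score.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad > 0:
        return 0.6745 * (value - med) / mad
    mean_ad = sum(abs(x - med) for x in history) / len(history)
    if mean_ad > 0:
        return 0.7979 * (value - med) / mean_ad
    return 0.0 if value == med else float("inf")


def is_spike(history, value, cutoff=3.5, min_days=30):
    """True when value is an upward outlier relative to at least min_days of history."""
    if len(history) < min_days:
        return False  # baseline too short; the slide requires 30 days of data
    return modified_zscore(history, value) > cutoff


# Constructed 30-day baselines of daily download counts per user.
# asmith's baseline is noisier, so the same absolute jump counts for less.
BASELINES = {
    "jdoe": [4, 5, 6, 5, 4, 5, 6, 7, 5, 4, 5, 6, 5, 4, 5,
             6, 5, 5, 4, 6, 5, 5, 4, 6, 5, 5, 6, 4, 5, 5],
    "asmith": [20, 22, 19, 21, 20, 23, 18, 21, 20, 22, 19, 20, 21, 20, 22,
               19, 21, 20, 20, 23, 18, 21, 20, 22, 19, 20, 21, 20, 22, 19],
    "new_hire": [3, 4, 3],
}
TODAY = {"jdoe": 60, "asmith": 24, "new_hire": 40}


def detect_spikes(baselines, today, cutoff=3.5):
    """Return {user: (today's count, modified z-score)} for users spiking today."""
    hits = {}
    for user, history in baselines.items():
        value = today.get(user, 0)
        if is_spike(history, value, cutoff):
            hits[user] = (value, modified_zscore(history, value))
    return hits


if __name__ == "__main__":
    for user, (count, z) in detect_spikes(BASELINES, TODAY).items():
        print(f"{user}: {count} downloads today, modified z = {z:.1f}")
```

The score feeds the risk scoring step: a spike on its own is a weak indicator (a legitimate project kick-off also spikes downloads), which is why the slides pair it with watch lists, flight-risk prediction and the peer and rarity checks in a threat chain.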
Securonix Use-Cases (Detail by category: Based on Behavior Analytics)
Related patent information: https://patents.justia.com/patent/20160226901
Securonix Use-Cases (Applied Technology – M/L Based Advanced Analytics)
Inputs: Activity, Access Privileges, Identity
Entity Correlation
Threat Intelligence
Context Enrichment
Threat Detection Techniques (Machine Learning):
• Peer Group Analysis
• Behavior Analysis
• Event Rarity
• Robotic Behavior
•Outlier Detection
• Risk Aggregation
• Threat Models
• Violations
• Algorithm Generated Domain
• String Comparators
• Rules Engine
• Sequence Analysis
Investigation & Response
Securonix Use-Cases (Detail by category: Based on Behavior Analytics)
Clustering algorithms applied and the reasons for applying them:
• K-means
• Affinity propagation
• Mean-shift
• Ward hierarchical clustering
• Agglomerative clustering
• Gaussian mixtures
• Birch / Characteristic Feature Tree
• CART and/or Random Forests
The MINMAX clustering algorithm, Gaussian kernel density estimation and robust statistics extract meaningful values from very large volumes of data sources; Online Agglomerative Clustering can detect machine-to-machine communication (repetitive, periodic) in real time; hierarchical clustering is used for peer group analysis.
Algorithms used in threat models and the reasons for using them:
o Spectral clustering
o Bayesian Information Criterion
o Cross-Validation Likelihood
o Rand Index / Normalized Rand Index
o Purity and/or Normalized Mutual Information
Behavioral indicators (derived from anomaly detection) and direct indicators (threat intel and association rule learning) -> used to reduce false negatives. Cross Domain Correlation and Peer Group Analysis -> used to reduce false positives. Adaptive Behavior Profiles and Risk Scores are updated in real time, continuously re-evaluating threats.
Securonix Use-Cases (Healthcare customer adoption results)
Challenges
• No performance or scalability for processing massive volumes of log data
• Insufficient supporting evidence within the raw events of security devices
• Lack of UBA-related rules in the legacy SIEM solution
• No technique, beyond rules, for detecting threats that rules struggle to detect
• Large variation in the quality of policies and threat analysis results depending on the skill of the support engineers
Securonix Approach
• Analysis with user information added to the log data
• Use of M/L to identify threats
• Detection of linked (persistent) threats
• Critical threats can be analyzed regardless of variation in support engineer skill
Benefits
• 98% reduction in false positives: 1,000 alerts per day reduced to 5-10
• Time saved on threat investigation (from more than 1 hour to about 10 minutes)
• Detection of malicious threat actors
Appendix #1. Comparison
Legacy SIEM vs. Securonix
• Legacy SIEM: Search does not scale. Securonix: Highly scalable search leveraging SOLR and HDFS.
• Legacy SIEM: Adding context to search is a manual process. Securonix: Search on enriched events, a massive reduction in investigation time.
• Legacy SIEM: Limited out-of-the-box correlation rules (300+). Securonix: Packaged content with out-of-the-box use cases that are ready to deploy (1000+ rules, M/L, ...).
• Legacy SIEM: Limited capability to perform advanced use cases unless you have a highly skilled SME. Securonix: Advanced use cases are part of the packaged content.
• Legacy SIEM: Priced by data; cost increases exponentially. Securonix: Priced by identities; cost is predictable and does not escalate as data grows.
• Legacy SIEM: Requires proprietary hardware; expensive, dependent on the vendor to acquire and maintain. Securonix: Uses commodity hardware; cheaper to acquire, does not require specialized skills.