Reducing Mean Time to Know

Page 1: Reducing Mean Time to Know

Securely explore your data

SQRRL WEBINAR

Reducing “Mean Time to Know”

Page 2: Reducing Mean Time to Know

© 2015 Sqrrl | All Rights Reserved 2

YOUR WEBINAR HOSTS

Host 1
•  Sqrrl cofounder / VP Business Development
•  Former Director of Cybersecurity at the National Security Council Staff / White House
•  Degrees from Wharton and Harvard

Host 2
•  Sqrrl VP Products
•  Former Director of Product Management at Vertica, Imprivata, and DataSynapse
•  CS degree from MIT

Page 3: Reducing Mean Time to Know


SQRRL HISTORY
From securing the country to securing your enterprise

Timeline:
•  2006: Google’s BigTable paper
•  2008: NSA builds Accumulo
•  2012: Sqrrl founded
•  2013: Sqrrl Enterprise 1.0
•  2015: Sqrrl Enterprise 2.0

Investors: (logos)
Patented Technology: (logos)

Page 4: Reducing Mean Time to Know


Sqrrl’s focus today is on Detection and Analysis (i.e., cybersecurity investigations)

INCIDENT RESPONSE LIFECYCLE


Source: NIST

Page 5: Reducing Mean Time to Know


CYBERSECURITY INVESTIGATIONS TAXONOMY

Cybersecurity Investigations
  Detection
    •  Hunting / IOCs
    •  Threat Intelligence
    •  Alerting
         - Rule-Based
         - Algorithmic
  Analysis
    •  Alert Resolution
    •  Incident Triage
    •  Root Cause / Forensics

Page 6: Reducing Mean Time to Know


How do we decrease Mean Time To Know?

MEAN TIME TO KNOW

Mean Time To Identify (MTTI): Detect that an incident has occurred

Mean Time To Know (MTTK): Understand root cause of an incident

Chart: % Time Spent on MTTI vs. MTTK (segments labelled 25% and 75%)

Source: Ponemon Institute


Page 7: Reducing Mean Time to Know


Sqrrl MTTK Case Study: Large Telecommunications Company

Challenge
•  Analyzing more than 1 year of multi-structured security data, including for Advanced Persistent Threats (APT), fraud, and insider threats

Sqrrl Solution
•  Aggregate and store all data
•  Gather and profile employee and device behaviors
•  Search, query and analyze behaviors, details and anomalies

Results
•  Ensured compliance with data security regulations
•  Reduced investigation time from days/weeks to minutes
•  Visibility across more data than previously possible

Page 8: Reducing Mean Time to Know


TOP 5 WAYS TO REDUCE MTTK

1.  Big Data
2.  Linked Data Visualization
3.  Graph Exploration
4.  Investigation Workflow
5.  Advanced Analytics

Page 9: Reducing Mean Time to Know


#1 BIG DATA

Current solutions can’t easily handle the variety and volume of data that security analysts need

Volume and Variety of Data

Page 10: Reducing Mean Time to Know


#1 BIG DATA: Performance Measures

•  Sqrrl indexes and stores 25,000 events per second per node
•  Sqrrl’s core has proven near-linear scalability to 2000+ nodes
•  Clustered support for processing trillions of events per day

Source: http://www.pdl.cmu.edu/SDI/2013/slides/big_graph_nsa_rd_2013_56002v1.pdf
Source: http://arxiv.org/pdf/1406.4923v1.pdf

Data Source             Record Count
Netflow                 2,109,409,060
Cisco ASA Firewall      2,982,124,483
Websense                  924,819,607
MsDns                     503,237,033
IsaFw                     207,834,546
IIS                        38,941,968
Damballa                       16,060
Apache Webserver            5,615,832
ISE                           671,006
Radius                      1,138,001
Windows Events             12,220,081
Symantec EP                 1,040,871
FireEye                         4,305
Total Records           6,787,072,853

Node * Seconds                271,800
Records/Second/Node            24,971

Page 11: Reducing Mean Time to Know


#2 LINKED DATA VISUALIZATION

Logs vs. Linked Data

Page 12: Reducing Mean Time to Know


LINKED DATA

•  Organizes data into entities and relationships (links)
•  More intuitive visualization
•  Surfaces meaning & context
•  Enables faster analysis

Page 13: Reducing Mean Time to Know


LINKED DATA VISUALIZATION DEMO

Page 14: Reducing Mean Time to Know


#3 GRAPH EXPLORATION: Pattern Discovery and Matching

•  Hunting for known patterns
•  Search for the HTTP transaction “triangle”
•  Locate a specific instance quickly amongst a large volume of transactions

Page 15: Reducing Mean Time to Know


GRAPH EXPLORATION DEMO

Page 16: Reducing Mean Time to Know


#4 INVESTIGATION WORKFLOW

It is easy to get lost in a maze of searches during an investigation

Page 17: Reducing Mean Time to Know


INVESTIGATION WORKFLOW DEMO

Page 18: Reducing Mean Time to Know


#5 ADVANCED ANALYTICS

Peer Group

Outlier

Algorithmic approaches to anomaly detection
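The slide names peer-group outlier detection without showing how such a score is computed. The following is an added illustration, not Sqrrl's own analytic or code from the webinar: it scores each user's activity against the users in the same department (the assumed peer group) using a robust modified z-score built from the median and median absolute deviation, so that a single extreme value does not distort the baseline it is measured against. The feature (distinct internal hosts contacted per day), the department grouping, the 3.5 threshold and the sample rows are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: one day's count of distinct internal hosts each user
# connected to, plus the user's department as the peer group. These rows
# are made up for illustration and are not data from the webinar.
SAMPLE_ROWS = [
    ("alice", "finance", 4),
    ("bob",   "finance", 6),
    ("carol", "finance", 5),
    ("dave",  "finance", 5),
    ("erin",  "finance", 48),   # far above the finance peers
    ("frank", "engineering", 40),
    ("grace", "engineering", 52),
    ("heidi", "engineering", 45),
    ("ivan",  "engineering", 47),
    ("judy",  "engineering", 50),
]


def modified_z_scores(values):
    """Robust z-score (Iglewicz-Hoaglin): 0.6745 * (x - median) / MAD.
    Median and MAD replace mean and standard deviation so the outlier
    itself does not inflate the baseline it is compared against."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        # Peers are identical: any deviation is an outlier; avoid division by zero.
        return [float("inf") if v != med else 0.0 for v in values]
    return [0.6745 * (v - med) / mad for v in values]


def peer_group_outliers(rows, threshold=3.5, min_group_size=4):
    """Group rows by peer group, score each member against its own group and
    return {user: (group, value, score)} for members above the threshold.
    Groups smaller than min_group_size are skipped, since a median over two
    or three values is not a usable baseline."""
    groups = defaultdict(list)
    for user, group, value in rows:
        groups[group].append((user, value))
    flagged = {}
    for group, members in groups.items():
        if len(members) < min_group_size:
            continue
        scores = modified_z_scores([v for _, v in members])
        for (user, value), score in zip(members, scores):
            if score > threshold:   # high side only: we care about activity spikes
                flagged[user] = (group, value, round(score, 2))
    return flagged


if __name__ == "__main__":
    for user, (group, value, score) in peer_group_outliers(SAMPLE_ROWS).items():
        print(f"{user}: {value} hosts vs {group} peers (modified z = {score})")
```

Scored against all ten users at once, erin's 48 hosts sit inside the range the engineering users produce every day and no one is flagged; scored against her finance peers she is the only outlier, which is the point of grouping by peers before looking for anomalies. In practice the group and feature choices decide the false-positive rate, so they are tuned per data source rather than fixed as here.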

Page 19: Reducing Mean Time to Know


ADVANCED ANALYTICS DEMO

Page 20: Reducing Mean Time to Know


www.sqrrl.com

HOW TO LEARN MORE?

• Read our white paper or product paper
• Schedule a demo or proof of concept
• Request a VM or evaluation software