Delivering Security Insights with Data Analytics and Visualization
Raffael Marty
VP Security Analytics
ACSAC Orlando
November 2017
Disclaimer
"This presentation was prepared solely by Raffael Marty in his personal capacity. The material, views, and opinions expressed in this presentation are the author's own and do not reflect the views of Sophos Ltd. or its affiliates."
© Raffael Marty
Raffael Marty
• Sophos
• PixlCloud
• Loggly
• Splunk
• ArcSight
• IBM Research
• SecViz
• Logging
• Big Data
• ML & AI
• SIEM
• Leadership
• Zen
The master of Kennin temple was Mokurai. He had a little protégé named Toyo who was only twelve years old. Toyo saw how students entered the master's room each day and received instructions and guidance in Zen. The young boy wished to do zazen (meditation) as well. Upon convincing Mokurai, he went in front of the master, who gave him the following koan to ponder:
"You can hear the sound of two hands when they clap together," said Mokurai. "Now show me the sound of one hand."
Outline
• Big Data for Security
• A Security (Big) Data Journey
• Machine Learning and Artificial Intelligence
• Data Visualization
• Solving Security Problems with Data
• A Glimpse Into the Future
• My 5 Security Big Data Challenges
Big Data For Security
“memory has become the new hard disk,
hard disks are the tapes of years ago.”
-- unknown source
Security Data
Data
• infrastructure / network logs (flows, dns, dhcp, proxy, routing, IPS, DLP, …)
• host logs (file access, process launch, socket activity, etc.)
• HIPS, anti-virus, file integrity
• application logs (Web, SAP, HR, …)
• metrics
• configuration changes (host, network equipment, physical access, applications)
• indicators of compromise (threat feeds)
• physical access logs
• cloud instrumentation data
• change tickets
• incident information
Context
• asset information and classification
• identity context (roles, etc.)
• information classification and location (tracking movement?)
• HR / personnel information
• vulnerability scans
• configuration information for each machine, network device, and application
Big Data Systems – A Complex Ecosystem
Storing any kind of data
o Schema-less but with schema on demand
o Storing event data (time-series data, logs)
o Storing metrics
Data access
o Fast random access
o Ad-hoc analytical workloads
o Search
o Running models (data science)
Data processing needs
o Metric generation from raw logs
o Real-time matching against high volume threat feeds
o Anonymization
o Building dynamic context from the data
o Enrichment with entity information
Use-cases (each of which requires the storage, access, and processing capabilities above)
• Situational awareness / dashboards
• Alert triage
• Forensic investigations
• Incident management
• Reports (e.g., for compliance)
• Data sharing / collaboration
• Hunting
• Anomaly detection
• Behavioral analysis
• Pattern detection
• Scoring
Are Today’s Systems Ready For Big Data Use Cases?
Data Sources
• Haven’t been built with analysis in mind
• Logs are incomplete
• Log formats are not standardized
Log mgmt | SIEM | “Big Data Lakes”
• Don’t scale well to volumes, variety, and velocity
• No standard data pipelines – results in point-to-point integrations that are imperfect
• No standard storage concepts – results in data duplication
• No standard use-cases – results in ‘spaghetti architectures’
Security (Big) Data Journey
Image credit: http://journeyofhealth.org/
(Incomplete) Security Data History
“Big Data Is An Old Problem in Security”
The slide is a timeline with two tracks, Security and Big Data, marked at 1980, 1996, 2004, 2006, 2009, 2014 and 2016, running from data centralization (data lake) toward data insight. Milestones shown, in the order they appear on the slide:
• Firewalls, IPSs, OSs, Apps, Infra, etc. (the data sources)
• syslogd(8)
• Log Management and first SIM – “Big Data” in security
• RDBMS (way earlier already)
• CEF Standard (2007 CEE)
• First logging as a service offering
• Security Data Lake
• Apache Metron (Open SOC)
• Apache Spot
• Distributed storage and processing (Hadoop 0.1.0)
• AWS (re-launch)
• Kafka
• Separation of query engines and data stores (Presto, Drill, parquet, etc.)
• Continued innovation on cloud platforms (Athena, S3, etc.)
• First RAID conference (ML / AD)
• ML is slow and missing training data
• First VizSec conference
• Device and user-context correlation
• First ”security analytics” solution
• Deep Learning in security (traffic and malware identification)
• ”Big Bang of Deep Learning”
• First unstructured data store and search engine (Solr)
• Columnar data stores become popular (MonetDB, etc.)
• R (previously S)
Security Data – The State Today
• “Security Data Lakes – an excuse to collect anything without having to think about schemas and access patterns.”
• Data and infrastructure challenges to overcome
o Data standardization (parsing, schemas)
- Meaning of log entries and fields within
- When is a log generated, when not?
o Data infrastructure
- One architecture for all use-cases
- Self maintaining and healing
o Building ‘content’ across customers?
- Different policies
- Different data sources and configurations
o Data Privacy
Image credit: http://theconversation.com/your-questions-answered-on-artificial-intelligence-49645
(Diagram labels: Data Science, Data Mining, Machine Learning, Artificial Intelligence)
ML and AI – What Is It?
• Machine learning – Algorithmic ways to “describe” data
o Supervised
- We are giving the system a lot of training data and it learns from that
o Unsupervised
- We give the system some kind of optimization to solve (clustering, dim reduction)
• Deep learning – a ‘newer’ machine learning algorithm
o Eliminates the feature engineering step
o Verifiability issues
• Data Mining – Methods to explore data – automatically and interactively
• Artificial Intelligence – “Just calling something AI doesn’t make it AI.”
”A program that doesn't simply classify or compute model parameters, but comes up with novel knowledge that a security analyst finds insightful.”
Machine Learning in Security
• Supervised
o Malware classification
- Deep learning on millions of samples - 400k new malware samples a day
- Has increased true positives and decreased false positives compared to traditional ML
o Spam identification
• Unsupervised
o Tier 1 analyst automation (reducing workload from 600M events to 100 incidents)*
o User and Entity Behavior Analytics (UEBA)
- Uses mostly regular statistics and rule-based systems
* See Respond Software Inc.
Application of Machine Learning - Anomaly Detection
Objective: Find ‘security incidents’ in the data – deviations from the ‘norm’
• What’s “normal”?
• Needs explainability for clusters
• Observe clusters over time (requires stable ‘incremental’ clustering)
• Even a 0.01% false-positive rate is too high (1M log records -> 100 anomalies)
Limits of Machine Learning
“Everyone calls their stuff ‘machine learning’ or even better ‘artificial intelligence’ - It’s not cool to use statistics!”
“Companies are throwing algorithms on the wall to see what sticks - see security analytics market”
Machine Learning Challenges
• An algorithm is not the answer. It’s the process around it (find the best-fit algorithm for the data and use-case, feature engineering, supervision, drop outs, parameter choices, etc.)
• Even in deep learning, it’s not just about using TensorFlow. Features matter (e.g., independent bytes versus program flow)
• The algorithms are only as good as the data and the knowledge of the data
o Common data layers / common data models
o Enriched data
o Clean data (e.g., source/destination confusions)
• How do we build systems that incorporate expert knowledge?
Illustration of Parameter Choices and Their Failures
• t-SNE clustering of network traffic from two types of machines (three plots with different parameter choices):
o perplexity = 3, epsilon = 3: no clear separation
o perplexity = 3, epsilon = 19: 3 clusters instead of 2
o perplexity = 93, epsilon = 19: what a mess
Illustration of Parameter Choices and Their Failures
• Dangerous clusters
Adversarial Machine Learning
• An example of an attack on deep learning (shown as a figure on the slide)
The Role of Security. Analytics. Insight.
“How Can We See, Not To Confirm - But To Learn”
- Edward Tufte
Why Visualization?
(Figure: scatter plot of dport over time)
Visualization Overview
• Why?
o Verify output of machine generated intelligence
o Focus experts where they are most useful, rather than having them build tools / queries to understand the data
o Enable exploration and hunting
• What are the limitations?
o Data is always a problem – we need clean, enriched data
o Visualization of large data sets
o Interpretation is hard
- “And the single port with no traffic is port 0, which is reserved [24]” found in “Visualization of large scale Netflow data” by Nicolai H Eeg-Larsen
- “… and the destinations are Internet Web Server or DNS server or both with the port 0.”
- “.. so many TCP port scans are distributed in the whole day that most of them can be considered as false positives.”
https://www.researchgate.net/publication/257686749_IDSRadar_A_real-time_visualization_framework_for_IDS_alerts
VAST Challenge 2013 Submission – Spot the Problems?
(Figure annotations: dest port! Port 70000? src ports!)
http://vis.pku.edu.cn/people/simingchen/docs/vastchallenge13-mc3.pdf
Visualization Challenges
• Backend
o Super quick data access in any possible way (search, scan, summarize)
o Ability to ingest any data source - intelligent parsing anyone?
• User Interface
o The right visualization paradigms
o How to visualize 1m records?
o The right data abstractions / summarizations / aggregations
o Easy to use and still flexible enough
• Data Science
o Make the machine help us interpret the data
• How to encode domain knowledge?
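The "how to visualize 1m records" point above and the port-sanity problems on the VAST Challenge slide ("Port 70000?"), as an added example in Python that is not from the presentation: constructed flow records are checked for impossible or reserved port values before they reach a chart, then aggregated into the time-bucket × destination-port counts behind a "dport over time" heatmap, with rare ports folded into "other" so the port axis stays readable. The record layout, sample values and bucket width are assumptions made for the example.

```python
"""Validate port fields and aggregate flows into the time x destination-port
counts behind a 'dport over time' view (constructed example)."""
from collections import Counter, defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed flow records: (timestamp, src_ip, src_port, dst_ip, dst_port).
# Two of them carry port values that cannot be real, like the slide's 'Port 70000?'.
SAMPLE_FLOWS = [
    ("2017-11-06T09:00:12Z", "10.0.0.5", 51000, "203.0.113.4", 443),
    ("2017-11-06T09:04:50Z", "10.0.0.5", 51001, "203.0.113.4", 443),
    ("2017-11-06T09:09:30Z", "10.0.0.9", 52000, "203.0.113.9", 22),
    ("2017-11-06T09:12:05Z", "10.0.0.9", 52001, "203.0.113.9", 70000),
    ("2017-11-06T09:17:41Z", "10.0.0.7", 0, "203.0.113.4", 53),
    ("2017-11-06T09:20:00Z", "10.0.0.7", 53000, "203.0.113.4", 53),
]

Flow = Tuple[str, str, int, str, int]


def validate_ports(flows: List[Flow]) -> Tuple[List[Flow], List[Tuple[int, str]]]:
    """Separate plottable flows from records that fail basic port sanity checks.

    A port above 65535 cannot exist on the wire, and port 0 is reserved; both
    almost always indicate a parsing or collection defect, and a chart drawn over
    them misleads the reader instead of showing the traffic.
    """
    good, bad = [], []
    for idx, flow in enumerate(flows):
        _, _, sport, _, dport = flow
        problems = []
        for name, port in (("src_port", sport), ("dst_port", dport)):
            if not 0 <= port <= 65535:
                problems.append(f"{name}={port} out of range")
            elif port == 0:
                problems.append(f"{name}=0 is reserved (likely parsing error)")
        if problems:
            bad.append((idx, "; ".join(problems)))
        else:
            good.append(flow)
    return good, bad


def bucket_time(ts: str, minutes: int) -> str:
    """Floor an ISO-8601 UTC timestamp to a fixed-width bucket label (HH:MM)."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.replace(minute=(dt.minute // minutes) * minutes, second=0).strftime("%H:%M")


def aggregate_dport_over_time(flows: List[Flow], minutes: int = 10) -> Dict[str, Counter]:
    """Count flows per (time bucket, dst_port): one cell per heatmap pixel rather
    than one mark per raw record, which is what makes a million records drawable."""
    grid: Dict[str, Counter] = defaultdict(Counter)
    for ts, _, _, _, dport in flows:
        grid[bucket_time(ts, minutes)][dport] += 1
    return dict(grid)


def collapse_rare_ports(grid: Dict[str, Counter], top_n: int) -> Dict[str, Counter]:
    """Keep the top_n busiest ports overall and fold the rest into 'other', so the
    port axis stays readable when thousands of distinct ports occur."""
    totals: Counter = Counter()
    for counts in grid.values():
        totals.update(counts)
    keep = {port for port, _ in totals.most_common(top_n)}
    folded = {}
    for bucket, counts in grid.items():
        cell: Counter = Counter()
        for port, n in counts.items():
            cell[port if port in keep else "other"] += n
        folded[bucket] = cell
    return folded


def build_view(flows: List[Flow], minutes: int = 10, top_n: int = 1):
    """Run the full pipeline: validate, aggregate, abstract; return view and rejects."""
    good, bad = validate_ports(flows)
    return collapse_rare_ports(aggregate_dport_over_time(good, minutes), top_n), bad


if __name__ == "__main__":
    view, rejects = build_view(SAMPLE_FLOWS)
    for bucket in sorted(view):
        print(bucket, dict(view[bucket]))
    for idx, why in rejects:
        print("rejected record", idx, "->", why)
```

Rejected records are reported separately rather than silently dropped, since a sudden rise in their count is itself a collection problem worth a dashboard cell.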
Visualization Challenges - Security Metrics
• How to quantify ‘security’?
• Provide context
Solving Security Problems With Data
Objective: Automatically detect “problems” / attacks with data
Solution: Not ML or AI – the right process for the problem at hand
• Any data science approach:
o Encode domain knowledge – leverage trained experts (e.g., malware classification with n-grams, or URLs)
o Involve the right ‘entities’ (e.g., push problems out to the end user)
o Collect the right data for the given use-cases – don’t forget context and cleaning
o Plan for expert feedback / validation loop
o Build solutions for actual problems with real data that produce actionable insight
o Share your insights with your peers – security is not your competitive advantage
• Supervised:
o Be selective on the problems that have good, large training data sets
• Unsupervised:
o We need good distance functions. Ones that encode domain knowledge!
Applications of Data in Security
Data → Data Operations → Applications
• Prioritize event and entity data
• Rule-based correlations
• Behavior modeling
• Risk / exposure / threat computation
• Configuration assessments
• Data classification
• Data abstraction
• Cross ‘boundary’ data sharing
• Cross ‘customer’ analytics
• Crowd intelligence
• Enable free-form exploration
• Identify and attribute attacks
• Incident response
• Improve prevention
• Allocate / prioritize work / resources
• Situational awareness
• Understand exposure
• Risk inventory
• Spam, malware detection
• Feedback loop on initiatives
• Simplify security
• Continuous attestation
• Micro segmentation
• Risk informed, dynamic enforcement (automation)
Data is a core driver for many or most security use-cases
A Glimpse Into The Future
Image credit: http://www.aberdeenessentials.com/techpro-essentials/business-leaders-can-utilize-data-even-without-technology-background/
My Magic 8 Ball
• Data is distributed across the edge and (a) central data store
o We will have a (data lake)++ in every company with all security data (likely in the cloud)
o Centralize data for correlation (could we get a decentralized correlation system?)
o Keep raw sensor data at the edge and access through federated query system
o Threat intelligence will be tailored to your organization and exchanged in real-time
• APIs will be everywhere to let products integrate with each other
• Security Analytics as a product category, as well as orchestration will merge with the data platforms (SIEM++)
• Algorithms take a back seat – insights are key
o Nobody cares whether you call something artificial intelligence or machine learning. It’s about actual results
o Products will learn from users more and more
• Startups will deliver innovation, but only large organizations will be able to deliver on the overall security promise
• Detection is great. Protection is key. Closing the loop between insight and action.
o Continuous attestation
o Risk-based defense
• No 3D visualizations
Thoughts on How We Get There
• Focus on three types of users
o Data scientists and hunters – who know how to program, have security domain knowledge, and can find complex insights
o Security analysts – who use product interfaces to deal with security issues that the system couldn’t deal with automatically
o Non-security experts – who need insight into what is happening, but don’t know enough to intervene
• AWS will productize the ’all-encompassing data backend’ (others will contribute the technology)
o Abstracting the data storage layer
o Self-optimizing and monitoring query engine
• Hire and train good UX people
• Hire and train security domain experts
o ”A course doesn’t make you a data scientist – not a good one at least.” It’s about the domain knowledge!
• Use deep belief networks rather than deep learning
• Build systems that help analysts and experts be more effective
o Don’t try to replace them - let them do the interesting work
o Don’t make up use-cases. Go into organizations and learn what the real problems are
o Understand the user personas you are catering to
o Stop building islands of products – SA is a feature – how do we build that on top of a common platform?
o Move away from algorithm thinking into use-cases and workflows
• Collect all your data (network and endpoint) in one data store
My 5 Challenges
https://play.google.com/store/apps/dev?id=5029488271380967378
• Establish a pattern / algorithm / use-case sharing effort
• Define a common data model everyone can buy into (CIM, CEF, CEE, Spot, etc.)
o Including a semantic component for log records, not just syntax
• Build a common entity store
o Hooked up to a stream of data, it automatically extracts entities and creates a state store
o Allows for fast enrichment of data at ingest and query time
o Respects and enforces privacy
• Design a great CISO dashboard (framework)
o Risk and “security efficiency” oriented, actionable views
• Develop systems that ’absorb’ expert knowledge non-intrusively
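The "common data model" and "common entity store" challenges above, together with the data standardization and privacy points from the "Security Data – The State Today" slide, as an added worked example in Python that is not part of the presentation: two constructed log lines (one CEF, one netfilter-style syslog) are parsed, mapped onto one schema whose fields carry shared meaning, enriched from a small constructed entity store at ingest, and the user name replaced with a stable pseudonym. The vendor names, addresses, field mapping and entity store contents are all assumptions made for the example.

```python
"""Normalize two vendor log formats onto one common data model, then enrich the
result from an entity store and pseudonymize the user at ingest (constructed example)."""
import hashlib
import re
from typing import Dict, Optional

# Constructed sample records (not real device output): one CEF line and one
# netfilter-style syslog line, both describing denied connections.
SAMPLE_CEF = (
    "CEF:0|ExampleVendor|ExampleFW|1.0|100|Connection denied|5|"
    "src=10.0.0.5 dst=198.51.100.7 dpt=443 suser=alice msg=policy\\=deny hit"
)
SAMPLE_SYSLOG = (
    "Nov 12 10:15:03 fw01 kernel: DROP IN=eth0 SRC=10.0.0.9 DST=203.0.113.4 "
    "PROTO=TCP SPT=51522 DPT=22"
)

# Constructed entity store: asset context keyed by IP, identity context keyed by user.
ENTITY_STORE = {
    "10.0.0.5": {"asset": "hr-workstation-05", "criticality": "high"},
    "10.0.0.9": {"asset": "build-agent-09", "criticality": "medium"},
    "alice": {"role": "hr-analyst"},
}


def _unescape_cef(value: str) -> str:
    # CEF escapes '|' in header fields and '=' and '\' in extension values.
    return value.replace("\\=", "=").replace("\\|", "|").replace("\\\\", "\\")


def parse_cef(line: str) -> Dict[str, str]:
    """Split a CEF line into its seven header fields plus key=value extensions."""
    # Split on unescaped pipes only; everything after the 7th pipe is the extension.
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    header_keys = ["version", "vendor", "product", "device_version",
                   "signature_id", "name", "severity"]
    record = {k: _unescape_cef(v) for k, v in zip(header_keys, parts[:7])}
    record["version"] = record["version"][len("CEF:"):]
    # Extension values may contain spaces and escaped '=', so a value runs until
    # the next ' key=' token or the end of the line.
    for m in re.finditer(r"(\w+)=((?:\\=|[^=])*?)(?=\s+\w+=|$)", parts[7]):
        record[m.group(1)] = _unescape_cef(m.group(2))
    return record


def parse_netfilter(line: str) -> Dict[str, str]:
    """Collect the KEY=VALUE tokens of a netfilter-style syslog line."""
    record = {"action": "deny" if " DROP " in line else "allow"}
    record.update(m.groups() for m in re.finditer(r"\b([A-Z]+)=(\S+)", line))
    return record


def to_common_model(raw: Dict[str, str], source_type: str) -> Dict[str, Optional[str]]:
    """Map vendor field names onto shared field names with shared meaning.

    The point is semantics, not just syntax: CEF 'src' and netfilter 'SRC' both
    denote the initiating endpoint, and a denied connection is represented the
    same way whether the device logged 'DROP' or a 'Connection denied' signature.
    """
    if source_type == "cef":
        denied = "denied" in raw.get("name", "").lower()
        mapped = {"src_ip": raw.get("src"), "dst_ip": raw.get("dst"),
                  "dst_port": raw.get("dpt"), "user": raw.get("suser"),
                  "action": "deny" if denied else "allow"}
    elif source_type == "netfilter":
        mapped = {"src_ip": raw.get("SRC"), "dst_ip": raw.get("DST"),
                  "dst_port": raw.get("DPT"), "user": None, "action": raw["action"]}
    else:
        raise ValueError(f"unknown source type: {source_type}")
    mapped["source_type"] = source_type
    return mapped


def enrich(event: Dict[str, Optional[str]], entity_store: dict,
           salt: bytes = b"constructed-salt") -> Dict[str, Optional[str]]:
    """Attach asset and identity context, and replace the user name with a stable
    pseudonym so behavior can still be tracked per user without storing the name."""
    out = dict(event)
    asset = entity_store.get(event["src_ip"] or "", {})
    out["src_asset"] = asset.get("asset")
    out["src_criticality"] = asset.get("criticality")
    user = event["user"]
    out["user_role"] = entity_store.get(user, {}).get("role") if user else None
    if user:
        out["user"] = hashlib.sha256(salt + user.encode()).hexdigest()[:16]
    return out


def normalize(line: str) -> Dict[str, Optional[str]]:
    """Detect the source format, parse, map to the common model and enrich."""
    if line.startswith("CEF:"):
        return enrich(to_common_model(parse_cef(line), "cef"), ENTITY_STORE)
    return enrich(to_common_model(parse_netfilter(line), "netfilter"), ENTITY_STORE)


if __name__ == "__main__":
    for sample in (SAMPLE_CEF, SAMPLE_SYSLOG):
        print(normalize(sample))
```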
Questions?
http://slideshare.net/zrlram
@raffaelmarty
"You can hear the sound of two hands when they clap together," said Mokurai. "Now show me the sound of one hand."

 
Security Chat 5.0
Security Chat 5.0Security Chat 5.0
Security Chat 5.0
 
AI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are DangerousAI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are Dangerous
 
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't ChangedAI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
 
Security Insights at Scale
Security Insights at ScaleSecurity Insights at Scale
Security Insights at Scale
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & Visualization
 
Big Data Visualization
Big Data VisualizationBig Data Visualization
Big Data Visualization
 
The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?
 
Workshop: Big Data Visualization for Security
Workshop: Big Data Visualization for SecurityWorkshop: Big Data Visualization for Security
Workshop: Big Data Visualization for Security
 
Visualization for Security
Visualization for SecurityVisualization for Security
Visualization for Security
 
DAVIX - Data Analysis and Visualization Linux
DAVIX - Data Analysis and Visualization LinuxDAVIX - Data Analysis and Visualization Linux
DAVIX - Data Analysis and Visualization Linux
 
Cloud - Security - Big Data
Cloud - Security - Big DataCloud - Security - Big Data
Cloud - Security - Big Data
 
Cyber Security – How Visual Analytics Unlock Insight
Cyber Security – How Visual Analytics Unlock InsightCyber Security – How Visual Analytics Unlock Insight
Cyber Security – How Visual Analytics Unlock Insight
 
AfterGlow
AfterGlowAfterGlow
AfterGlow
 
Supercharging Visualization with Data Mining
Supercharging Visualization with Data MiningSupercharging Visualization with Data Mining
Supercharging Visualization with Data Mining
 
Security Visualization - Let's Take A Step Back
Security Visualization - Let's Take A Step BackSecurity Visualization - Let's Take A Step Back
Security Visualization - Let's Take A Step Back
 

Recently uploaded

”NewLo":the New Loyalty Program for the Web3 Era
”NewLo":the New Loyalty Program for the Web3 Era”NewLo":the New Loyalty Program for the Web3 Era
”NewLo":the New Loyalty Program for the Web3 Era
pjnewlo
 
一比一原版(city毕业证书)英国剑桥大学毕业证如何办理
一比一原版(city毕业证书)英国剑桥大学毕业证如何办理一比一原版(city毕业证书)英国剑桥大学毕业证如何办理
一比一原版(city毕业证书)英国剑桥大学毕业证如何办理
taqyea
 
Future Trends What's Next for UI UX Design on Websites
Future Trends What's Next for UI UX Design on WebsitesFuture Trends What's Next for UI UX Design on Websites
Future Trends What's Next for UI UX Design on Websites
Serva AppLabs
 
@Call @Girls Vile Parle phone 9920874524 You Are Serach A Beautyfull Dolle co...
@Call @Girls Vile Parle phone 9920874524 You Are Serach A Beautyfull Dolle co...@Call @Girls Vile Parle phone 9920874524 You Are Serach A Beautyfull Dolle co...
@Call @Girls Vile Parle phone 9920874524 You Are Serach A Beautyfull Dolle co...
RACHANA GUPTA
 
Nariman point @Call @Girls Whatsapp 9833363713 With High Profile Offer
Nariman point @Call @Girls Whatsapp 9833363713 With High Profile OfferNariman point @Call @Girls Whatsapp 9833363713 With High Profile Offer
Nariman point @Call @Girls Whatsapp 9833363713 With High Profile Offer
kmohit1234521
 
一比一原版(kcl毕业证书)英国伦敦国王学院毕业证如何办理
一比一原版(kcl毕业证书)英国伦敦国王学院毕业证如何办理一比一原版(kcl毕业证书)英国伦敦国王学院毕业证如何办理
一比一原版(kcl毕业证书)英国伦敦国王学院毕业证如何办理
taqyea
 
202254.com全网最高清影视香蕉影视,热门电影推荐,热门电视剧在线观看,免费电影,电影在线,在线观看。球华人在线電視劇,免费点播,免费提供最新高清的...
202254.com全网最高清影视香蕉影视,热门电影推荐,热门电视剧在线观看,免费电影,电影在线,在线观看。球华人在线電視劇,免费点播,免费提供最新高清的...202254.com全网最高清影视香蕉影视,热门电影推荐,热门电视剧在线观看,免费电影,电影在线,在线观看。球华人在线電視劇,免费点播,免费提供最新高清的...
202254.com全网最高清影视香蕉影视,热门电影推荐,热门电视剧在线观看,免费电影,电影在线,在线观看。球华人在线電視劇,免费点播,免费提供最新高清的...
ffg01100
 
Carrington degree offer diploma Transcript
Carrington degree offer diploma TranscriptCarrington degree offer diploma Transcript
Carrington degree offer diploma Transcript
ubufe
 
Ahmedabad @Call @Girls 0000000000 Riya Khan Beautiful And Cute Girl any Time
Ahmedabad @Call @Girls 0000000000 Riya Khan Beautiful And Cute Girl any TimeAhmedabad @Call @Girls 0000000000 Riya Khan Beautiful And Cute Girl any Time
Ahmedabad @Call @Girls 0000000000 Riya Khan Beautiful And Cute Girl any Time
adityaroy0215
 
一比一原版(warwick文凭证书)华威大学毕业证如何办理
一比一原版(warwick文凭证书)华威大学毕业证如何办理一比一原版(warwick文凭证书)华威大学毕业证如何办理
一比一原版(warwick文凭证书)华威大学毕业证如何办理
ysuah
 
一比一原版(爱大毕业证书)英国爱丁堡大学毕业证如何办理
一比一原版(爱大毕业证书)英国爱丁堡大学毕业证如何办理一比一原版(爱大毕业证书)英国爱丁堡大学毕业证如何办理
一比一原版(爱大毕业证书)英国爱丁堡大学毕业证如何办理
taqyea
 
PSD to Wordpress Service Providers in 2024
PSD to Wordpress Service Providers in 2024PSD to Wordpress Service Providers in 2024
PSD to Wordpress Service Providers in 2024
Bestdesign2hub
 
一比一原版(uh毕业证)休斯敦大学毕业证如何办理
一比一原版(uh毕业证)休斯敦大学毕业证如何办理一比一原版(uh毕业证)休斯敦大学毕业证如何办理
一比一原版(uh毕业证)休斯敦大学毕业证如何办理
mvahxyy
 
About Alibaba company and brief general information regarding how to trade on...
About Alibaba company and brief general information regarding how to trade on...About Alibaba company and brief general information regarding how to trade on...
About Alibaba company and brief general information regarding how to trade on...
Erkinjon Erkinov
 
一比一原版(爱大毕业证书)爱丁堡大学毕业证如何办理
一比一原版(爱大毕业证书)爱丁堡大学毕业证如何办理一比一原版(爱大毕业证书)爱丁堡大学毕业证如何办理
一比一原版(爱大毕业证书)爱丁堡大学毕业证如何办理
taqyea
 
Dasdadadâfafafafafafgsgsgs adjasjdajda.docx
Dasdadadâfafafafafafgsgsgs adjasjdajda.docxDasdadadâfafafafafafgsgsgs adjasjdajda.docx
Dasdadadâfafafafafafgsgsgs adjasjdajda.docx
tuanqa6868
 
一比一原版(uom毕业证)曼彻斯特大学毕业证如何办理
一比一原版(uom毕业证)曼彻斯特大学毕业证如何办理一比一原版(uom毕业证)曼彻斯特大学毕业证如何办理
一比一原版(uom毕业证)曼彻斯特大学毕业证如何办理
taqyea
 
sophos-xgs-series-firewall-datasheet.pdf
sophos-xgs-series-firewall-datasheet.pdfsophos-xgs-series-firewall-datasheet.pdf
sophos-xgs-series-firewall-datasheet.pdf
Thanksoan
 
Steps involved in the implementation of EDI in a company
Steps involved in the implementation of EDI in a companySteps involved in the implementation of EDI in a company
Steps involved in the implementation of EDI in a company
sivaraman163206
 
Ethics guidelines for trustworthy AI (HIGH-LEVEL EXPERT GROUP ON ARTIFICIAL I...
Ethics guidelines for trustworthy AI (HIGH-LEVEL EXPERT GROUP ON ARTIFICIAL I...Ethics guidelines for trustworthy AI (HIGH-LEVEL EXPERT GROUP ON ARTIFICIAL I...
Ethics guidelines for trustworthy AI (HIGH-LEVEL EXPERT GROUP ON ARTIFICIAL I...
prb404
 

Recently uploaded (20)

”NewLo":the New Loyalty Program for the Web3 Era
”NewLo":the New Loyalty Program for the Web3 Era”NewLo":the New Loyalty Program for the Web3 Era
”NewLo":the New Loyalty Program for the Web3 Era
 
一比一原版(city毕业证书)英国剑桥大学毕业证如何办理
一比一原版(city毕业证书)英国剑桥大学毕业证如何办理一比一原版(city毕业证书)英国剑桥大学毕业证如何办理
一比一原版(city毕业证书)英国剑桥大学毕业证如何办理
 
Future Trends What's Next for UI UX Design on Websites
Future Trends What's Next for UI UX Design on WebsitesFuture Trends What's Next for UI UX Design on Websites
Future Trends What's Next for UI UX Design on Websites
 
@Call @Girls Vile Parle phone 9920874524 You Are Serach A Beautyfull Dolle co...
@Call @Girls Vile Parle phone 9920874524 You Are Serach A Beautyfull Dolle co...@Call @Girls Vile Parle phone 9920874524 You Are Serach A Beautyfull Dolle co...
@Call @Girls Vile Parle phone 9920874524 You Are Serach A Beautyfull Dolle co...
 
Nariman point @Call @Girls Whatsapp 9833363713 With High Profile Offer
Nariman point @Call @Girls Whatsapp 9833363713 With High Profile OfferNariman point @Call @Girls Whatsapp 9833363713 With High Profile Offer
Nariman point @Call @Girls Whatsapp 9833363713 With High Profile Offer
 
一比一原版(kcl毕业证书)英国伦敦国王学院毕业证如何办理
一比一原版(kcl毕业证书)英国伦敦国王学院毕业证如何办理一比一原版(kcl毕业证书)英国伦敦国王学院毕业证如何办理
一比一原版(kcl毕业证书)英国伦敦国王学院毕业证如何办理
 
202254.com全网最高清影视香蕉影视,热门电影推荐,热门电视剧在线观看,免费电影,电影在线,在线观看。球华人在线電視劇,免费点播,免费提供最新高清的...
202254.com全网最高清影视香蕉影视,热门电影推荐,热门电视剧在线观看,免费电影,电影在线,在线观看。球华人在线電視劇,免费点播,免费提供最新高清的...202254.com全网最高清影视香蕉影视,热门电影推荐,热门电视剧在线观看,免费电影,电影在线,在线观看。球华人在线電視劇,免费点播,免费提供最新高清的...
202254.com全网最高清影视香蕉影视,热门电影推荐,热门电视剧在线观看,免费电影,电影在线,在线观看。球华人在线電視劇,免费点播,免费提供最新高清的...
 
Carrington degree offer diploma Transcript
Carrington degree offer diploma TranscriptCarrington degree offer diploma Transcript
Carrington degree offer diploma Transcript
 
Ahmedabad @Call @Girls 0000000000 Riya Khan Beautiful And Cute Girl any Time
Ahmedabad @Call @Girls 0000000000 Riya Khan Beautiful And Cute Girl any TimeAhmedabad @Call @Girls 0000000000 Riya Khan Beautiful And Cute Girl any Time
Ahmedabad @Call @Girls 0000000000 Riya Khan Beautiful And Cute Girl any Time
 
一比一原版(warwick文凭证书)华威大学毕业证如何办理
一比一原版(warwick文凭证书)华威大学毕业证如何办理一比一原版(warwick文凭证书)华威大学毕业证如何办理
一比一原版(warwick文凭证书)华威大学毕业证如何办理
 
一比一原版(爱大毕业证书)英国爱丁堡大学毕业证如何办理
一比一原版(爱大毕业证书)英国爱丁堡大学毕业证如何办理一比一原版(爱大毕业证书)英国爱丁堡大学毕业证如何办理
一比一原版(爱大毕业证书)英国爱丁堡大学毕业证如何办理
 
PSD to Wordpress Service Providers in 2024
PSD to Wordpress Service Providers in 2024PSD to Wordpress Service Providers in 2024
PSD to Wordpress Service Providers in 2024
 
一比一原版(uh毕业证)休斯敦大学毕业证如何办理
一比一原版(uh毕业证)休斯敦大学毕业证如何办理一比一原版(uh毕业证)休斯敦大学毕业证如何办理
一比一原版(uh毕业证)休斯敦大学毕业证如何办理
 
About Alibaba company and brief general information regarding how to trade on...
About Alibaba company and brief general information regarding how to trade on...About Alibaba company and brief general information regarding how to trade on...
About Alibaba company and brief general information regarding how to trade on...
 
一比一原版(爱大毕业证书)爱丁堡大学毕业证如何办理
一比一原版(爱大毕业证书)爱丁堡大学毕业证如何办理一比一原版(爱大毕业证书)爱丁堡大学毕业证如何办理
一比一原版(爱大毕业证书)爱丁堡大学毕业证如何办理
 
Dasdadadâfafafafafafgsgsgs adjasjdajda.docx
Dasdadadâfafafafafafgsgsgs adjasjdajda.docxDasdadadâfafafafafafgsgsgs adjasjdajda.docx
Dasdadadâfafafafafafgsgsgs adjasjdajda.docx
 
一比一原版(uom毕业证)曼彻斯特大学毕业证如何办理
一比一原版(uom毕业证)曼彻斯特大学毕业证如何办理一比一原版(uom毕业证)曼彻斯特大学毕业证如何办理
一比一原版(uom毕业证)曼彻斯特大学毕业证如何办理
 
sophos-xgs-series-firewall-datasheet.pdf
sophos-xgs-series-firewall-datasheet.pdfsophos-xgs-series-firewall-datasheet.pdf
sophos-xgs-series-firewall-datasheet.pdf
 
Steps involved in the implementation of EDI in a company
Steps involved in the implementation of EDI in a companySteps involved in the implementation of EDI in a company
Steps involved in the implementation of EDI in a company
 
Ethics guidelines for trustworthy AI (HIGH-LEVEL EXPERT GROUP ON ARTIFICIAL I...
Ethics guidelines for trustworthy AI (HIGH-LEVEL EXPERT GROUP ON ARTIFICIAL I...Ethics guidelines for trustworthy AI (HIGH-LEVEL EXPERT GROUP ON ARTIFICIAL I...
Ethics guidelines for trustworthy AI (HIGH-LEVEL EXPERT GROUP ON ARTIFICIAL I...
 

Delivering Security Insights with Data Analytics and Visualization

1. Delivering Security Insights with Data Analytics and Visualization
Raffael Marty, VP Security Analytics
ACSAC Orlando, November 2017

2. Disclaimer
"This presentation was prepared solely by Raffael Marty in his personal capacity. The material, views, and opinions expressed in this presentation are the author's own and do not reflect the views of Sophos Ltd. or its affiliates."

3. Raffael Marty
• Sophos
• PixlCloud
• Loggly
• Splunk
• ArcSight
• IBM Research
• SecViz
• Logging
• Big Data
• ML & AI
• SIEM
• Leadership
• Zen

4. The master of Kennin temple was Mokurai. He had a little protégé named Toyo who was only twelve years old. Toyo saw how students entered the master's room each day and received instructions and guidance in Zen. The young boy wished to do zazen (meditation) as well. Upon convincing Mokurai, he went in front of the master, who gave him the following koan to ponder:
"You can hear the sound of two hands when they clap together," said Mokurai. "Now show me the sound of one hand."

5. Outline
• Big Data for Security
• A Security (Big) Data Journey
• Machine Learning and Artificial Intelligence
• Data Visualization
• Solving Security Problems with Data
• A Glimpse Into the Future
• My 5 Security Big Data Challenges

6. Big Data For Security

7. "memory has become the new hard disk, hard disks are the tapes of years ago." -- unknown source

8. Security Data
Data
• infrastructure / network logs (flows, dns, dhcp, proxy, routing, IPS, DLP, …)
• host logs (file access, process launch, socket activity, etc.)
• HIPS, anti-virus, file integrity
• application logs (Web, SAP, HR, …)
• metrics
• configuration changes (host, network equipment, physical access, applications)
• indicators of compromise (threat feeds)
• physical access logs
• cloud instrumentation data
• change tickets
• incident information
Context
• asset information and classification
• identity context (roles, etc.)
• information classification and location (tracking movement?)
• HR / personnel information
• vulnerability scans
• configuration information for each machine, network device, and application
9. Big Data Systems – A Complex Ecosystem
Storing any kind of data
  o Schema-less but with schema on demand
  o Storing event data (time-series data, logs)
  o Storing metrics
Data access
  o Fast random access
  o Ad-hoc analytical workloads
  o Search
  o Running models (data science)
Data processing needs
  o Metric generation from raw logs
  o Real-time matching against high volume threat feeds
  o Anonymization
  o Building dynamic context from the data
  o Enrichment with entity information
Use-cases (these are what require the capabilities above)
• Situational awareness / dashboards
• Alert triage
• Forensic investigations
• Incident management
• Reports (e.g., for compliance)
• Data sharing / collaboration
• Hunting
• Anomaly detection
• Behavioral analysis
• Pattern detection
• Scoring

10. Are Today's Systems Ready For Big Data Use Cases?
Data Sources
• Haven't been built with analysis in mind
• Logs are incomplete
• Log formats are not standardized
Log mgmt | SIEM | "Big Data Lakes"
• Don't scale well to volumes, variety, and velocity
• No standard data pipelines – results in point-to-point integrations that are imperfect
• No standard storage concepts – results in data duplication
• No standard use-cases – results in 'spaghetti architectures'

11. Security (Big) Data Journey
Image credit: http://journeyofhealth.org/

12. (Incomplete) Security Data History
"Big Data Is An Old Problem in Security"
Timeline milestones (the slide's year markers 1980, 1996, 2004, 2006, 2009, 2014 and 2016 lost their placement in extraction, so the items are listed without years):
• Firewalls, IPSs, OSs, Apps, Infra, etc. as security big data sources; syslogd(8)
• Log Management and first SIM: "Big Data" in security; RDBMS (way earlier already)
• CEF Standard (2007 CEE)
• First logging as a service offering
• Security Data Lake
• Apache Metron (Open SOC), Apache Spot
• Distributed storage and processing (Hadoop 0.1.0)
• AWS (re-launch), Kafka
• Separation of query engines and data stores (Presto, Drill, parquet, etc.)
• Continued innovation on cloud platforms (Athena, S3, etc.)
• First RAID conference (ML / AD); ML is slow and missing training data
• First VizSec conference
• Device and user-context correlation
• First "security analytics" solution
• Deep Learning in security (traffic and malware identification); "Big Bang of Deep Learning"
• First unstructured data store and search engine (Solr)
• Columnar data stores become popular (MonetDB, etc.)
• R (previously S)
Themes on the timeline: Data Lake; Data centralization; Data insight

13. Security Data – The State Today
• "Security Data Lakes – an excuse to collect anything without having to think about schemas and access patterns."
• Data and infrastructure challenges to overcome
  o Data standardization (parsing, schemas)
    - Meaning of log entries and fields within
    - When is a log generated, when not?
  o Data infrastructure
    - One architecture for all use-cases
    - Self-maintaining and healing
  o Building 'content' across customers?
    - Different policies
    - Different data sources and configurations
  o Data Privacy
15. ML and AI – What Is It?
• Machine learning – Algorithmic ways to "describe" data
  o Supervised - We are giving the system a lot of training data and it learns from that
  o Unsupervised - We give the system some kind of optimization to solve (clustering, dim reduction)
• Deep learning – a 'newer' machine learning algorithm
  o Eliminates the feature engineering step
  o Verifiability issues
• Data Mining – Methods to explore data – automatically and interactively
• Artificial Intelligence – "Just calling something AI doesn't make it AI."
  "A program that doesn't simply classify or compute model parameters, but comes up with novel knowledge that a security analyst finds insightful."

16. Machine Learning in Security
• Supervised
  o Malware classification
    - Deep learning on millions of samples
    - 400k new malware samples a day
    - Has increased true positives and decreased false positives compared to traditional ML
  o Spam identification
• Unsupervised
  o Tier 1 analyst automation (reducing workload from 600M events to 100 incidents)*
  o User and Entity Behavior Analytics (UEBA)
    - Uses mostly regular statistics and rule-based systems
* See Respond Software Inc.

17. Application of Machine Learning - Anomaly Detection
Objective: Find 'security incidents' in the data – deviations from the 'norm'
• What's "normal"?
• Needs explainability for clusters
• Observe clusters over time (requires stable 'incremental' clustering)
• Even 0.01% of false positives are too high (1m log records -> 100 anomalies)

18. Limits of Machine Learning
"Everyone calls their stuff 'machine learning' or even better 'artificial intelligence' - It's not cool to use statistics!"
"Companies are throwing algorithms on the wall to see what sticks - see security analytics market"
Machine Learning Challenges
• An algorithm is not the answer. It's the process around it (find the best fit algorithm for the data and use-case, feature engineering, supervision, drop outs, parameter choices, etc.)
• Even in deep learning, it's not just about using tensorflow. Features matter (e.g., independent bytes versus program flow)
• The algorithms are only as good as the data and the knowledge of the data
  o Common data layers / common data models
  o Enriched data
  o Clean data (e.g., source/destination confusions)
• How do we build systems that incorporate expert knowledge?

19. Illustration of Parameter Choices and Their Failures
• t-SNE clustering of network traffic from two types of machines
  o perplexity = 3, epsilon = 3: No clear separation
  o perplexity = 3, epsilon = 19: 3 clusters instead of 2
  o perplexity = 93, epsilon = 19: What a mess

20. Illustration of Parameter Choices and Their Failures
• Dangerous clusters

21. Adversarial Machine Learning
• An example of an attack on deep learning
23. Security. Analytics. Insight.
"How Can We See, Not To Confirm - But To Learn" - Edward Tufte

25. Visualization Overview
• Why?
  o Verify output of machine generated intelligence
  o Focus experts where they are most useful, rather than having them build tools / queries to understand the data
  o Enable exploration and hunting
• What are the limitations?
  o Data is always a problem – we need clean, enriched data
  o Visualization of large data sets
  o Interpretation is hard
    - "And the single port with no traffic is port 0, which is reserved [24]" (found in "Visualization of large scale Netflow data" by Nicolai H Eeg-Larsen)
    - "… and the destinations are Internet Web Server or DNS server or both with the port 0."
    - ".. so many TCP port scans are distributed in the whole day that most of them can be considered as false positives."
https://www.researchgate.net/publication/257686749_IDSRadar_A_real-time_visualization_framework_for_IDS_alerts

26. VAST Challenge 2013 Submission – Spot the Problems?
Annotations on the chart: dest port! Port 70000? src ports!
http://vis.pku.edu.cn/people/simingchen/docs/vastchallenge13-mc3.pdf
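Slides 18, 25 and 26 point at one root cause: flow data that is dirty (source/destination confusions, port 0 showing up as the quiet port, a destination port of 70000) makes the chart lie before any analysis starts. The following Python is added here and is not from the deck; a data-quality gate that flags such records before they are visualized. The sample flows and the direction heuristic are constructed for illustration:

```python
"""Data-quality gate for flow records before they reach a chart.

Added example, not part of the slides. It flags the kinds of defects the
talk points at: a destination port of 70000 (impossible value), port 0 on
TCP/UDP (reserved, usually a truncated transport header) and records whose
source and destination look swapped. The direction heuristic and the
sample flows below are constructed for illustration.
"""
from collections import Counter

MAX_PORT = 65535
WELL_KNOWN_PORT_MAX = 1023              # 0-1023: server-side ports
PORTLESS_PROTOCOLS = {"icmp", "icmp6"}  # port 0 is legitimate here

# Constructed NetFlow-like records; the last three each carry one defect.
SAMPLE_FLOWS = [
    {"src_ip": "10.0.0.5", "src_port": 51234, "dst_ip": "93.184.216.34", "dst_port": 443, "proto": "tcp"},
    {"src_ip": "10.0.0.7", "src_port": 40000, "dst_ip": "10.0.0.53", "dst_port": 53, "proto": "udp"},
    {"src_ip": "10.0.0.9", "src_port": 0, "dst_ip": "10.0.0.1", "dst_port": 0, "proto": "icmp"},
    {"src_ip": "10.0.0.9", "src_port": 0, "dst_ip": "10.0.0.1", "dst_port": 0, "proto": "tcp"},
    {"src_ip": "10.0.0.11", "src_port": 33000, "dst_ip": "198.51.100.8", "dst_port": 70000, "proto": "tcp"},
    {"src_ip": "203.0.113.20", "src_port": 80, "dst_ip": "10.0.0.12", "dst_port": 49152, "proto": "tcp"},
]


def check_flow(flow):
    """Return the data-quality tags for one record; [] means it passed."""
    ports = (flow["src_port"], flow["dst_port"])
    proto = flow["proto"].lower()

    # 1. A value outside 0..65535 cannot be a port. It points at a broken
    #    parser or exporter, so nothing else in the record is trusted either.
    if any(not 0 <= p <= MAX_PORT for p in ports):
        return ["invalid_port"]

    issues = []
    # 2. Port 0 is reserved. ICMP has no ports, so 0 is expected there; on
    #    TCP/UDP it usually means the collector never saw the transport header.
    if proto not in PORTLESS_PROTOCOLS and 0 in ports:
        issues.append("port_zero")

    # 3. Direction heuristic: a well-known port on the *source* side talking to
    #    an ephemeral port suggests the reply was exported as the request.
    if flow["src_port"] <= WELL_KNOWN_PORT_MAX < flow["dst_port"]:
        issues.append("direction_suspect")
    return issues


def normalize_direction(flow):
    """Return a copy with client and server swapped for a direction_suspect
    record; any other record is copied unchanged."""
    fixed = dict(flow)
    if "direction_suspect" in check_flow(flow):
        fixed["src_ip"], fixed["dst_ip"] = flow["dst_ip"], flow["src_ip"]
        fixed["src_port"], fixed["dst_port"] = flow["dst_port"], flow["src_port"]
    return fixed


def triage(flows):
    """Split flows into (clean, rejected) and count what was found.

    A record whose only problem is direction is normalized and kept; every
    other flagged record is rejected so it cannot distort the visualization.
    """
    clean, rejected, counts = [], [], Counter()
    for flow in flows:
        issues = check_flow(flow)
        if not issues:
            counts["ok"] += 1
            clean.append(flow)
        elif issues == ["direction_suspect"]:
            counts["direction_suspect"] += 1
            clean.append(normalize_direction(flow))
        else:
            counts.update(issues)
            rejected.append(flow)
    return clean, rejected, dict(counts)


if __name__ == "__main__":
    kept, dropped, summary = triage(SAMPLE_FLOWS)
    print(f"kept {len(kept)}, rejected {len(dropped)}: {summary}")
    for flow in dropped:
        print("rejected:", check_flow(flow), flow)
```

The rejected count is itself a data-quality metric worth plotting next to the chart; a non-zero "invalid_port" bucket means the parser, not the network, produced the outlier.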
27. Visualization Challenges
• Backend
  o Super quick data access in any possible way (search, scan, summarize)
  o Ability to ingest any data source - intelligent parsing anyone?
• User Interface
  o The right visualization paradigms
  o How to visualize 1m records?
  o The right data abstractions / summarizations / aggregations
  o Easy to use and still flexible enough
• Data Science
  o Make the machine help us interpret the data
• How to encode domain knowledge?

28. Visualization Challenges - Security Metrics
• How to quantify 'security'?
• Provide context
30. Solving Security Problems With Data
Objective: Automatically detect "problems" / attacks with data
Solution: Not ML or AI – the right process for the problem at hand
• Any data science approach:
  o Encode domain knowledge – leverage trained experts (e.g., malware classification with n-grams, or URLs)
  o Involve the right 'entities' (e.g., push problems out to the end user)
  o Collect the right data for the given use-cases – don't forget context and cleaning
  o Plan for expert feedback / validation loop
  o Build solutions for actual problems with real data that produce actionable insight
  o Share your insights with your peers – security is not your competitive advantage
• Supervised:
  o Be selective on the problems that have good, large training data sets
• Unsupervised:
  o We need good distance functions. Ones that encode domain knowledge!

31. Applications of Data in Security
(The slide groups these under three headings: Data, Data Operations, Applications.)
• Prioritize event and entity data
• Rule-based correlations
• Behavior modeling
• Risk / exposure / threat computation
• Configuration assessments
• Data classification
• Data abstraction
• Cross 'boundary' data sharing
• Cross 'customer' analytics
• Crowd intelligence
• Enable free-form exploration
• Identify and attribute attacks
• Incident response
• Improve prevention
• Allocate / prioritize work / resources
• Situational awareness
• Understand exposure
• Risk inventory
• Spam, malware detection
• Feedback loop on initiatives
• Simplify security
• Continuous attestation
• Micro segmentation
• Risk informed, dynamic enforcement (automation)
Data is a core driver for many or most security use-cases

32. A Glimpse Into The Future
http://www.aberdeenessentials.com/techpro-essentials/business-leaders-can-utilize-data-even-without-technology-background/

33. My Magic 8 Ball
• Data is distributed across the edge and (a) central data store
  o We will have a (data lake)++ in every company with all security data (likely in the cloud)
  o Centralize data for correlation (could we get a decentralized correlation system?)
  o Keep raw sensor data at the edge and access through federated query system
  o Threat intelligence will be tailored to your organization and exchanged in real-time
• APIs will be everywhere to let products integrate with each other
• Security Analytics as a product category, as well as orchestration, will merge with the data platforms (SIEM++)
• Algorithms take a back seat – insights are key
  o Nobody cares whether you call something artificial intelligence or machine learning. It's about actual results
  o Products will learn from users more and more
• Startups will deliver innovation, but only large organizations will be able to deliver on the overall security promise
• Detection is great. Protection is key. Closing the loop between insight and action.
  o Continuous attestation
  o Risk-based defense
• No 3D visualizations

34. Thoughts on How We Get There
• Focus on three types of users
  o Data scientists and hunters – that know how to program, have security domain knowledge, and can find complex insights
  o Security analysts – that are using product interfaces to deal with security issues that the system couldn't deal with automatically
  o Non security experts – that need insight into what is happening, but don't know enough to intervene
• AWS will productize the 'all encompassing data backend' (others will contribute the technology)
  o Abstracting the data storage layer
  o Self-optimizing and monitoring query engine
• Hire and train good UX people
• Hire and train security domain experts
  o "A course doesn't make you a data scientist – not a good one at least". It's about the domain knowledge!
• Use deep belief networks rather than deep learning
• Build systems that help analysts and experts be more effective
  o Don't try to replace them - let them do the interesting work
  o Don't make up use-cases. Go into organizations and learn what the real problems are
  o Understand the user personas you are catering to
  o Stop building islands of products – SA is a feature – how do we build that on top of a common platform?
  o Move away from algorithm thinking into use-cases and workflows
• Collect all your data (network and endpoint) in one data store

36. My 5 Challenges
• Establish a pattern / algorithm / use-case sharing effort
• Define a common data model everyone can buy into (CIM, CEF, CEE, Spot, etc.)
  o Including a semantic component for log records, not just syntax
• Build a common entity store
  o Hooked up to a stream of data it automatically extracts entities and creates a state store
  o Allows for fast enrichment of data at ingest and query time
  o Respects and enforces privacy
• Design a great CISO dashboard (framework)
  o Risk and "security efficiency" oriented, actionable views
• Develop systems that 'absorb' expert knowledge non-intrusively

37. Questions?
http://slideshare.net/zrlram
@raffaelmarty
"You can hear the sound of two hands when they clap together," said Mokurai. "Now show me the sound of one hand."