FROM FALSE POSITIVES TO ACTIONABLE ANALYSIS: BEHAVIORAL INTRUSION DETECTION, MACHINE LEARNING, AND THE SOC, presented at Black Hat USA 2015

by Joseph Zadeh

Summary: This talk outlines an approach to modeling human behavior in network traffic with the goal of automatically labeling events that have security context. Large-scale defensive programs now have the opportunity to invest resources in next-generation distributed architectures and software stacks to build custom security solutions to augment existing SIEM- and point-solution-driven escalations. We describe ways to create such a scalable framework of distributed forensic artificial intelligences to hunt for evil and to minimize time spent on repeatable remediation and evidence collection processes. This type of next-gen cybersecurity analytics engine can add immediate value through alarm reduction and attribution of attacks to threat actors and campaigns over time.
The goal of building such a framework is to reduce time to detection and to provide automated ways to help incident response and daily reporting and escalations. The amount of data present in corporate SIEMs and IT warehouses allows security teams to build the central nervous system of the Security Operations Center (SOC). One of the more complex tasks in designing such a next-generation defensive system is to leverage machine learning to build models that are dynamic and intelligent enough to adapt to changing threats (labels suffer from concept drift) and to catch threats that have never been observed before (no ground truth). We describe ways to roadmap such cybersecurity analytics and ways to calculate the best return on investment given existing coverage and needs mapped to the threat surface.