Insider Threat Detection



Similar documents
DETECTING THREATENING INSIDERS WITH LIGHTWEIGHT MEDIA FORENSICS

SCEADAN Systematic Classification Engine for Advanced Data ANalysis

SCEADAN Systematic Classification Engine for Advanced Data ANalysis

CLOUD ANALYTICS: Empowering the Army Intelligence Core Analytic Enterprise

ALERT LOGIC FOR HIPAA COMPLIANCE

Summary of CIP Version 5 Standards

ProtectWise: Shifting Network Security to the Cloud Date: March 2015 Author: Tony Palmer, Senior Lab Analyst and Aviv Kaufmann, Lab Analyst

Hunting for the Undefined Threat: Advanced Analytics & Visualization

Presenting Mongoose A New Approach to Traffic Capture (patent pending) presented by Ron McLeod and Ashraf Abu Sharekh January 2013

Meeting the challenges of today s oil and gas exploration and production industry.

Gaming System Monitoring and Analysis Effort

How To Manage Security On A Networked Computer System

Continuous Network Monitoring

Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst

Introduction to Data Mining

Innovative, High-Density, Massively Scalable Packet Capture and Cyber Analytics Cluster for Enterprise Customers

IBM Security IBM Corporation IBM Corporation

LOG AND EVENT MANAGEMENT FOR SECURITY AND COMPLIANCE

NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT

Cyber Watch. Written by Peter Buxbaum

CyberArk Privileged Threat Analytics. Solution Brief

Insider Threat Detection Using Graph-Based Approaches

CYBER SCIENCE 2015 AN ANALYSIS OF NETWORK TRAFFIC CLASSIFICATION FOR BOTNET DETECTION

SecureVue Product Brochure

Advanced File Integrity Monitoring for IT Security, Integrity and Compliance: What you need to know

LOG INTELLIGENCE FOR SECURITY AND COMPLIANCE

the challenge our mission our advisors

POWERFUL SOFTWARE. FIGHTING HIGH CONSEQUENCE CYBER CRIME. KEY SOLUTION HIGHLIGHTS

Evolution Of Cyber Threats & Defense Approaches

Vulnerability Management

North American Electric Reliability Corporation: Critical Infrastructure Protection, Version 5 (NERC-CIP V5)

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

How To Manage Sourcefire From A Command Console

Indexing Full Packet Capture Data With Flow

McAfee Network Security Platform

Compliance Guide: ASD ISM OVERVIEW

PALANTIR CYBER An End-to-End Cyber Intelligence Platform for Analysis & Knowledge Management

IBM Data Security Services for endpoint data protection endpoint data loss prevention solution

High-Frequency Active Internet Topology Mapping

Introduction to Data Mining and Machine Learning Techniques. Iza Moise, Evangelos Pournaras, Dirk Helbing

LASTLINE WHITEPAPER. Large-Scale Detection of Malicious Web Pages

PRACTICAL DATA MINING IN A LARGE UTILITY COMPANY

Introduction to Data Mining

IBM SECURITY QRADAR INCIDENT FORENSICS

This Symposium brought to you by

A New Era of Cybersecurity Neil Mohammed, Sales Engineer

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

Endpoint Threat Detection without the Pain

GETTING REAL ABOUT SECURITY MANAGEMENT AND "BIG DATA"

Concepts of digital forensics

Intrusion Detection. Overview. Intrusion vs. Extrusion Detection. Concepts. Raj Jain. Washington University in St. Louis

First Line of Defense

Modern IT Operations Management. Why a New Approach is Required, and How Boundary Delivers

Secure Because Math: Understanding ML- based Security Products (#SecureBecauseMath)

CYBER SECURITY. Novel Approaches for Security in Building Automation Systems. J. Kaur, C. Herdin, J. Tonejc, S. Wendzel, M. Meier, and S.

IBM Security QRadar SIEM Version MR1. Administration Guide

Visualization, Modeling and Predictive Analysis of Internet Attacks. Thermopylae Sciences + Technology, LLC

Azure Machine Learning, SQL Data Mining and R

CorreLog: Mature SIEM Solution on Day One Paul Gozaloff, CISSP. Presentation for SC Congress esymposium CorreLog, Inc. Tuesday, August 5, 2014

Introduction. Architecture Re-engineering. Systems Consolidation. Data Acquisition. Data Integration. Database Technology

Energy Efficient Storage - Multi- Tier Strategies For Retaining Data

Web Plus Security Features and Recommendations

ENVI Services Engine: Scientific Data Analysis and Image Processing for the Cloud

SIMPLE MACHINE HEURISTIC INTELLIGENT AGENT FRAMEWORK

Double guard: Detecting Interruptions in N- Tier Web Applications

Yuan Fan Arcsight. Advance SQL Injection Detection by Join Force of Database Auditing and Anomaly Intrusion Detection

IS 6363 Computer Forensics Spring 2006

Full-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform

The Comprehensive National Cybersecurity Initiative

Conclusions and Future Directions

Hardware Enabled Zero Day Protection

SANS Top 20 Critical Controls for Effective Cyber Defense

On-Premises DDoS Mitigation for the Enterprise

WebSphere Business Monitor

Introduction. Jason Lawrence, MSISA, CISSP, CISA Manager, EY Advanced Security Center Atlanta, Georgia

Why is Internal Audit so Hard?

Notable Changes to NERC Reliability Standard CIP-010-3

Hybrid Model For Intrusion Detection System Chapke Prajkta P., Raut A. B.

Protect the data that drives our customers business. Data Security. Imperva s mission is simple:

Spark use case at Telefonica CBS

Anatomy of Cyber Threats, Vulnerabilities, and Attacks

Machine Data Analytics with Sumo Logic

REDCENTRIC MANAGED BACKUP SERVICE SERVICE DEFINITION

Symantec Endpoint Protection 11.0 Architecture, Sizing, and Performance Recommendations

Role of Anomaly IDS in Network

Hillstone T-Series Intelligent Next-Generation Firewall Whitepaper: Abnormal Behavior Analysis

Stay ahead of insiderthreats with predictive,intelligent security

Water Network Monitoring: A New Approach to Managing and Sustaining Water Distribution Infrastructure

Becoming an Agile Digital Detective

EnCase Endpoint Security Product Overview

End-user Security Analytics Strengthens Protection with ArcSight

Gaining and Maintaining Support for a SOC. Jim Goddard Executive Director, Kaiser Permanente

Cyber Threat Intelligence and Incident Coordination Center (C 3 ) Protecting the Healthcare Industry from Cyber Attacks

Transcription:

Insider Threat Detection Using Lightweight Media Forensics Cyber Security Division 2012 Principal Investigators Meeting October 10, 2012 Nicole L. Beebe, Ph.D. Assistant Professor The University of Texas at San Antonio Nicole.Beebe@utsa.edu 210-458-8040 (210-269-5647 cell)

Outline Intro Technical Approach Milestones, Deliverables, Schedule Technology Transition Plan Quad Chart 2

Intro TTA #4 Insider Threat Focus on detection (vs. prevention or deterrence) Detect anomalous accumulation of data Indication and warning of exfiltration threat Alert to criminal and/or exploitable behavior Research Team PI: Simson Garfinkel, Ph.D. Naval Postgraduate School Co-PI: Nicole Beebe, Ph.D. The University of Texas at San Antonio UTSA Co-Investigator, Dr. Daijin Ko, Ph.D. 3

Technical Approach The Problem Indication and warning of exfiltration threat when Information collected IAW access permissions Data collected, transmitted, and deleted quickly No signature exists for behavior Past detection efforts focused on Monitoring access patterns Defining signatures Detection solutions must Be scalable to large, diverse, dislocated organizations Be lightweight and not impact computational operations Accommodate fluidity and variety in workforce 4

Technical Approach The Solution Detect threatening insiders by detecting deviations in their individual storage profile on their workstation Deviations in storage profile Data focused (not quantity/quota) Types (file/data type and content based) Deviations measured from variety of baselines Individual, role-based, department, organization Tunable anomaly alert sensitivity To balance false positive false negative trade-off To increase monitoring on individuals or units 5

Technical Approach The Solution Benefits System agnostic Leverages but does not rely on file system Scalable Uses reliable sampling of stored data Does not rely on policy statement or discovery Does not require Internet connectivity Does not rely on insider threat modeling or signatures No intellectual property costs (uses GOTS) 6

Technical Approach The Solution Approach Local, lightweight, covert, secured surveillance agents installed on workstations calculates storage profiles bulk_extractor Open-source, demonstrated capability, v1.3 just released Random sampling Of disk data to minimize computational overhead Of interval to minimize anti-forensics efforts Central management console Surveillance agents send line-based profile data for analysis and anomaly detection Statistical cluster analysis detects outliers 7

Bulk Extractor Viewer Screen Shot 8

Technical Approach Technical Challenges Science: Clustering algorithm selection/development Accuracy and speed trade-off of extant algorithms Develop combinatorial algorithm to improve accuracy Need for automated parameter selection amidst noisy data Feature selection Engineering: Visualization component Visual representation of anomalies Facilitate analyst drill-down 10

Milestones & Schedule Year 1 Milestone: Develop and test lightweight media forensics agent for Windows workstations Done: Bulk Extractor v1.3 released To do: Enhancements and sampling engine Milestone: Develop and test optimal clustering algorithm Leverage past research at UTSA Self-organizing neural nets in digital forensics Automated parameter estimation heuristics Precision INdex (PIN) measure for combining classifiers 11

Milestones & Schedule Year 2 Milestone: Develop and test management console tools, data aggregation agent, visualization components on limited scope production network at NPS Currently investigating adaptation of open source network collection and remote management systems Year 3 Milestone: Final development of outlier detection and visualization technology based on test results and largescale testing on partner network(s) 12

Deliverables & Schedule Year 1 Year 2 Knowledge Products (Tech Report / Academic Pub) - Feature Extraction Technique - Anomaly Detection Algorithm - Visual Component - Small-Scale Network Test Software - Workstation Agent (v1) - Workstation Agent (v2) - Server-Side Management Tool (v1) Year 3 - Large-Scale Network Test - Workstation Agent (v3 as needed) - Server-Side Management Tool (v2) Progress reporting all years Monthly Program Reports Quarterly Status/Financial Reports Quarterly Detailed Technical Reports Annual Program Report Final Technical Report 13

Technology Transition Plan Open source releases Bulk Extractor (BE) BE sampling engine BE plug-in for clustering engine Clustering engine Visualization front-end for clustering engine Create GOTS product that integrates all above, plus Secure transmission of data Data aggregation agent To get to pilot: production network tests with injects DETER & PREDICT are not applicable PI Garfinkel has extensive experience transitioning technology into open-source, commercial, and GOTS products 14

15

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information