Fully Integrated Defense Operation

F.I.D.O. Fully Integrated Defense Operation Rob Fry - Sr Security Architect

Transcript of Fully Integrated Defense Operation

Page 1: Fully Integrated Defense Operation

F.I.D.O. Fully Integrated Defense Operation

Rob Fry - Sr Security Architect

Page 2: Fully Integrated Defense Operation

Agenda

• The Human Problem

• The Technical Problem

• F.I.D.O. High Level

• What’s Next?

• Q & A

Page 3: Fully Integrated Defense Operation

The Human Problem

Source: Cisco 2014 ASR, Network World, ISAC, swimlane.com, Security Week

Page 4: Fully Integrated Defense Operation

The Human Problem

• Vendors and organizations are not doing enough to lower the bar

• 62% of organizations have not increased security training

• 83% of enterprises lack the resources or skills to protect assets

• Majority of the work is done manually… self-defeating

• Response time windows are too high

• Enforcement, mitigation is largely manual

Page 5: Fully Integrated Defense Operation

Too Many Alerts, Too Little Time/Resources

Network defenders are overwhelmed by the volume of alerts

• A typical Fortune 1000 organization experiences thousands of new security events every day (1)

• Data review is time consuming

Current industry best practices rely on analysts using SIEM technologies + manual use of threat intel feeds

• Too many false positives

• Very little guidance on how to filter the signal from the noise

The Technical Problem

Source: (1) IBM 2014 Cyber Security Intelligence Index

Page 6: Fully Integrated Defense Operation

“There are 400 alerts in my SIEM, and I have time/resources to investigate 10. Which 10 do I choose?” (1)

Source: (1) CISO from Fortune 200 Company

The Technical Problem

Page 7: Fully Integrated Defense Operation

But… it WORKS in the MOVIES

The Technical Problem

Page 8: Fully Integrated Defense Operation

F.I.D.O. = Orchestration

• The work of a human, but at machine speed

• Data enrichment

• Get more out of security investment

• Adds consistency

• Filter out false positives

• Threat, user, machine and asset scoring

Page 9: Fully Integrated Defense Operation

Known versus Unknown

F.I.D.O. = Orchestration

Page 10: Fully Integrated Defense Operation

Reduce Response Time

[Chart: attackers' ability versus defenders' ability over time]

Source: Verizon Data Breach Report

F.I.D.O. = Orchestration

Page 11: Fully Integrated Defense Operation

At First, Simplicity: Disjointed Security

[Diagram: a network alert from the Firewall/IPS/IDS reaches one support person, who concludes "Bad!"; separately, endpoint defense reports the malware to another support person, who concludes "Blocked!"]

Page 12: Fully Integrated Defense Operation

At First, Simplicity: Joining the disjointed

[Diagram: the network alert (Firewall/IPS/IDS) and the endpoint defense verdict on the malware (blocked / not blocked) are joined before reaching a single support person]

Page 13: Fully Integrated Defense Operation

At First, Simplicity: Joining the disjointed

• Aggregate data from multiple human jobs at once

• Look for corresponding events

• Reduce severity where one detector blocks

• Reduce response time

• Opened door to other ideas

Page 14: Fully Integrated Defense Operation

Look Outside the Security Sphere: Expanding data sources

[Diagram: the joined network alert (Firewall/IPS/IDS) and endpoint defense verdict (blocked / not blocked) are further enriched with user, asset and machine information from an additional data source before reaching the support person]

Page 15: Fully Integrated Defense Operation

Look Outside the Security Sphere: Expanding data sources

• Systems management, inventory, HR, AD, etc.

• Added machine, user, asset posture

• Not just about the threat, context is still king

• Example: any alert against PCI, PII, Domain Admin, CEO, etc., would be more critical

Page 16: Fully Integrated Defense Operation

Threat Feeds: Value in Crowdsourcing

[Diagram: the alert, the data source (user, asset, machine) and threat feeds meet in a correlation step before reaching the support person]

Page 17: Fully Integrated Defense Operation

Threat Feeds

[Diagram: what threat feeds contribute: crowdsourcing, context, validation, and reduction of false positives]

Page 18: Fully Integrated Defense Operation

Threat Feeds: Value in Crowdsourcing

• Too much data to do manually, more effective automated

• Can provide rich detailed layers of context

• As a stack, can cover the multiple layers

• Cross-correlation between feeds

• Scheduled artifact checking

• Prelude to detection

Page 19: Fully Integrated Defense Operation

Historical Data: Looking back is important

[Diagram: historical data joins the alert, the data source (user, asset, machine) and threat feeds as an input to correlation, ahead of the support person]

Page 20: Fully Integrated Defense Operation

Historical Data: Looking back is important

• Security alerts

• User, machine

• Artifacts (IP, hash, URL)

• Introduces thresholds

• Retrospection

Page 21: Fully Integrated Defense Operation

Scoring Engine: Assessing the Data

[Diagram: the alert, the data source (user, asset, machine), threat feeds and historical data feed correlation; correlation feeds scoring, which rates user, asset, machine and threat from 0% to 100% and produces a total, delivered to the support person]
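A worked example, added here and not taken from the talk or from the F.I.D.O. project's own code, of the correlation and scoring stages described on pages 13, 15 and 21: one alert enriched with endpoint, threat-feed, historical and user/asset context, scored 0-100 on each dimension, and mapped to one of the enforcement and notification outputs named on page 30. The weights, point values, group and tag names and action thresholds are all assumptions for illustration.

```python
from dataclasses import dataclass

# Assumed weights for the four dimensions the deck scores (the slides show only 0%-100% totals).
WEIGHTS = {"threat": 0.4, "user": 0.2, "machine": 0.2, "asset": 0.2}

# Assumed thresholds mapping a total score to outputs named on page 30 (highest floor first).
ACTIONS = [(80, "Kill NIC + Create Ticket"), (60, "Client Sandboxing + Create Ticket"),
           (40, "Create Ticket"), (0, "Recommendation")]

@dataclass
class Alert:
    """A network alert after enrichment from the sources the deck names (constructed fields)."""
    endpoint_blocked: bool   # endpoint defense already blocked the sample (page 13)
    feed_hits: int           # number of threat feeds flagging the artifact (page 18)
    prior_alerts: int        # earlier alerts for this user/machine (page 20, thresholds)
    user_groups: set         # from AD/LDAP/HR (page 15)
    asset_tags: set          # from inventory/CMDB (page 15)
    patched: bool            # from systems management (SCCM/Jamf/Landesk)

def score(a: Alert) -> dict:
    """Return per-dimension scores (0-100) and the weighted total, as on page 21."""
    # Threat: base plus feed cross-correlation and history, capped at 100.
    threat = min(100, 40 + 15 * a.feed_hits + 10 * min(a.prior_alerts, 3))
    # Page 13: reduce severity where one detector already blocked.
    if a.endpoint_blocked:
        threat //= 2
    # Page 15: PCI, PII, Domain Admin or CEO-level context raises criticality.
    user = 90 if a.user_groups & {"Domain Admins", "Executives"} else 30
    asset = 90 if a.asset_tags & {"PCI", "PII"} else 30
    machine = 30 if a.patched else 70
    parts = {"threat": threat, "user": user, "machine": machine, "asset": asset}
    parts["total"] = round(sum(WEIGHTS[k] * v for k, v in parts.items()))
    return parts

def enforce(total: int) -> str:
    """Pick the first action whose threshold the total score reaches."""
    for floor, action in ACTIONS:
        if total >= floor:
            return action
    return "Recommendation"

# Constructed sample alerts: a blocked commodity sample on a patched staff laptop, versus an
# unblocked multi-feed hit on an unpatched Domain Admin workstation that holds PCI data.
LOW = Alert(True, 1, 0, {"Staff"}, {"Workstation"}, True)
HIGH = Alert(False, 3, 2, {"Domain Admins"}, {"PCI"}, False)

if __name__ == "__main__":
    for name, alert in (("low", LOW), ("high", HIGH)):
        s = score(alert)
        print(name, s, "->", enforce(s["total"]))
```

The low alert scores 29 and only produces a recommendation; the high alert scores 90 and reaches the top enforcement tier.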

Page 22: Fully Integrated Defense Operation

F.I.D.O. High Level

1. Detectors
2. Host Detection
3. Threat Stack
4. Data Sources
5. Correlation
6. Scoring
7. Enforcement
8. Notification

Page 23: Fully Integrated Defense Operation

F.I.D.O. High Level

[Diagram: the F.I.D.O. pipeline with the sources feeding each stage]

1. Detectors: Carbon Black, ProtectWise, Cyphort, SentinelOne, Niddel
2. Host Detection: DHCP, RPC, SSH, DNS, ARP
3. Threat Stack: VirusTotal, ThreatGRID, OpenDNS, ThreatExchange, AlienVault
4. Data Sources: LDAP, Jamf, Landesk, SCCM, Endpoint, HR
5. Correlation: Detectors, Previous Threats, Historical User/Machine, OS, Threat Feeds, Thresholds
6. Scoring
7. Enforcement
8. Notification

Also shown on the slide: Palo Alto Network.

Page 24: Fully Integrated Defense Operation

Evolution of Correlation

[Chart: a maturity scale for correlation; "F.I.D.O. is probably here", with the aside "Although some days I feel like it's here" pointing further back]

Page 25: Fully Integrated Defense Operation

Correlation: Simple Example: Patterns in the data

[Diagram: activity classified as Normal, Suspicious or Malicious]

Page 26: Fully Integrated Defense Operation

Correlation: Real World Example: Patterns in the data

Page 27: Fully Integrated Defense Operation

Correlation: Cross Sections: Patterns in the data

[Diagram: a cross section of IPs, hashes, URLs and domains drawn from several alerts, each annotated with how many times it recurred across the data (2x to 5x)]

Page 28: Fully Integrated Defense Operation

Correlation Initiatives

• More data, different data, more data points

• Move past 1000 vectors

• More indicators

• Move laterally across data (detector, threat feed, whatever)

• Drill in multiple layers deep

• Better data enrichment algorithms for higher quality associations, thresholds, increments

• Independent processes for correlation (microservices)

• Continue to evaluate ML for correlation

Page 29: Fully Integrated Defense Operation

Correlation Initiatives

• F.I.D.O. is not ML, but we are working on it

• ML for scoring first (Thank you Mines.IO team)

• ML for security is hard, efficacy can be challenging

• Correlation can be repeatable

• Correlation is what security people do… codify it

Page 30: Fully Integrated Defense Operation

F.I.D.O. High Level

[Diagram: scoring (Threat, User, Machine, Asset, Total Score) drives the last two stages]

6. Scoring: Threat, User, Machine, Asset, Total Score
7. Enforcement: Kill NIC, Client Sandboxing, Network Sandboxing, Automated Re-image, Kill VPN, DHCP Blacklist, Disable Account, Reset Password
8. Notification: Recommendation, Link to Docs, Actions Performed, Create Ticket, Updates DB

1. Detectors 2. Host Detection 3. Threat Stack 4. Data Sources 5. Correlation 6. Scoring 7. Enforcement 8. Notification

Page 31: Fully Integrated Defense Operation

F.I.D.O. High Level

[Diagram: the complete F.I.D.O. pipeline, combining the stage-by-stage sources shown on page 23 (detectors, host detection, threat stack, data sources, correlation inputs) with the scoring, enforcement and notification outputs shown on page 30]

1. Detectors 2. Host Detection 3. Threat Stack 4. Data Sources 5. Correlation 6. Scoring 7. Enforcement 8. Notification

Page 32: Fully Integrated Defense Operation

F.I.D.O. High Level: Success?

Pre-F.I.D.O.:

1. Response measured in days to weeks

2. Aggregation of data took hours

3. 80% of alerts not processed

4. Minimal endpoint/user information

5. Little or no scoring information

Post-F.I.D.O.:

1. Response measured in less than an hour

2. Aggregation of data takes minutes

3. All alerts processed

4. Detailed endpoint/user information

5. Detailed scoring information

Page 33: Fully Integrated Defense Operation

F.I.D.O. High Level: Success?

[Chart: Pre-F.I.D.O. versus Post-F.I.D.O.]

Response Time (Time = Days): 7 Days, 1 Day, > 1hr; +23hrs improvement

Data Aggregation (Time = Hours): 4 Hours, 30 Mins, > 10mins; +20mins improvement

Page 34: Fully Integrated Defense Operation

F.I.D.O. High Level: Success?

[Chart: Alerts Processed]

Before F.I.D.O.: 80% of alerts not processed

After F.I.D.O.: 100% of alerts processed

Page 35: Fully Integrated Defense Operation

What’s Next? Opportunity

Page 36: Fully Integrated Defense Operation

What’s Next?

• ML for scoring (Thanks Mines.IO guys)

• More and tighter integrations

• Full stack: Ubuntu, python, node, nginx, couchdb & more

• Web UI: both configuration and admin

• API for data ingestion or export

Page 37: Fully Integrated Defense Operation

Q&A

• Questions?

• Thank you!
