care if something we discover (or something reported to us) could be “bad”.
• But we don’t really care if it’s “good” or “bad”.
• We do care whether we should do something about it.
• So how do we determine if something is actionable?
• Have others seen “this” before?
• Is this a critical system or asset?
• Who owns it?
• What’s running on it?
• What do we know about this Asset/User/Executable/Vulnerability?
• ...or pretty much whatever I’m looking at at the moment.
• Is this user / system / process behaving as it should?
• Should I keep digging, close, or escalate?
THIS SUCKS
• tickets with no useful info in them
• Digging for information we already have
• Why can’t we automate the information gathering?
• (We can, but the problem is presentation)
• What we need is some new sort of interactive, assisted discovery.
• So what provides the richest context?
We have the data, so why not use it?
• Activity
• User Activity
• Previous Incidents
• Identity Model (AD, IDM)
• Asset Model (asset mgmt)
• Vulnerability Model (CVE / CVSS)
At the core of every actionable ticket / case / incident is a triple:
• Critical Vulnerability Found In Application
• Malware Infects Workstation
• IDS Alert Triggered By System Activity
2. Code is executed and malware is installed
3. Malware attempts to exploit an internal host, which contains sensitive data
4. Sensitive data is exfiltrated
[Figure: Logical Layout of Our Complete Case. Nodes: User (Person) [Joe Bob]; user_account1 [jbob]; user_account2 [[email protected]]; host1 [workstation]; file (name) [readme.pdf]; source email address; vulnerable software + version [Adobe Acrobat 8.0]; system files/directories; vulnerability; Actor (Malware) [Conficker]; [sensitive data]. Edge labels: received email from, network access, belongs to, sent from, updates, exploits, delivered by, contains, has, system access, executes, data loss, connection established, located on, associated with, exfiltration mechanism.]
[Figure: relationship graph centred on host jewels.family.net, which contains CVE-2008-4250, CVE-2008-4251, CVE-2008-4252 and CVE-2008-4253, with the HR group and users Joe Bob, Billy Dean and Jim Junior. Legend: primary relationships, secondary relationships.]
[Figure: the same graph annotated with the context each neighbour supplies: other vulnerabilities, typical users, business application, location, unusual location. Legend: primary relationships, secondary relationships.]
[Figure: relationship graph centred on CVE-2008-4250, linked to the malware Conficker and Flame, host jewels.family.net (contains) and IDS signature Snort:1:4154. Annotations: detected by these IDS signatures, other hosts with this vulnerability, associated with malware, hosts which triggered this IDS sig before, host with this vulnerability which triggered this IDS sig before. Legend: primary relationships, secondary relationships.]
1. It can help an analyst to validate alerts and notifications
• “I know everything about this user (or system) without having to search through other directories or having to track down the business owners.”
• “Even though this user has proper privileges, their area of responsibility varies from the staff who typically access this system/data.”
2. It can help the automated detection processes (scenario or anomaly based) to be more precise by integrating context references
• “The behavioral analytics process has flagged an anomaly, but querying known relationships between the user and the host helped downgrade this alert as a false positive.”
SIEM events, AD/LDAP, asset db’s, etc)
• Define the ontology
• Which relationships matter and which ones do not?
• Only show immediate and secondary relationships
• Pay attention to clarity of presentation
• Nobody wants to read upside-down labels
• Great algorithm here: http://bl.ocks.org/MoritzStefaner/1377729
• Provide smooth navigation
• Automate groupings to reduce clutter
• Add critical pieces to the Case
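One way to put the triple-and-relationship idea into code, as an added example that is not part of the slides: a small Python graph built from constructed triples, a helper that returns a node's primary and secondary relationships, and an alert-triage function that applies the “known relationship downgrades the alert” rule from the use cases above. The triples, relation names and decision rules are assumptions for illustration, not a real deployment's ontology.

```python
from collections import defaultdict

# Constructed sample relationships (subject, relation, object) modelled on the slides' entities; not real data.
TRIPLES = [
    ("jbob", "belongs_to", "Joe Bob"),
    ("Joe Bob", "member_of", "HR"),
    ("jbob", "typically_accesses", "jewels.family.net"),
    ("jewels.family.net", "contains", "sensitive data"),
    ("jewels.family.net", "has_vulnerability", "CVE-2008-4250"),
    ("Conficker", "exploits", "CVE-2008-4250"),
    ("Conficker", "detected_by", "Snort:1:4154"),
    ("bdean", "belongs_to", "Billy Dean"),
]

def build_graph(triples):
    """Adjacency sets; a reverse edge is stored with the relation prefixed '~'
    so a node can be walked from either end."""
    g = defaultdict(set)
    for s, rel, o in triples:
        g[s].add((rel, o))
        g[o].add(("~" + rel, s))
    return g

def relationships(g, node):
    """Primary = edges touching node; secondary = edges one hop beyond them."""
    primary = sorted(g[node])
    secondary = {(nb, rel, other) for _, nb in primary
                 for rel, other in g[nb] if other != node}
    return primary, sorted(secondary)

def triage_access_alert(g, account, host):
    """Context-driven triage of a 'user account accessed host' alert.
    Returns (decision, reasons); decision is 'downgrade', 'escalate' or 'dig'."""
    reasons = []
    typical = ("typically_accesses", host) in g[account]
    reasons.append(f"{account} is{'' if typical else ' not'} a typical user of {host}")
    sensitive = ("contains", "sensitive data") in g[host]
    # Vulnerabilities on the host that some known malware is recorded as exploiting.
    exploitable = sorted(v for rel, v in g[host] if rel == "has_vulnerability"
                         and any(r == "~exploits" for r, _ in g[v]))
    if sensitive:
        reasons.append(f"{host} contains sensitive data")
    if exploitable:
        reasons.append(f"{host} has malware-associated vulns: {', '.join(exploitable)}")
    if typical:  # known relationship: treat the anomaly as a likely false positive
        return "downgrade", reasons
    if sensitive or exploitable:
        return "escalate", reasons
    return "dig", reasons
```

The reasons list is what the slides ask the case to carry: the context that justified the decision, so the ticket is not one with "no useful info in it".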
are great for ‘as is’ states, but do not reflect time
• How long ago was that connection?
• A novel approach is needed to consider the time scale
• Temporal subgraphs could help
• Metrics and Reporting
• Management still needs to track ‘avg. time to resolve’, etc.