The Role of machine learning in cybersecurity

Transcript

1. 1 The Role of machine learning in cybersecurity A discussion

   on using machine learning in chaotic and disparate environments

2. 2 Danny miller Chief Information Security Officer

3. 3 Trends we face • Phishing • Ghosting • Hidden

   links • Malware

4. 4 The opponent’s plan (bad guys) Phase Description Reconnaissance Research,

   identify and select a target Weaponization Pair remote access malware with exploitation into a deliverable payload (such as a PDF file or Word doc) Delivery Transmit weapon to target (email, attachment, website or external media) Exploitation Once delivered, trigger the weapons code, exploiting vulnerable applications or systems Installation Weapon now installs a back door on target system allowing persistent or repeated access Command & Control An outside server communicates with weapons already deployed providing ‘hands-on’ keyboard access inside the target network Actions on Objective The attacker works to achieve the objective of their intrusion, which can include exfiltration or destruction of data, or intrusion of another target

5. 5 How is machine learning different from artificial intelligence? Artificial

   Intelligence (AI) • Ability to take seemingly disparate pieces of information or related information and: − Synthesize ideas or conclusions − Make decisions − Do these in the absence of information in making conclusions • AI can take other information, such as environmental data, into account when making decisions or conclusions Machine Learning • A narrowly defined set of taught and learned attributes

6. 6 Machine learning approaching ai Machine Learning Monitoring / Alerting

   Responsive Orchestration Social Networks Blogs ISAOs Threat Intelligence Network Traffic Support Tickets Behaviors of endpoints and network Firewalls and other network devices Malware and C&C on endpoints Insider Threats Dark Web Intelligence

7. Simplified Model including iR Network & Endpoint Monitoring Incident Response

   Cyber Threat Intelligence • Monitoring team escalates potential incidents to the response team • Response team handles the incident • Intelligence is produced to improve detection and response 7

8. 8 High-priority asset protection

9. 9 Threats we face in higher education What are they

   after? • Brand and reputational damage • Intellectual property • Cyber extortion • Employee productivity disruption • Operational disruption • Compliance violations What tactics might they use? • Academic solicitation • Account compromise • Data extraction / destruction • Denial of service • Espionage • Intellectual property theft • Malware • Network Intrusion • Phishing • Reconnaissance • Stolen credentials • Unauthorized access • Unpatched vulnerabilities Who might attack? Higher Education Insider Threat Organized Crime Hacktivist Individual Hacker Third Party Nation State Higher Education is consistently one of the most targeted sectors due to its access to highly sensitive research, student personal information and openness of information sharing

10. 10 Where we are in higher education • Where there

    is little visibility into the environment, we may only know what a device is doing or how much traffic is flowing across a network using endpoint solutions • Tools are not connected to any other tool or information source • Our vision is narrow, to the point of not being useful • This opens up opportunities for the bad guys to take advantage of us from multiple points in the organization, often undetected

11. 11 Our first steps • We gathered all manner of

    data on our networks - too much data too fast − Ingested huge amounts of data − Created a large storage infrastructure to store the data for future analysis − Storage is cheap, but continuing to buy more and more storage isn’t the answer • Focus only on data that is important, allowing machine learning to capture and keep data that is truly useful • Knowing the structure of our environments was key to securing them • CONTEXT BECAME CRITICAL

12. 12 Solution output from machine learning • The system learns

    our environments, knowing ‘good’ and ‘bad’, ‘high-risk’ vs ‘low-risk’ behaviors • Focuses alerts to those that manage the noise and address security concerns • Drives down dwell-time inside our environments • Reduces the success of bad guys achieving their objective • Orchestration can assist in not only detecting possible incidents but also remediating − Automatic port closures − Affecting dynamic network segmentation by isolating segments or even creating new segments on the fly − Auto-launch EDR agents on potentially infected endpoints

13. 13 Lessons learned • Have a plan for incident response

    - the highest risk and highest number of events − Automate low-level events, such as malware infections, if you can • Test your incident response plans regularly and fold them into your business continuity plan • Reporting and data sharing (if you can’t measure it or prove it, it never happened)

14. 14 Lessons learned • Machine learning-based monitoring and security systems

    do not eliminate all risk − Help you focus on the most relevant risk and manage it • Ensure you know where your most valuable assets are in any environment you are monitoring • Know what type of machine learning is being used! − Structured vs unstructured • Know the structure of the monitored environment - who owns which piece, including endpoints • Machine learning does not fully replace 'eyes on glass'

15. Incident Comparison –THEN VS NOW 2017 2019 Time to Detect

    6 Months 8 Hours Time to Mitigate 1 Week 1 Hour Time to Remediate 6 Weeks 30 Minutes Detection Third Party SOC & CRT Affected 30 Endpoints, 2 Members 6 Endpoints, 2 Members Downtime 336 Hours Member 1: 0 Hrs, Member 2: 24+ Hrs. Attacker Objectives Achieved Not Achieved 15

16. 16 Questions? ?

17. 17 BACKUP SLIDES