
Page 1: AWS SQRRL · Sqrrl reveals connections between alerts, events, and entities. Use Cases: alert and incident investigations 2. Hunt for Hidden Threats Sqrrl discovers net new patterns,

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Brandon Baxter

08.01.19

AWS SQRRL: A 50K Foot View

Page 2

AWARD-WINNING TECHNOLOGY

Who is AWS Sqrrl?

• Cambridge, MA HQ

• NSA spin out (Creators of Accumulo)

• Founded in 2012

• Award-winning Threat Hunting Platform

• Acquired by Amazon AWS January 2018

Page 3

The Rise of Threat Hunting

Chart: Trends.google.com for “threat hunting” in the US

Timeline:

• The term “hunting” coined by the Air Force in mid-2000’s

• 2013: Sqrrl advisor Richard Bejtlich writes about hunting in his book “The Practice of Network Monitoring”

• 2015: Sqrrl decides to focus its messaging and branding on “threat hunting”

• Feb 2016: Sqrrl’s first RSA Conference; ~4 vendors messaging threat hunting

• Feb 2017: 30+ vendors messaging threat hunting at RSAC

• April 2017: First Gartner report on threat hunting; 2nd Annual SANS TH Summit and Survey

Page 4

Current Trend

Page 5

Gartner Threat Hunting Tools

Page 6

Gartner Identifies Sqrrl as Only Hunting-Specific Tool

Page 7

What is Threat Hunting?

The proactive, iterative, human-driven, and analytical approach to detect cyber adversaries that have evaded detection by existing cyber defenses

Proactive | Iterative | Human-Driven | Analytical

Page 8

The Sqrrl Threat Hunting Platform

Diagram: three input categories feed the Security Behavior Graph, which in turn feeds Investigate + Hunt.

Inputs: SECURITY DATA, NETWORK DATA, ENDPOINT/IDENTITY DATA (sources shown: SIEM, Alerts, Threat Intel, Analytics, Netflow, Proxy, DNS, Processes, HR, Authentication)

SECURITY BEHAVIOR GRAPH: BIG DATA (GB -> PB), MACHINE LEARNING, RISK ENGINE

INVESTIGATE + HUNT: ”Guided Hunts”, Investigations, #tags

Page 9

QRadar / Sqrrl Reference Architecture

Diagram: QRadar Event Collectors (Event Collector 1, Event Collector 2, ... Event Collector n) feed the QRadar Event Processor(s) and the QRadar Console. Sqrrl Enterprise (Analytics) receives data and offenses from QRadar, and the Sqrrl Console is the pivot for hunting and investigations. Threat Intel and Endpoint sources are also shown.

© 2016 Sqrrl Data, Inc. All rights reserved.

Page 10

Technology Stack

Sqrrl extends an open core of Apache Accumulo and Hadoop

Interface:     API
Processing:    Link Analysis, Multi-Indexing, Apache Spark
Data Model:    Raw Data, Linked Data
Data Storage:  Hadoop DFS, Accumulo+
Physical:      Commodity Hardware / Cloud

Cross-cutting (all layers): Audit, Cryptography, Labeling + Policy

Page 11

Sqrrl Use Cases

1. Simplify Investigations

Sqrrl reveals connections between alerts, events, and entities. Use Cases: alert and incident investigations

2. Hunt for Hidden Threats

Sqrrl discovers net new patterns, behaviors, and anomalies. Use Cases: APTs, data breaches, “low and slow” attackers

Sqrrl makes hunting and investigations simpler and more effective… a “force multiplier”

Page 12

Hunting in a SIEM vs. Sqrrl

Addressing typical log-based analysis challenges

LOG DATA vs. SECURITY BEHAVIOR GRAPH
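As an added illustration of the log-data-versus-behavior-graph contrast on this slide (example code written for this page, not Sqrrl's own implementation), the Python below links constructed events to the entities they mention and pivots outward from a single alert; event fields, entity names and the hop limit are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample events (not from the deck); each references the entities it links,
# in the spirit of the Security Behavior Graph. Field and entity names are assumptions.
EVENTS = [
    {"id": "alert1", "type": "alert", "host": "ws-17", "name": "threat-intel DNS match"},
    {"id": "dns1", "type": "dns", "host": "ws-17", "domain": "updates.example-bad.net"},
    {"id": "auth1", "type": "auth", "user": "alice", "host": "ws-17"},
    {"id": "auth2", "type": "auth", "user": "alice", "host": "srv-db01"},
    {"id": "flow1", "type": "netflow", "host": "srv-db01", "dst": "203.0.113.9", "bytes": 250_000_000},
    {"id": "auth3", "type": "auth", "user": "bob", "host": "ws-22"},
]
ENTITY_FIELDS = ("user", "host", "domain", "dst")

def build_graph(events):
    """Bipartite graph: entity -> ids of events it appears in, event id -> its entities."""
    ent_to_ev, ev_to_ent = defaultdict(set), {}
    for ev in events:
        ents = {f"{f}:{ev[f]}" for f in ENTITY_FIELDS if f in ev}
        ev_to_ent[ev["id"]] = ents
        for e in ents:
            ent_to_ev[e].add(ev["id"])
    return ent_to_ev, ev_to_ent

def pivot(events, start_event, max_hops=2):
    """Breadth-first walk from one event across shared entities, at most max_hops entity
    hops out, returning every event reached: the linked picture an analyst would otherwise
    assemble one query at a time in a flat log store."""
    ent_to_ev, ev_to_ent = build_graph(events)
    reached = {start_event}
    seen_entities = set(ev_to_ent[start_event])
    frontier = deque((e, 0) for e in seen_entities)
    while frontier:
        entity, hops = frontier.popleft()
        for ev_id in ent_to_ev[entity]:
            if ev_id in reached:
                continue
            reached.add(ev_id)
            if hops + 1 < max_hops:
                for e in ev_to_ent[ev_id] - seen_entities:
                    seen_entities.add(e)
                    frontier.append((e, hops + 1))
    return sorted(reached)
```

With two entity hops the alert on ws-17 pulls in the DNS lookup and both of alice's logons; a third hop reaches the large outbound flow from srv-db01, while bob's unrelated logon is never touched.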

Page 13

Incident and Alert Investigations Use Cases

Tier 1: Frontlines Alert Analyst

Tier 2: Incident Responder

Tier 3: SME / Hunter

Avoid Unnecessary Alert Escalation: address 3-4 events in a single investigation (50x time savings)

Improve Alert Resolution Times: reduce ticket resolution by 10x

Accelerate Incident Root Cause Analysis: reconstruct full attack picture 20x faster

React to events much faster and with far less effort.

Know your network like never before.

Page 14

Types of Threat Hunting

TTP-Driven Hunts: Use Mitre ATT&CK Model or related frameworks to hunt for anomalies associated with general adversary behaviors / TTPs

Entity-Driven Hunts: Hunt for threats associated with specific high risk and/or high consequence entities (e.g., crown jewel assets, privileged users, etc.)

Intelligence-Driven Hunts: Hunt using threat intelligence associated with specific threat actors

Data-Driven Hunts: Look for general statistical anomalies associated with specific datasets / data features (i.e., unknown behaviors)

Proactively search for and disrupt threats on your network.

Page 15

Launch Hunts Based on Anomalies

Use Sqrrl’s Kill Chain algorithms and playbooks to kickstart a hunt

Example anomalies shown: Failed Authentication, Remote Admin Login, Credential Reuse

Page 16

Complete the Hunting Loop with User-Defined Analytics

Sqrrl offers custom risk triggers to automate identifying suspicious patterns.

Automate the detection of adversaries:

• Entities that match filter

• Entities with anomalous spikes of activity

• Entities active at unusual times of day

Page 17

DEMONSTRATION

Page 18

BACKUP SLIDES

Page 19

Counterops Model


Page 20

Why Should You Hunt Security Threats? Why Sqrrl?

88% found threat hunting reduced attacker dwell time*

65% say their threat hunting programs need to be improved*

*Sources: SANS survey: Threat Hunting: The Hunter Strikes Back, April 2017

Sqrrl’s Hunting Maturity Model

Page 21

The Sqrrl Security Behavior Graph

KEY CAPABILITIES:

• Linked data models

• Visualization, exploration, search

• Adversarial behavior analytics

• Small to big data elastic scalability

Unique approach to security data

Page 22

Adversarial Behavior Analytics

TTP-oriented User and Entity Behavior Analytics (UEBA)

Risk Scoring and Full TTP Visualization across the kill chain: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control (C2), Actions on Objectives

Page 23

Sqrrl / IBM QRadar Integration

Page 24

Risk Scoring Guidance

Risk Score | Time-To-Wait (Days) | Interpretation                      | How many to expect under normal conditions
< 68       | < 0.1               | Too common to consider as detection | Most don’t cross our threshold on detections
68 - 78    | < 1                 | Marginally interesting detections   | A few per day
78 - 83    | < 100               | Strong candidate for detection      | A few per month
83 - 90    | < 1M                | 5-sigma Detection (Sound Alarm)     | Extremely rare. These are real detections
90 - 100   | > 1M                | Very loud, Off-scale                | Never

Page 25

Page 26

Trigger Types and Example Queries

Find entities that match filter

• Workstation with any RDP activity

• Accounts with > 10 failed logons

Find pairs of linked entities that match filter

• Internal-to-external data transfer of > 100MB/day

• Client requested DNS resolution for domain with recent threat intel

Find entities with anomalous spikes of activity

• Accounts in "CORP" domain with spike in failed logons

• Server in specific subnet with spike in failed logons

Find entities active at unusual times of day

• Accounts in "CORP" with lots of logon attempts at unusual time of day

• Server in specific subnet with lots of logons at unusual time of day
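The four trigger types on this slide, and the user-defined risk triggers on page 16, are implemented below over constructed logon and flow records as an added example (written for this page, not Sqrrl's trigger engine); thresholds, the 3-sigma spike rule, the business-hours window and the 10.0.0.0/8 internal range are assumptions.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed logon events (not from the deck): (day, hour, account, success).
LOGONS = (
    [(d, 9, "alice", True) for d in range(1, 8)]          # alice: one normal logon per day
    + [(d, 10, "svc_backup", False) for d in range(1, 7)] # svc_backup: 1 failure/day baseline
    + [(7, 10, "svc_backup", False)] * 12                 # day 7: burst of 12 failures
    + [(7, 3, "bob", True)] * 6                           # bob: 6 logons at 03:00
)
# Constructed flow records: (day, src_host, dst_ip, bytes); 10.0.0.0/8 counts as internal.
FLOWS = [(7, "srv-db01", "203.0.113.9", 80_000_000),
         (7, "srv-db01", "203.0.113.9", 60_000_000),
         (7, "ws-22", "10.1.1.5", 900_000_000)]
MB = 1_000_000
BUSINESS_HOURS = range(7, 20)

def failed_logon_filter(logons, day, threshold=10):
    """Trigger 1 (entity filter): accounts with > threshold failed logons on 'day'."""
    fails = Counter(acct for d, _, acct, ok in logons if d == day and not ok)
    return sorted(a for a, n in fails.items() if n > threshold)

def egress_filter(flows, day, limit_bytes=100 * MB):
    """Trigger 2 (linked-entity pair filter): internal->external transfer > limit per day."""
    per_pair = Counter()
    for d, src, dst, nbytes in flows:
        if d == day and not dst.startswith("10."):
            per_pair[(src, dst)] += nbytes
    return sorted(p for p, total in per_pair.items() if total > limit_bytes)

def failed_logon_spike(logons, day, sigmas=3.0):
    """Trigger 3 (anomalous spike): today's failures exceed the per-account baseline
    mean + sigmas * stddev (+1 so a flat, zero-variance baseline still needs a real rise)."""
    daily = defaultdict(lambda: defaultdict(int))
    for d, _, acct, ok in logons:
        if not ok:
            daily[acct][d] += 1
    hits = []
    for acct, counts in daily.items():
        base = [counts.get(d, 0) for d in range(1, day)]
        if base and counts.get(day, 0) > mean(base) + sigmas * pstdev(base) + 1:
            hits.append(acct)
    return sorted(hits)

def off_hours_activity(logons, day, min_count=5):
    """Trigger 4 (unusual time of day): >= min_count logon attempts outside business hours."""
    c = Counter(acct for d, hr, acct, _ in logons if d == day and hr not in BUSINESS_HOURS)
    return sorted(a for a, n in c.items() if n >= min_count)
```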

Page 27

Data-Centric Security

Sqrrl’s Data-Centric Security is the foundation for multi-level security

Diagram: SQRRL UI

Page 28

Sqrrl Partner Ecosystem

Partner categories: SIEM / Log Mgmt.; Threat Intel / Vuln.; Network / Endpoint; Security Orchestration; Case Mgmt.; Firewalls; Endpoints; NAC

Page 29