© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Brandon Baxter
08.01.19
AWS Sqrrl: A 50K Foot View
AWARD-WINNING TECHNOLOGY
Who is AWS Sqrrl?
• Cambridge, MA HQ
• NSA spin out (Creators of Accumulo)
• Founded in 2012
• Award-winning Threat Hunting Platform
• Acquired by Amazon AWS January 2018
The Rise of Threat Hunting
(Chart: Google Trends interest for "threat hunting" in the US.)
• Mid-2000s: the term "hunting" is coined by the Air Force
• 2013: Sqrrl advisor Richard Bejtlich writes about hunting in his book "The Practice of Network Security Monitoring"
• 2015: Sqrrl decides to focus its messaging and branding on "threat hunting"
• Feb 2016: Sqrrl's first RSA Conference; ~4 vendors messaging threat hunting
• Feb 2017: 30+ vendors messaging threat hunting at RSAC
• April 2017: first Gartner report on threat hunting; 2nd annual SANS Threat Hunting Summit and Survey
Current Trend
Gartner Threat Hunting Tools
Gartner Identifies Sqrrl as Only Hunting-Specific Tool
What is Threat Hunting?
The proactive, iterative, human-driven, and analytical approach to detect cyber adversaries that have evaded detection by existing cyber defenses.
Four pillars: Proactive · Iterative · Human-Driven · Analytical
The Sqrrl Threat Hunting Platform
(Platform diagram)
Inputs:
• Security data: SIEM alerts, threat intel, analytics, HR, processes
• Network data: Netflow, proxy, DNS
• Endpoint/identity data: authentication
Core: Security Behavior Graph, built on big data (GB -> PB), machine learning, and a risk engine
Outputs: Investigate + Hunt, via "Guided Hunts", investigations, and #tags
QRadar / Sqrrl Reference Architecture
(Diagram)
• QRadar side: QRadar Console; QRadar Event Collectors 1, 2 ... n; Event Processor(s)
• Sqrrl side: Sqrrl Console; Sqrrl Enterprise
• Exchanged between the Event Processor(s) and Sqrrl Enterprise: data, offenses, analytics
• Analysts pivot from QRadar into Sqrrl for hunting and investigations
• Additional feeds into Sqrrl: threat intel, endpoint
© 2016 Sqrrl Data, Inc. All rights reserved.
Technology Stack
Sqrrl extends an open core of Apache Accumulo and Hadoop.
(Layer diagram, top to bottom)
• Interface: API
• Processing: Link Analysis, Multi-Indexing, Apache Spark
• Data Model: Raw Data, Linked Data
• Data Storage: Hadoop DFS, Accumulo+
• Physical: Commodity Hardware / Cloud
Cross-cutting layers: Audit, Cryptography, Labeling + Policy
Sqrrl Use Cases
1. Simplify Investigations: Sqrrl reveals connections between alerts, events, and entities. Use cases: alert and incident investigations.
2. Hunt for Hidden Threats: Sqrrl discovers net new patterns, behaviors, and anomalies. Use cases: APTs, data breaches, "low and slow" attackers.
Sqrrl makes hunting and investigations simpler and more effective… a “force multiplier”
Hunting in a SIEM vs. Sqrrl
Addressing typical log-based analysis challenges
Log data vs. Security Behavior Graph
Incident and Alert Investigations Use Cases
(Tiered SOC diagram)
• Tier 1: Alert Analyst (frontlines)
• Tier 2: Incident Responder
• Tier 3: SME / Hunter
Claimed outcomes:
• Avoid unnecessary alert escalation: address 3-4 events in a single investigation (50x time savings)
• Improve alert resolution times: reduce ticket resolution by 10x
• Accelerate incident root cause analysis: reconstruct the full attack picture 20x faster
React to events much faster and with far less effort.
Know your network like never before.
Types of Threat Hunting
Proactively search for and disrupt threats on your network.
• TTP-Driven Hunts: use the MITRE ATT&CK model or related frameworks to hunt for anomalies associated with general adversary behaviors / TTPs
• Entity-Driven Hunts: hunt for threats associated with specific high-risk and/or high-consequence entities (e.g., crown jewel assets, privileged users)
• Intelligence-Driven Hunts: hunt using threat intelligence associated with specific threat actors
• Data-Driven Hunts: look for general statistical anomalies associated with specific datasets / data features (i.e., unknown behaviors)
Launch Hunts Based on Anomalies
Use Sqrrl's Kill Chain algorithms and playbooks to kickstart a hunt.
Example anomaly chain: Failed Authentication -> Remote Admin Login -> Credential Reuse
Complete the Hunting Loop with User-Defined Analytics
Sqrrl offers custom risk triggers to automate identifying suspicious patterns.
Automate the detection of adversaries:
• Entities that match filter
• Entities with anomalous spikes of activity
• Entities active at unusual times of day
DEMONSTRATION
BACKUP SLIDES
Counterops Model
Why Should You Hunt Security Threats? Why Sqrrl?
88% Found threat hunting reduced attacker dwell time*
65% say their threat hunting programs need to be improved*
*Sources: SANS survey: Threat Hunting: The Hunter Strikes Back, April 2017
Sqrrl’s Hunting Maturity Model
The Sqrrl Security Behavior Graph
KEY CAPABILITIES:
• Linked data models
• Visualization, exploration, search
• Adversarial behavior analytics
• Small to big data elastic scalability
Unique approach to security data
Adversarial Behavior Analytics
TTP-oriented User and Entity Behavior Analytics (UEBA)
Risk scoring across the kill chain: Reconnaissance -> Weaponization -> Delivery -> Exploitation -> Installation -> Command & Control (C2) -> Actions on Objectives
Full TTP visualization
Sqrrl / IBM QRadar Integration
Risk Scoring Guidance
Risk Score   Time-To-Wait (Days)   Interpretation                         How many to expect under normal conditions
< 68         < 0.1                 Too common to consider as detection    Most don't cross our threshold on detections
68-78        < 1                   Marginally interesting detections      A few per day
78-83        < 100                 Strong candidate for detection         A few per month
83-90        < 1M                  5-sigma detection (sound alarm)        Extremely rare; these are real detections
90-100       > 1M                  Very loud, off-scale                   Never
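Added illustration, not from the deck and not Sqrrl's scoring formula (the slide does not give one): the table reads a high risk score as an n-sigma outlier and translates that into how long you would wait for a benign alert. The Python below shows the arithmetic behind that reading under two stated assumptions: that the score behaves like a standard normal variable under benign conditions, and an assumed number of entities scored per day, which is what turns a per-entity tail probability into a time-to-wait.

```python
"""Relating an n-sigma detection threshold to expected benign alert volume.

Added example. Assumptions (not from the slides): benign scores are
standard-normal, the threshold is one-sided, and `entities_scored_per_day`
is a parameter you supply from your own environment.
"""
import math


def one_sided_tail(sigma):
    """P(Z > sigma) for a standard normal: the per-entity false-alarm probability."""
    return 0.5 * math.erfc(sigma / math.sqrt(2.0))


def expected_days_between_alerts(sigma, entities_scored_per_day):
    """Mean days between benign threshold crossings (the slide's 'time-to-wait')."""
    return 1.0 / (one_sided_tail(sigma) * entities_scored_per_day)


def sigma_for_time_to_wait(days, entities_scored_per_day):
    """Inverse: the sigma threshold at which benign alerts average one per `days`."""
    target = 1.0 / (days * entities_scored_per_day)
    lo, hi = 0.0, 10.0
    for _ in range(60):  # bisection; the tail is monotone decreasing in sigma
        mid = (lo + hi) / 2.0
        if one_sided_tail(mid) > target:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


if __name__ == "__main__":
    rate = 1000  # assumed: entities receiving a risk score per day
    for s in (3, 4, 5):
        print(f"{s}-sigma: p={one_sided_tail(s):.3g}, "
              f"days between benign alerts at {rate}/day = {expected_days_between_alerts(s, rate):.1f}")
    print("sigma needed for one benign alert per 30 days:", round(sigma_for_time_to_wait(30, rate), 2))
```

The practical use is the inverse function: decide the benign alert rate the hunt team can absorb, then derive the threshold, rather than picking "5-sigma" because it sounds rigorous. At 1000 scored entities per day a 3-sigma rule fires roughly daily, 4-sigma about monthly, and 5-sigma once in about ten years.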
Trigger Types and Example Queries
Find entities that match filter
• Workstation with any RDP activity
• Accounts with > 10 failed logons
Find pairs of linked entities that match filter
• Internal-to-external data transfer of > 100MB/day
• Client requested DNS resolution for domain with recent threat intel
Find entities with anomalous spikes of activity
• Accounts in "CORP" domain with spike in failed logons
• Server in specific subnet with spike in failed logons
Find entities active at unusual times of day
• Accounts in "CORP" with lots of logon attempts at unusual time of day
• Server in specific subnet with lots of logons at unusual time of day
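The trigger types above, and the three listed on the "Complete the Hunting Loop with User-Defined Analytics" slide, as working detection logic over sample logs. This is an added example, not Sqrrl's implementation. Everything about the data is constructed for the illustration: the auth, flow and DNS record layouts, the accounts and addresses, the threat-intel list, and the rule parameters (internal ranges 10/8, 172.16/12, 192.168/16; 1 MB = 1e6 bytes; a spike is more than baseline mean + 3 standard deviations with the deviation floored at 1; an "unusual hour" is an hour never seen for that account on any baseline day).

```python
"""Sqrrl-style risk triggers over constructed sample logs (added example, not Sqrrl code).

Assumed record layouts: auth = (iso_timestamp, account, host, result),
flow = (day, src_ip, dst_ip, bytes), dns = (day, client_ip, domain).
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

HUNT_DAY = "2019-08-01"
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def make_auth_events():
    """Constructed auth log: a quiet baseline week, then a noisy hunt day."""
    evts = []
    for day in range(25, 32):  # baseline: 25-31 July 2019
        evts += [(f"2019-07-{day}T09:{10 + i:02d}:00", "alice", "ws-01", "FAIL") for i in range(2)]
        evts.append((f"2019-07-{day}T10:00:00", "bob", "ws-02", "FAIL"))
        evts += [(f"2019-07-{day}T{h:02d}:00:00", "carol", "ws-03", "OK") for h in (8, 12, 17)]
    evts += [(f"{HUNT_DAY}T09:{i:02d}:00", "alice", "ws-01", "FAIL") for i in range(25)]  # spray
    evts += [(f"{HUNT_DAY}T10:0{i}:00", "bob", "ws-02", "FAIL") for i in range(3)]        # noise
    evts += [(f"{HUNT_DAY}T03:{i:02d}:00", "carol", "ws-03", "OK") for i in range(6)]     # 3 a.m.
    evts.append((f"{HUNT_DAY}T12:00:00", "carol", "ws-03", "OK"))
    return evts


FLOWS = [  # constructed; 203.0.113.0/24 is a documentation range
    (HUNT_DAY, "10.0.1.5", "203.0.113.9", 60_000_000),
    (HUNT_DAY, "10.0.1.5", "203.0.113.9", 50_000_000),
    (HUNT_DAY, "10.0.1.6", "203.0.113.9", 20_000_000),
    (HUNT_DAY, "10.0.1.5", "10.0.2.7", 500_000_000),  # internal-to-internal: not egress
]
DNS = [(HUNT_DAY, "10.0.1.6", "updates.example"), (HUNT_DAY, "10.0.1.5", "bad.example")]
THREAT_INTEL_DOMAINS = {"bad.example"}  # constructed intel feed


def _day(ts):
    return ts[:10]


def _hour(ts):
    return int(ts[11:13])


def _internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def failed_logon_filter(events, day, threshold=10):
    """Trigger 1 (entity matches filter): accounts with > threshold failed logons on `day`."""
    fails = Counter(acct for ts, acct, _, res in events if res == "FAIL" and _day(ts) == day)
    return {acct: n for acct, n in fails.items() if n > threshold}


def egress_volume_filter(flows, limit_bytes=100_000_000):
    """Trigger 2a (linked pair matches filter): internal->external pairs moving > limit per day."""
    totals = Counter()
    for day, src, dst, nbytes in flows:
        if _internal(src) and not _internal(dst):
            totals[(day, src, dst)] += nbytes
    return {k: v for k, v in totals.items() if v > limit_bytes}


def dns_intel_matches(dns, intel):
    """Trigger 2b (linked pair matches filter): client->domain pairs where the domain is on intel."""
    return sorted((client, dom) for _, client, dom in dns if dom in intel)


def failed_logon_spikes(events, day, k=3.0):
    """Trigger 3 (anomalous spike): failed logons on `day` exceed baseline mean + k*stdev."""
    per_day = defaultdict(Counter)
    for ts, acct, _, res in events:
        if res == "FAIL":
            per_day[acct][_day(ts)] += 1
    spikes = {}
    for acct, counts in per_day.items():
        baseline = [n for d, n in counts.items() if d != day]
        if not baseline:
            continue  # no history to compare against; a filter trigger has to cover this case
        limit = mean(baseline) + k * max(pstdev(baseline), 1.0)  # floor stops 1 -> 3 from firing
        if counts[day] > limit:
            spikes[acct] = counts[day]
    return spikes


def unusual_hour_logons(events, day, min_count=3):
    """Trigger 4 (unusual time of day): >= min_count attempts on `day` at hours never seen in baseline."""
    seen, today = defaultdict(set), defaultdict(Counter)
    for ts, acct, _, _ in events:
        if _day(ts) == day:
            today[acct][_hour(ts)] += 1
        else:
            seen[acct].add(_hour(ts))
    out = {}
    for acct, hours in today.items():
        n = sum(c for h, c in hours.items() if h not in seen[acct])
        if n >= min_count:
            out[acct] = n
    return out


if __name__ == "__main__":
    ev = make_auth_events()
    print("failed > 10:", failed_logon_filter(ev, HUNT_DAY))
    print("egress > 100MB/day:", egress_volume_filter(FLOWS))
    print("dns on intel:", dns_intel_matches(DNS, THREAT_INTEL_DOMAINS))
    print("spikes:", failed_logon_spikes(ev, HUNT_DAY))
    print("unusual hours:", unusual_hour_logons(ev, HUNT_DAY))
```

Two points a practitioner will care about: the spike rule needs a floor on the standard deviation, otherwise an account whose baseline is a constant 1 failure per day (deviation 0) is flagged the moment it has 2, and the "unusual hour" rule needs history, so an account with no baseline days silently produces no result and must be caught by a plain filter trigger instead.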
Data-Centric Security
Sqrrl's Data-Centric Security is the foundation for multi-level security. (Diagram: Sqrrl UI.)
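Added example, not Sqrrl's or Accumulo's code: the "Labeling + Policy" layer of the technology stack and the multi-level security claimed here rest on Apache Accumulo's cell-level visibility labels. Each stored value carries a boolean expression over authorization tokens (`&`, `|`, parentheses; an empty expression is readable by all; `&` and `|` cannot be mixed at one nesting level without parentheses), and a scan returns only the cells whose expression is satisfied by the reader's authorizations. The Python below reimplements that evaluation over a constructed set of cells; the token names, row keys and cell contents are invented for the illustration.

```python
"""Cell-level visibility filtering in the style of Apache Accumulo's column
visibility expressions. Reimplemented here for illustration; not Accumulo code.

Grammar as in Accumulo: label | expr & expr | expr | expr | ( expr ).
'&' and '|' may not be mixed at the same nesting level without parentheses.
An empty expression is visible to every reader.
"""
import re

_TOKEN = re.compile(r"[A-Za-z0-9_\-:./]+|[&|()]")


class VisibilityParseError(ValueError):
    """Malformed visibility expression (Accumulo rejects such a cell at write time)."""


def _tokenize(expression):
    tokens, pos = [], 0
    while pos < len(expression):
        m = _TOKEN.match(expression, pos)
        if not m:
            raise VisibilityParseError(f"unexpected character at offset {pos}: {expression[pos]!r}")
        tokens.append(m.group(0))
        pos = m.end()
    return tokens


class _Evaluator:
    """Recursive-descent evaluation of one expression against a reader's authorizations."""

    def __init__(self, tokens, auths):
        self.tokens, self.pos, self.auths = tokens, 0, auths

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def expr(self):
        value = self.term()
        op = None
        while self.peek() in ("&", "|"):
            cur = self.take()
            if op is None:
                op = cur
            elif cur != op:
                raise VisibilityParseError("cannot mix & and | without parentheses")
            rhs = self.term()  # always parsed, so syntax errors surface even when the result is decided
            value = (value and rhs) if op == "&" else (value or rhs)
        return value

    def term(self):
        tok = self.take()
        if tok == "(":
            value = self.expr()
            if self.take() != ")":
                raise VisibilityParseError("missing closing parenthesis")
            return value
        if tok is None or tok in ("&", "|", ")"):
            raise VisibilityParseError(f"expected a label, got {tok!r}")
        return tok in self.auths


def is_visible(expression, authorizations):
    """True if a cell labelled `expression` may be returned to a reader holding `authorizations`."""
    if expression == "":
        return True
    ev = _Evaluator(_tokenize(expression), frozenset(authorizations))
    result = ev.expr()
    if ev.peek() is not None:
        raise VisibilityParseError(f"unexpected token {ev.peek()!r}")
    return result


# Constructed cells: (row, column, visibility, value). Labels and contents are invented.
CELLS = [
    ("host:ws-01", "owner", "", "alice"),
    ("host:ws-01", "alerts", "soc", "3 failed logons"),
    ("host:ws-01", "hr:notes", "hr&(soc_lead|legal)", "under investigation"),
    ("host:ws-01", "intel", "ti&(tlp_amber|tlp_red)", "C2 beacon to bad.example"),
]


def scan(cells, authorizations):
    """Return the (row, column, value) triples a reader with these authorizations may see."""
    return [(r, c, v) for r, c, vis, v in cells if is_visible(vis, authorizations)]


if __name__ == "__main__":
    readers = (("tier-1 analyst", {"soc"}), ("hunt lead", {"soc", "soc_lead", "hr", "ti", "tlp_amber"}))
    for who, auths in readers:
        print(who, "->", [c for _, c, _ in scan(CELLS, auths)])
```

The point of labelling at the cell rather than the table is that one security behavior graph can hold HR notes, TLP-restricted intel and routine alerts side by side, with each analyst's scan silently omitting what their authorizations do not cover; the filtering happens in the store, not in the UI.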
Sqrrl Partner Ecosystem
Partner categories: SIEM / Log Mgmt.; Threat Intel / Vuln.; Network / Endpoint; Security Orchestration; Case Mgmt.; Firewalls; Endpoints; NAC