Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees
TRANSCRIPT
IT & DATA MANAGEMENT RESEARCH, INDUSTRY ANALYSIS & CONSULTING
David Monahan
Research Director, Security and Risk Management
Enterprise Management Associates
Dustin Rigg Hillard
VP of Engineering and Co-founder
Versive
Watch the On-Demand Webinar
Check out the on-demand webinar at: http://research.enterprisemanagement.com/tunnel-vision-is-hurting-you-security-on-demand-webinar-ss.html
Today’s Speakers
Dustin Rigg Hillard, VP of Engineering and Co-founder, Versive
Dustin joined Versive in 2012, where he is currently VP of Engineering. Previously at Microsoft and Yahoo!, he loves building systems that deliver business value via large-scale processing and machine learning. He has published more than 30 papers in these areas.
David Monahan, Research Director, Security and Risk Management, EMA
David is a senior information security executive with several years of experience. He has
organized and managed both physical and information security programs, including security
and network operations (SOCs and NOCs) for organizations ranging from Fortune 100
companies to local government and small public and private companies. He has diverse audit
and compliance and risk and privacy experience such as providing strategic and tactical
leadership to develop, architect, and deploy assurance controls; delivering process and policy
documentation and training; and working on educational and technical solutions.
Logistics for Today’s Webinar
• EVENT RECORDING: An archived version of the event recording will be available at www.enterprisemanagement.com
• QUESTIONS: Log questions in the chat panel located on the lower left-hand corner of your screen; questions will be addressed during the Q&A session of the event
• PDF SLIDES: A PDF of the speaker slides will be distributed to all attendees
Issues Security Teams Face
Slide 6 © 2017 Enterprise Management Associates, Inc.
• 79%: Security teams overwhelmed with threat alerts
• 52%: Threat alerts improperly prioritized by systems and must be manually reprioritized
• 31%: Threat alerts are false positives
• 64%: Threat alerts go unworked on a daily basis
From Bay Dynamics and EMA “Day in the Life of a Security Professional” Research
Unexpected Barriers to Success
Political Silos
• Divisions in business leadership and organizations
• Created through ignorance or by leaders who desire control and/or power over
cooperation and collaboration
• The lack of cooperation inhibits full contextual awareness necessary to identify threats
and appropriately address them
• Data and tools exist but are not made available
• Common projects impacted are data lakes, which require a large degree of cross-organizational cooperation
• Valuable to the business for a myriad of projects, including security and performance improvement
Political Silos: Resolution
• Addressing political silos depends on why they exist
• Personal education: additional individual communication
• Identifying how cooperation improved the business
• Playing to the fiefdom mentality (help me help you)
• Escalation to higher common management
Data Silos
• Cooperation exists and tools exist at some level, but data is lacking and/or
there is an inability to bring the data together to be used cooperatively.
• Configuration errors in agents or logging
• Insufficient storage to maintain sufficient data history
• Systems exist that can produce the information, but due to other factors the ability to share or integrate data across tools is limited to nonexistent. Often, data silos are caused by decisions made long before the current time.
Data Silos (Cont’d)
• Primarily caused by poor architecture decisions about how data is collected and maintained.
• As systems connect, their architecture does not allow for the free flow or combining of the data into a central repository.
Data Silos: Resolution
• Data silos are generally more easily diagnosed and straightforward to resolve—though they are more costly than political silos.
• Audit configurations
• Create standard configurations and deployment models
• Expand data storage
• Re-architect data flows to a central repository
Tools Silos
• Cooperation exists but data does not exist due to a lack of tools or lack of interoperability between tools.
• Inability to leverage tools across multiple organizations, or an inability to use tools to create or collect data due to a lack of capability.
• Often manifested by an inability to collect, share, correlate, or analyze data for a successful outcome.
• Lack of budgets
Tools Silos (Cont’d)
• Failure to identify operational or organizational requirements prior to purchase of one or more tools, OR
• Inability of existing tools to adapt to significant requirement changes over time
• Monitoring/management coverage gap caused by having insufficient sensor-based tools in the environment.
Tools Silos: Resolution
• Evaluate placement of current sensor technologies for best coverage
• The failure to place technologies creates blind spots in the data and therefore a lack of visibility into actions within the environment
• The failure to place technologies also yields an inability to provide context on those actions.
• Evaluate existing tools against current organizational need
• Leverage common needs for combined budget strength between organizations (another “help me, help you”)
Tools Silos: Resolution (Cont’d)
• Plan for integration going forward
• Evaluate analytics capability
• Failure to provide broader analytics also leaves visibility and context gaps.
• The data exists, but security has no way to connect the dots to see the larger picture, resulting in an operational failure or an undiscovered breach and data exfiltration.
Isolated Analytics for Security: Better, but not Great
• Many “analysis” tools
• Highly segmented source data limits context
• Endpoint good for endpoint
• Network good for network
• Identity and authorization good for users
• Many “sense-making” technologies combine limited data or have limited analytics
Isolated Analytics for Security: Better, but not Great
• SIEM
• Correlation vs. analytics
• Lack of analytics impacts context and prioritization of alerts
• Basic investigation requires the user to know what they want to find, which may bias outcomes or findings
Isolated Analytics for Security: Better, but not Great
• Advanced Breach Detection
• Strong analytics on network activities
• Excellent for spotting anomalous activities within network traffic
• Have limitations on types of data that can be used for creating/verifying context
Isolated Analytics for Security: Better, but not Great
• UEBA
• Strong analytics on user activities
• Excellent for spotting anomalous activities within their data scope
• Not designed to use many types of data in creating context
Security: Visibility, Load, and Prioritization Issues
• Most traditional technology is designed to solve a compartmentalized part of the security problem
• Each can be very successful in its own realm
HOWEVER
• Each has limitations on performance, scope, and data both produced and assimilated
Gaining Full Context Within Your Environment:
The Need for Broad Spectrum Analysis
• Do not rely on mere correlation (orange)
• Identify compartmentalized data (blue)
• Identify limited analytics (red)
• Visualize how you will deliver data for the cross-domain analytics (green)
[Figure: Contextual Cross-Domain Analytics, drawing on Traditional SIEM, UEBA, Threat Intel., Deception, Sandbox, IAM, IDS/IPS/IDP, ABD, Next-Gen Endpoint, FW, and Network Flows]
Advantages of Cross-Domain Analytics
• Creates a big data and business analytics approach for security
• Breaks down tools silos
• Breaks down data silos
• Brings data together and makes sense of it without a huge amount of manual labor
• Enables automation of analysis for many routine situations, enabling human resources to focus on higher-end issues
• Creates analysis without bias to identify real issues
• Many issues operators never knew about
©2017 Versive Confidential
Use Case Deep Dive: Automated Threat Hunting
Outline
1. Versive Overview
2. Why Automated Threat Hunting?
3. How AI Makes Sense in Security
Who We Are
Artificial Intelligence Company
Founded in 2012
Offices in SEA, NY, SF
Investors
Strategics
Advisors from Government and Industry
VJ Viswanathan, Ira Winkler, Rob Knake, John Johnson, Brook Conner, Todd Bell, Richard Clarke, Mudge Zatko
We Focus on the Adversary Mission
Advanced Adversary Detection – Right of Hack
• 160 breaches per week, at an average cost of $1.9M
• 79% of teams overwhelmed with alerts
• High-profile breaches are rising as much as 50% annually (Lord Abbett)
Why?
Adversaries are more advanced.
Data is complex and growing.
Humans can’t keep up.
• 52% of alerts are improperly prioritized (EMA)
Sources cited on the slide: Lord Abbett, EMA, Heritage.org
Versive automates – brings together the data, detects key behaviors, and connects the dots
Effective use of AI starts with understanding the mission.
We Distill What You Need to Take Action
• Automated map of the key findings
• Transparent results with human explanation
• Pointers to raw data that make investigation easy
Bottom Line: We automate the tedious parts of threat hunting so that your team can focus on what’s most important
Our Unique Approach Accelerates Your Work
1. Better Visibility with Increasing Data Sources
2. Apply AI to Make Sense of the Data
3. Prioritize Threat Cases with Automated Expertise
Bring Together Data with Open Source
Our Platform Makes Sense of the Data
Combine AI with SME for Powerful Results
The Result: All of our results detect suspicious behavior that requires investigation. We’ve removed the noise.
Typical Customer Challenges
• Dozens of data sources: Proxy, DNS, Flow, Endpoint, …
• Months of dwell time: Need long-term understanding
• 100k+ internal hosts: Corporate network size
• 100s of TB: Data transferred internally
• 1000s of rare domains: Data outbound to unknown domains
• Tens of TB: Outbound data transfer
Standard tools deliver thousands of anomalies at this scale
Making Sense
• Unify data sources: Correlate easily across all sources
• Long-term history: Understand months of behavior
• Prioritize risky hosts: Narrow by adversary lifecycle
• Automate expertise: AI-driven threat hunting
• Identify suspicious: Granular identification of anomalies
• Understand normal: Adaptive model of activity
Automated expertise reduces to less than 5 suspicious cases.
Take Action
Get a Demo: https://www.versive.com/product/get-demo/
Follow us on Twitter: https://twitter.com/VersiveAI
Connect on LinkedIn: https://www.linkedin.com/company/VersiveAI