Cyber Threat Detection and Interpretation


Upload: hadoop-summit

Post on 19-Feb-2017


TRANSCRIPT

Page 1: Cyber Threat Detection and Interpretation

Detecting and Interpreting Cyber Threats at AT&T

© 2016 AT&T Intellectual Property. All rights reserved. AT&T, Globe logo, Mobilizing Your World and DIRECTV are registered trademarks and service marks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks are the property of their respective owners. AT&T Proprietary (Internal Use Only). Not for use or disclosure outside the AT&T companies except under written agreement.

Cyber Threat Detection and Interpretation

Making Sense out of Big Data

Page 2: Cyber Threat Detection and Interpretation


Near Real Time Anomaly Detection and Interpretation

Data arrival triggers dataset generation, analysis, alerting, and visualization
Some outliers are obvious and warrant further analysis and investigation, e.g. 426GB of application traffic in a 15 minute partition


Page 3: Cyber Threat Detection and Interpretation


Threat Detection through Time Series Analysis and Outlier Detection

Some outliers are not so obvious; further analysis detects application outliers
Application traffic associated with one application produces an anomaly (e.g. 115GB of traffic for one application in a 15 minute partition)


Interpretation of Anomalies Produces Alerts

Analysis of the high traffic anomaly reveals external SSH sources; an alert is generated

External SSH Connections
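The partition-level detection and the drill-down described on these two slides, as an added example (not code from the AT&T deck): flow records are bucketed into 15-minute partitions, partitions whose byte totals are outliers are flagged with a median/MAD test, and the flagged partition is then broken down by application and its external SSH sources listed. The record layout, the application labels and the 10.0.0.0/8 "internal" range are assumptions.

```python
# Added example, not from the AT&T deck. Flow records, the app labels and the
# 10.0.0.0/8 "internal" range are constructed assumptions; the median/MAD test
# stands in for whatever statistics the platform actually uses.
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address space
PARTITION = 15 * 60                   # partition width in seconds

# Constructed flow records: (epoch seconds, src_ip, dst_port, app, bytes)
FLOWS = [
    (0,    "10.1.1.5",     443, "web",  50_000_000),
    (950,  "10.1.1.5",     443, "web",  55_000_000),
    (1000, "10.1.1.7",      25, "mail", 40_000_000),
    (1900, "10.1.1.5",     443, "web",  52_000_000),
    (2800, "10.1.1.5",     443, "web",  58_000_000),
    (2900, "203.0.113.9",   22, "ssh",  70_000_000_000),
    (2950, "198.51.100.4",  22, "ssh",  45_000_000_000),
    (3000, "10.1.1.6",     443, "web",  51_000_000),
]

def partition_totals(flows):
    """Total bytes per 15-minute partition, keyed by partition start time."""
    totals = defaultdict(int)
    for ts, _src, _port, _app, nbytes in flows:
        totals[ts - ts % PARTITION] += nbytes
    return dict(totals)

def outlier_partitions(totals, k=5.0):
    """Robust test: flag partitions with |x - median| > k * MAD (MAD scaled to sigma)."""
    values = list(totals.values())
    med = median(values)
    mad = median(abs(v - med) for v in values) * 1.4826 or 1.0
    return sorted(p for p, v in totals.items() if abs(v - med) > k * mad)

def bytes_by_app(flows, part):
    """Drill-down: bytes per application inside one flagged partition."""
    per_app = defaultdict(int)
    for ts, _src, _port, app, nbytes in flows:
        if ts - ts % PARTITION == part:
            per_app[app] += nbytes
    return dict(per_app)

def external_ssh_sources(flows, part):
    """Interpretation: external sources talking to port 22 inside the partition."""
    return sorted({src for ts, src, port, _app, _b in flows
                   if ts - ts % PARTITION == part and port == 22
                   and ip_address(src) not in INTERNAL})
```

With only four partitions the MAD baseline is thin; in practice the baseline would span many days of partitions so that a single busy interval does not distort it.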

Page 4: Cyber Threat Detection and Interpretation



Near Real Time Anomaly Detection and Interpretation

Potential threats are grouped for outlier detection as a result of summary statistics
Extensive graph development and traversal is required to group potential threats together for analysis
Once the correct group is formed, anomaly detection can commence

Page 5: Cyber Threat Detection and Interpretation


Near Real Time Anomaly Detection and Interpretation

Outlier Detection Identifies Anomalies: statistical analysis to determine behavioral values that are atypical and/or impossible (e.g. number of logins)
Time Series Analysis Interprets Non-Human Behaviors: hundreds of logins within 15 minute intervals is non-human behavior
Alerts are Generated for Analysts


Page 6: Cyber Threat Detection and Interpretation


Insider Threat

A Potential Use Case for Outlier Detection

Page 7: Cyber Threat Detection and Interpretation


Insider Threat Use Case


Data Arrival Triggers Extraction into a Data Model

Entities, relationships and features are collected, aggregated and analyzed for outliers
Model features build a history of data transfer and statistical baselines are calculated

Page 8: Cyber Threat Detection and Interpretation



Insider Threat Use Case

Outlier Detection Identified a Data Transfer Anomaly: statistical analysis to determine behavioral values that are out of character (e.g. bytes sent)
Time Series Analysis Interprets the Data Transfer Source: the source and time frame were identified as an outlier
Alerts are Generated for Analysts: an alert was generated for further analysis with pin-point details
Remediation/Corrective Action was Taken: the target was identified and corrective action taken
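The per-entity baselines of this insider threat use case and the login-rate test from the earlier "hundreds of logins within 15 minute intervals" slide, as one added example (not code from the AT&T deck): each user's history of bytes sent yields a mean and standard deviation, new observations are scored against that user's own baseline, and login events are counted per 15-minute partition to flag rates no person produces. All records, the 3-sigma threshold and the 100-logins threshold are constructed assumptions.

```python
# Added example, not from the AT&T deck. History, observations, login events
# and both thresholds (3 sigma, 100 logins per partition) are constructed
# assumptions chosen to illustrate the technique.
from collections import defaultdict
from statistics import mean, pstdev

PARTITION = 15 * 60  # partition width in seconds

# Constructed 7-day history of bytes sent: (user, day, bytes_sent)
HISTORY = [("alice", d, 20_000_000 + 1_000_000 * (d % 3)) for d in range(7)] + \
          [("bob", d, 300_000_000 + 10_000_000 * (d % 4)) for d in range(7)]
# Constructed new observations for day 7
TODAY = [("alice", 7, 9_000_000_000), ("bob", 7, 310_000_000)]

def build_baselines(history):
    """Mean and population std-dev of bytes sent, per entity."""
    per_user = defaultdict(list)
    for user, _day, nbytes in history:
        per_user[user].append(nbytes)
    return {u: (mean(v), pstdev(v) or 1.0) for u, v in per_user.items()}

def transfer_outliers(observations, baselines, sigmas=3.0):
    """(user, day, z) for observations more than `sigmas` above the user's baseline."""
    hits = []
    for user, day, nbytes in observations:
        if user not in baselines:
            continue  # no history yet: leave unscored rather than call it normal
        mu, sd = baselines[user]
        z = (nbytes - mu) / sd
        if z > sigmas:
            hits.append((user, day, round(z, 1)))
    return hits

# Constructed login events: (epoch seconds, user); one account logs in every 3 s
LOGINS = [(i * 3, "svc-batch") for i in range(300)] + [(100, "carol"), (400, "carol")]

def non_human_login_rates(events, threshold=100):
    """(user, partition, count) where a user exceeds `threshold` logins in 15 minutes."""
    counts = defaultdict(int)
    for ts, user in events:
        counts[(user, ts - ts % PARTITION)] += 1
    return sorted((u, p, n) for (u, p), n in counts.items() if n > threshold)
```

The scored output carries the user, the day and the z-score, which is the "pin-point detail" an analyst needs to pick the right source and time frame before taking corrective action.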

Page 9: Cyber Threat Detection and Interpretation



Wrap Up

Hadoop Based Threat Analytics Platform
Outlier Detection and Interpretation
Questions

Page 10: Cyber Threat Detection and Interpretation
