sqrrl threat hunting platform
TRANSCRIPT
Page 1
SQRRL THREAT HUNTING PLATFORM
ADAM FUCHS, CTO, SQRRL
COMMITTER, ACCUMULO; MEMBER, ASF
Page 2
© 2016 Sqrrl Data, Inc. All rights reserved. 2
Accelerating Investigations: Log Data vs. Behavior Graph
Page 3
The Sqrrl Threat Hunting Platform
Data sources ingested into the platform:
• Security data: Firewall / IDS, Threat Intel, SIEM Alerts
• Network data: Bro, Netflow, Proxy
• Endpoint/identity data: Processes, HR
Page 4
Sqrrl Architecture
Layers, from the bottom up:
• Physical: Commodity Hardware
• Data Storage: HDFS + Accumulo
• Data Model: Raw Events, Linked Data
• Processing: Query Engine (Accumulo Iterators); Bulk/Graph Processing (YARN + Spark)
• Interface: Visualization + API
Security, cutting across all layers: Audit, Encryption, Labeling + Policy
Page 5
The Apache Accumulo Project
Accumulo stores sorted key/value pairs:
• High-performance writes
• Great scalability
• Embedded processing (iterators)
We leverage Accumulo for:
• Low-latency information retrieval
• Indexing
• Distributed processing
• Graph organization
• Ingest-time aggregation
• Secure storage
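The slide lists sorted key/value storage, embedded iterators and secure storage without showing how they fit together. The following toy model, added here as an illustration and not code from Sqrrl or Apache Accumulo, shows the three working together: cells are kept sorted by (row, column family, column qualifier, visibility), a range scan walks the sorted keys, and a visibility filter standing in for Accumulo's server-side iterator drops any cell the caller's authorizations do not satisfy before it is returned. The visibility grammar (tokens joined with & or |, grouped by parentheses, no mixing at one level without parentheses) follows Accumulo's ColumnVisibility rules; the parser, the in-memory table, the sample cells and their labels (SOC, PII, HR, TI) are all constructed for this example.

```python
"""Toy model of the Accumulo storage and cell-level security model referred to
on the slide. Added illustration, not Sqrrl or Apache Accumulo code: the
parser and table are simplified re-implementations, and the sample cells
and their labels are constructed."""
import bisect
import re
from typing import Dict, FrozenSet, Iterator, List, NamedTuple, Tuple


class Key(NamedTuple):
    row: str
    cf: str   # column family
    cq: str   # column qualifier
    vis: str  # visibility expression, e.g. "PII&(HR|SOC)"


def evaluate_visibility(expr: str, auths: FrozenSet[str]) -> bool:
    """True if `auths` satisfies `expr`; an empty expression is visible to all.
    Raises ValueError on malformed expressions so bad labels fail closed."""
    tokens = re.findall(r"[A-Za-z0-9_.:-]+|[&|()]", expr)
    if "".join(tokens) != expr:
        raise ValueError(f"bad visibility expression: {expr!r}")
    if not tokens:
        return True
    pos = 0

    def parse_term() -> bool:
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of expression")
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            val = parse_expr()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parentheses")
            pos += 1
            return val
        if tok in ("&", "|", ")"):
            raise ValueError(f"unexpected {tok!r}")
        return tok in auths

    def parse_expr() -> bool:
        nonlocal pos
        val = parse_term()
        op = None
        while pos < len(tokens) and tokens[pos] in ("&", "|"):
            if op is not None and tokens[pos] != op:
                raise ValueError("mixed & and | without parentheses")
            op = tokens[pos]
            pos += 1
            rhs = parse_term()  # always parsed, so the whole expression is syntax-checked
            val = (val and rhs) if op == "&" else (val or rhs)
        return val

    result = parse_expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens")
    return result


class Table:
    """In-memory stand-in for one Accumulo tablet: entries kept sorted by key."""

    def __init__(self) -> None:
        self._keys: List[Key] = []
        self._cells: Dict[Key, bytes] = {}

    def put(self, key: Key, value: bytes) -> None:
        evaluate_visibility(key.vis, frozenset())  # reject malformed labels at write time
        if key not in self._cells:
            bisect.insort(self._keys, key)
        self._cells[key] = value

    def scan(self, auths: FrozenSet[str], row_start: str = "",
             row_end: str = "\uffff") -> Iterator[Tuple[Key, bytes]]:
        """Range scan over rows in [row_start, row_end). The visibility check
        plays the role of Accumulo's server-side filtering iterator: cells
        the caller is not authorized for are never yielded."""
        start = bisect.bisect_left(self._keys, Key(row_start, "", "", ""))
        for key in self._keys[start:]:
            if key.row >= row_end:
                break
            if evaluate_visibility(key.vis, auths):
                yield key, self._cells[key]


def build_sample_table() -> Table:
    """Constructed sample: a few behavior-graph cells with illustrative labels."""
    t = Table()
    t.put(Key("host:ws01", "logon", "user:alice", "SOC"), b"2016-03-01T08:02Z")
    t.put(Key("host:ws01", "logon", "user:svc_backup", "SOC"), b"2016-03-01T02:14Z")
    t.put(Key("user:alice", "hr", "department", "PII&(HR|SOC)"), b"finance")
    t.put(Key("user:alice", "hr", "salary", "PII&HR"), b"redacted")
    t.put(Key("ip:10.0.0.5", "threat_intel", "feed:x", "TI|SOC"), b"c2-beacon")
    return t


def visible_cells(table: Table, auths: FrozenSet[str], row_start: str = "",
                  row_end: str = "\uffff") -> List[Tuple[str, str, str]]:
    """(row, column qualifier, value) for every cell the scan returns."""
    return [(k.row, k.cq, v.decode()) for k, v in table.scan(auths, row_start, row_end)]


if __name__ == "__main__":
    table = build_sample_table()
    for who in (frozenset({"SOC"}), frozenset({"SOC", "PII"}), frozenset({"HR", "PII"})):
        print(sorted(who), visible_cells(table, who))
```

The point to notice is that the label travels with the cell, so a SOC analyst scanning the `user:alice` row sees the department only if their authorizations also carry PII, and a malformed label is rejected at write time rather than silently granting or denying access at read time.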
Page 6
Behavioral Analytics
Page 7
Attack Chain Behavior Detection
Adversary behavior is modeled based on a kill chain.
Kill chain alignment of behavior detection analytics:
• Helps to determine attack penetration and risk
• Supports arguments of completeness of detection coverage
Page 8
Kill Chain-Based Behavioral Analytic Example
• Lateral Movement: multiple host logins, credential theft
• Active Directory
• Windows event logs
• Unsupervised machine learning for rarity detection
• Graph algorithm for chaining
• Analyst whitelisting of false positives
Page 9
Collating Results for Visualization and Analysis
Raw Data -> Modeled Data (Graph) -> Analytics (several, run over the graph) -> Behavioral Analytics -> Entity Risk Scoring -> API -> Applications
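The lateral-movement slide names four ingredients (Windows logon events, rarity detection, graph chaining, analyst whitelisting) and this slide says the analytic results are collated into entity risk scores. The example below, added here and not Sqrrl's own code or model, runs all of those stages over a handful of constructed Windows Security 4624 (successful logon) records. The pipe-delimited event format, the 30-day baseline counts, the whitelist, the two-hour chaining window and the scoring weights are all assumptions made for the example; the frequency baseline is a simple stand-in for the unsupervised model the slide mentions, and the credential-theft pattern is detected as a chain on which the user changes mid-path.

```python
"""Kill-chain-aligned lateral movement analytic with entity risk scoring.
Added illustration, not Sqrrl's code: event format, baseline, whitelist,
window and weights are constructed for this example."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Logon:
    ts: datetime
    user: str
    src: str         # workstation or IP the logon came from
    dst: str         # host that recorded the 4624 event
    logon_type: int  # 3 = network, 10 = RemoteInteractive (RDP)


def parse(line: str) -> Logon:
    """Parse one constructed record: ts|event_id|user|src|dst|logon_type."""
    ts, event_id, user, src, dst, logon_type = line.split("|")
    if event_id != "4624":
        raise ValueError(f"not a successful-logon event: {line!r}")
    return Logon(datetime.fromisoformat(ts), user, src, dst, int(logon_type))


# Constructed 30-day baseline of (user, destination host) logon counts.
BASELINE: Counter = Counter({
    ("alice", "ws01"): 120, ("alice", "fs01"): 40, ("bob", "ws02"): 95,
    ("svc_backup", "fs01"): 900,
})

# Constructed events for one morning.
EVENTS: List[Logon] = [parse(line) for line in [
    "2016-03-01T08:02:00|4624|alice|10.0.5.11|ws01|10",
    "2016-03-01T08:10:00|4624|alice|ws01|fs01|3",
    "2016-03-01T08:31:00|4624|bob|ws01|ws02|3",         # bob's credential used from alice's box
    "2016-03-01T08:40:00|4624|bob|ws02|db01|3",         # bob has never logged on to db01
    "2016-03-01T08:55:00|4624|bob|ws02|dc01|3",         # nor to the domain controller
    "2016-03-01T02:00:00|4624|svc_backup|bk01|fs01|3",
    "2016-03-01T02:05:00|4624|svc_backup|bk01|db01|3",  # new, but a reviewed backup job
]]

# Analyst whitelist of (user, host) pairs reviewed and accepted as benign.
WHITELIST: Set[Tuple[str, str]] = {("svc_backup", "fs01"), ("svc_backup", "db01")}


def rarity(e: Logon, baseline: Counter = BASELINE) -> float:
    """1.0 for a never-seen (user, host) pair, falling toward 0 as it becomes routine."""
    return 1.0 / (1.0 + baseline[(e.user, e.dst)])


def rare_logons(events: Iterable[Logon], threshold: float = 0.1,
                baseline: Counter = BASELINE,
                whitelist: Set[Tuple[str, str]] = WHITELIST) -> List[Logon]:
    return [e for e in events
            if (e.user, e.dst) not in whitelist and rarity(e, baseline) >= threshold]


def chains(events: List[Logon], window: timedelta = timedelta(hours=2)) -> List[List[Logon]]:
    """Chain logon A to logon B when B originates from A's destination host
    within `window` after A. Returns every maximal path of two or more logons
    that starts at a logon not itself reached from another logon."""
    by_src: Dict[str, List[Logon]] = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)

    def successors(a: Logon) -> List[Logon]:
        return [b for b in by_src.get(a.dst, []) if a.ts < b.ts <= a.ts + window]

    reached = {b for a in events for b in successors(a)}
    found: List[List[Logon]] = []

    def walk(path: List[Logon]) -> None:
        nxt = [b for b in successors(path[-1]) if b not in path]
        if not nxt:
            if len(path) >= 2:
                found.append(path)
            return
        for b in nxt:
            walk(path + [b])

    for head in events:
        if head not in reached:
            walk([head])
    return found


def entity_risk(events: List[Logon], baseline: Counter = BASELINE,
                whitelist: Set[Tuple[str, str]] = WHITELIST) -> Counter:
    """Collate risk per user and host: each rare logon adds its rarity to its
    user and destination host; each chain adds one point per hop to every
    user and host on it, plus two more when the user changes along the path
    (the credential-theft pattern)."""
    risk: Counter = Counter()
    for e in rare_logons(events, baseline=baseline, whitelist=whitelist):
        risk[f"user:{e.user}"] += rarity(e, baseline)
        risk[f"host:{e.dst}"] += rarity(e, baseline)
    for chain in chains(events):
        bonus = float(len(chain) - 1) + (2.0 if len({e.user for e in chain}) > 1 else 0.0)
        for name in {f"user:{e.user}" for e in chain} | {f"host:{e.dst}" for e in chain}:
            risk[name] += bonus
    return risk


if __name__ == "__main__":
    for entity, score in entity_risk(EVENTS).most_common():
        print(f"{score:5.2f}  {entity}")
```

Two things the slide's bullets imply but do not spell out show up here: the whitelist is what keeps the never-before-seen `svc_backup` logon to `db01` from scoring as lateral movement, and the chaining is what lifts `bob` above the rest, because his credential first appears on `alice`'s workstation and then fans out to a database server and a domain controller within the window. Scores for users and hosts land in the same collated view, which is what the entity risk scoring stage on the slide consumes.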
Page 10
Target. Hunt. Disrupt.