tunnel vision is hurting your security: time to see the forest for the trees


Upload: enterprise-management-associates

Post on 21-Jan-2018


TRANSCRIPT

Page 1: Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees

IT & DATA MANAGEMENT RESEARCH,

INDUSTRY ANALYSIS & CONSULTING

Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees

David Monahan

Research Director, Security and Risk Management

Enterprise Management Associates

Dustin Rigg Hillard

VP of Engineering and Co-founder

Versive

Page 2: Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees


Watch the On-Demand Webinar

Check out the on-demand webinar at: http://research.enterprisemanagement.com/tunnel-vision-is-hurting-you-security-on-demand-webinar-ss.html

Page 3: Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees


Today’s Speakers

Dustin Rigg Hillard, VP of Engineering and Co-founder, Versive

Dustin joined Versive in 2012, where he is currently VP of Engineering. Previously at Microsoft and Yahoo!, he loves building systems that deliver business value via large-scale processing and machine learning. He has published more than 30 papers in these areas.

David Monahan, Research Director, Security and Risk Management, EMA

David is a senior information security executive with several years of experience. He has organized and managed both physical and information security programs, including security and network operations (SOCs and NOCs), for organizations ranging from Fortune 100 companies to local government and small public and private companies. He has diverse audit, compliance, risk, and privacy experience, such as providing strategic and tactical leadership to develop, architect, and deploy assurance controls; delivering process and policy documentation and training; and working on educational and technical solutions.

Page 4: Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees


Logistics for Today’s Webinar

EVENT RECORDING: An archived version of the event recording will be available at www.enterprisemanagement.com

QUESTIONS:

• Log questions in the chat panel located in the lower left-hand corner of your screen

• Questions will be addressed during the Q&A session of the event

PDF SLIDES: A PDF of the speaker slides will be distributed to all attendees

Page 5: Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees


Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees

David Monahan

Research Director, Security and Risk Management

Enterprise Management Associates

Page 6: Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees


Issues Security Teams Face

Slide 6 © 2017 Enterprise Management Associates, Inc.

79%: Security teams overwhelmed with threat alerts

From Bay Dynamics and EMA “Day in the Life of a Security Professional” Research

Page 7: Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees


Issues Security Teams Face


52%: Threat alerts improperly prioritized by systems (must be manually reprioritized)

From Bay Dynamics and EMA “Day in the Life of a Security Professional” Research

Page 8: Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees


Issues Security Teams Face


31%: Threat alerts are false positives

From Bay Dynamics and EMA “Day in the Life of a Security Professional” Research

Page 9: Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees


Issues Security Teams Face


64%: Threat alerts go unworked on a daily basis

From Bay Dynamics and EMA “Day in the Life of a Security Professional” Research

Page 10: Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees


Unexpected Barriers to Success


Page 11: Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees


Political Silos

• Divisions in business leadership and organizations

• Created through ignorance or by leaders who desire control and/or power over cooperation and collaboration

• The lack of cooperation inhibits the full contextual awareness necessary to identify threats and appropriately address them

• Data and tools exist but are not made available

• Common projects impacted are data lakes, which require a large degree of cross-organizational cooperation

• Valuable to the business for a myriad of projects, including security and performance improvement


Page 12: Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees


Political Silos: Resolution

• Addressing political silos depends on why they exist

• Personal education: additional individual communication

• Identifying how cooperation improved the business

• Playing to the fiefdom mentality (help me help you)

• Escalation to higher common management


Page 13: Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees


Data Silos

• Cooperation exists and tools exist at some level, but data is lacking and/or there is an inability to bring the data together to be used cooperatively.

• Configuration errors in agents or logging

• Insufficient storage to maintain sufficient data history

• Systems exist that can produce the information, but due to other factors the ability to share or integrate data across tools is limited to nonexistent.

Often, data silos are caused by decisions made long before the current time.


Page 14: Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees


Data Silos (Cont’d)

• Primarily caused by poor architecture decisions about how data is collected and maintained.

• As systems connect, their architecture does not allow for the free flow or combining of the data into a central repository.


Page 15: Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees


Data Silos: Resolution

• Data silos are generally more easily diagnosed and straightforward to resolve—though they are more costly than political silos.

• Audit configurations

• Create standard configurations and deployment models

• Expand data storage

• Re-architect data flows to central repository


Page 16: Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees


Tools Silos

• Cooperation exists but data does not exist due to a lack of tools or lack of interoperability between tools.

• Inability to leverage tools across multiple organizations or an inability to use tools to create or collect data due to a lack of capability.

• Often manifested by an inability to collect, share, correlate, or analyze data for a successful outcome.

• Lack of budgets


Page 17: Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees


Tools Silos (Cont’d)

• Failure to identify operational or organizational requirements prior to purchase of one or more tools

OR

• Inability of existing tools to adapt to significant requirement changes over time

• Monitoring/management coverage gap caused by having insufficient sensor-based tools in the environment.


Page 18: Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees


Tools Silos: Resolution

• Evaluate placement of current sensor technologies for best coverage

• The failure to place technologies creates blind spots in the data and therefore a lack of visibility into actions within the environment

• The failure to place technologies also yields an inability to provide context on those actions.

• Evaluate existing tools against current organizational need

• Leverage common needs for combined budget strength between organizations (another “help me, help you”)


Page 19: Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees


Tools Silos: Resolution (Cont’d)

• Plan for integration going forward

• Evaluate analytics capability

• Failure to provide broader analytics also leaves visibility and context gaps.

• The data exists, but security has no way to connect the dots to see the larger picture, resulting in an operational failure or an undiscovered breach and data exfiltration.


Page 20: Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees


Isolated Analytics for Security: Better, but not Great

• Many “analysis” tools

• Highly segmented source data limits context

• Endpoint good for endpoint

• Network good for network

• Identity and authorization good for users

• Many “sense-making” technologies combine limited data or have limited analytics


Page 21: Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees


Isolated Analytics for Security: Better, but not Great

• SIEM

• Correlation vs. analytics

• Lack of analytics impacts context and prioritization of alerts

• Basic investigation requires the user to know what they want to find, which may bias outcomes or findings


Page 22: Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees


Isolated Analytics for Security: Better, but not Great

• Advanced Breach Detection

• Strong analytics on network activities

• Excellent for spotting anomalous activities within network traffic

• Have limitations on types of data that can be used for creating/verifying context


Page 23: Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees


Isolated Analytics for Security: Better, but not Great

• UEBA

• Strong analytics on user activities

• Excellent for spotting anomalous activities within their data scope

• Not designed to use many types of data in creating context


Page 24: Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees


Security: Visibility, Load, and Prioritization Issues

• Most traditional technology is designed to solve a compartmentalized part of the security problem

• Each can be very successful in its own realm

HOWEVER

• Each has limitations on performance, scope, and data both produced and assimilated


Page 25: Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees


Gaining Full Context Within Your Environment: The Need for Broad Spectrum Analysis

• Do not rely on mere correlation (orange)

• Identify compartmentalized data (blue)

• Identify limited analytics (red)

• Visualize how you will deliver data for the cross-domain analytics (green)


[Diagram: Contextual Cross-Domain Analytics drawing on UEBA, Threat Intel., Deception, Sandbox, IAM, IDS/IPS/IDP, ABD, Next-Gen Endpoint, FW, Network Flows, and Traditional SIEM]

Page 26: Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees


Advantages of Cross-Domain Analytics

• Creates a big data and business analytics approach for security

• Breaks down tools silos

• Breaks down data silos

• Brings data together and makes sense of it without a huge amount of manual labor

• Enables automation of analysis for many routine situations, enabling human resources to focus on higher-end issues

• Creates analysis without bias to identify real issues

• Many issues operators never knew about


Page 27: Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees

©2017 Versive Confidential

Use Case Deep Dive: Automated Threat Hunting

Page 28: Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees


Outline

1. Versive Overview

2. Why Automated Threat Hunting?

3. How AI Makes Sense in Security

Page 29: Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees


Who We Are

Artificial Intelligence Company

Founded in 2012

Offices in SEA, NY, SF

Investors

Strategics

Advisors from Government and Industry

VJ Viswanathan, Ira Winkler, Rob Knake, John Johnson, Brook Conner, Todd Bell, Richard Clarke, Mudge Zatko

Page 30: Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees


We Focus on the Adversary Mission

Advanced Adversary Detection – Right of Hack

Page 31: Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees


160 breaches per week, at an average cost of $1.9M

79% of teams overwhelmed with alerts (EMA)

High-profile breaches are rising as much as 50% annually (Lord Abbett)

52% of alerts are improperly prioritized (EMA)

Sources: Lord Abbett, EMA, Heritage.org

Why?

Adversaries are more advanced.

Data is complex and growing.

Humans can’t keep up.

Page 32: Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees


Versive automates – brings together the data, detects key behaviors, and connects the dots

Effective use of AI starts with understanding the mission.

Page 33: Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees


We Distill What You Need to Take Action

• Automated map of the key findings

• Transparent results with human explanation

• Pointers to raw data that make investigation easy

Page 34: Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees


Bottom Line:

We automate the tedious parts of threat hunting so that your team can focus on what’s most important

Page 35: Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees


Our Unique Approach Accelerates Your Work

1. Better Visibility with Increasing Data Sources

2. Apply AI to Make Sense of the Data

3. Prioritize Threat Cases with Automated Expertise

Page 36: Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees


Bring Together Data with Open Source

Page 37: Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees


Our Platform Makes Sense of the Data

Page 38: Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees


Combine AI with SME for Powerful Results

Page 39: Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees


The Result: All of our results detect suspicious behavior that requires investigation. We’ve removed the noise.

Page 40: Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees


Typical Customer Challenges

• Dozens of Data Sources: Proxy, DNS, Flow, Endpoint, …

• Months of Dwell Time: Need long-term understanding

• 100k+ Internal Hosts: Corporate network size

• 100s of TB: Data transferred internally

• 1000s of Rare Domains: Data outbound to unknown domains

• Tens of TB: Outbound data transfer

Standard tools deliver thousands of anomalies at this scale

Page 41: Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees


Making Sense

• Unify Data Sources: Correlate easily across all sources

• Long-Term History: Understand months of behavior

• Prioritize Risky Hosts: Narrow by adversary lifecycle

• Automate Expertise: AI-driven threat hunting

• Identify Suspicious: Granular identification of anomalies

• Understand Normal: Adaptive model of activity

Automated expertise reduces to less than 5 suspicious cases.
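As an added illustration of the cross-domain analytics argument made on slides 20 to 26 and in the "Making Sense" list above (this is example code written for this transcript, not EMA's or Versive's), the snippet below looks at three constructed event sources the way isolated endpoint, network, and identity tools would, then joins the hits by host and keeps only hosts whose combined evidence spans several adversary-lifecycle stages. Host names, users, domains, and the event-to-stage mapping are assumed sample values.

```python
"""Isolated per-source anomalies vs. a cross-domain join (constructed data)."""
from collections import defaultdict

# Constructed sample events from three separate tools, keyed by host.
ENDPOINT = [  # (host, user, event)
    ("ws-17", "alice", "new_service_installed"),
    ("ws-42", "bob", "new_service_installed"),
    ("ws-09", "carol", "new_service_installed"),
]
NETWORK = [  # (host, destination domain, bytes out, domain rarely seen?)
    ("ws-17", "cdn.example-update.test", 2_000_000_000, True),
    ("ws-42", "backup.example.test", 3_000_000_000, False),
    ("ws-23", "rare-site.test", 1_000, True),
]
IDENTITY = [  # (user, host, event)
    ("alice", "ws-17", "login_outside_hours"),
    ("dave", "ws-31", "login_outside_hours"),
]

# Assumed mapping from each anomaly type to an adversary-lifecycle stage.
STAGE = {
    "new_service_installed": "persistence",
    "rare_domain_transfer": "command_and_control",
    "large_outbound": "exfiltration",
    "login_outside_hours": "credential_misuse",
}


def per_source_anomalies():
    """What each isolated tool raises on its own: one list per domain."""
    endpoint = [(h, e) for h, _, e in ENDPOINT if e == "new_service_installed"]
    network = [(h, "rare_domain_transfer") for h, _, _, rare in NETWORK if rare]
    network += [(h, "large_outbound") for h, _, b, _ in NETWORK if b > 1_000_000_000]
    identity = [(h, e) for _, h, e in IDENTITY]
    return {"endpoint": endpoint, "network": network, "identity": identity}


def cross_domain_cases(min_stages=3):
    """Join the per-source hits by host; a host becomes a case only when
    independent sources together cover at least min_stages lifecycle stages."""
    stages = defaultdict(set)
    for hits in per_source_anomalies().values():
        for host, event in hits:
            stages[host].add(STAGE[event])
    return {h: sorted(s) for h, s in stages.items() if len(s) >= min_stages}


if __name__ == "__main__":
    isolated = sum(len(v) for v in per_source_anomalies().values())
    print(f"{isolated} anomalies from three isolated tools")  # 9
    for host, evidence in cross_domain_cases().items():
        print(f"case: {host} -> {', '.join(evidence)}")  # only ws-17
```

Lowering `min_stages` to 2 also surfaces ws-42 (a new service plus a large transfer to a known backup host), which is the kind of lower-priority case an analyst reviews rather than one any single tool would rank at the top.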

Page 42: Tunnel Vision Is Hurting Your Security: Time to See the Forest for the Trees


Take Action

1. Get a Demo: https://www.versive.com/product/get-demo/

2. Follow us on Twitter: https://twitter.com/VersiveAI

3. Connect on LinkedIn: https://www.linkedin.com/company/VersiveAI