TRANSCRIPT
Tuesday, March 14, 2017 | Webroot Inc. | Proprietary & Confidential Information
Webroot FlowScape - Accelerated
Network Threat Detection
By: Tom Caldwell, Sr. Director Webroot
Date: February 2017 (RSA Conference 2017)
Webroot Inc.
Who We Secure
» 30+ million licensed endpoints
» 9k+ MSP partners
» 180k+ business customers
» 27+ million OEM users
» Largest Cloud Platform for Integrated Endpoint & Threat Intelligence
» Behavior-based endpoint protection defends against any and all threats, known and unknown
» Threat intelligence powered by 5th generation machine learning - foundation for all current and future products
» Industry’s Best Net Promoter Scores & Customer Satisfaction
» Leading Provider of Threat Intelligence to the Security Industry
Your network is your key asset. Protect it.
Networks propagate threats faster than humans can stop them
Visibility is limited… IPv4/IPv6… IT & IoT… normal vs abnormal…
You must secure North/South and East/West communications
Visualizing the Threat Landscape
Data Center
• Anomalies
• Insider Policy Violations
• Cyber Threat Hunting
Introducing Webroot FlowScape® Analytics
Network Anomaly Detection
BrightCloud® Threat Intelligence
SecureAnywhere®
Endpoint Protection
Monitoring both IoT and IT
Webroot FlowScape Anomaly Detection
30+ Machine Learning Capabilities in Security Analytics Platform
Machine Learning Behavioral Analytics Alarms for Anomaly Detection:
1. Clustering Model for IP by IP by Port communication change in Vector Velocity
2. Clustering Model for IP by IP by Port communication change in Vector Magnitude
3. Clustering Model for a Port communication change in Vector Velocity
4. Clustering Model for a Port communication change in Vector Magnitude
5. Clustering Model for a Client Port communication change in Vector Velocity
6. Clustering Model for a Client Port communication change in Vector Magnitude
7. Clustering Model for a Server Port communication change in Vector Velocity
8. Clustering Model for a Server Port communication change in Vector Magnitude
9. Clustering Model for IP by IP by Port communication change in Vector Velocity
10. Clustering Model for IP by IP by Port communication change in Vector Magnitude
11. Clustering Model for External TCP communication change in Vector Velocity
12. Clustering Model for Internal TCP communication change in Vector Magnitude
13. Clustering Model for External UDP communication change in Vector Velocity
14. Clustering Model for Internal UDP communication change in Vector Magnitude
15. Clustering Model for External ICMP communication change in Vector Velocity
16. Clustering Model for Internal ICMP communication change in Vector Magnitude
Monitoring and Alarms for one IP talking to another IP over a given Port:
17. A new communication never seen before over the history of this network
18. Traffic OverFlow Volume Violation for received packets
19. Traffic OverFlow Volume Violation for sent packets
20. Traffic OverFlow Volume Violation for total (sent + received) packets
21. Traffic OverFlow Volume Violation for sent, received and total aggregated packets
22. Traffic UnderFlow Volume Violation for sent packets (for IoT and SCADA Networks)
23. Traffic UnderFlow Volume Violation for received packets
24. Traffic UnderFlow Volume Violation for total packets
25. Traffic UnderFlow Volume Violation for sent, received, and total aggregated packets
Machine Learning Analytics for Detection of Specific High Risk Behaviors (new):
26. Supervised TOR Traffic over HTTPS Model
BrightCloud Threat Intelligence Alarms (new):
27. High Risk (IP Reputation less than 20) Alarm on North-South Anomalous Traffic
28. High Risk Alarm on North-South Normal Traffic
Special Device Alarms (new):
29. New Internal Device Alarm (new IP on internal network) – good for air-gapped networks with static IPs. Examples are Industrial IoT Manufacturing environments or critical infrastructure.
30. New External Device Alarm (new IP on external network) – good for Industrial IoT and stringent critical infrastructure, air-gapped environments where all external traffic should go through a proxy or should be very restricted.
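The first-seen-communication, volume over/underflow and new-device alarms in the list above (items 17 to 25, 29 and 30) all follow from one per-conversation baseline. What follows is an added example of that logic written for this page; it is not FlowScape's code or model. It keeps, for every (src, dst, port) conversation, the packet counts seen per window during training, then alarms on a later window. The internal address ranges, the 3x/0.25x thresholds, the alarm names and the Modbus/TCP and DNS flow records are all constructed for the demo.

```python
"""
Added example (not Webroot's or FlowScape's code): baseline-driven alarms over
flow metadata - first-seen IP/IP/port communication, volume over/underflow on
sent, received and total packets, and new internal/external device.
Internal ranges, thresholds and every flow record are constructed assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: which address ranges count as "internal" for the device alarms.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def device_kind(ip):
    addr = ip_address(ip)
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def aggregate(window):
    """Sum packet counts per (src, dst, port) conversation for one time window."""
    agg = defaultdict(lambda: {"sent": 0, "received": 0})
    for f in window:
        key = (f["src"], f["dst"], f["port"])
        agg[key]["sent"] += f["pkts_sent"]
        agg[key]["received"] += f["pkts_recv"]
    for vols in agg.values():
        vols["total"] = vols["sent"] + vols["received"]
    return agg


class FlowBaseline:
    """Learns normal conversations, devices and per-window packet volumes from
    training windows; evaluate() then raises alarms on a new window."""

    def __init__(self, over_factor=3.0, under_factor=0.25):
        self.over_factor = over_factor    # alarm if volume > factor * mean
        self.under_factor = under_factor  # alarm if volume < factor * mean
        # triple -> direction -> list of per-window packet counts
        self.history = defaultdict(lambda: defaultdict(list))
        self.devices = {"internal": set(), "external": set()}

    def learn(self, window):
        for triple, vols in aggregate(window).items():
            for direction, n in vols.items():
                self.history[triple][direction].append(n)
            for ip in triple[:2]:
                self.devices[device_kind(ip)].add(ip)

    def evaluate(self, window):
        alarms = []
        agg = aggregate(window)
        for triple, vols in agg.items():
            for ip in triple[:2]:
                kind = device_kind(ip)
                if ip not in self.devices[kind]:
                    alarms.append((f"new_{kind}_device", ip))
                    self.devices[kind].add(ip)  # alarm once per device
            if triple not in self.history:
                alarms.append(("new_communication", triple))
                continue  # a brand-new conversation has no volume baseline yet
            for direction, n in vols.items():
                hist = self.history[triple][direction]
                mean = sum(hist) / len(hist)
                if n > self.over_factor * mean:
                    alarms.append((f"overflow_{direction}", triple, n))
                elif n < self.under_factor * mean:
                    alarms.append((f"underflow_{direction}", triple, n))
        # A known conversation that is silent this window is the IoT/SCADA
        # underflow case: a poller or sensor that stopped talking altogether.
        for triple in set(self.history) - set(agg):
            alarms.append(("underflow_total", triple, 0))
        return alarms


def demo():
    """Constructed sample: a Modbus/TCP poll and a DNS conversation, normal
    for two windows, then a window with a quiet PLC poller, a never-seen
    external peer and an unknown internal host."""
    normal = [
        {"src": "10.0.0.5", "dst": "10.0.0.9", "port": 502, "pkts_sent": 100, "pkts_recv": 100},
        {"src": "10.0.0.7", "dst": "198.51.100.53", "port": 53, "pkts_sent": 20, "pkts_recv": 20},
    ]
    base = FlowBaseline()
    base.learn(normal)
    base.learn(normal)
    window = [
        {"src": "10.0.0.5", "dst": "10.0.0.9", "port": 502, "pkts_sent": 10, "pkts_recv": 100},
        {"src": "10.0.0.7", "dst": "198.51.100.53", "port": 53, "pkts_sent": 20, "pkts_recv": 20},
        {"src": "10.0.0.7", "dst": "203.0.113.10", "port": 443, "pkts_sent": 500, "pkts_recv": 40000},
        {"src": "10.0.0.44", "dst": "10.0.0.9", "port": 502, "pkts_sent": 5, "pkts_recv": 5},
    ]
    return base.evaluate(window)


if __name__ == "__main__":
    for alarm in demo():
        print(alarm)
```

Two details matter in practice. A never-seen conversation gets only the new-communication alarm in the window it first appears, because there is no volume history to compare against; volume alarms for it start once it has been learned. And for IoT/SCADA the most useful underflow signal is often total silence, which an aggregation over observed flows never produces on its own, so the example checks learned conversations that are absent from the window explicitly.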
Example: TOR over HTTPS
1. Unsupervised Machine Learning in Phase 1 detects abnormal HTTPS traffic over port 443
2. Supervised Machine Learning in Phase 2 detects TOR Traffic over HTTPS
Can be applied to other protocols that are encrypted
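As an added illustration of the two-phase shape described above (not Webroot's or FlowScape's code or models): Phase 1 is an unsupervised z-score outlier check of port-443 flows against an unlabelled baseline, and Phase 2 is a supervised nearest-centroid classifier, trained on labelled flows, that only sees what Phase 1 flagged. The feature set (including a share of 512-byte-multiple packet sizes as a stand-in for a Tor-cell-like signature), the thresholds and every flow are constructed assumptions; the slide does not say which features separate Tor from other HTTPS.

```python
"""
Added example (not Webroot's or FlowScape's code): a two-phase detector.
Phase 1 (unsupervised) flags port-443 flows that are outliers against an
unlabelled baseline. Phase 2 (supervised) classifies only the flagged flows.
Features, thresholds and all flows below are constructed assumptions.
"""
import math

# Per-flow features computable from packet metadata alone (no payload).
# cell_ratio = share of packets whose size is a multiple of 512 bytes, used
# here as an assumed stand-in for a fixed-cell-size signature.
FEATURES = ("duration_s", "mean_pkt_bytes", "pkts", "cell_ratio")


def vec(flow):
    return [float(flow[k]) for k in FEATURES]


def fit_scaler(flows):
    """Per-feature mean and std from an unlabelled window (std floored)."""
    vecs = [vec(f) for f in flows]
    n = len(vecs)
    means = [sum(v[i] for v in vecs) / n for i in range(len(FEATURES))]
    stds = [max(math.sqrt(sum((v[i] - means[i]) ** 2 for v in vecs) / n), 1e-6)
            for i in range(len(FEATURES))]
    return means, stds


def standardize(flow, scaler):
    means, stds = scaler
    return [(x - m) / s for x, m, s in zip(vec(flow), means, stds)]


def phase1_outliers(baseline, candidates, z_threshold=3.0):
    """Unsupervised: flag candidates far from the baseline on any one feature."""
    scaler = fit_scaler(baseline)
    flagged = [f for f in candidates
               if max(abs(z) for z in standardize(f, scaler)) > z_threshold]
    return scaler, flagged


class NearestCentroid:
    """Supervised: one centroid per label in standardized feature space."""

    def __init__(self, scaler):
        self.scaler = scaler
        self.centroids = {}

    def fit(self, labelled):
        by_label = {}
        for flow, label in labelled:
            by_label.setdefault(label, []).append(standardize(flow, self.scaler))
        for label, rows in by_label.items():
            self.centroids[label] = [sum(r[i] for r in rows) / len(rows)
                                     for i in range(len(FEATURES))]

    def predict(self, flow):
        z = standardize(flow, self.scaler)
        return min(self.centroids, key=lambda lab: math.dist(z, self.centroids[lab]))


def run_pipeline(baseline, labelled, candidates):
    """{flow_id: label} for flows Phase 1 flagged; unflagged flows never reach Phase 2."""
    scaler, flagged = phase1_outliers(baseline, candidates)
    model = NearestCentroid(scaler)
    model.fit(labelled)
    return {f["id"]: model.predict(f) for f in flagged}


def demo():
    def flow(fid, d, m, p, c):
        return {"id": fid, "duration_s": d, "mean_pkt_bytes": m, "pkts": p, "cell_ratio": c}

    # Unlabelled port-443 baseline: ordinary short web sessions (constructed).
    baseline = [flow("b%d" % i, *row) for i, row in enumerate([
        (3, 400, 30, 0.05), (5, 650, 60, 0.10), (8, 900, 120, 0.08),
        (12, 1100, 250, 0.12), (20, 800, 400, 0.15), (25, 500, 90, 0.06),
        (30, 1200, 180, 0.09), (40, 700, 45, 0.11)])]
    # Labelled set for Phase 2 (constructed): long fixed-cell-size sessions
    # as "tor"; long bulk transfers with large packets as "other".
    labelled = [
        (flow("t1", 1200, 530, 2000, 0.90), "tor"),
        (flow("t2", 3600, 545, 6000, 0.95), "tor"),
        (flow("t3", 900, 520, 1500, 0.85), "tor"),
        (flow("o1", 250, 1350, 15000, 0.08), "other"),
        (flow("o2", 600, 1400, 40000, 0.12), "other"),
        (flow("o3", 120, 1300, 8000, 0.10), "other"),
    ]
    candidates = [
        flow("c1", 15, 750, 100, 0.10),      # ordinary session: never flagged
        flow("c2", 1800, 540, 3000, 0.92),   # Tor-like
        flow("c3", 300, 1400, 20000, 0.10),  # anomalous bulk download, not Tor
        flow("c4", 35, 1150, 300, 0.14),     # slightly unusual, under threshold
    ]
    return run_pipeline(baseline, labelled, candidates)


if __name__ == "__main__":
    print(demo())
```

The reason for the "other" class is the same reason the slide separates the phases: Phase 1 flags anything unusual on 443, including legitimate bulk transfers, so the supervised stage must be able to say "anomalous but not Tor" rather than label every outlier as Tor. The flip side is that a Tor session which looks ordinary to Phase 1 is never examined by Phase 2, so the pipeline's miss rate is bounded below by the unsupervised stage.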
Integrated with BrightCloud Threat Intelligence
» FlowScape Integrated BrightCloud Threat Investigator
» Seamless North/South cyber threat detection
Use Case - FlowScape for IoT (Internet of Things)
Anomaly Detection using BrightCloud Threat Intelligence for:
» IoT Devices
» IoT Gateways
» IoT Clouds
» IoT Transportation
» Amazon AWS Clouds (for Amazon AWS IoT)
How FlowScape Works (Patent Pending)
FlowScape – Network Security Analytics Platform
» Passive Tap / Span Port Sensor (S) listens to all traffic
» Machine Learning using self organizing maps
» Apply multiple advanced analytical models (M1, M2, M3, M4, M5 … Mx) for Anomaly Detection
Binocular Fusion Analytics | Threat Intelligence | Advanced Visualization
» 30+ Behavioral Models
» Unsupervised/Supervised Models
» Machine Learning (ML)
» Early Warning Predictors
» Black List, Threat Intel Feeds
» Geo-location/Time
» Big Data Visualization
» Clusters of Breach Activity
» CyberHooks REST API
» Open Data Stores for research
Webroot FlowScape - Software Architecture
» Private Cloud or Public Cloud Deployments
» Docker Containers and Virtual Machines
» High Speed Sensors, only look at packet meta-data
» Context and Threat intelligence (BrightCloud + End Points)
» Visualization
» Integration with SIEM via CyberHooks
Components:
» Sensors #1, #2, #3 … #n: C/C++ App running in CentOS VM
» Analytics Engine (Binocular Fusion Analytics): MongoDB, OMQ server, analytics scoring service, Docker Containers
» Threat Intelligence / Policy Manager: Java-based Policy Engine, Customizable Rules, MaxMind Geo, Docker container
» Advanced Visualization / Visualization Interface: Key-Lines, Spring, REST, Docker, MongoDB
» FlowScape CyberHooks: WebHooks pub/sub Integration Layer to External Systems (SIEM, Splunk, Operational System)
Success Story - San Diego – Smart City
» City of San Diego
– 40,000 End Points, 24 Networks
– IoT (ATMs, Parking Meters, HVAC, Vending Machines, Golf Carts, Transport Systems, Police, Fire, Water…)
» “Perimeters are malleable and breaches are happening in the core.”
» “FlowScape Enables the SOC to machine learn what devices/users normally do”
» “We need tools that cover both IT/IoT requirements in Smart Cities”
“…we spend $600 per infected computer, 100 infected computers a month; that is $720K per year the city spends on infected computers.”
FlowScape reduces their detection time by more than 50%, saves over $360K per year
“Intel I can count on”
Gary Hayslip, CISO, City of San Diego
Designed for the MSP/MSSP
» Seamless management for multiple sites
» Machine learning across endpoints, networks, threat intelligence
» Cloud-based SaaS site management with integrated tools
Q&A