Artwork

Вміст надано Black Hat / CMP and Jeff Moss. Весь вміст подкастів, включаючи епізоди, графіку та описи подкастів, завантажується та надається безпосередньо компанією Black Hat / CMP and Jeff Moss або його партнером по платформі подкастів. Якщо ви вважаєте, що хтось використовує ваш захищений авторським правом твір без вашого дозволу, ви можете виконати процедуру, описану тут https://uk.player.fm/legal.
Player FM - додаток Podcast
Переходьте в офлайн за допомогою програми Player FM !

Ken Hines: Using Causal Analysis to Establish Meaningful Connections between Anomalous Behaviors in a Networking Environment

24:48
 
Поширити
 

Manage episode 155121481 series 1146744
Вміст надано Black Hat / CMP and Jeff Moss. Весь вміст подкастів, включаючи епізоди, графіку та описи подкастів, завантажується та надається безпосередньо компанією Black Hat / CMP and Jeff Moss або його партнером по платформі подкастів. Якщо ви вважаєте, що хтось використовує ваш захищений авторським правом твір без вашого дозволу, ви можете виконати процедуру, описану тут https://uk.player.fm/legal.
Fueled by business needs such as supply chain integration and outsourcing, modern enterprises must open up portions of their networks to potentially untrusted outsiders. Combined with the troubling aspects of malicious insiders, ever more sophisticated attacks, increasing network complexity, and strong pressure from regulatory bodies to rapidly identify breaches and assess damages, there is a rapidly growing concern over internal network security. IT departments must work harder than ever to prevent insiders and outsiders from gaining unauthorized access to critical assets deep in the network, and if such access ever occurs, identify and report on, the impact of such a security breach. In order to gain real insight into the dynamic behavior of their networks, IT departments must monitor huge quantities of data, where individual elements of a sophisticated attack may be spread out over long periods of time, and vast numbers of logs. Many tools are available to identify individual phases of an attack, such as IDSs, network based anomaly detection tools, host based monitoring tools, and even firewalls. However, this data is presented to the security analyst as a series of unrelated suspicious events. Because of the complexity of modern networks there are always isolated and seemingly suspicious things occurring on the network. To find a sophisticated breach the individual pieces of an attack need to be tied together for successful analysis. One approach to determining relationships between events is by defining rules, such as: if some set of events happens around the same time, they are probably related, and should be presented as a correlated event. Unfortunately this places the burden on the security analyst of predefining attack scenarios for their particular network. Unlike virus detection which can leverage the entire anti-virus community to identify and write appropriate signature files, internal network security has no such analogy. Every enterprise network has unique characteristics requiring company specific rules. While rules are good for identifying problems with well defined signatures, they aren't capable of relating attack elements separated by large time intervals, and obscured by benign activity on the surrounding hosts. The missing piece is causal analysis, which can automatically link together suspicious events independent of the normal network activity that occurs between the various phases of a security breach. The benefit of the causal analysis approach is that chains of related and suspicious activity provide a strategic overview of network behavior allowing a security analyst to focus their efforts on attacks in progress. When they have a readable chain of anomalous behavior, the security team can trace the attack vector back to the entry point, and find the so-called "patient zero." This presentation demonstrates the value of causal analysis using a simple example that involves social networks rather than computer networks, how this example is really a metaphor for a very common form of computer network attack, and how causal analysis is equally appropriate in finding this sort of attack in enterprise networks. It then presents some of the factors that compound the difficulty of this analysis in real networks, and describes approaches that simplify this complexity. Using the techniques described, two real "stepping stone" attacks are outlined and diagrammed to illustrate the power of causal analysis. Finally, it demonstrates how this analysis can be combined with other forms of security analytic and mitigation techniques to provide a formidable barrier against network attacks. Ken Hines earned his Ph.D. in computer science at the University of Washington in 2000, by successfully defending his dissertation, which applied causal analysis to debugging heterogeneous distributed embedded systems. Since then, he has founded two venture funded companies, and actively developed commercial products that apply causal analysis to solving complex problems related to distributed embedded systems, network processor based network infrastructure, and finally networks as a whole. While a graduate student, Ken was one of the primary researchers on the Chinook Hardware/Software Co-synthesis project, and published a number of papers on distributed debugging, distributed hardware/software co-simulation, and co-synthesis for heterogeneous distributed embedded systems.
  continue reading

61 епізодів

Artwork
iconПоширити
 
Manage episode 155121481 series 1146744
Вміст надано Black Hat / CMP and Jeff Moss. Весь вміст подкастів, включаючи епізоди, графіку та описи подкастів, завантажується та надається безпосередньо компанією Black Hat / CMP and Jeff Moss або його партнером по платформі подкастів. Якщо ви вважаєте, що хтось використовує ваш захищений авторським правом твір без вашого дозволу, ви можете виконати процедуру, описану тут https://uk.player.fm/legal.
Fueled by business needs such as supply chain integration and outsourcing, modern enterprises must open up portions of their networks to potentially untrusted outsiders. Combined with the troubling aspects of malicious insiders, ever more sophisticated attacks, increasing network complexity, and strong pressure from regulatory bodies to rapidly identify breaches and assess damages, there is a rapidly growing concern over internal network security. IT departments must work harder than ever to prevent insiders and outsiders from gaining unauthorized access to critical assets deep in the network, and if such access ever occurs, identify and report on, the impact of such a security breach. In order to gain real insight into the dynamic behavior of their networks, IT departments must monitor huge quantities of data, where individual elements of a sophisticated attack may be spread out over long periods of time, and vast numbers of logs. Many tools are available to identify individual phases of an attack, such as IDSs, network based anomaly detection tools, host based monitoring tools, and even firewalls. However, this data is presented to the security analyst as a series of unrelated suspicious events. Because of the complexity of modern networks there are always isolated and seemingly suspicious things occurring on the network. To find a sophisticated breach the individual pieces of an attack need to be tied together for successful analysis. One approach to determining relationships between events is by defining rules, such as: if some set of events happens around the same time, they are probably related, and should be presented as a correlated event. Unfortunately this places the burden on the security analyst of predefining attack scenarios for their particular network. Unlike virus detection which can leverage the entire anti-virus community to identify and write appropriate signature files, internal network security has no such analogy. Every enterprise network has unique characteristics requiring company specific rules. While rules are good for identifying problems with well defined signatures, they aren't capable of relating attack elements separated by large time intervals, and obscured by benign activity on the surrounding hosts. The missing piece is causal analysis, which can automatically link together suspicious events independent of the normal network activity that occurs between the various phases of a security breach. The benefit of the causal analysis approach is that chains of related and suspicious activity provide a strategic overview of network behavior allowing a security analyst to focus their efforts on attacks in progress. When they have a readable chain of anomalous behavior, the security team can trace the attack vector back to the entry point, and find the so-called "patient zero." This presentation demonstrates the value of causal analysis using a simple example that involves social networks rather than computer networks, how this example is really a metaphor for a very common form of computer network attack, and how causal analysis is equally appropriate in finding this sort of attack in enterprise networks. It then presents some of the factors that compound the difficulty of this analysis in real networks, and describes approaches that simplify this complexity. Using the techniques described, two real "stepping stone" attacks are outlined and diagrammed to illustrate the power of causal analysis. Finally, it demonstrates how this analysis can be combined with other forms of security analytic and mitigation techniques to provide a formidable barrier against network attacks. Ken Hines earned his Ph.D. in computer science at the University of Washington in 2000, by successfully defending his dissertation, which applied causal analysis to debugging heterogeneous distributed embedded systems. Since then, he has founded two venture funded companies, and actively developed commercial products that apply causal analysis to solving complex problems related to distributed embedded systems, network processor based network infrastructure, and finally networks as a whole. While a graduate student, Ken was one of the primary researchers on the Chinook Hardware/Software Co-synthesis project, and published a number of papers on distributed debugging, distributed hardware/software co-simulation, and co-synthesis for heterogeneous distributed embedded systems.
  continue reading

61 епізодів

Усі епізоди

×
 
Loading …

Ласкаво просимо до Player FM!

Player FM сканує Інтернет для отримання високоякісних подкастів, щоб ви могли насолоджуватися ними зараз. Це найкращий додаток для подкастів, який працює на Android, iPhone і веб-сторінці. Реєстрація для синхронізації підписок між пристроями.

 

Короткий довідник