SQRRL WEBINAR
Securely explore your data
Reducing “Mean Time to Know”
Aug 15, 2015
© 2015 Sqrrl | All Rights Reserved
YOUR WEBINAR HOSTS
• Sqrrl cofounder / VP Business Development
• Former Director of Cybersecurity at the National Security Council Staff / White House
• Degrees from Wharton and Harvard

• Sqrrl VP Products
• Former Director of Product Management at Vertica, Imprivata, and DataSynapse
• CS degree from MIT
SQRRL HISTORY: From securing the country to securing your enterprise
• 2006: Google’s BigTable paper
• 2008: NSA builds Accumulo
• 2012: Sqrrl founded
• 2013: Sqrrl Enterprise 1.0
• 2015: Sqrrl Enterprise 2.0
Investors: / Patented Technology:
INCIDENT RESPONSE LIFECYCLE
Sqrrl’s focus today is on Detection and Analysis (i.e., cybersecurity investigations)
Figure: NIST incident response lifecycle (Source: NIST)
CYBERSECURITY INVESTIGATIONS TAXONOMY
Cybersecurity Investigations
• Detection
  – Hunting / IOCs
  – Threat Intelligence
  – Alerting (Rule-Based, Algorithmic)
• Analysis
  – Alert Resolution
  – Incident Triage
  – Root Cause / Forensics
MEAN TIME TO KNOW
How do we decrease Mean Time To Know?
• Mean Time To Identify (MTTI): detect that an incident has occurred
• Mean Time To Know (MTTK): understand the root cause of an incident
Chart: % Time Spent on MTTI vs. MTTK (values shown: 25% and 75%). Source: Ponemon Institute
Sqrrl MTTK Case Study: Large Telecommunications Company
Challenge
• Analyzing more than 1 year of multi-structured security data, including for Advanced Persistent Threats (APT), fraud, and insider threats
Sqrrl Solution
• Aggregate and store all data
• Gather and profile employee and device behaviors
• Search, query and analyze behaviors, details and anomalies
Results
• Ensured compliance with data security regulations
• Reduced investigation time from days/weeks to minutes
• Visibility across more data than previously possible
TOP 5 WAYS TO REDUCE MTTK
1. Big Data
2. Linked Data Visualization
3. Graph Exploration
4. Investigation Workflow
5. Advanced Analytics
#1 BIG DATA: Volume and Variety of Data
Current solutions can’t easily handle the variety and volume of data that security analysts need
#1 BIG DATA: Performance Measures
• Sqrrl indexes and stores 25,000 events per second per node
• Sqrrl’s core has proven near-linear scalability to 2000+ nodes
• Clustered support for processing trillions of events per day
Sources: http://www.pdl.cmu.edu/SDI/2013/slides/big_graph_nsa_rd_2013_56002v1.pdf and http://arxiv.org/pdf/1406.4923v1.pdf

Data Source             Record Count
Netflow                 2,109,409,060
Cisco ASA Firewall      2,982,124,483
Websense                  924,819,607
MsDns                     503,237,033
IsaFw                     207,834,546
IIS                        38,941,968
Damballa                       16,060
Apache Webserver            5,615,832
ISE                           671,006
Radius                      1,138,001
Windows Events             12,220,081
Symantec EP                 1,040,871
FireEye                         4,305
Total Records           6,787,072,853
Node * Seconds                271,800
Records/Second/Node            24,971  (Total Records ÷ Node * Seconds)
#2 LINKED DATA VISUALIZATION
LOGS vs. LINKED DATA
LINKED DATA
• Organizes data into entities and relationships (links)
• More intuitive visualization
• Surfaces meaning & context
• Enables faster analysis
LINKED DATA VISUALIZATION DEMO
#3 GRAPH EXPLORATION: Pattern Discovery and Matching
• Hunting for known patterns
• Search for the HTTP transaction “triangle”
• Locate a specific instance quickly amongst a large volume of transactions
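The two slides above (logs vs. linked data, and hunting for the HTTP transaction “triangle”) describe the idea without showing it. The block below is an added example written for this page in Python; it is not Sqrrl’s code and does not use the Sqrrl product’s API. It parses a handful of constructed proxy-style log lines into entities (client IPs, hostnames, server IPs) and typed relationships, keeps every raw event attached to the edge it produced so an analyst can pivot back to the log line, and then searches the graph for the closed client → host → server-IP triangle. The log format, the entity and relation names, and the reading of the “triangle” as those three edges are all assumptions made for the example.

```python
"""Added example (not Sqrrl's code): flat log lines -> linked data
(entities + relationships) -> pattern search for the HTTP transaction triangle.

Assumptions: the log format, field names and sample lines are constructed;
the three-edge client/host/server-IP triangle is one plausible reading of the
slide's "HTTP transaction triangle", not Sqrrl's definition of it."""
from collections import defaultdict
import re

# Constructed proxy-style log lines: timestamp client_ip host dst_ip method path status
SAMPLE_LOGS = """\
2015-08-15T10:00:01Z 10.0.0.5 intranet.example.com 192.0.2.10 GET /index.html 200
2015-08-15T10:00:02Z 10.0.0.5 intranet.example.com 192.0.2.10 GET /login 200
2015-08-15T10:00:07Z 10.0.0.9 updates.example.net 198.51.100.7 GET /manifest 304
2015-08-15T10:00:09Z 10.0.0.5 updates.example.net 198.51.100.7 POST /upload 200
2015-08-15T10:00:12Z 10.0.0.12 intranet.example.com 192.0.2.10 GET /index.html 200
this line is malformed and must be skipped, not silently dropped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\d+\.\d+\.\d+\.\d+) (?P<host>\S+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


class LinkedData:
    """Entities are typed nodes such as "ip:10.0.0.5"; relationships are typed
    edges. Each edge keeps the raw events that produced it, so the graph view
    never loses the underlying log evidence."""

    def __init__(self):
        self.entities = set()
        self.edges = defaultdict(list)   # (src, relation, dst) -> [event dicts]
        self.out = defaultdict(set)      # src -> {(relation, dst)}

    def link(self, src, relation, dst, event):
        self.entities.update((src, dst))
        self.edges[(src, relation, dst)].append(event)
        self.out[src].add((relation, dst))

    def neighbours(self, entity, relation):
        return {dst for rel, dst in self.out[entity] if rel == relation}


def parse_line(line):
    """Return the event fields as a dict, or None for a line that does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def build_graph(text):
    """Parse every log line and record the three relationships of one transaction."""
    g = LinkedData()
    skipped = 0
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            skipped += 1                 # malformed input is counted, not hidden
            continue
        client = f"ip:{ev['client']}"
        host = f"host:{ev['host']}"
        dst = f"ip:{ev['dst']}"
        g.link(client, "requested", host, ev)
        g.link(host, "resolved_to", dst, ev)
        g.link(client, "connected_to", dst, ev)
    return g, skipped


def find_triangles(g):
    """Return every (client, host, dst) triple closed by all three relationships."""
    found = set()
    for client in g.entities:
        for host in g.neighbours(client, "requested"):
            for dst in g.neighbours(host, "resolved_to"):
                if dst in g.neighbours(client, "connected_to"):
                    found.add((client, host, dst))
    return sorted(found)


def events_for(g, client, host, dst):
    """Pivot from one matched triangle back to the raw events behind it."""
    return g.edges[(client, "requested", host)]


if __name__ == "__main__":
    graph, bad = build_graph(SAMPLE_LOGS)
    print(f"entities={len(graph.entities)} skipped_lines={bad}")
    for tri in find_triangles(graph):
        print(tri, "->", len(events_for(graph, *tri)), "event(s)")
```

The same structure scales in the obvious direction: the per-entity adjacency index is what makes “locate a specific instance quickly” possible, because a search starts from one known entity and walks its links instead of scanning every transaction.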
GRAPH EXPLORATION DEMO
#4 INVESTIGATION WORKFLOW
It is easy to get lost in a maze of searches during an investigation
INVESTIGATION WORKFLOW DEMO
#5 ADVANCED ANALYTICS
Algorithmic approaches to anomaly detection
Illustration: peer group vs. outlier
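The slide names peer-group outlier detection as one algorithmic approach but does not show the mechanics. The block below is an added Python example written for this page, not Sqrrl’s code or algorithm: each account is scored against its own peer group (here, its department) with a median/MAD z-score, and the same score is computed against the whole population to show what peer grouping adds. The field names, the choice of department as peer group, the 3.5 threshold, the minimum group size and the sample numbers are all constructed assumptions.

```python
"""Added example (not Sqrrl's code): peer-group outlier scoring, one of the
algorithmic anomaly-detection approaches named on the slide.

Each entity (a user account) is compared with its peer group (its department)
rather than with the whole population, so a data-heavy team does not hide a
quiet department's genuinely unusual account. Assumptions: field names,
peer-group definition, threshold, minimum group size and sample numbers are
all constructed for this example."""
from collections import defaultdict
from statistics import median

# Constructed daily outbound bytes per user; the department is the peer group.
SAMPLE_ACTIVITY = [
    ("alice", "finance", 120_000), ("bob", "finance", 95_000),
    ("carol", "finance", 110_000), ("dave", "finance", 130_000),
    ("erin", "finance", 2_400_000),            # unusual only relative to finance
    ("frank", "engineering", 2_100_000), ("grace", "engineering", 1_900_000),
    ("heidi", "engineering", 2_300_000), ("ivan", "engineering", 2_000_000),
    ("judy", "engineering", 2_200_000),
    ("mallory", "legal", 50_000),              # group too small to baseline
]


def robust_z(value, values):
    """Median/MAD z-score. Median and MAD resist the outlier dragging the
    baseline toward itself, which a mean/standard-deviation score does not."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        return 0.0                             # constant group: nothing stands out
    return 0.6745 * (value - med) / mad        # 0.6745 scales MAD to ~sigma for normal data


def peer_group_outliers(activity, threshold=3.5, min_group=4):
    """Return {user: score} for users whose score within their peer group
    exceeds the threshold. Groups smaller than min_group are skipped because a
    baseline built from two or three members is not meaningful."""
    groups = defaultdict(list)
    for user, group, value in activity:
        groups[group].append((user, value))
    flagged = {}
    for members in groups.values():
        if len(members) < min_group:
            continue
        values = [v for _, v in members]
        for user, value in members:
            score = robust_z(value, values)
            if abs(score) > threshold:
                flagged[user] = round(score, 1)
    return flagged


def global_outliers(activity, threshold=3.5):
    """The same score against the whole population, for comparison."""
    values = [v for _, _, v in activity]
    flagged = {}
    for user, _, value in activity:
        score = robust_z(value, values)
        if abs(score) > threshold:
            flagged[user] = round(score, 1)
    return flagged


if __name__ == "__main__":
    print("peer-group outliers:", peer_group_outliers(SAMPLE_ACTIVITY))
    print("population outliers:", global_outliers(SAMPLE_ACTIVITY))
```

On the constructed data the population-wide score flags nobody, because engineering’s normal volume stretches the baseline until finance’s unusual account looks ordinary; the peer-group score flags it immediately. In a real deployment the peer group would come from directory attributes or from clustering on behaviour, and the threshold would be tuned against the alert volume the analysts can actually resolve.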
ADVANCED ANALYTICS DEMO
HOW TO LEARN MORE?
www.sqrrl.com
• Read our white paper or product paper
• Schedule a demo or proof of concept
• Request a VM or evaluation software