
The Future of Security Analytics
TK Keanini, Distinguished Engineer, Advanced Threat (@tkeanini)
DGTL-BRKSEC-2068
© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda
• Introduction
• Security Analytics Fundamentals
• Telemetry, Techniques and Outcomes
• Artificial Intelligence and Machine Learning
• Dark Data, Encrypted Traffic Analytics and Behavioral Analytics
• The Future of Security Analytics
• Conclusion and Takeaways

Brief History in a Nutshell
Hello, my name is TK Keanini (pronounced Kay-Ah-Nee-Nee).

Fundamentals

Security Analytics versus Other Analytics
Security analytics focuses on augmenting or automating these functions:
• Incident Responder
• Security Analyst
• Security Operations
• Threat Hunter
• Compliance and Policy
• Business Continuity
• Cybercrime Fighting
(Diagram: Telemetry → Synthesis/Analytics → Outcomes)

All Telemetry Is Data, but Not All Data Is Telemetry
te·lem·e·try (noun): the process of recording and transmitting the readings of an instrument. It is data that represents change taking place within an observable domain.
(Diagram: Telemetry drawn as a subset of Data)

Telemetry (Sensing Change)
Any data set that is useful in the analytical outcomes, for example:
• AWS telemetry, Google GCP telemetry, Azure
• Catalyst, IE, ETA-enabled Catalyst
• Web Security Appliance (WSA)
• ISR | CSR | ASR | WLC
• AnyConnect
• AMP
• ASA | FTD | Meraki
• Identity Services Engine (ISE)
• Duo
• Stealthwatch Flow Sensor
• Observable Network Appliance
(Diagram: switches, routers, firewalls, servers, endpoints, users, WAN, web, cloud-native workloads and policy/user information feeding telemetry into the analytics pipeline.)

Tracking a User's Behavior
Access logs are terse and leave gaps in the narrative:
‣ After logging in, what did they do?
‣ What protocols were used?
‣ Were they coming in from another machine via RDP?
‣ How much data was exchanged?
‣ Was the communication encrypted?
‣ What other sessions were active at the time of this session?
‣ What was the integrity of the device prior to and during the session?
‣ How does this current activity compare to the historical baseline?

(Figure: Gartner Hype Cycle for Emerging Technologies 2017, source Gartner, July 2017. Expectations plotted against time through the Innovation Trigger, Peak of Inflated Expectations, Trough of Disillusionment, Slope of Enlightenment and Plateau of Productivity; Machine Learning is marked on the curve.)

What Did We Do Before Machine Learning?
• Simple Pattern Matching
• Statistical Methods
• Rules and First Order Logic (FoL)
Use these in combination with machine learning.

Why Is Machine Learning So Useful in Security?
Static domain: has limited variability or is well-understood.
Evolving security domain: the security domain is always evolving, has a large amount of variability, and is not well-understood.

Why Use Machine Learning for Security Analytics
‣ Advanced threats are inherently not static; they evolve
‣ The data sets are often very large at scale (the 1% that matters)
‣ The most advanced threats are novel and not well-understood
‣ Machine learning is not magic and still has problems!
The key is to use its strengths alongside other techniques in an analytics pipeline that is hard to evade and delivers the most fidelity.
https://blogs.cisco.com/security/the-state-of-machine-learning-in-2019

Example Stack: Encrypted Traffic Analytics

Example: Encrypted Traffic Analytics
Outcomes: detection of malware without decryption; cryptographic compliance.
Synthesis/Analytics: an analytics pipeline of diverse methods.
Telemetry (observables): Initial Data Packet, Sequence of Packet Lengths and Times, Flow Start Time.

Artificial Intelligence & Machine Learning

Arthur Samuel's definition of machine learning in 1959: "Field of study that gives computers the ability to learn without being explicitly programmed."

Machine Learning Big Picture
Machine learning is one of the fields in artificial intelligence, where machines learn to act autonomously and react to new situations without being pre-programmed. It is about designing algorithms that allow computers to learn, aimed at some outcome.
• Learn to identify faces, learn to drive a car, etc.
• Learn to detect malware, learn to identify threat actors, etc.
Supervised learning (examples: classification, regression); unsupervised learning (examples: clustering, dimensionality reduction); reinforcement learning.

Supervised
• Used when you know the question you are trying to ask
• And have examples of it being asked and answered correctly
• If you can phrase a problem as 'we know this is right, learn a way to answer more questions of this type'
Unsupervised
• Less structured; you know little about the structure
• You don't have answers and may not fully know the questions
• Unsupervised techniques act as a tool for gaining an understanding of how elements of the set relate to each other
Reinforcement Learning
• Sometimes called RL, and is really the 'other' category
• Learns the optimal solution by repeated trial and error
• If you can formalize your problem, even at a level above what supervised learning calls for, then RL has some powerful tools for solving it

Ground Truth Used in Supervised Learning
‣ The 'ground truth' is the pairing of example questions and answers
‣ If you can phrase a problem as 'we know this is right, learn a way to answer more questions of this type'
‣ Success depends greatly on the dataset expressing the Question -> Answer mapping

"Field of study that gives computers the ability to learn without being explicitly programmed."
"Field of study that gives computers the ability to be implicitly programmed."

Training Classifiers
(Diagram: Training Data → Machine Learning Algorithm → Classifier; New Data → Classifier → Prediction)

Efficacy and Measurement

What Is at Stake Matters
(Example: a recommender that says "Because you watched Deadpool, you might like..." X-Men: First Class, The Flash, Captain America: The First Avenger.)

"The Explainability Problem": How Did the Machine Come to That Conclusion?
Normal workflow: the CFO's daily calendar → irregular activity → the machine detects "suspicious" activity and suggests remediation → quarantined.
However, the machine cannot articulate *why* it wants to remediate, leading to loss of time and resources.

Dark Data

The Network Traffic Is Encrypted
90% of the network traffic today is encrypted.
Threat actors are also using network encryption.
All encrypted sessions begin unencrypted.

Dark Data Is Here
Direct inspection is no longer possible; inference becomes our strategy. We can accurately infer what we cannot observe.

Encrypted Sessions
All encrypted sessions begin unencrypted.
Digital fingerprints: TLS is the new TCP.

Digital Fingerprints
We can still detect threats without decryption: unencrypted observables → attribution → helpful analytics.

Intro to Fingerprinting

What Is a Fingerprint?
An impression left by the friction ridges of a human finger.
Valuable qualities:
‣ Detailed and unique to every person
‣ Difficult to alter
‣ Durable over the life of the person

Precision Fingerprinting: 1:1 with Object Class
Benefits
‣ Size (how much of the world do I represent?) x/domain
‣ Accuracy of the inference
Implementation challenges
‣ Labor-intensive process
‣ Not 100% comprehensive

Digital Network Fingerprints
Objective: to directly observe a pattern in transit that accurately identifies the class of process responsible for the exhibition.
Duck example (abductive reasoning): directly observable (&&) has feathers, has webbed feet, has yellow bill → class of object: Duck (the class, not Daffy specifically as an instance).

TLS Fingerprinting
Research based on Blake Anderson and David McGrew, Security and Trust Organization at Cisco
https://github.com/cisco/joy/blob/master/fingerprinting/resources/fingerprint_db.json.gz
https://github.com/cisco/joy

TLS Fingerprinting: TLS Is the New TCP
Transport Layer Security (TLS) is the protocol used to secure network traffic. The TLS parameters offered in the negotiations are observable and can provide attribution to a process.
Direct observable → attributed to process class, for example:
• Observable 848 → "Google Chrome (43.0.2357.130 64-bit OSX)"
• Observable 232 → "Malware: TBot / Skynet Tor Botnet"
• Observable 135 → "Metasploit SSL Scanner"

From Observations to Attribution
Machines help us answer: what deterministic patterns can be directly attributed to a process?
Endpoint activity: Network Visibility Module (NVM)
• IPFIX-based record (source, destination IP, etc.)
• Unique Device ID (correlate records from the same endpoint device)
• Device Name (bsmith-WIN) and OS Version (Windows 7)
• Domain\User Name (Amer\bsmith)
• Account Type (Windows: Admin/Standard/Guest; Mac: Standard/Root)
• Local DNS (starbucks.com), Target DNS (amceco.box.com)
• MAC Address (extension to interface records)
• Interface (Intel® Dual Band Wireless)
• Process/Container Name (iexplorer.exe), Process ID (hash)
• Parent Process Name (foobar.exe), Parent ID (hash)
• Encrypted Traffic Analytics Telemetry (Initial Data Packet (IDP))
Network activity: Encrypted Traffic Analytics (IDP data)
• Stealthwatch Flow Sensor
• Open-source Joy package

How Does It Work?
The Cisco TLS Fingerprint Database (FPDB) is maintained and updated daily. Any Cisco product that witnesses these fields in the packet can match against the FPDB.

How to Evaluate a Fingerprint Database?
• How comprehensive is the map to the territory? (coverage of the universe of processes)
• Specificity of the attributions: an observable attributed to "Google Chrome (43.0.2357.130 64-bit OSX)" is more specific than one attributed to "Google Chrome".

Building a Better Fingerprint Database (counts as of June 04 2019)
Using machines, we have automated the process of identifying observable TLS patterns that can be attributed to processes. Cisco has the most comprehensive database, growing every day!
(Venn diagram: TLS fingerprint overlap across the DMZ-NVM, DMZ-No-NVM and ThreatGrid sources, total = 17,502.)

Comparing to Other TLS Fingerprinting Methods

Method                   | Database Size | Automatically Updated | GREASE Support    | Static Extension Data
Cisco                    | 4,500+        | Yes                   | Yes               | supported_groups, ec_point_formats, status_request, signature_algorithms, application_layer_protocol_negotiation, supported_versions, 16 others
Kotzias et al.           | ~1,684        | No                    | Discards locality | supported_groups, ec_point_formats
JA3 (used by DarkTrace)  | 157           | No                    | Discards all data | supported_groups, ec_point_formats
Fingerprint TLS          | 409           | No                    | No                | supported_groups, ec_point_formats, signature_algorithms
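To make the two columns that separate these methods concrete (whether GREASE values are folded rather than discarded, and which extensions contribute their payload as static data), here is a small ClientHello fingerprinter written for this page. It is added example code, not Joy's or the FPDB's code or string format; the extension-type set, the Joy-like string layout, the sample ClientHello bytes and the one-entry lookup table are all constructed assumptions.

```python
import struct

# Extensions whose payload is stable per client build (the "static extension data" column):
# status_request, supported_groups, ec_point_formats, signature_algorithms, ALPN, supported_versions
STATIC_EXTENSIONS = {0x0005, 0x000A, 0x000B, 0x000D, 0x0010, 0x002B}
# Static extensions that are lists of 2-byte items and may carry GREASE: type -> length-prefix size
GREASE_LISTS = {0x000A: 2, 0x002B: 1}
GREASE_PLACEHOLDER = 0x0A0A


def normalize(v):
    """Fold any RFC 8701 GREASE value (0xXaXa, both bytes equal) to one placeholder."""
    return GREASE_PLACEHOLDER if (v >> 8) == (v & 0xFF) and (v & 0x0F) == 0x0A else v


def _normalize_list(data, prefix_len):
    """Replace GREASE entries inside a list of 2-byte items, keeping its length prefix."""
    items = data[prefix_len:]
    fixed = b"".join(struct.pack(">H", normalize(struct.unpack(">H", items[i:i + 2])[0]))
                     for i in range(0, len(items) - len(items) % 2, 2))
    return data[:prefix_len] + fixed


def parse_client_hello(record):
    """Walk a TLS record carrying a ClientHello; return (version hex, ciphers, extensions)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hs = record[5:]
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = body[0:2].hex()
    pos = 2 + 32                                   # client_version + random
    pos += 1 + body[pos]                           # session_id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack(">H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # compression_methods
    extensions = []
    if pos < len(body):
        end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            extensions.append((etype, body[pos:pos + elen]))
            pos += elen
    return version, ciphers, extensions


def fingerprint(record):
    """Joy-like string (version)(ciphers)((ext)(ext)...) with GREASE folded to 0a0a."""
    version, ciphers, extensions = parse_client_hello(record)
    parts = []
    for etype, data in extensions:
        etype = normalize(etype)
        if etype in GREASE_LISTS:
            data = _normalize_list(data, GREASE_LISTS[etype])
        # Static extensions contribute their payload; all others (SNI, key_share, ...) only
        # their type, so the fingerprint does not change with the destination host.
        parts.append(f"{etype:04x}" + (data.hex() if etype in STATIC_EXTENSIONS else ""))
    cipher_str = "".join(f"{normalize(c):04x}" for c in ciphers)
    return f"({version})({cipher_str})(" + "".join(f"({p})" for p in parts) + ")"


def attribute(record, db):
    """Level-1 inference: look the fingerprint up in a process-class table; else 'unaccounted'."""
    return db.get(fingerprint(record), "unaccounted")


def build_client_hello(ciphers, extensions):
    """Construct a minimal ClientHello record (sample bytes, not a real capture)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"       # version, zero random, empty session_id
    cs = b"".join(struct.pack(">H", c) for c in ciphers)
    body += struct.pack(">H", len(cs)) + cs + b"\x01\x00"   # compression_methods: null
    ext = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack(">H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


def sample_hello(grease, host):
    """One constructed client profile with a chosen GREASE value and SNI host."""
    name = host.encode()
    sni = struct.pack(">HBH", len(name) + 3, 0, len(name)) + name
    exts = [(grease, b""), (0x000B, b"\x01\x00"), (0x0000, sni),
            (0x000A, b"\x00\x06" + struct.pack(">H", grease) + b"\x00\x1d\x00\x17"),
            (0x002B, b"\x05" + struct.pack(">H", grease) + b"\x03\x04\x03\x03")]
    return build_client_hello([grease, 0x1301, 0xC02B], exts)


# Constructed one-entry stand-in for the FPDB; the label is made up, not a real database entry.
SAMPLE_DB = {fingerprint(sample_hello(0x0A0A, "seed.invalid")): "sample client (constructed label)"}
```

Two hellos from the same profile with different randomized GREASE values and different SNI hosts yield the same fingerprint, which is what lets a daily-updated database keep matching a client build across sessions.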

Quick Summary of TLS Fingerprinting
‣ Every domain (not just TLS) can leverage fingerprinting methods
‣ All encrypted sessions begin unencrypted
‣ By analyzing endpoint and network activity together we can find deterministic patterns that fingerprint processes
‣ Cisco currently has the most robust TLS fingerprint database in terms of size and precision

The Limitations of Fingerprinting

TLS Fingerprints Point to a Process
Direct observable → attributed to process class:
• Observable 232 → "Malware: TBot / Skynet Tor Botnet"
• Observable 135 → "Metasploit SSL Scanner"
• Observable 848 → "Google Chrome (43.0.2357.130 64-bit OSX)"
Other process classes in the database include "NVIDIA GeForce Experience", "GitHub Desktop (tested build 216 on OSX)", HipChat (32-bit), java, Firefox and Dropbox.
Threat category: Benign, Malicious or Unaccounted.
Attribution to a process class is only the first step; we still need to understand what it means to the business.

Behavioral Analytics

Signatures vs. Behavioral Detection
Signature: if you see pattern X, sound the alarm.
Behavioral: a set of actions were performed, sound the alarm.

The Network Is Where Computers Behave
(Diagram: Telemetry → Behavioral → Hybrid)

A Chef's Knife
• Used for food preparation in kitchens
• Sharp blade of a particular shape
• Has a handle
• Used by the role of kitchen worker

A Chef's Knife: Behaviors
• Behavior 01: Monday night, the chef used it to prepare meals
• Behavior 02: Tuesday day, it was used as a murder weapon
• Behavior 03: Tuesday night, a passenger was removed from a flight because this object is not allowed on airplanes

Behavioral Profiles
Name: Duck
Known behaviors: quacks, waddles, eats grass, insects, etc., flies
Novel behavior: roar?!
Other behaviors

Behavioral Analytics
Observable 232 → (TLS fingerprinting) attributed to process: Printer
Behavioral profile of a printer (behavioral inferences):
• Clients connect to it to print
• Traffic volumes have a distinct pattern
• Clients connect for management
Connection to AWS! Any activity not yet known!

Levels of Inference
Level 1 inference (TLS fingerprinting / labeling, known prior):
• Observable 232 → "Malware: TBot / Skynet Tor Botnet"
• Observable 135 → "Metasploit SSL Scanner"
• Observable 848 → "Google Chrome (43.0.2357.130 64-bit OSX)"
• Observable 800 → "Google Chrome (version with CVE)"
Level 2 inference: Whitelist, Blacklist (known bad), Policy/Compliance Violation, CVE ####.

Levels of Inference
(Diagram: Direct Attribution → Level 1 Inference → Level 2 Inference → Level 3 Inference, moving from observations and processes to OS version, application version, malware, adware, App v2.0.56, global threat actor campaign, policy violation, CVE vulnerability, compliance violation, misconfiguration, known behavioral model and anomalous behavior.)

Outliers and Novelty
Known bad: objects and behavior known a priori.
Known good: derived from first modeling the good. If this is good, then what is this?

Quick Summary of the Analytical Pipeline
Fingerprinting, classification, categorization, behavioral modeling, behavioral analytics.

The Problem with Numbers

It is not your fault that you don't understand this.

Numbers Help Us Group Things
Given a number, within a social context, we are able to infer membership to a set: credit-worthiness class, legal to drink / legally drunk, weight class, socioeconomic class, age class.
* The terms 'set' and 'class' are synonymous in this presentation.

Syntax and Semantics
• Numbers digitize certain aspects of an observable domain
• They also help ignore what is not being counted!
• They often fall short when asked to support multiple perspectives and points of view
• Number systems are dependent on social processes that institutionalize semantics
• Unlike the physical domain, before we can count things in the information domain, we must all agree on what is being counted
• The challenge is that we don't share the same domain expertise and understanding across an enterprise

Future Security Analytics

Direct Versus Indirect Observations
Old method: observations taken from the network (L3/L4 overlay/underlay) between client and server.
New method: observations taken from the application (L7 app/user) on client and server.

Late-Binding Modeling to Detect Security Events: Dynamic Entity Modeling
Collect input: system logs, security events, passive DNS, external intel, config changes, vulnerability scans, IP metadata.
Perform analysis:
• What ports/protocols does the device continually access?
• What connections does it continually make?
• Does it communicate internally only?
• What countries does it talk to?
• How much data does the device normally send/receive?
• What is the role of the device?
Draw conclusions: group, consistency, rules, forecast, role.

Classify the Observable World and Infer the Rest
Normal activity; weird stuff (but not threat related); threat actor activity.

Multi-Layer Analytical Pipeline
A cascade of specialized layers of machine learning algorithms processing billions of connections, in three stages: anomaly detection and trust modeling; event classification and entity modeling; relationship modeling. Techniques used across the stages:
• Statistical methods
• Information-theoretical methods
• 70+ unsupervised anomaly detectors
• Dynamic adaptive ensemble creation
• Multiple-instance learning
• Neural networks
• Rule mining
• Random forests
• Boosting
• ML: supervised learning
• Probabilistic threat propagation
• Graph-statistical methods
• Random graphs
• Graph methods
• Supervised classifier training

Security That Shows Its Work
(Screenshot: an alert list with per-entity risk scores and detections such as Spam tracking (#CSPM02, New), C&C URL, Information Stealer (#CDCH01), Anomalous http, Heavy uploader (Dropbox.com), Malicious http (Recurring) and Malware: Sality (Dec. 9 | 28 days).)

We Track the Escalation Over the Lifetime of the Threat Actor
Escalation levels: Informational, Clean & Educate, Act Today, Act Now.

Role-Based Behavioral Detection
Every endpoint on the network should play a role. Data → labeled data (Alice, Bob, web, PDF, printer, laptop) → behavioral models.
• Printers should act like printers
• Vulnerability scanners should act like scanners
• If your printer is acting like a vulnerability scanner, we have a problem

Thinking in Sets/Classes and Membership
"There are 3 blue triangles" ... is a member of the intersection of the set Blue, the set Triangle, and the set Three.

Reasoners (Side-Step the Numbers Problem with First Order Logic)
(Diagram, semantic models: the property hasMaidenName has domain Female and Married and range SirName; from "Jane Smith hasMaidenName Smith" the reasoner entails Jane Smith is Female, Jane Smith is Married, and Jane Smith has SirName: Smith.)

(Diagram: Telemetry → Synthesis → Analytics → Outcomes, driven by competency questions.)


While syntax can be right or wrong, analytical outcomes are helpful or not helpful to you

How Helpful Was This Alert?
In the end, it is not the math that matters, it is you the customer that matters!
Stealthwatch Cloud alerts marked helpful by customers (%):
Q3 FY2018: 95%
Q4 FY2018: 95%
Q1 FY2019: 89%
Q2 FY2019: 95%
Q3 FY2019: 92%
Rolling average: 93%

What to Ask Your Vendor
• How are you applying machine learning in your product and why?
• How do you measure its effectiveness?
• Regarding supervised learning, what are you using for 'ground truth'?
• What non-machine-learning methods are you using and why?
• What papers or open source have you published regarding your analytics?
• For the ML-based assertions, what entailments are provided?
• What detection in your product is based on known lists (a priori data)?
• What detection in your product is based on behavioral methods?

Good Principles for Security Analytics
• Be pragmatic
• Always provide entailments
• Favor an analytical pipeline over a single technique
• Measure helpfulness, not mathematical accuracy
• Be transparent with your science: publish papers and open source

References

Learn More
‣ Cisco Stealthwatch Enterprise
‣ Cisco Stealthwatch Cloud
‣ Encrypted Traffic Analytics

Basic References: Blogs
‣ Detecting Encrypted Malware Traffic (Without Decryption)
‣ Learning Detectors of Malicious Network Traffic
‣ Transparency in Advanced Threat Research
‣ Turn Your Proxy into Security Device
‣ Securing Encrypted Traffic on a Global Scale
‣ Closing One Learning Loop: Using Decision Forests to Detect Advanced Threats
‣ The State of Machine Learning in 2019

Make Your Head Hurt Reading Material
• Anderson, B., & McGrew, D. (2016). Identifying Encrypted Malware Traffic with Contextual Flow Data. AISEC '16.
• Grill, M., Pevny, T., & Rehak, M. (2017). Reducing false positives of network anomaly detection by local adaptive multivariate smoothing. Journal of Computer and System Sciences, 83(1), 43-57.
• Komarek, T., & Somol, P. (2017). End-node Fingerprinting for Malware Detection on HTTPS Data. In Proceedings of the 12th International Conference on Availability, Reliability and Security (p. 77). ACM.
• Jusko, J., Rehak, M., Stiborek, J., Kohout, J., & Pevny, T. (2016). Using Behavioral Similarity for Botnet Command-and-Control Discovery. IEEE Intelligent Systems, 31(5), 16-22.
• Bartos, K., & Rehak, M. (2015). IFS: Intelligent flow sampling for network security-an adaptive approach. International Journal of Network Management, 25(5), 263-282.
• Letal, V., Pevny, T., Smidl, V., & Somol, P. (2015). Finding New Malicious Domains Using Variational Bayes on Large-Scale Computer Network Data. In NIPS 2015 Workshop: Advances in Approximate Bayesian Inference (pp. 1-10).
• Rehak, M., Pechoucek, M., Grill, M., Stiborek, J., Bartoš, K., & Celeda, P. (2009). Adaptive multiagent system for network traffic monitoring. IEEE Intelligent Systems, 24(3).
In the past 12 years, we have published more than 50 papers (I can send you the PDF listing, just let me know).

Thank you
