Correlating Relevant Event Logs and Alerts (PDF slide deck, 62 pages)
CONTEXT IS ALL U NEED
Finding Relevant Events, Logs & Alerts

By the numbers:
+11,000 alerts/day received by security teams on average (Forrester).
Only 9% of attacks generate alerts (Mandiant): attacks are that stealthy.
287 days on average to detect & contain a breach (IBM).
Up to 130 tools in use by security teams (Palo Alto Networks).

There is no doubt: in the face of rapidly evolving adversaries, attack detection is bloated & ineffective.

Surveyed in 2017-2024 by SANS, security experts blame cyber noise: a lack of correlation of seemingly disparate events. Hidden within are attack kill chains.

Coordinated attacks vs. siloed signals (email, physical, network, cloud, identity, apps, industrial): the missing pieces are contextualization & correlation.

Classical Clustering Challenges

Input data or context size. Ex: index=na earliest=5m. Usually a subset is chosen through the timespan, resulting in many clusters per time period and complicating the analysis with overlapping periods and numerous clusters.

Features to be used. Ex: src_ip, dst_ip, severity, etc. Usually, features require further preprocessing and weighting, which demands deep data science expertise applied to every use case.

Feature mapping. Ex: usr:"joe5" and id:"joe5s4" are similar. Usually, similar values may exist in different fields. The user must modify the data to capture these dynamic data modeling cases, which demands data engineering expertise applied to every use case.

Feature enrichment. Ex: tech:"T1056". Usually, data can benefit from enrichments such as the MITRE ATT&CK tactics & techniques it resembles, or event entity metadata from a CMDB, ITSM or IAM system. The user must source & apply the enrichment content logic to the data and expand the data model.

Data encodings. Ex: ports 8443 and 8008 are similar. Usually, features will have values that are not identical but are similar. The user must develop these data encodings per feature to underline the data
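The four challenges above (feature choice and weighting, cross-field mapping, enrichment, per-feature encodings) can be shown on three constructed alerts. This is an added example, not code from the deck or from any product it describes; the alert records, the port-to-service-class table, the rule-to-technique table, the prefix-ratio user similarity and the weights are all assumptions. The point it makes is that a raw field-equality score fails to group the two alerts that belong together, while the mapped, encoded and enriched score groups them.

```python
from itertools import combinations
from os.path import commonprefix
# Constructed alerts (not from the deck); identity sits in "usr" on some records, "id" on others.
ALERTS = [
    {"n": 1, "src_ip": "10.0.0.5", "dst_port": 8443, "usr": "joe5", "rule": "keylogger_dll"},
    {"n": 2, "src_ip": "10.0.0.5", "dst_port": 8008, "id": "joe5s4", "rule": "clipboard_hook"},
    {"n": 3, "src_ip": "10.0.0.9", "dst_port": 22, "usr": "ann", "rule": "ssh_bruteforce"},
]
# Data encoding: ports are categorical; a constructed service-class table makes 8443 and 8008 alike.
PORT_CLASS = {80: "web", 443: "web", 8008: "web", 8080: "web", 8443: "web", 22: "ssh"}
# Enrichment: constructed rule -> ATT&CK technique table (T1056 is Input Capture).
RULE_TECHNIQUE = {"keylogger_dll": "T1056", "clipboard_hook": "T1056", "ssh_bruteforce": "T1110"}
WEIGHTS = {"src_ip": 0.3, "port_class": 0.2, "user": 0.3, "technique": 0.2}

def user_key(rec):
    # Feature mapping: take the identity from whichever field carries it.
    return rec.get("usr") or rec.get("id") or ""

def user_similarity(a, b):
    # Constructed rule: shared-prefix ratio, so "joe5" vs "joe5s4" scores 4/6.
    return len(commonprefix([a, b])) / max(len(a), len(b), 1)

def encode(rec):
    return {"src_ip": rec["src_ip"], "user": user_key(rec),
            "port_class": PORT_CLASS.get(rec["dst_port"], "other"),
            "technique": RULE_TECHNIQUE.get(rec["rule"], "unknown")}

def naive_similarity(r1, r2):
    # Raw-field equality only: no mapping, no encoding, no enrichment.
    return round(sum(0.25 for f in ("src_ip", "dst_port", "usr", "rule") if r1.get(f) == r2.get(f)), 3)

def similarity(r1, r2):
    e1, e2 = encode(r1), encode(r2)
    return round(sum(w * (user_similarity(e1[f], e2[f]) if f == "user" else e1[f] == e2[f])
                     for f, w in WEIGHTS.items()), 3)

def cluster(alerts, score_fn=similarity, threshold=0.6):
    # Single-linkage grouping via union-find: pairs scoring >= threshold share a cluster.
    parent = {a["n"]: a["n"] for a in alerts}
    def find(x):
        while parent[x] != x: x = parent[x]
        return x
    for a, b in combinations(alerts, 2):
        if score_fn(a, b) >= threshold:
            parent[find(a["n"])] = find(b["n"])
    groups = {}
    for a in alerts:
        groups.setdefault(find(a["n"]), []).append(a["n"])
    return sorted(groups.values())
```

With these constructed tables, cluster(ALERTS) returns [[1, 2], [3]] while cluster(ALERTS, naive_similarity) leaves every alert in its own group, which is the gap the deck attributes to missing mapping, enrichment and encoding work.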