FloCon 2019 has ended
Back To Schedule
Wednesday, January 9 • 2:30pm - 3:00pm
Simulating Your Way to Security - One Detector at a Time

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
Covering a network with sensors is the first step towards security, but the massive flood of unprocessed, raw data points is frequently as paralyzing as having no visibility at all. To find actionable signal in the noise, one has to first define signal and noise. Threat detection must be motivated from a problem-first mentality, rather than a data-first mentality. Using this approach, "Big Data" problems tend to become small, relevant data problems, facilitating accurate and scalable detection solutions. We demonstrate the aforementioned problem-first approach with a case study of a password spray attack against an Active Directory (AD) system. We examine the nature of the attack: how it works, why it works and how its parameter settings interact with attacker style. In the resulting threat model, the "signal" is a sequence of failed authentication attempts from a particular device and the "noise" is the rest of the LDAP traffic.

To understand detectability of a dynamic password spray attack in a variable environment, the central idea is to gather samples of attack and merge them with records of the baseline enterprise network traffic. This may be accomplished by mapping timestamps and IP addresses of simulated and real flow data. For successful detection, signal must be discriminable from noise, so we demonstrate how to use time-series and probability density plots, combined with faceting and animation techniques, to visually examine the separation of signal from noise, across the sample of devices. Next, we show how constraints that come from details of the threat model suggest how to reduce the signal into a filtered, low-dimensional summary that preserves discriminability and allows detection to scale to a large network of devices. Finally, we show how the signal summary can be used to construct heuristic and statistical detection methods, and evaluate their efficacy, using accuracy and time-to-detection metrics.

Attendees will Learn:
Attendees will learn how to determine whether an attack is detectable and how to quantify detector’s quality using accuracy and time-to-detect. This can improve security operations by focusing investment on reliable detection.

avatar for Slava Nikitin

Slava Nikitin

Data Scientist, Columbus Collaboratory
Slava Nikitin is applying statistics and high-performance computing to bring the future back to now.  He is a Data Scientist at Columbus Collaboratory, working on statistical and machine learning modeling, software engineering, and interactive information displays.  He also is... Read More →

Wednesday January 9, 2019 2:30pm - 3:00pm EST
Grand Ballroom 300 Bourbon St, New Orleans, LA 70130