Using Machine Learning in AppDefense to Simplify Data Center Security
Role of ML/AI in achieving Cyber Hygiene and least privilege at scale
Scott McKinnon, VMware, Inc.
Vijay Ganti, Head of Product and ML/AI Research, VMware, Inc.
SAI3243BE
VMworld 2018 Content: Not for publication or distribution
©2018 VMware, Inc.
Security spend: outpacing IT spend 2:1
(Source: IDC)
Security as a % of IT Spend: 2012: 11%; 2015: 21%
(Source: Forrester)
Projected Growth Rate in IT Spend from 2014-2019: Zero (Flat)
(Source: Gartner)
Information Security Spending >$80B in 2016*
• Infrastructure Security
• Security Operations & Incident Response
• Endpoint Security
• Application Security
• Messaging Security
• Web Security
• IoT Security
• Threat Intelligence
• Mobile Security
• Data Security
• Cloud Security
• Specialized Threat Analysis & Protection
• Identity & Access Management
• Transaction Security
• Risk & Compliance
A Picture of Diminishing Returns
Annual Cost of Security Breaches: $445B
(Source: Center for Strategic and Int’l Studies)
Security as a % of IT Spend: 2012: 11%; 2015: 21%
(Source: Forrester)
Projected Growth Rate in IT Spend from 2014-2019: Zero (Flat)
(Source: Gartner)
Anatomy of an attack (four phases, three steps each):
• Infiltration: Attack vector/malware; Delivery mechanism; Entry point compromise
• Propagation: Escalate privileges; Install C2* infrastructure; Lateral movement
• Extraction: Break into data stores; Network eavesdropping; App-level extraction
• Exfiltration: Parcel and obfuscate; Exfiltration; Cleanup
We’re Watching The Wrong Thing
Dynamics of an Attack
(chart: Attacker vs Defender across Infiltration, Propagation, Extraction, Exfiltration)
We over invest in Infiltration Prevention
We under invest in Resilience
We Align Security To Infrastructure
Rather than Align To Applications & Data
We over invest in Chasing Threats
We under invest in Shrinking the Attack Surface
We Should Focus More on Core Protection Strategies
Gartner Market Guide for Cloud Workload Protection Platforms
Optional Server Protection Strategies (less critical):
• AV
• Deception
• HIPS with Vulnerability Shielding
• Server Workload EDR / Behavioral Monitoring
• IaaS Data at Rest Encryption
Core Server Protection Strategies:
• Exploit Prevention / Memory Protection
• Application Control / Whitelisting
• System Integrity Monitoring / Management
• Network Firewalling, Segmentation and Visibility
• Hardening, Configuration and Vulnerability Management (foundational)
Important, but often provided outside of CWPP:
• Operations Hygiene (no arbitrary code; no email or web client)
• Admin Privilege Management
• Change Management
• Log Management
• Restricted Physical and Logical Perimeter Access
Figure 1. Cloud Workload Protection Controls Hierarchy, © 2018 Gartner, Inc.
Source: Gartner, Market Guide for Cloud Workload Protection Platforms, Neil MacDonald, March 26th, 2018. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document.
Cyber Hygiene: Encryption; Micro-Segmentation; Patching; Least Privilege; Multi-Factor Authentication
(diagram: Cyber Hygiene · Attack Surface · Apps · Data · Cyber Threats · Residual Risk)
Secure Infrastructure: Devices · Users · Access · Compute · Network · Data (protecting Apps and Data)
Changing the Application Security Model: From chasing bad to ensuring good
Chasing Bad: 75,000,000
Ensuring Good: 75
(diagram: the processes and OS that make up a VM)
How can AI help with threat detection, cyber hygiene and modern security operations?
AI WINTER
A brief history of AI
2012
RECENT AI ACCOMPLISHMENTS
RECENT AI ACCOMPLISHMENTS WITH TECHNICAL PERFORMANCE
Long way to go before generalized AI
What changed in AI since last time round?
• Lots of Data
• Lots of Compute
• Use cases with lots of money
• Algorithmic Innovation
Challenges in Applying AI/ML to chasing the bad guys
• Adversarial
• No Rules
• Data Scarcity
A PERFECT STORM: CHASING BAD IS HARD FOR EVEN AI/ML
False positives vs false negatives: Cost
Huge focus on false negatives
• Is the software able to detect attacks or malware?
Little focus on false positives
• Is your software throwing alerts when it should not?
• 10,000 to 150,000 alerts per day.
Deep Learning vs Traditional Machine Learning
What is the interpretability of the predictions?
Performance – Accuracy (Precision & Recall)
Amount of data needed for training models
Where does the domain expertise go? (feature engineering vs designing networks)
What About Ensuring Good?
Understand Intended Application Composition
Understand Intended Application Behavior
Understand Intended Operational Changes
AI is a must to help achieve cyber hygiene in dynamic environments, at scale
THIS IS NOT ADVERSARIAL, HAS RULES & THERE IS DATA
Understanding application composition
Service/Application Identification or Discovery
Distributed Application Component Identification
VM Composition
Understanding application Behavior
• Coarse Grain Network Behavior
• Fine Grain Network Behavior
• System Calls
• File System Organization
Understanding OPERATIONAL processes and CHANGES
• Routine application changes (upgrades/patches)
• Routine infrastructure changes
• Operational activities (backup/restore, monitoring, troubleshooting, administering)
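The "ensuring good" model sketched by the three slides above (intended composition, intended behavior, intended operational changes), as an added example that is not AppDefense code: learn each workload's intended behavior during a discovery phase, classify later activity against that small baseline, and declare planned change windows so routine upgrades and patches do not surface as anomalies. All VM names, process names, ports and timestamps are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:            # one observed outbound connection from a process on a VM
    vm: str
    process: str
    dest_port: int
    ts: int             # seconds on a constructed clock

@dataclass(frozen=True)
class ChangeWindow:     # planned change: this process may behave differently on this VM for a while
    vm: str
    process: str
    start: int
    end: int

def learn_baseline(events):
    """Discovery phase: record intended behaviour as (vm, process) -> set of destination ports."""
    baseline = {}
    for e in events:
        baseline.setdefault((e.vm, e.process), set()).add(e.dest_port)
    return baseline

def in_change_window(e, windows):
    """True if the event falls inside a declared change window for that VM and process."""
    return any(w.vm == e.vm and w.process == e.process and w.start <= e.ts <= w.end for w in windows)

def classify(e, baseline, windows):
    """Protect phase: allow what matches the baseline or a change window, alert on everything else."""
    key = (e.vm, e.process)
    if key in baseline and e.dest_port in baseline[key]:
        return "allowed"
    if in_change_window(e, windows):
        return "allowed:change-window"
    if key not in baseline:
        return "alert:unknown-process"
    return "alert:unexpected-connection"

# Constructed discovery-phase observations: web tier -> app tier on 8080, app tier -> database on 5432.
LEARN = [Event("web-01", "nginx", 8080, 100), Event("web-01", "nginx", 8080, 101),
         Event("app-01", "java", 5432, 102), Event("app-01", "java", 5432, 103)]
# Constructed planned patch window on web-01, during which the package manager may reach out.
WINDOWS = [ChangeWindow("web-01", "apt", 1000, 2000)]
# Constructed later traffic: routine request, in-window patch, patch outside the window, unexpected port 22 from the app.
PROTECT = [Event("web-01", "nginx", 8080, 1500), Event("web-01", "apt", 443, 1500),
           Event("web-01", "apt", 443, 3000), Event("app-01", "java", 22, 1600)]

def evaluate(learn=LEARN, windows=WINDOWS, protect=PROTECT):
    """Verdict per protect-phase event; the learned baseline stays tiny (the '75', not the '75,000,000')."""
    baseline = learn_baseline(learn)
    return [classify(e, baseline, windows) for e in protect]
```

The two alert verdicts are deliberately distinct: an unknown process points at composition drift, while a known process on a new port points at behavior drift, and the two are triaged differently.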
What more can AI do?
AI should be the fabric of your security operations
Empower security analysts with contextual information for quick resolution
Use analysis bots for reducing burden on security analysts with deeper, targeted, automated and non-disruptive analysis in response to high-level anomalies
Takeaways
AI is eating the world but it’s not likely to be the silver bullet for threat detection
Cyber hygiene is the foundation for cybersecurity & AI will transform cyber hygiene at scale
AI will make security analysts super human
AI should be the fabric of your security operations