Using Machine Learning in AppDefense to Simplify Data Center Security
Role of ML/AI in achieving Cyber Hygiene and least privilege at scale
Scott McKinnon, VMware, Inc.; Vijay Ganti, Head of Product and ML/AI Research, VMware, Inc.
Session SAI3243BE, VMworld 2018 (34 pages)

Posted on 27-Jun-2020


TRANSCRIPT

Page 1

#vmworld

Using Machine Learning in AppDefense to Simplify Data Center Security
Role of ML/AI in achieving Cyber Hygiene and least privilege at scale

Scott McKinnon, VMware, Inc.; Vijay Ganti, Head of Product and ML/AI Research, VMware, Inc.

SAI3243BE

#SAI3243BE

VMworld 2018 Content: Not for publication or distribution

Page 2

©2018 VMware, Inc.

Security spend: outpacing IT spend 2:1

Source: IDC

Security as a % of IT Spend: 2012: 11%; 2015: 21%

(Source: Forrester)

Projected Growth Rate in IT Spend from 2014-2019: Zero (Flat)

(Source: Gartner)

Chart legend: Security Spend; IT Spend

2

Page 3

Information Security Spending >$80B in 2016* (chart segments):
• Infrastructure Security
• Security Operations & Incident Response
• Endpoint Security
• Application Security
• Messaging Security
• Web Security
• IoT Security
• Threat Intelligence
• Mobile Security
• Data Security
• Cloud Security
• Specialized Threat Analysis & Protection
• Identity & Access Management
• Transaction Security
• Risk & Compliance

3

Page 4

A Picture of Diminishing Returns

Annual Cost of Security Breaches: $445B

(Source: Center for Strategic and Int’l Studies)

Security as a % of IT Spend: 2012: 11%; 2015: 21%

(Source: Forrester)

Projected Growth Rate in IT Spend from 2014-2019: Zero (Flat)

(Source: Gartner)

Chart legend: Security Spend; IT Spend

4

Page 5

Figure: attack phases
Infiltration: Attack vector/malware; Delivery mechanism; Entry point compromise
Propagation: Escalate privileges; Install C2* infrastructure; Lateral movement
Extraction: Break into data stores; Network eavesdropping; App-level extraction
Exfiltration: Parcel and obfuscate; Exfiltration; Cleanup

5

Page 6

We’re Watching The Wrong Thing

6

Page 7

Dynamics of an Attack

Infiltration Propagation Extraction Exfiltration

Attacker

Defender

7

Page 8

(Figure "Dynamics of an Attack" repeated from page 7: Infiltration, Propagation, Extraction, Exfiltration; Attacker vs. Defender)

8

Page 9

(Attack phases figure repeated from page 5)

We over-invest in Infiltration Prevention

We under-invest in Resilience

9

Page 10

(Attack phases figure repeated from page 5)

We Align Security To Infrastructure

Rather than Align To Applications & Data

10

Page 11

(Attack phases figure repeated from page 5)

We Align Security To Infrastructure

Rather than Align To Applications & Data

We over-invest in Chasing Threats

We under-invest in Shrinking the Attack Surface

11

Page 12

We Should Focus More on Core Protection Strategies
Gartner Market Guide for Cloud Workload Protection Framework

Figure (controls hierarchy, from less critical at the top to foundational at the bottom):
Optional Server Protection Strategies (Less Critical): AV; Deception; HIPS with Vulnerability Shielding; Server Workload EDR Behavioral Monitoring; IaaS Data at Rest Encryption
Core Server Protection Strategies: Exploit Prevention / Memory Protection; Application Control / Whitelisting; System Integrity Monitoring / Management
Foundational: Network Firewalling, Segmentation and Visibility; Hardening, Configuration and Vulnerability Management
Important, but often provided outside of CWPP: Operations Hygiene (No arbitrary code; No email, web client); Admin Privilege Management; Change Management; Log Management; Restricted Physical and Logical Perimeter Access

Figure 1. Cloud Workload Protection Controls Hierarchy, © 2018 Gartner, Inc.

Source: Gartner, Market Guide for Cloud Workload Protection Platforms, Neil MacDonald, March 26th 2018. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document.

12

Page 13

Figure: Cyber Hygiene; Attack Surface; Apps, Data; Cyber Threats; Residual Risk

Cyber hygiene controls: Encryption; Micro-Segmentation; Patching; Least Privilege; Multi-Factor Authentication

13

Page 14

Figure: Apps, Data

Secure Infrastructure: Devices, Users, Access, Compute, Network, Data

14

Page 15


Changing the Application Security Model
From chasing bad to ensuring good

Figure: Processes; Processes; Processes; OS
Chasing Bad: 75,000,000; Ensuring Good: 75

Devices, Users, Access, Compute, Network, Data

15

Page 16

How can AI help with threat detection, cyber hygiene and modern security operations?

16

Page 17

AI WINTER

A brief history of AI

17

Page 18

A brief history of AI

18

Page 19

2012

19

Page 20

RECENT AI ACCOMPLISHMENTS

20

Page 21

RECENT AI ACCOMPLISHMENTS WITH TECHNICAL PERFORMANCE

21

Page 22

Long way to go before generalized AI

Page 23

What changed in AI since the last time round?

Lots of Data; Lots of Compute; Use cases with lots of money

Algorithmic Innovation

23

Page 24

Challenges in Applying AI/ML to chasing the bad guys

Adversarial; No Rules; Data Scarcity

A PERFECT STORM

CHASING BAD IS HARD FOR EVEN AI/ML

24

Page 25

False positives vs false negatives - Cost

Huge focus on false negatives

• Is the software able to detect attacks or malware?

Little focus on false positives

• Is your software throwing alerts when it should not?

• 10,000 to 150,000 alerts per day.

25

Page 26

Deep Learning vs Traditional Machine Learning

What is the interpretability of the predictions?

Performance – Accuracy (Precision & Recall)

Amount of data needed for training models

Where does the domain expertise go? (feature engineering vs designing networks)

26

Page 27

What About Ensuring Good?

Understand Intended Application Composition

Understand Intended Application Behavior

Understand Intended Operational Changes

AI is a must to help achieve cyber hygiene in dynamic environments, at scale

THIS IS NOT ADVERSARIAL, HAS RULES & THERE IS DATA

27

Page 28

Understanding application composition

Service/Application Identification or Discovery

Distributed Application Component Identification

VM Composition

28

Page 29

Understanding application Behavior

Coarse Grain Network Behavior

Fine Grain Network Behavior

System Calls

File System Organization

29

VMworld 2018 Content: Not for publication or distribution

Page 30: Using Machine Learning in or distribution AppDefense to ... › event_data › 10 › ... · AppDefense to Simplify Data Center Security Role of ML/AI in achieving Cyber Hygiene and

©2018 VMware, Inc.

Understanding OPERATIONAL processes and CHANGES

Routine application changes (upgrades/patches)

Routine infrastructure changes

Operational activities (backup/restore, monitoring, troubleshooting, administering)

30
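Pages 27 to 30 describe "ensuring good": learn an application's intended composition and behavior, treat routine operational changes as expected, and (page 25) weigh the cost of false positives against false negatives. The Python below is an added illustration of that idea, not AppDefense code or any VMware implementation. It builds a per-VM behavioral allowlist from constructed learning-mode events, classifies constructed runtime events against it, lets a declared change window (the constructed `CHANGE_WINDOWS` record, standing in for a change ticket) cover a routine patch run, and scores the "deviation" verdict with precision and recall against constructed ground-truth labels. Every VM name, process name, port, child binary and change id is made up for the example.

```python
"""Behavioral allowlist baseline ("ensuring good") for application components.

Added illustration, not AppDefense code. Every VM name, process name, port,
child binary and change-ticket id below is constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One runtime observation from a VM (constructed record format)."""
    vm: str        # application component / VM name
    process: str   # executable that performed the action
    kind: str      # "listen" (inbound port), "connect" (outbound port) or "exec" (child)
    target: str    # port number for network events, child binary for exec


# Learning-mode observations (constructed): the intended behavior of a
# three-tier app, i.e. the "application behavior" the slides talk about.
LEARNING_EVENTS = [
    Event("web-01", "nginx", "listen", "443"),
    Event("web-01", "nginx", "connect", "8080"),
    Event("app-01", "java", "listen", "8080"),
    Event("app-01", "java", "connect", "5432"),
    Event("db-01", "postgres", "listen", "5432"),
]

# Declared operational change (constructed): during patch window CHG-0001 the
# package manager on app-01 is expected to fetch packages and spawn dpkg.
CHANGE_WINDOWS = {
    "CHG-0001": {"vm": "app-01",
                 "allow": {("apt", "connect", "443"), ("apt", "exec", "dpkg")}},
}

# Runtime observations with constructed ground truth (True = really unwanted).
RUNTIME_EVENTS = [
    (Event("web-01", "nginx", "connect", "8080"), False),   # normal traffic
    (Event("app-01", "java", "connect", "5432"), False),    # normal traffic
    (Event("app-01", "apt", "connect", "443"), False),      # routine patching
    (Event("app-01", "java", "exec", "bash"), True),        # app server spawning a shell
    (Event("db-01", "postgres", "connect", "443"), True),   # database calling out
]


def learn_baseline(events):
    """Build the manifest {vm: {process: {(kind, target), ...}}} from learning mode."""
    baseline = defaultdict(lambda: defaultdict(set))
    for e in events:
        baseline[e.vm][e.process].add((e.kind, e.target))
    return baseline


def classify(event, baseline, active_changes=()):
    """Verdict for one event: 'allowed', 'allowed-by-change' or 'deviation'."""
    known = baseline.get(event.vm, {}).get(event.process, set())
    if (event.kind, event.target) in known:
        return "allowed"
    for change_id in active_changes:
        window = CHANGE_WINDOWS[change_id]
        if window["vm"] == event.vm and (event.process, event.kind, event.target) in window["allow"]:
            return "allowed-by-change"
    return "deviation"


def evaluate(labelled_events, baseline, active_changes=()):
    """Score the 'deviation' verdict: returns (verdicts, precision, recall)."""
    tp = fp = fn = 0
    verdicts = []
    for event, is_bad in labelled_events:
        verdict = classify(event, baseline, active_changes)
        verdicts.append((event, verdict))
        flagged = verdict == "deviation"
        tp += int(flagged and is_bad)
        fp += int(flagged and not is_bad)
        fn += int(not flagged and is_bad)
    precision = tp / (tp + fp) if tp + fp else 1.0
    recall = tp / (tp + fn) if tp + fn else 1.0
    return verdicts, precision, recall


if __name__ == "__main__":
    base = learn_baseline(LEARNING_EVENTS)
    for label, changes in (("no change window", ()), ("CHG-0001 active", ("CHG-0001",))):
        verdicts, precision, recall = evaluate(RUNTIME_EVENTS, base, changes)
        print(f"{label}: precision={precision:.2f} recall={recall:.2f}")
        for event, verdict in verdicts:
            print(f"  {event.vm:6} {event.process:9} {event.kind:8} {event.target:5} -> {verdict}")
```

Without the change window the routine `apt` run is flagged as a deviation, which is the false-positive cost the slides warn about (precision 2/3 at recall 1.0); once the declared change is in effect the same run is classified as allowed-by-change and precision rises to 1.0 at the same recall. That is the practical payoff of the "understand intended operational changes" step: the baseline stays strict without the analyst paying for every planned upgrade in alerts.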

Page 31

What more can AI do?

AI should be the fabric of your security operations

Empower security analysts with contextual information for quick resolution

Use analysis bots for reducing burden on security analysts with deeper, targeted, automated and non-disruptive analysis in response to high-level anomalies

31

Page 32

Takeaways

AI is eating the world but it’s not likely to be the silver bullet for threat detection

Cyber hygiene is the foundation of cybersecurity, and AI will transform cyber hygiene at scale

AI will make security analysts superhuman

AI should be the fabric of your security operations

32

Page 33

DON’T FORGET TO FILL OUT YOUR SURVEY.

#vmworld #SAI3243BE

Page 34

THANK YOU!

#vmworld #SAI3243BE
