Presented By
O’Reilly + Cloudera
Make Data Work
March 25-28, 2019
San Francisco, CA

Using graph metrics to detect lateral movement in enterprise cybersecurity data

Louis DiValentin (Accenture), Dillon Cullinan (Accenture)
1:50pm-2:30pm Thursday, March 28, 2019
Average rating: 3.00 (3 ratings)

Who is this presentation for?

  • Data scientists, security operators, and security analysts

Level

Intermediate

Prerequisite knowledge

  • A basic understanding of security and graph analytics concepts

What you'll learn

  • Learn how Accenture leverages its SIEM data more effectively to generate insights on lateral movement within its logs

Description

Detecting lateral movement is a crucial part of the security detection lifecycle, and it requires a comprehensive view of the patterns of communication between hosts within a network. It is also one of the hardest problems in security analytics. Skilled adversaries rarely use noisy methods to compromise new hosts; instead they launch targeted “low-and-slow” attacks against hosts and user accounts to evade volume-based detection. In addition, the scale of data produced by enterprise security information and event management (SIEM) systems makes it impractical to inspect every collected log for the specific entries that indicate lateral movement. Lateral movement does, however, leave traces in the aggregated security data that can be extracted and used to build security analytics models.

Attempted lateral movement shows up in security data as a series of log entries connecting clusters of hosts that have never interacted before. Transforming the security data into a graph makes these connections visible, and they significantly change the graph metrics of the individual nodes involved. By computing these metrics over time, you can build detection models that monitor every node and alert when attempted lateral movement is occurring. Comparing each node against its own history, rather than against a single global threshold, keeps hosts that are legitimately central to the graph, such as domain controllers and management servers, from alerting constantly.

Louis DiValentin and Dillon Cullinan explain how Accenture’s Cyber Security Lab built security analytics models to detect attempted lateral movement in networks by transforming enterprise-scale security data into a graph format, generating graph analytics for individual users and hosts, and building time series detection models that visualize the changing graph metrics for security operators so they can easily see when specific nodes are becoming more central to the network graph. They also discuss how they used ASGARD, Accenture’s Hadoop, Spark, and GraphX stack, to scale these analytics to an enterprise-scale dataset.
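The pipeline described above (logs to graph, per-node metric per time window, alert on a jump against the node's own baseline) in miniature, as an added example that is not Accenture's ASGARD code. It uses constructed connection records for two host clusters that never talk to each other until one host bridges them, betweenness centrality as the metric (the metric that reacts most directly to a node joining previously separate clusters), and a mean-plus-k-standard-deviations jump rule with an absolute floor; the metric, the window size, and the thresholds are assumptions, not the talk's parameters.

```python
"""Graph-metric lateral-movement detection over windowed host-to-host logs.

Added example, not Accenture's code. The sample records, the choice of
betweenness centrality, and the alert thresholds are illustrative assumptions.
"""
from collections import defaultdict, deque
from statistics import mean, pstdev

# Constructed sample records: (day, source_host, destination_host).
# Days 1-4: cluster a* and cluster b* each talk only internally.
# Day 4 also contains one a1 -> b1 connection that bridges the two clusters.
SAMPLE_LOGS = [
    (day, src, dst)
    for day in (1, 2, 3, 4)
    for src, dst in (("a1", "a2"), ("a2", "a3"), ("a3", "a1"),
                     ("b1", "b2"), ("b2", "b3"), ("b3", "b1"))
] + [(4, "a1", "b1")]


def build_windows(logs):
    """Group records by window (one day here) into undirected adjacency sets."""
    windows = defaultdict(lambda: defaultdict(set))
    for day, src, dst in logs:
        if src == dst:
            continue  # self-connections carry no lateral-movement signal
        windows[day][src].add(dst)
        windows[day][dst].add(src)
    return dict(sorted(windows.items()))


def betweenness(adj):
    """Brandes betweenness centrality for an unweighted undirected graph.
    The raw algorithm counts every unordered pair twice, so scores are halved."""
    bc = {v: 0.0 for v in adj}
    for s in adj:
        stack, preds = [], {v: [] for v in adj}
        sigma = dict.fromkeys(adj, 0.0)
        sigma[s] = 1.0
        dist = dict.fromkeys(adj, -1)
        dist[s] = 0
        queue = deque([s])
        while queue:  # BFS from s, counting shortest paths
            v = queue.popleft()
            stack.append(v)
            for w in adj[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    preds[w].append(v)
        delta = dict.fromkeys(adj, 0.0)
        while stack:  # accumulate dependencies in reverse BFS order
            w = stack.pop()
            for v in preds[w]:
                delta[v] += sigma[v] / sigma[w] * (1.0 + delta[w])
            if w != s:
                bc[w] += delta[w]
    return {v: c / 2.0 for v, c in bc.items()}


def metric_series(windows, metric=betweenness):
    """Per-node time series of a graph metric, one value per window (0 if absent)."""
    nodes = sorted({n for adj in windows.values() for n in adj})
    series = {n: [] for n in nodes}
    for adj in windows.values():
        scores = metric(adj)
        for n in nodes:
            series[n].append(scores.get(n, 0.0))
    return series


def detect_jumps(series, min_history=2, k=3.0, min_jump=1.0):
    """Alert when a node's latest value exceeds its own prior mean + k*std and
    rises by at least min_jump. The absolute floor matters: a host that never
    bridged anything has a zero-variance baseline, so k*std alone is useless.
    Returns {node: (baseline_mean, latest)} for alerted nodes."""
    alerts = {}
    for node, values in series.items():
        if len(values) <= min_history:
            continue
        base, latest = values[:-1], values[-1]
        mu, sd = mean(base), pstdev(base)
        if latest > mu + k * sd and latest - mu >= min_jump:
            alerts[node] = (mu, latest)
    return alerts


def run(logs=SAMPLE_LOGS):
    """Full pipeline: logs -> windowed graphs -> metric series -> alerts."""
    series = metric_series(build_windows(logs))
    return series, detect_jumps(series)


if __name__ == "__main__":
    series, alerts = run()
    for node, values in series.items():
        print(node, values)
    print("alerts:", alerts)
```

On the constructed data every node scores zero for days 1 through 3; on day 4 a1 and b1 each jump to 6.0 (every shortest path between the two clusters crosses both) while the other hosts stay at zero, so only the two bridging hosts alert. At enterprise scale the same per-window metric computation is what a GraphX job would produce, with the per-node baseline comparison done downstream.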


Louis DiValentin

Accenture

Louis DiValentin is a security data scientist at Accenture Cyber Labs, located in the Washington, DC, area. His research focuses on security analytics modeling, graph analytics, and big data.


Dillon Cullinan

Accenture

Dillon Cullinan is a data engineering cybersecurity specialist at Accenture Cyber Labs, located in the Washington, DC, area. Dillon focuses on building big data solutions for the cybersecurity realm to enable large-scale analytics and visualizations.