Beyond matching: Applying data science techniques to IOC-based detection
Talk Title | Beyond matching: Applying data science techniques to IOC-based detection |
Speakers | Alex Pinto |
Conference | O’Reilly Security Conference |
Conf Tag | Build better defenses |
Location | Amsterdam, Netherlands |
Date | November 9-11, 2016 |
URL | Talk Page |
Slides | Talk Slides |
Video | |
There is no doubt that indicators of compromise (IOCs) are here to stay. However, at the moment, even the most mature incident response (IR) teams are mainly focused on matching known indicators against their captured traffic or logs. The real eureka moments of using threat intelligence mostly come from the intuition of analysts. You know, the ones that are almost impossible to hire. Alex Pinto demonstrates how to apply descriptive statistics, graph theory, and nonlinear scoring techniques to the relationships between known network IOCs and log data, and how to use those techniques to help IR teams encode analyst intuition into repeatable data techniques that simplify the triage stage and yield actionable information with minimal human interaction. Alex also showcases open source tools that can easily be extended to paid or private sources an organization might have access to. With these results, you can make IR teams more productive as early as the initial triage stage by giving them data products that provide a sixth sense for which events are worth an analyst's time. They also make painfully evident which IOC feeds are helpful to the detection process and which ones are not.
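To make the abstract's idea concrete, here is a small added example in the spirit of "beyond matching"; it is not one of the speaker's tools and does not reproduce his method. It builds a bipartite host-to-IOC graph from constructed flow-style log lines, weights each matched indicator by how many feeds corroborate it and by how many internal hosts contacted it, rolls those weights into a saturating (nonlinear) per-host score, and reports per-feed hit rates so that silent or noisy feeds stand out. The feeds, addresses, host names and the specific weighting formulas are all assumptions made for the illustration.

```python
"""Illustrative "beyond matching" IOC analysis over constructed log data.

Added example, not a tool from the talk: it builds a bipartite host<->IOC
graph from flow-style log lines, weights each matched indicator by feed
corroboration and by how many internal hosts touched it, rolls the weights
into a saturating (nonlinear) per-host score, and reports per-feed hit rates
so noisy or silent feeds stand out. All feeds, addresses and hosts are
constructed placeholders (documentation address ranges).
"""
import math
from collections import defaultdict

# Constructed threat-intel feeds: feed name -> set of indicator IPs.
FEEDS = {
    "feed_a": {"198.51.100.7", "198.51.100.9", "203.0.113.5"},
    "feed_b": {"203.0.113.5", "203.0.113.77"},
    "feed_c": {"192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"},  # never observed
}

# Constructed log lines, one outbound connection per line: "<internal_host> <destination_ip>".
LOG_LINES = """\
host01 198.51.100.7
host01 203.0.113.5
host02 203.0.113.5
host03 203.0.113.5
host04 203.0.113.5
host02 203.0.113.77
host05 93.184.216.34
"""


def parse_logs(text):
    """Return the set of (host, destination) edges seen in the log text."""
    edges = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            edges.add((parts[0], parts[1]))
    return edges


def build_graph(edges, feeds):
    """Bipartite graph restricted to destinations that appear in at least one feed."""
    known = set().union(*feeds.values())
    host_to_iocs = defaultdict(set)
    ioc_to_hosts = defaultdict(set)
    for host, dst in edges:
        if dst in known:
            host_to_iocs[host].add(dst)
            ioc_to_hosts[dst].add(host)
    return host_to_iocs, ioc_to_hosts


def ioc_weight(ioc, ioc_to_hosts, feeds):
    """Corroboration by several feeds raises an indicator's weight; an indicator
    contacted by many internal hosts is diluted, since that pattern more often
    means shared infrastructure or a noisy feed than a fleet-wide compromise."""
    corroboration = sum(1 for indicators in feeds.values() if ioc in indicators)
    spread = len(ioc_to_hosts[ioc])  # >= 1 for every matched indicator
    return corroboration / (1 + math.log(spread))


def host_scores(host_to_iocs, ioc_to_hosts, feeds):
    """Saturating score in [0, 1): 1 - exp(-sum of weights), so one strong
    indicator ranks a host well above several diluted, widely spread hits."""
    return {
        host: 1 - math.exp(-sum(ioc_weight(i, ioc_to_hosts, feeds) for i in iocs))
        for host, iocs in host_to_iocs.items()
    }


def feed_stats(ioc_to_hosts, feeds):
    """Descriptive statistics per feed: share of its indicators ever matched and
    how many hosts those matches touched. A feed with hit_rate 0 adds nothing
    to detection here; one whose few matches touch most hosts is likely noisy."""
    stats = {}
    for name, indicators in feeds.items():
        matched = [i for i in indicators if i in ioc_to_hosts]
        touched = set().union(*(ioc_to_hosts[i] for i in matched))
        stats[name] = {
            "indicators": len(indicators),
            "matched": len(matched),
            "hit_rate": len(matched) / len(indicators),
            "hosts_touched": len(touched),
        }
    return stats


def analyse(log_text=LOG_LINES, feeds=FEEDS):
    """Run the whole pipeline and return host scores and feed statistics."""
    host_to_iocs, ioc_to_hosts = build_graph(parse_logs(log_text), feeds)
    return {
        "scores": host_scores(host_to_iocs, ioc_to_hosts, feeds),
        "feeds": feed_stats(ioc_to_hosts, feeds),
    }


if __name__ == "__main__":
    result = analyse()
    for host, score in sorted(result["scores"].items(), key=lambda kv: -kv[1]):
        print(f"{host}: {score:.3f}")
    for feed, s in result["feeds"].items():
        print(f"{feed}: hit_rate={s['hit_rate']:.2f} hosts_touched={s['hosts_touched']}")
```

On the constructed data, host01 and host02 rank above host03 and host04 even though all four contacted the same doubly-corroborated indicator, because that indicator's weight is diluted by its spread across the fleet while their second hit is unique to them; feed_c never matches anything and shows a hit rate of zero, which is the kind of per-feed evidence the abstract refers to.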