Wednesday, January 8 • 9:00am - 9:30am
A Practical Decision Framework for Implementing Evasion-Resilient Host-Based Analytics

Any organization that needs to sustain and improve its defensive cybersecurity posture must be able to implement the optimal set of security analytics. Recent advances in the fields of artificial intelligence (AI) and machine learning (ML) increase the incentive to implement predictive analytics that take advantage of these underlying technologies. Instead of building heuristic analytics that aim to match behavior through static queries and signatures, defenders apply ML models to capture and generalize the underlying characteristics of malevolent behavior, so that the models can protect against new and slightly modified threats. However, since there is no standard approach for implementing ML analytics in the cybersecurity domain, applying ML analytics without the required underlying components can easily waste a great deal of organizational effort.

Using examples from MITRE’s ATT&CK™ model, the speakers present a novel framework to help organizations decide whether the detection of a malevolent technique is best served by a simple static heuristic analytic or by an ML security analytic. The discussion, which focuses on host-based detection, covers the critical underlying decision points and the tradeoffs that should be weighed to reach the overall decision. The framework is broken down into components that include data, analytic evasion, and the organization itself. Because data is a critical component of predictive ML models, and because sufficient data collection and labeling remain a challenge, the speakers provide a deep dive into this area with a discussion of host-based data sources. Even when the right data is being collected, it is rarely labeled, which limits the application of supervised ML models. While Windows Security events and Sysmon event data are typically collected for host-based detection, process monitoring data can be efficiently consolidated and processed on the endpoint before being ingested into a big data platform for translation into an ML-ready format. The proposed framework gives security analytic developers a structured means to implement analytics that better secure and defend an enterprise network.

Attendees Will Learn:
This talk will provide attendees with a practical framework that can be applied to determine whether a simple heuristic analytic or a machine learning (ML) analytic is the best choice for detecting a given malevolent technique. In addition, the speakers will provide a deep dive into host-based data sources, focusing on the features available for training ML models. Security operations personnel will gain a repeatable decision framework to improve the analytic implementation process, without needing a background in data science.

Joe Mikhail

Technical Staff, The MITRE Corporation
Joe Mikhail is a member of the technical staff at The MITRE Corporation, where his work currently focuses on implementing cybersecurity analytics to detect behaviors based on the MITRE ATT&CK™ framework. His recent journal article in ACM Transactions on Intelligent Systems and Technology...
Brandon Werner

Cybersecurity Engineer, The MITRE Corporation
Brandon Werner is a Cybersecurity Engineer at The MITRE Corporation who applies his data science background to solve various problems in the cybersecurity domain. Brandon is interested in the use of machine learning (ML) to automate cybersecurity tasks, such as intrusion detection...

Wednesday January 8, 2020 9:00am - 9:30am EST
Regency Ballroom Hyatt Regency Savannah 2 W. Bay Street Savannah GA 31401