SQRRL threat hunting platform

Date post: 16-Apr-2017
Upload: dataworks-summithadoop-summit
Transcript
Page 1: SQRRL threat hunting platform

SQRRL THREAT HUNTING PLATFORM

ADAM FUCHS
CTO, SQRRL

COMMITTER, ACCUMULO
MEMBER, ASF

Page 2: SQRRL threat hunting platform

© 2016 Sqrrl Data, Inc. All rights reserved. 2

Accelerating Investigations

LOG DATA vs. BEHAVIOR GRAPH

Page 3: SQRRL threat hunting platform


The Sqrrl Threat Hunting Platform

SECURITY DATA
• Firewall / IDS
• Threat Intel
• SIEM Alerts

NETWORK DATA
• Bro
• Netflow
• Proxy

ENDPOINT/IDENTITY DATA
• Processes
• HR

Page 4: SQRRL threat hunting platform


Sqrrl Architecture

• Visualization + API
• Processing: Query Engine (Accumulo Iterators); Bulk/Graph Processing (YARN + Spark)
• Data Model: Raw Events, Linked Data
• Data Storage: HDFS + Accumulo
• Physical: Commodity Hardware

Security (cross-cutting): Interface, Audit, Encryption, Labeling + Policy

Page 5: SQRRL threat hunting platform


The Apache Accumulo Project

Accumulo Stores Sorted Key, Value Pairs
• High Performance Writes
• Great Scalability
• Embedded Processing (Iterators)

We leverage Accumulo for:
• Low-Latency Information Retrieval
• Indexing
• Distributed Processing
• Graph Organization
• Ingest-Time Aggregation
• Secure Storage
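
The sorted key/value model and embedded iterators this slide relies on, as an added example written for this page (it is not code from the talk or from the Apache Accumulo project): a toy in-memory table in Python with a prefix range scan, a cell-level visibility filter, and a summing combiner that runs both inside the scan and at compaction time, which is what the slide's ingest-time aggregation amounts to. The Key layout, the `visible` helper with an '&'-only label grammar, the `SortedKVStore` class and the sample logon cells are assumptions made for this example; real Accumulo's visibility expressions and iterator API are richer.

```python
import bisect
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True, order=True)
class Key:
    """Accumulo-style key, sorted by row, then column family, then qualifier.
    `visibility` is a simplified label expression: labels joined by '&'
    (assumption for this example; real Accumulo also has '|' and parentheses)."""
    row: str
    family: str
    qualifier: str
    visibility: str = ""


def visible(expression: str, auths: Set[str]) -> bool:
    """Cell-level check: an empty expression is public; otherwise every
    '&'-joined label must be among the scanner's authorizations."""
    if not expression:
        return True
    return all(label in auths for label in expression.split("&"))


class SortedKVStore:
    """Sorted key/value table with an embedded iterator stack.
    Repeated writes to one key are kept as a list until a combiner folds
    them, mirroring what Accumulo combiners do at scan and compaction time."""

    def __init__(self) -> None:
        self._keys: List[Key] = []                 # kept sorted for range scans
        self._values: Dict[Key, List[int]] = {}

    def put(self, key: Key, value: int) -> None:
        if key not in self._values:
            bisect.insort(self._keys, key)
            self._values[key] = []
        self._values[key].append(value)

    def compact(self, combiner: Callable[[Iterable[int]], int]) -> None:
        """Ingest-time aggregation: fold duplicate writes into one stored value."""
        for key, vals in self._values.items():
            self._values[key] = [combiner(vals)]

    def scan(self, row_prefix: str, auths: Set[str],
             combiner: Optional[Callable[[Iterable[int]], int]] = None
             ) -> List[Tuple[Key, int]]:
        """Low-latency retrieval: binary-search to the first key at or after
        the prefix, then stream forward through the iterator stack
        (visibility filter, then optional combiner) until the prefix ends.
        Rows here carry no terminator, so 'user:al' would also match
        'user:alice'; production row keys need a terminator or an exact range."""
        out: List[Tuple[Key, int]] = []
        i = bisect.bisect_left(self._keys, Key(row_prefix, "", "", ""))
        while i < len(self._keys) and self._keys[i].row.startswith(row_prefix):
            key = self._keys[i]
            i += 1
            if not visible(key.visibility, auths):
                continue            # the filter drops cells this scanner may not read
            vals = self._values[key]
            if combiner is None:
                out.extend((key, v) for v in vals)
            else:
                out.append((key, combiner(vals)))
        return out


def build_sample_store() -> SortedKVStore:
    """Constructed sample: one cell per successful logon, row 'user:<name>',
    qualifier = host, value 1, labelled 'secops'; plus one public HR cell."""
    store = SortedKVStore()
    logons = [("alice", "host01"), ("alice", "host01"), ("alice", "host01"),
              ("alice", "host02"), ("bob", "host01")]
    for user, host in logons:
        store.put(Key(f"user:{user}", "logon", host, "secops"), 1)
    store.put(Key("user:alice", "dept", "engineering", ""), 1)
    return store


def logon_counts(store: SortedKVStore, user: str, auths: Set[str]) -> Dict[str, int]:
    """Per-host logon counts for one user: a prefix scan plus a summing
    combiner, so the aggregation runs inside the scan rather than client-side."""
    return {k.qualifier: v
            for k, v in store.scan(f"user:{user}", auths, combiner=sum)
            if k.family == "logon"}


if __name__ == "__main__":
    s = build_sample_store()
    print(logon_counts(s, "alice", {"secops"}))   # {'host01': 3, 'host02': 1}
    print(logon_counts(s, "alice", set()))        # {} : no authorization, no cells
```

The two properties worth noticing are that a scanner without the `secops` authorization never sees the labelled cells at all (the filter runs before any aggregation, so even counts do not leak), and that `compact(sum)` changes what is stored but not what `logon_counts` returns, which is the point of doing aggregation at ingest time.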

Page 6: SQRRL threat hunting platform

Behavioral Analytics

Page 7: SQRRL threat hunting platform


Attack Chain Behavior Detection

Adversary behavior is modeled based on a kill chain.

Kill chain alignment of behavior detection analytics:
• Helps to determine attack penetration and risk
• Supports arguments of completeness of detection coverage

Page 8: SQRRL threat hunting platform


Kill Chain-Based Behavioral Analytic Example

• Lateral Movement: Multiple host logins, credential theft

• Active Directory

• Windows event logs

• Unsupervised machine learning for rarity detection

• Graph algorithm for chaining

• Analyst whitelisting of false positives
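
The lateral-movement analytic these bullets outline, as an added example written for this page (not Sqrrl's code): normalized Windows 4624 logon events are scored for rarity against a per-user baseline with no labelled training data, rare logons are chained through a graph of host-to-host hops made by the same account, and an analyst whitelist of (user, host) pairs suppresses known-good paths. The event layout, the host and account names, the rarity formula 1/(1+n), the 0.5 threshold and the two-hour chaining window are assumptions; the constructed events include one benign admin jump-host path that the whitelist removes and one isolated rare logon that never becomes a finding.

```python
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample of normalized Windows 4624 (successful logon) events.
# src = host the credential came from, dst = host that recorded the logon;
# logon_type 3 = network, 10 = RemoteInteractive (RDP). All names are made up.
BASELINE_START = datetime(2016, 5, 1)
DETECT_FROM = datetime(2016, 6, 1, 9, 0)


def _ev(t: datetime, user: str, src: str, dst: str, logon_type: int = 3) -> dict:
    return {"time": t, "event_id": 4624, "user": user,
            "src": src, "dst": dst, "logon_type": logon_type}


def build_sample_events() -> List[dict]:
    """A baseline month of routine logons plus one morning of activity to score."""
    events = []
    for day in range(20):   # alice and bob reach the same file server every day
        events.append(_ev(BASELINE_START + timedelta(days=day, hours=8), "alice", "ws01", "fs01"))
    for day in range(15):
        events.append(_ev(BASELINE_START + timedelta(days=day, hours=9), "bob", "ws02", "fs01"))
    t0 = DETECT_FROM
    events += [
        # a service account hopping server to server, each host new for it
        _ev(t0, "svc_backup", "ws01", "srv01"),
        _ev(t0 + timedelta(minutes=20), "svc_backup", "srv01", "srv02"),
        _ev(t0 + timedelta(minutes=45), "svc_backup", "srv02", "dc01", 10),
        _ev(t0 + timedelta(minutes=10), "alice", "ws01", "fs01"),      # routine
        # an admin's normal jump-host path, unseen in the baseline
        _ev(t0, "jdoe", "ws03", "jump01", 10),
        _ev(t0 + timedelta(minutes=5), "jdoe", "jump01", "srv01", 10),
        _ev(t0 + timedelta(minutes=30), "bob", "ws02", "fs02"),        # rare but isolated
    ]
    return events


def rarity(pair_counts: Counter, e: dict) -> float:
    """Unsupervised rarity of (user, dst): 1.0 if never seen in the baseline,
    0.5 if seen once, and so on. Assumed formula for this example."""
    return 1.0 / (1 + pair_counts[(e["user"], e["dst"])])


def chain_rare_logons(rare: List[dict], max_gap: timedelta) -> List[List[dict]]:
    """Graph step: link logon B after logon A when the same account logged on
    *from* the host A landed on, within max_gap. Returns only the maximal
    chains of two or more hops (a two-hop prefix of a three-hop chain is dropped)."""
    rare = sorted(rare, key=lambda e: e["time"])
    best: Dict[int, List[dict]] = {}
    for i, e in enumerate(rare):
        best[i] = [e]
        for j in range(i):
            p = rare[j]
            gap = e["time"] - p["time"]
            if (p["user"] == e["user"] and p["dst"] == e["src"]
                    and timedelta(0) <= gap <= max_gap
                    and len(best[j]) + 1 > len(best[i])):
                best[i] = best[j] + [e]
    chains = [c for c in best.values() if len(c) >= 2]
    return [c for c in chains
            if not any(len(o) > len(c) and o[:len(c)] == c for o in chains)]


def detect_lateral_movement(events: List[dict], detect_from: datetime,
                            whitelist: Set[Tuple[str, str]],
                            min_rarity: float = 0.5,
                            max_gap: timedelta = timedelta(hours=2)) -> List[dict]:
    """Score recent logons against the baseline, drop analyst-whitelisted
    (user, host) pairs, chain what remains, and emit one finding per chain."""
    baseline = [e for e in events if e["time"] < detect_from]
    recent = [e for e in events if e["time"] >= detect_from]
    pair_counts = Counter((e["user"], e["dst"]) for e in baseline)
    rare = [e for e in recent
            if (e["user"], e["dst"]) not in whitelist
            and rarity(pair_counts, e) >= min_rarity]
    findings = []
    for chain in chain_rare_logons(rare, max_gap):
        findings.append({
            "user": chain[0]["user"],
            "path": [chain[0]["src"]] + [e["dst"] for e in chain],
            "start": chain[0]["time"], "end": chain[-1]["time"],
            "hops": len(chain),
        })
    return findings


if __name__ == "__main__":
    evs = build_sample_events()
    for f in detect_lateral_movement(evs, DETECT_FROM, whitelist={("jdoe", "jump01")}):
        print(f["user"], " -> ".join(f["path"]), f["start"], f["end"])
```

Run without a whitelist, both the service account's three-hop path and the admin's two-hop jump-host path surface; once an analyst whitelists `("jdoe", "jump01")`, the admin's first hop is removed and the remaining single rare logon no longer forms a chain, so only the service account is reported. The chaining requires the same account on both hops, which is the "multiple host logins" pattern in the slide; alice's routine logon is never rare enough to enter the graph, and bob's one-off logon to a new host stays an isolated rare event rather than a finding.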

Page 9: SQRRL threat hunting platform


Collating Results For Visualization and Analysis

Behavioral Analytics → Entity Risk Scoring

Raw Data → Modeled Data (Graph) → API → Applications

Analytics (four analytic modules)

Page 10: SQRRL threat hunting platform

Target. Hunt. Disrupt.
