Profile picture
J. @CxOSidekick
, 13 tweets, 5 min read Read on Twitter
Great talk by @ram_ssk : most talks are only about what worked in machine learning, but what about the experiments that failed?
Problem 1 : on lateral movement, once lateral movement goal is attained, hard to identify attackers as they are under the radar. Lots of data to start with...
Questions to narrow down if this is a service account; then as red teams love to go after these, when they get one, time intervals for events change
Using RankNet to look to see if benign session ranks lower than malicious session. On prem worked great. Not so much for cloud...
Reason for change was different environment ; no domain controller as a central brain; have to look for different crown jewls as no longer looking at physical machines ; win event logs still valuable but other sources of logs needed to get to 'version of truth'
Mapping the kill chain to the cloud meant expanding logs to brains that controls important stuff in the cloud
Problem 2 : powershell : started by asking 'what is the probability of unusual sequences?'
Problem was obfuscation of attacks
Solution was to turn command sequences into images for analysis : this was an example of changing detection strategy as threat landscape changed with rise of powershell obfuscation
Problem 3 : Geo anomaly detection : last 10 login locations cached and challenge users if a new current location but rules based system did not account for complexity of travel patterns and company proxies, vpns and cell phone networks
Some thoughts on solving : look at peers and look at frequency of counts
Then look at reachability score based on time of travel and reachability of location based on last login; 70x improvement on false positives by doing this
Great summary on all the people who need to get involved in developing industry grade data science 👍👍
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to J.
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @CxOSidekick see all

Profile picture
It's 100% true that you need technical expertise in a security team. There are also other things that need to come together for a team to improve how well protected their business is. One of those can be winning the opportunity to do the technical stuff that's needed.
In fact I think there are 8 key applied abilities that are vital in security

1. Systems thinking
2. Politic
3. Architecture / engineering mindset
4. Team creation and evolution
5. Product management
6. Project management
7. Data science
8. Coding
Systems thinking: Sec teams are usually implementing a complex system (lots of sec controls w/ interdependencies) within a complex system (the biz+its people/process/ tech inter-relationships). Ability to understand, share & build consideration of this into decisions is vital.
Read 11 tweets
Profile picture
@xaprb Some quick thoughts...

There are different scenarios for exec comms:
- Cyclical (e.g. annual reporting where format doesn't change)
- Periodic (e.g. on an issue that will last a few committee meetings)
- Ad hoc (e.g. random requests on key things)
- Crisis (new, short cycle)
@xaprb For each there are different formulas you can use. E.g. cyclical reporting may be
- what's our status on something pre-defined as important?
- is status good or bad?
- if bad do we have enough information to act or do we need more?
- if we act what is best cost decision?
@xaprb And there will be different levels of detail for each type of comms. For example in Crisis, you may be giving minute by minute updates. In cyclical the level of detail may be very deep (e.g. board reporting) but more analytical in style.
Read 9 tweets
Profile picture
@sachafaust One of the things that I find helpful is to use product management frameworks to look at effort and impact over time. Lots of things you 'should have' can take a lot of time to roll out and then don't give you the agility you want (e.g. in detection over custom data sets)...
@sachafaust ... which means the team needs to think about what will move the needle quickly in the short term while also laying the foundation to go from 1.0 to 2.0 of capability (vs waiting for 5.0 and never getting there).
@sachafaust Another product management tool is 'time boxing' for testing new ideas (either on red or blue) and that can be effective in limiting scope (which itself is another important part of testing assumptions under uncertainty).
Read 13 tweets

Related threads

Profile picture
Great opportunity to speak at #ASSA2019 American Economics Association/American Finance Association joint luncheon. Here are my slides: goo.gl/tWcLoM
Machine learning brings great opportunities for improvement in empirical work and for improving firm efficiency. Managers and regulators face similar challenges, given black box algorithms built by engineers who may lack context. Need analytic framework to analyze, guide usage.
Causal inference framework helps with some of the challenges, both in terms of describing problems and suggesting solutions.
Read 8 tweets
Profile picture
💣SmokingBoneSaw💣

GOP senators: The Trump adm is covering up Khashoggi’s killing

Post CIA Haspel briefing Graham is highly confident MbS is responsible for the brutal murder of Khashoggi.

MbS planned, ordered & oversaw the murder of Khoshoggi

Flynn substantially cooperated.
💣SmokingMbS💣

📌Recall GHWB commissioned the Dossier

📌Manafort case movement in D.C. , the special counsel's team says that they don't wish to have that discussion unsealed quite yet

📌Mueller office will file new court documents on Manafort, Cohen, Flynn

📌Flynn = 3 cases
💣SmokingMbS3💣

The gilets jaunes (yellow vest) movement, loosely organised on social media, had been hijacked by experienced, violent hard L & far R provocateurs for their own purposes, & fired up by viral fakes inserted into the internet by likely Russian hands. #RAM
Read 83 tweets
Profile picture
So there have been a bunch of articles written in the semi-recent future about how AI has managed to be racist/sexist/whatever in a variety of messed up ways.
Like this article about Amazon’s hiring AI which discriminated against women.

inc.com/guadalupe-gonz…
Or this article about racism in criminal justice applications.

aclu.org/issues/privacy…
Read 9 tweets
Profile picture
🍿StockUp!🍿

CT: Roger Stone is under sealed indictment (7/27) and another sealed indictment was handed down last week.

Stay tuned for a deep dive about RU Alfa Bank per CT—it’s supposed to be a ‘game-changer.’

Trump’s résumé is rife with mob connections. MSM is catching up!
🍿StockUp!🍿

Bob Baer says he knows some of Trump’s Soviet secrets.

The former undercover CIA operative divulged what he’s learned about Trump’s long-running relationship with Russia — specifically the KGB

Lordy there may be a tape!
🍿StockUp3🍿

Energy investment group claims $350M capital commitment from Carter Page post 2016 election. 💰source?

@RepTomGarrett said that he was told in a classified FBI briefing that Russian actors were directly involved in sowing discord Charlottesville. #RAM #Provokatsiya
Read 64 tweets
Profile picture
1/ Data markets are going to be one of the most critical pieces of infrastructure in the next 15 years. Here's a master thread to explain why and how.
2/ I'm not teaching you anything new when I tell you that data may be the most important resource we have today. That's exactly why the idea of an open data commons is so powerful.
3/ Just imagine the kind of insight we could find if we opened all of the world's data at once - from fighting cancer to personal AIs to revolutionizing our cities and food system.
Read 19 tweets
Profile picture
Okay, I'm going to rag on that guy who tried to beat Magnus Carlsen in a month.

He's a big fat phoney fake loser. (1/many)
He set himself up for several challenges, to learn to do something impressive in a month. Here they are:
The amazing thing is that he did all of them! All but the last one, anyway. Wow! Incredible! This guy is some kind of superdude!
Read 39 tweets

Trending hashtags

#GustavKlimt #Bartoleme #Hitler #Christian #autonomousvehicles #DavidShedd #AIQ #MoveEquity #Maps #attitudes #bigdaga #Black #PaidFamilyLeave #Erté #prison #system #equity #ThePatriotTimes #Devastation #elite #ArmMeWith #CrashNotAccident #IWD2018 #Dictatorships #Connections

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!