🚨NEW from Fusion: #AzureSentinel flagship Machine Learning solution🚨
TL;DR: Fusion ML💗Partner Datasets
In this release, we extend Fusion to partner ecosystem such as firewall Threat logs from Palo Alto Networks and our very own, MDATP
microsoft.com/security/blog/…
Deets⬇️1/
TL;DR: Fusion ML💗Partner Datasets
In this release, we extend Fusion to partner ecosystem such as firewall Threat logs from Palo Alto Networks and our very own, MDATP
microsoft.com/security/blog/…
Deets⬇️1/
Fusion, in a nutshell combines, 🟨+ 🟨low fidelity alerts = 🟥 high fidelity incidents using Bayesian methods
Data: Alerts and events from Microsoft Security and Partner Products incident using
In Dec 2019, we processed 50 Billion+ alerts and found 23 high fidelity cases 2/
Data: Alerts and events from Microsoft Security and Partner Products incident using
In Dec 2019, we processed 50 Billion+ alerts and found 23 high fidelity cases 2/
Simple correlations dont work well when you have 50 Billion input signals - the opportunities for False positives are grave. For instance, a simple 1% FP over 50B, is still...umm... half a BILLION.
3/
3/
Part I: What's new?
We now extend this stitching together insights from Threat logs from @PaloAltoNtwks and Microsoft Defender ATP
4/
We now extend this stitching together insights from Threat logs from @PaloAltoNtwks and Microsoft Defender ATP
4/
For instance, Fusion stitches together suspicious powershell process in an end point connects to a weird IP (from MDATP) followed by anomalous activity in the network (from Palo Alto)
5/
5/
Part II: How?
We had to overcome 2 problems for this release
Problem 1: Customers have many security products and are on many clouds. If we build a custom ML system for each of these datasets, we aint gonna scale.
Want: A flexible ML System that can accommodate new datasets
We had to overcome 2 problems for this release
Problem 1: Customers have many security products and are on many clouds. If we build a custom ML system for each of these datasets, we aint gonna scale.
Want: A flexible ML System that can accommodate new datasets
Problem 2: Incorporate domain knowledge easily. The MSTIC team in @LeahLease has specialized knowledge virtually across different products. We wanted to tap into their scenarios into our system
Want: A flexible system that can accomodate domain knowledge
7/
Want: A flexible system that can accomodate domain knowledge
7/
Problem 3: We need a way to test our generic ML system to see it actually works
Want: An environment to test the system
8/
Want: An environment to test the system
8/
Using DNNs take care of problem #1 (no feature engineering) but not so much problem #2 (co-opting domain knowledge).
So one natural fit is using graphical methods. We had already invested in it in the previous release, so extending to other data sets.
9/
So one natural fit is using graphical methods. We had already invested in it in the previous release, so extending to other data sets.
9/
There is a 3 Step process:
1) Convert alerts into a graph (you'll notice the nodes can be entities, VMs, IP addreses or even alerts)
2) Prune the graph using probabilistic kill chain
3) Do one more round of scoring to really reduce the alerts.
10/
1) Convert alerts into a graph (you'll notice the nodes can be entities, VMs, IP addreses or even alerts)
2) Prune the graph using probabilistic kill chain
3) Do one more round of scoring to really reduce the alerts.
10/
Problem 3 - test the detection - was solved thanks to @ashwinpatil awesomeness
This was a double blind test:
- Ashwin did not know internals of detection logic
- ML team did not know anything about attack
Goal for ML team: Find Ashwin's shenanigans (We did!)
11/
This was a double blind test:
- Ashwin did not know internals of detection logic
- ML team did not know anything about attack
Goal for ML team: Find Ashwin's shenanigans (We did!)
11/
I am super proud of this system - Complex and hard combining:
1) the state of art ML techniques from the ML team
2) domain knowledge of MSTIC team from @ashwinpatil, @LeahLease and @JohnLaTwC
3) Good partnership with Partners @PaloAltoNtwks
4) Feedback from customers
12/
1) the state of art ML techniques from the ML team
2) domain knowledge of MSTIC team from @ashwinpatil, @LeahLease and @JohnLaTwC
3) Good partnership with Partners @PaloAltoNtwks
4) Feedback from customers
12/
If you have questions:
1) DM Me - Always open. Always want to hear from you
2) We will be at #RSAC2020 . Swing by and say hullo!
1) DM Me - Always open. Always want to hear from you
2) We will be at #RSAC2020 . Swing by and say hullo!
