Practical Cyborgism: Getting Start with Machine Learning for Incident Detection

BSidesDC 2016

Presented by: David J. Bianco, Chris McCubbin
Date: Sunday October 23, 2016
Time: 13:30 - 14:20
Location: Grand Central
Track: Track 2

Organizations today are collecting more information about what's going on in their environments than ever before, but manually sifting through all this data to find evil on your network is next to impossible. Increasingly, companies are turning to big data analytics and machine learning to detect security incidents. Most of these solutions are black-box products that cannot be easily tailored to the environments in which they run. Therefore, reliable detection of security incidents remains elusive, and there is a distinct lack of open source innovation.

It doesn't have to be this way! Many security pros think nothing of whipping up a script to extract downloaded files from a PCAP, yet recoil in horror at the idea of writing their own machine learning tools. The "analytics barrier" is perceived to be very high, but getting started is much easier than you think!

In this presentation, we'll walk through the creation of a simple Python script that can learn to find malicious activity in your HTTP proxy logs. At the end of it all, you'll not only gain a useful tool to help you identify things that your IDS and SIEM might have missed, but you'll also have the knowledge necessary to adapt that code to other uses as well.

David J. Bianco

David J. Bianco, Lead Security Technologist, Sqrrl Data, Inc. Before coming to work as a Security Technologist and DFIR subject matter expert at Sqrrl, David led the hunt team at Mandiant, helping to develop and prototype innovative approaches to detect and respond to network attacks. Prior to that, he spent five years helping to build an intel-driven detection & response program for General Electric (GE-CIRT). He set detection strategies for a network of nearly 500 NSM sensors in over 160 countries and led response efforts for some of the company's the most critical incidents. David stays active in the community, speaking and writing on the subjects of Incident Detection & Response, Threat Intelligence and Security Analytics. He is also the person behind [The ThreatHunting Project](http://threathunting.net) and a member of the [MLSec Project](http://www.mlsecproject.org). You can follow him on Twitter as [@DavidJBianco](https://twitter.com/DavidJBianco) or subscribe to his blog, ["Enterprise Detection & Response"](http://detect-respond.blogspot.com).

Chris McCubbin

Chris McCubbin, Director of Data Science, Sqrrl Data, Inc. Chris is the Director of Data Science and a co-founder of Sqrrl Data, Inc. Chris' primary task is prototyping new designs and algorithms to extend the capabilities of the Sqrrl Enterprise cybersecurity solution. Prior to cofounding Sqrrl, Chris spent 2 years developing big-data analytics for the Department of Defense at TexelTek, Inc and 10 years as Senior Professional Staff at the Johns Hopkins Applied Physics Laboratory where he applied machine learning algorithms to swarming unmanned vehicle ensembles. Chris holds a Masters degree in Computer Science and Bachelor's degrees in Mathematics and Computer Science from the University of Maryland.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats