Data Driven Security

Episode 26

In this episode, Bob sits down with co-workers on the data science team at Rapid 7. They explore the future of security data science, Heisenberg and Project Sonar.

• Keep on top of Heisenberg developments at http://community.rapid7.com/
• Find out more about Project Sonar at http://sonar.labs.rapid7.com/ and http://scans.io/
• Get tools to work with both at http://github.com/rapid7

Episode 24

In this episode, Bob & Jay talk to Charles Givre who has been doing training sessions for professionals trying to learn data science and recently did a training at a recent BlackHat event.

• Data-Driven Security: The Blog
• Data-Driven Security: The Book

Episode 11

In this episode, Jay & Bob talk Squirrels, Pigs & Maps with Preeminent Data Scientist Jason Trost from ThreatStream, and take a look at what's made the headlines in the data science community since last show.

• Watch the UNEDITED BLOOPER REEL!
• Jason Trost
• covert.io blog
• ThreatStream
• Clairvoyant Squirrel: Large Scale Malicious Domain Classification
• Binary Pig
• Binary Pig github repo
• Modern Honey Network
• Roll Your Own IP Attack Graphs with IPew
• Map or Don't Map
• DAVIX 2014 Released
• Lynn Cherny "roundup of recent text analytics & vis work"
• How a fraud detection algorithm consipred to ruin my recent trip
• Collecting all IPv4 WHOIS records in Python
• Linked Small Multiples

Episode 1

In this episode, Bob & Jay invite Alex Pinto (@alexcpsec), Michael Roytman (@mroytman) & Russ Thomas (@mrmeritology) on to the show to discuss what makes up "security data science". They delve into the tools of the trade, posit on future of the intersection of security and data science and relate their own personal & professional experiences trying to introduce "data science" into infosec. Bob & Jay also talk about recent blog posts and do a mini-review of the recently published book "Data Smart".

Watch along "live" with the un-edited "director's" cut.

Topic/resources mentioned in this episode:

Russ Thomas

https://twitter.com/mrmeritology
- http://exploringpossibilityspace.blogspot.com/

Alex Pinto

https://twitter.com/alexcpsec

Michael Roytman

https://twitter.com/mroytman
- http://about.me/michaelroytman

MLSec Project

https://mlsecproject.org

KDD - Knowledge Discovery and Data Mining Conference

http://www.kdd.org/

The (in)famous KDD’99 dataset

http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html

Alex's version of the Data Science Venn Diagram

http://l.rud.is/1af3MLS

Alex's xkcd shirt

http://store-xkcd-com.myshopify.com/collections/apparel/products/self-reference

Measuring vs Modeling

https://www.usenix.org/system/files/login/articles/14_geer-online_0.pdf

VCDB: Top 10 Actions by Industry

http://datadrivensecurity.info/blog/posts/2014/Jan/top10-threat-actions/

Wizard Pro

http://www.wizardmac.com/

Julia

http://julialang.org/

The Data Science Venn Diagram

http://drewconway.com/zia/2013/3/26/the-data-science-venn-diagram

Data Smart

http://www.amazon.com/Data-Smart-Science-Transform-Information/dp/111866146X

Risk I/O

https://www.risk.io/

Make sure to bookmark Data Driven Security blog and podcast and check out the upcoming book.

Episode 10

In this episode, Jay & Bob have a community discussion with John Langton & Alex Baker about their security data analysis & visualization startup: VisiTrend, and take a look at what's made the headlines in the data science community since last show.

Resources / people featured in the show:

• VisiTrend - visitrend (twitter)
• Data science can't be point and click
• In-depth introduction to machine learning in 15 hours of expert videos
• Data Playlists
• Running RStudio via Docker in the Cloud
• Building a DGA Classsifier (in R) - Part 1
• Building a DGA Classsifier (in R) - Part 2
• Building a DGA Classsifier (in R) - Part 3

Link Insights from VisiTrend

VERIS/VCDB general vis - we have a tree map version of the actors, actions, assets, and attributes breakdown which better shows the distribution of events (description on snapshot).
Snapshot - can be posted and viewed without logging in
Actual analysis and data you can load after signing up and logging in

VERIS/VCDB clustering - each square is an event in the data set. Squares are first grouped based on # of employees (e.g. companies with 1k employees will be grouped together), and then based on industry. Squares are colored based on clustering output - we found 7 clusters. We will provide more detail on what defines these clusters in a blog post. It’s interesting to see that particular industries do have particular attack types according to clustering, shown by blocks of similar color.
Snapshot - Actual analysis and data

Honeypot overview - this is really cool (I think). Black, square nodes are the honey pots. Node size is based on the # of packets they’re sending. Computers use more different ports are colored red (big red guy doing massive port scan drowns out the others). The force directed layout clusters nodes if they hit the same honeypots. For instance, click a node in an “outer ring” twice to highlight the honeypot it’s hitting, and it will be one. All other nodes in that ring hit the same one. Double click one of the center nodes and you’ll se they’re hitting all of the honeypots. Treemap groups nodes according to subnet addressing. The timeline view shows time-based histogram of packets coming in colored by destination port. The red guy is selected in the snapshot, so you can see that he blasts all the honey pots at relatively same time.
Snapshot - Actual analysis and data

Honeypot port highlighting - Square nodes are attackers, and circle nodes are ports. Size of the port is how many times packets were sent to that port. Mouse over big purple circle and you see port 1433 is the most popular. You could double click it to see all machines hitting that port. There are two color layers for the node-link graph, you can toggle between them. They both show a version of variability over time (more red = more variable port usage). Treemap shows subnet addressing again but colors a green heat map based on # of diff ports each machine uses. Size based on # of packets they send.
Snapshot - Actual analysis and data

Finally, a great mentor and visionary pioneer of InfoVis named Matt Ward passed away last weekend. He wrote the most recent, comprehensive infovis book with some other really big guys in the field including Keim and Grinnel. Link to the book.