Skip to main content

Distinguished Seminar:  Building a Network Security Analysis Toolbox - Problems of Vantage, Narrative and Action

Date:November 2, 2015 
Talk Title:Building a Network Security Analysis Toolbox - Problems of Vantage, Narrative and Action
Speaker:Michael Collins, Chief scientist at RedJack, LLC
Time & Location:12:00pm - 1:00pm
DEC, CIC Building, Pittsburgh

Abstract

Information security research is unique in that we have an adversary; if we do our job well, we will make attacker's lives miserable. To do our job well, we need to transfer research into operations -- everything in security research -eventually- ends up on the ops floor. For the majority of my career I have been focused on taking security research and turning it into actionable analysis on networks comprising hundreds of millions of IP addresses. In this talk, I will discuss the process of doing so, and the headaches we've encountered en route.

The problem of vantage refers to the placement of sensors on a network and the impact that this placement has on the ability to infer sensory information. Data collection on live networks is often complicated by the need to satisfy multiple concerns, include scale, legal permissions, and network configuration. The problem of narrative refers to the difference between how an attack is observed by the attacker, and how its observed by the defenders. Multistage models such as CAPEC, CKC and the five-P's propose mechanisms to describe attacks as sequences of events, but attackers often skip past steps or rearrange them as they see fit. The problem of action refers to how information is treated by operational personnel. Detection is not simply a matter of false positive or false negative, but a question of context, timing and the ultimate outcome of a decision.

In this talk, I will discuss each of these problems, and how we address them in the course of operationalizing research.

Speaker Bio

Dr. Michael Collins is Chief Scientist for RedJack, LLC; in this capacity, he has led research on insider threat, game-theoretic security, moving target defense and software defined networking.

A practitioner and researcher, Dr. Collins built the initial SiLK toolset, a high-performance flow analysis toolkit used in the US Government's CENTAUR and EINSTEIN capacities as well as various private and public organizations for enterprise flow analysis. He has worked on multiple investigations and was called as an expert witness in U.S. vs. Manning. He has authored multiple technical papers and the recent book "Network Security Through Data Analysis".

Prior to his work at RedJack, Dr. Collins was a member of the technical staff at the CERT/Network Situational Awareness group at Carnegie Mellon University. Dr. Collins graduated with a PhD in Electrical Engineering from Carnegie Mellon University in 2008, he holds Master's and Bachelor's Degrees from the same institution. He is vaguely bemused to return to a city where french fries are put on salads.