A Needle in a Haystack: Identifying an Infostealer Attack Through Trillions of Events in a Large-scale Modern SOC


Security Operations Centers (SOCs) are used by companies to defend themselves against cyber-attacks. These SOCs monitor logs collected from the enterprise network, such as process activity, authentication events and netflow, to identify attacks or compromises. The security teams running them must navigate the many alerts generated by a wide range of security controls, using both rules and Machine Learning (ML), to identify malicious activity. This is even more the case in large-scale SOCs, or for companies offering Managed Detection and Response (MDR).

This talk showcases a multi-step approach used in a modern large-scale managed SOC that monitors thousands of enterprise networks, demonstrating how it successfully identifies a real infostealer attack through multiple layers of filtering and processing. Over a two-week period containing 9.7 trillion event logs, the presented approach combines alert deduplication, individual rule-based and ML-based detectors, alert suppression, and a supervised ML-based alert prioritization model to dramatically reduce the noise, so that security analysts can pinpoint the infostealer activity.
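The staged reduction the abstract describes (deduplicate, apply detector output and analyst-tuned suppressions, then rank what remains with a supervised model) as a small added illustration; this is not code from the talk or from Sophos. Every alert, host name, detector name, suppression rule and analyst verdict below is constructed, and the plain-Python logistic regression stands in for whatever supervised prioritization model a real SOC would train on its own history of analyst verdicts.

```python
"""Toy SOC triage pipeline: deduplicate -> suppress -> prioritize (supervised).
All alerts, hosts, detector names and analyst verdicts here are constructed."""
import math
from dataclasses import dataclass


@dataclass
class Alert:
    ts: int          # seconds on a constructed timeline
    host: str
    detector: str    # rule or ML detector name (assumed names)
    kind: str        # "rule" or "ml"
    severity: int    # 1..10 as emitted by the detector
    entity: str      # process / destination that fired it
    count: int = 1   # repeats folded in by deduplication


DEDUP_WINDOW = 600  # seconds


def deduplicate(alerts, window=DEDUP_WINDOW):
    """Collapse repeats of (host, detector, entity) seen within `window` seconds."""
    kept, last = [], {}
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.host, a.detector, a.entity)
        if key in last and a.ts - last[key].ts <= window:
            last[key].count += 1          # fold the repeat into the kept alert
            continue
        c = Alert(**vars(a))              # copy so the raw list stays intact
        kept.append(c)
        last[key] = c
    return kept


# Analyst-tuned suppressions: (host, detector, entity prefix) known to be benign.
SUPPRESSIONS = [("jump-01", "lsass_handle_open", "procdump.exe")]


def suppress(alerts, rules=SUPPRESSIONS):
    """Drop alerts matching a suppression; in practice these are reviewed periodically."""
    return [a for a in alerts
            if not any(a.host == h and a.detector == d and a.entity.startswith(e)
                       for h, d, e in rules)]


def features(a, alerts):
    """Assumed feature set: severity, repeat count, detector breadth on the host, ML flag."""
    breadth = len({x.detector for x in alerts if x.host == a.host})
    return [1.0, a.severity / 10, math.log1p(a.count), breadth / 5, float(a.kind == "ml")]


def train_logreg(rows, labels, epochs=3000, lr=0.3):
    """Logistic regression by plain SGD; a stand-in for the SOC's real supervised model."""
    w = [0.0] * len(rows[0])
    for _ in range(epochs):
        for x, y in zip(rows, labels):
            p = 1 / (1 + math.exp(-sum(wi * xi for wi, xi in zip(w, x))))
            w = [wi - lr * (p - y) * xi for wi, xi in zip(w, x)]
    return w


def score(a, alerts, w):
    """Probability-like priority for one alert."""
    z = sum(wi * xi for wi, xi in zip(w, features(a, alerts)))
    return 1 / (1 + math.exp(-z))


def prioritize(alerts, w):
    return sorted(alerts, key=lambda a: score(a, alerts, w), reverse=True)


# Constructed history with analyst verdicts (1 = confirmed malicious) used for training.
HISTORY = [
    Alert(1, "h1", "browser_cred_db_read", "rule", 6, "x.exe", 4),
    Alert(2, "h1", "ml_rare_outbound", "ml", 7, "x.exe -> 192.0.2.5:443"),
    Alert(3, "h1", "lsass_handle_open", "rule", 8, "x.exe"),
    Alert(4, "h2", "ml_rare_outbound", "ml", 3, "teams.exe -> 192.0.2.8:443"),
    Alert(5, "h3", "browser_cred_db_read", "rule", 6, "chrome.exe"),
    Alert(6, "h4", "lsass_handle_open", "rule", 8, "msmpeng.exe"),
]
LABELS = [1, 1, 1, 0, 0, 0]

# Constructed slice of raw alerts from three hosts; ws-42 shows infostealer-like breadth.
RAW_ALERTS = [
    Alert(1000, "ws-42", "browser_cred_db_read", "rule", 6, "update.exe"),
    Alert(1005, "ws-42", "browser_cred_db_read", "rule", 6, "update.exe"),  # repeat
    Alert(1009, "ws-42", "browser_cred_db_read", "rule", 6, "update.exe"),  # repeat
    Alert(1020, "ws-42", "ml_rare_outbound", "ml", 7, "update.exe -> 198.51.100.7:443"),
    Alert(1030, "ws-42", "lsass_handle_open", "rule", 8, "update.exe"),
    Alert(2000, "jump-01", "lsass_handle_open", "rule", 8, "procdump.exe"),  # tuned out
    Alert(2100, "ws-17", "ml_rare_outbound", "ml", 4, "teams.exe -> 203.0.113.9:443"),
    Alert(5000, "ws-42", "browser_cred_db_read", "rule", 6, "update.exe"),  # new window
]


def triage(raw=RAW_ALERTS):
    """Run the three stages and return the ranked queue an analyst would see."""
    w = train_logreg([features(a, HISTORY) for a in HISTORY], LABELS)
    return prioritize(suppress(deduplicate(raw)), w)


if __name__ == "__main__":
    for a in triage():
        print(f"{a.host:8} {a.detector:22} x{a.count}")
```

Eight raw alerts become six after deduplication, five after the suppression removes the known-benign jump host activity, and the ranking then pushes the three-detector cluster on ws-42 to the top while the lone low-severity ML alert on ws-17 sinks to the bottom. The breadth feature (how many distinct detectors fired on one host) is what carries most of the signal here, which mirrors why correlating across detectors matters more than any single alert's severity.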


François Labrèche, Principal Data Scientist, Sophos

François Labrèche is a Principal Data Scientist at Sophos, who focuses on applying machine learning approaches to research problems related to security alerts and vulnerabilities. In particular, he uses machine learning to improve the prioritization of alerts and vulnerabilities in the context of XDR and vulnerability management. He has a Ph.D. from École Polytechnique de Montréal, and has published research papers on the topics of threat research, spam detection, malware analysis and machine learning applied to cybersecurity. He has presented at ACSAC, CAMLIS, NorthSec, BSides Montreal, University College London and École Polytechnique de Montréal, and has published papers in conferences such as ACM CCS and eCrime.