Tactical provenance analysis for endpoint detection and response systems

Wajih Ul Hassan, Adam Bates, Daniel Marino

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Endpoint Detection and Response (EDR) tools provide visibility into sophisticated intrusions by matching system events against known adversarial behaviors. However, current solutions suffer from three challenges: 1) EDR tools generate a high volume of false alarms, creating backlogs of investigation tasks for analysts; 2) determining the veracity of these threat alerts requires tedious manual labor due to the overwhelming amount of low-level system logs, creating a "needle-in-a-haystack" problem; and 3) due to the tremendous resource burden of log retention, in practice the system logs describing long-lived attack campaigns are often deleted before an investigation is ever initiated. This paper describes an effort to bring the benefits of data provenance to commercial EDR tools. We introduce the notion of Tactical Provenance Graphs (TPGs) that, rather than encoding low-level system event dependencies, reason about causal dependencies between EDR-generated threat alerts. TPGs provide compact visualization of multi-stage attacks to analysts, accelerating investigation. To address EDR's false alarm problem, we introduce a threat scoring methodology that assesses risk based on the temporal ordering between individual threat alerts present in the TPG. In contrast to the retention of unwieldy system logs, we maintain a minimally-sufficient skeleton graph that can provide linkability between existing and future threat alerts. We evaluate our system, RapSheet, using the Symantec EDR tool in an enterprise environment. Results show that our approach can rank truly malicious TPGs higher than false alarm TPGs. Moreover, our skeleton graph reduces the long-term burden of log retention by up to 87%.

Original language: English (US)
Title of host publication: Proceedings - 2020 IEEE Symposium on Security and Privacy, SP 2020
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 1172-1189
Number of pages: 18
ISBN (Electronic): 9781728134970
State: Published - May 2020
Event: 41st IEEE Symposium on Security and Privacy, SP 2020 - San Francisco, United States
Duration: May 18 2020 - May 21 2020

Publication series

Name: Proceedings - IEEE Symposium on Security and Privacy
Volume: 2020-May
ISSN (Print): 1081-6011

Conference

Conference: 41st IEEE Symposium on Security and Privacy, SP 2020
Country/Territory: United States
City: San Francisco
Period: 5/18/20 - 5/21/20

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Software
  • Computer Networks and Communications
