BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//HasGeek//NONSGML Funnel//EN
DESCRIPTION:Using anomaly patterns for improved data security\, network mo
 nitoring and observability.
X-WR-CALDESC:Using anomaly patterns for improved data security\, network m
 onitoring and observability.
NAME:Detecting anomalous network patterns
X-WR-CALNAME:Detecting anomalous network patterns
REFRESH-INTERVAL;VALUE=DURATION:PT12H
SUMMARY:Detecting anomalous network patterns
TIMEZONE-ID:Asia/Kolkata
X-PUBLISHED-TTL:PT12H
X-WR-TIMEZONE:Asia/Kolkata
BEGIN:VEVENT
SUMMARY:Introduction to the conference - rationale\, themes and takeaways
DTSTART:20210618T083000Z
DTEND:20210618T084000Z
DTSTAMP:20260419T160016Z
UID:session/9dr2zbovni93Xg64HfbirW@hasgeek.com
SEQUENCE:0
CREATED:20210617T072805Z
LAST-MODIFIED:20210617T072811Z
LOCATION:Online
ORGANIZER;CN=Rootconf:MAILTO:no-reply@hasgeek.com
BEGIN:VALARM
ACTION:display
DESCRIPTION:Introduction to the conference - rationale\, themes and takeaw
 ays in 5 minutes
TRIGGER:-PT5M
END:VALARM
END:VEVENT
BEGIN:VEVENT
SUMMARY:Introducing Network Security Monitoring (NSM) for your organizatio
 ns (and your homes)
DTSTART:20210618T084000Z
DTEND:20210618T091000Z
DTSTAMP:20260419T160016Z
UID:session/Jd7GeVkPRVRs6xZYBhxpWJ@hasgeek.com
SEQUENCE:1
CATEGORIES:Scheduled for Pre-recording,Observability
CREATED:20210608T031142Z
DESCRIPTION:Prevention ultimately fails. With this uncomfortable premise\,
  everyone gets breached. The circumstances for networks become grave when 
 one looks at defending networks from the security 1% lens. According to Ri
 chard Bejtlich\, \n\n"assortment of people and organizations who have the 
 personnel\, processes\, technology\, and support to implement somewhat rob
 ust digital security programs\, especially those with the detection and re
 sponse capabilities and not just planning and resistance/"prevention" func
 tions"[1]\n\nOne of the methods to identify\, process and gain visibility 
 into a network is Network Security Monitoring (NSM).\n\nIn this talk\, I w
 ill lay out ample reasons for implementing NSM in a network and the variou
 s ways to do it.\n\nQ: Key Takeaways\n1. Why NSM matters\n2. Implementing 
 NSM in a network\n\nQ: Who should attend?\n1. Network administrators\n2. I
 nfoSec professionals\n\n[1] https://taosecurity.blogspot.com/2020/10/secur
 ity-and-one-percent-thought.html\n\n
LAST-MODIFIED:20230108T103046Z
LOCATION:Online
ORGANIZER;CN=Rootconf:MAILTO:no-reply@hasgeek.com
URL:https://hasgeek.com/rootconf/detecting-anomalous-network-patterns/sche
 dule/packets-dont-lie-network-security-monitoring-nsm-for-the-masses-Jd7Ge
 VkPRVRs6xZYBhxpWJ
BEGIN:VALARM
ACTION:display
DESCRIPTION:Introducing Network Security Monitoring (NSM) for your organiz
 ations (and your homes) in 5 minutes
TRIGGER:-PT5M
END:VALARM
END:VEVENT
BEGIN:VEVENT
SUMMARY:Where is my traffic going - and other tough questions about hybrid
  network monitoring.
DTSTART:20210618T091000Z
DTEND:20210618T094000Z
DTSTAMP:20260419T160016Z
UID:session/T6gvAfHmf7XgPwpCdp3w9C@hasgeek.com
SEQUENCE:1
CATEGORIES:Scheduled for Pre-recording,Anomaly detection
CREATED:20210608T031302Z
DESCRIPTION:Modern application architectures have evolved networking beyon
 d physical connections. IP addresses are no longer sufficient descriptors 
 of components like virtual machines\, containers\, and cloud services. Eff
 ectively managing complex\, distributed environments requires an understan
 ding of how these components interact\, which cannot be obtained with trad
 itional network monitoring tools.  \n\nIn this session we will show how Da
 tadog takes a unified approach to observability\, providing insight into t
 he performance and security of your apps and network. With dynamic depende
 ncy mapping\, out of the box threat detection\, and proactive anomaly-base
 d alerting\, we’ll demonstrate how you can leverage Datadog to get visib
 ility across your network\, no matter its scale or complexity. 
LAST-MODIFIED:20230108T103046Z
LOCATION:Online
ORGANIZER;CN=Rootconf:MAILTO:no-reply@hasgeek.com
URL:https://hasgeek.com/rootconf/detecting-anomalous-network-patterns/sche
 dule/where-is-my-traffic-going-and-other-tough-questions-of-hybrid-network
 -monitoring-T6gvAfHmf7XgPwpCdp3w9C
BEGIN:VALARM
ACTION:display
DESCRIPTION:Where is my traffic going - and other tough questions about hy
 brid network monitoring. in 5 minutes
TRIGGER:-PT5M
END:VALARM
END:VEVENT
BEGIN:VEVENT
SUMMARY:Achieving a high level of network inspection with VPC traffic mirr
 oring and Suricata
DTSTART:20210618T094000Z
DTEND:20210618T101000Z
DTSTAMP:20260419T160016Z
UID:session/WG2o3Yrywx5Q2yeS7NuKhP@hasgeek.com
SEQUENCE:1
CATEGORIES:Confirmed,Observability
CREATED:20210608T031409Z
DESCRIPTION:COVID has hit everyone and affected people in their own way. A
 s far as organizations are concerned\, employees have been asked to work f
 rom home (WFH)\, and because many industries are now working remotely\, th
 e pattern of user connections to the enterprise network has turned upside 
 down. Instead of most users connecting locally\, now most are connecting r
 emotely. And for allowing employees to access critical business functions\
 , there is mandatory VPN connectivity.\n\nSince the VPN instance is kept i
 n a demilitarized zone (DMZ) to allow employees around the globe to connec
 t to it and access internal applications\, there is an unexpected flood of
  WFH connections\, which makes VPN networks more vulnerable to all kinds o
 f Layer7/Layer3 attacks.\n\nWe will walk through how we have strengthened 
 security and monitoring over our public VPN instance\, which was kept in t
 he public VPC\, keeping an ever-watchful eye out for unusual traffic patte
 rns or content that could signify a network intrusion using AWS VPC Traffi
 c Mirroring and a network intrusion detection system Suricata.  
LAST-MODIFIED:20230108T103046Z
LOCATION:Online
ORGANIZER;CN=Rootconf:MAILTO:no-reply@hasgeek.com
URL:https://hasgeek.com/rootconf/detecting-anomalous-network-patterns/sche
 dule/achieving-a-high-level-of-network-inspection-with-vpc-traffic-mirrori
 ng-and-suricata-WG2o3Yrywx5Q2yeS7NuKhP
BEGIN:VALARM
ACTION:display
DESCRIPTION:Achieving a high level of network inspection with VPC traffic 
 mirroring and Suricata in 5 minutes
TRIGGER:-PT5M
END:VALARM
END:VEVENT
BEGIN:VEVENT
SUMMARY:Coffee break
DTSTART:20210618T101000Z
DTEND:20210618T102000Z
DTSTAMP:20260419T160016Z
UID:session/Wcnz4RUPombvLhAxAWBusX@hasgeek.com
SEQUENCE:0
CREATED:20210616T113517Z
LAST-MODIFIED:20210617T072821Z
LOCATION:Online
ORGANIZER;CN=Rootconf:MAILTO:no-reply@hasgeek.com
BEGIN:VALARM
ACTION:display
DESCRIPTION:Coffee break in 5 minutes
TRIGGER:-PT5M
END:VALARM
END:VEVENT
BEGIN:VEVENT
SUMMARY:Anatomy of an attack - how to analyze network behaviour
DTSTART:20210618T102000Z
DTEND:20210618T104500Z
DTSTAMP:20260419T160016Z
UID:session/9aKjaswgp7nNamVZvsmCGv@hasgeek.com
SEQUENCE:1
CATEGORIES:Confirmed,Deep defense
CREATED:20210608T031537Z
DESCRIPTION:-	__Network behaviour analysis__ often leads to early indicato
 rs of attack\, however\, network behaviour needs to be _augmented_ with ad
 ditional data points like user behaviour\, data flow characteristics\, thr
 eat intelligence\, anonymous API calls to identify and establish threat pa
 tterns\n\n-	There are __mechanisms of preventive and detective controls__.
  In this session we will look at an Anatomy of an attack and how to levera
 ge various capabilities to identify various indicators and trace attack pa
 th \n
LAST-MODIFIED:20230108T103046Z
LOCATION:Online
ORGANIZER;CN=Rootconf:MAILTO:no-reply@hasgeek.com
URL:https://hasgeek.com/rootconf/detecting-anomalous-network-patterns/sche
 dule/anatomy-of-an-attack-9aKjaswgp7nNamVZvsmCGv
BEGIN:VALARM
ACTION:display
DESCRIPTION:Anatomy of an attack - how to analyze network behaviour in 5 m
 inutes
TRIGGER:-PT5M
END:VALARM
END:VEVENT
BEGIN:VEVENT
SUMMARY:Knowledge versus faith: how to use observable data to make better 
 defence decisions
DTSTART:20210618T104500Z
DTEND:20210618T113000Z
DTSTAMP:20260419T160016Z
UID:session/JMLJLMh9o4qjSDqxJQFmAt@hasgeek.com
SEQUENCE:1
CATEGORIES:Scheduled for Pre-recording,Observability
CREATED:20210608T033923Z
DESCRIPTION:Over the past years we increasingly relied on someone else's j
 udgement and opinion of what is bad or good on the Internet. And whilst ve
 ry often the things changed the scores may not\, leading to false positive
 s or complicated and obscure risk-score structures. Also\, to form an opin
 ion\, one needs to observe the behaviour for some time to cast judgement.
  What can we do in the meantime? Knowledge about the facts - the objective
  observations and prior knowledge of the behaviour of a large system over
  a long period of time - comes to the rescue. Newly observed assets on the
  internet and the scientifically derived mortality rates will help you
  defend your business when any other methods\, that aim to detect
  anomalies\, are helpless.
LAST-MODIFIED:20230108T103046Z
LOCATION:Online
ORGANIZER;CN=Rootconf:MAILTO:no-reply@hasgeek.com
URL:https://hasgeek.com/rootconf/detecting-anomalous-network-patterns/sche
 dule/knowledge-vs-faith-how-to-use-observable-data-to-make-better-defence-
 decisions-JMLJLMh9o4qjSDqxJQFmAt
BEGIN:VALARM
ACTION:display
DESCRIPTION:Knowledge versus faith: how to use observable data to make bet
 ter defence decisions in 5 minutes
TRIGGER:-PT5M
END:VALARM
END:VEVENT
BEGIN:VEVENT
SUMMARY:Advanced anomaly detection systems for transactions and network fl
 ows
DTSTART:20210618T113000Z
DTEND:20210618T121000Z
DTSTAMP:20260419T160016Z
UID:session/PxD9ToHR2tQyv56MfRJ4jb@hasgeek.com
SEQUENCE:1
CATEGORIES:Scheduled for Pre-recording,Anomaly detection
CREATED:20210610T082010Z
DESCRIPTION:India holds the record for having the highest number of digita
 l transactions annually. VuNet is a major Indian player in this\, helping 
 several prominent banks through AI driven monitoring of their payment tran
 saction flows and network infrastructure to improve the user experience. 
 Through our flagship product\, vuSmartMaps\, we have been rigorously analy
 sing millions of transactions\, applications\, and network traffic\, by co
 llecting\, analysing and correlating terabytes of telemetry across their t
 ransaction logs\, application and system logs and network traffic details 
 to detect and correct failures in real time. \n\nWe have extensive experie
 nce in analysing various logs and multivariate time series data at scale. 
 Building on this\, we have developed a unique approach to anomalies: captu
 ring both transaction anomalies and network anomalies\, proactively catchi
 ng failure incidents\, and accelerating root cause analysis through advanc
 ed correlation mechanisms. We are also extending the anomaly detection sys
 tems to our customer's network systems to identify spurious network traffi
 c by baselining user and branch network behaviour. \n\nMonitoring more tha
 n 2.5 Billion transactions a month across 10K+ network nodes\, our anomaly
  systems have become robust over time to discern various time series patte
 rns from seasonal\, multimodal\, and sudden spikes. They have been tested 
 against global benchmarks with demonstrated superior results and are const
 antly enhanced with user feedback loops. \n\nIn our talk\, we will share o
 ur experience around the challenges of varied time series data\, a novel w
 ay of building anomaly systems and applying them to real world noisy data
  at scale.
LAST-MODIFIED:20230108T103046Z
LOCATION:Online
ORGANIZER;CN=Rootconf:MAILTO:no-reply@hasgeek.com
URL:https://hasgeek.com/rootconf/detecting-anomalous-network-patterns/sche
 dule/advanced-anomaly-detection-systems-for-transactions-and-network-flows
 -PxD9ToHR2tQyv56MfRJ4jb
BEGIN:VALARM
ACTION:display
DESCRIPTION:Advanced anomaly detection systems for transactions and networ
 k flows in 5 minutes
TRIGGER:-PT5M
END:VALARM
END:VEVENT
BEGIN:VEVENT
SUMMARY:Coffee break
DTSTART:20210618T121000Z
DTEND:20210618T122000Z
DTSTAMP:20260419T160016Z
UID:session/XaT4nPxiLcAY9fRL9bpPXd@hasgeek.com
SEQUENCE:0
CREATED:20210616T113649Z
LAST-MODIFIED:20210617T072832Z
LOCATION:Online
ORGANIZER;CN=Rootconf:MAILTO:no-reply@hasgeek.com
BEGIN:VALARM
ACTION:display
DESCRIPTION:Coffee break in 5 minutes
TRIGGER:-PT5M
END:VALARM
END:VEVENT
BEGIN:VEVENT
SUMMARY:Network egress observability at Dream11 and SRE workflows
DTSTART:20210618T122000Z
DTEND:20210618T125000Z
DTSTAMP:20260419T160016Z
UID:session/H5znGLBGxNuUbRaabGnbEk@hasgeek.com
SEQUENCE:1
CATEGORIES:Confirmed,Observability
CREATED:20210615T061641Z
DESCRIPTION:One of the many challenges an SRE/DevOps/Cloud Security
  Officer has to face in his or her job is to know at any time what is
  going on in the cloud egress network. They must perform continuous
  analyses and checks to determine which cloud systems communicate with
  each other\, which cloud systems are sending data outside and which
  protocols they employ. What about the data that is transferred to third
  parties and the data entering the network from outside? All this
  information must be available for evaluation at any time\, even if that
  particular period of time lies in the past.\nDifferentiating between
  organic & inorganic traffic patterns is difficult. Anomaly algorithm
  identifies when a metric is behaving differently than it has in the
  past\, taking into account trends\, seasonal day-of-week\, and
  time-of-day patterns. It is well-suited for metrics with strong trends
  and recurring patterns that are hard to monitor with threshold-based
  alerting.\nWe at Dream11 used an anomaly detection algorithm to detect
  anomalous data patterns in\n1. Network Bytes IN / OUT\, TCP connection
  attempt / connection establish / connection close\, TCP retransmission
  & packet drop\n2. DNS successful lookups\, #SERVFAIL\, #NXDOMAIN
LAST-MODIFIED:20230108T103046Z
LOCATION:Online
ORGANIZER;CN=Rootconf:MAILTO:no-reply@hasgeek.com
URL:https://hasgeek.com/rootconf/detecting-anomalous-network-patterns/sche
 dule/what-is-happening-in-my-network-network-egress-observability-at-dream
 11-H5znGLBGxNuUbRaabGnbEk
BEGIN:VALARM
ACTION:display
DESCRIPTION:Network egress observability at Dream11 and SRE workflows in 5
  minutes
TRIGGER:-PT5M
END:VALARM
END:VEVENT
BEGIN:VEVENT
SUMMARY:API security powered by Deep Learning
DTSTART:20210618T125000Z
DTEND:20210618T132500Z
DTSTAMP:20260419T160016Z
UID:session/W6uaRhJYfgUSxkSBHmLhCs@hasgeek.com
SEQUENCE:1
CATEGORIES:Scheduled for Pre-recording,Deep defense
CREATED:20210615T061658Z
DESCRIPTION:Spherical Defense is working on applying research from Cambrid
 ge University on representation learning and Natural Language Processing (
 NLP) to web application / API security. We learn the baseline in an unsupe
 rvised manner of normal JSON request headers and payloads\, and can detect
  anomalies. We learn continuously as the application changes and reduce fa
 lse positives. We can 1) detect anomalies in requests using a tree-trace a
 utoregressive model 2) Detect account takeover attacks using our tree-vari
 ational autoencoder model. \n\n
LAST-MODIFIED:20230108T103046Z
LOCATION:Online
ORGANIZER;CN=Rootconf:MAILTO:no-reply@hasgeek.com
URL:https://hasgeek.com/rootconf/detecting-anomalous-network-patterns/sche
 dule/api-security-powered-by-deep-learning-W6uaRhJYfgUSxkSBHmLhCs
BEGIN:VALARM
ACTION:display
DESCRIPTION:API security powered by Deep Learning in 5 minutes
TRIGGER:-PT5M
END:VALARM
END:VEVENT
BEGIN:VEVENT
SUMMARY:Summary and conclusion
DTSTART:20210618T132500Z
DTEND:20210618T134000Z
DTSTAMP:20260419T160016Z
UID:session/PXKhSHLRGRV5efVGBtyafx@hasgeek.com
SEQUENCE:0
CREATED:20210616T113953Z
LAST-MODIFIED:20210617T072838Z
LOCATION:Online
ORGANIZER;CN=Rootconf:MAILTO:no-reply@hasgeek.com
BEGIN:VALARM
ACTION:display
DESCRIPTION:Summary and conclusion in 5 minutes
TRIGGER:-PT5M
END:VALARM
END:VEVENT
BEGIN:VEVENT
SUMMARY:Birds of Feather (BOF) session on Tooling for Network Security Mon
 itoring (NSM)
DTSTART:20210715T093000Z
DTEND:20210715T103000Z
DTSTAMP:20260419T160016Z
UID:session/QakT6zSePYp9bEkXTjQUBc@hasgeek.com
SEQUENCE:0
CREATED:20210702T045605Z
LAST-MODIFIED:20210708T065730Z
LOCATION:Online
ORGANIZER;CN=Rootconf:MAILTO:no-reply@hasgeek.com
BEGIN:VALARM
ACTION:display
DESCRIPTION:Birds of Feather (BOF) session on Tooling for Network Security
  Monitoring (NSM) in 5 minutes
TRIGGER:-PT5M
END:VALARM
END:VEVENT
END:VCALENDAR
