BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//pretalx.com//bsides-canberra-2025//speaker//VDFCQ9
BEGIN:VTIMEZONE
TZID:AEST
BEGIN:STANDARD
DTSTART:20000326T040000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3;UNTIL=20050326T170000Z
TZNAME:AEST
TZOFFSETFROM:+1100
TZOFFSETTO:+1000
END:STANDARD
BEGIN:STANDARD
DTSTART:20060402T040000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=4;UNTIL=20060401T170000Z
TZNAME:AEST
TZOFFSETFROM:+1100
TZOFFSETTO:+1000
END:STANDARD
BEGIN:STANDARD
DTSTART:20070325T040000
RRULE:FREQ=YEARLY;BYDAY=4SU;BYMONTH=3;UNTIL=20070324T170000Z
TZNAME:AEST
TZOFFSETFROM:+1100
TZOFFSETTO:+1000
END:STANDARD
BEGIN:STANDARD
DTSTART:20080406T040000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=4
TZNAME:AEST
TZOFFSETFROM:+1100
TZOFFSETTO:+1000
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000827T030000
RRULE:FREQ=YEARLY;BYDAY=4SU;BYMONTH=8;UNTIL=20000826T170000Z
TZNAME:AEDT
TZOFFSETFROM:+1000
TZOFFSETTO:+1100
END:DAYLIGHT
BEGIN:DAYLIGHT
DTSTART:20011028T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10;UNTIL=20071027T170000Z
TZNAME:AEDT
TZOFFSETFROM:+1000
TZOFFSETTO:+1100
END:DAYLIGHT
BEGIN:DAYLIGHT
DTSTART:20081005T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=10
TZNAME:AEDT
TZOFFSETFROM:+1000
TZOFFSETTO:+1100
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-bsides-canberra-2025-WV9YXP@pretalx.com
DTSTART;TZID=AEST:20250926T110000
DTEND;TZID=AEST:20250926T112500
DESCRIPTION:Host file-access logs can be a valuable source of information w
 hen it comes to detecting the theft of sensitive files or the establishmen
 t of persistence by malware. But how can we leverage logs\, such as those 
 produced by Santa\, for early malware mitigation when monitoring a fleet t
 hat makes an enormous amount of benign file accesses every day? Enter the 
 Suspicious File Access Detection pipeline - an internal\, ML-backed detect
 ion mechanism developed through collaboration between Security and AI soft
 ware engineers at Google. The pipeline is used by Google's Detection & Res
 ponse team to score\, surface\, and investigate clandestine file access be
 haviours.\n\nI’ll take you through the process of how we created an ML m
 odel to score file access logs based on their relative suspicion level. We
 ’ll dig into how we can go beyond prevalence-based anomaly detection and
  utilize embeddings to not just identify activity that is rare\, but activ
 ity that is extremely suspicious for a given host. This approach aims to d
 etect behaviourally-agnostic malware activity involving the modification o
 f sensitive files on disk for Google’s corporate fleet.\n\nFor the purpo
 se of this talk I’ll demonstrate how we use this pipeline with Santa\, a
  publicly available binary and file access authorization system for macOS.
  I’ll take you through the process of how Santa can be configured to mon
 itor areas of the macOS filesystem that are modified to establish persiste
 nce at runtime\, and how the logs are utilized by the SFAD model.
DTSTAMP:20260603T234503Z
LOCATION:Main Track
SUMMARY:Is this binary Naughty or Nice? How Google leverages ML and Santa t
 o detect persistence on MacOS - Kristin Smith
URL:https://pretalx.com/bsides-canberra-2025/talk/WV9YXP/
END:VEVENT
END:VCALENDAR
