Advanced Threat Detection
A technical overview of how the Interset platform can quickly and accurately alert you when your sensitive data is under threat.
WHITE PAPER – ADVANCED THREAT DETECTION
Introduction
The sensitive data (intellectual property, trade secrets, business plans, M&A data and customer data)
of a company represents its most important assets and is a critical component of the company’s ability to
compete on a global scale. The loss of this data to an insider attack, a targeted outside attack, or
the negligence of an employee, contractor or partner can be catastrophic, and companies are spending
thousands and even millions of dollars to protect it. So why are the headlines still full of data loss incidents?
It seems that every month a new story of significant data loss makes the headlines, and another organization
that invested major resources to protect its data is dealing with the fallout of bad PR, fines and, worse,
potentially large amounts of lost revenue. This white paper explores the challenges of protecting this
critical data, examines why existing technologies and approaches to data protection have largely failed, and
introduces a different approach to protecting sensitive data such as intellectual property (IP) and trade secrets,
based on advanced behavioral analytics: the Interset Enterprise Threat Detection Platform.
Defining the Risks and Threats to Organizations
Regardless of size or vertical, organizations drive competitive advantage and revenue from the sensitive
data assets they create or acquire. Many of these organizations are populated by highly skilled and highly
valued employees (engineers, software developers, designers, researchers, scientists, and technicians)
who work in highly creative and dynamic environments. Almost all organizations have extensive partnerships,
including OEM partners, suppliers, dealers, outsourcers, services firms and sometimes even competitors.
Organizations also have a variety of internal end users such as contractors, consultants, and auditors who
are not employees, but still have access to critical data. Connecting the high value workers, partners and
their work are integrated computing and file share systems that purposely make access to software
applications and data both easy and pervasive.
Internal end users, whether employees, third parties or partners, have access to sensitive data and are all
capable of causing a data compromise through carelessness, ignorance or malicious activity. The most
dangerous and difficult to detect is the malicious insider. Beyond the infamous names of Manning and Snowden,
these types of attacks have become so widespread that the FBI has added ‘insider threat’ as a major focus
in its counterintelligence effort [1]. With over 70% of insider attacks going unreported, US CERT statistics show
that the average cost of an insider attack exceeded $1 Million USD in almost 50% of cases investigated [2].
Insider attacks by privileged users of all types define a significant and growing data loss risk to the enterprise.
At the same time, companies with valuable data are being targeted by a growing threat of skilled, motivated,
organized and often state-funded attackers willing to push the limits on corporate espionage via malware
and bribing employees to steal IP. These attackers can avoid investing billions of dollars in costs by stealing
the R&D, testing and manufacturing data from established companies. The consequences for legitimate
companies are enormous with losses of revenue in the millions from being cut out of foreign markets or
price undercutting in existing markets.
[1] http://www.fbi.gov/about-us/investigate/counterintelligence/the-insider-threat
[2] http://www.cert.org/blogs/insider_threat/2013/12/theft_of_ip_by_insiders.html
Defining a New Approach
A system that looks holistically across the activities and events of an organization is able to build a series
of baselines that define normal business behavior. This system understands the context of normal behavior
and provides visibility into IT and operational risk. Further, it searches out events in real-time that do not
match normal behavior. These events are the anomalies that represent possible attacks from both insiders
and outsiders. When found, alerts are surfaced so that the appropriate people can quickly investigate.
This new approach offers significant advantages, such as:
• The overall number of alerts and false positives is greatly reduced when compared to DLP or SIEM
tools, because alerts are based on anomalies relative to normal baseline behavior.
• The information about an alert is presented in the context of the event so that investigators do not waste
time trying to correlate who did what, when, and with what file.
• The events include the context of the file or files involved, and are not limited by file types so that
specialized applications and data types that include IP and trade secrets can be protected.
• The sensors that capture the relationships between users, files and endpoints are not limited when they
are offline or in virtual or cloud environments, and can see data moving to mobile devices, eliminating
many of the challenges posed by integrated and new technology.
• The system works across all users, whether privileged IT admins, knowledge workers, contractors or
partners when deployed in their organization.
• Events from an attack, whether from an insider or from an outsider who attempts surreptitious access
for the purpose of exfiltration, show up immediately because they trigger anomaly alerts. The analytics
engine finds these attacks, and sends an alert as soon as the anomaly is discovered, providing security
managers time to react and quick access to information so they can stop the threat before data is
compromised.
This is the approach used by the Interset Platform, powered by a cutting edge behavioral analytics engine
and innovative big data collection and aggregation capabilities.
How Interset Works
Behavioral Analytics are not new, but applying these proven methodologies for identifying and mitigating
risk within security is a paradigm shift. To make behavioral analytics truly effective, a rich set of information
must be collected and modelled so that anomalies can be accurately surfaced. The Interset platform is
specifically designed to optimize the threat detection process from metadata collection to analytical modeling.
Event Data Collection
Interset offers multiple agentless and agent-based data collection capabilities and is continually increasing
collection capabilities over time to drive ever richer data sets. Agentless data collection starts with specialized
Interset connectors that gather data from existing enterprise applications and systems. With a focus on
applications where IP and trade secrets are created, managed and stored, Interset connectors collect log
data from source code management systems, product lifecycle management systems, enterprise content
management systems, identity management systems, and security information and event management (SIEM)
systems. Examples of such systems include Perforce, Windchill, SharePoint, Active Directory, and Splunk.
Interset also offers a lightweight endpoint sensor that can be deployed across your organization on desktops,
laptops, workstations and servers. The collector works at the system level to continuously track data
interactions, user events, and system events. Once deployed, interactions are recorded every day, ranging
from what applications are opened to whether the user has taken a screenshot of a sensitive document,
or attempted to “print to file.” Supported on both Windows and Mac, the Interset endpoint sensor is also
designed to work both online and offline, and maintains a minimal footprint so that system performance is not
affected.
Log data collected via a connector or endpoint sensor includes the following fields: user, IP address,
timestamp, action (commit, sync, get, etc.), resource (folder, file, path, etc.) and other specialized data fields
that may be helpful. This data is then aggregated and stored in Hadoop and retrieved by Apache Spark and
Phoenix for analytics. After collection, aggregation, and analysis is completed, the results can be explored via
the Interset UI or exported through an open API to SIEM solutions or into a Security Operations Center (SOC).
Behavioral Analytics
The Interset Behavioral Analytics Engine is driven by two main classes of mathematics: behavioral risk modeling and entity risk modeling. Behavioral risk models are multivariate math models that take in all available contexts for each event that occurs across an organization and combine event and context in a meaningful way to produce a Behavior Risk Score. Entity Risk Models are a second set of math models that drive Entity Risk Scores for Users, Machines and Assets, adjusting these risk scores over time based on the events that occur. Every entity (user, machine and asset) maintains its own risk score. Assets are most commonly files but can also be applications, source code and other valuable objects. Entity risk models create the normal activity baselines that are then compared against events to determine how anomalous an event is in the behavioral risk model.
Figure: The connected relationship model between events, behavioral risk, behavioral risk scores, entities and entity risk scores.
The Interset Behavioral Analytics Engine sees and understands the relationship between Events and Entities as it observes activities across the organization. The analytics engine builds and maintains irrevocable relationships between entities as events occur. As Interset observes activities and builds relationships, the analytics engine continuously creates and refines metrics that drive behavioral baselines. The engine is able to see each anomalous behavior and connect the dots of a series of behaviors in terms of its context (files touched, application used, machines involved, projects accessed, users involved) to offer a complete picture of the threat as it is occurring. By connecting the events, the Interset Platform creates stories — a series of anomalous events which enables the analytics engine to remove noise and false positives.
In addition, through statistical analysis, the engine quantifies just how anomalous an observed behavior is. As usage and anomaly patterns are refined, the analytics engine learns which users create more risk, which files are the most at risk, and which machines are most often part of risky activities. Interset actively maintains a risk score for all of these entities using normalized values. The more an entity is involved in high-risk anomalous activities, the more its risk score will increase. Conversely, an entity that is not involved in high-risk activities, and that doesn’t trigger alerts, will have its risk score decrease over time. When entities are involved in anomaly alerts, the alerts will be presented in a prioritized order based on the risk score.
Entities and Risk
Entities are defined as users, machines (identities) and assets. A core feature of Interset is its ability to
accurately model the risk of all entities in your organization. Entity risk needs to be more than just a simple
one-time data classification exercise: entity risk changes over time, and needs to respond automatically over
time, to result in a maintainable, scalable system.
Tracking user risk enables IT teams to identify persons of interest. For example, as users (or their accounts)
exhibit more behavior with indicators of compromise, or their activity starts to show anomalous events
(and therefore possible indicators of an account takeover), or their activity starts to show indications
of becoming a leaver (and therefore is statistically prone to IP exfiltration), the user risk score will increase
correspondingly to signal a warranted follow-up investigation. With Interset, the ability to instantly show the
most risky users in the organization is a very valuable way to focus the investigation team and maintain
a scalable process. Such a view shows the users that, among your entire organization, have accumulated
the most risk. Clicking on a user then allows you to see the underlying alerts and events that have
resulted in the system increasing that user’s risk score.
Machine risk tracks suspicious behaviors that accumulate on certain machines. Are some machines more
prone to store important files and become vulnerable to exfiltration? If so, that will be reflected in a high
machine risk score. For all machines monitored by an endpoint sensor, Interset will show the machines that
are most at risk. This risk can be due to compromise of the machine by malware, usage of the machine
by an insider, or high value assets being moved to or stored in machines making them more at risk.
Figure: The behavior risk score is an aggregate of identity (user or machine), activity, asset, and asset movement risk scores involved in the behavior.
Asset risk is a different set of models that identify where important data such as IP or trade secrets has
collected within your organization. Having asset risk tracked through a separate and accurate set of models
is important because file contents change over time. Some files, for example, may be highly important and
therefore any anomalous behaviors or violations involving those assets should respond more rapidly than
other files. Computing a higher importance value for those files compared to others quantifies this relationship.
As the Interset platform defines important files, machine learning methods are used to learn common
attributes of these files, and discover and identify other, new files that are likely to be important as well.
The “vulnerability” of an entity is used to amplify the entity’s importance over time, based on the observed
behaviors involving that entity. As every user, file or machine exhibits anomalies, violations and exits, the
vulnerability of each entity involved is increased in proportion to the severity and recency of the event.
In other words, the more serious the bad event, and the more such events happen close together, the more quickly
the vulnerability and overall risk score of the entity increase.
Figure: The relationship of events, behavioral risk and entity risk: three events drive all risk scores higher.
The figure above illustrates a simple three-event example that shows the relationship between behavioral
and entity risk models and how entity risk scores change over time. As J Mason executes three events, the
anomalous nature and riskiness of each event creates higher behavioral risk scores. To start, the entity risk
scores begin very low, showing little danger across the user, the machine logged into and the file that
has been accessed. As each event occurs, the behavior and entity risk scores climb. The Interset Behavioral
Analytics Engine then surfaces the threat across the events as well as the entities. The derivative file created
is also surfaced, as it inherits the high risk score of its parent asset.
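The interplay between the behavior risk score and the entity risk scores described in this section, and illustrated by the three-event figure, as an added toy model. This is illustration code written for this page, not Interset's own models, which the paper does not publish. The event records use the fields listed under Event Data Collection (user, timestamp, action, resource) plus a machine field; the rarity function, the aggregation weights, the decay rate, the per-action movement-risk table, the anomaly threshold, the asset importance values and the J Mason events are all assumptions constructed for the example.

```python
"""Toy behavioral + entity risk model (added illustration, not Interset's code)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import math

# Relative "asset movement" risk of each action: moving data off its normal
# location scores higher. Values are invented for illustration.
MOVEMENT_RISK = {"sync": 0.05, "get": 0.05, "commit": 0.05, "open": 0.05,
                 "copy": 0.4, "screenshot": 0.6, "print_to_file": 0.7, "copy_usb": 0.9}
WEIGHTS = {"identity": 0.25, "activity": 0.35, "asset": 0.25, "movement": 0.15}
ANOMALY_THRESHOLD = 0.3   # behaviors scoring below this do not raise entity risk
DECAY_PER_DAY = 0.1       # a quiet entity loses roughly 10% of its risk per day


def hour_of(ev):
    return datetime.fromisoformat(ev["ts"]).hour


def location_of(resource):
    """Directory / project of a resource path, used as a baseline feature."""
    return resource.rsplit("/", 1)[0]


class Baseline:
    """Per-user normal-activity profile. Rarity of a value is 1/(1+n), where n is
    how often the user has been seen with that hour, machine or location before."""

    def __init__(self):
        self.hours, self.machines, self.locations = Counter(), Counter(), Counter()

    def learn(self, ev):
        self.hours[hour_of(ev)] += 1
        self.machines[ev["machine"]] += 1
        self.locations[location_of(ev["resource"])] += 1

    def activity_risk(self, ev):
        rarity = lambda counter, key: 1.0 / (1 + counter[key])
        return (rarity(self.hours, hour_of(ev)) + rarity(self.machines, ev["machine"])
                + rarity(self.locations, location_of(ev["resource"]))) / 3


class EntityRisk:
    """Normalized risk score in [0, 1] per entity (user, machine or asset). Scores
    decay exponentially while the entity is quiet and rise, saturating towards 1,
    in proportion to the severity of each anomalous behavior the entity is part of."""

    def __init__(self, importance):
        self.score, self.last_seen = defaultdict(float), {}
        self.importance = dict(importance)   # asset -> classified importance

    def get(self, entity, now):
        seen = self.last_seen.get(entity)
        if seen is not None:
            days = (now - seen).total_seconds() / 86400
            self.score[entity] *= math.exp(-DECAY_PER_DAY * days)
            self.last_seen[entity] = now
        return self.score[entity]

    def bump(self, entity, severity, now):
        current = self.get(entity, now)
        self.score[entity] = 1 - (1 - current) * (1 - severity)
        self.last_seen[entity] = now

    def inherit(self, child, parent, now):
        """A derivative file starts with its parent's risk score and importance."""
        self.score[child] = max(self.score[child], self.get(parent, now))
        self.last_seen[child] = now
        if parent in self.importance:
            self.importance.setdefault(child, self.importance[parent])


def score_event(ev, baselines, risk):
    """Behavior risk = weighted aggregate of identity, activity, asset and asset-
    movement risk. Anomalous behaviors then raise the risk of the entities involved."""
    now = datetime.fromisoformat(ev["ts"])
    user, machine, asset = ev["user"], ev["machine"], ev["resource"]
    identity = (risk.get(user, now) + risk.get(machine, now)) / 2
    activity = baselines[user].activity_risk(ev)
    asset_risk = max(risk.get(asset, now), risk.importance.get(asset, 0.0))
    movement = MOVEMENT_RISK.get(ev["action"], 0.5)
    behavior = (WEIGHTS["identity"] * identity + WEIGHTS["activity"] * activity
                + WEIGHTS["asset"] * asset_risk + WEIGHTS["movement"] * movement)
    if behavior >= ANOMALY_THRESHOLD:
        for entity in (user, machine, asset):
            risk.bump(entity, behavior, now)
        if ev.get("derived"):
            risk.inherit(ev["derived"], asset, now)
    baselines[user].learn(ev)
    return round(behavior, 4)


def run_demo():
    """Replay a constructed work history, then score one normal event and three
    risky ones mirroring the paper's three-event figure. Returns the behavior
    scores, the final entity risk scores and the user's score after 30 quiet days."""
    ev = lambda ts, action, resource, **extra: dict(
        user="jmason", machine="ws-12", ts=ts, action=action, resource=resource, **extra)
    history = [ev(f"2015-03-0{d}T{h}:00:00", "sync", "//depot/projA/main.c")
               for d, h in ((2, "09"), (2, "10"), (3, "11"), (3, "14"), (4, "15"), (4, "16"))]
    events = [
        ev("2015-03-09T10:05:00", "sync", "//depot/projA/main.c"),       # normal
        ev("2015-03-10T23:40:00", "get", "//depot/projX/design.pdf"),    # late night, new project
        ev("2015-03-10T23:45:00", "copy", "//depot/projX/design.pdf",    # creates derivative
           derived="/home/jmason/design_copy.pdf"),
        ev("2015-03-10T23:50:00", "copy_usb", "/home/jmason/design_copy.pdf"),
    ]
    baselines, risk = defaultdict(Baseline), EntityRisk({"//depot/projX/design.pdf": 0.8})
    for h in history:
        baselines[h["user"]].learn(h)
    scores = [score_event(e, baselines, risk) for e in events]
    now = datetime.fromisoformat(events[-1]["ts"])
    final = {e: round(risk.get(e, now), 4) for e in
             ("jmason", "ws-12", "//depot/projX/design.pdf", "/home/jmason/design_copy.pdf")}
    quiet = round(risk.get("jmason", now + timedelta(days=30)), 4)
    return scores, final, quiet


if __name__ == "__main__":
    print(run_demo())
```

The normal event scores well below the anomaly threshold and leaves every entity at zero; the three late-night events each score higher than the last, the user, the machine and the original file climb together, the derivative file starts at its parent's score and ends up the riskiest asset, and thirty quiet days bring the user back down. Real deployments would learn the weights and thresholds rather than hard-code them, but the structure (baseline rarity, aggregate behavior score, saturating entity update with decay, inheritance for derivatives) is what the figure describes.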
Rules
The Interset Platform also utilizes a rules engine, which complements the behavioral analytics engine, and
is applied at two points in the threat detection process. The first is prior to full behavioral analysis, and is the
point where corporate or compliance policies can be defined in the system. Policies can be defined to govern
user access, applications usage including cloud, USB devices, and the access of sensitive files. The alerts
based on these policies can be measured against risk thresholds, so that alerts are triggered only when these
thresholds are exceeded. Companies can quickly identify prioritized gaps in their existing IT systems
and policies through Interset’s visibility into the activities between users, files and devices and the risk
measurements Interset applies. Interset rules can also be set to interact directly with the end user whose
actions are creating the violation, offering a powerful real-time training and awareness tool to help
employees understand and self-correct risky behavior.
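The two-stage rule evaluation described above, as an added example that is not part of the paper or of Interset's product: policy rules are checked on each event before full behavioral analysis, a matching rule always produces the real-time end-user notification if one is configured, and a security alert is raised only when the actor's entity risk score meets the rule's threshold. The rule names, policy conditions, thresholds, messages, entity risk values and events are assumptions constructed for illustration.

```python
"""Toy policy rules engine with risk thresholds (added illustration, not Interset's)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

SENSITIVE_PREFIXES = ("//depot/projX", "/shares/finance")   # constructed locations
UNAPPROVED_CLOUD = {"dropbox-personal", "gdrive-personal"}   # constructed app names


@dataclass
class Rule:
    name: str
    matches: Callable[[dict], bool]   # corporate / compliance policy condition
    risk_threshold: float             # alert security only when actor risk >= this
    user_message: str = ""            # real-time nudge to the end user, if configured


def is_sensitive(resource: str) -> bool:
    return resource.startswith(SENSITIVE_PREFIXES)


RULES: List[Rule] = [
    Rule("usb-sensitive-copy",
         lambda e: e["action"] == "copy_usb" and is_sensitive(e["resource"]), 0.5,
         "Sensitive files must not be copied to USB media; use the approved transfer portal."),
    Rule("unapproved-cloud-upload",
         lambda e: e["action"] == "upload" and e.get("app") in UNAPPROVED_CLOUD, 0.3,
         "Personal cloud storage is not approved for work data; use the corporate share."),
    Rule("finance-share-access",   # silent rule: no user message, high threshold
         lambda e: e["action"] == "open" and e["resource"].startswith("/shares/finance"), 0.7),
]


def evaluate(event: dict, entity_risk: Dict[str, float],
             rules: List[Rule] = RULES) -> Tuple[list, list]:
    """Return (security_alerts, user_notifications) for one event. A violation
    always notifies the user when the rule carries a message; it becomes a
    security alert only when the actor's risk score reaches the rule's threshold."""
    alerts, notifications = [], []
    actor_risk = entity_risk.get(event["user"], 0.0)
    for rule in rules:
        if not rule.matches(event):
            continue
        if rule.user_message:
            notifications.append({"user": event["user"], "rule": rule.name,
                                  "message": rule.user_message})
        if actor_risk >= rule.risk_threshold:
            alerts.append({"rule": rule.name, "user": event["user"],
                           "resource": event["resource"], "risk": actor_risk})
    return alerts, notifications


def run_demo():
    """Constructed entity risk scores and events: the same USB copy yields only a
    user nudge for a low-risk user but a security alert for a high-risk one."""
    risk = {"jsmith": 0.35, "jmason": 0.7}
    events = [
        {"user": "jsmith", "action": "copy_usb", "resource": "//depot/projX/design.pdf"},
        {"user": "jmason", "action": "copy_usb", "resource": "//depot/projX/design.pdf"},
        {"user": "jsmith", "action": "upload", "app": "dropbox-personal",
         "resource": "/home/jsmith/notes.docx"},
        {"user": "jsmith", "action": "sync", "resource": "//depot/projA/main.c"},
    ]
    return [evaluate(e, risk) for e in events]


if __name__ == "__main__":
    for alerts, notes in run_demo():
        print("alerts:", alerts, "| notifications:", notes)
```

Because the threshold is per rule, a low-severity policy such as the cloud-upload rule can alert at a lower risk level than the USB rule, while the silent finance-share rule only ever reaches security staff. The user notifications are the "real-time training and awareness" channel the section describes; they fire regardless of risk score.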
Reducing noise and false positives
Through Interset’s stories approach, which is driven by various behavioral and entity risk models, security
teams are able to cut through the noise and false-positive events that currently overwhelm them. As an example
— suppose “John Sneakypants” was detected accessing an important network share, an unusual event,
given his historical access patterns and/or the patterns of his peers in the same role. This may be suspicious,
but it could also be a false positive if John has had a recent role change or has been assigned to a new
project. But suppose that John also accessed this file at a time of day that he was never active at before,
and that he also just took files from a source code project that had been inactive for months, and that he
also copied an unusually large amount of sensitive files to a USB drive. Suddenly, this event is a lot more
suspicious. It is this intuition that the entity risk models capture, in real time, via mathematics.
This enables the Interset platform to automatically focus in and alert on actual threats, while tuning out the
massive amounts of uninteresting noise that overwhelm existing tools and the security teams that operate
them. The stories approach can vastly improve an organization’s ability to quickly determine the root cause
of a threat and respond proactively before critical data is compromised.
Figure: Interset Enterprise Risk and Threat Detection Architecture.
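The story-building step described under "Reducing noise and false positives", as an added example; it is illustration code for this page, not Interset's implementation. It assumes that upstream detectors already emit individual anomaly records (user, time, kind, detail), groups each user's anomalies into stories by time proximity, and scores a story so that one weak anomaly stays below the alert line while several weak anomalies close together do not. The anomaly kinds, their weights, the six-hour window, the alert threshold and the records replaying the John Sneakypants narrative are all constructed assumptions.

```python
"""Toy "stories" correlation over anomaly records (added illustration, not Interset's)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Weight of each anomaly kind on its own, on a [0, 1) scale (constructed values).
ANOMALY_WEIGHT = {"unusual_share_access": 0.3, "unusual_hour": 0.3,
                  "dormant_project_access": 0.4, "large_usb_copy": 0.6}
STORY_WINDOW = timedelta(hours=6)   # anomalies this close together form one story
STORY_THRESHOLD = 0.6               # only stories at or above this become alerts


def story_score(anomalies):
    """Combine anomaly weights as 1 - prod(1 - w): one weak anomaly stays weak,
    several together approach 1."""
    p_normal = 1.0
    for a in anomalies:
        p_normal *= 1.0 - ANOMALY_WEIGHT[a["kind"]]
    return round(1.0 - p_normal, 4)


def make_story(user, anomalies):
    score = story_score(anomalies)
    return {"user": user, "score": score, "alert": score >= STORY_THRESHOLD,
            "chain": [(a["ts"].isoformat(timespec="minutes"), a["kind"], a["detail"])
                      for a in anomalies]}


def build_stories(anomalies):
    """Group each user's anomalies, in time order, into stories: an anomaly joins
    the current story if it falls within STORY_WINDOW of that story's first anomaly,
    otherwise it opens a new one."""
    by_user = defaultdict(list)
    for a in sorted(anomalies, key=lambda a: a["ts"]):
        by_user[a["user"]].append(a)
    stories = []
    for user, items in by_user.items():
        current = []
        for a in items:
            if current and a["ts"] - current[0]["ts"] > STORY_WINDOW:
                stories.append(make_story(user, current))
                current = []
            current.append(a)
        if current:
            stories.append(make_story(user, current))
    return stories


def run_demo():
    """Constructed anomaly records: the John Sneakypants chain, one isolated odd
    access by the same user days earlier, and a lone anomaly from a user who
    simply changed teams."""
    t = datetime(2015, 3, 10, 22, 0)
    anomalies = [
        {"user": "jsneakypants", "ts": t, "kind": "unusual_share_access",
         "detail": "/shares/finance/forecast (never accessed by user or peers)"},
        {"user": "jsneakypants", "ts": t, "kind": "unusual_hour",
         "detail": "first activity ever after 21:00"},
        {"user": "jsneakypants", "ts": t + timedelta(minutes=20), "kind": "dormant_project_access",
         "detail": "//depot/legacy (no commits for 5 months)"},
        {"user": "jsneakypants", "ts": t + timedelta(minutes=45), "kind": "large_usb_copy",
         "detail": "214 sensitive files, 1.9 GB"},
        {"user": "jsneakypants", "ts": t - timedelta(days=3), "kind": "unusual_share_access",
         "detail": "/shares/hr/org-chart"},
        {"user": "asmith", "ts": t + timedelta(hours=10), "kind": "unusual_share_access",
         "detail": "/shares/finance/budget (recent role change)"},
    ]
    return build_stories(anomalies)


if __name__ == "__main__":
    for story in run_demo():
        print(story["user"], story["score"], "ALERT" if story["alert"] else "quiet", story["chain"])
```

The lone share access by asmith and the isolated earlier access by jsneakypants each score 0.3 and stay quiet, while the four-anomaly chain scores 0.8824 and is surfaced with its full chain attached, so the investigator sees who, when and what without correlating by hand.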
Proactive Forensics
Leveraging end-user behavioral analytics is also key to lowering the cost of forensic investigations.
It illuminates patterns and relationships created by the habits and activities of users and their devices.
By capturing the relationships between identities, activities, assets (files and machines), and the movement
of the data, an investigation can quickly and accurately identify the information that defines the risk or threat
down to the user, application or file in question. Since all activity is captured, a complete historical record of
the events related to the threat and all relationships is immediately available. This enables you to reconstruct
the activities that led up to the event, automating the reconstruction and loss analysis, compressing the
time it takes to determine the root cause and extent of a breach. Forensics are no longer reactive but
proactive, dramatically lowering the cost to investigate an incident and enabling fast pursuit of legal action
or policy adjustments to prevent or reduce the risk of a future breach.
Use Cases
Beyond the protection of intellectual property and trade secrets, the Interset Platform addresses several
other use cases:
• Employee Resignation
The US CERT reports that more than 70% of resigning employees leave with IP, trade secrets and other
sensitive business data. Interset captures all end user file level events and when an employee announces
their resignation, reports can be quickly generated to see what sensitive data was accessed and where
it was moved to. HR departments can include these reports in their exit interviews and take effective
action to eliminate this common data loss risk. Similarly, when employees have not yet announced their
resignation but have planned to leave with malicious intent, the Interset Platform captures the behavioral
changes of such users and can alert security and HR to prevent data exfiltration. With its unique and
extensive visibility, Interset can see and capture all sensitive file movements involving USB devices and cloud
environments, whether the machine is on or off the corporate network or completely offline.
• IT Controls/Policy Violations
Risks from improper application usage, improper file access and storage, and usage of unauthorized cloud
storage systems are all captured by Interset and can be easily seen through the Interset UI. Common
risks like USB device usage, web mail attachments and employees emailing work home are also captured.
It is very common for scientists, researchers and technicians to “bring their work home,” and in some
cases this is even approved, but Interset can provide an understanding of how users are moving the data home
and what risk they are creating when they do. One Life Sciences customer had an IT control on Outlook
attachment size to minimize storage and help with some compliance regulations. Interset quickly showed
that employees were bypassing the control by attaching large files to webmail and using that for data
transfer to other employees and partners, creating an even greater risk of data loss and non-compliance.
• Education
Interset also supports the notion that your best data security tool is an educated employee. This
is especially true in highly creative and open industries. When Interset recognizes that a user is
violating a policy or taking an unusual risk, real-time notifications detailing what the violation or risk is
and alternative paths the employee can choose are immediately sent to the user. Education on corporate
policy, awareness of new risks and self-remediation on improper activity represent the most effective
IT control available.
Conclusion
Using the science of Behavioral Analytics, Interset helps IP and trade secret centric companies and partners
gain visibility into what is truly happening across their collaborative enterprise. The ability to detect risky user
behaviors, processes, and controls enables companies to quickly detect and take action on anomalies that
represent insider and outsider threats. This level of risk visibility and detection provides you with the power
to secure high-value intellectual property and trade secrets, as well as other sensitive business data.
Interset’s innovative approach offers significant advantages, including:
• Reducing noise and false positives so that security teams can focus on material risks and actual threats
• Reducing the time required to forensically investigate a risky event or anomaly
• Expanding protection to include all types of IP and trade secrets including specialized design, engineering,
PLM and source code management applications
• Expanding protection to endpoints, whether they are on the corporate network or offline
• Accurately detecting insider and outside attacks during their early stages, enabling the attack to be
stopped before sensitive data is compromised
These advantages reduce the overall cost and complexity of a threat detection and data protection program
while increasing a security team’s ability to reduce risk and surface actual threats to the organization. In doing
this, Interset enables security teams and companies of all sizes to be more efficient, effectively protect their
IP and trade secrets, and most importantly be more competitive in global markets.