WEBINAR: How To Use Artificial Intelligence To Prevent Insider Threats

1 | © 2018 Interset Software
How To Use Artificial
Intelligence To Prevent
Insider Threats

Today’s Webinar Hosts
Stephan Jou
CTO, Interset
Holger Schulze, CEO
Cybersecurity Insiders

Impact Of Insider Attacks

Barriers To Insider Threat Management

Almost All Cybersecurity Problems Become Inside(r) Threats
Unauthorized
User
Malware
Phishing
Ransomware
CISO
Security
Architect
Security
Practitioner
• Low Risk Visibility
• Slow Threat Detection
• Increasing Security Spend
• Reduced SOC Efficiency
• Security Tool Integration
• Scalability, Interoperability
• Analyst Efficiency
• Alert Fatigue
• Alert Triage
• Threat Hunting & Investigation
• Attack Mitigation

Unauthorized
User
Malware
Phishing
Ransomware
But, Threats Are Obscured By Too Much Data, Too Many Systems
CISO
Security
Architect
Security
Practitioner
• Low Risk Visibility
• Slow Threat Detection
• Increasing Security Spend
• Reduced SOC Efficiency
• Security Tool Integration
• Scalability, Interoperability
• Analyst Efficiency
• Alert Fatigue
• Alert Triage
• Threat Hunting & Investigation
• Attack Mitigation
Perimeter
Network
Servers
Apps
Users
Data

Who Wants This Type Of Risk Visibility?

Current Security Tools Are Limiting
• Rules & Thresholds Based
• Fragmented
• Inefficient
• Reactive
• Scattered
• Overwhelming
• 60–80% false positives
• Not enough data for visibility
• Not enough staff

Where Companies Want To Use AI
34% of companies
plan/are using AI to
mitigate security risks

Need AI To Automate And Scale To Risk
“By 2020, 60% of digital businesses
will suffer major service failures due
to IT security teams’ inability to
manage digital risk”
Gartner

DEFINING AI

Artificial Intelligence
Input Processing Output
Learning
Decision
&
Inference
Knowledge
& Memory
Knowledge Representation,
Ontologies, Graph
Databases, …
Prescriptive Analytics,
Optimization,
Decision Making, …
Machine Learning
(supervised, unsupervised)
NLP
Speech
Recognition
Visual
Recognition
…
Data Sources
Robotics,
Navigation
Systems
Speech
Generation
Threat Leads

Different Types Of Machine Learning
Source: MathWorks
Deep Learning
Learning by example Learning by pattern
discovery

§ Based on ideas started in 1940’s
§ Biologically inspired “Neurons”
§ Input on the left, output on the right
Learning =
§ Examples compared to actual output
§ Differences used to modify the
weights (strength of connections)
§ Iterate
Input Output
1980’s: Neural Networks

Use a neural network to
discriminate between
tanks and trees
Data
§ 200 pictures (100
tanks, 100 trees)
Compute
§ One 1980’s mainframe
Results
§ Suboptimal :-)
1980’s: Pentagon & Tanks

1M x cycles (Hz)
More Compute
33,000 x pixels
More Data
Convolutional, Feedforward, Adversarial
LSTM, Ensemble
Better Algorithms
Government, Universities,
Startups, Big Companies
Broad Investment
* According to Andreessen Horowitz
What’s Different Now?

AI FOR INSIDE(R)
THREAT DETECTION

Insider Threat Detection Requires Measuring “Unique Normal”
Current tools scalability shortcomings must assume
common patterns/rules for entire population
Comparing everyone to the same
pattern means many false positives
Measuring “Unique Normal” for
each user/ machine/ filesystem
/printer /.. results in accuracy
Only large scale machine learning can measure
what is normal for every user for every category

“Unique Normal”, Or Not Requires Big Data & Unsupervised #ML
Supervised approaches, such as deep learning, is good for
cybersecurity data with lots of labels, i.e. malware. The
malware use case has decades’ worth of example
binaries, both malicious and innocent.
Unsupervised approaches are best for cybersecurity data
with limited data, typically without labels, such as
detecting anomalies indicative of unique insider threats
where there is not enough data for supervised ML.
Supervised learning is learning by example
and requires “labeled” data.
Unsupervised learning is self-discovery of
patterns and doesn’t need labels/examples.

Unsupervised Machine Learning Requires Big Data Compute
Self-Learning
Big Data Storage Big Data Compute
Contextually
Integrated
Automated

Platform Based On Unsupervised Machine Learning & AI
ACQUIRE
DATA
HIGH QUALITY
THREAT LEADS INTERNAL RECON
INFECTED HOST
DATA STAGING
& THEFT
COMPROMISED
ACCOUNT
LATERAL
MOVEMENT
ACCOUNT MISUSE
CUSTOM
FRAUD
DLP
ENDPOINT
Biz Apps
CUSTOM
DATA
NETWORK
IAM
Kibana
DETECT,
MEASURE AND
SCORE
ANOMALIES
CREATE UNIQUE
BASELINES
Contextual views.
Drill-down and
cyber-hunting.
Broad data
collection
Determine what
is normal
Gather the
raw materials
Find the behavior
that matters
Workflow engine
for incident
response.

Measuring Unique Normal Enables Accurate Anomaly Detection
Data
Repository Logs
Active Directory Logs
VPN Logs
Feature Extraction
Ann moves a significant volume of data
Ann access and takes from file folders
Ann accesses anomalous repositories
Ann logs in from anomalous location
Ann logs in at unusual time of day
(other features)
(other features)
(other features)
𝑝"
𝑝#
𝑝$
∑
𝑝%
𝑝&
𝑤"
𝑤#
𝑤$
𝑤%
𝑤&
Anomaly Detection
Auth./Access
Anomaly Model
File Access &
Usage Models
Volumetric Models
VPN Anomaly
Models
Entity Risk Aggregation
Entities
- Account
- Machine
- File
- Application
96

AI Transforms Existing Security Data Into Threat Leads

Here, Interset distills more than
5.1 billion events into 1 million
anomalies, for 29 validated and
prioritized threat leads
Anomalies Detected By AI Are Surfaced In The User Interface
”Unique Normal” measured for 12K
users, 12.8K machines, 2.4M files, 632
projects, 59 servers, 104 shares, 82
resources, 1.37M websites, 12K IP
addresses.
Enterprise risk score aggregated
across all individual entities’
“unique normal” (or not!)
measurements.

Ex. Data Exfiltration via Email Anomaly Detection (e.g. Proofpoint)
960 GB of email
data per hour was
observed at 3-4 am,
higher than any
personal or
population norm
Yaman has a norm
of 1.5 kB of
email/hr
Yaman has a high of
2.4 kB of email/hr
1
Avg of 14.8 kB of
email/hr for all pop.
690 MB/hr of email
is expected high for
all pop.
2
3

Ex: Insider Fraud Detection via Expense Reporting Anomalies
18
entertainment
claims in a
week - higher
than any norm
Norm of 6
for D Larkin
High of 4
for D Larkin
Avg 1.5 for
all users
High 16 for
all users
1
2
3

Ex: Using Anomalies To Distinguish Humans From Bots
TCP/465 on this
machine is not a
human activity
This particular machine
doesn’t normally have
humans using it at 4am
1
2
Click to Investigate
Potential Infected Host
3

Unauthorized
User
Malware
Phishing
Ransomware
AI Surfaces The Insider Threats Hidden By All The Noise
CISO
Security
Architect
Security
Practitioner
• Accelerated Threat Detection
• Expanded Risk Visibility
• Increased SOC Efficiency
• Optimize Security Investments
• Augment Security Tools
• Integrated Risk Visibility
• Noise-Cancelling Analytics
• Integrated Platform
• Faster, Focused Threat Hunting
• Accelerated Alert Triage
• Guided Investigation
• Detect Multi-faceted Attacks

AI Enables Automated Trace And Investigation Of Insider Threats

About Interset.AI
SECURITY ANALYTICS LEADER PARTNERSABOUT US
Data science & analytics
focused on cybersecurity
100 person-years of security
analytics and anomaly
detection R&D
Offices in Ottawa, Canada;
Newport Beach, CA
Interset.AI

QUESTIONS?
INTERSET.AI

WEBINAR: How To Use Artificial Intelligence To Prevent Insider Threats

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to WEBINAR: How To Use Artificial Intelligence To Prevent Insider Threats

Similar to WEBINAR: How To Use Artificial Intelligence To Prevent Insider Threats (20)

More from Interset

More from Interset (6)

Recently uploaded

Recently uploaded (20)

WEBINAR: How To Use Artificial Intelligence To Prevent Insider Threats