
Endpoint Threat Detection: Rules vs. Behavioral Analysis


Interset’s behavioral analytics augments an endpoint protection platform with an analytical brain that processes data faster than humanly possible to detect hidden threats. Analyzing endpoint data with unsupervised machine learning connects the dots of inside(r) threats and exposes the signs of a threat often missed by traditional endpoint solutions. Learn more at interset.com/uncover-endpoint-threats.

Published in: Technology

  1. © 2018 Interset Software. Rules vs. Behavioral Analysis for the Endpoint
  2. Data Staging: Rules vs Behavioral Analytics
     Rules:
       • Volume of data interacted with by a user is higher than a threshold
       • Number of accesses to a storage volume by a user is higher than a threshold
     Behavioral Analytics:
       • Volume of data interacted with by a user is higher than their average
       • Volume of data interacted with by a user is higher than their second highest
       • Volume of data interacted with by a user is higher than the organization's average
       • Volume of data interacted with by a user is higher than the organization's second highest
       • Number of storage volume accesses by a user is higher than their average
       • Number of storage volume accesses by a user is higher than their second highest
  3. Lateral Movement/Internal Recon: Rules vs Behavioral Analytics
     Rules:
       • Detection of accesses to resources, assets, machines
     Behavioral Analytics:
       • Shared drive access attempt by a user, that few peers access
       • Resource access attempt by a user, not recently accessed by anyone
       • Number of accesses to a shared drive by a user is higher than their average
       • Number of accesses to a shared drive by a user is higher than their second highest
       • Access of a storage volume type by a user, not recently used by anyone
       • Access of a storage volume type by a user, not recently used by the user
  4. Low and Slow Attacks: Rules vs Behavioral Analytics
     Rules:
       • Manual threat hunting and investigation
     Behavioral Analytics:
       • Calculation of an aggregated entity risk score based on anomalies detected over time
       • Amount of data sent to a destination by a machine in a week or month is higher than its average
       • Amount of data sent to a destination by a machine in a week or month is higher than its second highest
       • Shared drive access attempt by a user, not recently accessed by anyone
       • Shared drive access attempt by a user, that few peers access
  5. Data Exfiltration: Rules vs Behavioral Analytics
     Rules:
       • Volume of data interacted with by a user is higher than a threshold
       • Number of accesses to a storage volume is higher than a threshold
     Behavioral Analytics:
       • Amount of data sent to a destination by a machine is higher than the organization's average
       • Amount of data sent to a destination by a machine is higher than the organization's second highest
       • Number of exfiltration attempts by a user is higher than their average
       • Number of exfiltration attempts by a user is higher than their second highest
  6. Fileless Malware: Rules vs Behavioral Analytics
     Rules:
       • Detection of process launch
     Behavioral Analytics:
       • Use of a process by a user, not recently used by anyone
       • Use of a process by a user, not recently used by the user
       • Amount of data received from a destination by a machine is higher than the organization's average
       • Amount of data received from a destination by a machine is higher than the organization's second highest
       • Volume of events generated by a user is higher than their average
  7. Privileged Access: Rules vs Behavioral Analytics
     Rules:
       • Detection of service creation/start
       • Detection of privileged process launch
     Behavioral Analytics:
       • Use of a service or a privileged process by a user, not recently used by anyone
       • Use of a service or a privileged process by a user, not recently used by the user
       • Use of a service or a privileged process by a machine, not recently used by that machine
  8. Bot Activity: Rules vs Behavioral Analytics
     Rules:
       • Volume of events generated by a user is higher than a threshold
     Behavioral Analytics:
       • Uniform distribution of user activity over a period of time
       • Unusual use of port/protocol at irregular working time
       • Volume of events generated by a user is higher than their average
       • Volume of events generated by a user is higher than their second highest
  9. Rules vs Behavioral Analytics for Endpoint Threat Detection (comparison graphic: "Without Interset" vs "With Interset Behavioral Analytics")
  10. Contact: SecurityAI@interset.com | IntersetAI | Interset
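The contrast the slides draw can be made concrete. The Python below is an added example written for this page, not Interset's code: it runs a fixed-threshold rule and the slides' baseline comparisons (a user's own average and second highest, the organization's average and second highest, and resources not recently used by anyone, not recently used by the user, or used by few peers) over a small set of constructed endpoint records, then folds the anomalies into a per-user score in the spirit of slide 4. The record layout, the 450 MB threshold, the four-day lookback, the "few peers" ratio and the definition of the organization's baseline as all prior user-days are assumptions made for the example.

```python
"""Rule thresholds vs. behavioral baselines over constructed endpoint telemetry.

Added example, not Interset's code. Telemetry below is constructed; volumes are
MB written to storage per user per day.
"""
from collections import defaultdict
from statistics import mean

# Constructed daily data-volume telemetry: (day, user, mb_written_to_storage)
VOLUME_EVENTS = [
    (1, "alice", 100), (2, "alice", 120), (3, "alice", 90), (4, "alice", 110), (5, "alice", 2000),
    (1, "bob", 500), (2, "bob", 480), (3, "bob", 520), (4, "bob", 510), (5, "bob", 500),
    (1, "carol", 50), (2, "carol", 60), (3, "carol", 55), (4, "carol", 52), (5, "carol", 53),
]

# Constructed resource-access telemetry: (day, user, resource)
ACCESS_EVENTS = [
    (1, "alice", "common-share"), (2, "bob", "common-share"), (3, "carol", "common-share"),
    (4, "dave", "common-share"),
    (1, "bob", "hr-share"), (3, "bob", "hr-share"),
    (5, "alice", "hr-share"), (5, "alice", "backup-vol"), (5, "bob", "hr-share"),
    (5, "carol", "common-share"),
]


def rule_threshold(events, threshold_mb):
    """Static rule: flag every (user, day) whose volume exceeds a fixed threshold."""
    return sorted((user, day) for day, user, mb in events if mb > threshold_mb)


def second_highest(values):
    """Second-largest value of a series (the maximum when the series has one value)."""
    ordered = sorted(values, reverse=True)
    return ordered[1] if len(ordered) > 1 else ordered[0]


def behavioral_volume(events, day):
    """Baseline comparisons for `day`, using only earlier days as the baseline.

    Returns {user: {flag_name: bool}}. Assumption: the organization's baseline
    is the set of all prior user-days across every user.
    """
    history = defaultdict(list)
    today = {}
    for d, user, mb in events:
        if d < day:
            history[user].append(mb)
        elif d == day:
            today[user] = mb
    org = [mb for series in history.values() for mb in series]
    org_avg, org_2nd = mean(org), second_highest(org)
    result = {}
    for user, mb in today.items():
        own = history.get(user)
        if not own:
            continue  # no baseline yet: a rule can still fire here, a baseline cannot
        result[user] = {
            "above_own_avg": mb > mean(own),
            "above_own_2nd": mb > second_highest(own),
            "above_org_avg": mb > org_avg,
            "above_org_2nd": mb > org_2nd,
        }
    return result


def behavioral_access(events, day, lookback_days=4, few_peers_ratio=0.34):
    """Novelty/rarity checks for each access on `day` against the lookback window.

    Returns {(user, resource): set_of_reasons}; accesses with no reason are omitted.
    "Few peers" means the share of other known users who touched the resource in
    the window is at or below `few_peers_ratio` (an assumed cut-off).
    """
    window = [(u, r) for d, u, r in events if day - lookback_days <= d < day]
    population = {u for d, u, _ in events if d < day}
    users_by_resource = defaultdict(set)
    for u, r in window:
        users_by_resource[r].add(u)
    findings = {}
    for d, user, resource in events:
        if d != day:
            continue
        prior_users = users_by_resource.get(resource, set())
        reasons = set()
        if not prior_users:
            reasons.add("not_recently_used_by_anyone")
        if user not in prior_users:
            reasons.add("not_recently_used_by_user")
        peers = prior_users - {user}
        if len(peers) / max(len(population) - 1, 1) <= few_peers_ratio:
            reasons.add("few_peers_access")
        if reasons:
            findings[(user, resource)] = reasons
    return findings


def risk_score(volume_flags, access_findings):
    """Slide 4 in miniature: accumulate anomalies per entity instead of alerting on each."""
    score = defaultdict(int)
    for user, flags in volume_flags.items():
        score[user] += sum(flags.values())
    for (user, _resource), reasons in access_findings.items():
        score[user] += len(reasons)
    return dict(score)


if __name__ == "__main__":
    print("rule hits:", rule_threshold(VOLUME_EVENTS, 450))
    flags = behavioral_volume(VOLUME_EVENTS, 5)
    findings = behavioral_access(ACCESS_EVENTS, 5)
    print("day-5 volume flags:", flags)
    print("day-5 access findings:", findings)
    print("risk score:", risk_score(flags, findings))
```

On this data the 450 MB rule fires on bob every single day because his normal volume sits above the threshold, and it catches alice only on the day of the spike; the baselines stay quiet on bob's volume apart from the weak "above organization average" signal and light up every check for alice. The access checks also show why the deck's low-and-slow slide leans on an aggregated score: "few peers access" fires for bob on a share that only he legitimately uses, so a single novelty signal is a poor alert on its own but a reasonable contribution to an entity's running risk.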
