Cybersecurity trends come and go, but machine learning looks to be here to stay. According to a recent survey, 43% of data breaches in recent years were caused by employees, contractors or suppliers, either negligently or maliciously. How can we harness UEBA and machine learning technologies to protect against the insider threat?
Harnessing UEBA and Machine Learning technologies to protect enterprises from insider threats
Slide 1: ZoneFox – Harnessing UEBA and Machine Learning Technologies to Protect Enterprises from Insider Threats
Slide 2: Background to ZoneFox (Lynsey Jenkins, Director of Marketing)
• Spun out of Napier University Edinburgh by CEO & Founder, Dr Jamie Graves, in 2011
• Multiple awards for Cyber Innovation, Best Product, Best Start Up
• Global customers – headquartered in Edinburgh
• Start up to scale up – 3 people to 30+
• Growth driven by innovation and differentiation
• Now a Fortinet company
Slide 3: Who Are We?
ZoneFox is an award-winning market leader in User Entity Behavior Analytics, providing the critical insights around data flow that you need to secure against the Insider Threat.
A few of our reference customers:
Slide 4: Why is there such a risk in business today?
People working from home “a threat to Cyber Security”, charities warned.
– Neil Sinclair, London Digital Security Centre
Slide 5: So what is the Insider Threat?
• People – an asset and a liability
• Accidental, malicious, careless, collusion
• Causes – lack of training, lack of controls, lack of visibility, easy-to-bypass controls
Slide 6: The rise of the Insider Threat
According to McAfee, in recent years 43% of data breaches – affecting companies of all sizes – were caused by employees, contractors or suppliers, either negligently or maliciously.
Slide 7: Relevance to the Enterprise
Job titles that didn’t really exist 3 years ago:
• Head of Insider Threat – Deloitte
• Insider Threat Consultant – EY
• Insider Cyber Risk Assessor – Barclays
• Insider Threat Analyst – BAE Systems
• Director of Insider Threat – GE
• Head of Investigation & Insider Threat – Worldpay
• VP of Insider Threat – Citizens Bank
• Insider Risk Manager – Lloyds BG
• Head of Data – Insider Risk – HSBC
Slide 8: Cyber Security 101 – traditional methods
• Intrusion Detection
• Perimeter Protection
• Anti Virus
• Firewalls
• Application Whitelisting
• Network Packet Inspection
• Encryption
• Next Generation Anti Virus
• Log aggregation & SIEM
Slide 10: Where does UEBA and Machine Learning fit?
• Machine Learning is a good human augmentation for filtering and sifting massive data sets
• Ideal tool for spotting non-compliant, suspicious or anomalous behaviour – the needle within the haystack
• As UEBA learns the behaviour of individuals over time it becomes more accurate
Slide 11: Getting Started with Machine Learning
• Two principal, distinct approaches for Machine Learning:
  - supervised
  - unsupervised
• It’s not an elixir; it’s a tool to be used (or misused) amongst others in your arsenal. Complementary to SIEM (Fortinet Fabric).
Slide 12: Getting started with Machine Learning
Unsupervised ML
• Clustering – finds inherent groupings within data sets
• Association – finds relationships within the data points
Supervised ML
• Classification – predicts discrete, specific responses
• Regression – predicts continuous responses
Slide 13: How Machine Learning Works
1. Select Data – split into training, validation and test sets
2. Model Data – build features
3. Validate – assess using validation data
4. Test Accuracy – check performance using test data
5. Use Model – run on live data
Slide 14: What Machine Learning means for the Security Team
• When used correctly, machine learning is like having an eager employee that’s keen to highlight all potentially interesting data points
• Resources can be focussed on the really interesting stuff
• Build models of user behaviour and get early warning
• Ideal tool for spotting non-compliant, suspicious or anomalous behaviour
Anomalous doesn’t necessarily mean bad, however. Bad is usually anomalous!
Slide 15: Putting it into practice
• Harness the power of machine learning to spot unusual user activity automatically
• Record actual user activity
• Build a profile for a user over a period of time – ideally a small number of days rather than weeks, so that you can re-build models regularly
• Compare a user’s new activity to their previous activity
• Use peer groups to reduce false positives
• Compare user ‘X’ this week to last week
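The "compare this week to last week, then check against the peer group" idea from the slide above, as an added example that is not ZoneFox's code. The weekly activity summaries, department names, feature names and the 3x thresholds are all constructed for illustration; a user is only alerted when a feature jumps against both their own baseline and the peer-group median, which is how the peer group cuts false positives.

```python
from statistics import median

# Constructed weekly activity summaries: week 1 is the baseline, week 2 the current week
EVENTS = [
    # (user, department, week, files_accessed, after_hours_logins)
    ("alice", "legal", 1, 120, 1), ("alice", "legal", 2, 130, 0),
    ("bob",   "legal", 1, 110, 2), ("bob",   "legal", 2, 900, 9),   # spike vs self AND peers
    ("carol", "legal", 1, 100, 1), ("carol", "legal", 2, 115, 1),
    ("dave",  "it",    1, 150, 3), ("dave",  "it",    2, 620, 12),  # spike vs self, normal vs peers
    ("erin",  "it",    1, 310, 6), ("erin",  "it",    2, 600, 11),
    ("frank", "it",    1, 290, 5), ("frank", "it",    2, 640, 13),
]
FEATURES = ("files_accessed", "after_hours_logins")


def index_events(events):
    """Map (user, week) -> {"dept": ..., "files_accessed": n, "after_hours_logins": n}."""
    return {(user, week): {"dept": dept, "files_accessed": files, "after_hours_logins": nights}
            for user, dept, week, files, nights in events}


def deviation(value, reference):
    """Ratio of the current value to a reference (own baseline or peer median)."""
    return value / max(reference, 1)


def score_users(events, current_week, self_ratio=3.0, peer_ratio=3.0):
    """Per user: features that jumped versus their own previous week, features that jumped
    versus the peer-group median (same department, same week), and an alert only when
    both did. Anomalous for the user but normal for the peers usually means a legitimate
    change of workload, not an insider, so it is recorded but not alerted."""
    table = index_events(events)
    results = {}
    for (user, week), row in table.items():
        if week != current_week or (user, week - 1) not in table:
            continue  # no baseline yet for this user
        baseline = table[(user, week - 1)]
        peers = [r for (u, w), r in table.items()
                 if w == week and u != user and r["dept"] == row["dept"]]
        self_flags = {f for f in FEATURES if deviation(row[f], baseline[f]) >= self_ratio}
        peer_flags = {f for f in FEATURES
                      if peers and deviation(row[f], median(p[f] for p in peers)) >= peer_ratio}
        results[user] = {
            "self_anomalies": sorted(self_flags),
            "peer_anomalies": sorted(peer_flags),
            "alert": bool(self_flags & peer_flags),
        }
    return results


if __name__ == "__main__":
    for user, verdict in score_users(EVENTS, current_week=2).items():
        print(user, verdict)
```

In the constructed data, bob's 900 file accesses and 9 after-hours logins stand out against both his own week 1 and the legal team, so he alerts; dave's jump is matched by the rest of the IT department (a patch-week pattern), so it is noted as a self anomaly but not alerted.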
Slide 18: Case Study – Government
• Highly regulated environment
• 15,000 end users
• Provision of more and more IT services for agencies
• Need to protect sensitive information
• Competitive replacement
Slide 19: Case Study – Legal
• Requirement to prove compliance
• UEBA a component of DX and DLP
• Measurement of overall security posture
“The introduction of ZoneFox has given us the insights to measure effectiveness against acceptable usage policies and also gives us superb visibility of potential security risks we cannot write rules for.”
– CISO, Pinsent Masons
Slide 20: In conclusion
• Insider threats are on the rise across businesses of all sizes
• UEBA and machine learning technology is the ideal tool for spotting non-compliant, suspicious or anomalous behaviour
• Harnessing this technology frees up resource to focus on other security issues