WEBINAR: How To Use Artificial Intelligence To Prevent Insider Threats
© 2018 Interset Software

Slide 1
How To Use Artificial Intelligence To Prevent Insider Threats
Slide 2
Today's Webinar Hosts
• Stephan Jou, CTO, Interset
• Holger Schulze, CEO, Cybersecurity Insiders
Slide 3
Impact Of Insider Attacks
Slide 4
Barriers To Insider Threat Management
Slide 5
Almost All Cybersecurity Problems Become Inside(r) Threats
(Diagram: threat vectors on the left, concerns grouped by role on the right.)
Threat vectors: Unauthorized User, Malware, Phishing, Ransomware
Roles: CISO, Security Architect, Security Practitioner
Concerns:
• Low Risk Visibility
• Slow Threat Detection
• Increasing Security Spend
• Reduced SOC Efficiency
• Security Tool Integration
• Scalability, Interoperability
• Analyst Efficiency
• Alert Fatigue
• Alert Triage
• Threat Hunting & Investigation
• Attack Mitigation
Slide 6
But, Threats Are Obscured By Too Much Data, Too Many Systems
(Same diagram as slide 5: threat vectors Unauthorized User, Malware, Phishing, Ransomware; concerns by role for CISO, Security Architect, Security Practitioner.) The evidence is spread across the layers: Perimeter, Network, Servers, Apps, Users, Data.
Slide 7
Who Wants This Type Of Risk Visibility?
Slide 8
Current Security Tools Are Limiting
• Rules & Thresholds Based
• Fragmented
• Inefficient
• Reactive
• Scattered
• Overwhelming
• 60–80% false positives
• Not enough data for visibility
• Not enough staff
Slide 9
Where Companies Want To Use AI
34% of companies plan to use, or are already using, AI to mitigate security risks.
Slide 10
Need AI To Automate And Scale To Risk
"By 2020, 60% of digital businesses will suffer major service failures due to IT security teams' inability to manage digital risk" (Gartner)
Slide 11
DEFINING AI
Slide 12
Artificial Intelligence
(Diagram: data flows from Input, through Processing, to Output.)
• Input: Data Sources
• Processing:
  – Learning: Machine Learning (supervised, unsupervised), NLP, Speech Recognition, Visual Recognition, …
  – Knowledge & Memory: Knowledge Representation, Ontologies, Graph Databases, …
  – Decision & Inference: Prescriptive Analytics, Optimization, Decision Making, …
• Output: Robotics, Navigation Systems; Speech Generation; Threat Leads
Slide 13
Different Types Of Machine Learning (Source: MathWorks)
• Supervised learning: learning by example
• Unsupervised learning: learning by pattern discovery
• Deep Learning
Slide 14
1980s: Neural Networks
§ Based on ideas started in the 1940s
§ Biologically inspired "neurons"
§ Input on the left, output on the right (diagram)
Learning =
§ Examples compared to actual output
§ Differences used to modify the weights (strength of connections)
§ Iterate
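The learning loop on this slide (compare the example's expected output with the actual output, nudge the connection weights by the difference, iterate), carried through as an added example written for this page; it is not code from Interset or MathWorks. It is a single-layer perceptron in plain Python, the simplest "neuron" of the kind the slide describes. The threshold neuron, the learning rate and the two-feature training set are all assumptions, and the data is constructed.

```python
"""Perceptron learning rule: examples vs actual output, adjust weights, iterate.
Added example with constructed data."""

# Constructed training set: two features per event, label 1 = "anomalous".
# The rule hidden in the data is x1 + x2 > 1, which a single neuron can learn
# because the two classes are linearly separable.
TRAINING = [
    ((0.0, 0.0), 0), ((1.0, 0.0), 0), ((0.0, 1.0), 0), ((0.5, 0.5), 0),
    ((0.2, 0.3), 0), ((1.0, 1.0), 1), ((1.0, 0.5), 1), ((0.5, 1.0), 1),
]


def neuron(weights, bias, x):
    """Biologically inspired 'neuron': weighted sum of the inputs, then a
    hard threshold (assumed activation; fires 1 when the sum is positive)."""
    return 1 if sum(w * xi for w, xi in zip(weights, x)) + bias > 0 else 0


def train(examples, lr=0.1, max_epochs=1000):
    """Perceptron learning rule. Starts from zero weights and returns
    (weights, bias, epochs_used); stops at the first epoch with no mistakes."""
    weights, bias = [0.0] * len(examples[0][0]), 0.0
    for epoch in range(1, max_epochs + 1):
        mistakes = 0
        for x, target in examples:
            # "Examples compared to actual output": error is -1, 0 or +1.
            error = target - neuron(weights, bias, x)
            if error:
                mistakes += 1
                # "Differences used to modify the weights": move each weight in
                # the direction of its input, scaled by the error and the rate.
                weights = [w + lr * error * xi for w, xi in zip(weights, x)]
                bias += lr * error
        if mistakes == 0:          # converged: every example reproduced
            return weights, bias, epoch
    return weights, bias, max_epochs


def accuracy(weights, bias, examples):
    """Fraction of examples the trained neuron labels correctly."""
    return sum(neuron(weights, bias, x) == t for x, t in examples) / len(examples)


if __name__ == "__main__":
    w, b, epochs = train(TRAINING)
    print(f"converged after {epochs} epochs: weights={w}, bias={b:.2f}")
    print("training accuracy:", accuracy(w, b, TRAINING))
```

Because the constructed classes are linearly separable, the perceptron convergence theorem guarantees the loop stops after a finite number of mistakes; the tanks-versus-trees problem on the next slide was not that well behaved, which is part of why the result there was suboptimal.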
Slide 15
1980s: Pentagon & Tanks
Use a neural network to discriminate between tanks and trees.
§ Data: 200 pictures (100 tanks, 100 trees)
§ Compute: one 1980s mainframe
§ Results: suboptimal :-)
Slide 16
What's Different Now? *
• More Compute: 1M x cycles (Hz)
• More Data: 33,000 x pixels
• Better Algorithms: Convolutional, Feedforward, Adversarial, LSTM, Ensemble
• Broad Investment: Government, Universities, Startups, Big Companies
* According to Andreessen Horowitz
Slide 17
AI FOR INSIDE(R) THREAT DETECTION
Slide 18
Insider Threat Detection Requires Measuring "Unique Normal"
Because current tools do not scale, they must assume common patterns/rules for the entire population. Comparing everyone to the same pattern produces many false positives. Measuring "unique normal" for each user, machine, filesystem, printer, etc. gives accuracy. Only large-scale machine learning can measure what is normal for every user in every category.
Slide 19
"Unique Normal", Or Not, Requires Big Data & Unsupervised #ML
Supervised learning is learning by example and requires "labeled" data. Unsupervised learning is self-discovery of patterns and doesn't need labels/examples.
Supervised approaches, such as deep-learning classifiers, are good for cybersecurity data with lots of labels, i.e. malware: the malware use case has decades' worth of example binaries, both malicious and innocent. Unsupervised approaches are best for cybersecurity data with limited data, typically without labels, such as detecting anomalies indicative of unique insider threats, where there is not enough labeled data for supervised ML.
Slide 20
Unsupervised Machine Learning Requires Big Data Compute
Requirements: Self-Learning; Contextually Integrated; Automated; Big Data Storage; Big Data Compute
Slide 21
Platform Based On Unsupervised Machine Learning & AI
(Diagram: left-to-right pipeline.)
• ACQUIRE DATA: gather the raw materials; broad data collection from DLP, Endpoint, Biz Apps, Custom Data, Network, IAM.
• CREATE UNIQUE BASELINES: determine what is normal.
• DETECT, MEASURE AND SCORE ANOMALIES: find the behavior that matters.
• HIGH QUALITY THREAT LEADS: Internal Recon, Infected Host, Data Staging & Theft, Compromised Account, Lateral Movement, Account Misuse, Fraud, Custom.
• Kibana: contextual views; drill-down and cyber-hunting; workflow engine for incident response.
Slide 22
Measuring Unique Normal Enables Accurate Anomaly Detection
(Diagram: data sources → feature extraction → per-model anomaly probabilities → weighted entity risk aggregation.)
Data: Repository Logs; Active Directory Logs; VPN Logs
Feature Extraction (examples for user Ann):
• Ann moves a significant volume of data
• Ann accesses and takes files from folders
• Ann accesses anomalous repositories
• Ann logs in from an anomalous location
• Ann logs in at an unusual time of day
• (other features)
Anomaly Detection models: Auth./Access Anomaly Model; File Access & Usage Models; Volumetric Models; VPN Anomaly Models
Entity Risk Aggregation: each model emits an anomaly probability $p_i$, which is weighted by $w_i$ and summed into the entity's risk score, $\text{risk} = \sum_i w_i\, p_i$ (96 in the example shown).
Entities: Account, Machine, File, Application
Slide 23
AI Transforms Existing Security Data Into Threat Leads
Slide 24
Anomalies Detected By AI Are Surfaced In The User Interface
(Screenshot.) Here, Interset distills more than 5.1 billion events into 1 million anomalies, for 29 validated and prioritized threat leads. "Unique Normal" is measured for 12K users, 12.8K machines, 2.4M files, 632 projects, 59 servers, 104 shares, 82 resources, 1.37M websites, 12K IP addresses. The enterprise risk score is aggregated across all individual entities' "unique normal" (or not!) measurements.
Slide 25
Ex: Data Exfiltration via Email Anomaly Detection (e.g. Proofpoint)
(Screenshot with three callouts.)
• Observation: 960 GB of email data per hour was observed at 3-4 am, higher than any personal or population norm.
• Personal baseline: Yaman has a norm of 1.5 kB of email/hr and a high of 2.4 kB of email/hr.
• Population baseline: avg of 14.8 kB of email/hr for all users; 690 MB/hr of email is the expected high for all users.
Slide 26
Ex: Insider Fraud Detection via Expense Reporting Anomalies
(Screenshot with three callouts.)
• Observation: 18 entertainment claims in a week, higher than any norm.
• Personal baseline: norm of 6 for D Larkin; high of 4 for D Larkin.
• Population baseline: avg 1.5 for all users; high 16 for all users.
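The scoring scheme sketched on slide 22 (per-feature anomaly probabilities $p_i$, weighted by $w_i$ and summed into an entity risk score) and the four baselines used in the two examples above (personal norm and high, population average and high), carried through as one added example. This is illustrative Python written for this page, not Interset's implementation: the event history and observations are constructed (they do not reproduce the deck's numbers), and the feature weights and the exceedance function that turns "how far above the entity's own high" into a probability are assumptions.

```python
"""Per-entity "unique normal" baselines, population baselines for context, and
weighted aggregation of per-feature anomalies into an entity risk score.
Added example with constructed data; not Interset's code."""
from collections import defaultdict
from statistics import mean

# Constructed history of already-extracted features: (entity, feature, value).
# In the deck these come from feature extraction over repository, Active
# Directory, VPN and email-gateway logs. Units: bytes/hr and claims/week.
HISTORY = [
    ("yaman", "email_bytes_per_hr", 1_200), ("yaman", "email_bytes_per_hr", 1_500),
    ("yaman", "email_bytes_per_hr", 2_400), ("yaman", "email_bytes_per_hr", 1_000),
    ("ann", "email_bytes_per_hr", 9_000), ("ann", "email_bytes_per_hr", 20_000),
    ("svc_backup", "email_bytes_per_hr", 300_000_000),
    ("svc_backup", "email_bytes_per_hr", 690_000_000),
    ("dlarkin", "expense_claims_per_wk", 3), ("dlarkin", "expense_claims_per_wk", 6),
    ("dlarkin", "expense_claims_per_wk", 4), ("ann", "expense_claims_per_wk", 1),
    ("ann", "expense_claims_per_wk", 0), ("yaman", "expense_claims_per_wk", 2),
]

# Assumed weights w_i: how much each feature's anomaly contributes to entity
# risk. They sum to 1.0 so the aggregated score lands on a 0-100 scale.
WEIGHTS = {"email_bytes_per_hr": 0.6, "expense_claims_per_wk": 0.4}


def summarize(values):
    """(norm, high): the mean of past values and the maximum ever seen."""
    return mean(values), max(values)


def build_baselines(history):
    """Return ({(entity, feature): (norm, high)}, {feature: (norm, high)}).
    The first is each entity's own 'unique normal'; the second pools every
    entity's values for the feature, i.e. the population baseline."""
    per_entity, per_feature = defaultdict(list), defaultdict(list)
    for entity, feature, value in history:
        per_entity[(entity, feature)].append(value)
        per_feature[feature].append(value)
    return ({k: summarize(v) for k, v in per_entity.items()},
            {k: summarize(v) for k, v in per_feature.items()})


def exceedance(value, high):
    """Assumed mapping to an anomaly probability p in [0, 1]: 0 while the value
    is within the historical high, 0.5 at 2x the high, approaching 1 as the
    excess grows; activity never seen before for this entity scores 1."""
    if value <= high:
        return 0.0
    if high <= 0:
        return 1.0
    return 1.0 - high / value


def score_entity(entity, observations, entity_base, pop_base, weights=WEIGHTS):
    """observations: {feature: value}. Each feature yields p_i against the
    entity's OWN high; the population comparison is reported as context only,
    so a user far above his own norm but under the population high is still
    flagged. risk = 100 * sum(w_i * p_i)."""
    per_feature, risk = {}, 0.0
    for feature, value in observations.items():
        if (entity, feature) not in entity_base:
            continue  # cold start: no baseline yet, nothing to compare against
        _norm, ent_high = entity_base[(entity, feature)]
        _pop_norm, pop_high = pop_base[feature]
        p = exceedance(value, ent_high)
        per_feature[feature] = {
            "p": round(p, 4),
            "vs_entity_high": round(value / ent_high, 2) if ent_high else None,
            "vs_population_high": round(value / pop_high, 2),
        }
        risk += weights.get(feature, 0.0) * p
    return {"entity": entity, "risk": round(100 * risk, 1), "features": per_feature}


ENTITY_BASE, POP_BASE = build_baselines(HISTORY)

if __name__ == "__main__":
    # Constructed observations in the shape of the deck's two cases.
    for who, obs in [("yaman", {"email_bytes_per_hr": 960e9}),
                     ("dlarkin", {"expense_claims_per_wk": 18}),
                     ("ann", {"email_bytes_per_hr": 15_000, "expense_claims_per_wk": 1})]:
        print(score_entity(who, obs, ENTITY_BASE, POP_BASE))
```

The design choice that matters is which baseline drives $p_i$. Scored against the population high (690 MB/hr here, inflated by the backup service account), a user sending 20 kB/hr would never register; scored against his own high of 2.4 kB/hr he is at 8x normal and lands well above zero. That is the false-negative side of the slide 18 argument; the false-positive side is the service account, whose hundreds of megabytes per hour are its own normal and score 0. The caveat is the cold start: an entity with no history gets no score at all from this scorer, so a deployment needs a warm-up period or a population fallback before per-entity baselines are trustworthy.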
Slide 27
Ex: Using Anomalies To Distinguish Humans From Bots
(Screenshot with three callouts.)
• This particular machine doesn't normally have humans using it at 4am.
• TCP/465 (SMTPS) on this machine is not a human activity.
• Click to Investigate: Potential Infected Host.
Slide 28
AI Surfaces The Insider Threats Hidden By All The Noise
(Same diagram layout as slide 5: threat vectors Unauthorized User, Malware, Phishing, Ransomware on the left; outcomes by role for CISO, Security Architect, Security Practitioner on the right.)
Outcomes:
• Accelerated Threat Detection
• Expanded Risk Visibility
• Increased SOC Efficiency
• Optimize Security Investments
• Augment Security Tools
• Integrated Risk Visibility
• Noise-Cancelling Analytics
• Integrated Platform
• Faster, Focused Threat Hunting
• Accelerated Alert Triage
• Guided Investigation
• Detect Multi-faceted Attacks
Slide 29
AI Enables Automated Trace And Investigation Of Insider Threats
Slide 30
About Interset.AI
Security Analytics Leader
• Data science & analytics focused on cybersecurity
• 100 person-years of security analytics and anomaly detection R&D
• Offices in Ottawa, Canada; Newport Beach, CA
Interset.AI
Slide 31
QUESTIONS?
INTERSET.AI