Cybersecurity threats have evolved beyond what traditional SIEMs and firewalls can detect. We present case studies highlighting how: •An advanced manufacturer was able to identify new insider threats, enabling them to protect their IP •A media company’s security operations center was able to verify they weren’t the source of a high-profile media leak. The common thread across these real-world case studies is how businesses can expand their threat analysis using security analytics powered by artificial intelligence in a big data environment. Cybersecurity threats increasingly require the aggregation and analysis of multiple data sources. Siloed tools and technologies serve their purpose, but can’t be applied to look across the ever-growing variety and volume of traffic. Big data technologies are a proven solution to aggregating and analysing data across enormous volumes and varieties of data in a scalable way. However, as security professionals well know, more data doesn’t mean more leads or detection. In fact, all too often more data means slower threat hunting and more missed incidents. The solution is to leverage advanced analytical methods like machine learning. Machine learning is a powerful mathematical approach that can learn patterns in data to identify relevant areas to focus. By applying these methods, we can automatically learn baseline activity and detect deviations across all data sources to flag high-risk entities that behave differently from their peers or past activity. ROY WILDS, Principal Data Scientist, Interset

1. 1 | © 2018 Interset Software
How Big Data and AI
Saved the Day:
Critical IP Almost
Walked Out the Door
Roy Wilds, PhD
Field Data Scientist
Interset.AI

2. 2 | © 2018 Interset Software2 | © 2018 Interset Software
Welcome
Partners
About Interset
• 75 employees & growing
• 450% ARR growth
• Data science & analytics focused on cybersecurity
• 100 person-years of Anomaly Detection R&D
• Offices in Ottawa, Canada & Newport Beach,
California
About Me
• Data miner scientist since 2006
• 4+ years building machine
learning systems for threat
hunting
• 8 years experience using
Hadoop for large scale
advanced analytics
Field Data Scientist
• Identify valuable data feeds
• Optimize system for use cases
We uncover the threats that matter!

3. 3 | © 2018 Interset Software3 | © 2018 Interset Software
What is AI-Based Security Analytics About?
Advanced analytics to help you catch the bad guys

4. 4 | © 2018 Interset Software4 | © 2018 Interset Software
zz
Increasing Threat Hunting Efficiency
Low Success Rate SOC Cycle Generate Highly Anomalous Threat Leads

5. 5 | © 2018 Interset Software5 | © 2018 Interset Software
Platform based on Unsupervised Machine Learning & AI
ACQUIRE
DATA
HIGH QUALITY
THREAT LEADS INTERNAL RECON
INFECTED HOST
DATA STAGING
& THEFT
COMPROMISED
ACCOUNT
LATERAL
MOVEMENT
ACCOUNT MISUSE
CUSTOM
FRAUD
DLP
ENDPOINT
Biz Apps
CUSTOM
DATA
NETWORK
IAM Kibana
DETECT,
MEASURE AND
SCORE
ANOMALIES
CREATE UNIQUE
BASELINES
Contextual views.
Drill-down and
cyber-hunting.
Broad data
collection
Determine what
is normal
Gather the
raw materials
Find the behavior
that matters
Workflow engine
for incident
response.
SIEM

6. 6 | © 2018 Interset Software6 | © 2018 Interset Software
z
Mathematically Measure Cybersecurity Risk

7. 7 | © 2018 Interset Software7 | © 2018 Interset Software
Multiple ML Algorithms to Assess Enterprise Risk
Authentication
Logs
Endpoint
Logs
Operating
System Logs
Proxy Logs
VPN Logs Printer Logs
Network LogsFile/Network
Share Logs
Volumetric Models
Neural Networks
Probability Distribution
Estimation
Other
Detection of Threats like:
 Compromised Account
 Data Breach
 Fraud
 Infected Host
Based on Anomalies like:
 Multiple failed logins
 Unusual locations
 Unusual successful attempt
From Individually Measured
Statistics for Every Entity Like:
 Ann moves a significant volume of data
 Ann accesses and takes from file folders
 Printer had multiple failed logins
 Server accesses unusual locations
 Server shows unusual successful login
 Ann’s peer has different expense report for the same event
 Ann sends email to personal account
Entities:
 Account
 Machine
 File
 IP Addresses
 Servers
 Websites
 Printers
 Projects
Many Data Sources Detect Anomalies Produce Risk Score
96

8. 8 | © 2018 Interset Software8 | © 2018 Interset Software
Because Every SOC Has LOTS of Data
5,210,465,083
Billions of events
analyzed with
machine learning
Anomalies
discovered by
data science
High quality
“most wanted”
list
Users, machines, files, projects, servers, sharing behavior, resources,
websites, IP Addresses and more

9. 9 | © 2018 Interset Software9 | © 2018 Interset Software
To Find Threats Such As:
•At-Risk employee
•High-Risk Employees
•Account Misuse
•Privilege Account Misuse
•Terminated Employee
Activity
•Data Staging
•Data Exfiltration
•Email Exfiltration
•Print Exfiltration
•USB Exfiltration
•Unusual data access
•Unusual uploads
•Compromised Account
•C2 Activity Detection
•Impossible Journeys
•Internal Recon
•Dormant Account Usage
•Unusual Login Patterns
•Audit Log Tampering
•Unusual Traffic
•Password Manipulation
•Abnormal Processes
•Unusual Applications
•Infected Host
•Malicious Tunneling
•Bot Detection
•Mooching
•Snooping
•Interactions with dormant
resources/files
•High Risk IP/Data Access
•Lateral Movement
•Transaction Abuse
•Expense Fraud
Insider Threat Advanced Threat IP TheftData Breach Fraud

10. 10 | © 2018 Interset Software10 | © 2018 Interset Software
Case Study #1: $20B Manufacturer
X
2 Engineers
stole data
1 Year
$1 Million Spent
Large security
vendor failed to
find anything
2 Weeks
Easily
identified the 2
Engineers
Found 3
additional users
stealing data in
North America
Found 8
additional users
stealing data in
China

11. 11 | © 2018 Interset Software11 | © 2018 Interset Software
Case Study #2: High Profile Media Leak
IT’S ABOUT VISIBILITY

12. 12 | © 2018 Interset Software12 | © 2018 Interset Software
Case Study #3: Healthcare Records & Payments
 Profile: 6.5 billion transactions annually, 750+ customers, 500+
employees
 Team of 7: CISO, 1 security architect, 3 security analysts, 2
network security
 Analytics surfaced (for example) an employee who attempted to
move “sensitive data” from endpoint to personal Dropbox
 Employee was arrested and prosecuted using incident data
Focus and prioritized incident responses
Incident alert accuracy increased from 28% to 92%
Incident mitigation coverage doubled from 70 per week to 140

13. 13 | © 2018 Interset Software13 | © 2018 Interset Software
Case Study #4: Defense Contractor
zz
High Probability Anomalous Behavior Models
 Detected large copies to the portable hard drive,
at an unusual time of day
 Bayesian models to measure and detect highly
improbable events
High Risk File Models
 Detected high risk files, including PowerPoints
collecting large amounts of inappropriate content
 Risk aggregation based on suspicious behaviors
and unusual derivative movement

14. 14 | © 2018 Interset Software14 | © 2018 Interset Software
z
Lesson: AI is the buzzword, but The Math Matters – Test It
Recommendations
• Agree on the use cases in advance
• Use a proof-of-concept with historical/existing data to test the SA’s math
• Engage red team or pen testing if available
• Evaluate the results: Do they support the use cases you care about?

15. 15 | © 2018 Interset Software
15 | © 2018 Interset Software
QUESTIONS?
Roy Wilds – Field Data Scientist
@roywilds
Learn more at Interset.AI

16. 16 | © 2018 Interset Software16 | © 2018 Interset Software
About Interset.AI
SECURITY ANALYTICS LEADER PARTNERSABOUT US
Data science & analytics
focused on cybersecurity
100 person-years of security
analytics and anomaly
detection R&D
Offices in Ottawa, Canada;
Newport Beach, CA
Interset.AI