[Webinar] Supercharging Security with Behavioral Analytics

1 | © 2018 Interset Software
Name, Title
Date
Supercharging
Security with
Behavioral Analytics
September 19, 2018

Today’s Panel
STEPHAN JOU
Chief Technology Officer
PAUL REID
Security Strategist
Special Guest
JOSEPH BLANKENSHIP
Principal Analyst

Why Does Security Need Analytics?

4© 2018 FORRESTER. REPRODUCTION PROHIBITED.
Biggest Security Challenges
Base: 1,502 Security decision-makers
Source: Forrester Data Global Business Technographics Security Survey, 2018
19%
21%
21%
21%
22%
23%
24%
25%
26%
28%
29%
34%
Lack of empowerment to make security decisions
Lack of visibility and influence within the organization
Other priorities in the organization taking precedence over…
Inability to measure the effectiveness of our security program
Unavailability of security employees with the right skills
Building a culture of data stewardship
Lack of staff (the security team is understaffed)
Lack of budget
Day-to-day tactical activities taking up too much time
Compliance with new privacy laws
Changing/evolving nature of IT threats (internal and external)
Complexity of our IT environment
Which of the following are the biggest IT security challenges for
your firm?

56% of Firms Were Breached in the Last 12 Months
1Base: 1,147 Network Path Security decision-makers who have experienced a breach in the past 12 months
Source: Forrester's Business Technographics Global Security Survey, 2018
External
attack
41%
Internal Attack
23%
Third-party
Incident
21%
Lost/stolen
asset
15%
Causes of confirmed breaches in the past 12
months
In these cases 35% were due
to software exploits, 36% were
due to web application attack,
and 22% due to stolen
credentials
In these cases 55% were due
to malicious intent, 38% were
due to inadvertent misuse,
and 7% were a combination
of both

Top 5 Data Types Breached
Base: 546 Network Path Security decision-makers who have experienced a breach in the past 12 months
Source: Forrester Data Global Business Technographics Security Survey, 2018
27%
27%
28%
29%
33%
Authentication credentials (user IDs and
passwords, other forms of credentials)
Account numbers
Payment/credit card data
Intellectual property
Personally identifiable information (name, address,
phone, Social Security number)
"What types of data were potentially compromised or breached in the past
12 months?"
(Multiple responses accepted)

Too Many Alerts / Too Few Analysts
Source: Forrester’s Security Operations Center (SOC) Staffing

We Need a New Set of Tools
› Rules based SIM hasn’t proven effective
• Too many alerts, too many false positives
• Difficult to maintain
• Only finds known threats
› Effective security analytics tools:
• Use data science to detect anomalous behavior
• Utilize internal and external threat intelligence
• Examine historical data
• Detect data exfiltration
• Provide increased security context for responders
• Enable investigations and response

The Security Analytics Ecosystem

The Security Analytics Ecosystem
Source: Forrester’s Vendor Landscape: Security Analytics (SA)

Evolution of Security Analytics
Perimeter Defense
• Focus on network security
• Event filtering and basic correlation
• Log management and retention
• Events per second: <5,000
• Storage: gigabytes
• Manual breach response
• High false positive rate, limited scalability
Compliance
• Reporting
• Information sources: various log formats
(still log focused)
• Advanced correlation
• Signature-based alerting
• Increasing devices: >1,000
• Events per second: >10,000
• Storage: terabytes
• Focus on threat detection and response,
breach response still slow, highly
dependent on security analyst skills
Enterprise Security Intelligence
• Log management
• Feeds from applications, databases,
endpoints
• Threat detection
• More robust IAM integration
• Advanced analytics with additional
security context
• User and network behavior
• Feeds from additional sources: multiple
log sources, NetFlow, reputation data,
threat intelligence feeds
• Huge number of devices: >5,000
• Events per second: >100,000
• Storage: petabytes – Big Data
infrastructure
• Near real-time breach response, same
day remediation
Sophistication,volume,velocityandcomplexity
1995 – 2000 (SEM)
2005 – 2014 (SIM)
2014+ Security Analytics

Defining Security Analytics
A platform built on big data infrastructure to converge logging, correlating, and
reporting feeds from security information management (SIM), security solutions,
network flow data, external threat intelligence, and diverse endpoints and
applications. The SA platform uses this information and machine learning
techniques to provide real-time monitoring and facilitate the rapid incident
detection, analysis, and response.
Source: Forrester’s Counteract Cyberattacks With Security Analytics

Security User Behavior Analytics (SUBA)
› Detects anomalous user and device behavior
• Ingests endpoint, network, and host log data
• Uses machine learning techniques to detect suspicious behavior
• Alerts on abnormal activity
• Deploys as a SIM supplement in many cases
SUBA is often the first technology
organizations think of when starting an
insider threat team.

Defining SUBA
Functionality that enables security and risk teams to build a unified view of users'
actions across the network. SUBA collects and correlates detailed information
about user activity from a variety of logs and other data sources to heuristically
and automatically set a user activity baseline from which it can detect, risk score,
prioritize, intercept, and enable the investigation of anomalous behavior in real
time.
Source: Forrester’s Market Overview: Security User Behavior Analytics (SUBA), 2016 report

Interset’s behavioral analytics allows for detection of anomalies, complementing the
pattern matching of rules and thresholds for policy enforcement and the machine
learning of malware detection.
Interset Augments Your Security Ecosystem

How Does Interset Do This?

Machine Learning is Everywhere…
I’m
smart!
Super machine
learning!The best
Bayesian! Buy me!
I do it all!

Two Categories of Machine Learning Algorithms
Bu
y
me!
Supe
r ML!
The best
Bayesian
!
I
do it
all!
Classification
Support Vector Machines
Discriminant Analysis
Naive Bayes
Nearest Neighbor
Regression
Linear Regression | GLM
SVR | GPR
Ensemble Methods
Decision Trees
Neural Networks
Clustering
K-means | Fuzzy C-means
Hidden Markov Model
Neural Networks
Hierarchical
Guassian Mixture
Supervised Unsupervised

Cybersecurity: Supervised Machine Learning Approach
Ideal for ﬁnding malware
▪ Decades of data to study
▪ Always looks the same no
matter where it manifests
“Tell me what I’m looking for…”

When searching for insider threats, how do you determine what is productive or
malicious activity within your enterprise?
The activities related to insider threats are masked by behavior that, when removed from
context, present as benign. This means we cannot simply match a pattern or look for a
signature—we have to take a different approach that separates abnormal from normal.
▪ Working at midnight?
▪ Attaching 500MB to an email?
▪ Looking at corporate strategy data?
▪ Checking out software code from Project X?
▪ A machine communicating on port 465?
▪ Machine A & B connecting via HTTP?
▪ Printer “P015” printing 50 pages at noon?
▪ cmd.exe launched on a workstation?
Cybersecurity: Unsupervised Machine Learning Approach

What are the ”MOST WANTED” Insider Threats?
Compromised
Account
Infected Host Account Misuse Data Staging
Low & Slow
Attacks
Unauthorized
Print Job
Fileless Malware Zero-day Attack
Not all insider threats are internal employees or disgruntled personnel.

How Does Security Analytics Impact
the SOC?

SA Enables SOC Processes
› Monitoring and alerting
› Event correlation
› Alert triage
› Incident response
› Threat hunting

How Does Interset Change SOC Operations and Threat Hunting?

Interset Security Analytics Dashboard: Top Risky Entities

Interset Security Analytics Dashboard: Anomalous Behavior

Considerations for Selecting An SA Solution
› Monitoring requirements
› Data sources
› Out of the box content
› Scalability
› Threat intelligence sources
› Size of security staff
› Security team maturity
› Compliance needs

Wrap-Up
› Security teams lack the speed and agility to stop breaches
• Inadequate tools and slow, manual processes impede progress
› Rules-based SIM alone not able to detect anomalous behavior
• Combination of capabilities enabling better threat detection and response
› We have to make better, faster security decisions
• Security analytics tools help make that happen
• Analysts require analytics to speed detection and enable threat hunting

Questions?

Want to learn more? Contact us!
STEPHAN JOU
CTO, Interset
sjou@interset.com
@eeksock
PAUL REID
Security Strategist, Interest
preid@interset.com
JOSEPH BLANKENSHIP
Principal Analyst, Forrester
jblankenship@forrester.com
@infosec_jb

Thank You!
Learn more at Interset.AI

[Webinar] Supercharging Security with Behavioral Analytics

More Related Content

What's hot (20)

Similar to [Webinar] Supercharging Security with Behavioral Analytics (20)

More from Interset (13)

Recently uploaded (20)

[Webinar] Supercharging Security with Behavioral Analytics