Take a deep dive into the Interset AI-enabled, security analytics platform to learn how to cut through the noise and identify the high-quality threat leads that matter the most - before your data is stolen.

1. 1 | © 2018 Interset Software
Technology Spotlight
Dallas 2018
Stephan Jou, CTO

2. 2 | © 2018 Interset Software
2 | © 2018 Interset Software
Hey. I’m Stephan Jou. I like analytics.
 CTO at Interset
 Previously: Cognos and IBM’s Business Analytics
CTO Office
 Big data analytics, visualization, cloud, predictive
analytics, data mining, neural networks, mobile,
dash-boarding and semantic search
 M.Sc. in Computational Neuroscience and
Biomedical Engineering, and a dual B.Sc. in
Computer Science and Human Physiology, all from
the University of Toronto

3. 3 | © 2018 Interset Software
3 | © 2018 Interset Software
About Interset.AI
SECURITY ANALYTICS LEADER PARTNERSABOUT US
Data science & analytics
focused on cybersecurity
100 person-years of security
analytics and anomaly
detection R&D
Offices in Ottawa, Canada;
Newport Beach, CA
Interset.AI

4. 4 | © 2018 Interset Software
Attackers are Fast
Defenders are Slow
Alert Overload
AV-test.org, 2015
64% of US companies
face 10,000+ alerts
per month
203 Days - Breaches
take on average 80
days to discover and
123 days to resolve
60%
of data is
stolen in hours
54%
Of breaches
remain
undiscovered
after 6 months
Ponemon Institute, 2015
Missed Incidents
8% of incidents are
detected by
endpoint, firewall &
network solutions
Verizon DBIR, 2014
Problem Domain: Drowning In Data And Missing Incidents

5. 5 | © 2018 Interset Software
Standard Approach – Rules and Thresholds
A Pattern for Increased Monitoring for Intellectual Property Theft by
Departing Insiders, Andrew Moore, Carnegie Mellon 2011

6. 6 | © 2018 Interset Software
The Threshold Approach Challenge
Abnormal
Normal

7. 7 | © 2018 Interset Software
The Threshold Approach Challenge
Abnormal
Normal

8. 8 | © 2018 Interset Software
The Threshold Approach Challenge
Abnormal
Normal

9. 9 | © 2018 Interset Software
A Probabilistic Approach
• Computes probability that a value in
a given hour is anomalous
• Bayesian approach
• Explicitly models both normal and
abnormal distributions
• Gaussian, Gamma
• Estimators for both normal and
abnormal based on observation

10. 10 | © 2018 Interset Software
USB drives are marked as
high risk method
Method
The volume of copying is large, compared
to John’s past 30 days and
compared to other sysadmins
Activity
John Sneakypants is a
contractor and sysadmin
with privileged access
User/Machine
These files have a high risk
and importance value
Asset
Behavioral Risk – Quantifying suspicious events
John Sneakypants is copying an unusually large number of
sensitive files to an external USB drive.

11. 11 | © 2018 Interset Software
Entity Risk – Distilling evidence to find leads
Activity
User/Machine Asset Method
Behavioral
Risk Score
Rentity = importance(t)´vulnerability(t)
User
Asset
Machine
Rbehavior = P(event | y)´wy ´
wu 2-i
× Ru[i]
uÎU
å + wf 2- j
× Rf [ j]
f ÎF
å + wm 2-k
× Rm[k]
mÎM
å
é
ë
ê
ê
ù
û
ú
ú
wu + wf + wm

12. 12 | © 2018 Interset Software
Activity
User/Machine Asset Method
Behavioral
Risk Score
Rentity = importance(t)´vulnerability(t)
User
Asset
Machine
Rbehavior = P(event | y)´wy ´
wu 2-i
× Ru[i]
uÎU
å + wf 2- j
× Rf [ j]
f ÎF
å + wm 2-k
× Rm[k]
mÎM
å
é
ë
ê
ê
ù
û
ú
ú
wu + wf + wm
Entity Risk – Distilling evidence to find leads
• Ann Funderburk works at an unusual hour 15
• … and accesses repositories that she and her peers do not usually access 65
• … and takes from a folder on a repository an unusual number of times 80
• … and moves a significantly high volume of data than normal 96
• … VPN’s in from China 46

13. 13 | © 2018 Interset Software
Data
Repository Logs
Active Directory Logs
VPN Logs
Feature Extraction
Ann moves a significant volume of data
Ann access and takes from file folders
Ann accesses anomalous repositories
Ann logs in from anomalous location
Ann logs in at unusual time of day
(other features)
(other features)
(other features)
𝑝1
𝑝2
𝑝3
∑
𝑝4
𝑝5
𝑤1
𝑤2
𝑤3
𝑤4
𝑤5
Anomaly Detection
Auth./Access
Anomaly Model
File Access &
Usage Models
Volumetric Models
VPN Anomaly
Models
Entity Risk Aggregation
Entities
- Account
- Machine
- File
- Application
96
Mathematical Framework

14. 14 | © 2018 Interset Software
Distill billions of events into a handful of prioritized threat leads
A Handful of Threat LeadsBillions of Events Hundreds of Anomalies

15. 15 | © 2018 Interset Software
Technology Demonstration

16. 16 | © 2018 Interset Software
16 | © 2018 Interset Software
QUESTIONS?
Stephan Jou, CTO
@eeksock
Learn more at Interset.AI