Interset – Advanced Threat Detection (white paper)

Advanced Threat Detection: a technical overview of how the Interset platform can quickly and accurately alert you when your sensitive data is under threat.



2 WHITE PAPER – ADVANCED THREAT DETECTION

Introduction

The sensitive data of a company (intellectual property, trade secrets, business plans, M&A data and customer data) represents its most important assets and is a critical component of the company’s ability to compete on a global scale. The loss of this data to an insider attack, a targeted outside attack, or the negligence of an employee, contractor or partner can be catastrophic, and companies are spending thousands and even millions of dollars to protect it. So why are the headlines still full of data loss incidents? It seems that every month a new story of significant data loss makes the headlines, and another organization that invested major resources to protect its data is dealing with the fallout of bad PR, fines and, worse, potentially large amounts of lost revenue. This white paper explores the challenges of protecting this critical data, examines why existing technologies and approaches to data protection have largely failed, and introduces a different approach to protecting sensitive data such as intellectual property (IP) and trade secrets, based on advanced behavioral analytics: the Interset Enterprise Threat Detection Platform.

Defining the Risks and Threats to Organizations

Regardless of size or vertical, organizations drive competitive advantage and revenue from the sensitive data assets they create or acquire. Many of these organizations are populated by highly skilled and highly valued employees (engineers, software developers, designers, researchers, scientists and technicians) who work in highly creative and dynamic environments. Almost all organizations have extensive partnerships, including OEM partners, suppliers, dealers, outsourcers, services firms and sometimes even competitors. Organizations also have a variety of internal end users such as contractors, consultants and auditors who are not employees but still have access to critical data. Connecting the high-value workers, partners and their work are integrated computing and file share systems that purposely make access to software applications and data both easy and pervasive.

Internal end users, whether employees, third parties or partners, have access to sensitive data and are all capable of causing a data compromise through carelessness, ignorance or malicious activity. The most dangerous and difficult to detect is the malicious insider. Beyond the infamous names of Manning and Snowden, these attacks have become so widespread that the FBI has added ‘insider threat’ as a major focus of its counterintelligence effort [1]. With over 70% of insider attacks going unreported, US CERT statistics show that the average cost of an insider attack exceeded $1 million USD in almost 50% of cases investigated [2]. Insider attacks by privileged users of all types represent a significant and growing data loss risk to the enterprise.

At the same time, companies with valuable data are being targeted by a growing threat of skilled, motivated, organized and often state-funded attackers willing to push the limits of corporate espionage via malware and by bribing employees to steal IP. These attackers avoid investing billions of dollars in costs by stealing the R&D, testing and manufacturing data of established companies. The consequences for legitimate companies are enormous, with losses of revenue in the millions from being cut out of foreign markets or undercut on price in existing markets.

[1] http://www.fbi.gov/about-us/investigate/counterintelligence/the-insider-threat
[2] http://www.cert.org/blogs/insider_threat/2013/12/theft_of_ip_by_insiders.html


Defining a New Approach

A system that looks holistically across the activities and events of an organization is able to build a series of baselines that define normal business behavior. This system understands the context of normal behavior and provides visibility into IT and operational risk. Further, it searches out events in real time that do not match normal behavior. These events are the anomalies that represent possible attacks from both insiders and outsiders. When found, alerts are surfaced so that the right people can investigate quickly. This new approach offers significant advantages, such as:

• The overall number of alerts and false positives is greatly reduced when compared to DLP or SIEM tools, because alerts are based on anomalies relative to the normal baseline behavior.

• The information about an alert is presented in the context of the event so that investigators do not waste time trying to correlate who did what, when, and with what file.

• The events include the context of the file or files involved, and are not limited by file types so that specialized applications and data types that include IP and trade secrets can be protected.

• The sensors that capture the relationships between users, files and endpoints are not limited when they are offline or in virtual or cloud environments, and can see data moving to mobile devices, eliminating many of the challenges of integrating new technology.

• The system works across all users, whether privileged IT admins, knowledge workers, contractors or partners when deployed in their organization.

• Events from an attack, whether from an insider or from an outsider who attempts surreptitious access for the purpose of exfiltration, show up immediately because they trigger anomaly alerts. The analytics engine finds these attacks, and sends an alert as soon as the anomaly is discovered, providing security managers time to react and quick access to information so they can stop the threat before data is compromised.

This is the approach used by the Interset Platform, powered by a cutting-edge behavioral analytics engine and innovative big data collection and aggregation capabilities.


How Interset Works

Behavioral analytics are not new, but applying these proven methodologies to identifying and mitigating risk within security is a paradigm shift. To make behavioral analytics truly effective, a rich set of information must be collected and modelled so that anomalies can be accurately surfaced. The Interset platform is specifically designed to optimize the threat detection process from metadata collection to analytical modeling.

Event Data Collection

Interset offers multiple agentless and agent-based data collection capabilities and continually increases its collection capabilities over time to drive ever richer data sets. Agentless data collection starts with specialized Interset connectors that gather data from existing enterprise applications and systems. With a focus on applications where IP and trade secrets are created, managed and stored, Interset connectors collect log data from source code management systems, product lifecycle management systems, enterprise content management systems, identity management systems, and security information and event management (SIEM) systems. Examples of such systems include Perforce, Windchill, SharePoint, Active Directory and Splunk.

Interset also offers a lightweight endpoint sensor that can be deployed across your organization on desktops, laptops, workstations and servers. The collector works at the system level to continuously track data interactions, user events and system events. Once deployed, interactions are recorded every day, ranging from which applications are opened to whether the user has taken a screenshot of a sensitive document or attempted to “print to file.” Supported on both Windows and Mac, the Interset endpoint sensor is designed to work both online and offline and maintains a minimal footprint, so that system performance is not affected.

Log data collected via a connector or endpoint sensor includes the following fields: user, IP address, timestamp, action (commit, sync, get, etc.), resource (folder, file, path, etc.) and other specialized data fields that may be helpful. This data is then aggregated and stored in Hadoop and retrieved by Apache Spark and Phoenix for analytics. After collection, aggregation and analysis are completed, the results can be explored via the Interset UI or exported through an open API to SIEM solutions or into a Security Operations Center (SOC).

Behavioral Analytics

The Interset Behavioral Analytics Engine is driven by two main classes of mathematics: behavioral risk modeling and entity risk modeling. Behavioral risk models are multivariate math models that take in all available context for each event that occurs across an organization and combine event and context in a meaningful way to produce a Behavior Risk Score.

Entity Risk Models are a second set of math models that drive Entity Risk Scores for Users, Machines and Assets, adjusting these risk scores over time based on the events that occur. Every entity (user, machine and asset) maintains its own risk score. Assets are most commonly files but can also be applications, source code and other valuable objects. Entity risk models create the normal activity baselines that events are then compared against to determine, in the behavioral risk model, how anomalous an event is.

Figure: The connected relationship model between events, behavioral risk, behavioral risk scores, entities and entity risk scores.


The Interset Behavioral Analytics Engine sees and understands the relationship between Events and Entities as it observes activities across the organization. The analytics engine builds and maintains irrevocable relationships between entities as events occur. As Interset observes activities and builds relationships, the analytics engine continuously creates and refines metrics that drive behavioral baselines. The engine is able to see each anomalous behavior and connect the dots of a series of behaviors in terms of its context (files touched, application used, machines involved, projects accessed, users involved) to offer a complete picture of the threat as it is occurring. By connecting the events, the Interset Platform creates stories — a series of anomalous events which enables the analytics engine to remove noise and false positives.

In addition, through statistical analysis, the engine quantifies just how anomalous an observed behavior is. As usage and anomaly patterns are refined, the analytics engine learns which users create more risk, which files are the most at risk, and which machines are most often part of risky activities. Interset actively maintains a risk score for all of these entities using normalized values. The more an entity is involved in high-risk anomalous activities, the more its risk score will increase. Conversely, an entity that is not involved in high-risk activities, and that doesn’t trigger alerts, will have its risk score decrease over time. When entities are involved in anomaly alerts, the alerts will be presented in a prioritized order based on the risk score.

Entities and Risk

Entities are defined as users, machines (identities) and assets. A core feature of Interset is its ability to accurately model the risk of all entities in your organization. Entity risk needs to be more than a simple one-time data classification exercise: entity risk changes over time, and the model must respond to those changes automatically to give a maintainable, scalable system.

Tracking user risk enables IT teams to identify persons of interest. For example, as users (or their accounts) exhibit more behavior with indicators of compromise, or their activity starts to show anomalous events (possible indicators of an account takeover), or their activity starts to show indications of becoming a leaver (and is therefore statistically prone to IP exfiltration), the user risk score increases correspondingly to signal that a follow-up investigation is warranted. With Interset, the ability to instantly show the most risky users in the organization is a very valuable way to focus the investigation team and maintain a scalable process. Such a view shows the users that, across your entire organization, have accumulated the most risk. Clicking on a user then shows the underlying alerts and events that led the system to increase that user’s risk score.

Machine risk tracks suspicious behaviors that accumulate on certain machines. Are some machines more prone to store important files and become vulnerable to exfiltration? If so, that will be reflected in a high machine risk score. For all machines monitored by an endpoint sensor, Interset will show the machines that are most at risk. This risk can be due to compromise of the machine by malware, usage of the machine by an insider, or high value assets being moved to or stored in machines making them more at risk.

Figure: The behavior risk score is an aggregate of the identity (user or machine), activity, asset and asset movement risk scores involved in the behavior.


Asset risk is a different set of models that identify where important data such as IP or trade secrets has collected within your organization. Tracking asset risk through a separate and accurate set of models is important because file contents change over time. Some files, for example, may be highly important, and therefore anomalous behaviors or violations involving those assets should be responded to more rapidly than those involving other files. Computing a higher importance value for those files compared to others quantifies this relationship. As the Interset platform identifies important files, machine learning methods are used to learn the common attributes of these files and to discover and identify other, new files that are likely to be important as well.

The “vulnerability” of an entity is used to amplify the entity’s importance over time, based on the observed behaviors involving that entity. As every user, file or machine exhibits anomalies, violations and exits, the vulnerability of the entities involved is increased in proportion to the severity and recency of the event. In other words, the more serious the bad event, and the more of them that happen close together, the more quickly the vulnerability and overall risk score of the entity increase.

Figure: The relationship of Events, Behavioral Risk and Entity Risk: three events drive all risk scores higher.

The figure above illustrates a simple three-event example that shows the relationship between the behavioral and entity risk models and how entity risk scores change over time. As J Mason executes three events, the anomalous nature and riskiness of each event produces higher behavioral risk scores. To start, the entity risk scores are very low, showing little danger across the user, the machine logged into and the file accessed. As each event occurs, the behavior and entity risk scores climb. The Interset Behavioral Analytics Engine then surfaces the threat across the events as well as the entities. The derivative file created is also surfaced, as it inherits the high risk score of its parent asset.

Rules

The Interset Platform also utilizes a rules engine, which complements the behavioral analytics engine and is applied at two points in the threat detection process. The first is prior to full behavioral analysis, and is the point where corporate or compliance policies can be defined in the system. Policies can be defined to govern user access, application usage (including cloud), USB devices and the access of sensitive files. The alerts based on these policies can be measured against risk thresholds, so that alerts are triggered only when these thresholds are exceeded. Companies can quickly identify prioritized gaps in their existing IT systems and policies through Interset’s visibility into the activities between users, files and devices and the risk measurements Interset applies. Interset rules can also be set to interact directly with the end user whose actions are creating the violation, offering a powerful real-time training and awareness tool that helps employees understand and self-correct risky behavior.

Reducing noise and false positives

Through Interset’s stories approach, which is driven by the various behavioral and entity risk models, security teams are able to cut through the noise and false positive events that currently overwhelm them. As an example — suppose “John Sneakypants” was detected accessing an important network share, an unusual event given his historical access patterns and/or the patterns of his peers in the same role. This may be suspicious, but it could also be a false positive if John has had a recent role change or has been assigned to a new project. But suppose that John also accessed this file at a time of day when he was never active before, that he also just took files from a source code project that had been inactive for months, and that he also copied an unusually large number of sensitive files to a USB drive. Suddenly, this event is a lot more suspicious. It is this intuition that the entity risk models capture, in real time, via mathematics.

This enables the Interset platform to automatically focus in and alert on actual threats, while tuning out the massive amounts of uninteresting noise that overwhelm existing tools and the security teams that operate them. The stories approach can vastly improve an organization’s ability to quickly determine the root cause of a threat and respond proactively before critical data is compromised.
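The entity risk, behavior risk and stories mechanics described above (the three-event example and the John Sneakypants chain), as an added runnable illustration: this is constructed code, not Interset's own models, and the exponential half-life, the noisy-OR story combination, the alert threshold, the event fields and the sample events are all assumptions.

```python
# Toy model of decaying entity risk, behavior risk and anomaly "stories". Constructed
# for this page, not Interset's own models: the half-life, the noisy-OR combination,
# the threshold and the sample events are all assumptions.
from dataclasses import dataclass

HALF_LIFE_HOURS = 72.0     # assumption: a quiet entity's risk halves every 3 days
STORY_WINDOW_HOURS = 24.0  # assumption: one user's anomalies within a day link up
ALERT_THRESHOLD = 0.5      # assumption: story score needed to raise an alert

@dataclass
class Entity:
    name: str               # a user, machine or asset
    risk: float = 0.0       # normalized entity risk score, 0..1
    last_seen: float = 0.0  # hour of the last event that involved this entity

    def decayed(self, now: float) -> float:
        # Risk remaining at `now` after exponential decay since last_seen.
        return self.risk * 0.5 ** ((now - self.last_seen) / HALF_LIFE_HOURS)

    def amplify(self, severity: float, now: float) -> float:
        # Push risk toward 1.0 in proportion to severity; close-together events compound.
        current = self.decayed(now)
        self.risk = current + severity * (1.0 - current)
        self.last_seen = now
        return self.risk

@dataclass
class Event:
    t: float                # hour of the event
    user: str
    machine: str
    asset: str
    activity_risk: float    # departure from the user's baseline, 0..1
    movement_risk: float    # risk of where the data went (USB, webmail, ...), 0..1
    parent_asset: str = ""  # set when `asset` is a copy derived from another file

def score(ev: Event, entities: dict[str, Entity]) -> float:
    """Behavior risk = mean of identity, activity, asset and movement risk; every
    entity involved is then amplified by that score."""
    user, machine, asset = (entities.setdefault(n, Entity(n))
                            for n in (ev.user, ev.machine, ev.asset))
    if ev.parent_asset and asset.risk == 0.0:  # a derived file inherits its parent's risk
        parent = entities.setdefault(ev.parent_asset, Entity(ev.parent_asset))
        asset.risk, asset.last_seen = parent.decayed(ev.t), ev.t
    identity = max(user.decayed(ev.t), machine.decayed(ev.t))
    behavior = (identity + ev.activity_risk + asset.decayed(ev.t) + ev.movement_risk) / 4
    for e in (user, machine, asset):
        e.amplify(behavior, ev.t)
    return behavior

def story_scores(scored: list[tuple[Event, float]]) -> dict[str, float]:
    """Chain each user's anomalies that fall within STORY_WINDOW_HOURS of the previous
    one and combine them with noisy-OR; returns each user's current story score."""
    last_t, miss, result = {}, {}, {}
    for ev, b in sorted(scored, key=lambda p: p[0].t):
        if ev.t - last_t.get(ev.user, float("-inf")) > STORY_WINDOW_HOURS:
            miss[ev.user] = 1.0  # gap too long: start a fresh story
        miss[ev.user] *= 1.0 - b  # one moderate anomaly stays low; several do not
        last_t[ev.user] = ev.t
        result[ev.user] = 1.0 - miss[ev.user]
    return result

def run(events: list[Event]) -> tuple[dict[str, Entity], dict[str, float]]:
    entities: dict[str, Entity] = {}
    scored = [(ev, score(ev, entities)) for ev in events]
    return entities, story_scores(scored)

# Constructed sample: the John Sneakypants chain, plus a colleague with one odd share access.
SAMPLE_EVENTS = [
    Event(0.0, "jsneakypants", "ws-17", "//share/finance/plan.xlsx", 0.5, 0.0),
    Event(2.0, "jsneakypants", "ws-17", "scm://legacy-project", 0.6, 0.0),
    Event(3.0, "jsneakypants", "ws-17", "usb:/plan.xlsx", 0.7, 0.9, parent_asset="//share/finance/plan.xlsx"),
    Event(5.0, "amason", "ws-22", "//share/finance/plan.xlsx", 0.5, 0.0),
]
```

Running `run(SAMPLE_EVENTS)` leaves the colleague's single anomaly below the threshold while John's chain crosses it, and the USB copy ends up riskier than the share file it was derived from.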

Figure: Interset Enterprise Risk and Threat Detection Architecture.


Proactive Forensics

Leveraging end-user behavioral analytics is also key to lowering the cost of forensic investigations. It illuminates the patterns and relationships created by the habits and activities of users and their devices. By capturing the relationships between identities, activities, assets (files and machines) and the movement of the data, an investigation can quickly and accurately identify the information that defines the risk or threat, down to the user, application or file in question. Since all activity is captured, a complete historical record of the events related to the threat and all relationships is immediately available. This enables you to reconstruct the activities that led up to the event, automating the reconstruction and loss analysis and compressing the time it takes to determine the root cause and extent of a breach. Forensics are no longer reactive but proactive, dramatically lowering the cost to investigate an incident and enabling fast pursuit of legal action or policy adjustments to prevent or reduce the risk of a future breach.

Use Cases

Beyond the protection of intellectual property and trade secrets, the Interset Platform addresses several other use cases:

• Employee Resignation: The US CERT reports that more than 70% of resigning employees leave with IP, trade secrets and other sensitive business data. Interset captures all end-user file-level events, and when an employee announces their resignation, reports can be quickly generated to see what sensitive data was accessed and where it was moved to. HR departments can include these reports in their exit interviews and take effective action to eliminate this common data loss risk. Similarly, when employees have not yet announced their resignation but plan to leave with malicious intent, the Interset Platform captures the behavioral changes of such users and can alert security and HR to prevent data exfiltration. With its unique and extensive visibility, Interset can see and capture all sensitive file movements involving USB devices and cloud environments, whether the machine is on or off the corporate network or completely offline.

• IT Controls/Policy Violations: Risks from improper application usage, improper file access and storage, and usage of unauthorized cloud storage systems are all captured by Interset and can be easily seen through the Interset UI. Common risks like USB device usage, webmail attachments and employees emailing work home are also captured. It is very common for scientists, researchers and technicians to “bring their work home,” and in some cases this is even approved, but Interset can provide an understanding of how users are moving the data home and what risk they are creating when they do. One Life Sciences customer had an IT control on Outlook attachment size to minimize storage and help with some compliance regulations. Interset quickly showed that employees were bypassing the control by attaching large files to webmail and using that for data transfer to other employees and partners, creating an even greater risk of data loss and non-compliance.

• Education: Interset also supports the notion that your best data security tool is an educated employee. This is especially true in highly creative and open industries. When Interset recognizes that a user is violating a policy or taking an unusual risk, real-time notifications detailing what the violation or risk is, and the alternative paths the employee can choose, are immediately sent to the user. Education on corporate policy, awareness of new risks and self-remediation of improper activity represent the most effective IT control available.


Conclusion

Using the science of behavioral analytics, Interset helps IP- and trade-secret-centric companies and their partners gain visibility into what is truly happening across their collaborative enterprise. The ability to detect risky user behaviors, processes and controls enables companies to quickly detect and act on anomalies that represent insider and outsider threats. This level of risk visibility and detection gives you the power to secure high-value intellectual property and trade secrets, as well as other sensitive business data.

Interset’s innovative approach offers significant advantages, including:

• Reducing noise and false positives so that security teams can focus on material risks and actual threats

• Reducing the time required to forensically investigate a risky event or anomaly

• Expanding protection to include all types of IP and trade secrets including specialized design, engineering, PLM and source code management applications

• Expanding protection to endpoints, whether they are on the corporate network or offline

• Accurately detecting insider and outsider attacks during their early stages, enabling the attack to be stopped before sensitive data is compromised

These advantages reduce the overall cost and complexity of a threat detection and data protection program while increasing a security team’s ability to reduce risk and surface actual threats to the organization. In doing this, Interset enables security teams and companies of all sizes to be more efficient, effectively protect their IP and trade secrets, and most importantly be more competitive in global markets.

About Interset

Interset provides a highly intelligent and accurate insider and targeted outsider threat detection solution that unlocks the power of behavioral analytics, machine learning and big data. Interset provides the fastest, most flexible and affordable way for IT teams of all sizes to operationalize a data protection program. Utilizing lightweight endpoint sensors, agentless data collectors, advanced behavioral analytics and an intuitive user interface, Interset provides unparalleled visibility over sensitive data, enabling early attack detection and actionable forensic intelligence without false positives or white noise.

For more information, visit www.interset.com and follow us on Twitter @intersetca

16 Fitzgerald Road, Suite 150, Ottawa, ON K2H 8R6, Canada
Phone: (613) 226-9445 | Fax: (613) 226-5299

© 2015 Interset Software, Inc. All Rights Reserved. Interset, the Interset logo, FileTrek and the FileTrek logo are trademarks of Interset Software, Inc. All other logos are the property of their respective owners. The content of this document is subject to change without notice.