ZoneFox, Machine Learning, the Insider Threat and How UEBA Protects the User and the Company
TRANSCRIPT
Analyze. Detect. Protect.
ZoneFox: Machine Learning and the Insider Threat
Who are ZoneFox?
ZoneFox is an award-winning market leader in User Behaviour Analytics, providing critical insights around data-flow that you need to secure against the Insider Threat.
The Insider Threat - Your top-performing team…
• “Did I just accidentally send that customer list to someone?”
• “I’ve just been offered a job with our biggest competitor”
• “I’m really annoyed that I didn’t get that promotion”
• “My account has been compromised”
Company profile
Several departments including: R&D, Testing, Client/Consultancy Services
The Behaviour
User had installed backup software in violation of policy
Subterfuge:
• Incremental backup (check for updates)
• Files collated into easily handled ZIP
• Would run out-of-hours
• ‘Fire and forget’
The Data
182,000 files including:
• Results of confidential product testing
• CAD designs for prototypes and new products
• Bills of Materials for new designs
• Printed Circuit Board designs
• Contracts and agreements with research and manufacturing partners
Exfiltration
• User disconnected end-point as they had a ‘hunch’ they were being monitored
• Plugged in removable media
The debrief
When we presented the report to the CISO:
– Individual had handed in their resignation to go to a competitor
– Disabled existing controls
Issues:
– Had the employee been backing up other information before the HR event?
– What if the employee had lied about joining a competitor?
– Not enough people to spot this kind of behaviour
What can we do?
• If the sophistication of attacks increases, our response needs to be more sophisticated…
Rules, Manual Monitoring & Search
Machine Learning and UBA
Time to do something different…
Addressing this – Machine Learning (UBA 101)
• Harness the power of machine learning to spot unusual user activity automatically
• Record actual user activity at the endpoint
• Build a profile for a user over a period of time, ideally a small number of days rather than weeks, so that you can re-build models regularly
• Compare a user’s new activity to their previous activity
• Use peer groups to reduce false positives
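The UBA 101 steps above (a per-user baseline built from a few days of endpoint activity, new activity compared against the user's own history, and peer groups used to suppress false positives), as an added Python example that is not ZoneFox's code. It scores one constructed feature, out-of-hours file reads per day, for hypothetical users and peer groups, and contrasts a group-wide spike (a release crunch) with a single-user spike of the kind the backup case above produced.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed data: out-of-hours file reads per user per day, aggregated from
# endpoint events over a 5-day baseline window (hypothetical user ids and counts).
BASELINE = {
    "alice": [12, 15, 10, 14, 11], "bob": [9, 13, 11, 10, 12], "carol": [14, 12, 13, 15, 11],
    "dave": [3, 2, 4, 3, 2], "erin": [2, 4, 3, 2, 3],
}
PEER_GROUP = {"alice": "R&D", "bob": "R&D", "carol": "R&D", "dave": "Testing", "erin": "Testing"}

# Two constructed "new" days: a release crunch where all of R&D work late, and a day
# where one R&D user alone reads a large number of files out of hours.
DAY_RELEASE = {"alice": 60, "bob": 59, "carol": 61, "dave": 3, "erin": 2}
DAY_EXFIL = {"alice": 12, "bob": 180, "carol": 14, "dave": 3, "erin": 4}


def zscore(value, history):
    """Standard deviations between value and the mean of history (sigma floored at 1)."""
    sigma = max(pstdev(history), 1.0)  # a flat history must not give infinite scores
    return (value - mean(history)) / sigma


def score_day(today, baseline=BASELINE, peers=PEER_GROUP, threshold=3.0):
    """Score one day's activity. Returns {user: (self_z, peer_z, verdict)}.

    self_z: how far today is from the user's own baseline.
    peer_z: how far today is from what the rest of the user's peer group did today.
    A user is 'anomalous' only when both are high; a spike shared by the whole
    group is reported as 'group-wide' instead of raising one alert per user.
    """
    by_group = defaultdict(list)
    for user, count in today.items():
        by_group[peers[user]].append((user, count))
    results = {}
    for user, count in today.items():
        self_z = zscore(count, baseline[user])
        others = [c for u, c in by_group[peers[user]] if u != user]
        peer_z = zscore(count, others) if others else self_z  # no peers: fall back to self
        if self_z > threshold and peer_z > threshold:
            verdict = "anomalous"
        elif self_z > threshold:
            verdict = "group-wide"
        else:
            verdict = "normal"
        results[user] = (round(self_z, 1), round(peer_z, 1), verdict)
    return results


if __name__ == "__main__":
    for name, day in (("release crunch", DAY_RELEASE), ("single-user spike", DAY_EXFIL)):
        print(name)
        for user, (sz, pz, verdict) in score_day(day).items():
            print(f"  {user:6} self_z={sz:7.1f} peer_z={pz:7.1f} -> {verdict}")
```

With only a handful of users per group the sigma floor does much of the work; in production the peer baseline would be built from the group's own history rather than from two colleagues' counts on the same day.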
How Does it Work?
[Diagram: users clustered into Peer Group 1, Peer Group 2, Peer Group 3 and Peer Group 4, with a statistically relevant outlier, a.k.a. the bad guy, sitting outside the clusters]
What does this look like in production?
UEBA – Capabilities and Limitations
• Capabilities
– Monitor large numbers of users and large volumes of data
– Gets in-depth into your users’ activities
– Doesn’t need a scale-up of security staff
– Compute power is cheap – harness it
• Limitations
– Over-reliance?
– Inability to see what triggered an alert?
– Push back over the amount of data analysed?
– Court cases over the validity of algorithms?
Future of UBA
• Deep learning
• Integration with external systems
– HR
– Social media
– Access control systems
– Etc.
Questions
Get in touch today to find out how ZoneFox can protect you