Detecting and preventing cyberattacks with anomaly detection and machine learning

by in Security

Guest post by Stephan Jou, CTO, Interset

The Gartner Security & Risk Management Summit is just a few days away, and I’m delighted to have the opportunity to chat with attendees about how anomaly detection and machine learning can help give your organization a more proactive security posture. 

Detecting and preventing cyberattacks with anomaly detection and machine learning.pngYou don’t need to have been in the cybersecurity space for long to be bewildered by and unsure about vendor claims around artificial intelligence, machine learning, and analytics. At Interset (acquired by Micro Focus in February of this year), we have regular conversations with security professionals who struggle to understand which techniques and tools are effective in boosting breach defense in the real world. Ultimately, these conversations lead to an important question for us: How can you implement user and entity behavioral analytics (UEBA) in a way that will enable an efficient security operations center (SOC)? 

There are multiple factors that go into an effective UEBA implementation, but it’s helpful to start with ensuring that the math and machine learning powering the solution are suitable for your security objectives. One of the key differentiators for Interset is that we leverage unsupervised machine learning, a type of learning that looks at patterns within unlabeled datasets. This is unlike supervised machine learning, which requires labels in order to train a model. The difference is helpful to understand because it impacts what we’re able to detect. 

When we first started building our technology, most solutions on the market were falling short on effectively detecting complex insider threats or targeted outside attacks. With the exception of malware, labeled data was hard to come by. Insider threats, compromised accounts, privilege escalation, advanced persistent threats (APTs) rarely had datasets with labels. As a result, for us to pursue a solution that detected these types of more sophisticated threats, supervised machine learning just wasn’t an option. So we turned to an unsupervised approach, and specifically embraced anomaly detection methods. 

Of course, if we had built a set of anomaly models and stopped there, we’d essentially be another rules-based solution—admittedly a very smart one—generating alerts based on behavior that was flagged as out of the ordinary. Our anomaly models are an essential part of our solution, but we developed another layer of math to automatically corroborate an entity’s anomalous behaviors together. This became the entity risk models that help compress billions of events into hundreds of thousands of anomalies, and then finally into a small list of high quality leads. This dramatically helped reduce the noise associated with a traditional alert-based approach. 

Our journey to designing our UEBA solution has given us a clearer understanding of how to operationalize anomaly detection to specific security use cases. In my session at Gartner, I intend to explore this in greater detail, helping attendees to understand how to create the most effective anomaly detection approach create accurate baselines, reduce false positives, and identify real threats quickly so that your SOC can boost productivity and more effectively protect your organization. 

If you haven’t yet, be sure to register for the 2019 Gartner Security & Risk Management Summit and join our conversation on anomaly detection on Tuesday, June 18th, at 3:30 p.m. You can also swing by booth #1045 on June 18th - 19th to chat with me about your organization’s specific security needs. See you there! 


TUESDAY, JUNE 18, 2019 / 03:30 PM - 04:00 PM

Micro Focus: UEBA: Effective Anomaly Detection and ML for Cyberattack Detection and Prevention
Stephan Jou, CTO, Interset Software Inc.
There is plenty of buzz around the power of machine learning and analytics to detect threats, but what techniques and tools are succeeding in the real world? Stephan Jou, CTO at Interset, a Micro Focus company, will explore the math and motivation behind effective anomaly detection and machine learning, followed by case studies showing detection of APTs, data theft, red team attacks, and more.


Security Operations