At the 2018 CRIAQ RDV Forum, Interset Director of Field Operations Jay Lillie presented on Interset's mission to apply principled math and data science to cybersecurity in order to detect insider threats.
3. Traditional cybersecurity
The practice includes…
Rules and thresholds
Training algorithms with data
Ideal for finding malware
Decades of data to study
Always looks the same no matter where it manifests
4. Traditional cybersecurity
“Tell me what I’m looking for…”
5. Traditional cybersecurity
You only find exactly what you’re seeking… nothing more.
Working at midnight?
Attaching 500MB to an email?
Looking at corporate strategy data?
Checking out software code from Project X?
A machine communicating on port 465?
Machine A & B connecting via HTTP?
Printer “P015” printing 50 pages at noon?
cmd.exe launched on a workstation?
Which of these represent a malicious actor on your network attempting to steal data?
This makes the approach ineffective for detecting insider threats, because the appropriateness of the behavior is based on context.
6. Traditional cybersecurity
You only find exactly what you’re seeking… nothing more.
Q: Which of these actions are a sign of a malicious insider?
A: It depends.
7. Traditional cybersecurity
You only find exactly what you’re seeking… nothing more.
Without context for reference when assessing insider actions, you’re “flying blind.”
You can’t fight what you don’t see…
9. Our fundamental innovation premise
Rather than a cybersecurity company trying to learn to properly apply analytical principles… Interset is an analytics company applying principled math and data science to the cybersecurity domain.
10. The idea
Rather than trying to define the nearly infinite ways that “bad” (abnormal) behavior can manifest itself… observe the “good” (normal) behavior and focus on the small set of actions that deviate.
11. This produces an approach that is uniquely suited for detection of insider threats and external exploits with insider characteristics.
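The two ideas above (slides 5 to 7: the same action is benign or suspicious depending on context; slide 10: learn what is normal and score what deviates) can be shown with a small baseline-and-deviation scorer. The code below is an added illustration, not Interset's product or anything presented at the forum. It builds a per-user baseline from constructed history for two hypothetical users, "alice" (office hours, small attachments) and "bob" (night shift, routinely large attachments), then scores new events by how surprising the hour of day is (Laplace-smoothed histogram) and how far the attachment size sits above the user's median (robust z-score using the median absolute deviation). The 6.0 threshold and the 3.0 per-feature cut-offs are arbitrary choices for the example. A user with no history falls back to a population-wide baseline rather than being silently scored as normal.

```python
"""Baseline 'normal' per user, then score deviations (added example)."""
import math
from collections import Counter
from statistics import median

# Constructed sample history (user, hour_of_day, attachment_bytes). The users
# and numbers are hypothetical, not data from the presentation.
HISTORY = (
    [("alice", h, s) for h in (9, 10, 11, 13, 14, 15, 16) * 4
     for s in (200_000, 450_000, 1_200_000)]
    + [("bob", h, s) for h in (22, 23, 0, 1, 2) * 4
       for s in (400_000_000, 550_000_000, 700_000_000)]
)


class Baseline:
    """What 'normal' looks like for one population of events."""

    def __init__(self, events):
        self.n = len(events)
        self.hours = Counter(h for _, h, _ in events)
        sizes = [s for _, _, s in events]
        self.size_median = median(sizes)
        mad = median(abs(s - self.size_median) for s in sizes)
        # 1.4826 * MAD estimates sigma for normal data; fall back when MAD is 0
        # (all attachments identical) so we never divide by zero.
        self.size_scale = 1.4826 * mad if mad else max(self.size_median, 1.0)

    def hour_surprise(self, hour):
        """Surprise (nats) of seeing this hour, Laplace-smoothed over 24 bins."""
        p = (self.hours[hour] + 1) / (self.n + 24)
        return -math.log(p)

    def size_deviation(self, size):
        """Robust z-score; only unusually large attachments count (exfil)."""
        return max(0.0, (size - self.size_median) / self.size_scale)


class Scorer:
    """Scores events against the acting user's own baseline."""

    def __init__(self, history, threshold=6.0):
        self.threshold = threshold  # arbitrary cut-off for this example
        by_user = {}
        for user, hour, size in history:
            by_user.setdefault(user, []).append((user, hour, size))
        self.user_baselines = {u: Baseline(ev) for u, ev in by_user.items()}
        # Fallback for users with no history: compare against everyone.
        self.population = Baseline(history)

    def score(self, user, hour, size):
        base = self.user_baselines.get(user)
        reasons = []
        if base is None:
            base = self.population
            reasons.append("no baseline for user; using population baseline")
        hs = base.hour_surprise(hour)
        sd = base.size_deviation(size)
        if hs > 3.0:
            reasons.append(f"unusual hour {hour:02d}:00 (surprise {hs:.1f})")
        if sd > 3.0:
            reasons.append(f"attachment {sd:.0f} robust-sigma above median")
        # Combine: hour surprise plus a damped size deviation.
        total = hs + math.log1p(sd)
        return {"user": user, "score": round(total, 2),
                "anomalous": total > self.threshold, "reasons": reasons}


SCORER = Scorer(HISTORY)

if __name__ == "__main__":
    # Same raw action ("500MB attachment at midnight"), different verdict
    # depending on whose baseline it is measured against.
    for ev in [("alice", 0, 500_000_000), ("bob", 0, 500_000_000),
               ("alice", 10, 450_000), ("carol", 3, 900_000_000)]:
        print(SCORER.score(*ev))
```

Run as a script it prints one verdict per event: the midnight 500MB email is flagged for alice (both features deviate) and passes for bob (both are within his normal), which is the "it depends" of slide 6 expressed as a rule that needs no signature of "bad".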