
ZoneFox, Machine Learning, the Insider Threat and how UEBA protects the user and the company

Date post: 06-Apr-2017
Upload: zonefox
Transcript
Page 1: ZoneFox, Machine Learning, the Insider Threat and how UEBA protects the user and the company

Analyze. Detect. Protect.

ZoneFox

Machine learning and the Insider Threat

Page 2

Who are ZoneFox?

ZoneFox is an award-winning market leader in User Behaviour Analytics, providing critical insights around data-flow that you need to secure against the Insider Threat.

Page 3

The Insider Threat - Your top-performing team…

• Did I just accidentally send that customer list to someone?

• I’ve just been offered a job with our biggest competitor

• I’m really annoyed that I didn’t get that promotion

• My account has been compromised

Page 4

Company profile

Several departments including:

• R&D
• Testing
• Client/Consultancy Services

Page 5

The Behaviour

User had installed backup software in violation of policy

Subterfuge

• Incremental backup (check for updates)
• Files collated into easily handled ZIP
• Would run out-of-hours
• ‘Fire and forget’

Page 6

The Data

182,000 files including:

• Results of confidential product testing
• CAD designs for prototypes and new products
• Bills of Materials for new designs
• Printed Circuit board designs
• Contracts and agreements with research and manufacturing partners

Page 7

Exfiltration

• User disconnected end-point as they had a ‘hunch’ they were being monitored
• Plugged-in removable media

Page 8

The debrief

When we presented the report to the CISO

– Individual had handed in their resignation to go to a competitor

– Disabled existing controls

Issues

– Had the employee been backing up other information before the HR event?

– What if the employee had lied about joining a competitor?

– Not enough people to spot this kind of behaviour

Page 9

What can we do?

• If the sophistication of attacks increases, our response needs to be more sophisticated…

Rules, Manual Monitoring & Search

Machine Learning and UBA

Page 10

Time to do something different…

Page 11

Addressing this – Machine Learning (UBA 101)

• Harness the power of machine learning to spot unusual user activity automatically

• Record actual user activity at the endpoint

• Build a profile for a user over a period of time. Ideally a small number of days rather than weeks so that you can re-build models regularly

• Compare a user’s new activity to their previous activity

• Use peer groups to reduce false positives

Page 12

How Does it Work?

[Figure: Peer Group 1, Peer Group 2, Peer Group 3 and Peer Group 4, with a statistically relevant outlier, a.k.a. Bad Guy]
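
The per-user profile and peer-group comparison from the "UBA 101" and "How Does it Work?" slides, as an added example (not ZoneFox code). The user names, counts and threshold are constructed, and a z-score plus a median/MAD score stand in for whatever model the product actually uses.

```python
from statistics import mean, median, stdev

# Constructed data: files touched per day by four users in one peer group.
BASELINE = {  # short profile window: five days rather than weeks
    "alice": [110, 95, 120, 105, 100],
    "bob":   [90, 130, 115, 100, 98],
    "carol": [80, 85, 90, 75, 82],
    "dave":  [100, 105, 98, 110, 102],
}
RELEASE_DAY = {"alice": 400, "bob": 420, "carol": 380, "dave": 410}  # whole team busy
EXFIL_DAY = {"alice": 108, "bob": 112, "carol": 84, "dave": 1800}    # one user spikes

def self_z(history, today):
    """Deviation of today's count from the user's own previous activity."""
    sd = max(stdev(history), 1.0)  # floor so a flat history cannot divide by zero
    return (today - mean(history)) / sd

def peer_z(user, today_by_user):
    """Robust deviation from the rest of the peer group (median and MAD)."""
    others = [v for u, v in today_by_user.items() if u != user]
    med = median(others)
    mad = max(median([abs(v - med) for v in others]), 1.0)
    return (today_by_user[user] - med) / (1.4826 * mad)

def outliers(baseline, today_by_user, threshold=3.0):
    """Users who are unusual against BOTH their own profile and their peers."""
    return sorted(
        user for user, today in today_by_user.items()
        if self_z(baseline[user], today) > threshold
        and peer_z(user, today_by_user) > threshold
    )

if __name__ == "__main__":
    # Self-comparison alone would alert on every user on release day.
    print("self-only alerts:", [u for u, v in RELEASE_DAY.items()
                                if self_z(BASELINE[u], v) > 3.0])
    print("release day:", outliers(BASELINE, RELEASE_DAY))
    print("exfil day:  ", outliers(BASELINE, EXFIL_DAY))
```
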

Page 13

What does this look like in production?

Page 14

UEBA – Capabilities and Limitations

• Capabilities
  – Monitor large amounts of users and data
  – Gets in-depth into your users’ activities
  – Doesn’t need a scale-up of security staff
  – Compute power is cheap – harness it

• Limitations
  – Over-reliance?
  – Inability to see what triggered an alert?
  – Push back over amount of data analysed?
  – Court cases over validity of algorithms?

Page 15

Future of UBA

• Deep learning
• Integration with external systems
  – HR
  – Social Media
  – Access control systems
  – Etc.

Page 16

Questions

Get in touch today to find out how ZoneFox can protect you
