Interset Expands Support for Compromised Account Detection with More Probabilistic Models for Unsupervised Machine Learning

With its latest release, the automated, intelligent security analytics platform intensifies compromised account attack detection

Ottawa, ON, April 13, 2017 – Security analytics pioneer Interset has added, in its March release, more than 100 pre-built probabilistic math-based account compromise models to its ever-growing threat detection library. The new models leverage Interset’s patented approach to unsupervised machine learning techniques. Together, they automatically detect account compromise, insider threat, internal reconnaissance, lateral movement, and data exfiltration.

The models further increase detection by surfacing account compromise-related anomalies in dissimilar data sets, including Active Directory, endpoints, Win/Linux server logs, and application logs from enterprise IP repositories such as file shares, SCM, and PLM systems.

The additional data sources and analytics bolster the capabilities of the Interset Security Analytics Platform, an intelligent system that learns and adapts autonomously. Gartner has identified such systems—which use unsupervised machine learning, massive data sets, and algorithms—as the primary battleground for technology vendors over the next several years.

Interset’s latest release includes unique, unsupervised machine learning models with expansive visibility to pinpoint account compromises. For example:

  • Active Directory models that factor in changes—such as altered access or addition to new groups—to admins and other privileged accounts. Models compare the user’s behavior against the user’s own baselines and weigh it against peers’ baselines.
  • Active Directory models that monitor all accounts to detect unusual destination server access, sudden activity from rare users, and unusual VPN authentication and access based on location and time of day.
  • Endpoint models that connect anomalous registry and system events to potential account compromise, linking the compromised account to anomalous file events and network/IP data transfer anomalies for endpoint-to-network threat context.
  • Analytic models for Linux and Windows server logs. This includes unusual access to servers as well as unusual data types and volumes moved to or from the server. Models compare the server activity to its own log history, and to other servers in the same role.

Interset’s Analytics Engine is uniquely capable of tying together disparate events using patented, multi-stage probabilistic math to connect events to “entities” (users, machines, files, applications) involved. The analytics engine assigns a relative risk score to each entity based on the anomalous nature of the actions—weighted by sensitivity of the data, type of user account, and security of the machine.

Interset’s approach yields fast and accurate account compromise detection: It includes visual context of the files, machines, applications, and other accounts involved in a potential threat against sensitive data. Because these capabilities are based on unsupervised machine learning models, rather than on hard-coded rules or thresholds, Interset can be deployed rapidly and cost-effectively, and is significantly more sensitive to compromised account attacks, which can evade native policy and rules-based systems.

“Account compromise detection is a critical part of the targeted attack use case because it occurs early in the attack cycle,” says Interset CTO Stephan Jou. “When UEBA technology surfaces this stage of the attack, it is essential that analytic models detect what actions the compromised account will take next to expand the attack. Early detection and context offer security teams the best chance at taking the correct response actions to stop the attack, minimize the ability for another attack, and contain potential damage,” he says. “Many UEBA technologies fail to focus behavioral analytics on all attack stages. Security analysts must then search and guess as to what comes next and, more critically, leave companies open to missing subtle or sophisticated attacks.”

Interset ingests broad amounts of data, uses extensive unsupervised machine learning models against all phases of an attack, and has the unique ability to correlate anomalous events from different data sources back to the entities involved (user, file, application, and machine). This, in turn, offers a complete picture of an unfolding attack and enables security teams to take effective steps to stop the attack.


About Interset

Interset provides highly intelligent, accurate insider and targeted outsider threat detection. Our solution unlocks the power of behavioral analytics, machine learning, and big data to provide the fastest, most flexible, and affordable way for IT teams of all sizes to operationalize a data-protection program. Utilizing agentless data collectors, lightweight endpoint sensors, advanced behavioral analytics, and an intuitive user interface, Interset provides unparalleled visibility into sensitive data. This enables early attack detection and actionable forensic intelligence with reduced false positives and noise. Interset solutions are deployed to protect critical data across the manufacturing, life sciences, high-tech, finance, government, intelligence communities, aerospace and defense, and securities brokerage industries. For more information, visit and follow us on Twitter @intersetca.

Betsy Kosheff