Interset Has Expanded Its Compromised-Account Detection

We added more probabilistic models to bolster unsupervised machine learning


We take pride in how we’ve been innovating in the security-analytics space. We recently released a new version of the Interset platform, and we want to explain how its design improves compromised-account detection.

Our science team added more than 100 pre-built account-compromise models to our ever-growing library of hundreds of behavioral models. Built on unsupervised machine-learning techniques, the new models increase the accuracy and speed with which account compromise is pinpointed. (This likewise deepens the detection of hard-to-spot activity such as insider threats, internal reconnaissance, lateral movement, and data exfiltration.)

The models surface account-compromise anomalies across dissimilar data sets, including Active Directory, endpoints, Windows and Linux server logs, and application logs from enterprise intellectual-property repositories such as file shares, SCM, and PLM systems. Here are a few examples:

  • Active Directory models that factor in changes to admins and other privileged accounts, such as altered access or addition to new groups.
  • Active Directory models that detect unusual destination-server access, sudden activity from rarely seen users, and unusual VPN authentication.
  • Endpoint models that connect anomalous registry and system events to potential account compromise. These link a compromised account to anomalous file events and to network/IP data-transfer anomalies, giving endpoint-to-network threat context.
  • Analytic models for Linux and Windows server logs, which look for unusual server access and for unusual data types and volumes moved to or from the server. These models compare a server’s activity not only to its own log history, but also to that of other servers in the same role.
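
The last two bullets describe the shape of the check: score an event against the server’s own history, against peers in the same role, and against the set of users normally seen there. The script below is an added illustration of that idea on constructed log lines; it is not Interset’s code or one of its models. The log format, the field names, the role labels, and the z-score threshold of 3 are assumptions made for the example. It also covers the case the text motivates peer comparison for: a server with no history of its own, which can only be judged against its role group.

```python
"""Peer-group baseline anomaly scoring over constructed server logs.

Added illustration, not Interset's models or code. The log format, field
names, role labels and the z-score threshold are assumptions for the example.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed historical log lines (not real data). One line per server-day:
# "<day> <server> <role> <user> <bytes_out>"
HISTORY = """\
d1 web01 web svc_web 1200
d2 web01 web svc_web 1300
d3 web01 web svc_web 1100
d1 web02 web svc_web 1250
d2 web02 web svc_web 1150
d3 web02 web svc_web 1350
d1 db01 db svc_db 50000
d2 db01 db svc_db 52000
d3 db01 db svc_db 48000
d1 db02 db svc_db 51000
d2 db02 db svc_db 49000
d3 db02 db svc_db 50500
"""

# Constructed new events to score: a rare user moving a lot of data off web01,
# a normal day on web02, and a brand-new server (web03) with no own history.
NEW_EVENTS = """\
d4 web01 web jdoe 60000
d4 web02 web svc_web 1280
d4 web03 web svc_web 40000
"""


def parse(text):
    """Parse whitespace-separated log lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        day, server, role, user, bytes_out = line.split()
        events.append({"day": day, "server": server, "role": role,
                       "user": user, "bytes_out": int(bytes_out)})
    return events


def build_baselines(history):
    """Mean/stddev of bytes_out per server and per role, plus known-user sets."""
    by_server, by_role = defaultdict(list), defaultdict(list)
    users_by_server, users_by_role = defaultdict(set), defaultdict(set)
    for e in history:
        by_server[e["server"]].append(e["bytes_out"])
        by_role[e["role"]].append(e["bytes_out"])
        users_by_server[e["server"]].add(e["user"])
        users_by_role[e["role"]].add(e["user"])
    stats = lambda xs: (mean(xs), pstdev(xs))
    return {"server": {s: stats(v) for s, v in by_server.items()},
            "role": {r: stats(v) for r, v in by_role.items()},
            "users_by_server": users_by_server,
            "users_by_role": users_by_role}


def zscore(x, mu, sigma):
    """Standard score; a zero-variance baseline makes any deviation extreme."""
    if sigma == 0:
        return 0.0 if x == mu else float("inf")
    return (x - mu) / sigma


def score_event(e, baselines, z_threshold=3.0):
    """Score one event against its server's own history and its role peers."""
    own = baselines["server"].get(e["server"])     # None for an unseen server
    peer = baselines["role"].get(e["role"])
    z_self = zscore(e["bytes_out"], *own) if own else None
    z_peer = zscore(e["bytes_out"], *peer) if peer else None
    rare_on_server = e["user"] not in baselines["users_by_server"].get(e["server"], set())
    rare_in_role = e["user"] not in baselines["users_by_role"].get(e["role"], set())
    reasons = []
    if z_self is not None and abs(z_self) > z_threshold:
        reasons.append("volume unusual for this server's own history")
    if z_peer is not None and abs(z_peer) > z_threshold:
        reasons.append("volume unusual for servers in the same role")
    if rare_in_role:
        reasons.append("user never seen on this server role")
    return {"server": e["server"], "user": e["user"], "z_self": z_self,
            "z_peer": z_peer, "rare_on_server": rare_on_server,
            "rare_in_role": rare_in_role, "reasons": reasons,
            "anomalous": bool(reasons)}


def scan(new_text, baselines):
    """Score every new event; returns one result dict per event."""
    return [score_event(e, baselines) for e in parse(new_text)]


if __name__ == "__main__":
    B = build_baselines(parse(HISTORY))
    for r in scan(NEW_EVENTS, B):
        print(r["server"], r["user"], "ANOMALY" if r["anomalous"] else "ok", r["reasons"])
```

Run as-is and web01/jdoe is flagged on all three grounds, web02 is quiet, and web03 is flagged purely by the peer comparison because `z_self` is `None`. Real deployments would use far richer features and per-day aggregation, but the two-baseline structure is the point: a server that is noisy by its own history can still be normal for its role, and a server with no history is not a blind spot.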

“Many UEBA technologies fail to focus behavioral analytics on all attack stages.”
—Stephan Jou, Interset’s CTO

“Account compromise detection is a critical part of the targeted-attack use case because it occurs early in the attack cycle. When UEBA technology surfaces this stage of the attack, it is essential that analytic models detect what actions the compromised account will take next to expand the attack,” explains Interset CTO Stephan Jou. “Early detection and context offer security teams the best chance at taking the correct response actions to stop the attack, minimize the ability for another attack, and contain potential damage. Many UEBA technologies fail to focus behavioral analytics on all attack stages. Security analysts must then search and guess as to what comes next and, more critically, leave companies open to missing subtle or sophisticated attacks.”

Gartner has identified such systems—which use unsupervised machine learning, massive data sets, and algorithms—as the primary battleground for technology vendors over the next several years.

Interset’s approach includes visual context on the files, machines, applications, and other accounts involved in a potential threat against sensitive data. Because these capabilities are based on unsupervised machine-learning models rather than on hard-coded rules or thresholds, Interset can be deployed rapidly and cost-effectively. It is also significantly more sensitive to compromised-account attacks, which can evade native policy- and rules-based systems.