Interset Accelerates Investigations With New Innovation

It ingests third-party data feeds to drive analytic models, create custom workflows/alerts, and enhance incident context

We previously briefed you on how our recent release will expand compromised-account detection. Now, we’d like to explain how our new, advanced data-enrichment framework has grown our specialized-threat and compliance use-case coverage, as well as enhanced attack-path visualizations.

This framework ingests third-party data—threat-intelligence feeds, security systems (including DLP alerts), and even special watch lists (employee notices, HR systems). Interset uses this critical information to optimize analytic-model weighting and workflow actions/alerts. This creates context-rich visualizations that empower SOC analysts to swiftly pinpoint and halt high-risk actors.

“Security teams need to bring all available resources to bear, yet relevant data is often unavailable to the analyst when they need it most,” notes Interset CTO Stephan Jou. “The goal of Interset’s data-enrichment framework is to ingest vastly different types of data that can be highly valuable to threat detection, and use that information to further support the detection and investigations process.”

Existing security tools already produce valuable warnings about anomalous events, but these systems cannot stitch them together. For instance, HR records can yield great insight for identifying insider attacks, yet they are rarely available in real time. With Interset’s flexible framework, security-tool alerts, third-party data feeds, watch lists, and application outputs can all intensify the threat detection and response process.

The enrichment framework’s inputs are processed analytically. This means that Interset’s analytical models can incorporate severity information carried in the third-party feeds to automatically adjust the sensitivity of the models and the behavioral risk scores themselves.

Use cases improved by Interset’s new data-enrichment framework include:

  • Incident Context Enhancement: SOC analysts validating and evaluating threats need as much context as possible. IOC data, anomalous activity, and other high-risk entities must be displayed on a “single pane of glass.” Interset’s data-enrichment framework ingests and connects alerts, threat feeds, watch lists, and other third-party data to deliver a complete picture of the threat, so SOC analysts can make fast and effective decisions regarding incident response and mitigation.
  • Insider Threat Detection: Non-IT data related to the working and social activities of an employee can be useful in determining who is at risk for malicious activity, and the motives driving that action. HR system feeds, high-risk user watch lists, employees who have given notice, reduction-in-force lists, and social-media monitoring system outputs can all be ingested into the Interset platform via the data-enrichment framework. These inputs are used to change the weighting of analytic models, kick off specialized workflows or alerts, and provide rich visual context to investigators.
  • Data Exfiltration: Interset analytics uniquely capture data-staging and exfiltration anomalies from ingested server, file-share, and IP repository system logs. The Interset data-enrichment framework allows the content inspection, fingerprinting, and policy violations of DLP systems to be ingested. This connects customer data movement and compliance violations directly into the Interset platform, combining the data-loss protection of DLP systems with the threat detection of the Interset platform.
  • Targeted Outside Attack: From malware introduction to compromised-account detection, Interset’s data-enrichment framework adds new capabilities to pinpoint attacks faster and provide greater context for investigations. Malware threat-intelligence feed information, application blacklists, cyber-attack alerts from perimeter systems, and EDR system alerts can all be ingested into the Interset system to connect this data with the results of Interset machine learning and analytic models. When an Interset endpoint sensor detects an anomalous executable that matches content from a threat feed, Interset alerts security teams to the presence of the threat and visualizes the anomaly and matching intelligence in the Interset incident view.
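The use cases above share one mechanism: an anomaly scored by a behavioral model is enriched with third-party context (threat-feed severity, HR watch lists, DLP violations), its risk score is re-weighted, and a workflow alert fires when the adjusted score crosses a threshold. The following Python sketch is an added illustration of that pattern and is not Interset’s code; the feed formats, weights, threshold, and every event and indicator in it are constructed assumptions chosen to show the shape of the technique, not values from the platform.

```python
"""Illustrative enrichment step: third-party context re-weights a behavioural risk score.

Added example, not Interset's code. Feeds, weights, threshold and events are all
constructed assumptions; a real deployment would load these from live sources.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# --- Constructed third-party feeds (assumed shapes, not a real feed format) ---
THREAT_FEED = {  # file hash -> severity 1..5, as a malware intel feed might supply
    "9f86d081884c7d659a2feaa0c55ad015": 5,
    "2c26b46b68ffc68ff99b453c1d304134": 2,
}
WATCH_LIST = {  # HR / insider-risk list: username -> reason for listing
    "jsmith": "gave notice",
    "akumar": "reduction in force",
}
DLP_ALERTS = {  # DLP system output: username -> policy violations observed
    "jsmith": ["PCI data in outbound email"],
}

# Weighting rules (assumed): how much each source raises the baseline score.
SEVERITY_WEIGHT = 0.15    # score multiplier grows by this per threat-feed severity point
WATCH_LIST_WEIGHT = 1.5   # multiplier for entities on the HR watch list
DLP_WEIGHT = 1.3          # multiplier applied once per DLP policy violation
ALERT_THRESHOLD = 70.0    # adjusted score at or above which a workflow alert fires


@dataclass
class Anomaly:
    entity: str                    # user or host the analytic model scored
    kind: str                      # e.g. "unusual_executable", "data_staging"
    base_score: float              # behavioural risk score from the model (0-100)
    file_hash: Optional[str] = None  # present for file-related anomalies


@dataclass
class Enriched:
    entity: str
    kind: str
    base_score: float
    risk_score: float
    context: List[str] = field(default_factory=list)  # what the analyst sees
    alert: bool = False


def enrich(anomaly: Anomaly) -> Enriched:
    """Re-weight one anomaly using every feed that knows something about it."""
    score = anomaly.base_score
    ctx: List[str] = []

    # Threat feed: severity from the feed scales the model's own score.
    sev = THREAT_FEED.get(anomaly.file_hash) if anomaly.file_hash else None
    if sev is not None:
        score *= 1 + SEVERITY_WEIGHT * sev
        ctx.append(f"threat feed match (severity {sev})")

    # HR watch list: non-IT context about the entity raises its weighting.
    reason = WATCH_LIST.get(anomaly.entity)
    if reason:
        score *= WATCH_LIST_WEIGHT
        ctx.append(f"watch list: {reason}")

    # DLP: each policy violation tied to the entity compounds the score.
    for violation in DLP_ALERTS.get(anomaly.entity, []):
        score *= DLP_WEIGHT
        ctx.append(f"DLP: {violation}")

    score = round(min(score, 100.0), 1)  # keep the score on the model's 0-100 scale
    return Enriched(anomaly.entity, anomaly.kind, anomaly.base_score,
                    score, ctx, score >= ALERT_THRESHOLD)


def triage(anomalies: List[Anomaly]) -> List[Enriched]:
    """Enrich a batch and return it highest adjusted risk first, for the incident view."""
    return sorted((enrich(a) for a in anomalies), key=lambda e: e.risk_score, reverse=True)


if __name__ == "__main__":
    # Constructed anomalies as a behavioural model might emit them.
    batch = [
        Anomaly("jsmith", "data_staging", 40.0),
        Anomaly("host-17", "unusual_executable", 40.0, "9f86d081884c7d659a2feaa0c55ad015"),
        Anomaly("bob", "unusual_login", 55.0),
    ]
    for e in triage(batch):
        flag = "ALERT" if e.alert else "watch"
        print(f"{flag:5} {e.entity:8} {e.kind:19} {e.base_score:5.1f} -> {e.risk_score:5.1f}  {e.context}")
```

Note that the same base score of 40 ends up as an alert for both the watch-listed user with a DLP hit and the host whose executable matched a high-severity indicator, while a higher raw score with no corroborating context stays below the threshold; that is the effect the text describes when it says feed severity adjusts model sensitivity and the risk scores themselves.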

In addition to the new data-enrichment framework and account-compromise enhancement, the latest release of the Interset platform also includes a unified risk dashboard that provides unprecedented visibility into an organization’s overall threat surface, IT systems, and user risk.