Introducing Model Builder: Move Faster with Customizable Machine Learning

Security practitioners can customize machine learning algorithms for their environments without data science expertise.


Speed matters. Earth-shattering, I know. Hyper-connectivity has created a need to be connected, aware, and responsive.

Socially, you can decide whether or not that’s important to you. But if you work in cybersecurity, you don’t have that luxury. The cost of being slow can be catastrophic.

In my many years as a product manager, I have not met a user community more deserving of better tools to do their jobs than cybersecurity analysts. They have the impossible job of finding and stopping attacks of all types; the “radiation” of Internet bots, advanced persistent threats by organized actors, insider threats that have the keys to the kingdom, to name a few.

It’s been said that these folks don’t sleep. Can’t say I blame them!

That’s why I have never been more excited about a feature—ever—than I am excited about Model Builder. Our amazing UX team is making this a beautiful, intuitive feature. But what sets it apart for me is its ability to help us move faster.

Interset is well-known for being a true big data analytics platform with patented, award-winning machine learning. The models do a great job of understanding unique normal and raising a flag when behaviors stray from normal. But new threats emerge every day, organizational changes happen every day, and, like I said earlier, speed matters.

We need to empower our analysts to build custom use cases fast.

With Model Builder, security analysts can create custom machine learning use cases in just a few clicks. These use cases leverage entities’ unique normal, but can also incorporate any combination of other anomalies or event details.

For example, if I want to know when someone is accessing an unusual file share and touches the CLIENT DATA file share, and is accessing more data than normal, then tell me.

To put this in perspective, if you were to try to do this without machine learning-based unique normal, you would need to:

  • Review all accesses from that fileshare.
  • Figure out the users for which accessing that file share is unusual. How far back do you go? And what frequency of access is normal? What if someone only touches that file share once per quarter at quarter end, is that normal?
  • Then, for each person, figure out how much data they accessed at that time, and whether or not it was unusual. How far back do you go to measure that? What if you have 10,000 users in your organization, and you have hundreds and hundreds of people from Products, Sales, and marketing accessing that file share? How do you quickly figure out if there’s a problem to solve? Is it even possible?

Interset Model Builder

Let’s look at another example. A new malware strain is making use of a legit process on a workstation, and I’m worried about proliferation. So I may want to know if a machine is running that specific process and is exhibiting unusual process behaviors and is connecting to an unusually high number of hosts on my internal network.

The permutations are endless!

Thanks to Interset’s unsupervised machine learning, I don’t need to worry about knowing what is normal and unusual. With math that never sleeps, Interset’s unique normal takes care of understanding what’s unusual for all users, machines, and all other entities.

Model Builder puts the power of unsupervised machine learning in the hands of security analysts in the context of building custom use cases. Fast.

I’ve never seen more excitement when showing a new concept to a user community, and I can’t wait to see the creative ways in which this will be used. It promises to be a game-changing tool in security operations’ arsenal!