The Healthcare Giant

“With Interset in place, I am confident my unknowns are significantly less and my security-operations teams are focused on mitigating high-risk events, not guessing where they might be.” —CSO

A large health company suspected that an employee was engaging in high-risk activities. Yet none of the company’s security tools surfaced that behavior. This is a recurring theme among insider threats: bad actions are recorded, but never found quickly enough to prevent the attack. The healthcare company initially used a user behavior analytics company, but quickly realized a shortcoming: to be truly powerful, a platform must adapt to several use cases. So they turned to Interset.

Roughly eight months after Interset’s solution was deployed, an employee’s risk score triggered an investigation. Interset detected this worker copying sensitive information, which was against company policy. This kicked off an immediate incident-response process, stopping the employee. Interset’s data about the event was used as proof to fire and prosecute the employee. (A court case against the employee is ongoing.)

Interset’s user behavior analytics can find compromised accounts and spot fraud in compliance with HIPAA. The above customer continues to utilize Interset to watch for anomalous activities. This covers 520 employees and 6.5 billion annual transactions in procedures, labs, payments, and prescriptions.

The Technology Manufacturer

Despite investing more than $1 million with a large security vendor, a technology manufacturer learned that very valuable data had been compromised. Their existing security software failed to surface any breach.

Realizing how blind to risk they were—especially in their backend repositories, where IP is stored—this company reached out to Interset for a swift solution. They sent us 30 days of log data (millions of events), and our advanced behavior analytics promptly found and documented two engineers, out of 20,000 employees, stealing source code.

In less than two weeks, Interset spotted even more user and entity anomalies. To the company’s surprise, it identified 11 others swiping data from this technology company—three in North America, eight in China. Previously, the company’s risk-management team could not see whether users were stealing data or spot any risky activity. Interset optimized their existing security detail and applied multidimensional analytics that ranked risks, giving this team clarity. Because the only way to stop increasingly complex threats is through visibility, the company continues to watch continuously for sensitive data being put at risk, improper data access and movement by any user (including third parties), account compromises, and rogue-machine anomalies.

The Medical-Innovations Company

“Interset worked as designed! No other tool in our environment—DLP network and endpoint—could have provided the information Interset did to detect and research what this person was doing.” —Director of Information Security, IT Audit, and Quality

“With Interset, I can predict with 90% accuracy when someone will leave the company, alert HR, and eliminate that person’s ability to steal our sensitive data on their way out the door.” —CSO

A medical-technology company reached out to Interset to secure its valuable, proprietary data from tough-to-detect insider threats. After being deployed, the Interset Platform alerted the security team to an IT administrator who demonstrated anomalous behaviors of someone about to leave the company—chief among them, emailing out large amounts of data through Gmail attachments.

Interset was also able to verify that these attachments contained critical IP related to business processes for the development and testing of new drug therapies. Using Interset’s data, the company fired the employee, who admitted she was about to quit her job to work for a competitor. All of the stolen data was recovered.

She was stopped thanks to Interset’s ability to predict a departing employee, even in a case such as this, involving various ranks across the globe. The platform does this by building a picture of the business that includes actual risks and threats that have not been seen before. Meanwhile, the actionable data that comes with this real-time investigation gives companies the legal recourse to follow through on this type of crime.

The Defense Contractor

“Interset’s analytics are like nothing else in the market.” —Information Security Manager

“With Interset, I understand where intellectual property is being used or saved on endpoints, and apply dynamic risk-scoring to inform data-enforcement tools. Most importantly, I can also find derivative files that are created from classified documents.” —Director of IP Protection and Security

This defense contractor, an organization that brings in a half-billion dollars in revenue, was concerned that privileged users were compromising highly sensitive weapons and intelligence-collection systems data.

The company deployed Interset’s endpoint sensors to monitor employees with high levels of access to classified information. The platform detected, in real time, a person exfiltrating IP onto a portable hard drive: its algorithms connected these actions to a high risk score.

Company security acted immediately, coordinating with legal and HR teams. HR recalled that the employee had given notice the previous week to work for a competitor; the employee was stealing thousands of files on the way out the door. The hard drive was recovered, and no data was lost. Using Interset’s actionable data, this employee is currently being investigated on criminal charges.

The Hospitality Company

At a major hospitality company, Interset leveraged endpoint data and detected a nation-state-level Red Team attack. Behavioral indicators of an attack quickly came to light, and Interset uncovered the entire attack lifecycle.

By identifying unusual processes and anomalous activities, Interset discovered that the attacker leveraged an Outlook Web Access (OWA) timing attack to uncover valid user accounts and used the remote attack tools Mimikatz and CrackMapExec against a known administrative server. Interset also uncovered that a compromised administrator account accessed an administrator laptop and enumerated directories on other machines to look for files with passwords. This same compromised account was also spotted engaging in lateral movement to adjacent servers and launching more reconnaissance attacks.

Meanwhile, Interset identified a secondary attack testing for default passwords, which resulted in numerous failed authentication attempts and a high volume of processes generated by a Python script used by the attacker. A final attack leveraged a sustained series of Windows Management Instrumentation (WMI) attacks against multiple servers, detected by anomalous process activity on the attacked servers and an unusual volume of processes on the attacking machine.
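The two behavioral signals named above (a burst of failed authentications against one server, and a host spawning far more processes than it normally does) can be reproduced with a simple per-host baseline. The following is an added illustration, not Interset's code or its scoring model: the event records are constructed, the seven-day baseline and the score, ratio and distinct-account thresholds are assumptions chosen for the example, and a real deployment would tune them against its own telemetry.

```python
"""Baseline-vs-today anomaly flags over constructed host telemetry (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

BASELINE_DAYS = range(1, 8)   # seven days of normal activity (assumption)
DETECTION_DAY = 8
STD_FLOOR = 1.0               # avoids a zero divisor on a perfectly flat baseline
SCORE_THRESHOLD = 3.0         # z-like score a count must exceed to be flagged
RATIO_THRESHOLD = 2.0         # ... and it must be at least double the baseline mean
SPRAY_MIN_ACCOUNTS = 10       # distinct accounts failing logon on one host in a day


def build_events():
    """Constructed events as (day, host, event, account).

    "failed_logon" stands in for a failed-authentication record and
    "process_create" for a process-creation record; counts are invented.
    """
    events = []
    for day in BASELINE_DAYS:
        for host, nproc in (("ws-01", 40), ("ws-02", 35), ("srv-admin", 60)):
            events += [(day, host, "process_create", "svc")] * nproc
        events += [(day, "srv-admin", "failed_logon", "alice")] * 2
        events += [(day, "ws-01", "failed_logon", "bob")]
    # Detection day: ws-02 spawns ten times its usual process count, and
    # srv-admin sees failed logons spread across forty distinct accounts.
    events += [(DETECTION_DAY, "ws-02", "process_create", "svc")] * 350
    events += [(DETECTION_DAY, "ws-01", "process_create", "svc")] * 42
    events += [(DETECTION_DAY, "srv-admin", "process_create", "svc")] * 58
    events += [(DETECTION_DAY, "srv-admin", "failed_logon", f"user{i}") for i in range(40)]
    events += [(DETECTION_DAY, "ws-01", "failed_logon", "bob")]
    return events


def daily_counts(events):
    """Return {(host, event): {day: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, host, event, _account in events:
        counts[(host, event)][day] += 1
    return counts


def volume_anomalies(events, detection_day=DETECTION_DAY):
    """Flag (host, event) pairs whose detection-day count sits far above baseline."""
    findings = {}
    for key, per_day in daily_counts(events).items():
        baseline = [per_day.get(d, 0) for d in BASELINE_DAYS]
        today = per_day.get(detection_day, 0)
        mu = mean(baseline)
        sigma = max(pstdev(baseline), STD_FLOOR)
        score = (today - mu) / sigma
        # Both conditions: statistically unusual AND materially larger than normal,
        # so a host with a flat baseline of 40 is not flagged for reaching 42.
        if score > SCORE_THRESHOLD and today >= RATIO_THRESHOLD * max(mu, 1.0):
            findings[key] = {"baseline_mean": mu, "today": today, "score": round(score, 1)}
    return findings


def account_spread_anomalies(events, detection_day=DETECTION_DAY):
    """Flag hosts where one day's failed logons span many distinct accounts.

    A raw count alone cannot separate one user mistyping a password from a
    default-password or spray attempt; the spread across accounts can.
    """
    accounts = defaultdict(set)
    for day, host, event, account in events:
        if event == "failed_logon" and day == detection_day:
            accounts[host].add(account)
    return {host: len(names) for host, names in accounts.items()
            if len(names) >= SPRAY_MIN_ACCOUNTS}


if __name__ == "__main__":
    evs = build_events()
    for key, detail in volume_anomalies(evs).items():
        print("volume anomaly", key, detail)
    for host, n in account_spread_anomalies(evs).items():
        print("failed logons across", n, "distinct accounts on", host)
```

Run as a script it prints two volume findings (the process spike on ws-02 and the failed-logon surge on srv-admin) and one account-spread finding for srv-admin, while the small day-to-day drift on ws-01 stays quiet. The ratio guard matters: with a perfectly flat baseline the standard deviation is zero, so without the floor and the ratio check any increase at all would score as an outlier.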

High-quality security leads showed the threat hunters and incident responders important attack characteristics, giving the company’s security team the right context to respond to the attack. Thankfully, this attack was orchestrated by the company’s Red Team, but detecting this kind of attack signals that the company is better prepared to detect a real one.