User Threat Analysis Solution Showcased at Black Hat Europe

Applying machine learning to user data pulled from the network bolsters cyber defenses against insider threats

By Fergal Toomey | December 14, 2018 | Events

The Corvil stand was bustling with visitors at last week’s Black Hat Europe event with demo stations constantly occupied, highlighting how network visibility has become an overarching priority for security professionals. They are also looking to machine learning for preventative solutions, so we struck a chord on two fronts.

In our session, ‘Recognize Users From Their Network Traffic’, we introduced delegates to a new solution that employs machine learning to identify users involved in suspicious behavior. Insider threats now account for more than 80 per cent of cybersecurity incidents – a combination of hackers stealing identities and disgruntled employees stealing company data – so there is a growing demand for tools to fight back.

Linking threats to users

Because Corvil appliances decode and extract metadata from network traffic, we have a foundation for analyzing changes in user behavior that might point towards malicious activity. We see inside the packets and flows; we track users as they access different resources on different devices and hosts; we see the domains they visit on the internet.

We also recognize malicious files that are transferred across the network. The Holy Grail is to make sense of all this activity by linking all the elements together to show which specific users are accessing which files, and who transferred what and from which hosts. If someone is accessing an external domain that’s used by hackers, for example, you need to know which user accounts and what files are being transferred there.

One way we do this is by monitoring network activity on a per-user basis. Once J Bloggs has logged in, we are able to link him to network traffic in terms of the bytes and packets he is generating, the hosts and devices he is using, and the files, websites and databases he may be accessing.

The best way to identify suspicious individual activity is to detect a change in behavior patterns. Having collated all data associated with J Bloggs, we can construct a user behavior timeline that will reveal unusual activity. You can do this manually with the data that Corvil collects, but it’s a time-consuming process, particularly if you want to do it proactively at enterprise scale across hundreds of thousands of users.

Automated analysis

We have developed an automated solution that uses machine learning to recognize 99 percent of people each day, based on past behavior. The challenge was finding the best way to distinguish one user from another. With a sample of 30-50 employees, the algorithm is able to learn what makes J Bloggs distinct - that he reads the New York Times, for example, is a Spotify user and his favorite browser is Firefox.

Corvil continuously updates the classifier that feeds the model so it’s always up to date. As a new sample comes in we test it to see how well it fits and score accordingly. When the score deviates significantly from the historical pattern, it starts to be assessed as a possible threat.

Because people change behavior for perfectly legitimate reasons, this is not our only measure. We combine the data with threat intelligence, file analysis, and various methods of malicious activity detection. The role of the user will also be considered – if J Bloggs has privileged access to highly sensitive data then the alert level will rise.
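The per-user profiling, fit scoring and role weighting described above, sketched as an added example. This is not Corvil's code; the record schema (domains contacted and browser seen per day), the smoothed frequency model and the role weights are all assumptions, and the sample days are constructed.

```python
import math
from collections import Counter
from statistics import mean

# Constructed sample of per-day network metadata: the domains a user contacted
# and the browser seen in their traffic. Schema is assumed, not Corvil's own.
HISTORY = {
    "jbloggs": [
        {"domains": ["nytimes.com", "spotify.com", "mail.example.com"], "browser": "firefox"},
        {"domains": ["nytimes.com", "spotify.com", "wiki.example.com"], "browser": "firefox"},
        {"domains": ["nytimes.com", "mail.example.com"], "browser": "firefox"},
    ],
    "asmith": [
        {"domains": ["bbc.co.uk", "github.com", "mail.example.com"], "browser": "chrome"},
        {"domains": ["github.com", "wiki.example.com"], "browser": "chrome"},
    ],
}
ROLE_WEIGHT = {"standard": 1.0, "privileged": 2.0}  # assumed weighting by access level


def features(day):
    return ["domain:" + d for d in day["domains"]] + ["browser:" + day["browser"]]


def build_profile(days):
    """Per-user profile: on how many past days each feature was observed."""
    counts = Counter()
    for day in days:
        counts.update(set(features(day)))
    return counts, len(days)


def fit_score(profile, sample):
    """Mean log-probability of the sample's features under the profile (smoothed)."""
    counts, n_days = profile
    feats = features(sample)
    return sum(math.log((counts[f] + 0.5) / (n_days + 1)) for f in feats) / len(feats)


def recognize(profiles, sample):
    """Which user's profile explains this traffic best ('recognize users from traffic')."""
    return max(profiles, key=lambda user: fit_score(profiles[user], sample))


def risk_score(profiles, history, user, sample, role="standard"):
    """Drop in fit versus the user's own historical days, scaled by the role weight."""
    baseline = mean(fit_score(profiles[user], day) for day in history[user])
    deviation = max(0.0, baseline - fit_score(profiles[user], sample))
    return deviation * ROLE_WEIGHT[role]


PROFILES = {user: build_profile(days) for user, days in HISTORY.items()}
```

A day of traffic whose best-fitting profile is not the logged-in account, combined with a large deviation from that account's baseline, is the kind of signal the text says is then cross-checked against threat intelligence and file analysis rather than alerted on alone.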

All of the combined information is presented as the overall risk score in the Corvil dashboard when the security analyst signs in. Recognizing users from their network traffic is not easy, but we’ve shown it can be done with a solution that represents a significant step towards insider threat containment.



Fergal Toomey, Co-Founder & Chief Scientist, Corvil
Corvil is the leader in performance monitoring and analytics for electronic financial markets. The world’s financial markets companies turn to Corvil analytics for the unique visibility and intelligence we provide to assure the speed, transparency, and compliance of their businesses globally. Corvil watches over and assures the outcome of electronic transactions with a value in excess of $1 trillion, every day.
@corvilinc
