Last week we held a webinar on using the PatternEx Threat Detection Platform to detect data exfiltration, led by Head of Security Solutions Erik Bloch and Chief Data Scientist Ignacio Arnaldo. The webinar had a lively Q&A that touched on questions we frequently hear from prospects and customers, so we have listed some of the best of them here to help you explore the role AI can play in protecting your enterprise.
Q: What kinds of data do you use for making predictions?
For this use case we are using Palo Alto, but we are not limited to that. Our models are very flexible. Any data that shows us flows or truth can be adapted to our models. So if you have different data sources, such as logs from ADCs, DLPs, firewalls, IAM, etc., we can easily adapt them into our models, no problem.
Anything that can show us “this is the activity that happened over some period of time” is something we can ingest.
Q: How is PatternEx's Exfiltration Detection different from what DLP does?
DLP can play a complementary role to PatternEx. DLP finds the things it knows about, but it will miss everything else. And DLP, from my experience, requires a lot of tuning and updating. For example, you have to specify the data or files you want to keep track of or think are important. You constantly have to discover new sources of data, tag them in some way, such as via a watermark, and apply the various policies to the different kinds of data. This leaves room not only for human error but also for missing data. PatternEx monitors all data outflows, no matter how obscure they are.
And of course, DLPs don't learn. They are static, rules-based tagging systems. A DLP was simply not made to do things like that.
Q: I understand that your platform can enable a good analyst to generate an army of good virtual analysts. What if your analysts are average or junior? Do you generate an army of mediocre or junior virtual analysts?
If the system is provided with the wrong labels, then the predictions won't be accurate. We have ways to overcome this as well. We can do something called 'inter-rater reliability', where we compare the labeling performance of one analyst to another, and we overweight the better analyst over time.
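To make the inter-rater reliability idea concrete, here is an added example, written for this post and not PatternEx's code or algorithm, that weights each analyst's labels by their chance-corrected agreement (Cohen's kappa) with alerts whose outcome was later confirmed, then uses those weights in a vote on a new alert. The analyst names, labels and confirmed outcomes are constructed for illustration, and kappa is one reasonable choice of reliability statistic; the page does not say which one PatternEx uses or how it updates the weights.

```python
from typing import Dict, List

# Constructed sample: three analysts independently label the same ten alerts
# (1 = malicious, 0 = benign).  Names and labels are invented for illustration.
ANALYST_LABELS: Dict[str, List[int]] = {
    "alice": [1, 1, 0, 0, 1, 0, 1, 0, 0, 1],
    "bob":   [1, 1, 0, 0, 1, 0, 1, 0, 0, 0],
    "carol": [1, 0, 0, 1, 0, 1, 1, 1, 0, 0],
}
# Constructed: what investigation later confirmed for those ten alerts.
CONFIRMED: List[int] = [1, 1, 0, 0, 1, 0, 1, 0, 0, 1]


def cohen_kappa(a: List[int], b: List[int]) -> float:
    """Chance-corrected agreement between two binary label sequences.
    1.0 = perfect agreement, 0.0 = no better than chance, negative = worse than chance."""
    if len(a) != len(b) or not a:
        raise ValueError("label sequences must be non-empty and the same length")
    n = len(a)
    p_obs = sum(x == y for x, y in zip(a, b)) / n
    pa, pb = sum(a) / n, sum(b) / n
    p_exp = pa * pb + (1 - pa) * (1 - pb)
    if p_exp == 1.0:
        # Both raters used a single label throughout; agreement carries no information.
        return 0.0
    return (p_obs - p_exp) / (1 - p_exp)


def rater_weights(labels: Dict[str, List[int]], confirmed: List[int]) -> Dict[str, float]:
    """Weight each analyst by kappa against confirmed outcomes.
    Analysts who agree with reality no better than chance get weight 0."""
    return {name: max(cohen_kappa(lbls, confirmed), 0.0) for name, lbls in labels.items()}


def weighted_score(weights: Dict[str, float], votes: Dict[str, int]) -> float:
    """Reliability-weighted fraction of the vote calling the alert malicious."""
    total = sum(weights[name] for name in votes)
    if total == 0:
        raise ValueError("no rater with a positive weight voted on this alert")
    return sum(weights[name] * vote for name, vote in votes.items()) / total


def majority_label(votes: Dict[str, int]) -> int:
    """Plain one-analyst-one-vote majority, for comparison."""
    return int(2 * sum(votes.values()) > len(votes))


def weighted_label(weights: Dict[str, float], votes: Dict[str, int],
                   threshold: float = 0.5) -> int:
    """Label the alert malicious when the weighted vote passes the threshold."""
    return int(weighted_score(weights, votes) > threshold)


if __name__ == "__main__":
    weights = rater_weights(ANALYST_LABELS, CONFIRMED)
    print("weights:", {k: round(v, 2) for k, v in weights.items()})
    # A new alert on which the analysts disagree.
    disputed = {"alice": 1, "bob": 0, "carol": 0}
    print("majority label:", majority_label(disputed))
    print("weighted label:", weighted_label(weights, disputed))
```

On the constructed data alice matches every confirmed outcome (kappa 1.0), bob misses one (0.8) and carol does worse than chance (negative kappa, weight 0). For the disputed alert a plain majority would suppress it, while the reliability-weighted vote follows the analyst with the best track record and flags it. To "overweight the better analyst over time" you would recompute these weights after each batch of confirmed outcomes rather than once.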
Q: What is the threshold that the system uses to determine whether future events fit the "profile" as a previously labeled event? For instance, with the example from the demo, if the events subsequently flagged by the system were going to 3 DIPs instead of 4, would the system flag those events?
It depends on the labeled data you have. The more examples you have, the more robust you are to small variations. We are running ML models on top of that that are very good at generalizing the information.
Q: Please discuss the ACM sensitivity with respect to zero-day attacks, or where the analyst may be stumped. Do you help here?
If the behavior found in that example has not been seen before, then it’s possible that the predictive models will not catch it. Rather, we would expect the Rare Event Modeler to catch a zero-day attack. These attacks will have a very distinctive behavior that we will not have seen before.
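As an added illustration of the two preceding answers (scoring deviation from normal rather than matching an exact count of destination IPs, and surfacing never-before-seen behaviour as a rare event), the Python below extracts per-host features from a constructed set of outbound flow records and scores each host by how far it sits from the population baseline using a median/MAD robust z-score. This is example code written for this post, not the PatternEx Rare Event Modeler or its Palo Alto log parser; the CSV layout, host addresses, destinations and byte counts are all invented.

```python
import csv
import io
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample of outbound flow records for one time window (simplified
# columns, not a real Palo Alto export).  Hosts 10.0.0.1-8 show routine traffic;
# 10.0.0.9 and 10.0.0.10 push far more data out, to 4 and 3 new destinations.
FLOW_CSV = """src,dst,dport,bytes_out
10.0.0.1,192.0.2.10,443,20000
10.0.0.1,192.0.2.11,443,15000
10.0.0.2,192.0.2.10,443,8000
10.0.0.3,192.0.2.10,443,12000
10.0.0.3,192.0.2.12,443,9000
10.0.0.3,192.0.2.11,443,30000
10.0.0.4,192.0.2.11,443,22000
10.0.0.5,192.0.2.10,443,18000
10.0.0.5,192.0.2.12,443,25000
10.0.0.6,192.0.2.12,443,5000
10.0.0.7,192.0.2.10,443,30000
10.0.0.7,192.0.2.11,443,10000
10.0.0.8,192.0.2.11,443,14000
10.0.0.8,192.0.2.12,443,16000
10.0.0.9,198.51.100.10,443,5000000
10.0.0.9,198.51.100.11,443,5000000
10.0.0.9,198.51.100.12,8443,5000000
10.0.0.9,198.51.100.13,443,5000000
10.0.0.10,198.51.100.10,443,4000000
10.0.0.10,198.51.100.11,443,4000000
10.0.0.10,198.51.100.12,443,4000000
"""

Flow = Dict[str, object]
Features = Dict[str, Dict[str, float]]


def parse_flows(text: str) -> List[Flow]:
    """Read the CSV into typed records."""
    return [
        {"src": r["src"], "dst": r["dst"], "dport": int(r["dport"]),
         "bytes_out": int(r["bytes_out"])}
        for r in csv.DictReader(io.StringIO(text))
    ]


def entity_features(flows: List[Flow]) -> Features:
    """Aggregate per source host: bytes sent out and distinct destination IPs."""
    bytes_out: Dict[str, int] = defaultdict(int)
    dsts: Dict[str, set] = defaultdict(set)
    for f in flows:
        bytes_out[f["src"]] += f["bytes_out"]
        dsts[f["src"]].add(f["dst"])
    return {src: {"bytes_out": bytes_out[src], "distinct_dst": len(dsts[src])}
            for src in bytes_out}


def robust_z(values: List[float]) -> List[float]:
    """Median/MAD z-score: a few extreme hosts cannot inflate the baseline they are judged against."""
    med = statistics.median(values)
    mad = statistics.median([abs(v - med) for v in values])
    scale = 1.4826 * mad  # MAD scaled to be comparable with a standard deviation
    if scale == 0:
        # Population is identical on this feature: any deviation at all is unusual.
        return [0.0 if v == med else float("inf") for v in values]
    return [(v - med) / scale for v in values]


def score_entities(feats: Features) -> Dict[str, float]:
    """Rarity score per host: largest positive z over its features.
    Sending less than normal is not exfiltration, so negative z is ignored."""
    hosts = sorted(feats)
    scores = {h: 0.0 for h in hosts}
    for feat in ("bytes_out", "distinct_dst"):
        zs = robust_z([feats[h][feat] for h in hosts])
        for h, z in zip(hosts, zs):
            scores[h] = max(scores[h], z)
    return scores


def flag_rare(scores: Dict[str, float], threshold: float = 5.0) -> List[Tuple[str, float]]:
    """Hosts whose score reaches the threshold, most anomalous first."""
    hits = [(h, s) for h, s in scores.items() if s >= threshold]
    return sorted(hits, key=lambda hs: hs[1], reverse=True)


if __name__ == "__main__":
    feats = entity_features(parse_flows(FLOW_CSV))
    for host, score in flag_rare(score_entities(feats)):
        print(f"{host:10s} score={score:8.1f} features={feats[host]}")
```

Both unusual hosts are flagged, and the one with 3 destination IPs scores almost as high as the one with 4, because the model scores how far each host departs from the population on every feature rather than matching a fixed destination count. Nothing here was trained on a labelled example of the exfiltration, which is the sense in which a rare-event model can surface behaviour no analyst has labelled yet; the price is that the threshold and feature set decide the false-positive rate, so both need tuning against your own baseline traffic.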
Q: Have you threat modeled your system?
Very interesting question. We have to remember there is always a human at the end of our system. So if you are trying to trick the AI system, first of all, good luck with that, but you also have to trick the human.
Q: How do you perform when you are not under ideal circumstances?
It's an open question and a longer discussion. The answer depends on how someone is trying to do it. Everything comes down to behaviors, and if you extract the right entities our system will be robust. It comes down to the specific case.
We hope you found these helpful. They only represent a small portion of those asked and answered during the session, so we encourage you to listen to the entire webinar.
If you have additional questions, please go here to submit them. We read every one and do our best to respond.