A multinational energy company active in nearly 180 countries identified Advanced Persistent Threats (APTs) as a major business risk. APTs are extremely difficult to detect for a number of reasons: the data is large and disparate and often stored in semi-structured logs; the signals are hidden in large, noisy networks; and attackers deliberately disguise and vary their activity to evade detection.
As a result, the company's cyber security data scientists spent inordinate amounts of time cleaning data, combining it, and chasing false positives. They relied on a highly manual, time-consuming process, built on technologies such as MSSQL and Tableau, to respond to reports of suspicious trends in network intrusions and intrusion attempts.
In light of these issues, management wanted a new way to:
- Identify if specific employees or hosts (such as computers) are being targeted because they are more valuable or vulnerable to attackers
- Build an investigation tool that makes the investigation of suspected incidents faster and more thorough
How Maana Helped
This data and human knowledge were then modeled to create a custom line-of-business app, in which users can now define a query that describes a suspicious trend in malware and/or malicious email detections. For example, the platform identified that for victim hosts (i.e. computers), attackers were interested in attributes that made the host more vulnerable, such as the type of host, the operating system it runs, and whether or not the host was fully compliant with the pre-approved software baseline. For victim users (i.e. accounts), they were interested in what might make the account valuable to an attacker; for instance, the business unit a user works in (for example, accounts receivable) and his or her role (for instance, approver of invoices).
Now data scientists can understand whether specific trends are actually significant based on the victim data set, which helps them avoid spending time on false positives. They can also receive directional guidance on which correlations to dig into more deeply, allowing them to uncover more threats faster.
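The check described above, deciding whether a trend in the victim population is significant or just noise, can be illustrated with a small victim-trait enrichment analysis. The following is an added example, not Maana's code or the company's data: the host inventory, user directory and key=value detection log lines are constructed for the illustration, and the over-representation test (a one-sided hypergeometric tail) is an assumption chosen here, not a description of how the Maana Knowledge App computes significance.

```python
"""Victim-trait enrichment over semi-structured detection logs.

Added illustration (not Maana's code). Inventory, directory and log lines
below are constructed sample data; the hypergeometric test is one way to
ask "are victims over-represented in this attribute value?".
"""
import shlex
from collections import Counter, defaultdict
from math import comb

# Constructed host inventory: 8 of 20 hosts are not compliant with the
# approved-software baseline; OS and form factor are spread evenly.
HOSTS = {
    f"h{i:02d}": {
        "type": "laptop" if i % 2 else "desktop",
        "os": ["win10", "win7", "macos"][i % 3],
        "compliant": "no" if i <= 8 else "yes",
    }
    for i in range(1, 21)
}

# Constructed user directory: 5 users in accounts receivable, 4 invoice approvers.
USERS = {
    f"u{i:02d}": {
        "unit": "accounts_receivable" if i <= 5 else ("sales" if i <= 10 else "engineering"),
        "role": "invoice_approver" if i in (1, 2, 3, 11) else "staff",
    }
    for i in range(1, 21)
}

# Constructed semi-structured detections (note the repeated host/user lines).
LOG = """\
2024-03-04T08:12:03Z kind=malware host=h01 user=u14 sig=Trojan.Generic
2024-03-04T09:40:51Z kind=malware host=h02 user=u09 sig=Trojan.Generic
2024-03-04T11:05:17Z kind=malware host=h03 user=u11 sig=Dropper.A
2024-03-04T16:33:09Z kind=malware host=h01 user=u14 sig=Dropper.A
2024-03-05T07:58:22Z kind=malware host=h05 user=u17 sig=Dropper.A
2024-03-05T13:21:40Z kind=malware host=h08 user=u02 sig=Trojan.Generic
2024-03-06T10:02:11Z kind=malware host=h12 user=u19 sig=Dropper.A
2024-03-04T08:00:00Z kind=malicious_email user=u01 subject="Invoice 4471 overdue"
2024-03-04T08:00:04Z kind=malicious_email user=u02 subject="Invoice 4471 overdue"
2024-03-04T08:00:09Z kind=malicious_email user=u03 subject="Invoice 4471 overdue"
2024-03-04T08:00:15Z kind=malicious_email user=u05 subject="Invoice 4471 overdue"
2024-03-05T09:10:00Z kind=malicious_email user=u11 subject="Payment approval needed"
2024-03-05T09:10:21Z kind=malicious_email user=u14 subject="Payment approval needed"
2024-03-06T08:00:00Z kind=malicious_email user=u01 subject="Second notice: invoice 4471"
"""


def parse_event(line):
    """Parse one 'ts key=value key="quoted value"' line into a dict (shlex handles quotes)."""
    ts, _, rest = line.partition(" ")
    fields = dict(tok.split("=", 1) for tok in shlex.split(rest))
    fields["ts"] = ts
    return fields


def victims_by_kind(log):
    """Dedupe detections into victim hosts (malware) and victim users (malicious email)."""
    victims = defaultdict(set)
    for line in log.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("kind") == "malware":
            victims["host"].add(ev["host"])
        elif ev.get("kind") == "malicious_email":
            victims["user"].add(ev["user"])
    return victims


def hypergeom_sf(k, N, K, n):
    """P(X >= k): probability of drawing k or more marked items (K of N) in n draws."""
    total = comb(N, n)
    return sum(comb(K, x) * comb(N - K, n - x) for x in range(k, min(K, n) + 1)) / total


def enrichment(victims, population, alpha=0.05):
    """For every attribute value, compare its share among victims with its share in the population."""
    n, N = len(victims), len(population)
    attrs = sorted({a for rec in population.values() for a in rec})
    rows = []
    for attr in attrs:
        pop_counts = Counter(rec[attr] for rec in population.values())
        vic_counts = Counter(population[v][attr] for v in victims)
        for value, K in pop_counts.items():
            k = vic_counts.get(value, 0)
            p = hypergeom_sf(k, N, K, n)
            rows.append({"attr": attr, "value": value, "victims": k, "of": n,
                         "population": K, "of_population": N, "p": p, "significant": p < alpha})
    return sorted(rows, key=lambda r: r["p"])  # most over-represented trait first


def analyse(log=LOG, hosts=HOSTS, users=USERS):
    """Rank host and user traits by how strongly they are over-represented among victims."""
    v = victims_by_kind(log)
    return {"host": enrichment(v["host"], hosts), "user": enrichment(v["user"], users)}


if __name__ == "__main__":
    for kind, rows in analyse().items():
        print(f"== victim {kind}s ==")
        for r in rows[:3]:
            flag = "SIGNIFICANT" if r["significant"] else "noise?"
            print(f"{r['attr']}={r['value']}: {r['victims']}/{r['of']} victims vs "
                  f"{r['population']}/{r['of_population']} population, p={r['p']:.4f} {flag}")
```

In this constructed data, non-compliant hosts and accounts-receivable invoice approvers come out as the traits worth digging into, while OS and form factor do not. Two caveats for real use: a p-value here is a ranking aid, not proof of targeting, and with many attributes tested some will look significant by chance, so apply a multiple-comparison correction (or a stricter alpha) before treating a trait as a lead.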
Armed with more sophisticated models, data scientists can improve the quality of business decisions regarding incidents and threats. They can, for example, focus investigations on the events most likely to be part of a targeted attack and the victim traits that matter. Moreover, they can do all of this faster. For example, the company reports that the Maana Knowledge App saves:
- Hours to days of data wrangling per investigation.
- Hours of ad hoc Tableau creation.
- Hours spent investigating false positives.
And by helping security analysts and data scientists uncover threats faster and investigate incidents more thoroughly, Maana has reduced the risk of data leakage, legal fines, and litigation, and protected the company's brand and high level of consumer trust.