Interset UTM Brings Machine Learning to Network Security Policy Best Practices

Wednesday Apr 6th 2016 by Frank Ohlhorst

Interset's UTM platform uses machine learning to identify network security threats.

Unified threat management (UTM) is a critical component of modern network security policy best practices, and those in the market for a new UTM would do well to check out Interset, a threat management platform that combines Machine Learning (ML) with a Big Data architecture to identify potential threats that would otherwise go undetected. Interset uses extensive data ingestion capabilities that correlate events/activities with entities to determine the level of risk that is being encountered at any given time.

Interset's Role in Network Security Policy Best Practices

Modern network security policy best practices include the use of Big Data analytics to harvest and examine ostensibly unrelated bits of data to find relationships and expose trends that lead to predictions of risky or bad behaviors. Interset does so in a different fashion than most threat mitigation products.

Interset ingests multiple data sources related to the movement of data across (or inside) of the network, while also gathering information about the entities involved. An entity can be any actor that impacts the transmission or consumption of data, such as a user, an endpoint, or an application. The product can also detect sensitive files and associate normal usage patterns with a given entity. It creates an overall environment where anomalies are readily revealed using alerts, dashboards or notifications.

Interset boasts the following features:

  • Connect and aggregate a broad range of data sources, including endpoints, directories, IP repositories such as PLM, SCM, and content management tools like SharePoint, into analytic models, increasing accuracy and timeliness of detection
  • Employ multiple, probabilistic math models to more accurately surface and alert on persons, machines, repositories, and files at risk or under threat
  • Clearly deliver a prioritized and contextually rich view of the entities and events related to risks and threats so security teams understand which events represent the greatest risk and what to do to stop them before data is lost.

Applying Network Security Policy Best Practices with Interset:

To get started with Interset, I deployed the Interset Data Gateway (I-DG) on premises as a data collection, aggregation, anonymization, encryption, and communication appliance. The I-DG sports an anonymized data analytics capability, which works by incorporating behavioral analytic models that are run against anonymized log and metadata. All data in this Big Data data security platform remains private, secure, and completely in the customer's control, further supporting network security policy best practices.

Data ingestion and processing are the primary functions of the I-DG, which is managed via a browser-based console. Setup consists of defining the how’s, why’s, and where’s of data collection that can then be analyzed using self-evolving algorithms powered by the device’s ML capabilities. Wizards and interactive help screens smooth the process of creating use cases, which in essence are administrator-defined policies.

The Interset platform fully automates the ML and analytics-based threat detection processes, allowing the system to present risk scores based on how anomalous an event is in relation to the reputational scores of the entities involved in the event.  That analysis is visualized in a series of “top riskiest” lists, including top riskiest users, machines, applications and files.  A single click brings up the context of each risky entity and all the events that created the risk.  That makes it easy to identify who/what is acting badly, what is being done, when the activity is occurring, and what sensitive asset is being used.

Policy-defined use cases are an additional critical element for creating alerts, defining actions, and driving reports. Policy-defined use cases leverage Boolean logic to drive actions. Examples include plain English constructs such as “If Analytics detects that Someone has Been Behaving Strangely where Any of the Following are True the Risk is Greater than 50 then Call a Script script Block_Login.PL”.

Constructs are created using pull-down menu fields and offer several pre-populated options. In the example above, each of the bold-italicized terms are available via pull down lists, making it very simple to create complex use cases that can fulfill a multitude of security needs.

Much the same can be said for the data ingestion process, where wizards guide administrators through the needed steps to gather data to be analyzed. The product can consume all types of data via Interset Connectors, which are basically predefined connection scripts that includes PLM, SIEM, SCM and DLP data gathering capabilities from leading platforms, such Splunk, SAP, Siemens, RSA, Symantec, and dozens more. Interset can also gather data using Interset Endpoint Sensors, which run on Windows and Mac OSX platforms.

Applying Network Security Policy Best Practices to Deal with Threats:

Unlike traditional security products, which rely on signatures and packet analysis, Interset offers a more nuanced approach that ties threat detection to behavior. The Interset platform learns the behavior of users, applications, devices, and so forth to generate a baseline of normal behavior and use that as a litmus test to detect suspicious behavior.

For example, the Interset analytics engine can quickly identify a behavior pattern, such as “Joe User” always logging into the accounts payable application from “Your Town, USA” during normal working hours. While that may be an over simplification of user behavior, it does illustrate that machine learning is able to determine normal usage and then alert if that usage falls out of norm, such as “Joe User” logging in to the sales system in the middle of the night from a remote office. An activity such as that sets off warnings and alarm bells.

Add to that other user or application activity, such as surfing the web during lunch breaks or accessing the HR system every 2nd Thursday, and Interset can create a very reliable, detailed user or entity activity profile. The less someone strays from predicted activity, the higher their reputation score becomes.

Interset can also detect usage patterns much more subtle than the one described above, where even the smallest of anomalous use cases can trigger alarms, such as with the case of an Advanced Persistent Threats (APT), which try to hide suspicious activity in the volume of normally unrelated events. That is precisely where the advanced algorithms and machine learning comes into play.

Interset can uncover those normally overlooked relationships between data, devices, users, locations and applications to create a reputation score as well as execute network security policy based upon administrator rules.

Interset Stories Reveal Events:

Interset uses different terminologies than most security products. For example, the product calls a series of recorded events a “story." A story is told via a report that illustrates what has happened based on what the machine learning and analytics finds or defined by a set of filters selected by the administrator.

Stories are a critical element of the Interset platform, since each story reveals dominant behaviors and illustrates what activities are traversing the network and how those activities fit into normalized behavior. Stories are further put to use as an educational element, where administrators can turn to a story to help define use cases.

What’s more, stories help put threats into context, enabling administrators to fully comprehend the risk behind certain behaviors based upon the context of the activity. Once again, that ties into the reputation-based scoring offered by the product. Ideally, stories placed in context become the litmus test for determining normalized traffic, which the Machine Learning component of the platform can then use to continually fine tune risk scoring. That in turn creates a security shield that constantly evolves to detect new threats, all without human intervention, making the platform ideal for combating the next generation of advanced threats, which will leverage AI technology to weave their way into hardened networks.


Interset goes above and beyond the capabilities of the majority of security products on the market. By integrating machine learning with reputation scoring along with identified behavior patterns, Interset is able to counter threats as they arise, evolve and mutate into entities that were previously never seen and conquers the biggest failing of most security products, the reliance on signatures and identified behaviors to protect systems.

Mobile Site | Full Site
Copyright 2017 © QuinStreet Inc. All Rights Reserved