Introduction
Joshua Neil will provide an overview of anomaly detection for enterprise cyber defence at scale with real world examples and Cole Sodja will dive in to specific statistical issues at a more technical level.
About the event
Talk One: Joshua Neil, Microsoft
Microsoft Defender Advanced Threat Protection is a suite of tools for enterprise defense. In particular, the Endpoint Detection and Response research team uses telemetry gathered from enterprise networked computers, in near real time, to design detection methods. These methods are running in Azure, and reporting alerts to our customers, who are typically security operations personnel. While the detection techniques vary, a majority of detections are based upon data driven methods, including both supervised and unsupervised learning. For post breach applications, where the attacker has already penetrated the enterprise perimeter, we have very few labels and the attacker has many options, motivating an unsupervised approach. As our product monitors millions of endpoints, scale is of the essence.
In this talk, Joshua will present a modular, scalable system for streaming anomaly detection for enterprise cyber security, along with some real user stories of such detections.
Talk Two: Cole Sodja, Microsoft
In support of Microsoft Defender Advanced Threat Protection, there is a need to monitor scores from billions of anomaly detectors running on disparate multidimensional data sources that are modeling an unknown process with complex spatial and temporal dynamic. Not accounting for how well calibrated the scores are results in suboptimal accuracy when combining and thresholding. Furthermore, it is not scalable to have subject matter experts continue to review and fix detectors. An automated statistical diagnostics system or meta-process that infers how to weight anomaly scores based on probabilistic inference of the accuracy of each detector would bridge this gap.
This talk will propose a methodology for measuring probabilistic calibration and updating scores dynamically and conditionally incorporating this feedback by learning adaptive mixtures of functional inflated beta-binomial models. An application for identifying and updating scores for cyber indicators of attack will also be shared.
The Alan Turing Institute is located on the first floor (right hand side) of the British Library and can be accessed via the main doors from 09:30 onward. Please allow 15 minutes for queuing when planning your journey.