Machine Learning Models

Machine learning enhances your USM Anywhere, allowing it to identify anomalies in your environment through data science. Powered by specialized models, the machine learning capabilities of USM Anywhere learn patterns of normal behavior within your environment to better identify anomalous activity, enabling you to better prioritize alarms generated from events and user behavior.

What Is Machine Learning?

Machine learning leverages data science and learning models to better identify anomalous behavior through a deeper understanding of the behavior that is normal for your environment. The events received and processed by USM Anywhere carry important information illuminating what your users are doing, what data is being accessed, how your system and network are performing, and if there are any security threats or attacks taking place.

The machine learning process provides deeper detection capabilities, putting events specific to your assets and users into the full context of your environment's behavioral patterns.

For example, USM Anywhere instances enhanced with machine learning enable security analysts and incident responders to make informed decisions on how to respond to security threats, validate the effectiveness of existing security controls, and detect policy violations.

Machine learning enhances the ability of your USM Anywhere to detect and respond to compromised credentials, lateral movements, suspicious execution, and data exfiltration:

  • Compromised Credentials: Machine learning algorithms for stolen or compromised credentials leverage multiple parameters around login activity (geographical location, internet service provider (ISP) data, IP address, device, and time stamps) to identify outliers and anomalous behavior.

  • Lateral Movement: Machine learning algorithms for lateral movement are fed authentication logs from services commonly observed in lateral movement scenarios (such as Windows Remote Desktop Protocol [RDP] or Kerberos) and leverage context data, such as source and destination hostname or Active Directory (AD) domain name, which is key to spotting these anomalies.

  • Suspicious Execution: Machine learning algorithms for suspicious execution leverage process creation data to identify anomalous executions. These algorithms consider hostname, file name, and file path, as well as command line data structures (such as execution flags and arguments). User data is also compared across the organization to examine binary prevalence.

  • Data Exfiltration: Machine learning algorithms for data exfiltration use historic user data computed by USM Anywhere (such as the average number of files processed per day) to apply a risk score to any given scenario. Integration with file storage services enables early detection of anomalous file access. These models can evaluate a wide range of frequencies to find anomalies, from minutes to weeks.
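As an added illustration of the data exfiltration approach described above (a per-user historic baseline, a risk score, and evaluation at more than one frequency), the following Python is not USM Anywhere code and does not reproduce its models; it assumes a hypothetical stream of (user, timestamp) file-modification events constructed inline and uses a simple z-score-style risk score.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample data (hypothetical): (user, timestamp) file-modification
# events from a file-storage source. One normal week, then a day on which the
# user touches two files every hour (48 total): a slow, low-volume pattern.
BASE = datetime(2024, 1, 1)

def build_sample():
    events = []
    for day, n in enumerate([4, 5, 6, 5, 4, 6, 5]):          # baseline week
        events += [("alice", BASE + timedelta(days=day, hours=9 + i)) for i in range(n)]
    for hour in range(24):                                    # day 8: 2 files per hour
        events += [("alice", BASE + timedelta(days=7, hours=hour, minutes=m)) for m in (5, 35)]
    return events

def window_counts(events, user, window, start, end):
    """Count one user's events in fixed-size windows covering [start, end)."""
    n = int((end - start) / window)
    counts = [0] * n
    for u, ts in events:
        if u == user and start <= ts < end:
            counts[int((ts - start) / window)] += 1
    return counts

def risk_score(events, user, window, start, end, threshold=3.0):
    """Compare the most recent window against the user's own history at that frequency."""
    counts = window_counts(events, user, window, start, end)
    if len(counts) < 2:
        raise ValueError("need at least one historic window plus the current one")
    history, latest = counts[:-1], counts[-1]
    baseline = mean(history)
    spread = max(pstdev(history), 1.0)   # floor the divisor so a constant baseline cannot blow up
    z = (latest - baseline) / spread
    return {"window": window, "latest": latest, "baseline": round(baseline, 2),
            "z": round(z, 2), "anomalous": z >= threshold}

def evaluate(events, user, start, end,
             windows=(timedelta(hours=1), timedelta(days=1))):
    """Score the same activity at several frequencies (hourly and daily here)."""
    return [risk_score(events, user, w, start, end) for w in windows]

def demo():
    """Run the constructed sample through both windows for user 'alice'."""
    return evaluate(build_sample(), "alice", BASE, BASE + timedelta(days=8))

if __name__ == "__main__":
    for result in demo():
        print(result)
```

On this sample the hourly model sees nothing unusual (two files in the latest hour, well within history), while the daily model flags the 48-file day against a baseline of 5, which is why evaluating several frequencies matters.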

Machine Learning Models

The data science algorithms powering USM Anywhere machine learning are called models: highly specialized algorithms trained to recognize certain types of patterns. These models are developed by the AT&T Cybersecurity data science team and are built with proven methods to derive features that reliably identify malicious actors and actions. Further, through constant evaluation they are proven to reduce false positives and save analysts time. This allows faster detection and, as a result, faster notification and resolution of malicious activity in your ecosystem.

The models currently informing machine learning in USM Anywhere operate based on two different types of activity: user login and file modification.

User Login

The models in this suite operate by identifying key features from distinct sources through specially trained algorithms, and all of them can identify potentially malicious login activity.

Sources for this activity include the following:

  • Microsoft Office 365

  • Google G Suite

  • Cisco Duo

  • Okta

  • RDP

  • Kerberos

File Modification

The models in this suite operate by analyzing file modification patterns across distinct sources and are specially trained to identify potentially malicious file modifications.

Sources for this activity include the following:

  • G Suite