Sophisticated attackers routinely compromise enterprise and government networks, allowing adversaries to steal sensitive data, extort businesses for millions of dollars, engage in political espionage, and disrupt critical infrastructure.  To address these threats, many organizations collect extensive amounts of data about their networks and employ teams of security analysts to detect and stop attacks.  Unfortunately, security teams struggle to use this data to protect their organizations because conventional techniques are ill-suited to find stealthy and targeted (unlabeled and rare) attacks in vast, noisy datasets.

My research addresses this problem by developing new data-driven methods that leverage insights from large, real-world datasets, security domain knowledge, and collaborations with a variety of commercial and academic organizations.  This talk will explore two systems I’ve built that enable enterprise security teams to uncover and thwart attacks against their network.  First, I’ll describe a set of methods that organizations can use to detect spearphishing attacks, mitigating the predominant way that attackers break into an enterprise’s network.  Second, I’ll discuss a system that can help stop attackers from spreading within an enterprise’s internal environment, allowing organizations to minimize the damage incurred by successful breaches.  Organizations such as the Lawrence Berkeley National Laboratory, Facebook, and Barracuda Networks have used the ideas from my research to detect real-world attacks against their networks and improve the security of millions of users.