Monday, February 1, 2016

Interview with Ankur Modi, CEO/Founder of StatusToday


Who are you?
I'm the CEO and Co-Founder of StatusToday. We are a data-driven cybersecurity startup that is looking to solve the challenge of insider threat in enterprises and businesses.
Can you say more about what StatusToday does for its clients?
At StatusToday, we’re trying to address the current cybersecurity crisis. The traditional approach to security via exclusive perimeter protection on systems via passwords, firewalls, access control and even encryption doesn't work.

What works is the ability to use contextual knowledge from a variety of sources to better understand activity. We use three key sources of knowledge for our analysis. First is psychology, or more specifically organizational behavior. Second is the data from large-scale analysis of activity logs, i.e. data that is already collected in most organizations and IT systems. And third is a human-centric activity model we have created to better understand how users interact in distributed IT systems. The combination of these three has allowed StatusToday to better understand systems and natural behavior, to predict deviation and detect anomalies that are otherwise too human to detect.
Our charter is very simple. Instead of locking down systems beyond the point of usability, we're trying to advocate an open system model, where malicious activities are detected and flagged even if the user is compromised.
On our way, we’ve researched most of the major data breaches in the last 5 years, from the NSA and Sony to Ashley Madison. What we've found is that, while the breach might originate outside the company, the eventual medium of attack is almost exclusively via internal employees. Humans are now, by far, the weakest link in any security system. We help companies detect such incidents, explore possible impact and then provide the tools necessary to understand the damage. If you look at recent breaches in the industry, most companies were unable to answer the most basic of all questions: "What information was actually compromised?" At StatusToday, our solution is able to help them answer this fundamental question promptly: detect if something happened and, if so, identify the scope of the damage immediately.
What caused you to start StatusToday? What's the origin story?
I worked within the emerging field of data science at Microsoft for the last 5 years in Ireland and Denmark. Most recently I was behind the Microsoft Office Store platform managing the ocean of data that was generated from user behavior in order to find out how to enhance popular features.
I reached a defining moment at Microsoft when I understood that the power of big data doesn't lie in the data itself, it lies in the way you analyze it. Deep insights come from an external understanding of the data – sometimes via an in-depth understanding of the user, sometimes via human psychology, sometimes via user behavior.

I decided to leave my position at Microsoft to start the company and met Mircea out here in London at Entrepreneur First. I started knowing that security is an industry that was long overdue for a fresh approach. The big data and human-centric AI-based approach I was about to take was relatively new, and teaming up with Mircea, who used to head up security in large enterprises, was an ideal combination.

Insider threat by itself was not our initial focus. We started experimenting with large industrial datasets, the most noteworthy being one from DARPA, the US Department of Defense, on malicious insiders. We soon found that there was a lot of power in the human-centric methodology we adopted. That's when we started StatusToday.
Tell me more about the AI that you've developed.
The AI that we've developed is quite unique, and I know that this is something every tech startup would love to say. One of the reasons our approach is truly unique is that we are able to connect distributed sources of information and handle them in a source-agnostic way. The data could come from a Windows file server, a cloud-based API (like Google or Microsoft) or even service providers like Dropbox or Salesforce. At the same time, it could come from a custom backbone application that a company might have written themselves. The ability to collapse all of that into one unified source of information is huge because that gives us the power to run our AI algorithms globally. The methods we developed have the ability to renormalize all these data sources from an object-centric perspective to a more human-centric view. For example, we would be able to see that a certain entity has logged on to a machine, then downloaded an unusual amount of information from Salesforce CRM, and finally sent a bunch of these via email. Then, it edited a couple of company files on Dropbox and finally left the company premises. Such a malicious chain of events would traditionally sit in different silos of security, which we are now breaking through.

Being able to bring them together and identify anomalies on top can have massive implications in terms of being able to detect what is normal and what is not. That's what we’ve started building. What we have today is an advanced time series analysis that has the ability to observe subtle cues in behavior. Based on even limited sources of data, you can now infer whether a certain individual is more introverted or extroverted.

Now fundamentally, when an introverted person gets hacked or goes rogue, there's a lot of outward activity. That change in the basic signature of the person's behavior doesn't require massive learning in terms of supervision. The change can be triggered quite accurately based on organizational psychology. That's what part of our AI does: understand the object and the user contextually, and identify what is normal.

Our AI is able to look at several aspects of organizational normality, from time of day, type of systems, machines, activities to normal user behavior. When there's a significant change in such aspects, it is able to alert and say, "The sequence of events is quite suspicious. The user might have been breached/compromised." That's a very strong indicator of what we call an incident. This can then be investigated or it can then be analyzed, depending on the respective event that's in question.
How do you measure and communicate the quality of your AI?
We use a combination of approaches. We are running several pilots with large enterprises to monitor the events that we detect. One of the simplest ways of measuring an AI is to monitor actions taken as a consequence of its results. Measuring the AI itself in terms of its accuracy or speed is foolish in a business context, where the results matter more.

For us, the measurement of quality is not on the actual AI, but on the scenario it attempts to capture. For example, if we’re out helping a law firm, and our goal is to prevent rogue insider incidents, then we measure our AI on how many valid events get triggered that result in a tangible change within the organization. That could involve making changes to the internal security in the best case or mitigating an actual data breach via an identified incident in the worst case.

An AI should be monitored via the quality of the alert that it generates. In our case this is written in terms of risk potential. We've made it quantitative by capturing attributes like incident frequency, severity, risk potential and noise.

One of the problems with AI startups is that tuning up the accuracy even by a little bit often results in a flood of false alerts. Even for the highly sensitive enterprises out there, be it financial services or legal firms, getting a few hundred alerts a week, no matter how accurate, is not an option. Startups and solution providers need to start thinking in operational 80:20 terms. The real problem to solve is, "How can I leverage AI to tell businesses the top five things they should take action on, that will have the most impact?" Combine accuracy with possible impact to create prioritized and actionable alerts. A key member of our product team, Mihai Suteu, who has expertise in smart AI-driven approaches to time analysis, has been looking at precisely this.

If we send you five alerts a week, I want to ensure that they all have a high potential for damage and you're going to do something about each of them. If we can manage that, then our AI is successful. This is a very important measurement because it allows us to not get overly focused on the algorithm, which might be really cool or great, but rather the problem we are trying to solve.
Can you share something awesome that your AI has done that, either surprised you or would surprise most people?
"If we have a global view of everything that's happening, we are able to say when an engineer is acting like a salesperson or a salesperson is acting like an accountant." As much as people like to think otherwise, the truth is that we are actually very predictable. We all act within certain well observed parameters.


A typical engineer, as unique as he/she might be, is similar to the other engineers while being fundamentally different from, say, a salesperson. We expected to observe this predictability from the beginning, and just recently we did.

A by-product of our approach is that we often find non-insider threats which usually lead to system optimization. In one particular case, to give you an example, we noticed a large amount of network bandwidth going through a single user account against all normal baselines. This bandwidth usage was quite rhythmic and robotic, on specific days of the week. Upon investigation, what we effectively found was that this particular user had admin access and was using a misconfigured bandwidth monitoring service to check if their web services were up or down.

The impact was that this service downloaded the full contents of the large server every 5 minutes, throughout the day, under the user’s explicit credentials. From our system's point of view, this user was downloading unusual amounts of data at regular and sustained intervals in an unusually automated manner. Our measurements indicate that about 30% of all the bandwidth going through that server was to this one misconfigured service, hidden in plain sight under the authorized user’s activities. There's little to no monitoring on authorized access in most systems across the world. By being able to cap this out, we were effectively able to identify a way to reduce the bandwidth on this server by 30% overnight.

Anomalies in authorized access underpin the new age of security products. This is what insider threat is all about. Insider threat is not just about bad users, it’s about hacked and compromised users who are unknowingly being used in most large-scale data breaches and leaks today.
Give me your thirty second sales pitch.
We are StatusToday and our goal is to protect businesses from insider threat. We do it using multiple patent-pending AI approaches that learn human behavior within organizations to flag unusual activity. By providing organizations with the global visibility they need, we enable them to detect, investigate and mitigate any malicious activity that can cost millions in potential damage. You can reach me on Twitter.


