Christopher Galbraith

Let’s Make it Personal: Customizing Threat Intelligence with Metric Learning (pdf, video)

Whether it’s music, movies, search results, or social media posts, most online content today is personalized to reflect users’ evolving interests and preferences. Threat intelligence, however, is still stuck in the “one feed for all” paradigm. As a result, defenders are inundated by countless irrelevant signals that prevent them from focusing their time and energy on the real threats. Security teams need solutions that track threats according to their own unique environments and threat models. To address this gap, we present a data-driven approach for personalizing the threat landscape to specific security team needs.

We will show how to leverage the rich relationships and semantics in threat graphs to produce security object embeddings via metric learning. The learned embeddings enable numerous downstream tasks including personalized information retrieval, object clustering, and scoring. Focusing on information retrieval, we will demonstrate how to combine the embeddings with nearest neighbor search to create personalized threat recommendations and allow pivoting between threat intelligence objects. After the demo, we will reflect on the benefits of embeddings for learning useful threat intelligence data representations. Finally, we will discuss the extensibility of our approach and make the case that similar frameworks can be applied to other critical problems in cybersecurity. Overall, our approach can be viewed as a tool to organize semi-structured, unlabeled and large-scale cybersecurity threat intelligence data to make it actionable.
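The pipeline sketched above (threat graph, metric-learned embeddings, nearest-neighbor retrieval for pivoting and personalized recommendation) in miniature, as an added example that is not the talk’s code. It uses a constructed ten-object graph with made-up actor, malware, vulnerability and product names (the technique ids are only ATT&CK-style labels), learns embeddings with a plain triplet hinge loss in pure Python, and then ranks threats against a team profile by distance. Real systems would use richer positives (random-walk co-occurrence, typed relations) and an approximate nearest-neighbor index; the structure of the approach is the same.

```python
"""Toy metric learning over a threat graph, pure Python, no dependencies.

Constructed sample graph (all names and edges made up for this example):
two unrelated intrusion sets, each linked to a malware family, a technique,
a vulnerability and the product that vulnerability affects.
"""
import math
import random
from itertools import combinations

EDGES = [  # undirected relations between threat intelligence objects
    ("APT-Alpha", "AlphaRAT"), ("AlphaRAT", "T1566"), ("APT-Alpha", "T1566"),
    ("AlphaRAT", "CVE-A"), ("CVE-A", "WebServerX"),
    ("APT-Beta", "BetaLoader"), ("BetaLoader", "T1190"), ("APT-Beta", "T1190"),
    ("BetaLoader", "CVE-B"), ("CVE-B", "VPN-Y"),
]
TYPES = {
    "APT-Alpha": "actor", "APT-Beta": "actor",
    "AlphaRAT": "malware", "BetaLoader": "malware",
    "T1566": "technique", "T1190": "technique",
    "CVE-A": "vuln", "CVE-B": "vuln",
    "WebServerX": "product", "VPN-Y": "product",
}
NODES = sorted(TYPES)
NEIGHBORS = {n: set() for n in NODES}
for _a, _b in EDGES:
    NEIGHBORS[_a].add(_b)
    NEIGHBORS[_b].add(_a)


def sq_dist(u, v):
    """Squared Euclidean distance between two embedding vectors."""
    return sum((x - y) ** 2 for x, y in zip(u, v))


def train_embeddings(dim=8, epochs=300, lr=0.05, margin=1.0, seed=0):
    """Learn one vector per object with a triplet hinge loss: for every edge
    (anchor, positive) and a sampled non-neighbour (negative), require
    d(anchor, positive)^2 + margin <= d(anchor, negative)^2."""
    rng = random.Random(seed)
    emb = {n: [rng.uniform(-0.1, 0.1) for _ in range(dim)] for n in NODES}
    for _ in range(epochs):
        for a, p in rng.sample(EDGES, len(EDGES)):
            if rng.random() < 0.5:
                a, p = p, a  # relations are symmetric: train both directions
            negatives = [n for n in NODES if n != a and n not in NEIGHBORS[a]]
            neg = rng.choice(negatives)
            if sq_dist(emb[a], emb[p]) - sq_dist(emb[a], emb[neg]) + margin <= 0:
                continue  # hinge inactive: constraint already satisfied
            ea, ep, en = emb[a], emb[p], emb[neg]
            for i in range(dim):  # gradient of the active hinge term
                g_a = 2 * (ea[i] - ep[i]) - 2 * (ea[i] - en[i])
                g_p = -2 * (ea[i] - ep[i])
                g_n = 2 * (ea[i] - en[i])
                ea[i] -= lr * g_a
                ep[i] -= lr * g_p
                en[i] -= lr * g_n
    return emb


def separation(emb):
    """Mean distance over graph edges vs. over non-edges (fit check)."""
    edge = [math.sqrt(sq_dist(emb[a], emb[b])) for a, b in EDGES]
    non = [math.sqrt(sq_dist(emb[a], emb[b]))
           for a, b in combinations(NODES, 2) if b not in NEIGHBORS[a]]
    return sum(edge) / len(edge), sum(non) / len(non)


def pivot(emb, obj, obj_type, k=3):
    """Pivot from one object to the nearest objects of another type."""
    cands = [n for n in NODES if n != obj and TYPES[n] == obj_type]
    return sorted(cands, key=lambda n: sq_dist(emb[obj], emb[n]))[:k]


def recommend(emb, profile, threat_types=("actor", "malware"), k=3):
    """Personalised ranking: score each threat by its summed squared distance
    to the team's profile objects (products deployed, techniques of concern)."""
    cands = [n for n in NODES if TYPES[n] in threat_types]
    return sorted(cands, key=lambda n: sum(sq_dist(emb[n], emb[p]) for p in profile))[:k]


if __name__ == "__main__":
    E = train_embeddings()
    print("mean distance, edges vs non-edges:", separation(E))
    print("malware nearest to CVE-A:", pivot(E, "CVE-A", "malware"))
    print("threats for a WebServerX/T1566 profile:", recommend(E, ["WebServerX", "T1566"]))
```

The `separation` check is the sanity test a practitioner runs before trusting any downstream ranking: if linked objects are not closer on average than unlinked ones, the embeddings carry no graph structure and the recommendations are noise. Personalization here is nothing more than choosing which objects go into `profile`; two teams with different product inventories get different rankings from the same embedding space.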