In this talk, Joshua will present a modular, scalable system for streaming anomaly detection for enterprise cyber security, along with some real user stories of such detections.
Microsoft Defender Advanced Threat Protection is a suite of tools for enterprise defense. In particular, the Endpoint Detection and Response research team uses telemetry gathered from enterprise networked computers, in near real time, to design detection methods. These methods run in Azure and report alerts to our customers, who are typically security operations personnel. While the detection techniques vary, a majority of detections are based on data-driven methods, including both supervised and unsupervised learning. For post-breach applications, where the attacker has already penetrated the enterprise perimeter, we have very few labels and the attacker has many options, which motivates an unsupervised approach. As our product monitors millions of endpoints, scale is of the essence.