TECHNOLOGY F-SECURE’S UNIQUE CAPABILITIES IN DETECTION & RESPONSE Jyrki Tulokas, EVP, Cyber security products & services UNDERSTANDING THE THREAT LANDSCAPE

Human orchestration Nation states NATION STATE Unknown 0-day tools and ATTACKS techniques

Organized cyber crime TARGETED Human conducted, stealthy, ATTACKS targeted attacks

ADVANCED Cyber crime THREATS Fileless scripts, System tools, Ransomware

MASS Commodity threats ATTACKS Opportunistic phishing Malware Spam Technology drives the scale Volume

2 CUSTOMERS CONTINUE TO NEED BOTH PREVENTIVE AND REACTIVE CAPABILITIES

PREVENTIVE DETECTION & RESPONSE

RECON WEAPONIZE DELIVER EXPLOIT CONTROL EXECUTE MAINTAIN

TACTICS, TECHNIQUES AND PROCEDURES Persistence Discovery Exfiltration Privilege Escalation Lateral Movement Command Defense Evasion Execution and Control Credential Access Collection

3 Targeted Attack Simulation

Incident response Threat Hunting INDUSTRY LEADING RESEARCH AND THREAT VISIBILITY

AUTONOMOUS SELF LEARNING F-Secure Labs BIG DATA PLATFORM Forensics

Corrective actions

Endpoint data Big Data and AI platform Actionable is essential insights and response

4 AUTONOMOUS BIG DATA DETECTION & RESPONSE PLATFORM BUILT FOR MASSIVE SCALE

DATA COLLECTION SENSORS REAL-TIME ANALYTICS IN THE CLOUD

The endpoint sensors collect : Cloud used for analytics: ✓ file accesses; ✓ ✓ process creations; ✓ Broad Context Detection ™ ✓ network connections; ✓ Automatic analysis, categorization and ✓ registry writes; detection creation ✓ system log entries relevant to ✓ Telemetry of the attacks shared in real- detecting security breaches; time with our security cloud ✓ extracts of scripts derived from ✓ Long-term view to threat propagation run-time execution; EVENTS/MONTH66 BN

5 ANOVA, Active learning, AdaBoost, Analogical modeling, , Apriori algorithm, Artificial neural network, Association rule learning algorithms, Averaged One-Dependence Estimators (AODE), BIRCH, Back-Propagation, Bayesian Belief Network (BBN), (BN), Bayesian knowledge base, Bias-variance dilemma, Binary classifier, Boosting, (Bagging), C4.5 algorithm, C5.0 algorithm, analysis (CCA), CaseA -SELFbased reasoning,-LEARNINGChi-squared AutomaticAIInteraction PLATFORMDetection (CHAID), Classification and regression tree (CART), Co-training, Conceptual clustering, , Conditional decision tree, Conditional random field (CRF), Convolutional Neural Network (CNN), DBSCAN, ALREADYData Pre-processing, DecisionPROVENstump, Decision ONtree, THEDeep Belief MARKETNetworks (DBN), Deep Boltzmann Machine (DBM), Deep Convolutional neural networks, Deep Recurrent neural networks, Eclat algorithm, Elastic net, Empirical risk minimization, Ensemble averaging, Ensembles of classifiers, Expectation Maximization (EM), , FP-growth algorithm, , , Feature extraction, , , Feedforward neural network, Fisher's linear discriminant, Flexible Discriminant Analysis (FDA), , Gaussian Naive Bayes, Gaussian process regression, Gene expression programming, Generative models, Generative Adversial Network (GAN), Generative topographic map, Gradient boosted decision tree (GBDT), machine (GBM), Graph-based methods, Graphical models,SUPERVISEDGroup method of MLdata handling (GMDH),UNSUPERVISEDHidden Markov model (HM), ML , HierarchicalDATA classifier, Hierarchical ,MODULESHierarchical temporal memory, Hopfield Network,MODULESID3, Independent component analysisTRANSFORMATION(ICA), Inductive bias, Inductive logic programming, Information bottleneck method, Information fuzzy networks (IFN), Instance-based learning, Iterative Dichotomiser 3 (ID3), K-means clustering, K-•mediansDetectingclustering,threatsK-nearest neighbors algorithm• User/host(KNN), Lazy profilinglearning, Learning Automata,• LearningAdvancedVector Quantization (LVQ), , Least Absolute Shrinkage and Selection•Operator (LASSO), Least-angle regression (LARS), Linear classifier, Linear discriminant analysis (LDA), Linearbasedregression, on trainingLocal outlierdata factor, Logic learningAnomalymachine, detectionLogistic Model Tree, ,visualizationLocally Estimated Scatterplot Smoothing (LOESS),• LearningLocally Weightedfrom expertLearning (LWL), Long Short-Term Memory Recurrent Neural Networks• Intelligently(LSTM), Low-density clustersseparation, M5, Mean-shift, Metadata,feedbackMinimum message length, Mixture Discriminant Analysis (MDA), Multi-label classification,anomaliesMultidimensional scaling (MDS), Multinomial Naive Bayes, Multinomial logistic regression, Multivariate adaptive regression splines (MARS), Naive Bayes, Nearest Neighbor Algorithm, Non-negative matrix factorization (NMF), OPTICS algorithm, , , Ordinal classification, Ordinary least squares regression (OLSR), PAC learning, Partial least squares regression (PLSR), , Principal component analysis (PCA), Principal component regression (PCR), Probabilistic classifier, Probably approximately correct learning (PAC) learning, Projection pursuit, Q-learning, Quadratic classifiers, Quadratic Discriminant Analysis (QDA), , Radial Basis Function Network (RBFN), Regression, , Ridge regression, Ripple down rules, a knowledge acquisition methodology, SLIQ, SPRINT, Sammon mapping, Self-organizing map (SOM), Semi-, Single-linkage clustering, Stacked Auto-Encoders, Stacked Generalization (blending), State–action–reward–state–action (SARSA), Statistical learning, Stepwise regression, , Support vector machine (SVM), Symbolic machine learning algorithms, t-distributed stochastic neighbor embedding (t-SNE), Temporal difference learning (TD), Transduction, , VC theory, Vector Quantization 6 RESULT: INDUSTRY’S FASTEST AND MOST ACCURATE DETECTIONS

900,000 SUSPICIOUS EVENTS 25 15 DETECTIONS REAL THREATS 2 billion • Event enrichment DATA EVENTS/MONTH • Detections of Customer confirmed Host & User Profiling which customer that these were • Anomaly Detection was notified. real threats • Detection Significance Analysis

7 F-SECURE COUNTERCEPT: HUMAN AUGMENTED TECHNOLOGY, DEEP INSIGHT TO TARGETED ATTACKS

The hunt team use ‘Explore’ and ‘Investigate/Respond’. They create new ‘assisted hunts’ and tags which propagate to all other instances of THP including those used by our clients and our own 24/7 detection and response team.

AVAILABLE IN THREE MODELS: • As a service • Assisted • Customer specific

8 8 TOWARD SELF-HEALING SYSTEMS AND GUIDED RESPONSE

• Recommends response actions of RECOMMENDED F-SECURE THREAT RESPONSE ACTIONS HUNTER’S GUIDANCE informing users, or isolating hosts

High risk Acknowledged • Get help on tough investigations Medium Confidence Jan 12, 2018 12:34:56 High Criticality from F-Secure experts with Elevate to F-Secure Inform users

Inform admins 3 similar Recent BC detections • Constantly improves

Isolate hosts recommendations and detections with machine learning Recommended actions Elevate to F-Secure

9 SUMMARY

• Aiming to be a key player in detection and response technology and services

• Best-in-class integrated cyber security suite

• Scalability through managed services partners

• Security for the cloudified world

10