While insider threats are a critical risk to organizations, little is publicly known about how to detect those attacks effectively. To help address this gap, we present FACADE: Fast and Accurate Contextual Anomaly DEtection, Google’s internal AI system for detecting malicious insiders. FACADE has been used successfully to protect Alphabet by scanning billions of events daily over the last 7 years.
At its core, Facade is a novel self-supervised ML system that detects suspicious actions by considering the context surrounding each action. It uses a custom multi-action-type model trained on corporate logs of document accesses, SQL queries, and HTTP/RPC requests. Critically, FADADE leverages a novel contrastive learning strategy that relies solely on benign data to overcome the scarcity of incident data.
Beyond its core algorithm, Facade also leverages an innovative clustering approach to further improve detection robustness. This combination of innovative techniques led to unparalleled accuracy with a false positive rate lower than 0.01%. For single rogue actions, such as the illegitimate access to a sensitive document, the false positive rate is as low as 0.0003%.
Beyond presenting the underlying technology powering Facade during this talk, we will showcase how to use the just released Facade open-source version so you can use it to protect your own organizations.
