FloCon 2020 has ended
Wednesday, January 8 • 2:00pm - 2:30pm
How to Use Machine Learning for a Phishing Incident Response


Phishing is one of the most popular and prolific attacks organizations face today. Security Operations Center (SOC) teams spend a large share of their time investigating suspicious emails to determine whether they are actual phishing attempts or benign mail.

In this talk, we will share observations accumulated from building a machine learning (ML) classifier for detecting phishing emails, based on the analysis of over 200K suspicious emails gathered from top-tier SOC teams around the world.

As part of the discussion, we will cover how various SOC teams handle their phishing investigations. We will describe the processes they employ as part of the phishing investigation and what they can, and cannot, automate out of those processes. We will also share real-world metrics for the time spent on various stages of the investigation process.

Next, we will give an introduction to supervised machine learning and the advances made in text classification, especially in the supporting open source libraries. We will explain how we collected the dataset used in our research and what is unique about it. We will also touch on explaining the model's decisions and why that explanation matters to the security analyst.

Lastly, there will be a deep dive into the ML development process in building a phishing classifier. We will elaborate on each of the following steps, explaining the obstacles encountered and their workarounds:
1. Problem definition
2. Data
3. Evaluation
4. Features
5. Model
6. Experimentation

Attendees will learn how to build their own phishing email classifier from their email datasets, observe a model in action, and see how the model's numbers hold up in real-world SOC deployments.
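The six steps above, carried through end to end in Python as an added illustration (this is not the speaker's code, and the abstract does not say which model or explainability technique the talk uses): a from-scratch naive Bayes classifier over word-presence features plus five hand-built phishing indicators, trained on a constructed eight-email corpus and measured on four held-out emails. The org domain list (ORG_DOMAINS), the urgency and credential keyword lists, and the F_* feature names are assumptions; the corpus is made up for the example and the resulting metrics say nothing about real-world performance.

```python
import math
import re
from collections import Counter

# Problem definition: one verdict per email; label 1 = phishing, 0 = benign.
# Data: a constructed toy corpus of (sender, subject, body, label), not the talk's dataset.
TRAIN = [
    ("security@paypa1-alerts.com", "Urgent: verify your account",
     "Your account is suspended. Click http://paypa1-alerts.com/login to verify your password now.", 1),
    ("it-helpdesk@corp-mail-reset.net", "Password expires today",
     "Reset your password immediately at http://corp-mail-reset.net/reset or lose access.", 1),
    ("ceo@acme-corp-exec.com", "Quick request",
     "I need you to buy gift cards urgently and send me the codes. Reply asap.", 1),
    ("billing@invoice-secure-pay.com", "Invoice overdue: action required",
     "Pay now at http://invoice-secure-pay.com/pay to avoid account suspension.", 1),
    ("alice@acme.com", "Lunch tomorrow?", "Want to grab lunch at noon tomorrow? The new place on Main St.", 0),
    ("jira@acme.com", "[ACME-123] Ticket updated",
     "Bob commented on the ticket. View it at https://jira.acme.com/browse/ACME-123", 0),
    ("hr@acme.com", "Holiday schedule", "The office is closed on Monday. Enjoy the long weekend.", 0),
    ("bob@acme.com", "Re: design review", "Thanks for the feedback, I updated the diagram. See you at the meeting.", 0),
]
TEST = [
    ("support@micros0ft-verify.com", "Account locked",
     "Verify your password at http://micros0ft-verify.com/unlock immediately.", 1),
    ("carol@acme.com", "Meeting notes", "Notes from this morning's meeting are attached. Thanks everyone.", 0),
    ("jira@acme.com", "[ACME-200] Ticket created", "Alice opened a ticket. View it at https://jira.acme.com/browse/ACME-200", 0),
    ("ceo.acme@gmail.com", "Are you at your desk?", "I need a quick favor, reply asap.", 1),
]
# Assumptions behind the hand-built features: the defended org's mail domains and two keyword lists.
ORG_DOMAINS = {"acme.com"}
URGENCY_WORDS = {"urgent", "urgently", "immediately", "asap", "now"}
CREDENTIAL_WORDS = {"password", "verify", "login", "account", "credentials"}
URL_RE = re.compile(r"https?://(\S+)")

def _internal(host):
    return any(host.lower() == d or host.lower().endswith("." + d) for d in ORG_DOMAINS)

def features(sender, subject, body):
    """Presence features: every word of subject+body plus five phishing indicators (F_*)."""
    text = subject + " " + body
    hosts = [m.split("/", 1)[0] for m in URL_RE.findall(text)]  # URL hosts, taken before stripping
    words = set(re.findall(r"[a-z0-9]+", URL_RE.sub(" ", text).lower()))
    flags = (("F_EXTERNAL_SENDER", not _internal(sender.rsplit("@", 1)[-1])),
             ("F_HAS_URL", bool(hosts)),
             ("F_EXTERNAL_LINK", any(not _internal(h) for h in hosts)),
             ("F_URGENCY", bool(words & URGENCY_WORDS)),
             ("F_CREDENTIAL_REQUEST", bool(words & CREDENTIAL_WORDS)))
    return words | {name for name, hit in flags if hit}

class NaiveBayesPhish:
    """Model: multinomial naive Bayes over presence features with Laplace (+1) smoothing."""
    def __init__(self):
        self.counts = {0: Counter(), 1: Counter()}  # feature -> number of emails containing it
        self.totals = {0: 0, 1: 0}                  # feature occurrences per class
        self.docs = {0: 0, 1: 0}                    # emails per class, for the prior
        self.vocab = set()

    def fit(self, emails):
        for sender, subject, body, label in emails:
            f = features(sender, subject, body)
            self.counts[label].update(f)
            self.totals[label] += len(f)
            self.docs[label] += 1
            self.vocab |= f

    def _log_p(self, feat, label):
        return math.log((self.counts[label][feat] + 1) / (self.totals[label] + len(self.vocab)))

    def explain(self, sender, subject, body):
        """Explainability: per-feature log-likelihood ratio (phish vs benign), most incriminating first."""
        contrib = {f: self._log_p(f, 1) - self._log_p(f, 0) for f in features(sender, subject, body)}
        return sorted(contrib.items(), key=lambda kv: kv[1], reverse=True)

    def score(self, sender, subject, body):
        return math.log(self.docs[1] / self.docs[0]) + sum(c for _, c in self.explain(sender, subject, body))

    def predict(self, sender, subject, body, threshold=0.0):
        return int(self.score(sender, subject, body) > threshold)

def evaluate(model, emails):
    """Evaluation: precision (false alarms cost analyst time) and recall (misses cost a breach)."""
    tp = fp = fn = tn = 0
    for sender, subject, body, label in emails:
        pred = model.predict(sender, subject, body)
        if pred and label: tp += 1
        elif pred: fp += 1
        elif label: fn += 1
        else: tn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"precision": precision, "recall": recall, "tp": tp, "fp": fp, "fn": fn, "tn": tn}

if __name__ == "__main__":  # Experimentation: train, measure on held-out mail, show the analyst view
    model = NaiveBayesPhish()
    model.fit(TRAIN)
    print(evaluate(model, TEST))
    for sender, subject, body, label in TEST:
        print(subject, label, round(model.score(sender, subject, body), 2), model.explain(sender, subject, body)[:3])
```

Running it prints each held-out email's score next to its three strongest features; on eight training emails the F_* indicators dominate because the word features are sparse, which is exactly the kind of thing the explanation output makes visible. On a real corpus, the same per-feature listing is what lets an analyst confirm a verdict in seconds instead of rereading the email, and it is the first place to look when a model has latched onto an artifact of the dataset (a ticketing system's boilerplate, a signature line) rather than a phishing signal.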

Session outline:
Introduction to phishing incidents and response processes at SOC teams
Phishing problem definition
Datasets used
Process followed to build the model
Model deployment

Attendees Will Learn:
  • How SOC teams handle phishing investigations internally today.
  • How machine learning can be applied to accelerate phishing incident response.
  • How the ML model can be adapted to different security incident environments.
  • How ML classifiers are a powerful tool in security decision making.


Erez Harush

Data Scientist, Palo Alto Networks
Erez Harush is a Data Scientist at Palo Alto Networks. His career began in the Israeli Defense Forces, “Unit 8200” - an elite military technology unit that has become an incubator for Israel’s renowned high-tech sector. He served in “Unit 8200” for six years, researching...

Wednesday January 8, 2020 2:00pm - 2:30pm EST
Regency Ballroom Hyatt Regency Savannah 2 W. Bay Street Savannah GA 31401