Nestlé is the largest food and beverage company in the world. Like many global enterprises, it fought off phishing campaigns across its massive footprint every day. After initial solutions left the company swimming in false positives, it built PhishScreener, a custom solution that uses Microsoft Azure DevOps and Azure Machine Learning to uncover phishing quickly, before an employee clicks a malicious link. As a result, Nestlé has reduced false positives, sped up detection times, and increased its overall phishing coverage.
A global household name
If you were to walk the aisles of any grocery store in the world, chances are you’d find them filled with Nestlé products. With a portfolio of more than 2,000 brands—like Nespresso, Perrier, Aero, and Gerber—Nestlé is the largest food and beverage company in the world and employs more than 300,000 people in 189 countries. This massive global presence is great for business but challenging for Nestlé’s Global Security Operations Center (GSOC), which is tasked with keeping the company—and its 300,000 email accounts—safe from malicious phishing attacks among many other cybersecurity threats.
A sea of false positives
Email phishing scams have grown increasingly sophisticated over the years. From impersonation emails to fake virus alerts to overdue or unpaid “bills,” there are myriad ways to convince people to click. The GSOC had initiatives in place to spot these campaigns, but with a catch: some cases were found only when an employee self-reported a suspicious email. The GSOC quickly realized that, although self-reporting did surface phishing that was not otherwise on the radar, it wasn’t enough: busy employees have their own obligations and little time to report every odd-looking email.
Nestlé moved to a more proactive approach that gives it global visibility over all potential phishing threats: it began examining the subjects of new incoming emails for features such as syntax and structure. (Neither employee identities nor email contents are used.) This removes the need for employees to do their own detective work, but it creates a “needle in a haystack” problem for the team. As Ignasi Paredes-Oliva, Lead Data Scientist at Nestlé’s Global Security Operations Center, puts it, “For every 1 million emails coming across your security desk, only 20 might look suspicious enough, and out of those, maybe 1 or 2 are actually malicious (if any). And this is really important. If a 24/7 security analyst sees hundreds of false positives a day, he or she will eventually lose faith in the security product.”
Reeling in threats using Microsoft Azure Machine Learning
Seeing an opportunity to fine-tune parts of its investigative process, Nestlé decided to custom-build a new solution on Azure. The result was PhishScreener, a software solution (Figure 1) that uses Microsoft Azure DevOps and the machine learning and operations (MLOps) capabilities in Azure Machine Learning to score and flag incoming emails and route only those cases that look suspicious enough for further investigation.
PhishScreener works by systematically analyzing the language structure of all incoming email subjects with a deep learning model trained to recognize patterns previously used in phishing. To raise precision, it also correlates other red flags observed at the same time, such as a sender domain that was created only recently. Azure DevOps orchestrates the workflow as three pipelines. Pipeline 1, the model-training pipeline, stores email data in Azure Data Lake Storage and uses Azure Databricks compute to prepare the data, train the models, and register them in Azure Machine Learning. Pipeline 2 builds the inference pipeline, in which the ParallelRunStep functionality of Azure Machine Learning splits new incoming data into mini-batches that are read and scored in parallel for threat risk. Pipeline 3 runs the inference defined in Pipeline 2 (tallying hundreds of thousands of inferences per hour) and is the final component that sends the scored emails to the GSOC for investigation. Paredes-Oliva explains, “The email then shows up in our ticketing system as a new incident, classified as potential phishing prioritized by threat risk probability. Then, security analysts looking at it need to investigate the suspicious email to make sure it’s actually phishing and then take the appropriate countermeasures—like shutting down the link or contacting anyone who clicked.”
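The batch-scoring and triage shape described above, written out as an added example (this is illustrative code, not Nestlé's PhishScreener and not Microsoft sample code). It follows the Azure Machine Learning ParallelRunStep entry-script convention, in which the service calls `run(mini_batch)` once per mini-batch on each worker, and adds a small local driver that mimics the splitting and parallel execution so the file runs offline. Everything specific is an assumption standing in for what the article names but does not show: `subject_score()` is a keyword heuristic in place of the deep-learning subject model, `DOMAIN_FIRST_SEEN` is a constructed lookup in place of a domain-age feed, the weights and the `TICKET_THRESHOLD` are invented, and the sample rows are constructed traffic with no real senders or employees.

```python
"""Added example, not PhishScreener code: ParallelRunStep-style entry script
that scores a mini-batch of email subjects and emits only the rows that merit
a GSOC ticket, plus a local driver that mimics mini-batch splitting."""
from __future__ import annotations

import re
from concurrent.futures import ThreadPoolExecutor
from datetime import date

# Constructed subject signals with invented weights. They stand in for the
# deep-learning subject model described in the article, whose features and
# weights are not public.
SUBJECT_SIGNALS = [
    (re.compile(r"\b(urgent|immediately|action required)\b", re.I), 0.35),
    (re.compile(r"\b(invoice|payment|overdue|unpaid)\b", re.I), 0.30),
    (re.compile(r"\b(verify|confirm|re-?activate)\b.*\b(account|password)\b", re.I), 0.40),
    (re.compile(r"\b(virus|malware) (detected|alert)\b", re.I), 0.30),
    (re.compile(r"(!|\?){2,}"), 0.10),
]
NEW_DOMAIN_DAYS = 30       # assumption: a domain younger than this is a red flag
NEW_DOMAIN_BONUS = 0.35    # assumption: how much the red flag raises the score
TICKET_THRESHOLD = 0.50    # assumption: rows at or above this reach the GSOC queue
TODAY = date(2020, 6, 1)   # fixed so the example is deterministic

# Constructed stand-in for a domain-age / first-seen lookup.
DOMAIN_FIRST_SEEN = {
    "supplier-portal.example": date(2020, 5, 25),    # 7 days old
    "partner.example": date(2015, 3, 1),
    "it-helpdesk-login.example": date(2020, 5, 29),  # 3 days old
}


def subject_score(subject: str) -> float:
    """Heuristic stand-in for the subject model: sum matched weights, cap at 1."""
    return min(1.0, sum(w for pat, w in SUBJECT_SIGNALS if pat.search(subject)))


def domain_is_new(domain: str, today: date = TODAY) -> bool:
    """Red flag: sender domain first seen fewer than NEW_DOMAIN_DAYS ago.
    Unknown domains are treated as not new so the signal stays conservative."""
    first_seen = DOMAIN_FIRST_SEEN.get(domain.lower())
    return first_seen is not None and (today - first_seen).days < NEW_DOMAIN_DAYS


def score_row(row: dict, today: date = TODAY) -> float:
    """Combine the subject score and the domain-age flag into one risk score."""
    score = subject_score(row["subject"])
    if domain_is_new(row["sender_domain"], today):
        score += NEW_DOMAIN_BONUS
    return round(min(1.0, score), 2)


def run(mini_batch: list[dict]) -> list[str]:
    """ParallelRunStep entry point: called once per mini-batch on each worker.
    Returns one output line per row that crosses the ticket threshold, so
    rows that look benign never reach the analyst queue."""
    out = []
    for row in mini_batch:
        score = score_row(row)
        if score >= TICKET_THRESHOLD:
            out.append(f"{row['id']}\t{score:.2f}\t{row['sender_domain']}\t{row['subject']}")
    return out


def score_all(rows: list[dict], mini_batch_size: int = 2, workers: int = 4) -> list[tuple[str, float]]:
    """Local driver mimicking the inference pipeline: split rows into
    mini-batches, score them in parallel, merge, and sort by risk descending
    so the resulting ticket queue is prioritised by threat probability."""
    batches = [rows[i:i + mini_batch_size] for i in range(0, len(rows), mini_batch_size)]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(run, batches))
    scored = [(line.split("\t")[0], float(line.split("\t")[1]))
              for lines in results for line in lines]
    return sorted(scored, key=lambda t: (-t[1], t[0]))


# Constructed sample traffic; no real senders or employees.
SAMPLE_ROWS = [
    {"id": "m1", "sender_domain": "partner.example", "subject": "Q2 forecast deck"},
    {"id": "m2", "sender_domain": "supplier-portal.example", "subject": "URGENT: overdue invoice attached"},
    {"id": "m3", "sender_domain": "partner.example", "subject": "Lunch on Thursday?"},
    {"id": "m4", "sender_domain": "it-helpdesk-login.example", "subject": "Verify your account password now"},
    {"id": "m5", "sender_domain": "partner.example", "subject": "Action required: unpaid payment"},
]

if __name__ == "__main__":
    for msg_id, score in score_all(SAMPLE_ROWS):
        print(msg_id, score)   # prints m2 1.0, m4 0.75, m5 0.65; m1 and m3 are dropped
```

Two points worth noting from the design. First, the threshold lives inside `run()`, so filtering happens in the parallel workers and only the small suspicious fraction is merged and handed to the ticketing step; that is what keeps the analyst queue from filling with the false positives the article describes. Second, an unknown domain is deliberately not treated as "new": without a first-seen record the signal is absent, not positive, which avoids inflating scores for every domain missing from the lookup.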
“We get hundreds of emails every hour, and Azure Machine Learning parallel batch processing has helped us scale up to handle the load.”
Ignasi Paredes-Oliva, Lead Data Scientist, Nestlé Global Security Operations Center
Figure 1: Nestlé solution architecture
Faster detection, fewer false positives
Currently in pre-production, PhishScreener is showing promising results so far. “There’s no question we’re seeing benefits. It’s the first custom phishing solution we have in place that’s fully proactive. We don’t need a single action from the employee, whether that’s filing a report or being the first link on the campaign for us to track it,” says Paredes-Oliva. By not relying exclusively on manual reporting, and by taking advantage of batch processing, security teams are now notified of a suspicious email within one hour of its hitting an employee’s inbox, a process that used to take hours.
They’re not only uncovering threats faster, they’re finding scams they might’ve missed otherwise. Says Paredes-Oliva, “Our models automatically retrain about once a week. This, coupled with our information on what people are reporting or what they’re clicking on, has increased our phishing coverage.”
“MLOps is at the core of our product. Because of its reproducible ML pipelines, reusable environments for model training, versioned and registered models, and automatic model scoring, we’re definitely detecting things that we missed before. Which, in terms of risk management, is really, really important.”
Ignasi Paredes-Oliva, Lead Data Scientist, Nestlé Global Security Operations Center
Learning new things with Microsoft
Nestlé had already been using Azure Machine Learning prior to building PhishScreener but wasn’t aware of its parallel batching capabilities. “After our working sessions and hands-on training with the SDK and Azure Machine Learning, we had what we needed to make it work. The hands-on technical partnership helped immensely,” says Paredes-Oliva.
Looking ahead
After these promising early trials, Nestlé hopes to have PhishScreener integrated with its existing security and threat portfolio by the end of 2020. So, as the company continues expanding its presence in stores and stomachs worldwide, it can confidently keep phishing attacks at bay.
“Azure Machine Learning gives us the ability to reproduce and trace all of the experiments running in our DevOps pipelines.”
Ignasi Paredes-Oliva, Lead Data Scientist, Nestlé Global Security Operations Center