Almost all security incidents have to answer the same set of questions: what has been compromised? Who did it? How did they do it, by what method and from where? But obviously, this is easier said than done. Until recently, the available tools and methods made answering these questions tremendously difficult, because you typically needed one or more tools just to answer one of these questions, never mind all three. For example, you generally need one tool to track cloud users and activity and at least one more to do the same for on-premise applications. And because of the overwhelming number of security alerts, just figuring out which events to investigate is a struggle in itself.
With the application of machine learning, however, analytics has improved tremendously. Many User and Entity Behavior Analytics (UEBA) and Cloud Access Security Broker (CASB) products can track users, data, and applications, so the question now becomes: what should the behavioral tools and analysts focus on?
Because the vast majority of reported breaches involve stolen credentials or other unauthorized and suspicious insider activity, it only makes sense to focus on user and data activity. Here are some of the more common behaviors that indicate you may have a problem; a proper user behavior analytics solution needs to detect each of them:
Suspicious geolocation activity. Today's mobile workforce may log on from multiple remote locations, such as their homes, the gym, hotels, airports, the beach and customer sites. When users sign in from off-campus locations, security teams need to determine whether they are legitimate users or remote attackers using compromised but valid credentials. Behavioral analysis applies geolocation monitoring to every access attempt and validates it against what is physically possible, taking into account the time and distance between sign-in attempts, and then compares this activity to a baseline of normal behavior for the legitimate account owner. This is critical in determining whether user credentials have been stolen and are being used by remote attackers.
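As an added example (not code from the original post or its authors), here is how the "physically possible" check described above can be implemented: it computes the great-circle distance between two sign-ins of one account, derives the travel speed the owner would have needed, and reports whether the new location is in the user's baseline. The 900 km/h ceiling, the city labels and the sign-in events are constructed assumptions.

```python
"""Impossible-travel check between two sign-ins of one account (constructed example):
great-circle distance over elapsed time gives the speed the owner would have needed,
and a speed beyond any airliner means both sessions cannot be the legitimate user."""
from collections import namedtuple
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0  # assumed ceiling: commercial jets cruise around 900 km/h
EARTH_RADIUS_KM = 6371.0

SignIn = namedtuple("SignIn", "ts lat lon city")  # city: geo-IP label kept for the alert

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def implied_speed_kmh(prev: SignIn, curr: SignIn) -> float:
    """Speed needed between two sign-ins; a zero or negative time gap with
    any distance between the points is treated as infinite speed."""
    dist = haversine_km(prev.lat, prev.lon, curr.lat, curr.lon)
    hours = (curr.ts - prev.ts).total_seconds() / 3600.0
    if hours <= 0:
        return float("inf") if dist > 0 else 0.0
    return dist / hours

def check_travel(prev, curr, known_cities, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (flagged, reasons). Impossible speed is the hard flag; a city
    outside the user's baseline is added as context for the analyst."""
    speed = implied_speed_kmh(prev, curr)
    reasons = []
    if speed > max_kmh:
        reasons.append(f"implied speed {speed:.0f} km/h exceeds {max_kmh:.0f}")
    if curr.city not in known_cities:
        reasons.append(f"{curr.city} is not in the user's baseline locations")
    return speed > max_kmh, reasons

# Constructed sample for one account: New York 09:00, Boston 13:00 (plausible),
# then London 14:30 (impossible: roughly 5,260 km in 90 minutes).
EVENTS = [SignIn(datetime(2024, 3, 4, 9, 0), 40.7128, -74.0060, "New York"),
          SignIn(datetime(2024, 3, 4, 13, 0), 42.3601, -71.0589, "Boston"),
          SignIn(datetime(2024, 3, 4, 14, 30), 51.5074, -0.1278, "London")]
BASELINE_CITIES = {"New York", "Boston"}

def run(events=EVENTS, baseline=BASELINE_CITIES):
    """Score each consecutive pair; returns [(city, flagged, reasons), ...]."""
    return [(c.city, *check_travel(p, c, baseline)) for p, c in zip(events, events[1:])]
```

In a real deployment the baseline set would be learned per user from historical sign-ins, and geo-IP error (VPN egress points, mobile carriers) makes the speed ceiling a tunable rather than a constant.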
Exfiltration attempts. Data exfiltration is a big concern for many organizations. It can occur when employees are negligent, or when they try to be more efficient by working around outdated technology ("I can be more productive using my personal device instead of the company-issued equipment"), for example by using USB drives or online apps like Slack or Box. Detecting and preventing data leaks has become more difficult as new technologies and methods to transfer data emerge. Monitoring for abnormal user behavior, such as obtaining data the user does not normally access or transferring data to unusual locations, can detect data exfiltration attempts.
Credential sharing. Studies show that more than 20% of employees share their passwords with someone else, even though it is strictly against policy. Monitoring for simultaneous, remote, or otherwise unusual use of user accounts can help detect and mitigate credential sharing.
While many offerings have the capability to answer these questions, it is important to take into account both on-premise and cloud-based data and applications, and optimally to be able to reconstruct the hidden relationship between data movement and its user, device, and application in real time, and to maintain that relationship. So make sure you are able to get answers to: what has been compromised? Who did it? How did they do it, by what method and from where?
Today's enterprise security processes generate massive amounts of log data from user actions, server activity, applications and network devices across the organization's IT ecosystem, both on-premise and in the cloud. Security teams are overwhelmed by the amount of data generated by their SIEMs, and analysts suffer from alert fatigue. Furthermore, they struggle to get meaningful, actionable information because the output lacks contextual relevance and requires significant effort and analysis across multiple products to gain the insight necessary to take action or to determine whether an event is benign. To reduce analyst fatigue and provide more relevant information and visibility, an increasing number of security products are incorporating behavioral analytics. However, there is a lot of variation in how these products capture data, such as real-time vs. historical and on-premise vs. cloud. At the same time, there are some components that they all have in common.
Cybersecurity applications of user behavior analytics typically consist of the following three primary components:
Data integration: This is the foundational requirement for building user behavior analytics capabilities. It should be able to integrate with the required log sources of the enterprise, including structured or unstructured information, for example logs from security information and event management systems, VPN gateways, network flow data, and application logs, as well as ingest logs from CSV files and Syslog.
Data analytics: The primary purpose of this component is to enrich and analyze data, using analytical algorithms to learn an environment -- such as server versus user activity, or normal users versus executive or privileged users -- and make sense of it. This component is also designed to analyze user and system behavior and to distinguish between normal and malicious activity.
Data presentation and visualization: This presents the data analytics results in a manner that is useful and relevant to the enterprise IT and security teams, so that patterns and trends in user interactions are readily apparent and can be acted on by drilling down into the detailed events.
So what might this look like in practice? To illustrate, let's look at the compromise of an endpoint computer.
To better understand how behavioral analytics detects malicious breaches, and what distinguishes it from traditional solutions, consider a realistic business scenario: the CFO’s laptop has been compromised by a hacker, who then tries to use the computer to steal confidential data files from inside the company network.
In a conventional security environment, the IT team has no good solution for detecting a compromised machine until the damage is done. Network-based anomaly detection solutions may be able to see suspicious activity on the network, but will likely generate too many false positives and impede the IT team’s ability to respond.
An advanced behavioral analysis solution, by contrast, will already have profiled the CFO's laptop. Through a built-in content inspection engine, it identifies the types of sensitive files the CFO typically moves, and from where, for example financial statements from the main finance department server. The platform links all data movements with the actual user, the CFO, and her device in real time, and profiles that behavior accordingly. After a brief learning period, OnFire will have built a baseline pattern for the CFO's movement of data using her laptop.
When the hacker gets control of her laptop, he attempts to access source code from a completely different server in a different department. This is clearly outside the CFO's normal pattern. The system instantly detects the abnormal behavior, provides a visually clear display of the event, and alerts the CFO and the security team.
Rather than reactive and time-consuming analyses, security and IT teams can now focus on events with a higher probability of identifying malicious behavior.
Machine learning is a very hot topic (some might say buzzword) in the tech world in general and especially in cyber security. This post will provide an easy-to-understand explanation of how it is being applied to some of today's most pressing cybersecurity issues. Machine learning is a topic that will be regularly touched upon in this blog, since there are many dimensions to its application and rapid advances are taking place in its development.
Technology is moving rapidly, and it seems you can't avoid hearing about machine learning. Almost every large online storefront uses it to recommend items you may want to purchase, it is analyzing your credit card purchases, and self-driving cars depend upon it.
But what is it? The term is often used interchangeably with artificial intelligence; however, machine learning is a type of artificial intelligence (AI) that gives computers the ability to learn without being explicitly programmed. Machine learning focuses on the development of computer programs that can change when exposed to new data.
Common applications of machine learning in today's security technology include voice recognition, fraud detection, email spam filtering, text processing, log searches, video analysis, etc. These technologies are being improved daily, with the improvements fueled by greater data analytics, reductions in the cost of computation, and advances in the state of the art of machine learning research.
So how exactly is machine learning being applied in cyber security?
There are two ways: data gathering and data analysis. Cyber security leverages data gathering, or big data, for the collection and storage of large numbers of useful data points. This helps security operations teams and analysts who are overwhelmed by the vast amount of raw data collected every day. In larger and more mature environments (that is, those that are more advanced and better funded) many tools are deployed that have been designed to help sort, slice, and mine this data in a somewhat automated fashion, helping analysts perform their day-to-day activities.
Take, for example, user and entity behavior analysis: machine learning can be used to profile each user, device, application, and file or document to establish a baseline and then flag behavior that is contextually abnormal.
For IoT it is easier, because there is no user to associate with the device, and the behavior patterns of IoT devices are much simpler: typically the "thing" only sends traffic to a fixed destination at a standard volume. As soon as the device starts sending to multiple destinations, or the volume significantly increases, it can be detected. For example, the Target IoT attack, which happened last year, could have been easily detected if this type of system had been deployed.
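The following added example (not the blog's or any vendor's code) implements the learning-period baseline behind both the CFO laptop scenario earlier on this page and the IoT case just described: per entity it records the destinations and content types seen during learning plus the mean and standard deviation of transfer volume, then scores later events against them. Entity names, server names, the 3-sigma threshold and every event are constructed.

```python
"""Per-entity behaviour baseline with a learning period (constructed example):
events seen while learning define normal; later events are scored on unseen
destinations or content types and on byte-volume deviation from the baseline."""
from collections import defaultdict, namedtuple
from statistics import mean, pstdev

VOLUME_Z_THRESHOLD = 3.0  # assumed: sd above the learned mean that counts as a spike
# entity = user+device or IoT id; destination = server/host; content = inspection label
Event = namedtuple("Event", "entity destination content nbytes")

class BehaviourProfiler:
    def __init__(self):
        self.profiles = defaultdict(lambda: {"dst": set(), "content": set(), "vol": []})

    def learn(self, ev: Event) -> None:
        """Learning period: record what the entity normally does."""
        p = self.profiles[ev.entity]
        p["dst"].add(ev.destination)
        p["content"].add(ev.content)
        p["vol"].append(ev.nbytes)

    def score(self, ev: Event) -> list:
        """Reasons an event deviates from its entity's baseline ([] means normal)."""
        p, reasons = self.profiles[ev.entity], []
        if ev.destination not in p["dst"]:
            reasons.append(f"new destination {ev.destination}")
        if ev.content not in p["content"]:
            reasons.append(f"new content type {ev.content}")
        if p["vol"]:
            mu, sd = mean(p["vol"]), pstdev(p["vol"])
            # Flat baseline (sd == 0): any increase over the mean counts as a spike.
            z = (ev.nbytes - mu) / sd if sd else (float("inf") if ev.nbytes > mu else 0.0)
            if z > VOLUME_Z_THRESHOLD:
                reasons.append(f"volume {ev.nbytes} is {z:.1f} sd above baseline")
        return reasons

def demo():
    """Constructed events: CFO laptop and sensor baselines, then four test events
    (normal CFO pull, hijacked laptop reading source code, sensor fan-out, spike)."""
    bp = BehaviourProfiler()
    for b in (1_200_000, 1_400_000, 1_300_000):
        bp.learn(Event("cfo-laptop", "finance-srv", "finance", b))
    for b in (4_000, 4_100, 3_900, 4_000):
        bp.learn(Event("sensor-17", "collector", "telemetry", b))
    tests = [Event("cfo-laptop", "finance-srv", "finance", 1_350_000),
             Event("cfo-laptop", "build-srv", "source-code", 1_300_000),
             Event("sensor-17", "198.51.100.7", "telemetry", 4_000),
             Event("sensor-17", "collector", "telemetry", 40_000)]
    return [bp.score(e) for e in tests]
```

A production profiler would also age out old observations and treat a first-ever event for an unknown entity as "no baseline yet" rather than as normal.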
These technologies exponentially improve cybersecurity effectiveness and can dramatically improve the initial detection of threats by addressing the initial overload problem: reducing 500,000 alerts to 500, for example. But at the end of the day, we still need a human in the loop for that last step. Humans have the ability to apply real-world experience and knowledge to flag exceptions, and while better AI will help decrease the number of exceptions, those that remain will still require the attention of an IT or security professional.
Behavioral analytics are being developed for cyber security applications to address the vast number of interactions between users, devices, applications, data, and networks. However, not all products operate the same way: there are two types of behavioral analytics platforms, and you should consider the differences carefully.
According to the latest Verizon Data Breach Investigations Report, stolen, weak or default credentials were involved in 81 percent of confirmed data breaches. Given that this attack vector is so prevalent, it only makes sense to closely watch user behavior and identify abnormal patterns. Cybersecurity has begun to incorporate methods to monitor user actions and distinguish between legitimate and threatening user behavior. This has given rise to a category of security products known as behavioral analytics, which focus on the detection of anomalies. While user behavior is at the core of these offerings, many extend beyond the behavior of the user to include other entities such as hosts and devices. (This is known as user and entity behavior analytics, or UEBA, which is a topic for another post.)
Now back to behavioral analytics. Every company has data that is at risk of attack by cyber criminals, and at some point a user attempts to move that data in order to exploit it. When this happens, user behavior analytics is used to spot attackers who may have gotten past perimeter defenses, or suspicious behavior by company insiders, and allows organizations to prevent and detect incidents and breaches.
While monitoring and analyzing user behavior may seem obvious, it raises the question of how to track and analyze behavior, and the choice of method can have significant implications for deployment cost, time and effectiveness. There are two types of products: those based on algorithmic models and those that operate in a more adaptive "learning" mode.
With the algorithm-based model, a deployment can take a couple of months and requires a team of experts to come in and set up the technology, racking up professional services fees in the process. This approach needs constant maintenance to refine existing algorithms and create new ones, which gives the advantage to the offense, not the defense.
On the other hand, products that use artificial intelligence or machine learning typically plug into the existing infrastructure very quickly and start collecting information right away. Through machine learning and analytics, these platforms can develop a baseline of normal activity and process vast amounts of data to surface abnormal patterns of behavior. When anomalies are identified, analysts can then drill down into the data to see where they may be at risk.
Monitoring user behavior provides a way of flagging suspicious activity, which then requires further investigation of the interactions between users, devices, applications, data, and networks, so consideration should also be given to how user behavior can most easily be put in the proper context.
Typically an incident response workflow can be established that includes email and text alerts, the creation and distribution of incident reports, the collection of data for evidence and the activation of containment and mitigation controls.
While it does take time for a machine learning based platform to process all your data and establish a baseline, it can be put in place in days. And once deployed, this type of approach can bring incident response times down to minutes and hours, rather than a process that takes days or even weeks, enabling a security team to react.
So consider the cost and complexity of these approaches as you explore.
This blog reflects the contribution of the HoloNet team and guest bloggers who are security experts. HoloNet Security is led by a team of seasoned security industry professionals with a long, proven track record of successful security products and services.