Today's enterprise security processes generate massive amounts of log data from user actions, server activity, applications and network devices across the organization's IT ecosystem, both on-premises and in the cloud. Security teams are overwhelmed by the amount of data generated by their SIEMs, and analysts suffer from alert fatigue. Furthermore, they struggle to get meaningful, actionable information because the output lacks contextual relevance and requires significant effort and analysis across multiple products to gain the insight necessary to take action or to determine whether an alert is benign. To reduce analyst fatigue and provide more relevant information and visibility, an increasing number of security products are incorporating behavioral analytics. However, there is a lot of variation in how these products capture data, such as real-time vs. historical and on-premises vs. cloud. At the same time, there are some components that they all have in common.
Cybersecurity applications of user behavior analytics typically consist of the following three primary components:
Data integration: This is the foundational requirement for building user behavior analytics capabilities. The product should be able to integrate with the required log sources of the enterprise, including structured or unstructured data, for example logs from security information and event management systems, VPN gateways, network flow data, and application logs, as well as ingest logs from CSV files and Syslog.
Data Analytics: The primary purpose of data analytics is to enrich and analyze data, using analytical algorithms to learn an environment -- such as server versus user activity, or normal users versus executive users or privileged users -- and make sense of it. This component is also designed to analyze user and system behavior and to distinguish between normal and malicious activity.
Data presentation and visualization: This shows the data analytics results in a manner that is useful and relevant to the enterprise IT and security teams, so that patterns and trends in user interactions are readily apparent and can be acted on by drilling down into the detailed underlying events.
So what might this look like in practice? To illustrate, let's look at the compromise of an endpoint computer.
To better understand how behavioral analytics detects malicious breaches, and what distinguishes it from traditional solutions, consider a realistic business scenario: the CFO’s laptop has been compromised by a hacker, who then tries to use the computer to steal confidential data files from inside the company network.
In a conventional security environment, the IT team has no good solution for detecting a compromised machine until the damage is done. Network-based anomaly detection solutions may be able to see suspicious activity on the network, but will likely generate too many false positives and impede the IT team’s ability to respond.
An advanced behavioral analysis solution, by contrast, will already have profiled the CFO's laptop. Through a built-in content inspection engine, it identifies the types of sensitive files the CFO typically moves, and from where – for example, financial statements from the main finance department server. The platform links all data movements with the actual user – the CFO – and her device in real-time, and profiles that behavior accordingly. After a brief learning period, OnFire will have built a base pattern for the CFO's movement of data using her laptop.
When the hacker gets control of her laptop, he attempts to access source code from a completely different server in a different department. This is clearly outside the CFO's normal pattern. The system instantly detects the abnormal behavior, provides a visually clear display of the event, and alerts the CFO and the security team.
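To make the three components and the CFO scenario concrete, here is an added, self-contained Python illustration; it is not HoloNet or OnFire code and does not reflect how that product works internally. It assumes a simple key=value log line format (constructed here), learns a per-user baseline of which servers, departments and file categories each user moves data from during a learning period, and then scores later events by how many attributes have never been seen for that user, so that the CFO's laptop pulling source code from an engineering server stands out while her routine finance-server access does not. The field names, thresholds and sample hosts are all assumptions for the example.

```python
"""Toy user-behavior baseline for data-movement events (added example, not product code)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
import re

# Constructed sample lines in an assumed key=value format; not a real product's log format.
LEARNING_LOG = """\
2024-03-01T09:02:11 user=cfo device=LT-CFO-01 action=read server=fin-srv-01 dept=finance category=financial_statement size=182331
2024-03-01T11:40:05 user=cfo device=LT-CFO-01 action=read server=fin-srv-01 dept=finance category=financial_statement size=90211
2024-03-02T10:15:42 user=cfo device=LT-CFO-01 action=copy server=fin-srv-02 dept=finance category=budget size=40120
2024-03-03T14:03:19 user=cfo device=LT-CFO-01 action=read server=fin-srv-01 dept=finance category=financial_statement size=201002
2024-03-01T09:30:00 user=dev1 device=WS-DEV-07 action=read server=eng-git-01 dept=engineering category=source_code size=5021
2024-03-02T09:31:00 user=dev1 device=WS-DEV-07 action=read server=eng-git-01 dept=engineering category=source_code size=7122
"""

# Constructed later events: the second is the CFO's laptop copying source code from engineering.
NEW_EVENTS = """\
2024-03-10T09:05:00 user=cfo device=LT-CFO-01 action=read server=fin-srv-01 dept=finance category=financial_statement size=150000
2024-03-10T02:14:33 user=cfo device=LT-CFO-01 action=copy server=eng-git-01 dept=engineering category=source_code size=48200000
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    device: str
    action: str
    server: str
    dept: str
    category: str
    size: int


def parse_line(line: str) -> Event:
    """Data integration: turn one key=value log line into a typed Event."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    kv = dict(tok.split("=", 1) for tok in m.group("kv").split())
    return Event(ts=m.group("ts"), user=kv["user"], device=kv["device"],
                 action=kv["action"], server=kv["server"], dept=kv["dept"],
                 category=kv["category"], size=int(kv["size"]))


def parse_log(text: str) -> list[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


class Baseline:
    """Data analytics: per-user profile of where data moves from and what kind it is."""

    def __init__(self) -> None:
        self.servers = defaultdict(Counter)     # user -> Counter of servers accessed
        self.depts = defaultdict(Counter)       # user -> Counter of departments accessed
        self.categories = defaultdict(Counter)  # user -> Counter of file categories moved
        self.max_size = defaultdict(int)        # user -> largest single transfer seen

    def learn(self, events) -> None:
        for e in events:
            self.servers[e.user][e.server] += 1
            self.depts[e.user][e.dept] += 1
            self.categories[e.user][e.category] += 1
            self.max_size[e.user] = max(self.max_size[e.user], e.size)

    def score(self, e: Event) -> tuple[int, list[str]]:
        """Return (score, reasons): one point per attribute never seen for this user."""
        reasons = []
        if e.server not in self.servers[e.user]:
            reasons.append(f"new server {e.server}")
        if e.dept not in self.depts[e.user]:
            reasons.append(f"new department {e.dept}")
        if e.category not in self.categories[e.user]:
            reasons.append(f"new file category {e.category}")
        if e.size > 10 * max(self.max_size[e.user], 1):  # assumed 10x volume threshold
            reasons.append(f"volume {e.size} far above baseline max {self.max_size[e.user]}")
        return len(reasons), reasons


def detect(baseline: Baseline, events, threshold: int = 2):
    """Data presentation: keep only events whose novelty score meets the threshold."""
    return [(e, s, why) for e in events
            for s, why in [baseline.score(e)] if s >= threshold]


def run_demo():
    base = Baseline()
    base.learn(parse_log(LEARNING_LOG))
    return detect(base, parse_log(NEW_EVENTS))


if __name__ == "__main__":
    for e, s, why in run_demo():
        print(f"ALERT score={s} {e.ts} user={e.user} device={e.device}: " + "; ".join(why))
```

Running the script prints a single alert for the off-hours copy of source code from `eng-git-01`, with four reasons (new server, new department, new file category, and a transfer volume far above anything in the learning period), while the routine finance-server read scores zero and produces no noise. The threshold of two novel attributes is the knob that trades alert volume against sensitivity; a real platform would also weight by user role and time of day, which the three-component model above leaves to the analytics layer.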
Rather than reactive and time-consuming analyses, security and IT teams can now focus on events with a higher probability of identifying malicious behavior.
This blog reflects the contribution of the HoloNet team and guest bloggers who are security experts. HoloNet Security is led by a team of seasoned security industry professionals with a long, proven track record of successful security products and services.