Almost all security incidents have to answer the same set of questions: what has been compromised? Who did it? How did they do it? By what method and from where? Obviously, this is easier said than done. Until recently, answering these questions with the available tools and methods has been tremendously difficult, because you typically need one or more tools just to answer one of these questions, never mind all three. For example, you generally need one tool to track cloud users and activity and at least one more to do that for on-premise applications. And because of the sheer number of security alerts, just figuring out which events to investigate is overwhelming.
However, with the application of machine learning, analytics has improved tremendously. Many User and Entity Behavioral Analytics (UEBA) tools and Cloud Access Security Brokers (CASB) can track users, data, and applications, so the question now becomes: what should the behavioral tools and analysts focus on?
Because the vast majority of reported breaches involved the use of stolen credentials or other unauthorized and suspicious insider activity, it only makes sense to focus on user and data activity. Here are some of the more common behaviors that indicate you may have a problem; a proper user behavior analytics solution will need to detect each of them:
Suspicious geolocation activity. Today's mobile workforce can be logging on from multiple remote locations, such as their homes, the gym, hotels, airports, the beach and customer locations. When users sign in from off-campus locations, security teams need to determine whether they are legitimate users or remote attackers using compromised valid user credentials. Behavioral analysis applies geolocation monitoring to every access attempt and validates it against what’s physically possible, taking into account the time and distance between sign-in attempts. It then compares this activity to a baseline of normal behavior for the legitimate account owner. This is critical in determining whether user credentials have been stolen and are being used by remote hackers.
Exfiltration attempts. Data exfiltration is a big concern for many organizations. It can occur when employees are negligent, or when they try to be more efficient by working around outdated technology ("I can be more productive using my personal device instead of the company-issued equipment") and use USB drives or online apps like Slack or Box. Detecting and preventing data leaks has become more difficult as new technologies and methods to transfer data emerge. Monitoring for abnormal user behavior, such as obtaining data the user does not normally access or transferring data to unusual locations, can detect data exfiltration attempts.
Credential sharing. Studies show that more than 20% of employees share their passwords with someone else, even though it’s strictly against policy. Monitoring for simultaneous, remote, or unusual usage of user accounts can help detect and mitigate credential sharing.
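The physically-possible check described under suspicious geolocation activity, which also catches the simultaneous remote use mentioned under credential sharing, can be sketched as follows. This is an added example, not code from the original post or from any product it mentions; the sign-in events are constructed, and the speed and distance thresholds are assumptions to tune against your own baseline.

```python
import math
from collections import defaultdict
from datetime import datetime

MAX_SPEED_KMH = 900.0   # assumption: roughly airliner cruise speed
MIN_DISTANCE_KM = 50.0  # assumption: ignore geo-IP jitter within one metro area

# Constructed sample sign-in events: (user, UTC timestamp, latitude, longitude)
SAMPLE_EVENTS = [
    ("alice", "2024-03-01T08:00:00", 37.7749, -122.4194),  # San Francisco
    ("alice", "2024-03-01T09:30:00", 37.3382, -121.8863),  # San Jose, plausible drive
    ("alice", "2024-03-01T10:15:00", 51.5074, -0.1278),    # London, 45 minutes later
    ("bob",   "2024-03-01T08:00:00", 40.7128, -74.0060),   # New York
    ("bob",   "2024-03-01T08:00:00", 35.6762, 139.6503),   # Tokyo, same instant
    ("carol", "2024-03-01T08:00:00", 48.8566, 2.3522),     # Paris
    ("carol", "2024-03-02T08:00:00", 40.7128, -74.0060),   # New York, a day later
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))  # 6371 km = mean Earth radius

def find_impossible_travel(events, max_speed=MAX_SPEED_KMH, min_km=MIN_DISTANCE_KM):
    """Return (user, earlier_ts, later_ts, km, kmh) for each implausible consecutive pair."""
    by_user = defaultdict(list)
    for user, ts, lat, lon in events:
        by_user[user].append((datetime.fromisoformat(ts), lat, lon))
    alerts = []
    for user, rows in by_user.items():
        rows.sort(key=lambda r: r[0])
        for (t1, la1, lo1), (t2, la2, lo2) in zip(rows, rows[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            if km < min_km:
                continue  # same place within geolocation error
            hours = (t2 - t1).total_seconds() / 3600
            # Simultaneous sign-ins from distant places imply infinite speed
            kmh = km / hours if hours > 0 else math.inf
            if kmh > max_speed:
                alerts.append((user, t1.isoformat(), t2.isoformat(), round(km), kmh))
    return alerts

if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_EVENTS):
        print(alert)
```

A production detector would also compare each alert against the account owner's baseline, for example known VPN egress points, before raising it to an analyst.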
While many offerings have the capability to answer these questions, it’s important to take into account both on-premise and cloud-based data and applications. Optimally, you should be able to reconstruct the hidden relationship between data movement and its user, device, and application in real time, and maintain that relationship. So make sure you're able to get the answers to: what has been compromised? Who did it? How did they do it? By what method and from where?
This blog reflects the contributions of the HoloNet team and guest bloggers who are data security experts. HoloNet Security is led by a team of seasoned security industry professionals with a proven record of success creating innovative security products and services.