Determine Security Vulnerabilities by Studying UBA


User Behavior Analytics: Methods and Best Practices

Here’s a daunting question asked by many security professionals today: “How can I discover malicious user behavior more rapidly?”

It’s hard enough after the fact to point at an event and say: “Aha, this was a breach underway.” But that, of course, is far too late. The goal should be to detect such events as they occur, in or as close to real time as possible, and shut them down to minimize any possible business impact.


That’s where things begin to get a bit awkward, because looking for those needles-in-a-haystack isn’t the simplest thing in the world to do. New log data is constantly emerging from the complete IT infrastructure of servers, databases, routers, and other assets. All of it is potentially relevant to security breaches in process.

And while the huge majority of log data is insignificant, the way three or four exceptions combine can mean all the difference between business as usual and a catastrophic loss of sensitive data.

To put this in perspective, consider the difference between the word breaches and the word breeches. They look much the same, and sound much the same… but the first means a devastating failure of the security strategy, and the second only means short pants. Ideally, you’d be able to spot the first and ignore the second — every time — fast.

What is User Behavior Analytics?

That challenge is exactly what’s driven the emergence of User Behavior Analytics (UBA) solutions. These tools leverage machine learning to approximate the expertise that human security specialists use to spot real breaches — but faster! They can often zero in on the tiny percentage of anomalous events that merit a closer look.

If this reminds you of the way marketing analytics tools have worked for some time, that’s no coincidence. User behavior analytics has emerged as a security-specific application of the same basic principles involved in all smart business analytics.

How does User Behavior Analytics work?

First, user behavior analytics solutions collect information emerging from many points in the infrastructure. Using this, they then create a baseline to determine what normal means under different conditions.

That accomplished, they continue to aggregate data, slicing and dicing it to look for patterns that (depending on how the proprietary algorithms work) are deemed not normal. These determinations assess how, and by how much, a new event is unusual in its context, and prioritize it by significance and possible business impact. User behavior analytics administrators can also create custom rules to tailor the solution more closely to the organization: its unique services, data, account classes, business priorities, etc.

One important principle to understand is that UBA tools address anomalous user behavior much more than infrastructural events in general — hence the name of the solution class. This focused approach helps address some of the most vexing issues facing security professionals today, like:

• Determining when a valid privileged account has been compromised

• Determining when unusual behavior by such an account is justified vs. when it should be flagged for further examination

For example, it’s one thing for Steve (an American database administrator) to access a database during working hours from inside the firewall, and quite a different thing for Steve to do the same from Uzbekistan at 2am on a Friday. Determining rapidly that the second situation is indeed taking place is easy for humans, but traditionally difficult for automated technology — until now.
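As an added illustration (not code from the original post), here is a small Python sketch of the baseline-then-score approach described above, applied to the Steve scenario: the event history, the dimensions scored, the privilege weighting and the custom rule are all constructed assumptions, not any vendor's algorithm.

```python
from collections import Counter
from datetime import datetime

# Constructed "known good" history for one DBA account (sample data, not from the article):
# (ISO timestamp, source country, connected from inside the corporate network?, resource)
HISTORY = [
    ("2016-03-01T09:12:00", "US", True, "db-prod"),
    ("2016-03-01T14:40:00", "US", True, "db-prod"),
    ("2016-03-02T10:05:00", "US", True, "db-prod"),
    ("2016-03-02T16:30:00", "US", True, "db-staging"),
    ("2016-03-03T11:00:00", "US", True, "db-prod"),
    ("2016-03-04T13:15:00", "US", False, "db-prod"),  # one VPN session from home
]

def build_baseline(events):
    """Baseline step: count every value seen per dimension for this account."""
    base = {"hour": Counter(), "country": Counter(), "inside": Counter(), "resource": Counter()}
    for ts, country, inside, resource in events:
        base["hour"][datetime.fromisoformat(ts).hour] += 1
        base["country"][country] += 1
        base["inside"][inside] += 1
        base["resource"][resource] += 1
    return base

def score_event(base, event, privileged=False, rules=()):
    """Detection step: one point per dimension never seen in the baseline,
    doubled for privileged accounts (impact), plus two points per matching
    admin-defined custom rule. Returns (score, reasons)."""
    ts, country, inside, resource = event
    observed = {"hour": datetime.fromisoformat(ts).hour, "country": country,
                "inside": inside, "resource": resource}
    reasons = [f"{dim}={val!r} never seen before"
               for dim, val in observed.items() if base[dim][val] == 0]
    score = len(reasons) * (2 if privileged else 1)
    for name, predicate in rules:  # custom rules tailored to the organisation
        if predicate(observed):
            reasons.append(f"rule: {name}")
            score += 2
    return score, reasons

# Hypothetical custom rule: no production DB access from outside the network off-hours.
RULES = [("off-hours external prod access", lambda o: o["resource"] == "db-prod"
          and not o["inside"] and not 8 <= o["hour"] <= 18)]

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for ev in (("2016-03-07T10:30:00", "US", True, "db-prod"),       # Steve, Monday morning, in office
               ("2016-03-11T02:00:00", "UZ", False, "db-prod")):     # Steve, Friday 2am, from abroad
        print(ev, score_event(base, ev, privileged=True, rules=RULES))
```

The in-office event scores 0, while the 2am login from a new country scores on two never-seen dimensions, is doubled for the privileged account and also trips the custom rule; a real product would additionally weight by how rare a value is rather than only whether it was ever seen.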

When such a determination is made, user behavior analytics solutions can take a variety of effective steps. Commonly, they can update monitoring dashboards, e-mail alerts to appropriate team members, and in some cases, take direct action to stop the event. Which brings us to:

The future of user behavior analytics

Gartner estimates that “by 2017, at least 20% of major security vendors with a focus on user controls or user monitoring will incorporate advanced analytics and UEBA into their products, either through acquisitions, partnerships or internal development.”
– (http://www.gartner.com/technology/reprints.do?id=1-2NVC37H&ct=150928&st=sb)

This is a reflection of the rapid growth and maturity in UBA capabilities (referred to by Gartner as UEBA, User and Entity Behavior Analytics) over the last 18 months. This is due in part to broad interest and significant improvements in machine learning, big data, and artificial intelligence across many industries, but it is being driven into IT security applications specifically by the difficulty of detecting today’s Advanced Persistent Threats, sophisticated botnets, malicious insider behavior, and a variety of other modern attack methods.

In the very near term, expect to see user behavior analytics solutions integrate more directly with the infrastructure. For instance, firewalls might be configured to take user behavior analytics-derived insight and create new traffic rules immediately, shutting down invasive connections long before human talent would even notice they’re there.

Similarly, databases might be automatically modified to eliminate the access privileges of accounts that have just been deemed compromised.

These capabilities aren’t technologically difficult to implement, but they come with significant risk. What happens when the system automatically shuts down the wrong activity at just the wrong time? An e-commerce site over the holidays? A defense system? A utility? Could the reaction be triggered on purpose, as a form of Denial of Service attack whose aim is disruption rather than theft? Certainly the early days of Intrusion Detection Systems and their many false positives come to mind.

Best practices in today’s user behavior analytics tools

For now, however, we can recommend these basic best practices to get optimal results from user behavior analytics tools:

• Take both external and internal threats into account when developing new rules/policies.

• Look for solutions that feature analytical strengths in areas important to your organization, such as offsite contractors, the relative business significance of different data repositories, etc.

• Consider carefully which team members should be notified when alerts are generated.

• Don’t assume standard accounts (without special privileges) are harmless — some attacks create a cascade effect, compromising assets in sequence to arrive finally at control of a privileged account or escalation of privileges on a standard account.

It’s a very promising area — we feel that user behavior analytics capabilities are already well worth a look for almost any security-conscious organization. And as they evolve, the case for them will just get stronger and stronger.

About AT&T CyberSecurity
AT&T Cybersecurity’s edge-to-edge technologies provide phenomenal threat intelligence, collaborative defense, security without the seams, and solutions that fit your business. Our unique, collaborative approach integrates best-of-breed technologies with unrivaled network visibility and actionable threat intelligence from AT&T Alien Labs researchers, Security Operations Center analysts, and machine learning – helping to enable our customers around the globe to anticipate and act on threats to protect their business.