Published on April 13, 2015
Security analytics applied to SCADA devices can detect changes in pressure, temperature or flow that indicate a valve is 3X hotter than any other valve with 3X the pressure, and is about to blow. Applied to medical devices like Pyxis pharmacy dispensing applications, analytics can detect a clinician withdrawing a dose 10X the norm that may kill a patient. When used with unstructured data with the company’s secrets on file systems like SharePoint and Documentum, analytics can detect when a user is accessing files they shouldn’t without tortuous, time consuming data discovery and classification projects.
Security is down but not out. The hackers and the Internet won the first round and took the last decade. Pick up a paper (or open your news reader) and you’re bound to be inundated with the list of the latest compromised companies being publicly shamed. Sony, Target, Experian… multi-billion dollar companies with budgets most of us can only dream about can’t keep the bad guys out, so how can we?
There are some basic flaws in security. They walk on two legs and click on every “speed up your PC now” download and “update your password now” popup and email they see. While we’re busy securing the back door and fighting malware, our users give away our secrets faster than we can respond. So what can we do?
DLP? Unlikely. SIEM? Hasn’t worked yet. People? Yeah, right! Where are the wizards, and who’s going to approve the FTEs to hire them?
CIOs and CISOs are getting a bad rap. More and more they’re being dismissed as “IT Guys” and not strategic players in the business. (See CISOs Struggle for Respect.)
The answer lies in a new promising technology: Security Analytics. Gartner has decided it breaks into two technologies, user behavior analytics (UBA) and enterprise network forensics (ENF). (See recent posts with links to SANS and Gartner.) In fact it is one new concept applied to different data sources. The concept is simple – “learn normal and alert on weird.”
The twist is in the “learn” part of the concept. Machine algorithms can learn normal behavior for “entities.” Those entities may be users (UBA), or devices with IP addresses (ENF). Applied properly, security analytics can make the security business relevant again by collecting and analyzing logs from critical applications and alerting when things deviate substantially from normal.
Sounds like what we’ve been trying to do for years, but one difference is auto-learning rather than being manually told (by rules, filters and lists), what normal looks like.
This first trick is building a list of all known things about a user learned from the event data we’re already collecting. What IP addresses does this user login from? What transactions do they normally execute in any given application? Which source and destination accounts numbers are used normally? However, we can’t stop there. Individual profiling won’t help us if the account or host is already compromised.
We fight back by reaching into identity data stores (IAM tools, human resource spreadsheets, Active Directory), and learning as much about our users and who else is like them and then comparing the behaviors of similar users or devices.
If your favorite database administrator is the only DBA to ever execute a wire transfer in Oracle financials, and if the destination account number in the Bahamas has never been used by anyone else in the company, he sticks out like a sore thumb when compared to his peers.
Behavioral analytics lets security professionals apply a common methodology to any log source, applying the concept of learn normal and alert on weird into any environment. When we start moving away from malware and network layer devices into the business critical applications, our value to the business increases exponentially.
I hate to sound like I’m drinking too much Kool-Aid and reusing tired clichés. Nevertheless, I’ve seen the promised land and I know how behavioral analytics can find threats without signatures and without thousands of hours of human effort teaching a rule-based tool how to detect a known bad pattern. Best of all, I can show it to you and show you how to get it to work in your network.