Published on June 15, 2017
Michael Lipinski, Securonix CISO, chief security strategist and Institute for Critical Infrastructure Technology (ICIT) fellow, contributed the following essay to ICIT's Anthology, "Next Generation Defenses for a Hyper Evolving Threat Landscape" highlighting next-gen defenses in the new and evolving threat landscape.
Protecting the Data – The Final Battle? Can Behavior Analytics Technology be the Answer?
By Michael Lipinski, CISO & Chief Security Strategist, Securonix
“Cyber” is defined as the all-inclusive space where connected devices and data reside. I think this helps paint a clearer picture of the whole Internet, IoT and vast corporate and private connected networks, data stores and complex IT systems. I like to use “Cyber” to define where data flows and lives. Whether you’re a business enabling delivery of product or service or a person simply wanting enabled access to everything you own or do; your sensitive data now moves through and lives in Cyberspace. Perimeter boundaries are almost completely eroded and point-based security solutions are proving less effective at protecting the true assets of the organization; our data. To adapt to the changing landscape, information security professionals are shifting focus to risk-based data protection strategies that can help us detect, respond, contain and recover from data breaches.
Insiders pose one of the most significant threats to the security of an organization. Trusted insider “Sally” could be a bad apple who joined the company specifically to steal, sabotage, or commit fraud or espionage. Or, more likely, Sally could be negligent and carelessly give an outsider access to her credentials. The people we trust and the credentials we entrust to them represent the largest risk to enterprise data. According to the most recent Verizon report, 63 percent of the breaches analyzed were carried out with legitimate insider credentials. The 2015 Vormetric Incident Threat Report states that 89 percent of global respondents feel more at risk from insider threats than ever before. Even more surprising, Vormetric reports that 40 percent of respondents have no formal insider threat program in place.
Why is finding insider threats such a struggle? The answers are in our log data. In every breach you have read about over the past couple of years, the information to determine who, what, how and why an insider attack took place was available for forensic collection and review. So why can’t we use this information proactively to detect and contain breaches? One issue facing IT and security teams is data overload. The massive amount of data produced from traditional security solutions generate more alerts and false positives than most security teams have man power to fully review. Another issue is the silos we have built within our IT and security teams. The SIEM team does their SOC related activities, the identity and access management team performs their work, maybe you have DLP/endpoint teams, proxy teams, application monitoring... the list can keep going. You have data overload and no single pane of glass to help sort it out. All the evidence you need to discover bad behavior is there, but the data sits in silos or goes unnoticed. A seemingly nonconsequential event sitting in a point or siloed solution takes on much greater meaning once it is correlated to very other event in the environment relating to a user or entity.
Another issue is that to date, most security technologies have relied heavily on rules and signatures. That means they only look for known threats. Unknown threats are able to elude these defenses. To protect our data from insider threats, advanced persistent threats, zero-day and other signature-less threats, we need to be able to map behaviors over time, detect behavior outliers, understand context, and correlate suspicious behavior to their corresponding entities. Without these capabilities, security teams will continue to drown in the flood of false alerts generated by signature-based systems.
I began researching behavior analytics two years ago. Behavior analytics technology has been around for several years, but the field is experiencing a renaissance and a mass entry of companies have emerged in the market. User behavior analytics (UBA), as it was originally defined, has now evolved into user and entity behavior analytics (UEBA). UEBA technology compliments your existing IT and security infrastructure and provides a means to economically store, analyze, remediate and report on security risks to the organization. At a high level, this is accomplished through heavy use of analytic models in combination with threat modeling. Sophisticated correlation technology is capable of taking every event generated in your environment and correlating those events to an entity. An entity is a user, machine, IP address, etc. This single pane of glass is very powerful on its own; just envision being able to view every event associated with a certain user and develop a complete view of that user’s activities within an enterprise. This user activity data can then be even further enriched with HR data, geo- location information, and just about any other data source you desire.
Once you have this data correlated into a big-picture painting of an entity, you can now use the machine learning capabilities of the technology to establish a baseline of “normal” activity for every entity in the environment. Once the technology learns what normal behavior looks like, it can alert security teams to suspicious, abnormal behaviors that could indicate a threat with impressive speed and accuracy. These suspicious behaviors could come from any entity: think user, point of sale system, SCADA device, hospital critical care device, or compromised service account.
With behavior analytics, security teams are alerted to potential threats in near-real-time – before a catastrophic breach. The mature technologies in this space are capable of finding unknown threats (such as insiders) that go unnoticed by signature-driven security mechanisms. They can empower security teams with a holistic view of context-rich data that illuminates an entirely new perspective on enterprise risk. UEBA will change how we detect, respond, contain and recover from insider threats and unknown attacks in the new Cyber realm.