User behaviour analytics is key to IT security, says Asystec’s McPhillips


14 March 2016

Every cyberattack and potential data breach begins with some illicit activity. Of course the entire exploit, whether successful or not, is illicit. But it is in detecting that first step, often tiny and apparently insignificant, at the earliest possible stage that all cybersecurity tools perform best in repelling attacks and preventing damage. There are many techniques for detecting such early stage attacks but they are all subject to the challenge of a sophisticated and growing cybercriminal community.


A huge part of that is the constant development of new forms of threat delivered by ever-smarter technologies. It is now a full-scale war and not just a battle, as anyone dealing with an organisation’s security management is all too well aware.

Defeating the enemy today is not as focused on the perimeters any more, although that continues to be an important element of cyberdefence. But with the mobile and online worlds we live and work in today, there are multiple ‘perimeters’ and attack surfaces and they change all the time — often in minutes. So the security experts have generally moved to instant and real-time defence as the more effective approach. Which is fine provided you can identify an attack, especially at the crucial earliest stages. The statistics vary, but most commentators agree that the time to detect breaches is normally over 200 days.

That is where User Behaviour Analytics (UBA) is an enormously valuable modern security tool in data and systems protection. Essentially, this is a set of tools to monitor users, data and systems to create a baseline or profile of ‘normal’ activity which enables anomalous or illicit activity to be detected quickly, bringing that time to detect from hundreds of days to minutes. It tracks and collects data on the millions of transactions that occur between users, data and systems.


A variant term is User and Entity Behaviour Analytics (UEBA) because of course the attack may be from other entities such as managed and unmanaged endpoints, applications (including cloud, mobile and other on-premises applications) and networks as well as external threats. A good example is Cryptolocker, the ransomware tool that gains entry past the perimeter by acquiring genuine user credentials. But once it starts to open and modify files at a rapid rate it will be detected immediately and will trigger an automated defence response. Similarly, UBA will alert to so-called zero-day exploits with malware or software weaknesses that have not been identified previously and so will not be caught by traditional signature-based security tools.
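The baseline-then-alert idea described above, as an added Python example that is not from the article or from any vendor product: it profiles file operations per user per minute over a learning window, then flags a user whose live-minute activity jumps far above their own baseline (the rapid open-and-modify pattern attributed to ransomware running under stolen credentials), while a steadily busy service account stays quiet. All user names, paths and counts are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

TRAIN_MINUTES = range(10)   # minutes 0-9 are the learning window, minute 10 is live

def make_events():
    """Constructed file-access log: (user, minute, action, path).
    alice and bob touch a few files a minute; svc-backup is a steady bulk reader;
    in minute 10 alice suddenly rewrites 60 files on top of her usual activity."""
    events = []
    for m in range(11):
        events += [("alice", m, "modify", f"/share/docs/a{m}-{i}.docx") for i in range(2)]
        events += [("bob", m, "read", f"/share/docs/b{m}-{i}.xlsx") for i in range(3)]
        events += [("svc-backup", m, "read", f"/share/db/{m}-{i}.bak") for i in range(40)]
    events += [("alice", 10, "modify", f"/share/docs/enc{i}.locked") for i in range(60)]
    return events

def ops_per_minute(events, minutes):
    """Count file operations per user for each minute in `minutes`."""
    counts = defaultdict(lambda: defaultdict(int))
    for user, m, _action, _path in events:
        if m in minutes:
            counts[user][m] += 1
    return counts

def build_profile(events, train_minutes=TRAIN_MINUTES):
    """Per-user baseline: mean and standard deviation of operations per minute,
    counting a minute with no activity as zero."""
    counts = ops_per_minute(events, train_minutes)
    profile = {}
    for user, per_minute in counts.items():
        series = [per_minute.get(m, 0) for m in train_minutes]
        profile[user] = (mean(series), pstdev(series))
    return profile

def detect(events, profile, minute, sigma=3.0, sd_floor=1.0):
    """Return {user: (count, threshold)} for users whose activity in `minute`
    exceeds their baseline mean + sigma * stdev. sd_floor stops a perfectly
    flat baseline (stdev 0) from alerting on a change of a single operation."""
    alerts = {}
    for user, per_minute in ops_per_minute(events, {minute}).items():
        mu, sd = profile.get(user, (0.0, 0.0))   # unseen user: no baseline at all
        threshold = mu + sigma * max(sd, sd_floor)
        if per_minute[minute] > threshold:
            alerts[user] = (per_minute[minute], threshold)
    return alerts

if __name__ == "__main__":
    ev = make_events()
    for user, (n, thr) in detect(ev, build_profile(ev), 10).items():
        print(f"ALERT {user}: {n} file operations in minute 10 (threshold {thr:.1f})")
```

Only alice is flagged: her 62 operations in minute 10 are far above her threshold of 5, whereas svc-backup's 40 operations sit inside its own baseline.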

We work with Varonis Systems, a leading data governance and security software provider, but there are other products on the market. UBA offers a number of advantages over and above traditional security software, although it is intended to complement rather than replace such tools. It can also feed into and link with on-site or managed SIEM solutions. Any attackers will cause deviations from normal behaviour patterns, no matter how skilled they are. UBA is also particularly suited to analysing and thwarting insider attacks, which of course use genuine credentials and so are hard to detect.

The techniques have been gaining credibility with information security professionals because of their ability to find both malicious and unintentional insider threats as well as planned, highly sophisticated external attacks. The key is the data and metadata built up by a UBA system. It can be linked to other security tools and provides an additional layer of intelligence, which can be customised to an organisation’s own business rules and security requirements. We are moving into a digital world where analytics provides intelligence to gain advantage. In IT security and governance, UBA is now providing that advantage against those looking to cause damage to our clients, both financial and reputational.


Brendan McPhillips is director of Security and Governance Practice for Asystec



TechCentral.ie