Why we need behavior-centric detection and response

Breach discovery can take days using traditional methods

According to the Verizon 2015 Data Breach Investigations Report (DBIR), in 60 percent of cases attackers were able to compromise an organization within minutes, while in more than 75 percent of cases the time to discover the breach was measured in days. These findings point to a growing "detection deficit" between attackers and defenders, which Verizon sees as one of the primary challenges to the security industry today and going forward.

Incident responders call the interval between the initial compromise and its discovery dwell time. Reducing dwell time is critical: the longer an attacker operates undetected, the more time they have to move through the network and exfiltrate data, so shortening it limits the damage of an incident even when the initial intrusion could not be prevented.

The primary reason for the long delays in breach discovery reported by Verizon is that we are still very much focused on preventing intrusions at the perimeter rather than on detecting the ones that get through. A new and more effective approach to quickly decoding cyber incidents is needed, one that enables us to understand the complex activities occurring on our networks and what "good" activity looks like. To accomplish this, we need to start at the source of all network activity: the behaviors of users and of the entities (devices, applications and service accounts) that act on their behalf.

Why focus on behaviors? It is well documented that users are the weakest link in the security chain and pose the highest risk to our computing environments. Yet user behavior is where we typically have the least visibility, especially into what users are accessing and how they use it. Actively monitoring access and usage patterns, and deriving insight from them, can surface risky activity early. Those early warning signs are critical for protecting against sophisticated threats, including malicious insiders and external attackers who have hijacked legitimate user accounts; both look like authorized users to controls that only check the credential, and only the behavior behind the credential gives them away.

Let’s examine the steps for implementing activity- and usage-centric incident response.

As a starting point, inventory all security-related data that is being collected by any form of logging. To make sense of it, establish a baseline of which user access and usage activities are being logged, from which systems, and which are not. This exposes glaring blind spots in the collection scheme before any analysis begins; no analytic can flag behavior that was never recorded.

Next, apply analytic techniques to the data that has been collected and determine what "good behavior" looks like. With a baseline in place it becomes much easier to isolate user behaviors that are suspicious and should be monitored or investigated. Examples include inappropriate use of elevated access privileges, or the slower, lower-volume activity that precedes a data breach and only stands out when compared against normal usage.

This should be followed by continuous monitoring of behavioral data in order to assess each user's access and usage within "trackable" peer groups. A peer group places behavior in context: an action that is routine for a database administrator is an outlier for an accountant, so comparing each user with the other members of their department, project or work group, based on the roles they perform, exposes outliers that a single global threshold would miss.

An important subsequent step is to identify and track every authorized credential in use, including orphaned, shared, third-party and remote-access accounts. Most can reach sensitive company data, systems and applications and serve as a springboard for a data breach. Once a user's credentials are hijacked, they let an attacker move around the network undetected, because every action looks like that of an authorized user.

Credentials should also be monitored across all networks, voice and data channels, infrastructure, computer systems, devices, databases and applications. As part of this process, revoke any access that users do not need for their role, in particular entitlements that none of the user's peers hold: those are the ones least likely to be justified and least likely to be noticed when misused.

In addition, pay close attention to accounts with elevated access privileges, such as system or database administrator accounts and system-level accounts on security and perimeter devices. Some of these accounts are used only rarely, which makes them easy to forget and attractive to attackers, so they should be reviewed continuously to decide whether they are still needed or should be disabled or removed.

Once credentials are being monitored and logged, analyze access activity against sensitive or privileged data. Which accounts are accessing customer, supplier or finance data? Why is this type of data being accessed by these accounts? Are the users' access privileges consistent with a genuine need to access this type of data?
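The following Python script is an added example, not code from the article or from any vendor it mentions. It implements the steps above on a small constructed access log: it reports expected log sources that are missing, baselines each user's daily access volume per data class against the other members of their department, flags users touching data classes that none of their peers use, lists off-hours access, and reviews privileged accounts that are orphaned or dormant. The log format, the use of department as the peer group, the 30-day dormancy window, the three-standard-deviation threshold with a one-event floor, and every account and event in it are assumptions made for the example.

```python
"""Peer-group behavioural baselining over a constructed access log.

Added example, not code from the article or any product it discusses. It
walks the steps above on constructed data: missing log sources, each
user's daily volume per data class against department peers (outliers,
off-hours use, data classes no peer touches), and privileged credentials
that are orphaned or dormant. Names, thresholds and events are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed events: timestamp  source  user  department  data_class
LOG = """\
2015-06-01T09:02 app alice finance finance
2015-06-01T09:10 db  bob   finance finance
2015-06-01T11:40 app carol finance finance
2015-06-01T14:00 vcs dave  eng     source
2015-06-01T14:20 vcs erin  eng     source
2015-06-02T02:10 db  erin  eng     finance
2015-06-02T02:15 db  erin  eng     customer
2015-06-02T09:00 app alice finance finance
2015-06-02T09:30 db  bob   finance finance
2015-06-02T10:00 app carol finance finance
2015-06-02T10:05 app carol finance finance
2015-06-02T10:10 app carol finance finance
2015-06-02T10:12 app carol finance finance
2015-06-02T10:20 app carol finance finance
2015-06-02T11:30 vcs erin  eng     source
2015-04-20T08:00 fw  fwadm it      infra
"""
# Constructed credential inventory: account -> (owner, privileged)
ACCOUNTS = {
    "alice": ("Alice", False), "bob": ("Bob", False), "carol": ("Carol", False),
    "dave": ("Dave", False), "erin": ("Erin", False),
    "fwadm": ("IT ops", True),   # firewall admin, used only rarely
    "dbadmin": (None, True),     # privileged, and nobody owns it
}
REQUIRED_SOURCES = {"app", "db", "vcs", "fw", "vpn"}   # what we expect to collect
BUSINESS_HOURS = range(7, 19)          # 07:00-18:59 local (assumed)
DORMANT_AFTER = timedelta(days=30)     # assumed dormancy window
NOW = datetime(2015, 6, 3)             # fixed "today" so the run is repeatable

def parse(log):
    """Split the constructed log into (timestamp, source, user, dept, data_class)."""
    rows = [line.split() for line in log.splitlines()]
    return [(datetime.fromisoformat(ts), src, user, dept, dc)
            for ts, src, user, dept, dc in rows]

def collection_gaps(events):
    """Step 1: expected log sources that never appear in the data."""
    return sorted(REQUIRED_SOURCES - {src for _, src, _, _, _ in events})

def peer_group_outliers(events):
    """Steps 2-3: each user-day volume per data class versus department peers."""
    counts, members = defaultdict(int), defaultdict(set)
    for ts, _, user, dept, dc in events:
        counts[(dept, user, ts.date(), dc)] += 1
        members[dept].add(user)
    findings = set()
    for (dept, user, day, dc), n in counts.items():
        if len(members[dept]) < 2:      # a peer group of one gives no context
            continue
        peers = [v for (d, u, _, c), v in counts.items()
                 if d == dept and c == dc and u != user]
        if not peers:
            findings.add((user, str(day), dc, "no peer in %s uses this class" % dept))
            continue
        # Floor the spread at one event so a tight peer group cannot turn
        # a single extra access into an alert.
        limit = mean(peers) + 3 * max(pstdev(peers), 1.0)
        if n > limit:
            findings.add((user, str(day), dc, "%d accesses vs peer limit %.1f" % (n, limit)))
    return sorted(findings)

def off_hours(events):
    """Usage pattern: access outside business hours, whatever the volume."""
    return sorted({(user, ts.isoformat(timespec="minutes"))
                   for ts, _, user, _, _ in events if ts.hour not in BUSINESS_HOURS})

def privileged_account_review(events, accounts):
    """Steps 4-6: privileged credentials that are orphaned or dormant."""
    last_seen = {}
    for ts, _, user, _, _ in events:
        last_seen[user] = max(ts, last_seen.get(user, ts))
    issues = []
    for name, (owner, privileged) in accounts.items():
        if privileged and owner is None:
            issues.append((name, "orphaned"))
        if privileged and (name not in last_seen or NOW - last_seen[name] > DORMANT_AFTER):
            issues.append((name, "dormant"))
    return sorted(issues)

if __name__ == "__main__":
    ev = parse(LOG)
    print(collection_gaps(ev), peer_group_outliers(ev), off_hours(ev),
          privileged_account_review(ev, ACCOUNTS), sep="\n")
```

On the constructed data the script reports that no VPN logs are being collected, flags carol's burst of finance access against her two finance peers, flags erin in engineering reaching finance and customer data at 02:00 when no engineering peer touches either class, lists the unused firewall admin account as dormant and the ownerless dbadmin account as both orphaned and dormant, and skips the single-member "it" department because a peer group of one gives no context. To use it for real, replace the LOG string with a reader over your SIEM export and the department field with whatever peer-group attribute your identity system provides.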

Being able to differentiate between "good" and "bad" user behavior is the foundation for gathering actionable incident detection and response intelligence. It is also vital for shortening the dwell time of intrusions and for containing or preventing data exfiltration.

Stories by Leslie K. Lambert