Why we need behavior-centric detection and response
- 16 October, 2015 21:03
According to the Verizon 2015 Data Breach Investigations Report (DBIR), 60 percent of the time, attackers were able to compromise an organization within minutes. Meanwhile, in more than 75 percent of the cases, the average time to discover breaches was measured in days. These findings indicate a growing “detection deficit” between attackers and defenders. Verizon sees this as one of the primary challenges to the security industry today and going forward.
For incident responders, time spent in the same position, area, or stage of a process, such as the delta between when a compromise occurs and when it is discovered, is called dwell time. Reducing dwell time is critical to enabling successful prevention or resolution of a cyber incident.
The primary reason for the long delays in breach discovery reported by Verizon is that we are still very much focused on defending against intrusions. A new and more effective approach to quickly decode cyber incidents is needed, one that enables us to understand the complex activities occurring on our networks, and what “good” cyber activity looks like. To accomplish this, we need to start at the source of all network activity -- the behaviors of users and entities or devices.
Why focus on behaviors? It’s well documented that users are the weakest link in the security chain and pose the highest risk to our computing environments. Yet, knowledge of user behaviors is where we typically have the least amount of visibility, especially into what users are accessing and their patterns of usage. Active engagement in monitoring, detecting and deriving insight into user access and usage patterns can foretell risky activity. Identifying early warning signs is critical for protecting against sophisticated threats including malicious insiders and external attackers that have hijacked legitimate user accounts.
Let’s examine the steps for implementing activity- and usage-centric incident response.
As a starting point, review all security-related data that is being collected by any form of logging. To make sense of this data establish a baseline of which user access and usage activities are being logged and which are not. This will expose any glaring blind spots in collection schemes.
Next, apply analytic techniques to understand the data that’s been collected and determine what “good behavior” looks like. This will make it easier to isolate user behaviors that are suspicious, should be monitored or investigated. Examples of suspicious behavior may include inappropriate use of elevated access privileges, or more latent threats, such as data breaches.
This should be followed by continuous monitoring of behavioral data in order to assess user access and usage within “trackable” peer groups. The use of peer groups places behaviors in context and helps to expose ‘outliers’ based on the roles each user performs in comparison to other members of their department, project or work groups, etc.
An important subsequent step is to identify and track all authorized access credentials that are in use, including orphaned, shared, third-party and remote access accounts. Most can be used to access sensitive company data, systems and applications, and as a springboard for data breaches. Once a user’s access credentials are hijacked, they can enable attackers to move around the network undetected.
Also, access credentials should be monitored across all networks, voice and data channels, infrastructure, computer systems, devices, databases and applications. As part of this process, any excess access credentials that are not required by users should be revoked. Especially those that do not match up or conflict with other users in an individual's relevant peer groups.
In addition, pay close attention to user accounts with elevated access privileges, such as systems or database administrator accounts and system-level accounts on all security and perimeter devices, etc. Some of these accounts may not be used on a regular basis, and should therefore be scanned continuously to evaluate whether they need to be removed or disabled.
Once user credentials are being monitored and logged, access activity should be analyzed against sensitive or privileged data. For example, which user accounts are accessing customer, supplier or finance data? Why is this type of data being accessed by these user accounts? Are users access privileges consistent with their need to access this type of data?
Being able to differentiate between “good” and “bad” user behavior is the foundation for gathering actionable incident detection and response intelligence. It is also vital for shortening the dwell time of intrusions and containing or preventing data exfiltration.