Don't Let Outliers Sabotage Your Cybersecurity Analytics - InformationWeek


Commentary
3/10/2017
03:35 PM
Lisa Morgan

Don't Let Outliers Sabotage Your Cybersecurity Analytics

Cybersecurity analytics must balance the lessons of user behavior with the need to maintain service levels for workers while always assuming that the intruder is already inside the network.

Cybersecurity analytics solutions are becoming more intelligent and nuanced to understand anomalous behavior that's outside the norm and potentially dangerous. Identifying outliers is important, but not every outlier is a threat, nor is every threat an outlier.

"Companies have made hundreds of millions of dollars building tools that look for behavior that's outside a rule or a set of parameters," said Jason Straight, SVP of Cyber Risk Solutions and chief privacy officer at legal outsourcing services provider United Lex. "For machines that works pretty well, for people it doesn't."

Tracking behavior at the machine level can be as simple as monitoring the number of packets sent to and from a particular machine.

Humans behave differently in different contexts. For example, many of us usually work at a particular office Monday through Friday during "normal" work hours. However, if we're traveling internationally, we're probably accessing the same corporate network, albeit at a different time and from a different IP address that's located somewhere else in the world.

A rule-based system could be programmed to disallow network access under those conditions, but traveling professionals wouldn't get much work done. The trick is to balance the needs of users and the business against potential threats.

"Instead of setting a bunch of rules that say if someone logs in from an IP address that they've never used before, at a time they've never logged in before, and they're accessing part of the network they've never used before, that's a complicated rule that would require constant updating and it would be impossible to manage on a person-by-person basis," said Straight.

User Behavior Analytics Can Help

Enterprise security budgets have been heavily focused on keeping outside threats at bay, but more enterprises are realizing that to protect their assets, they need to assume that their network has been hacked and that there's an active intruder at work.

Similarly, when the average person thinks about a cybersecurity breach, hackers come to mind. However, insiders are a bigger problem. In addition to being responsible for more security breaches than hackers, insiders fail their companies accidentally and willfully.

"If I see a server doing something funny, I can shut it down, take it offline, or reroute the traffic, which doesn't disrupt an organization much or at all," said Straight. "If I do that to people, that could be really disruptive."

User behavior analytics are an effective mechanism for detecting insider threats because they model an individual user's behavior over time. For example, when an employee is getting ready to leave a job, that person usually visits certain websites and updates her resume, which isn't the best use of company assets, but it doesn't justify security intervention. However, when that employee starts downloading files to USB drives, uploading files to file-sharing services, and printing volumes of information, intervention may be necessary.

Monitoring a single user doesn't always tell the entire story, however, which is why user behavior analytics let analysts see what an individual is doing within the context of a group. For example, if someone in marketing accessed a part of the network she's never visited before, that's strange. Whether it actually requires action may depend on whether others in her department have accessed that same part of the network and, if so, when.

While such capabilities sound attractive, many organizations are failing to get the value they expected from user behavior analytics, despite spending seven figures, because they don't know how to handle the alerts and intelligence, Straight said.

User behavior analytics can also help determine whether someone's login credentials have been stolen. Unlike traditional rule-based systems, user behavior analytics use machine learning and AI to model an authorized user's behavior, and that behavioral model is associated with that person's login credentials. If someone else tries to use the same user ID and password, the mismatch between the observed behavior and the model indicates the account has been compromised.

"That's when you start to see an account that's never really used more than a departmental server suddenly scanning the entire network, trying to get into different places and being denied access," said Straight.
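As an added illustration, not code from the article or from any vendor's product, the following Python sketch models the two behaviors Straight describes: scoring a user's access to a new part of the network against what her department peers have recently used, and flagging an account that suddenly touches many unfamiliar hosts and is repeatedly denied. All users, departments, hosts, timestamps and thresholds are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (not real data): one dict per access attempt.
# Hypothetical fields: ts, user, dept, host, outcome ("ok" or "denied").
def ev(ts, user, dept, host, outcome="ok"):
    return {"ts": datetime.fromisoformat(ts), "user": user, "dept": dept,
            "host": host, "outcome": outcome}

HISTORY = [
    ev("2017-02-01T09:12", "alice", "marketing", "mkt-share"),
    ev("2017-02-02T10:05", "alice", "marketing", "mkt-share"),
    ev("2017-02-20T11:30", "bob", "marketing", "campaign-db"),  # a peer already uses this host
    ev("2017-02-03T08:50", "carol", "finance", "fin-share"),
    ev("2017-02-10T09:00", "carol", "finance", "fin-share"),
]

def build_profiles(history):
    """Per-user host baseline plus, per department, the last time each host was used."""
    user_hosts = defaultdict(set)
    dept_seen = defaultdict(dict)  # dept -> host -> latest access time
    for e in history:
        user_hosts[e["user"]].add(e["host"])
        prev = dept_seen[e["dept"]].get(e["host"])
        if prev is None or e["ts"] > prev:
            dept_seen[e["dept"]][e["host"]] = e["ts"]
    return user_hosts, dept_seen

def score_event(profiles, e, peer_window=timedelta(days=30)):
    """Score one access: a host new to this user is odd; recent use by a peer softens it."""
    user_hosts, dept_seen = profiles
    if e["host"] in user_hosts[e["user"]]:
        return 0.0, "known host for this user"
    peer_ts = dept_seen[e["dept"]].get(e["host"])
    if peer_ts is not None and e["ts"] - peer_ts <= peer_window:
        return 0.3, "new for user, but a department peer used it recently"
    return 1.0, "new for user and unseen in the department"

def score_session(profiles, events, new_host_min=3, denied_min=2):
    """Flag an account that suddenly touches many unfamiliar hosts and is repeatedly denied."""
    user_hosts, _ = profiles
    new_hosts = {e["host"] for e in events if e["host"] not in user_hosts[e["user"]]}
    denied = sum(1 for e in events if e["outcome"] == "denied")
    total = sum(score_event(profiles, e)[0] for e in events)
    suspect = len(new_hosts) >= new_host_min and denied >= denied_min
    return {"score": round(total, 1), "new_hosts": len(new_hosts),
            "denied": denied, "credential_compromise_suspected": suspect}
```

The peer window and the new-host and denial thresholds are the tunable part: set them too tightly and the traveling marketer in the earlier example gets flagged; too loosely and the scanning account blends in.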

Think First

Before investing in a new security tool, it's essential to understand the problem you're trying to solve, which is true of any technology. Different security tools serve different purposes.

"Do you want to understand problems you haven't identified, or are you trying to prevent data leakage?" said Avivah Litan, vice president and distinguished analyst at Gartner. "You have to be real clear, and then you also need to spend some time training the models and supervising them."

What's your experience? Is your company's cybersecurity getting more sophisticated? If so, how and what still needs to be improved?
