Detecting advanced threats with user behaviour analytics

Saryu Nayyar, CEO, Gurucul | April 1, 2015
Using big data and machine learning to assess the risk, in near-real time, of user activity.

This vendor-written piece has been edited by Executive Networks Media to eliminate product promotion, but readers should note it will likely favour the submitter's approach.

Day after day, an employee uses legitimate credentials to access corporate systems, from a company office, during business hours. The system remains secure. But suddenly the same credentials are used after midnight to connect to a database server and run queries that this user has never performed before. Is the system still secure?

Maybe it is. Database administrators have to do maintenance, after all, and maintenance is generally performed after hours. It could be that certain maintenance operations require the execution of new queries. But maybe it isn't. The user's credentials could have been compromised and are being used to commit a data breach.

With conventional security controls there is no clear-cut answer. Static perimeter defenses are no longer adequate in a world where data breaches are increasingly carried out with stolen user credentials, and they have never been of much use against malicious insiders, who abuse access they legitimately hold. Today's BYOD environment can also leave a static perimeter in tatters, as new rules have to be continually added for external access.

An approach called User Behavior Analytics (UBA) reduces this guesswork by using big data and machine learning algorithms to assess the risk of user activity in near-real time. UBA starts by modeling what normal behavior looks like for each user and for the user's peer group.

This modeling incorporates information about user roles and titles from HR applications or directories, including access, accounts and permissions; activity and geographic location data gathered from network infrastructure; alerts from defense-in-depth security solutions; and more. This data is correlated and analyzed against both past and ongoing activity.

Such analysis takes into account, among other things, transaction types, resources used, session duration, connectivity and typical peer group behavior. UBA determines what normal behavior is, and what constitutes outlier or anomalous activity. If one person's anomalous behavior (for example, midnight database queries) turns out to be shared by others in their peer group, it is no longer scored as medium or high risk.

Next, UBA performs risk modeling. Anomalous behavior is not automatically considered a risk; it must first be evaluated in light of its potential impact. If apparently anomalous activity involves resources that are not sensitive, like conference room scheduling information, the potential impact is low. Attempts to access sensitive assets such as intellectual property, by contrast, carry a higher impact score.

Consequently, risk to the system posed by a particular transaction is determined using the formula Risk = Likelihood x Impact.

Likelihood refers to the probability that the user behavior in question is anomalous. It is determined by behavior modeling algorithms.
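To make the scoring concrete, the following is an added example, not code from the article or from any UBA product. It implements the steps described above in miniature: build a per-user and per-role baseline from constructed sample events, treat a feature of a new event as anomalous only if the user has never shown it, discount that anomaly when at least half of the user's peer group shows it, and multiply the resulting likelihood by an impact score for the resource touched. The event format, the time-of-day buckets, the peer-share threshold (0.5), the residual weight for peer-normal behavior (0.25) and the impact table are all assumptions made for the illustration; a real deployment would learn these from far richer telemetry than five fields per event.

```python
"""Toy user behaviour analytics: baseline -> peer-group check -> Risk = Likelihood x Impact."""
from collections import defaultdict

# Constructed sample history (not real telemetry): (user, role, hour_of_day, resource, action).
HISTORY = [
    ("alice", "dba", 14, "crm_db", "SELECT"),
    ("alice", "dba", 10, "crm_db", "SELECT"),
    ("alice", "dba", 11, "crm_db", "UPDATE"),
    ("bob",   "dba",  1, "crm_db", "VACUUM"),   # DBAs in alice's peer group do night maintenance
    ("bob",   "dba",  2, "crm_db", "SELECT"),
    ("carol", "dba",  0, "crm_db", "VACUUM"),
    ("dave",  "sales", 9, "room_booking", "READ"),
    ("dave",  "sales", 15, "room_booking", "READ"),
]

# Assumed impact scores per resource (1 = low, 10 = high); unknown resources get a middling 5.
IMPACT = {"crm_db": 9, "room_booking": 1}
DEFAULT_IMPACT = 5

PEER_SHARE = 0.5           # assumption: a feature is "peer-normal" if >= half the peers show it
PEER_NORMAL_WEIGHT = 0.25  # assumption: residual likelihood for novel-to-user but peer-normal behaviour


def bucket(hour):
    """Coarse time-of-day bucket so 00:30 and 02:15 both count as the same 'night' behaviour."""
    return ("night", "morning", "afternoon", "evening")[hour // 6]


def build_baselines(events):
    """Learn what each user, and each role, has done before.

    user_base[u]  -> {"hours": set of buckets, "ops": set of (resource, action)}
    role_base[r]  -> {"members": set of users, "hours": bucket -> users, "ops": (res, act) -> users}
    """
    user_base = defaultdict(lambda: {"hours": set(), "ops": set()})
    role_base = defaultdict(lambda: {"members": set(), "hours": defaultdict(set), "ops": defaultdict(set)})
    for user, role, hour, resource, action in events:
        b = bucket(hour)
        user_base[user]["hours"].add(b)
        user_base[user]["ops"].add((resource, action))
        role_base[role]["members"].add(user)
        role_base[role]["hours"][b].add(user)
        role_base[role]["ops"][(resource, action)].add(user)
    return user_base, role_base


def feature_likelihood(feature, seen_by_user, peers_with_feature, peer_count):
    """0.0 if the user has done this before; discounted if the peer group commonly does it; else 1.0."""
    if feature in seen_by_user:
        return 0.0
    share = len(peers_with_feature) / peer_count if peer_count else 0.0
    return PEER_NORMAL_WEIGHT if share >= PEER_SHARE else 1.0


def score_event(event, user_base, role_base):
    """Risk = Likelihood x Impact for one new event, using the learned baselines."""
    user, role, hour, resource, action = event
    me = user_base.get(user, {"hours": set(), "ops": set()})
    rb = role_base.get(role, {"members": set(), "hours": {}, "ops": {}})
    peers = rb["members"] - {user}            # peer group = same role, excluding the user
    b = bucket(hour)
    hour_l = feature_likelihood(b, me["hours"], rb["hours"].get(b, set()) - {user}, len(peers))
    op_l = feature_likelihood((resource, action), me["ops"],
                              rb["ops"].get((resource, action), set()) - {user}, len(peers))
    likelihood = (hour_l + op_l) / 2          # mean over the two behavioural features modelled here
    impact = IMPACT.get(resource, DEFAULT_IMPACT)
    return {"user": user, "likelihood": likelihood, "impact": impact,
            "risk": round(likelihood * impact, 2)}


def rank_events(events, user_base, role_base):
    """Score a batch of new events and return them highest-risk first, for analyst triage."""
    return sorted((score_event(e, user_base, role_base) for e in events),
                  key=lambda s: s["risk"], reverse=True)


if __name__ == "__main__":
    ub, rb = build_baselines(HISTORY)
    new_events = [
        ("alice", "dba",   0, "crm_db", "VACUUM"),       # the article's midnight DBA scenario
        ("dave",  "sales", 0, "crm_db", "SELECT"),       # salesperson querying the CRM at midnight
        ("dave",  "sales", 0, "room_booking", "READ"),   # odd hour, but a low-impact resource
    ]
    for s in rank_events(new_events, ub, rb):
        print(s)
```

Running the block ranks the salesperson's midnight CRM query first (likelihood 1.0, impact 9, risk 9.0): neither dave nor anyone in his role has touched that database or worked at night. The DBA's midnight VACUUM, which looked identical from a perimeter's point of view, scores only 2.25 because both of her peers routinely do the same thing at the same hour, and the out-of-hours room-booking lookup scores 0.5 because the impact is low. Note that an attacker who compromises a DBA's credentials and mimics DBA-typical activity will also inherit the peer-group discount; that is why impact stays in the formula and why the discount is a residual weight rather than zero.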
