Balabit Essential Guide To User Behavior Analytics

THE ESSENTIAL GUIDE TO USER BEHAVIOR ANALYTICS

www.balabit.com
EVOLUTION OF IT SECURITY

Perimeter-based security → Identity-based security → Behavior-based security

The history of IT security is only a generation old, yet the direction of the arms race has already changed completely several times. Initially, perimeter-based security played the most important role at organizations, with firewall and anti-virus products the most prevalent of that era. This approach became outdated by the beginning of the new millennium, when the focus of security turned to identity-based solutions.

Large enterprises and governmental institutions started to recognize that humans are the weakest link in their defense system, so they spent billions of dollars on various Identity & Access Management (IAM) solutions. However, the growing number of successful attacks and data breaches confirmed that IAM is not a silver bullet either. Sophisticated cybercriminals implemented targeted attacks; in other words, they could easily acquire valid user credentials by using simple social engineering methods. Some of these attacks were avoidable with state-of-the-art session recording solutions, but most were successful. There is a logical next step in the evolution of IT security solutions: existing systems such as SIEMs gather plenty of data about users and devices, as well as known patterns of bad behavior, but "unknown unknown" threats still remain uncovered and invisible. The industry needs a solution which can reveal and visualize these unknown threats.

A brief timeline:

1970s: Appearance of the first hackers, the "phreakers", who manipulated the telephone network to make free phone calls.
1980s: Arrival of the first PC virus (Brain, 1986) and the first Internet worm (Morris, 1988).
1990s: Debut of distributed denial of service (DDoS) attacks and the bots that made them possible. AOL users are the victims of the first phishing attacks; the criminals stole users' credentials.
2000s: Emergence of adware and spyware, as well as zero-day attacks, rootkits and click fraud.
2010s: Rise of sophisticated, targeted attacks, such as Advanced Persistent Threats (APTs).

"There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don't know we don't know."

Donald Rumsfeld's sentences about the categories of knowledge became very popular among IT security experts and data scientists as a way of classifying threats. Most security products deal with known threats: they look for things like known malware in the system. The real problem, however, is the case where the attack is previously unknown, commonly referred to as a 0-day or 0-hour attack. We need some way of handling the "unknown unknowns" of IT security, which are the main challenge for the future.

"There's no such thing as 'secure' anymore."
Debora Plunkett, head of the NSA's Information Assurance Directorate
KEY LEARNINGS FROM RECENT DATA BREACHES

50%: Almost half of organizations suffered at least one security incident in the last 12 months.

1 BILLION: Almost 1 billion data records were compromised in attacks in 2014.

256 DAYS: Malicious attacks can take an average of 256 days to identify.

$21,155/DAY: The mean number of days to resolve a cyber attack is 46, with an average cost of $21,155 per day – a total cost of $973,130 over the 46-day remediation period.

Target, Neiman-Marcus, Snapchat, Kickstarter, LaCie, German Space Center, eBay, UPS, JP Morgan, iCloud, Home Depot, Sony Pictures and even the White House. This is only a small sample of the organizations that have been breached in recent months. Hackers successfully accessed and stole valuable information from these organizations, including development data, financial information and the private data of millions of users. Although there were some cases where the systems protecting confidential user data were inadequate, most of these enterprises were highly compliant: they had implemented the traditional IT security solutions expected by auditors of PCI DSS, SOX and other standards. So what went wrong?

How should we start the implementation of security intelligence technologies?

Privileged users present the most risk for companies. After acquiring the credentials of a privileged user, attackers are able to move freely in the corporate network and obtain the most valuable assets. This is the reason why it is crucial to focus IT security efforts on privileged users:

1. Detect malevolent outsiders trying to come in from the outside through compromised accounts.
2. Recognize malicious insiders abusing their normal credentials.
3. Visualize "unknown unknown" security events, which remain invisible to current security solutions.
4. Prevent the consequences of a privileged user credential theft.

According to the 2015 Cost of Cyber Crime Study by the Ponemon Institute, deployment of security intelligence systems makes a difference. Findings suggest that companies using security intelligence technologies were more efficient in detecting and containing cyber attacks. As a result, these companies enjoyed an average cost saving of $1.9 million compared to companies not deploying security intelligence technologies. What's more, companies deploying security intelligence systems experienced a substantially higher ROI (23 percent) than all other technology categories presented in the study.
THE SOLUTION: USER BEHAVIOR ANALYTICS

The new perimeter is our users

Many companies' worst nightmare – a sophisticated external attacker or a malicious insider – is already within their perimeter. Nowadays attackers are intelligent and well-funded, and their attacks are increasingly complex and well targeted. The recent high-profile breaches were carefully planned and went undetected for some time, with the attackers moving freely inside the victim's IT environment. Malicious insiders hold an advantage over a company's primary security tools, which are predominantly designed to protect against external threats, not trusted employees. Targeted attacks by humans use a combination of IT vulnerabilities, social engineering and ordinary crime to gain unauthorized access. It means that the new perimeter – where the focus of IT security now needs to be – is the users, not the infrastructure.

What is digital behavior?

According to biologists, "behavior is the internally coordinated responses of whole living organisms to internal and/or external stimuli" – so basically behavior is everything that we do. Similarly, digital behavior is everything that we do in the digital world. Typing characteristics, the screen resolution of our computer, smartphone or tablet, favorite applications or websites and many other traces are our digital footprints, and they typify us as strongly as our habits do. Just as parents are able to recognize and differentiate their children by the sound of their footsteps, User Behavior Analytics solutions are able to recognize and differentiate users by their digital activities.

Machine learning and Big Data in security

Machine learning helps smartphones understand the human voice, controls driverless cars and provides fast and relevant answers to our questions in search engines. It gives computers the ability to learn without being explicitly programmed to do so. This is natural in the world of living creatures: even a small child learns not to touch a hot surface again after burning their hand. It is much more difficult in the world of machines, which can execute programmed tasks rapidly and precisely, but without any reasoning or consideration. Machines perform much worse when the problem cannot be translated into simple logical rules, as even the programmers do not know what kind of commands they should use.

Top 8 applications based on machine learning:
1. Search engines
2. Driverless cars
3. Voice recognition
4. Product recommender systems of webshops
5. Spam filtering
6. Handwriting recognition
7. Machine vision
8. Face recognition in digital cameras

Traditional security approaches focus on prevention of attacks through perimeter defenses and static, predefined rules. This old approach of building higher and higher walls is no longer sufficient. Attackers are intelligent and know that their targets will have defensive controls in place to protect against known threats. Pattern- and rule-based security tools cannot identify all threats, as they only defend against what is known. They still have a role to play, but using this approach alone will fail to discover the more sophisticated attacks, and data breaches will continue to take place unchallenged.

Organizations should expect to be hacked, which means security strategies should be upgraded to identify threats on the assumption that there is no perimeter, including tools that identify suspicious behavior and prioritize investigation. Prevention tools alone will not work. Active discovery, investigation, response and intervention are the new foundations of security strategy.

The product recommender systems used by Amazon and other e-commerce vendors are excellent examples of machine learning. They recommend books, CDs or other products – for example sci-fi novels, jazz CDs or Hungarian hot paprika – to users based on their buying habits or those of similar shoppers.

Machine learning is now also being used in IT security. The main concept of UBA solutions is very simple: UBA software is able to recognize users based on specific behavioral characteristics and detect if they do something out of the ordinary – even if the person behind the user account is an external attacker who has stolen valid user credentials. Besides many other characteristics, typing dynamics and mouse movement patterns are highly individual. An attacker who has only stolen the credentials cannot easily reproduce these features, so the UBA solution can flag the session as an intrusion. Note that a deviation from the baseline is evidence, not proof: the alert still needs an analyst to confirm it, which is why investigation efficiency matters as much as detection.

Top 3 promises of machine learning for IT security:
1. Prevent data breaches by detecting accounts hijacked by external attackers or misused by malicious insiders.
2. Increase the productivity of security operations by improving the efficiency of investigations.
3. Help to exploit compliance investments better by revealing the gap between policies and real-life usage of the IT system.
Analysis of user behavior also has practical uses beyond thwarting attackers. Employees resigning their positions often collect huge amounts of confidential corporate data – such as source code or a client list they wish to use at their next company – and save the data to a USB drive before they leave. As this behavior is categorized as unusual based on the user's profile, a UBA solution can alert the security team and store the event details, giving the employer evidence that this activity took place.

During any kind of battle it is crucial to see – and foresee – the movements of your adversary. Invisible attackers have a tremendous advantage over defenders; this is the reason why stealth aircraft such as the F-117 Nighthawk or the B-2 Spirit have been so successful on the battlefields of the last two decades, and why reconnaissance has played such an important role in the history of warfare. CISOs are currently working as generals without scouts: not only are they unable to prepare themselves for unexpected enemy attacks, they also do not know their own weaknesses. User Behavior Analytics changes this situation: by providing a behavioral overview of the people working within the IT system, it can uncover unknown and hidden threats and reveal the weakest link in the chain of defense.
HOW TO START YOUR OWN UBA PROJECT?

As with other IT projects, UBA must be implemented step by step. It is highly recommended to start the first phase by focusing on the riskiest group of users, namely privileged users such as system administrators. A narrow group also ensures that the scope won't be too broad, making it easier to decide what has gone well and what has gone wrong in the first phase of the implementation. After the success of the first phase, new target groups can be progressively added to the project.

Based on the experience of several dozen ongoing projects, the four main questions that a company must consider before it starts implementing User Behavior Analytics are the following:

1. Which group of users should we involve in the project?
2. What kind of relevant and meaningful data do we already have?
3. What is the question we want the UBA project to answer?
4. How do we want to respond to the results of the analytics?

Any analysis is only as good as the source data – as the saying goes, garbage in, garbage out. This is the reason why the collection of meaningful data is crucial in every UBA project. It is essential to collect as much data as possible from multiple sources, but only as it pertains to the user context. In other words, only user-related data is valuable for user behavior analysis. As privileged users are the most dangerous for the company, their data is the single most important source in almost every project. All data must be traceable to individual users, so system and application logs, network traffic and screen recordings can be useful for behavior analysis. Biometric information such as mouse movement characteristics and typing dynamics is also an excellent means of identifying attackers who have acquired valid user credentials.

Network data such as NetFlow is a plentiful source, but it brings several challenges:
• We can see only the low-level reactions of users, not their exact activities.
• It generates too much data; the signal-to-noise ratio is unfavorable.
• Due to the huge amount of data, scaling can be impossible when we want to analyze several thousand users.

Once the results of the analytics are available, the next step is to evaluate and fine-tune them. Everyone can learn a lot from this before starting to add a new group of users or services to the User Behavior Analytics solution.

UBA PROJECT LIFE CYCLE

SCOPE: Add a (new) group of users. Define the key services.
DATA: Identify the possible data sources. Ingest only user-relevant data. Cover as much data as possible.
ANALYTICS: Build user profiles. Visualize how the users are using the IT system.
EVALUATION: Fine-tune the results. Respond if needed.

User Behavior Analytics is not the industry's long-awaited silver bullet to answer all future security challenges. It can be effective only if companies identify what problems they want the UBA project to solve.
TOP 10 BEST PRACTICES

01 Build or buy?
Don't try to build an in-house User Behavior Analytics solution without skilled data scientists, an analytics mindset in the organization and experience in several-year-long development projects. Prepare yourself to invest heavily in analytics resources, staff with very special skills and custom tool development efforts.

02 Focus on privileged users
Always start the analysis with the riskiest group of users, namely privileged users. As they have far more rights than others, external attackers are able to cause much more damage if they successfully acquire their credentials. But don't neglect other high-risk users amongst the general workforce who also understand the real value – and price – of confidential information.

03 Think before investing
Although User Behavior Analytics is currently one of the most promising IT security solutions, always identify your main use case before you start to implement it. The market is very volatile; vendors have different plans and roadmaps to develop their solutions. Find the vendor which best suits your needs.

04 Easy integration is crucial
As you need as much data about your users as possible for precise and reliable behavior analysis, choose a solution that you can easily integrate with third-party data sources. Additionally, do not let it stand alone in your IT security system; integration with ticketing or workflow systems and applications is highly recommended.

05 Logs are not enough
For a reliable analysis you need as much detail about the activities of users as possible. Logs alone don't provide the necessary level of detail, so always try to find other data sources that you can integrate into your User Behavior Analytics solution, such as Salesforce, Google Apps, Amazon CloudTrail or CRM software.

06 Garbage in, garbage out
Any analytics is only as good as the source data – if you can't trust your logs, you also can't trust your User Behavior Analytics solution.

07 Don't bother with patterns and policies
Even continuously updated patterns and rules are unable to cover all aspects of an attack scheme. One of the most important characteristics of User Behavior Analytics is that it does not need an updated list of activities that are considered suspicious. Instead it detects deviations from what is normal for a given user – such anomalies might mean that the account was stolen.

08 Peer group analysis adds real value
Malicious users might try to slowly change their user behavior profile to hide a data theft, so that each day's activity looks only slightly unusual against their own recent history. Peer group analysis is very useful in this case: the user is not able to change the behavior profile of their peers, so comparing them against that peer group will reveal the suspicious activity.

09 There is no silver bullet in IT security
Do not trust any security vendor who promises to sell the silver bullet of IT security – and similarly, do not believe in the existence of a magical machine learning algorithm that solves all your problems. It is well established in the machine learning literature that an ensemble of several carefully selected algorithms is usually more effective than any single algorithm.

10 Agents can be painful
Management and maintenance of agents is problematic, so it is worth using data that is already being collected in the system. Investigate what kind of data is already available in the system besides the logs.

+1 Take care of the added value of UBA
The huge amount of data collected by security monitoring solutions such as SIEMs can very easily overwhelm security teams. User Behavior Analytics solutions not only help in "finding the bad guys", but also reduce the noise by prioritizing the alerts and focusing on the user context within the data.
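The per-user baseline of practices 07 and 08, and the "recognize the user, flag the out-of-the-ordinary" concept from the machine learning section, in working code. This is an added example written for this page, not Balabit's or Blindspotter's algorithm: the daily activity records are constructed, and the feature names, the |z| > 3 threshold and the sigma floor are assumptions. Each user's latest day is scored against two baselines, their own history and the history of their peer group. The constructed data contains an abrupt spike (caught by both baselines), a slow ramp that has already trained the user's own baseline (caught only by the peer comparison, the case practice 08 describes), and steady users (no alert). The alert list at the end is sorted so the most anomalous account comes first, which is the "prioritized list of security events" of the +1 practice.

```python
"""Per-user baseline plus peer-group baseline for behavioural anomaly scoring.

Added example, not Balabit/Blindspotter code. The activity records, feature
names, the |z| > 3 threshold and the sigma floor are all assumptions.
"""
from statistics import mean, pstdev

FEATURES = ("hosts", "mb_out")   # hosts touched per day, MB transferred out per day
THRESHOLD = 3.0                  # flag when |z| exceeds this (assumption)
MIN_SIGMA = 0.5                  # floor so a constant baseline cannot divide by zero


def _expand(user, group, hosts, mb_out):
    """Turn two per-day lists into one record per day (days are 1-based)."""
    return [{"user": user, "group": group, "day": d + 1, "hosts": h, "mb_out": m}
            for d, (h, m) in enumerate(zip(hosts, mb_out))]


# Constructed ten-day activity summaries. dba1 ramps its outbound volume by
# roughly 20% a day (a slow drift that trains its own baseline); dev2 makes an
# abrupt jump in hosts touched on day 10; everyone else is steady.
RECORDS = (
    _expand("dba1", "dba", [3, 3, 4, 3, 3, 4, 3, 3, 3, 4],
            [50, 60, 72, 86, 104, 124, 149, 179, 215, 258])
    + _expand("dba2", "dba", [3, 4, 3, 3, 4, 3, 3, 4, 3, 3],
              [48, 52, 50, 49, 51, 50, 53, 47, 50, 49])
    + _expand("dba3", "dba", [4, 3, 3, 4, 3, 3, 4, 3, 4, 3],
              [55, 53, 54, 56, 52, 55, 53, 54, 56, 55])
    + _expand("dev1", "dev", [8, 9, 8, 7, 8, 9, 8, 8, 7, 8],
              [20, 22, 19, 21, 20, 18, 22, 21, 20, 19])
    + _expand("dev2", "dev", [7, 8, 8, 9, 8, 7, 8, 9, 8, 25],
              [21, 19, 20, 22, 20, 21, 19, 20, 22, 21])
)


def history(records, before_day, keep):
    """Feature columns from records strictly before `before_day` that pass `keep`."""
    rows = [r for r in records if r["day"] < before_day and keep(r)]
    return {f: [r[f] for r in rows] for f in FEATURES}


def max_abs_z(record, hist):
    """Largest |z| of the record's features against the given history."""
    worst = 0.0
    for f in FEATURES:
        values = hist[f]
        mu, sigma = mean(values), max(pstdev(values), MIN_SIGMA)
        worst = max(worst, abs((record[f] - mu) / sigma))
    return worst


def score_day(records, day):
    """Score every user's record on `day` against (a) the user's own earlier
    days and (b) the earlier days of the other members of the same peer group.
    Returns {user: {"user_z": ..., "peer_z": ...}}."""
    scores = {}
    for rec in (r for r in records if r["day"] == day):
        own = history(records, day, lambda r: r["user"] == rec["user"])
        peers = history(records, day,
                        lambda r: r["group"] == rec["group"] and r["user"] != rec["user"])
        if not own["hosts"] or not peers["hosts"]:
            continue  # nothing to compare against yet (first day, or a group of one)
        scores[rec["user"]] = {"user_z": max_abs_z(rec, own),
                               "peer_z": max_abs_z(rec, peers)}
    return scores


def rank_alerts(scores, threshold=THRESHOLD):
    """Prioritised alert list: users whose worst score exceeds the threshold,
    highest first."""
    ranked = sorted(scores.items(), key=lambda kv: max(kv[1].values()), reverse=True)
    return [(user, s) for user, s in ranked if max(s.values()) > threshold]


if __name__ == "__main__":
    day_scores = score_day(RECORDS, 10)
    for user, s in rank_alerts(day_scores):
        why = "peer group only" if s["user_z"] <= THRESHOLD else "own baseline and peers"
        print(f"{user}: user_z={s['user_z']:.1f} peer_z={s['peer_z']:.1f} ({why})")
```

On the constructed data, dba1's own-history score on day 10 stays below the threshold (its earlier ramp has inflated both the mean and the spread of its own baseline), while its peer-group score is far above it; dev2's jump is caught by both. A real deployment would use many more features and a longer, decaying window, but the two-baseline structure is the point.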
MOST AFFECTED SECTORS: FINANCE

Main IT-related challenges:
• Increasing risk of fraud and cyber-attacks
• Business continuity and availability of critical data
• Trust in employees and outsourcing partners
• Strict compliance regulations

How can User Behavior Analytics help?

Reduces operational risk
Helps companies to reduce their operational risk via the effective detection of data breaches initiated by external and internal attackers, and accelerated forensic investigation enriched by contextual information.

Lightning fast forensic investigation
Significantly accelerates forensics by providing broad and deep contextual data about security incidents, making it easier to restore normal business operation and potentially saving millions of dollars by preventing extended downtime.

Detects malicious insiders and external attackers quickly
Lowers the impact of potential breaches and provides an effective defense against APTs by detecting deviations in the activities of users in real time and alerting the security team immediately.

Focuses on what is important
Focuses on exactly those critical systems, users and data which entail the biggest risks for financial institutions by analyzing the related activities and detecting anomalies and other suspicious instances in real time.

Detects potentially risky events in the IT infrastructure
Decreases the risk factor of the IT system by finding security holes such as shared accounts or scripted activities running under a personal account.

Optimizes the efficiency of security teams
Increases the effectiveness of security teams by providing a prioritized list of security events.
MOST AFFECTED SECTORS: TELECOMMUNICATIONS

Main IT-related challenges:

Protecting client, billing and call data
• Heavy compliance regulations.
• Monitoring of data access is a must.

Thousands of networking devices managed by countless third-party operators
• Crucially important to know who is doing exactly what.

Great need for business continuity
• Too many control-based defense systems can be counter-productive to business continuity.
• Early detection and time to respond are crucial.

Huge IT infrastructure
• Scalable security solutions are needed.

How can User Behavior Analytics help?

Service continuity: detect anomalies which could lead to an outage
For the development of new digital services, providers need to collect, store and protect an increasing amount of potentially sensitive customer data. While developing these services, business agility is critically important, and the employees working on these solutions need to be able to access all the data and systems that enable them to perform their job. This need sometimes conflicts with the need to keep the data secure. Applying preventive security controls on a "least privilege" and "need to know, need to do" basis is becoming increasingly challenging. UBA is well suited to such a situation: it is able to reduce this extended risk by providing analytics and monitoring capabilities and defending against malicious access to sensitive data without preventing legitimate users from doing their jobs.

Detect potentially risky events in the IT infrastructure
Behavior analytics can be used to detect unusual and potentially risky events that are not necessarily attacks. Detecting account sharing, or that a user account is being used for automated tasks, enables security analysts to investigate such activities and decide whether they require further action to prevent abuse or a potential data breach.

See what outsourced partners are doing in the system
Often there are several third-party employees working at a telecommunications operator, accessing the operator's IT systems and data. UBA helps you spot if any of these users are doing something potentially dangerous by providing a unique, behavior-based overview of how they are interacting with the IT system.

Scalable solution for big data environments
Telecommunications operators store and manage significantly more data than most other enterprises. For this reason, they require an easily scalable security solution which is able to work optimally in big data environments as well. UBA solutions are designed to tackle this challenge.

Optimize the efficiency of security teams
Increases the effectiveness of security teams by providing a prioritized list of security events, so security analysts can focus on the most important incidents. In addition, UBA gives an overview of how different services are used within the company, and thus helps discover the access privileges that individual users should actually be granted.

Detect malicious insiders and external attackers as early as possible
Lowers the impact of potential breaches and provides an effective defense against Advanced Persistent Threats. Attackers using valid user credentials, or malicious insiders who want to steal company data, show different behavior patterns from regular users. UBA is able to detect the level of deviation from normal user activity in near real time and alert the security team. Moreover, it can also help discover the leakage of confidential data, such as personally identifiable information.

Enhance security without hindering business flexibility
Every minute of service downtime may cost telecommunications operators millions in revenue and falling brand value. Reducing the preventive controls imposed by IT security solutions supports business flexibility, but this comes at the cost of overall security. In such cases, detection-based security technologies – such as UBA – may be the only way to provide sufficient levels of defense without impacting business flexibility.
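The "shared accounts" and "scripted activities" checks listed for finance above and spelled out for telecommunications here, as an added example written for this page rather than Balabit code. The session and command log lines are constructed in an assumed syslog-like format; the overlap rule, the minimum event count and the coefficient-of-variation threshold are assumptions. A shared account is reported when two sessions for the same user from different source addresses overlap in time (sequential use from two addresses is deliberately not enough), and an account is reported as scripted when its command inter-arrival times are nearly constant.

```python
"""Spotting shared accounts and scripted use of an interactive account.

Added example, not Balabit code. The log lines below are constructed; the
syslog-like format, field names and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed events. ops-admin is used from two addresses at the same time
# (sharing); backup runs a command every 300 s exactly (scripted); bob uses two
# addresses one after the other (not sharing); alice is an ordinary human user.
LOG = """\
2015-06-01T08:02:11 sshd user=ops-admin session=open src=10.1.4.20
2015-06-01T08:05:40 sshd user=ops-admin session=open src=203.0.113.7
2015-06-01T08:31:02 sshd user=ops-admin session=close src=10.1.4.20
2015-06-01T08:44:19 sshd user=ops-admin session=close src=203.0.113.7
2015-06-01T09:00:00 sshd user=backup session=open src=10.1.9.3
2015-06-01T09:00:00 cmd user=backup exec=rsync
2015-06-01T09:05:00 cmd user=backup exec=rsync
2015-06-01T09:10:00 cmd user=backup exec=rsync
2015-06-01T09:15:00 cmd user=backup exec=rsync
2015-06-01T09:20:00 cmd user=backup exec=rsync
2015-06-01T09:25:00 cmd user=backup exec=rsync
2015-06-01T09:01:02 sshd user=alice session=open src=10.1.4.31
2015-06-01T09:01:13 cmd user=alice exec=ls
2015-06-01T09:01:40 cmd user=alice exec=cd
2015-06-01T09:03:05 cmd user=alice exec=vim
2015-06-01T09:07:51 cmd user=alice exec=make
2015-06-01T09:08:02 cmd user=alice exec=ls
2015-06-01T09:40:00 sshd user=alice session=close src=10.1.4.31
2015-06-01T10:00:00 sshd user=bob session=open src=10.1.4.40
2015-06-01T10:20:00 sshd user=bob session=close src=10.1.4.40
2015-06-01T10:30:00 sshd user=bob session=open src=10.1.4.41
2015-06-01T10:50:00 sshd user=bob session=close src=10.1.4.41
"""
LINE = re.compile(r"^(\S+) (\S+) user=(\S+) (?:session=(open|close) src=(\S+)|exec=(\S+))$")


def parse(text):
    """Parse the constructed format into event dicts, oldest first; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, _source, user, state, src, cmd = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "state": state, "src": src, "exec": cmd})
    return sorted(events, key=lambda e: e["ts"])


def sessions_by_user(events):
    """Pair each session open with the next close for the same (user, src).
    A session that never closes is treated as still open."""
    pending = defaultdict(list)
    sessions = defaultdict(list)
    for e in events:
        key = (e["user"], e["src"])
        if e["state"] == "open":
            pending[key].append(e["ts"])
        elif e["state"] == "close" and pending[key]:
            sessions[e["user"]].append((pending[key].pop(0), e["ts"], e["src"]))
    for (user, src), starts in pending.items():
        for start in starts:
            sessions[user].append((start, datetime.max, src))
    return sessions


def shared_accounts(events):
    """Accounts with two sessions from different addresses overlapping in time."""
    flagged = {}
    for user, sess in sessions_by_user(events).items():
        for i, (a_start, a_end, a_src) in enumerate(sess):
            for b_start, b_end, b_src in sess[i + 1:]:
                if a_src != b_src and a_start < b_end and b_start < a_end:
                    flagged.setdefault(user, set()).update({a_src, b_src})
    return flagged


def scripted_accounts(events, min_events=5, max_cv=0.1):
    """Accounts whose command inter-arrival times are too regular for a human:
    coefficient of variation (stddev / mean of the gaps) at or below max_cv."""
    stamps = defaultdict(list)
    for e in events:
        if e["exec"]:
            stamps[e["user"]].append(e["ts"])
    flagged = {}
    for user, ts in stamps.items():
        if len(ts) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else 0.0
        if cv <= max_cv:
            flagged[user] = round(cv, 3)
    return flagged


if __name__ == "__main__":
    ev = parse(LOG)
    print("shared accounts:", shared_accounts(ev))
    print("scripted accounts:", scripted_accounts(ev))
```

Neither finding is an attack by itself, which is exactly the point of the passage above: a flagged account goes to an analyst, who decides whether the sharing is a policy violation and whether the scripted use should be moved to a dedicated service account with its own, narrower privileges.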
LEARN MORE

Balabit Blindspotter: a sophisticated UBA tool

Blindspotter is a monitoring solution that maps and profiles user behavior to reveal human risk. It helps companies focus their security resources and replace some controls, yielding greater business efficiency. It tracks and visualizes user activity in real time for a better understanding of what is really happening in the network. It integrates a variety of contextual information in addition to logs, processes them using a unique algorithm, and offers a wide range of output, ranging from warnings to automatic interventions. It is well suited to stopping APT attacks or identifying internal info-criminals.

Balabit's Contextual Security Intelligence Suite

The Balabit Contextual Security Intelligence Suite has been designed using the experience gained as a leader in the field of enterprise security. It integrates class-leading log management, privileged user activity monitoring and user behavior analytics tools to provide a platform for end-to-end discovery, investigation and response to previously unknown threats. It provides a forensic level of visibility into user activities and their impact on applications and data. Using machine-learning algorithms, it maintains a digital footprint of normal user and system behavior. This footprint is then used in real time to analyze user activity and identify potential threats when a user acts out of context. Highly visual user interfaces provide seamless integration between threat detection and investigation, together with deep levels of visibility into the context of activity, including video replay of individual user sessions. All this happens transparently to existing end-user workflows. This means that Balabit solutions do not introduce additional business constraints while they accelerate the time to detect and investigate malicious user activities.
WANT MORE INFORMATION?

About Balabit

Balabit is an international IT security vendor, founded in Budapest, Hungary. Balabit is a leading provider of contextual security technologies with the mission of preventing data breaches without constraining business. Balabit operates globally through a network of local offices across the United States and Europe, together with partners.

Balabit's Contextual Security Intelligence™ strategy protects organizations in real time from threats posed by the misuse of high-risk and privileged accounts. Solutions include reliable system and application Log Management with context-aware data ingestion, Privileged User Monitoring and User Behavior Analytics. Together they can identify unusual user activities and provide deep visibility into potential threats. Working in conjunction with existing control-based strategies, Balabit enables a flexible and people-centric approach to improve security without adding additional barriers to business practices.

Founded in 2000, Balabit has a proven track record including 23 Fortune 100 customers among over 1,000,000 corporate users worldwide.

For more information, visit www.balabit.com or call +1 555 5555 555