Balabit Essential Guide To User Behavior Analytics

THE ESSENTIAL GUIDE TO USER BEHAVIOR ANALYTICS
www.balabit.com
EVOLUTION OF IT SECURITY

[Figure: Perimeter-based security → Identity-based security → Behavior-based security]

The history of IT security is only a generation old, yet the direction of the arms race has already changed completely several times. Initially, perimeter-based security played the most important role at organizations, with firewall and anti-virus products the most prevalent of that era. This approach became outdated by the beginning of the new millennium, when the focus of security turned to identity-based security solutions.

Large enterprises and governmental institutions started to recognize that humans are the weakest link in their defense system, so they spent billions of dollars on various Identity & Access Management solutions. However, the growing number of successful attacks and data breaches confirmed that IAM is also not a silver bullet. Sophisticated cybercriminals implemented targeted attacks; in other words, they could easily acquire valid user credentials by using simple social engineering methods. Some of these attacks were avoidable with state-of-the-art session recording solutions, but most were successful. There is a logical next step in the evolution of IT security solutions: existing systems such as SIEMs gather plenty of data about users and devices, as well as known patterns of bad behavior, but “unknown unknown” threats still remain uncovered and invisible. The industry needs a solution which can reveal and visualize these unknown threats.

Timeline
1970s: Appearance of the first hackers – called “phreakers” – who tried to make free phone calls.
1980s: Arrival of the first virus (Brain) and the first worm (Morris) in 1986 and 1988.
1990s: Debut of distributed denial of service (DDoS) attacks and the bots that made them possible. AOL is the victim of the first phishing attack. The criminals stole users’ credentials.
2000s: Emergence of adware and spyware as well as zero-day attacks, rootkits and clickfraud.
2010s: Rise of sophisticated attacks, such as Advanced Persistent Threats (APT).

“There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don’t know we don’t know.”

Donald Rumsfeld’s sentences about the types of threats became very popular among IT security experts and data scientists. Most security products deal with known unknowns by looking for things like malware in the system. The real problem, however, is the case where the attacks are previously unknown, commonly referred to as 0-day or 0-hour attacks. We need some way of handling the “unknown unknowns” of IT security, which are the main challenges for the future.

“There’s no such thing as ‘secure’ anymore.”
Debora Plunkett, head of the NSA’s Information Assurance Directorate
KEY LEARNINGS FROM RECENT DATA BREACHES

Almost 1 billion data records were compromised in attacks in 2014.

256 DAYS
Malicious attacks can take an average of 256 days to identify.

$21,155/DAY
The mean number of days to resolve cyber attacks is 46 with an average cost of $21,155 per day – or a total cost of $973,130 over the 46-day remediation period.

Target, Neiman-Marcus, Snapchat, Kickstarter, LaCie, German Space Center, eBay, UPS, JP Morgan, iCloud, Home Depot, Sony Pictures and even the White House. This is only a small sample of those companies that have been breached in recent months. Hackers successfully accessed and stole valuable information from these organizations, including development data, financial information or the private data of millions of users. Although there were some cases where systems for the protection of confidential user data were inadequate, most of these enterprises were highly compliant. They had implemented the traditional IT security solutions expected by auditors of PCI-DSS, SOX and other policies. So what went wrong?

According to the 2015 Cost of Cyber Crime Study of Ponemon, deployment of security intelligence systems makes a difference. Findings suggest that companies using security intelligence technologies were more efficient in detecting and containing cyber attacks. As a result, these companies enjoyed an average cost savings of $1.9 million when compared to companies not deploying security intelligence technologies. What’s more, companies deploying security intelligence systems experienced a substantially higher ROI (at 23 percent) than all other technology categories presented.

Reasons why it is crucial to focus IT security efforts on privileged users:
1. Detect malevolent outsiders trying to come in from the outside through compromised accounts
2. Recognize malicious insiders abusing their normal credentials
3. Visualize “unknown unknown” security events, which remain invisible to current security solutions
4. Prevent the consequences of a privileged user credential theft
THE SOLUTION: USER BEHAVIOR ANALYTICS

The new perimeter is our users

Many companies’ worst nightmare – a sophisticated external attacker or malicious insider – is already within their perimeter. Nowadays, attackers are intelligent and well-funded, and their attacks are increasingly complex and well targeted. The recent, high-profile breaches were carefully planned and went undetected for some time, with the attackers moving freely inside the victim’s IT environment. Malicious insiders hold an advantage over a company’s primary security tools, which are predominantly designed to protect against external threats, not trusted employees. Targeted attacks by humans use a combination of IT vulnerabilities, social engineering, and ordinary crime to gain unauthorized access. It means that the new perimeter – where the focus of IT security now needs to be – is the users, not the infrastructure.

What is digital behavior?

According to biologists, “behavior is the internally coordinated responses of whole living organisms to internal and/or external stimuli” – so basically behavior is everything that we are doing consciously. Similarly, digital behavior is everything that we are doing in the digital world. Typing characteristics, the screen resolution of our computer, smartphone or tablet, favorite applications or websites and many others are our digital footprints, which typify us as strongly as our habits do. As parents are able to recognize and differentiate their children based on the sound of their footsteps, User Behavior Analytics solutions are able to recognize and differentiate users based on their digital activities.
[…] against known threats. Pattern and rule-based security tools cannot identify all threats, as they only defend against what is known. They still have a role to play, but using this approach alone will fail to discover the more sophisticated attacks, and data breaches will continue to take place unchallenged.

Organizations should expect to be hacked, which means security strategies should be upgraded to identify threats on the assumption that there is no perimeter, including tools that identify suspicious behavior and prioritize investigation. Prevention tools alone will not work. Active discovery, investigation, response and intervention are the new foundations of security strategy.

Examples of machine learning:
1. Search engines
2. Driverless cars
3. Voice recognition
4. Product recommender systems of webshops
5. Spam filtering
6. Handwriting recognition
7. Machine vision
8. Face recognition of digital cameras

[…] evident in the world of living creatures: even a small child learns not to touch a hot surface again if they burn their hands. This is much more difficult in the world of machines, which can implement programmed tasks rapidly and precisely, but without any reasoning or consideration. Machines perform much worse when it is not possible to translate the problem into simple logical rules, as even the programmers do not know what kind of commands they should use.

The product recommender systems used by Amazon and other e-commerce vendors are excellent examples of machine learning. They recommend books, CDs or other products – for example sci-fi novels, jazz CDs or Hungarian hot paprika – to users based on their buying habits or those of similar shoppers. In addition, machine learning is also now being used in IT security.

Top 3 promises of machine learning for IT Security
1. Prevent data breaches by detecting accounts hijacked by external attackers or misused by malicious insiders
2. Increase the productivity of security operations by improving the efficiency of investigations
3. Help to exploit compliance investments better by […]

The main concept of UBA solutions is very simple: UBA software is able to recognize users based on specific behavioral characteristics and detect if they do something out of the ordinary – even if the person behind the user account is an external attacker who has stolen valid user credentials. Besides many other characteristics, typing dynamics and mouse movement patterns are unique to every single user. An attacker cannot simulate these features, so the UBA solution will identify him as an intruder.
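The baseline-and-deviation idea described above, shown as an added example that is not part of the original guide and not Balabit’s product code: it builds a per-user profile (login hours, source hosts, services used, data volume) from constructed session records, scores new sessions by how far they depart from that profile, and returns the prioritized alert list that a security team would triage. Every name, value, feature weight and threshold here is an assumption chosen for illustration; a real deployment would learn these from far richer data sources.

```python
"""
Added example (not Balabit's code): per-user behaviour baselines built from
constructed session records, with new sessions ranked by how far they deviate.
Feature weights, thresholds, names and values are assumptions for illustration.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample data (not real sessions).
# Record layout: (user, login_hour, source_host, service, megabytes_transferred)
BASELINE_SESSIONS = [
    ("alice", 9, "ws-alice", "crm", 12),
    ("alice", 10, "ws-alice", "crm", 15),
    ("alice", 9, "ws-alice", "mail", 8),
    ("alice", 11, "ws-alice", "crm", 14),
    ("alice", 8, "ws-alice", "wiki", 5),
    ("alice", 10, "ws-alice", "crm", 11),
    ("bob", 22, "ws-bob", "db-prod", 300),   # bob is a night-shift DBA
    ("bob", 23, "ws-bob", "db-prod", 280),
    ("bob", 21, "jump-1", "db-prod", 310),
    ("bob", 22, "ws-bob", "backup", 900),
    ("bob", 23, "jump-1", "db-prod", 295),
    ("bob", 0, "ws-bob", "db-prod", 320),
]

NEW_SESSIONS = [
    ("alice", 10, "ws-alice", "crm", 13),       # ordinary day for alice
    ("alice", 3, "vpn-gw-7", "db-prod", 450),   # alice's credentials used in an unfamiliar way
    ("bob", 1, "ws-bob", "db-prod", 305),       # bob's night shift, within his normal pattern
    ("bob", 14, "ws-bob", "db-prod", 330),      # unusual hour only: a low-priority alert
    ("mallory", 12, "ws-x", "crm", 1),          # account with no history at all
]


def _hour_near(hour, known_hours, tolerance=1):
    """True if `hour` is within `tolerance` hours (wrapping at midnight) of a known hour."""
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= tolerance for h in known_hours)


def build_profiles(sessions):
    """Summarise each user's history: hours seen, hosts and services used, volume stats."""
    by_user = defaultdict(list)
    for s in sessions:
        by_user[s[0]].append(s)
    profiles = {}
    for user, rows in by_user.items():
        volumes = [r[4] for r in rows]
        profiles[user] = {
            "hours": Counter(r[1] for r in rows),
            "hosts": Counter(r[2] for r in rows),
            "services": Counter(r[3] for r in rows),
            "mb_mean": mean(volumes),
            # a single-session baseline has zero spread; fall back to 1 MB so z-scores stay finite
            "mb_std": pstdev(volumes) or 1.0,
        }
    return profiles


def score_session(profile, session):
    """Return (score, reasons): each deviation from the profile adds to the score."""
    _, hour, host, service, mb = session
    score, reasons = 0.0, []
    if not _hour_near(hour, profile["hours"]):
        score += 2.0
        reasons.append(f"unusual login hour {hour:02d}:00")
    if host not in profile["hosts"]:
        score += 2.0
        reasons.append(f"new source host {host}")
    if service not in profile["services"]:
        score += 3.0
        reasons.append(f"service {service} never used before")
    z = (mb - profile["mb_mean"]) / profile["mb_std"]
    if z > 3.0:
        score += min(z, 5.0)   # cap so one feature cannot drown out every other signal
        reasons.append(f"data volume {mb} MB is {z:.1f} std devs above normal")
    return score, reasons


def rank_alerts(profiles, sessions, threshold=2.0):
    """Score each session and return alerts sorted by priority (highest score first)."""
    alerts = []
    for s in sessions:
        profile = profiles.get(s[0])
        if profile is None:
            # an account without a baseline cannot be judged "normal"; surface it for review
            alerts.append((5.0, s[0], ["no behavioural baseline for this account"]))
            continue
        score, reasons = score_session(profile, s)
        if score >= threshold:
            alerts.append((score, s[0], reasons))
    return sorted(alerts, key=lambda a: a[0], reverse=True)


if __name__ == "__main__":
    ranked = rank_alerts(build_profiles(BASELINE_SESSIONS), NEW_SESSIONS)
    for score, user, reasons in ranked:
        print(f"{score:5.1f}  {user:8s}  {'; '.join(reasons)}")
```

Two design points matter more than the arithmetic. First, the hour check wraps around midnight, so a night-shift administrator logging in at 01:00 is not flagged just because the clock rolled over. Second, an account with no baseline at all is surfaced rather than silently scored as normal: a profile-based detector can only say something is unusual relative to history, and the absence of history is itself worth an analyst’s attention.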
Analysis of user behavior also has practical uses beyond thwarting attackers. Employees
resigning their positions often collect huge amounts of confidential corporate data – such as
source code or a client list they wish to use at their next company – and save the data to a
USB drive before they leave. As this behavior is categorized as unusual based on the user’s
profile, a UBA solution can send an alert to the security team and store the event details,
providing legal proof for the employer that this activity took place.
During any kind of battle it is crucial to precisely see – and foresee – the movements of your
adversary. Invisible attackers have a tremendous advantage over defenders – this is the
reason why stealth aircraft, such as the F-117 Nighthawk or B-2 Spirit, have been so successful
on the battlefields of the last two decades and why reconnaissance has played such an
important role in the history of warfare. CISOs are currently working as generals without
scouts and assistants: not only are they unable to prepare themselves for unexpected enemy
attacks, they also do not know their own weaknesses. User Behavior Analytics changes this
situation: by providing a behavioral overview of the people working within the IT system it can
uncover unknown and hidden threats and reveal the weakest link in the chain of defense.
HOW TO START YOUR OWN UBA-PROJECT?

As with other IT projects, UBA must be implemented step by step. It is highly recommended to start the first phase by focusing in on the riskiest group of users – namely, privileged users such as system administrators. A narrow group also ensures that the scope won’t be too broad, making it easier to decide what has gone well and what has gone wrong in the first phase of the implementation. After the success of the first phase, new targeted groups can be progressively added to the project.

Based on the experiences of several dozen ongoing projects, the three main questions that a company must consider before it starts implementing User Behavior Analytics are the following:
1. Which group of users should we involve in the project?
2. What kind of relevant and meaningful data do we already have?
3. What is the question we want the UBA project to answer?

Any analysis is only as good as the source data – as the saying goes, garbage in, garbage out. This is the reason why the collection of meaningful data is crucial in every UBA project. It is essential to collect as much data as possible from multiple sources, but only as it pertains to the user context. In other words, only user-related data is valuable for user behavior analysis. As privileged users are the most dangerous for the company, their data is the single most important source in almost every project. All data must be traceable to individual users, so system & application logs, network traffic and screen recordings can be useful for behavior analysis. Biometric information such as mouse movement characteristics and typing dynamics is also an excellent means of identifying attackers who have acquired valid user credentials.

Network data such as NetFlow is a great source of plentiful data, but it does bring several challenges:
• We can see only the low-level reactions of users, not their exact activities
• It generates too much data; the signal-to-noise ratio is unfavorable
• Due to the huge amount of data, scaling can be impossible when we want to analyze several thousands of users

UBA PROJECT LIFE CYCLE
SCOPE: Define the key services; add a (new) group of users
ANALYTICS: Build user profiles
EVALUATION: Fine-tune the results; respond if needed

Once the results of the analytics are available, the next step is to evaluate and fine-tune them. Everyone can learn a lot from this, before starting to add a new group of users or services to the User Behavior Analytics […]
TOP 10 BEST PRACTICES

[…] needs. […] Security – and similarly, do not believe in the existence of a magical machine learning algorithm that solves all your problems. Mathematical studies have proved that the combination of several carefully selected algorithms is much more effective than any one single algorithm.

04 Easy integration is crucial
As you need as much data about your users as possible for precise and reliable behavior analysis, choose a solution that you can easily integrate with 3rd party data sources. Additionally, do not let it stand alone in your IT Security system; integration with ticketing or workflow systems or applications is highly recommended.

05 Logs are not enough
For a reliable analysis you need as much detail about the activities of users as possible. Logs don’t provide the necessary level of detail, so always try to find other data sources that you can integrate into your User Behavior Analytics solution, such as Salesforce, Google Apps, Amazon Cloudtrail or CRM software.

10 Agents can be painful
Management and maintenance of agents is problematic – it is worth using data that is already being collected in the system. Investigate what kind of data is already available in the system besides the logs.

+1 Take care of the added value of UBA
The huge amount of data collected by security monitoring solutions such as SIEMs can very easily overwhelm security teams. User Behavior Analytics solutions not only help in “finding the bad guys”, but also reduce the noise by prioritizing the alerts and focusing in on the user context within the data.
MOST AFFECTED SECTORS

Main IT related challenges
• Increasing risk of fraud & cyber-attacks
• Business continuity & availability of critical data
• Trust in employees & outsourcing partners
• Strict compliance regulations

TELECOMMUNICATIONS

Service continuity: detect anomalies which could lead to outage
For the development of new digital services, providers need to collect, store and protect an increasing amount of potentially sensitive customer data. While developing these services, business agility is critically important, and the employees working on these solutions need to be able to access all the data and systems that enable them to perform their job. This need sometimes conflicts with the need to keep the data secure. Applying preventive security controls on a “least privilege” and “need to know, need to do” basis is becoming increasingly challenging. UBA is the ideal solution in such a situation: it is able to reduce this extended risk by providing state-of-the-art analytics and monitoring capabilities and defending against malicious access to sensitive data without preventing legitimate users from doing their jobs.

Detect potentially risky events in the IT infrastructure
Behavior analytics can be used to detect unusual, and potentially risky, events that are not necessarily attacks. Detecting account sharing, or that a user account is used for automated tasks, enables security analysts to investigate such activities and decide if these require further action to prevent abuse or a potential data breach.

See what outsourced partners are doing in the system
Often there are several 3rd party employees working at a telecommunications operator, accessing the operator’s IT systems and data. UBA helps you spot if any of these users are doing something potentially dangerous by providing a unique, behavior-based overview of how they are interacting with the IT system.
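The two “risky but not necessarily an attack” cases named above, account sharing and an interactive account driven by automation, as an added example that is not part of the original guide and not Balabit’s product code. It parses a constructed key=value event log (the format, the addresses, the user names and both thresholds are assumptions) and flags (1) accounts active from two different source addresses within a short window and (2) accounts whose inter-event timing is too regular for a human at a keyboard. Both outputs are review queues for an analyst, which is exactly the workflow the guide describes: a shared account may be a jump host, and a scripted account may be sanctioned, so the detector surfaces the pattern rather than deciding.

```python
"""
Added example (not Balabit's code): two simple detectors over a constructed
event log, flagging (1) account sharing and (2) accounts used for automated
tasks. Log format, thresholds, names and addresses are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample log (not real data). Format: ISO timestamp, then key=value pairs.
SAMPLE_LOG = """\
2015-06-01T02:00:00 user=svc_report src=10.0.1.2 action=login
2015-06-01T02:05:00 user=svc_report src=10.0.1.2 action=query
2015-06-01T02:10:00 user=svc_report src=10.0.1.2 action=query
2015-06-01T02:15:00 user=svc_report src=10.0.1.2 action=query
2015-06-01T02:20:00 user=svc_report src=10.0.1.2 action=query
2015-06-01T02:25:00 user=svc_report src=10.0.1.2 action=logout
2015-06-01T08:00:00 user=alice src=10.0.0.5 action=login
2015-06-01T08:04:00 user=alice src=10.0.0.5 action=open service=crm
2015-06-01T08:06:00 user=alice src=10.0.9.77 action=login
2015-06-01T08:07:30 user=alice src=10.0.9.77 action=open service=billing
2015-06-01T09:15:00 user=alice src=10.0.0.5 action=logout
2015-06-01T10:00:00 user=bob src=10.0.0.8 action=login
2015-06-01T10:03:17 user=bob src=10.0.0.8 action=open service=wiki
2015-06-01T10:21:42 user=bob src=10.0.0.8 action=open service=crm
2015-06-01T11:02:05 user=bob src=10.0.0.8 action=logout
"""

LINE_RE = re.compile(r"^(\S+)\s+(.*)$")


def parse_events(text):
    """Parse one event per line into dicts with a datetime 'ts' plus the key=value fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines instead of failing the whole batch
        fields = dict(kv.split("=", 1) for kv in m.group(2).split())
        fields["ts"] = datetime.fromisoformat(m.group(1))
        events.append(fields)
    return sorted(events, key=lambda e: e["ts"])


def _by_user(events):
    grouped = defaultdict(list)
    for e in events:
        grouped[e["user"]].append(e)
    return grouped


def find_shared_accounts(events, window=timedelta(minutes=10)):
    """Accounts active from two different source addresses within `window`.
    Returns {user: sorted list of the source addresses involved}."""
    shared = {}
    for user, rows in _by_user(events).items():
        sources = set()
        for i, a in enumerate(rows):
            for b in rows[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break  # rows are time-sorted, so every later row is even farther away
                if a["src"] != b["src"]:
                    sources.update((a["src"], b["src"]))
        if sources:
            shared[user] = sorted(sources)
    return shared


def find_automated_accounts(events, min_events=5, max_cv=0.05):
    """Accounts whose inter-event gaps are too regular to be a person at a keyboard.
    Uses the coefficient of variation (stddev / mean) of the gaps in seconds.
    Returns {user: cv}."""
    automated = {}
    for user, rows in _by_user(events).items():
        if len(rows) < min_events:
            continue  # too little history to judge a timing pattern
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(rows, rows[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # burst of identical timestamps: no rhythm to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            automated[user] = cv
    return automated


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("possible account sharing:", find_shared_accounts(evts))
    print("possible automated use:", find_automated_accounts(evts))
```

On the constructed log, alice is reported because her account is active from 10.0.0.5 and 10.0.9.77 two minutes apart, while bob, who moves between services at irregular human intervals from one address, is not; svc_report is reported as automated because its gaps are exactly five minutes every time. The window and the coefficient-of-variation cut-off are the knobs an analyst would tune against their own false-positive rate.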
Main IT related challenges
Protecting client, billing and call data
• Heavy compliance regulations.
• Monitoring of data access is a must.
Thousands of networking devices managed by countless 3rd party operators
• Crucially important to know who is doing exactly what.
Great need for business continuity
• Too many control-based defense systems can be counter-productive to business continuity.
• Early detection and time to respond is crucial.
Huge IT infrastructure
• Scalable security solutions are needed.

Scalable solution for big data environments
Telecommunications operators store and manage significantly more data than most other enterprises. For this reason, they require an easily scalable security solution which is able to work optimally in big data environments as well. UBA solutions are designed to tackle this challenge.

Optimize the efficiency of security teams
Increases the effectiveness of security teams by providing a prioritized list of security events, so security analysts can focus on the most important incidents. In addition, UBA gives an overview of how different services are used within the company, and thus helps discover the access privileges the individual users should be granted.

Detect malicious insiders and external attackers as early as possible
Lowers the impact of potential breaches and provides an effective defense against Advanced Persistent Threats. Attackers using valid user credentials, or malicious insiders who want to steal company data, show different behavior patterns from regular users. UBA is able to detect the level of deviation from normal user activity in near real-time and alert the security team. Moreover, it can also help discover the leakage of confidential data, such as personally identifiable information.

Enhance security without hindering business flexibility
Every minute of service downtime may cost telecommunications operators millions in revenue and falling brand value. The reduction of preventive controls imposed by IT security solutions supports business flexibility, but this comes at the cost of overall security. In such cases, only detection-based security technologies – such as UBA – may provide sufficient levels of defense without impacting business flexibility.
LEARN MORE

Balabit’s Contextual Security Intelligence Suite

[…] in Budapest, Hungary. Balabit is a leading provider of contextual security technologies with the mission of preventing data breaches without constraining business. Balabit operates globally through a network of local offices across the United States and Europe together with partners.