Behavioral analysis was the hot concept back in the late 90s. The trouble was that the approach never worked well enough to adopt: even people who were slaves to routine deviated from their own baseline enough to leave gaps you could drive a truck through.
Not anymore. Good timing, too.
The release of the 2014 Verizon Data Breach Investigations Report confirms it again: attackers seek credentials. As the executive summary notes:
"User credentials are also a popular target, but mainly as a gateway to other kinds of data or other systems."
Addressing the challenge means detecting when compromised credentials are actually being used. A key to success is an accurate understanding of how people use the systems and resources we need to protect.
As the importance of better insight to make better decisions continues to grow, we have to adjust our own thinking, processes, and capabilities. Part of getting it right includes considering the role people play.
Putting people back in focus
While profiling behavior is important, it tends to be a touchy subject with people. The way we approach -- and explain -- the program, process, and results goes a long way toward acceptance and success.
Minimally, this is a way to protect the systems and information our colleagues rely on every day. We're part of a team, and this is ultimately an opportunity to make it easier for people to do their jobs -- not continue to tell them no and block them.
Aside: I generally advise against referring to colleagues as 'users', since it distances us from them, but when it comes to behavior profiling and analytics the term is appropriate. Just keep in mind that the profiling works in aggregate, while we still serve individual people.
The upside of understanding who we serve
As Kevin Epstein, VP of Advanced Security and Governance at Proofpoint put it simply, “people are your clients.”
With a mindset of serving our colleagues, the focus turns to understanding how different people use the systems and information. Improved tooling now lets us capture accurate behavioral profiles from that understanding.
Epstein points out that "by building an understanding of how our clients use the system, we improve incident response. It’s helping discern the difference between 'Mr. Clicky and the mistake'.”
That understanding provides the cues to the level and type of response required. Looking at trends and identifying common disruptions also points to areas for improving the security culture (read more about getting started here).
Capturing the right information and comparing it to the baseline also helps with attribution. Quickly understanding if you are under 'attack' with information about who, what, and potential targets improves both immediate and future responses. It's the difference between constant reaction (sometimes considered practice) and steady improvement.
Done right, this approach improves the entire cycle of prevention, detection, and response. These benefits are possible when we know what "normal" looks like.
Understanding normal in the age of constant change
“If behavior is malicious, the only way to find out is to understand normal” explains Matt Hathaway, Senior Product Manager at Rapid7.
In a time when constant change is the new normal, the methods have to adapt. When I asked what's changed from the last great push into behavior profiling in the 90s, Hathaway pointed out that a key element is looking for two or more indicators instead of reliance on a single behavior.
For example, Hathaway explained that during the recent Heartbleed response much of Rapid7 pulled an all-nighter (or two). Under earlier approaches, one or more people logging into systems at odd hours of the night would have been flagged as potential misuse or compromise.
Current technologies take location, timing and the activities of multiple people into account, and use all of it to judge whether behavior deviates from the baseline enough to warrant action. They also learn in the process, including what not to learn.
Hathaway notes the key point in picking the right system relies on the ability to drive actionable intelligence instead of just a series of alerts.
Actionable intelligence from machine learning with human validation
I'm seeing more companies incorporate machine learning and data science to offer better solutions. When I asked Hathaway about that, he explained that UserInsight, the new program from Rapid7, uses a blended approach of machine learning with "the right touch of human validation."
What caught my attention was the ability to build on the experience of the Metasploit and penetration testing teams and incorporate human guidance into the overall solution.
Hathaway pointed out that reliance on only machine learning “could lead to an environment of unwanted behavior included in the baseline.”
In the process of learning, some things are accepted automatically, while others, like correlating user accounts to specific people, may trigger an initial manual review.
The goal of any solution is to build an accurate understanding of what is normal in your organization to drive actionable intelligence when something isn't right.
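The two ideas above, multiple corroborating indicators (discounting a deviation that many colleagues share at once, as in the Heartbleed all-nighter) and not folding alerted behavior into the baseline without human validation, are small enough to show in code. The following is an added example written for this page; it is not Rapid7 or UserInsight code, and every name, threshold and login record in it is a constructed assumption for illustration.

```python
"""Multi-indicator baseline scoring over constructed login events.

Added example, not Rapid7/UserInsight code. It shows three points:
  1. alert only when two or more indicators deviate from a user's baseline,
  2. discount a deviation that many colleagues share at the same hour
     (an incident all-nighter is a group event, not an individual one),
  3. never learn an alerted event into the baseline without human review.
All names, thresholds and log records below are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Login:
    user: str
    day: int    # day index within the sample
    hour: int   # 0-23, local time
    geo: str    # country of the source address
    host: str   # system the user authenticated to


@dataclass
class Profile:
    hours: set = field(default_factory=set)
    geos: set = field(default_factory=set)
    hosts: set = field(default_factory=set)


def build_baseline(history):
    """Per-user sets of observed hours, source countries and target hosts."""
    profiles = defaultdict(Profile)
    for e in history:
        p = profiles[e.user]
        p.hours.add(e.hour)
        p.geos.add(e.geo)
        p.hosts.add(e.host)
    return profiles


def indicators(event, profile, concurrent_users, crowd=3):
    """Indicators (field -> value) on which the event deviates from baseline."""
    hits = {}
    if event.hour not in profile.hours and concurrent_users < crowd:
        # Off-hours on its own was the 90s false positive: it only counts
        # here when few colleagues are also active at that hour.
        hits["hours"] = event.hour
    if event.geo not in profile.geos:
        hits["geos"] = event.geo
    if event.host not in profile.hosts:
        hits["hosts"] = event.host
    return hits


def score(events, profiles, min_indicators=2, repeat_days=2):
    """Return (alerts, review_queue); learns benign drift into profiles in place."""
    concurrency = defaultdict(set)          # (day, hour) -> distinct active users
    for e in events:
        concurrency[(e.day, e.hour)].add(e.user)
    pending = defaultdict(set)              # (user, field, value) -> days seen
    alerts, review_queue = [], []
    for e in sorted(events, key=lambda x: (x.day, x.hour)):
        prof = profiles[e.user]             # unknown account -> empty profile -> everything fires
        hits = indicators(e, prof, len(concurrency[(e.day, e.hour)]))
        if len(hits) >= min_indicators:
            alerts.append((e, sorted(hits)))
            review_queue.append(e)          # not learned until a human validates it
        else:
            # A single deviation is treated as drift only once it repeats on
            # another day; then it joins the baseline.
            for fld, val in hits.items():
                seen = pending[(e.user, fld, val)]
                seen.add(e.day)
                if len(seen) >= repeat_days:
                    getattr(prof, fld).add(val)
    return alerts, review_queue


# Constructed history: a work week of 09/13/17 logins from the US to usual hosts.
USUAL = [("alice", "vpn"), ("alice", "wiki"), ("bob", "vpn"), ("bob", "build"),
         ("carol", "vpn"), ("carol", "hr")]
HISTORY = [Login(u, d, h, "US", host) for u, host in USUAL
           for d in range(5) for h in (9, 13, 17)]

# Constructed new events to score against that baseline.
NEW = [
    Login("alice", 5, 2, "US", "vpn"),     # off hours, alone: one indicator, no alert
    Login("alice", 5, 3, "US", "vpn"),     # all-nighter: three colleagues at 03:00,
    Login("bob", 5, 3, "US", "vpn"),       #   so off-hours is discounted for all three
    Login("carol", 5, 3, "US", "vpn"),
    Login("bob", 5, 13, "RU", "hr"),       # usual hour, but new country AND new host
    Login("mallory", 5, 10, "US", "vpn"),  # account with no baseline at all
    Login("carol", 5, 9, "US", "build"),   # new host only: drift candidate, not learned yet
    Login("alice", 6, 2, "US", "vpn"),     # off hours again on a second day: now learned
    Login("alice", 7, 2, "US", "vpn"),     # third time: fully within baseline
]


def demo():
    profiles = build_baseline(HISTORY)
    alerts, queue = score(NEW, profiles)
    return profiles, alerts, queue


if __name__ == "__main__":
    profiles, alerts, queue = demo()
    for e, why in alerts:
        print(f"ALERT {e.user} day {e.day} {e.hour:02d}:00 {e.geo} -> {e.host}: {why}")
    print("for review:", [(e.user, e.day) for e in queue])
    print("alice hours now:", sorted(profiles["alice"].hours))
```

Running it produces two alerts (the unknown account, and bob's usual-hours login from a new country to a new host) and no alert for the three people working through the night; alerted events sit in the review queue and never touch the baseline, while alice's repeated 02:00 logins are learned as drift. The alert threshold doubling as the learn boundary, and the `crowd` and `repeat_days` values, are tuning choices to revisit for a real environment.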
Focusing on people to protect systems and information
We know attackers seek credentials. The more we do to profile normal behavior, the more likely we are to make this route of attack harder.
The importance of behavioral profiling and analysis is increasing. The good news is the technology is improving, too.
Even better, emerging solutions are poised to provide insights and guidance that benefit the entire cycle of prevention (setting our bias aside), detection, and response.
This is another opportunity to partner with the people we serve and make their jobs easier by protecting the systems and information we all rely on.