People, Technology Together Are Best Bet to IDing Security Threats

Expert Tips for Filtering Out Anomalies


“It is difficult for users to identify when poor network performance is caused by a security threat. From their perspective, all they notice is slowness or unresponsiveness.” – James Townsend, InfoStrat

In the security world, the signal-to-noise ratio can get out of balance quickly. With the sheer volume of security data now available — thanks in part to the proliferation of devices — the ability to tell an everyday, harmless anomaly from a threat indicator emerges as a KPI.

Security experts we consulted had a host of great ideas on how to filter out the noise and focus on the warning signs of an imminent — or unfolding — security breach. 

The practice of monitoring networks for security has been upended in recent years. Attackers are becoming more persistent and sophisticated. The perimeter has been rendered obsolete. And let’s admit it, IT infrastructure, including the network, has become more complex.

Still, threat monitoring remains a key component of any effective security program, and monitoring has its own challenges. Among them: separating an innocuous network anomaly from a potential, or very real, threat. The good news is that the same tools that are emboldening attackers — machine learning, artificial intelligence, and analytics among them — can be used to improve threat detection, even in today’s noisy security information channel.

First, this is a well-recognized challenge. Chris Rouland, Founder of Phosphorus, offers this perspective. “A network compromise is frequently misdiagnosed as a network performance or utilization anomaly,” he says. That’s partly because “modern malware is designed to disguise itself as legitimate network traffic.” 

He recommends that “the first place to look is at netflow and DNS data — this is where the diagnosis can be easily determined.”

John Fruehe, Enterprise Technology Analyst, cautions about complacency over a quick resolution. “Quick answers are often the worst answers as hacks can be disguised in order to be dismissed,” he says. “Performance anomalies are often driven by DDoS so it is important to understand where traffic is coming from and whether the end points for the traffic match normal patterns. Source and destination are critical.” 

Mind your people

It starts, says Ben Rothke, Principal Security Consultant at Nettitude Group, with competent people. “A good doctor can tell the difference between heartburn and a heart attack,” he says. “So too can a good SOC (Security Operations Center) analyst or security administrator tell the difference between a network performance anomaly and a potential security threat. They look very much alike, and it’s quite easy to confuse the two. But if a firm hires and trains good people, they won’t confuse what was too much chow mein with the need for an ER visit.”

Eric Vanderburg, security and technology thought leader, consultant, and author, points out that people and technology each have a role.

“Experience with network equipment and security threats is the best preparation for differentiating between the network performance anomaly and a security threat,” he asserts. “The experienced analyst will be able to quickly know what is plausible behavior due to a network malfunction and what constitutes an indicator of a security threat. Computer systems, likewise, conduct behavioral analysis, sometimes utilizing machine learning, to better understand how systems interact and the combination of machine and human intelligence can lead to quite accurate assessments of the potential threat.” 

But even the best people are fallible, especially to an emerging challenge: security-related fatigue, says Kaushik Narayan, CTO, Skyhigh Networks. “Alert fatigue causes nearly a third of security professionals to ignore alerts.”

A behavioral, pattern perspective

Recognizing changes in user behavior can give clues about the nature of any anomalies.

“Network behavior anomaly detection (NBAD) can complement security approaches based on the threat signature by flagging bad performance potentially caused by security threats,” says James Townsend, President at InfoStrat. “It is difficult for users to identify when poor network performance is caused by a security threat. From their perspective, all they notice is slowness or unresponsiveness.”

Still, that’s a start. From there, “It's about pattern recognition and baselining,” says Wayne Sadin, CIO at Affinitas. “You have to observe and record ‘normal’ network activity, then identify ‘suspect’ behavior. At that point the recognition of a ‘busy’ activity pattern and discriminating that from an ‘unknown’ pattern — a potential threat — gets anomalies surfaced quickly.”
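The baselining that Sadin describes, applied to the flow data Rouland and Fruehe point at, comes down to recording which endpoints each host normally talks to and how much, then sorting new flows into "busy" (a known endpoint at unusual volume, a capacity question) versus "unknown" (an endpoint or source never seen in the baseline, a candidate threat). The following Python is an added example, not code from the article or from any of the experts quoted; the flow records, hostnames and the 25%-of-mean fallback for single-sample endpoints are constructed for illustration.

```python
"""Baseline 'normal' flows per host, then triage new flows as normal / busy / unknown."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (NetFlow-style summaries): (src_host, dst_ip, dst_port, bytes).
BASELINE_FLOWS = [
    ("ws-101", "10.0.0.5", 443, 120_000),
    ("ws-101", "10.0.0.5", 443, 98_000),
    ("ws-101", "10.0.0.9", 53, 1_200),
    ("ws-101", "10.0.0.9", 53, 900),
    ("ws-101", "203.0.113.20", 443, 250_000),
    ("ws-101", "203.0.113.20", 443, 310_000),
    ("ws-102", "10.0.0.5", 443, 80_000),
    ("ws-102", "10.0.0.9", 53, 700),
]

def build_baseline(flows):
    """Per-source profile: for every (dst, port) seen, the mean and std-dev of bytes per flow."""
    samples = defaultdict(lambda: defaultdict(list))
    for src, dst, port, nbytes in flows:
        samples[src][(dst, port)].append(nbytes)
    baseline = {}
    for src, endpoints in samples.items():
        baseline[src] = {}
        for ep, vals in endpoints.items():
            mu = mean(vals)
            sd = pstdev(vals)
            # With one sample the std-dev is 0; assume 25% of the mean so a single
            # observation does not make every later flow look 'busy' (constructed rule).
            if sd == 0:
                sd = max(0.25 * mu, 1.0)
            baseline[src][ep] = (mu, sd)
    return baseline

def classify_flow(baseline, flow, z_threshold=3.0):
    """'unknown' - source or (dst, port) never seen in the baseline (candidate threat),
       'busy'    - known endpoint but volume far above its baseline (capacity/performance),
       'normal'  - otherwise."""
    src, dst, port, nbytes = flow
    endpoints = baseline.get(src)
    if endpoints is None or (dst, port) not in endpoints:
        return "unknown"
    mu, sd = endpoints[(dst, port)]
    return "busy" if (nbytes - mu) / sd > z_threshold else "normal"

def triage(baseline, flows):
    """Group a batch of new flows by verdict so 'unknown' ones can be reviewed first."""
    buckets = {"unknown": [], "busy": [], "normal": []}
    for flow in flows:
        buckets[classify_flow(baseline, flow)].append(flow)
    return buckets

# Constructed flows from a later window.
NEW_FLOWS = [
    ("ws-101", "10.0.0.5", 443, 115_000),        # usual endpoint, usual volume
    ("ws-101", "203.0.113.20", 443, 9_000_000),  # usual endpoint, huge volume -> busy
    ("ws-101", "198.51.100.77", 4444, 40_000),   # never-seen endpoint -> unknown
    ("ws-103", "10.0.0.5", 443, 70_000),         # never-seen source host -> unknown
]

if __name__ == "__main__":
    b = build_baseline(BASELINE_FLOWS)
    for verdict, flows in triage(b, NEW_FLOWS).items():
        print(verdict, flows)
```

The same profile can be fed from DNS logs (queried names per host instead of destination/port pairs); the point is that "busy" and "unknown" are separated by whether the endpoint itself is new, not by volume alone, which is what keeps a legitimate traffic spike from being read as a compromise and a low-volume connection to a new endpoint from being dismissed.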

All about analysis

Recognizing a pattern or change in behavior is just data. It’s the analysis of that information that yields a plan for action. That sometimes means rolling up your sleeves and crunching some data, says George Gerchow, Vice President at Sumo Logic.

“The key here is to do this host-based, and log everything with analytics and metrics,” Gerchow recommends. Cast a wide net, he urges as well. “If you focus just on the network, you are limited by the inline choke point solutions that Spam Ports. What about cloud? In the cloud there is no ‘In Line’ so everything is done on the host (Firewall, IDS...). But you still need to log everything — and add machine learning analytics.”

Adds Wayne Sadin, with Affinitas, “AI is invaluable for rapid pattern identification, once you've trained it.”

Gerchow offers an example: “If I can detect that a user has now logged into a device or application for the first time, and also see that soon after there was an outage, I can assume it was a security anomaly. The key is to get alerted right when authentication takes place before they can do damage.”

Says Narayan, “Cross referencing multiple sources of usage data – for example analyzing the application risk, device status, data sensitivity, and frequency of activity for a user’s behavior – and running the information through machine-learning algorithms can refine the alert pipeline from simple anomalies to actual threats.”
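Gerchow's first-login-then-outage pattern and Narayan's cross-referencing of several usage sources combine naturally into one correlation step: detect the first time a (user, host) pair authenticates, look for an availability event on that host shortly afterwards, and weight the result by context such as data sensitivity. The Python below is an added example, not code from the article, Sumo Logic or Skyhigh Networks; the log lines, the 30-minute window, the host sensitivity table and the scoring weights are all constructed for illustration.

```python
"""Correlate first-time logins with outages and host context (constructed sample data)."""
from datetime import datetime, timedelta

# Constructed authentication events. Format: "<ISO timestamp> user=<u> host=<h> result=<r>"
AUTH_LOG = [
    "2017-05-01T09:15:40 user=alice host=db-prod-1 result=success",
    "2017-05-02T02:47:03 user=bob host=db-prod-1 result=success",
    "2017-05-02T02:49:10 user=bob host=db-prod-1 result=failure",
    "2017-05-02T03:10:00 user=alice host=web-1 result=success",
]
# Constructed availability events from the monitoring system.
OUTAGE_LOG = [
    "2017-05-02T02:55:30 host=db-prod-1 event=outage",
]
# Constructed context from another source: data sensitivity of each host.
HOST_SENSITIVITY = {"db-prod-1": "high", "web-1": "low"}
# Constructed baseline of (user, host) pairs already observed before this window.
KNOWN_PAIRS = {("alice", "db-prod-1")}

def parse_kv_line(line):
    """Turn '<ts> k=v k=v ...' into a dict, with the timestamp parsed under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def first_time_logins(auth_lines, known_pairs):
    """Successful logins whose (user, host) pair was not in the baseline and has not
    occurred earlier in this batch; each pair is reported once, at its first occurrence."""
    seen = set(known_pairs)
    events = []
    for rec in sorted(map(parse_kv_line, auth_lines), key=lambda r: r["ts"]):
        if rec["result"] != "success":
            continue
        pair = (rec["user"], rec["host"])
        if pair not in seen:
            seen.add(pair)
            events.append(rec)
    return events

def correlate(auth_lines, outage_lines, known_pairs, sensitivity,
              window=timedelta(minutes=30)):
    """Score each first-time login: +2 if the same host had an outage within the window
    after the login, +1 if the host holds high-sensitivity data (constructed weights)."""
    outages = [parse_kv_line(line) for line in outage_lines]
    alerts = []
    for login in first_time_logins(auth_lines, known_pairs):
        score, reasons = 1, ["first login of user to host"]
        for o in outages:
            if o["host"] == login["host"] and timedelta(0) <= o["ts"] - login["ts"] <= window:
                score += 2
                reasons.append("outage within %d min of login" % (window.seconds // 60))
                break
        if sensitivity.get(login["host"]) == "high":
            score += 1
            reasons.append("high-sensitivity host")
        alerts.append({"user": login["user"], "host": login["host"],
                       "ts": login["ts"], "score": score, "reasons": reasons})
    # Highest score first, so the analyst sees the most plausible threat at the top.
    return sorted(alerts, key=lambda a: a["score"], reverse=True)

if __name__ == "__main__":
    for alert in correlate(AUTH_LOG, OUTAGE_LOG, KNOWN_PAIRS, HOST_SENSITIVITY):
        print(alert["score"], alert["user"], alert["host"], "; ".join(alert["reasons"]))
```

The first-login event alone is what Gerchow wants to be alerted on; the outage and sensitivity enrichment is what moves it, in Narayan's terms, from "simple anomaly" to something an analyst should treat as a probable threat rather than a performance incident.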

Looking ahead

The fact is, “Network meltdowns happen,” says Patrick C Miller, Managing Partner at Archer Security Group. The key is “quickly knowing why,” he says, and that “depends on your security maturity. If you don't have quality security tools – and more importantly, skilled people using them – you won't know what's happening on your network, you will have a false sense of security and you're wasting your money.”

Adds Paul Teich, Principal Analyst at TIRIAS Research, “Advanced threat detection can help, but is still maturing.”

The good news is “network performance issues don't just happen,” says Gerchow. “They happen over time so you can leverage metrics to be more pre-emptive.”


Copyright © 2017 IDG Communications, Inc.