Why we need behavior-centric detection and response

Oct 16, 2015 | 4 mins
Cybercrime | Data and Information Security | Data Breach

Breach discovery can take days using traditional methods

According to the Verizon 2015 Data Breach Investigations Report (DBIR), 60 percent of the time, attackers were able to compromise an organization within minutes. Meanwhile, in more than 75 percent of the cases, the average time to discover breaches was measured in days. These findings indicate a growing “detection deficit” between attackers and defenders. Verizon sees this as one of the primary challenges to the security industry today and going forward.

For incident responders, the time an attacker spends in the same position, area or stage of a process, such as the delta between when a compromise occurs and when it is discovered, is called dwell time. Reducing dwell time is critical to the successful prevention or resolution of a cyber incident.

The primary reason for the long delays in breach discovery reported by Verizon is that we are still very much focused on defending against intrusions. A new and more effective approach to quickly decode cyber incidents is needed, one that enables us to understand the complex activities occurring on our networks, and what “good” cyber activity looks like. To accomplish this, we need to start at the source of all network activity — the behaviors of users and entities or devices.

Why focus on behaviors? It’s well documented that users are the weakest link in the security chain and pose the highest risk to our computing environments. Yet, knowledge of user behaviors is where we typically have the least amount of visibility, especially into what users are accessing and their patterns of usage. Active engagement in monitoring, detecting and deriving insight into user access and usage patterns can foretell risky activity. Identifying early warning signs is critical for protecting against sophisticated threats including malicious insiders and external attackers that have hijacked legitimate user accounts.

Let’s examine the steps for implementing activity- and usage-centric incident response.

As a starting point, review all security-related data that is being collected by any form of logging. To make sense of this data, establish a baseline of which user access and usage activities are being logged and which are not. This will expose any glaring blind spots in collection schemes.

Next, apply analytic techniques to understand the data that’s been collected and determine what “good behavior” looks like. This will make it easier to isolate user behaviors that are suspicious and should be monitored or investigated. Examples of suspicious behavior may include inappropriate use of elevated access privileges, or more latent threats, such as data breaches.

This should be followed by continuous monitoring of behavioral data in order to assess user access and usage within “trackable” peer groups. The use of peer groups places behaviors in context and helps to expose “outliers” based on the roles each user performs in comparison to other members of their department, project or work groups, etc.

An important subsequent step is to identify and track all authorized access credentials that are in use, including orphaned, shared, third-party and remote access accounts. Most can be used to access sensitive company data, systems and applications, and as a springboard for data breaches. Once a user’s access credentials are hijacked, they can enable attackers to move around the network undetected.

Also, access credentials should be monitored across all networks, voice and data channels, infrastructure, computer systems, devices, databases and applications. As part of this process, any excess access credentials that are not required by users should be revoked, especially those that do not match, or that conflict with, the access held by other users in an individual’s relevant peer groups.

In addition, pay close attention to user accounts with elevated access privileges, such as systems or database administrator accounts and system-level accounts on all security and perimeter devices, etc. Some of these accounts may not be used on a regular basis, and should therefore be scanned continuously to evaluate whether they need to be removed or disabled.

Once user credentials are being monitored and logged, access activity should be analyzed against sensitive or privileged data. For example, which user accounts are accessing customer, supplier or finance data? Why is this type of data being accessed by these user accounts? Are users’ access privileges consistent with their need to access this type of data?
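The steps above (baseline what is logged, compare users against their peer group, review privileged credentials, and check who touches sensitive data) can be exercised end to end on a small log set. The following is an added example written for this article, not code from the author or from any product. Everything in it is constructed: the key=value log format, the sample users and departments, the list of privileged accounts, the mapping of sensitive resources to the departments whose role covers them, the 30-day dormancy threshold and the modified z-score cutoff of 3.5. Peer-group outliers are scored with the median/MAD form of the z-score so that a single heavy user does not drag the baseline up with them, and groups with fewer than three members are skipped because a baseline built from one or two peers says nothing.

```python
"""Behavior-centric review of access logs (added example, constructed data).

Walks the article's steps over a hypothetical key=value log format: parse the
events, baseline usage per department peer group, flag outliers, check access
to sensitive data against role, and find dormant or never-seen privileged accounts.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample events (hypothetical format: ISO timestamp then key=value fields).
_BASE = [
    "2015-10-01T09:12:03Z user=alice dept=finance resource=finance_db action=read",
    "2015-10-02T10:01:44Z user=alice dept=finance resource=finance_db action=read",
    "2015-10-01T11:20:10Z user=bob dept=finance resource=finance_db action=read",
    "2015-10-03T14:05:59Z user=bob dept=finance resource=finance_db action=read",
    "2015-10-07T08:45:12Z user=bob dept=finance resource=finance_db action=read",
    "2015-10-05T16:30:00Z user=dave dept=eng resource=finance_db action=read",
    "2015-10-05T16:31:00Z user=erin dept=eng resource=build_server action=write",
    "2015-09-01T02:00:00Z user=dbadmin dept=it resource=finance_db action=admin",
    "2015-10-10T03:15:00Z user=fw_admin dept=it resource=firewall action=admin",
]
# carol reads finance_db twelve times, far more than her finance peers (constructed).
SAMPLE_LOG = _BASE + [
    f"2015-10-{d:02d}T09:00:00Z user=carol dept=finance resource=finance_db action=read"
    for d in range(1, 13)
]

PRIVILEGED_ACCOUNTS = {"dbadmin", "fw_admin", "backup_svc"}  # constructed inventory
# Departments whose role legitimately includes each sensitive resource (constructed).
SENSITIVE_RESOURCE_OWNERS = {"finance_db": {"finance", "it"}, "customer_db": {"sales"}}
NOW = datetime(2015, 10, 16)  # reference time for dormancy checks (article date)


def parse_log(lines):
    """Parse key=value log lines into event dicts with a datetime under 'ts'."""
    events = []
    for line in lines:
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def peer_group_outliers(events, resource, min_group=3, threshold=3.5):
    """Return {user: score} for users whose access count to `resource` is an
    outlier within their department, using the modified z-score (median/MAD)."""
    counts = defaultdict(Counter)  # dept -> user -> number of accesses
    for ev in events:
        if ev["resource"] == resource:
            counts[ev["dept"]][ev["user"]] += 1
    outliers = {}
    for users in counts.values():
        if len(users) < min_group:  # too few peers for a meaningful baseline
            continue
        values = list(users.values())
        med = median(values)
        mad = median(abs(v - med) for v in values) or 1.0  # avoid division by zero
        for user, n in users.items():
            score = 0.6745 * (n - med) / mad
            if score > threshold:
                outliers[user] = round(score, 2)
    return outliers


def access_outside_role(events, owners=SENSITIVE_RESOURCE_OWNERS):
    """Return sorted (user, resource) pairs where a sensitive resource was read by
    a user whose department is not among the resource's legitimate owners."""
    hits = set()
    for ev in events:
        allowed = owners.get(ev["resource"])
        if allowed is not None and ev["dept"] not in allowed:
            hits.add((ev["user"], ev["resource"]))
    return sorted(hits)


def privileged_account_review(events, privileged=PRIVILEGED_ACCOUNTS, now=NOW, max_idle_days=30):
    """Classify privileged accounts as 'dormant' (idle longer than max_idle_days)
    or 'never_seen' (in the inventory but absent from the logs: orphan candidate)."""
    last_seen = {}
    for ev in events:
        if ev["user"] in privileged:
            last_seen[ev["user"]] = max(last_seen.get(ev["user"], ev["ts"]), ev["ts"])
    report = {}
    for acct in sorted(privileged):
        if acct not in last_seen:
            report[acct] = "never_seen"
        elif now - last_seen[acct] > timedelta(days=max_idle_days):
            report[acct] = "dormant"
    return report


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("peer-group outliers on finance_db:", peer_group_outliers(evs, "finance_db"))
    print("sensitive access outside role:", access_outside_role(evs))
    print("privileged account review:", privileged_account_review(evs))
```

On the constructed data, carol is flagged as the finance outlier, dave (engineering) shows up as accessing finance data outside his role, dbadmin is reported dormant and backup_svc as never seen in the logs. The first two findings feed the "why is this account accessing this data" questions above; the last two feed the review of which privileged credentials should be disabled or removed.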

Being able to differentiate between “good” and “bad” user behavior is the foundation for gathering actionable incident detection and response intelligence. It is also vital for shortening the dwell time of intrusions and containing or preventing data exfiltration.


Leslie K. Lambert, CISSP, CISM, CISA, CRISC, CIPP/US/G, former CISO for Juniper Networks and Sun Microsystems, has over 30 years of experience in information security, IT risk and compliance, security policies, standards and procedures, incident management, intrusion detection, security awareness and threat vulnerability assessments and mitigation. She received CSO Magazine’s 2010 Compass Award for security leadership and was named one of Computerworld’s Premier 100 IT Leaders in 2009. An Anita Borg Institute Ambassador since 2006, Leslie has mentored women across the world in technology. Leslie has also served on the board of the Bay Area CSO Council since 2005. Lambert holds an MBA in Finance and Marketing from Santa Clara University and an MA and BA in Experimental Psychology.

The opinions expressed in this blog are those of Leslie K. Lambert and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.