What’s the real definition of winning? Is it when cyber criminals get inside or when they move sensitive data out? According to Symantec’s SVP of Information Protection, Nico Popp, it’s the latter, making data a vital indicator of compromise.

In March 2018, Symantec unveiled its annual Internet Security Threat Report (ISTR). Two of the main takeaways are that the types of threats are broadening, and already popular attacks are seeing significant increases in execution. The report notes an 8,500 percent increase in detections of coinminers on endpoint computers in 2017, and a 600 percent increase in overall IoT attacks. While the average ransom dropped in value, the number of new ransomware variants increased by 46 percent. The bottom line is that as more data flows through our networks, machines and devices, more malicious actors want to get their hands on it. And many are successful.

Who’s the real winner?

I am sure you have read all kinds of hypotheses as to why the bad guys are winning. However, before we add another speculation to the pile, it’s important to define what we consider “winning.” When walking around the RSA Conference this year, I noticed a consensus. Most vendors and cyber security professionals agree that organizations have been breached, or are breached and don’t know it. While some may jump to the conclusion that this means the bad guys are winning, that’s not necessarily true. Just because criminals broke in does not mean they stole valuable data. Sure, that’s their goal. However, if security teams can stop the criminal before sensitive data walks out the door, then the security team wins.

An interview with Symantec’s SVP of Information Protection Nico Popp

So, what should security leaders be doing differently to make sure sensitive data doesn’t leave the organization? I sat down with Symantec’s SVP of Information Protection, Nico Popp, to discuss the concept of information-centric cyber defense.
Ryan: Thanks for taking the time to chat, Nico. Why are security teams challenged with stopping bad actors once they are inside?

Nico: Ryan, I like to think of it as a bank. I am a thief, or in cyber terms, an advanced persistent threat, targeting a bank. I walk into the bank and encounter a security guard named Endpoint Protection (EP). EP looks at my face, my clothes, trying to determine if I am a thief. He sees I have glasses and am wearing a wig. But he still does not know for sure I am a thief, UNTIL I try to steal the money. The money is the data. The primary indicators of compromise (IoC) are the data (the money) and the user (the thief), yet many organizations are so focused on the physical IoCs – registries, IP addresses, DNS, domain names, operating systems, etc. – that they ignore both.

The French writer François Mauriac said, “Tell me what you read and I’ll tell you who you are is true enough, but I’d know you better if you told me what you reread.” The first part of that statement could not be truer when it comes to detecting a compromise. Follow the data and you will know you’re under attack.

Ryan: Can you give us an example of how an organization can discover an attack in progress by following the data?

Nico: Sure. Let’s say that, using user and entity behavior analytics (UEBA), an organization spots an employee in marketing logging into an application containing confidential financial information that that person, his peers and his overall business unit would not typically access. This behavior could indicate the employee plans to steal sensitive information. However, maybe the employee was given permission by his manager to access the file for business purposes? Monitoring the user and the file would provide a clear indication. If the user attempts to e-mail the file to an unknown external third party, that’s a good indication he’s doing something malicious. Look at the WannaCry ransomware. A lot of antivirus solutions missed it because they didn’t have the file signature.
The traditional IoCs were not effective. If organizations had followed the data, they could have caught WannaCry as it encrypted data and minimized the damage. By following the data, you may miss how the attackers came in, but you won’t miss the attack.

Ryan: You mentioned how UEBA detects a potential compromise in progress. What other cyber security technologies can be used to enable this information-centric cyber defense approach?

Nico: Integrating data loss prevention (DLP) with UEBA is powerful because the two combined look at the behavior of the user, but with respect to the data. UEBA compares a user’s activity to himself, his peers and his overall business unit to determine if the behavior is normal or abnormal. DLP detects and stops sensitive data from walking out the door, so the two combined build a complete picture of who is attempting to steal what before it’s too late. Endpoint protection is another technology that enables a data-focused defense. Here are two use cases for an information-centric cyber defense approach:

Zero-day protection: You receive an email with a resume attached. You open the resume. Suddenly, a PowerShell appears. Endpoint protection determines the script that the PowerShell is executing is suspicious. DLP monitors the PowerShell as it attempts to access a top-secret file. DLP alerts endpoint protection, which then blocks access. The fact that an unknown process is accessing confidential data is indeed revealing!

Data jailing: “Jane” is promoted to head of HR. You let Jane access private data of employees; however, Jane takes advantage of her new access rights and repeatedly tries to send the data to an unknown external party, outside the “jail” per se. UEBA detects the behavior, performs behavioral comparisons, and sends the event to investigators.
Meanwhile, DLP blocks the exfiltration.

Ryan: To conclude, what can organizations do today to shift to an information-centric cyber defense approach?

Nico: They need to start tracking data activity like they are doing for user activity. Data activity is as important as user activity. Start with the analytics. Once you have established a good analytics program that tracks user behavior, then use those analytics to track data behavior. If you are already using UEBA with machine learning capabilities, then you are on the right path.
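As an added illustration of the “follow the data” correlation Nico describes (the marketing employee reaching into a financial application and then mailing the file out, and the UEBA-plus-DLP use cases above), here is a small Python sketch. It is not from the article and not Symantec code. It builds a peer-group baseline from constructed access events, scores new accesses the way a UEBA rule might (user’s own history first, then peers in the same business unit), flags confidential attachments addressed to external domains the way a DLP policy might, and correlates the two per user and resource. Every user, domain and log line is constructed, and the three verdict labels are my own naming, not a product’s.

```python
"""Follow-the-data correlation: a UEBA-style peer-group baseline plus a
DLP-style exfiltration check over constructed log events (added example,
not Symantec code)."""

# Constructed sample data. Each access event is (user, business_unit, resource, sensitivity).
BASELINE_ACCESS = [
    ("alice", "finance", "finance_app/q3_forecast.xlsx", "confidential"),
    ("bob", "finance", "finance_app/q3_forecast.xlsx", "confidential"),
    ("carol", "finance", "finance_app/ledger.csv", "confidential"),
    ("dave", "marketing", "cms/campaign_plan.docx", "internal"),
    ("erin", "marketing", "cms/brand_assets.zip", "internal"),
]

# New access events to score against the baseline (constructed).
NEW_ACCESS = [
    ("bob", "finance", "finance_app/ledger.csv", "confidential"),           # normal for finance
    ("dave", "marketing", "finance_app/q3_forecast.xlsx", "confidential"),  # marketing user in finance app
    ("erin", "marketing", "finance_app/ledger.csv", "confidential"),        # same, but never mailed out
]

# Outbound e-mail events: (user, recipient_domain, attached_resource) (constructed).
EMAIL_LOG = [
    ("dave", "example.com", "cms/campaign_plan.docx"),                        # internal, non-sensitive
    ("dave", "unknown-mailbox.example.net", "finance_app/q3_forecast.xlsx"),  # external, confidential
    ("carol", "partner.example.org", "finance_app/ledger.csv"),               # legitimate user, data still leaving
]

INTERNAL_DOMAINS = {"example.com"}


def app_of(resource):
    """The application part of a resource path, e.g. 'finance_app'."""
    return resource.split("/", 1)[0]


def score_access(baseline, user, unit, resource):
    """UEBA-style check: compare one access to the user's own history,
    then to the peers in the same business unit."""
    app = app_of(resource)
    own = {app_of(r) for u, _, r, _ in baseline if u == user}
    peers = {app_of(r) for u, bu, r, _ in baseline if bu == unit and u != user}
    if app in own:
        return "normal"
    if app in peers:
        return "new_for_user"   # peers use it; low concern on its own
    return "anomalous"          # neither the user nor the unit touches this app


def flag_exfiltration(email_log, sensitivity_of, internal_domains):
    """DLP-style check: a confidential attachment addressed to an external domain."""
    return [
        (user, domain, attachment)
        for user, domain, attachment in email_log
        if sensitivity_of.get(attachment) == "confidential"
        and domain not in internal_domains
    ]


def follow_the_data(baseline, new_access, email_log, internal_domains):
    """Correlate the two signals per (user, resource) and return a verdict:
    'investigate'        - anomalous access, no exfiltration attempt seen
    'block'              - exfiltration attempt by a user whose access looked normal
    'block_and_escalate' - anomalous access followed by an exfiltration attempt
    """
    sensitivity_of = {r: s for _, _, r, s in baseline + new_access}
    anomalous = {
        (user, resource)
        for user, unit, resource, _ in new_access
        if score_access(baseline, user, unit, resource) == "anomalous"
    }
    verdicts = {}
    for user, _, attachment in flag_exfiltration(email_log, sensitivity_of, internal_domains):
        key = (user, attachment)
        verdicts[key] = "block_and_escalate" if key in anomalous else "block"
    for key in anomalous:
        verdicts.setdefault(key, "investigate")
    return verdicts


if __name__ == "__main__":
    results = follow_the_data(BASELINE_ACCESS, NEW_ACCESS, EMAIL_LOG, INTERNAL_DOMAINS)
    for (user, resource), verdict in sorted(results.items()):
        print(f"{verdict:<20} {user:<6} {resource}")
```

Run as a script, it reports three verdicts: dave’s out-of-pattern access followed by an external e-mail of the same file is the “block and escalate” case, carol’s e-mail is blocked by the DLP rule alone even though her access was normal (the data-jailing case), and erin’s out-of-pattern access with no exfiltration attempt only goes to investigators. Bob touching a second finance file produces nothing, which is the point of baselining against peers rather than alerting on every new file.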