Four advantages of an identity behavior-based approach to cybersecurity

With an ever-increasing number of data breaches, more money is being poured into IT security budgets. According to Gartner, the average global security budget increased 8 percent from 2013 to 2014 and will grow another 8 percent in 2015. Additionally, data loss prevention (DLP) system investments will increase by almost 19 percent.

More and more companies are falling into the trap of buying a next-gen security system that still relies on today’s ineffective firewall, IPS, malware sandboxing system and security information and event management (SIEM) processes and technologies. Many believe that these next-gen tools will stop data breaches better than their predecessors, yet, year-over-year, we see an increase in the number of data breaches. Furthermore, research, such as Experian’s 2015 Annual Data Breach Industry Forecast, tells us that organizations are continuously focusing too much on external attacks and not enough on larger threat of insiders.

We can no longer continue to develop outdated and ineffective security technology. Isn’t it time to reexamine the types of products we are producing and purchasing, and rebuild the processes around them?

Identity behavior-based solutions, often referred to as user-behavior intelligence or behavior analytics, offer the updated approach we need. These systems employ machine learning and behavior modeling to understand what normal behaviors are for users and their peer groups, and then identify abnormal behaviors that signify an attacker is using compromised credentials. Are you thinking about adopting an identity behavior-based approach to cybersecurity? Below are four ways it can change the way an organization exposes attackers:

1. Identity tracking across multiple attack chain activities
Most IT security budgets go toward point products that detect initial compromise and data exfiltration (data-loss prevention), and leave attacker detection at the wayside. Identity-behavior solutions track movement in the middle of the attack chain – where the use of stolen credentials is most acute and the lengthiest portion of the attack takes place.

2. Offer a dynamic (and business-aligned) approach to risk
Businesses are dynamic. Employees change roles, go on vacations, bring their own devices, work remotely and use different systems. Off-the-shelf algorithms that track these movements are meant to analyze scientific data, not that of an ever-changing business. Dynamic access characteristic questions get automatically asked for each behavior model. Identity behavior solutions utilize custom algorithms built for these dynamic business environments and learn the differences in behavior between legitimate business uses and attacker behavior – eliminating a sea of alerts for analysts to comb through.

3. Deprioritizing false-positives by design
Tens of thousands of alerts are generated every day from point solutions and DLP systems, and SIEM correlations bring this number down to about 1,000 per day. While that is a significant decrease, by only depending on a SIEM deployment, security teams still have 1,000 “legitimate” critical alerts to reprioritize and resolve manually each day – most of which are never seen. Relying on identity behavior-based analysis means only alerts directly associated with anomalous behaviors will notify security analysts, leaving the “noise” behind. Additional insight is there if you need it, but only as context for the behavior, content for compliance reporting, or as part of your organization’s key performance indicators.

4. Create security operations efficiencies
Imagine the traditional security funnel process turned upside down. The tens of thousands of security point solution alerts are at the bottom of the funnel and credentials exhibiting anomalous behaviors from are at the top. As a valid credential is seen exhibiting anomalous behaviors during a session of activity and, if an identifying correlation can be made, one or more of point solution alerts is pulled up the funnel and attached to the session. The session is assembled and all activities, including the point solution alerts, are scored. A tier-one analyst views the session with the highest score and calls the credential owner and asks, “Was that you using the VPN from Shanghai with never-before-seen device, at an odd time of day, accessing systems you and your peer group have never accessed before and then switching identities?” If the answer is “no” then disconnect them from the network and perform forensic analysis.

When tier-one analysts and user behavior intelligence solutions do the brunt of the work, there is no need for an escalation to tier-three analysts, freeing time and gaining efficiency in security operations.

While we should not abandoning current technologies altogether, we must recognize that attackers aren’t focused on bypassing outdated technologies from the past. Once attackers have obtained a set of valid user credentials to impersonate a legitimate user, our other security processes and technologies are rendered useless. If valid credentials are the most coveted item an attacker can obtain, we must realign processes and technologies to end the cycle.