User behavior analytics for security operations efficiency

So, you’ve been informed by the FBI, a business partner, or security consultant that they have spotted a bunch of your company’s employee records on the paste bin website. Your first thought – this is obviously the result of a data breach due to unauthorized access.

This scenario is repeated over and over again and is continuously seen in the headlines. The company names mentioned are likely only the tip of a much larger iceberg. Multiple surveys and case studies tell us that the average time to detection of targeted attacks – those that involve stolen credentials and user impersonation – is greater than 200 days. That’s how long the attacker is able to stay resident inside the network without detection. What there isn’t as much discussion about is the time it takes to figure out the path the attacker took through the IT environment once you know you’re the subject of this kind of attack. This timeline intersection of identities, assets and security alerts represents what is best known as the attack chain.

There isn’t much information about how long this analysis phase takes. However, a recent study of federal agencies by Meritalk tells us that even though more data is collected than ever before, nine of 10 security professionals can’t put together the complete story of the attack. When they can, it takes on average over 30 hours, or six to 10 days, to complete the analysis, and this is visibility that traditional security information and event management (SIEM) systems do not provide. Putting together this analysis is a painstaking manual process. There are several reasons why organizations struggle with it.

The difference between too much data and the right data
The security organization either isn’t collecting or doesn’t have access to the data they need. Many organizations still pay more attention to login failures than to successes. Some forms of malware use brute force attacks as a way to gain access to a system, and those do generate failures. Malware that uses the identity of its host to perform functions, making it look like a legitimate user, does not. If successful login data is collected and stored at all, it’s often “owned” and stored in another organizational silo. For the targeted attack use case, the delay in getting access to the right data gives the attacker additional time even after detection.

Identity shifts
Correlation of user activities across a single IP address or a single identity is something that most log management systems support. Search capabilities have been made a priority in these products. Most targeted attackers have specific goals in mind that force them to use multiple accounts and multiple user identities. If they can gain administrator access to an Active Directory, they can create multiple highly privileged user accounts. In an investigation, if the attacker changes identities or even IP addresses, the investigation stops and things get a lot harder.

Linking an identity to a security alert
Today’s security processes often start with a critical alert from some part of the infrastructure. If a product like FireEye produces a critical alert that shows up in the SIEM, the investigator has to figure out who had an open session on the device FireEye alerted them to at (or near) the time of the alert. If the security team isn’t putting login success data in the SIEM, there’s no way for the SIEM to do this for them. This means adding the context of “who” to the alert is a manual process. There’s another annoyance for security teams: lack of time synchronization across devices. While time synchronization is a payment card industry (PCI) requirement, the objective of many organizations is to limit the scope of PCI wherever possible, so devices outside that scope are often left unsynchronized. Even a few minutes of time shift can add to the headache of an investigation.
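As an added example (not code from the article or from any product it names), the following Python shows the “who” enrichment the paragraph describes: given successful-login sessions and a device alert, find the users with an open session on that device at or near the alert time, widening the match window by a configurable clock-skew tolerance. All session records and alerts are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the article).
# Successful interactive logons: (user, host, logon time, logoff time).
SESSIONS = [
    ("alice",   "WS-1042", "2015-06-03T08:02:00", "2015-06-03T17:10:00"),
    ("svc-bkp", "WS-1042", "2015-06-03T12:00:00", "2015-06-03T12:05:00"),
    ("bob",     "WS-2210", "2015-06-03T09:15:00", "2015-06-03T18:00:00"),
]

# Critical alerts as they would arrive in the SIEM: (host, alert time).
ALERTS = [
    ("WS-1042", "2015-06-03T12:07:30"),
    ("WS-2210", "2015-06-03T08:59:00"),  # sensor clock runs ahead of the host
    ("WS-9999", "2015-06-03T10:00:00"),  # no login data for this host at all
]


def _t(s):
    return datetime.fromisoformat(s)


def who_was_logged_on(host, alert_time, sessions=SESSIONS,
                      skew=timedelta(minutes=5)):
    """Users whose session on `host` overlaps the alert time, widened by
    +/- `skew` to absorb unsynchronised clocks between sensor and logs."""
    at = _t(alert_time)
    lo, hi = at - skew, at + skew
    return sorted({user for user, h, start, end in sessions
                   if h == host and _t(start) <= hi and _t(end) >= lo})


def enrich_alerts(alerts=ALERTS, skew_minutes=5):
    """Attach the 'who' context to every alert. An empty user list means the
    login data does not cover that host/time and the analyst must dig by hand."""
    skew = timedelta(minutes=skew_minutes)
    return [(host, when, who_was_logged_on(host, when, skew=skew))
            for host, when in alerts]


if __name__ == "__main__":
    for host, when, users in enrich_alerts():
        print(f"{when} {host}: {users or 'no session data'}")
```

Note how the short-lived service account on WS-1042 only appears once skew is tolerated, and the WS-2210 alert matches nobody until the window is wide enough to cover the clock offset.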

Time-to-detection needs to be reduced in both the detection and analysis phases of the security process. User behavior analytics and analysis solutions offer four key benefits when added to an existing security architecture:

  • Adding an additional layer of reprioritization to alerts, which can be placed on an attack timeline and prioritized based on their association with anomalous credential behaviors;
  • Visibility into compromised accounts and their intersection with assets and identities;
  • Understanding the “normal” behaviors of the organization’s collective identities; and
  • Combining detection and analysis phases of the security process for operational efficiency.