Don't Let Outliers Sabotage Your Cybersecurity Analytics


Cybersecurity analytics solutions are becoming more intelligent and nuanced to understand anomalous behavior that's outside the norm and potentially dangerous. Identifying outliers is important, but not every outlier is a threat, nor is every threat an outlier.

"Companies have made hundreds of millions of dollars building tools that look for behavior that's outside a rule or a set of parameters," said Jason Straight, SVP of Cyber Risk Solutions and chief privacy officer at legal outsourcing services provider United Lex. "For machines that works pretty well, for people it doesn't."

Tracking behavior at the machine level can be as simple as monitoring the number of packets sent to and from a particular machine.

Humans behave differently in different contexts. For example, many of us usually work at particular office Monday through Friday during "normal" work hours. However, if we're traveling internationally, we're probably accessing the same corporate network, albeit at a different time from a different IP address that's located somewhere else in the world.

A rule-based system could be programmed to disallow network access under those conditions, but traveling professionals wouldn't get much work done. The trick is to balance the needs of users and the business against potential threats.

"Instead of setting a bunch of rules that say if someone logs in from an IP address that they've never used before, at a time they've never logged in before, and they're accessing part of the network they've never used before, that's a complicated rule that would require constant updating and it would be impossible to manage on a person-by-person basis," said Straight.

User Behavior Analytics Can Help

Enterprise security budgets have been heavily focused on keeping outside threats at bay, but more enterprises are realizing that to protect their assets, they need to assume that their network has been hacked and that there's an active intruder at work.

Similarly, when the average person thinks about a cybersecurity breach, hackers come to mind. However, insiders are a bigger problem. In addition to being responsible for more security breaches than hackers, insiders fail their companies accidentally and willfully.

"If I see a server doing something funny, I can shut it down, take it offline, or reroute the traffic, which doesn't disrupt an organization much or at all," said Straight. "If I do that to people, that could be really disruptive."

User behavior analytics are an effective mechanism against insider threats because they model each user's normal behavior. For example, when an employee is getting ready to leave a job, that person usually visits certain websites and updates her resume, which isn't the best use of company assets, but it doesn't justify security intervention. However, when that employee starts downloading files to USB drives, uploading files to file-sharing services, and printing volumes of information, intervention may be necessary.

Monitoring a single user doesn't always tell the entire story, however, which is why user behavior analytics let analysts see what an individual is doing within the context of a peer group. For example, if someone in marketing accessed a part of the network she's never visited before, that's strange. Whether it actually requires action may depend on whether others in her department have accessed that same part of the network and, if so, when.

While such capabilities sound attractive, many organizations are failing to get the value they expected from user behavior analytics, despite spending seven figures, because they don't know how to handle the alerts and intelligence the tools produce, Straight said.

User behavior analytics can also help determine whether someone's login credentials have been stolen. Unlike traditional rule-based systems, user behavior analytics use machine learning and AI to model an authorized user's behavior, and that behavioral model is associated with the person's login credentials. If someone else tries to use the same user ID and password, the deviation from the modeled behavior indicates the account has been compromised.

"That's when you start to see an account that's never really used more than a departmental server suddenly scanning the entire network, trying to get into different places and being denied access," said Straight.
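As an added illustration (not code from the article or from any vendor it names), the constructed Python example below scores accounts the way the peer-group and stolen-credential cases above describe: a host that is new to a user but familiar to her department rates low, while an account that only ever touched its departmental server and suddenly reaches across the network with repeated denials rates high. All user names, hosts and thresholds are made up.

```python
from collections import defaultdict

# Constructed sample access records: (user, department, host, outcome).
# Baseline window: what each account normally touches.
BASELINE = [
    ("alice", "marketing", "mkt-share", "allowed"),
    ("bob",   "marketing", "mkt-share", "allowed"),
    ("bob",   "marketing", "crm-db",    "allowed"),
    ("carol", "marketing", "crm-db",    "allowed"),
    ("dave",  "finance",   "fin-erp",   "allowed"),
]
# Observation window: alice touches a host her peers already use; dave's
# account, which only ever used fin-erp, starts probing hosts network-wide.
WINDOW = [
    ("alice", "marketing", "crm-db",    "allowed"),
    ("bob",   "marketing", "mkt-share", "allowed"),
    ("dave",  "finance",   "fin-erp",   "allowed"),
    ("dave",  "finance",   "hr-db",     "denied"),
    ("dave",  "finance",   "eng-git",   "denied"),
    ("dave",  "finance",   "mkt-share", "denied"),
    ("dave",  "finance",   "build-srv", "allowed"),
]

def build_baselines(events):
    """Per-user and per-department sets of hosts reached (allowed accesses only)."""
    user_hosts, dept_hosts = defaultdict(set), defaultdict(set)
    for user, dept, host, outcome in events:
        if outcome == "allowed":
            user_hosts[user].add(host)
            dept_hosts[dept].add(host)
    return user_hosts, dept_hosts

def score_window(events, user_hosts, dept_hosts, denial_threshold=3):
    """Rate each active account on hosts new to the user, hosts new to the peer group, and denials."""
    stats = defaultdict(lambda: {"new": set(), "unknown_to_peers": set(), "denied": 0})
    for user, dept, host, outcome in events:
        s = stats[user]
        if outcome == "denied":
            s["denied"] += 1
        if host not in user_hosts[user]:
            s["new"].add(host)
            if host not in dept_hosts[dept]:
                s["unknown_to_peers"].add(host)
    severity = {}
    for user, s in stats.items():
        if s["denied"] >= denial_threshold or len(s["unknown_to_peers"]) >= 2:
            severity[user] = "high"    # network-wide probing: likely compromised credentials
        elif s["unknown_to_peers"]:
            severity[user] = "medium"  # new to the user and to peers: worth an analyst look
        elif s["new"]:
            severity[user] = "low"     # new to the user, but routine for the department
        else:
            severity[user] = "normal"
    return severity

def run_demo():
    return score_window(WINDOW, *build_baselines(BASELINE))
```

The denial and peer-novelty thresholds are arbitrary here; in practice they are tuned per environment, which is the model-training and supervision work Litan describes below.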

Think First

Before investing in a new security tool, it's essential to understand the problem you're trying to solve, which is true of any technology. Different security tools serve different purposes.

"Do you want to understand problems you haven't identified or are you trying to prevent data leakage?" said Avivah Litan, vice president and distinguished analyst at Gartner. "You have to be real clear, and then you also need to spend some time training the models and supervising them."

What's your experience? Is your company's cybersecurity getting more sophisticated? If so, how and what still needs to be improved? We'd love to continue the discussion in the comments section.

Lisa Morgan, Freelance Writer

Lisa Morgan is a freelance writer who covers big data and BI for InformationWeek. She has contributed articles, reports, and other types of content to various publications and sites ranging from SD Times to the Economist Intelligence Unit. Frequent areas of coverage include big data, mobility, enterprise software, the cloud, software development, and emerging cultural issues affecting the C-suite.

Re: How to hold UBA?
  • 3/24/2017 10:15:16 AM

To be able to design a machine to behave like a human would probably assume that if you can predict a human's behavior for a particular task to a near 100% probability you can most likely make a machine to do that task. So we can make robots build certain parts of cars and machinery, and we can get cars to drive themselves on predictable roads and situations, but human thinking of course can not always so far be entirely predictable and that's where the problem may lie.

Re: How to hold UBA?
  • 3/20/2017 5:38:19 PM

Michelle writes:

... I don't think we'll see machines work as smoothly as humans. Building something capable of processing like the human brain might be impossible.

The problem is that the human cognitive system has been developed through natural processes and continues to develop via those same processes. The development process is itself extremely complex. Even if AI engineers manage to "map" and replicate the original cognitive system (itself a pretty daunting task), will they succeed in fully replicating the ongoing development processes with a mechanistic analogue?

Re: How to hold UBA?
  • 3/20/2017 4:27:13 PM

I think it's safe to say everything an employee does is being tracked by their employers; badges often track physical location, and internet behavior has been tracked for years! Employees should just assume big brother is watching while in the offices or at the home office!

Re: How to hold UBA?
  • 3/20/2017 8:59:33 AM

As noted, the "trick is to balance the needs of users and the business against potential threats," and since lots of those concerns might be from an "inside" job, that may be the first place to look. But those outliers can really foul things up, not knowing just "how far" out one should be looking trying to protect themselves from harm of those very, very unlikely scenarios, yet very dangerous ones.

Re: How to hold UBA?
  • 3/15/2017 5:19:49 PM

One thing is for certain: while computers may be able to check for strange behavior, they certainly shouldn't have any final say on who gets fired.

I think it's also important for employees to realize that any strange behavior such as uploading docs to an external drive is being tracked.

Re: How to hold UBA?
  • 3/15/2017 12:33:27 AM

It is interesting to look at outliers and differential behavior, but I think cyber attacks are getting more sophisticated and utilizing more uncommon methods that seem common. The attackers understand how the cyber security software works, and they are trying at every turn to confuse it or capitalize on its weaknesses. I agree that the modeling and identification will need to evolve and morph consistently to keep up. The analytics involved will need to be constantly updated.

Re: How to hold UBA?
  • 3/14/2017 4:08:32 PM

@SaneIT I agree, I don't think we'll see machines work as smoothly as humans. Building something capable of processing like the human brain might be impossible.

Re: How to hold UBA?
  • 3/14/2017 10:14:22 AM

Given that social engineering is still the leading tool for cyber-attacks, I agree that you need humans keeping an eye on the outliers. I don't know if machines will ever be able to think and shift thinking the way that humans can. Yes, they can follow decision trees, but sometimes to figure out why something is happening you need to be able to jump between decision trees or skip branches along that tree to figure out what's going on. Humans are nothing if not inventive, so trying to guess what a human is doing if it doesn't fit a pre-defined model can be incredibly difficult if not impossible for machines.

Re: How to hold UBA?
  • 3/13/2017 8:47:32 PM

@Terry That certainly seems to be the case. I agree with Lyndon -- humans should be involved to handle outlier cases. I assume there will be many outliers to contend with...

Re: How to hold UBA?
  • 3/13/2017 9:10:49 AM

This is obviously an area where a lot more work needs to be done and much better tools developed. You run the risk of creating more problems than you fix with the tools available today.
