One of my favorite cybersecurity axioms is oft-spoken by my colleague Matt Devost (@MattDevost): “Your attacker is not a 1 or a zero.”
In other words, your attacker is, in fact, a motivated person (or a group of people), and it’s the insider threats that know you best.
The insider’s techniques show up, one way or another, because what they do looks different from your business-as-usual activity. Insiders access resources atypical for their roles and work differently than their peers, yet they may not be obviously breaking policy. Still, they look just different enough to raise the security pro’s suspicion.
As I wrote in my previous Accenture Security blog post, businesses are getting better at addressing two of the three primary types of insider threats (the “benign” and “unwitting”).
It’s the third and potentially most damaging category—the “malicious”—where behavioral analytics and other advanced tools are coming into play more and more.
Traditionally, a typical enterprise’s security operations center (SOC) was focused on external threats and very much dependent on machine data. But given growing concern over insider threats, more organizations are incorporating “identity” into their security operations to gain a fuller picture of what people are doing and why.
About 25 percent of security professionals surveyed recently by Accenture and HfS Research said they expected behavioral tracking to be “very important” or “critically important” for their cybersecurity capabilities over the next 12 to 18 months. That was the third-highest figure among 13 technology categories (behind artificial intelligence and data anonymization).
Behavioral analytics merges user activity, data access patterns and technical indicators from the network to get a fuller picture of whether people are acting outside normal parameters. We’re looking for meaningful anomalies in these patterns—anomalies that may indicate threats.
So how do we put this capability to work? Consider a group of users: say, nurses in a hospital emergency room who all have the same rights to data systems, patient records, scheduling and billing information, and other digital assets.
By bringing user behavior into the SOC, you could see if one subset of nurses is accessing more patient records than others. If a couple of nurses appear to be snooping on patient information and putting hospital data at risk, the SOC can use behavioral analytics to decide whether that’s the normal course of business, or whether it needs to be investigated.
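A concrete form of that peer-group comparison, added here as example code that is not from the original post: every user's volume of distinct patient records viewed is scored against the colleagues who share their role, using a robust (median/MAD) score so that one heavy snooper does not drag the baseline up. The access log, user and role names, the minimum peer-group size and the 3.5 cutoff are all constructed for the example.

```python
"""Peer-group scoring of patient-record access: an added example, not code from
the original post. Each user's distinct-record count is compared with colleagues
in the same role via the modified z-score (median and MAD), so one snooper cannot
inflate the baseline. Users, roles, counts and cutoffs are constructed."""
from collections import defaultdict
from statistics import median

# Constructed access log rows: (user, role, patient_id), one row per record view.
# nurse_f views far more records than ER peers; billing_i is a mild outlier.
_VIEWS = {"nurse_a": 5, "nurse_b": 6, "nurse_c": 5, "nurse_d": 7, "nurse_e": 5,
          "nurse_f": 40, "nurse_g": 6, "billing_h": 2, "billing_i": 3, "billing_j": 2}
ACCESS_LOG = [(u, "er_nurse" if u.startswith("nurse") else "billing", f"p{i}")
              for u, n in _VIEWS.items() for i in range(n)]
MIN_PEERS = 3    # fewer peers than this gives no meaningful baseline: skip
THRESHOLD = 3.5  # Iglewicz-Hoaglin cutoff for the modified z-score

def distinct_patients_per_role(log):
    """Map role -> {user: number of distinct patient records viewed}."""
    seen = defaultdict(lambda: defaultdict(set))
    for user, role, patient in log:
        seen[role][user].add(patient)
    return {r: {u: len(p) for u, p in us.items()} for r, us in seen.items()}

def modified_z(value, peers):
    """Robust z-score of value against its peer group (user included)."""
    med = median(peers)
    abs_dev = [abs(p - med) for p in peers]
    mad = median(abs_dev)
    if mad > 0:
        return 0.6745 * (value - med) / mad
    mean_ad = sum(abs_dev) / len(abs_dev)  # fallback when MAD collapses to 0
    return 0.0 if mean_ad == 0 else (value - med) / (1.253314 * mean_ad)

def score_users(log):
    """Return {user: (role, count, score)}; score is None when unscorable."""
    results = {}
    for role, counts in distinct_patients_per_role(log).items():
        peers = list(counts.values())
        for user, n in counts.items():
            z = modified_z(n, peers) if len(peers) >= MIN_PEERS else None
            results[user] = (role, n, z)
    return results

def flagged(log, threshold=THRESHOLD):
    """Users whose access volume sits far above their peer-group baseline."""
    return sorted(u for u, (_, _, z) in score_users(log).items()
                  if z is not None and z > threshold)

if __name__ == "__main__":
    for user, (role, n, z) in sorted(score_users(ACCESS_LOG).items()):
        print(f"{user:10} {role:9} records={n:3} score={z}")
    print("review queue:", flagged(ACCESS_LOG))  # ['nurse_f']
```

The score is only a prompt for review; whether nurse_f's volume is a legitimate shift pattern or snooping is the business-context judgment the post describes, which the code cannot make.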
Under traditional methods, the SOC probably wouldn’t have flagged this kind of activity. Even with behavioral analytics, though, it’s difficult to make sound judgments until you bring “business understanding” into the SOC.
Context and understanding are operative terms here. Without business context, you can get a lot of false positives and other noise in your system and end up crying wolf and creating distraction. You might actually decrease your security effectiveness and find yourself swamped with data that doesn’t really matter. It takes a solid team on the ground, with a firm grasp of the business, to make good judgments.
It’s becoming clear that behavioral analytics, applied effectively and coupled with business understanding, will be a valuable asset as organizations look for the individuals behind the 1s and zeroes and defend what matters most.