Lack of employee context hinders protection efforts
Even with significant security solution spend, program maturity and external third-party certification efforts, organizations continue to struggle to adapt and protect themselves from attackers employing new and innovative approaches that take advantage of the very systems put in place to thwart them.
Today’s attackers are very sophisticated, well-funded and patient. They act more like detectives and scientists as they follow a systematic approach to understand their targets’ environments, their nuances and day-to-day operations even better than you do. They know that security point solutions have an important role to play in protecting your environment but that they also have their limitations. Attackers test these to understand exactly when an organization reacts and when it does not. But it doesn’t end there.
These malicious actors know that because of the significant noise level generated by individual security solutions, even with the best of teams, security operations typically gets overwhelmed from data overload. They also know that internal security teams suffer from a severe lack of consolidated visibility and contextualization across the individual security solution deployed within your environment. Specifically, they know that when a user triggers an event in one system, it typically is not correlated with other events reported in another security solution by this same user. This is important because what might first appear to be benign noise in one security solution perhaps becomes the event that tips the scale of importance when taken in context with events reported in other security solutions.
Attackers exploit this gap in a security operation’s risk visibility to hide in plain sight. They masquerade within the activities of existing entities such as regular users, system accounts, administrative accounts and privileged user accounts while subtly mutating normal behaviors to elevate privileges, install various hacking tools and, over time, gain greater access to sensitive systems and data. The wolf truly is in sheep’s clothing and it is walking amongst the flock picking up the crown jewels along the way.
The best way to start addressing these new attack approaches: user behavior analytics. First, organizations must continue to deploy point solutions that mitigate specific technology and operational threats. Next, they must also link security solutions together in a coordinated fashion to get the most leverage and effectiveness from their security investments. Finally, the last, and arguably the most critical, piece of the puzzle is gaining a clear understanding of the typical actions and behaviors from each type of entity operating in your environment. This forms the foundation for establishing baselines that act as guides, identifying anomalous behaviors indicative of something that should be investigated.
So, how do organizations take this from concept to reality? They should:
- Establish automation processes to baseline employee behaviors and identify anomalies
- Build processes to automate responses for non-malicious user activities by assigning them to training and monitoring for recidivism
- Escalate users with clear indicators of compromise to investigative teams for immediate action
Focusing on a users’ overall behavior instead of individual events in isolation provides the leverage that finally tips the scales in the favor of your security team instead of attackers. It removes the noise and shines a light on what is most important to your organization right now.
Eric Ouellet is Vice President of Strategy at Bay Dynamics. Eric brings more than 25 years of experience in various disciplines within the information technology industry. He is responsible for Bay Dynamics’ overall market and product strategy, positioning, communications and channel and partner enablement. Prior to Bay Dynamics, he spent 10 years at Gartner, were he defined and established some of the highest growth areas in the fast-paced security industry. Eric is a well respected public speaker, prolific author and holds several industry designations including CISSP, ISSAP and ISSMP, amongst others.