Every CSO needs to vigilantly guard against the growth and sophistication of external cyber-threats, but the biggest cyber-risk may be what is lurking within their own network. Negligent employees, malicious insiders, and compromised users and hosts often have the benefit of legitimate credentials to exploit weaknesses in traditional security infrastructure.
Traditional perimeter defenses give free rein to those credentials. But to determine if those “users” are part of an attack, enterprises really need to focus security on the behavior of who or what is using authorized credentials.
In a recent discussion on Verizon’s 2017 Data Breach Investigations Report, the company’s senior security specialist and RISK Team leader, John Grim, told Computer Business Review that “[in] 81% of the data breaches that we looked at this year in terms of data sets, the threat actors are leveraging those default passwords, those weak passwords, or those passwords that have been stolen.”
One in five employees in a recent survey indicates they keep passwords in plain sight. Another survey finds that 23% of workers would share sensitive, confidential, or regulated company information if they believed the risk was low and the potential benefit high.
Other risks come from authorized guests. Guest networks are not necessarily well protected or well segmented, which can let guests move into parts of the network they should never reach and access data that should be restricted.
Trusted partners represent yet another threat vector. As CSO pointed out recently, “The use of third-party providers is widespread, as are breaches associated with them.”
The breach of Target’s point-of-sale systems in 2013 was traced to a heating and air conditioning vendor whose legitimate credentials had been stolen, according to KrebsOnSecurity.
A bad actor with legitimate credentials, whether an insider or outsider, can probe for weaknesses once on the network. Because the credentials themselves are valid, authentication and perimeter controls see nothing wrong; the remaining signal is the change in the actor’s behavior that indicates an attack is under way.
With the benefit of machine learning, user and entity behavior analytics (UEBA) can detect anomalous actions that may indicate unauthorized activity and attacks. Aruba IntroSpect combines supervised and unsupervised machine learning models so that the system learns baselines from the environment, keeps adapting as behavior changes, and can flag anomalies and corroborate malicious activity before an attack inflicts damage.
Bad behaviors on the network can be detected if you know what to look for and have the capabilities to do so. For example, when users access systems, how long do they stay on an application? What amount of data do they access? From where and with what devices are they doing so?
All those activities can be used to build baselines, or profiles, of what is normal behavior; anomalies can then be detected individually and correlated over time, alerting security professionals to take appropriate action when certain threshold conditions are met. With UEBA, baselines can also be built around the activities of peer groups, so that if, for example, a member of the finance group is behaving differently from his or her peers, it can be quickly detected. Two caveats apply in practice: a single anomaly is a lead to investigate, not proof of an attack, and a baseline learned while an attacker is already active will absorb that activity as “normal,” so the learning window itself deserves scrutiny.
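The mechanics described above (per-user baselines, peer-group baselines, per-event anomaly scoring, and correlation of scores over time against an alert threshold) can be shown in a small worked example. The code below is an added illustration, not Aruba IntroSpect’s own logic or any product API; all user names, groups, session records and scoring weights are invented for the example, and the z-score rule, the 10% spread floor and the 24-hour risk half-life are assumptions chosen to make the behavior visible.

```python
"""Toy UEBA scorer (added example, not product code).

Builds per-user and peer-group baselines from a constructed 'learning window',
scores new sessions against both, then accumulates time-decayed risk per user
and alerts when it crosses a threshold. All data is constructed for the example.
"""
from collections import defaultdict
from statistics import mean, pstdev

FIELDS = ("user", "group", "minutes", "bytes", "country", "device", "ts")


def ev(user, group, minutes, nbytes, country, device, ts=0):
    """Build one session record: who, peer group, session length, data read,
    source country, device name, and a timestamp in hours (constructed)."""
    return dict(zip(FIELDS, (user, group, minutes, nbytes, country, device, ts)))


# Constructed learning window of normal sessions for three users in two groups.
BASELINE_EVENTS = [
    ev("alice", "finance", 30, 2_000_000, "US", "alice-laptop"),
    ev("alice", "finance", 35, 2_400_000, "US", "alice-laptop"),
    ev("alice", "finance", 25, 1_800_000, "US", "alice-laptop"),
    ev("alice", "finance", 40, 2_200_000, "US", "alice-laptop"),
    ev("bob", "finance", 28, 1_900_000, "US", "bob-laptop"),
    ev("bob", "finance", 32, 2_100_000, "US", "bob-laptop"),
    ev("bob", "finance", 36, 2_500_000, "US", "bob-laptop"),
    ev("bob", "finance", 30, 2_300_000, "US", "bob-laptop"),
    ev("carol", "engineering", 120, 20_000_000, "US", "carol-ws"),
    ev("carol", "engineering", 90, 25_000_000, "US", "carol-ws"),
    ev("carol", "engineering", 150, 22_000_000, "US", "carol-ws"),
    ev("carol", "engineering", 110, 18_000_000, "US", "carol-ws"),
]

# Constructed sessions to score. carol's 28 MB read is large for finance but
# ordinary for her engineering peers; alice's session looks like a stolen
# credential; bob drifts across three sessions that are each below threshold.
NEW_EVENTS = [
    ev("alice", "finance", 33, 2_100_000, "US", "alice-laptop", ts=1),
    ev("bob", "finance", 30, 2_200_000, "US", "bob-phone", ts=2),
    ev("carol", "engineering", 100, 28_000_000, "US", "carol-ws", ts=3),
    ev("bob", "finance", 31, 2_000_000, "RO", "bob-phone", ts=8),
    ev("alice", "finance", 35, 60_000_000, "RO", "unknown-win10", ts=10),
    ev("bob", "finance", 34, 4_000_000, "US", "bob-laptop", ts=14),
]


class Baseline:
    """Profile of one entity (a user or a peer group): numeric samples plus
    the set of countries and devices seen during the learning window."""

    def __init__(self):
        self.samples = defaultdict(list)
        self.countries, self.devices = set(), set()

    def add(self, e):
        for f in ("minutes", "bytes"):
            self.samples[f].append(e[f])
        self.countries.add(e["country"])
        self.devices.add(e["device"])

    def zscore(self, field, value):
        vals = self.samples[field]
        if not vals:
            return 0.0
        mu = mean(vals)
        # Floor the spread at 10% of the mean (assumed) so a very tight
        # baseline does not flag trivial variation.
        sd = max(pstdev(vals), 0.1 * abs(mu), 1e-9)
        return (value - mu) / sd


def build_baselines(events):
    """Return (per-user baselines, per-group baselines) from the learning window."""
    users, groups = defaultdict(Baseline), defaultdict(Baseline)
    for e in events:
        users[e["user"]].add(e)
        groups[e["group"]].add(e)
    return users, groups


def score_event(e, users, groups, z_limit=3.0):
    """Score one session: +3 per numeric field more than z_limit sigma above the
    user's own baseline, +3 above the peer group, +2 for an unseen country,
    +2 for an unseen device (weights assumed). Returns (score, reasons)."""
    score, reasons = 0, []
    me, peers = users[e["user"]], groups[e["group"]]
    for f in ("minutes", "bytes"):
        z_own, z_peer = me.zscore(f, e[f]), peers.zscore(f, e[f])
        if z_own > z_limit:
            score += 3
            reasons.append(f"{f}: {z_own:.1f} sigma above own baseline")
        if z_peer > z_limit:
            score += 3
            reasons.append(f"{f}: {z_peer:.1f} sigma above {e['group']} peers")
    if e["country"] not in me.countries:
        score += 2
        reasons.append(f"first session from {e['country']}")
    if e["device"] not in me.devices:
        score += 2
        reasons.append(f"unseen device {e['device']}")
    return score, reasons


def correlate(events, users, groups, threshold=8, half_life_h=24):
    """Accumulate per-user risk across sessions with exponential decay (assumed
    24 h half-life) and alert when the running risk reaches the threshold, so
    that several sub-threshold anomalies by one user still surface."""
    risk, last_ts, alerts = defaultdict(float), {}, []
    for e in sorted(events, key=lambda x: x["ts"]):
        u = e["user"]
        s, reasons = score_event(e, users, groups)
        if u in last_ts:
            risk[u] *= 0.5 ** ((e["ts"] - last_ts[u]) / half_life_h)
        risk[u] += s
        last_ts[u] = e["ts"]
        if risk[u] >= threshold:
            alerts.append({"user": u, "ts": e["ts"], "risk": round(risk[u], 2), "reasons": reasons})
            risk[u] = 0.0  # reset so the same burst is not reported twice
    return alerts


if __name__ == "__main__":
    users, groups = build_baselines(BASELINE_EVENTS)
    for a in correlate(NEW_EVENTS, users, groups):
        print(f"ALERT user={a['user']} t={a['ts']}h risk={a['risk']} reasons={a['reasons']}")
```

Running it, alice is alerted on her single high-scoring session (new country, new device, and a data volume far above both her own and the finance baseline), while bob is alerted only because three individually sub-threshold sessions (new device, then new country, then an unusually large read) accumulate within the decay window. carol’s 28 MB session scores zero because her engineering peers routinely read that much; the same session attributed to a finance user would score against both baselines.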
Knowing what is going on in your network is as important as knowing who is on it.
Get the CISO’s Guide to Machine Learning & User and Entity Behavioral Analytics.