
Machine learning for networks

by Mark Rowe

As cyber attacks continue to rise, businesses are seeking more robust security solutions, writes Derek Lin, Chief Data Scientist at IT security intelligence product company Exabeam.

Having a properly secured network is a fundamental part of total security, helping to protect against insider and external threats. One way of addressing this is through network traffic flow monitoring tools and threat analysis based on the flow data they produce.

In spite of this, security breaches continue to happen. Why is this? Because very few of the network monitoring systems available on the market take into consideration one of the biggest risk factors on the network: the user.

The key to effective security is to take a user-centric approach, understanding each and every user’s normal or baseline behaviour. This allows businesses to answer some of the key questions that cannot be resolved by network monitoring tools alone. These include:

Exactly who is accessing the network?

The notion of being able to track who is accessing the network may seem simple in theory, but as business practices evolve, it is becoming harder and harder to achieve accurately in practice. Most employees today have composite identities consisting of information from multiple accounts, applications and repositories under their name. Even in a medium sized business, an employee’s identity can include a standard Windows ID, as well as numerous other accounts for apps such as SAP, Salesforce.com and Oracle, to name just a few. Adding to the confusion is the rise of BYOD policies, meaning many employees also use personal devices on the business network.

As a result, effectively tracking every ID for each employee in one central location is extremely difficult. Further muddying the waters is the issue of shared accounts used by multiple individuals. How can any business tie these to a specific user if there is no way of knowing who that user is? Without a way to answer these questions, it is impossible to know who is accessing the network.

Exactly what are they accessing?

Tracking exactly what assets and servers are being accessed on the network may seem like a fairly straightforward part of day-to-day network security, but unfortunately that is rarely the case. In many instances a limited understanding of exactly what assets are on the network plays a major role, usually because no centralised asset inventory or monitoring system is in place.

This is often down to IT security systems having been built up in a piecemeal fashion over time, resulting in a mass of different solutions ostensibly doing the same job, but all with limited functionality of their own. What this means is that IT may know what server is being accessed and which employee is accessing it. However, it’s unlikely the IT team would know what other information is on that same server, or how sensitive it is.

Is the person displaying normal user behaviour?

Even if the IT team is able to track who is accessing the network and exactly what they are accessing, the question of whether it is ‘normal behaviour’ for the individual in question can be extremely difficult to answer. This is because the context required to assess user behaviour is not captured by network flow data alone. As such, it is often little more than educated guesswork as to whether an individual is behaving within the confines of what is deemed ‘normal’, or whether their actions are abnormal and therefore suspicious.

While the term data science or ‘machine learning’ started as something of a buzzword within the IT industry, security experts are now waking up to its significant potential in helping to accurately answer key questions like those above. Using machine learning techniques, important connections between seemingly unrelated parts of identities can be discovered, allowing IT teams to create a detailed map of a user’s activity, even if various identity components are not explicitly linked.

For example, if an employee logs into the network from the office using his or her standard user credentials, then later that day logs in again remotely via a personal device from home using an admin account, these two actions would typically not be flagged as connected to the same individual. However, a machine learning engine would not only be able to connect them using behavioural data, but also track the employee’s actions over time, helping to build up a broad view of his or her true network activity.

Machine learning algorithms can also be used to analyse trends and create behaviour baselines on a per-user basis. Doing so helps provide the much-needed context required to spot and flag any activity that deviates too far from what is considered acceptable or normal. Furthermore, different machine learning techniques can be used to build accurate network asset models that give IT teams a true picture of everything on the network. As a result, it is far easier to keep a close eye on exactly what is being accessed at any given time. As part of this, assets belonging to executives and board members can be tagged as ‘high-risk’ items, meaning they are subjected to greater scrutiny and/or more stringent security measures.
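The two ideas above, stitching several accounts to one person and then scoring each new access against that person's own baseline (with a stricter threshold for assets tagged high-risk), can be shown end to end in a small script. The following is an added example, not code from Exabeam or from the author: the identity map, the asset tags, the log events, the feature set and the thresholds are all constructed assumptions, and the account-to-user links are hard-coded here rather than inferred, which is the part a real engine would learn from behavioural data. The score is a simple per-user surprise measure (the sum of -log P(value | user) over a few categorical features, with additive smoothing), chosen because it is easy to inspect, not because it is the method the article describes.

```python
"""Added illustrative example: stitch accounts to users, baseline per-user
behaviour, and score new access events. Not Exabeam code; all data is constructed."""
import math
from collections import Counter, defaultdict
from datetime import datetime

# Assumed identity map (account -> canonical user). In practice this is built
# from HR/IdM data or inferred by the analytics engine; hard-coded here.
IDENTITY_MAP = {
    "CORP\\jsmith": "jsmith",         # Windows domain account
    "jsmith@corp.example": "jsmith",  # SaaS (CRM) login
    "JSMITH01": "jsmith",             # ERP user ID
    "adm-jsmith": "jsmith",           # privileged admin account
    "CORP\\akhan": "akhan",
    "AKHAN02": "akhan",
}

# Assumed asset model: hosts owned by executives or holding sensitive data are
# tagged high-risk and get a lower alert threshold than everything else.
ASSET_TAGS = {"FIN-DB-01": "high-risk", "CEO-LAPTOP": "high-risk"}


def ev(ts, account, host, src_ip):
    """Build one constructed access event (timestamps are ISO 8601)."""
    return {"ts": ts, "account": account, "host": host, "src_ip": src_ip}


# Constructed training window: two days of ordinary office activity.
HISTORY = [
    ev("2024-03-04T09:02:00", "CORP\\jsmith", "WS-0142", "10.1.20.14"),
    ev("2024-03-04T11:30:00", "CORP\\jsmith", "WS-0142", "10.1.20.14"),
    ev("2024-03-04T14:05:00", "CORP\\jsmith", "WS-0142", "10.1.20.14"),
    ev("2024-03-04T16:45:00", "CORP\\jsmith", "WS-0142", "10.1.20.14"),
    ev("2024-03-04T10:20:00", "jsmith@corp.example", "CRM", "10.1.20.14"),
    ev("2024-03-04T15:10:00", "JSMITH01", "SAP-PRD", "10.1.20.14"),
    ev("2024-03-05T09:15:00", "CORP\\jsmith", "WS-0142", "10.1.20.14"),
    ev("2024-03-05T13:40:00", "CORP\\jsmith", "WS-0142", "10.1.20.14"),
    ev("2024-03-04T09:30:00", "CORP\\akhan", "WS-0200", "10.1.21.5"),
    ev("2024-03-04T12:00:00", "CORP\\akhan", "WS-0200", "10.1.21.5"),
    ev("2024-03-04T14:30:00", "AKHAN02", "SAP-PRD", "10.1.21.5"),
]


def user_of(account):
    """Resolve an account to its canonical user; unmapped accounts stay separate."""
    return IDENTITY_MAP.get(account, "unmapped:" + account)


def features(event):
    """Categorical features describing when, from where, to what and as whom."""
    hour = datetime.fromisoformat(event["ts"]).hour
    return {
        "hours": "work" if 8 <= hour < 19 else "off-hours",
        "host": event["host"],
        "src_net": event["src_ip"].rsplit(".", 1)[0],  # /24 of the source address
        "account": event["account"],
        "privileged": str(event["account"].startswith("adm-")),
    }


def build_baselines(history):
    """Per-user, per-feature value counts: each user's own 'normal'."""
    base = defaultdict(lambda: defaultdict(Counter))
    for event in history:
        user = user_of(event["account"])
        for name, value in features(event).items():
            base[user][name][value] += 1
    return base


def score(event, baselines, alpha=0.5):
    """Surprise score: sum of -log P(value | user) over the features, with
    additive smoothing (alpha) so a never-seen value is costly but finite."""
    user = user_of(event["account"])
    if user not in baselines:
        return user, math.inf  # no history at all for this identity
    total = 0.0
    for name, value in features(event).items():
        counts = baselines[user][name]
        n = sum(counts.values())
        k = len(counts) + 1  # seen values plus one 'other' bucket
        total -= math.log((counts[value] + alpha) / (n + alpha * k))
    return user, total


def evaluate(event, baselines, threshold=6.0, high_risk_threshold=3.0):
    """Alert when the score exceeds the limit chosen by the target asset's tag."""
    user, s = score(event, baselines)
    high_risk = ASSET_TAGS.get(event["host"]) == "high-risk"
    limit = high_risk_threshold if high_risk else threshold
    return {"user": user, "score": round(s, 2), "alert": s > limit}


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    office = ev("2024-03-05T10:15:00", "CORP\\jsmith", "WS-0142", "10.1.20.14")
    remote_admin = ev("2024-03-05T22:40:00", "adm-jsmith", "FIN-DB-01", "86.12.44.9")
    for e in (office, remote_admin):
        print(evaluate(e, baselines))
```

Running the script scores the morning office logon as ordinary (about 1.0) and the evening admin logon from a home address to the finance database as highly unusual (about 14.7), and both are attributed to the same user jsmith because the admin account is mapped to that person. The same office logon aimed at FIN-DB-01 scores about 3.6, which alerts only because the host is tagged high-risk; against an untagged host the identical score stays below the default threshold. An account with no mapping and no history gets an infinite score, which is the practical caveat: the baseline is only as good as the identity map and the training window behind it.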

Finally, the amount of computing power necessary to make all this work is roughly a tenth of what it was only a few years ago, putting powerful machine learning platforms well within reach of businesses both big and small.

The threat of cyber attack is an ongoing, daily consideration for security teams. Effective network security is essential to help understand who is accessing the network, what they are doing and whether or not it is ‘normal’ for them to be doing it. Machine learning will play an integral part in this. Incident response teams gain far greater awareness and visibility, as key information is tied together in ways not previously possible. IT teams finally have the context needed to make informed security decisions and better protect the network.

© 2024 Professional Security Magazine. All rights reserved.