Derek Lin, Chief Data Scientist at security intelligence software firm Exabeam explores how behavioural analytics can help to discover cyber threats hiding in big data.
Data breaches are continuing to hamper businesses with no signs of stopping. According to Gemalto’s Breach Level Index, a report on the number of data records lost over time, more data records have been lost or stolen in the first half of 2017 than all of 2016. The statistics not only reveal the worrying state of cyber security globally, they also highlight credential theft as a major part of the problem. Each year since 2013, ‘identity theft’ has been the most common attack vector, a tactic that allows malicious actors to act covertly while inside networks.
Clearly, when it comes to enterprise security, mindsets need to change because relying on threat prevention technologies is no longer enough. What’s needed is a more proactive, data-driven approach that can transform how companies protect their sensitive data.
The time it takes for companies to discover a security breach is critical. Breaches can go undetected for weeks or months – it took over a year for the Sony breach to be identified, during which time millions of records were compromised. More often than not, there are multiple telltale signs that an attack is under way. The issue is that companies struggle to sift through the enormous number of logs and alerts that security technologies are producing to know what is important.
What security analysts need is a means to leverage these big data sets to identify uncharacteristic activity as it happens, ideally before data is compromised. These data sets are made up of activity logs from which a ‘baseline’ of normal user or machine activity can be established. With this baseline in place, the moment a user’s or machine’s activity strays from the norm, the security team can be alerted immediately to take action: locking down the account in question and launching an investigation.
Analytics shine a light on anomalous behaviours
User and Entity Behaviour Analytics (UEBA) technologies have emerged to meet this growing need. By leveraging machine learning, UEBA can uncover deviations from normal behaviour and automatically increase a risk score for the user or machine concerned. Once the risk score reaches a certain threshold, the security analyst is notified. This approach helps eliminate the time IT teams spend looking into false positives. Machine learning takes much of the work out of sifting through alerts and logs and helps remove ‘alert fatigue’, allowing security analysts to deal with real threats in near real-time.
Analysts can review data across a variety of vectors, for example by user or by individual anomaly, to identify patterns. While one anomaly in itself may not be of interest, an aggregation of anomalies related to one user will more than likely indicate a threat. Similarly, by applying complex data-mining processes to VPN and activity logs, infrastructure access from compromised accounts can be quickly identified. Meanwhile, database and file-level access logs can help identify abnormal activity related to specific accounts and assets – whether that’s an intruder from outside or an internal threat.
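The baseline-and-threshold idea from the preceding paragraphs can be shown end to end in a small script: a baseline of hosts, working hours and actions is learned per user from historical activity logs, each new event is scored against that baseline, and points accumulate into a per-user risk score that only raises an alert once several anomalies aggregate. This is an added illustration, not Exabeam's product code; the log format, the point values, the alert threshold and the sample log lines are all constructed assumptions.

```python
"""Toy User and Entity Behaviour Analytics (UEBA) baseline and risk scoring.

Added example, not Exabeam's product code. The log format, the point values,
the alert threshold and the sample log lines are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample logs: "<ISO timestamp> <user> <host> <action>".
# The baseline window is the history used to learn what is normal per user.
BASELINE_LOGS = [
    "2017-09-01T08:05:00 alice ws-alice-01 login",
    "2017-09-01T08:10:00 alice ws-alice-01 file_read",
    "2017-09-04T08:30:00 alice ws-alice-01 login",
    "2017-09-04T09:00:00 alice ws-alice-01 file_read",
    "2017-09-05T09:15:00 alice ws-alice-01 login",
    "2017-09-01T13:00:00 bob ws-bob-07 login",
    "2017-09-01T13:30:00 bob db-prod-02 db_query",
    "2017-09-04T14:00:00 bob ws-bob-07 login",
    "2017-09-04T14:20:00 bob db-prod-02 db_query",
]

# Constructed observation window: alice's account shows several deviations at once,
# bob shows a single, harmless-looking late login.
OBSERVED_LOGS = [
    "2017-09-12T02:40:00 alice vpn-gw-03 login",
    "2017-09-12T02:45:00 alice db-prod-02 db_query",
    "2017-09-12T13:10:00 bob ws-bob-07 login",
    "2017-09-12T13:40:00 bob db-prod-02 db_query",
    "2017-09-12T16:30:00 bob ws-bob-07 login",
]

# Assumed point values: one deviation stays below the threshold, so only an
# aggregation of anomalies for the same user raises an alert.
POINTS = {"new_host": 30, "off_hours": 20, "new_action": 40}
ALERT_THRESHOLD = 60


def parse(line):
    """Split one log line into (timestamp, user, host, action)."""
    ts, user, host, action = line.split()
    return datetime.fromisoformat(ts), user, host, action


def build_baseline(lines):
    """Learn, per user, the hosts, hours of the day and actions seen in the baseline window."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set(), "actions": set()})
    for line in lines:
        ts, user, host, action = parse(line)
        profile = baseline[user]
        profile["hosts"].add(host)
        profile["hours"].add(ts.hour)
        profile["actions"].add(action)
    return dict(baseline)


def score_event(baseline, line):
    """Return (points, reasons) describing how far one event strays from the user's baseline."""
    ts, user, host, action = parse(line)
    profile = baseline.get(user)
    if profile is None:
        # No history at all: nothing can be called normal, so flag the event for review.
        return POINTS["new_host"] + POINTS["new_action"], ["no baseline for user"]
    points, reasons = 0, []
    if host not in profile["hosts"]:
        points += POINTS["new_host"]
        reasons.append(f"new host {host}")
    # Tolerate one hour of drift around the hours already seen for this user.
    if min(abs(ts.hour - h) for h in profile["hours"]) > 1:
        points += POINTS["off_hours"]
        reasons.append(f"off-hours activity at {ts.hour:02d}:00")
    if action not in profile["actions"]:
        points += POINTS["new_action"]
        reasons.append(f"new action {action}")
    return points, reasons


def assess(baseline, lines, threshold=ALERT_THRESHOLD):
    """Aggregate anomaly points per user and flag users whose risk score crosses the threshold."""
    risk = defaultdict(lambda: {"score": 0, "anomalies": [], "alert": False})
    for line in lines:
        points, reasons = score_event(baseline, line)
        entry = risk[parse(line)[1]]
        entry["score"] += points
        entry["anomalies"].extend(reasons)
        entry["alert"] = entry["score"] >= threshold
    return dict(risk)


if __name__ == "__main__":
    report = assess(build_baseline(BASELINE_LOGS), OBSERVED_LOGS)
    for user, entry in sorted(report.items()):
        flag = "ALERT" if entry["alert"] else "ok"
        detail = "; ".join(entry["anomalies"]) or "no anomalies"
        print(f"{user:6} score={entry['score']:3} {flag}: {detail}")
```

Run as written, alice's two off-hours events from unfamiliar hosts, one of them a database action she has never performed, add up to a score well past the threshold and are reported together as one alert, while bob's single late login scores below it and is left for the analyst's periodic review rather than interrupting them. A real deployment would learn the baseline from far more history, weight each anomaly by how rare it is for that user and their peer group, and decay scores over time; the structure (baseline, per-event scoring, per-user aggregation, threshold) is what the text describes.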
Helping to detect ‘unknown unknowns’, UEBA platforms effectively combine big data, machine learning and analytics to deliver a deep understanding of how systems and users behave. And, since cyber criminals are constantly evolving their attack vectors, it’s good to know that the algorithms built into UEBA tools keep on getting smarter too. Focusing only on preventing attacks made sense years ago. However, the modern threat landscape calls for a modern approach to security. Arming teams with the tools to protect networks, alert users to breaches, and minimise the fallout caused by an attack prepares them to address the risks most prevalent today. Ultimately, UEBA offers a highly efficient way of detecting both perimeter breaches and insider threats in real-time. Indeed, it’s a big data and analytics technology approach that delivers truly proactive security operations.