Sergey Nivens - Fotolia
Behaviour analytics technology is being developed or acquired by a growing number of information security suppliers. In July 2015 alone, European security technology firm Balabit released a real-time user behaviour analytics monitoring tool called Blindspotter and security intelligence firm Splunk acquired behaviour analytics and machine learning firm Caspida. But what is driving this trend?
Like most trends, there is no single driver, but several key factors that come together at the same time.
In this case, storage technology has improved and become cheaper, enabling companies to store more network activity data; distributed computing capacity is enabling real-time data gathering and analysis; and at the same time, traditional signature-based security technologies or technologies designed to detect specific types of attack are failing to block increasingly sophisticated attackers.
As companies have deployed security controls, attackers have shifted focus from malware to individuals in organisations, either stealing their usernames and passwords to access and navigate corporate networks without being detected or getting their co-operation through blackmail and other forms of coercion.
Stealing legitimate user credentials for both on-premise and cloud-based services is becoming increasingly popular with attackers as a way into an organisation that enables them to carry out reconnaissance, and it is easily done, according to Matthias Maier, European product marketing manager for Splunk.
“For example, we are seeing highly plausible emails that appear to be from a company’s IT support team telling a targeted employee their email inbox is full and their account has been locked. All they need to do is type in their username and password to access the account and delete messages, but in doing so, the attackers are able to capture legitimate credentials without using any malware and access corporate IT systems undetected,” he said.
An increase in such technique by attackers is driving a growing demand from organisations for technologies such as behaviour analytics that enable them to build an accurate profile of normal business activities for all employees. This means if credentials are stolen or people are being coerced into helping attackers, these systems are able to flag unusual patterns of behaviour.
New behaviour analytics tools such as Balabit’s Blindspotter are able to perform analysis in real time or near real time, enabling organisations to respond quickly, but also apply analytics retrospectively.
Detecting the threat posed by the increased abuse of legitmate credentials as well as insiders collaborating willingly or unwillingly with attackers is the most obvious application of behaviour analytics, which enables organisations to look at activities across multiple business silos, but this is only the beginning, according to Maier.
Through its acquisition of Capida, Splunk aims to integrate machine learning into its products to enable organisations to tap into non-security data to help build ever more accurate user profiles to reduce false positives to an absolute minimum. “Machine learning is relatively mature and effective in detecting fraud in the credit card industry, and we believe there is great potential for applying this technology to detecting malicious or criminal activity on company networks,” said Maier.
Read more about behaviour analytics
- Behavioural analysis could have prevented Salesforce.com employee inadvertently handing over access to customer database
- There is a growing trend in the industry towards merging big data and security
- Many logs are generated and then ignored as resources to review and analyse them in a timely and useful manner are lacking
- Deploying a successful network behavioural analysis project begins with co-operation and involvement from many teams in your organisation
While he admitted behavioural analytics is not a cure-all, Maier said he believes that as the technology matures, there will be a growing number of use cases where the technology is a good fit, especially if organisations expand their monitoring from IT infrastructure to include key business systems and applications. “This means organisations will need to identify not only their most important data assets but also their key IT systems, which many organisations are still unable to do,” he said.
Another important area to focus on, said Maier, is response. Balabit’s Blindspotter is not only about detection, but also enables automatic responses such as requiring additional authentication or shutting down a process or transaction where highly unusual behaviour is detected. Splunk is also focusing on developing response capabilities to enable organisations to block malicious activity as soon as it is detected.
Splunk’s technology is also aimed at going beyond identifying attacks in progress to identifying the attackers behind them. “The job of company and national computer emergency response teams is to find the attackers, and many of them are heavy users of Splunk’s technology,” said Maier.
Behaviour analytics technology also brings all activity together in a central place, enabling organisations to identify who in the organisation was affected by an attack and could possibly have had their user credentials compromised.
“Deleting a phishing email from the inboxes of all targeted employees does not stop the threat; it is also important to know who responded to the email before it was detected and deleted, which is an example of how the technology can be used in incident response,” Maier said.
The promise of behaviour analytics is that it will enable organisation to know who did what, where and when, as well as if it was anomalous and worth of investigation or not. Judging from the recent round of investments product announcements around behaviour analytics, it is likely this will be the focus of attention for the security industry in the coming months.