BreachExchange mailing list archives

Why you need to pay attention to how people use your systems


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 2 May 2014 13:37:31 -0600

http://www.csoonline.com/article/2150825/security-leadership/why-you-need-to-pay-attention-to-how-people-use-your-systems.html

Behavioral analysis was the hot concept back in the late 90s. Except that
the approach never really worked well enough to adopt; even folks who were
slaves to routine managed to disrupt the baseline pattern widely enough to
drive a truck through it.

Not anymore. Good timing, too.

Confirmed again with the release of the 2014 Verizon Data Breach
Investigations Report is the reality that attackers seek credentials. As
noted in the executive summary:

"User credentials are also a popular target, but mainly as a gateway to
other kinds of data or other systems."

Addressing the challenge means detecting when credentials are compromised
and used. A key to success is developing an accurate understanding of how
people use the systems and resources we need to protect.

As the importance of better insight to make better decisions continues to
grow, we have to adjust our own thinking, processes, and capabilities. Part
of getting it right includes considering the role people play.

Putting people back in focus

While profiling behavior is important, it tends to be a touchy subject with
people. The way we approach -- and explain -- the program, process, and
results goes a long way toward acceptance and success.

Minimally, this is a way to protect the systems and information our
colleagues rely on every day. We're part of a team, and this is ultimately
an opportunity to make it easier for people to do their jobs -- not
continue to tell them no and block them.

Aside: while I generally advise against broadly referring to colleagues as
'users' as a means of distancing ourselves, when it comes to behavior
profiling and analytics, the term user is appropriate. Just keep in mind it
works in aggregate, but we still serve people.

The upside of understanding who we serve

As Kevin Epstein, VP of Advanced Security and Governance at Proofpoint put
it simply, “people are your clients.”

With a mindset of serving our colleagues, focus turns to understanding how
different people use the systems and information. With the benefit of
improved solutions, this allows us to capture accurate behavioral profiles.

Epstein points out that "by building an understanding of how our clients
use the system, we improve incident response. It's helping discern the
difference between 'Mr. Clicky and the mistake'."

It provides the cues as to the level and type of response required. Looking
at trends and identifying common disruptions points out areas for improving
the security culture (read more about getting started here).

Capturing the right information and comparing it to the baseline also helps
with attribution. Quickly understanding if you are under 'attack' with
information about who, what, and potential targets improves both immediate
and future responses. It's the difference between constant reaction
(sometimes considered practice) and steady improvement.

Done right, this approach improves the entire cycle of prevention,
detection, and response. These benefits are possible when we know what
"normal" looks like.

Understanding normal in the age of constant change

"If behavior is malicious, the only way to find out is to understand
normal," explains Matt Hathaway, Senior Product Manager at Rapid7.

In a time when constant change is the new normal, the methods have to
adapt. When I asked what's changed from the last great push into behavior
profiling in the 90s, Hathaway pointed out that a key element is looking
for two or more indicators instead of reliance on a single behavior.

For example, Hathaway explained that during the recent response over
Heartbleed, a lot of Rapid7 put in an all-nighter (or two). In previous
approaches, one or more people logging into their systems at odd hours of
the evening would be a flag of potential misuse or compromise.

Current technologies are able to take into account location, timing, and
the activities of multiple people, and use that to consider whether the
behavior is deviating from the baseline enough to warrant action. And they
learn -- including what not to learn -- in the process.
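
As an added illustration of the multi-indicator rule Hathaway describes (this is not code from the article, from Rapid7, or from UserInsight), the following Python scores constructed login events against a constructed per-user baseline. The population-wide off-hours discount and the indicator thresholds are assumptions chosen to reproduce the Heartbleed all-nighter case: off-hours logins alone never alert, and they are discounted entirely when most of the team is up at once.

```python
# Constructed per-user baselines: usual login hours and countries.
# Sample data only, not from the article or any vendor product.
BASELINE = {
    "alice": {"hours": range(8, 19), "countries": {"US"}},
    "bob":   {"hours": range(9, 18), "countries": {"US"}},
    "carol": {"hours": range(7, 17), "countries": {"US", "CA"}},
}

def offhours_share(events, baseline):
    """Fraction of baselined users seen outside their usual hours in this window."""
    users = {u for u, hour, _, _ in events if hour not in baseline[u]["hours"]}
    return len(users) / len(baseline)

def indicators(event, baseline, share):
    """Independent indicators a single login event trips (assumed thresholds)."""
    user, hour, country, failures = event
    profile = baseline[user]
    hits = []
    # Off-hours counts only when it is unusual for the population as a whole;
    # an incident-response all-nighter shifts everyone's timing at once.
    if hour not in profile["hours"] and share < 0.5:
        hits.append("off-hours")
    if country not in profile["countries"]:
        hits.append("new-country")
    if failures >= 3:
        hits.append("failures-before-success")
    return hits

def triage(events, baseline, min_indicators=2):
    """Alert on an event only when two or more indicators coincide."""
    share = offhours_share(events, baseline)
    alerts = {}
    for event in events:
        hits = indicators(event, baseline, share)
        if len(hits) >= min_indicators:
            alerts.setdefault(event[0], []).append(hits)
    return alerts

# Window 1 (constructed): the whole team pulls an all-nighter during a response.
ALL_NIGHTER = [("alice", 2, "US", 0), ("bob", 2, "US", 0), ("carol", 3, "US", 0)]
# Window 2 (constructed): a quiet night; one account arrives from a new country
# after repeated failures.  Event tuples are (user, hour, country, failures).
QUIET_NIGHT = [("bob", 3, "RO", 6)]

if __name__ == "__main__":
    print(triage(ALL_NIGHTER, BASELINE))  # {}
    print(triage(QUIET_NIGHT, BASELINE))  # {'bob': [['off-hours', 'new-country', 'failures-before-success']]}
```

A lone off-hours login from a usual country on a quiet night still produces no alert, which is the single-indicator false positive the older approach would have raised.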

Hathaway notes that the key point in picking the right system is its
ability to drive actionable intelligence instead of just a series of alerts.

Actionable intelligence from machine learning with human validation

I'm seeing more companies incorporate machine learning and data science to
offer better solutions. When I asked Hathaway about that, he explained that
UserInsight, the new program from Rapid7, uses a blended approach of
machine learning with "the right touch of human validation."

What caught my attention was the ability to build on the experience of the
Metasploit and penetration testing teams and incorporate human guidance
into the overall solution.

Hathaway pointed out that reliance on only machine learning “could lead to
an environment of unwanted behavior included in the baseline.”

In the process of learning, some things are accepted, while others -- like
correlating user accounts to specific people -- may trigger an initial
manual review.

The goal of any solution is to build an accurate understanding of what is
normal in your organization to drive actionable intelligence when something
isn't right.

Focusing on people to protect systems and information

We know attackers seek credentials. The more we do to profile normal
behavior, the more likely we are to make this route of attack harder.

The importance of behavioral profiling and analysis is increasing. The good
news is the technology is improving, too.

Even better, emerging solutions are poised to provide insights and guidance
that benefit the entire cycle of prevention (setting our bias aside),
detection, and response.

This is another opportunity to partner with the people we serve and make
their jobs easier by protecting the systems and information we all rely on.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
sales () riskbasedsecurity com
