Micro Focus is now part of OpenText. Learn more >

You are here

You are here

How behavioral analytics helps close the credentials security gap

Stan Wisseman Chief Security Strategist, CyberRes

Protecting user credentials from compromise is a nearly impossible task. Billions of credentials uncovered in data breaches are circulating online, and every month millions more are exposed, either through intrusions or unprotected servers. In addition, phishing attacks continue to dupe users into coughing up their credentials voluntarily, confounding the best-laid identity and access control plans.

Because credential compromise offers so many vectors for attackers, organizations have deployed a multitude of products to address them, such as:

  • Antivirus and email protection to mitigate phishing attacks
  • Access controls, including identity management to ensure that users are who they say they are, and single sign-on for reducing risks associated with accessing third-party sites
  • Two-factor authentication, which can make a stolen password useless

You'll always need layers of security controls to secure credentials. But when credential controls are bypassed—either by an external threat actor or an insider—user and entity behavioral analytics (UEBA) can help. The technology lets you detect unusual credential usage that could represent misuse, and respond accordingly to minimize or prevent data loss, sabotage, or other adverse effects on your business.

Here's what your team needs to know about UEBA.

Marshaling machine learning

User and entity behavioral analytics focuses on patterns of human behavior to detect anomalies that can indicate a potential threat. However, classic UEBA implementations can turn into data science experiments with little return on investment. A new generation of UEBA solutions apply machine learning (ML), which can greatly speed up the process of identifying and analyzing important trends, better protecting against genuine threats.

ML helps teams distill a vast amount of data efficiently, identify the most suspicious activities, and deliver the leads they need to find cyber-threats in minutes or days, not weeks or months.

Unsupervised machine learning-based UEBA solutions can train themselves to differentiate normal from anomalous activity with a much lower false-positives rate than traditional user and entity behavioral analytics approaches. They can provide high-confidence, actionable alerts to security analysts about the most risky users within an organization that could indicate a compromised account or a malicious insider.

The leads provided to analysts can present a distilled view of measured risk generated through dynamic machine learning and advanced mathematical models.

Attack velocity and frequency continue to increase, especially from phishing attacks. No security professional can match the rate at which a computational system can process and correlate the vast amounts of security data required to mitigate account takeovers. That's why the ML capability in UEBA products provides security teams a leg up to reduce the dwell time of these threat actors.

Appetite for data

For an ML-based UEBA product to work at its best, it needs quality data, and lots of it. The more data it's given to digest, the better it's able to educate itself and support targeted use cases. Data sources that can be fed into a user and entity behavioral analytics system include the following:

Security information and event management (SIEM) data

SIEMs don't create data, but they are a useful repository of data from security-related sources, such as user directories, server logs, and security tools.

Active Directory and LDAP directory information

These are common sources of security data for analytics programs. They can help a system understand role, organization, authentication, and access rights—all of which can be used to establish baselines from which anomalies can be tagged.

VPN, proxy, and NetFlow analytics products

You can use the network data those products collect—information such as data transfer volumes, data transfer locations, unusual connections between machines, and communications to unusual internal and external sources—to identify advanced attacks on a network.

Endpoint data

This is a rich source of user and IoT device activity data. It offers context for malware-based and insider attacks, and includes file activity (print, copy, paste, post, download), device activity (USB or Bluetooth activity, copy, download), application activity, and a variety of network communications.

Data consumed from data/IP repositories 

These sources include SharePoint, programs for source-code management, product lifecycle management, and electronic-content management. The data can enhance context about advanced and insider attacks and create visibility into threats within the enterprise.

Log and access-control data to major enterprise applications

These apps include SAP, Oracle, and SQL databases. These data sources offer additional context and coverage of attacks against business processes, financial data, and HR records. The data also offers attack visibility by insiders—especially privileged users—and targeted-attack account takeovers.

Other sources of data

These include watch lists, threat-intelligence feeds, and alerts from security, governance, and control tools. When correlated with analytics-defined incident data, this data can increase detection speed.

In addition, data from enrichment tools can be used to weigh analytic scores higher or lower, call out and alert specific events defined by the tool, or add incident context for a more complete picture of an unfolding attack.

Go beyond the basics

Security sources such as SIEM, IDS/IPS, and identity and access management are table stakes. Expanding into corporate email and unstructured data in the cloud is necessary if you want to understand what is normal for a given user.

Ultimately, closing the gaps in credential security requires an awareness of which gaps exist and how to mitigate them. As with most security efforts, there is no silver bullet: Each control has a role to play in credential security.

And remember that strong security is not just a matter of deploying tools and letting them do the work. Security teams need to work closely with their colleagues on the business side to gain a better understanding of—and the context of—the data that you're analyzing.

For more information on UEBA, see the recent Webinar, "SecOps Innovation: A look into the future of security insights."

Keep learning

Read more articles about: SecurityIdentity & Access Management