
4 Tricks For Getting The Most Out Of User Behavior Analytics

First things first: establish what 'normal' metrics look like.

While most security programs today collect application event logs and data from firewalls and network devices to form the bedrock of their security analytics programs, in many cases they're still not tying that data to users. According to the recent SANS Analytics and Intelligence Survey, only about one-third of organizations today collect user behavior monitoring data. But that's expected to change--about three-fourths of respondents say they'd like to start collecting this data in the future.

User behavior analytics can offer a ton of value on a number of fronts. Not only do these metrics offer visibility into potential insider threats, but they can also show early red flags for when accounts have been compromised by external attackers. The key is remembering that these metrics are most useful when they're measuring change of behavior--which means that the foundation of a behavior analytics program is understanding what normal behavior looks like before seeking out anomalies.

"While most compromises take only minutes to execute, they can remain undetected for days, weeks, and months after the fact," wrote Rapid7's Tod Beardsley, security research manager, and Roy Hodgman, data scientist, in a best practices guide they recently developed about user behavior analytics. "IT security administrators should be alert for some tell-tale compromise events, but this is difficult to do without first establishing a baseline of what is to be expected in a particular network."

According to the pair, there are four important areas organizations should focus on when establishing baselines and measuring changes in user behaviors.


Differentiate Between Humans And Machines

"Normal" behavior for accounts used by humans will look very different than that of service accounts used to carry out automated application activity and the like. These machine accounts usually have more permissions but are much more predictable than human-run accounts. At the same time, the volume of activity is likely to be much higher than human accounts.

"Incident responders looking to identify account takeovers through user behavior analytics must know what type of account they are looking at when deciding what constitutes abnormal behavior," Beardsley and Hodgman say.

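The following sketch is an added example, not code from the Rapid7 guide or this article. It scores each account against its own history (median and median absolute deviation) with a tighter bound for service accounts than for human ones, and compares that with a single fixed limit. Account names, event counts and thresholds are constructed assumptions.

```python
from statistics import median

# Assumed alert thresholds (robust z-score): service accounts are predictable,
# so they get a tighter bound than noisy human accounts.
THRESHOLD = {"service": 3.0, "human": 6.0}

# Constructed sample data: events per hour over the baseline window.
BASELINE = {
    "svc-backup": ("service", [980, 1010, 995, 1002, 990, 1005, 998, 1001]),
    "jsmith": ("human", [12, 0, 30, 45, 8, 22, 0, 15]),
}

def robust_score(history, value):
    """Deviation from the median, scaled by the median absolute deviation."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    scale = max(1.4826 * mad, 1.0)  # floor avoids dividing by zero on flat histories
    return (value - med) / scale

def per_account_alerts(current, baseline=BASELINE):
    """Flag accounts whose current hourly volume departs from their own baseline."""
    alerts = {}
    for account, value in current.items():
        if account not in baseline:
            alerts[account] = True  # no baseline yet: surface for classification
            continue
        kind, history = baseline[account]
        alerts[account] = abs(robust_score(history, value)) > THRESHOLD[kind]
    return alerts

def global_alerts(current, limit=500):
    """Naive comparison: one fixed volume limit for every account."""
    return {account: value > limit for account, value in current.items()}

if __name__ == "__main__":
    now = {"svc-backup": 1020, "jsmith": 400}
    print("per-account:", per_account_alerts(now))
    print("global:", global_alerts(now))
```

With the sample data, the fixed limit alerts on the busy but normal service account and misses the human account whose volume jumped far above its own baseline; the per-account scoring does the reverse.
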

Use These 3 Measurements To Get A Baseline Cloud Usage Reading

To understand the extent of cloud usage and get a handle on how users are interacting with cloud accounts, organizations should start by examining web proxy, DNS records and firewall data to establish which applications are used most.

"Once services and their associated users are identified, you have great data to start a conversation with particular teams within the organization on which cloud services are required for productivity and how to provide these services, or alternatives, securely," Beardsley and Hodgman write.

That benchmark having been established, these metrics can also be used to track how well shadow IT is being contained in the future.
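
One way to build that baseline, as an added example that is not from the article or the Rapid7 guide: proxy rows already carry a user and a hostname, while firewall rows carry only IP addresses, so they are joined to DNS answers to recover the service name and to an address-to-user map to recover the user. The log formats, hostnames, addresses and the `IP_TO_USER` map are constructed assumptions, and taking the last two DNS labels as the service name is a simplification.

```python
from collections import defaultdict

# Constructed sample records in assumed, simplified formats.
PROXY = ["2024-01-15T09:00:01 alice CONNECT files.exampledrive.test:443",
         "2024-01-15T09:05:10 bob CONNECT files.exampledrive.test:443",
         "2024-01-15T09:06:00 alice CONNECT app.examplecrm.test:443"]
DNS = ["2024-01-15T09:10:00 10.0.0.7 A sync.examplepad.test 203.0.113.20"]
FIREWALL = ["2024-01-15T09:10:01 10.0.0.7 203.0.113.20 443 ALLOW",
            "2024-01-15T09:11:30 10.0.0.7 203.0.113.20 443 ALLOW"]
IP_TO_USER = {"10.0.0.7": "carol"}  # assumed to come from DHCP or asset data

def service_of(host):
    """Simplification: treat the last two labels as the service name."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def baseline(proxy, dns, firewall, ip_to_user):
    """Return [(service, hits, users)] sorted by most used first."""
    usage = defaultdict(lambda: {"hits": 0, "users": set()})

    def record(host, user):
        entry = usage[service_of(host)]
        entry["hits"] += 1
        entry["users"].add(user)

    for line in proxy:
        _, user, _, target = line.split()
        record(target.rsplit(":", 1)[0], user)
    # DNS answers map destination addresses back to the names clients asked for.
    resolved = {}
    for line in dns:
        _, _client, _rtype, qname, answer = line.split()
        resolved[answer] = qname
    # Direct connections never touch the proxy; only firewall plus DNS see them.
    for line in firewall:
        _, src, dst, _port, action = line.split()
        if action == "ALLOW" and dst in resolved:
            record(resolved[dst], ip_to_user.get(src, "unknown:" + src))
    return sorted(((s, e["hits"], sorted(e["users"])) for s, e in usage.items()),
                  key=lambda row: (-row[1], row[0]))

if __name__ == "__main__":
    for service, hits, users in baseline(PROXY, DNS, FIREWALL, IP_TO_USER):
        print(f"{service:20} {hits:3} {', '.join(users)}")
```

Re-running the same aggregation on a later window and diffing the service list against this baseline gives the shadow IT trend the article refers to.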


Take Advantage Of Mobile Device Location Data

Mobile devices may be a pain in the neck for security pros in many respects, but their ubiquity actually presents a really great opportunity for tapping into the power of user behavior analytics.

"Forward-looking security programs are using the location of smartphones as a data point in user behavior analytics to flag any situation where an authentication is coming from a different physical location than the location of the smartphone," they write.

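The check described in that quote, as an added example that is not from the article or the Rapid7 guide: each authentication is compared with the user's most recent phone location fix, and the result is "no_fix" rather than a guess when the only fix is stale. The coordinates, timestamps, 30-minute freshness window and 100 km tolerance are constructed assumptions.

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_FIX_AGE = timedelta(minutes=30)  # assumed: older phone fixes are too stale to compare
MAX_DISTANCE_KM = 100.0              # assumed: tolerance for coarse IP geolocation

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def classify(auth, fixes):
    """Return 'ok', 'mismatch' or 'no_fix' for one authentication event."""
    user, when, where = auth
    recent = [(abs(when - t), loc) for u, t, loc in fixes
              if u == user and abs(when - t) <= MAX_FIX_AGE]
    if not recent:
        return "no_fix"  # nothing to compare against: do not guess
    _, phone_loc = min(recent, key=lambda r: r[0])
    return "mismatch" if haversine_km(where, phone_loc) > MAX_DISTANCE_KM else "ok"

# Constructed sample data: (user, time, (lat, lon)).
T0 = datetime(2024, 1, 15, 9, 0)
PHONE_FIXES = [
    ("alice", T0, (42.36, -71.06)),
    ("bob", T0 - timedelta(hours=5), (42.36, -71.06)),
]
AUTH_EVENTS = [
    ("alice", T0 + timedelta(minutes=5), (42.37, -71.11)),  # same metro area as her phone
    ("alice", T0 + timedelta(minutes=10), (1.35, 103.82)),  # far from her phone
    ("bob", T0, (42.36, -71.06)),                            # only a stale fix exists
]

def run():
    """Classify every sample authentication against the sample phone fixes."""
    return [classify(event, PHONE_FIXES) for event in AUTH_EVENTS]

if __name__ == "__main__":
    for event, verdict in zip(AUTH_EVENTS, run()):
        print(event[0], event[1].isoformat(), verdict)
```
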
Keep Tabs On Local Machine Admin Accounts

Enterprises are wont to leave themselves open to a huge analytics blind spot if they only watch Active Directory accounts without keeping track of local machine administrator accounts. That's because the bad guys tend to leverage these local accounts to move laterally until they can find a really juicy vulnerability to exploit in a more critical account.

"This is especially fruitful in companies that use a standard, golden image for rapid desktop deployment and keep all local domain administrator passwords identical to simplify helpdesk requests," Beardsley and Hodgman write.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
