
11/19/2015
03:45 PM
4 Tricks For Getting The Most Out Of User Behavior Analytics

First things first: establish what 'normal' metrics look like.

While most security programs today collect data from application event logs, firewalls and network devices to form the bedrock of their security analytics programs, in many cases they still aren't tying that data back to individual users. According to the recent SANS Analytics and Intelligence Survey, only about one-third of organizations today collect user behavior monitoring data. But that is expected to change: about three-fourths of respondents say they'd like to start collecting this data in the future.

User behavior analytics can offer a ton of value on a number of fronts. Not only do these metrics offer visibility into potential insider threats, but they can also show early red flags when accounts have been compromised by external attackers. The key is remembering that these metrics are most useful when they measure a change in behavior, which means that the foundation of a behavior analytics program is understanding what normal behavior looks like before seeking out anomalies.

"While most compromises take only minutes to execute, they can remain undetected for days, weeks, and months after the fact," wrote Rapid7's Tod Beardsley, security research manager, and Roy Hodgman, data scientist, in a best practices guide they recently developed about user behavior analytics. "IT security administrators should be alert for some tell-tale compromise events, but this is difficult to do without first establishing a baseline of what is to be expected in a particular network."

According to the pair, there are four important areas organizations should focus on when establishing baselines and measuring changes in user behaviors.


Differentiate Between Humans And Machines

"Normal" behavior for accounts used by humans will look very different from that of service accounts used to carry out automated application activity and the like. These machine accounts usually have more permissions but are much more predictable than human-run accounts. At the same time, their volume of activity is likely to be much higher than that of human accounts.

"Incident responders looking to identify account takeovers through user behavior analytics must know what type of account they are looking at when deciding what constitutes abnormal behavior," Beardsley and Hodgman say.


Use These 3 Measurements To Get A Baseline Cloud Usage Reading

To start understanding the extent of cloud usage and get a handle on how users are interacting with cloud accounts, organizations should begin by examining web proxy logs, DNS records and firewall data to establish which applications are used most.

"Once services and their associated users are identified, you have great data to start a conversation with particular teams within the organization on which cloud services are required for productivity and how to provide these services, or alternatives, securely," Beardsley and Hodgman write.

Once that benchmark has been established, the same metrics can also be used to track how well shadow IT is being contained over time.


Take Advantage Of Mobile Device Location Data

Mobile devices may be a pain in the neck for security pros in many respects, but their ubiquity actually presents a really great opportunity for tapping into the power of user behavior analytics.

"Forward-looking security programs are using the location of smartphones as a data point in user behavior analytics to flag any situation where an authentication is coming from a different physical location than the location of the smartphone," they write.
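As an added illustration (not code from the article or from Rapid7's guide) of the two points above, here is a small baseline check that keys the "abnormal volume" threshold on whether an account is human or service, and separately flags an authentication whose geolocation differs from the user's registered smartphone location. The accounts, login counts, countries and sigma limits are all constructed assumptions.

```python
# Added example: per-account-type volume baseline plus phone/login geography check.
# All accounts, counts and locations are constructed sample data, not real telemetry.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed seven-day history: (account, account_type, logins_per_day).
HISTORY = [
    ("alice", "human", n) for n in (8, 10, 9, 11, 7, 9, 10)
] + [
    ("svc-backup", "service", n) for n in (400, 402, 398, 401, 400, 399, 400)
]

# Service accounts are predictable, so a smaller deviation is suspicious;
# human accounts vary day to day, so allow more slack (limits are assumptions).
SIGMA_LIMIT = {"human": 3.0, "service": 1.5}


def build_baseline(history):
    """Return {account: (account_type, mean_daily_logins, stddev)}."""
    per_acct = defaultdict(list)
    types = {}
    for acct, kind, n in history:
        per_acct[acct].append(n)
        types[acct] = kind
    return {a: (types[a], mean(v), pstdev(v)) for a, v in per_acct.items()}


def volume_anomaly(baseline, acct, observed):
    """True when today's login count exceeds the type-specific sigma limit."""
    kind, mu, sd = baseline[acct]
    sd = max(sd, 1.0)  # floor the stddev so a perfectly steady account cannot divide by zero
    z = (observed - mu) / sd
    return z > SIGMA_LIMIT[kind]


def location_mismatch(login_country, phone_country):
    """True when the authentication and the user's smartphone are in different countries."""
    return login_country.upper() != phone_country.upper()


def evaluate(baseline, event):
    """event keys: account, logins_today, login_country, phone_country."""
    flags = []
    if volume_anomaly(baseline, event["account"], event["logins_today"]):
        flags.append("volume")
    if location_mismatch(event["login_country"], event["phone_country"]):
        flags.append("location")
    return flags
```

The same service-account spike (three extra logins on a 400-per-day baseline) trips the check while a human account with similar variance does not, which is the point of knowing the account type before judging the deviation.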


Keep Tabs On Local Machine Admin Accounts

Enterprises leave themselves open to a huge analytics blind spot if they watch only Active Directory accounts without keeping track of local machine administrator accounts. That's because the bad guys tend to leverage these local accounts to move laterally until they can find a really juicy vulnerability to exploit in a more critical account.

"This is especially fruitful in companies that use a standard, golden image for rapid desktop deployment and keep all local domain administrator passwords identical to simplify helpdesk requests," Beardsley and Hodgman write.
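As an added example (not from the article or Rapid7's guide) of closing that blind spot, the detection below scans constructed Windows Security logon records for a local (non-domain) Administrator account authenticating over the network to several different hosts from the same source. The field names follow event ID 4624 (LogonType 3 is a network logon), but the events, hosts, addresses and the domain name CORP are all constructed.

```python
# Added example: flag local Administrator network logons fanning out across hosts.
# Records are constructed sample data shaped like Windows Security event 4624.
from collections import defaultdict

AD_DOMAIN = "CORP"  # assumed AD domain; a local account reports the host name here instead

# Constructed sample events. LogonType 3 = network logon. When TargetDomainName
# equals the workstation name rather than the AD domain, a local account was used.
EVENTS = [
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "Administrator",
     "TargetDomainName": "WS01", "Computer": "WS01", "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "Administrator",
     "TargetDomainName": "WS02", "Computer": "WS02", "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "administrator",
     "TargetDomainName": "WS03", "Computer": "WS03", "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "jsmith",
     "TargetDomainName": "CORP", "Computer": "WS04", "IpAddress": "10.0.0.9"},
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "Administrator",
     "TargetDomainName": "WS05", "Computer": "WS05", "IpAddress": "127.0.0.1"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "Administrator",
     "TargetDomainName": "WS06", "Computer": "WS06", "IpAddress": "10.0.0.7"},
]


def is_local_admin_network_logon(ev, ad_domain=AD_DOMAIN):
    """Successful network logon using the host-local Administrator account."""
    return (ev["EventID"] == 4624 and ev["LogonType"] == 3
            and ev["TargetUserName"].lower() == "administrator"
            and ev["TargetDomainName"].upper() != ad_domain.upper())


def hosts_per_source(events, ad_domain=AD_DOMAIN):
    """Map source IP -> set of hosts where a local-admin network logon landed."""
    seen = defaultdict(set)
    for ev in events:
        if is_local_admin_network_logon(ev, ad_domain):
            seen[ev["IpAddress"]].add(ev["Computer"])
    return seen


def flag_lateral_local_admin(events, min_hosts=2, ad_domain=AD_DOMAIN):
    """Source IPs whose local-admin network logons reached at least min_hosts hosts."""
    return sorted(ip for ip, hosts in hosts_per_source(events, ad_domain).items()
                  if len(hosts) >= min_hosts)
```

Interactive console logons (LogonType 2) and domain accounts are deliberately ignored so that a single help desk session on one machine does not fire the rule.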

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
