While most security programs today collect data around application event logs and firewall and network devices to form the bedrock of their security analytics programs, in many cases they're still not tracking that to users. According to the recent SANS Analytics and Intelligence Survey, only about one-third of organizations today collect user behavior monitoring data. But that's expected to change--about three-fourths of respondents say they'd like to start collecting this data in the future.
User behavior analytics can offer a ton of value on a number of fronts. Not only do these metrics offer visibility into potential insider threats, but they can also show early red flags for when accounts have been compromised by external attackers. The key is remembering that these metrics are most useful when they're measuring change of behavior--which means that the foundation of a behavior analytics program is understanding what normal behavior looks like before seeking out anomalies.
"While most compromises take only minutes to execute, they can remain undetected for days, weeks, and months after the fact," wrote Rapid7's Tod Beardsley, security research manager, and Roy Hodgman, data scientist, in a best practices guide they recently developed about user behavior analytics. "IT security administrators should be alert for some tell-tale compromise events, but this is difficult to do without first establishing a baseline of what is to be expected in a particular network."
According to the pair, there are four important areas organizations should focus on when establishing baselines and measuring changes in user behaviors.
Differentiate Between Humans And Machines
"Normal" behavior for accounts used by humans will look very different than that of service accounts used to carry out automated application activity and the like. These machine accounts usually have more permissions but are much more predictable than human-run accounts. At the same time, the volume of activity is likely to be much higher than human accounts.
"Incident responders looking to identify account takeovers through user behavior analytics must know what type of account they are looking at when deciding what constitutes abnormal behavior," Beardsley and Hodgman say.
Use These 3 Measurements To Get A Baseline Cloud Usage Reading
To start understanding the extent of cloud usage and get a handle on how users are interacting with cloud accounts, organizations should start first by examining web proxy, DNS records and firewall data to establish which applications are used most.
"Once services and their associated users are identified, you have great data to start a conversation with particular teams within the organization on which cloud services are required for productivity and how to provide these services, or alternatives, securely," Beardsley and Hodgman write.
That benchmark having been established, these metrics can also be used to track how well shadow IT is being contained in the future.
Take Advantage Of Mobile Device Location Data
Mobile devices may be a pain in the neck for security pros in many respects, but their ubiquity actually presents a really great opportunity for tapping into the power of user behavior analytics.
"Forward-looking security programs are using the location of smartphones as a data point in user behavior analytics to flag any situation where an authentication is coming from a different physical location than the location of the smartphone," they write.
Keep Tabs On Local Machine Admin Accounts
Enterprises are wont to leave themselves open to a huge analytics blind spot if they only watch Active Directory accounts without keeping track of local machine administrator accounts. That's because the bad guys tend to leverage these local accounts to move laterally until they can find a really juicy vulnerability to exploit in a more critical account.
"This is especially fruitful in companies that use a standard, golden image for rapid desktop deployment and keep all local domain administrator passwords identical to simplify helpdesk requests," Beardsley and Hodgman write.