Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

11/19/2015
03:45 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

4 Tricks For Getting The Most Out Of User Behavior Analytics

First thing's first: establish what 'normal' metrics look like.

While most security programs today collect data around application event logs and firewall and network devices to form the bedrock of their security analytics programs, in many cases they're still not tracking that to users. According to the recent SANS Analytics and Intelligence Survey, only about one-third of organizations today collect user behavior monitoring data. But that's expected to change--about three-fourths of respondents say they'd like to start collecting this data in the future.

User behavior analytics can offer a ton of value on a number of fronts. Not only do these metrics offer visibility into potential insider threats, but they can also show early red flags for when accounts have been compromised by external attackers. The key is remembering that these metrics are most useful when they're measuring change of behavior--which means that the foundation of a behavior analytics program is understanding what normal behavior looks like before seeking out anomalies.

"While most compromises take only minutes to execute, they can remain undetected for days, weeks, and months after the fact," wrote Rapid7's Tod Beardsley, security research manager, and Roy Hodgman, data scientist, in a best practices guide they recently developed about user behavior analytics. "IT security administrators should be alert for some tell-tale compromise events, but this is difficult to do without first establishing a baseline of what is to be expected in a particular network."

According to the pair, there are four important areas organizations should focus on when establishing baselines and measuring changes in user behaviors.

 

Differentiate Between Humans And Machines

"Normal" behavior for accounts used by humans will look very different than that of service accounts used to carry out automated application activity and the like. These machine accounts usually have more permissions but are much more predictable than human-run accounts. At the same time, the volume of activity is likely to be much higher than human accounts.

"Incident responders looking to identify account takeovers through user behavior analytics must know what type of account they are looking at when deciding what constitutes abnormal behavior," Beardsley and Hodgman say.

 

Use These 3 Measurements To Get A Baseline Cloud Usage Reading

To start understanding the extent of cloud usage and get a handle on how users are interacting with cloud accounts, organizations should start first by examining web proxy, DNS records and firewall data to establish which applications are used most.

"Once services and their associated users are identified, you have great data to start a conversation with particular teams within the organization on which cloud services are required for productivity and how to provide these services, or alternatives, securely," Beardsley and Hodgman write.

That benchmark having been established, these metrics can also be used to track how well shadow IT is being contained in the future.

 

Take Advantage Of Mobile Device Location Data

Mobile devices may be a pain in the neck for security pros in many respects, but their ubiquity actually presents a really great opportunity for tapping into the power of user behavior analytics.

"Forward-looking security programs are using the location of smartphones as a data point in user behavior analytics to flag any situation where an authentication is coming from a different physical location than the location of the smartphone," they write.


Keep Tabs On Local Machine Admin Accounts

Enterprises are wont to leave themselves open to a huge analytics blind spot if they only watch Active Directory accounts without keeping track of local machine administrator accounts. That's because the bad guys tend to leverage these local accounts to move laterally until they can find a really juicy vulnerability to exploit in a more critical account.

"This is especially fruitful in companies that use a standard, golden image for rapid desktop deployment and keep all local domain administrator passwords identical to simplify helpdesk requests," Beardsley and Hodgman write.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
How Security Vendors Can Address the Cybersecurity Talent Shortage
Rob Rashotte, VP of Global Training and Technical Field Enablement at Fortinet,  5/24/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-7068
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7069
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have a type confusion vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7070
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7071
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
CVE-2019-7072
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .