
When All Behavior Is Abnormal, How Do We Detect Anomalies?

Identifying normal behavior baselines is essential to behavior-based authentication. However, with COVID-19 upending all aspects of life, is it possible to build baselines and measure normal patterns when nothing at all seems normal?

(image by andigreyscale, via Adobe Stock)

We log into work in the morning, usually between 0900 and 0915. We log into mail, the collaboration system, then the business applications. The place we log in from, the time we start work, and the sequence of logins form a unique pattern. And unique patterns can be useful as authentication factors. Right now there's a possible problem, though: How do you establish "normal" behaviors in an utterly abnormal time?

The issues around behavior-based authentication echo larger IT behavior issues of the moment. "During times of crisis, behavior can be overwhelmed by stress and especially by disruption to daily routines," says Daniel Norman, research analyst at the Information Security Forum. "The COVID-19 lockdown has demonstrated the requirement for organizations to manage behavior effectively or face disruption from a growing range of security threats, both from outside and within the business."

Defining a Useful Normal
Robert Capps, vice president at NuData Security, a Mastercard company, says that benchmarking and using behavior may begin with understanding which behaviors remain useful indicators of a user's identity.

"Users who are sheltering in place will have some or all of the same characteristics present in their interactions, as they did pre-COVID," Capps explains. "They will continue to use their home Internet connection, their existing devices, and will use those devices in the same way as before."

He points out that the habits and patterns can actually decrease the "friction" in a user's computing experience, allowing the person to open and use some applications without stopping to think deeply about the user experience. That same "automatic" nature of the actions is what makes them useful from an authentication perspective.

Fortunately, while the overall business environment is at a highly unusual point, experts say that computer user behavior is not as anomalous as it might seem — and might be more consistent than before the pandemic.

"I would imagine that today people's behaviors are less anomalous than usual. On a normal day, people log into or visit sites from networks at work, on the train, at the Starbucks, at the airport, and also at home. Today they only log in from home," says Jason Kent, hacker in residence at Cequence Security. "Most organizations already understand their infrastructure goes out to the remote worker; there are just more remote workers now."

Organizations should always use many different data points to make a determination of behavior, he adds. Some factors will always matter more than others, and it is their combination that needs to be considered to determine the risk.

Shahrokh Shahidzadeh, CEO at Acceptto, says that looking past the login is critical.

"There are normal behaviors where some users use VPN, but that is not important," he says. "Besides the VPN login, there are other factors in play, such as the patterns gained through the analysis of the applicational behavior. What we are interested in is what happens throughout the life cycle of the session."

Using behaviors across the entire user interaction provides valuable, rich context for the behaviors we see.

"The key to effective behavior-based detection is context for the algorithms to learn from. When behavior-based algorithms, specifically for authentication, are able to take in the whole picture, they are quickly able to adapt to new conditions," says Wade Woolwine, principal security researcher at Rapid7. "The whole picture means that we can see local system authentications against the domain, we can see VPN authentications, internal resource authentication and authorization, and external services authentication. With that level of visibility, behavior-based detections quickly figure out that the strange IP authenticating to the external service is actually the same IP that successfully authenticated to the VPN just a minute ago."
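The two points made above, that no single factor decides the risk but rather the combination of many data points, and that an unfamiliar IP hitting an external service looks very different once you can see the same IP successfully authenticating to the VPN minutes earlier, can be illustrated with a small scorer. The following is an added example written for this article, not code from any of the vendors quoted; the event format, the weights (40 for an unfamiliar IP, 35 for an unfamiliar device, 15 for an unusual hour), the five-minute corroboration window and the sample events for a user "alice" are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class AuthEvent:
    """One authentication record from any source (constructed schema)."""
    ts: datetime
    user: str
    source: str       # "domain", "vpn" or "external_service"
    src_ip: str
    device_id: str
    success: bool


@dataclass
class Baseline:
    """Per-user summary of what 'normal' looked like in past successful logins."""
    known_ips: Set[str]
    known_devices: Set[str]
    usual_hours: Set[int]


def build_baseline(history: Iterable[AuthEvent]) -> Baseline:
    """Derive a baseline from a user's successful historical logins only."""
    ok = [e for e in history if e.success]
    return Baseline(
        known_ips={e.src_ip for e in ok},
        known_devices={e.device_id for e in ok},
        usual_hours={e.ts.hour for e in ok},
    )


# Illustrative weights and window; real systems tune these from data.
W_UNFAMILIAR_IP, W_UNFAMILIAR_DEVICE, W_ODD_HOUR = 40, 35, 15
CORROBORATION_WINDOW = timedelta(minutes=5)


def score_event(event: AuthEvent, baseline: Baseline,
                recent: Iterable[AuthEvent],
                window: timedelta = CORROBORATION_WINDOW) -> Tuple[int, List[str]]:
    """Combine several signals into one risk score (0 = no concern).

    An unfamiliar IP on a non-VPN source is discounted when the same user
    completed a successful VPN login from that IP within `window`, which is
    the cross-source context the article describes.
    """
    score, reasons = 0, []
    unfamiliar_ip = event.src_ip not in baseline.known_ips
    if unfamiliar_ip:
        score += W_UNFAMILIAR_IP
        reasons.append("unfamiliar source IP")
    if event.device_id not in baseline.known_devices:
        score += W_UNFAMILIAR_DEVICE
        reasons.append("unfamiliar device")
    if event.ts.hour not in baseline.usual_hours:
        score += W_ODD_HOUR
        reasons.append("outside usual hours")
    if unfamiliar_ip and event.source != "vpn":
        for prior in recent:
            age = event.ts - prior.ts
            if (prior.user == event.user and prior.source == "vpn" and prior.success
                    and prior.src_ip == event.src_ip
                    and timedelta(0) <= age <= window):
                score -= W_UNFAMILIAR_IP
                reasons.append("IP corroborated by VPN login %s earlier" % age)
                break
    return max(score, 0), reasons


# Constructed history: ten days of domain and SaaS logins from alice's home IP.
HOME_IP = "203.0.113.10"
HISTORY = [AuthEvent(datetime(2020, 4, d, 9, 5), "alice", "domain", HOME_IP, "laptop-7", True)
           for d in range(1, 11)]
HISTORY += [AuthEvent(datetime(2020, 4, d, 14, 30), "alice", "external_service", HOME_IP, "laptop-7", True)
            for d in range(1, 11)]
BASELINE = build_baseline(HISTORY)

# Constructed new-day events: a VPN login from a never-seen IP, the same IP
# reaching the external service two minutes later, and a genuinely odd login.
NEW_IP = "198.51.100.5"
VPN_LOGIN = AuthEvent(datetime(2020, 4, 13, 9, 2), "alice", "vpn", NEW_IP, "laptop-7", True)
SAAS_LOGIN = AuthEvent(datetime(2020, 4, 13, 9, 4), "alice", "external_service", NEW_IP, "laptop-7", True)
ODD_LOGIN = AuthEvent(datetime(2020, 4, 13, 3, 12), "alice", "external_service", "192.0.2.77", "unknown-pc", True)


def demo() -> Dict[str, int]:
    """Score the same SaaS login with and without VPN visibility."""
    return {
        "vpn": score_event(VPN_LOGIN, BASELINE, [])[0],
        "saas_with_vpn_context": score_event(SAAS_LOGIN, BASELINE, [VPN_LOGIN])[0],
        "saas_without_context": score_event(SAAS_LOGIN, BASELINE, [])[0],
        "odd": score_event(ODD_LOGIN, BASELINE, [VPN_LOGIN])[0],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Run stand-alone, the SaaS login from the unfamiliar IP scores 40 when the scorer only sees external-service events, and 0 when it can also see the successful VPN login from that IP two minutes earlier; the 03:12 login from an unknown device and a different IP keeps its full score of 90 because nothing corroborates it. The weights are placeholders; the point is that the verdict comes from the combination of signals and the context across sources, not from any one factor.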

Necessary Complexity
While behavior-based analysis for authentication (and threat detection) is necessary for many organizations, it is anything but simple.

"The focus on network-based behavior is always going to be fraught with complexity and lack in key context to make effective decisions," Woolwine says. "Think about network-based behavior analytics as being able to understand the travel patterns of commuters but not understand what they do before, after, and during their commute."

Says Chris Rothe, co-founder and chief product officer at Red Canary: "Anomaly detection is inherently difficult, but it is basically impossible if you don't have a baseline of what normal is to compare against. Depending on what you used to establish that baseline, it may be completely invalid when there is a fundamental change in where or how your employees are working."

Still, Woolwine says, "Anyone tossing behavior-based detections out the window due to the shift in work habits doesn't really get behavior-based detection in the first place. While we did see a temporary decrease in the effectiveness of network-based behavior detections against authentication gateways, the algorithms recovered within 48 hours."

About the Author(s)

Curtis Franklin, Principal Analyst, Omdia

Curtis Franklin Jr. is Principal Analyst at Omdia, focusing on enterprise security management. Previously, he was senior editor of Dark Reading, editor of Light Reading's Security Now, and executive editor, technology, at InformationWeek, where he was also executive producer of InformationWeek's online radio and podcast episodes.

Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has been on staff and contributed to technology-industry publications including BYTE, ComputerWorld, CEO, Enterprise Efficiency, ChannelWeb, Network Computing, InfoWorld, PCWorld, Dark Reading, and on subjects ranging from mobile enterprise computing to enterprise security and wireless networking.

Curtis is the author of thousands of articles, the co-author of five books, and has been a frequent speaker at computer and networking industry conferences across North America and Europe. His most recent books, Cloud Computing: Technologies and Strategies of the Ubiquitous Data Center, and Securing the Cloud: Security Strategies for the Ubiquitous Data Center, with co-author Brian Chee, are published by Taylor and Francis.

When he's not writing, Curtis is a painter, photographer, cook, and multi-instrumentalist musician. He is active in running, amateur radio (KG4GWA), the MakerFX maker space in Orlando, FL, and is a certified Florida Master Naturalist.
