
Vulnerabilities / Threats | Commentary
1/20/2016 10:30 AM
Tom Pendergast

Behavioral Analytics: The Future of Just-in-Time Awareness Training?

It's high time we leveraged modern threat detection tools to keep users on the straight and narrow road of information security.

My mom bought a new car the other day and like most new cars today, it comes equipped with all the modern bells and whistles, including driver assistance features. If she starts wandering out of her lane, beeps and flashing lights direct her to get back in her lane. Or if she gets too close to the car ahead of her, the car brakes automatically. Great stuff for those who aren’t always paying close attention, right?

I’d say it’s high time we brought these kinds of features into the information security space, because right now we’re trusting employees to drive our “cars” – or expensive IT infrastructure – and the precious information that flows through it. But humans are fallible, and too often they’re just not paying close enough attention. As a result, they’re getting into accidents that are costing us dearly.

The good news is that User Behavior Analytics (UBA) tools offer the promise of solving this problem – if they evolve in the right direction. These tools – which draw information from various other data gathering systems in the market, such as security information and event management (SIEM) and data loss prevention (DLP) systems – are providing real value in identifying patterns and signs that reveal the presence of bad actors in the IT environment.

These bad actors are typically malware or system vulnerabilities, but also insiders who are trying to commit malicious acts. Once identified, those bad actors can be dealt with, and risk reduced. It’s really positive, but it can go even further.

Right now, UBA and these other threat detection tools are great at identifying and addressing the symptoms of technical failure (such as system vulnerabilities), but we’ve only just tapped into their capacity to really track and respond to the symptoms associated with human failure. But this can and I believe will change.

For my tastes, the scope of UBA needs to be broader, to expand beyond identifying and tracking the traces left by malicious insiders, system vulnerabilities, and malware, and into tracking and then directly addressing patterns of human ignorance* and inattention. (*Author’s note: I’m using “ignorance” to mean “lack of understanding” or “unawareness,” not to imply that end users are ignorant!)

It will start when UBA takes a lesson from phishing simulations. The information security community loves phishing simulation tools – and why not? These tools do a great job at identifying employees who put the organization at risk by clicking on (fake) phishing attempts. Once you know who falls prey to phishing, you can target them with just-in-time education and (ideally) improve their performance and their ability to protect the organization. It works perfectly – or so say advocates.

However, phishing simulations have some real limitations; they’re too easy to manipulate to get the results you want; they can make employees feel “violated;” some phishing lures can scare IT or HR; and phishing is just one threat among many, after all. Despite those negatives, they do deliver just-in-time education — they are the warning light when employees drift “out of their lane.” That’s a real positive – and this is where UBA tools come in, because of their capacity to identify so many more problems.

Imagine, if you will, a robust UBA system that identified and addressed human risks related to data classification, access controls, password reuse, remote connectivity, inappropriate use of cloud computing, etc., coupled with correctives to guide the user back to safety. Here’s how it might work:

The first time Joe Employee saves a document to an unapproved cloud storage site (for example), he gets a system-generated pop-up that directs him to company policy on the use of cloud storage. Problem solved, 70% of the time—but not always.

So the next time he does it, the system provides a two-minute video on the problems with unapproved cloud usage. More improvement. But, Joe is among the 5% who still don’t get it, so when he does it again the system enrolls him in a required 15-minute training course on Acceptable Use policies.

Despite that, there will be 0.1% who still do it wrong – and that’s where human intervention or termination might need to come into play.
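One way the escalation ladder just described could be driven from UBA output, as an added example that is not the article's or MediaPRO's code: the JSON event lines below are constructed to stand in for a DLP/SIEM feed, the allowlist of approved cloud destinations is hypothetical, and a per-user, per-risk-category counter selects the corrective tier (pop-up, video, course, then a human).

```python
import json
from collections import defaultdict
# Constructed sample: UBA/DLP-style events, one JSON object per line (not real data).
SAMPLE_EVENTS = """
{"ts": "2016-01-20T09:01:00Z", "user": "joe", "action": "file_upload", "dest": "dropbox.com"}
{"ts": "2016-01-20T09:05:00Z", "user": "joe", "action": "file_upload", "dest": "sharepoint.example.com"}
{"ts": "2016-01-21T11:20:00Z", "user": "joe", "action": "file_upload", "dest": "wetransfer.com"}
{"ts": "2016-01-22T14:02:00Z", "user": "joe", "action": "file_upload", "dest": "dropbox.com"}
{"ts": "2016-01-22T16:30:00Z", "user": "ann", "action": "file_upload", "dest": "dropbox.com"}
{"ts": "2016-01-23T08:45:00Z", "user": "joe", "action": "file_upload", "dest": "box.com"}
""".strip().splitlines()

# Hypothetical allowlist of company-approved cloud storage destinations.
APPROVED_CLOUD = {"sharepoint.example.com", "onedrive.example.com"}
# Escalation ladder from the article, keyed by the nth occurrence for a user and category.
LADDER = {
    1: ("popup", "Show pop-up linking to the company cloud storage policy"),
    2: ("video", "Assign the two-minute video on unapproved cloud usage"),
    3: ("course", "Enroll in the required 15-minute Acceptable Use course"),
}
ESCALATE_TO_HUMAN = ("human", "Route to manager / security team for intervention")

def classify(event):
    """Map a raw event to a human-risk category, or None if it is not a concern."""
    if event["action"] == "file_upload" and event["dest"] not in APPROVED_CLOUD:
        return "unapproved_cloud_storage"
    return None

def next_corrective(count):
    """Pick the corrective for the count-th occurrence; beyond the ladder, a human steps in."""
    return LADDER.get(count, ESCALATE_TO_HUMAN)

def run_jit_training(lines):
    """Replay events in order, tracking per-user/per-category counts; return correctives issued."""
    counts = defaultdict(int)
    issued = []
    for line in lines:
        event = json.loads(line)
        category = classify(event)
        if category is None:
            continue  # approved destination: no intervention, no count
        key = (event["user"], category)
        counts[key] += 1
        tier, description = next_corrective(counts[key])
        issued.append((event["ts"], event["user"], category, tier, description))
    return issued

if __name__ == "__main__":
    for row in run_jit_training(SAMPLE_EVENTS):
        print(*row, sep=" | ")
```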

Now imagine this kind of identification and correction across the spectrum of human risk. I’m not talking about malicious acts, but rather inadvertent acts, or acts committed out of ignorance or inattention – the very same problems we too often try to correct with boring policies and lengthy security awareness training courses.

Can we “tune” UBA systems to identify these kinds of triggers? I believe we can. Pair these risk triggers with a flexible deployment of just-in-time training and you’ve created “lane assistance” warnings for information security, with the added benefit of only training those who need it and not wasting the time of those who don’t.

Tom Pendergast is MediaPRO's Chief Learning Officer. He believes that every person cares about protecting data, they just don't know it yet. That's why he's constantly trying to devise new and easy ways to help awareness program managers educate their employees. Whether it's ...

Comments
kshaurette, User Rank: Strategist, 1/20/2016 | 10:58:01 AM
What are the Pros and Con - Features In Solutions
This is a very good article and I believe higher end analytics of behavior based activity tracking could become the 2016 and beyond trend. Solutions with the right features become the best way to catch unusual (anomalous) activity like that performed by a Snowden that could indicate behavior not normal as compared to what goes on daily, weekly, monthly based on a lot of possible comparisons. The larger the repository of User Behavior to perform analytics against, the greater the potential to detect activity that stands out as unusual. What are some of the most popular tools? I'm aware of Aristotle Insight, and probably bigger vendor solutions like Arcsight, Qradar, but what are the typical feature sets that these tools exhibit that make them an accepted practice?
ITSecurityTraining, User Rank: Apprentice, 1/21/2016 | 6:37:54 AM
Re: What are the Pros and Con - Features In Solutions
Writing with style and getting good compliments on the article is quite hard, to be honest. But you've done it so calmly and with so cool a feeling and you've nailed the job. It is my favorite subject. This article is possessed with style and I am giving a good compliment. Get more information about IT security training
tompendergast, User Rank: Author, 1/21/2016 | 4:16:51 PM
Re: What are the Pros and Con - Features In Solutions
Thanks for your kind words! I'm flattered.
tompendergast, User Rank: Author, 1/21/2016 | 4:19:22 PM
Re: What are the Pros and Con - Features In Solutions
Kshaurette, thanks for your comment. One of the interesting providers that I'm keeping an eye on is ObserveIT; take a look there. But I do expect to see more firms like this (and those you mentioned) using their data gathering capacities to shine a light on user behavior, especially the "Insider Threat" posed not just by the Snowdens of the world, but also by those with far more innocent intentions.