
How to understand bad user behaviour

A hacker who is determined enough will eventually get in, usually in minutes. Even more frightening is that most advanced threats remain undetected for weeks or months, presenting huge challenges for the security industry.
Image: ©Rancz Andrei via 123RF

Lutz Blaeser, MD of Intact Software Distribution, says incident responders need to narrow the time between when an incident or breach occurs and when it is discovered. "One of the major reasons there is such a vast delay in the discovery of a breach is that businesses are too focused on defending against threats, and not focused enough on detection and mitigation."

He says that if the plethora of breaches of the last few years has taught us anything, it is that a new and more effective approach to detecting and mitigating security breaches is needed, one that enables businesses to understand the complex activities occurring on their networks, and what legitimate and anomalous cyber activity looks like.

Understanding user behaviour

There is only one way to accomplish this, and that is by scrutinising all network activity, which will include how users and devices behave. "Today's wisdom is that users are the weakest link and pose the biggest threat to an organisation's security. Yet despite this, most companies do not spend enough time examining their users' behaviours, including what they access and what their patterns of behaviour are. Without being aware of this, it is impossible to identify anomalous or 'dodgy' behaviour."

By actively monitoring, detecting and understanding user access and usage patterns, risky activities can be identified quickly. "As with all dangers, early warning signs can help prevent and control them. In terms of IT security, early warnings can prevent threat actors who have hijacked legitimate accounts as well as inside users who are up to no good," says Blaeser.

Know what good behaviour looks like

"Implementing a good security information and event management (SIEM) solution is a good start. These systems will examine all security-related information that is being collected through various forms of logging. To understand and harness this data, firstly establish a baseline determining which activities are logged, and which are not, as this will expose any vulnerabilities in the collection process."

For the next step, apply data analytics to understand the data you have, and identify what good behaviours look like, as this will make it far simpler to pinpoint any bad or anomalous behaviours. "Also identify and monitor all authorised access credentials that are being employed, as threat actors often make use of legitimate credentials to accomplish their nefarious deeds. Once compromised, attackers can lurk around your network for months, so pay these the attention they deserve."

Moreover, Blaeser says, don't forget to scrutinise accounts with high access privileges, such as systems, IT or database administrator accounts. "These are highly important, as these individuals will have access to even the most private and sensitive information. Being able to identify 'bad' behaviour among your users is the very basis for being able to act intelligently, and stop a breach before it causes too much damage. It is the very basis for lessening the time from breach to detection, and therefore preventing data exfiltration or other damage to the company's systems, and therefore reputation."
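The steps Blaeser describes (decide what is logged, learn what normal looks like per user, flag departures from it, and hold privileged accounts to a stricter standard) as an added Python example; this is not code from the article or from Intact, and the log format, account names, source addresses and the one-versus-two-deviation thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed auth-log lines: "<iso-timestamp> user=<name> src=<ip> host=<host> result=<success|failure>"
BASELINE_LOG = [
    "2024-03-01T09:02:00 user=alice src=10.0.0.5 host=fileserver result=success",
    "2024-03-02T09:10:00 user=alice src=10.0.0.5 host=fileserver result=success",
    "2024-03-01T08:30:00 user=dba_admin src=10.0.0.9 host=db01 result=success",
    "2024-03-02T10:15:00 user=dba_admin src=10.0.0.9 host=db01 result=success",
    "2024-03-02T10:16:00 user=alice src=198.51.100.4 host=fileserver result=failure",  # failures never define "good"
]
NEW_LOG = [
    "2024-03-10T09:30:00 user=alice src=10.0.0.5 host=fileserver result=success",     # matches baseline
    "2024-03-10T03:00:00 user=alice src=203.0.113.7 host=fileserver result=success",  # new source, off hours
    "2024-03-10T23:05:00 user=dba_admin src=10.0.0.9 host=db01 result=success",       # privileged, off hours
    "2024-03-10T09:00:00 user=alice src=10.0.0.5 host=db01 result=success",           # single deviation only
]
PRIVILEGED = {"dba_admin"}  # assumed list of high-privilege accounts that get a stricter threshold

def parse(line):
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def build_baseline(events):
    """Per user, the sources, hosts and hours-of-day seen in successful logins."""
    base = defaultdict(lambda: defaultdict(set))
    for e in events:
        if e["result"] == "success":
            for key, value in (("src", e["src"]), ("host", e["host"]), ("hour", e["ts"].hour)):
                base[e["user"]][key].add(value)
    return base

def deviations(event, baseline):
    """Names of the attributes on which this event departs from the user's pattern."""
    b = baseline.get(event["user"])
    if b is None:
        return ["unknown-user"]
    observed = {"src": event["src"], "host": event["host"], "hour": event["ts"].hour}
    return [f"new-{k}" for k, v in observed.items() if v not in b[k]]

def detect(baseline_lines, new_lines):
    """Alert on privileged accounts at one deviation, ordinary accounts at two."""
    baseline = build_baseline(parse(l) for l in baseline_lines)
    alerts = []
    for line in new_lines:
        e = parse(line)
        dev = deviations(e, baseline)
        if len(dev) >= (1 if e["user"] in PRIVILEGED else 2):
            alerts.append((e["user"], dev))
    return alerts
```

Calling `detect(BASELINE_LOG, NEW_LOG)` returns one alert for alice (new source and off hours) and one for dba_admin (off hours alone, because the account is privileged), while alice's single new-host event stays below her threshold.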

About Lutz Blaeser

In 2011, Blaeser founded Intact Security, building on his knowledge and experience of the reseller market. His main focus at Intact Security is to continue building the Avira Antivirus market while adding further solutions to the offering. Since the company's inception, he has added antivirus and content security products such as Bitdefender, AVAST, G Data and Kaspersky, as well as the backup and disaster recovery solution StorageCraft.