How to understand bad user behaviour
Lutz Blaeser, MD of Intact Software Distribution, says incident responders need to narrow the time between when an incident or breach occurs, and when it is discovered. "One of the major reasons there is such a vast delay in the discovery of a breach, is that businesses are too focussed on defending against threats, and not focused enough on detection and mitigation."
He says if the plethora of breaches that have occurred in the last few years have taught us anything, it is that a new and more effective approach to detect and mitigate security breaches is needed, one that enables businesses to understand the complex activities occurring on their networks, and what legitimate and anomalous cyber activity looks like."
Understanding user behaviour
There is only one way to accomplish this, and that is by scrutinising all network activity, which will include how users and devices behave. "Today's wisdom is that users are the weakest link and pose the biggest threat to an organisation's security. Yet despite this, most companies do not spend enough time examining their users' behaviours, including what they access and what their patterns of behaviour are. Without being aware of this, it is impossible to identify anomalous or 'dodgy' behaviour."
By actively monitoring, detecting and understanding user access and usage patterns, any risky activities can quickly be identified. "As with all dangers, early warning signs can help prevent and control them. In terms of IT security, early warnings can prevent threat actors who have hi-jacked legitimate accounts as well as inside users who are up to no good," says Blaeser.
Know what good behaviour looks like
"Implementing a good security information and event management (SIEM) solution is a good start. These systems will examine all security-related information that is being collected through various forms of logging. To understand and harness this data, firstly establish a baseline determining which activities are logged, and which are not, as this will expose any vulnerabilities in the collection process."
For the next step, apply data analytics to understand the data you have, and identify what good behaviours look like, as this will make it far simpler to pinpoint any bad or anomalous behaviours. "Also identify and monitor all authorised access credentials that are being employed, as threat actors often make use of legitimate credentials to accomplish their nefarious deeds. Once compromised, attackers can lurk around your network for months, so pay these the attention they deserve."
Moreover, Blaeser says, don't forget to scrutinise accounts with high access privileges, such as systems, IT or database administrator accounts. "These are highly important, as these individuals will have access to even the most private and sensitive information. Being able to identify 'bad' behaviour among your users is the very basis for being able to act intelligently, and stop a breach before it causes too much damage. It is the very basis for lessening the time from breach to detection, and therefore preventing date exfiltration or other damage to the company's systems, and therefore reputation."