Taming Network Chaos By Understanding User Behavior
Enterprises are badly burned by security tools that don’t work. When they finally see a solution that does what it purports to do, the shock is palpable.
Organizations simply don’t understand what is going on in their networks. Effective network security combines multiple layers of defense to ensure that only authorized users gain access to the right network resources. However, when many network software and hardware devices were built in the 80s, it’s no wonder that enterprise security teams have no real visibility.
Networks are turbulent by nature (broadcast storms, for example). Organizations are often deceived by the standards of network protocols because they expect traffic to be well organized and easily monitored. However, this is almost never the case. Protocols are often customized to their specific environment and implemented by vendors who only aim to suit their immediate and/or niche needs. In addition, teams will adopt new technology to address growing security needs and are forced to bolt on more and more point solutions. By throwing more solutions and change to their existing network architecture, they have discovered the recipe for chaos.
Adding to the complexity of the changing network ecosystem is the issue of unregulated protocols and a growing mobile workforce. Employees change their digital behavior regularly because they work from multiple locations, use multiple sanctioned and unsanctioned software, and need different administrative privileges. While mobility allows for a more productive workforce, the ever-changing nature of employee behavior creates a plethora of “blind spots” that makes understanding user behavior difficult.
User Behavior Profiling: Why It is Key to Identify Threats
Behavioral profiles come in incredibly handy when it comes to identifying threats in the network. By taking a look at patterns in behavior, administrators can bridge the gap between dynamic behaviors and contextual risk to truly understand what is anomalous behavior. UEBA solutions baseline normal behavior by establishing patterns in activities by both the user and their groups to understand what is considered a behavioral anomaly. While UEBA solutions are a great starting point to understanding what is risky user behavior in the network, many of these behavioral anomalies are false positives because of the changing nature of network architecture with the adoption of new technology and devices. When there is an overabundance of data sources that go into a UEBA solution, it is often difficult to separate between what is a real threat and what isn’t. Therefore, rather than taming the chaos, your UEBA product might be exacerbating it.
What’s the Right Way to Understand User Behavior?
The wrong way to understand user behavior is to just pull in data sources and statistically baseline the profile with a binary algorithm without understanding that the user is unique and the network ecosystem is ever-changing. Unfortunately, while this method detects anomalies, it can include anomalies that are simply false positives. When abnormal activity causes an alert to be sent to a security analyst, there is manual labor that comes into play with the investigation of the alert. Often it is difficult for security analysts to understand if it is a real attack or simply a false positive.
While unusual activity can be a sign of lateral movement from an account takeover or a rogue employee wreaking havoc on the network, it is often not the case. In a recent conversation with a Preempt sales prospect, we learned that as many as 90% of their security incidents were false positives and they didn’t know what to do with all the noise. With the shortage in security resources and talent, it becomes an uphill battle to not only sift through the noise but to contain actual threats. It is increasingly difficult for organizations to keep up with the bad guys.
How can we overcome this uphill battle to be successful? There is one valuable security resource that has not been effectively tapped. Traditional security programs see employees as the risk that needs to be managed rather than empowered. We need to rethink the model where security only flows one direction without any feedback, input, or engagement. What today’s leaders in security fail to see is that user empowerment is the key to understanding threats in the network. Every other field in technology (travel, food, consumer, etc) all leverage crowd-sourcing as a way to be dynamic, fluid, and intelligent: both receiving and delivering analytics. Security should follow suit.
User Engagement is the Key to Understanding Risk Dynamically
User engagement starts with users verifying their own activity and validating their identity. By doing so, we can help alleviate a lot of the burden placed on security teams to verify authenticity and intent. In addition, this will help reduce the number of false positives that occur in a network as users will confirm themselves what would otherwise be seen as “abnormal behavior”. Users who are engaged and contribute to the effort of protecting an organization will help security analysts focus on identifying actual breaches in the network.
Engaging users in real-time as part of your user behavior analytics is a relatively new concept. Users have always been seen as the weakest link. Instead of trying to set one-directional policies one after another to catch up to a dynamic user base, it is a much more efficient method to let users help you define policy. This way, organizations can be proactive to changes within their employee base, rather than reactive.
In summary, the prevailing opinion in the last few years is a defeatist opinion of “assume you were breached.” This opinion was established to cover the incompetence of security solutions to deliver proper mitigation. With proper user engagement, security teams can be much more effective at mitigating risk and reducing the damage of data breaches. Employees can be the first line of defense if they are properly empowered to be part of the solution.
Posted by Eran Cohen on May 20, 2019 3:31 AM