BFFs: UEBA Threat Detection and Post Infection Prevention
I believe detection and prevention are the most chewed-over words in the security market. In the last 20 years, I have seen the term virus evolve to worm and horse (Trojan). Then it left the living creature world and moved to the “Bond” world by becoming spyware, malware, ransomware and even getting recognized by names, such as Zeus, Cryptolocker and more.
And yet the basic terms of detection and prevention have remained steady. No matter the triggers, no matter the technology or the company. Sometimes you’ll hear detection and prevention used together and sometimes separately depending on the solution’s capabilities. What changes with these terms lies underneath as the threats to organizations continue to proliferate.
As the User and Entity Behavior Analytics (UEBA) market evolves, it is now clear to everyone that this is the new threat detection. Since we launched the first Behavioral Firewall (UEBA 2.0), security experts realize that beyond the detection there is a real need for post infection threat prevention. That they can actively respond in real time, as it is happening, versus manually responding post incident through the Incident Response (IR) program and forensics, is becoming a requirement.
As we all know, there are challenges associated with detection and prevention. Many of these relate directly and indirectly with accuracy, false positives, false negatives and in many cases an IT security skills shortage in the organization. Our CEO touches on some of these challenges here.
When planning the security strategy for an organization there are a few basic guidelines that every company, no matter the size, should take into consideration:
- Practice the best practices.
For example, not disabling stale accounts and service account abuse are just two common examples of bad practices that I witness all too often. It is indeed bad practice! Don’t use the excuse: “that’s the way it works in our company.” Make it better Reduce the attack surface.
- It is worth focusing on and challenging the suspects post infection.
There is a better chance at preventing damage with this approach. In a recent blog post, Avi Kama explains why: “…the compromise is commonly used as a single act that is expected as attackers like to keep the zero-day weaknesses undiscovered and only use them when absolutely necessary. A lot of effort was put into exploiting other means of spreading the malware, so that when the it is identified, the zero-day weakness is not.” Using Multi-Factor Authentication (MFA) to challenge the adversary when their network or access behavior becomes anomalous is powerful!
- Use your end users as resources.
They are there and at your service, and they can be used to help automate the incident response, resulting in a reduction in the level of noise and false positives. By making users part of the process, it helps focus the security team’s efforts on what matters most particularly when there is a skills shortage. Solutions such as the Preempt Behavioral Firewall can help with that with adaptive user engagement. Read more about employee engagement here.
- Focus on the use cases that matter.
Trying to digest as many log sources at the SIEM or other level, without a clear vision, is doomed to fail. Read more about it in the second part of the blog post by Eyal Karny, on the common misconceptions in enterprise security.
Posted by Eran Cohen on August 26, 2016 10:26 AM