Grafvision - Fotolia
- Kathleen Richards, Information Security
The one-two punch of Edward Snowden caused security officers to spend more time monitoring “credentialed users” as the threat of additional privacy regulations and compliance loomed following the exposure of NSA’s widespread surveillance.
But in an ironic twist, the insider threat is one of the use cases driving new approaches to user behavior analytics (UBA), which enables on-premises security analysts to track individual data and activities with less heavy lifting than earlier technologies. What’s the difference between security analytics and these tools? These identity-based technologies focus on individuals first, monitoring their interactions and building baseline profiles to compare with historical behaviors and that of their peer groups. Most of these platforms are designed to track every user, not just those deemed high risk.
Whether it’s theft of sensitive data and intellectual property or accidental data loss caused by well-intentioned employees who have been socially engineered, monitoring risky user behavior remains a top concern for senior security professionals.
According to a 2014 Wisegate member survey, insider threats topped the list of organization’s vulnerability concerns at 59%, followed by phishing at 55%. Third-party partner risk ranked fourth, at 32% (after malware, at 45%). The senior IT and security professionals who were surveyed also reported concern about finding the staff to fight these threats.
Insider threats range from current and former employees to contractors and business partners with authorized access to networks and critical data systems. They pose numerous security and fraud concerns for enterprises and their security officers, whether it’s protecting the network against hijacked user credentials or ferreting out authorized users who take shortcuts for convenience like Dropbox or other shadow IT.
Some employees, such as Sergey Aleynikov, the former Goldman Sachs programmer, take IP with them when they leave the company. Undergoing his second trial for an alleged 2009 IP theft, Aleynikov is accused of copying source code for Goldman’s high frequency trading platforms as he was exiting the company to join a startup, Teza Technologies. Part of his defense: He may have breached a confidentiality agreement but lifting code is not a crime.
While privilege abuse remained the “defining action of the internal actor breach” in 55% of reported incidents, as in past years, according to the 2015 Verizon Data Breach Investigations Report, organizations “saw more incidents involving the end user than ever before.” Since 2011, “cashier” has topped the report’s “Insider Misuse” list, but in 2014, end users ranked highest at 37.6%, followed by cashiers at 16.8% and finance at 11.2%. Executives ranked 10.4%. Financial gain and convenience were behind 40% of incidents, according to report. The insider abuse was usually discovered by forensic analysis of devices after users left the company.
Enterprises have analyzed network, systems and traffic behavior for years. As security analytics continues to gain a foothold, some tools are building on centralized log management repositories by adding functionality aimed at pinpointing user behavior and anomalies in near real time and historical data. That’s a substantial undertaking in terms of computational power and performance for companies with upwards of 100,000 employees and credentialed users.
“It has been tough to understand the user problem itself,” says Barry Shteiman, a security researcher who was appointed director of Exabeam Labs in April. (He formerly worked with the company’s founders at Imperva.) “Companies have followed two main paths: One was logging … ‘If I record everything that happens the incident is in there.’ The other side was ‘Let’s find patterns that we know of attacks and see if attackers fall into those traps.’ ”
The startup company is taking the data that is written by SIEM or other log management repositories and building a “brain on top of it” using machine learning and advanced mathematical algorithms to model behavior, according to Shteiman, who says: “Let’s build models that learn instead.”
Announced in June 2014, the Exabeam platform is already in production at several customers, including the Safeway supermarket chain. The on-premises software is designed for user monitoring and data exploration by security staff of all levels. Exabeam has patented its User Session Tracking technology, which offers a Facebook-like timeline to help security analysts.
While Exabeam’s approach is new, UBA systems have been around in various forms for at least a decade -- generally, customized vendor or user-driven modules that monitored structured data. Most UBA systems analyze historical data logs -- network, system and authentication logs that are collected and stored in SIEM systems and Splunk -- and patterns to develop individual behavioral profiles. The technology then generates a baseline for each employee in the enterprise. The user’s behavior is monitored based on the individual’s history and their peer group.
While SIEM offers some level of context-based activity monitoring, UBA platforms generally offer more advanced profiling and exception monitoring that is not tied into policy definitions and authorization rights in identity and access management (IAM) systems, according to Gartner, which covered UBA technology in an extensive report last August. Companies should review the user monitoring, profiling and anomaly detection functionality in their current SIEM systems before evaluating UBA platforms, say the report’s authors.
“It is all based on what you do,” according to Shteiman, who says Exabeam lets the data speak for itself. “There’s no need to ‘tune’ what is being learned, like a lot of systems that are logic-based.”
However, Gartner cautions that every UBA system requires some form of tuning, even those with canned analytics.
Risk Scores at the User Level
Fortscale, with headquarters in San Francisco and R&D in Tel Aviv, Israel, is another startup in the UBA space that features advanced analytics that do not require customized rules or defined signatures. The company recently enhanced its on-premises UBA platform with application-level visibility. Security analysts are alerted to anomalous behavior of credentialed users who interact with enterprise software, including customized applications. These correlations are based on logins, resource-access patterns, content transfer (volume), time of activity, location and so on.
“Most modern attack models talk about attack chains,” says Guy Mordecai, Fortscale’s director of product management. “A lot of it focuses the attention on how attackers get their foothold. One thing those models don’t take into account is what if I already have user credentials. That’s when most of those attack chains are short-circuited.
“When we are talking about insider threats, it might be a contractor or an external attacker who is now trying to becoming an insider,” he adds. “Companies now need to know not just who logged in to the network, but what they did once they logged in.”
The company’s self-contained Hadoop-cluster sits on top of SIEM or Splunk and uses machine-learning algorithms and contextual data (from IAM, accounts payable, human resources and travel systems, for example) to analyze logs and enrich them to build user profiles, monitor exceptions and create user risk scoring. Hadoop allows the technology to scale linearly and economically. It can also perform the batch operations quickly. The idea is to shorten incident response time and quickly pinpoint abnormal or suspicious behavior.
Insider Rogue Activity a Surprise
Featured during an Innovation Sandbox presentation at the RSA conference in April, CEO and co-founder Idan Tendler said that the technology was finding stolen user credentials, but he was surprised that the majority of findings were users engaged in rogue activity (at their Fortune 1000 clients in industries such as finance, insurance retail and technology). “We find nosy admins; we find employees that were about to be terminated, to leave the company and started to dig into sensitive servers. Even if they failed we track them. We found employees -- call center representatives that dug into sensitive customer data at CRM applications -- and we helped the enterprise to stop that,” he says.
“The benefits to the analysts are not only in pinpointing the bad users -- the bad employees inside the enterprise -- but also in making [their] workflow much faster, and much more accurate.”
Fortscale is currently focused on visibility, but the company is interested in developing tools for policy and prevention, according to Tendler. Like other UBA technologies, the platform is designed for analyzing the data collected by SIEM or Splunk. If the data is not there, Fortscale “cannot do it today.”
Like Exabeam, the Fortscale technology shipped in Q4 2014. The software is sold on a subscription basis in one-, two- or three-year contracts. Cost is primarily based on the number of accounts being monitored (priced per user), according to Mordecai. Typically, that’s a six-figure investment, he says.
“Part of our challenge is to educate our users,” says Mordecai. Some of the company’s Fortune 1000 customers see UBA as a new discipline; even if they are highly skilled and have a lot of experience, they are not familiar with the user-centric approach. Fortscale has trained analysts as part of its team who work closely with customers so that they can drill down and efficiently use the software. The legal department is also involved at some clients, usually with regard to internal auditing and what kind of information must be mapped, he says.
In addition to Exabeam and Fortscale, some other vendors in the crowded UBA space include Bay Dynamics, Gurucul, IBM, Oracle, Secournix and even Splunk. HP introduced user behavior analytics to its ArcSight platform in April. But only a handful of vendors offer innovative approaches that detect advanced and insider threats.
Many companies are using UBA technologies “suboptimally” to investigate security or fraud events, according to Gartner. But analysts expect that to change over time with a greater focus on event detection and predictive analytics.
“We see 2015 as becoming the year of the user in cybersecurity,” says Mordecai.