Behavior is the Leading Threat Indicator

If there is one sure thing in life, it’s that behavior never lies. Your behavior defines you just as it defines others. When your behavior changes for any reason, it raises alarm bells. Are you suddenly working late because you have project deadlines? Or are you unable to keep focused on work during the day because your personal life is a distraction? Either way, the question remains: why the change in behavior?

You Can Steal an Identity, But You Can’t Steal Behavior

In the world of cybersecurity, criminals may steal an identity, but they can’t steal the behavior associated with that individual (or device). Behavior is the tell. Attackers may compromise someone’s credentials, but they cannot mimic that user’s behavior.

A cybercriminal won’t know when users normally login, from what IP address(es), what applications they typically access, what documents they’re working on, who they normally email or meet with, and more.

Why is this a big deal? Because a sudden change in online behavior tells you that someone or something is anomalous.

Is It Live, or Is It Memorex?

Back in the 1970s and 1980s Memorex launched a series of advertisements featuring Ella Fitzgerald singing a note that shattered glass. Her singing was being recorded to a Memorex audio cassette. Whether she sang the note live or it was played back on Memorex, the glass still shattered.

If a user, Hank, suddenly logs in at midnight on a Saturday night, is that really Hank? Or is it someone pretending to be Hank? More specifically, has someone compromised Hank’s credentials?  Is it Hank or is it “anonymous”? How would you be able to tell?

Let’s take a look at Hank’s peers – are any of his peers also logging into their systems around the same time? Perhaps the team is doing an upgrade off hours. You can look at activity logs for details. If yes, then this anomalous behavior would be acceptable given the context.  After all, not all anomalous behavior is risky.

If a user’s behavior suddenly changes for the worse, is that user malicious? Or is that user’s account compromised?

Context is Critical

The key to determining if anomalous behavior is risky is context. Context is going to paint a more enhanced picture of what exactly is going on. Let’s look at an analogy. You’re at the airport and a man runs up a down escalator. Is he trying to catch a flight? Or is he fleeing from authorities? Context is critical.

Gurucul User and Entity Behavior Analytics (UEBA) uses activity and access context to determine whether anomalous behavior is risky. We take unlimited data feeds from structured and unstructured security sources – SIEMs, firewalls, identity and access management systems, NetFlow and more. We can also gather context from your business applications – SAP, EPIC, Salesforce or even your proprietary applications on virtually any platform. All we need are transaction logs.

We aggregate, correlate, and link that data to provide a 360 degree view of users and entities. Who or what is on the network, what they are doing, what they have access to and what they are doing with that access. We compare that information with baselined behavior patterns, as well as peer group behavior, and look for oddities.

If you’re suddenly traversing the network and downloading a bunch of documents you never look at – you’re either an insider threat or your credentials have been compromised. Either way, it’s bad behavior and we catch it – in real-time, on a continuous basis, so you don’t lose data or IP.

Catching Bad Behavior at Scale Requires Machine Learning

If you have thousands of users and tens of thousands of devices, then you have a real problem on your hands only machine learning based user behavior analytics can resolve. If it’s one or two bad actors or compromised accounts, then you can pick them off one by one. But if you need to defend your enterprise against attacks at scale, then you need to leverage machine learning. Cybercriminals are using artificial intelligence to automate their attacks. Machine based attacks require machine based responses.

A Customer Success Story

Check out this customer success story. Infosys was able to automate real-time threat detection with Gurucul Behavior Analytics. Infosys achieved the following objectives: insider threat detection, IP protection, detecting threats in real-time, reducing manual efforts, and reducing false positives.

Behavior analytics is powerful technology. Contact us to learn how we can help your organization detect and stop bad behavior before it stops you.