For years now, one of the most common defense mechanisms in IT environments has been signature-based defense. Indicators of compromise (IOCs) are a cornerstone of this cybersecurity strategy.
With signature-based defense, virus signatures and IP addresses, along with MD5 hashes of malware files, URLs, and domain names of botnet command-and-control servers, are identified as IOCs. Their distinct characteristics provide the data needed to block similar attacks in the future.
These signatures are regularly pushed to intrusion detection systems and other perimeter security software. They represent the “known” attacks. Unfortunately, known attacks are not the only source of threats. Consider these two facts:
- The AV-TEST Institute registers over 350,000 new malicious programs every day
- 99% of malware is only seen once before it’s modified, rendering signature-based defense virtually useless
There are also new, zero-day attacks, as well as insider threats, that signature-based defense cannot stop.
The endpoint – the human factor – is the most prevalent target for cyber threat actors, whether through malware, phishing, social engineering or other means. With this massive volume and velocity of new threats targeting the endpoint, how can signature-based defenses keep up?
UEBA Goes Beyond Signature Defense
Signatures are no longer effective at preventing today’s advanced cyber threats. While IOCs are useful in forensic reviews and mapping attacks, information security leaders must start thinking in a different way when it comes to defending their environments. This is the gap that User and Entity Behavior Analytics (UEBA) can fill.
UEBA doesn’t depend on signatures. Instead, it focuses on identity and behavior. And unlike signature databases, UEBA does not need to be updated continually to be effective.
So, while cyberattacks may still succeed in stealing someone’s credentials, the attacker cannot hide their behavior when using those credentials. With UEBA, identity is tied to the context of legitimate user behavior established over a period of time and correlated with peer groups. That means if an attacker succeeds in compromising a target environment, their behavior will quickly be detected as anomalous against the baseline already established by the legitimate user.
The “digital exhaust” created by the intruder will generate high risk scores in the UEBA solution. It will also set off alerts which draw prompt attention and remediation.
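The baseline-and-peer-group idea described above can be made concrete with a small scoring routine. The following is an added example, not code from the original article or from any UEBA product: it builds a per-user baseline (hosts, login hours, outbound volume) and a per-department peer baseline from a constructed window of "normal" authentication log lines, then assigns a risk score to new events according to how far they deviate from those baselines. The log format, the point values and the alert threshold are all assumptions made for this illustration.

```python
"""Toy UEBA-style risk scoring over constructed authentication log lines.

Added illustration, not the original article's or any vendor's code. Log
format is an assumption made here:
    <ISO timestamp> user=<u> dept=<d> host=<h> bytes_out=<n>
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed training window: "normal" activity for two users in one peer group (finance).
BASELINE_LOG = """\
2024-03-01T09:05:00 user=alice dept=finance host=fin-srv-1 bytes_out=1200
2024-03-01T14:30:00 user=alice dept=finance host=fin-share bytes_out=1500
2024-03-04T10:12:00 user=alice dept=finance host=fin-srv-1 bytes_out=900
2024-03-05T16:45:00 user=alice dept=finance host=fin-share bytes_out=1300
2024-03-07T09:20:00 user=alice dept=finance host=fin-srv-1 bytes_out=1100
2024-03-08T14:05:00 user=alice dept=finance host=fin-srv-1 bytes_out=1400
2024-03-01T08:55:00 user=bob dept=finance host=fin-srv-1 bytes_out=2000
2024-03-02T13:10:00 user=bob dept=finance host=fin-srv-2 bytes_out=1800
2024-03-06T17:30:00 user=bob dept=finance host=fin-srv-2 bytes_out=2200
2024-03-08T09:00:00 user=bob dept=finance host=fin-srv-1 bytes_out=1900
"""

# Constructed events to score: one normal, one "stolen credential" pattern,
# one host that is new for alice but common in her peer group, one unknown user.
NEW_LOG = """\
2024-03-15T10:12:00 user=alice dept=finance host=fin-srv-1 bytes_out=1250
2024-03-15T02:40:00 user=alice dept=finance host=hr-db bytes_out=48000
2024-03-16T10:00:00 user=alice dept=finance host=fin-srv-2 bytes_out=1200
2024-03-16T11:00:00 user=carol dept=finance host=fin-srv-1 bytes_out=1000
"""


def parse(line):
    """Parse one constructed log line into a dict of typed fields."""
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return {
        "ts": datetime.fromisoformat(ts),
        "user": fields["user"],
        "dept": fields["dept"],
        "host": fields["host"],
        "bytes_out": int(fields["bytes_out"]),
    }


def build_baselines(lines):
    """Learn what is 'normal' per user and per department (peer group)."""
    per_user = defaultdict(lambda: {"hosts": set(), "hours": set(), "bytes": []})
    per_dept = defaultdict(lambda: {"hosts": set(), "bytes": []})
    for ev in map(parse, lines):
        u = per_user[ev["user"]]
        u["hosts"].add(ev["host"])
        u["hours"].add(ev["ts"].hour)
        u["bytes"].append(ev["bytes_out"])
        d = per_dept[ev["dept"]]
        d["hosts"].add(ev["host"])
        d["bytes"].append(ev["bytes_out"])
    return per_user, per_dept


def score_event(ev, per_user, per_dept):
    """Return (risk, reasons); each deviation from the user's own or the peer group's baseline adds points."""
    score, reasons = 0, []
    u = per_user.get(ev["user"])
    d = per_dept.get(ev["dept"])
    if u is None:
        return 50, ["user has no baseline"]  # never seen before: cannot be compared
    if ev["host"] not in u["hosts"]:
        if d and ev["host"] in d["hosts"]:
            score += 10  # peers use it, so mildly unusual rather than alarming
            reasons.append("host new for user but known to peer group")
        else:
            score += 40
            reasons.append("host never seen for user or peer group")
    if ev["ts"].hour not in u["hours"]:
        score += 20
        reasons.append(f"login hour {ev['ts'].hour:02d} outside user's baseline")
    mu, sigma = mean(u["bytes"]), pstdev(u["bytes"]) or 1.0
    z = (ev["bytes_out"] - mu) / sigma
    if z > 3:
        score += 30
        reasons.append(f"bytes_out z-score {z:.1f} against user baseline")
    return score, reasons


def score_log(lines, per_user, per_dept, alert_at=50):
    """Score every event; anything at or above alert_at would be raised for review."""
    results = []
    for ev in map(parse, lines):
        risk, why = score_event(ev, per_user, per_dept)
        results.append({"user": ev["user"], "host": ev["host"], "risk": risk,
                        "alert": risk >= alert_at, "reasons": why})
    return results


def demo():
    """Build baselines from BASELINE_LOG and score NEW_LOG."""
    per_user, per_dept = build_baselines(BASELINE_LOG.strip().splitlines())
    return score_log(NEW_LOG.strip().splitlines(), per_user, per_dept)


if __name__ == "__main__":
    for r in demo():
        flag = "ALERT" if r["alert"] else "ok   "
        print(f"{flag} risk={r['risk']:3d} {r['user']}@{r['host']} {'; '.join(r['reasons'])}")
```

Run it and the second event (alice, 02:40, an unknown host, forty times her usual outbound volume) scores 90 and is flagged, while the first is 0 and the third, a host her peers use, scores only 10. The point values are deliberately simple; a real deployment would weight and tune them against its own data, but the structure, a per-identity baseline, a peer-group baseline, and additive deviation scoring, is what lets the detection work without any signature of the attacker's tooling.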
With nearly 973 million pieces of malware currently in circulation, it’s clear we should move beyond legacy, signature-based detection methods. It’s time to follow the lead of progressive security leaders who recognize the power and benefits of behavior analytics and incorporate UEBA into our cybersecurity portfolios.