The most common defense mechanism in today’s network environments is signature-based defense or threat detection. Indicators of compromise (IOCs) are a cornerstone of this defense strategy. Once virus signatures and IP addresses – along with MD5 hashes of malware files, URLs, domain names of botnet command and control servers – are identified as an IOC, their distinct characteristics provide the vital data for signature-based defense against future attacks. These signatures are regularly updated into intrusion detection systems and security software. These IOC’s are the “known bad” activity of attackers. Unfortunately, they are not the only source of threats. Consider these two facts:
- The AV-TEST Institute registers over 390,000 new malicious programs every day
- 97% of malware is unique to a specific endpoint, rendering signature-based defense security virtually useless (Webroot, 2015)
It’s a well-known fact that the endpoint, the human factor, is the most prevalent target for nefarious actors, whether through malware, phishing, social engineering or other means. With this massive volume and velocity of new threats targeting the endpoint, how can signature-based defenses keep up?
Signatures are no longer effective or sufficient for prevention in today’s landscape. While IOCs are useful in forensic reviews and mapping an attack, security leaders must start thinking in a completely different way when it comes to defending their environments (and many are) to balance out prevention and detection. This is why User and Entity Behavior Analytics (UEBA) is becoming so important.
UEBA doesn’t depend on signatures, but instead focuses on identity and behavior. And unlike signature databases, UEBA does not need to be updated continually on a millisecond basis for it to be effective. So while nefarious actors may succeed in stealing someone’s credentials, they cannot hide their behavior. In UEBA, identity is tied to the context of legitimate user behavior established over an extended period of time and correlated with peer groups. So if an attacker succeeds in compromising a target environment, their behavior will quickly be detected as an anomaly because of the baseline behavior established by the legitimate user. The subsequent digital exhaust created by the intruder will in turn generate UEBA risk scores and set off alerts which elicit prompt attention and targeted remediation.
With more than 550 million pieces of malware currently in circulation, it’s clearly time to put legacy, signature-based detection methods on the back burner. It’s time to follow the lead of progressive security leaders that have recognized the power and benefits of user behavior analytics — and incorporated it into their security portfolio.