April Newsletter 2019

Quote of the Month

More cowbell, baby!

Chuck Fontana, VP, Corporate & Business Development at Okta


The Backstory

Earlier this month we sponsored Oktane19, Okta’s annual user conference. If you’ve never attended, it’s one of the more compelling conferences because they put on an excellent show. They have celebrated speakers, a well-organized exhibit hall, product training sessions and high end entertainment. We were happy to be there to showcase our security analytics integration with Okta.

Risk Based Authentication

Our integration with Okta facilitates risk based authentication. This was a big theme at Oktane19, and something Gurucul has been offering for years. We calculate a real-time risk score based on user outlier behavior percentage, resident user risk and reputation, and data or transaction risk classification. We pass this score to Okta, which can then be used to make real-time authentication and access decisions, while simplifying the user experience and enhancing security.

For example, if a user with a low-risk reputation initiates an application session from a usual location with a known device, the run-time risk score would be low risk. As a trusted user, access would be granted without requiring a password. If the same user then begins accessing unusual information or conducting anomalous transactions (i.e., foreign funds transfer to several accounts not seen before), these are abnormal behaviors for the user. The real-time risk score would increase, potentially to high risk, which would require multi-factor authentication or the account might be suspended. If the user is medium risk, the application could actively limit available functionality and data.

It Takes a Village, or Rather a Symphony

At one of the keynotes, Chuck Fontana, VP Corporate & Business Development, equated running the Okta Integration Network with conducting a symphony. Specifically, he was talking about the launch of the new Apps for Good program within the Okta for Good campaign. Apps for Good are pre-built, easily-configured integrations that make it easier than ever for companies and employees to donate time, money, expertise, and more.

It’s a wonderful program. Chuck’s pitch was that we could do more good with more people taking more action. And, the Apps for Good program makes it easy for Otka customers, employees and partners to take giving action. That’s when he said, you know what we really need? “More cowbell, baby!” He was referring to the need for everyone in the audience to chime in and take action. His Okta Integration Network needs more cowbell for Apps for Good. That got us thinking…

Sometimes, More is Better

We’ve all heard the saying, “Less is more.” This is appropriate in many circumstances. Less talking during a movie is better. Less words in a sentence is optimal. Definitely less stress in a work day is essential. And, less dialogue in an action movie is better.

When it comes to data about users and entities, however, more is infinitely better. When you’re trying to establish whether a person or entity is behaving badly, the more data you have about what users and entities are doing, when, where and with what entitlements, the more successful you will be at deciphering bad behavior from anomalous behavior. And, that is the goal of big data security analytics. You’re looking for behavior based signs of malintent. So, the more data you can ingest to get to a decision, the better.

How Much More?

How much behavioral data do you literally have to have before you know for certain a user’s behavior is criminal or simply anomalous? GREAT question! What’s your answer? Is there a specific amount of data, or a specific set of data that will absolutely distinguish between criminal and anomalous behavior?

Security analytics does not discriminate. It wants all your data. Machine learning models on the backend will filter out data that is not needed for specific behavior models, but when we’re trying to figure out what’s going on with a person or an entity, we want all behavior data. This includes Access Data (Login / Identity Information, Access Entitlements, Roles, Groups and Permissions), Resource Event Logs (Authentication, Authorization, Transaction Execution) and Activity Data (DLP, document repositories, other applications). Below is a non-exhaustive list of the types of data Gurucul’s behavior based security analytics platform ingests to uncover criminal behavior:

  • User Data (HR or Customer): Job Title, Manager, Other peer group info, Performance rating
  • Network Authentication Logs
  • AD Event Logs
  • Platform Security Logs
  • VPN Event Logs
  • Endpoint DLP Alerts
  • DLP Gateway
  • CMDB / Configuration Management DB
  • DHCP
  • Privileged Access Management Event Logs
  • Application Event Logs
  • File Server / Document Repository Activity Logs (SharePoint, OneDrive, Box, Documentum, Source Code Control)
  • SIEM / Log Aggregation
  • Network / Packet NetFlow
  • Cloud Infrastructure
  • IDM Integration
  • Physical Building Access / Physical Security Logs
  • Unix LDAP Groups
  • AD / Windows Groups
  • Application Roles, Groups, Entitlements
  • Segregation of Duties Rules
  • Data Owner Context
  • Resource Classification

Behavior Models

Once we have the data, we apply machine learning models to extract intelligence for specific behavior patterns. For predicting insider threats, for example, we have a vast number of behavior models that look for anomalous behavior typical of malicious insiders. Access, activity and resource data is ingested in real-time into our enterprise risk engine which sits on a big data lake. Behavior analytics is applied against all that data to generate 360 degree views of users and entities. This is how we can quickly identify not only anomalous behavior, but risky or criminal behavior.

You need all the diverse data points to paint the broader picture. That’s when you catch bad behavior. And, it’s easy to spot with the right data sources and the most mature machine learning models. Contact us for details. This is our special sauce and what we do better than anyone else at scale. The bigger, the better when it comes to security analytics!


Nearly 75% of RSA Attendees Surveyed Said They Are Vulnerable to Insider Threats

Gurucul Research Study Found that Human Error and Malicious Insiders Pose Greater Risk than Account Compromise

Gurucul announced the results of a survey on insider threats conducted at the recent RSA Conference.

Almost 75% of the more than 650 international IT professionals canvased said they are vulnerable to insider threats, and ranked user error (39%) and malicious insiders (35%) ahead of account compromise (26%) as their leading concern. Small enterprises reported being least vulnerable, while manufacturing companies led all sectors for being exceedingly vulnerable. Meanwhile, nearly half of respondents said they can’t detect insider threats before data has left the organization.

machine learning models

Wipro Security Incident Underscores MSP Vulnerability

A Wipro security incident involving an advanced, persistent phishing campaign has brought additional attention to MSP vulnerabilities

Saryu Nayyar, CEO at Gurucul, a cybersecurity company in El Segundo, Calif., suggested cases like Wipro point to the need for a holistic view of user and device activity.

“Account compromise attacks like this one at Wipro resemble an insider threat from a detection standpoint,” she said in a statement. “Therefore, unless an organization is monitoring the entire system stack, they won’t be able to identify subtle behavior anomalies that are indicators of account compromise. Since hackers will exploit whatever accounts they can successfully compromise to break into the organization including user accounts, system accounts [and] service accounts … it’s critical to actively monitor not just user activity, but also device and identity behavior.”

Read More

Manufacturing Sector Most Vulnerable to Insider Threats

Almost three quarters of the 650+ international IT professionals Gurucul canvassed said they are vulnerable to insider threats, and ranked user error (39%) and malicious insiders (35%) ahead of account compromise (26%) as their leading concern.

Small enterprises reported being least vulnerable, while manufacturing companies led all sectors for being exceedingly vulnerable. Meanwhile, nearly half of them said they can’t detect insider threats before data has left the organization.

“Insider threats have emerged as the leading concern for companies of all sizes because they are so difficult to detect and have the potential to inflict the greatest damage to an organization,” said Saryu Nayyar, CEO of Gurucul.”

Read More

What’s New On Our Blog

ABCs of UEBA: E is for Entity. ABCs of UEBA: E is for Entity. The “E” in UEBA stands for “Entity” – User and Entity Behavior Analytics. Traditional entities include servers, desktops, laptops, tablets, printers, routers and mobile phones. However, with the onslaught of Internet of Things (IoT) devices, there are a whole lot of new entities to be monitored with UEBA. What do we mean by Entity Behavior Analytics? Read on… Read More.
Insider Threat Survey Report: RSA 2019 Insider Threat Survey Report: RSA 2019. At the 2019 RSA Conference, Gurucul conducted an Insider Threat Survey. We wanted to get a sense for just how prevalent the Insider Threat is in the minds of the practitioners. 671 international IT professionals responded, which is incredible! The Gurucul Insider Threat Survey Report contains the survey questions and results.Read More.
Look at Risk as More of a Compass Than a Watch Look at Risk as More of a Compass Than a Watch.  We had a great week at RSAC 2019, and a highlight of the week was a well-attended CISO roundtable moderated by the original CISO, Steve Katz. At some point during the conversation, Steve made the comment, “Look at risk as more of a compass than a watch.” A wise observation. Do you know where you’re headed as you map out your risk mitigation strategy? Read More.
A Security Evolution: Taking Security Beyond SIEM with Gurucul Security Analytics A Security Evolution: Taking Security Beyond SIEM with Gurucul Security Analytics. If you came by our booth at RSA Conference 2019, you probably sat down for a short presentation exploring Gurucul’s behavior-based security analytics and how it differs from a SIEM. Read our blog to learn how Gurucul is leading an evolution from black box analytics to machine learning and risk scores! Read More.

Join Us

Health-ISAC 2019 Spring Summit. May 13​-17​, 2019​. Ponte Vedra Beach, FL. Gurucul will have a panel of healthcare customers presenting at this year’s Summit on “Behavior Based Security Analytics Best Practices”. Join us!

Infosecurity Europe. June 4​-6​, 2019​. London. Join Gurucul in the US Pavilion in booth #140. We will be showcasing our Behavior Based Security Analytics platform.

Gartner Security & Risk Management Summit. June 17​-20​, 2019​. National Harbor, MD. This is the year’s most valuable information update and networking opportunity for CISOs and security, risk and resilience professionals.

 

Share this page: