Organizations are becoming increasingly digital in their operations, products and services offerings, as well as with their business methods. This means they are introducing more technology into their environment. At the same time, they have shrunk their IT shops – in particular, their infosec teams – and have less visibility into their environment and operations. While they are trying to do more with fewer staff, they are also falling behind in terms of tracking potential security alerts and understanding how attackers enter their networks. Unfortunately, threats are more complex as criminals use a variety of paths such as web, email, mobile, cloud, and native Windows exploits to insert malware and steal a company’s data and funds.
There has to be a better way, and one strategy is for enterprises to be more effective at managing their digital risk by better detecting changes in user behavior. The ideal situation is to do this through both adaptive authentication and more advanced security and information event management systems (SIEMs) that use continuous detection to monitor a wide collection of server logs, user movements, and data flows.
The concept of a SIEM was first coined by Mark Nicolett and Amrit Williams of Gartner in a 2005 report. Those days seem so simple in the light of today’s events. The pair defined a typical SIEM to examine real-time event management that could be correlated to historical data.
So, what has happened in the intervening years? For one thing, users continue to behave badly and continue to be the weakest link in any security solution. Phishers have gotten better at targeting their prey: this recent FBI report is just one of many indicators of how prevalent this has become. Second, hackers are using a combination of threats to penetrate networks, and as mentioned above, tracking the various techniques can be difficult. Some exploits combine dozens of different attack methods, the equivalent of testing out several digital doorknobs until one provides entry. Third, users are awash in trying to manage their passwords. Sadly, many of them continue to use weak or duplicate (or both) passwords for their numerous accounts. Finally, enterprises have become more focused on cloud and online services. This in turn increases their attack surface and hackers are quick to leverage this exposure.
Let’s look at these two approaches to managing digital risk in more detail. First is the concept of adaptive authentication (AA). The basic idea is that instead of using multiple authentication factors, security vendors are employing specialized methods for particular situations when authentication is required. In the past, IT would force a user-initiated event, such as typing in a PIN code or passphrase, for logins. AA has a user pass through a series of security hurdles to gain access to particular features or actions.
At first glance, this seems to add a burden on the user to gain access to their applications. But the brilliance behind AA is to seamlessly integrate authentications so that users aren’t even aware of the additional authentication hurdles. This means the authentication process is keeping track of the user’s location, their particular device, their biometric data, their keyboard typing cadence, and so forth. All of these characteristics are being tracked in near-real-time, so that the user is being constantly assessed as to whether they really are who they are supposed to be.
At the heart of AA is what is called user and entity behavior analytics (UEBA). The software has built-in tools to correlate all this data and decide on whether the genuine user or an imposter is at work. Software ties together machine learning techniques with log and traffic analysis to make these decisions. While a hacker can steal a user’s password, they can’t duplicate how a user behaves on his or her phone or tablet, or how they navigate around your enterprise network infrastructure. For example, if a user ordinarily downloads 10 MB of daily data and one day logs in and downloads several gigabytes instead, that condition could be flagged as a potential threat or as an indication of a potentially compromised account.
Authentication products have had risk scoring algorithms for years. What is different about AA is that these scores change over time – actually, they change continuously – and cover multiple dimensions and circumstances. They also make any user impersonation and account takeovers very difficult to pull off. In the past, authentication was a very binary decision: is this login legit? But with AA the user is being evaluated continuously across this spectrum of differing behaviors, as he or she picks up and discards various digital devices and moves around in the world to accomplish their daily computing lives.
The same underlying principles behind AA are also found in the more modern SIEM tools. In this case, instead of looking at user behavior, we look at establishing norms for network traffic and usage patterns. Earlier SIEMs focused on detecting real-time threats and were mostly about correlating security and event logs. The newer tools are looking at longer-term trends to identify hackers that might be living in our networks for days or months and try to identify the full range and reach of an attack. In essence, advanced SIEMs use user behavior to protect us over longer time periods, while AA uses user behavior to screen out immediate issues. They both have the same kinds of risk scoring techniques, just applied in different contexts.
The best advanced SIEMs incorporate big data and machine learning tools to create these risk scores and complement the existing SIEM monitoring tools and rule sets that you already have in place. Frost and Sullivan suggest the following criteria to look for in purchasing an advanced SIEM:
- Automation tools to understand context of data collected
- Monitoring workflow and network anomalies
- Metadata analysis to understand blended and complex threats
What does this mean for the role of the security operations center and enterprise IT security managers with both of these kinds of products?
First, we have to keep our eye on the prize: minimizing IT risks. The longer we depend on firewall rule sets, anti-malware screens and other outdated tools, the less protected our enterprises will be. Having both evolved SIEMs and AA products in place helps to increase our network defenses against attackers.
Second, we have to understand the scope and limitations of our existing security protective tools. Rapid7 learned from one survey that more than half of organizations can only investigate between one and ten alerts per day. However, most of the respondents’ SIEMs generate more than ten daily alerts. We need automation to help filter out false positives and provide the necessary focus to real security threat indicators. Linking these multiple security events together is the Rosetta Stone to understanding how hackers have entered our networks, and keeping them out.
Finally, we still have users as the weakest link in our networks. No tool is going to prevent someone from inadvertently clicking on a phishing link or using their computer on a public network. We need to better track user behavior more than ever.
“Taking a risk-based approach is imperative to set a target level of cybersecurity readiness,” Gartner's research director Rob McMillan said. “Raising budgets alone doesn’t create an improved risk posture."
# # #
Author: David Strom
Category: RSA Point of View, Blog Post
Keywords: Authentication, Evolved SIEM, Digital Risk, UEBA, Adaptive Authentication