According to the Verizon 2015 Data Breach Investigations Report (DBIR), 60 percent of the time, attackers were able to compromise an organization within minutes. Meanwhile, in more than 75 percent of the cases, the average time to discover breaches was measured in days. These findings indicate a growing “detection deficit” between attackers and defenders. Verizon sees this as one of the primary challenges to the security industry today and going forward.
For incident responders, the time a threat spends in one position, area, or stage of a process, for example the interval between when a compromise occurs and when it is discovered, is called dwell time. Reducing dwell time is critical to successfully preventing or resolving a cyber incident.
The primary reason for the long delays in breach discovery reported by Verizon is that we are still very much focused on defending against intrusions. A new and more effective approach to quickly decoding cyber incidents is needed, one that enables us to understand the complex activities occurring on our networks and what “good” cyber activity looks like. To accomplish this, we need to start at the source of all network activity: the behaviors of users and of entities or devices.
Why focus on behaviors? It’s well documented that users are the weakest link in the security chain and pose the highest risk to our computing environments. Yet, knowledge of user behaviors is where we typically have the least amount of visibility, especially into what users are accessing and their patterns of usage. Active engagement in monitoring, detecting and deriving insight into user access and usage patterns can foretell risky activity. Identifying early warning signs is critical for protecting against sophisticated threats including malicious insiders and external attackers that have hijacked legitimate user accounts.
Let’s examine the steps for implementing activity- and usage-centric incident response.
As a starting point, review all security-related data that is being collected by any form of logging. To make sense of this data, establish a baseline of which user access and usage activities are being logged and which are not. This will expose any glaring blind spots in collection schemes.
Next, apply analytic techniques to understand the data that has been collected and determine what “good behavior” looks like. This will make it easier to isolate user behaviors that are suspicious and should be monitored or investigated. Examples of suspicious behavior may include inappropriate use of elevated access privileges, or more latent threats, such as data breaches.
This should be followed by continuous monitoring of behavioral data in order to assess user access and usage within “trackable” peer groups. The use of peer groups places behaviors in context and helps to expose “outliers” based on the roles each user performs in comparison to other members of their department, project or work group.
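The three steps above, worked through on constructed data, as an added example that is not from the article or from Verizon: it inventories which expected log sources produced no events (the collection blind spots), builds a per-department baseline of how many distinct resources each user touched, and scores each user against their own peer group with a robust median/MAD score so that a single heavy user cannot inflate the baseline they are measured against. The log format, the host names, the department names and the 3.5 threshold are all assumptions made for this example.

```python
import re
from collections import defaultdict
from statistics import mean, median

# Constructed sample access log; the line format is an assumption, not a real product's.
SAMPLE_LOG = """\
08:00 vpn01 user=alice dept=finance resource=vpn-gw
08:02 fs01 user=alice dept=finance resource=/fin/q2-report
08:05 fs01 user=alice dept=finance resource=/fin/budget
08:10 fs01 user=bob dept=finance resource=/fin/q2-report
08:12 fs01 user=bob dept=finance resource=/fin/budget
08:20 fs01 user=carol dept=finance resource=/fin/q2-report
08:21 fs01 user=carol dept=finance resource=/fin/budget
08:22 fs01 user=carol dept=finance resource=/fin/payroll
09:00 fs01 user=dave dept=finance resource=/fin/q2-report
09:01 fs01 user=dave dept=finance resource=/fin/budget
09:02 fs01 user=dave dept=finance resource=/fin/payroll
09:03 fs01 user=dave dept=finance resource=/eng/source
09:04 fs01 user=dave dept=finance resource=/hr/reviews
09:05 fs01 user=dave dept=finance resource=/legal/contracts
09:06 fs01 user=dave dept=finance resource=/exec/board
10:00 fs01 user=erin dept=eng resource=/eng/source
10:01 fs01 user=erin dept=eng resource=/eng/builds
10:05 fs01 user=frank dept=eng resource=/eng/source
10:06 fs01 user=frank dept=eng resource=/eng/builds
10:07 fs01 user=frank dept=eng resource=/eng/specs
10:10 fs01 user=grace dept=eng resource=/eng/source
10:11 fs01 user=grace dept=eng resource=/eng/builds
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<source>\S+) user=(?P<user>\S+) "
    r"dept=(?P<dept>\S+) resource=(?P<resource>\S+)$"
)

def parse_log(text):
    """Parse each line into a dict; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def collection_gaps(events, expected_sources):
    """Step 1: expected log sources that never produced an event (blind spots)."""
    seen = {e["source"] for e in events}
    return sorted(set(expected_sources) - seen)

def resources_per_user(events):
    """Step 2: baseline feature, distinct resources touched per user, grouped by dept."""
    touched = defaultdict(lambda: defaultdict(set))
    for e in events:
        touched[e["dept"]][e["user"]].add(e["resource"])
    return {dept: {u: len(r) for u, r in users.items()} for dept, users in touched.items()}

def modified_z_scores(values):
    """Robust score based on median and MAD, so one outlier cannot inflate its own baseline.
    If MAD is 0 (most peers identical) fall back to mean absolute deviation; if that is
    also 0, every peer scores 0.0 instead of dividing by zero."""
    med = median(values.values())
    devs = [abs(v - med) for v in values.values()]
    mad = median(devs)
    if mad > 0:
        return {u: 0.6745 * (v - med) / mad for u, v in values.items()}
    mean_ad = mean(devs)
    if mean_ad > 0:
        return {u: (v - med) / (1.253314 * mean_ad) for u, v in values.items()}
    return {u: 0.0 for u in values}

def peer_group_outliers(events, threshold=3.5):
    """Step 3: score each user against their own department; return those above threshold."""
    flagged = []
    for dept, counts in resources_per_user(events).items():
        for user, score in modified_z_scores(counts).items():
            if score > threshold:
                flagged.append((dept, user, counts[user], round(score, 2)))
    return sorted(flagged)

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("blind spots:", collection_gaps(evs, ["fs01", "vpn01", "db01"]))
    for hit in peer_group_outliers(evs):
        print("outlier:", hit)
```

On this data the database server `db01` is reported as a blind spot because no events reference it, and only `dave` in finance is flagged: he touched seven distinct resources, several outside his department's share, while his peers touched two or three. In engineering, `frank` touched one more resource than his peers but stays below the threshold, which is the point of scoring against a peer group rather than a global average.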