RESTON, VA – Security, it turns out, is all about layers, where if one layer fails, there are secondary and tertiary and a long line of backup defenses. This is neither new nor revolutionary. It’s why castles had moats, drawbridges and parapets; it’s also why prisons have cells, walls and gates.

When you move from the physical world to cyberspace, the idea of a layered approach remains, but it becomes more complicated and abstract. In a briefing at the Raytheon Cyber Security Summit, Avivah Litan, a vice president and distinguished analyst at Gartner, listed seven layers of context-aware behavioral analytics. These operate not only as a system of fail-safes but can also be deployed to help IT security teams differentiate between relevant and irrelevant network anomalies, a problem that has been cited in a number of recent breaches.

In a session titled “Winning the Breach War with Behavioral Analytics,” Litan explained that many large organizations are flooded with security alerts to the point that the alerts become meaningless. Security teams at Comcast, for example, were at one point receiving more than 100,000 security alerts per hour, she said. Litan noted the giant telecom managed to trim that number down to 100 such alerts per hour by focusing on context-aware behavioral analytics.

In order to properly secure themselves, organizations need to gather transactional authentication information as well as behavioral information about the context in which those transactions take place. Companies should build profiles on users, accounts, clients, contractors, and others associated with the business. They should build databases of proactive rules with blacklists for future transaction authentication. In other words, when a transaction comes in, companies need to run it against the profile database and incorporate external information about bad IP blocks so they can see each transaction in context.
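The transaction check described above, as an added example that is not code from the talk or from Gartner: each incoming transaction is scored against the account's own profile (countries, devices and typical amount seen before) and against an external list of bad IP blocks, and only transactions that were allowed feed back into the profile, so that fraud never teaches the baseline. The profiles, blocklist ranges, transactions, weights and cut-offs are all constructed assumptions.

```python
import copy
import ipaddress

# Constructed account profiles (stand-ins, not real data): what each account usually looks like.
PROFILES = {
    "acct-1001": {"countries": {"US"}, "devices": {"fp-a1"}, "avg_amount": 120.0},
    "acct-1002": {"countries": {"US", "CA"}, "devices": {"fp-b7"}, "avg_amount": 800.0},
}

# Constructed external blocklist (RFC 5737 documentation ranges) standing in for a feed of bad IP blocks.
BAD_IP_BLOCKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

# Constructed transactions to run through the check.
TRANSACTIONS = [
    {"id": "t1", "account": "acct-1001", "country": "US", "device": "fp-a1", "amount": 95.0, "ip": "192.0.2.10"},
    {"id": "t2", "account": "acct-1001", "country": "RO", "device": "fp-z9", "amount": 110.0, "ip": "192.0.2.44"},
    {"id": "t3", "account": "acct-1002", "country": "US", "device": "fp-b7", "amount": 9000.0, "ip": "203.0.113.7"},
    {"id": "t4", "account": "acct-9999", "country": "US", "device": "fp-q2", "amount": 40.0, "ip": "192.0.2.9"},
]

# Assumed weights and cut-offs; a real deployment tunes these against its own fraud history.
WEIGHTS = {"no_profile": 40, "new_country": 30, "new_device": 20, "amount_spike": 25, "bad_ip_block": 50}
STEP_UP_AT, BLOCK_AT = 30, 60


def in_bad_block(ip, blocks=BAD_IP_BLOCKS):
    """True when the source address falls inside any externally reported bad block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in block for block in blocks)


def score_transaction(txn, profiles, blocks=BAD_IP_BLOCKS):
    """Judge one transaction against the account's history plus external IP intelligence.

    Returns (score, reasons); reasons are the profile rules that fired."""
    reasons = []
    profile = profiles.get(txn["account"])
    if profile is None:
        reasons.append("no_profile")  # nothing to compare against: treat as new, not as trusted
    else:
        if txn["country"] not in profile["countries"]:
            reasons.append("new_country")
        if txn["device"] not in profile["devices"]:
            reasons.append("new_device")
        if txn["amount"] > 5 * profile["avg_amount"]:
            reasons.append("amount_spike")
    if in_bad_block(txn["ip"], blocks):
        reasons.append("bad_ip_block")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(score):
    """Map a score onto allow / step-up authentication / block."""
    if score >= BLOCK_AT:
        return "block"
    if score >= STEP_UP_AT:
        return "step_up"
    return "allow"


def update_profile(profile, txn, alpha=0.1):
    """Fold an allowed transaction into the profile (exponential moving average for amount)."""
    profile["countries"].add(txn["country"])
    profile["devices"].add(txn["device"])
    profile["avg_amount"] = (1 - alpha) * profile["avg_amount"] + alpha * txn["amount"]


def evaluate_all(transactions=TRANSACTIONS, profiles=PROFILES):
    """Run every transaction in order; only allowed ones update the (copied) profiles."""
    profiles = copy.deepcopy(profiles)  # leave the module-level sample data untouched
    decisions = {}
    for txn in transactions:
        score, reasons = score_transaction(txn, profiles)
        verdict = decide(score)
        decisions[txn["id"]] = (verdict, score, reasons)
        if verdict == "allow" and txn["account"] in profiles:
            update_profile(profiles[txn["account"]], txn)
    return decisions, profiles


if __name__ == "__main__":
    for txn_id, outcome in evaluate_all()[0].items():
        print(txn_id, outcome)
```

Because the profile for acct-1001 is only updated after t1 is allowed, t2 is judged against an amount baseline that already reflects t1, while its new country and new device still push it to step-up authentication; t3 is blocked on the combination of an amount spike and a source address inside a reported bad block.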

Using this system, Litan argues, there likely would have been no Target breach nor would there have been an Edward Snowden affair.

Specifically, Litan described the use of context-aware behavioral analytics for data security with the following seven steps:

First, there must be as much endpoint-focused protection as possible. This should obviously include malware defense, but also less obvious features. Litan mentioned “bio printing,” which looks at how users type and use their mouse, and taking into account where a log-in is taking place. The latter, she said, can be done by mobile location tracking and device fingerprinting, making sure network access is coming from predictable locations and that one device isn’t logging into several accounts suspiciously. She also mentioned phone printing, which analyzes acoustic information to determine whether someone is spoofing caller ID and location information.

The second layer examines network behavior, keeping an eye out for anomalous activity that might suggest the presence of malware or botnet traffic.

The third and fourth layers, she said, are increasingly linked. One watches the behavior of each individual, creating profiles of that behavior, while the other monitors that behavior and how it changes from device to device. In this way, organizations can compare real-time behavior with a profile of past user behavior to flag anomalous activity.

The fifth layer incorporates big-data analytics to identify suspect activities by culling data from third party sources. For example, Litan explained that criminals will create counterfeit doctor identities, then set up and incorporate fake medical clinics. Once they have done this, the criminals can purchase patient insurance identifications and bill those patients’ insurers for procedures that aren’t being performed. This accounts for massive losses that we all pay for in the end, Litan explained. However, using big data analytics, insurance providers and law enforcement may notice that a bunch of doctors are setting up clinics in middle-of-nowhere office malls and running more brain scans than there are people in the area.

The sixth layer incorporates external threat intelligence. Organizations can invest in threat and identity intelligence; integrate external security intelligence and blacklists, networked relationships and history; and draw on news feeds to determine whether contractors, competitors or other associated firms are being targeted, as well as public records from credit bureaus, social networks and sentiment analyses. There are companies, Litan claimed, that collect data about account and device history to make sure that accounts aren’t associated with previous frauds. Other companies can pay to access these services, and this can be valuable, according to Litan, because criminals are often lazy, using the same accounts and IP blocks across multiple attacks.

The seventh layer is all about alert management. Security teams need to bring all the layers together so that they are receiving relevant alerts.

Using this system, Litan argues, the Target breach and Snowden disclosures could have been avoided. This is why:

Citing her own understanding of events, Litan said that Target believed its cardholder information and its contractor network were completely separate entities. Very briefly put, attackers compromised the networks of an HVAC contractor and used that access to steal shared credentials via Active Directory, access the networks containing payment information and install malware on Target’s point-of-sale processing servers. All this shouldn’t have escaped the gaze of IT security teams, but they were reportedly inundated with irrelevant security alerts.

Had Target followed the seven steps, Litan explained, it would have noticed contractor accounts acting abnormally. It would also have noticed abnormal file movement, namely payment data traveling to a server it shouldn’t have. It would have flagged administrative accounts uploading software to the point-of-sale servers and distributing it to the terminals. Big data analysis might have revealed common abnormal activity across its point-of-sale infrastructure. And incorporating external intelligence very well could have detected the signature of the BlackPOS malware that was installed on its systems as well as on the systems of a number of other retail companies.

As for the Snowden affair: Snowden is said to have logged into NSA networks during non-business hours for the official purpose of creating a disaster prevention system for Booz Allen Hamilton under an NSA contract. That he logged in during off hours may or may not have been truly anomalous considering his job. However, he is also said to have borrowed between 20 and 25 passwords from his colleagues and managed to achieve super root level privilege. He then downloaded 1.7 million files from NSA networks to a USB stick. Litan claimed that, in general, someone creating a disaster prevention system wouldn’t be downloading massive amounts of files to a USB stick.

Under the seven steps, Snowden may or may not have been flagged for abnormal access stemming from the actual times he logged into networks. However, there was definitely a good deal of abnormal file transfer activity when he downloaded 1.7 million files to a USB stick in Hawaii. He probably should and would have been flagged for achieving super root level access at NSA headquarters in Maryland. Abnormal account usage across some 25 peer accounts all linked to Snowden’s IP address would have almost certainly triggered alarms had the proper ones been implemented.

In the end, Litan recommends the prioritization of assets and information needed for protection and the implementation of behavior analytics. Companies must build baseline behavior profiles, not only for individual employees, contractors and clients, but also for devices and other entities as well as peer groups – in order to flag behaviors that may not be abnormal with respect to the individual but are abnormal compared to other people performing similar tasks in an organization.
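An added example (not code from Litan's talk or from Gartner) of the per-user and peer-group baselines described in the Target and Snowden walk-throughs and in the recommendation just above, run over a constructed access log: off-hours logins are judged against each user's own history, so a night-shift user is not flagged; an action a user has never performed before, such as gaining root, is flagged; the volume copied to removable media is compared with the user's peer group rather than only with the user's own past; and a single source address logging into many accounts is reported. The record layout, user names, thresholds and the leave-one-out z-score are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed access records (not data from the Target or NSA incidents):
# (timestamp, user, source_ip, peer_group, action, bytes)
BASELINE = [  # ordinary history, compressed to a few rows per user
    ("2014-05-01T22:10:00", "alice", "10.1.1.5", "ops", "login", 0),        # alice works nights
    ("2014-05-01T23:40:00", "alice", "10.1.1.5", "ops", "copy_to_usb", 55_000),
    ("2014-05-02T01:05:00", "alice", "10.1.1.5", "ops", "login", 0),
    ("2014-05-01T09:02:00", "bob", "10.1.1.6", "ops", "login", 0),
    ("2014-05-01T14:30:00", "bob", "10.1.1.6", "ops", "copy_to_usb", 48_000),
    ("2014-05-01T09:25:00", "carol", "10.1.1.7", "ops", "login", 0),
    ("2014-05-01T13:10:00", "carol", "10.1.1.7", "ops", "copy_to_usb", 61_000),
    ("2014-05-01T09:15:00", "dave", "10.1.2.5", "analyst", "login", 0),
    ("2014-05-01T10:20:00", "dave", "10.1.2.5", "analyst", "copy_to_usb", 25_000),
    ("2014-05-01T09:30:00", "erin", "10.1.2.6", "analyst", "login", 0),
    ("2014-05-01T11:00:00", "erin", "10.1.2.6", "analyst", "copy_to_usb", 28_000),
    ("2014-05-01T09:45:00", "frank", "10.1.2.7", "analyst", "login", 0),
    ("2014-05-01T10:05:00", "frank", "10.1.2.7", "analyst", "copy_to_usb", 40_000),
    ("2014-05-01T09:50:00", "gina", "10.1.2.8", "analyst", "login", 0),
    ("2014-05-01T09:55:00", "gina", "10.1.2.8", "analyst", "copy_to_usb", 22_000),
]
CURRENT = [  # the day under review
    ("2014-05-10T22:30:00", "alice", "10.1.1.5", "ops", "login", 0),
    ("2014-05-10T23:50:00", "alice", "10.1.1.5", "ops", "copy_to_usb", 60_000),
    ("2014-05-10T09:05:00", "bob", "10.7.7.7", "ops", "login", 0),
    ("2014-05-10T14:00:00", "bob", "10.1.1.6", "ops", "copy_to_usb", 50_000),
    ("2014-05-10T09:10:00", "carol", "10.7.7.7", "ops", "login", 0),
    ("2014-05-10T13:00:00", "carol", "10.1.1.7", "ops", "copy_to_usb", 65_000),
    ("2014-05-10T02:30:00", "dave", "10.1.2.5", "analyst", "login", 0),
    ("2014-05-10T02:40:00", "dave", "10.1.2.5", "analyst", "sudo_root", 0),
    ("2014-05-10T03:00:00", "dave", "10.1.2.5", "analyst", "copy_to_usb", 4_000_000_000),
    ("2014-05-10T09:20:00", "erin", "10.7.7.7", "analyst", "login", 0),
    ("2014-05-10T11:30:00", "erin", "10.1.2.6", "analyst", "copy_to_usb", 30_000),
    ("2014-05-10T09:40:00", "frank", "10.7.7.7", "analyst", "login", 0),
    ("2014-05-10T10:10:00", "frank", "10.1.2.7", "analyst", "copy_to_usb", 45_000),
    ("2014-05-10T09:50:00", "gina", "10.1.2.8", "analyst", "login", 0),
    ("2014-05-10T10:00:00", "gina", "10.1.2.8", "analyst", "copy_to_usb", 20_000),
]


def build_profiles(records):
    """Per-user baseline: login hours seen and actions seen (assumed profile shape)."""
    profiles = defaultdict(lambda: {"hours": set(), "actions": set()})
    for ts, user, _ip, _grp, action, _b in records:
        profiles[user]["actions"].add(action)
        if action == "login":
            profiles[user]["hours"].add(datetime.fromisoformat(ts).hour)
    return profiles


def first_seen(profiles, records):
    """Flag a login hour, or an action, this user has never shown in their own baseline."""
    flags = []
    for ts, user, _ip, _grp, action, _b in records:
        p = profiles.get(user, {"hours": set(), "actions": set()})
        hour = datetime.fromisoformat(ts).hour
        if action == "login" and hour not in p["hours"]:
            flags.append((user, "hour", hour))
        if action not in p["actions"]:
            flags.append((user, "action", action))
    return flags


def peer_group_outliers(records, action="copy_to_usb", z=3.0, floor=0.1):
    """Compare each user's total for `action` with peers in the same group (leave-one-out z-score).

    The spread is floored at floor*peer_mean so a group of near-identical peers does not
    produce a zero-tolerance threshold."""
    totals = defaultdict(lambda: defaultdict(int))
    for _ts, user, _ip, grp, act, b in records:
        if act == action:
            totals[grp][user] += b
    flags = []
    for grp, per_user in totals.items():
        for user, value in per_user.items():
            peers = [v for u, v in per_user.items() if u != user]
            if len(peers) < 2:
                continue  # too few peers to define "normal for this role"
            m = mean(peers)
            threshold = m + z * max(pstdev(peers), floor * m)
            if value > threshold:
                flags.append((user, grp, value, round(threshold)))
    return flags


def shared_source_ips(records, max_accounts=3):
    """Report source addresses that logged into more distinct accounts than expected."""
    users_by_ip = defaultdict(set)
    for _ts, user, ip, _grp, action, _b in records:
        if action == "login":
            users_by_ip[ip].add(user)
    return {ip: users for ip, users in users_by_ip.items() if len(users) > max_accounts}


def run(baseline=BASELINE, current=CURRENT):
    """Apply all three detections to the day under review and return their findings."""
    profiles = build_profiles(baseline)
    return {
        "first_seen": first_seen(profiles, current),
        "peer_outliers": peer_group_outliers(current),
        "shared_ips": shared_source_ips(current),
    }


if __name__ == "__main__":
    for rule, hits in run().items():
        print(rule, hits)
```

Alice's late-night login passes because her own profile says that is her norm, which is the point the Snowden discussion makes about off-hours access; Dave's 2 a.m. login and first-ever root action are flagged against his own history, while his copy volume is flagged only because it dwarfs what other analysts move, not because of anything in his own past. A real deployment would also baseline the distinct-account count per source address, since a known NAT gateway or VPN concentrator legitimately fronts many users.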

Companies also must correlate alerts and events across monitoring systems to generate better context and situational awareness. Anomaly detection needs to be informed in part by external threat information and threat actor identification information. Lastly, she said, organizations need to align with processes and acquire skills and expertise to make these plans a reality.
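An added example (not from the talk or from Gartner) of the alert correlation the previous paragraph calls for, and of the seventh layer's alert management: constructed alerts from an identity provider, an endpoint agent, a DLP system and a network IDS are de-duplicated, grouped per entity into incidents bounded by a time window, scored, and only incidents corroborated by more than one monitoring system or carrying a top-severity alert are handed to an analyst. The system names, severity scale, window and scoring are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alerts from four monitoring systems (not real data):
# (timestamp, system, entity, rule, severity 1-5)
ALERTS = [
    ("2014-05-10T02:31:00", "idp", "dave", "login_offhours", 2),
    ("2014-05-10T02:31:00", "idp", "dave", "login_offhours", 2),       # duplicate delivery
    ("2014-05-10T02:41:00", "edr", "dave", "privilege_escalation", 4),
    ("2014-05-10T03:02:00", "dlp", "dave", "usb_bulk_copy", 5),
    ("2014-05-10T09:05:00", "idp", "bob", "login_new_ip", 1),
    ("2014-05-10T09:06:00", "ids", "host-17", "dns_nxdomain_burst", 1),  # noisy rule
    ("2014-05-10T09:07:00", "ids", "host-17", "dns_nxdomain_burst", 1),
    ("2014-05-10T09:08:00", "ids", "host-17", "dns_nxdomain_burst", 1),
    ("2014-05-10T15:10:00", "idp", "dave", "login_new_ip", 1),           # hours later: separate incident
]


def dedupe(alerts):
    """Collapse repeats of the same (system, entity, rule) into one alert with a count.

    Simplification: this merges across the whole input; production code would also bound it by time."""
    merged = {}
    for ts, system, entity, rule, sev in alerts:
        t = datetime.fromisoformat(ts)
        key = (system, entity, rule)
        if key not in merged:
            merged[key] = {"system": system, "entity": entity, "rule": rule,
                           "severity": sev, "first": t, "last": t, "count": 1}
        else:
            m = merged[key]
            m["first"], m["last"] = min(m["first"], t), max(m["last"], t)
            m["severity"] = max(m["severity"], sev)
            m["count"] += 1
    return sorted(merged.values(), key=lambda a: a["first"])


def correlate(alerts, window=timedelta(hours=2)):
    """Group de-duplicated alerts per entity; a gap longer than `window` starts a new incident."""
    by_entity = defaultdict(list)
    for a in dedupe(alerts):
        by_entity[a["entity"]].append(a)
    incidents = []
    for entity, items in by_entity.items():
        current = None
        for a in items:
            if current is None or a["first"] - current["end"] > window:
                current = {"entity": entity, "alerts": [], "systems": set(),
                           "start": a["first"], "end": a["last"]}
                incidents.append(current)
            current["alerts"].append(a)
            current["systems"].add(a["system"])
            current["end"] = max(current["end"], a["last"])
    for inc in incidents:
        # Assumed scoring: severities add up, and each extra corroborating system adds 3.
        inc["score"] = sum(a["severity"] for a in inc["alerts"]) + 3 * (len(inc["systems"]) - 1)
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


def triage(incidents):
    """Only incidents seen by two or more systems, or carrying a top-severity alert, reach an analyst."""
    return [i for i in incidents
            if len(i["systems"]) >= 2 or max(a["severity"] for a in i["alerts"]) >= 5]


def summary(alerts=ALERTS):
    """(raw alerts, incidents after correlation, incidents handed to an analyst)."""
    incidents = correlate(alerts)
    return len(alerts), len(incidents), len(triage(incidents))


if __name__ == "__main__":
    for inc in correlate(ALERTS):
        print(inc["entity"], inc["score"], sorted(inc["systems"]),
              [(a["rule"], a["count"]) for a in inc["alerts"]])
    print("raw / incidents / for analyst:", summary())
```

Nine raw alerts become four incidents, of which one reaches an analyst: the three systems that each saw one piece of Dave's activity agree on the same entity within the same window, which is exactly the context a single alert stream cannot provide. The same collapse is what lets the noisy DNS rule on host-17 show up once with a count of three rather than three times.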

Comment (1)

Stephen Dodson, Prelert

Good post. The 7 layer description resonates with what we are hearing from customers, and how some of them are thinking about addressing this problem.

An issue is ‘how to implement context behavioral analytics?’. Based on this, here are some of our observations from the field:

Initially, there needs to be collection of sufficient data to capture behavior and context. Whilst this is obvious, it is often the first step in implementation. For example, without data associated with ‘bio or phone printing’ these behaviors cannot be captured.

At the second layer, to “examine network behavior keeping an eye out for anomalous activities” without generating the 100,000s of alerts per day is non-trivial. Normal behaviors are complex, and traditional rules are not dynamic or descriptive enough to capture behaviors without high false positive and false negative rates. Fortunately, this is an area where machine learning can be applied effectively to capture these behaviors and significantly reduce the false alert rate.

At the 3rd and 4th layers, in a real environment there may be 100,000s of users and devices with different normal behaviors. Comparing current behavior to historic behavior for one user can be difficult as there are multiple attributes that define ‘normal’ and then temporal behavior can vary significantly. For example, what may be normal at 1pm on Monday may not be normal at 1am, etc. This difficulty for one user is amplified by scale, as if incorrect behavior modeling for one user results in 1 false positive, then 100,000 users create 100,000 false alerts. Again, accurate, scalable machine learning based on the correct input feature vector can be effective.

The 5th and 6th layers are also clearly significant. Despite the claims, machine learning cannot differentiate benign from malicious anomalies. Expert knowledge in terms of intelligence and feedback can be applied in conjunction with machine learning to create a complete solution.

Finally, in the 7th layer, bringing together alerts into a meaningful ‘insight’ then ‘incident’ is challenging. Even with machine learning, threat intelligence and expert knowledge, the value of correlation, search and navigation should not be overlooked in empowering security teams with context aware accurate information.
