As attackers become more sophisticated, your organization needs increased visibility into what's happening on its computer networks. Advanced attacks can be carried out over months or even years, so security teams need to act quickly when a foe eventually does tip his hand.
One way to do that is to deploy the powerful combination of user and entity behavioral analytics with endpoint monitoring, detection, and response. Through a combination of machine learning, artificial intelligence, big data, and analytics, behavioral analytics can identify malicious activity and blunt or stop cyberattacks.
Fernando Montenegro, principal analyst for information security with 451 Research, said the data is used to identify changes in behavior that are suspicious enough to be flagged for follow up.
"It's about defining a user baseline, which is difficult. It's not an exact science."
—Fernando Montenegro
Here's how your organization can use behavioral analytics to tackle advanced threats.
Behavioral analysis' key indicator
A cornerstone of behavioral analysis is that all malicious attacks have one thing in common: They all exhibit behavior that's different from normal behavior on a network or system. By targeting this abnormal behavior, security teams can detect malicious attacks before they can get fully off the ground.
If you see someone in finance running reconnaissance-type commands such as "whoami" or "ipconfig," pay attention. The same activity from someone in engineering may be less suspicious, said Greg Foss, a senior threat researcher with VMware Carbon Black, but it should still be investigated.
"This should rightfully raise some alarms. Paying attention to small details that are specific to your infrastructure can be a game-changer."
—Greg Foss
In a similar vein, endpoint detection and response technology monitors an organization's endpoints and proactively hunts for threats with advanced algorithms and behavioral analysis.
Needed: A rich source of data
Among all the sources of data scrutinized by user and entity behavioral analytics (UEBA), endpoint data is the richest, said Stephan Jou, CTO of Interset, a security analytics company owned by Micro Focus.
There are scenarios, such as privilege escalation, that are difficult to detect without endpoint monitoring, he said. With rich endpoint data ingested to run behavioral analytics, UEBA "gains more context around individual user and entity behaviors, thus shedding light on various threat indicators."
This new user information—abnormal login frequency, date or time of work, and people using unusual machines—"adds valuable context to help identify threats that might otherwise go unseen," he said.
"With the right user context, credential abuse, adversary surveillance, lateral movement, data exfiltration, and more can be detected efficiently and effectively."
—Stephan Jou
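The department-relative command baseline Foss describes and the unusual-machine signal Jou mentions can be sketched in a few lines; the Python below is an added illustration, not code from the article or from any vendor named in it. The endpoint event records, department mapping, reconnaissance watchlist and the 5% rarity threshold are all constructed for the example.

```python
from collections import Counter, defaultdict

# Hypothetical watchlist of reconnaissance-type commands (constructed).
RECON_CMDS = {"whoami.exe", "ipconfig.exe", "net.exe", "nltest.exe"}

# Constructed historical endpoint telemetry used to learn the baseline.
HISTORY = [
    {"user": "alice", "dept": "finance", "host": "FIN-01", "cmd": "excel.exe"},
    {"user": "alice", "dept": "finance", "host": "FIN-01", "cmd": "outlook.exe"},
    {"user": "bob", "dept": "finance", "host": "FIN-02", "cmd": "excel.exe"},
    {"user": "carol", "dept": "engineering", "host": "ENG-01", "cmd": "whoami.exe"},
    {"user": "carol", "dept": "engineering", "host": "ENG-01", "cmd": "ipconfig.exe"},
    {"user": "carol", "dept": "engineering", "host": "ENG-01", "cmd": "code.exe"},
    {"user": "dave", "dept": "engineering", "host": "ENG-02", "cmd": "ipconfig.exe"},
]

# Constructed new events to evaluate against that baseline.
NEW_EVENTS = [
    {"user": "alice", "dept": "finance", "host": "FIN-01", "cmd": "whoami.exe"},      # recon from finance
    {"user": "carol", "dept": "engineering", "host": "ENG-01", "cmd": "whoami.exe"},  # routine for engineering
    {"user": "bob", "dept": "finance", "host": "ENG-02", "cmd": "excel.exe"},         # machine bob never used
]

def build_baseline(events):
    """Per department: how often each command runs. Per user: which hosts they use."""
    dept_cmds, user_hosts = defaultdict(Counter), defaultdict(set)
    for e in events:
        dept_cmds[e["dept"]][e["cmd"]] += 1
        user_hosts[e["user"]].add(e["host"])
    return dept_cmds, user_hosts

def score_event(event, dept_cmds, user_hosts, min_share=0.05):
    """Return the reasons an event deviates from baseline; an empty list means nothing to flag."""
    reasons = []
    cmds = dept_cmds.get(event["dept"], Counter())
    total = sum(cmds.values())
    share = cmds[event["cmd"]] / total if total else 0.0  # fraction of the department's commands
    if event["cmd"] in RECON_CMDS and share < min_share:
        reasons.append(f"recon command {event['cmd']} is rare for {event['dept']} ({share:.0%} of baseline)")
    if event["host"] not in user_hosts.get(event["user"], set()):
        reasons.append(f"{event['user']} has not used host {event['host']} before")
    return reasons

def detect(history, new_events):
    """Learn the baseline from history, then return (user, reasons) for each deviating new event."""
    dept_cmds, user_hosts = build_baseline(history)
    scored = [(e["user"], score_event(e, dept_cmds, user_hosts)) for e in new_events]
    return [(user, reasons) for user, reasons in scored if reasons]

if __name__ == "__main__":
    for user, reasons in detect(HISTORY, NEW_EVENTS):
        print(user, "->", "; ".join(reasons))
```

The same engineering command that is noise for Carol becomes an alert for Alice only because the baseline is computed per department, which is the "specific to your infrastructure" detail Foss is pointing at.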
Monitoring tools also expose what's happening on the endpoints themselves. They can reveal facts about creating new files, launching processes, and accessing the registry, "which can all be signs of malicious activity," said Ekaterina Kilyusheva, head of information security analytics at Positive Technologies.
However, endpoint monitoring alone can't give security teams the kind of visibility they need to nip threats in the bud. The raw data it produces just increases the size of the haystack in which adversaries can hide, said Amol Kulkarni, chief product officer at the security company CrowdStrike.
"It needs to be coupled with behavioral analytics, to contextualize the telemetry and create actionable alerts by correlating diverse event streams across the environment."
—Amol Kulkarni
Gaining critical visibility
Nevertheless, endpoint monitoring remains important to understanding the threat landscape facing an organization.
"It allows security professionals to gain more visibility over important entry points which may be vulnerable to threat actors."
—Stephan Jou
This critical visibility over all network devices helps prevent hackers from exploiting gaps within your security architecture, he said. It also helps security professionals gain a better understanding of where they can improve their security posture—before damage is done.
But visibility isn't enough. You need to have real-time visibility to get ahead of attacker behavior.
"If only a snapshot of a potential cyber incident is presented to security teams, they lose the ability to get a comprehensive view into the attack cycle, which hinders better cyber hygiene and preparedness."
—Amol Kulkarni
Endpoint monitoring is necessary to obtain information about activity at the end nodes of the system that cannot be detected by auditing the network infrastructure. But to get a complete picture of the threat landscape, data about the end nodes alone is not enough.
"You also need to use network traffic analysis tools that complement the picture of what is happening in the infrastructure and allow you to see those events that go beyond the scope of the monitoring tools on the end nodes."
—Ekaterina Kilyusheva
Make analytics a team player
As powerful as behavioral analysis can be in thwarting sophisticated attacks, it's most powerful when teamed with other security systems.
"Behavioral analytics will not replace existing security systems."
—Greg Foss
Instead, it augments existing security infrastructure by providing context that can be leveraged for investigations and response.
Behavioral analytics and endpoint monitoring are made more powerful when combined with tools such as SIEM (security information and event management) and SOAR (security orchestration, automation, and response), Jou said.
"In today’s world, it’s extremely hard to rip and replace an existing security system, so intelligent UEBA and endpoint detection and response tools need to be able to simply integrate into an organization with things like cloud deployments and a seamless user experience."
—Stephan Jou
However, advanced analytics is an incredible augmentation to correlation, and a powerful tool for threat hunters, Jou said. "As this realization becomes more pervasive, solutions will become more tightly integrated and converged."