WHY TODAY’S SECURITY MEASURES JUST DON’T CUT IT
THE SECURITY CHALLENGES that businesses face on a daily basis are innumerable. In fact, we’ve spent the last thirty years securing all things imaginable – firewalls, antivirus, access and identity controls, biometrics, GRC, etc. However, today’s “hackers” are smarter than ever and companies need a more efficient way to stronghold their data.
For a hypothetical example, let’s take Bob, a systems administrator in a major bank with access to most of the core systems in FX trading. He’s become disenchanted recently after a string of average performance reviews and is thinking about setting up his own niche FX platform with a friend in another bank. He thinks that with the bank’s existing trading model and some adaptations they can create a smart little business.
He’s been downloading the models and sample data sets over the last few weeks (at the end of the day) to a private sandbox virtual machine (VM) that he created – while making his day job changes to the core platform backups and permissions.
BUT WHAT ABOUT ALL THE LAYERS OF SECURITY CONTROLS?
He was working within his role. As part of his responsibilities, he had system administrator access to search, copy and save data. He was allowed to access those data sets. He was allowed to copy data. However, neither security information and event management (SIEM) nor governance, risk management and compliance (GRC) would flag a change in his behavior.
In essence, the firewalls, antivirus, access and identity controls, biometrics and GRC were all doing what they were meant to, but because Bob was acting within his role, the systems would not have flagged any breach: his data usage stayed within the constraints set by policy.
SO WHERE WAS THE GAP?
None of these systems were able to spot the change in behavior: the emergence of a new, internal and highly capable “threat actor” who had started to deviate from the way his peers were using the systems. This was clearly a change from normal behavior, yet he extracted the data he wanted without any alarm bells ringing.
The potential for penetration and the threat to the business remain significant. Behavioral analysis is the key to reacting appropriately to that threat, but the reaction also needs to be a proportionate response, which is the next layer of the challenge.
DETECTING THE ANOMALY
The ability to analyze specific behavior starts with data science. Data science brings not just a set of tools but also people who are savvy with the business context, can interpret what they are seeing and know how to create the algorithms that generate the insight needed to identify the “unknown unknowns”: the people who are acting in role, but abnormally. Applying machine learning to historical behavior and access patterns helps to establish a baseline of what is reasonable and what is a threat.
The advantage of data science and machine learning is that they are not limited to security and access control considerations; they can pull in social media, machine logs, HR data, instant messaging, email and even audio and video data. From this we can learn “allowed and reasonable behavior” across multiple users, and identify what is not “normal” by measuring the deviation from that norm.
So what happens when a potential threat is detected?
CONNECTING DETECTION TO ACTION
One challenge of traditional solutions is that they have alerted either too much or missed the event entirely. Some of the most notable breaches in the retail sector were found to have been detected but the salient information was lost in a sea of beeps. In Bob’s circumstance, the bank’s anomalous behavior detection platform (working in the background) can capture his actions. The machine learning aspects have established how the system administrators in the bank operate and can map changes in Bob’s pattern of behavior based on:
- Anomalous creation of a virtual machine
- Accessing multiple models and IP – no changes, but accessed at close of play each day rather than during the working day
- Multiple data sets being copied without subsequent access
In a traditional approach each of these may have set off a beep on its own and been ignored when looked at individually. By using data science we concentrate on the series of events that together constitute the issue, and alert only when the threat becomes genuine.
Once the anomalous behavior is detected, you have several options: alerting a security team for manual investigation, closing down the user’s access, or alerting their manager. The crucial aspect is to understand the nature of the threat and to ensure that someone reacts to it effectively. In Bob’s case the threat is considered extremely significant and he needs to be directly confronted with the evidence.
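The following is an added illustration, not code from the article or from Capgemini, of the two ideas above: building a peer-group baseline for system administrators and then alerting only when the three indicators listed (VM creation, close-of-play access, copies never used) combine on one user. The audit events, hours, thresholds and signal names are all constructed assumptions.

```python
from statistics import mean
# Constructed audit events (user, hour_of_day, action, resource) for a peer group of
# system administrators; invented sample data for this example, not real bank logs.
EVENTS = [
    ("alice", 11, "copy", "fx_sample_q1"),
    ("alice", 14, "read", "fx_sample_q1"),
    ("carol", 9, "copy", "fx_sample_q2"),
    ("carol", 15, "read", "fx_sample_q2"),
    ("bob", 18, "create_vm", "sandbox-01"),
    ("bob", 18, "copy", "fx_model_v3"),
    ("bob", 19, "copy", "fx_sample_q1"),
    ("bob", 19, "copy", "fx_sample_q2"),
]
OFF_HOURS_START, OFF_HOURS_MARGIN = 17, 0.5  # assumed "close of play" cut-off / tolerance
COPY_MARGIN, MIN_SIGNALS = 1, 2               # assumed tolerance; signals needed to alert

def per_user_features(events):
    """Per-user indicators; a copy is "orphaned" if that resource is never read afterwards."""
    feats = {}
    for user in {e[0] for e in events}:
        mine = [e for e in events if e[0] == user]
        accesses = [e for e in mine if e[2] in ("read", "copy")]
        orphaned = sum(1 for i, e in enumerate(mine) if e[2] == "copy"
                       and not any(f[2] == "read" and f[3] == e[3] for f in mine[i + 1:]))
        feats[user] = {
            "vm_created": any(e[2] == "create_vm" for e in mine),
            "off_hours_ratio": sum(e[1] >= OFF_HOURS_START for e in accesses) / max(len(accesses), 1),
            "orphaned_copies": orphaned,
        }
    return feats

def signals_for(user, feats):
    """Compare one user with the rest of the peer group (leave-one-out) and list fired signals."""
    f, peers = feats[user], [p for u, p in feats.items() if u != user]
    if not peers:
        return []
    peer = lambda key: mean(float(p[key]) for p in peers)  # peer-group baseline
    signals = []
    if f["vm_created"] and peer("vm_created") < 0.5:
        signals.append("anomalous_vm_creation")
    if f["off_hours_ratio"] > peer("off_hours_ratio") + OFF_HOURS_MARGIN:
        signals.append("off_hours_access")
    if f["orphaned_copies"] > peer("orphaned_copies") + COPY_MARGIN:
        signals.append("copies_without_use")
    return signals

def score_users(events):
    """Each signal alone is one more "beep"; alert only when they combine on one user."""
    feats = per_user_features(events)
    return {u: s for u in feats if len(s := signals_for(u, feats)) >= MIN_SIGNALS}
```

Run against the sample, only Bob crosses the combined threshold; Alice and Carol, who copy during the day and then use what they copied, produce no alert at all.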
This would mean:
- First alerting the security team of the threat – this ensures the resolution process is started
- Secondly changing Bob’s security and access controls to prevent him leaving his area
- Thirdly informing his manager of the issue by raising a formal HR process
The objective of anomalous behavior detection using data science is to learn not only about the threats but also to adapt to the most effective way of dealing with them. In this way we are able to build a digital brain for the organisation which doesn’t just sit there ‘beeping’ but provides clear, concise and actionable information to help resolve the situation.
As our data and technology get smarter, so do the people that seek to find ways around the security methods that protect it. For today’s businesses, anomalous behavior detection is not only a good idea, it is a necessity; it is the best preventive measure you can invest in to mitigate the impact of potential threats to your company and its data.
Steve Jones is Director of Strategy for Big Data and Analytics at Capgemini.