Humans are not machines
We have long built our security functions and capabilities around the technical experts we employ to investigate, respond and recover our networks from cyber-attacks. To do so at scale, we have built security operations centres (SOCs), tiered analysis, investigation playbooks and various other processes that can never be consistent or truly effective.
How many times during incidents or exercises have you heard “We didn’t have a use case for that activity.” Or, “We detected it, but it wasn’t escalated correctly by the relevant team.”?
This is because our security teams are human - we cannot define every system, every event of interest and triage and assess those events consistently a thousand times a day. We still need security experts - but we must recognise that to truly investigate and scale, we must augment our experts with machines.
Analyst in a box
What if you could employ an untiring machine to do this? A machine that can not only look at alerts consistently, but correlate those events over days, weeks and months, identifying if something is outside of normal - without becoming bored?
User behaviour analytics, machine learning: both are overused industry buzzwords for ‘blackbox’ solutions. However, these technologies can save a SOC by leveraging the best of both: a skilled security analyst to train the machine and increase the fidelity of the alerts and the machine to untiringly triage the events. Together, they become a powerful solution that enables us to modernise the SOC and reduce our dependence on static content and runbooks.
Why user behaviour analytics?
Whether it’s through red-team exercises, internal pen-testing, external attacks, or in the latest threat report, the commonality in security incidents is often legitimate credentials used in an unexpected or in unusual way; either for privilege escalation, enumeration, credentials dumping or moving latterly within the environment. It is use of credentials in order to facilitate these attacks, that allows user behaviour analytics to model and identify when we step outside of ‘normal’ use.
We have a pattern
Although we may not be consistent as humans, we do have a pattern. It doesn’t matter if that pattern is a regular as clockwork, starting our day at 9 and leaving at 5, or if our pattern is sporadic working across time zones and all hours of the day - the important element is this behaviour can be modelled over a period of days, weeks and months, allowing us to identify how accounts and identities are normally used.
A powerful element of UBA is its establishment of ‘peer groups’ - automatically grouping individuals and system identities that behave in the same way, based on user behaviours and resource access. This is more powerful than relying on static groups to define who is in marketing or working on a specific product or project. We now know what is normal for an identity through system interaction, rather than the definition of static rules.
From this, we can start risk scoring activities such as the first time a new resource is accessed; increased outbound internet activity for a user; system access outside of normal hours. Each one of these events is not necessarily a cause for concern on its own, but coupled together... UBA scores these activities, allowing the analyst to quickly identify activity for investigation.
Through risk scoring activities, we move away from binary alerting and having to treat each alert in the same way; we can now put them in context of all the other system activity automatically. This allows the SOC to focus analytical effort on the alerts that have the greatest impact, conveying the users and events that require investigation to the top. This not only increases the value of the SOC but makes better use of the skills, in both humans and the machine learning capabilities we leverage.
Augmenting our analysts
Bringing this together, UBA gives us the capability to better inform our analysts - to augment the triage of alerts and identify where investigation and expertise can be focused. It is through this augmentation, that we will scale the SOC and maintain effectiveness in dynamic and changing environments in the businesses we protect.
UBA is not a magic bullet, nor a replacement for skilled security analysts - but as we move forward, we must recognise that we cannot ask our security teams to triage machine data as effectively as machines. It is only through leveraging capabilities like UBA, machine learning and automation, that will we improve our focus on the events that require analyst expertise.
This is, of course, a simplification of UBA and its capabilities, but it is a useful mechanism to demonstrate where we can augment our security analysts and improve the effectiveness of the SOC.
Our security operations centres require a blended workforce; highly skilled analysts focusing on high value tasks that are interesting to them and the organisations they protect, coupled with machine learning and user behavioural analytics to trawl through machine logs 24/7/365 to find the needles in the haystack.
