
Part 2 of a Two-Part Interview with Bert Rankin of Fortscale

The Practical Application of User Behavior Analytics

The Evolution of User Behavior Analytics © 2016 Information Security Media Group

Understanding the promise of user behavior analytics is one thing. Deploying them to detect and respond to threats is quite another. Bert Rankin of Fortscale offers tips on practical application of the latest UBA solutions.

The first big challenge for most organizations isn't technical or tactical, says Rankin, who is Fortscale's chief marketing officer. Rather, the challenge is strategic. "[T]hey need time to gain an understanding of how a UBA solution will impact their existing enterprise security architecture and rethink how their architecture will need to change so that their UBA solution provides them with that enhanced posture [and] to consider how UBA can assist them in doing their job, rather than viewing it as a point solution that gets thrown into the mix of other security solutions they use," Rankin says.

In an interview about the practical application of user behavior analytics, Rankin discusses:

• Challenges for organizations deploying user behavior analytics;

• Real-world examples of threats that have been discovered with these solutions;

• How user behavior analytics will evolve in 2016.

With a 30-year career in high-technology management, Bert brings with him proven expertise and leadership in developing innovative, world-class software solutions for enterprise customers in both domestic and international markets.

He comes to Fortscale from ThreatMetrix, Inc., a comprehensive cybercrime prevention solution provider, where he served as chief marketing officer. His accomplishments include managing worldwide functions, increasing revenues fiftyfold, and establishing ThreatMetrix as a premier brand in its field.

Fortscale turns the tables on insider threats by delivering the industry’s most precise, scalable, and extensible user behavior analytics (UBA) solution. Fortscale’s expertise—honed in the Israeli Defense Force—offers unrivaled machine learning, superior big-data analytics capabilities and context-based alerting, along with easy-to-use investigation tools and unmatched user intelligence. Backed by Intel Capital and Blumberg Capital, Fortscale's UBA solution was a finalist in the 2015 RSA® “Innovation Sandbox” competition. For more information, visit www.fortscale.com.

Top Challenges of Deploying UBA Solutions

FIELD: In our first conversation we talked about the evolution of user behavior analytics. I want to get more practical now. What do you find to be the challenges for organizations that are first deploying UBA?

RANKIN: An organization that wants to deploy a UBA solution faces a number of challenges, but the largest challenge is strategic in nature. Most organizations, especially security organizations inside of a large enterprise, will admit to being understaffed. Their workload is off the charts. A UBA solution can enhance their security posture by providing more rapid detection and response capabilities that will help them minimize insider threats and prevent future data breaches. But they need time to gain an understanding of how a UBA solution will impact their existing enterprise security architecture and rethink how their architecture will need to change so that their UBA solution provides them with that enhanced posture. In other words, they need to consider how UBA can assist them in doing their job, rather than viewing it as a point solution that gets thrown into the mix of other security solutions they use.


In addition to these strategic challenges, organizations also face tactical challenges in deploying an effective UBA solution. The physical installation is relatively straightforward, and so there aren't a whole lot of issues to discuss on that end. But when you consider use cases, specifically the types of threats they're looking to protect themselves against, organizations need to figure out if they will be able to have access to the data they need for effective monitoring. Given that these enterprise environments are relatively large and distributed in nature, the ability to access and aggregate that necessary data across the entire organization ends up being a challenge.

Integrating and taking action on the analysis that a UBA solution can provide is perhaps the final key challenge organizations must address. The analytics piece typically is a function of the vendor, and that's where we provide significant value. Our solution produces a prioritized set of alerts that an organization can then evaluate and take action on. But the organizations themselves must be able to integrate those results so that the value that can be extracted from a UBA solution is actually injected into their security workflow.

FIELD: Let’s bring this back to Fortscale. Talk to me a little bit about some real-world examples of your customers and the threats that they’ve discovered when using user behavior analytics.

Fundamental Threat: Policy Violations

RANKIN: The threats our customers discover usually fall into two fundamental areas: policy violations and specific malicious activities. Let me spend some time talking about each one.

We typically see three areas where policy violations affect an organization. By far the policy violation we see most often would be the shared credentials violation. This happens when users figure out they can more effectively do their job by borrowing somebody else's credentials to gain access to a specific system rather than going through the process of getting their own credentials. It becomes very apparent when using a UBA solution because you can see that a given user has been accessing a system much more frequently than they had been historically or that a user has been accessing a system from geographically distributed areas in a manner that’s impossible for them to have physically traveled.


For example, let's say somebody shares credentials with another employee located in London. If I log in at 8:00 AM Pacific Time, and then somebody logs in from London at 8:05 PM Pacific Time on the same day, it's a good indicator that credential sharing is happening. Our UBA solution would generate an alert that the security team could then investigate.

Another policy violation we see is the usage of stale or inactive user accounts that somebody reactivates and begins to use. And then the third is where an individual has access to a sensitive or high-profile application that utilizes sensitive data, such as customer, financial or code repository data. Through the number or duration of times they're logging in, we can see somebody has been attempting to circumvent policies to more effectively complete a specific task or their specific job responsibilities. Once again, we can detect these types of policy violations quickly because we are monitoring specific user actions within the organization. And as those user actions change or evolve, we can alert the security team about these anomalies.

Fundamental Threat: Malicious Activities

Malicious activities fall into a couple of camps. The first one revolves around malicious application access and data exfiltration, especially as it relates to a crown jewel application. As I mentioned [in Part 1, "The Evolution of User Behavior Analytics"] crown jewels are the applications organizations have run their business on for years, were built a number of years ago and tend to be proprietary. A large Fortune 2000 organization may have a few dozen crown jewel applications, which have their own user access and event management logs associated with them because they're concerned about who exactly is accessing those applications and what they're doing when they access them.

The security team wants to know about any anomaly associated with these crown jewel applications - and once again, these are exactly the kinds of alerts that a UBA solution is adept at identifying. An employee accessing an application at an unusual time, downloading data or accessing multiple records in an unusual sequence, these all end up being the kinds of alerts that are extremely important for an organization to understand and to investigate.

The second class of malicious activity involves employees who are disgruntled, looking for corporate trade secrets or looking for information that would be damaging if it were to be published in a more public forum. A UBA solution like ours can monitor an employee's activities as they try to gain access to different servers or applications for this information and spot that type of activity very quickly.
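The credential-sharing signals Rankin describes in the answer above (a user logging in far more often than their history shows, and logins from places they could not have physically travelled between) as an added Python example; this is not Fortscale's code and not part of the interview. It runs three checks over constructed login records: implied travel speed between consecutive logins, logins from a city never seen in the user's baseline, and a jump in daily login rate. The city coordinates, the thresholds and all login data are constructed assumptions. One caveat worth seeing in code: the interview's own 8:00 AM and 8:05 PM Pacific logins are twelve hours apart, and San Francisco to London is roughly 8,600 km, so a pure speed rule with an airliner-speed threshold does not fire for that pair; it is the never-before-seen location that raises the alert, which is why the checks are best read together rather than in isolation.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed coordinates (lat, lon in degrees). A real deployment would
# geolocate the source IP of each login instead of using a fixed table.
CITIES = {
    "San Francisco": (37.77, -122.42),
    "London": (51.51, -0.13),
    "Chicago": (41.88, -87.63),
}


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime  # timezone-aware, UTC
    city: str


def utc(y, m, d, hh, mm=0):
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def _by_user(logins):
    """Group logins per user, each group sorted by time."""
    groups = defaultdict(list)
    for entry in logins:
        groups[entry.user].append(entry)
    for events in groups.values():
        events.sort(key=lambda e: e.when)
    return groups


def impossible_travel(logins, max_kmh=900.0):
    """Signal 1: consecutive logins by one user whose implied ground speed
    exceeds max_kmh (about airliner speed). Returns (user, from, to, hours, km)."""
    alerts = []
    for user, events in _by_user(logins).items():
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(CITIES[prev.city], CITIES[cur.city])
            hours = (cur.when - prev.when).total_seconds() / 3600
            if km > 0 and (hours <= 0 or km / hours > max_kmh):
                alerts.append((user, prev.city, cur.city, round(hours, 2), round(km)))
    return alerts


def new_locations(history, recent):
    """Signal 2: a login from a city never seen for that user in the baseline.
    Returns (user, city, when)."""
    seen = defaultdict(set)
    for entry in history:
        seen[entry.user].add(entry.city)
    return [(e.user, e.city, e.when) for e in recent if e.city not in seen[e.user]]


def frequency_spike(history, recent, factor=3.0):
    """Signal 3: logins per day in the recent window exceed `factor` times the
    user's historical daily mean. Returns (user, recent_per_day, baseline_per_day)."""
    alerts = []
    hist = _by_user(history)
    for user, events in _by_user(recent).items():
        base = hist.get(user)
        if not base:
            continue  # no baseline yet; nothing to compare against
        base_days = max(1, (base[-1].when - base[0].when).days + 1)
        recent_days = max(1, (events[-1].when - events[0].when).days + 1)
        base_rate = len(base) / base_days
        recent_rate = len(events) / recent_days
        if recent_rate > factor * base_rate:
            alerts.append((user, round(recent_rate, 2), round(base_rate, 2)))
    return alerts


# Constructed baseline: alice logs in once each weekday from San Francisco over
# two working weeks (Feb 15-26, 2016); bob once a day from Chicago, Feb 15-26.
HISTORY = [Login("alice", utc(2016, 2, d, 16), "San Francisco")
           for d in (15, 16, 17, 18, 19, 22, 23, 24, 25, 26)]
HISTORY += [Login("bob", utc(2016, 2, d, 14), "Chicago") for d in range(15, 27)]

# Constructed recent window. The interview's 8:00 AM and 8:05 PM Pacific logins
# on March 1 are 16:00 UTC on March 1 and 04:05 UTC on March 2 (PST is UTC-8).
RECENT = [
    Login("alice", utc(2016, 3, 1, 16), "San Francisco"),
    Login("alice", utc(2016, 3, 2, 4, 5), "London"),
    Login("bob", utc(2016, 3, 1, 14), "Chicago"),
    Login("bob", utc(2016, 3, 1, 15), "London"),  # one hour after Chicago
    *[Login("bob", utc(2016, 3, 1, 15 + k), "London") for k in range(1, 6)],
]

if __name__ == "__main__":
    print("impossible travel:", impossible_travel(RECENT))
    print("new locations:", new_locations(HISTORY, RECENT))
    print("frequency spikes:", frequency_spike(HISTORY, RECENT))
```

Run as written, the speed rule fires only for bob (Chicago to London in one hour), the new-location rule fires for alice's London login and for bob's, and the frequency rule fires only for bob (seven logins in a day against a baseline of one). Alice's case is exactly the one in the interview: the alert comes from the unfamiliar location, not from travel speed, so an analyst triaging it would want both signals in the alert context.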

How UBA Solutions Will Evolve

FIELD: Bert, we covered a lot here in terms of the solutions’ capabilities, and certainly we know that behavioral analytics are a buzz in the information security community today. As you look out over the course of the coming year, how do you see UBA solutions evolving beyond even what we’ve discussed today?

RANKIN: UBA solutions will evolve from being viewed as point products to being viewed as an absolutely critical component - kind of the heart and soul - of enterprise security solutions. And that's because they will provide security teams with the analytics and analysis to determine where threats are occurring and when attacks are actually happening.

Today user behavior analytics looks like a capability that enhances the information it sends; however, there are a whole set of additional data sources that a UBA solution could access and will access in the future in order to provide better alerting, as well as a better understanding of the context of anomalies within an organization. For example, external threat and identity intelligence is one area that UBA solutions will increasingly begin to integrate with, providing a better understanding and a better context for the alerts that are being generated.

As I mentioned earlier, the user access logs associated with crown jewel applications are a critical data source for UBA solutions, so the notion of additional data sources providing UBA solutions the ability to better isolate attacks and potential threats is going to happen very quickly, and certainly 2016 is the timeframe when we’ll see a lot of movement in these areas.

Also, in terms of analytics, the sophistication of the machine learning algorithm has advanced very quickly. The whole notion of big data and machine learning being applied to enterprise security is still in its very early stages. And as our install base grows and our exposure to a range of different threats and attacks expands, our ability to understand how to detect those increases very quickly. And all of the users in our install base that gain access to the site expect that. Analytics will continue to improve very quickly, delivering fewer false positives and a better understanding of what is a true threat vs. just unusual employee activity.

And then a couple other areas that I think will be evolving very quickly during 2016 are in the areas of reporting and providing faster response. We're seeing that, as our install base grows, we can produce a set of canned reports that provides high levels of value to our customers, and the information stored in these reports can be shared across our install base and requires little tuning, if any, in order for any of our customers to use them and get valuable information from them. So reporting is going to get better, and then better integration with other security solutions to allow an organization to remediate some threats much faster than they currently can is probably the final area I expect that user behavior analytics solutions will evolve as we move into 2016.

Listen online:

http://www.inforisktoday.com/interviews/practical-application-user-behavior-analytics-i-3031


902 Carnegie Center • Princeton, NJ • 08540 • www.ismgcorp.com

About ISMG

Headquartered in Princeton, New Jersey, Information Security Media Group, Corp. (ISMG) is a media company focusing on Information Technology Risk Management for vertical industries. The company provides news, training, education and other related content for risk management professionals in their respective industries.

This information is used by ISMG’s subscribers in a variety of ways — researching for a specific information security compliance issue, learning from their peers in the industry, gaining insights into compliance related regulatory guidance and simply keeping up with the Information Technology Risk Management landscape.

Contact

(800) 944-0401

[email protected]