Author: Matt Rodgers, VP of Product Management
I was recently asked why fusing devices and users to IP addresses is so important to an analytics system. Our end-users, security analysts, are ultimately working towards identifying specific actions to take based on the behavior signals we alert them to. If we cannot be specific about the user or hosts triggering those behaviors, then we are like a 9-1-1 operator without caller-ID — we might know something bad is happening somewhere, but we don’t know what to do about it.
Within our Fusion Platform, we have chosen a processing window in which we generate a signal for an entity (user + device) or group of entities. Within this window, many things can happen to the entity and to the properties that describe it. For instance, the IP address of the entity can change one or more times.
People Change, So Do Their IP Addresses
At one of our customer sites, when users change floors within the building, they walk from one IP address range to another, so changes in IP address can happen many times within a single hour. Often, control devices in the network are focused on an IP address and they do not have any idea who has been using the network — which user or set of users. This stateless method of logging network activity via IP address is common in firewall, proxy, and netflow data. This stateless ID method made sense to the designers of those logging systems because they had no downstream system to send the data to that could retain or reconstruct state, so stateless one-off logging was the natural choice for them.
Now that we’ve created a mechanized memory for security analysts to take advantage of within our behavioral analytics Fusion Platform, state is much more important. Without it, a user with one IP address and another user re-using that IP address within the same hour can be mistaken as the same entity, or even worse, can be falsely accused of performing behaviors for which they’re not responsible. This is an example of what an analyst would consider a false positive within an analytics system.
To keep signals assigned to the right entity, it’s important to get at least these core properties correct when connecting users and devices to IP addresses, or what we call Entity Fusion.
- IP Address
- Device hardware identifier (This shouldn’t be limited to the MAC address, since there are many communication methods for which a MAC address is insufficient. VMs attached via SDN, for example.)
The point of Entity Fusion as a feature is to leverage the fact the Fusion Platform has access to many entity properties within the logs/data flow to solve this identifying problem for our customers. We now see the connection of users and devices to IP addresses as a requirement for behavioral analytics to assign a quality reference to each signal.
The “Frederick Issue”
This problem has been referred to internally as the “Frederick Issue,” taking the name of the analyst who first described it to us. He described it after a new control device was deployed in-line at his company, which flagged IP addresses that were found to be downloading malware. That malware identification wasn’t the issue. The real trouble came when Frederick was attempting to figure out who the owner of the IP address was at the time of each occurrence.
Frederick would log into Active Directory domain controllers to find logs showing username-to-host mapping. He would then download DHCP logs to determine host-to-IP mapping for each event timestamp, and then finally be able to determine how urgently his Incident Response (IR) team needs to track down the user. If it was the CEO, it would happen immediately. If it was a manager on a manufacturing floor, it might take days to get into IR. This process would take him about 20 minutes per alert.
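The manual procedure above (DHCP for IP-to-host at the event timestamp, then Active Directory logons for host-to-user) and the IP re-use false positive described earlier are both shown in the following example. It is an added illustration, not the Fusion Platform's own code, and it assumes a simplified, constructed set of DHCP lease records and AD logon records rather than real DHCP or domain controller log formats. It contrasts a time-aware lookup with a naive "latest mapping in the hour" lookup to show how the second one misattributes behavior when an address is re-leased within the same hour.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class DhcpLease:
    """One DHCP lease record (constructed shape, not a real server's log format)."""
    start: datetime
    end: Optional[datetime]  # None means the lease is still active
    ip: str
    mac: str
    host: str


@dataclass(frozen=True)
class Logon:
    """One interactive logon as a domain controller would record it (constructed shape)."""
    when: datetime
    host: str
    user: str


@dataclass(frozen=True)
class Entity:
    """The fused result for an alert: which device and user held the IP at that time."""
    ip: str
    mac: Optional[str]
    host: Optional[str]
    user: Optional[str]


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample data: 10.0.1.25 is leased to Alice's laptop, released,
# and re-leased to Bob's laptop five minutes later, all inside the 09:00 hour.
LEASES: List[DhcpLease] = [
    DhcpLease(ts("2023-05-01T09:00:00"), ts("2023-05-01T09:20:00"),
              "10.0.1.25", "aa:bb:cc:00:00:01", "LAPTOP-ALICE"),
    DhcpLease(ts("2023-05-01T09:25:00"), None,
              "10.0.1.25", "aa:bb:cc:00:00:02", "LAPTOP-BOB"),
    DhcpLease(ts("2023-05-01T08:30:00"), None,
              "10.0.1.40", "aa:bb:cc:00:00:03", "WS-FLOOR3"),
]
LOGONS: List[Logon] = [
    Logon(ts("2023-05-01T08:55:00"), "LAPTOP-ALICE", "alice"),
    Logon(ts("2023-05-01T09:24:00"), "LAPTOP-BOB", "bob"),
    Logon(ts("2023-05-01T08:31:00"), "WS-FLOOR3", "carol"),
]


def lease_at(leases: List[DhcpLease], ip: str, when: datetime) -> Optional[DhcpLease]:
    """Return the lease that covered `ip` at instant `when`, or None if no lease did."""
    live = [l for l in leases
            if l.ip == ip and l.start <= when and (l.end is None or when < l.end)]
    return max(live, key=lambda l: l.start) if live else None


def user_at(logons: List[Logon], host: str, when: datetime,
            max_age: timedelta = timedelta(hours=12)) -> Optional[str]:
    """Most recent logon to `host` at or before `when`, ignoring logons older than max_age."""
    recent = [e for e in logons
              if e.host == host and e.when <= when and when - e.when <= max_age]
    return max(recent, key=lambda e: e.when).user if recent else None


def fuse(ip: str, when: datetime,
         leases: List[DhcpLease] = LEASES, logons: List[Logon] = LOGONS) -> Entity:
    """Time-aware entity fusion: IP -> lease (device) -> logon (user), all at the event time."""
    lease = lease_at(leases, ip, when)
    if lease is None:
        # No device held the address then (e.g. in the gap between two leases);
        # better to report "unknown" than to guess and blame the wrong person.
        return Entity(ip, None, None, None)
    return Entity(ip, lease.mac, lease.host, user_at(logons, lease.host, when))


def fuse_stateless(ip: str, when: datetime,
                   leases: List[DhcpLease] = LEASES, logons: List[Logon] = LOGONS) -> Entity:
    """Naive hourly aggregation: whoever held the IP last in the enclosing hour gets blamed."""
    hour_end = when.replace(minute=0, second=0, microsecond=0) + timedelta(hours=1)
    seen = [l for l in leases if l.ip == ip and l.start < hour_end]
    if not seen:
        return Entity(ip, None, None, None)
    lease = max(seen, key=lambda l: l.start)
    return Entity(ip, lease.mac, lease.host, user_at(logons, lease.host, hour_end))


if __name__ == "__main__":
    alert = ("10.0.1.25", ts("2023-05-01T09:10:00"))
    print("time-aware:", fuse(*alert))        # attributes to alice / LAPTOP-ALICE
    print("stateless :", fuse_stateless(*alert))  # wrongly attributes to bob / LAPTOP-BOB
```

The alert at 09:10 is correctly attributed to Alice's laptop by `fuse`, while `fuse_stateless` blames Bob because his lease is the last one seen in that hour; an alert at 09:22, between the two leases, yields an unknown host rather than a guess. Real DHCP and AD logs need parsing first, and a production version would also account for lease renewals and for hosts where several users are logged on at once.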
Entity Fusion is a huge timesaver for security analysts. It automates this whole process, giving folks like Frederick at least half their day back. It’s a byproduct of a quality analytics system, and it happens to solve the “Frederick Issue.” This is why this key feature has been incorporated into the Fusion Platform.