Take a moment to visualize driving your car with a fogged windshield. If you’re like me, you crank the blower and then watch as the road ahead becomes clearer. This experience, translated to enterprise security, illustrates the goal of behavioral analytics tools: they clear the fog around deviations from the norm, surfacing behavior by users, endpoints, hosts, or other entities that might require a security response.
This idea that behavioral analytics tools can make suspicious indicators clearer was a key learning point for me during a recent technical discussion with my industry colleague Ravi Devireddy, Founder and CTO of E8 Security. As former head of security analytics at Visa, Ravi knows that such a benefit for enterprise security teams is best achieved on analysis platforms that support the clever use of learning techniques, both machine-based and human-assisted.
“Through periods of incubation, user entity behavioral analytics tools must act like learning engines that can focus on pattern-based profiles,” he explained to me. “After this initial learning stage, human-assisted guidance can help fine-tune the analysis engine into a truly effective cyber security platform.”
This is a profound observation because it implies that anomalous entity behavior is best detected through assisted learning. The E8 Security Fusion Platform, for example, measures how far observed behaviors depart from profiled norms, while also continuously adjusting those norms as patterns shift. Such learning is as essential for detecting malicious staff in cubicles as it is for detecting malware in heat pumps and wind turbines.
Ravi also shared useful insights about the probabilistic nature of identity in the context of behavioral analytics. That is, all analytics start with identity: every observation must be attributed to some actor, and the algorithms that establish that attribution must be carefully designed.
“The foundational elements of identity,” he said, “include IP address, user IDs, MAC addresses, host addresses, and many other components that help an analyst determine the real identity of some actor.”
Our discussion also covered the importance of scale in any user entity behavioral analytics platform. The E8 Security team has focused considerable effort on supporting security-relevant data of many different types at high volume, using Big Data platforms such as Hadoop as well as SIEMs and log management systems. As analytics expands to IoT, industrial control, and IT/OT, collected data sources will expand to include factory control databases, industrial inventory management systems, and IoT telemetry systems.
Finally, on top of the data collection facility sits the set of advanced analytic tools that automate sifting through reams of collected behavioral telemetry to locate the indicators of anomalous activity that require attention. These tools must include advanced heuristic algorithms, along with the previously mentioned ability to improve continually through learning methods.
“While there may be several behavioral anomalies and patterns identified by the machine learning engine,” Ravi explained, “differentiating between anomalies and threats is important. A clear threat-modeling framework is required to connect disparate anomalies, patterns, and events into specific threat models. This is where we try to differentiate the E8 platform.”
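To make the two ideas above concrete (a profiled norm that keeps adjusting to pattern shifts, and a threat-modeling layer that connects disparate anomalies into a threat), here is an added example. It is not E8 Security's code and says nothing about how the Fusion Platform is built; the feature names, the incubation length, the thresholds, the two threat models and the sample telemetry are all constructed for illustration. Each entity/feature pair gets an exponentially weighted mean and variance; nothing is reported during the incubation period; afterwards each observation is z-scored against the profile, the profile is updated regardless, and anomalies are promoted to a threat only when every feature of a threat model fires for the same entity within a short window.

```python
"""Adaptive behavioral baselines plus threat-model correlation (added example,
not E8 Security's code). Feature names, thresholds, threat models and the
sample telemetry are constructed for illustration."""
from collections import defaultdict, namedtuple
from dataclasses import dataclass
from math import sqrt

FEATURES = ("after_hours_logins", "bytes_out_mb", "distinct_hosts")
INCUBATION = 5     # observations to learn from before any alert is raised
ALPHA = 0.2        # EWMA learning rate for ordinary observations
Z_THRESHOLD = 3.0  # |z| above this is an anomaly
WINDOW_DAYS = 3    # anomalies this close together can form one threat
# Hypothetical threat models: every listed feature must be anomalous for the
# same entity inside the window before a threat is declared.
THREAT_MODELS = {
    "possible_exfiltration": {"after_hours_logins", "bytes_out_mb"},
    "possible_lateral_movement": {"after_hours_logins", "distinct_hosts"},
}

@dataclass
class Profile:
    """Exponentially weighted mean/variance of one feature for one entity."""
    n: int = 0
    mean: float = 0.0
    var: float = 0.0

    def zscore(self, x):
        # Noise floor: a nearly flat baseline must not make small deviations
        # look extreme, so the spread is never below 10% of the mean or 1.0.
        sd = max(sqrt(self.var), 0.1 * abs(self.mean), 1.0)
        return (x - self.mean) / sd

    def update(self, x, anomalous=False):
        self.n += 1
        if self.n == 1:
            self.mean = x
            return
        # Anomalous points are absorbed at a quarter of the normal rate: one
        # spike barely moves the norm, while a sustained shift is still learned.
        a = ALPHA * (0.25 if anomalous else 1.0)
        delta = x - self.mean
        self.mean += a * delta
        self.var = (1 - a) * (self.var + a * delta * delta)

Anomaly = namedtuple("Anomaly", "day entity feature z")

def score_events(events, incubation=INCUBATION, threshold=Z_THRESHOLD):
    """Return anomalies found once each entity/feature profile has incubated."""
    profiles, anomalies = defaultdict(Profile), []
    for ev in sorted(events, key=lambda e: e["day"]):
        for feat in FEATURES:
            prof, x, anomalous = profiles[(ev["user"], feat)], ev[feat], False
            if prof.n >= incubation:  # still learning? then no alert
                z = prof.zscore(x)
                anomalous = abs(z) > threshold
                if anomalous:
                    anomalies.append(Anomaly(ev["day"], ev["user"], feat, round(z, 2)))
            prof.update(x, anomalous)  # the norm keeps adjusting either way
    return anomalies

def build_threats(anomalies, models=THREAT_MODELS, window=WINDOW_DAYS):
    """Connect an entity's anomalies into threats; lone anomalies stay anomalies."""
    by_entity = defaultdict(list)
    for a in anomalies:
        by_entity[a.entity].append(a)
    threats = []
    for entity, items in by_entity.items():
        for name, needed in models.items():
            for pivot in items:
                near = [a for a in items if abs(a.day - pivot.day) < window]
                if needed <= {a.feature for a in near}:
                    days = sorted({a.day for a in near if a.feature in needed})
                    threats.append({"entity": entity, "model": name, "days": days})
                    break  # one report per entity and model
    return threats

def daily(day, user, after_hours, bytes_out, hosts):
    return {"day": day, "user": user, "after_hours_logins": after_hours,
            "bytes_out_mb": bytes_out, "distinct_hosts": hosts}

# Constructed telemetry, one record per user per day. Days 1-5 are ordinary
# activity (the incubation period); days 6-7 hold the behavior of interest.
SAMPLE_EVENTS = []
for d in range(1, 6):
    SAMPLE_EVENTS += [daily(d, "alice", 0, (50, 48, 52, 50, 50)[d - 1], 3),
                      daily(d, "bob", 0, 40, 2), daily(d, "carol", 0, 30, 2)]
SAMPLE_EVENTS += [
    daily(6, "alice", 0, 55, 3),   # a little above norm, inside the floor
    daily(6, "bob", 4, 40, 2),     # after-hours logins appear
    daily(6, "carol", 0, 400, 2),  # one large transfer, nothing else
    daily(7, "alice", 0, 52, 3),
    daily(7, "bob", 0, 900, 2),    # large outbound transfer the next day
    daily(7, "carol", 0, 30, 2),
]

if __name__ == "__main__":
    found = score_events(SAMPLE_EVENTS)
    print(*found, sep="\n")
    print(*build_threats(found), sep="\n")
```

Run on the constructed telemetry, the engine stays silent for days 1 to 5, then flags bob's after-hours logins on day 6, carol's single large transfer on day 6, and bob's large transfer on day 7; only bob's pair of anomalies satisfies the "possible_exfiltration" model, so carol's spike is reported as an anomaly but not a threat, which is the distinction the quote draws. The damped learning rate for anomalous points is this example's own choice: it keeps a one-day spike from dragging the norm while still letting a sustained change become the new baseline. The caveat a practitioner should keep in mind is that any adaptive norm can be walked upward by an actor who raises activity slowly, which is one reason the human-assisted guidance and peer-group comparisons discussed earlier matter alongside the automated baseline.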
If you work for a large company, the use of advanced analytics for cyber security protection likely comes naturally to you and your team. The challenge in our industry is now to extend the scope and applicability of such an advanced capability down-market to a larger segment of the enterprise community. Platforms like the Fusion Platform from E8 Security make this transition simpler and more accessible.
And there are many good resources available to help you. Download Volume 1 of the 2017 TAG Cyber Security Annual and spend a little time reading about the security analytics marketplace. Visit the E8 Security website and read some of the technical briefs on this topic. With the intensity of threats growing every day, developing a better understanding of user entity behavioral analytics is well worth your time.
I look forward to hearing how your learning journey is progressing.
Dr. Edward G. Amoroso is currently Chief Executive Officer of TAG Cyber LLC, a global cyber security advisory, training, consulting, and media services company supporting hundreds of companies across the world. Ed recently retired from AT&T after thirty-one years of service, beginning in Unix security R&D at Bell Labs and culminating as Senior Vice President and Chief Security Officer of AT&T from 2004 to 2016.