Detecting Insiders with Analytics

Roughly a quarter of a century ago, I sent my first book proposal to Greg Doench at Prentice-Hall. I remember Greg wondering aloud whether the world needed another text on computer security, because Dorothy Denning had completed her seminal Cryptography and Data Security ten years earlier. While we eventually moved forward, Greg was absolutely correct to hesitate, if only because of Denning’s amazing reputation.

In case you didn’t know, it was Dorothy Denning – then with SRI International, and now at the Naval Postgraduate School – who basically invented intrusion detection. During the Reagan years, she was explaining how to create “profiles for representing the behavior of subjects with respect to objects in terms of metrics and statistical models.” This was the birth of detecting attacks from behaviors – and the field has come such a long way since.

I had this historical sense of behavioral analytics in mind as I enjoyed a lovely dinner in Manhattan recently with Sachin Nayyar and his fine team at Securonix. Nayyar has a strong background in our industry, having served previously as the Chief Identity Strategist for the now-legendary Sun Microsystems. His expertise is evident in his company’s blending of analytics with identity to reduce the risk of insider threats.

The Securonix solution is best described as a user-entity behavioral analytics platform, one that employs modern machine learning algorithms to draw conclusions about observed activity. It’s a natural descendant of Denning’s original intrusion detection models, because while preserving the original intent – detection of errant activity – it incorporates the best available technology into a modern cyber security approach.

First, the Securonix platform includes clear emphasis on integrating with identity and access management systems – not a surprise, given Nayyar’s background at Sun. This IAM connection allows the platform to learn, for example, to differentiate between good and bad user entitlements, entity accesses, and privilege requests. These are the determinants of potential insider activity, which remains a pretty significant organizational threat.

Second, the platform easily installs into existing enterprise ecosystems, since no modern business is a greenfield. Instead, user entity behavioral analytics demands and supports an unusually high level of integration with the IT and network environment. “We develop connectors to ensure proper collection of behavioral analytic support,” Nayyar said, “and this includes native processing for Hadoop clusters with high performance requirements.”

Third, the Securonix platform focuses on high-quality interfaces for SOC analysts who need to efficiently identify meaningful anomalies while minimizing false alarms. Advanced machine learning algorithms are included in the platform, with the ability to improve the overall processing based on supervised learning. The automation goal is to reduce the labor intensity of humans manually sifting through reams of data.

Finally, the platform’s algorithms include heuristic models for how compromised insiders exploit vulnerabilities. By embedding clever learning solutions that detect unusual entitlements in peer groups, outliers in access certification processes, or anomalous usage of business applications, the Securonix user benefits from years of experience detecting and mitigating IAM exploits, insider and cyber security incidents, and fraud.
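As an added illustration (not Securonix’s code, and not a description of its actual algorithms), here is a minimal peer-group entitlement check of the kind the IAM-driven detection above relies on: each user’s entitlements are compared with how common they are among that user’s peers, and rare ones are surfaced for analyst review. The user names, peer groups, entitlement labels, the 25% rarity threshold and the minimum group size are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample IAM data: (user, peer group, set of entitlements held).
# "dave" in finance holds prod_db_admin, which is routine in eng but rare among
# finance peers; that is the kind of entitlement a peer-group check surfaces.
ACCESS_RECORDS = [
    ("alice", "finance", {"erp_view", "erp_post", "expense_approve"}),
    ("bob",   "finance", {"erp_view", "erp_post"}),
    ("carol", "finance", {"erp_view", "erp_post", "expense_approve"}),
    ("dave",  "finance", {"erp_view", "erp_post", "prod_db_admin"}),
    ("heidi", "finance", {"erp_view", "erp_post"}),
    ("erin",  "eng",     {"repo_write", "prod_db_admin", "ci_deploy"}),
    ("frank", "eng",     {"repo_write", "ci_deploy"}),
    ("grace", "eng",     {"repo_write", "prod_db_admin", "ci_deploy"}),
]


def peer_group_outliers(records, threshold=0.25, min_group_size=3):
    """Return (user, group, entitlement, prevalence) for each entitlement held
    by fewer than `threshold` of the user's peer group (the user counts as a
    member). Groups smaller than `min_group_size` are skipped, because a
    prevalence computed over one or two people is not a meaningful baseline."""
    by_group = defaultdict(list)
    for user, group, entitlements in records:
        by_group[group].append((user, entitlements))

    findings = []
    for group, members in by_group.items():
        size = len(members)
        if size < min_group_size:
            continue
        # How many members of this group hold each entitlement.
        counts = Counter(e for _, ents in members for e in ents)
        for user, ents in members:
            for entitlement in sorted(ents):
                prevalence = counts[entitlement] / size
                if prevalence < threshold:
                    findings.append((user, group, entitlement, round(prevalence, 2)))
    return findings


if __name__ == "__main__":
    for user, group, entitlement, prevalence in peer_group_outliers(ACCESS_RECORDS):
        print(f"review: {user} ({group}) holds {entitlement}, "
              f"held by {prevalence:.0%} of peers")
```

The same entitlement is flagged in one group and not in the other, which is the point of peer-grouping: rarity is judged against comparable users, not against the whole enterprise.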

Clearly, modern behavioral analytics platforms are still evolving, and the reliable detection of nation-state-originated APTs might remain difficult. But with foundations rooted in the work of scientists like Dorothy Denning, UEBA solutions such as the one from Securonix will most definitely reduce enterprise risk. And it certainly does not hurt that the platform provides a fast lane for IAM data – perhaps the most important indicator of insider threat.

Have a look at UEBA and let us all know what you think. I suspect Nayyar and his team will be happy to help you in this regard.