Watch (to Protect) Insiders

First, some definitions: To mitigate cyber threats, you match observations to patternsthat are either known or unknown. The known case involves signatures, and the unknown case involves behaviors. Machine learning applies to both cases. We process signatures using correlation, and we observe behaviors using profiles. To protect end-users, we perform user behavioral analytics. Got all that? Good. Quiz on Tuesday.

The unifying element in these security definitions is that automated tools watch activity in an environment. They try to make sense of the data being collected, and then initiate suitable mitigation and response. And despite all the flashy new cyber security methodologies and approaches introduced in the Expo Halls at RSA, this basic watch-to-protect cadence remains one of the most effective means for reducing cyber risk.

I had this notion of watch-to-protect in mind during a technical exchange last week with the principals of Jazz Networks. The company provides endpoint visibility for user notification and education, human error risk reduction, machine learning-based mitigation during an attack, and forensic support for investigation. I asked the team to share with me the salient aspects of their solution, and here is what I learned:

“Our goal is to shift human beings from being the weakest link,” explained Neena George, who serves as a systems engineer for the company, “to being the front line of defense. We do this via an endpoint solution that implements a suite of machine learning-based, user behavioral analytics (UBA) controls that can identify insider threats and detect security anomalies in fast and efficient manner.”

The Jazz Networks platform starts with the notion of a so-called cyber passport, which is built to include information about the identity, actions, and location of employees. More specifically, a cyber passport includes detailed metadata related to printing, browser, connections, files, DNS, USB usage, login behavior, and application events for employees, as well as WiFi use, on-line status, and Active Directory-related user information.

The UBA function is driven by machine learning algorithms that are designed to learn abnormal activity. Factors influencing such categorization include corporate security policy violations (e.g., connecting to an unsanctioned cloud), external attack indicators (e.g., a sequence of failed logins), and intellectual property theft (e.g., outbound information being sent to an uncategorized Internet site).

Jazz Networks mitigation is done in real-time, with options for advisory response, as well as more consequential action. “We can display messages to prompt end users if something abnormal is detected,” explained Josh Whitham, an account executive with the company. “But we can also lock and isolate an infected computer if we determine that something has been detected, usually malware, that could put the enterprise at risk of further attack.”

Users of Jazz Networks UBA also enjoy power search capability, without need to learn a query language, to support real-time investigations by analysts. Reporting and visualization tools are included to support a variety of different activity views. Traffic flow, application usage, bandwidth volume, and process communications can all be displayed to the analyst to support behavioral investigation.

As an analyst, I’d offer that this type of UBA – often also referred to as user-entity behavioral analytics (UEBA) – is gradually expanding to subsume many adjacent capabilities. Data leakage protection (DLP) has already become an integrated feature in most UBA installations, but increasingly, one might find EDR and SIEM functionality in these platforms. Jazz Networks certainly includes many features indicative of these types of tools.

This is good and bad news for enterprise. On the one hand, integration of complex features into a common platform is excellent. Next-generation security is all about this type of integration (just ask Palo Alto Networks). But on the other hand, teams with existing licensed deployments of SIEMs and DLP – which means everyone, will struggle to balance the decision to use, complement, suppress, or replace such capability with their new UBA.

I’d recommend you consider reaching out to the Jazz Networks team. They have offices in New York, Virginia, Norway, and the UK, so they’re probably sitting in a building somewhere near you. I think this general area of UBA is an important one to include in your program, so connecting up will be well worth your time. And please, as always, share with us what you learn.