Articles / Analyzing the Security Relevant Behaviors of Entities

on 05 Apr 2017

Take a moment and visualize your car with a fogged windshield. If you’re like me, you crank the blower and watch as the road becomes clearer. It is this experience, translated to enterprise security, that illustrates behavioral analytic tools. That is, they clear the fog around deviations from norm, thus clarifying behaviors from users, endpoints, hosts, or other entities that require attention.

That behavioral analytics tools can make indicators clearer was a key insight during a recent technical discussion I had with Ravi Devireddy from E8 Security. As former head of security analytics at Visa, Ravi understands the benefits offered by analysis platforms that support the clever use of heuristic learning techniques, both machine-based and human assisted.

“Through periods of incubation, user entity behavioral analytics tools must act like learning engines that can focus on pattern-based profiles,” he explained to me. “After this initial stage, human assisted guidance can help fine tune the analysis engine into a truly effective cyber security platform.”

This is profound, because it implies that anomalous entity behavior is best detected through assisted learning. The E8 Security platform, for example, measures differences in observed behaviors from profiled norms, but can also maintain a continuous process of adjusting to pattern shifts. Such functionality is as essential for detecting disgruntled insiders in cubicles as it is for detecting malware in wind turbines.

Ravi also shared useful insights about the probabilistic nature of identity in the context of behavioral analytics. That is, all analytics starts with identity, and the algorithms to establish attribution must be carefully designed. “The foundational elements of identity,” he said, “include IP address, user IDs, MAC addresses, host addresses, and many other components that help an analyst determine the real identity of some actor.”

Our discussion also covered the importance of scale in any user behavioral analytics platform. The E8 Security team has focused on supporting security collection at high volume, utilizing Big Data platforms such as Hadoop, as well as SIEMs and log management systems. As the analytics expands to IoT, industrial control, and IT/OT, collected data sources will expand to include factory control databases, industrial inventory management systems, and IoT telemetry systems.

On top of the data collection facility are the advanced analytic tools that automate the process of sifting through reams of behavioral telemetry to highlight subtle indicators of anomalous activity that require attention. These tools must include advanced heuristic algorithms, along with the previously mentioned ability to continually improve through learning methods.

“While there may be several behavioral anomalies and patterns identified by the learning engine,” Ravi explained, “differentiating between anomalies and threats is important. A clear threat modeling framework is required to connect disparate anomalies, patterns and events into specific threat models. This is where we try to differentiate our E8 platform.”

If you work for a large company, then the use of advanced analytics for cyber security protection likely comes naturally to you and your team. The challenge in our industry, instead, is to now extend the scope and applicability of such advanced capability down-market to a larger segment of the enterprise community. Platform like from E8 Security make this transition simpler and more accessible.

Many resources are available to help you learn. For example, download Volume 1 of the 2017 TAG Cyber Security Annual and study my commentary on the security analytics marketplace. You can also visit the E8 Security Website and read technical briefs on this topic. With the intensity of threat growing every day, developing a better understanding of user entity behavioral analytics is well worth your time.

Let me know how your learning journey is progressing.