Uncovering cyber threats: it’s all about the data

Derek Lin, Chief Data Scientist at Exabeam, explores how behavioural analytics can help to uncover cyber security threats hiding in big data.

Keeping sensitive business data secure is proving a top challenge for organisations large and small. As the 2017 Verizon Data Breach Investigations Report confirms, data breaches are becoming a seemingly everyday occurrence, with employees increasingly representing a prime vulnerability point. Verizon’s report reveals how the number of credentials stolen in 2016 jumped considerably compared to previous years; attackers use these valid credentials to blend in and carry out malicious activities while remaining hidden.

Clearly, when it comes to enterprise security, mindsets need to change because relying on threat prevention technologies is no longer enough. What’s needed is a more proactive, data-driven approach that can transform how companies protect their sensitive data.

Threats are hiding in big data

The time it takes for companies to discover a security breach is critical. Breaches can go undetected for weeks or months – it took over a year for the Sony breach to be identified, during which time millions of records were compromised. More often than not, there are multiple telltale signs that an attack is under way. The issue is that companies struggle to sift through the enormous volume of logs and alerts that security technologies produce and to tell what matters.
What security analysts need is a way to use these big data sets to identify uncharacteristic activity as it happens, and ideally before data is compromised. These data sets are made up of activity logs from which a ‘baseline’ of normal user or machine activity can be established. Once that baseline is in place, activity that strays from the norm can be flagged as it happens, so that the security team can investigate and, where warranted, lock down the account in question.

Detecting anomalous behaviour with analytics

User & Entity Behaviour Analytics (UEBA) technologies have emerged to meet this growing need. By leveraging machine learning, UEBA can uncover deviations from normal behaviour and automatically increase a risk score for that user or machine. Once the risk score reaches a certain threshold, the security analyst is notified. This approach helps reduce the time IT teams spend looking into false positives. Machine learning takes much of the work out of sifting through alerts and logs and helps remove ‘alert fatigue’, allowing security analysts to deal with real threats in near real time.

Analysts can review the data along several vectors, for example by user or by individual anomaly, to identify patterns. One anomaly on its own may be of little interest, but an accumulation of anomalies tied to a single user is far more likely to indicate a threat. Similarly, applying data-mining techniques to VPN and activity logs can quickly surface infrastructure access from compromised accounts, while database and file-level access logs help identify abnormal activity against specific accounts and assets – whether the actor is an intruder from outside or an insider.
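The mechanism described above and in the baseline discussion earlier (learn a per-user baseline from a clean window, add a risk increment for each deviation, and alert only when the aggregate crosses a threshold) as an added worked example in Python. This is illustration code written for this page, not Exabeam's product logic; the log format, hostnames, user names, weights and alert threshold are all constructed for the example.

```python
"""Toy UEBA-style scorer: learn a per-user baseline from a clean window, add a
risk increment for each deviation in later activity, and alert once a user's
aggregate score crosses a threshold. Added illustration, not Exabeam's code."""
import copy
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime

# Hypothetical weights and threshold; a real deployment would tune these.
WEIGHTS = {"new_country": 25, "new_host": 15, "unusual_hour": 10,
           "new_action": 10, "volume": 10}
ALERT_THRESHOLD = 60
HOUR_TOLERANCE = 1  # an hour within +/-1 of one seen in training is normal

# Constructed sample logs, format "<ISO timestamp> <user> <host> <action> <country>".
TRAINING_LOG = """\
2017-03-01T09:05:00 alice ws-alice login GB
2017-03-01T09:30:00 alice fileshare-1 file_read GB
2017-03-02T08:55:00 alice ws-alice login GB
2017-03-02T10:10:00 alice fileshare-1 file_read GB
2017-03-01T08:40:00 bob ws-bob login GB
2017-03-02T09:00:00 bob fileshare-2 file_read GB
"""
# Later window: alice's credentials are used from an unfamiliar country at 3 a.m.
EVAL_LOG = """\
2017-03-10T03:12:00 alice vpn-gw login RO
2017-03-10T03:15:00 alice db-prod-1 login RO
2017-03-10T03:20:00 alice db-prod-1 db_query RO
2017-03-10T03:21:00 alice db-prod-1 db_query RO
2017-03-10T03:22:00 alice db-prod-1 db_query RO
2017-03-10T09:02:00 alice ws-alice login GB
2017-03-10T08:58:00 bob ws-bob login GB
2017-03-10T09:20:00 bob fileshare-1 file_read GB
"""

@dataclass
class Profile:  # what "normal" looks like for one user
    hosts: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    hours: set = field(default_factory=set)
    actions: set = field(default_factory=set)
    max_per_hour: int = 0

@dataclass
class UserRisk:
    score: int = 0
    anomalies: list = field(default_factory=list)  # (timestamp, "kind:value")
    alert_at: str = ""  # timestamp of the event that crossed the threshold

def parse(log):
    """Yield (timestamp, user, host, action, country) from the toy format."""
    for line in log.splitlines():
        if line.strip():
            ts, user, host, action, country = line.split()
            yield datetime.fromisoformat(ts), user, host, action, country

def build_baselines(training_log):
    """Per-user baseline: hosts, countries, hours, actions, peak hourly volume."""
    profiles, per_bucket = {}, Counter()
    for ts, user, host, action, country in parse(training_log):
        p = profiles.setdefault(user, Profile())
        p.hosts.add(host)
        p.countries.add(country)
        p.hours.add(ts.hour)
        p.actions.add(action)
        key = (user, ts.strftime("%Y-%m-%dT%H"))
        per_bucket[key] += 1
        p.max_per_hour = max(p.max_per_hour, per_bucket[key])
    return profiles

def score_events(eval_log, baselines):
    """Score later activity; a first-seen deviation adds its weight exactly once."""
    risks, seen, buckets = {}, copy.deepcopy(baselines), Counter()
    for ts, user, host, action, country in parse(eval_log):
        risk = risks.setdefault(user, UserRisk())
        # unknown users get an empty profile, so everything they do scores
        p = seen.setdefault(user, Profile())
        found = []
        for kind, value, known in (("new_country", country, p.countries),
                                   ("new_host", host, p.hosts),
                                   ("new_action", action, p.actions)):
            if value not in known:
                known.add(value)  # remember it so repeats do not re-score
                found.append(f"{kind}:{value}")
        if not any(abs(ts.hour - h) <= HOUR_TOLERANCE for h in p.hours):
            p.hours.add(ts.hour)
            found.append(f"unusual_hour:{ts.hour:02d}")
        bucket = (user, ts.strftime("%Y-%m-%dT%H"))
        buckets[bucket] += 1
        # volume rule fires once, when the hourly count reaches 2x the training peak
        if buckets[bucket] == max(3, 2 * p.max_per_hour):
            found.append(f"volume:{bucket[1]}")
        for tag in found:
            risk.score += WEIGHTS[tag.split(":")[0]]
            risk.anomalies.append((ts.isoformat(), tag))
        if not risk.alert_at and risk.score >= ALERT_THRESHOLD:
            risk.alert_at = ts.isoformat()
    return risks
```

Calling `score_events(EVAL_LOG, build_baselines(TRAINING_LOG))` gives alice a score of 85 with an alert raised at the 03:15 event: the first event (new country, new host, unusual hour) scores 50 and stays below the threshold on its own, and it is the second deviation on the same account that tips it over. Bob's single new-host anomaly scores 15 and never alerts, which is the point of aggregating per user rather than paging on every individual deviation. Two design choices worth noting: each first-seen deviation is scored once and then added to the user's known set, so an attacker who stays on one new host does not keep inflating the score for the same fact; and the training window is assumed clean, so any baseline learned while an intruder was already active will treat that activity as normal.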

Helping to detect ‘unknown unknowns’, UEBA platforms effectively combine big data, machine learning and analytics to deliver a deep understanding of how systems and users behave. And, since cyber criminals are constantly evolving their attack vectors, it’s good to know that the algorithms built into UEBA tools keep on getting smarter too. Focusing only on preventing attacks made sense years ago. However, the modern threat landscape calls for a modern approach to security. Arming teams with the tools to protect networks, alert users to breaches, and minimise the fallout caused by an attack prepares them to address the risks most prevalent today. 

Ultimately, UEBA offers a highly efficient way of detecting both perimeter breaches and insider threats in near real time. Indeed, it’s a big data and analytics technology approach that delivers truly proactive security operations.