Derek Lin, Chief Data Scientist at Exabeam explains why adopting a people-centric approach to network security can significantly reduce the risk of breaches
The rising tide of cyber threats has placed the issue of network security in the spotlight. These days, protecting against insider and external threats has become a business imperative – one that has seen IT teams employ traffic flow monitoring and threat analysis tools in a bid to beef up network defences.
Despite these investments, security breaches continue to take place with alarming regularity. That’s because phishing, whaling, credential compromise and malicious insider threats all have one thing in common: human vulnerabilities. For a phishing attack, the user clicks on a suspicious link while in the case of a malicious insider, an individual chooses to steal company data. Ultimately, the success of these attacks depends on the susceptibility of people.
With hackers now actively targeting users in order to infiltrate the enterprise, IT teams can no longer rely on simply monitoring network traffic alone. What’s needed is a more people-centric approach that monitors user behaviours too.
Who is accessing the network – and why?
Today’s mobile and cloud-enabled workers hold multiple IDs giving them access rights to a plethora of applications and systems; everything from a standard Windows ID to accounts for SAP, Salesforce.com and Oracle. Throw BYOD into the mix and tracking ID for each user in one central location becomes nigh on impossible 3Ž4 makings it difficult to know, with certainty, precisely who is accessing the network.
But that’s not all. Without centralised asset monitoring in place, IT teams will have limited visibility of exactly what assets are held on the network. So, while it may be able possible to ascertain who is accessing which server, it will be difficult to know what other sensitive information is being held on that same server.
What’s more, even when IT teams are able to track who’s accessing what on the network it’s unlikely they could say for sure if this constitutes a ‘normal’ or ‘suspicious’ behaviour, since network flow monitoring won’t capture the contextual data required to answer such a question.
The good news is that machine-learning technologies can help address all these issues, giving IT teams the visibility they need to improve security practices.
Utilising user behaviour intelligence
Machine learning techniques can address the challenge of identity-based threats by providing a complete picture of all user behaviour, whether it’s risky or not, and a complete view of all activity on the enterprise network.
So, when an employee logs in from their office desk using their personal credentials and later in the day logs in remotely via a personal device from home, machine learning engines are able to connect these two actions using behavioural data.
But that’s not all. By tracking each employee’s actions over time, machine learning engines can build up accurate models of their network activity. Using these baselines, the normal activity for every user can be determined – making it faster and easier to spot new or previously unidentified threat behaviours.
As well as providing the much needed context required to analyse trends on a per-user basis and spot any activity that deviates from what is considered acceptable or ‘normal’, machine learning techniques can also be utilised to build accurate network asset models that give IT teams a true depiction of everything that’s on the network.
Armed with this detailed knowledge IT teams are better able to keep a close eye on what’s being accessed at any particular time, tagging high risk assets – such as those used by board members or senior managers, for example – to ensure these are subjected to more stringent security measures.
Initiating effective network security
Today’s powerful machine learning platforms are now cost-effective enough, from a compute power perspective, for any size of business to benefit from the real-time output that can be used to significantly improve security practices.
Delivering increased visibility into the activities of users on their network, IT teams are able to determine who is accessing the network, what they are doing and whether they should be doing it. All of which makes it easier to detect and respond to modern attacks fast and in a way that’s not possible using traffic monitoring tools alone.