A recent Dark Reading article makes the case for encryption being the definitive technology for protecting enterprises’ data and that the proposal to “use analytics to secure your system” is flawed. I beg to differ. Encryption absolutely has a place in a robust defense in depth strategy, but to suggest that it alone is sufficient or that analytics can do little to help secure the enterprise is erroneous. Those claims miss two key attack mechanisms plaguing most enterprise networks today – compromised users and malicious insiders.
- In the case of compromised users, encryption wouldn’t really help, because the attacker can use the employee’s credentials to decrypt and access the sensitive information that the employee was entitled to access.
- For malicious insiders, encryption can also do little to protect the enterprise if a disgruntled employee decides to download sensitive corporate information that he is entitled to access, copy it to a USB drive and walk out of the front door with it.
Many attacks of this kind originate from inside the organization and are very difficult to detect. So how do you differentiate between the actions of legitimate users and attackers who are masquerading as authorized users? How can you determine if a user is acting maliciously? If encryption can’t help, what can?
Behavioral Analytics: Helping Where Encryption Can’t
Behavioral analytics, sometimes referred to as user behavior analytics (UBA) or user and entity behavior analytics (UEBA), can help enterprises gain insights into anomalous or risky activities, providing early warning signs that sensitive data is likely to be exfiltrated.
Behavioral analytics involves a system using machine learning to learn normal behavior for a user (or entity) through an initial baselining process. The baseline can be built from that user’s historical behavior or from comparative analysis against peer groups. Future behaviors are then automatically compared against that baseline, and deviations are flagged. So even when the safeguards provided by encryption are compromised, either because an attacker is posing as an authorized user or because an employee is disgruntled, behavioral analytics can help by surfacing deviant behaviors.
To truly add value, behavioral analytics systems must take a multi-dimensional approach by applying many different analytics modules to the data. The output of the analytics modules is used to adjust the overall risk score for the affected user or host. Take the case of a remote engineering employee who regularly VPNs into the corporate network from Tahoe, California. One day he does that, but a few minutes later the same account also accesses the corporate network from Australia. Behavioral analytics would flag that as an anomaly and probably increase the risk score significantly. That in turn alerts the security team to investigate, and prevents what is clearly an attacker posing as an authorized user from doing damage.
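The baseline-and-score loop described above, as an added example that is not part of the original article and is not any vendor’s product code. It assumes a constructed VPN login log in a simple CSV shape (user, timestamp, country, latitude, longitude, device), learns a per-user baseline (countries, devices, login hours, last location), then scores new logins with several independent checks whose findings raise a cumulative risk score. The weights, the 1000 km/h “impossible travel” threshold and the alert threshold are illustrative assumptions; the Tahoe/Sydney coordinates and all log lines are constructed for the example.

```python
"""Toy user-behavior scorer for VPN logins (added example; assumptions noted inline)."""
from dataclasses import dataclass, field
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Optional

# Illustrative weights per anomaly type (assumption, not from any product).
WEIGHTS = {"new_country": 30, "new_device": 15, "off_hours": 10, "impossible_travel": 50}
MAX_PLAUSIBLE_KMH = 1000.0  # faster ground speed between two logins counts as impossible travel
ALERT_THRESHOLD = 70        # cumulative risk score at which the security team is alerted


@dataclass
class Event:
    user: str
    ts: datetime
    country: str
    lat: float
    lon: float
    device: str

    @classmethod
    def parse(cls, line: str) -> "Event":
        user, ts, country, lat, lon, device = line.strip().split(",")
        return cls(user, datetime.fromisoformat(ts), country, float(lat), float(lon), device)


@dataclass
class Baseline:
    """What 'normal' looks like for one user, learned from history."""
    countries: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    hours: set = field(default_factory=set)
    last: Optional[Event] = None  # most recent login, needed for the travel-speed check


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def parse_log(text):
    """Parse the constructed CSV log (header line skipped) into time-ordered events."""
    lines = [l for l in text.strip().splitlines() if l and not l.startswith("user,")]
    return sorted((Event.parse(l) for l in lines), key=lambda e: e.ts)


def learn_baselines(history):
    """Baselining step: fold each user's historical logins into a Baseline."""
    baselines = {}
    for ev in history:
        b = baselines.setdefault(ev.user, Baseline())
        accept_as_normal(b, ev)
        b.last = ev
    return baselines


def accept_as_normal(b, ev):
    """Analyst feedback path: mark this event's attributes as normal for the user."""
    b.countries.add(ev.country)
    b.devices.add(ev.device)
    b.hours.add(ev.ts.hour)


def score_event(b, ev):
    """Run the analytics modules over one new login; return (tags, risk delta)."""
    tags = []
    if ev.country not in b.countries:
        tags.append("new_country")
    if ev.device not in b.devices:
        tags.append("new_device")
    if ev.ts.hour not in b.hours:
        tags.append("off_hours")
    if b.last is not None:
        elapsed_h = (ev.ts - b.last.ts).total_seconds() / 3600.0
        dist_km = haversine_km(b.last.lat, b.last.lon, ev.lat, ev.lon)
        if elapsed_h > 0 and dist_km / elapsed_h > MAX_PLAUSIBLE_KMH:
            tags.append("impossible_travel")
    b.last = ev  # the travel check always tracks the latest login
    return tags, sum(WEIGHTS[t] for t in tags)


def run(history_text, new_text):
    """Learn baselines from history, score new logins, return per-user risk report."""
    baselines = learn_baselines(parse_log(history_text))
    report = {}
    for ev in parse_log(new_text):
        b = baselines.setdefault(ev.user, Baseline())  # unknown user: empty baseline
        tags, delta = score_event(b, ev)
        r = report.setdefault(ev.user, {"score": 0, "findings": [], "alert": False})
        r["score"] += delta
        if tags:
            r["findings"].append((ev.ts.isoformat(), tags))
        r["alert"] = r["score"] >= ALERT_THRESHOLD
    return report


# Constructed sample data: alice works from Lake Tahoe, bob from San Francisco.
CONSTRUCTED_HISTORY = """\
user,timestamp,country,lat,lon,device
alice,2024-03-01T09:02:00,US,39.10,-120.03,laptop-a1
alice,2024-03-02T08:55:00,US,39.10,-120.03,laptop-a1
alice,2024-03-04T17:40:00,US,39.10,-120.03,laptop-a1
bob,2024-03-01T10:00:00,US,37.77,-122.42,laptop-b7
bob,2024-03-02T11:30:00,US,37.77,-122.42,laptop-b7
"""
CONSTRUCTED_NEW = """\
alice,2024-03-05T09:01:00,US,39.10,-120.03,laptop-a1
alice,2024-03-05T09:07:00,AU,-33.87,151.21,unknown-host
bob,2024-03-05T03:00:00,US,37.77,-122.42,laptop-b7
"""

if __name__ == "__main__":
    for user, r in run(CONSTRUCTED_HISTORY, CONSTRUCTED_NEW).items():
        print(user, r)
```

Running it, alice’s second login six minutes after the Tahoe one trips three modules at once (new country, new device, impossible travel) and pushes her score past the alert threshold, while bob’s 03:00 login from his usual machine is only tagged off-hours and stays below it. Note that `score_event` deliberately does not fold the anomalous country or device into the baseline; that happens only through `accept_as_normal`, so an attacker’s location does not become “normal” until an analyst says so.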
The analytics modules adapt on a continual basis, taking new entity behavior and analyst input into consideration as new anomalies are identified. Typical scenarios where behavioral analytics can help but encryption cannot include:
- Advanced, multi-stage, low and slow attacks
- Privilege escalation (e.g., a user or host trying to gain escalated privilege access to sensitive resources)
- Authentication abnormalities such as brute force login attempts or logins from devices the user has never used before
- Credential violations such as password sharing
- Internal reconnaissance such as probes to identify and exploit vulnerable assets
- Lateral movement such as attacker movements from machine to machine to gain access to information
- Abnormal resource access including compromised users or malicious insiders accessing and/or downloading large amounts of sensitive information
- Protocol anomalies (HTTP, SMTP, DNS, SSL)
- Remote access (VPN) such as credential theft and impersonation of users to infiltrate the company
- Exfiltration such as emailing or uploading large volumes of data or using DNS to exfiltrate information or anomalous web behavior
Insights from Behavioral Analytics Better Protect the Organization
There will be situations where attackers (both external attackers and the disgruntled insiders) compromise the effectiveness of encryption. Behavioral analytics can quickly surface those attacks and allow security teams to mitigate the severity of the impact. But behavioral analytics does more than just provide coverage where encryption cannot:
- Prioritizing alerts and enabling analysts to triage them effectively
- Providing user-level and entity-level security insights across the vast volumes of data already present in their environments
- Making threat hunting extremely efficient by continually analyzing and tagging data in interesting ways
Behavioral analytics provides a much needed machine-assist to what are fundamentally human-driven activities. Incident investigation, alert prioritization, incident response and threat hunting – all can be performed far more efficiently. That’s because the range of analytics provided by any reasonable behavioral analytics solution delivers a far clearer picture of what’s truly happening within the organization.
Layered security is the key to protecting your organization from cyberattacks. Encryption should definitely be part of that strategy. So must behavioral analytics.