In addition to BYOD, the other, less-mentioned destroyer of the network perimeter is the increasing integration of third party business partners with the enterprise IT ecosystem. Not because access is poorly controlled, but because once access is achieved, there is no way to know that the person using the credentials is not authorized to do so, or that those credentials have been compromised by an outsider as part of an attack on the partner, or that the credentials are being used as part of a coordinated attack.
In other words, many of the standard security oversight mechanisms have a giant blind spot.
Typically partner access is either through a VPN connection or web portal. Sometimes each partner will have one set of access credentials shared among its own users. Alternatively, individual partners may have multiple credentialed users.
As Bill Dixon from Stroz Friedberg has observed in a recent blog, “Your Vendors are Your Threat Vectors”, he points out that the risk comes from two directions: access to sensitive data and general network access. Our customer engagements has stemmed from an accidental discovery of a small business partner that had been downloading ten times the data volume that is typical for similar partners. They know accidental discovery is not a security best practice, which is why they turned to Niara.
When advanced attacks cloak themselves as legitimate insider access, detection can only come from finding small changes in behavior that are telltale signs that whoever is using the userid and password, their activities are different enough from normal to raise an alert.
With PartnerWatch™, we have extended the coverage of our UEBA solution to now include partners as a full-fledged member of the entity “ecosystem” alongside users, hosts, applications, and IP addresses. With Niara watch lists, the security team can “red circle” partner accounts along with the high value assets they typically access. Combined with the ability to reflect business context in the machine learning model scoring, unusual partner behavior either compared to their historical baseline or compared to their peers will be a reliable early-warning indicator of partner compromise.
UEBA and Machine Learning are all about providing the security team more visibility into attacks on the inside as well as instant access to the forensic information needed to respond. When trusted partners turn malicious, making the right decision to block or restrict access can be done before the damage is done.