The Difference Between Anomalous and Malicious

07 Oct

in Blog, Perspectives

by Larry Lunetta

The security industry is in self-congratulatory mode over new capabilities such as User Behavior Analytics (UBA) and machine learning. Imagine that, software that can tell you that it is unusual for someone to access the general ledger at 2 a.m. for the first time.

This technology rests on the idea that employees, customers, contractors, etc., work in patterns predictable enough to establish a “normal” baseline. The theory is that as soon as someone’s behavior changes sufficiently, an anomaly alert is generated. The key word is “sufficiently.” Is a download that is 50 percent bigger than average an anomaly? Is working from home on a Tuesday? You get the point: wherever the threshold is set, a baseline alone can only say that behavior changed, not why.

In fact, it’s not rocket science to find numeric or temporal changes in a user’s “typical” behavior. Security Information and Event Management (SIEM) technology can do that today with the right set of rules, or even with the right visualization tools.

The true breakthrough comes when the analytics not only see anomalous behavior, but also have the context to know that the “anomaly” is worth noting because the entity (i.e., user, host, etc.) is part of an attack. For example, if a user who logs in at 2 a.m. has also been spotted downloading a suspicious file, periodically visiting new domains and uncharacteristically reaching out laterally to other systems, then the anomaly can be confidently flagged as malicious and is worth an analyst’s attention. Each of those observations is a “weak” signal on its own; it takes breadth and clarity of vision to collect them for the same entity so that together they bring the picture into focus.

Making the leap from anomalous to malicious requires a platform that can aggregate a wide range of sources, from network traffic to logs to alerts. It also needs to deal not just with user behavior, but also with system, device, and application behavior – what Avivah Litan from Gartner calls “entities” (hence her rebranding of UBA to UEBA).

UEBA requires the data science chops to operate across all the kill chain stages, with models and techniques tuned specifically to separate the merely strange from the truly threatening. Not simple averages, three-standard-deviation cutoffs or other brain-dead techniques (a mean-and-sigma test is dragged around by every large but legitimate transfer in the baseline), but real application of techniques used in genomics research, weather forecasting, etc.
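To make the anomalous-versus-malicious distinction concrete, here is an added example (written for this page, not code from the author or any UEBA product) that scores per-entity baselines the way the 2 a.m. login scenario above describes and uses a median-based score instead of a mean-and-three-sigma cutoff, as the paragraph above argues for. The baselines, event schema, kill-chain stage names, the 3.5 outlier cutoff and the three-stage verdict rule are all assumptions for illustration, and the sample events are constructed rather than real telemetry.

```python
"""Correlating weak per-entity anomaly signals across kill-chain stages.

Added example: an isolated anomaly (an unusual login hour) stays
"anomalous"; the same anomaly on an entity that also shows deviations in
other stages is flagged "malicious". All names and thresholds are assumed.
"""
from collections import defaultdict
from statistics import median

# Assumed per-user baselines learned from a clean history window.
BASELINES = {
    "alice": {
        "login_hours": {8, 9, 10, 17},
        "download_bytes": [120_000, 150_000, 130_000, 140_000, 160_000],
        "domains": {"intranet.example", "mail.example"},
        "peers": {"fileserver01"},
    },
    "bob": {
        "login_hours": {8, 9, 18},
        "download_bytes": [40_000, 60_000, 55_000, 50_000, 45_000],
        "domains": {"intranet.example"},
        "peers": {"fileserver01"},
    },
    "carol": {
        "login_hours": {7, 8, 9, 16},
        "download_bytes": [100_000, 120_000, 130_000, 110_000, 125_000],
        "domains": {"intranet.example", "wiki.example"},
        "peers": {"fileserver01", "printserver"},
    },
}

# Constructed batch of new events to score (not real telemetry).
EVENTS = [
    {"entity": "alice", "type": "login", "hour": 2},
    {"entity": "bob", "type": "login", "hour": 2},
    {"entity": "bob", "type": "download", "bytes": 900_000_000},
    {"entity": "bob", "type": "dns", "domain": "cdn-update-7f3a.example"},
    {"entity": "bob", "type": "dns", "domain": "cdn-update-7f3a.example"},
    {"entity": "bob", "type": "dns", "domain": "telemetry-x9.example"},
    {"entity": "bob", "type": "connect", "dst": "hr-db01"},
    {"entity": "bob", "type": "connect", "dst": "finance-app02"},
    {"entity": "carol", "type": "login", "hour": 9},
    {"entity": "carol", "type": "download", "bytes": 130_000},
    {"entity": "carol", "type": "connect", "dst": "printserver"},
]


def robust_z(value, history):
    """Modified z-score (median / MAD). Unlike mean-and-three-sigma, the
    median is not pulled toward a few large legitimate transfers."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad


def extract_signals(events, baselines):
    """Attach each deviating event to a kill-chain stage for its entity.
    Returns {entity: {stage: set(description)}}; repeats collapse."""
    signals = defaultdict(lambda: defaultdict(set))
    for ev in events:
        b = baselines[ev["entity"]]
        s = signals[ev["entity"]]
        if ev["type"] == "login" and ev["hour"] not in b["login_hours"]:
            s["initial_access"].add(f"first login at {ev['hour']:02d}:00")
        elif ev["type"] == "download":
            z = robust_z(ev["bytes"], b["download_bytes"])
            if z > 3.5:  # assumed outlier cutoff for the modified z-score
                s["execution"].add(f"download of {ev['bytes']} bytes (z={z:.0f})")
        elif ev["type"] == "dns" and ev["domain"] not in b["domains"]:
            s["command_and_control"].add(f"new domain {ev['domain']}")
        elif ev["type"] == "connect" and ev["dst"] not in b["peers"]:
            s["lateral_movement"].add(f"new peer {ev['dst']}")
    return signals


def classify(stage_signals, min_stages=3):
    """One deviating stage is merely anomalous; deviations spanning
    min_stages or more stages on the same entity are called malicious."""
    stages = sorted(st for st, sigs in stage_signals.items() if sigs)
    if not stages:
        return "normal", stages
    if len(stages) >= min_stages:
        return "malicious", stages
    return "anomalous", stages


def score_entities(events, baselines):
    """Verdict and list of deviating stages for every baselined entity."""
    signals = extract_signals(events, baselines)
    return {entity: classify(signals[entity]) for entity in baselines}


if __name__ == "__main__":
    for entity, (verdict, stages) in score_entities(EVENTS, BASELINES).items():
        print(f"{entity:6} {verdict:10} {stages}")
```

Run as written, alice’s lone 2 a.m. login comes back “anomalous” while bob, with the same login plus a huge download, two never-seen domains and connections to two new hosts, comes back “malicious”; carol is “normal”. The stage-count rule is deliberately simple so the correlation step is visible; a production system would weight signals and decay them over time.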

When you are ready to check out big data security analytics and UEBA, make sure the solution doesn’t add to the already-overwhelming white noise by confusing anomalies with attacks.