EXECUTIVE SUMMARY THE STATE OF BEHAVIORAL ANALYSIS

Transcription

1

2 EXECUTIVE SUMMARY Behavioral Analysis is becoming a huge buzzword in the IT and Information Security industries. With the idea that you can automatically determine whether or not what s going on within your network is legitimate or not is a huge benefit to any organization. But, challenges exist. The sheer volume of data available makes finding attention-worthy events difficult at best, and when they are found, the risk of a system promoting false positives can cripple the efficiency of an organization s efforts to leverage this automation for a tangible benefit. Purpose-built Security Information and Event Management (SIEM) tools have the potential to deliver real value, but what about all the other tools which claim they have deep Behavioral Analysis functionality? This white paper will discuss some of the challenges present with making Behavioral Analysis an effective part of your organization. It then addresses better strategies for efficiently responding to events generated by third party tools in order to minimize false positives, increase the effectiveness of your security program, and enable your staff to focus in on the issues that matter most. THE STATE OF BEHAVIORAL ANALYSIS In the Cyber Security world, information is king. Whether it s the databases we try to protect from exposure, or the internally-created log and event information every single system on our networks generates, it all comes back to data. And as technology grows in scope, the amount of data these systems generate grows at exponential rates. WHEN BEHAVIORAL ANALYSIS DOESN T WORK WELL, YOU ACTUALLY CREATE MORE WORK FOR YOUR TEAMS SINCE THEY MUST DEAL WITH FALSE POSITIVES, UNMANAGEABLE VOLUMES OF RAW INFORMATION AND IMPROPER PRIORITIZATION OF THESE SYSTEM EVENTS. Where once a system administrator could simply review the local log files of a handful of servers on a daily basis to ensure that nothing troublesome is happening, now there are thousands upon thousands of systems generating terabytes of data, which no single human could review without the assistance of some sort of automated tool. This, of course, is where the true power of Security Information and Event Management (SIEM) tools has come into its own to help aggregate the sheer volume of data sources while helping to filter and prioritize the events that need to be reviewed. But SIEM vendors aren t the only ones who are trying to get their arms around all of this data. Many other companies are attempting to use whatever event data their specific, specialized software gathers to deliver additional value to their customers. This value add-on usually comes in the form of Behavioral Analysis, which is often touted as a way to automatically make decisions based on the data provided in order to detect anomalous behavior within the system. The idea here is to establish some sort of baseline that is deemed to be normal behavior by a user or a system, and then use that to flag anything that does not conform to the baseline pattern. A common example given is the idea of an IT Admin who normally works from 9 am to 5 pm who then suddenly starts logging in at 3 am. This admin, who likely has elevated access to critical systems, is now logging in at a time that is unusual and suspicious, and thus this activity gets flagged for review and/or action. But is this truly a proper analysis of behavior?

3 The promise of Behavioral Analysis is to provide operational efficiency for the personnel trying to sort through these mountains of data, while delivering critical and priority events that should be reviewed to the responsible parties quickly and accurately. Trying to sift through millions of events to determine what needs attention and what does not, is simply not scalable task for humans, especially given the constraint of resources available to IT teams everywhere. When a Behavioral Analysis tool does its job well, you can utilize those precious few human resources available in an optimal way to review critical events which require the subjective analysis that only a human can provide. However, if this type of analysis can t do that well, you actually create more work for your teams, since they must deal with false positives, unmanageable volumes of raw information and improper prioritization of these system events. This, of course, defeats the entire purpose of what proper Behavior Analysis tools are meant to do by increasing operational cost and inefficiency, and burdening IT teams with a tool that ultimately, they ll likely stop using. Unfortunately, this is an all too common scenario for many organizations. PUTTING CONTEXT AROUND THE PROBLEM If information is the king of the security profession, then context is the ruler of any proper Behavioral Analysis effort. Without context, a single data set could be interpreted in many different ways, most ending up to be incorrect. Take our IT Admin example cited above. One set of login data suggests that the IT Admin is either logging in at 3 am because he or she is up to something nefarious, or a hacker has gotten a hold of the Admin s account and is logging in with those credentials. Most of us could probably add a few more possibilities, incorporating other data sets that we know offhand. For example, maybe the Admin is working on an emergency help desk ticket and is working at 3 am due to this crisis problem. A very reasonable conclusion, but it requires the knowledge that a help desk system exists, that a process for problem resolution exists, and that this IT Admin may be one of the people assigned to handle incidents of this nature. Bringing all that to the table means we have several other sources of data in which to create context around the original event that the single set of login data cannot provide on its own. This example points to one of the big concerns with Behavior Analysis. Even if you provide a huge amount of context, it s still difficult to systematically create an accurate picture of what s actually going on for a given event. Often, it requires a human to get involved to review the data sets and then make a determination about whether the event is a real event or a false positive and whether or not the behavior detected is malicious or not. Without large amounts of contextual data, automated analysis tools are going to generate huge amounts of false positives that will require more time and attention from staff, thus reducing the effectiveness of the tool and burdening staff with more time being spent on dealing with these errors. EFFECTIVE AND EFFICIENT BEHAVIORAL ANALYSIS IS EXTREMELY DIFFICULT EVEN WHEN YOU HAVE A LOT OF DIFFERENT DATA SOURCES TO CREATE BROADER CONTEXT FOR AN EVENT. IT S NEARLY IMPOSSIBLE FOR A SOFTWARE TOOL THAT ISN T PURPOSE-BUILT FOR ANALYSIS AND IS ONLY LOOKING AT A LIMITED NUMBER OF DATA SOURCES TO MAKE ITS DETERMINATION. Even if you feed tons of data sets into an aggregation tool, there could still be missing pieces of non-system generated information that the behavioral analysis tool can t take into account. Is our IT Admin on vacation, or is he or she working from the other side of the planet in a completely different time zone? It may not occur to feed in the data from the employee time tracking system in order to add that context, even if it may be common knowledge to the people in the office where the Admin is on a given day. And suppose

4 that data was made available. It still may not accurately tell you if the 3 am login is supposed to be happening, or if it s truly a malicious event being staged by a rogue IT Admin. Effective and efficient Behavioral Analysis is extremely difficult even when you have a lot of different data sources to create broader context for an event. It s nearly impossible for a software tool that isn t purpose-built for analysis and is only looking at a limited number of data sources to make its determination. DELIVERING EFFECTIVE EVENT MANAGEMENT AND RESPONSE Why are these issues with Behavioral Analysis so important? As the most widely-used Privileged Account Management (PAM) tool out there, we at Thycotic often get questions from colleagues and customers about our take on Behavioral Analysis as it pertains to the administrative and elevated credentials our products protect and manage. And while these questions are valid, it s important to make sure we re asking the right question in this context. Are we trying to analyze data from a wide variety of sources to try and make difficult, subjective determinations as to what might be going on? Or, are we looking to take proactive action to stop activity which we already know to be improper or malicious? Most would answer with the latter, and it is this scenario where real value can be gained with your PAM tool or any other specialized security tool. That s because Thycotic Secret Server enables you to take control of the behaviors you do or don t want to take place around the use of your privileged accounts with a variety of tools built into the product. These Secret Server tools are designed to analyze and respond to behavior in the manner which you choose for your environment, effectively eliminating the need to manually review events (which may not have enough context available to determine accurate behavior patterns), as well as automating the process of taking action to protect your administrative credentials and prevent abuse of these keys to the kingdom. Here are several examples of how Secret Server can help you manage behavior associated with privileged passwords. Event Notification Within Secret Server, you can define specific rules for a wide variety of improper credential use or other flagged behavior and be notified immediately when these events take place. By defining the specific activities you are most concerned about taking place within your environment, you reduce the amount of noise generated by potential events and can focus your response teams on handling legitimate issues. Automated Discovery Rules In Secret Server you can automate the process for handling new accounts when they are created and discovered anywhere in your environment. Regardless of why the account may exist or who created it on your network, you have the ability to take control of these accounts and immediately secure them based on parameters you control and configure. These rules can be as simple as leveraging the Event Notification function to inform the appropriate parties that these accounts have been created, all the way to taking complete control of the account, rotating the password to something lengthy and complex, and applying existing policies to provide immediate access to the correct responsible teams within your IT or Operations teams. Role-Based Access Control and Policy Sets By applying security policies to the credentials stored in your Secret Server instance and leveraging strong Role- Based Access Control (RBAC), you can enforce the type of access you want your employees to have right from the start, without having to build baselines for behavior and compare against what may or may not be anomalous. These kinds of controls lock down the means and methods of access to ensure that the credentials are only used in a way you deem to be approved with no need for constant review or monitoring. SIEM Integration If, after all your controls are in place, you want to add true and proper Behavioral Analysis to your security programs, you can leverage

5 Secret Server s SIEM Integration to deliver the context that Secret Server maintains in its internal audit logs to your SIEM tool. This allows you to correlate the data around privileged account access and use to all of the other data streams in your environment, providing the proper context that any reasonable attempt to baseline behavior requires. Standard CEF and syslog support is available, and powerful APIs can be leverage to leverage the data feed to custom analysis tools. CONCLUSION At the end of the day, a mature security program will leverage a wide array of security tools, including Behavioral Analysis tools and processes. But be wary of any system or service that offers Behavioral Analysis without providing the wide breadth and necessary depth of context that needs to be present in order to create a reliable and useful offering. Log analysis from limited data sources is simply not sufficient to create true baseline patterns of behavior in which to further make determinations of what is or is not valid in your environment. But, by leveraging a more proactive approach and taking control of your privileged credentials up front and in accordance with the mission of your organization, you can more effectively improve your overall security posture with less effort and overhead while reducing the number of false positives that your staff has to deal with, and bringing real value to your organization. And, should you leverage this approach to augment a true SIEM-based Behavioral Analysis effort, you will strengthen the efficiency of that implementation by preventing anomalous behavior up front, without having to filter and sort through this data after the fact. ABOUT THE AUTHOR Nathan Wenzler Executive Director of Security, Thycotic Nathan has almost two decades of experience designing, implementing and managing both technical and non-technical solutions for IT and Information Security organizations. Throughout his career, Nathan has helped government agencies and Fortune 1000 companies build new information security programs from scratch, as well as improve and broaden existing programs with a focus on process, workflow, risk management, and the personnel side of a successful security effort. Currently as the Executive Director of Security for Thycotic, Nathan brings his expertise on security program development and implementation in both the public and private sector to admins, auditors, managers, and security professionals at a variety of conferences, trade shows, and educational events. ABOUT THYCOTIC Thycotic, a global leader in next-generation IT security solutions, delivers an indispensable, comprehensive Privileged Account Management (PAM) solution to protect your keys to the kingdom from cyber-attacks and insider threats. Unlike any other security offering, Thycotic Secret Server assures the protection of privileged accounts while being the fastest to deploy, easiest to use, exceptionally scalable enterpriseclass solution offered at a competitive price. Already securing privileged account access for more than 3,500 organizations worldwide, including Fortune 500 enterprises, Thycotic Secret Server is simply your best value for PAM protection. For more information, please visit.