We’ve all had something like this happen at some point. The phone rings and you answer it.
“Hello John, this is Judy from the bank. We’ve noticed some unusual activity on your account. It appears that there was a $1,500 charge to Clowns R Us for a twenty foot tall velvet clown painting. Is this a legitimate purchase?”
“Yes Judy, yes it is.”
After you hang up, you might be upset that Judy is judging you. Sure, you don’t have a wall to fit a 20’ tall velvet clown painting, but who is she to judge? If you take a step back though, you’ll realize that this is pretty cool. The bank is evaluating your purchasing behavior and found this outlier that doesn’t fit with their baseline, so they check it with you before processing. A recent call like this got me thinking about how behavior analytics can apply to the IT world to make us all a little more secure.
I was talking to a couple of friends that focus on the security world and I asked them about what they think of using behavior as part of a security posture. I got overwhelmingly positive responses about it. One went as far as saying, “Many breaches could have been prevented by tracking bad or abnormal behavior. Others could have been dealt with quickly if behaviors outside the norm were flagged.”
That sounds great from an organizational perspective. If your security group could see what normal behavior is and then block or flag what is outside those norms, you could do a lot to block the effects of trojans, hackers, end user ignorance, malicious end users and other nastiness that might penetrate your company.
I was lucky enough to be invited to Tech Field Day 16 in Austin, Texas and one of the presenters that week was Forcepoint. Their User and Entity Behavior Analytics (UEBA) platform provides just those capabilities to establish a user behavior baseline and then compare current activity against it.
To start with, UEBA is not designed to stop people from getting into your network. That’s what your firewall and other devices are supposed to work on. UEBA helps prevent and identify insider threats. An insider threat could be anything from a user accidentally mistyping an e-mail address and sending confidential data outside the organization, to malware taking actions on the user’s behalf, to a user maliciously stealing data, and everywhere in between. Often things like firewall policies disregard traffic from the inside of the network out, but UEBA can work with other security components to assign a risk level to a user and determine whether they should be able to perform that action based on their score. Jim from accounting has been involved in some risky behavior on the network lately? Maybe he shouldn’t have access to download the full comp plan for your sales force and upload it to an external file storage site.
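To make the baseline-and-risk-score idea concrete, here is a toy version of it. This is an added illustration, not Forcepoint’s algorithm or code: it builds a per-user baseline from a constructed activity history, scores each new event by how far it falls outside that baseline, and refuses a sensitive action (the external upload from the Jim example) once the accumulated score crosses a threshold. The point values, the threshold and the `Event` fields are all assumptions chosen for the demo.

```python
"""Toy behavior baseline and risk-score gate (added illustration; not
Forcepoint's algorithm). Builds a per-user baseline from constructed history,
scores new events by how far they fall outside it, accumulates a risk score,
and refuses sensitive actions once the score crosses a threshold.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    user: str
    action: str     # "download", "upload_external", ...
    size_mb: float  # data moved by the event, 0 if none
    hour: int       # hour of day the event occurred, 0-23


@dataclass
class Baseline:
    mean_size: float
    std_size: float
    usual_hours: frozenset
    seen_actions: frozenset


def build_baseline(history):
    """Summarize a user's past events into what 'normal' looks like for them."""
    sizes = [e.size_mb for e in history]
    return Baseline(
        mean_size=mean(sizes),
        std_size=pstdev(sizes) or 1.0,   # flat history: avoid division by zero
        usual_hours=frozenset(e.hour for e in history),
        seen_actions=frozenset(e.action for e in history),
    )


def score_event(e, b):
    """Risk points for one event: 0 when it fits the baseline, more for outliers."""
    points = 0
    z = (e.size_mb - b.mean_size) / b.std_size
    if z > 3:
        points += 40          # far outside this user's normal data volume
    elif z > 2:
        points += 20
    if e.hour not in b.usual_hours:
        points += 15          # activity at a time this user is never active
    if e.action not in b.seen_actions:
        points += 25          # an action type this user has never performed
    return points


SENSITIVE_ACTIONS = {"upload_external"}   # actions gated on the risk score (assumed)


class RiskTracker:
    def __init__(self, baselines, block_threshold=50):
        self.baselines = baselines        # user -> Baseline (unknown users are not handled here)
        self.threshold = block_threshold
        self.score = {u: 0 for u in baselines}

    def observe(self, e):
        """Add the event's points to the user's running risk score and return it."""
        self.score[e.user] = self.score.get(e.user, 0) + score_event(e, self.baselines[e.user])
        return self.score[e.user]

    def allowed(self, user, action):
        """Sensitive actions are refused once the user's score is at or above threshold."""
        if action in SENSITIVE_ACTIONS and self.score.get(user, 0) >= self.threshold:
            return False
        return True


# Constructed history: Jim usually downloads a few MB during office hours.
JIM_HISTORY = [Event("jim", "download", s, h) for s, h in
               zip([2, 3, 2, 4, 3, 2, 3, 4, 2, 3], [9, 10, 11, 12, 13, 14, 15, 16, 17, 9])]


def run_demo():
    tracker = RiskTracker({"jim": build_baseline(JIM_HISTORY)})
    before = tracker.allowed("jim", "upload_external")
    # 500 MB pulled at 2 a.m.: volume and time both far outside Jim's baseline.
    score = tracker.observe(Event("jim", "download", 500, 2))
    after = tracker.allowed("jim", "upload_external")
    still_routine = tracker.allowed("jim", "download")
    return {"before": before, "score": score, "after": after, "routine": still_routine}


if __name__ == "__main__":
    print(run_demo())
```

The design choice worth noticing is that the outlier event itself is not blocked; it raises the score, and the score then gates the action that would actually move data out. A routine download stays allowed even for a high-risk user, which keeps the control targeted rather than locking Jim out entirely.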
All of this user behavior information is gathered from a lot of sources. If you’re using Forcepoint’s other security products they can send data about user activity to the UEBA. But it doesn’t have to be from there. UEBA can ingest data from a lot of different third-party sources, for instance Active Directory, physical security card readers, and more.
The place you can grab the deepest user behavior information is the Insider Threat product. It’s basically an agent that runs on a user’s computer with deep access into anything that goes on there. Registry changes, files being put on any drive, data being uploaded: basically it sounds like if something happens on your computer it can get deep data on it to determine user behavior. That’s a ton of information, and when I first heard about it, I was a bit concerned. Here’s why:
The challenge with something that collects so much information on your users is what that does to their privacy and who in your organization has access to your personally identifiable data. After all, when I’m bidding on a new velvet painting of Pennywise on eBay, I don’t want that jerk Dan in IT that has access to all my behavioral data to see that and go outbid me. I know I’m joking here, but there are a lot of instances where you wouldn’t want just anyone to have access to the data that a user generates. It could be something to deal with HR or even communications regarding an upcoming merger, or maybe someone for some reason is communicating with their doctor over corporate e-mail (yeah, I know, but users will be crazy). The point is that there is just some information that the people that manage the system (IT) should probably never see. This was really bothering me, so I placed a call to Forcepoint and put the question to them. They were super helpful in giving me this information.
Forcepoint has two concepts called entitlements and application roles that address privacy concerns when it comes to user behavior data. Entitlements can define whether a user can see types of data pertaining to specific users. So for instance, if we don’t want Dan in IT to be able to see the e-mails of the CEO, that can be restricted. The application roles allow you to define whether individual users see anonymized data (where names are replaced with pseudonyms) and whether data is masked or completely hidden. The data is masked in more than just the source and destination; the content is searched and anonymized as well. On the back end, UEBA is still tracking the original behavior data, so if the CIO needs detailed information on a user that Dan can’t see, then he can be given that access.
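The two mechanisms above, an entitlement check on which subjects a viewer may see at all and a role that decides how much identifying detail survives, are easy to sketch in code. The following is an added example of that model and is not Forcepoint’s implementation; the policy tables, the role names (`full`, `pseudonymized`, `masked`, `hidden`), the HMAC-based pseudonym and the record fields are all assumptions. It shows the detail the paragraph calls out: names are replaced in the free-text content as well as in the source and destination fields, while the stored record stays intact for a viewer with full access.

```python
"""Entitlement + application-role views of behavior records (added example,
not Forcepoint's implementation). Entitlements decide whether a viewer may see
a given subject's records at all; the viewer's application role decides how
much identifying detail survives: full, pseudonymized, masked or hidden.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Record:
    subject: str   # the monitored user the record is about
    source: str    # e.g. sending mailbox
    dest: str      # e.g. receiving mailbox
    content: str   # free text that may mention people by name


# Constructed policy tables; in a real deployment these come from configuration.
ENTITLEMENT_DENY = {("dan", "ceo")}   # (viewer, subject): viewer may never see subject's data
APP_ROLE = {"dan": "pseudonymized", "cio": "full", "auditor": "masked", "helpdesk": "hidden"}

# Secret for deterministic pseudonyms: the same person always maps to the same
# token, so an analyst can correlate activity without learning who it is.
PSEUDONYM_KEY = b"constructed-demo-key-rotate-in-production"


def pseudonym(name: str) -> str:
    """Keyed, deterministic pseudonym; without the key the name cannot be recovered."""
    digest = hmac.new(PSEUDONYM_KEY, name.lower().encode(), hashlib.sha256).hexdigest()
    return f"user-{digest[:8]}"


def anonymize_text(text: str, names) -> str:
    """Replace each known person name in free text with its pseudonym (whole word, any case)."""
    for n in names:
        text = re.sub(rf"\b{re.escape(n)}\b", pseudonym(n), text, flags=re.IGNORECASE)
    return text


def view(viewer: str, rec: Record, known_names) -> Optional[Record]:
    """Return what `viewer` is allowed to see of `rec`, or None if nothing."""
    if (viewer, rec.subject) in ENTITLEMENT_DENY:
        return None                        # entitlement check comes first
    role = APP_ROLE.get(viewer, "hidden")  # unknown viewers default to seeing nothing
    if role == "hidden":
        return None
    if role == "full":
        return rec                         # the original record is still stored unchanged
    if role == "pseudonymized":
        return Record(pseudonym(rec.subject), pseudonym(rec.source), pseudonym(rec.dest),
                      anonymize_text(rec.content, known_names))
    if role == "masked":
        return Record("***", "***", "***", "***")
    raise ValueError(f"unknown application role: {role}")


# Constructed sample data.
KNOWN_NAMES = {"jim", "ceo", "dan"}
JIM_RECORD = Record("jim", "jim", "external-vendor", "Jim forwarded the comp plan to the vendor")
CEO_RECORD = Record("ceo", "ceo", "ceo-lawyer", "Draft merger terms attached")

if __name__ == "__main__":
    for who in ("dan", "cio", "auditor", "helpdesk"):
        print(who, "->", view(who, JIM_RECORD, KNOWN_NAMES))
    print("dan on CEO record ->", view("dan", CEO_RECORD, KNOWN_NAMES))
```

Note the order of the checks: the entitlement is evaluated before the role, so a viewer with a pseudonymized role still gets nothing at all for subjects they are not entitled to. The pseudonym is keyed, so the mapping can be rotated by changing the key without touching the stored data.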
My other concern with technology like this is that if you’re gathering thirty or sixty days of deep user behavior data on your users, that creates a huge vault of data that someone might be interested in. How is this secured? UEBA uses a variety of open source datastores for the storage of their behavior vault (that’s my term, not theirs), like Elasticsearch. All the data is encrypted while in the vault, helping you rest a little more easily that someone isn’t going to break in and steal all that behavior data. From an organization perspective, you still want to align the rest of your security policies to help protect that data; encryption is just one portion in a line of protections.
I have to admit, when I first saw the presentation on Forcepoint UEBA I was definitely impressed, but had an equal sense of Orwellian paranoia. Admittedly, while there’s still a touch of that paranoia, it’s eased somewhat by the lengths that Forcepoint has taken to protect user privacy where it makes sense, while still being able to add a layer of security that most organizations don’t currently have. If used correctly, UEBA can be a valuable part of an organization’s security posture, just keep away from my velvet clown paintings.
I occasionally attend various Tech Field Day events organized by Gestalt IT. These events are sponsored by networking vendors who thus indirectly cover our travel costs. In addition to a presentation (or more), vendors may give us parting gifts ranging from their own products to USB keys and various swag.
The vendors sponsoring Tech Field Day events don’t ask for, nor are they promised any kind of consideration in the writing of blog posts, and as always, all opinions expressed here are entirely my own and not those of sponsoring vendors, my employer and/or its affiliates, and all the mistakes are my fault (but please do feel free to point them out, I gladly correct factual errors).