March 11, 2016

How to Detect Insiders with Machine Learning and Analytics


In the previous posts of this series, we learned about the different types of insiders including careless, compromised and malicious insiders. This post explores the critical role Imperva CounterBreach plays in identifying insider threats before they cause damage.

Security executives tell Eric Cole, CTO and Chief Scientist of McAfee that “nearly all of their security incidents come from the inside." The Imperva 2016 Top Cyber Security Trends for 2016 supports this notion by placing the rise of insider threats as #2 overall threat.

Imperva was founded on the basis that all computers are potentially compromised, and an enterprise’s focus should be on protecting its data. Imperva SecureSphere can track access to databases, file and SharePoint servers, as well as how they are accessed via the server’s applications. It interfaces with directory services, knows your users, sees which users are conducting what activity and audits the activity. This gives SecureSphere a well-rounded look at what’s taking place with your data. And it has the ability to block unauthorized access and alert on suspicious or problematic activity. SecureSphere can generate lots of audit data, alerts and events.

Even with the most robust platforms, discerning if an event is critical while parsing through hundreds of thousands or even millions can be close to impossible. By definition, insiders are using legitimate credentials to access your network and resources. Under these circumstances, singling out illegitimate access to data is challenging, but at the same time critical to preventing serious breaches.

Brian Krebs reported that “investigators believe the source of the Target intrusion traces back to network credentials that Target had issued to Fazio Mechanical, a heating, air conditioning and refrigeration firm in Sharpsburg, Pa.” The source here was a Target contractor, but this vendor did have a legitimate reason to be in their network.

Regarding the Target breach, this Dark Reading article notes that “Target's security team reviewed -- and ignored -- urgent warnings from a threat-detection tool about unknown malware spotted on the network.” It then asks the question “What might have caused Target's security team to ignore the alert?” Answering "In two words: 'actionable intelligence,'" said Seculert's Raff via email. "With today's amount of detection data, just signaling an alarm isn't enough."

So while security events for this suspicious activity were generated, the security team apparently didn’t feel the activity posed enough of a risk to warrant immediate attention. And this is a common scenario, IT teams may see that a user accessed specific servers, but without context, without knowing what (data) was accessed, or how they were accessing it, the impetus for further investigation or urgency is simply not present. Think of it like a greyscale photo, lacking the color required to draw in the eye.

Today, organizations send these masses of events via SIEM to a User Behavior Analytics (UBA) tool to try to add some color and give prioritization. UBA tools analyze the events, can map out lateral movement in the network to try to identify something suspicious, and build a behavior profile for users. But the most crucial information, what data was accessed, how it was accessed, and how much was accessed is still missing. So with UBA tools, the ability to identify the real risk of any user data access activity – for example, if sensitive data is being accessed in a suspicious manner or mishandled - is likely an unknown.

What’s Different About CounterBreach

CounterBreach uses machine learning to establish a baseline of typical user data access, then looks for critical deviations from the norm. As opposed to UBA solutions that identify activities leading up to a login, SecureSphere not only sees the login but also the data that’s accessed. SecureSphere can also classify data assets so security teams can also see what data was accessed.

Additionally, it looks at which applications are being used to access data, and how those applications are connecting to the database. For example, CounterBreach tracks when service accounts are used to access a database instead of user (domain) accounts. This can indicate that a user is trying to hide their actions. Using a service account often bypasses the audit trail which means that it would be nearly impossible to identify what took place. Looking at traditional breaches that involve malware, if a database containing credit card data is behind SecureSphere, CounterBreach would then see exactly what the malware, masking itself as a legitimate user, was actually doing.

CounterBreach does all this in the context of a database connection, and the factors related to this connection. CounterBreach constructs a behavioral baseline for circumstances surrounding a connection by tracking factors such as who the user is, what exactly they’re accessing, how they’re accessing it, their role in the organization and additional behavioral metrics. It then uses this baseline to judge events, and discern whether behavior is normal or abnormal compared to the baseline – and, if abnormal, enables you to follow up on what took place before and after the event.

One of CounterBreach advantages is that Imperva owns the data monitoring layer, which we know intimately, and developed to seamlessly integrate between products. This enables us to continuously improve the CounterBreach learning engine through internal research and development, including making changes on the SecureSphere end when needed. This helps, for example, to accommodate new attack methods after they’re discovered.

Additional Attack Vectors

CounterBreach also enables Imperva to extend our reach to address additional attack vectors. For example, in our post on careless insiders, we describe how an accountant was copying sensitive excel spreadsheets to Dropbox so they could work on vacation, but how Man-in-the-Cloud attacks put that sensitive data at risk. CounterBreach integrates with Imperva Skyfence, our Cloud Access Security Broker (CASB) solution.

CB - Dashboard-Example

Skyfence is used to monitor user access to cloud apps like Dropbox and Google Drive, in addition to Salesforce, Microsoft 365 and other SAAS offerings. This activity, that organizations were blind to until recently, is integrated with CounterBreach so that security teams can see the full picture of your protected assets including databases, file servers, endpoints, and cloud apps, all in a single interface, as can be seen in the accompanying images. 

In summary, knowing the various insider risks helps us know what patterns to look for in user behavior. Having the right tools to identify abnormal behavior can be the difference heading home for the weekend, and working long hours doing damage control as the result of your customer’s personal data being taken by hackers or your organization’s trade secrets being stolen by competitors.

For a few examples of how CounterBreach keeps enterprise data safe from compromised, malicious and careless internal users, see the Inside Scoop on Imperva CounterBreach Findings.

Authors & Topics:

Share on LinkedIn


Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.


Post a comment

Comments are moderated, and will not appear until the author has approved them.