In general, today’s security operations center (SOC) monitors alerts and alarms from individual security products, plus the correlated threats surfaced by a security information and event management (SIEM) system. These alerts turn into cases that funnel into whatever workflow system the security team uses. After an initial review to decide whether the alert is a false positive, additional data is gathered so that analysis can take place. To put it another way, the security team tries to build a story around each valid alert.
Once the story is built, a different team might be assigned to contain the incident, and that same team (or yet another one) would restore the affected systems to a pre-infection state. This closely mirrors today’s Detection-Analysis-Containment-Restoration security process.
While there has been some refinement of the tools used at the detection stage, “…Most of the security products available on the market are just a half-step better than old antivirus products.” When the HIMSS organization surveyed nearly 300 healthcare organizations, the list of technologies the providers had deployed was one most of us could have recited from memory: AV, firewalls, log management, vulnerability management, IDS, access control lists, mobile device management and user access controls. A large majority of these security teams know they cannot stop current attacks (only 22% were confident they could), and 81% said some new technology was needed. Security people are aware that the processes built around those basic technologies have remained virtually unchanged for the last two decades.
Zeroing in on the process, it’s not hard to see what’s broken: the detection and analysis portion, or what I call the knowledge-building portion of the process. Today attackers run their malware through the latest detection engines and anti-virus products before deploying it, precisely to make it as invisible as possible, and it may also be written to recognize and evade malware sandboxes. Once inside the network, the malware runs as the logged-in user and inherits that person’s identity and access level. The attacker’s activity then looks like normal IT activity, which leaves every technology listed above blind to it. Detection never takes place, so the security process never kicks off. I can hear some say, “What about encryption? Doesn’t that help?” Valid credentials get the attacker around this little problem: if the user is able to do their work, their access level allows the data to be decrypted for them, and therefore for anyone acting under their credential.
The other part of the knowledge-building process is analysis. If you were lucky enough to spot some evidence of malware on a system, that system gets cleaned up, but there is little to tell you which other systems were touched or which credentials were compromised. If the data is valuable enough, the attacker can simply start over with the same or a different set of valid credentials.
Exabeam moves the security team’s focus away from the malware and onto the credentials that enable it. To do this, the system learns the normal credential behaviors and access characteristics of each user and of the user’s peer groups, so that what is anomalous can be surfaced and scored. Security alerts are automatically attributed to the user credential involved, and these alerts and the anomalous behaviors are placed on a single timeline. This yields an attack chain that shows the intersection of credential use, assets touched, and security alerts. Voilà, the entire attack chain is created automatically.
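To make the mechanics of the paragraph above concrete, here is an added toy example of the credential-centric approach it describes. It is not Exabeam’s code and does not reflect that product’s actual models or weights; the log events, peer groups, alert, scoring weights and function names are all constructed for illustration. It learns what hosts, source addresses and hours each user and each peer group normally uses, scores a new day’s events against that baseline, attributes a host-based security alert to the credential whose logon most recently preceded it, and lays everything out on a per-user timeline with a running risk score.

```python
"""Toy user behaviour analytics: baseline, score, attribute alerts, build a timeline.
Added illustration only; constructed data, not real logs, and not Exabeam's implementation."""
from collections import defaultdict
from datetime import datetime


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


# Constructed sample authentication/access log: (time, user, host, source IP, action)
BASELINE_EVENTS = [
    ("2024-03-01 09:02", "alice", "ws-alice", "10.1.1.5", "logon"),
    ("2024-03-01 09:10", "alice", "fs-finance", "10.1.1.5", "file_read"),
    ("2024-03-02 08:55", "alice", "ws-alice", "10.1.1.5", "logon"),
    ("2024-03-02 14:00", "alice", "fs-finance", "10.1.1.5", "file_read"),
    ("2024-03-01 09:30", "bob", "ws-bob", "10.1.1.6", "logon"),
    ("2024-03-01 10:00", "bob", "fs-finance", "10.1.1.6", "file_read"),
    ("2024-03-01 08:00", "carol", "ws-carol", "10.1.2.9", "logon"),
    ("2024-03-01 08:30", "carol", "dc-01", "10.1.2.9", "logon"),
    ("2024-03-02 08:20", "carol", "dc-01", "10.1.2.9", "logon"),
]
# Constructed events for the day under investigation
NEW_EVENTS = [
    ("2024-03-03 02:15", "alice", "ws-alice", "203.0.113.7", "logon"),
    ("2024-03-03 02:20", "alice", "fs-finance", "203.0.113.7", "logon"),
    ("2024-03-03 02:31", "alice", "dc-01", "203.0.113.7", "logon"),
    ("2024-03-03 10:05", "bob", "ws-bob", "10.1.1.6", "logon"),
]
# Constructed peer-group membership (e.g. from the HR directory)
PEER_GROUPS = {"alice": "finance", "bob": "finance", "carol": "it"}
# Constructed host-based alert from some endpoint product: (time, host, text)
ALERTS = [("2024-03-03 02:40", "dc-01", "credential dumping tool detected")]


def build_baseline(events, peers):
    """Learn the hosts, source IPs and hours each user normally uses, and the
    hosts used by anyone in the same peer group."""
    hosts, srcs, hours, group_hosts = (defaultdict(set) for _ in range(4))
    for ts, user, host, src, _ in events:
        hosts[user].add(host)
        srcs[user].add(src)
        hours[user].add(parse(ts).hour)
        group_hosts[peers[user]].add(host)
    return {"hosts": hosts, "srcs": srcs, "hours": hours, "group_hosts": group_hosts}


def score_event(event, baseline, peers):
    """Score one event against the user's and peer group's baseline.
    Weights are illustrative; a real system would use learned distributions."""
    ts, user, host, src, _ = event
    score, reasons = 0, []
    if host not in baseline["hosts"][user]:
        score += 20
        reasons.append("first access to host")
        if host not in baseline["group_hosts"][peers[user]]:
            score += 30
            reasons.append("host unused by peer group")
    if src not in baseline["srcs"][user]:
        score += 15
        reasons.append("new source IP")
    if parse(ts).hour not in baseline["hours"][user]:
        score += 10
        reasons.append("unusual hour")
    return score, reasons


def attribute_alert(alert, events):
    """Attribute a host-based alert to the credential whose logon on that host
    most recently preceded the alert (session ownership)."""
    a_time, a_host, _ = alert
    owner, owner_time = None, None
    for ts, user, host, _, action in events:
        t = parse(ts)
        if host == a_host and action == "logon" and t <= parse(a_time):
            if owner_time is None or t > owner_time:
                owner, owner_time = user, t
    return owner


def build_timelines(baseline_events, new_events, alerts, peers):
    """Per-user timeline of (time, description, score, reasons), alerts included."""
    baseline = build_baseline(baseline_events, peers)
    timelines = defaultdict(list)
    for ev in new_events:
        score, reasons = score_event(ev, baseline, peers)
        ts, user, host, src, action = ev
        timelines[user].append((ts, f"{action} {host} from {src}", score, reasons))
    for alert in alerts:
        user = attribute_alert(alert, baseline_events + new_events)
        if user:  # unattributable alerts would go to a separate review queue
            timelines[user].append((alert[0], f"ALERT on {alert[1]}: {alert[2]}", 40, ["security alert"]))
    for user in timelines:
        timelines[user].sort(key=lambda e: parse(e[0]))
    return timelines


def session_risk(timeline):
    return sum(entry[2] for entry in timeline)


if __name__ == "__main__":
    tl = build_timelines(BASELINE_EVENTS, NEW_EVENTS, ALERTS, PEER_GROUPS)
    for user, entries in sorted(tl.items(), key=lambda kv: -session_risk(kv[1])):
        print(f"{user}: risk {session_risk(entries)}")
        for ts, what, score, reasons in entries:
            print(f"  {ts}  +{score:<3} {what}  ({', '.join(reasons)})")
```

Run as-is, alice’s timeline shows three escalating logons from a never-before-seen address at 2 a.m., ending on a domain controller no one in finance has touched, followed by the endpoint alert that, on its own, would only have named a host. Bob’s ordinary morning logon scores zero. The point is not the particular weights but that the alert and the behavioral anomalies land on the same credential’s timeline, which is the attack chain the paragraph describes.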
Detection and analysis are now a single “knowledge-building” function. User behavior analytics makes even the stealthiest attacks visible, and the analysis is assembled as the attack happens. You really have to see it to believe it. Attackers think it’s magic.