User Behavior Analytics: Automated Storytelling for Incident Response

When a security staff member sees a security event there’s a process that occurs. First, there’s verification that it’s not a false positive or false negative. After that it goes into a review queue that may accumulate several hundred or more critical events per day. These get looked at by more senior analysts. They try to ascertain:

• The origin of the attack,
• What assets may have been involved and possibly compromised,
• Involvement of malicious code,
• If (and what) data may have been stolen and;
• Who was behind the attack (if possible).

This is the story the incident response team tries to tell. It’s the preponderance of evidence that they look for. The more evidence they can find the more likely their ability to tell a complete story. As they piece together the chain of events around the attack one wrong assumption and they’ll get to wrong root cause. Depending on how long the attacker has had access to one or more valid credentials, this could take a couple of weeks or months or, sometimes not at all. “Not at all” often happens when the attacker switches identities while moving throughout the infrastructure.

When the CEO has to write a letter to the public, it is the worst thing that can happen to a company. Why? Because it is about delivering bad news in the apologetic tone and the damage has already been done. When the letter has to be created, its often is missing key details that are hard to come by given the length of time the attacker has been roaming around inside the network. From the get-go there is almost no chance of building a credible storyline, simply because it is hard to relate these things to each other in time. You will be going to firewall experts to look at firewall incidents trying to find the ones that matter, malware experts looking at the different intrusions and FireEye alerts to try and find what went wrong. Someone in IT will be looking for failed logins – but these are all multiple entities. When you look at the classic SIEM approach (it was supposed to show you all of these events), you have the same problem. You will have malware, firewall and IT incidents being alerted and assigned to different people to figure out individually.

This is why I love the Exabeam behavior-based approach and why I decided to join Exabeam. Exabeam can find the smoking gun. It brings together the firewalls, the IT activity and the malware activity into one story line, attributes the alerts to anomalous credential activities and places everything on a timeline. This is the story of the data breach. It’s a story I’ve never seen built as well by any other product.

This means the first responder can be anyone. We don’t need to wait for a malware or firewall expert, it can be a junior level analyst in his first year at a company who finds it and is empowered to take charge. That is the power of having control of the narrative and building a story line.

Companies like Mandiant are often brought into fill this story telling gap and they do the manual digging. If as a CEO I’m given the story line of the breach before I have to report it to the public, everything changes. My company’s response time is faster, my company looks more credible to the public, the board of directors and investors. Since the response time is faster, I have the ability to stop the hacker or at least garner more information about the hacker and stop additional damage from being done.

Exabeam is built for storytelling. You are not just a storyteller; you get to control how the story ends and you are an active participant. Imagine having a technology that makes the attackers movements completely transparent. As a bonus, there are no longer politics or human error between employees in the mix. With Exabeam, the firewall guy, the antivirus guy, the security guy and the behavioral guy are working together and viewing the evidence of an attack all together to address the problem sooner. User behavior intelligence can be used to link all those “different people feeling different parts of the elephant.” They are able to comment on what the elephant looks like as a group.

Want to know what security stories you can tell with user behavior intelligence?