We’ve all received a call at one point or another from the fraud protection departments of our credit card providers, telling us they’ve detected some suspicious activity on our accounts and would like to verify a few recent charges.
What follows might be a list of purchases that we know we didn’t make. Ultimately, the customer service representative confirms that the card has been compromised, closes the account and issues a new card.
There are several parallels we can draw between these credit card inquiries and enterprise IT security. IT security teams can learn from the credit card industry how to more quickly identify the fraudulent use of valid employee credentials before a data breach takes hold.
Investigating security incidents
Stolen user credentials accounted for more than 76 percent of all network intrusions in 2013. The vast majority of major data breaches reported in the news in 2014 were the result of stolen credentials: Sony, Home Depot, Goodwill, Dairy Queen, Neiman Marcus, Target and the U.S. Postal Service, to name a few. This year promises to be no different as the CEOs of Anthem and Premera both cite “unauthorized access” as the reason for their data breaches. Just as a credit card is a form of identity, so, too, are employee credentials.
Now, what if a tier-one IT security operations center employee could approach an investigation in a manner that more closely resembles credit fraud investigations? We can imagine the following conversation:
“Hi, Mark. I noticed some suspicious activity with your user credentials and have a few questions to ask. Do you have a minute?”
“I’m showing you accessed the network via VPN from Rome yesterday. Are you traveling?”
“Yes, but I’ve been working from our Dayton office.”
“Are you on the VPN?”
“I see you trying to access the code repository from an HR system.”
“Well, I’m pretty sure that’s not me. I’m in a Starbucks answering email at the moment.”
“I’m sorry but I’ll have to cut your VPN access. Log out of the network and shut down your computer. I’ll ship a loaner machine to you overnight. Bring both machines back. Forensics will want to do a full analysis when you get here.”
The rise of user behavior intelligence
Credit card companies leverage machine-learning technologies to learn and establish normal baselines for purchasing behaviors. They automatically apply questions to transaction data in an effort to determine anomalous activity. A few behavioral clues, such as the charged amount, whether the credit card appears to have been used in two places at once, and the location of the store compared with the cardholder’s home address, are often enough to tell a credit card fraud analyst that something is amiss.
Through user behavior intelligence, enterprises can establish a baseline for normal user behavior that enables machines to identify credential activity that deviates from the norm and flag it for further investigation by a security analyst. Gartner’s “Market Guide for User Behavior Analytics” offers a great overview of how enterprises can leverage existing security information and event management (SIEM) data and enhance it with Active Directory data to identify suspicious user activity.
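The baseline-then-deviation check described above, as an added example that is not part of the original article or any vendor's product: it learns each user's usual access paths from constructed history, then flags two clues from the imagined call (activity from Rome shortly after Dayton, and the code repository reached from an HR system). Event fields, host names, coordinates and the 900 km/h ceiling are assumptions.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real logs): user, time, source host, target, location.
CITIES = {"Dayton": (39.76, -84.19), "Rome": (41.90, 12.50)}
BASELINE = [  # history used to learn what is normal for each user
    ("mark", "2015-03-02T09:00", "mark-laptop", "mail", "Dayton"),
    ("mark", "2015-03-03T09:10", "mark-laptop", "code-repo", "Dayton"),
    ("mark", "2015-03-04T08:55", "mark-laptop", "mail", "Dayton"),
]
NEW = [  # session to score against the baseline
    ("mark", "2015-03-05T09:00", "mark-laptop", "mail", "Dayton"),
    ("mark", "2015-03-05T11:00", "mark-laptop", "mail", "Rome"),
    ("mark", "2015-03-05T11:20", "hr-system", "code-repo", "Rome"),
]
MAX_KMH = 900  # assumed ceiling: roughly airliner speed

def km(a, b):
    """Great-circle distance in km between two (lat, lon) points (haversine)."""
    (la1, lo1), (la2, lo2) = [tuple(map(math.radians, p)) for p in (a, b)]
    h = (math.sin((la2 - la1) / 2) ** 2
         + math.cos(la1) * math.cos(la2) * math.sin((lo2 - lo1) / 2) ** 2)
    return 2 * 6371 * math.asin(math.sqrt(h))

def score(baseline, new):
    """Return (user, time, reason) findings for events that deviate from baseline."""
    seen = defaultdict(set)  # user -> {(source, target)} pairs seen before
    last = {}                # user -> (time, city) of the most recent event
    for user, ts, src, dst, city in baseline:
        seen[user].add((src, dst))
        last[user] = (datetime.fromisoformat(ts), city)
    findings = []
    for user, ts, src, dst, city in new:
        t = datetime.fromisoformat(ts)
        if user in last and last[user][1] != city:
            hours = (t - last[user][0]).total_seconds() / 3600
            dist = km(CITIES[last[user][1]], CITIES[city])
            if hours <= 0 or dist / hours > MAX_KMH:
                findings.append((user, ts, f"impossible travel {last[user][1]}->{city}"))
        if (src, dst) not in seen[user]:
            findings.append((user, ts, f"new access path {src}->{dst}"))
        seen[user].add((src, dst))
        last[user] = (t, city)
    return findings

if __name__ == "__main__":
    for finding in score(BASELINE, NEW):
        print(finding)
```

Each finding is a lead for the analyst's call to the user, not a verdict: a legitimate first use of a new system produces the same "new access path" signal.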
Taking the cybersecurity battle to the front lines
Stolen user credentials are active in the gaps between links in the entire attack chain, enabling actions from initial compromise to the theft of sensitive data. Why, then, are enterprises doubling down on systems that defend against initial compromise and data exfiltration when these types of attacks are the shortest links in the attack chain?
Once an attacker gets a foothold on a network, he can move laterally, switch identities and maneuver throughout the IT environment undetected. If existing enterprise security solutions or the security team misses the initial compromise, it’s game over. But rather than reconfiguring the entire cybersecurity infrastructure, enterprises can get ahead of attackers through behavioral analysis.
Attackers are increasingly sophisticated, and they will often stop at nothing until they breach an intended target. Widely deployed anti-virus solutions are about 45 percent effective. Independent tests on FireEye show it to be about 94 percent effective, but malicious code can be designed to evade both. User behavior intelligence can add valuable context to SIEM alerts that will enable security teams to paint a complete picture of the entire user session to identify where user credentials were used and how. By applying the same practices as credit fraud analysts to determine suspicious activity, security researchers can instantly know which threats warrant immediate attention, rather than spending hours or days manually piecing together the entire attack chain. Credit card companies have adjusted their fraud priorities knowing the likelihood of their customers being compromised is high. It’s time we do the same for IT security.
Nir Polak is the co-founder and CEO of Exabeam, Inc.