Part Three – Deus ex Machina, Taking Action
In my last two blogs I covered Deus ex Machina – both the art of the possible and also some examples of how the detection of anomalous behaviour is a new capability critical to business.
Now I want to talk about connecting detection to action.
Let’s take a use case. Bob is a systems admin in a major bank with access to most of the core systems in FX trading.  He’s become disenchanted recently after a string of average performance reviews and is thinking about setting up his own niche FX platform with a friend in another bank.  He thinks that with the bank’s existing trading model and some adaptations they can create a smart little business.
He’s been downloading the models and sample data sets over the last few weeks (at the end of the day) to a private sandbox VM that he created – whilst making his day job changes to the core platform backups and permissions.
So he is in role, security logs are captured, but neither security information and event management (SIEM) nor governance, risk management, and compliance (GRC) would flag a change in his behaviour. In the background, however, the bank’s anomalous behaviour detection platform can capture his actions. The machine learning aspects have established how the system administrators in the bank operate and can map changes in Bob’s pattern of behaviour based on:

  • Anomalous creation of a virtual machine 
  • Accessing multiple models and IP – no changes, but accessed at close of play each day rather than during working day
  • Multiple data sets being copied without subsequent access

So what happens next?
Historically you’d have two options – alerting a security team for manual investigation and/or closing down user access. If you take a risk matrix approach then you can classify the next best action based on potential exposure and the controls you have automated:

  • Alert security team for manual investigation
  • Based on user access and the threat level, your response could be to:

    • Flag to manager via email
    • Adapt access provided by identity and access management to narrow access but not prevent employee from all of his day job responsibilities (e.g. moving systems in question to read only mode)
    • Automatically duplicate (and place authenticity controls on the copy for evidence collection) whilst quarantining the virtual machine  from live systems
    • Adapt SIEM policies to keep all data from this (and related users) for a longer retention period

In closing, I believe the action from the insight becomes as important as the detection.
As a business you need to tune your automated response actions to minimise the impact of the potential threat, taking into account the resources needed to effectively investigate – and minimize the threat window.
It’s a delicate balance but it can be done.