Capping IT Off

Opinions expressed on this blog reflect the writer’s views and not the position of the Capgemini Group

What is Anomalous Behavior Detection?

Part One - Deus ex Machina, The Art of the Possible
Horace in Ars Poetica noted that poets should never resort to a “god from the machine” to resolve their plot points, "unless a difficulty worthy of a god's unravelling should happen".
He was, apparently, referring to the conventions of Greek tragedy, where a machine is used to bring actors playing gods onto the stage. Such plot devices are lazy, and require a suspension of disbelief from the audience.
The challenges that businesses face often call for a similar suspension of disbelief when it comes to how organisations are being compromised. We have spent the last 30 years securing all things imaginable – firewalls, antivirus, access and identity controls, biometrics, GRC, etc.
First, let me highlight the cliché: Edward Snowden. He was working in one of the most secure organisations in the world, with extensive controls in place. Setting aside the politics and the moral discussion, he managed to extract massive amounts of privileged information without being detected at the time.
How was this possible?
He was working within his role. As a part of his responsibilities, he had system admin access to search, copy and save data. He was allowed to access those data sets. He was allowed to copy data.
But all the layers of security controls?
The firewalls, antivirus, access and identity controls, biometrics, GRC – all were doing what they were meant to. Snowden was in role, so the systems would not have flagged any breach: his data usage stayed within the constraints the policy allowed.
So where was the gap?
None of these systems were able to spot the change in behaviour. That change included the emergence of a new, internal and highly capable “threat actor” who had started to deviate from the way his peers were using the same systems. It was clearly a departure from normal behaviour, yet he was able to extract the data he wanted without any alarm bells ringing.
Deus ex Machina
The discipline of data science (this point of view by Annika Jimenez is the most complete I have seen) brings not just a set of tools, but also people who understand the business context, can interpret what they are seeing and know how to build the algorithms that generate the insight needed to identify the “unknown unknowns”: the people who are acting in role, but abnormally.
Data lakes allow us to ingest not just the output of classic security controls but wider data sets – HR, instant messaging, even video. Machine learning helps us learn the “allowed and normal behaviour” from many users at once. It identifies what is not “normal” by measuring how far a given activity deviates from that norm, rather than by checking it against a fixed policy. This allows a business to create a security approach to:
  • Detect social engineering attacks as well as network-level attacks – for example, an external attacker calling random numbers at a company and claiming to be from technical support. The attacker will “help” solve a problem and, in the process, obtain access or deploy malware.
  • Minimize the exposure time and loss
  • Potentially predict the leakage areas ahead of the attack
  • React appropriately based on the risk and behaviour spotted – anything from an email flag to the individual’s boss to automated changes in system/physical security access rights.
That’s a deus ex machina. And you can do it today…
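One way to put the “in role, but abnormally” idea into practice, as an added example that is not from the original post: a peer-group baseline built from constructed audit events (user, role, bytes copied), scored with a median/MAD robust z-score so that the anomalous user cannot inflate the very baseline they are measured against. All user names, role labels and volumes below are constructed.

```python
"""Peer-group anomaly detection over constructed data-access events.

Added example, not from the original post. A user whose every access
is authorised can still stand out when the volume of data they copy
diverges from peers in the same role (the post's insider scenario).
"""
from collections import defaultdict
from statistics import median

# Constructed sample audit events: (user, role, bytes_copied). Not real data.
EVENTS = [
    ("alice", "sysadmin", 120), ("alice", "sysadmin", 90), ("alice", "sysadmin", 150),
    ("bob", "sysadmin", 100), ("bob", "sysadmin", 130), ("bob", "sysadmin", 80),
    ("carol", "sysadmin", 110), ("carol", "sysadmin", 95), ("carol", "sysadmin", 140),
    ("dave", "sysadmin", 105), ("dave", "sysadmin", 115), ("dave", "sysadmin", 125),
    ("eve", "sysadmin", 130), ("eve", "sysadmin", 4800), ("eve", "sysadmin", 5200),
    ("frank", "hr", 20), ("frank", "hr", 25), ("grace", "hr", 22), ("grace", "hr", 18),
]

def totals_by_role(events):
    """Sum bytes copied per user, grouped by the user's role."""
    per_role = defaultdict(lambda: defaultdict(int))
    for user, role, size in events:
        per_role[role][user] += size
    return per_role

def robust_zscores(values):
    """Robust z-score: (x - median) / (1.4826 * MAD).
    Median and MAD are not dragged upwards by the outlier we are looking
    for; a plain mean/stddev baseline would be inflated by the anomalous
    user and could hide them."""
    med = median(values.values())
    mad = median(abs(v - med) for v in values.values())
    scale = 1.4826 * mad if mad else 1.0  # avoid division by zero on flat groups
    return {u: (v - med) / scale for u, v in values.items()}

def peer_group_outliers(events, threshold=3.5):
    """Return {user: score} for users whose total diverges from role peers.
    Each user is compared only with their own role, so a sysadmin's
    legitimately high volume is not flagged merely for exceeding HR's."""
    flagged = {}
    for role, per_user in totals_by_role(events).items():
        if len(per_user) < 3:
            continue  # too few peers for a meaningful baseline
        for user, z in robust_zscores(per_user).items():
            if z > threshold:
                flagged[user] = round(z, 1)
    return flagged

if __name__ == "__main__":
    for user, z in peer_group_outliers(EVENTS).items():
        print(f"{user}: robust z-score {z} versus role peers")
```

The threshold and the minimum peer-group size are the tuning knobs; the point is that nothing eve did violated an access policy, yet her volume stands out against her peers.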

About the author

Paul Gittins
