Capping IT Off

Opinions expressed on this blog reflect the writer’s views and not the position of the Capgemini Group

What is Anomalous Behaviour Detection? Examples...

Part Two - Examples
In my last blog I talked about ‘Deus ex Machina’ and the seemingly impossible capabilities that Data Science and Data Lakes give us for detecting anomalous behaviour. That capability lets a business detect and respond to new threats, both internal and external. A few use cases make the power of these technologies even more apparent.
Just travelling or a new threat?
Many employees travel as part of their job, locally, nationally and internationally. These key workers often have a high level of access to intellectual property, pricing, competitive insight and so on, and they access that information from a range of countries, IP addresses and systems. You can use machine learning across a key demographic of your workforce to establish a baseline of normal behaviour, then combine disparate sources of network data (for example VPN or single sign-on login records with the source IP geolocated) with HR data (travel bookings, leave records) to identify deviations. This is where you can start to differentiate between cases such as:
  • Me logging in from China as part of a known business trip
  • Me logging in from China – but HR thinks I’m in the UK
  • Me logging in from China – but I was also logging in from the UK 4 hrs ago… so how did I get there so quickly?
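The three cases above come down to two checks on a user's login stream: does the login country agree with where HR thinks the person is, and could the person physically have moved from the previous login location in the time elapsed? The following is an added example written for this page, not code from the original post or from Capgemini: it assumes logins have already been geolocated to a latitude/longitude and country, that HR supplies a per-day expected country, and that anything faster than about 1,000 km/h (an assumed airliner speed) is impossible. The sample logins and HR records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumption: roughly airliner speed; tune for your organisation
SAME_TIME_SLACK_KM = 50.0   # assumption: two logins at the same instant within a city are fine


@dataclass
class Login:
    user: str
    ts: datetime
    country: str  # country code from IP geolocation
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def classify_logins(logins, hr_location):
    """Run the two checks from the text over one user's logins in time order.

    hr_location maps (user, 'YYYY-MM-DD') to the country HR believes the user is in.
    Each result records whether the login disagrees with HR and whether the move
    from the previous login would have required an impossible speed.
    """
    results = []
    prev = None
    for ev in sorted(logins, key=lambda e: e.ts):
        expected = hr_location.get((ev.user, ev.ts.strftime("%Y-%m-%d")))
        hr_mismatch = expected is not None and expected != ev.country

        impossible = False
        speed_kmh = 0.0
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = (ev.ts - prev.ts).total_seconds() / 3600.0
            if hours > 0:
                speed_kmh = km / hours
                impossible = speed_kmh > MAX_PLAUSIBLE_KMH
            else:  # identical timestamps: no speed to compute, judge on distance alone
                impossible = km > SAME_TIME_SLACK_KM
        results.append({
            "ts": ev.ts,
            "country": ev.country,
            "hr_mismatch": hr_mismatch,
            "impossible_travel": impossible,
            "speed_kmh": round(speed_kmh),
        })
        prev = ev
    return results


def verdict(result):
    """Map a result onto the three cases in the bullet list above."""
    if result["impossible_travel"]:
        return "impossible travel: investigate"
    if result["hr_mismatch"]:
        return "location disagrees with HR: verify"
    return "consistent with known travel"


# Constructed sample data, not real logs: three logins by one user and
# the HR view of where that user should be on each date.
SAMPLE_LOGINS = [
    Login("bob", datetime(2014, 3, 3, 9, 0), "GB", 51.5074, -0.1278),    # London
    Login("bob", datetime(2014, 3, 3, 13, 0), "CN", 31.2304, 121.4737),  # Shanghai, 4 h later
    Login("bob", datetime(2014, 3, 5, 9, 0), "CN", 31.2304, 121.4737),   # Shanghai, booked trip
]
SAMPLE_HR = {
    ("bob", "2014-03-03"): "GB",
    ("bob", "2014-03-05"): "CN",
}

if __name__ == "__main__":
    for r in classify_logins(SAMPLE_LOGINS, SAMPLE_HR):
        print(r["ts"], r["country"], r["speed_kmh"], "km/h ->", verdict(r))
```

On the constructed data the second login is flagged on both checks (roughly 9,200 km in four hours, and HR has the user in the UK), while the third is accepted because HR already has the user in China and nothing has moved since. In practice geolocation of a corporate VPN egress or a cloud proxy will produce false "impossible travel" hits, so the source IP should be checked against known egress ranges before the speed check is applied.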
Malware detection is a mature technology: existing defences are good, but not complete. There are key indicators of malware behaviour, such as access to unusual domains, unusual port numbers and unusual times of day, and not every anti-malware package can detect all of them. Signatures also take time to be written, updated and propagated, so there is always some attack window.
Again, by combining extensive web access log data with machine learning, the norm can be defined across a wider user base. Traffic that is rare across that base, or outside a user's own pattern, then stands out before any signature exists. This helps in early malware detection, enabling faster counter-action to minimise the length of the threat window.
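To make the "norm across a wider user base" concrete, here is an added example written for this page, not code from the original post or from Capgemini. It takes a constructed proxy log excerpt (an assumed whitespace-separated format of timestamp, user, destination host and port), builds the baseline of how many distinct users talk to each host, and scores each user/host pair on the indicators the text lists (rare destination, unusual port, out-of-hours access) plus one the text does not mention but which a practitioner would add: regularly spaced requests, the check-in pattern of a command-and-control beacon. All thresholds are tuning assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log excerpt, not real traffic. Format assumed here:
# "<ISO timestamp> <user> <destination host> <destination port>".
SAMPLE_LOG = """\
2014-03-03T09:01:10 alice intranet.example.com 443
2014-03-03T09:02:30 bob intranet.example.com 443
2014-03-03T09:05:00 carol www.bbc.co.uk 443
2014-03-03T10:15:00 alice www.bbc.co.uk 443
2014-03-03T11:40:00 dave intranet.example.com 443
2014-03-03T12:00:00 bob cdn.example.org 80
2014-03-03T14:30:00 carol cdn.example.org 80
2014-03-03T02:00:00 dave x7k2.example.net 8080
2014-03-03T02:10:00 dave x7k2.example.net 8080
2014-03-03T02:20:00 dave x7k2.example.net 8080
2014-03-03T02:30:00 dave x7k2.example.net 8080
"""

# Tuning assumptions, not values from the page.
BUSINESS_HOURS = range(7, 20)   # 07:00 to 19:59 counts as in hours
COMMON_PORTS = {80, 443}
MIN_USERS_FOR_COMMON = 2        # a host seen by fewer distinct users is "rare" across the base
BEACON_MIN_HITS = 4
BEACON_MAX_JITTER = 0.2         # stdev/mean of inter-request gaps; lower means more regular


def parse_log(text):
    """Parse the assumed log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, port = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "port": int(port)})
    return events


def build_baseline(events):
    """The norm across the wider user base: which distinct users talk to each host."""
    users_per_host = defaultdict(set)
    for e in events:
        users_per_host[e["host"]].add(e["user"])
    return users_per_host


def is_beaconing(timestamps):
    """Regularly spaced requests to one host are a classic C2 check-in pattern."""
    if len(timestamps) < BEACON_MIN_HITS:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= BEACON_MAX_JITTER


def score_users(events):
    """Return {user: [{"host": ..., "reasons": [...]}, ...]} for user/host pairs that deviate."""
    users_per_host = build_baseline(events)
    per_pair = defaultdict(list)
    for e in events:
        per_pair[(e["user"], e["host"])].append(e)

    findings = defaultdict(list)
    for (user, host), evs in per_pair.items():
        reasons = []
        if len(users_per_host[host]) < MIN_USERS_FOR_COMMON:
            reasons.append("rare host")
        if any(e["port"] not in COMMON_PORTS for e in evs):
            reasons.append("unusual port")
        if any(e["ts"].hour not in BUSINESS_HOURS for e in evs):
            reasons.append("out of hours")
        if is_beaconing([e["ts"] for e in evs]):
            reasons.append("beacon-like interval")
        if reasons:
            findings[user].append({"host": host, "reasons": reasons})
    return dict(findings)


if __name__ == "__main__":
    for user, hits in score_users(parse_log(SAMPLE_LOG)).items():
        for h in hits:
            print(user, h["host"], ", ".join(h["reasons"]))
```

On the constructed log only one user is reported: dave's four requests to a host nobody else visits, on port 8080, at 02:00 and exactly ten minutes apart, collect all four reasons. The same prevalence logic will also flag the first person in the company to use a new SaaS tool, so a "rare host" hit on its own should raise a low-priority ticket, and the combination of several indicators is what justifies a faster response.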
Abnormal Purchase Orders
A smaller scale, and more regular, kind of threat to a business comes from finance controls. Take Alice for example. Within the finance system she can authorise purchase orders up to her approval ceiling. But how do we discover that this quarter Alice has authorised three times the normal volume of purchase orders in one category compared to her peers? Again, through machine learning the business can define the norm from historic approval data and map the current data feed against it to highlight exceptions.
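The Alice case is a peer-group comparison: her approval count in one category against the other approvers in the same category and quarter, and against her own previous quarters. The following is an added example written for this page, not code from the original post or from Capgemini. It assumes the finance system can export one row per approver, category and quarter with the number of purchase orders approved; the records and the thresholds (the 3x peer ratio from the text, plus a z-score and an own-history ratio as further assumptions) are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed approval records, not real finance data:
# (quarter, approver, category, number of purchase orders approved).
SAMPLE_APPROVALS = [
    ("2013Q4", "alice", "IT hardware", 12), ("2013Q4", "bob", "IT hardware", 11),
    ("2013Q4", "carol", "IT hardware", 12), ("2013Q4", "dan", "IT hardware", 11),
    ("2014Q1", "alice", "IT hardware", 36), ("2014Q1", "bob", "IT hardware", 12),
    ("2014Q1", "carol", "IT hardware", 11), ("2014Q1", "dan", "IT hardware", 13),
    ("2014Q1", "alice", "travel", 8), ("2014Q1", "bob", "travel", 9),
    ("2014Q1", "carol", "travel", 8), ("2014Q1", "dan", "travel", 9),
]

# Thresholds are assumptions; the 3x peer ratio is the one the text mentions.
PEER_RATIO = 3.0
PEER_Z = 2.0
HISTORY_RATIO = 2.5


def volumes(records):
    """(quarter, category) -> {approver: approved PO count}."""
    vol = defaultdict(lambda: defaultdict(int))
    for quarter, approver, category, count in records:
        vol[(quarter, category)][approver] += count
    return vol


def find_exceptions(records, quarter):
    """Compare each approver's volume in `quarter` with peers and with their own history."""
    vol = volumes(records)
    exceptions = []
    for (q, category), counts in vol.items():
        if q != quarter:
            continue
        for approver, n in counts.items():
            peers = [c for p, c in counts.items() if p != approver]
            if not peers:
                continue  # nobody to compare against in this category
            peer_mean = mean(peers)
            peer_sd = pstdev(peers)
            ratio = n / peer_mean if peer_mean else float("inf")
            if peer_sd:
                z = (n - peer_mean) / peer_sd
            else:  # identical peers: any excess is infinitely unusual
                z = float("inf") if n > peer_mean else 0.0
            # Earlier quarters for the same approver and category (quarter labels sort as text).
            history = [vol[(hq, hc)][approver] for (hq, hc) in vol
                       if hc == category and hq < quarter and approver in vol[(hq, hc)]]
            hist_ratio = n / mean(history) if history else None

            reasons = []
            if ratio >= PEER_RATIO or z >= PEER_Z:
                reasons.append(f"{ratio:.1f}x peer mean (z={z:.1f})")
            if hist_ratio is not None and hist_ratio >= HISTORY_RATIO:
                reasons.append(f"{hist_ratio:.1f}x own prior quarters")
            if reasons:
                exceptions.append({"approver": approver, "category": category,
                                   "count": n, "ratio": round(ratio, 2),
                                   "z": round(z, 1), "reasons": reasons})
    return exceptions


if __name__ == "__main__":
    for ex in find_exceptions(SAMPLE_APPROVALS, "2014Q1"):
        print(ex["approver"], ex["category"], ex["count"], "; ".join(ex["reasons"]))
```

On the constructed data only Alice in "IT hardware" for 2014Q1 is reported: 36 approvals against a peer mean of 12 (exactly 3x) and against her own 12 in the previous quarter. With only three peers the z-score is fragile, which is why the ratio and the own-history checks are kept alongside it; counting approvals is also only the first cut, and the same comparison should be run on approved value and on the share of orders routed to a single supplier.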
[You can be even smarter and map “employees at risk”, using keyword analysis of IM and web logs, email or even HR performance data, to focus analysis on employees who may wish to exit or are already exiting, subject to the legal and privacy limits on monitoring staff in each jurisdiction.]
The extent to which a business can be penetrated, and the resulting threat, remain significant. Behavioural analysis is the key to being able to react to that threat, but the reaction itself must be proportionate, which is the next layer of the challenge.

About the author

Paul Gittins
