Last week I had the opportunity to speak with several CISOs about what they are doing to deal with cyberattacks, breaches and internal threats. A consistent theme I heard is that detection only solutions aren't enough. They need more practical approaches to rapidly respond to anomalous behavior and they need to reduce burden on analysts. Working smarter not harder. This is one of the great benefits of real-time threat prevention based on identity, behavior and risk. It can removes work from analyst via adaptive response and automated resolution of false positives. One customer recently told me that within just a couple months, automated response has helped them improve their efficiency by 30-40%. That’s a lot of time that can focused on more critical security tasks.
Some have been reluctant to implementing automated response based on traditional behavioral analytics (UEBA) or next gen firewalls because there are a lot of shades of gray. Incidents can be inconclusive or unreliable and enforcement options are often limited to offline playbooks or a blunt Block/Allow which ultimately is not good for business enablement. Sometimes something looks risky but it’s actually a legitimate user and activity. That is something you don’t want to block. For automated response to work, it needs to have flexibility.
However, if you have a solution that is architected for continuously learning and identifying risky or anomalous behavior with real-time prevention (and auto resolution) as the ultimate goal, it can learn the shades of gray and use it to respond respectively. It can automatically respond and control access by intelligently adapting response based on identity, behavior and risk ensuring you are providing the right level of security at the right time.
When there is a shift in normal behavior, you want to be able to automatically challenge the user to verify their identity. Adaptive Responses to threats could include multi-factor authentication, allow, block, notify, end point isolation and others, which are designed to match the behavior, the type of user, application and the asset being targeted, and can be applied through a flexible policy. Real-time engagement with users now adds supervised learning into the behavioral analytics making it even more accurate over time.
Here’s a common scenario:
A privileged user accesses multiple servers he doesn’t normally access. Traditionally, an alert is generated and manually reviewed by security professionals. Based on the identity of the user, past behavior, and the value of the target asset, this user could automatically be challenged to verify identity via multi-factor authentication. If unsuccessful, they can be automatically blocked, potentially stopping an attacker who stole someone’s credentials. This entire process is completed without a security analyst ever needing to get involved.
However, in the previous example, if the user was a consultant, an executive or a compromised service account, the response could have been completely different. Adaptive response to threats ensures business processes are not disrupted but security threats can be contained.
This flexibility lends itself to a wide variety of use cases. Here are six of the most common scenarios we see our customers using real-time response for:
Compromised Accounts- Attackers will use compromised credentials so they can spread laterally through the network. This can turn a small system-level compromise into an enterprise-level compromise. Abnormal behavior can be automatically challenged via multi-factor authentication and subsequently trigger 3rd-party response orchestration, isolation of the host, or notification to security analysts based on policy.
Compromised Users or Devices- Find signs of malware or an attacker on a device such as abnormal or unknown protocols in use, attempts to escalate privileges, or the presence of new or unmanaged devices on the network.
Compromised Privileged Users and Service Accounts- By nature, privileged users, such as administrators have more risk. You can track and prioritize their risk scores to drive more aggressive response policies. The same approach can be applied to service accounts, which are often hard to manage, yet can provide an attacker with easy access to key servers and data.
Compromised Hashes/Tickets- Techniques such as Pass-the-Hash and Pass-the-Ticket have long been critical tools for attackers to move laterally within the network. When these techniques are detected, the affected user can be challenged via multi-factor authentication or by blocking or isolating the affected host.
Attacks Against Active Directory Infrastructure- Protecting your organization’s authentication infrastructure is critical. Prevent abuse including brute-force attacks, Golden Ticket attacks, forged PAC files, or attempts to harvest data from Active Directory.
Insider Access Abuse- The presence of a malicious insider or simply a naive or impatient end-user can quickly unravel the best laid plans of the security team. By learning normal working hours, locations, as well as the typical assets and applications of a user, the solution can challenge and respond to any anomalous behavior.
Using real-time threat prevention based on identity, behavior and risk ensures you can always take action that strikes the appropriate balance between security and enablement.