When All Behavior is Abnormal, How Do We Detect Anomalies?

Identifying normal behavior baselines is essential to behavior-based authentication. However, with COVID-19 upending all aspects of life, is it possible to build baselines and measure normal patterns when nothing at all seems normal?

We log into work in the morning, usually between 0900 and 0915. We log into mail, the collaboration system, then the business applications. The place we log in from, the time we start work, and the sequence of logins form a unique pattern. And unique patterns can be useful as authentication factors. Right now, there’s a possible problem, though: How do you establish “normal” behaviors in an utterly abnormal time?

The issues around behavior-based authentication echo larger IT behavior issues of the moment. Daniel Norman, research analyst at the Information Security Forum, says, “During times of crisis, behavior can be overwhelmed by stress and especially by disruption to daily routines. The COVID-19 lockdown has demonstrated the requirement for organizations to manage behavior effectively, or face disruption from a growing range of security threats both from outside and within the business.”

Defining a useful normal

Robert Capps, vice president at NuData Security, a Mastercard company, says that benchmarking and using behavior may begin with understanding which behaviors remain useful indicators of a user’s identity. “Users who are sheltering in place will have some or all of the same characteristics present in their interactions, as they did pre-COVID,” Capps explains. “They will continue to use their home internet connection, their existing devices, and will use those devices in the same way as before.” He points out that the habits and patterns can actually decrease the “friction” in a user’s computing experience, allowing them to open and use some applications without stopping to think deeply about the user experience. That same “automatic” nature of the actions is what makes them useful from an authentication perspective.

Fortunately, while the overall business environment is at a highly unusual point, experts say that computer user behavior is not as anomalous as it might seem, and may even be more consistent than before the pandemic. “I would imagine that today people’s behaviors are less anomalous than usual. On a normal day, people log into or visit sites from networks at work, on the train, at the Starbucks, at the airport and also at home. Today, they only log in from home,” says Jason Kent, hacker in residence at Cequence Security.

“Most organizations already understand their infrastructure goes out to the remote worker; there are just more remote workers now,” he explains. Kent says that organizations should always use many different data points to make a determination of behavior. Some factors will always matter more than others, and it is the combination of factors that needs to be considered to determine the risk.

Shahrokh Shahidzadeh, CEO at Acceptto, says that looking past the login is critical. “There are normal behaviors where some users use VPN; but that is not important. Besides the VPN login, there are other factors in play, such as the patterns gained through the analysis of the applicational behavior,” he says, adding, “What we are interested in is what happens throughout the lifecycle of the session.”

Using behaviors across the entire user interaction provides rich, valuable context for the behaviors we see. “The key to effective behavior-based detection is context for the algorithms to learn from. When behavior-based algorithms, specifically for authentication, are able to take in the whole picture, they are quickly able to adapt to new conditions,” says Wade Woolwine, principal security researcher at Rapid7.

“The whole picture means that we can see local system authentications against the domain, we can see VPN authentications, internal resource authentication and authorization, and external services authentication,” Woolwine explains. “With that level of visibility, behavior-based detections quickly figure out that the strange IP authenticating to the external service is actually the same IP that successfully authenticated to the VPN just a minute ago.”
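The correlation Woolwine describes, written out as an added example (not code from the article or from Rapid7): a new client IP on an external service is treated as anomalous only if the same IP did not successfully authenticate to the VPN within a short window, and an IP that is explained by VPN context is learned into the user's baseline. The baseline set, the event tuples, the source names and the five-minute window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the article). Pre-pandemic baseline of
# IPs each user was normally seen on: the office egress address.
BASELINE_IPS = {"alice": {"192.0.2.1"}, "bob": {"192.0.2.1"}, "carol": {"192.0.2.1"}}

# Constructed auth events: (ISO timestamp, user, source, client IP, outcome)
EVENTS = [
    ("2020-04-06T08:58:00", "alice", "vpn", "203.0.113.10", "success"),
    ("2020-04-06T08:59:00", "alice", "saas-mail", "203.0.113.10", "success"),
    ("2020-04-06T09:00:00", "carol", "vpn", "203.0.113.77", "success"),
    ("2020-04-06T09:05:00", "bob", "saas-mail", "198.51.100.7", "success"),
    ("2020-04-06T09:06:00", "bob", "vpn", "192.0.2.44", "failure"),
    ("2020-04-06T09:07:00", "bob", "saas-mail", "192.0.2.44", "success"),
    ("2020-04-06T09:30:00", "carol", "saas-mail", "203.0.113.77", "success"),
    ("2020-04-06T11:00:00", "alice", "saas-mail", "203.0.113.10", "success"),
]

CORRELATION_WINDOW = timedelta(minutes=5)  # assumed: "just a minute ago" tolerance


def assess(events, baseline, window=CORRELATION_WINDOW):
    """Return (timestamp, user, ip, verdict) for each successful non-VPN login.

    verdict is 'baseline' (IP already known for this user),
    'context-explained' (new IP, but the same IP succeeded against the VPN
    within `window`; the IP is then learned into the user's baseline), or
    'anomalous' (new IP with no corroborating context)."""
    known = defaultdict(set, {u: set(ips) for u, ips in baseline.items()})
    last_vpn = defaultdict(dict)  # user -> {ip: time of last successful VPN auth}
    verdicts = []
    for ts_str, user, source, ip, outcome in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        if outcome != "success":
            continue  # failed attempts never corroborate anything
        if source == "vpn":
            last_vpn[user][ip] = ts
            continue
        if ip in known[user]:
            verdict = "baseline"
        elif ip in last_vpn[user] and ts - last_vpn[user][ip] <= window:
            verdict = "context-explained"
            known[user].add(ip)  # adapt: this IP is now part of the user's normal
        else:
            verdict = "anomalous"
        verdicts.append((ts_str, user, ip, verdict))
    return verdicts
```

Bob's 09:07 login stays anomalous because his VPN attempt a minute earlier failed, and Carol's 09:30 login stays anomalous because her VPN session is outside the window; only Alice's new home IP is explained by context and then accepted as baseline on her later login.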

(next: page 2 of 2, “necessary complexity”)

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …
