Jamie Graves, CEO, ZoneFox

What would you use to kill a vampire? Holy water is a good start, a string of garlic bulbs might keep them away for a while, but the best known, the tried and tested method, is the wooden stake. A one-shot weapon to completely eliminate the threat.

If only cyber-security was so easy. The traditional breach was surpassed long ago; between DDoS smokescreens, phishing, ransomware, forced entry and insider threats, companies are facing issues from all sides. Despite our best efforts, there is no one solution to combat them all.

Some of these threats are certainly more dangerous than others. Out of all of these, clearly the most insidious is the issue of insider threats. This isn't the monster knocking at your door, but the one already hanging from the rafters.

These are issues that stem from within an organisation, be it someone leaving themselves logged in on a public computer all the way through to corporate espionage and the removal of IP from the network. The obvious issue with this type of cyber-threat is that the use of authorised details to gain access means that the alarms don't sound until long after the damage has been done. Therefore, companies are turning to a new, more advanced way of monitoring their network for suspicious activity: user-behaviour analytics (UBA).

UBA is the collection and analysis of a person's data and activity within a network, allowing an overview of how they operate and where they are going without compromising privacy. In short, it looks to flag problems before they occur by building profiles of employees over time to understand if something suspect is happening – particularly useful against the malicious insider that attempts to sneak past in disguise with their ill-gotten gains.

The issue with this kind of oversight is having the capability to analyse everything happening at any one time and to deal with it in an effective time frame. To do this, even with the controls and dashboards out there to streamline this data, you would need dedicated staff monitoring your employees within the network, a luxury few organisations can afford.

Further to this squeeze on resources is the fact that not all instances may be uncovered manually; people carrying out malicious insider threats often use a “low and slow” methodology to access and steal data while keeping everybody else unaware. This is where UBA – and specifically UBA that is based around machine learning – comes into play. This technology can build a profile of someone within a network from multiple data sets, accurately working out when someone is doing something that is both not allowed and out of the ordinary for them. After all, a junior member of the financial team is going to have a very different network footprint to that of the human resources director.

So, to combat someone within your network looking to cause harm, you need to install an appropriately intelligent UBA programme and it's sorted? Sadly not. As previously stated, there isn't really a silver bullet for any security threat. The next stage to the process is ensuring that you are using the correct data sets and feeding this into the system to provide the necessary oversight.

For a long time, these systems and their precursors were fed administrative information to digest and report on. This is understandable as it's long been the only type of data to go on. But it is only surface level, and as criminals become more advanced, so too should the tools and data that we are using to combat them. There are three different types of data that have been used to try and monitor networks, and it is worth looking at these in more detail.

Network data works well for malware analysis but unfortunately leaves you blind to activity carried out outside of it, along with any on-host activity. Both are vital for building a picture of normal and abnormal behaviour and for developing the personal profiles of employees.

Log files and other admin data sets face a similar issue: they are built for debugging, administration and troubleshooting, and again offer nowhere near deep enough insight to pick up on the subtle cues that could show that an insider incident is taking place.

For UBA to be successful, it must pull in data from a variety of custom sources. From files to emails, you want the program working away in the background, monitoring everything from thousands of “file delete” actions in a short time window to unusual directory visits or launches of rarely used apps, all of which may indicate that a user is behaving uncharacteristically. When it comes to network security, especially in our modern climate of ‘not if, but when' with cyber-attacks, time is money.
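As an added illustration (not from the article or from any ZoneFox product), the following Python sketch builds a per-user baseline from constructed sample events and then flags the kinds of deviations listed above: a burst of file deletes well beyond that user's own norm, a directory they never visit, and an application they rarely launch. The event fields, thresholds and sample data are all assumptions made for the example.

```python
from collections import defaultdict, deque
DELETE_WINDOW_S = 60   # burst window for "file_delete" events (assumed)

def _window_count(q, ts):
    """Add ts to deque q, drop entries older than DELETE_WINDOW_S, return how many remain."""
    q.append(ts)
    while ts - q[0] > DELETE_WINDOW_S:
        q.popleft()
    return len(q)

def build_profiles(history):
    """Learn a per-user baseline from (ts, user, action, target) tuples."""
    profiles = defaultdict(lambda: {"dirs": set(), "apps": defaultdict(int), "max_deletes": 0})
    recent = defaultdict(deque)
    for ts, user, action, target in sorted(history):
        p = profiles[user]
        if action == "dir_visit":
            p["dirs"].add(target)
        elif action == "app_launch":
            p["apps"][target] += 1
        elif action == "file_delete":   # remember the user's busiest minute of deletes
            p["max_deletes"] = max(p["max_deletes"], _window_count(recent[user], ts))
    return profiles

def detect(profiles, events):
    """Flag events that are out of the ordinary for *that* user, or from an unknown user.
    A delete burst is reported once, when the count first exceeds twice the user's busiest minute."""
    alerts, recent = [], defaultdict(deque)
    for ts, user, action, target in sorted(events):
        p = profiles.get(user)
        if p is None:
            alerts.append((ts, user, "unknown_user", target))
        elif action == "dir_visit" and target not in p["dirs"]:
            alerts.append((ts, user, "unusual_directory", target))
        elif action == "app_launch" and p["apps"].get(target, 0) <= 1:   # rarely used by this user
            alerts.append((ts, user, "rare_app_launch", target))
        elif action == "file_delete" and _window_count(recent[user], ts) == 2 * max(p["max_deletes"], 1) + 1:
            alerts.append((ts, user, "delete_burst", f">{2 * max(p['max_deletes'], 1)} deletes in {DELETE_WINDOW_S}s"))
    return alerts

def run_demo():
    # Constructed sample data: alice works in finance, bob in HR; mallory has no history at all.
    history = [(1000, "alice", "dir_visit", "/finance/invoices"), (1010, "alice", "app_launch", "spreadsheet"),
               (1020, "alice", "app_launch", "spreadsheet"), (1030, "alice", "file_delete", "/finance/invoices/a.xlsx"),
               (1040, "alice", "file_delete", "/finance/invoices/b.xlsx"), (2000, "bob", "dir_visit", "/hr/records"),
               (2010, "bob", "app_launch", "archiver"), (2020, "bob", "app_launch", "archiver")]
    today = [(5000, "alice", "dir_visit", "/finance/invoices"), (5001, "alice", "dir_visit", "/hr/records"),
             (5002, "alice", "app_launch", "archiver"), (5020, "bob", "app_launch", "archiver"),
             (5030, "bob", "dir_visit", "/hr/records"), (6000, "mallory", "dir_visit", "/finance/invoices")]
    today += [(5010 + i, "alice", "file_delete", f"/finance/invoices/{i}.xlsx") for i in range(5)]
    return detect(build_profiles(history), today)
```

Note that bob launching the archiver raises nothing because it is routine for him, while the same launch by alice does; the baseline, not the action alone, decides.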

You need to be able to flag up issues as close to real time as possible while not being constantly bombarded with false positives. Traditional data sources cannot give you these kinds of results, so giving the UBA system full access to the network is vital for organisations, especially if resources are limited. After all, you may be sitting on a legacy system consisting of decades of important files, emails and applications – so make sure you make the most of it.

So it seems that although there may not yet be the cyber-security stake that is needed to kill off insider threats, there are ways to start assembling an anti-vampire toolkit. It's this combination of appropriate data sets with new, intelligent security technologies such as UBA that will allow you to consistently – and without impinging on privacy – monitor your entire network and work out if something is amiss. No more scary surprises lurking in the shadows.

Contributed by Jamie Graves, CEO, ZoneFox