“It’s not the crime, it’s the coverup,” has become a truism in legal circles. It might be time for a similar aphorism in the world of cybersecurity: It’s not the hack, it’s the horizontal movement.
An initial security breach – the theft of login credentials, say – can at first seem small. But the attack can escalate rapidly and exponentially.
A prime example is the SolarWinds hack. Cyber-criminals achieved access that allowed them to insert malicious code into the company’s Orion product, which helps organizations manage their IT networks. When SolarWinds customers updated their software, the attackers gained remote access to the systems of some 18,000 agencies and enterprises.
Today, your organization is at even greater risk as a significant portion of your employees work remotely. You must protect a vastly expanded number of entry points through which attackers can get inside your network – and then move laterally to steal data, disable systems and interrupt operations.
The solution is to replace outmoded cybersecurity techniques that respond to breaches as they’re occurring or after they’ve taken place. What’s needed is a proactive approach that leverages user behavior monitoring to identify potentially high-risk activities and move organizations “left of breach” – shutting down attacks before they begin.
Limited Visibility, Unlimited Vulnerabilities
When the COVID-19 crisis struck, organizations had to move quickly to enable employees to work remotely. They didn’t always have the time and resources to put in place the technologies and policies to make remote work as secure as it should be. Now that remote work has become ingrained, many of those vulnerabilities persist.
Worse, employees working from home experience stress that could lead them to take risks. A recent Forcepoint survey of 2,000 office workers in the United Kingdom and Germany found that younger employees and employees caring for family members are stressed when working remotely. They also engage in risky behaviors.
For instance, among employees under age 30, 67 percent use unapproved devices and applications, 55 percent make mistakes such as sending emails to the wrong address, and 63 percent say home distractions negatively affect decision making. For caregivers, 48 percent use unapproved technology, 52 percent make errors and 56 percent have trouble with decision making.
These findings aren’t surprising, but they should be a wake-up call to every agency cybersecurity team. Remote employees taking shortcuts like using Dropbox to store work files or using personal devices and email accounts to share them can tangibly increase your organization’s risk.
But if your organization is like many, you don’t have complete visibility into that risk. That’s because many agencies rely on indicators of compromise (IoCs) to identify breaches. IoCs include data points such as unusual network traffic, suspicious URLs and malware signatures. IoCs are a necessary part of data protection. But they often come into play only when an attack is taking place or has already occurred.
Worse, IoCs offer only a limited, channel-specific view into logins, email activity or network traffic. They don’t provide an integrated, global view of your overall risk. And that’s how seemingly small compromises can become network-wide, operations-halting breaches.
Understanding User Behaviors
The solution is to replace IoCs with indicators of behavior (IoBs). IoBs uncover anomalous user activities that indicate potential risk – before a breach takes place.
Whereas IoCs log individual events that a security analyst must piece together with other data to determine what has happened, IoBs capture the entire landscape of events when users interact with applications and data. They then add context from a variety of sources – everything from a screen capture of a sensitive file to the keywords of a web search or the content of a chat session.
In this way, IoBs enable you to create a baseline for how each employee or contractor usually behaves. Someone on your IT team, for example, might typically install new software and provide users with privileged access. Someone in your HR department, on the other hand, might access sensitive employee files and send organization-wide emails. If the IT staffer opens an employee file, or the HR pro installs new software, that’s anomalous – and potentially high-risk – behavior.
IoBs also combine behavioral analytics with data from the edge. If a user lives in Washington, D.C., and she simultaneously logs in to accounts at 9 a.m. local time in Moscow and 2 p.m. local time in Beijing, then it’s likely a compromised account. Firewall rules alone would say that because the access was authorized, the activity is valid. IoB analytics would recognize the larger context and expose the compromise.
IoBs can also reveal more subtle behaviors, such as a disgruntled engineer suddenly placing project files on a thumb drive and emailing co-workers outside his peer group. Is the employee planning to leave the organization and take intellectual property along with him? IoBs can raise a red flag before a breach occurs.
Staying on Track with Risk Scores
With the right solution for user behavior monitoring, you can create a risk score for each individual in your organization. Compromised accounts often access systems in anomalous ways. So if a user’s risk score is 40 and then shoots up to 55, there might be a problem. On the other hand, malicious users often try to avoid detection by acting more cautiously. So if the same user’s risk score suddenly drops to 25, it’s also cause for potential concern.
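The three checks described in this section and the two before it (role baselines for the IT and HR examples, the Washington/Moscow/Beijing impossible-travel case, and risk scores that jump up or fall off) can be expressed as simple detection logic. The following is an added illustration, not Forcepoint’s product code or any published algorithm; the role baselines, audit events, login coordinates, score series, the 1,000 km/h travel ceiling and the risk-score threshold of 10 are all constructed assumptions for the demonstration.

```python
"""Added illustration of indicator-of-behavior checks (not Forcepoint code).

Three detectors run over constructed sample data:
  1. actions outside a user's role baseline,
  2. impossible travel between consecutive logins,
  3. sudden rises or drops in a per-user risk score.
"""
import math
from collections import defaultdict
from datetime import datetime, timezone

# --- 1. Role baselines: what each role normally does (constructed, hypothetical) ---
ROLE_BASELINE = {
    "it": {"install_software", "grant_privileged_access"},
    "hr": {"open_employee_file", "send_org_wide_email"},
}

SAMPLE_ACTIONS = [  # constructed audit events
    {"user": "alice", "role": "it", "action": "install_software"},
    {"user": "alice", "role": "it", "action": "open_employee_file"},  # IT staffer reading HR data
    {"user": "bob", "role": "hr", "action": "send_org_wide_email"},
    {"user": "bob", "role": "hr", "action": "install_software"},      # HR pro installing software
]


def anomalous_actions(events, baseline=ROLE_BASELINE):
    """Return (user, action) pairs that fall outside the user's role baseline."""
    return [(e["user"], e["action"]) for e in events
            if e["action"] not in baseline.get(e["role"], set())]


# --- 2. Impossible travel: login geography versus elapsed time ---
EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 1000.0  # assumed ceiling, above airliner cruise speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def is_impossible_travel(prev, cur):
    """prev/cur are (timestamp, lat, lon). Simultaneous logins from different cities count too."""
    dist = haversine_km(prev[1], prev[2], cur[1], cur[2])
    hours = (cur[0] - prev[0]).total_seconds() / 3600.0
    if hours <= 0:
        return dist > 50.0  # same instant, clearly different places
    return dist / hours > MAX_PLAUSIBLE_SPEED_KMH


def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)


SAMPLE_LOGINS = [  # constructed: (user, UTC time, lat, lon)
    ("carol", utc(2021, 2, 28, 14, 0), 38.9072, -77.0369),  # Washington, D.C., two days earlier
    ("carol", utc(2021, 3, 2, 6, 0), 55.7558, 37.6173),     # Moscow, 9 a.m. local
    ("carol", utc(2021, 3, 2, 6, 0), 39.9042, 116.4074),    # Beijing, 2 p.m. local (same instant)
]


def detect_impossible_travel(logins):
    """Return (user, earlier_time, later_time) for each consecutive login pair that is impossible."""
    by_user = defaultdict(list)
    for user, ts, lat, lon in logins:
        by_user[user].append((ts, lat, lon))
    flags = []
    for user, seq in by_user.items():
        seq.sort(key=lambda rec: rec[0])  # stable: simultaneous logins keep input order
        for prev, cur in zip(seq, seq[1:]):
            if is_impossible_travel(prev, cur):
                flags.append((user, prev[0], cur[0]))
    return flags


# --- 3. Risk-score swings: a jump suggests compromise, a sudden drop suggests evasion ---
SAMPLE_SCORES = [40, 42, 55, 53, 25]  # constructed series for one user


def risk_score_alerts(scores, threshold=10):
    """Return (index, previous, current, 'rise'|'drop') for every swing of at least `threshold`."""
    alerts = []
    for i in range(1, len(scores)):
        delta = scores[i] - scores[i - 1]
        if delta >= threshold:
            alerts.append((i, scores[i - 1], scores[i], "rise"))
        elif delta <= -threshold:
            alerts.append((i, scores[i - 1], scores[i], "drop"))
    return alerts


if __name__ == "__main__":
    print("out-of-role actions:", anomalous_actions(SAMPLE_ACTIONS))
    print("impossible travel:", detect_impossible_travel(SAMPLE_LOGINS))
    print("risk-score swings:", risk_score_alerts(SAMPLE_SCORES))
```

Each detector is deliberately independent so that its output can feed a combined per-user view: the out-of-role action and the impossible-travel hit are the kind of context a single firewall or login log would not connect, and the score-swing check flags the drop as well as the rise, which is the point the section makes about cautious malicious users.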
One benefit of risk scores is that they equip your cybersecurity analysts to focus on behavior that actually represents risk. Another is that you can leverage them across access-control systems in your organization. For example, you can integrate risk scores with identity, credential and access management (ICAM) technology for real-time risk mitigation at control points.
As your employees continue to work remotely, you’re operating in a perimeter-less environment with more potential access points than you’ve ever had to manage before. User behavior monitoring, enabled by IoBs, can give your organization the end-to-end visibility you need to understand employee behaviors and home in on risk. More important, it can empower you to move left of breach – and stop cybersecurity attacks before they occur.