Chapter 6. AI and ML on the Security Front: Beyond Bots

AI and ML aren’t just useful for bot detection and remediation; they are also used to improve a wide variety of security challenges. This chapter discusses some of the areas where AI and ML are making a big impact in security.

Identifying the Insider Threat

Users have established patterns of behavior within a network. They log in at a certain time, log out at a certain time, visit the same systems within the network, and generally communicate to the same places. But sometimes those patterns change. The pattern might be a one-time thing, such as someone who jumps in to help accounting toward the end of the quarter, or it might be a permanent change because of new job responsibilities. Of course, sometimes that change in behavior is because the user is accessing systems they shouldn’t for malicious purposes. This is what is known as an insider threat, and it is a real challenge for security teams to deal with.

How can your security team examine millions of lines of logs and network traffic flow data to look for patterns that indicate whether a change in behavior is malicious or part of the regular workflow? There is a framework created around this type of analysis called user and entity behavior analytics (UEBA) that tracks the behavior of users and systems within an organization. UEBA looks at traffic flows, as well as roles and responsibilities, and alerts on any behavior outside the norm.

For example, a human resources professional should never have a reason to log in as an administrator to a mail server. When UEBA tools detect that type of access, an alert is sent. Similarly, a server that is designated as an internal monitoring server should not be sending thousands of emails to external addresses. When that behavior is detected, an alert is sent.

UEBA tools rely heavily on AI and ML—along with constant feedback and updates from the team that maintains the UEBA system—to comb through millions of events to find anomalous activity that could indicate an insider threat or an attacker impersonating an internal user.
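
The two scenarios above (an HR user logging in as a mail-server administrator, and a monitoring server suddenly sending thousands of external emails) can be reduced to a per-user baseline plus a role policy on the "user" side and a volume baseline on the "entity" side. The following is an added illustration, not code from the book or from any UEBA product; every log line, user, role and host name in it is constructed, and the baseline and threshold rules are deliberately simple stand-ins for what a real UEBA engine would learn with ML.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed training window: (timestamp, user, host, action)
BASELINE_EVENTS = [
    ("2024-03-04T09:02:00", "alice", "hr-portal", "login"),
    ("2024-03-04T13:10:00", "alice", "payroll", "login"),
    ("2024-03-05T17:45:00", "alice", "hr-portal", "login"),
    ("2024-03-04T08:30:00", "bob", "mail-01", "admin_login"),
    ("2024-03-05T10:05:00", "bob", "mail-02", "admin_login"),
]

# Constructed window to be scored against that baseline
NEW_EVENTS = [
    ("2024-03-11T09:15:00", "alice", "hr-portal", "login"),      # routine
    ("2024-03-11T02:40:00", "alice", "mail-01", "admin_login"),  # HR user as mail admin at 02:40
    ("2024-03-11T09:30:00", "bob", "mail-01", "admin_login"),    # routine for a mail admin
    ("2024-03-11T10:00:00", "carol", "payroll", "login"),        # user with no history
]

# Constructed role policy: hosts each role is allowed to administer
USER_ROLES = {"alice": "hr", "bob": "mailadmin"}
ROLE_ADMIN_HOSTS = {"hr": set(), "mailadmin": {"mail-01", "mail-02"}}


def build_baseline(events):
    """Per-user set of hosts touched and hours of day seen in the training window."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for ts, user, host, _action in events:
        baseline[user]["hosts"].add(host)
        baseline[user]["hours"].add(datetime.fromisoformat(ts).hour)
    return baseline


def score_event(event, baseline):
    """Return the list of reasons an event deviates from baseline or policy (empty = normal)."""
    ts, user, host, action = event
    hour = datetime.fromisoformat(ts).hour
    reasons = []
    profile = baseline.get(user)
    if profile is None:
        reasons.append(f"no baseline for user {user}")
    else:
        if host not in profile["hosts"]:
            reasons.append(f"new host {host}")
        # allow one hour of slack either side of the hours seen in training
        if not any(abs(hour - h) <= 1 for h in profile["hours"]):
            reasons.append(f"unusual hour {hour:02d}")
    role = USER_ROLES.get(user)
    if action == "admin_login" and host not in ROLE_ADMIN_HOSTS.get(role, set()):
        reasons.append(f"role {role} may not admin_login to {host}")
    return reasons


def detect_user_anomalies(events, baseline):
    """Events with at least one reason, paired with their reasons."""
    flagged = []
    for event in events:
        reasons = score_event(event, baseline)
        if reasons:
            flagged.append((event, reasons))
    return flagged


# Entity side: outbound SMTP connections per host in the previous window (constructed)
BASELINE_SMTP = {"monitor-01": 3, "mail-01": 5000}

# Constructed flow records for the new window: (src_host, dst_ip, dst_port)
NEW_FLOWS = ([("monitor-01", "198.51.100.9", 25)] * 2400
             + [("mail-01", "198.51.100.9", 25)] * 5200
             + [("monitor-01", "10.0.0.5", 25)] * 40)   # internal relay, not counted


def count_outbound_smtp(flows, internal_prefix="10."):
    """Count SMTP connections per source host to non-internal destinations."""
    counts = Counter()
    for src, dst, port in flows:
        if port == 25 and not dst.startswith(internal_prefix):
            counts[src] += 1
    return counts


def volume_anomalies(flows, baseline_counts, factor=10, floor=100):
    """Hosts whose external SMTP volume is both large and far above their own baseline."""
    flagged = {}
    for host, n in count_outbound_smtp(flows).items():
        base = baseline_counts.get(host, 0)
        if n >= floor and n > factor * max(base, 1):
            flagged[host] = (base, n)
    return flagged


if __name__ == "__main__":
    for event, reasons in detect_user_anomalies(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(event[1], event[2], "->", "; ".join(reasons))
    print(volume_anomalies(NEW_FLOWS, BASELINE_SMTP))
```

The `floor` parameter matters in practice: a host whose baseline is near zero would otherwise be flagged by a handful of legitimate messages, which is exactly the kind of noise that makes analysts ignore a UEBA feed. The feedback loop the chapter mentions is where those thresholds and role policies get tuned over time.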

Tracking Attacker Dwell Time

Another significant problem to examine is attacker dwell time, which is how long an attacker has remained resident in a network without being detected. Attacker dwell time is most often associated with advanced persistent threat (APT) actors. APTs are attackers, often but not always nation-state actors, that use advanced tactics and techniques to avoid detection while inside a target network. Rather than a typical “smash and grab” operation, APTs will spend months or years within a target organization until they get the specific information they want.

APTs take their time going from internal system to internal system in order to steal data, commit fraud, and cause disruptions. After an attacker has gained access, it is very difficult to detect their activity. Their back-door traffic often looks like every other piece of traffic from an internal perspective. This is because the attack has already happened: the back door has been opened, it has remained open, and no one has detected it yet.

Most attacker-related data breaches today come in two forms. The attacker either comes in the front door and attacks the applications that are exposed to the internet, or the attacker compromises and takes over an internal computer through a phishing attack. In the latter case, the attacker has complete control over an internal system and can remain in constant communication with that system from anywhere in the world, with their communications to that system passing straight through whatever edge defenses are in place.

Detecting APTs and their back-door communications is also a perfect task for AI- and ML-enabled traffic monitoring tools. For a human analyst who looks at traffic statistics all day, finding the one system that is being controlled remotely by an attacker is nearly impossible using the simplistic traffic monitoring tools on the market today. However, AI and ML can enable monitoring tools that could potentially detect an APT within minutes rather than months.
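
One property that separates back-door traffic from the traffic it hides among is timing: an implant that checks in with its controller tends to do so on a fixed schedule, while a user's browsing does not. The following is an added illustration, not code from the book, of the simplest statistical baseline an ML-driven monitor would build on: group flows by source/destination pair, measure the regularity of the gaps between connections, and flag pairs whose gaps are nearly constant. The flow log, IP addresses and thresholds are all constructed; the allowlist of known periodic services is the caveat that keeps legitimate schedulers (NTP, patch checks, monitoring polls) from drowning the result.

```python
import random
import statistics
from collections import defaultdict


def build_flows(seed=1):
    """Constructed flow log of (epoch_seconds, src_ip, dst_ip), seeded for reproducibility."""
    rng = random.Random(seed)
    flows = []
    t = 0.0
    for _ in range(120):                      # implant: ~60 s check-in with small jitter
        t += 60 + rng.uniform(-3, 3)
        flows.append((t, "10.0.0.7", "198.51.100.23"))
    t = 0.0
    for _ in range(60):                       # user browsing: irregular gaps
        t += rng.uniform(5, 900)
        flows.append((t, "10.0.0.12", "203.0.113.80"))
    t = 0.0
    for _ in range(120):                      # internal NTP: exactly periodic, benign
        t += 64
        flows.append((t, "10.0.0.7", "10.0.0.1"))
    rng.shuffle(flows)                        # collector order is not time order
    return flows


def pair_intervals(flows):
    """Sorted inter-connection gaps for every (src, dst) pair."""
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)
    intervals = {}
    for pair, times in by_pair.items():
        times.sort()
        intervals[pair] = [b - a for a, b in zip(times, times[1:])]
    return intervals


def jitter(intervals):
    """Coefficient of variation of the gaps: 0 means perfectly periodic, None if undefined."""
    if len(intervals) < 2:
        return None
    mean = statistics.mean(intervals)
    if mean == 0:
        return None
    return statistics.pstdev(intervals) / mean


def find_beacons(flows, min_connections=20, max_jitter=0.1, known_periodic=()):
    """Pairs with enough connections and near-constant gaps, excluding allowlisted destinations.

    Returns (pair, mean_gap_seconds, jitter) tuples, most regular first."""
    hits = []
    for pair, iv in pair_intervals(flows).items():
        if pair[1] in known_periodic or len(iv) + 1 < min_connections:
            continue
        cv = jitter(iv)
        if cv is not None and cv <= max_jitter:
            hits.append((pair, round(statistics.mean(iv), 1), round(cv, 3)))
    hits.sort(key=lambda h: h[2])
    return hits


if __name__ == "__main__":
    flows = build_flows()
    print("with NTP allowlisted:", find_beacons(flows, known_periodic={"10.0.0.1"}))
    print("without allowlist:  ", find_beacons(flows))
```

Run both ways, the second call shows why an analyst needs the allowlist and why dwell time is so long in practice: the exactly periodic internal NTP traffic scores as a stronger "beacon" than the implant, and a monitor without context about which periodic traffic is expected buries the real finding. Real implants also randomize their check-in interval, which is why production detectors combine timing with destination reputation, payload sizes and per-host baselines rather than relying on jitter alone.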

Orchestrating Protection

Another area that has been greatly aided by the addition of AI and ML is the security orchestration, automation, and response (SOAR) market. The SOAR market, which includes vendors such as Phantom (now part of Splunk), Swimlane, and Komand (now part of Rapid7) could not exist without ML capabilities. SOAR technologies use ML to automate the security response to common incidents.

For example, well-known commodity Trojans are often more of a nuisance than a real threat to an organization, but they must be dealt with when one manages to elude the security protections in place. Rather than waste the time of a security operations center (SOC) analyst removing the Trojan, the SOAR tools can automatically block the Trojan and then initiate whatever cleanup steps need to be taken (wipe and restore the infected machine, disconnect it from the network for further analysis, etc.). SOAR tools work in conjunction with the security, IT, and helpdesk teams to learn the processes and procedures in place to deal with different types of security incidents and then take over those responses that can be automated.

As procedures are put in place to deal with new threats, the SOAR tools ingest that information and adapt to the new procedures and act accordingly. The most effective orchestration tools are those that are able to connect with all security and networking systems within an organization. This allows the SOAR platform to have the maximum visibility of the organization and allows it to automate as many low-level security tasks as possible.
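
The core of a SOAR playbook is less the individual actions than the gate that decides which alerts may be handled without a human: the commodity-Trojan case above is only safe to automate when the detection is confident and the affected machine is not one whose isolation would cause an outage. The following is an added illustration, not code from the book or from any SOAR vendor named in it. The alerts, asset inventory and playbook are constructed, and the three connector functions are stand-ins for the EDR, network-access and ticketing integrations a real platform would call.

```python
from dataclasses import dataclass


@dataclass
class Alert:
    alert_id: str
    kind: str
    host: str
    confidence: float      # detector's confidence in the classification, 0..1
    sha256: str = ""       # hash of the offending file, if any


# Constructed asset inventory: criticality decides whether automation is allowed
INVENTORY = {"ws-014": "workstation", "ws-022": "workstation", "db-01": "tier0"}

# Constructed playbook: ordered actions that fully handle each alert kind
PLAYBOOKS = {"commodity_trojan": ["block_hash", "isolate_host", "open_reimage_ticket"]}


# Stand-in connectors; a real SOAR platform would call vendor APIs here
def block_hash(alert):
    return f"edr: blocked hash {alert.sha256[:12]}"


def isolate_host(alert):
    return f"nac: isolated {alert.host}"


def open_reimage_ticket(alert):
    return f"helpdesk: reimage ticket opened for {alert.host}"


CONNECTORS = {f.__name__: f for f in (block_hash, isolate_host, open_reimage_ticket)}


def decide(alert, inventory, min_confidence=0.9):
    """Return ("auto", actions) when the playbook may run unattended, else ("escalate", reason)."""
    if alert.kind not in PLAYBOOKS:
        return "escalate", f"no playbook for {alert.kind}"
    if inventory.get(alert.host) == "tier0":
        return "escalate", "critical asset"
    if alert.confidence < min_confidence:
        return "escalate", f"confidence {alert.confidence:.2f} below threshold"
    return "auto", PLAYBOOKS[alert.kind]


def run_playbooks(alerts, inventory, connectors=CONNECTORS):
    """Execute or escalate each alert; returns an audit log of (alert_id, action, result)."""
    log = []
    for alert in alerts:
        decision, detail = decide(alert, inventory)
        if decision == "auto":
            for action in detail:
                log.append((alert.alert_id, action, connectors[action](alert)))
        else:
            log.append((alert.alert_id, "escalate", detail))
    return log


# Constructed alerts; the hash is a placeholder, not a real sample
PLACEHOLDER_SHA256 = "deadbeef" * 8
ALERTS = [
    Alert("A1", "commodity_trojan", "ws-014", 0.97, PLACEHOLDER_SHA256),   # clean automation case
    Alert("A2", "commodity_trojan", "db-01", 0.99, PLACEHOLDER_SHA256),    # critical server
    Alert("A3", "suspicious_powershell", "ws-022", 0.80),                  # no playbook yet
    Alert("A4", "commodity_trojan", "ws-022", 0.55, PLACEHOLDER_SHA256),   # weak detection
]

if __name__ == "__main__":
    for entry in run_playbooks(ALERTS, INVENTORY):
        print(entry)
```

Adding a procedure for a new threat, in this model, is adding an entry to `PLAYBOOKS`; the `decide` gate is unchanged, which is what keeps the blast radius of automation bounded as the set of automated responses grows.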

ML and AI in Security Solutions Today

Many of the security products in your organization today, including security information and event managers (SIEMs) such as Splunk, ArcSight, and AlienVault; managed security service providers (MSSPs); and advanced next-generation antivirus solutions from providers such as Carbon Black and Cylance offer some sort of AI and ML capabilities. You might not even know that they are using AI and ML because these abilities are hidden below the surface, operating in the background to continuously improve the performance of these products, based on feedback from your team.

Many providers will tout that their products and solutions are “intelligent” and include ML and AI components. Not all of these products allow security teams to directly interact with the ML and AI capabilities. The AI and ML can be fed into the system by the security company’s own analysts, thus presenting the equivalent of an AI and ML black box to their customers. This is not necessarily a bad thing, given that many security teams are not ready for a full AI and ML integration, but it is a good conversation to have with all your vendors, whether they are new vendors or existing vendors coming up for renewal. The goal is for your organization to have vendors that can grow with your team as you move to incorporate more AI and ML into your daily workflow.
