Can’t defend what you can’t see

An opinion piece from Exabeam


You can’t protect against cyber threats you can’t see


Modern cybercrime is a lucrative business. Gone are the days when cyber attackers were simply looking to disrupt a victim’s operations for the sake of it. Now, ransomware attacks comprise 81% of financially motivated cyberattacks, and with the average cost of a ransomware attack doubling in 2021 to almost $2 million, organisations simply cannot afford to remain unprotected.


Two of the foundations of effective organisational security posture are visibility and threat intelligence. Security teams need to be armed with the right tools to uncover their blind spots and choose proactive security. Many organisations know this, yet can still fail to adequately protect their systems, putting the business at severe risk of disruption – or worse.


In the same way that cars have dangerous blind spots, so too do cybersecurity solutions. Most security-conscious businesses have a wide range of controls in place to protect their environment, ranging from data loss prevention to identity access management and next-generation firewalls. These controls are great for their specific purpose, but when they are all consolidated into a single SIEM (or XDR), they can leave users with a false sense of… ahem… security. That’s because they may indicate everything is fine, whereas in fact, it’s not. An attack could be occurring in a blind spot, away from the gaze of all the controls in place.


One common such blind spot is the monitoring of legitimate user and asset behaviour occurring within an organisation. Cyber attackers know that if they can gain legitimate access to an environment (either through acquiring compromised credentials or via a rogue insider) they can carry out an attack undetected, for days, months, or even years. Unfortunately, once the SOC team realises an attack has occurred, massive amounts of data may have already left the company.


Trying to protect against such attacks can often feel overwhelming for security teams. With employees and trusted third parties often accessing network assets worldwide, how can they possibly be expected to detect a single user who is really an attacker or the trusted insider that decides to go rogue? The short answer is, they can’t. Instead, they need to augment their capabilities with technology, enabling them to identify these threats and mitigate them as quickly as possible.


Achieving this starts with understanding what ‘normal’ behaviour looks like for every employee and device. For instance, what time do they typically log in and out, on what device(s) and from where? What applications do they use regularly? How do they use them, and what do their peers’ activities look like?


Once these questions (and many others) have been answered, a baseline of normal behaviour can be established. Doing so makes it much easier to detect when a user or device deviates from its baseline, indicating a breach may have occurred. Of course, creating such baselines can’t be done manually; it requires technology specifically designed to model users and assets and ‘learn’ what normal looks like on an ongoing basis.


User and Entity Behaviour Analytics (UEBA) is one such technology that can complete this task with access to the required data (i.e., logs). Generally speaking, UEBA/behavioural analytics takes a few weeks to calculate baselines. Then going forward, as new behaviours are logged, any deviations can be quickly spotted.


More advanced solutions can also calculate risk scores, highlighting users and assets that have drifted furthest away from their baseline. In some cases, behavioural analytics is delivered as a component of a ‘next-gen SIEM’ solution and integrated so that security analysts have direct access to the raw data that influences the risk score.
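As an added illustration of the baseline-then-deviation idea described above (example code written for this page, not Exabeam's product logic), the following Python learns per-user logon baselines from constructed sample events, scores new events by how far they drift from that baseline, and ranks users so an analyst sees the largest drift first. The point weights, the two-standard-deviation hour threshold and the score for a user with no baseline are arbitrary assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample logon events (user, timestamp, host, country); not real logs.
LEARNING_EVENTS = [
    ("alice", "2024-03-04T08:52:00", "lt-alice", "GB"),
    ("alice", "2024-03-05T09:03:00", "lt-alice", "GB"),
    ("alice", "2024-03-06T09:10:00", "vpn-gw1", "GB"),
    ("alice", "2024-03-07T10:01:00", "lt-alice", "GB"),
    ("bob", "2024-03-04T22:10:00", "srv-build", "US"),  # a single event: no spread yet
]

def build_baselines(events):
    """Learn each user's baseline: typical logon hour, known hosts and countries."""
    seen = defaultdict(lambda: {"hours": [], "hosts": set(), "countries": set()})
    for user, ts, host, country in events:
        s = seen[user]
        s["hours"].append(datetime.fromisoformat(ts).hour)
        s["hosts"].add(host)
        s["countries"].add(country)
    baselines = {}
    for user, s in seen.items():
        hours = s["hours"]
        baselines[user] = {"hour_mean": mean(hours), "hour_sd": pstdev(hours) or 1.0,
                           "hosts": s["hosts"], "countries": s["countries"]}
    return baselines

def score_event(baselines, user, ts, host, country):
    """Additive risk score (assumed weights): each deviation from the baseline adds points."""
    b = baselines.get(user)
    if b is None:  # no learning-period data, so there is nothing to compare against
        return 50, ["no baseline for user"]
    hour = datetime.fromisoformat(ts).hour
    z = abs(hour - b["hour_mean"]) / b["hour_sd"]  # hour deviation in standard deviations
    checks = [
        (z > 2, 20, f"logon at {hour:02d}:00 is {z:.1f} sd from the usual hour"),
        (host not in b["hosts"], 30, f"first logon to host {host}"),
        (country not in b["countries"], 40, f"first logon from {country}"),
    ]
    hits = [(pts, why) for flagged, pts, why in checks if flagged]
    return sum(pts for pts, _ in hits), [why for _, why in hits]

def rank_users(baselines, events):
    """Total score per user over new events, highest drift first, for analyst triage."""
    totals = defaultdict(int)
    for user, ts, host, country in events:
        totals[user] += score_event(baselines, user, ts, host, country)[0]
    return sorted(totals.items(), key=lambda kv: -kv[1])
```

The reasons list returned alongside each score is what gives an analyst the raw evidence behind the number, rather than a bare risk figure.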


Additionally, a next-gen solution should deliver more contextual information about the user or asset (e.g., role, department, locations, peer group, asset class) to fully understand the risk.


With the right technology in place, businesses can gain entirely new levels of visibility across their environment, helping to level the playing field against increasingly motivated and dangerous cyber attackers. While we would all like to believe that breaches can be eliminated, the unfortunate reality is that nearly every business will experience some form of intrusion or breach at some point. What is not inevitable, though, is the pain and the lasting consequences. By incorporating the ability to determine ‘normal’ behaviour for users and entities in your environment, you stand a good chance of uncovering insider threats, whether malicious or accidental, and turning the tables on the attackers before any damage is done.