How user-behavior monitoring helps reduce risk

Dominic Vogel asks a researcher and a vendor to explain what behavioral monitoring adds to an organization's security strategy.

My previous blog article, "Putting Passwords out to Pasture: Identity behaviour vs. Identity authentication," I made the argument that corporate security teams needed to put more focus on behavioral monitoring at the user level (in addition to the network, system, and application layers). More and more security practitioners are realizing that 100% prevention is simply no longer achievable. There needs to be equal (if not more) focus on early detection, and rapid response to abnormal behaviour.

What does it mean to monitor user activity? According to Adrian Lane, Analyst & CTO at Securosis (a renowned information security research and advisory firm), it means "capturing the actions of a user -- including the use of applications, services, networks, and data in your IT environment." Effective security programs must quickly identify any system misuse, provide sufficient information to stop an attack, and clean up any fallout. Effective user monitoring would lessen the risk of over-reliance on passwords.

Lane, in a recent whitepaper, "Monitoring and Understanding User Activity," (I highly recommend reading it) outlines two of the more common methods for user monitoring. One method is to examine specific actions of users as they leverage IT resources. The other is comparing user behavior against historic usage patterns.

How should one go about implementing a comprehensive monitoring program? What technologies could be leveraged? What policies would need to be developed? Lacking sufficient expertise in this area, I decided to enlist the help of the aforementioned Adrian Lane, to answer some of the more burning questions I had regarding monitoring and user activity.

Questions for security researcher Adrian Lane

Vogel: Are corporate security teams realizing the importance of monitoring and understanding user activity? Often the "overworked and understaffed" excuse comes up for not having active monitoring. How to change this mindset?

Lane: Yes - awareness and use of monitoring is growing and it's critical to a successful security program as we know we can't block everything. The issue you refer to is/was due to monitoring products that assumed full time management and users want 'set & forget', but they are both wrong; the answer lies somewhere in the middle.

Vogel: What are the common pitfalls or shortcomings that security teams need to be aware of when implementing user monitoring?

Lane: Not monitoring enough of the total set of activity, focusing on the network solely, getting usable data as opposed to 'easily available' data, policy development, and management.

Vogel: What sort of existing technologies/products are there in terms of enterprise offerings? Are there any mature product offerings?

Lane: SIEM, DLP, DAM/DSP, Web Gateway/UTM products, WAF, and to a lesser extent IDS.

Vogel: How does user monitoring fit within other monitoring forms (network, system, application)? How important is the need for a holistic monitoring framework?

Lane: It fits into all three, and each is different. The further up the stack you go the more info, but harder to do. I just wrote a paper on this subject. Similarly Mike Rothman and I wrote a paper called "Monitoring Up the Stack" which talks a lot about monitoring at the system and application layers and adding that data to the (traditionally network focused) SIEM tools.

Wishing to get a vendor's viewpoint on monitoring and user activity (please, no booing), I decided to reach out to Nick Edwards, VP of Marketing, for Silver Tail Systems. The mission of this innovative company that specializes in next-generation user behavioural monitoring is to "revolutionize cyber security through web session intelligence".

Questions for a vendor: Nick Edwards of Silver Tail Systems

Vogel: At a high level, how do Silver Tail solutions (such as Profile Analyzer) work?

Edwards: Silver Tail Systems technology analyzes user behavior on a website - not only across a website's total population, but on an individual user basis. Patterns of normalcy are developed for each user during their web session through individual click monitoring, enabling Silver Tail Systems to identify and stop suspicious activity as it occurs. Our latest release, Profile Analyzer, builds upon Silver Tail Systems' ability to identify anomalous web session behavior by enabling individual user behaviors to be modeled against their own past usage history on the website to determine if their activity is legitimate or suspicious. This approach combines the baseline established by the entire crowd's website history with the context of specific users, increasing accuracy and response times to online threats.

Vogel: What protections are addressed (malicious insiders, nefarious external actors, mistakes)? What sort of companies would benefit from purchasing Silver Tail solutions?

Edwards: Our products sit in front of any website, whether it is an internet facing website or an intranet facing website (internal to an organization). This provides protection against a wide range of web-based threats. The types of attacks we most commonly detect include but are not limited to: account security/takeover attempts, fraud, certain DDOS attacks, password guessing, site-scraping, data exfiltration, man in the browser, man in the middle, HTMLParameter Injection, money laundering, stolen accounts used to purchase goods.

The types of attacks that Silver Tail Systems can prevent make our technology critical for financial institutions, ecommerce companies, government organizations, worldwide gaming operators, and more.

Vogel: For what is Silver Tail solutions not designed?

Edwards: We do not provide endpoint security and are not meant to take the place of those security measures. Companies should absolutely take a layered approach to their security strategy, and end point security is the start of that, and the monitoring and analysis of user behavior is designed specifically to secure the navigation layer of the web.

Vogel: How would a company go about implementing Silver Tail systems? What sort of planning/architecture changes need to carried out?

Edwards: Silver Tail Systems technology is available via SaaS or on-premise software, making it flexible for organizations with various requirements. No development work is needed, nor changes to HTML code or applications with the existing architecture. We simply plug into the SPAN port and can then get a feed of all clicks that occur on a website. The installation typically takes four hours to set up, and then depending upon the complexity of the environment time to value can take a few hours depending on the customer.

Vogel: What differentiates Silver Tail Systems from other user behavioral systems?

Edwards: Unlike other fraud prevention and security technologies, Silver Tail Systems monitors the entire http-based clickstream of a website in real-time and analyzes user behavior across full web sessions. We automatically create models of what is normal for the website's population and for individual users and can notify security teams when there is a web session that is statistically different from "normal" (web session is defined as the time a user spends interacting with a website). Because so much data and functionality is available via web applications, we fill the void where Data Loss Prevention, Intrusion Prevention, Web Application Security, and transactional fraud detection leave off.

With Silver Tail Systems, fraud and security teams can identify emerging threats within hours of initiation: a significant reduction of the average of days or weeks it historically takes to identify and address new threats. No other company takes this same approach. Other security systems are transactional. They look at an individual transaction - usually the transfer of money or the purchase of an e-commerce good - and use the parameters associated with that transaction to determine whether or not the transaction is fraudulent. For example, they will look at the geo-location of the IP address of the transaction and see if that is similar to the geo-location of the address on the account. Or they will look at the shipping address for a purchase to determine if that address is suspicious compared to previous shipping addresses. These transactional detection techniques have been in use for years and criminals know that these parameters are used for fraud detection. Because of this, criminals have found ways around them and looking at the behavior of the web session can identify the criminal when looking at transactional parameters is not sufficient.

Vogel: Should enterprise security teams be focusing more on effective user monitoring rather than preventative techniques?

Edwards: Preventative techniques are just as important as real-time behavioral monitoring. Organizations should have multiple layers of defense, and we often see detection and prevention segmented. Fraud prevention and information security teams need to design a framework for their programs so that they are not solely focused on fighting fires. Given the recent trends associated with attacks, breaches, fraud, and hacks, preventative techniques aren't enough. Technologies like behavioral monitoring are low hanging fruit that aren't being used by most companies. Its simplicity of deployment, accuracy and visibility are simply too valuable to not be considered for any online security project.

Me: How mature a field is behavior monitoring? Will this be a field that enterprise security teams need to put more focus on in the coming years?

Edwards: It is still early days; the industry is just starting to scratch the surface for what behavioral monitoring can deliver to security. Our technology evolved from co-founders who were trying to address these problems first hand at eBay and PayPal where they were the most targeted website on the Internet; in many cases, we are inventing the science as we go. It is an exciting time for us; the more technologies like ours get deployed, the harder it will be for the bad guys to get away with crime, and the sooner we'll be to restoring integrity to the Internet.

I would like to extend my heartfelt gratitude to both Adrian Lane and Nick Edwards for providing such pertinent and in-depth answers to my meager questions. It should be apparent that comprehensive monitoring framework, should be one of the foundational blocks for any security program.

What other enterprise offerings (besides Silver Tail Systems) in the area of monitoring and user activity would you recommend?