In the dynamic world of cybersecurity, ‘authentication and authorization’ are not just buzzwords; they are essential pillars. These processes should be multifaceted, moving beyond basic username or group-based methods. This is where the integration of User and Entity Behavior Analytics (UEBA) becomes crucial, offering a more nuanced look at not just user actions but also device behaviors.
What are the additional factors to consider in this context?
Let’s start with the evolution of CAPTCHA, a familiar challenge-response test. CAPTCHA has evolved from simple image recognition to analyzing user interaction patterns, such as the time taken to respond, scrolling behavior, and the methods used to select images. These enhancements are crucial in distinguishing between human and automated bot interactions, fortifying the first line of defense in ‘network security’.
Beyond CAPTCHA, numerous behavioral factors play a significant role:
- Time of day: there are business hours, but these business hours may not be the same for sales or engineering for example. Folks in DevOps may be logged in at 2 a.m. Sunday morning to push out a maintenance release.
- Day of week: similar to time of day, there may be typical business days of work, but these may not be the same for all employees.
- Location: where is the remote user logging in from? With integrations into HR systems, checks can also be done to see if the location matches with the city, state, and/or country that the user has given. There are also known “bad actors” which direct traffic from certain locations and those may raise red flags quickly. This factor should also include adjusting time of day/day of week if the end user has permanently moved or is traveling.
- Applications access: which applications does this group or type of user typically use?
- Direction of traffic: is the end user mostly consuming an internal website? Do they typically just upload or edit a document? Are they now downloading documents a few days before their last day of employment? Again, an integration with the HR system may help catch some of these anomalies.
- Volume of traffic: most job functions have a “standard” range of traffic volume. If you’re doing video editing, you’ll mostly like have more traffic than the person working on an Excel spreadsheet. Baselining the volume traffic and then tracking and looking for anomalies will help detect employees trying to take intellectual property before they leave or even worse, hackers that have gained access to systems.
Establishing a baseline for these behaviors is imperative. This involves continuous learning about individual user patterns and adapting to changes, such as seasonal variations or shifts in work routines.
So, how is this information utilized?
- Learning versus enforcement modes: during the initial learning time as you baseline behavior, you don’t want to flag everything as an anomaly. However, as an admin setting policies you’ll also want to know what happens once you enable enforcement.
- Logging anomalies: all anomalies should be logged and shown in log files. Logs needs to be captured in UTC and normalized so that they are easier to read across regions. Anomalies should also be adjusted for severity and effect on access.
- Automatically reacting to anomalies: Once an anomaly is detected, the system should automatically react without needing analysis and action from a human. Multi-factor authentication (MFA) and sending out email/SMS challenges may be step one. Stepping down access may also be another form of immediate action. Allowing an admin to “acknowledge” an anomaly later may also be considered so that admins are aware of each anomaly, again, to help adjust policies.
- Advantages of a client to learn “offline” behavior: some systems only capture behavior when you’re connected to it. To get the best overall baseline of user and entity behavior, the system should always be looking at behavior. A client will also be able to detect software like keystroke loggers and other software that may be capturing credentials or trying to intercept system or network calls.
Interested in a deeper dive into how Banyan Security leverages these strategies to enhance ‘cybersecurity’? Schedule a demo and explore the advanced layers of security we provide at Banyan Security Demo Request.”
