User-centric and entity-centric analytics, the perfect combination for IoT security
Cisco and Microsoft have recently invested in the Internet of Things (IoT), indicating not only that IoT has reached massive scale but that tech giants are clearly putting their bets behind it. Why? Because IoT is changing the game. Consider the collapse of the I-35W Mississippi River Bridge in Minnesota, which caused multiple fatalities and hundreds of injuries. When rebuilding the bridge, architects could equip smart cement with sensors to monitor for weaknesses that develop in the infrastructure over time. Those sensors could also communicate the presence of ice to sensors in one's car, alerting drivers when they need to slow down, or, if one were driving a smart car, have the car slow down itself. And that's just a glimpse of what's possible with IoT.
While we consistently discuss the potential of IoT and connected "things," what's often missing from the story is how to develop security practices that evolve alongside them. As the number of "things" continues to grow, so should an enterprise's security program, adapting to the new tactics of cyber criminals and addressing data fatigue. Yet enterprises aren't properly investing in security for their increasingly complex networks filled with more and more mobile devices, or they're applying security after the fact, when it's too late. Cost issues and a confusing, overcrowded market are just two of the reasons organizations are not developing proper security programs, leaving them at a much higher risk of attack.
Perimeter Defenses Lag Behind Modern Day Threats
Historically, organizations have relied on perimeter defenses (the Fort Knox solution) and on monitoring solutions that work when the threats are known. Unfortunately, these tools fall short as attackers become more sophisticated and threats are increasingly unknown. This may seem obvious, but I bring it up because rules and signatures are the foundation on which perimeter defenses and traditional security monitoring solutions have built their success. When threats are unknown, there are no signatures or rules to identify the advanced attacks that attackers regularly deploy. These are slow-and-grow attacks, occurring in multiple phases over long periods of time, that either don't trigger alarms from traditional defenses or, if they do, produce warnings that by themselves appear harmless.
User behavior analytics (UBA) has emerged to help find unknown attacks being carried out in the wild. UBA creates baselines for normal user behavior, connects the dots between separate, seemingly harmless events, and compares the current activity to the normal baseline, thereby revealing an attack. However, as IoT continues to grow and the attack landscape evolves, UBA will fail to keep up with the growing number of IoT devices, primarily because exploits of IoT vulnerabilities are generally not linked to a user but to a "thing." For example, there are many types of network devices (e.g., servers, Dropcams, etc.) within an organization that are not associated with any user. During a multi-stage attack these "headless" devices can become compromised, leaving organizations exposed.
Combining User And Entity Behavior Is The Answer
While profiling user behavior is necessary, it alone is not sufficient to satisfy enterprise security needs. To ensure an organization has the comprehensive visibility needed to combat attacks that will inevitably come from vulnerabilities introduced by IoT devices, it's critical that any behavior analytics solution can establish a baseline not only for users but also for entities (i.e., hosts, IP addresses, applications). Even Gartner's thinking has evolved: the organization went from publishing a Market Guide on User Behavior Analytics in 2014 to publishing a Market Guide on User and Entity Behavior Analytics (UEBA) in 2015. Avivah Litan, who authored the most recent report, outlines the reason for this change:
"The letter 'e' in the term UEBA recognizes the fact that other entities besides users are often profiled in order to more accurately pinpoint threats, in part by correlating the behavior of these other entities with user behavior."
UEBA is at the crossroads of the next wave of security monitoring and attack management. However, the technology to natively handle the "e" part of UEBA cannot be bolted on after the fact. Organizations must employ a security solution that integrates the "e" from the start, because moving from a user-only view of the threat environment to the n-dimensional world of entities requires a fundamental overhaul of everything from data formats and data storage to compute scale and analytics modules. Think of UBA alone as the equivalent of listening to a song with only the bass turned on. You're hearing lots of volume, but it's not until all the other sound components are enabled that the true nature of the piece becomes clear.
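To make the earlier description of UBA concrete (baseline, compare, connect the dots) and the point of this paragraph about entities, here is a small added example. It is not code from the article or from any UEBA product; the event records, the user "alice", the hosts "ws-alice" and "cam-07", the feature names and the MIN_SPREAD floor are all constructed assumptions. It profiles each user and each host separately, scores a day's events against the history with a z-score, and then chains flagged events that share a principal. Run with entity profiling switched off (a user-only view), the compromised headless camera is invisible because no user is attached to its events; with entities profiled, its two weak signals chain into one finding.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Assumption (tuning knob, not from the article): a floor on the standard
# deviation so a perfectly regular history does not divide by zero.
MIN_SPREAD = 1.0


def make_history(days=10):
    """Constructed quiet history. user=None marks a headless device that no
    user ever logs into, so a user-only profile never sees it."""
    hist = []
    for day in range(1, days + 1):
        hist.append(dict(day=day, user="alice", host="ws-alice", feature="logins", value=3))
        hist.append(dict(day=day, user="alice", host="ws-alice", feature="mb_out", value=20 + day % 3))
        hist.append(dict(day=day, user=None, host="cam-07", feature="mb_out", value=5 + day % 2))
        hist.append(dict(day=day, user=None, host="cam-07", feature="dst_hosts", value=1))
    return hist


# Constructed "today": alice behaves as usual, while the camera starts pushing
# far more data to far more destinations than its history shows.
TODAY = [
    dict(day=11, user="alice", host="ws-alice", feature="logins", value=3),
    dict(day=11, user="alice", host="ws-alice", feature="mb_out", value=22),
    dict(day=11, user=None, host="cam-07", feature="mb_out", value=900),
    dict(day=11, user=None, host="cam-07", feature="dst_hosts", value=40),
]


def principals(event, entities=True):
    """Names to profile for one event: the user (if any), plus the host
    when entity profiling is switched on."""
    names = []
    if event["user"]:
        names.append("user:" + event["user"])
    if entities:
        names.append("host:" + event["host"])
    return names


def build_baseline(history, entities=True):
    """Per (principal, feature): mean and spread of the historical values."""
    samples = defaultdict(list)
    for e in history:
        for p in principals(e, entities):
            samples[(p, e["feature"])].append(e["value"])
    return {k: (mean(v), max(pstdev(v), MIN_SPREAD)) for k, v in samples.items()}


def score_event(baseline, event, entities=True):
    """Largest absolute z-score over the event's profiled principals.
    None means nothing in the event has a baseline yet; that needs a
    learning period and must not be read as 'normal'."""
    best = None
    for p in principals(event, entities):
        stats = baseline.get((p, event["feature"]))
        if stats:
            mu, sd = stats
            z = abs(event["value"] - mu) / sd
            best = z if best is None else max(best, z)
    return best


def detect(baseline, events, entities=True, threshold=3.0):
    """Flag single anomalous events, then chain flags that share a principal
    so several weak signals on one host or user surface as one finding."""
    flags = []
    for e in events:
        z = score_event(baseline, e, entities)
        if z is not None and z >= threshold:
            flags.append((e, round(z, 1)))
    chains = defaultdict(list)
    for e, z in flags:
        for p in principals(e, entities):
            chains[p].append((e["feature"], z))
    return {p: f for p, f in chains.items() if len(f) >= 2}


if __name__ == "__main__":
    hist = make_history()
    print("user-only view :", detect(build_baseline(hist, entities=False), TODAY, entities=False))
    print("user+entity    :", detect(build_baseline(hist), TODAY))
```

The user-only run returns an empty result; the user-plus-entity run returns a single finding keyed on host:cam-07 carrying both the outbound-volume and destination-count anomalies. The None return from score_event is deliberate: a principal with no history is unprofiled, not benign, which is the gap the text warns about when entities are added only after the fact.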
As the threat landscape evolves and IoT brings in more and more "things" not covered by traditional monitoring and detection solutions, attackers gain new vehicles for penetrating the network. The pervasiveness of IoT and connected devices means that cybercriminals have an even better chance to gain a foothold within the enterprise, or to find a point of weakness to exploit, as endpoints continue to increase in number and mobility. With UEBA, organizations can protect against external threats that make their way inside the perimeter as well as the insider threats that already exist, essentially protecting data from the inside out. UEBA is designed to find attacks that have eluded real-time defenses. Investing in a long-term architecture and solution designed for both users and "things" through UEBA will provide the visibility needed to speed both attack detection and investigation, enhancing an organization's response capabilities before more damage is done.