Perfect security is unachievable. Security professionals should not presume they can prevent every attempted breach and should prepare for the possibility that some compromises will happen. Instead, a security practitioner's top priority should be the ability to detect and recover from breaches as quickly as possible in order to minimise their impact. Where prevention is practical it should be used; where it is not, detective measures should take its place.
To achieve this, we should apply the defence-in-depth principle and employ overlapping controls to reduce single points of failure. When it comes to security, we should adopt a risk-based strategy: first identify where our most important assets sit and which areas carry the highest risk, then allocate the resources needed to safeguard those locations.
To assist in the identification of threats, we can use threat intelligence to obtain inventories of well-known IOCs (Indicators of Compromise). This strategy has been used for decades with tools like antivirus software, intrusion detection systems, spam filters, etc., but it has some drawbacks:
First, because the universe of threats is constantly growing, we always have to look for new IOCs on top of the old ones, so the lists of IOCs we maintain grow ever longer. In addition, attackers can quickly change a few aspects of an attack, such as the source IP of a network-based attack or just one piece of the malware's code, so that its hash no longer matches any existing IOC.
Most importantly, while this strategy works reasonably well against known threats, it is ineffective against zero-day exploits and other unknown threats because it depends on someone having seen and made a signature for those threats in the past.
Both known and unidentified threats should be taken into account when developing a detection strategy. How can we identify unknown threats when we must depend on detective controls?
What is the Behavioural Analysis Security Approach?
Regarding security, behaviour analysis is a technique for threat detection that emphasises understanding both the behaviours of users and entities (such as servers and file shares) in your environment and the behaviours of your adversaries, including their motivations and strategies. With this knowledge, you can recognise known adversary behaviour and subtle changes in the known behaviours of the users and entities in your environment that could be the by-product of malicious activity. This allows you to detect possible malicious activity.
Behaviour analysis differs from conventional IOC detection in that it requires you to view your environment at a macro scale, rather than the microscopic view you get when you concentrate only on signature detection. This method reduces one of the main drawbacks of conventional signature detection, namely managing the continuously growing inventory of known-bad items you need to search for. Whereas signature-based techniques chase an effectively unbounded set of signatures, behaviour analysis focuses on a limited number of known adversary behaviours.
The other major benefit of behaviour analysis over conventional signature-based detection techniques in security is that it is effective for both known and unknown threats because behavioural changes can be used as indicators of abnormal activity even when those changes have never been observed before.
Zero-Trust and Behavioural Analysis:
In many ways, zero trust represents a rethinking of security, including how access is granted and how users and their devices are constantly watched as they use apps and access data.
Machine learning (ML), artificial intelligence (AI), and data analytics are the main tools used in behavioural analytics for zero-trust security models. To transform the incessant chatter of activity logs into a useful credit-like score of a person and a device, AI and ML are essential. The credit-like score, also known as the confidence score, is based on a user's typical behaviour and how it contrasts with the actions and conduct of their peers.
In a zero-trust security approach, these technologies are crucial for behavioural analytics and its applications. Most systems simply have too many users and activities going on for a security team to spot unusual activity without some kind of intelligence backing it up. In addition, many evolving threats do not follow historical attack patterns, which calls for systems that can examine behavioural data sets for previously unidentified threat patterns.
A new user who is engaging in unusual behaviour, such as logging in outside of business hours from a different place and downloading large exports of customer data, could be found using behavioural analytics. Companies can update their access control policies in light of this information by, for instance, requiring 2FA when logging in from a new place or limiting downloads to a specific size when logging in during non-work hours.
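The confidence score and the adaptive policy described above, as an added example that is not part of the original post: a user's login is scored against that user's own history (hours, locations) and against the peer group's download sizes, and the score plus its reasons are mapped to controls such as requiring 2FA from a new location or capping downloads outside business hours. The history, the business-hours window and the score weights are constructed assumptions for illustration.

```python
from statistics import mean, pstdev

# Constructed sample login/download history (not real data):
# (user, login hour, location, bytes downloaded)
HISTORY = [
    ("alice", 9, "london", 5_000_000),
    ("alice", 10, "london", 8_000_000),
    ("alice", 14, "london", 6_000_000),
    ("bob", 9, "london", 7_000_000),
    ("bob", 11, "paris", 9_000_000),
    ("bob", 15, "london", 4_000_000),
]
BUSINESS_HOURS = range(8, 19)   # assumed 08:00-18:59 working day

def user_baseline(user):
    """Hours and locations this user has been seen from before."""
    rows = [r for r in HISTORY if r[0] == user]
    return {"hours": {r[1] for r in rows}, "locations": {r[2] for r in rows}}

def peer_download_stats():
    """Mean and population std-dev of download sizes across all users (the peers)."""
    sizes = [r[3] for r in HISTORY]
    return mean(sizes), pstdev(sizes)

def confidence_score(user, hour, location, nbytes):
    """Score 0..100 (100 = matches known behaviour) plus the reasons for deductions.
    The weights are illustrative assumptions, not a standard."""
    base = user_baseline(user)
    peer_mean, peer_sd = peer_download_stats()
    score, reasons = 100, []
    if not base["hours"]:                       # never seen before: start with less trust
        score -= 10; reasons.append("no_history")
    if hour not in BUSINESS_HOURS:
        score -= 30; reasons.append("outside_business_hours")
    if location not in base["locations"]:
        score -= 30; reasons.append("new_location")
    z = (nbytes - peer_mean) / peer_sd if peer_sd else 0.0
    if z > 3:                                   # far above what peers normally pull
        score -= 40; reasons.append("download_exceeds_peers")
    return max(score, 0), reasons

def access_decision(user, hour, location, nbytes):
    """Map the score and its reasons to the adaptive controls the text describes."""
    score, reasons = confidence_score(user, hour, location, nbytes)
    actions = []
    if "new_location" in reasons:
        actions.append("require_2fa")
    if "outside_business_hours" in reasons:
        actions.append("cap_download_size")
    if score < 40:
        actions.append("block_and_alert")
    return score, actions
```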
How does behavioural analysis shorten attacker dwell time?
Because of the defence-in-depth principle, there will always be value in overlapping controls, which means that traditional signature-based techniques such as IDS, blacklists, anti-virus and firewalls will continue to be useful: they can be very effective at removing known-bads and are relatively simple to implement.
With detective controls, we must be careful not to overtax the limited resources of our security teams with too many warnings from too many controls. To shorten an adversary's dwell time, we need methods for filtering out background noise and directing our security teams' attention to what is most critical at any given moment. Relying only on conventional signature-based detection is inadequate. Security behavioural analysis can supplement these methods and close many of the gaps they leave behind.
By combining these methods with best-in-class log gathering and analytics, organizations can turn billions of security events and thousands of alerts into a prioritised, manageable list of a few security incidents. This helps security teams detect and respond to threats rapidly, reducing the time adversaries can spend in the environment and the damage they can cause.