How does an organisation tackle a cybersecurity threat once the perimeter has been breached? The traditional cybersecurity narrative tends to revolve around keeping the criminals out, building a seemingly impenetrable wall of security technologies around the network. This technology’s sole purpose is to filter an organisation’s incoming traffic and protect its most precious resource: its data. Whilst there is no doubt that traditional technologies such as firewalls and security gateways have an impact, the security game is changing, and all organisations need to take notice.
In today’s threat landscape, where organisations are facing threats like never before, perimeter defences cannot be an organisation’s sole form of defence. Consider these defences to be like a country’s border force, entirely necessary but essentially useless if the biggest threat is already on the inside. Organisations must shift their mindset from one where they are waiting for an attack, to one where they should assume an attack is already underway.
As such, an organisation’s IT department must ask itself what tools are at its disposal once the border has been breached. What are the best methods of detection and remediation? And if these attacks target privileged access users, what steps need to be taken in order to reduce the damage that may be done?
Passwords Just Aren’t Enough Anymore
Imagine a seemingly trusted user gaining access to a corporate CRM system, except this user should not be trusted – they’re in fact a hacker who has acquired a legitimate employee’s password and is now in the system. In this instance, what can an organisation’s security operations centre do? The answer here is probably nothing. How are they to know that this user is a hacker rather than the employee – until it’s too late?
This is why it is becoming more widely accepted that passwords are no longer sufficient to keep the bad guys out. In order to defend against the current threat landscape, organisations need to take a holistic approach to their cybersecurity. The main idea behind this mentality is that organisations need to go beyond passwords and look to integrate more modern forms of security – such as contextual identity solutions.
Whilst basic privileged access monitoring allows an IT security team to have a general overview of a user’s actions – alerting the team as behaviour deviates from the baseline – contextual tools add just that: context to the behaviour. They do this by taking into account a user’s device, IP address, time of access and previous interactions in order to understand whether the actions are in line with that user’s standard behaviour. The machine learning algorithms behind these tools help security teams find out swiftly if a user’s account has been compromised.
How Behaviour Analysis Works In Practice
Due to the multi-faceted nature of data threats in the current climate, and the ease of gaining a password, it’s important for organisations to think about the missing piece of their security puzzle. What will enable them to detect an attacker once a perimeter has been breached? One answer is through analysing behaviour.
Machines are more or less homogeneous: if they have the same specifications and have been programmed by the same IT team, they’ll typically behave in the same way, which can make it difficult to spot anomalous activity. Humans are the complete opposite. One user’s keystrokes or mouse activity will be entirely different from another’s. In fact, the way an employee moves their mouse is almost as unique as their fingerprint.
Every privileged user within an organisation’s network will demonstrate a certain pattern of behaviours that can be recorded as metadata – this is inclusive of everything from the servers they use to how they typically behave once logged in.
Through storing this metadata, IT security teams can build up a profile of acceptable or expected behaviour for any user and, most importantly, use this profile to quickly spot behavioural anomalies that indicate the person driving the machine isn’t the correct privileged user.
Significantly, behavioural monitoring technologies are able to detect even the smartest cyber criminals mimicking privileged user behaviour. In these cases, the technology can go beyond the metadata and examine minute traits, such as typing speed or even a user’s most common spelling errors, meaning anything out of the ordinary is flagged to the internal team immediately.
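The profiling approach described above – recording a privileged user’s device, IP address, time of access and servers used as metadata, then flagging sessions that deviate from that baseline, and additionally checking a fine-grained trait such as typing speed – can be illustrated with a small scoring routine. The following is an added example written for this article, not code from any product or vendor the article discusses; the session fields, the weights, the alert threshold and the sample session history are all constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev


# Hypothetical session record: the metadata the article lists (device, IP address,
# time of access, server used) plus one fine-grained trait (typing speed).
@dataclass(frozen=True)
class Session:
    user: str
    device: str
    ip: str
    hour: int          # hour of day (0-23) at which the session started
    server: str        # server the privileged user connected to
    typing_cpm: float  # characters per minute observed during the session


# Constructed baseline history for one privileged user (sample data, not real logs).
BASELINE = [
    Session("alice", "laptop-01", "10.0.0.12", 9, "crm-db", 240),
    Session("alice", "laptop-01", "10.0.0.12", 10, "crm-db", 250),
    Session("alice", "laptop-01", "10.0.0.12", 14, "crm-db", 245),
    Session("alice", "laptop-01", "10.0.0.15", 9, "billing-api", 255),
    Session("alice", "laptop-01", "10.0.0.15", 11, "crm-db", 250),
    Session("alice", "laptop-01", "10.0.0.12", 16, "billing-api", 260),
]

# Three constructed sessions to score against the baseline.
NORMAL = Session("alice", "laptop-01", "10.0.0.12", 11, "crm-db", 248)
# Valid password used from an unknown host, outside working hours, by a slower typist.
STOLEN_CREDENTIAL = Session("alice", "unknown-host", "198.51.100.7", 3, "crm-db", 180)
# Metadata copied perfectly; only the typing speed gives the intruder away.
MIMIC = Session("alice", "laptop-01", "10.0.0.12", 10, "crm-db", 320)

# Weights and threshold are assumptions for illustration; a real deployment would tune them.
WEIGHTS = {
    "unknown device": 2,
    "unknown ip": 2,
    "off-hours access": 1,
    "unknown server": 1,
    "typing speed anomaly": 3,
}
ALERT_THRESHOLD = 3


def build_profile(sessions):
    """Summarise a user's recorded history into an expected-behaviour profile."""
    speeds = [s.typing_cpm for s in sessions]
    return {
        "devices": Counter(s.device for s in sessions),
        "ips": Counter(s.ip for s in sessions),
        "servers": Counter(s.server for s in sessions),
        "hours": (min(s.hour for s in sessions), max(s.hour for s in sessions)),
        "typing_mean": mean(speeds),
        "typing_stdev": pstdev(speeds),
    }


def score_session(profile, session):
    """Return (score, reasons): each reason names one way the session deviates."""
    reasons = []
    if session.device not in profile["devices"]:
        reasons.append("unknown device")
    if session.ip not in profile["ips"]:
        reasons.append("unknown ip")
    lo, hi = profile["hours"]
    if not lo <= session.hour <= hi:
        reasons.append("off-hours access")
    if session.server not in profile["servers"]:
        reasons.append("unknown server")
    # Typing speed: flag a value more than two standard deviations from the mean
    # (or more than 10% away when the history has no spread at all).
    sd = profile["typing_stdev"]
    diff = abs(session.typing_cpm - profile["typing_mean"])
    if (sd > 0 and diff > 2 * sd) or (sd == 0 and diff > 0.1 * profile["typing_mean"]):
        reasons.append("typing speed anomaly")
    return sum(WEIGHTS[r] for r in reasons), reasons


def is_alert(score):
    """True when the accumulated deviation is large enough to raise to the SOC."""
    return score >= ALERT_THRESHOLD


if __name__ == "__main__":
    profile = build_profile(BASELINE)
    for label, s in [("normal", NORMAL), ("stolen credential", STOLEN_CREDENTIAL), ("mimic", MIMIC)]:
        score, reasons = score_session(profile, s)
        print(f"{label}: score={score} alert={is_alert(score)} reasons={reasons}")
```

The metadata checks alone would not catch the MIMIC session, since its device, address, hour and server all match the baseline; the typing-speed trait is what pushes it over the threshold, which is the point the article makes about going beyond metadata. In practice the weights would be calibrated per organisation, and the fine-grained traits extended to the other signals mentioned, such as common spelling errors.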
Staying Two Steps Ahead
The battle to stay ahead of cybercriminals continues to move at breakneck speed, and organisations can often feel two steps behind. Traditional authentication methods have been somewhat left behind and are proven to be essentially useless once the hacker is in possession of a user’s valid credentials. Behaviour is the new security battleground. Only by monitoring privileged users can businesses truly understand who has gained access to their systems, and just what they’re getting up to within the network.