The role of the rule book is changing…
 

The real reasons that rules alone are not enough

12 Jul The real reasons that rules alone are not enough

Signature and rule-based tools have been a mainstay of enterprise security for decades. Over time, they’ve grown in complexity; they’ve been honed and strengthened – yet taken in isolation, they consistently prove inadequate in tackling the cyber threats faced by businesses.

The role of the rule book is changing…

So is it time to move on completely? Should businesses be ditching rules-based antivirus (AV) altogether? Well, not exactly. The SANS Endpoint Security Survey from last year showed that AV was still responsible for capturing 57% of “impactful events” that occurred within respondents’ organisations. The “rule book”; i.e. a central repository of known threats, remains a valuable resource to draw on.

But what about previously undocumented threats? Or malware that has the ability to change its appearance to circumvent the rulebook? Or those adversaries who don’t need to resort to malware or exploit an obvious vulnerability to do damage? The problem with the rulebook is twofold:

  • the threat landscape shifts too quickly for the rules to be updated to cover everything at any one time;
  • certain types of threats (especially if they come from within the organisation) are hard to identify if you are working to a rigid set of rules as your sole means of threat identification.

As Gartner’s recent overview of the endpoint protection market highlighted, enterprises are increasingly taking a proactive approach to threat detection. Correlation rules and the ability to collect and aggregate feeds of log data are still important – but they are not the be-all-and-end-all of security.

Against this background, User and Entity Behaviour Analytics (UEBA) can give firms a much more meaningful, contextualised and valuable overview of what’s happening across the system. With this in mind, here’s an overview of the gaps that need filling – and at how UEBA can help you fill them…

‘Rules’ and ‘Behaviour’: what are we talking about?

Signature and rules-based IT security is often referred to as “knowledge-based” detection – and for good reason. Take a standard AV solution, for instance; it’s likely to feature a DAT file, constantly updated to catalogue all of the threats known to the solution provider. The rules are determined on the basis of this knowledge: if (and only if) a catalogued threat is encountered will an alarm be triggered.

Likewise when it comes to system vulnerabilities; a knowledge-based solution will contain detailed information about those vulnerabilities and will look for identifiable attempts to exploit them. If a specific threat or user action isn’t on the list of things to look out for, then it’s deemed acceptable.  

Behaviour-based analytics looks at things from a different perspective. It says that systems, endpoints – and crucially – individual users – all tend to behave in predictable ways. Taking this as a starting point, it then becomes possible to draw up models of what ‘normal’ or valid behaviour looks like. It says that if something doesn’t look ‘normal’ in its environment, it deserves to be flagged up.

These are two distinct ways of scanning your IT environment for threats. They are not necessarily mutually exclusive: each can play a valuable role in bolstering your security posture…

Mind the gap: where the rulebook falls down (and where UEBA can make all the difference)

It’s when it comes to both new and unforeseen threats that signatures and rules fall down – and behavioural analytics can really come into its own…

Rogue insiders

According to IBM’s latest Cyber Security Intelligence Index, an estimated 60% of security attacks worldwide come from within organisations. There’s a double whammy here: as well as being one of the most significant risks encountered by businesses, the rogue insider is also uniquely placed to sidestep a traditional rules-based intrusion detection system.

He probably won’t unleash a malware payload (after all, he doesn’t need to). If he’s a privileged user, he enjoys unfettered access to whole swathes of your IT estate – without a single ‘rule’ being broken. Even a user with limited privileges might know enough about your IT architecture to copy and remove what she needs – without necessarily triggering a telltale system-specific mechanism or signature.

For effective insider threat detection, it’s not enough for organisations to ask “Has this individual broken the ‘rules’?”. Rather, UEBA gives you the ability to ask – and answer – “Has this individual’s behaviour changed – and if so, how?”.

Credential theft

Once an outsider has access to credentials, there’s the possibility of wholesale harvesting of your valuable intellectual property – all carried out under a cloak of legitimacy. So where is your business critical data going? How much data is being uploaded and downloaded from a particular user’s endpoint? Does this activity represent a departure from the norm?

UEBA gives you the ability to spot these anomalies across your infrastructure – providing a vital early warning system of a network breach.

Advanced malware threats

Over time, rule-based security solution providers have become quicker and better at recognising and logging threats. But faced with polymorphic malware – i.e. packages with the ability to automatically morph to avoid detection from anti-malware software – such solutions are always going to be fighting an uphill battle. The threat actors themselves are also getting ever-more sophisticated, with the 2017 Mandiant M-Trends report reminding us that the boundaries between ‘state sponsored’ and ‘ordinary criminal’ hackers are becoming increasingly blurred.

Apprehension of a hacker at the initial entry point isn’t always going to be possible. That said, an understanding of how your entities and users ought to behave is one of the most valuable assets available to you when it comes to stopping threat actors after the event. It gives you the ability to spot anomalous behaviour – in whatever guise that may take.

Making UEBA workable

Traditionally, from a Security Information and Event Management (SIEM) perspective, rules-based intrusion detection has one important factor in its favour: low false alarm rates. In other words, it won’t catch everything, but administrators can be sure that the alarms that are triggered are worthy of attention.

By contrast, UEBA is sometimes unfairly caricatured as a rather ‘paranoid’ approach to IT security: everything not previously seen is regarded as dangerous, potentially giving rise to a high occurrence of ‘false positives’ for administrators to deal with.

To be workable, a UEBA solution shouldn’t leave your administrators drowning in data; a concern that Zonefox has prioritised in our very own UEBA-based insider threat protection solution. Designed with SIEM in mind, it continuously analyses and records endpoint activities in real time. You get crystal clear visibility so you prioritise what’s relevant.

In other words, Zonefox gives valuable context to any existing rule-based solutions you may have in place already. It’s about supporting your SIEM strategy rather than making it more of a challenge.

So are you ready to move your security strategy beyond the ‘rule book?’ Request a Zonefox demo today for a first-hand glimpse of ‘intelligent’ asset protection in practice.   

Tweet about this on TwitterShare on Google+Share on LinkedInShare on FacebookEmail this to someone
Eilidh Curtis
e.curtis@zonefox.com

Edinburgh born and bred, with an embedded interest in technology, cybersecurity and the Scottish start up scene, I enjoy the occasional prosecco and have a minor stationery addiction.