Cybersecurity Insight

To Stop Cyber Threats We Must Focus On User, Says IT Vet

16 Oct

Cyber threats are present online at nearly every turn. Every day, whether we’re at work, at home, on our smartphone or tablet, or using our fancy new smart-watch, we are susceptible to cyber criminals.

While cyber crime against individuals seems to be slowing, cyber crimes against companies and organizations are at an all-time high. One former CISO says we must stop focusing so much on intrusion defense techniques and turn our attention to user behavior data to help catch threats before they happen or cause too much damage.

A recent report from Verizon showed that while cyber attacks happen extremely quickly, they often aren’t detected for several days, or even months. The report said that 60 percent of the time an attack could compromise an organization in a matter of minutes, and in 75 percent of cases the average time of discovery was days, not minutes or hours.

Leslie Lambert, a former CISO of Juniper Networks and Sun Microsystems, says, “The primary reason for the long delays in breach discovery…is that we are still very much focused on defending against intrusions. A new and more effective approach to quickly decode cyber incidents is needed, one that enables us to understand the complex activities occurring on our networks, and what ‘good’ cyber activity looks like. To accomplish this, we need to start at the source of all network activity — the behaviors of users and entities or devices.”

Most IT professionals would agree that the weakest point in any network or security chain is the user. User behavior monitoring has been implemented more widely over the years, but not yet to its full effect. However, Lambert says that monitoring user behavior and identifying patterns of ‘good’ vs ‘bad’ usage can help detect intrusions before they have the ability to harm an organization.

“Active engagement in monitoring, detecting and deriving insight into user access and usage patterns can foretell risky activity. Identifying early warning signs is critical for protecting against sophisticated threats including malicious insiders and external attackers that have hijacked legitimate user accounts,” says Lambert.

How is this accomplished? Well, it’s not as simple as walking by someone’s desk, of course. It’s important to review all security-related data from logs, then determine from this data what “good” behavior looks like, Lambert explains. “This will make it easier to isolate user behaviors that are suspicious, should be monitored or investigated. Examples of suspicious behavior may include inappropriate use of elevated access privileges, or more latent threats, such as data breaches.”
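As an added illustration of this approach (not code from Lambert or the original article), the sketch below learns each user's "good" behavior from a baseline period of logs, then flags later events that fall outside it, such as a first use of elevated privileges. The log format, the user and host names, and the 07:00-19:00 day shift are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed baseline-period log lines: timestamp user host action privileged(0/1)
BASELINE = """\
2024-03-04T09:05:00 alice ws-12 login 0
2024-03-04T09:40:00 alice fs-01 read 0
2024-03-04T08:30:00 bob db-01 login 0
2024-03-04T08:45:00 bob db-01 sudo 1
2024-03-05T17:20:00 bob db-01 sudo 1
"""
# Constructed later events to compare against the baseline
NEW = """\
2024-03-11T09:30:00 alice fs-01 read 0
2024-03-11T02:47:00 alice db-01 sudo 1
2024-03-11T09:10:00 bob db-01 sudo 1
2024-03-11T09:12:00 carol ws-20 login 0
"""

def parse(text):
    """Yield (user, timestamp, features); 07:00-19:00 is an assumed 'day' shift."""
    for line in text.strip().splitlines():
        ts, user, host, action, priv = line.split()
        hour = datetime.fromisoformat(ts).hour
        feats = {("host", host), ("shift", "day" if 7 <= hour < 19 else "night")}
        if priv == "1":
            feats.add(("priv", action))  # track which privileged actions a user performs
        yield user, ts, feats

def build_baseline(text):
    """Union of features seen per user during the period treated as 'good'."""
    prof = defaultdict(set)
    for user, _, feats in parse(text):
        prof[user] |= feats
    return dict(prof)

def deviations(text, prof):
    """Return (user, timestamp, unseen features) for events outside the profile."""
    alerts = []
    for user, ts, feats in parse(text):
        if user not in prof:  # an account with no history cannot be judged 'good'
            alerts.append((user, ts, [("user", "no baseline")]))
            continue
        unseen = sorted(feats - prof[user])
        if unseen:
            alerts.append((user, ts, unseen))
    return alerts

if __name__ == "__main__":
    print(*deviations(NEW, build_baseline(BASELINE)), sep="\n")
```

Alice's routine file read and Bob's habitual sudo pass quietly, while Alice's night-time sudo on a host she has never touched is reported with every feature that deviates, and the unknown account is surfaced rather than silently ignored.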

Now, going back to our original statement, we’re not saying you must stop trying to defend against intrusions and simply watch your users at all times. Of course, you need to implement a number of prevention techniques. Lambert’s suggestion is one part of the overall shield that will help your organization not only detect intrusions as they’re happening, but prevent future intrusions by being able to identify where your organization is the most vulnerable.