Unmasking Privileged Identity Thieves with User Behavior Analytics


In this special guest feature, Csaba Krasznay, Security Evangelist at Balabit, discusses how, by applying advanced statistical techniques to IT users’ digital behaviors, security professionals can recognize and escalate unusual activity that could be related to identity theft. Csaba is responsible for the vision and strategy of Balabit’s Privileged Access Management solutions. He is a member of the board at the Hungarian E-government Association and the Voluntary Cyberdefence Coalition. He received his MSc in 2003 in Electrical Engineering at Budapest University of Technology and Economics, and his PhD at the National University of Public Service, where he is an Assistant Professor and conducts research on the security of e-government systems. He was elected “Most Influential IT Security Expert of the Year 2011”.

What do seven of the 10 largest data breaches in the 21st century – from Yahoo to Target and JP Morgan Chase – have in common? According to post-mortem reviews of recent mega-breaches, privileged identity theft – or, the compromise of credentials to privileged accounts – played a large role.

Many of today’s sophisticated and well-resourced cybercriminals, some with the backing of nation states, actively target privileged administrator accounts because they hold the keys to the kingdom. Under the guise of a privileged user, criminals can infiltrate IT systems to steal data on a massive scale and disrupt critical infrastructure. The hijacking of privileged identities and accounts has amounted to billions of compromised records – from credit card details and user accounts, to employee information, health records, and more.

The danger of compromised privileged identities is that they are already inside the network, meaning that an organization’s typical perimeter defenses, including antivirus, firewalls, and passwords, are rendered useless.

Pinpointing threats that are already on the inside will require a new type of authentication, where privileged identities are verified continuously, rather than at a single point of time. Accomplishing continuous authentication will depend heavily on analytics – specifically, user behavior analytics.

At the Core: Digital Behavior

The Merriam Webster dictionary defines behavior as, “anything that an organism does involving action and response to stimulation.” Behaviors are conscious and observable, and they don’t just apply in the physical world – they can also exist digitally.

The times of day we log onto our computers, the screen resolutions we choose, the applications we use and the websites we visit – these are all behavioral characteristics that tell a story about who we are as individuals in the digital world.

By capturing data about employees’ digital behaviors, organizations can build a baseline of “normal” user behavior, and through continuous monitoring, they can detect unusual deviations and potentially suspicious activity related to an attack. This is all made possible by machine learning, which enables security systems to learn to identify threats in real-time, without being explicitly programmed.

Getting More Granular with Behavioral Biometrics

Analyzing conscious digital behaviors opens a window for organizations to tell if an outsider has compromised an employee’s privileged account. But, there are ways that security professionals can get even more granular in their analyses of digital behaviors – ones that the users themselves may not be aware of – through behavioral biometrics.

While most people are familiar with physiological biometrics such as fingerprint, iris, and retina recognition as a form of authentication, behavioral biometrics are relatively unknown. How a person interacts with a computer – their typing and mouse movement habits, for example – is highly unique to the individual and would be very difficult for a hacker to replicate.

Tracking and analyzing keystroke dynamics, for instance, might include creating baseline parameters around dwell time (how long a key is held down) and flight time (the time between releasing one key and pressing the next). Mouse movement analysis might account for cursor speed, the elapsed time between the two clicks of a double click, and even the angular velocity of the cursor.
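The baseline-and-deviation idea from the earlier section, applied to the dwell and flight times just described, as an added example (not Balabit’s product code): enrollment sessions define a user’s "normal" typing rhythm, and a later session is scored by how many standard deviations it drifts from that baseline. All function names, the event tuple layout `(key, press_ms, release_ms)`, the 3-sigma threshold and the sample timings are constructed assumptions.

```python
from statistics import mean, pstdev

# Added example: keystroke-dynamics baseline and deviation scoring.
# Events are (key, press_ms, release_ms); names and values are constructed.
def make_events(dwells, flights, start=0):
    """Constructed helper: build key events from dwell (ms) and flight (ms) lists."""
    events, t = [], start
    for i, dwell in enumerate(dwells):
        events.append((f"k{i}", t, t + dwell))
        t += dwell + (flights[i] if i < len(flights) else 0)
    return events

def keystroke_features(events):
    """Dwell = hold time of each key; flight = gap from one release to the next press."""
    if len(events) < 2:
        raise ValueError("need at least two key events to derive flight times")
    events = sorted(events, key=lambda e: e[1])
    dwells = [rel - prs for _, prs, rel in events]
    flights = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwells, flights

def build_baseline(sessions):
    """Per-feature mean and std over enrollment sessions; 'or 1.0' guards a zero std."""
    all_d, all_f = [], []
    for ev in sessions:
        d, f = keystroke_features(ev)
        all_d += d
        all_f += f
    return {"dwell": (mean(all_d), pstdev(all_d) or 1.0),
            "flight": (mean(all_f), pstdev(all_f) or 1.0)}

def anomaly_score(baseline, events):
    """Mean absolute z-score of the session's average dwell and flight vs. baseline."""
    d, f = keystroke_features(events)
    zd = abs(mean(d) - baseline["dwell"][0]) / baseline["dwell"][1]
    zf = abs(mean(f) - baseline["flight"][0]) / baseline["flight"][1]
    return (zd + zf) / 2

def is_suspicious(baseline, events, threshold=3.0):
    """Flag a session whose typing rhythm drifts more than `threshold` sigmas."""
    return anomaly_score(baseline, events) > threshold

# Constructed data: three enrollment sessions of the legitimate admin, one later
# session by the same person, and one by someone using the stolen credentials.
ENROLLMENT = [make_events([100, 110, 90, 100, 100], [200, 220, 180, 200]),
              make_events([95, 105, 100, 100, 100], [190, 210, 200, 200]),
              make_events([100] * 5, [200] * 4)]
LEGIT_SESSION = make_events([100] * 5, [200] * 4)
INTRUDER_SESSION = make_events([60] * 5, [400] * 4)
BASELINE = build_baseline(ENROLLMENT)
```

A real deployment would keep many more features (per-key dwell, digraph flight times, mouse metrics) and tune the threshold against false positives before escalating a session.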

Behavioral biometrics is not a discrete authentication step that the user has to perform – verification runs continuously in the background, without disrupting employees’ normal workflows, while significantly improving the security of privileged accounts.

The New Authentication is Continuous

As we’ve seen from growing numbers of cyber-attacks, one-off authentication methods as a means of telling friend from foe have failed to provide adequate protection. The new authentication is continuous authentication, driven by the application of user behavior analytics and machine learning to privileged users.

User behavior analytics has been proven effective in a variety of security use cases from credit card fraud detection to identifying rogue financial traders, but it can be particularly useful in detecting more subtle anomalies related to digital behaviors and behavioral biometrics. Armed with these advanced analytics capabilities, organizations will be better placed to rapidly detect and unmask privileged identity thieves inside the network.
