In the salad days of internet security, we were faced with threats like SQL Slammer and the ILOVEYOU virus. In those instances, the attacker was obvious and the fix was relatively simple, especially compared to today’s advanced attacks. The indiscretions of youthful security could be counteracted with antivirus solutions without the complicated algorithms behind security intelligence and forensics.
Today, since threats often come from inside our own networks, an advanced behavior analytics solution is an essential ingredient for any cybersecurity pantry.
The Right Ingredients
Organizations frequently conduct investigations on security incidents with limited context. A major problem is that these incidents are accompanied by either few breadcrumbs to follow or several loaves worth of croutons strewn about the network. It’s important to use a solution that reduces the time and resources required to diagnose and respond to an attack.
To further complicate matters, many of these attacks are attributed to legitimate credentials on the network. The second layer of defense is the ability to detect advanced attacks that evade real-time defenses using these valid credentials. Enter user behavior analytics.
Introducing Niara
Niara’s user and network entity behavior analytics solution deploys supervised and unsupervised machine learning models running on a Spark/Hadoop platform to spot small, telltale changes in user or system behavior. These breadcrumbs can be indications of a gestating attack, in which case Niara can automatically aggregate and summarize the forensic data necessary for triage and response with a security intelligence solution. This technique worked at a legal firm, where Niara analyzed authentication and activity patterns to detect instances of password sharing among employees.
Niara uses more than 100 machine learning models that provide a unified view of all IT activity, including packets and flows, logs and alerts, and external threat intelligence. With an enterprise scale that can monitor over 100,000 entities for abnormal behavior, Niara seamlessly integrates with the IBM QRadar console, analytics and workflow.
This workflow integration is particularly key for supporting forensic data analysis and alert triage. One organization saved an average of 30 hours per investigation by using the forensic information within Niara’s solution.
Niara Behavioral Analytics from Niara on Vimeo
From Days to Minutes
Between Niara and QRadar, full visibility across the IT ecosystem means no blind spots in the machine language coverage and attack detection. The seamless integration of the attack alert, a full description of the behavior analytics and supporting information means that incident response is reduced from hours and days to minutes with just a few clicks to get down to the packet level.
For one financial services client, Niara leveraged behavioral techniques to analyze activity data for employees. It detected two employees trying to exfiltrate data to Dropbox in violation of corporate security policy. For a high-tech customer, Niara machine learning identified a small change intended to spoof a sender’s email address (for example, N1ara.com versus Niara.com) to detect a targeted whaling attack.
Whaling is a particular type of phishing email typically targeting the financial department of a company. It appears to come from a high-level executive, likely a CEO or CFO, looking for an immediate transfer of funds. But the real destination for the funds is the attacker’s bank account. Domain spoofing, a technique that causes the source of the malicious message to appear legitimate, is the most popular strategy in whaling.
Learn More About Behavior Analytics
Visit the IBM Security App Exchange to try Niara’s integration with QRadar for yourself. You can also learn more about Niara’s user and network behavior analytics solution in the upcoming webinar “Detect and Respond to Threats Better With IBM Security App Exchange Partners,” scheduled for Nov. 8, 2016.
Market Segment Manager, IBM X-Force and Security Intelligence