In the salad days of internet security, we were faced with threats like SQL Slammer and the ILOVEYOU virus. In those instances, the attacker was obvious and the fix was relatively simple, especially compared to today’s advanced attacks. The indiscretions of youthful security could be counteracted with antivirus solutions without the complicated algorithms behind security intelligence and forensics.

Today, since threats often come from inside our own networks, an advanced behavior analytics solution is an essential ingredient for any cybersecurity pantry.

The Right Ingredients

Organizations frequently conduct investigations on security incidents with limited context. A major problem is that these incidents are accompanied by either few breadcrumbs to follow or several loaves worth of croutons strewn about the network. It’s important to use a solution that reduces the time and resources required to diagnose and respond to an attack.

To further complicate matters, many of these attacks are attributed to legitimate credentials on the network. The second layer of defense is the ability to detect advanced attacks that evade real-time defenses using these valid credentials. Enter user behavior analytics.

Introducing Niara

Niara’s user and network entity behavior analytics solution deploys supervised and unsupervised machine learning models running on a Spark/Hadoop platform to spot small, telltale changes in user or system behavior. These breadcrumbs can be indications of a gestating attack, in which case Niara can automatically aggregate and summarize the forensic data necessary for triage and response with a security intelligence solution. This technique worked at a legal firm, where Niara analyzed authentication and activity patterns to detect instances of password sharing among employees.

Niara uses more than 100 machine learning models that provide a unified view of all IT activity, including packets and flows, logs and alerts, and external threat intelligence. With an enterprise scale that can monitor over 100,000 entities for abnormal behavior, Niara seamlessly integrates with the IBM QRadar console, analytics and workflow.

This workflow integration is particularly key for supporting forensic data analysis and alert triage. One organization saved an average of 30 hours per investigation by using the forensic information within Niara’s solution.

Niara Behavioral Analytics from Niara on Vimeo

From Days to Minutes

Between Niara and QRadar, full visibility across the IT ecosystem means no blind spots in the machine language coverage and attack detection. The seamless integration of the attack alert, a full description of the behavior analytics and supporting information means that incident response is reduced from hours and days to minutes with just a few clicks to get down to the packet level.

For one financial services client, Niara leveraged behavioral techniques to analyze activity data for employees. It detected two employees trying to exfiltrate data to Dropbox in violation of corporate security policy. For a high-tech customer, Niara machine learning identified a small change intended to spoof a sender’s email address (for example, versus to detect a targeted whaling attack.

Whaling is a particular type of phishing email typically targeting the financial department of a company. It appears to come from a high-level executive, likely a CEO or CFO, looking for an immediate transfer of funds. But the real destination for the funds is the attacker’s bank account. Domain spoofing, a technique that causes the source of the malicious message to appear legitimate, is the most popular strategy in whaling.

Learn More About Behavior Analytics

Visit the IBM Security App Exchange to try Niara’s integration with QRadar for yourself. You can also learn more about Niara’s user and network behavior analytics solution in the upcoming webinar “Detect and Respond to Threats Better With IBM Security App Exchange Partners,” scheduled for Nov. 8, 2016.

more from Intelligence & Analytics

CISA Certification: What You Need to Know

The globally-recognized Certified Information Systems Auditor (CISA) certification shows knowledge of IT and auditing, security, governance, control and assurance to assess potential threats. As you can imagine, it’s very much in demand. It can also be confusing.  Is CISA Certification Related to the Cybersecurity and Infrastructure Security Agency? CISA, the certification, is related to CISA, the federal agency, right?  Wrong.…

Raspberry Robin and Dridex: Two Birds of a Feather

IBM Security Managed Detection and Response (MDR) observations coupled with IBM Security X-Force malware research sheds additional light on the mysterious objectives of the operators behind the Raspberry Robin worm. Based on a comparative analysis between a downloaded Raspberry Robin DLL and a Dridex malware loader, the results show that they are similar in structure and functionality. Thus, IBM Security…