
The Greatest Risk to Your Enterprise Is Already Logged into the Network

By Larry Lunetta, VP WLAN & Security Solutions Marketing

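Every CSO needs to be alert to the growth and sophistication of external cyber threats, but the greatest network risk may be the one lurking inside their own network. Negligent employees, malicious insiders, and compromised users and hosts often have the benefit of legitimate credentials with which to exploit the weaknesses of traditional security infrastructure.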


Traditional perimeter defenses give free rein to those credentials. But to determine if those "users" are part of an attack, enterprises really need to focus security on the behavior of who or what is using authorized credentials.

In a recent discussion on Verizon's 2017 Data Breach Investigation Report, the company's senior security specialist and RISK Team leader, John Grim, told Computer Business Review that "[in] 81% of the data breaches that we looked at this year in terms of data sets, the threat actors are leveraging those default passwords, those weak passwords, or those passwords that have been stolen."

One in five employees in a recent survey indicates they keep passwords in plain sight. Another survey finds that 23% of workers would share sensitive, confidential, or regulated company information if they believed the risk was low and the potential benefit high.

Guest Access

Other risks come from authorized guests. Guest networks are not necessarily well protected, which can allow those guests to move into places they shouldn't be allowed to go and to access data that should be restricted.

Trusted partners represent yet another threat vector. As CSO pointed out recently, "The use of third-party providers is widespread, as are the breaches associated with them."

The breach of Target's point-of-sale systems in 2013 was traced to a heating and air conditioning vendor whose legitimate credentials had been stolen, according to Krebs on Security.

A bad actor with legitimate credentials, whether an insider or outsider, can probe for weaknesses once on the network. In that type of situation, the only way to defend the enterprise is by finding the changes in the actor's behavior that would indicate an attack is under way.

Detecting Anomalies

With the benefit of machine learning, user and entity behavior analytics (UEBA) can detect anomalous actions that may indicate unauthorized activity and attacks. Aruba IntroSpect utilizes supervised and unsupervised machine learning models to ensure that the system is self-learning, continually adapting, and accurately identifying anomalies and confirming malicious activity before attacks inflict damage.

Bad behaviors on the network can be detected if you know what to look for and have the capabilities to do so. For example, when users access systems, how long do they stay on an application? What amount of data do they access? From where and with what devices are they doing so?

All those activities can be used to build baselines, or profiles, of what is normal behavior; anomalies can then be detected individually and correlated over time, alerting security professionals to take appropriate action when certain threshold conditions are met. With UEBA, baselines can be built around the activities of peer groups, so that if, for example, a member of the finance group is behaving differently from his or her peers, it can be quickly detected.
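The peer-group baseline and threshold logic described above, as an added example that is not from the original article and does not represent how Aruba IntroSpect works: it swaps the machine learning models for a simple median/MAD score per peer group. The users, data volumes, `robust_z`, `detect` and both thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data: group -> user -> MB downloaded on days 1..5.
DAILY_MB = {
    "finance": {"alice": [40, 55, 48, 52, 45], "bob": [60, 50, 58, 47, 53],
                "carol": [45, 62, 50, 49, 57], "dave": [50, 48, 900, 1100, 950]},
    "engineering": {"erin": [800, 950, 870, 910, 890],
                    "frank": [900, 860, 940, 880, 920],
                    "grace": [850, 910, 900, 930, 870]},
}
EVENTS = [(day, user, group, mb)
          for group, users in DAILY_MB.items()
          for user, series in users.items()
          for day, mb in enumerate(series, start=1)]


def robust_z(value, peers):
    """Modified z-score of value against peer values (median and MAD)."""
    med = median(peers)
    mad = median(abs(p - med) for p in peers)
    # Assumption: floor the spread so a small, tightly clustered peer group
    # does not turn ordinary variation into an anomaly.
    scale = max(mad, 0.1 * med, 1.0)
    return 0.6745 * (value - med) / scale


def detect(events, z_threshold=3.5, risk_threshold=2):
    """Alert when a user exceeds the peer baseline on risk_threshold days."""
    by_day_group = defaultdict(dict)
    for day, user, group, mb in events:
        by_day_group[(day, group)][user] = mb
    risk, alerts = defaultdict(int), []
    for day, group in sorted(by_day_group):
        volumes = by_day_group[(day, group)]
        for user, mb in volumes.items():
            # Baseline is the same day's activity of the user's peers only.
            peers = [v for u, v in volumes.items() if u != user]
            if len(peers) < 2:
                continue  # too few peers to form a baseline
            if robust_z(mb, peers) > z_threshold:
                risk[user] += 1  # correlate individual anomalies over time
                if risk[user] == risk_threshold:
                    alerts.append((day, user, group))
    return alerts


if __name__ == "__main__":
    for day, user, group in detect(EVENTS):
        print(f"day {day}: {user} deviates from the {group} peer baseline")
```

The same 900 MB that flags a finance user is unremarkable against the engineering baseline, which is the reason for scoring against peers rather than a single global threshold.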

Knowing what is going on in your network is as important as knowing who is on it.

Learn More

Get the CISO's Guide to Machine Learning & User and Entity Behavioral Analytics.

Larry Lunetta is vice president of security product marketing at Aruba, a Hewlett Packard Enterprise company.
