Strategy
When action speaks louder than words

Behavior and cybersecurity

Behavior and cybersecurity: When action speaks louder than words
In most cases, attacks have one striking thing in common: unusual, conspicuous behavior patterns that can be traced in networks.

The important question is: How can this be recognized at an early stage? It requires the continuous monitoring and analysis of internal and external network behavior. Together with the analysis of user behavior, these are two basic methods for monitoring security in corporate networks. As cyber security challenges continue to grow and become more complex, the methods used to prevent attacks and breaches of data security are becoming more sophisticated.

Network Behavior Analytics (NBA) connects all network activities and data sources. Behavior Analysis detects abnormal behavior – from unusual login times to locations where login attempts take place – and helps organizations improve security.

In the case of behavior analyses in the IT sector, the focus is increasingly on security-relevant data. The focus here is on understanding who is using a network, how this is done, and whether the activities and actions performed are permitted. The aim is to detect conspicuous behavior, abnormal behavior in the network, at an early stage.

Man vs. Machine

Technologies alone do not make a company secure. It is only the interaction of technical solutions and human expertise that can ensure optimum cyber security. The best solution is one in which technology and people work together efficiently, because fundamental questions require people, their specialist knowledge, their many years of experience, and the resulting good powers of judgment. This combination is what delivers a decisive advantage and ensures optimum security.

Behavior Analysis uses special algorithms and machine learning methods. A broad framework of data, including data from the field of log data analytics, or LDA for short, is integrated for comprehensive security access, thereby enabling attacks to be detected and blocked. With benchmarks that look like “normal” user and network behavior, actions that do not follow the usual pattern can be uncovered for further action to be taken.

The combination is the key: sophisticated analytics tools and machine learning combined with a wide variety of data sources. The goal is to improve detection rates for conspicuous behavior in the network and to keep false positives low. With this new approach, anomalies that can become risks are detected earlier. A departure from pure detection, alerting and blocking systems on the basis of threats.

An undetected act on repeat

All cyber attacks have one thing in common: the attack behavior deviates from normal behavior patterns. This knowledge is crucial when it comes to preventing future breaches of IT security. The future of cyber security will be shaped by technology that consistently and accurately identifies types of behavior that are out of the ordinary. By using an appropriate analysis that detects these anomalies, they can be detected more easily and quickly among the endless amounts of data.

But how can conspicuous behavior be identified? The process requires ongoing monitoring, analysis and the use of machine learning to identify the early signs of an attack. Accuracy is naturally of the utmost importance here to avoid wasting valuable resources caused by false alarms of any kind.

Attacks often remain undetected for a long time and conspicuous behavior goes unnoticed for too long, sometimes even for several years. As has been reported in recent months, it can affect hotel chains, airlines, sporting goods manufacturers or even construction companies.

No digitalization is no solution either

Intelligent technology for continuous monitoring and behavioral analysis could have detected the attack at an early stage. After all, when a system that has been manipulated by attackers suddenly accesses a database it has never accessed before, modern technologies immediately highlight these anomalies, thereby identifying a nascent attack and either averting damage or keeping it as low as possible.

Such attacks are wake-up calls for IT security managers in companies; they illustrate the complexity of cyber security.

Put a stop to bad behavior

There is no one-size-fits-all approach to the use and integration of behavioral analysis. However, creating use cases for normal network behavior and identifying anomalies can significantly improve protection. Behavioral analysis and machine learning cannot replace security experts, but they do make it possible to prioritize anomalies and make the tasks of IT teams and CDC analysts more efficient. Integration leads to a holistic approach to security and the introduction of comprehensive cyber security strategies in companies.

Behavioral analysis methods can detect multiple anomalies:

  1. A matter of time: Employees usually work at specific times. If employees log on outside normal working hours or suddenly access systems that are not relevant to them, this should trigger further investigations or require additional authentication.
  2. In case of application: An employee who suddenly uses unusual or unauthorized programs, such as Dropbox, can represent an early warning sign.
  3. On the premises: If an employee has logged into the network from a previously unknown IP address or another geographic location, this should be monitored carefully. The same applies to employees and devices that use an unusual WiFi network. An employee working in Berlin should not have an IP address in Brussels. Similarly, the use of different or changing IP addresses could indicate that the user is using a Virtual Private Network, VPN, to disguise the true location.
  4. Devices of all kinds: A login from an unknown device can also constitute an early warning sign. An attacker could be using stolen credentials to access data. Logging in from a public computer is also risky.
  5. Register human behavior: Another interesting aspect of analysis can be the speed at which employees usually type, use a touchscreen, or move the mouse. Behavior-based biometrics can recognize users based on their typing behavior. The type and speed of the keystroke, such as words per minute, frequent errors and letter sequences, are used here for evaluation and identification processes.
  6. Proper networking: Experienced experts know how data flows work under normal conditions, as this can also reveal unusual behavior. Network Behavior Analytics also investigates the question of what a good network looks like.
  7. With a clear model for normal behavior, it is difficult for attackers to adapt to normal, inconspicuous network behavior to avoid detection.