Last updated at Mon, 28 Oct 2019 17:40:45 GMT

This originally published on InfoSec Island.

One of the most important metrics in infosec is “attacker dwell time”—how long does it take to detect and remediate an intrusion? While each year brings improvement, the latest research reveals an average of 95 days, still over three months.

Attackers continue to hide in plain sight by impersonating company users, forcing security teams to overcome two challenges. First, companies must centralize all security-related events and employee behavior on the network. Then, security teams must analyze that mountain of data to expose signs of compromise.

Security information and event management (SIEM) tools are great for data centralization, but have struggled with the analytics layer: making sense of the data mountain. This has led to the explosion of user behavior analytics (UBA), which impacts attacker dwell time via intelligent detections and faster investigations. By first building a baseline of normal user behavior across the network, and then matching new actions against a combination of machine learning and statistical algorithms, UBA exposes threats without relying on signatures or threat intelligence.

If you’re investing in user monitoring as a facet of your program, here are suggestions: two tech, two human—to maximize your impact.

Comprehensively Collect Data
For a complete picture of user behavior, you need visibility both on and off the corporate network. Traveling employees, remote workers, and cloud services are under your purview, meaning that your user behavior analytics needs to cover that, too. This can include analyzing endpoint authentications and behavior and matching it against user activity from Office 365 or Google Apps. If you’re only collecting logs from headquarters or critical assets, you’ll have glaring blind spots and fewer opportunities to identify an ongoing attack.

Devote Cycles to the Technology
Today’s leading SIEM technologies, like Rapid7’s InsightIDR come with user behavior analytics, making it no longer just for investigations and compliance—it can identify real-time risk across users and assets. To get the most out of your user monitoring, you need two types of skillsets: data management and incident response. The right data feeds must be properly centralized, and your team needs to take action on the output.

This is a challenge when the entire industry is clamoring for talent—in response, Managed Detection and Response (MDR) services are quickly rising in popularity. Should you want to tackle incident response in-house, consider a SaaS SIEM or co-managed model. Otherwise, consider a MDR service that both brings security expertise and can help you check the compliance box for log management.

Be Transparent with the Company
Security teams get the bad rap as the “team that says no”. For employees, rolling out user monitoring can feel like an Orwellian mask layered over shadowy operations. Flipping that on its head, UBA can be a great opportunity to share the threat landscape we live in today.

All employees must be vigilant about their credentials: "81% of confirmed breaches involve the misuse of stolen or weak credentials." If an attacker successfully phishes an Office 365 login, they can view that employee’s mailbox, send super-credible phishing attacks, and try for a VPN certificate for internal network access—all without malware.

Sharing how user behavior analytics detects the use of stolen or misused credentials—and will only be used to detect compromise—can help everyone see through the same lens. Your employees should always be the most reliable sources of truth.

Share Successes
Security savants don’t get a lot of the company spotlight. Similar to IT, security often comes to mind only when something is amiss. User behavior analytics can shift that dynamic, as it gives your team the opportunity to improve security posture, and help with employee awareness. This includes identifying risk across credentials and configurations, which can range from unknown admins and running processes to non-expiring passwords. If you’re able to identify and coordinate with IT on fixes, it’s a great story—share both progress and how an attacker could have taken next steps.

Perhaps the best benefit of user behavior analytics is that it can give you room to breathe. Instead of being plagued by endless alerts and scattered investigations, you’ll have the chance to execute a long-term security strategy. We walked through a few suggestions—if you’re able to build mutual trust with employees and have teams see through the same lens, you won’t just be monitoring users; you’ll be understanding normal. And security isn’t about the obviously bad. It’s about the barely abnormal.

Banner image "Awake Could Be So Beautiful" by Cameron Gray.