Sotero’s Co-Founder and Chief Strategist Purandar Das had the pleasure of joining Chris Hatter, CISO at Nielsen, on David Spark’s recent CISO Series Video Chat. The topic was “Hacking Anomalous Behavior: An hour of critical thinking on when user actions raise the red flag”. As with all CISO Series video chats, the topic led to a lively discussion with many “best bad idea” contributions from the audience. Did you miss the chat? Fear not, we have you covered with the top five things that were discussed.
- What is Anomalous Behavior and Anomaly Detection?
At a very basic level, anomalous behavior refers to what looks normal but isn’t. Anomalous behavior can come from humans, user interactions, end users, machines, or applications. Our Co-Founder defines anomaly detection as, “The ability to use computing or resources to identify anomalous behavior at scale”.
- Anomaly Detection – How Does It Work?
For a successful anomaly detection implementation, an organization must first set a baseline of what is considered normal behavior. It is equally important, while building this baseline, to determine what false signals of abnormal or anomalous behavior may look like, so that ordinary variation is not mistaken for an anomaly. From there, the organization must define which actions or behaviors are truly anomalous, that is, which deviate from the established baseline. With these definitions in place, an organization can detect and filter out behavior that is considered abnormal.
- How to Triage Appropriate Alerts – Anomaly Fatigue?
Building an anomaly detection solution that reliably identifies anomalies is not an easy feat. It is almost impossible for organizations to define a set of rules that governs what behavior is deemed normal, because of the complexity and interconnectivity of their systems. The sheer volume of activity overwhelms anything that is purely rule-based, and any rule-based approach assumes that one can predict in advance what anomalous behavior looks like. Instead, organizations should leverage artificial intelligence (AI) and machine learning (ML) to build a framework that monitors all traffic within a known set of parameters. This is a highly effective approach to improving anomaly detection accuracy. Algorithms enable ML systems to self-learn and to build on an organization’s existing baseline, refining their analytical and predictive capacity over time. This approach is a scalable and manageable means of behavior monitoring.
- Network Vs. Data-Access Level Anomaly Detection And Why It Matters
The majority of anomaly detection solutions identify bad actors at the network level. On its own, this is no longer a comprehensive approach. It may give one a chance to prevent unauthorized access, but it will not stop someone from conducting harmful behavior once they are already in the network. Often, an organization’s most valuable asset is its data. By focusing on anomalies at the data level rather than the network level, organizations can home in on activity that looks benign at the network level but is still malicious at the data level. If you’d like to learn more about a data-centric, real-time anomaly detection and malicious user prevention approach, view this whitepaper.
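To make the baseline-and-deviation idea from the earlier section concrete at the data-access level, here is a small added example (our own illustration, not code from the video chat or from any Sotero product). It assumes a constructed log of (user, table, rows_read) events that all arrived over authorised sessions, so a network-level monitor sees nothing unusual, and flags reads that deviate from each user’s own per-table baseline.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline log of data-access events: (user, table, rows_read).
# Every event came over an authorised session, so a network-level monitor
# would see nothing unusual in any of them; the baseline is per user, per table.
BASELINE_LOG = [
    ("alice", "orders", 120), ("alice", "orders", 95),
    ("alice", "orders", 110), ("alice", "orders", 105),
    ("alice", "customers", 40), ("alice", "customers", 35),
    ("bob", "inventory", 500), ("bob", "inventory", 480),
]

def build_baseline(log):
    """Per user and table: mean rows read and a floored standard deviation. The floor
    (10% of the mean, at least 1 row) stops a near-constant history from turning a
    one-row change into an alert, i.e. it filters out false signals."""
    samples = defaultdict(lambda: defaultdict(list))
    for user, table, rows in log:
        samples[user][table].append(rows)
    baseline = {}
    for user, tables in samples.items():
        baseline[user] = {}
        for table, rows_list in tables.items():
            mu = mean(rows_list)
            sigma = max(pstdev(rows_list), 0.1 * mu, 1.0)
            baseline[user][table] = (mu, sigma)
    return baseline

def score_event(baseline, user, table, rows, z_threshold=3.0):
    """Return (is_anomalous, reason) for one data-access event."""
    user_base = baseline.get(user)
    if user_base is None:
        return True, f"{user} has no baseline"
    if table not in user_base:
        return True, f"{user} never read {table} during the baseline window"
    mu, sigma = user_base[table]
    z = (rows - mu) / sigma
    if z > z_threshold:
        return True, f"{rows} rows from {table} is {z:.1f} sigma above {user}'s mean"
    return False, "within baseline"

def triage(baseline, events, z_threshold=3.0):
    """Filter a stream of events down to those that deviate from the baseline."""
    flagged = []
    for user, table, rows in events:
        is_anomalous, reason = score_event(baseline, user, table, rows, z_threshold)
        if is_anomalous:
            flagged.append((user, table, rows, reason))
    return flagged
```

A bulk read of a table the user normally touches, or any read of a table they never touch, is flagged even though the session itself was legitimate at the network level; the z-threshold and variance floor are the knobs that trade sensitivity against anomaly fatigue.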
- The Benefits of Advanced Anomaly Detection
Hackers are using every technology and toolset they can get their hands on to automate attacks and attempts to infiltrate organizations. Scalability through automation is what makes hackers so successful. Our co-founder recommends, “that if you’re going to have a viable security posture, automation, whether machine learning or a form of that, is the future. No one is going to be able to keep up with the speed and scale at which attackers are operating without some form of automation or intelligence.”
Now that you’ve had insight into the top five takeaways, we do highly recommend you check out the lively Video Chat here. After all, who wants to miss out on the audience’s best bad ideas on anomalous behavior, unique tips, and brilliant quotes from the chat room?