Behavioral analytics are critical to successful security monitoring and detection. Quite simply, standard rule- and signature-based detection is wholly insufficient to detect today’s attacks. Unfortunately, when most organizations think about and implement behavioral analytics, they approach it only by looking at human behavior through user behavioral analytics (UBA). However, real security is better achieved when you marry UBA with network and asset behaviors.
Network behavioral analytics look for anomalies in the way network systems and protocols operate and communicate on a computer network. Just like humans, computers and networks tend to function consistently and predictably over time. They tend to follow the same patterns over and over.
A mail server has the function of receiving, processing, and sending email for an organization. The normal behaviors we would expect to see include a high amount of email protocol traffic such as SMTP, IMAP, or POP3; emails that include the organizational email domain on at least one side of the communication; and a relatively consistent volume of email traffic at a given time of day. Once the analytic has learned what normal behavior for the server looks like, it can start looking for anomalies. Perhaps we see an unexpected increase in web browsing (HTTP) traffic originating from the server, or we see an abnormal spike in data leaving the server. Each of these could be indicative of malicious activity or, at the least, identify anomalous activity that ought to be investigated.
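The mail-server profiling described above, written out as an added example (this is illustrative code, not Security On-Demand's analytic). It learns, per protocol, direction and hour of day, how many bytes the server normally moves over a seven-day window, then evaluates an eighth day and raises a finding either when a protocol appears that the learning window never saw (the HTTP-from-the-mail-server case) or when an hour's volume sits more than three standard deviations from its baseline (the outbound spike). The server address, the flow records and both injected anomalies are constructed for the example; the same keying works for any asset or protocol, not just a mail server.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed example. The mail server address, the flow shape and the two
# injected anomalies below are hypothetical; nothing here comes from a real network.
MAIL_SERVER = "10.0.0.25"


def constructed_flows():
    """Return a constructed week-plus-one-day of hourly flow summaries.

    Each record is (day, hour, src_ip, dst_ip, protocol, bytes). Days 0-6 form
    the learning window. Day 7 is the day under evaluation and carries two
    injected anomalies: web browsing (HTTP) originating from the server and a
    large burst of outbound SMTP bytes at 03:00.
    """
    flows = []
    for day in range(8):
        for hour in range(24):
            # Diurnal shape (busy office hours, quiet nights) plus a small
            # deterministic wobble so the baseline has a non-zero spread.
            busy = 200_000 if 8 <= hour < 18 else 40_000
            wobble = ((day * 7 + hour) % 5) * 3_000
            flows.append((day, hour, MAIL_SERVER, "203.0.113.10", "SMTP", busy + wobble))
            flows.append((day, hour, "192.168.1.50", MAIL_SERVER, "IMAP", busy // 2 + wobble))
    flows.append((7, 3, MAIL_SERVER, "198.51.100.7", "HTTP", 15_000))      # unexpected protocol
    flows.append((7, 3, MAIL_SERVER, "203.0.113.10", "SMTP", 2_000_000))   # outbound volume spike
    return flows


def direction_of(src_ip):
    return "out" if src_ip == MAIL_SERVER else "in"


def build_baseline(flows, learning_days):
    """Map (protocol, direction, hour) -> list of daily byte totals in the learning window."""
    per_day = defaultdict(int)
    for day, hour, src, _dst, proto, nbytes in flows:
        if day in learning_days:
            per_day[(proto, direction_of(src), hour, day)] += nbytes
    baseline = defaultdict(list)
    for (proto, direction, hour, _day), total in per_day.items():
        baseline[(proto, direction, hour)].append(total)
    return baseline


def evaluate_day(flows, baseline, day, z_threshold=3.0):
    """Compare one day's hourly totals against the baseline and return findings."""
    known_pairs = {(proto, direction) for (proto, direction, _hour) in baseline}
    totals = defaultdict(int)
    for d, hour, src, _dst, proto, nbytes in flows:
        if d == day:
            totals[(proto, direction_of(src), hour)] += nbytes

    findings = []
    for (proto, direction, hour), observed in sorted(totals.items()):
        if (proto, direction) not in known_pairs:
            # The learning window never saw this protocol in this direction at all.
            findings.append({"kind": "unexpected_protocol", "protocol": proto,
                             "direction": direction, "hour": hour, "observed": observed})
            continue
        history = baseline.get((proto, direction, hour), [])
        if len(history) < 2:
            continue  # too little history for this hour to judge a deviation
        mu, sigma = mean(history), pstdev(history)
        # Floor the spread so a perfectly flat baseline does not turn every
        # byte of difference into an alert (and never divides by zero).
        sigma = max(sigma, 0.05 * mu, 1.0)
        z = (observed - mu) / sigma
        if abs(z) >= z_threshold:
            findings.append({"kind": "volume_anomaly", "protocol": proto,
                             "direction": direction, "hour": hour,
                             "observed": observed, "expected": round(mu), "z": round(z, 1)})
    return findings


if __name__ == "__main__":
    flows = constructed_flows()
    baseline = build_baseline(flows, learning_days=range(7))
    for finding in evaluate_day(flows, baseline, day=7):
        print(finding)
```

Two design points matter in practice: the baseline is keyed by hour of day, so a busy 10:00 is not compared against a quiet 03:00, and the spread is floored so a server with near-constant traffic does not alert on trivial differences. Either finding kind is a lead to investigate rather than a verdict; a legitimate mass mailing at 03:00 would trip the same volume check.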
Another strategy for these analytics is to monitor the behavior of protocols across the network. DNS, for example, is a well-defined and structured protocol. We know how it should work and what its traffic looks like, so if we observe behavior that deviates from that model, we have an alertable event. We could also look for unexpected spikes in the volume of obscure protocols communicating on the network, or for unexpected outbound traffic to known malicious sites or to locations that have not been observed before.
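The DNS part of that strategy, as an added example that is not part of the original post: a checker that holds each query name against the structure the protocol defines (the RFC 1035 limits of 253 characters per name and 63 octets per label, no empty labels) and against a hostname-style character set, which is a policy choice of this example rather than a protocol rule. The client addresses and query names are constructed.

```python
import re

# Structural limits from RFC 1035: a name is at most 253 characters in
# presentation form and each label at most 63 octets.
MAX_NAME_LEN = 253
MAX_LABEL_LEN = 63
# Hostname-style label: letters, digits, hyphen, with underscores permitted
# for service-discovery names such as _sip._tcp.example.com. Treating anything
# else as a deviation is a policy choice of this example, not a DNS rule.
LABEL_RE = re.compile(r"^[A-Za-z0-9_](?:[A-Za-z0-9_-]*[A-Za-z0-9_])?$")


def check_query_name(qname):
    """Return the list of structural violations in one query name (empty if clean)."""
    problems = []
    name = qname.rstrip(".")          # the trailing dot marks the root; it is not a label
    if name == "":
        return problems               # a query for the root itself is well-formed
    if len(name) > MAX_NAME_LEN:
        problems.append("name_too_long")
    for label in name.split("."):
        if label == "":
            problems.append("empty_label")
        elif len(label) > MAX_LABEL_LEN:
            problems.append("label_too_long")
        elif not LABEL_RE.match(label):
            problems.append("bad_characters")
    return problems


def evaluate_dns(records):
    """records: iterable of (client_ip, qname). Returns one finding per non-conforming query."""
    findings = []
    for client, qname in records:
        problems = check_query_name(qname)
        if problems:
            findings.append({"client": client, "qname": qname,
                             "problems": sorted(set(problems))})
    return findings


# Constructed query log: three conforming names and four that break the model.
SAMPLE_QUERIES = [
    ("192.168.1.20", "mail.example.com."),
    ("192.168.1.20", "www.example.com"),
    ("192.168.1.31", "_sip._tcp.example.com"),
    ("192.168.1.31", "b" * 70 + ".example.com"),            # label longer than 63 octets
    ("192.168.1.40", ".".join(["a" * 60] * 5)),             # whole name longer than 253 chars
    ("192.168.1.40", "host!name.example.com"),              # character outside the hostname set
    ("192.168.1.52", "www..example.com"),                   # empty label
]

if __name__ == "__main__":
    for finding in evaluate_dns(SAMPLE_QUERIES):
        print(finding)
```

Conformant resolvers and clients rarely emit names like the last four, so a finding here points at a misbehaving or non-standard client worth a look. The same per-client grouping is the natural place to add volume checks (queries per hour, share of unusual record types) using the hour-keyed baseline approach from the mail-server example.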
By monitoring the way your network behaves and then correlating it with your user and asset behavioral analytics, you will discover more malicious activity and keep your network secure.
About Security On-Demand
Security On-Demand is an industry pioneer and recognized innovator within the managed security space. We are leading the industry in threat detection through behavioral analytics and machine learning.