
Edge Articles

01:05 PM
Curtis Franklin Jr.

When All Behavior Is Abnormal, How Do We Detect Anomalies?

Identifying normal behavior baselines is essential to behavior-based authentication. However, with COVID-19 upending all aspects of life, is it possible to build baselines and measure normal patterns when nothing at all seems normal?

We log into work in the morning, usually between 0900 and 0915. We log into mail, the collaboration system, then the business applications. The place we log in from, the time we start work, and the sequence of logins form a unique pattern. And unique patterns can be useful as authentication factors. Right now there's a possible problem, though: How do you establish "normal" behaviors in an utterly abnormal time?

(image by andigreyscale, via Adobe Stock)

The issues around behavior-based authentication echo larger IT behavior issues of the moment. "During times of crisis, behavior can be overwhelmed by stress and especially by disruption to daily routines," says Daniel Norman, research analyst at the Information Security Forum. "The COVID-19 lockdown has demonstrated the requirement for organizations to manage behavior effectively or face disruption from a growing range of security threats, both from outside and within the business."

Defining a Useful Normal
Robert Capps, vice president at NuData Security, a Mastercard company, says that benchmarking and using behavior may begin with understanding which behaviors remain useful indicators of a user's identity.

"Users who are sheltering in place will have some or all of the same characteristics present in their interactions, as they did pre-COVID," Capps explains. "They will continue to use their home Internet connection, their existing devices, and will use those devices in the same way as before."

He points out that these habits and patterns actually reduce the "friction" in a user's computing experience: the person opens and uses familiar applications without consciously thinking about each step. That same "automatic" quality is what makes the actions useful from an authentication perspective.

Fortunately, while the overall business environment is at a highly unusual point, experts say that computer user behavior is not as anomalous as it might seem — and might be more consistent than before the pandemic.

"I would imagine that today people's behaviors are less anomalous than usual. On a normal day, people log into or visit sites from networks at work, on the train, at the Starbucks, at the airport, and also at home. Today they only log in from home," says Jason Kent, hacker in residence at Cequence Security. "Most organizations already understand their infrastructure goes out to the remote worker; there are just more remote workers now."

Organizations should always combine many different data points when characterizing behavior, he adds. Some factors will always carry more weight than others, and it is the combination, not any single signal, that should determine the risk.

Shahrokh Shahidzadeh, CEO at Acceptto, says that looking past the login is critical.

"There are normal behaviors where some users use VPN, but that is not important," he says. "Besides the VPN login, there are other factors in play, such as the patterns gained through the analysis of the applicational behavior. What we are interested in is what happens throughout the life cycle of the session."

Observing behavior across the entire user interaction, rather than at the login alone, supplies the rich context that makes individual signals meaningful.

"The key to effective behavior-based detection is context for the algorithms to learn from. When behavior-based algorithms, specifically for authentication, are able to take in the whole picture, they are quickly able to adapt to new conditions," says Wade Woolwine, principal security researcher at Rapid7. "The whole picture means that we can see local system authentications against the domain, we can see VPN authentications, internal resource authentication and authorization, and external services authentication. With that level of visibility, behavior-based detections quickly figure out that the strange IP authenticating to the external service is actually the same IP that successfully authenticated to the VPN just a minute ago."
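To make the three ideas above concrete (Kent's weighted combination of data points, Shahidzadeh's look past the login, and Woolwine's cross-source correlation of a "strange" IP with a recent VPN success), here is an added example, not code from the article or from any vendor quoted in it. It builds a per-user baseline (known IPs, usual start time, usual first application after the VPN) from constructed login events, then scores new sessions. The event format, the weights, the two-hour start-time tolerance and the one-minute correlation window are all assumptions chosen for illustration.

```python
"""Per-user behavior baseline and session risk scoring over constructed
authentication events. Added example; formats, weights and windows are assumed."""
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

# Constructed history for one user: (timestamp, source, source IP, result).
# Sources mirror the article: VPN, mail, collaboration tool, an external SaaS app.
HISTORY = [
    ("2020-04-06T09:02:00", "vpn",    "203.0.113.7", "success"),
    ("2020-04-06T09:03:00", "mail",   "203.0.113.7", "success"),
    ("2020-04-06T09:05:00", "collab", "203.0.113.7", "success"),
    ("2020-04-06T09:20:00", "saas",   "203.0.113.7", "success"),
    ("2020-04-07T09:08:00", "vpn",    "203.0.113.7", "success"),
    ("2020-04-07T09:09:00", "mail",   "203.0.113.7", "success"),
    ("2020-04-07T09:11:00", "collab", "203.0.113.7", "success"),
    ("2020-04-08T08:58:00", "vpn",    "203.0.113.7", "success"),
    ("2020-04-08T09:00:00", "mail",   "203.0.113.7", "success"),
    ("2020-04-08T09:01:00", "collab", "203.0.113.7", "success"),
]

# Assumed weights. An unknown IP with no corroboration is the strongest single
# signal; the same IP seen passing the VPN moments earlier still counts, but little.
WEIGHTS = {"new_ip": 0.5, "new_ip_vpn_corroborated": 0.1,
           "off_hours": 0.3, "unusual_sequence": 0.2}

def _parse(events):
    """Chronological (datetime, source, ip) tuples for successful logins only."""
    return sorted((datetime.fromisoformat(ts), src, ip)
                  for ts, src, ip, res in events if res == "success")

def _by_day(events):
    days = {}
    for ev in _parse(events):
        days.setdefault(ev[0].date(), []).append(ev)
    return list(days.values())

def _hour(ts):
    return ts.hour + ts.minute / 60

def _app_after_vpn(day):
    """The first application authenticated to right after the VPN, or None."""
    sources = [src for _, src, _ in day]
    if "vpn" in sources and sources.index("vpn") + 1 < len(sources):
        return sources[sources.index("vpn") + 1]
    return None

def build_baseline(history):
    """Summarise 'normal' for one user: known IPs, median start hour, usual first app."""
    days = _by_day(history)
    first_apps = Counter(a for a in map(_app_after_vpn, days) if a)
    return {
        "ips": {ip for _, _, ip in _parse(history)},
        "start_hour": median([_hour(day[0][0]) for day in days]),
        "first_app": first_apps.most_common(1)[0][0],
    }

def score_session(baseline, session, window=timedelta(minutes=1)):
    """Score one day's events against the baseline. Returns (risk, reasons)."""
    day = _parse(session)
    reasons = {}
    if abs(_hour(day[0][0]) - baseline["start_hour"]) > 2:   # assumed 2h tolerance
        reasons["off_hours"] = WEIGHTS["off_hours"]
    first_app = _app_after_vpn(day)
    if first_app and first_app != baseline["first_app"]:
        reasons["unusual_sequence"] = WEIGHTS["unusual_sequence"]
    for ts, src, ip in day:
        if ip in baseline["ips"]:
            continue
        # Cross-source context: did this unknown IP succeed against the VPN within
        # the window? (The VPN is assumed to enforce a second factor.)
        corroborated = any(s == "vpn" and i == ip and abs(ts - t) <= window
                           for t, s, i in day)
        key = "new_ip_vpn_corroborated" if corroborated else "new_ip"
        reasons[key] = WEIGHTS[key]
    return round(sum(reasons.values()), 2), reasons

# Constructed sessions to score.
NORMAL_DAY = [("2020-04-09T09:04:00", "vpn", "203.0.113.7", "success"),
              ("2020-04-09T09:05:00", "mail", "203.0.113.7", "success"),
              ("2020-04-09T09:07:00", "collab", "203.0.113.7", "success")]
# ISP handed out a new address overnight: unknown IP, but it passed the VPN first.
NEW_HOME_IP = [("2020-04-10T09:01:00", "vpn", "198.51.100.9", "success"),
               ("2020-04-10T09:01:30", "mail", "198.51.100.9", "success"),
               ("2020-04-10T09:02:00", "saas", "198.51.100.9", "success")]
# Unknown IP hitting the external app at 03:00 with no VPN session to corroborate it.
SUSPICIOUS = [("2020-04-11T03:00:00", "saas", "198.51.100.200", "success")]

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for name, session in [("normal", NORMAL_DAY), ("new home IP", NEW_HOME_IP),
                          ("suspicious", SUSPICIOUS)]:
        print(name, score_session(baseline, session))
```

The new-home-IP session scores 0.1 rather than 0.5 only because the VPN login is treated as a trusted reference point; that holds when the VPN itself enforces a second factor, and the correlation lowers false positives without proving identity. The baseline is built from successful logins only, so a period of anomalous activity that is allowed to pass will quietly become the new normal; in practice the training window should be reviewed before it is extended.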

(Next: "Necessary complexity," page 2 of 2)


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ...