The Corvil stand was bustling with visitors at last week’s Black Hat Europe event with demo stations constantly occupied, highlighting how network visibility has become an overarching priority for security professionals. They are also looking to machine learning for preventative solutions, so we struck a chord on two fronts.
In our session, ‘Recognize Users From Their Network Traffic’, we introduced delegates to a new solution that employs machine learning to identify users involved in suspicious behavior. Insider threats now account for more than 80 percent of cybersecurity incidents – a combination of hackers stealing identities and disgruntled employees stealing company data – so there is a growing demand for tools to fight back.
Because Corvil appliances decode and extract metadata from network traffic, we have a foundation for analyzing changes in user behavior that might point towards malicious activity. We see inside the packets and flows; we track users as they access different resources on different devices and hosts; we see the domains they visit on the internet.
We also recognize malicious files that are transferred across the network. The Holy Grail is to make sense of all this activity by linking all the elements together to show which specific users are accessing which files, and who transferred what and from which hosts. If someone is accessing an external domain that’s used by hackers, for example, you need to know which user accounts and what files are being transferred there.
One way we do this is by monitoring network activity on a per-user basis. So once J Bloggs has logged in, we are able to link him to network traffic in terms of the bytes and packets he is generating, the hosts and devices he is using, and the files, websites and databases he may be accessing.
The best way to identify suspicious individual activity is to detect a change in behavior patterns. Having collated all data associated with J Bloggs, we can construct a user behavior timeline that will reveal unusual activity. You can do this manually with the data that Corvil collects, but it’s a time-consuming process, particularly if you want to do it proactively at enterprise scale across hundreds of thousands of users.
We have developed an automated solution that uses machine learning to recognize 99 percent of people each day, based on past behavior. The challenge was finding the best way to distinguish one user from another. With a sample of 30-50 employees, the algorithm is able to learn what makes J Bloggs distinct: that he reads the New York Times, for example, is a Spotify user and his favorite browser is Firefox.
Corvil continuously updates the classifier that feeds the model so it’s always up to date. As a new sample comes in we test it to see how well it fits and score accordingly. When the score deviates significantly from the historical pattern, it starts to be assessed as a possible threat.
Because people change behavior for perfectly legitimate reasons, this is not our only measure. We combine the data with threat intelligence, file analysis, and various methods of malicious activity detection. The role of the user will also be considered – if J Bloggs has privileged access to highly sensitive data then the alert level will rise.
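The pipeline described above (a per-user behavior profile built from network metadata, a fit score for each new day against the historical pattern, and a risk score that rises with the user's privilege) in miniature, as an added example that is not Corvil's code. The feature counts, the cosine-similarity fit score, the 0.8 threshold and the privilege weights are assumptions constructed for illustration.

```python
from collections import Counter
from math import sqrt

# Constructed sample: per-day feature counts extracted from network metadata for
# one user (domains contacted, browser user-agent family). Not real data.
HISTORY = {
    "jbloggs": [
        {"nytimes.com": 40, "spotify.com": 25, "ua:firefox": 60, "intranet.local": 30},
        {"nytimes.com": 35, "spotify.com": 30, "ua:firefox": 55, "intranet.local": 28},
        {"nytimes.com": 42, "spotify.com": 20, "ua:firefox": 65, "intranet.local": 33},
    ],
}
# A day that looks like J Bloggs, and one that does not (new browser, unknown host).
NORMAL_DAY = {"nytimes.com": 38, "spotify.com": 27, "ua:firefox": 58, "intranet.local": 30}
ANOMALOUS_DAY = {"ua:chrome": 40, "unknown-host.example": 30, "intranet.local": 30}

# Assumed weighting: a privileged account doubles the risk of the same deviation.
PRIVILEGE_WEIGHT = {"standard": 1.0, "privileged": 2.0}


def build_profile(days):
    """Sum feature counts over the historical days into a unit-length profile vector."""
    total = Counter()
    for day in days:
        total.update(day)
    norm = sqrt(sum(v * v for v in total.values()))
    return {k: v / norm for k, v in total.items()}


def fit_score(profile, sample):
    """Cosine similarity (0..1) between the historical profile and one new day's sample."""
    norm = sqrt(sum(v * v for v in sample.values()))
    if norm == 0:
        return 0.0
    return sum(profile.get(k, 0.0) * v / norm for k, v in sample.items())


def risk_score(user, sample, role="standard", threshold=0.8):
    """Deviation below the fit threshold, scaled by the user's privilege level."""
    fit = fit_score(build_profile(HISTORY[user]), sample)
    deviation = max(0.0, threshold - fit) / threshold
    return round(deviation * PRIVILEGE_WEIGHT[role], 3)


if __name__ == "__main__":
    for label, day in (("normal", NORMAL_DAY), ("anomalous", ANOMALOUS_DAY)):
        for role in PRIVILEGE_WEIGHT:
            print(f"{label:9s} {role:10s} risk={risk_score('jbloggs', day, role)}")
```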
All of the combined information is presented as the overall risk score in the Corvil dashboard when the security analyst signs in. Recognizing users from their network traffic is not easy, but we’ve shown it can be done with a solution that represents a significant step towards insider threat containment.