It’s not a new problem and there is a clever technical solution available - User Behaviour Analytics (UBA) - a system to collect and record instances of human behaviour, then apply algorithms and statistical analysis to detect meaningful anomalies indicating a potential threat from those behavioural patterns. In recent years this has been expanded to User and Entity Behaviour Analytics (UEBA) which includes the collection and analysis of applications, devices and anything else that interacts with your electronic environment. It all sounds extremely impressive, but before you rush out and buy one, be aware such a solution can prove expensive and requires a large investment in time and resources to configure and run.
Luckily there is an inexpensive, non-technical and practical measure you can take which will go a long way to duplicating the capability of a UBA solution and, as an added bonus, help instil a culture of security awareness within your organisation.
Your office is an organism
The first thing you’ll need to do is think of your office environment as a living organism. All parts must operate together to survive and anything which has a detrimental effect on one part is likely to spread to the rest. Such thinking assists with taking a holistic approach to how you view security and has been proven to be beneficial; whether the attack comes through your front door or over the internet, it’s still an attack and both have the capability of causing you major problems.
Just like an organism, your business processes don’t operate in isolation; everything must work together. Also, your data doesn’t sit in a permanently locked box inaccessible to all; like an organism’s brain, it constantly takes input, changes and grows, and this affects the output which helps to drive your company forward. But having your data accessible, even where access is restricted to those who need it, does not fully protect it against misuse and destruction. All parts of your enterprise are inter-connected in some manner and the way you handle threat identification needs to take this into account. Where to start, though? To use a common phrase, the weakest link in the security chain is the human, and it’s the threats posed by the people around you that we need to address. Here we’ll explain how to do it.
Everyone in your organisation will do things slightly differently: some will regularly take a late lunch, others always go early; some will arrive late and work late while one or two will be there at the crack of dawn and be away by mid-afternoon; there are always colleagues who’ll take any excuse for a chat while others will be head down, non-stop, all day. Humans are creatures of habit: their past and present behaviours describe them and also help to define their future behaviours. We can think of these as following patterns which will, by and large, be repeated regularly. These patterns also repeat on large and small scales; for example, everyone arrives at a different time each morning, but all arrivals occur between 8 and 9:30am.
However, to confirm these patterns exist we also need to ensure the sample size is sufficient. Kevin started his new job with the company yesterday and arrived at 8am sharp; will he arrive at 8am every day? Tracey has worked for the company for over five years and almost without exception gets to the office every day at 8:25am; will she arrive at 8:25 tomorrow? In this example the pattern established by Tracey has a sample size of over one thousand instances, whereas the pattern of Kevin’s arrival has just one which, being his first day, is likely subject to extenuating circumstances (did you not also arrive extra early on your first day?). Recognising patterns also requires us to recognise what makes a good and bad pattern to test against.
Once the patterns are deduced and understood, it’s time to look for behaviour which doesn’t conform to what’s expected. These variations are where you’ll often find the early indication of a threat.
Cause and effect
What could cause someone to pose a threat and how would this method help detect it? There are many potential examples but for the sake of brevity I’ll stick to just three.
Evidence of apathetic behaviour, such as arriving late and leaving early, whining to colleagues, and being slow to get things done, should be identified and dealt with promptly. Such behaviour can be contagious and becomes even worse when the apathy is shown by management, as that will quickly affect the entire organisation. Furthermore, such poor performance could potentially lead to anything from lost business to, in extreme cases, physical injury. One likely example is an apathetic attitude leading to a lack of care when reading emails: a malicious link is clicked on, infecting your systems with malware or bringing your operations to a halt with a ransomware infection.
It’ll be obvious that a colleague is angry when she’s repeatedly critical of or insulting towards someone else in the company. But a less noticeable display of anger would be when she makes disparaging remarks about their quality of work or personal appearance, in a subtle attempt to influence opinion. If this approach doesn’t work, she might try to expose any perceived wrongdoing outside the organisation to clients and the public, bringing your company into disrepute. An increase in meeting attendance or casual circuits of the office can indicate a desire to spread malicious gossip, or it might be indicated by more time spent on the phone than usual, loudly complaining to friends.
Whether it’s failure to land a promotion, failure in his personal life or failure in some other form, the inability to achieve a desired goal can be destructive. Take for example a situation where he lost out on a job promotion; the initial feeling might be anger but this can transform into a desire for revenge against his manager or even the entire company. Symptoms may look like anger, apathy or some combination of the two, but what the general dissatisfaction is hiding may be incipient reprisal. This can take any form from malicious destruction of your company data to posting details of your clients online, exposing you to sanctions from the ICO and the SRA. Look for changes to normal behaviour as described above, together with other changes such as disrupting colleagues from their own work and not taking care of office equipment; anything that suggests his dissatisfaction with the working environment.
Deviation and correlation
Jane arrives at 8:45am each morning and switches on her PC; while it’s starting up she goes to the kitchen and makes a mug of coffee before returning to her desk. At 10am each morning she has a meeting with the senior partner to discuss progress on existing cases and new cases in the pipeline. This meeting usually lasts about an hour. Jane is always flexible as to when she has lunch, but it’ll be somewhere between midday and 1:30pm and lasts about 45 minutes. She usually leaves her desk a couple of times in the afternoon to get coffee, frequently stopping by Joe’s desk to have a chat for 10 minutes. At 5:30pm she starts to pack up and is out of the door 10 minutes later. However, over the next few days Jane arrives 30 minutes earlier than usual and most days she leaves later. Sometimes she barely stops for lunch and often has no time to chat to Joe. Something has changed dramatically in Jane’s normal behaviour. Alarm bells ringing? The first step is to correlate her activity with other changes: you’ll see her daily meetings now start at 9am and continue much longer than they used to, sometimes all morning. In this case her behavioural change can be linked with a sudden increase in workload.
Often changes from the norm and correlation with the reason can be subtle and hard to spot. For most of the detective work we must rely on our perception and visual acuity; we will observe and attempt to spot behaviour out of the ordinary. However, what if we’re busy or fail to pick up on the clues? Not to worry, we can give ourselves a helping hand by creating activity maps, diagrams that plot daily behaviour.
This is an activity map of Tim’s usual day:
Tim has on average three meetings a day, and usually takes three coffee breaks a day. If Tim is spotted missing a coffee break there is a deviation from normal behaviour, but it’s nothing to be concerned about if it only happens once a week.
Now we’ll add in Pam’s and Graham’s activity maps, and it becomes a lot easier to spot deviations across the office: at just after 8am Pam is the only one in the office, so anyone else being there is uncommon; at about 12:15pm the expectation is that everyone’s at lunch; at around 3:30pm Pam and Graham take a coffee break together, but if neither of them is in the kitchen it could indicate something out of the norm – or the coffee machine is broken; and by 5:30pm all but Graham have left for the day.
As in the example above where Pam and Graham both go for a coffee together, you can correlate activities to locations. Does your office printer have its own corner? Then you can correlate a pattern of behaviour to that location. How often do your staff print out documents and how many pages are those documents on average? If the answers are infrequently and a few pages at a time, the pattern becomes easier to establish. Then a member of staff spending an hour over by the printer will show an unexpected behaviour and is therefore abnormal. At this point it’s time to look for a reason, test for a correlation – could they have been tasked with printing a very large document? – and identify whether it merits further investigation.
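As an added illustration (not code from the article), the reasoning in this section and the sample-size point about Kevin and Tracey can be worked through in a few lines: a person’s baseline only counts once enough days have been observed, a reading far from that baseline is a deviation, and each arrival deviation is then checked against a second signal (the length of the morning meeting) to see whether a correlating cause such as workload explains it. MIN_SAMPLES, Z_THRESHOLD and the day records for Jane and Kevin are assumed, constructed values.

```python
from statistics import mean, pstdev

# Assumed tuning values (not from the article): an established pattern needs at
# least MIN_SAMPLES observations, and a reading more than Z_THRESHOLD spreads
# from the mean counts as a deviation from normal behaviour.
MIN_SAMPLES = 20
Z_THRESHOLD = 2.0

def to_minutes(hhmm):
    """'08:25' -> 505 minutes after midnight."""
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)

def baseline(values):
    """(mean, spread) of a series, or None when the sample is too small to trust."""
    if len(values) < MIN_SAMPLES:
        return None
    return mean(values), pstdev(values)

def is_deviation(base, value):
    """True when value sits more than Z_THRESHOLD spreads from the mean.
    A spread of zero is a perfectly regular habit, so any change is a deviation."""
    avg, spread = base
    if spread == 0:
        return value != avg
    return abs(value - avg) / spread > Z_THRESHOLD

def correlate(history, recent):
    """history/recent: lists of (arrival 'HH:MM', morning meeting length in minutes).
    Returns None if history is too short; otherwise (flags, explained), where flags
    holds (arrival_deviates, meeting_deviates) per recent day and explained is the
    share of arrival deviations that coincide with a meeting deviation."""
    arr_base = baseline([to_minutes(a) for a, _ in history])
    mtg_base = baseline([m for _, m in history])
    if arr_base is None or mtg_base is None:
        return None
    flags = [(is_deviation(arr_base, to_minutes(a)), is_deviation(mtg_base, m))
             for a, m in recent]
    arrival_hits = [mtg for arr, mtg in flags if arr]
    explained = sum(arrival_hits) / len(arrival_hits) if arrival_hits else None
    return flags, explained

# Constructed sample: 25 ordinary days for Jane, then four recent days.
JANE_HISTORY = list(zip(["08:43", "08:45", "08:47", "08:44", "08:46"] * 5,
                        [58, 60, 62, 59, 61] * 5))
JANE_RECENT = [("08:15", 180), ("08:46", 61), ("08:10", 150), ("08:20", 60)]
KEVIN_HISTORY = [("08:00", 60)]  # a single first-day observation: no pattern yet
```

For Jane, two of the three early arrivals coincide with a much longer meeting, so the change is largely explained by workload, while the third early day has no such correlation and merits a closer look; for Kevin, no baseline exists yet.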
Implementing your monitoring
Back to our organism analogy: what characterises the cells that identify something wrong? T cells, a form of white blood cell, continually circulate throughout the body. Just as in an organism, your lookouts need to be able to circulate, to see everyone and everything in the office. Choosing the person who sits behind a closed door all day will not help; instead think of your receptionists, secretaries, clerks and others who have the most interaction with other staff. These are your ideal observers and first line of defence.
Empower your people to observe and report; many of us have a natural tendency to not comment on anything unusual, to look the other way. In this instance you need to reverse this behaviour and encourage reporting. It’s a good idea to point out not only are they looking for security threats but they could be helping to identify physical or mental illness and other issues, thereby assisting the observed person too.
When a behaviour out of the ordinary has been identified and is cause for concern, it should be handled like any other potential staff welfare investigation. It could be nothing, or it could be the tiny thing that uncovers a serious threat.
And remember this is an inexact science: as anyone who’s got experience in security information and event management (SIEM) solutions will tell you, a fair proportion of correlated events turn out to be false positives. Like any system it takes time to “bed in” and a fair amount of fine tuning is required. Furthermore, before you can put a successful behaviour monitoring programme into place, there needs to be a clear understanding of the threats faced, the desire to defend against those threats and the level of resources you’re prepared to dedicate to that defence.
Anything you do to improve the security of your organisation will fail if done in isolation. So, while this article talks about low-tech methods to identify security issues, and they do have their place in the pantheon of security tools, they mustn’t be the only thing you do. Talk to us about the full range of security methods and technologies available that will suit your enterprise. And if you’re looking for a UEBA solution, well, we can offer those too.