As enterprises struggle to deal with insider threats, as well as other threat vectors such as APTs that masquerade as insider activity within the noise of authorized network and database access, it has become ever more critical to employ proven best practices to mitigate those evolving threats. DB Networks has taken those best practices to heart and constructed a solution that leverages machine learning to detect, alert on, and ultimately triage anomalous behavioral patterns indicative of database insider threats.
Overview of Best Practices to Address Insider Threats
Research organization Gartner has identified several best practices for dealing with insider security threats, best practices detailed in a report by analyst Andrew Walls. Action items include increasing detection, implementing activity monitoring, incorporating behavior pattern analysis, and deploying machine learning tools to automate the process.
Gartner is not alone in its advice on how to deal with insider threats. Carnegie Mellon University’s CERT.ORG has also identified and publicized best practices against insider threats. CERT.ORG's recommendations include establishing a baseline of normal network activity, identifying all assets, deploying log correlation and analysis tools, and monitoring and auditing employee activity.
Keeping these best practices in mind eases the task of evaluating any particular security tool's effectiveness against insider threats. It is also critical, however, to judge a product’s capabilities in light of how insider threats are evolving and growing across enterprises and their partners.
Laying the Groundwork for Best Practices Against Insider Threats with DB Networks
DB Networks incorporates industry best practices into both the design and the execution of the company’s insider threat detection technology. DB Networks has built its detection and analytics capabilities upon a concept that the company refers to as “Data Flow.” In the company’s nomenclature, a data flow consists of ten unambiguous attributes that define communications with a database. Those attributes consist of:
- Mode (whether data is being read from or written to the database)
- Server Name
- DBMS service
- Client IP address
- DBMS server IP Address
- Listener port number
Those ten attributes clearly indicate not only the type of communication taking place but also the velocity, veracity and volume of data that constitutes a data flow.
Insider Threat Detection Best Practice: Asset Identification
Protecting something from an insider threat requires that the threatened element be defined. In other words, you can only protect what you know about. DB Networks takes an approach of non-intrusive discovery. The product works from a tap (or SPAN) port to detect interactions indicating that a user (or application) is connecting to a database. In essence, all traffic flows are analyzed to detect database activity, allowing DB Networks to build a comprehensive inventory of databases on the network, as well as of who or what is interacting with those databases. Ultimately, all database assets are uncovered as part of the process, including stealth (or rogue) databases. DB Networks accomplishes this lofty goal by incorporating full-stack analysis into database flow monitoring via the system's deep protocol analysis engine.
The discovery process is fully automated, requiring very little administrator interaction, and builds a full inventory of all database assets discovered on the network. This is critical for defining what to protect and for creating models of expected behavior.
Insider Threat Detection Best Practice: Building Behavioral Models
One of the best ways to identify an insider threat is by monitoring user behavior and creating a baseline of expected activity. For example, if a user works in the accounting department, accessing applications that deal with accounting systems may be an anticipated behavior. Behavior analytics has a subtlety that must be addressed, however: user (and application) behaviors need to be modeled and then constantly monitored to determine whether they fall outside the established norms.
DB Networks uses several technologies in concert to build behavioral models. Machine learning examines interactions and connections to databases to build a model of usage, which incorporates defined behavioral elements. That model, which is adaptive, can be used to analyze database flows to detect access abuses, such as stolen credentials, unauthorized endpoints, or other application behavioral anomalies and then execute the appropriate actions based upon administrator-defined policies.
DB Networks brings a unique approach to bear in its execution of behavioral modeling. The company combines unsupervised machine learning with reinforcement learning (human interactive definitions) to create an automated analytical process that can model deep protocol analysis. That allows the system to pick up on subtle insider threats, such as credentials being used to access a resource during unexpected time frames, or access to databases occurring from an unanticipated location. What’s more, the behavioral models created can account for a multitude of actions that fall outside of perceived norms, such as a particular set of credentials being used to access information that is not normally associated with those credentials. Simply put, knowing the expected behavior of users and applications makes it much easier to identify when activities exceed the expected behavioral paradigm.
Insider Threat Detection Best Practice: Policy Creation and Enforcement
One of the most critical aspects of an insider threat mitigation platform is the ability to take action when threats surface. There are many ways to accomplish that, ranging from automatically blocking the threat, to issuing alerts, to redirecting access. While any one of those actions provides some value, making threat reactions customizable offers better value.
DB Networks uses defined policies to lend more weight to particular analytic processes. For example, the product supports defining triggers under its Insider Risk Analysis capabilities, where data flows that impact particular tables, databases, or other elements can trigger an event. That event can drive other actions as needed. Rules can also be readily created to identify patterns and associate those patterns with non-compliant events. For example, administrators can define a rule that looks for a pattern of SQL commands or a combination of requests in a series of data flows.
Insider Threat Detection Best Practice: Leverage Visibility
The ability to transform logged events into visible representations proves to be a critical capability for those investigating insider risks. DB Networks goes to extensive lengths to provide an easily navigable management console, which offers the ability to drill down into data flows. A dashboard rolls events and data flows into a graphic representation of stability. In DB Networks' nomenclature, stability is a measure of how well a data flow fits into models and established norms. Events that are identified as outliers from normalized data flows are correlated and ultimately affect the stability quotient of the system. Stability is broken down into categories such as Highly Stable, Medium Stability, Highly Volatile and Learning.
Those categories are represented by colors on the various charts and graphs across the multiple dashboards offered by the system. What’s more, the dashboards are fully interactive, allowing administrators to quickly select a risk analysis element by its stability rating and drill down into the data flow associated with the stability indicator.
It is the ability to drill down into the metrics of a data flow that proves to be of critical value for those investigating insider threats. Administrators are able to drill down to the who, what, when, and where of a data flow and then examine the raw data and commands associated with that volatile event. That information can be used for several different purposes, ranging from improving the accuracy of models, to creating additional rules, to completing forensic tasks.
Insider Threat Detection Best Practice: Setting Up a Honey Pot
Sometimes the best way to identify a potential insider threat is to set up a trap. Those traps, often referred to as honey pots in InfoSec parlance, consist of data elements that appear to contain valuable assets, such as banking information, payroll records, credit data, or even intellectual property. What’s more, honey pots can also serve as decoys, effectively distracting intruders from actual assets that have value.
DB Networks offers the unique ability to quickly build honey pots and tie its analytics to the data flows interacting with those honey pots. With just a few mouse clicks, an administrator can create rules to monitor a honey pot using the Data Flow Explorer. Activity impacting that honey pot will trigger an immediate alert. Administrators are able to quickly ascertain the who, what, when and where of access to the honey pot and then use that information to build more effective protection for the actual company assets.
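To make the preceding sections concrete (the data-flow attributes, the behavioral baseline, the policy trigger on a honey pot, and the stability categories on the dashboard), the following is an added example, not DB Networks' code or schema. It builds a per-user profile from a constructed set of data-flow records, scores new flows against that profile, fires a rule on any access to a decoy table regardless of how well the user is modeled, and rolls the results up into Learning / Highly Stable / Medium Stability / Highly Volatile. The record fields, the `user`, `table` and `hour` additions, the sample values, the `MIN_SAMPLES` learning threshold, the one-hour slack window and the stability ratios are all assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed data-flow records. The attribute names follow the ones the article
# lists (mode, server name, DBMS service, client IP, server IP, port), plus
# 'user', 'table' and 'hour' so there is something to profile. All values are
# made up for this example; none of this is DB Networks' schema.
def flow(user, client_ip, mode, table, hour, server="db01", service="payroll",
         server_ip="10.9.0.5", port=1433):
    return {"user": user, "client_ip": client_ip, "mode": mode, "table": table,
            "hour": hour, "server": server, "service": service,
            "server_ip": server_ip, "port": port}

# Learning window: observed, trusted activity used to build the baseline.
TRAINING_FLOWS = [
    flow("acct_app", "10.1.2.10", "read",  "ledger",   9),
    flow("acct_app", "10.1.2.10", "read",  "invoices", 10),
    flow("acct_app", "10.1.2.10", "write", "ledger",   13),
    flow("acct_app", "10.1.2.10", "read",  "ledger",   15),
    flow("acct_app", "10.1.2.10", "read",  "invoices", 16),
    flow("acct_app", "10.1.2.10", "write", "invoices", 17),
    flow("dba_tom",  "10.1.2.44", "read",  "ledger",   11),  # too few samples to score
    flow("dba_tom",  "10.1.2.44", "read",  "invoices", 14),
]

# Decoy table holding no real data; any touch is a policy event (honey pot rule).
HONEYPOT_TABLES = {"exec_salaries_decoy"}   # constructed name

MIN_SAMPLES = 5   # assumed threshold: below this a profile is still "Learning"

def build_profiles(flows):
    """Summarise each user's observed client IPs, tables, modes and hours."""
    profiles = defaultdict(lambda: {"client_ips": set(), "tables": set(),
                                    "modes": set(), "hours": [], "count": 0})
    for f in flows:
        p = profiles[f["user"]]
        p["client_ips"].add(f["client_ip"])
        p["tables"].add(f["table"])
        p["modes"].add(f["mode"])
        p["hours"].append(f["hour"])
        p["count"] += 1
    return dict(profiles)

def score_flow(profiles, f, honeypots=HONEYPOT_TABLES):
    """Return (status, reasons); status is 'learning', 'stable' or 'volatile'."""
    reasons = []
    # Policy rule: a honey pot hit fires even for users the model has not learned yet.
    if f["table"] in honeypots:
        reasons.append(f"honeypot table {f['table']} accessed")
    p = profiles.get(f["user"])
    if p is None or p["count"] < MIN_SAMPLES:
        return ("volatile" if reasons else "learning"), reasons
    # Behavioral checks against the learned baseline.
    if f["client_ip"] not in p["client_ips"]:
        reasons.append(f"new client IP {f['client_ip']}")
    if f["table"] not in p["tables"] and f["table"] not in honeypots:
        reasons.append(f"table {f['table']} not in profile")
    if f["mode"] not in p["modes"]:
        reasons.append(f"mode {f['mode']} not in profile")
    lo, hi = min(p["hours"]) - 1, max(p["hours"]) + 1   # one hour of slack each side
    if not lo <= f["hour"] <= hi:
        reasons.append(f"hour {f['hour']:02d} outside {lo:02d}-{hi:02d}")
    return ("volatile" if reasons else "stable"), reasons

def stability(profiles, flows):
    """Roll per-user results up into dashboard-style categories (ratios assumed)."""
    per_user = defaultdict(lambda: {"volatile": 0, "total": 0, "learning": False})
    for f in flows:
        status, _ = score_flow(profiles, f)
        u = per_user[f["user"]]
        u["total"] += 1
        u["volatile"] += status == "volatile"
        u["learning"] |= status == "learning"
    out = {}
    for user, u in per_user.items():
        ratio = u["volatile"] / u["total"]
        if u["learning"] and u["volatile"] == 0:
            out[user] = "Learning"
        elif ratio == 0:
            out[user] = "Highly Stable"
        elif ratio < 0.5:
            out[user] = "Medium Stability"
        else:
            out[user] = "Highly Volatile"
    return out

# Constructed "live" traffic to score: one normal flow, an off-hours flow, a new
# client IP, a honey pot touch, and two flows from the still-learning DBA.
LIVE_FLOWS = [
    flow("acct_app", "10.1.2.10",    "read", "ledger",              11),
    flow("acct_app", "10.1.2.10",    "read", "ledger",              3),
    flow("acct_app", "192.168.50.7", "read", "ledger",              10),
    flow("acct_app", "10.1.2.10",    "read", "exec_salaries_decoy", 10),
    flow("dba_tom",  "10.1.2.44",    "read", "ledger",              10),
    flow("dba_tom",  "10.1.2.44",    "read", "exec_salaries_decoy", 10),
]

if __name__ == "__main__":
    profiles = build_profiles(TRAINING_FLOWS)
    for f in LIVE_FLOWS:
        status, reasons = score_flow(profiles, f)
        print(f"{f['user']:9} {f['client_ip']:13} {f['table']:20} -> {status}: {'; '.join(reasons)}")
    print(stability(profiles, LIVE_FLOWS))
```

The design mirrors the article's ordering of controls: discovery supplies the records, the baseline is learned per identity, policy rules (here the decoy table) are evaluated before the baseline so they cannot be suppressed by an incomplete model, and the reasons list is what an analyst would drill into for the who, what, when and where of a volatile event.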
DB Networks' unique approach to the insider threat dilemma brings significant value to the battle against data exfiltration. By combining machine learning with behavior modeling, DB Networks has created an analytics platform that becomes more accurate over time and offers security administrators numerous tools to better understand what an insider threat is and to actually address it. What’s more, the company’s concept of data flows brings better forensics to the table and ultimately creates an easily understood graphical representation of how assets are accessed on the network. The product’s ability to discover rogue databases and the associated stealth IT proves increasingly valuable for organizations looking to get a better handle on their IT assets.
DB Networks has brought Insider Threat Detection to a new level for those looking to protect sensitive databases from data exfiltration and has made that capability part of its own appliances, as well as an add-on for other security products looking to bring insider threats under control.