Lesson 4 Part 2.pdf
Nanyang Technological University
Lesson 4 Part 2

When you conduct anomaly detection it's important to calculate the average activity for each user. Remember that no user's activity will be the same, and therefore you need to work out every user's baseline. So next we calculate the standard deviation: for each month we take the number of job searches minus the mean and then square it. We then divide by the number of months and take the square root of the value to get the standard deviation.

Setting thresholds for anomaly detection can help reduce false positive rates. The upper threshold is usually two times the standard deviation; however, this can be adjusted depending on how sensitive the detections need to be. A lower threshold can also be used if activity is below the user's average and you have concerns about that as well.

We can use other data to correlate with this anomaly to proactively determine if Bob could be a potential insider threat. For example, we can correlate Bob's job search anomalies with other anomalies in emails that Bob has sent externally, and a combination of the two indicators can allow us to proactively detect if Bob is going to leave the organization and whether he is a potential insider threat who may attempt to exfiltrate business-sensitive data before he leaves.

Anomaly detection can be very resource intensive, as you must calculate a baseline per user for every user, and every user will behave differently. Businesses do not always have their log sources centralised into a single SIEM, which can make anomaly detection difficult. Anomaly detection requires having historical user activity data to be able to accurately detect anomalies, but there are some tools and products on the market that can actually do this for you.
Most user behaviour analytics (UBA) tools available on the market use a form of anomaly detection based on standard deviation to detect changes in user behaviour, and SIEM systems such as Splunk have apps such as the Machine Learning Toolkit (MLTK) available, as well as built-in standard deviation functions, to conduct anomaly or outlier detection.

Now, anomalies and other indicators alone do not always show the full picture of an insider threat incident. Correlating various data sources through sequence detection can help provide a bigger picture of what activity has occurred and the potential threat. Sequence detection involves grouping together anomalies or activities that could indicate a certain activity. So for instance a data exfiltration sequence event could involve a user downloading a sensitive file, followed by renaming that file, and then sending that file to their personal email.

Sequence detections can occur over a specified time frame and don't always occur one after another. A user could download a sensitive file, then rename it, and send it out five days later to their personal email account. What we can do is link the various activities together to create a sequence of events that can alert us to the potential insider threat, and this is especially useful when the activities are spread across a longer period and it's harder to detect.

So combining anomaly detection, sequence detection and other insider threat indicators can create a full picture of a user's activity and the potential threats that they may pose to an organisation.
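The following is an added Python example, not part of the lesson, implementing both techniques the transcript describes: the per-user mean and population standard deviation with a k-times-sigma threshold (k = 2 by default, optional lower bound), and an ordered, time-windowed sequence detector that tolerates gaps between steps. The monthly counts, event log, user names and action labels are constructed sample data.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample: monthly job-search counts per user (six months each).
JOB_SEARCHES = {
    "alice": [3, 4, 2, 3, 5, 3],
    "bob":   [2, 3, 2, 3, 2, 19],   # final month spikes well above baseline
}

def baseline(counts):
    """Per-user baseline as in the lesson: mean, then the square root of
    (sum of squared deviations from the mean / number of months)."""
    return mean(counts), pstdev(counts)

def anomalous_months(counts, k=2.0, check_lower=False):
    """Indices of months above mean + k*sigma (and below mean - k*sigma
    when check_lower is set). Note the spike itself inflates sigma, so a
    baseline built only from prior months would be a stricter test."""
    mu, sigma = baseline(counts)
    upper, lower = mu + k * sigma, mu - k * sigma
    return [i for i, c in enumerate(counts)
            if c > upper or (check_lower and c < lower)]

# Constructed sample event log: (user, timestamp, action), unordered on purpose.
EVENTS = [
    ("bob",   datetime(2024, 3, 1, 9, 0),   "download_sensitive"),
    ("bob",   datetime(2024, 3, 1, 9, 5),   "rename_file"),
    ("alice", datetime(2024, 3, 2, 10, 0),  "download_sensitive"),
    ("bob",   datetime(2024, 3, 6, 17, 30), "send_external_email"),  # 5 days later
    ("alice", datetime(2024, 3, 2, 10, 1),  "send_external_email"),  # no rename step
]
EXFIL_SEQUENCE = ["download_sensitive", "rename_file", "send_external_email"]

def detect_sequence(events, user, pattern=EXFIL_SEQUENCE, window=timedelta(days=7)):
    """True if `user` performed every step of `pattern` in order within
    `window` of the first step; unrelated events may sit between steps."""
    timeline = sorted((t, a) for u, t, a in events if u == user)
    for start, (t0, a0) in enumerate(timeline):
        if a0 != pattern[0]:
            continue                       # a chain must begin with step 1
        step = 1
        for t, a in timeline[start + 1:]:
            if t - t0 > window:
                break                      # chain expired; try a later start
            if a == pattern[step]:
                step += 1
                if step == len(pattern):
                    return True
    return False
```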