Behavior Analytics is the Next Step to Secure Organizations

by February 2, 2018 0 comments

With workforce mobility, BYOD and users increasingly working from home the defined perimeter is disintegrated and what’s left are users and data. There is more to it. Maheswaran S, Director, Sales Engineering-APAC at Forcepoint talks about the UEBA (User and Entity Behavior Analytics) platform which helps organizations to predict high risk behavior before a breach could happen.

Maheswaran S, Director, Sales Engineering-APAC, Forcepoint

What were the highlights in terms of business in 2017?

Firstly, I would just like to mention that Forcepoint specializes in helping organizations to enforce human centric security framework. We think this is extremely important because organizations traditionally have followed a threat centric model which has its own benefits but we see this change in business landscape where organizations want businesses to access information from anywhere in any device. They’re virtually operating in zero perimeter and our users are accessing critical information beyond the organizations boundary.

So, the most vulnerable point remains which we call as human point i.e. when users access critical information outside the organization and from unmanaged assets. It is important for organizations to understand what user behavior is allowing them to access critical information. That’s where Forcepoint helps organizations by embracing a human centric security framework and we have offerings with which our customers and prospects will be able to establish human centric security framework.

In terms of highlights, I would like to mention that we have been doing extremely well. We have observed a significant growth compared to last year. Considering the regulations that RBI has come up with, they have asked banks to deploy DLP. With regards to this, we are seeing our business unit growing extremely well and we also are seeing our CASB offerings getting a lot of interest. CASB (Cloud Access Security Broker) is getting a lot of attraction from our customers because we see more enterprise customers looking at protecting critical data residing in cloud data stores. We also have significant plans to promote our network security offerings next year.

Please elaborate more on UEBA, what it is and how it can help to enhance security practices.

UEBA (User and Entity Behavior Analytics) helps organizations to baseline behavior of users and also entities like endpoint servers or applications and then see if there are any deviations from normal baseline. They compare that with peer groups too and then apply advanced intent based analytics to establish intent like what exact impact or risk it would create for organizations because of the abnormal behavior of the user.

Predominantly, the solutions classify user behavior into three categories – accidental risk user behavior, compromised risk user behavior and malicious behavior. What I mean by compromised user behavior, is the user potential could have been compromised or the machine could have been compromised by a hacker and lastly a malicious user behavior is when the user definitely has the intent to cause harm for the organization. So this solution performs advanced analytics to provide this intent and accordingly help organizations to establish some predictive security model to even predict risk even before it happens.  UEBA would be one of the predictive controls that organizations can deploy to actually go and proactively monitor high risk behavior or entity behavior and establish control in terms of why it’s important for organizations.

We think that UEBA is going to be the foundation for organization’s security framework and that in fact is one of our predictions for 2018. It would be a key component in an organization’s security framework to help organizations to look at advance threats and monitor user activities which we think is going to be the most important aspect in an organization’s security.

What are the verticals which will get more profit with UEBA?

Any organization that is looking at deploying an insider threat program will be more profitable with UEBA. We have seen a shoot surge in customer’s insider threat program because it finally boils down to user behavior which is creating security incidents and I have already listed out those three behaviors earlier which are accidental, compromised and malicious.  So if an organization is looking at deploying an insider threat program, then UEBA is going to be the core component for that because this is the technology control which will help them to identify abnormal user behavior and establish them.

Secondly, any organization that has deployed DLP (Data Loss Prevention) is not able to extract full value because DLP focuses mostly on looking at sensitive content going out of the company. Organizations actually struggle to identify on what information is sensitive and that makes DLP not adding a lot of value for customers. UEBA actually complements DLP for organizations to see whether there are data theft attempts happening.

Identifying what to protect is a challenge for DLP. Organizations that have deployed DLP extensively and want to move to block mode associate with user behavior looking at UEBA technology. Organizations which a lot of intellectual property are looking at UEBA technology. We see a lot of interest from banks and government with due to lot of digital initiatives.

From future security stand, do you see UEBA as the next step? And with the integration of RedOwl is there any other solution that you are working on?

We acquired RedOwl a couple of quarters back. UEBA is going to be the foundation platform for our Human Point System.  We are building a platform called Human Point System where UEBA is going to be the foundation platform which is going to do all the analytics and every Forcepoint offering will be embedded into this platform.

Already our DLP is embedded into this platform and it can be an advantage to our customers as user behavior can automatically be exposed on DLP system.  For instance, Let’s say I have a ransomware infection– I’ve clicked on the link which is infected which can actually exploit from my machine and infect my machine with ransomware. The UEBA system will pick it by integrating with our Web Gateway model.  Forcepoint also has a Web Gateway model and the Next Gen Firewall model with which we can get visibility that this user is accessing this site and he has downloaded a malware. For instance, if a malware is getting downloaded, we can see what are the registry changes the ransomware is doing on the machine and what sort of behavior footprint it’s establishing on that machine. This gets captured by UEBA and then before starting encryption we could have also tried to communicate with the command and control center to receive instructions from the hacker for what key should it be using to infect that machine.

We observe this communication and based on this communication, what we can do is automatically enforce a policy on our DLP to ensure that no application can access more than three files at any point in time. This means if a ransomware is trying to access more than three files in less than three seconds to four seconds then despite of that, it’s not going to allow the ransomware to access any more files.  So that way we would be able to predict incidents. As I mentioned earlier we also automate control to ensure that the risk is mitigated and Forcepoint is building that system. We already have integrated our DLP and very soon we would also be integrating our insider threat into this system and all Forcepoint products will be embedded on this platform.

We will also be extending this to third party technologies that exist in an organization’s ecosystem, it could be like EDR (Endpoint Detection and Response) where if risk is increasing we can automatically encroach to isolate that machine from an organization. We also can integrate with attendance management system or physical active system where we will be able to even restrict users from entering into a premise if that user is having a malicious intent.

So, it is very granular and it is going to be the foundation and a platform to automate controls and drive controls based on intelligence advance phase analytics to different components that exist in an organization.

How are you reaching to the customers especially mid-market segments as right now they are very much in transformation?

Yes, there is lot of transformation happening in the mid market and mostly people have to wear multiple hats in security.  So it’s important for them to have an intelligent system which can look for behavior and enforce controls automatically.  We see a lot of benefit going not just for large enterprises but also mid enterprises especially when they have a lean team. For us, it is very important to provide them a system, so they can act on high priority events and remediate them and even predict incidents even before it happens.  UEBA system is going to not just add value to large enterprises but to any customer because the whole objective of building this system is to ensure that controls are enforced in monitoring human activities because in an organization’s security framework it comprises people, process and technology.

Forcepoint Human Point System will help organizations to enforce controls on the constant that they have which is people and monitor people behavior and also involve people to take decisions on what controls need to be enforced. For example- If the user is trying to upload sensitive information to a website; machine throws a pop-up to the user and makes him aware that whatever info the user is trying to send is not normally allowed; and if he still needs to send it, they need to provide a justification for that. This not only helps to take the user’s decision before enforcing a control but also would help organizations to create active awareness campaign and raise the security intelligence level of end users. Nowadays, hackers are going after users because the user remains to be the most weakest link in an organization’s security framework. They are targeting users, they are targeting user credentials and once they get it they can use the trust that the user has established to get into the organization to get what they want.

It’s very important to raise the security culture and awareness of users which the Human Point System can also do before it’s actually enforcing a decision. Most organizations have a preventive and detective security framework. Unless they focus on people and people behavior, a predictive security framework would not get established which we think the Human Point System can do.

What will be the big focus for next financial year?

Our big focus is to sustain the growth; we are observing great growth for the last three years. We are absolutely excited because of some new capabilities that are in and through our product portfolio, like the  Human Point System is new, UEBA is new, CASB (Cloud Access Security Broker) is again a new offering which we think is going to create a lot of interest. We are already seeing a lot of interest and have some large customers too. We are going to promote Next Gen Firewall technology into the market for penetrating security market.

We are also seeing a huge interest within our partner community.  We are really excited and we think we will be able to sustain our growth and also help customers to embrace Human Point System and demonstrate lot of value there.

No Comments so far

Jump into a conversation

No Comments Yet!

You can be the one to start a conversation.

Your data will be safe!Your e-mail address will not be published. Also other data will not be shared with third person.