The use of detective analytics is now a central piece of security architectures, as security professionals increasingly face a needle-in-the-haystack problem. Security tools – especially rule-based ones – as well as systems, applications, and infrastructure generate so much data that it is hard to uncover the signal of a real attack. Behavior analytics tools help make sense of the vast amount of data these systems generate. While many vendors claim to use behavioral techniques, they fail to integrate them with other data science models to deal with today’s nation-state or hacktivist-type attacker.

There are real use cases where behavioral techniques for data analysis can identify some of the most pressing detection problems security teams face, problems that conventional analytic tools alone fail to spot. One of these use cases is spotting compromised hosts, both internal and external. Real threats don’t openly advertise themselves. They hide their activity among everything else that is happening in today’s typically complex IT environments, relying on the assumption that security teams have neither the tools nor the time to investigate deeply enough to distinguish their activity from that of employees, customers or partners.

Today’s sophisticated attackers move information in and out of the organization in ways that evade detection, leveraging what are known as “covert channels” to maintain command and control (C2) of compromised resources. Many successful recent public attacks have used covert channels to communicate with C2 servers that can fully compromise systems.
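As an added illustration (not code from the original post or its vendor), the following Python sketch contrasts a blocklist rule with a simple behavioral check over constructed flow records: a host whose connections to a rarely contacted destination arrive at near-constant intervals stands out, even though nothing in the data matches a known indicator. Hostnames, addresses and thresholds are constructed assumptions.

```python
"""Periodic-connection (beaconing) check over constructed flow logs."""
import statistics
from collections import defaultdict

# Constructed sample: (timestamp_seconds, source_host, destination).
# ws-17 contacts a rare external address every ~300 s with small jitter;
# the other hosts reach popular destinations at irregular times.
FLOWS = [
    (0, "ws-17", "203.0.113.9"), (301, "ws-17", "203.0.113.9"),
    (598, "ws-17", "203.0.113.9"), (902, "ws-17", "203.0.113.9"),
    (1199, "ws-17", "203.0.113.9"), (1503, "ws-17", "203.0.113.9"),
    (12, "ws-17", "cdn.example.net"), (45, "ws-03", "cdn.example.net"),
    (70, "ws-03", "cdn.example.net"), (410, "ws-03", "cdn.example.net"),
    (1300, "ws-03", "cdn.example.net"), (88, "ws-21", "cdn.example.net"),
    (300, "ws-21", "mail.example.net"), (333, "ws-21", "mail.example.net"),
    (900, "ws-21", "mail.example.net"), (1290, "ws-21", "mail.example.net"),
    (1310, "ws-21", "mail.example.net"), (1500, "ws-21", "mail.example.net"),
]

BLOCKLIST = {"known-bad.example"}  # constructed rule-based indicator list


def rule_based_hits(flows, blocklist=BLOCKLIST):
    """Signature approach: flags only destinations already on a list."""
    return sorted({src for _, src, dst in flows if dst in blocklist})


def behavioral_hits(flows, min_conns=5, max_cv=0.1, max_sources=1):
    """Flag (src, dst) pairs whose traffic is both periodic and rare."""
    times = defaultdict(list)   # (src, dst) -> connection timestamps
    sources = defaultdict(set)  # dst -> set of hosts that contacted it
    for ts, src, dst in flows:
        times[(src, dst)].append(ts)
        sources[dst].add(src)
    hits = []
    for (src, dst), ts in times.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation: near 0 means a fixed-interval pattern.
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv and len(sources[dst]) <= max_sources:
            hits.append((src, dst, round(mean, 1), round(cv, 3)))
    return hits


if __name__ == "__main__":
    print("rule-based:", rule_based_hits(FLOWS))
    print("behavioral:", behavioral_hits(FLOWS))
```

The mail traffic from ws-21 goes to an equally rare destination but is irregular, so only the combination of rarity and periodicity singles out ws-17; real deployments would learn both thresholds from a baseline rather than fix them by hand.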
For example:
