Are you you?

Most seasoned cybersecurity experts when asked will tell you the insider threat is the most serious problem they face (no, not bitcoin, yet). The insider is simply the most serious threat to any organization, they assert.

I disagree. I see insiders – legitimate users and employees – as an asset to achieve the goals of the organization but also a very important part of an overall security strategy of any modern enterprise. There is indeed a POC right in your pocket, and its been there since the 1980s.

Your credit card account (actually the bank’s risk and liability) is protected by what you do, not what you know. The same concept has been studied for quite some time and its time to reconsider our relationship to our users and utilize their individuality as a behavior-based security mechanism.

What’s an insider, really?

Insiders come in many flavors. The “real” malicious insider who has access and authority is a rare bad actor. It is far more likely an unsuspecting benign user will be socially manipulated to click a link and inject malware into their computer that hijacks a session and masquerades as the real user. Of course, credential theft is probably the most likely means of an external bad actor impersonating a legitimate user, handed the keys to do so without much effort. The ensuing losses and damage all point the finger in one direction, the legitimate sloppy insider. That’s the real threat? The real threat is insecure authentication.

Behavior is unique

The concept of behavior-based security is not exactly what the network-based UBA vendors will tell you as the value they provide. UBA seeks to infer anomalous users by traces of what they do on the network, from network log data. They primarily seek the rare malicious insider. Many attempt to compute group norms for subsets of users and look for the outliers.

Host-based UBA is different. The aim is to secure a system by evaluating a user’s actions are consistent with their past behavior to continuously verify that the user is who they say they are. Essentially, a host-based UBA agent continuously asks the user, “Are You You?” That’s no different than your credit card processor asking if your current transaction was actually initiated by You? Your transaction behavior history is the key to actively authenticating you each time you swipe, tap or plug in. (Don’t believe me? Check your last month’s transactions in 2017 to the same month in 2016. Amazing how consistent we are when we buy stuff.)

How well does it work?

DARPA initiated the Active Authentication program several years ago that brought together about 10 performers developing various ways of modeling and testing the authenticity of a user by a variety of different behavior modalities, from (some obvious) biometrics, such as speech, but also how you walk (the user’s gate with a mobile phone in their pocket), how the user writes prose, and how you search your computer. The key idea is to protect the last mile, the host machine and its user, by leveraging the unique behavior we each exhibit, rather than the faulty credentials we each forget. And behavior is very hard to lose. The results achieved were surprisingly excellent with some achieving near 98% detection of masqueraders with very few false rejections. Not bad. Of course, malware imposters are easy to detect, they simply don’t behave like humans.

So why isn’t host user behavior analytics in our phones and in our laptops, or protecting our cloud storage services? Its only a matter of time to overcome the confusion about what network UBA is and what it isn’t, and how host-based UBA is a substantial solution.

Insiders are a security asset

Pervasive host-based active authentication is an idea whose time has come, an idea that enterprises have not yet appreciated about their employees. Users in an enterprise are a security asset, not just a threat. Their behavior can protect their own devices and phones, and they are an important component of the security architecture of any large enterprise. Imagine that, people doing their job can also protect themselves and their company just by doing what they do!