Detecting and preventing data breaches is a challenge for most, if not all, enterprises. In fact, according to a study released in 2017, 78% of all CISOs are concerned that data breaches go undetected, while only 19% admit they are effective at breach prevention.
Simply put, breaches happen almost every day; most people know that but have no clue where they happen until it’s too late and finding them could be like finding one needle… in a stack of other needles. This is why we look to data access, not just user behavior, when detecting a breach.
The stack of needles: Digital enterprises and insider threats
In today’s data-driven economy, the number of legitimate credentials and data access-points organizations have is sky-rocketing. Not only does this encourage risky behavior among employees and insiders with legitimate credentials, it also opens up opportunities for outside attackers to compromise these credentials in order to gain access to enterprise data. The majority of security solutions that focus on keeping the bad guys out do not address threats that are already inside.
Additionally, increased data activity generates more data access events, adding to incident overload and subsequent alert fatigue, a common problem security teams already face. The challenge here is that most cybersecurity tools bombard IT teams with alerts based on false positives, making it difficult for them to identify, investigate and most importantly, act on the real security threats.
It’s just not humanly possible for IT security teams, no matter their size – and with the current industry-wide talent shortage – to investigate the volumes of security alerts they’re getting. According to the Ponemon Institute, the average time it takes to detect data breach is 206 days, just let that sink in for a minute.
Data Access Analytics
Sure, you can analyze user behavior to help detect abusive data access incidents, but it’s when you start pairing this with data analytics that you get real, actionable results. Think of it this way: the breach risks are highest at the intersection of data and user. If you are only looking at user activities — for example, their login and log out activity — you’re missing half of the equation. And what’s worse you’ll end up buried under an avalanche of alerts. By bringing users and data together, data access analytics allows us to focus only on those incidents that are considered indicators of data abuse.
Finding that one needle
At Imperva, we understand data inside and out — how databases and shared files are accessed and:
- Who is connecting to the database (an application, human user, privileged user, etc.)?
- How they connect to the database (a service account, personal account, etc.)?
- What data are they accessing (metadata, personal data, business-critical data, etc.)?
- Why are they accessing that data (for maintenance, data mining, sensitive transaction, etc.)?
- Do their peers access data?
- How much data do they query?
- When do they usually work?
Leveraging this domain expertise coupled with machine learning, Imperva CounterBreach identifies data breaches, as well as risky data access behavior practices, as they happen. Where security vendors lack this domain expertise, finding anomalies becomes a purely mathematical problem, “if something that usually doesn’t happen suddenly happens excessively, then it should be flagged to the customer.”
To illustrate our point, let’s look at an example: an employee attempts to access sensitive application tables which are typically only accessed by apps at a set number of times. This is considered “new” behavior by the employee as well as “excessive” in terms of the number of tables that were accessed. Clearly, this is an anomaly, but is it really a data breach?
Data-access analytics uniquely handles this situation with granular, contextual insights that lets analysts quickly determine whether it was a data breach or risky data consumption. Let’s say it finds that this employee was using a service account, the chance for this event being malicious increases because it indicates the user’s attempt to hide the incident. Service accounts not only offer free reign over sensitive information but also bypasses the audit trail and removes all accountability from transactions.
With this information, security analysts can promptly hone in on finding why (or how) this incident took place. It could well be a data breach due to account takeover, a classical insider threat case. Or it could turn out to be a bad security practice where a DBA, who took on a special project that required access to sensitive data, was using a service account to get the job done quickly. Immediately addressing this type of risky practice prevents abusive use of service accounts from covering real data breaches down the road.
Cut through the clutter and get to the point
So, you see how data-access analytics allows us to immediately drill down on users’ interactions with data, rather than what they did differently from the statistical perspectives, delivering a more in-depth picture of the security event. Because CounterBreach can uniquely generate a small number of truly meaningful alerts on abusive data accesses, security teams gain unprecedented speed and precision in detecting data breaches, as well as identifying high-risk data access behavior for breach prevention.
Want to know more about how CounterBreach works? Check this out.