Building a Second Line of Defense When the Hacker Has Credentials
It turns out that most of the hacks on a system are the result of someone using legitimate credentials, explained Monzy Merza (@monzymerza), chief security evangelist for Splunk, in our conversation at the Black Hat Conference in Las Vegas.
A credential alone is a weak line of defense. “It’s not just about authentication events, but about the user’s behavior,” said Merza. A second line of defense is necessary to compare user behavior against a baseline.
Watching user behavior online is not a new concept. What is new though, said Merza, is the sheer volume of information we have to correlate, combined with our advanced machine learning. Look at everything you can and see if you can create a baseline pattern for each user. Look at the network, endpoints, threat intelligence, information from business applications, and also the information you’re collecting from access and identity systems.
When I broached the subject that this technique could possibly suffer the problem of false positives, Monzy said my question was based on an old world of thinking. It’s based on an old model of having very little information and not much confidence in our results. Instead of focusing our concerns on the issue of false positives, we should be more concerned with measuring our degree of confidence on whether an authenticated user’s behavior is veering from our baseline.
Related Articles
Tenable Capture the Flag 2021: The Results Are In!
March 2, 2021More than 1,500 teams from nearly 140 countries competed in Tenable's first-ever Capture the Flag competition. And the winners are... That’s a wrap on the first Tenable Capture the Flag event! ...
Ready to Test Your Hacking Skills? Join Tenable’s First CTF Competition!
January 20, 2021Tenable launches new Capture the Flag event for the security community, running from February 18–22. Capture the Flag events are a tried and true way of testing your cybersecurity skills, practicing ...
Giving Tuesday at Tenable: A Look at We Care → In Action
December 3, 2019In the spirit of Giving Tuesday, we’re featuring the Multiple Sclerosis Foundation, Tenable’s We Care → In Action global cause for 2019. Here, our own Adrian Morgan, senior marketing operations manage...
Tenable and Thales Collaborate to Provide Cyber Defense Simulations to Better Secure Operational Technology Environments
April 18, 2024The heart of the Welsh Valleys is home to the Thales Ebbw Vale campus, a world-class facility jointly funded by the Welsh government as part of its regeneration program for the region. At the core of the facility is the Cyber Range, a simulation and virtualization platform for training, testing, exercising and R&D. Tenable has joined the lineup of solutions used to run real world simulations in this controlled environment.
Oracle April 2024 Critical Patch Update Addresses 239 CVEs
April 17, 2024Oracle addresses 239 CVEs in its second quarterly update of 2024 with 441 patches, including 38 critical updates.
Strengthening the Nessus Software Supply Chain with SLSA
April 16, 2024You know Tenable as a cybersecurity industry leader whose world-class exposure management products are trusted by our approximately 43,000 customers, including about 60% of the Fortune 500. But sometimes we like to give you a peek behind the curtain to share how we protect our own house against cyberattacks – and that’s what this blog is about. Today we’re sharing our experience adopting the supply-chain security framework SLSA, with the hopes that the lessons we learned will be helpful to you.
- Conferences