It turns out that most of the hacks on a system are the result of someone using legitimate credentials, explained Monzy Merza (@monzymerza), chief security evangelist for Splunk, in our conversation at the Black Hat Conference in Las Vegas.
A credential alone is a weak line of defense. “It’s not just about authentication events, but about the user’s behavior,” said Merza. A second line of defense is necessary to compare user behavior against a baseline.
Watching user behavior online is not a new concept. What is new though, said Merza, is the sheer volume of information we have to correlate, combined with our advanced machine learning. Look at everything you can and see if you can create a baseline pattern for each user. Look at the network, endpoints, threat intelligence, information from business applications, and also the information you’re collecting from access and identity systems.
When I broached the subject that this technique could possibly suffer the problem of false positives, Monzy said my question was based on an old world of thinking. It’s based on an old model of having very little information and not much confidence in our results. Instead of focusing our concerns on the issue of false positives, we should be more concerned with measuring our degree of confidence on whether an authenticated user’s behavior is veering from our baseline.