Building a Second Line of Defense When the Hacker Has Credentials
It turns out that most of the hacks on a system are the result of someone using legitimate credentials, explained Monzy Merza (@monzymerza), chief security evangelist for Splunk, in our conversation at the Black Hat Conference in Las Vegas.
A credential alone is a weak line of defense. “It’s not just about authentication events, but about the user’s behavior,” said Merza. A second line of defense is necessary to compare user behavior against a baseline.
Watching user behavior online is not a new concept. What is new though, said Merza, is the sheer volume of information we have to correlate, combined with our advanced machine learning. Look at everything you can and see if you can create a baseline pattern for each user. Look at the network, endpoints, threat intelligence, information from business applications, and also the information you’re collecting from access and identity systems.
When I broached the subject that this technique could possibly suffer the problem of false positives, Monzy said my question was based on an old world of thinking. It’s based on an old model of having very little information and not much confidence in our results. Instead of focusing our concerns on the issue of false positives, we should be more concerned with measuring our degree of confidence on whether an authenticated user’s behavior is veering from our baseline.
Related Articles
How A CNAPP Can Take You From Cloud Security Novice To Native In 10 Steps
May 23, 2024Context is critical in cloud security. In a recent RSA presentation, Tenable's Shai Morag offered ten tips for end-to-end cloud infrastructure security.
Logs of Our Fathers
September 22, 2009<p>At USENIX in Anaheim, back in 2005, George Dyson treated us to a fantastic keynote speech about the early history of computing. You can catch a videotaped reprise of it <a href="http://www.ted.com/talks/lang/eng/george_dyson_at_the_birth_of_the_computer.html" target="_blank">here, on the TED site</a>. I highly recommend it - there's lots of interesting and quirky stuff. I managed to talk him into giving me a copy of his powerpoint file, and subsequently tracked him down and am re-posting this material with his permission.</p> <h3>November, 1951 </h3> <p style="TEXT-ALIGN: center"><a href="http://www.ranum.com/security/computer_security/papers/ur-syslogs/first_syslog.jpg" target="_blank"><img border="0" height="375" src="http://www.ranum.com/security/computer_security/papers/ur-syslogs/t/first_syslog.jpg" width="500" /></a> <br /><strong>Machine Log #1</strong></p>
ShmooCon 2009 - Playing Poker for Charity
February 12, 2009Tenable sponsored a booth at this year's ShmooCon and ran a Texas Hold'em table to help raise money for the Hackers for Charity organization. We raised close to $400 from conference attendees ...
CVE-2024-7593: Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability
August 14, 2024Ivanti released a patch for a critical severity authentication bypass vulnerability and a warning that exploit code is publicly available
Microsoft’s August 2024 Patch Tuesday Addresses 88 CVEs
August 13, 2024Microsoft addresses 88 CVEs with seven critical vulnerabilities and 10 zero-day vulnerabilities, six of which were exploited in the wild.
Compromising Microsoft's AI Healthcare Chatbot Service
August 13, 2024Tenable Research discovered multiple privilege-escalation issues in the Azure Health Bot Service via a server-side request forgery (SSRF), which allowed researchers access to cross-tenant resources.
- Conferences