Threat Hunting with xVisor – Part 1October 19, 2023
A Brief History of Networking: Part 2November 20, 2023
In Dorothy Denning’s seminal 1986 paper “An Intrusion-Detection Model”, she introduces her core concept in her second sentence:
“The model is based on the hypothesis that security violations can be detected by monitoring a system’s audit records for abnormal patterns of system usage.”
This idea, more commonly known today as User and Entity Behavior Analytics (UEBA), is still a key part of today’s cybersecurity landscape. But in addition to improving an organization’s cybersecurity posture, UEBA can improve an organization’s network performance and lower its overall costs.
UEBA for network troubleshooting
UEBA, by identifying outliers, can often identify misconfigured systems that often decrease the overall performance of the network.
For example, in one organization we are aware of, the highest number of internal DNS queries were due to a typo in a script the organization used to provision their servers. The organization’s cybersecurity unit, monitoring outliers in network traffic patterns, spotted the problem. Working with the organization’s IT group, they tracked down the root cause – a typo in a hostname in the configuration script used by the servers. Once corrected, the servers were able to connect to the system they were supposed to and stopped making large numbers of DNS queries. Reducing the load on the DNS servers decreased DNS response times for the rest of their systems, which in turn led to increased performance throughout their network.
In another example, an organization had many DNS servers which were misconfigured in a way that allowed attackers to use those servers in DDoS attacks against other systems – what is referred to as a DNS reflection and amplification attack. At some points in time, upwards of 85% of inbound DNS queries to the organization were part of DDoS attacks. Correcting these misconfigurations improved DNS performance and decreased the amount of network bandwidth being used in DDoS attacks against other organizations. These changes improved overall performance for regular users in the organization.
Misconfigurations such as these can lead organizations to believe their resources such as DNS servers, routers, and network bandwidth are saturated and that they need to buy higher-end equipment. UEBA can help identify the real problems, guide the organization to correcting the root cause of the problems, improve overall performance of the network, and in the end save the organization real money by avoiding unnecessary purchases.
UEBA to lower cyber insurance costs
UEBA can also save organizations money by reducing their cyber insurance premiums.
Increasingly organizations are buying insurance policies to cover the costs of cyber incidents. To calculate the premiums that the insurance company will charge an organization, the insurance company will often look at external signals including how often and for how long computers from the organization’s network were placed on blocklists for sending out spam, participating in DDoS attacks, and scanning the Internet.
UEBA, by quickly identifying when computers are misbehaving, can help an organization stay off those blocklists. This in turn can drive down cyber insurance premiums and save the organization real money.
Contact Ennetix to learn how UEBA can increase your security, improve your network performance, and save you money.