
Behavioral Monitoring - Tip Tuesday for NCSAM

During Week Two of National Cyber Awareness Month (NCSAM), our focus is on behavioral monitoring.

Behavioral monitoring is often mentioned in the same sentence as big data analytics or algorithms, which makes it sound as if behavioral monitoring is a form of witchcraft.

In many instances, behavioral monitoring can be undertaken with few resources in a simple way.

Behavioral monitoring is more about understanding what constitutes normal or acceptable behavior. For example, it is normal, or expected, that many children will cry on their first day of school as their parents leave them alone for the first time. But after a few years, a child crying when dropped off at school is a less common occurrence, and such behavior warrants some investigation.

Here's a video on behavioral monitoring with some examples.

In monitoring terms, analysts can monitor certain aspects of the infrastructure to gain insight into normal behavior. For example, service monitoring provides visibility into service uptime, so an unexpected outage can be identified quickly when being unavailable is not expected behavior for that service.

Similarly, NetFlow analysis can provide high-level trends related to which protocols are being used, which hosts use each protocol, and the average bandwidth usage. Any major deviations from the norm can indicate malicious activity.

If the IT team develops a regular routine to monitor activity and analyze patterns, anomalies can be spotted. Several studies have shown that despite the advancements in AI, the human brain still remains one of the best pattern-recognition machines. In his book *How to Create a Mind*, Ray Kurzweil argues that the brain contains a hierarchy of pattern recognizers.

The real value in behavioral monitoring is that one does not need to be intimately familiar with the underlying technology to recognise an anomaly. For example, if traffic between two systems is relatively stable but then suddenly spikes, it can be recognised as an anomaly, even if information about the kinds of systems, or the protocols used, is unknown.
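The traffic-spike case above can be checked with very little code. The following is an added example, not part of the original post: it keeps a per-pair baseline of bytes per interval and flags values that deviate sharply from that pair's own history using a median/MAD (modified z-score) test. The addresses, byte counts, the 3.5 cutoff and the `min_history` value are constructed or assumed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed flow summaries (KB per interval); not real traffic.
STABLE = [1000, 1040, 980, 1010, 995, 1020, 990, 1005, 9000, 1015]
NOISY = [200, 900, 450, 1200, 300, 800, 1100, 250, 950, 500]
FLOWS = sorted(
    [(t, "192.0.2.10", "192.0.2.20", kb) for t, kb in enumerate(STABLE)]
    + [(t, "192.0.2.30", "192.0.2.40", kb) for t, kb in enumerate(NOISY)]
)


def baseline_deviations(flows, threshold=3.5, min_history=5):
    """Return (interval, src, dst, kb, score) for values far from a pair's norm.

    Each source/destination pair is compared only with its own history, so
    nothing about the hosts or protocols has to be known. Median and MAD are
    used instead of mean and standard deviation so that one earlier outlier
    does not stretch the baseline.
    """
    history = defaultdict(list)
    alerts = []
    for interval, src, dst, kb in flows:
        past = history[(src, dst)]
        if len(past) >= min_history:
            med = median(past)
            mad = median(abs(x - med) for x in past)
            # Perfectly flat history gives MAD == 0; fall back to 5% of the
            # median (assumed tolerance) to avoid dividing by zero.
            scale = mad if mad > 0 else max(1.0, 0.05 * med)
            score = 0.6745 * (kb - med) / scale  # modified z-score
            if abs(score) >= threshold:
                alerts.append((interval, src, dst, kb, round(score, 1)))
                # Do not learn the anomaly into the baseline. A permanent,
                # legitimate change therefore needs a manual baseline reset.
                continue
        past.append(kb)
    return alerts


if __name__ == "__main__":
    for alert in baseline_deviations(FLOWS):
        print("deviation from baseline:", alert)
```

On the sample data only the jump to 9000 KB on the stable pair is flagged; the second pair regularly reaches 1200 KB, which is normal for it and raises no alert.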

Developing even basic behavioral monitoring capabilities can be extremely beneficial for spotting unknown threats, suspicious behavior, and even policy violations.
