Intelligent CISO Issue 37 | Page 41

EXPERT OPINION

From the C-suite to IT: Identifying anomalous behaviour to stop digital adversaries in their tracks

Orion Cassetto, Director, Product Marketing, Exabeam, surveys the cybersecurity risk to different departments of a business.
“The highest-ranking members of a company are often the most lucrative targets for cybercriminals,” he says.

Departments within an organisation may be easily distinguished by where they are situated in an office building (when we are allowed into our offices, that is) – perhaps finance and sales share floor two, and executives are up on floor six – but their network activity is just as identifiable.

Every user on a network performs specific tasks and generates unique events every day. These events are logged and collected to provide valuable information to security analysts that can be used for activity profiling and anomaly detection.
As cyberattacks become more complex and harder to find, correlation rules, which often lack context and require significant maintenance, generate false negatives or miss unique incidents. To mitigate threats and ensure malicious activity by attackers is not overlooked, security analysts must be able to benchmark baseline behaviours for users at all levels of an organisation.
Machine Learning-based behaviour analytics is increasingly deployed by security teams to identify when legitimate user accounts exhibit anomalous behaviour and provide insights into both compromised and malicious users to SOC analysts and insider threat teams.
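To make the contrast between a context-free correlation rule and a per-user baseline concrete, here is an added example (not from the article or from Exabeam) that profiles each account's daily activity and scores a new day against it. It uses a simple mean and standard-deviation profile rather than a Machine Learning model, and the user names, action labels, thresholds and events are all constructed assumptions.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

def build_baseline(events):
    """events: (day, user, action) tuples -> {user: {action: (mean, stdev) per day}}."""
    daily, days = defaultdict(Counter), defaultdict(set)
    for day, user, action in events:
        daily[(user, day)][action] += 1
        days[user].add(day)
    profile = {}
    for user, seen in days.items():
        actions = {a for d in seen for a in daily[(user, d)]}
        profile[user] = {}
        for a in actions:
            counts = [daily[(user, d)][a] for d in seen]  # 0 on days without it
            profile[user][a] = (mean(counts), pstdev(counts))
    return profile

def score_day(profile, user, day_actions, k=3.0, min_sd=1.0):
    """Return (action, reason) findings for one user's day against the baseline."""
    findings = []
    for action, n in sorted(Counter(day_actions).items()):
        known = profile.get(user)
        if known is None:
            findings.append((action, "no baseline for user"))
        elif action not in known:
            findings.append((action, "first time for this user"))
        else:
            mu, sd = known[action]
            if n > mu + k * max(sd, min_sd):  # floor sd so flat baselines tolerate noise
                findings.append((action, f"volume {n} vs baseline {mu:.1f}/day"))
    return findings

def static_rule(day_actions):
    """Context-free correlation rule: alert on any wire transfer, whoever sends it."""
    return "wire_transfer" in day_actions

# Constructed sample data (assumed names and actions), five baseline days.
BASELINE = [(d, "ceo", a) for d in range(1, 6)
            for a in ["review_contract", "share_earnings_doc"] + ["send_email"] * 5]
BASELINE += [(d, "finance_clerk", a) for d in range(1, 6)
             for a in ["wire_transfer"] * 3 + ["send_email"] * 4]
TODAY = {"ceo": ["review_contract", "wire_transfer"] + ["send_email"] * 400,
         "finance_clerk": ["wire_transfer"] * 3 + ["send_email"] * 4}

if __name__ == "__main__":
    profile = build_baseline(BASELINE)
    for user, actions in TODAY.items():
        print(user, "static:", static_rule(actions), "baseline:", score_day(profile, user, actions))
```

The static rule fires on the finance clerk's routine transfers as well as on the executive account, while the baseline stays silent for the clerk and flags only the executive's first-ever transfer and email spike.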
Let’s dig into what some normal network activity might look like for various company personas and examples of anomalous behaviours that might raise suspicion for SOC analysts – and how to address them.
Company executives – CEOs, COOs and CFOs
The highest-ranking members of a company are often the most lucrative targets for cybercriminals. Since these individuals hold significant clout within a company, cybercriminals can easily obtain assets by impersonating them.
Normal network behaviour for a CEO and other high-level executives might include sharing earnings documents with stakeholders, accessing new business plans, reviewing contracts, competitive data or mergers and acquisition information.
If one of these individuals is suddenly directing suspicious wire transfers or sending mass emails to staff or stakeholders containing malicious